diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
index e37209d05..d3c324982 100644
--- a/.github/codeql/codeql-config.yml
+++ b/.github/codeql/codeql-config.yml
@@ -1,18 +1,21 @@
+---
 name: drydock CodeQL config
 
+paths-ignore:
+  # MSW service worker — generated by `npx msw init`, not our code
+  - apps/demo/public/mockServiceWorker.js
+
 queries:
   - uses: security-and-quality
   - uses: ./.github/codeql/custom-queries
 
 query-filters:
-  - exclude:
-      id: js/clear-text-logging
-  # Exclude the built-in log-injection query; our custom-queries pack provides
-  # a replacement that recognises sanitizeLogParam() as a taint barrier.
+  # Replaced by .github/codeql/custom-queries/LogInjection.ql
+  # (same upstream flow module with an added sanitizeLogParam() barrier).
   - exclude:
       id: js/log-injection
-  # Exclude the built-in http-to-file-access query; our custom-queries pack
-  # provides a replacement that recognises validateFetchedIconPayload() as a
-  # taint barrier after payload validation.
+  # Replaced by .github/codeql/custom-queries/HttpToFileAccess.ql
+  # (same upstream flow module with an added
+  # validateFetchedIconPayload() barrier).
   - exclude:
       id: js/http-to-file-access
diff --git a/.github/workflows/ci-verify.yml b/.github/workflows/ci-verify.yml
new file mode 100644
index 000000000..087380b43
--- /dev/null
+++ b/.github/workflows/ci-verify.yml
@@ -0,0 +1,1152 @@
+name: "🔬 CI Verify"
+run-name: >-
+  ${{
+    github.event_name == 'pull_request' && format('🔬 CI Verify — PR #{0}: {1}', github.event.pull_request.number, github.event.pull_request.title) ||
+    github.event_name == 'push' && format('🔬 CI Verify — {0}', github.event.head_commit.message) ||
+    github.event_name == 'merge_group' && format('🔬 CI Verify — Merge Queue: {0}', github.ref_name) ||
+    github.event_name == 'workflow_call' && format('🔬 CI Verify — workflow_call ({0})', github.sha) ||
+    format('🔬 CI Verify — {0}', github.ref_name)
+  }}
+
+on:
+  push:
+    branches:
+      - main
+      - 'release/**'
+      - 'feature/**'
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '30 6 * * 1'  # Weekly CodeQL (Monday 06:30 UTC)
+    - cron: '0 6 * * 0'   # Weekly Fuzz (Sunday 06:00 UTC)
+  merge_group:
+    branches: [main]
+  workflow_call:
+    secrets:
+      CODECOV_TOKEN:
+        required: false
+
+concurrency:
+  group: ci-verify-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  zizmor:
+    name: "🔐 Security: Actions"
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8  # v0.5.2
+        with:
+          token: ${{ github.token }}
+
+  codeql:
+    name: "🛡️ SAST: CodeQL"
+    if: github.event_name == 'pull_request' || github.event_name == 'schedule' || (github.event_name == 'push' && github.ref == 'refs/heads/main')
+    needs: [zizmor]
+    runs-on: ubuntu-latest
+    timeout-minutes: 60  # CodeQL init/autobuild/analyze can be long on cache misses
+    permissions:
+      security-events: write
+      contents: read
+      actions: read
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [javascript-typescript]
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@b1bff81932f5cdfc8695c7752dcee935dcd061c8  # v4.33.0
+        with:
+          languages: ${{ matrix.language }}
+          config-file: ./.github/codeql/codeql-config.yml
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@b1bff81932f5cdfc8695c7752dcee935dcd061c8  # v4.33.0
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@b1bff81932f5cdfc8695c7752dcee935dcd061c8  # v4.33.0
+        with:
+          category: /language:${{ matrix.language }}
+
+  fuzz:
+    name: "🎯 Fuzz Testing"
+    if: github.event_name == 'pull_request' || github.event_name == 'schedule' || (github.event_name == 'push' && github.ref == 'refs/heads/main')
+    needs: [zizmor]
+    runs-on: ubuntu-latest
+    timeout-minutes: 25
+    permissions:
+      contents: read
+      issues: write
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
+        with:
+          node-version: 24
+          package-manager-cache: false
+
+      - name: Install dependencies
+        run: npm ci
+        working-directory: app
+
+      - name: Run fuzz tests
+        id: fuzz-run
+        continue-on-error: true
+        run: |
+          set -euo pipefail
+          mkdir -p ../artifacts/fuzz
+          npx vitest run --reporter=verbose '.fuzz.test.ts' 2>&1 | tee ../artifacts/fuzz/fuzz-test.log
+        working-directory: app
+
+      - name: Summarize fuzz result
+        id: fuzz-status
+        if: always()
+        env:
+          FUZZ_OUTCOME: ${{ steps.fuzz-run.outcome }}
+        run: |
+          set -euo pipefail
+
+          if [ "${FUZZ_OUTCOME}" = "success" ]; then
+            echo "failed=false" >> "$GITHUB_OUTPUT"
+            {
+              echo "### Fuzz Testing"
+              echo "- Result: PASS"
+              echo "- Log artifact: \`fuzz-log-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}\`"
+            } >> "$GITHUB_STEP_SUMMARY"
+            exit 0
+          fi
+
+          echo "failed=true" >> "$GITHUB_OUTPUT"
+          {
+            echo "### Fuzz Testing"
+            echo "- Result: FAIL"
+            echo "- AI_ACTION_REQUIRED: inspect fuzz log artifact and failing seed/case before merge."
+            echo "- Log artifact: \`fuzz-log-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}\`"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Upload fuzz log artifact
+        if: always()
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+        with:
+          name: fuzz-log-${{ github.run_id }}-${{ github.run_attempt }}
+          path: artifacts/fuzz/fuzz-test.log
+          if-no-files-found: warn
+          retention-days: 14
+
+      - name: Notify via issue on unattended failure
+        if: steps.fuzz-status.outputs.failed == 'true' && github.event_name == 'schedule'
+        env:
+          GH_TOKEN: ${{ github.token }}
+          ISSUE_TITLE: "🚨 CI: Fuzz tests failing on main"
+          RUN_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
+        run: |
+          set -euo pipefail
+
+          api_headers=(
+            -H "Authorization: Bearer ${GH_TOKEN}"
+            -H "Accept: application/vnd.github+json"
+          )
+
+          issues_url="${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/issues?state=open&per_page=100"
+          open_issues="$(curl -fsSL "${api_headers[@]}" "${issues_url}")"
+          existing_number="$(echo "${open_issues}" | jq -r --arg title "${ISSUE_TITLE}" '.[] | select(.title == $title and (.pull_request | not)) | .number' | head -n1)"
+
+          comment_body=$(
+            cat <<EOF
+          Fuzz job failed again.
+
+          - Workflow run: ${RUN_URL}
+          - Commit: \`${GITHUB_SHA}\`
+          - Ref: \`${GITHUB_REF}\`
+          - Log artifact: \`fuzz-log-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}\`
+          EOF
+          )
+
+          if [ -n "${existing_number}" ]; then
+            comment_url="${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/issues/${existing_number}/comments"
+            curl -fsSL -X POST "${api_headers[@]}" "${comment_url}" \
+              -d "$(jq -n --arg body "${comment_body}" '{body: $body}')" >/dev/null
+            exit 0
+          fi
+
+          issue_body=$(
+            cat <<EOF
+          Fuzz tests are failing on unattended runs.
+
+          - Latest failing run: ${RUN_URL}
+          - Commit: \`${GITHUB_SHA}\`
+          - Ref: \`${GITHUB_REF}\`
+          - Log artifact: \`fuzz-log-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}\`
+
+          Keep this issue open until fuzz is green again.
+          EOF
+          )
+
+          create_url="${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/issues"
+          curl -fsSL -X POST "${api_headers[@]}" "${create_url}" \
+            -d "$(jq -n --arg title "${ISSUE_TITLE}" --arg body "${issue_body}" '{title: $title, body: $body}')" >/dev/null
+
+      - name: Fail workflow on fuzz failure
+        if: steps.fuzz-status.outputs.failed == 'true'
+        run: exit 1
+
+  dependency-review:
+    name: "📦 Security: Dependency Review"
+    if: github.event_name == 'pull_request' || (github.event_name == 'push' && github.ref == 'refs/heads/main')
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+      pull-requests: read
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Dependency review
+        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48  # v4.9.0
+        with:
+          base-ref: ${{ github.event_name == 'push' && github.event.before || '' }}
+          head-ref: ${{ github.event_name == 'push' && github.sha || '' }}
+
+  commit-message:
+    name: "📝 Policy: Commit Message Gate (Advisory)"
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    continue-on-error: true
+    permissions:
+      contents: read
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
+        with:
+          node-version: 24
+          package-manager-cache: false
+
+      - name: Validate commit messages in PR range
+        env:
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+        run: node scripts/validate-commit-range.mjs --base "${BASE_SHA}" --head "${HEAD_SHA}"
+
+  lint:
+    name: "🧹 Quality: Lint"
+    if: github.event_name != 'schedule'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
+        with:
+          node-version: 24
+          package-manager-cache: false
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Block new @ts-nocheck usage
+        run: node scripts/check-ts-nocheck-allowlist.mjs
+
+      - name: Biome check
+        run: npx biome check .
+
+      - name: Setup Qlty
+        uses: qltysh/qlty-action/install@a19242102d17e497f437d7466aa01b528537e899  # v2.2.0
+
+      - name: Qlty check (all plugins, enforced)
+        run: ./scripts/qlty-check-gate.sh all
+
+      - name: Qlty smells report (advisory)
+        run: |
+          mkdir -p artifacts/qlty
+          node scripts/qlty-smells-gate.mjs \
+            --scope=all \
+            --sarif-output=artifacts/qlty/qlty-smells-all.sarif \
+            --summary-output=artifacts/qlty/qlty-smells-summary.md
+
+      - name: Upload Qlty smells report
+        if: always()
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+        with:
+          name: qlty-smells-${{ github.run_id }}-${{ github.run_attempt }}
+          path: artifacts/qlty
+          if-no-files-found: warn
+          retention-days: 14
+
+  test:
+    name: "🧪 Quality: Test & Coverage"
+    if: github.event_name != 'schedule'
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    environment: ci-codecov
+    permissions:
+      contents: read
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
+        with:
+          node-version: 24
+          package-manager-cache: false
+
+      - name: Install app dependencies
+        run: npm ci
+        working-directory: app
+
+      - name: Install ui dependencies
+        run: npm ci
+        working-directory: ui
+
+      - name: Run app tests
+        run: npm test
+        working-directory: app
+
+      - name: Run ui tests
+        run: npm run test:unit
+        working-directory: ui
+
+      - name: Normalize coverage paths for Codecov
+        run: node scripts/prepare-codecov-reports.mjs
+
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2  # v6.0.0
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          files: coverage/codecov-app.lcov.info,coverage/codecov-ui.lcov.info
+          flags: app,ui
+          fail_ci_if_error: false  # coverage upload is informational — don't block CI on transient Codecov infra failures
+
+  build:
+    name: "🏗️ Build"
+    if: github.event_name != 'schedule'
+    needs: [lint, test]
+    runs-on: ubuntu-latest
+    timeout-minutes: 35  # Includes UI build + single-arch QA image + multi-arch smoke build
+    permissions:
+      contents: read
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
+        with:
+          node-version: 24
+          package-manager-cache: false
+
+      - name: Install ui dependencies
+        run: npm ci
+        working-directory: ui
+
+      - name: Build ui
+        run: npm run build
+        working-directory: ui
+
+      - name: Build Storybook (regression smoke)
+        run: npm run test:storybook
+        working-directory: ui
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd  # v4.0.0
+
+      - name: Docker build (QA image + smoke test)
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294  # v7.0.0
+        with:
+          context: .
+          push: false
+          load: true
+          tags: drydock:dev
+          build-args: DD_VERSION=ci
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Set up QEMU (multi-arch smoke build)
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a  # v4.0.0
+
+      - name: Docker build (multi-arch smoke)
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294  # v7.0.0
+        with:
+          context: .
+          push: false
+          platforms: linux/amd64,linux/arm64
+          build-args: DD_VERSION=ci-multiarch-smoke
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Export QA image artifact
+        run: |
+          mkdir -p artifacts/qa
+          docker save drydock:dev | gzip > artifacts/qa/drydock-dev-image.tar.gz
+
+      - name: Upload QA image artifact
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+        with:
+          name: qa-image-${{ github.run_id }}-${{ github.run_attempt }}
+          path: artifacts/qa/drydock-dev-image.tar.gz
+          if-no-files-found: error
+          retention-days: 1
+
+  dast-zap-baseline:
+    name: "🕷️ DAST: ZAP Baseline"
+    runs-on: ubuntu-latest
+    timeout-minutes: 25  # Includes QA stack startup and scanner container runtime
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/heads/release/')
+    needs: [build]
+    permissions:
+      contents: read
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Download QA image artifact
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
+        with:
+          name: qa-image-${{ github.run_id }}-${{ github.run_attempt }}
+          path: artifacts/qa
+
+      - name: Load QA image
+        run: docker load < artifacts/qa/drydock-dev-image.tar.gz
+
+      - name: Start QA stack
+        run: docker compose -p drydock-zap -f test/qa-compose.yml up -d
+
+      - name: Wait for QA health
+        run: |
+          set -euo pipefail
+          for _ in $(seq 1 60); do
+            if curl -sf http://localhost:3333/health >/dev/null 2>&1; then
+              echo "Drydock is healthy"
+              exit 0
+            fi
+            sleep 2
+          done
+
+          echo "Drydock failed to become healthy after 120 seconds."
+          docker compose -p drydock-zap -f test/qa-compose.yml ps
+          exit 1
+
+      - name: Run ZAP baseline scan
+        uses: zaproxy/action-baseline@de8ad967d3548d44ef623df22cf95c3b0baf8b25  # v0.15.0
+        with:
+          target: http://localhost:3333
+          docker_name: ghcr.io/zaproxy/zaproxy:stable
+          allow_issue_writing: false
+          fail_action: true
+          cmd_options: '-I'
+
+      - name: Upload ZAP HTML report
+        if: always()
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+        with:
+          name: zap-baseline-html-${{ github.run_id }}-${{ github.run_attempt }}
+          path: report_html.html
+          if-no-files-found: warn
+          retention-days: 30
+
+      - name: Summarize ZAP findings
+        if: always()
+        run: |
+          set -uo pipefail
+
+          report="report_json.json"
+          artifact_name="zap-baseline-html-${{ github.run_id }}-${{ github.run_attempt }}"
+          artifact_url="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }}#artifacts"
+
+          high=0
+          medium=0
+          low=0
+          info=0
+          total=0
+          parse_error=0
+
+          if [ -f "${report}" ] && [ -s "${report}" ]; then
+            if jq -e . "${report}" >/dev/null 2>&1; then
+              high="$(jq '[.site[]?.alerts[]? | select((.riskcode // "") == "3")] | length' "${report}")"
+              medium="$(jq '[.site[]?.alerts[]? | select((.riskcode // "") == "2")] | length' "${report}")"
+              low="$(jq '[.site[]?.alerts[]? | select((.riskcode // "") == "1")] | length' "${report}")"
+              info="$(jq '[.site[]?.alerts[]? | select((.riskcode // "") == "0")] | length' "${report}")"
+              total=$((high + medium + low + info))
+            else
+              parse_error=1
+            fi
+          fi
+
+          {
+            echo "### DAST: ZAP Baseline"
+            if [ ! -f "${report}" ]; then
+              echo "- Report: JSON output not found (\`${report}\`)."
+            elif [ ! -s "${report}" ]; then
+              echo "- Report: JSON output is empty (\`${report}\`)."
+            elif [ "${parse_error}" -eq 1 ]; then
+              echo "- Report: JSON output could not be parsed (\`${report}\`)."
+            fi
+            echo "- Findings: **${total}**"
+            echo "- Severity breakdown: high=${high}, medium=${medium}, low=${low}, info=${info}"
+            echo "- Artifact: [${artifact_name}](${artifact_url})"
+          } >> "${GITHUB_STEP_SUMMARY}"
+
+      - name: Show QA logs on failure
+        if: failure()
+        run: docker compose -p drydock-zap -f test/qa-compose.yml logs --no-color
+
+      - name: Stop QA stack
+        if: always()
+        run: docker compose -p drydock-zap -f test/qa-compose.yml down -v --remove-orphans
+
+  dast-nuclei:
+    name: "🔎 DAST: Nuclei"
+    runs-on: ubuntu-latest
+    timeout-minutes: 25  # Includes QA stack startup and full medium+ template pass
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/heads/release/')
+    needs: [build]
+    permissions:
+      contents: read
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Download QA image artifact
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
+        with:
+          name: qa-image-${{ github.run_id }}-${{ github.run_attempt }}
+          path: artifacts/qa
+
+      - name: Load QA image
+        run: docker load < artifacts/qa/drydock-dev-image.tar.gz
+
+      - name: Start QA stack
+        run: docker compose -p drydock-nuclei -f test/qa-compose.yml up -d
+
+      - name: Wait for QA health
+        run: |
+          set -euo pipefail
+          for _ in $(seq 1 60); do
+            if curl -sf http://localhost:3333/health >/dev/null 2>&1; then
+              echo "Drydock is healthy"
+              exit 0
+            fi
+            sleep 2
+          done
+
+          echo "Drydock failed to become healthy after 120 seconds."
+          docker compose -p drydock-nuclei -f test/qa-compose.yml ps
+          exit 1
+
+      - name: Create Nuclei report directory
+        run: mkdir -p artifacts/dast
+
+      - name: Run Nuclei scan
+        id: nuclei_scan
+        continue-on-error: true
+        uses: projectdiscovery/nuclei-action@32a91c0da7be14c07b0ade6c14fa0f6e78d97c9c  # v3.1.0
+        with:
+          version: v3.7.1
+          args: -u http://localhost:3333 -as -severity medium,high,critical -json-export artifacts/dast/nuclei-report.json -silent
+
+      - name: Enforce Nuclei severity gate (medium+)
+        env:
+          SCAN_OUTCOME: ${{ steps.nuclei_scan.outcome }}
+        run: |
+          set -euo pipefail
+
+          report="artifacts/dast/nuclei-report.json"
+
+          if [ ! -f "${report}" ]; then
+            echo "Nuclei did not produce a JSON report."
+            if [ "${SCAN_OUTCOME}" != "success" ]; then
+              echo "Nuclei action failed before report generation."
+              exit 1
+            fi
+            exit 0
+          fi
+
+          if [ ! -s "${report}" ]; then
+            echo "No medium+ findings detected."
+            if [ "${SCAN_OUTCOME}" != "success" ]; then
+              echo "Nuclei action did not succeed."
+              exit 1
+            fi
+            exit 0
+          fi
+
+          finding_count="$(jq -s '[.[] | (if type == "array" then .[] else . end) | select(((.info.severity // .severity // "") | ascii_downcase | test("^(medium|high|critical)$")))] | length' "${report}")"
+          echo "Medium+ findings: ${finding_count}"
+
+          if [ "${SCAN_OUTCOME}" != "success" ]; then
+            echo "Nuclei action did not complete successfully."
+            exit 1
+          fi
+
+          if [ "${finding_count}" -gt 0 ]; then
+            echo "Nuclei reported medium+ severity findings."
+            exit 1
+          fi
+
+      - name: Upload Nuclei JSON report
+        if: always()
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+        with:
+          name: nuclei-json-${{ github.run_id }}-${{ github.run_attempt }}
+          path: artifacts/dast/nuclei-report.json
+          if-no-files-found: warn
+          retention-days: 30
+
+      - name: Summarize Nuclei findings
+        if: always()
+        run: |
+          set -uo pipefail
+
+          report="artifacts/dast/nuclei-report.json"
+          artifact_name="nuclei-json-${{ github.run_id }}-${{ github.run_attempt }}"
+          artifact_url="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }}#artifacts"
+
+          critical=0
+          high=0
+          medium=0
+          low=0
+          info=0
+          total=0
+          parse_error=0
+
+          if [ -f "${report}" ] && [ -s "${report}" ]; then
+            if jq -e -s . "${report}" >/dev/null 2>&1; then
+              total="$(jq -s '[.[] | (if type == "array" then .[] else . end)] | length' "${report}")"
+              critical="$(jq -s '[.[] | (if type == "array" then .[] else . end) | select(((.info.severity // .severity // "") | ascii_downcase) == "critical")] | length' "${report}")"
+              high="$(jq -s '[.[] | (if type == "array" then .[] else . end) | select(((.info.severity // .severity // "") | ascii_downcase) == "high")] | length' "${report}")"
+              medium="$(jq -s '[.[] | (if type == "array" then .[] else . end) | select(((.info.severity // .severity // "") | ascii_downcase) == "medium")] | length' "${report}")"
+              low="$(jq -s '[.[] | (if type == "array" then .[] else . end) | select(((.info.severity // .severity // "") | ascii_downcase) == "low")] | length' "${report}")"
+              info="$(jq -s '[.[] | (if type == "array" then .[] else . end) | select(((.info.severity // .severity // "") | ascii_downcase) == "info")] | length' "${report}")"
+            else
+              parse_error=1
+            fi
+          fi
+
+          {
+            echo "### DAST: Nuclei"
+            if [ ! -f "${report}" ]; then
+              echo "- Report: JSON output not found (\`${report}\`)."
+            elif [ ! -s "${report}" ]; then
+              echo "- Report: JSON output is empty (\`${report}\`)."
+            elif [ "${parse_error}" -eq 1 ]; then
+              echo "- Report: JSON output could not be parsed (\`${report}\`)."
+            fi
+            echo "- Findings: **${total}**"
+            echo "- Severity breakdown: critical=${critical}, high=${high}, medium=${medium}, low=${low}, info=${info}"
+            echo "- Artifact: [${artifact_name}](${artifact_url})"
+          } >> "${GITHUB_STEP_SUMMARY}"
+
+      - name: Show QA logs on failure
+        if: failure()
+        run: docker compose -p drydock-nuclei -f test/qa-compose.yml logs --no-color
+
+      - name: Stop QA stack
+        if: always()
+        run: docker compose -p drydock-nuclei -f test/qa-compose.yml down -v --remove-orphans
+
+  e2e:
+    name: "🥒 E2E: Cucumber"
+    if: github.event_name != 'schedule'
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    needs: [build]
+    permissions:
+      contents: read
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
+        with:
+          node-version: 24
+          package-manager-cache: false
+
+      - name: Install e2e dependencies
+        run: npm ci
+        working-directory: e2e
+
+      - name: Setup test containers
+        run: ./scripts/setup-test-containers.sh
+
+      - name: Start drydock
+        id: drydock
+        run: ./scripts/start-drydock.sh
+
+      - name: Run Cucumber e2e tests
+        run: npm run cucumber
+        working-directory: e2e
+        env:
+          DD_PORT: ${{ steps.drydock.outputs.dd_port }}
+
+      - name: Show drydock logs on failure
+        if: failure()
+        run: docker logs drydock
+
+      - name: Cleanup
+        if: always()
+        run: ./scripts/cleanup-test-containers.sh
+
+  playwright:
+    name: "🎭 E2E: Playwright"
+    if: github.event_name != 'schedule'
+    runs-on: ubuntu-latest
+    timeout-minutes: 25  # Browser install + QA stack startup + full UI flow tests
+    needs: [build]
+    permissions:
+      contents: read
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
+        with:
+          node-version: 24
+          package-manager-cache: false
+
+      - name: Download QA image artifact
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
+        with:
+          name: qa-image-${{ github.run_id }}-${{ github.run_attempt }}
+          path: artifacts/qa
+
+      - name: Load QA image
+        run: docker load < artifacts/qa/drydock-dev-image.tar.gz
+
+      - name: Install e2e dependencies
+        run: npm ci
+        working-directory: e2e
+
+      - name: Install Playwright Chromium
+        run: npx playwright install --with-deps chromium
+        working-directory: e2e
+
+      - name: Start QA stack
+        run: docker compose -p drydock-playwright -f test/qa-compose.yml up -d
+
+      - name: Wait for QA health
+        run: |
+          set -euo pipefail
+          for _ in $(seq 1 60); do
+            if curl -sf http://localhost:3333/health >/dev/null 2>&1; then
+              echo "Drydock QA is healthy"
+              exit 0
+            fi
+            sleep 2
+          done
+
+          echo "Drydock QA failed to become healthy after 120 seconds."
+          docker compose -p drydock-playwright -f test/qa-compose.yml ps
+          exit 1
+
+      - name: Run Playwright tests
+        run: npm run test:playwright
+        working-directory: e2e
+
+      - name: Upload Playwright HTML report
+        if: failure()
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+        with:
+          name: playwright-html-${{ github.run_id }}-${{ github.run_attempt }}
+          path: e2e/playwright-report
+          if-no-files-found: warn
+          retention-days: 14
+
+      - name: Upload Playwright traces
+        if: failure()
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+        with:
+          name: playwright-traces-${{ github.run_id }}-${{ github.run_attempt }}
+          path: e2e/test-results
+          if-no-files-found: warn
+          retention-days: 14
+
+      - name: Show QA logs on failure
+        if: failure()
+        run: docker compose -p drydock-playwright -f test/qa-compose.yml logs --no-color
+
+      - name: Stop QA stack
+        if: always()
+        run: docker compose -p drydock-playwright -f test/qa-compose.yml down -v --remove-orphans
+
+  load-test-ci:
+    name: "⚡ Load Test: CI"
+    runs-on: ubuntu-latest
+    timeout-minutes: 30  # Full enforced load/correctness gates on push
+    if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/'))
+    needs: [build]
+    permissions:
+      contents: read
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
+        with:
+          node-version: 24
+          package-manager-cache: false
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd  # v4.0.0
+
+      - name: Install e2e dependencies
+        run: npm ci
+        working-directory: e2e
+
+      - name: Run Artillery load test
+        id: run-load-test-ci
+        env:
+          ARTILLERY_ENV: ci
+          DD_LOAD_TEST_BUILD_CACHE: gha
+          DD_LOAD_TEST_ARTIFACT_DIR: artifacts/load-test/ci
+        run: ./scripts/run-load-test.sh
+
+      - name: Run Artillery behavior test
+        env:
+          ARTILLERY_FILE: ./test/test-behavior.yml
+          ARTILLERY_ENV: behavior
+          DD_LOAD_TEST_BUILD_CACHE: gha
+          DD_LOAD_TEST_ARTIFACT_DIR: artifacts/load-test/behavior
+        run: ./scripts/run-load-test.sh
+
+      - name: Summarize load test metrics (ci)
+        if: always()
+        run: |
+          report="$(find artifacts/load-test/ci -maxdepth 1 -name '*.json' -printf '%T@ %p\n' 2>/dev/null | sort -rn | head -n1 | cut -d' ' -f2-)"
+          ./scripts/summarize-load-test-report.sh "$report" "Load Test (CI)"
+
+      - name: Summarize load test metrics (behavior)
+        if: always()
+        run: |
+          report="$(find artifacts/load-test/behavior -maxdepth 1 -name '*.json' -printf '%T@ %p\n' 2>/dev/null | sort -rn | head -n1 | cut -d' ' -f2-)"
+          ./scripts/summarize-load-test-report.sh "$report" "Load Test (Behavior)"
+
+      - name: Correctness check (ci, enforced)
+        if: always()
+        env:
+          DD_LOAD_TEST_CORRECTNESS_ENFORCE: 'true'
+          DD_LOAD_TEST_MAX_5XX: '0'
+          DD_LOAD_TEST_MAX_VUSERS_FAILED: '0'
+          DD_LOAD_TEST_MIN_429: '0'
+          DD_LOAD_TEST_MAX_429: '0'
+        run: |
+          report="$(find artifacts/load-test/ci -maxdepth 1 -name '*.json' -printf '%T@ %p\n' 2>/dev/null | sort -rn | head -n1 | cut -d' ' -f2-)"
+          ./scripts/check-load-test-correctness.sh "$report" "Load Test Correctness (CI)"
+
+      - name: Correctness check (behavior, advisory)
+        if: always()
+        env:
+          DD_LOAD_TEST_CORRECTNESS_ENFORCE: 'false'
+          DD_LOAD_TEST_MAX_5XX: '0'
+          DD_LOAD_TEST_MAX_VUSERS_FAILED: '0'
+          DD_LOAD_TEST_MIN_429: '0'
+          DD_LOAD_TEST_MAX_429: '0'
+        run: |
+          report="$(find artifacts/load-test/behavior -maxdepth 1 -name '*.json' -printf '%T@ %p\n' 2>/dev/null | sort -rn | head -n1 | cut -d' ' -f2-)"
+          ./scripts/check-load-test-correctness.sh "$report" "Load Test Correctness (Behavior)"
+
+      - name: Resolve committed load test baseline (ci)
+        id: load-test-baseline-ci
+        if: ${{ always() && steps.run-load-test-ci.conclusion == 'success' }}
+        run: |
+          set -euo pipefail
+
+          baseline_report="test/load-test-baselines/ci.json"
+          if [ ! -f "${baseline_report}" ]; then
+            echo "::error::Committed baseline not found at ${baseline_report}."
+            exit 1
+          fi
+
+          echo "baseline_artifact_name=repo:${baseline_report}" >> "${GITHUB_OUTPUT}"
+          echo "baseline_report=${baseline_report}" >> "${GITHUB_OUTPUT}"
+
+      - name: Regression check against committed baseline (ci, enforced)
+        if: ${{ always() && steps.run-load-test-ci.conclusion == 'success' }}
+        env:
+          BASELINE_REPORT: ${{ steps.load-test-baseline-ci.outputs.baseline_report }}
+          DD_LOAD_TEST_BASELINE_ARTIFACT_NAME: ${{ steps.load-test-baseline-ci.outputs.baseline_artifact_name }}
+          DD_LOAD_TEST_MAX_P95_INCREASE_PCT: '20'
+          DD_LOAD_TEST_MAX_P99_INCREASE_PCT: '25'
+          DD_LOAD_TEST_MAX_RATE_DECREASE_PCT: '15'
+          DD_LOAD_TEST_MAX_P95_MS: '1200'
+          DD_LOAD_TEST_MAX_P99_MS: '2500'
+          DD_LOAD_TEST_MIN_REQUEST_RATE: '10'
+          DD_LOAD_TEST_REGRESSION_ENFORCE: 'true'
+        run: |
+          set -euo pipefail
+
+          if [ "${DD_LOAD_TEST_REGRESSION_ENFORCE:-}" != "true" ]; then
+            echo "::error::Regression gate misconfigured: DD_LOAD_TEST_REGRESSION_ENFORCE must be true in enforced mode."
+            exit 1
+          fi
+
+          current_report="$(find artifacts/load-test/ci -maxdepth 1 -name '*.json' -printf '%T@ %p\n' 2>/dev/null | sort -rn | head -n1 | cut -d' ' -f2-)"
+          if [ -z "${current_report}" ]; then
+            echo "::error::Current CI report not found; cannot run regression gate."
+            exit 1
+          fi
+
+          if [ -z "${BASELINE_REPORT}" ]; then
+            echo "::error::Baseline report path is empty; expected committed baseline."
+            exit 1
+          fi
+
+          ./scripts/check-load-test-regression.sh "${current_report}" "${BASELINE_REPORT}"
+
+      - name: Upload load test artifact (ci)
+        if: always()
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+        with:
+          name: load-test-ci-${{ github.run_id }}-${{ github.run_attempt }}
+          path: artifacts/load-test/ci/*.json
+          if-no-files-found: warn
+          retention-days: 30
+
+      - name: Upload load test artifact (behavior)
+        if: always()
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+        with:
+          name: load-test-behavior-${{ github.run_id }}-${{ github.run_attempt }}
+          path: artifacts/load-test/behavior/*.json
+          if-no-files-found: warn
+          retention-days: 30
+
+  auto-tag:
+    name: "🏷️ Release: Auto Tag"
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    needs: [zizmor, dependency-review, lint, test, build, e2e, playwright, load-test-ci, codeql, fuzz]
+    permissions:
+      contents: write
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: true
+
+      - name: Compute release tag
+        id: compute
+        env:
+          TARGET_SHA: ${{ github.sha }}
+        run: |
+          set -euo pipefail
+
+          latest_tag="$(git tag --list 'v*' --sort=-v:refname | head -n1)"
+          if [ -z "${latest_tag}" ]; then
+            latest_tag="v0.0.0"
+          fi
+
+          current_version="${latest_tag#v}"
+
+          if [ "${latest_tag}" = "v0.0.0" ]; then
+            release_level="patch"
+            next_version="0.0.1"
+          else
+            set +e
+            mapfile -t vars < <(node scripts/release-next-version.mjs \
+              --current "${current_version}" \
+              --bump auto \
+              --from "${latest_tag}" \
+              --to "${TARGET_SHA}")
+            rc=$?
+            set -e
+
+            if [ "${rc}" -ne 0 ]; then
+              echo "No releasable commits found; skipping auto tag."
+              echo "should_tag=false" >> "$GITHUB_OUTPUT"
+              exit 0
+            fi
+
+            for kv in "${vars[@]}"; do
+              key="${kv%%=*}"
+              value="${kv#*=}"
+              case "${key}" in
+                release_level) release_level="${value}" ;;
+                next_version) next_version="${value}" ;;
+              esac
+            done
+          fi
+
+          release_tag="v${next_version}"
+          if git rev-parse -q --verify "refs/tags/${release_tag}" >/dev/null; then
+            echo "Tag already exists: ${release_tag}; nothing to do."
+            echo "should_tag=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          {
+            echo "should_tag=true"
+            echo "release_level=${release_level}"
+            echo "release_tag=${release_tag}"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Create and push release tag
+        if: steps.compute.outputs.should_tag == 'true'
+        env:
+          RELEASE_TAG: ${{ steps.compute.outputs.release_tag }}
+          TARGET_SHA: ${{ github.sha }}
+        run: |
+          set -euo pipefail
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git tag -a "${RELEASE_TAG}" "${TARGET_SHA}" -m "release: ${RELEASE_TAG}"
+          git push origin "${RELEASE_TAG}"
+
+      - name: Tag summary
+        if: always()
+        env:
+          SHOULD_TAG: ${{ steps.compute.outputs.should_tag }}
+          RELEASE_LEVEL: ${{ steps.compute.outputs.release_level }}
+          RELEASE_TAG: ${{ steps.compute.outputs.release_tag }}
+        run: |
+          set -euo pipefail
+          should_tag="${SHOULD_TAG:-false}"
+          {
+            echo "### Auto Tag"
+            echo "- should_tag: \`${should_tag}\`"
+            if [ "${should_tag}" = "true" ]; then
+              echo "- release_level: \`${RELEASE_LEVEL}\`"
+              echo "- release_tag: \`${RELEASE_TAG}\`"
+            fi
+          } >> "$GITHUB_STEP_SUMMARY"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
deleted file mode 100644
index 73f63d88d..000000000
--- a/.github/workflows/ci.yml
+++ /dev/null
@@ -1,573 +0,0 @@
-name: CI
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
-  workflow_call:
-    secrets:
-      CODECOV_TOKEN:
-        required: false
-      ARTILLERY_CLOUD_API_KEY:
-        required: false
-
-permissions:
-  contents: read
-
-jobs:
-  zizmor:
-    name: Actions Security
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      security-events: write
-      actions: read
-
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Run zizmor
-        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8  # v0.5.2
-        with:
-          online-audits: false
-
-  lint:
-    name: Lint
-    needs: [zizmor]
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Setup Node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
-        with:
-          node-version: 24
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Block new @ts-nocheck usage
-        run: node scripts/check-ts-nocheck-allowlist.mjs
-
-      - name: Biome check
-        run: npx biome check .
-
-      - name: Setup Qlty
-        uses: qltysh/qlty-action/install@a19242102d17e497f437d7466aa01b528537e899  # v2.2.0
-
-      - name: Qlty check (all plugins)
-        run: |
-          for attempt in 1 2 3; do
-            echo "::group::Attempt $attempt of 3"
-            if qlty check --all --no-progress; then
-              echo "::endgroup::"
-              exit 0
-            fi
-            echo "::endgroup::"
-            if [ "$attempt" -lt 3 ]; then
-              echo "Attempt $attempt failed, retrying in 10s..."
-              sleep 10
-            fi
-          done
-          echo "::error::Qlty check failed after 3 attempts"
-          exit 1
-        timeout-minutes: 8
-
-  test:
-    name: Test & Coverage
-    needs: [zizmor]
-    runs-on: ubuntu-latest
-    environment: ci
-    permissions:
-      contents: read
-
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
-        with:
-          node-version: 24
-          cache: 'npm'
-          cache-dependency-path: |
-            app/package-lock.json
-            ui/package-lock.json
-
-      - name: Install app dependencies
-        run: npm ci
-        working-directory: app
-
-      - name: Install ui dependencies
-        run: npm ci
-        working-directory: ui
-
-      - name: Run app tests
-        run: npm test
-        working-directory: app
-
-      - name: Run ui tests
-        run: npm run test:unit
-        working-directory: ui
-
-      - name: Normalize coverage paths for Codecov
-        run: node scripts/prepare-codecov-reports.mjs
-
-      - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de  # v5.5.2
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: coverage/codecov-app.lcov.info,coverage/codecov-ui.lcov.info
-          flags: app,ui
-          fail_ci_if_error: false  # coverage upload is informational — don't block CI on transient Codecov infra failures
-
-  build:
-    name: Build
-    runs-on: ubuntu-latest
-    needs: [zizmor, lint, test]
-    permissions:
-      contents: read
-
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
-        with:
-          node-version: 24
-          cache: 'npm'
-          cache-dependency-path: ui/package-lock.json
-
-      - name: Install ui dependencies
-        run: npm ci
-        working-directory: ui
-
-      - name: Build ui
-        run: npm run build
-        working-directory: ui
-
-      - name: Build Storybook (regression smoke)
-        run: npm run test:storybook
-        working-directory: ui
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a  # v4.0.0
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd  # v4.0.0
-
-      - name: Docker build (multi-platform smoke test)
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294  # v7.0.0
-        with:
-          context: .
-          push: false
-          platforms: linux/amd64,linux/arm64
-          build-args: DD_VERSION=ci
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-  e2e:
-    name: E2E Tests
-    runs-on: ubuntu-latest
-    needs: [build]
-    permissions:
-      contents: read
-
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
-        with:
-          node-version: 24
-          cache: 'npm'
-          cache-dependency-path: e2e/package-lock.json
-
-      - name: Install e2e dependencies
-        run: npm ci
-        working-directory: e2e
-
-      - name: Setup test containers
-        run: ./scripts/setup-test-containers.sh
-
-      - name: Start drydock
-        id: drydock
-        run: ./scripts/start-drydock.sh
-
-      - name: Run Cucumber e2e tests
-        run: npm run cucumber
-        working-directory: e2e
-        env:
-          DD_PORT: ${{ steps.drydock.outputs.dd_port }}
-
-      - name: Show drydock logs on failure
-        if: failure()
-        run: docker logs drydock
-
-      - name: Cleanup
-        if: always()
-        run: ./scripts/cleanup-test-containers.sh
-
-  load-test-smoke:
-    name: Load Test (Smoke)
-    runs-on: ubuntu-latest
-    if: github.event_name == 'pull_request'
-    continue-on-error: true  # advisory until baselines stabilize for this release cycle
-    needs: [build]
-    environment: ci
-    permissions:
-      contents: read
-      actions: read
-
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
-        with:
-          node-version: 24
-          cache: 'npm'
-          cache-dependency-path: e2e/package-lock.json
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd  # v4.0.0
-
-      - name: Install e2e dependencies
-        run: npm ci
-        working-directory: e2e
-
-      - name: Run Artillery smoke test (advisory)
-        continue-on-error: true
-        env:
-          ARTILLERY_ENV: smoke
-          DD_LOAD_TEST_BUILD_CACHE: gha
-          DD_LOAD_TEST_ARTIFACT_DIR: artifacts/load-test/smoke
-          ARTILLERY_CLOUD_API_KEY: ${{ secrets.ARTILLERY_CLOUD_API_KEY }}
-        run: ./scripts/run-load-test.sh
-
-      - name: Run Artillery behavior test (advisory)
-        continue-on-error: true
-        env:
-          ARTILLERY_FILE: ./test/test-behavior.yml
-          ARTILLERY_ENV: behavior
-          DD_LOAD_TEST_BUILD_CACHE: gha
-          DD_LOAD_TEST_ARTIFACT_DIR: artifacts/load-test/behavior
-          ARTILLERY_CLOUD_API_KEY: ${{ secrets.ARTILLERY_CLOUD_API_KEY }}
-        run: ./scripts/run-load-test.sh
-
-      - name: Summarize load test metrics (smoke)
-        if: always()
-        run: |
-          report="$(find artifacts/load-test/smoke -maxdepth 1 -name '*.json' -printf '%T@ %p\n' 2>/dev/null | sort -rn | head -n1 | cut -d' ' -f2-)"
-          ./scripts/summarize-load-test-report.sh "$report" "Load Test (Smoke)"
-
-      - name: Summarize load test metrics (behavior)
-        if: always()
-        run: |
-          report="$(find artifacts/load-test/behavior -maxdepth 1 -name '*.json' -printf '%T@ %p\n' 2>/dev/null | sort -rn | head -n1 | cut -d' ' -f2-)"
-          ./scripts/summarize-load-test-report.sh "$report" "Load Test (Behavior)"
-
-      - name: Correctness check (smoke, advisory)
-        if: always()
-        env:
-          DD_LOAD_TEST_CORRECTNESS_ENFORCE: 'false'
-          DD_LOAD_TEST_MAX_5XX: '0'
-          DD_LOAD_TEST_MAX_VUSERS_FAILED: '0'
-          DD_LOAD_TEST_MIN_429: '0'
-          DD_LOAD_TEST_MAX_429: '0'
-        run: |
-          report="$(find artifacts/load-test/smoke -maxdepth 1 -name '*.json' -printf '%T@ %p\n' 2>/dev/null | sort -rn | head -n1 | cut -d' ' -f2-)"
-          ./scripts/check-load-test-correctness.sh "$report" "Load Test Correctness (Smoke)"
-
-      - name: Correctness check (behavior, advisory)
-        if: always()
-        env:
-          DD_LOAD_TEST_CORRECTNESS_ENFORCE: 'false'
-          DD_LOAD_TEST_MAX_5XX: '0'
-          DD_LOAD_TEST_MAX_VUSERS_FAILED: '0'
-          DD_LOAD_TEST_MIN_429: '0'
-          DD_LOAD_TEST_MAX_429: '0'
-        run: |
-          report="$(find artifacts/load-test/behavior -maxdepth 1 -name '*.json' -printf '%T@ %p\n' 2>/dev/null | sort -rn | head -n1 | cut -d' ' -f2-)"
-          ./scripts/check-load-test-correctness.sh "$report" "Load Test Correctness (Behavior)"
-
-      - name: Fetch load test baseline from main
-        id: load-test-baseline
-        if: success()
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          set -euo pipefail
-
-          base_dir="artifacts/load-test/baseline"
-          mkdir -p "${base_dir}"
-
-          api_get() {
-            local url="$1"
-            curl -fsSL \
-              -H "Authorization: Bearer ${GH_TOKEN}" \
-              -H "Accept: application/vnd.github+json" \
-              "${url}"
-          }
-
-          runs_url="${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/actions/workflows/ci.yml/runs?branch=main&event=push&status=success&per_page=30"
-          runs_json="$(api_get "${runs_url}" || true)"
-          if [ -z "${runs_json}" ]; then
-            echo "Could not fetch workflow runs for baseline lookup."
-            echo "baseline_report=" >> "${GITHUB_OUTPUT}"
-            exit 0
-          fi
-
-          mapfile -t run_ids < <(echo "${runs_json}" | jq -r '.workflow_runs[].id')
-
-          baseline_url=""
-          baseline_name=""
-          for run_id in "${run_ids[@]}"; do
-            artifacts_url="${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/actions/runs/${run_id}/artifacts?per_page=100"
-            artifacts_json="$(api_get "${artifacts_url}" || true)"
-            if [ -z "${artifacts_json}" ]; then
-              continue
-            fi
-
-            baseline_url="$(echo "${artifacts_json}" | jq -r '.artifacts[] | select(.expired == false and (.name | startswith("load-test-ci-"))) | .archive_download_url' | head -n1)"
-            baseline_name="$(echo "${artifacts_json}" | jq -r '.artifacts[] | select(.expired == false and (.name | startswith("load-test-ci-"))) | .name' | head -n1)"
-
-            if [ -n "${baseline_url}" ] && [ "${baseline_url}" != "null" ]; then
-              break
-            fi
-          done
-
-          if [ -z "${baseline_url}" ] || [ "${baseline_url}" = "null" ]; then
-            echo "No non-expired load-test-ci artifact found on main yet."
-            echo "baseline_report=" >> "${GITHUB_OUTPUT}"
-            exit 0
-          fi
-
-          zip_path="${base_dir}/baseline.zip"
-          if ! curl -fsSL \
-            -H "Authorization: Bearer ${GH_TOKEN}" \
-            -H "Accept: application/vnd.github+json" \
-            "${baseline_url}" \
-            -o "${zip_path}"; then
-            echo "Failed to download baseline artifact: ${baseline_name}"
-            echo "baseline_report=" >> "${GITHUB_OUTPUT}"
-            exit 0
-          fi
-
-          unpack_dir="${base_dir}/unpacked"
-          mkdir -p "${unpack_dir}"
-          unzip -oq "${zip_path}" -d "${unpack_dir}"
-
-          baseline_report="$(find "${unpack_dir}" -maxdepth 1 -name '*.json' -printf '%T@ %p\n' 2>/dev/null | sort -rn | head -n1 | cut -d' ' -f2-)"
-          if [ -z "${baseline_report}" ]; then
-            echo "Downloaded baseline artifact did not include a json report."
-            echo "baseline_report=" >> "${GITHUB_OUTPUT}"
-            exit 0
-          fi
-
-          echo "baseline_artifact_name=${baseline_name}" >> "${GITHUB_OUTPUT}"
-          echo "baseline_report=${baseline_report}" >> "${GITHUB_OUTPUT}"
-
-      - name: Regression check against main baseline (advisory)
-        if: success()
-        env:
-          BASELINE_REPORT: ${{ steps.load-test-baseline.outputs.baseline_report }}
-          DD_LOAD_TEST_BASELINE_ARTIFACT_NAME: ${{ steps.load-test-baseline.outputs.baseline_artifact_name }}
-          DD_LOAD_TEST_MAX_P95_INCREASE_PCT: '20'
-          DD_LOAD_TEST_MAX_P99_INCREASE_PCT: '25'
-          DD_LOAD_TEST_MAX_RATE_DECREASE_PCT: '15'
-          DD_LOAD_TEST_REGRESSION_ENFORCE: 'false'
-        run: |
-          set -euo pipefail
-
-          current_report="$(find artifacts/load-test/smoke -maxdepth 1 -name '*.json' -printf '%T@ %p\n' 2>/dev/null | sort -rn | head -n1 | cut -d' ' -f2-)"
-          if [ -z "${current_report}" ]; then
-            {
-              echo "### Load Test Regression Gate"
-              echo "- Current smoke report not found; skipping regression check."
-            } >> "${GITHUB_STEP_SUMMARY}"
-            exit 0
-          fi
-
-          if [ -z "${BASELINE_REPORT}" ]; then
-            {
-              echo "### Load Test Regression Gate"
-              echo "- No baseline load-test-ci artifact from \`main\` is available yet; skipping regression check."
-            } >> "${GITHUB_STEP_SUMMARY}"
-            exit 0
-          fi
-
-          ./scripts/check-load-test-regression.sh "${current_report}" "${BASELINE_REPORT}"
-
-      - name: Upload load test artifact (smoke)
-        if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
-        with:
-          name: load-test-smoke-${{ github.run_id }}-${{ github.run_attempt }}
-          path: artifacts/load-test/smoke/*.json
-          if-no-files-found: warn
-          retention-days: 30
-
-      - name: Upload load test artifact (behavior)
-        if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
-        with:
-          name: load-test-behavior-${{ github.run_id }}-${{ github.run_attempt }}
-          path: artifacts/load-test/behavior/*.json
-          if-no-files-found: warn
-          retention-days: 30
-
-  load-test-ci:
-    name: Load Test (CI)
-    runs-on: ubuntu-latest
-    if: github.event_name == 'push'
-    needs: [build]
-    environment: ci
-    permissions:
-      contents: read
-
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
-        with:
-          node-version: 24
-          cache: 'npm'
-          cache-dependency-path: e2e/package-lock.json
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd  # v4.0.0
-
-      - name: Install e2e dependencies
-        run: npm ci
-        working-directory: e2e
-
-      - name: Run Artillery load test
-        env:
-          ARTILLERY_ENV: ci
-          DD_LOAD_TEST_BUILD_CACHE: gha
-          DD_LOAD_TEST_ARTIFACT_DIR: artifacts/load-test/ci
-          ARTILLERY_CLOUD_API_KEY: ${{ secrets.ARTILLERY_CLOUD_API_KEY }}
-        run: ./scripts/run-load-test.sh
-
-      - name: Run Artillery behavior test
-        env:
-          ARTILLERY_FILE: ./test/test-behavior.yml
-          ARTILLERY_ENV: behavior
-          DD_LOAD_TEST_BUILD_CACHE: gha
-          DD_LOAD_TEST_ARTIFACT_DIR: artifacts/load-test/behavior
-          ARTILLERY_CLOUD_API_KEY: ${{ secrets.ARTILLERY_CLOUD_API_KEY }}
-        run: ./scripts/run-load-test.sh
-
-      - name: Summarize load test metrics (ci)
-        if: always()
-        run: |
-          report="$(find artifacts/load-test/ci -maxdepth 1 -name '*.json' -printf '%T@ %p\n' 2>/dev/null | sort -rn | head -n1 | cut -d' ' -f2-)"
-          ./scripts/summarize-load-test-report.sh "$report" "Load Test (CI)"
-
-      - name: Summarize load test metrics (behavior)
-        if: always()
-        run: |
-          report="$(find artifacts/load-test/behavior -maxdepth 1 -name '*.json' -printf '%T@ %p\n' 2>/dev/null | sort -rn | head -n1 | cut -d' ' -f2-)"
-          ./scripts/summarize-load-test-report.sh "$report" "Load Test (Behavior)"
-
-      - name: Correctness check (ci, enforced)
-        if: always()
-        env:
-          DD_LOAD_TEST_CORRECTNESS_ENFORCE: 'true'
-          DD_LOAD_TEST_MAX_5XX: '0'
-          DD_LOAD_TEST_MAX_VUSERS_FAILED: '0'
-          DD_LOAD_TEST_MIN_429: '0'
-          DD_LOAD_TEST_MAX_429: '0'
-        run: |
-          report="$(find artifacts/load-test/ci -maxdepth 1 -name '*.json' -printf '%T@ %p\n' 2>/dev/null | sort -rn | head -n1 | cut -d' ' -f2-)"
-          ./scripts/check-load-test-correctness.sh "$report" "Load Test Correctness (CI)"
-
-      - name: Correctness check (behavior, advisory)
-        if: always()
-        env:
-          DD_LOAD_TEST_CORRECTNESS_ENFORCE: 'false'
-          DD_LOAD_TEST_MAX_5XX: '0'
-          DD_LOAD_TEST_MAX_VUSERS_FAILED: '0'
-          DD_LOAD_TEST_MIN_429: '0'
-          DD_LOAD_TEST_MAX_429: '0'
-        run: |
-          report="$(find artifacts/load-test/behavior -maxdepth 1 -name '*.json' -printf '%T@ %p\n' 2>/dev/null | sort -rn | head -n1 | cut -d' ' -f2-)"
-          ./scripts/check-load-test-correctness.sh "$report" "Load Test Correctness (Behavior)"
-
-      - name: Upload load test artifact (ci)
-        if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
-        with:
-          name: load-test-ci-${{ github.run_id }}-${{ github.run_attempt }}
-          path: artifacts/load-test/ci/*.json
-          if-no-files-found: warn
-          retention-days: 30
-
-      - name: Upload load test artifact (behavior)
-        if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
-        with:
-          name: load-test-behavior-${{ github.run_id }}-${{ github.run_attempt }}
-          path: artifacts/load-test/behavior/*.json
-          if-no-files-found: warn
-          retention-days: 30
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
deleted file mode 100644
index 1ba5da640..000000000
--- a/.github/workflows/codeql.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-name: CodeQL
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
-  schedule:
-    - cron: '30 6 * * 1'
-
-permissions: read-all
-
-jobs:
-  analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
-    permissions:
-      security-events: write
-      contents: read
-      actions: read
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [javascript-typescript]
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@f0213c31c702f929cf06ddb900ac315d246a8997  # v4.33.0
-        with:
-          languages: ${{ matrix.language }}
-          config-file: ./.github/codeql/codeql-config.yml
-
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@f0213c31c702f929cf06ddb900ac315d246a8997  # v4.33.0
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@f0213c31c702f929cf06ddb900ac315d246a8997  # v4.33.0
-        with:
-          category: /language:${{ matrix.language }}
diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
deleted file mode 100644
index d7d32456d..000000000
--- a/.github/workflows/fuzz.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-name: Fuzz Testing
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
-  schedule:
-    - cron: '0 6 * * 0'  # Weekly on Sunday at 06:00 UTC
-
-permissions:
-  contents: read
-
-jobs:
-  fuzz:
-    name: Fuzz
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
-        with:
-          node-version: 24
-
-      - name: Install dependencies
-        run: npm ci
-        working-directory: app
-
-      - name: Run fuzz tests
-        run: npx vitest run --reporter=verbose '.fuzz.test.ts'
-        working-directory: app
diff --git a/.github/workflows/quality-mutation-weekly.yml b/.github/workflows/quality-mutation-weekly.yml
new file mode 100644
index 000000000..514a3cfc3
--- /dev/null
+++ b/.github/workflows/quality-mutation-weekly.yml
@@ -0,0 +1,86 @@
+name: "🧬 Quality: Mutation Testing"
+run-name: >-
+  ${{
+    github.event_name == 'schedule' && '🧬 Quality: Mutation Testing — Weekly schedule' ||
+    format('🧬 Quality: Mutation Testing — Manual by {0}', github.actor)
+  }}
+
+# Keep mutation testing out of the push/PR fast path.
+# This workflow is a weekly/manual quality signal used to find weak assertions,
+# dead code, and refactor candidates after merges land on the integration branch.
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '15 6 * * 2'  # Weekly on Tuesday at 06:15 UTC
+
+permissions:
+  contents: read
+
+concurrency:
+  group: mutation-testing-${{ github.workflow }}
+  cancel-in-progress: true
+
+jobs:
+  stryker:
+    name: "🧬 Quality: Stryker Advisory (${{ matrix.package }})"
+    runs-on: ubuntu-latest
+    environment: mutation
+    timeout-minutes: 60  # Mutation testing is intentionally expensive; cap runaway mutants
+    continue-on-error: true  # advisory by policy; review results, then file focused follow-up work
+    env:
+      STRYKER_DASHBOARD_API_KEY: ${{ secrets.STRYKER_DASHBOARD_API_KEY }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - package: app
+            lockfile: app/package-lock.json
+          - package: ui
+            lockfile: ui/package-lock.json
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
+        with:
+          node-version: 24
+          package-manager-cache: false
+
+      - name: Install dependencies
+        run: npm ci
+        working-directory: ${{ matrix.package }}
+
+      - name: Run Stryker
+        run: npm run test:mutation
+        working-directory: ${{ matrix.package }}
+
+      - name: Summarize advisory mode
+        if: always()
+        run: |
+          {
+            echo "### Mutation Testing"
+            echo "- Mode: ADVISORY (non-blocking)."
+            echo "- Trigger policy: weekly schedule plus manual dispatch only; not part of push or PR CI."
+            echo "- Expected use: review surviving mutants and initial dry-run failures, then create focused follow-up work for real test gaps or brittle logic."
+            echo "- Dashboard publish: enabled automatically when STRYKER_DASHBOARD_API_KEY is configured in GitHub Actions secrets."
+            echo "- Merge policy: do not block merges on mutation score."
+            echo "- Promotion criteria to stricter enforcement: clean dry-runs in every package, stable CI variance, and explicit team agreement."
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Upload mutation report
+        if: always()
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+        with:
+          name: mutation-report-${{ matrix.package }}-${{ github.run_id }}-${{ github.run_attempt }}
+          path: ${{ matrix.package }}/reports/mutation
+          if-no-files-found: warn
+          retention-days: 14
diff --git a/.github/workflows/release-cut.yml b/.github/workflows/release-cut.yml
new file mode 100644
index 000000000..d1e6b59f5
--- /dev/null
+++ b/.github/workflows/release-cut.yml
@@ -0,0 +1,209 @@
+name: "🏷️ Release: Cut"
+run-name: "🏷️ Release: Cut — manual by ${{ github.actor }}"
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  actions: read
+
+concurrency:
+  group: release-cut
+  cancel-in-progress: false
+
+env:
+  CI_VERIFY_WORKFLOW_FILE: ci-verify.yml
+
+jobs:
+  cut:
+    name: "🏷️ Release: Cut Tag"
+    runs-on: ubuntu-latest
+    timeout-minutes: 20  # Includes CI-success polling for target SHA before tagging
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: true
+
+      - name: Resolve target SHA
+        id: target
+        run: |
+          set -euo pipefail
+          sha="$(git rev-parse HEAD)"
+          echo "sha=${sha}" >> "$GITHUB_OUTPUT"
+          echo "Target SHA: ${sha}"
+
+      - name: Resolve CI workflow reference
+        id: ci_workflow
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+
+          workflow_url="${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/actions/workflows/${CI_VERIFY_WORKFLOW_FILE}"
+          workflow_json="$(curl -fsSL \
+            -H "Authorization: Bearer ${GH_TOKEN}" \
+            -H "Accept: application/vnd.github+json" \
+            "${workflow_url}")"
+
+          workflow_id="$(echo "${workflow_json}" | jq -r '.id // empty')"
+          workflow_name="$(echo "${workflow_json}" | jq -r '.name // empty')"
+          workflow_path="$(echo "${workflow_json}" | jq -r '.path // empty')"
+          if [ -z "${workflow_id}" ] || [ -z "${workflow_path}" ]; then
+            echo "::error::Failed to resolve workflow metadata for ${CI_VERIFY_WORKFLOW_FILE}."
+            exit 1
+          fi
+
+          {
+            echo "id=${workflow_id}"
+            echo "name=${workflow_name}"
+            echo "path=${workflow_path}"
+          } >> "$GITHUB_OUTPUT"
+          echo "Using CI verification workflow: ${workflow_name} (${workflow_path}, id=${workflow_id})"
+
+      - name: Verify successful branch CI on target SHA
+        env:
+          GH_TOKEN: ${{ github.token }}
+          CI_WORKFLOW_ID: ${{ steps.ci_workflow.outputs.id }}
+          CI_WORKFLOW_NAME: ${{ steps.ci_workflow.outputs.name }}
+          TARGET_SHA: ${{ steps.target.outputs.sha }}
+        run: |
+          set -euo pipefail
+
+          max_attempts=20
+          sleep_seconds=15
+
+          for attempt in $(seq 1 "${max_attempts}"); do
+            runs_url="${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/actions/workflows/${CI_WORKFLOW_ID}/runs?head_sha=${TARGET_SHA}&event=push&per_page=50"
+            runs_json="$(curl -fsSL \
+              -H "Authorization: Bearer ${GH_TOKEN}" \
+              -H "Accept: application/vnd.github+json" \
+              "${runs_url}")"
+
+            successful_runs="$(echo "${runs_json}" | jq '[.workflow_runs[] | select(.conclusion == "success" and ((.head_branch // "") | length > 0))] | length')"
+            in_progress_runs="$(echo "${runs_json}" | jq '[.workflow_runs[] | select(.status != "completed" and ((.head_branch // "") | length > 0))] | length')"
+            completed_runs="$(echo "${runs_json}" | jq '[.workflow_runs[] | select(.status == "completed" and ((.head_branch // "") | length > 0))] | length')"
+
+            if [ "${successful_runs}" -gt 0 ]; then
+              echo "Found successful ${CI_WORKFLOW_NAME} branch push run for ${TARGET_SHA}."
+              exit 0
+            fi
+
+            if [ "${completed_runs}" -gt 0 ] && [ "${in_progress_runs}" -eq 0 ]; then
+              echo "::error::${CI_WORKFLOW_NAME} branch push runs for ${TARGET_SHA} completed without success."
+              echo "${runs_json}" | jq '.workflow_runs[] | select((.head_branch // "") | length > 0) | {id, status, conclusion, head_branch, html_url}'
+              exit 1
+            fi
+
+            echo "Attempt ${attempt}/${max_attempts}: waiting for successful ${CI_WORKFLOW_NAME} branch push run on ${TARGET_SHA}..."
+            sleep "${sleep_seconds}"
+          done
+
+          echo "::error::Timed out waiting for successful ${CI_WORKFLOW_NAME} branch push run on ${TARGET_SHA}."
+          exit 1
+
+      - name: Find latest release tag
+        id: base
+        run: |
+          set -euo pipefail
+          latest_tag="$(git tag --list 'v*' --sort=-v:refname | head -n1)"
+          if [ -z "${latest_tag}" ]; then
+            latest_tag="v0.0.0"
+          fi
+
+          echo "latest_tag=${latest_tag}" >> "$GITHUB_OUTPUT"
+          echo "current_version=${latest_tag#v}" >> "$GITHUB_OUTPUT"
+
+      - name: Compute next version
+        id: next
+        env:
+          BUMP: auto
+          CURRENT_VERSION: ${{ steps.base.outputs.current_version }}
+          LATEST_TAG: ${{ steps.base.outputs.latest_tag }}
+          TARGET_SHA: ${{ steps.target.outputs.sha }}
+        run: |
+          set -euo pipefail
+
+          if [ "${BUMP}" = "auto" ] && [ "${LATEST_TAG}" = "v0.0.0" ]; then
+            release_level="patch"
+            next_version="0.0.1"
+          else
+            mapfile -t vars < <(node scripts/release-next-version.mjs \
+              --current "${CURRENT_VERSION}" \
+              --bump "${BUMP}" \
+              --from "${LATEST_TAG}" \
+              --to "${TARGET_SHA}")
+
+            for kv in "${vars[@]}"; do
+              key="${kv%%=*}"
+              value="${kv#*=}"
+              case "${key}" in
+                release_level) release_level="${value}" ;;
+                next_version) next_version="${value}" ;;
+              esac
+            done
+          fi
+
+          release_tag="v${next_version}"
+          if git rev-parse -q --verify "refs/tags/${release_tag}" >/dev/null; then
+            echo "::error::Tag already exists: ${release_tag}"
+            exit 1
+          fi
+
+          {
+            echo "release_level=${release_level}"
+            echo "next_version=${next_version}"
+            echo "release_tag=${release_tag}"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Validate CHANGELOG entry for release tag
+        env:
+          RELEASE_TAG: ${{ steps.next.outputs.release_tag }}
+        run: |
+          set -euo pipefail
+          entry_file="$(mktemp)"
+
+          node scripts/extract-changelog-entry.mjs --version "${RELEASE_TAG}" --file CHANGELOG.md > "${entry_file}"
+
+          if ! awk 'NR > 1 && NF { found = 1; exit } END { exit found ? 0 : 1 }' "${entry_file}"; then
+            echo "::error::CHANGELOG entry for ${RELEASE_TAG} is empty. Add release notes under the heading before cutting a tag."
+            exit 1
+          fi
+
+          echo "Validated CHANGELOG entry for ${RELEASE_TAG}."
+
+      - name: Create and push release tag
+        env:
+          RELEASE_TAG: ${{ steps.next.outputs.release_tag }}
+          TARGET_SHA: ${{ steps.target.outputs.sha }}
+        run: |
+          set -euo pipefail
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+          git tag -a "${RELEASE_TAG}" "${TARGET_SHA}" -m "release: ${RELEASE_TAG}"
+          git push origin "${RELEASE_TAG}"
+
+      - name: Release summary
+        env:
+          TARGET_SHA: ${{ steps.target.outputs.sha }}
+          RELEASE_LEVEL: ${{ steps.next.outputs.release_level }}
+          NEXT_VERSION: ${{ steps.next.outputs.next_version }}
+          RELEASE_TAG: ${{ steps.next.outputs.release_tag }}
+        run: |
+          {
+            echo "### Release Cut Summary"
+            echo "- Target SHA: \`${TARGET_SHA}\`"
+            echo "- Bump level: \`${RELEASE_LEVEL}\`"
+            echo "- Next version: \`${NEXT_VERSION}\`"
+            echo "- Tag: \`${RELEASE_TAG}\`"
+            echo "- Docker build tag format: \`${NEXT_VERSION}-b###\` (generated in release workflow)"
+            echo "- Nightly-ready format: \`vX.Y.Z-nightly.YYYYMMDD.N\`"
+          } >> "$GITHUB_STEP_SUMMARY"
diff --git a/.github/workflows/release-from-tag.yml b/.github/workflows/release-from-tag.yml
new file mode 100644
index 000000000..4153dc213
--- /dev/null
+++ b/.github/workflows/release-from-tag.yml
@@ -0,0 +1,482 @@
+name: "🚀 Release: From Tag"
+run-name: "🚀 Release: From Tag — ${{ github.ref_name }}"
+
+on:
+  push:
+    tags: ['v*']
+
+permissions: read-all
+
+env:
+  DOCKER_PLATFORMS: linux/amd64,linux/arm64
+  CI_VERIFY_WORKFLOW_FILE: ci-verify.yml
+
+concurrency:
+  group: release-from-tag-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  verify-ci:
+    name: "✅ Release: Verify Prior CI Success"
+    runs-on: ubuntu-latest
+    timeout-minutes: 20  # Poll loop waits for prior branch CI status on tag SHA
+    permissions:
+      contents: read
+      actions: read
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Resolve CI workflow reference
+        id: ci_workflow
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+
+          workflow_url="${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/actions/workflows/${CI_VERIFY_WORKFLOW_FILE}"
+          workflow_json="$(curl -fsSL \
+            -H "Authorization: Bearer ${GH_TOKEN}" \
+            -H "Accept: application/vnd.github+json" \
+            "${workflow_url}")"
+
+          workflow_id="$(echo "${workflow_json}" | jq -r '.id // empty')"
+          workflow_name="$(echo "${workflow_json}" | jq -r '.name // empty')"
+          workflow_path="$(echo "${workflow_json}" | jq -r '.path // empty')"
+          if [ -z "${workflow_id}" ] || [ -z "${workflow_path}" ]; then
+            echo "::error::Failed to resolve workflow metadata for ${CI_VERIFY_WORKFLOW_FILE}."
+            exit 1
+          fi
+
+          {
+            echo "id=${workflow_id}"
+            echo "name=${workflow_name}"
+            echo "path=${workflow_path}"
+          } >> "$GITHUB_OUTPUT"
+          echo "Using CI verification workflow: ${workflow_name} (${workflow_path}, id=${workflow_id})"
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Assert tag version matches package versions
+        run: |
+          set -euo pipefail
+
+          tag_version="${GITHUB_REF_NAME#v}"
+          if [ -z "${tag_version}" ] || [ "${tag_version}" = "${GITHUB_REF_NAME}" ]; then
+            echo "::error::Tag '${GITHUB_REF_NAME}' does not match expected format vX.Y.Z[-prerelease]."
+            exit 1
+          fi
+
+          # For prereleases (rc, nightly), compare base version only:
+          # v1.5.0-rc.1 → compare 1.5.0 against package.json
+          base_version="${tag_version%%-*}"
+
+          for package_path in package.json app/package.json ui/package.json; do
+            package_version="$(jq -r '.version // empty' "${package_path}")"
+            if [ -z "${package_version}" ]; then
+              echo "::error::Missing required version field in ${package_path}"
+              exit 1
+            fi
+            if [ "${package_version}" != "${base_version}" ]; then
+              echo "::error::Version mismatch: tag base=${base_version} (from ${GITHUB_REF_NAME}), ${package_path}=${package_version}"
+              exit 1
+            fi
+          done
+
+          echo "Tag version ${base_version} matches package.json, app/package.json, and ui/package.json."
+
+      - name: Wait for successful branch CI on tag SHA
+        env:
+          GH_TOKEN: ${{ github.token }}
+          CI_WORKFLOW_ID: ${{ steps.ci_workflow.outputs.id }}
+          CI_WORKFLOW_NAME: ${{ steps.ci_workflow.outputs.name }}
+        run: |
+          set -euo pipefail
+
+          max_attempts=25
+          sleep_seconds=60
+
+          for attempt in $(seq 1 "${max_attempts}"); do
+            runs_url="${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/actions/workflows/${CI_WORKFLOW_ID}/runs?head_sha=${GITHUB_SHA}&event=push&per_page=50"
+            runs_json="$(curl -fsSL \
+              -H "Authorization: Bearer ${GH_TOKEN}" \
+              -H "Accept: application/vnd.github+json" \
+              "${runs_url}")"
+
+            success_count="$(echo "${runs_json}" | jq '[.workflow_runs[] | select(.conclusion == "success" and ((.head_branch // "") | length > 0))] | length')"
+            in_progress_count="$(echo "${runs_json}" | jq '[.workflow_runs[] | select(.status != "completed" and ((.head_branch // "") | length > 0))] | length')"
+            completed_count="$(echo "${runs_json}" | jq '[.workflow_runs[] | select(.status == "completed" and ((.head_branch // "") | length > 0))] | length')"
+
+            if [ "${success_count}" -gt 0 ]; then
+              echo "Found successful ${CI_WORKFLOW_NAME} push run for ${GITHUB_SHA}."
+              exit 0
+            fi
+
+            if [ "${completed_count}" -gt 0 ] && [ "${in_progress_count}" -eq 0 ]; then
+              echo "::error::${CI_WORKFLOW_NAME} branch push runs for ${GITHUB_SHA} completed without success."
+              echo "${runs_json}" | jq '.workflow_runs[] | select((.head_branch // "") | length > 0) | {id, status, conclusion, head_branch, html_url}'
+              exit 1
+            fi
+
+            echo "Attempt ${attempt}/${max_attempts}: waiting for ${CI_WORKFLOW_NAME} branch push run on ${GITHUB_SHA}..."
+            sleep "${sleep_seconds}"
+          done
+
+          echo "::error::Timed out waiting for successful ${CI_WORKFLOW_NAME} branch push run on ${GITHUB_SHA}."
+          exit 1
+
+  release:
+    name: "🚀 Release: Docker Build & Push"
+    runs-on: ubuntu-latest
+    timeout-minutes: 120  # Multi-arch build, signing, attestations, and release upload
+    environment: release-publish
+    needs: [verify-ci]
+    permissions:
+      contents: write
+      packages: write
+      id-token: write  # cosign keyless signing
+      attestations: write
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a  # v4.0.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd  # v4.0.0
+
+      - name: Log in to GHCR
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Log in to Quay.io
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_PASSWORD }}
+
+      - name: Docker metadata
+        id: meta
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf  # v6.0.0
+        with:
+          images: |
+            ghcr.io/${{ github.repository }}
+            docker.io/codeswhat/drydock
+            quay.io/codeswhat/drydock
+          tags: |
+            # full semver on all tags (e.g. 1.5.0, 1.5.0-rc.1)
+            type=semver,pattern={{version}}
+            # major.minor on stable only (e.g. 1.5)
+            type=semver,pattern={{major}}.{{minor}},enable=${{ !contains(github.ref_name, '-') }}
+            # major on stable only (e.g. 1)
+            type=semver,pattern={{major}},enable=${{ !contains(github.ref_name, '-') }}
+            # latest on stable tags only
+            type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/v') && !contains(github.ref_name, '-') }}
+
+      - name: Build and push
+        id: build
+        continue-on-error: true  # allow manifest retry path on transient push failures
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294  # v7.0.0
+        with:
+          context: .
+          push: true
+          platforms: ${{ env.DOCKER_PLATFORMS }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: DD_VERSION=${{ steps.meta.outputs.version || github.ref_name }}
+          sbom: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Retry manifest publish on transient registry failure
+        id: manifest-retry
+        if: steps.build.outcome == 'failure'
+        env:
+          BUILD_DIGEST: ${{ steps.build.outputs.digest }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        run: |
+          set -euo pipefail
+
+          if [ -z "${BUILD_DIGEST:-}" ]; then
+            echo "::error::Build step failed before producing a digest; cannot retry manifest publish without a source digest."
+            exit 1
+          fi
+
+          source_candidates=(
+            "ghcr.io/${GITHUB_REPOSITORY}@${BUILD_DIGEST}"
+            "docker.io/codeswhat/drydock@${BUILD_DIGEST}"
+            "quay.io/codeswhat/drydock@${BUILD_DIGEST}"
+          )
+
+          source_ref=""
+          for candidate in "${source_candidates[@]}"; do
+            if docker buildx imagetools inspect "${candidate}" >/dev/null 2>&1; then
+              source_ref="${candidate}"
+              break
+            fi
+          done
+
+          if [ -z "${source_ref}" ]; then
+            echo "::error::No registry contains source manifest digest ${BUILD_DIGEST}; cannot perform manifest-only retry."
+            exit 1
+          fi
+
+          while IFS= read -r tag; do
+            [ -z "${tag}" ] && continue
+            echo "Re-pushing manifest tag: ${tag} (source: ${source_ref})"
+            for attempt in 1 2 3; do
+              if docker buildx imagetools create --tag "${tag}" "${source_ref}" >/dev/null; then
+                break
+              fi
+
+              if [ "${attempt}" -eq 3 ]; then
+                echo "::error::Manifest publish retry failed for ${tag}"
+                exit 1
+              fi
+
+              sleep 5
+            done
+          done <<< "${TAGS}"
+
+          echo "digest=${BUILD_DIGEST}" >> "$GITHUB_OUTPUT"
+
+      - name: Resolve image digest
+        id: digest
+        if: steps.build.outcome == 'success' || steps.manifest-retry.outcome == 'success'
+        env:
+          RETRY_DIGEST: ${{ steps.manifest-retry.outputs.digest }}
+          BUILD_DIGEST: ${{ steps.build.outputs.digest }}
+        run: echo "value=${RETRY_DIGEST:-$BUILD_DIGEST}" >> "$GITHUB_OUTPUT"
+
+      - name: Install cosign
+        if: steps.build.outcome == 'success' || steps.manifest-retry.outcome == 'success'
+        uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22  # v4.1.0
+
+      - name: Sign container images
+        if: always() && steps.digest.outputs.value
+        env:
+          DIGEST: ${{ steps.digest.outputs.value }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        run: |
+          set -euo pipefail
+          images=()
+          while IFS= read -r tag; do
+            [ -n "${tag}" ] && images+=("${tag}@${DIGEST}")
+          done <<< "${TAGS}"
+          cosign sign --yes "${images[@]}"
+
+      - name: Verify container image signatures
+        if: always() && steps.digest.outputs.value
+        env:
+          DIGEST: ${{ steps.digest.outputs.value }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        run: |
+          set -euo pipefail
+          identity_regex="^https://github.com/${GITHUB_REPOSITORY}/.github/workflows/release-from-tag.yml@refs/tags/.+$"
+          issuer="https://token.actions.githubusercontent.com"
+
+          images=()
+          while IFS= read -r tag; do
+            [ -n "${tag}" ] && images+=("${tag}@${DIGEST}")
+          done <<< "${TAGS}"
+
+          if [ "${#images[@]}" -eq 0 ]; then
+            echo "::error::No images found to verify"
+            exit 1
+          fi
+
+          for image in "${images[@]}"; do
+            echo "Verifying cosign signature for ${image}"
+            for attempt in 1 2 3; do
+              if cosign verify \
+                --certificate-identity-regexp "${identity_regex}" \
+                --certificate-oidc-issuer "${issuer}" \
+                "${image}" >/dev/null; then
+                break
+              fi
+
+              if [ "${attempt}" -eq 3 ]; then
+                echo "::error::Cosign verification failed for ${image}"
+                exit 1
+              fi
+
+              sleep 5
+            done
+          done
+
+      - name: Build release artifact
+        if: startsWith(github.ref, 'refs/tags/')
+        env:
+          RELEASE_TAG: ${{ github.ref_name }}
+        run: |
+          mkdir -p dist
+          artifact="dist/drydock-${RELEASE_TAG}.tar.gz"
+          git archive --format=tar.gz --prefix="drydock-${RELEASE_TAG}/" --output="${artifact}" "${GITHUB_SHA}"
+          sha256sum "${artifact}" > "${artifact}.sha256"
+
+      - name: Sign release artifact
+        if: startsWith(github.ref, 'refs/tags/')
+        env:
+          RELEASE_TAG: ${{ github.ref_name }}
+        run: |
+          set -euo pipefail
+          artifact="dist/drydock-${RELEASE_TAG}.tar.gz"
+          cosign sign-blob --yes \
+            --bundle "${artifact}.bundle" \
+            --new-bundle-format=false \
+            --output-signature "${artifact}.sig" \
+            --output-certificate "${artifact}.pem" \
+            "${artifact}"
+
+          # Cosign v3 may only emit bundle output in some keyless flows.
+          # Materialize legacy signature/cert files from the bundle when needed.
+          if [ ! -s "${artifact}.sig" ]; then
+            sig_b64="$(jq -r '.base64Signature // .messageSignature.signature // empty' "${artifact}.bundle")"
+            if [ -n "${sig_b64}" ]; then
+              printf '%s' "${sig_b64}" | base64 --decode > "${artifact}.sig"
+            fi
+          fi
+
+          if [ ! -s "${artifact}.pem" ]; then
+            cert_pem="$(jq -r '.cert // empty' "${artifact}.bundle")"
+            if [ -n "${cert_pem}" ]; then
+              printf '%s\n' "${cert_pem}" > "${artifact}.pem"
+            else
+              cert_der_b64="$(jq -r '.verificationMaterial.certificate.rawBytes // empty' "${artifact}.bundle")"
+              if [ -n "${cert_der_b64}" ]; then
+                printf '%s' "${cert_der_b64}" | base64 --decode | openssl x509 -inform DER -out "${artifact}.pem"
+              fi
+            fi
+          fi
+
+          if [ ! -s "${artifact}.sig" ] || [ ! -s "${artifact}.pem" ]; then
+            echo "::error::Expected signature outputs were not generated"
+            ls -la dist
+            jq 'keys' "${artifact}.bundle" || true
+            exit 1
+          fi
+
+      - name: Verify release artifact signature
+        if: startsWith(github.ref, 'refs/tags/')
+        env:
+          RELEASE_TAG: ${{ github.ref_name }}
+        run: |
+          set -euo pipefail
+          artifact="dist/drydock-${RELEASE_TAG}.tar.gz"
+          identity_regex="^https://github.com/${GITHUB_REPOSITORY}/.github/workflows/release-from-tag.yml@refs/tags/.+$"
+          issuer="https://token.actions.githubusercontent.com"
+
+          cosign verify-blob \
+            --signature "${artifact}.sig" \
+            --certificate "${artifact}.pem" \
+            --certificate-identity-regexp "${identity_regex}" \
+            --certificate-oidc-issuer "${issuer}" \
+            "${artifact}" >/dev/null
+
+      - name: Attest release artifact provenance
+        if: startsWith(github.ref, 'refs/tags/')
+        id: attest_release_artifact
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32  # v4.1.0
+        with:
+          subject-path: dist/drydock-${{ github.ref_name }}.tar.gz
+
+      - name: Export release provenance asset
+        if: startsWith(github.ref, 'refs/tags/')
+        env:
+          RELEASE_TAG: ${{ github.ref_name }}
+          BUNDLE_PATH: ${{ steps.attest_release_artifact.outputs.bundle-path }}
+        run: |
+          artifact="dist/drydock-${RELEASE_TAG}.tar.gz"
+          cp "${BUNDLE_PATH}" "${artifact}.intoto.jsonl"
+
+      - name: Generate release notes from changelog
+        if: startsWith(github.ref, 'refs/tags/')
+        id: release_notes
+        env:
+          RELEASE_TAG: ${{ github.ref_name }}
+        run: |
+          set -euo pipefail
+          notes_path="dist/release-notes-${RELEASE_TAG}.md"
+
+          # Try exact version first, then fall back to [Unreleased] for pre-releases
+          entry_path="$(mktemp)"
+          missing_heading="## [${RELEASE_TAG#v}] - YYYY-MM-DD"
+          if ! node scripts/extract-changelog-entry.mjs --version "${RELEASE_TAG}" --file CHANGELOG.md > "${entry_path}"; then
+            # For pre-releases (rc, beta, alpha), try [Unreleased] as fallback
+            if [[ "${RELEASE_TAG}" == *-* ]] && node scripts/extract-changelog-entry.mjs --version "Unreleased" --file CHANGELOG.md > "${entry_path}" 2>/dev/null; then
+              echo "Using [Unreleased] changelog section for pre-release ${RELEASE_TAG}."
+            else
+              rm -f "${entry_path}" "${notes_path}"
+              echo "::error::Release notes generation failed: CHANGELOG entry missing for ${RELEASE_TAG}. Add heading '${missing_heading}' and retry release."
+              {
+                echo "### Release Notes Generation"
+                echo "- Result: FAIL"
+                echo "- AI_ACTION_REQUIRED: Add CHANGELOG entry for \`${RELEASE_TAG}\` using heading \`${missing_heading}\`, then re-run release."
+              } >> "${GITHUB_STEP_SUMMARY}"
+              exit 1
+            fi
+          fi
+          {
+            echo "# ${RELEASE_TAG}"
+            echo ""
+            cat "${entry_path}"
+          } > "${notes_path}"
+          rm -f "${entry_path}"
+          echo "path=${notes_path}" >> "$GITHUB_OUTPUT"
+
+      - name: Upload signed release assets
+        if: startsWith(github.ref, 'refs/tags/')
+        env:
+          GH_TOKEN: ${{ github.token }}
+          RELEASE_TAG: ${{ github.ref_name }}
+          RELEASE_NOTES_PATH: ${{ steps.release_notes.outputs.path }}
+        run: |
+          # Mark RC and nightly tags as prerelease on GitHub
+          prerelease_flag=""
+          case "${RELEASE_TAG}" in
+            *-rc.*) prerelease_flag="--prerelease" ;;
+          esac
+
+          gh release view "${RELEASE_TAG}" >/dev/null 2>&1 || gh release create "${RELEASE_TAG}" --title "${RELEASE_TAG}" --notes-file "${RELEASE_NOTES_PATH}" ${prerelease_flag}
+          gh release edit "${RELEASE_TAG}" --title "${RELEASE_TAG}" --notes-file "${RELEASE_NOTES_PATH}" ${prerelease_flag}
+          gh release upload "${RELEASE_TAG}" \
+            "dist/drydock-${RELEASE_TAG}.tar.gz" \
+            "dist/drydock-${RELEASE_TAG}.tar.gz.sha256" \
+            "dist/drydock-${RELEASE_TAG}.tar.gz.bundle" \
+            "dist/drydock-${RELEASE_TAG}.tar.gz.sig" \
+            "dist/drydock-${RELEASE_TAG}.tar.gz.intoto.jsonl" \
+            "dist/drydock-${RELEASE_TAG}.tar.gz.pem" \
+            --clobber
+
+      - name: Attest build provenance
+        if: always() && steps.digest.outputs.value
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32  # v4.1.0
+        with:
+          subject-name: ghcr.io/${{ github.repository }}
+          subject-digest: ${{ steps.digest.outputs.value }}
+          push-to-registry: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
deleted file mode 100644
index 5f211f042..000000000
--- a/.github/workflows/release.yml
+++ /dev/null
@@ -1,230 +0,0 @@
-name: Release
-
-on:
-  push:
-    tags: ['v*']
-
-permissions: read-all
-
-env:
-  DOCKER_PLATFORMS: linux/amd64,linux/arm64
-
-jobs:
-  ci:
-    name: CI
-    permissions:
-      contents: read
-      security-events: write  # zizmor SARIF upload
-      actions: read           # zizmor workflow analysis
-    uses: ./.github/workflows/ci.yml
-    secrets:
-      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-
-  release:
-    name: Docker Build & Push
-    runs-on: ubuntu-latest
-    needs: [ci]
-    environment: release
-    permissions:
-      contents: write
-      packages: write
-      id-token: write  # cosign keyless signing
-      attestations: write
-
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a  # v4.0.0
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd  # v4.0.0
-
-      - name: Log in to GHCR
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Log in to Docker Hub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Log in to Quay.io
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
-        with:
-          registry: quay.io
-          username: ${{ secrets.QUAY_USERNAME }}
-          password: ${{ secrets.QUAY_PASSWORD }}
-
-      - name: Docker metadata
-        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf  # v6.0.0
-        with:
-          images: |
-            ghcr.io/${{ github.repository }}
-            docker.io/codeswhat/drydock
-            quay.io/codeswhat/drydock
-          tags: |
-            # full semver on tags (e.g. 9.0.0)
-            type=semver,pattern={{version}}
-            # major.minor on tags (e.g. 9.0)
-            type=semver,pattern={{major}}.{{minor}}
-            # major on tags (e.g. 9)
-            type=semver,pattern={{major}}
-            # latest on tags
-            type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/v') && !contains(github.ref, '-') }}
-
-      - name: Build and push
-        id: build
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294  # v7.0.0
-        with:
-          context: .
-          push: true
-          platforms: ${{ env.DOCKER_PLATFORMS }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          build-args: DD_VERSION=${{ steps.meta.outputs.version }}
-          sbom: true
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-      - name: Retry push on transient registry failure
-        id: build-retry
-        if: failure() && steps.build.outcome == 'failure'
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294  # v7.0.0
-        with:
-          context: .
-          push: true
-          platforms: ${{ env.DOCKER_PLATFORMS }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          build-args: DD_VERSION=${{ steps.meta.outputs.version }}
-          sbom: true
-          cache-from: type=gha
-
-      - name: Resolve image digest
-        id: digest
-        if: always() && (steps.build.outcome == 'success' || steps.build-retry.outcome == 'success')
-        env:
-          RETRY_DIGEST: ${{ steps.build-retry.outputs.digest }}
-          BUILD_DIGEST: ${{ steps.build.outputs.digest }}
-        run: echo "value=${RETRY_DIGEST:-$BUILD_DIGEST}" >> "$GITHUB_OUTPUT"
-
-      - name: Install cosign
-        if: always() && (steps.build.outcome == 'success' || steps.build-retry.outcome == 'success')
-        uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22  # v4.1.0
-
-      - name: Sign container images
-        if: always() && steps.digest.outputs.value
-        env:
-          DIGEST: ${{ steps.digest.outputs.value }}
-          TAGS: ${{ steps.meta.outputs.tags }}
-        run: |
-          images=()
-          while IFS= read -r tag; do
-            [ -n "${tag}" ] && images+=("${tag}@${DIGEST}")
-          done <<< "${TAGS}"
-          cosign sign --yes "${images[@]}"
-
-      - name: Build release artifact
-        if: startsWith(github.ref, 'refs/tags/')
-        env:
-          RELEASE_TAG: ${{ github.ref_name }}
-        run: |
-          mkdir -p dist
-          artifact="dist/drydock-${RELEASE_TAG}.tar.gz"
-          git archive --format=tar.gz --prefix="drydock-${RELEASE_TAG}/" --output="${artifact}" "${GITHUB_SHA}"
-          sha256sum "${artifact}" > "${artifact}.sha256"
-
-      - name: Sign release artifact
-        if: startsWith(github.ref, 'refs/tags/')
-        env:
-          RELEASE_TAG: ${{ github.ref_name }}
-        run: |
-          artifact="dist/drydock-${RELEASE_TAG}.tar.gz"
-          cosign sign-blob --yes \
-            --bundle "${artifact}.bundle" \
-            --new-bundle-format=false \
-            --output-signature "${artifact}.sig" \
-            --output-certificate "${artifact}.pem" \
-            "${artifact}"
-
-          # Cosign v3 may only emit bundle output in some keyless flows.
-          # Materialize legacy signature/cert files from the bundle when needed.
-          if [ ! -s "${artifact}.sig" ]; then
-            sig_b64="$(jq -r '.base64Signature // .messageSignature.signature // empty' "${artifact}.bundle")"
-            if [ -n "${sig_b64}" ]; then
-              printf '%s' "${sig_b64}" | base64 --decode > "${artifact}.sig"
-            fi
-          fi
-
-          if [ ! -s "${artifact}.pem" ]; then
-            cert_pem="$(jq -r '.cert // empty' "${artifact}.bundle")"
-            if [ -n "${cert_pem}" ]; then
-              printf '%s\n' "${cert_pem}" > "${artifact}.pem"
-            else
-              cert_der_b64="$(jq -r '.verificationMaterial.certificate.rawBytes // empty' "${artifact}.bundle")"
-              if [ -n "${cert_der_b64}" ]; then
-                printf '%s' "${cert_der_b64}" | base64 --decode | openssl x509 -inform DER -out "${artifact}.pem"
-              fi
-            fi
-          fi
-
-          if [ ! -s "${artifact}.sig" ] || [ ! -s "${artifact}.pem" ]; then
-            echo "::error::Expected signature outputs were not generated"
-            ls -la dist
-            jq 'keys' "${artifact}.bundle" || true
-            exit 1
-          fi
-
-      - name: Attest release artifact provenance
-        if: startsWith(github.ref, 'refs/tags/')
-        id: attest_release_artifact
-        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32  # v4.1.0
-        with:
-          subject-path: dist/drydock-${{ github.ref_name }}.tar.gz
-
-      - name: Export release provenance asset
-        if: startsWith(github.ref, 'refs/tags/')
-        env:
-          RELEASE_TAG: ${{ github.ref_name }}
-          BUNDLE_PATH: ${{ steps.attest_release_artifact.outputs.bundle-path }}
-        run: |
-          artifact="dist/drydock-${RELEASE_TAG}.tar.gz"
-          cp "${BUNDLE_PATH}" "${artifact}.intoto.jsonl"
-
-      - name: Upload signed release assets
-        if: startsWith(github.ref, 'refs/tags/')
-        env:
-          GH_TOKEN: ${{ github.token }}
-          RELEASE_TAG: ${{ github.ref_name }}
-        run: |
-          gh release view "${RELEASE_TAG}" >/dev/null 2>&1 || gh release create "${RELEASE_TAG}" --title "${RELEASE_TAG}" --notes ""
-          gh release upload "${RELEASE_TAG}" \
-            "dist/drydock-${RELEASE_TAG}.tar.gz" \
-            "dist/drydock-${RELEASE_TAG}.tar.gz.sha256" \
-            "dist/drydock-${RELEASE_TAG}.tar.gz.bundle" \
-            "dist/drydock-${RELEASE_TAG}.tar.gz.sig" \
-            "dist/drydock-${RELEASE_TAG}.tar.gz.intoto.jsonl" \
-            "dist/drydock-${RELEASE_TAG}.tar.gz.pem" \
-            --clobber
-
-      - name: Attest build provenance
-        if: always() && steps.digest.outputs.value
-        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32  # v4.1.0
-        with:
-          subject-name: ghcr.io/${{ github.repository }}
-          subject-digest: ${{ steps.digest.outputs.value }}
-          push-to-registry: true
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/security-scorecard.yml
similarity index 63%
rename from .github/workflows/scorecard.yml
rename to .github/workflows/security-scorecard.yml
index e26294a45..ce617a57a 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/security-scorecard.yml
@@ -1,18 +1,26 @@
-name: OpenSSF Scorecard
+name: "🛡️ Security: OpenSSF Scorecard"
+run-name: >-
+  ${{
+    github.event_name == 'branch_protection_rule' && '🛡️ Security: OpenSSF Scorecard — Branch protection changed' ||
+    github.event_name == 'schedule' && '🛡️ Security: OpenSSF Scorecard — Weekly schedule' ||
+    format('🛡️ Security: OpenSSF Scorecard — {0}', github.ref_name)
+  }}
 
 on:
+  push:
+    branches:
+      - main
   branch_protection_rule:
   schedule:
     - cron: '0 6 * * 1'  # Weekly on Monday at 06:00 UTC
-  push:
-    branches: [main]
 
 permissions: read-all
 
 jobs:
   analysis:
-    name: Scorecard analysis
+    name: "🛡️ Security: Scorecard Analysis"
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     permissions:
       contents: read  # Checkout code
       security-events: write  # Upload SARIF results
@@ -37,6 +45,6 @@ jobs:
           publish_results: true
 
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@f0213c31c702f929cf06ddb900ac315d246a8997  # v4.33.0
+        uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8  # v4.33.0
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/security-snyk-weekly.yml b/.github/workflows/security-snyk-weekly.yml
new file mode 100644
index 000000000..9cf4faa39
--- /dev/null
+++ b/.github/workflows/security-snyk-weekly.yml
@@ -0,0 +1,256 @@
+name: "🛡️ Security: Snyk Paid Scans"
+run-name: >-
+  ${{
+    github.event_name == 'schedule' && '🛡️ Security: Snyk Paid Scans — Weekly run' ||
+    format('🛡️ Security: Snyk Paid Scans — Manual by {0}', github.actor)
+  }}
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '15 7 * * 1'  # Weekly on Monday at 07:15 UTC
+
+permissions:
+  contents: read
+
+concurrency:
+  group: snyk-paid-${{ github.workflow }}
+  cancel-in-progress: true
+
+env:
+  SNYK_CLI_VERSION: '1.1303.1'
+  SNYK_QUOTA_CONFIG_PATH: scripts/snyk-quota-config.json
+  SNYK_CONTAINER_IMAGE: drydock:snyk
+
+jobs:
+  prepare:
+    name: "🛠️ Security: Prepare Snyk Context"
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    environment: ci-security
+    outputs:
+      has_token: ${{ steps.token.outputs.has_token }}
+      is_default_branch: ${{ steps.token.outputs.is_default_branch }}
+    steps:
+      - name: Check Snyk token availability
+        id: token
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+          CURRENT_REF: ${{ github.ref }}
+        run: |
+          if [ -n "${SNYK_TOKEN:-}" ]; then
+            echo "has_token=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "has_token=false" >> "$GITHUB_OUTPUT"
+          fi
+
+          if [ "$CURRENT_REF" = "refs/heads/$DEFAULT_BRANCH" ]; then
+            echo "is_default_branch=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "is_default_branch=false" >> "$GITHUB_OUTPUT"
+          fi
+
+  quota-plan:
+    name: "📊 Security: Snyk Quota Plan"
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    needs: [prepare]
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Validate monthly quota plan
+        id: quota
+        run: |
+          set -euo pipefail
+          node scripts/snyk-quota-plan.mjs --config "${SNYK_QUOTA_CONFIG_PATH}" > quota.json
+          cat quota.json
+
+      - name: Attach quota summary
+        run: |
+          {
+            echo "### Snyk Quota Plan"
+            cat quota.json
+          } >> "$GITHUB_STEP_SUMMARY"
+
+  open-source:
+    name: "📦 Security: Snyk Open Source"
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    environment: ci-security
+    needs: [prepare, quota-plan]
+    if: ${{ needs.quota-plan.result == 'success' && needs.prepare.outputs.has_token == 'true' && needs.prepare.outputs.is_default_branch == 'true' }}
+    env:
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
+        with:
+          node-version: 24
+
+      - name: Install Snyk CLI
+        run: npm install -g "snyk@${SNYK_CLI_VERSION}"
+
+      - name: Run Snyk Open Source scans
+        run: |
+          set -euo pipefail
+          ./scripts/snyk-deps-gate.sh --file=package-lock.json --package-manager=npm
+          ./scripts/snyk-deps-gate.sh --file=app/package-lock.json --package-manager=npm
+          ./scripts/snyk-deps-gate.sh --file=ui/package-lock.json --package-manager=npm
+          ./scripts/snyk-deps-gate.sh --file=e2e/package-lock.json --package-manager=npm
+
+  code:
+    name: "🧠 Security: Snyk Code"
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    environment: ci-security
+    needs: [prepare, quota-plan]
+    if: ${{ needs.quota-plan.result == 'success' && needs.prepare.outputs.has_token == 'true' && needs.prepare.outputs.is_default_branch == 'true' }}
+    env:
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      SNYK_CODE_ENFORCE: "true"
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
+        with:
+          node-version: 24
+
+      - name: Install Snyk CLI
+        run: npm install -g "snyk@${SNYK_CLI_VERSION}"
+
+      - name: Run Snyk Code scan
+        run: ./scripts/snyk-code-gate.sh
+
+  container:
+    name: "🐳 Security: Snyk Container"
+    runs-on: ubuntu-latest
+    timeout-minutes: 30  # Includes Docker image build before scan
+    environment: ci-security
+    needs: [prepare, quota-plan]
+    if: ${{ needs.quota-plan.result == 'success' && needs.prepare.outputs.has_token == 'true' && needs.prepare.outputs.is_default_branch == 'true' }}
+    env:
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
+        with:
+          node-version: 24
+
+      - name: Install Snyk CLI
+        run: npm install -g "snyk@${SNYK_CLI_VERSION}"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd  # v4.0.0
+
+      - name: Build image for container scan (cached)
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294  # v7.0.0
+        with:
+          context: .
+          push: false
+          load: true
+          tags: ${{ env.SNYK_CONTAINER_IMAGE }}
+          build-args: DD_VERSION=snyk
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Run Snyk Container scan
+        run: ./scripts/snyk-container-gate.sh "${SNYK_CONTAINER_IMAGE}" --file=Dockerfile
+
+  iac:
+    name: "🏗️ Security: Snyk IaC"
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    environment: ci-security
+    needs: [prepare, quota-plan]
+    if: ${{ needs.quota-plan.result == 'success' && needs.prepare.outputs.has_token == 'true' && needs.prepare.outputs.is_default_branch == 'true' }}
+    env:
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594  # v2.16.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6.3.0
+        with:
+          node-version: 24
+
+      - name: Install Snyk CLI
+        run: npm install -g "snyk@${SNYK_CLI_VERSION}"
+
+      - name: Run Snyk IaC scan
+        run: ./scripts/snyk-iac-gate.sh .
+
+  skipped:
+    name: "⏭️ Security: Snyk Scans Skipped"
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    needs: [prepare, quota-plan]
+    if: ${{ always() && (needs.quota-plan.result != 'success' || needs.prepare.outputs.has_token != 'true' || needs.prepare.outputs.is_default_branch != 'true') }}
+    steps:
+      - name: Explain skip reason(s)
+        env:
+          HAS_TOKEN: ${{ needs.prepare.outputs.has_token }}
+          IS_DEFAULT_BRANCH: ${{ needs.prepare.outputs.is_default_branch }}
+          QUOTA_PLAN_RESULT: ${{ needs.quota-plan.result }}
+        run: |
+          {
+            echo "### Snyk scans skipped"
+            if [ "$HAS_TOKEN" != "true" ]; then
+              echo "- Reason: \`SNYK_TOKEN\` secret is not configured."
+            fi
+            if [ "$IS_DEFAULT_BRANCH" != "true" ]; then
+              echo "- Reason: this workflow only runs paid scans on the default branch to protect quotas."
+            fi
+            if [ "$QUOTA_PLAN_RESULT" != "success" ]; then
+              echo "- Reason: quota plan validation failed (\`quota-plan\` job result: \`$QUOTA_PLAN_RESULT\`)."
+            fi
+          } >> "$GITHUB_STEP_SUMMARY"
diff --git a/.gitignore b/.gitignore
index dcce7a3aa..3c6e44754 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,6 +25,8 @@ lib-cov
 # Coverage directory used by tools like istanbul
 coverage
 *.lcov
+.coverage-gaps.json
+CLAUDE.md
 
 # nyc test coverage
 .nyc_output
@@ -151,6 +153,9 @@ ui/public/fonts/
 # Canonical docs are versioned at content/docs/*
 apps/web/content/docs/
 
+# Stryker mutation testing sandboxes
+.stryker-tmp/
+
 # Storybook build output
 storybook-static/
 
diff --git a/.qlty/qlty.toml b/.qlty/qlty.toml
index 96ccde74f..3e8486504 100644
--- a/.qlty/qlty.toml
+++ b/.qlty/qlty.toml
@@ -21,33 +21,20 @@ exclude_patterns = [
   "**/.yarn/**",
   "**/bower_components/**",
   "**/build/**",
+  "**/coverage/**",
   "**/cache/**",
-  "**/config/**",
-  "**/db/**",
-  "**/deps/**",
   "**/dist/**",
-  "**/extern/**",
-  "**/external/**",
   "**/generated/**",
-  "**/Godeps/**",
-  "**/gradlew/**",
-  "**/mvnw/**",
   "**/node_modules/**",
-  "**/protos/**",
-  "**/seed/**",
   "**/target/**",
   "**/testdata/**",
   "**/vendor/**",
-  "**/assets/**",
   ".qlty/out/**",
   ".qlty/logs/**",
   ".qlty/results/**",
   ".qlty/plugin_cachedir/**",
-  "prototypes/**/style.css",
   ".playwright-cli/**",
   "output/**",
-  "app/coverage/**",
-  "ui/coverage/**",
 ]
 
 test_patterns = [
@@ -123,10 +110,12 @@ name = "trufflehog"
 [[plugin]]
 name = "yamllint"
 
-[[plugin]]
-name = "zizmor"
-
 # Entrypoint uses su-exec for runtime privilege drop; no static USER needed
 [[triage]]
 match.rules = ["trivy:DS002", "trivy:DS-0002"]
 set.ignored = true
+
+# markdownlint table style is low-signal for this repository's docs format
+[[triage]]
+match.rules = ["markdownlint:MD060"]
+set.ignored = true
diff --git a/.yamllint.yml b/.yamllint.yml
index ad27cb56b..432d4637e 100644
--- a/.yamllint.yml
+++ b/.yamllint.yml
@@ -1,3 +1,4 @@
+---
 # qlty-managed yamllint — see .qlty/qlty.toml
 extends: default
 rules:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d9ff1e593..522b2738c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,134 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.5.0] — 2026-03-19
+
+### Added
+
+- **Up-to-date and pinned badges in Kind column** — Containers table now shows a green check-circle badge ("Up to date") for containers at their latest version, and a green pin badge ("Pinned") for containers with skipped updates, replacing the previous dash placeholder.
+
+- **Real-time container log viewer** — WebSocket-based live log streaming from Docker containers directly in the UI. Features ANSI color rendering, automatic JSON log detection with syntax-highlighted pretty-printing, free-text and regex search with match navigation, stdout/stderr stream filtering, log level filtering for structured logs, copy to clipboard, and gzip-compressed download. Available in both the container detail panel and a dedicated full-page view at `/containers/:id/logs`. ([Phase 4.2](https://getdrydock.com/docs/configuration/logs))
+- **Diagnostic debug dump** — One-click export of redacted system state from Configuration > Diagnostics. Collects runtime metadata, component state (watchers, registries, triggers, agents), Docker API diagnostics, MQTT Home Assistant sensors, recent Docker events, store stats, and `DD_*` environment variables. Sensitive values matching `password|token|secret|key|hash` are automatically redacted. Configurable time window (1–1440 minutes). ([Phase 4.14](https://getdrydock.com/docs/api/container))
+- **Container log streaming API** — `WS /api/v1/containers/:id/logs/stream` endpoint with Docker binary stream demultiplexing, session-based authentication on WebSocket upgrade, and fixed-window rate limiting (1,000 connections per 15 minutes).
+- **Container log download API** — `GET /api/v1/containers/:id/logs` endpoint with gzip compression support, stdout/stderr filtering, configurable tail size, and timestamp-based `since` filtering.
+- **Debug dump API** — `GET /api/v1/debug/dump` endpoint with configurable `minutes` query parameter for time-windowed event collection.
+- **Copy logs to clipboard** — Copy button in the container log viewer copies all visible log entries to clipboard with timestamp, stream type, and content.
+- **Dashboard customization** — Customizable grid layout with drag-to-reorder, resize, and per-widget visibility toggles using `grid-layout-plus`. Edit mode via pencil icon in breadcrumb header. Customize panel with checkboxes and S/M/L size badges. All widgets progressively collapse content based on container height.
+- **Resource usage dashboard widget** — CPU and memory usage bars with top-N resource consumers, progressive detail at different widget sizes.
+- **Trigger environment variable aliases** — Triggers can now be configured with `DD_ACTION_*` or `DD_NOTIFICATION_*` prefixes in addition to `DD_TRIGGER_*`. All three prefixes resolve identically at startup.
+- **Digest notification mode** — New `MODE=digest` trigger option that accumulates update events over a configurable time window and sends a single batch notification on a cron schedule. Configure with `DD_TRIGGER_{type}_{name}_MODE=digest` and `DD_TRIGGER_{type}_{name}_DIGESTCRON=0 8 * * *` (default: daily at 8am). Works with all notification triggers (SMTP, Telegram, Slack, Pushover, etc.). ([Discussion #185](https://github.com/CodesWhat/drydock/discussions/185))
+- **Toast notifications for all container actions** — Every container action (update, start, stop, restart, scan, delete, group update, rollback, trigger run) now shows a success toast. Error toasts for failures. Toasts auto-dismiss after 6 seconds. ([#183](https://github.com/CodesWhat/drydock/issues/183), [#193](https://github.com/CodesWhat/drydock/discussions/193))
+- **"View containers" navigation from Watchers and Agents** — Detail panels now include a button that navigates directly to the container list filtered by the selected host. ([#194](https://github.com/CodesWhat/drydock/discussions/194))
+- **Podman API version negotiation** — Docker watcher probes the daemon's `/version` endpoint over the Unix socket and pins Dockerode to the reported API version. Prevents `EAI_AGAIN` crashes caused by `docker-modem`'s redirect-following bug when Podman returns HTTP 301 for unversioned API paths. ([#182](https://github.com/CodesWhat/drydock/issues/182))
+- **System log live streaming in UI** — Added end-to-end WebSocket support for system logs (`/api/v1/log/stream`) with new UI service/composable and live log view integration.
+- **Watcher run-time visibility in UI** — Watcher metadata now exposes `lastRunAt`, and UI surfaces it as a relative timestamp.
+- **Shared log viewer primitives** — Added reusable `AppLogViewer` building blocks, JSON tokenizer/search utilities, and full-page container detail tab components for consistent log UX.
+- **Bearer token auth for `/metrics` endpoint** — Set `DD_SERVER_METRICS_TOKEN` to authenticate Prometheus scrapers via `Authorization: Bearer <token>` without requiring session/basic auth. Uses SHA-256 hashing with timing-safe comparison. Three auth modes: (1) bearer token when token is set, (2) session/basic auth fallback, (3) no auth when `DD_SERVER_METRICS_AUTH=false`.
+- **Design system components** — Added shared UI building blocks: `AppIconButton` (icon-only button with WCAG 2.5.8 touch targets), `AppBadge` (tone-based badge with size/uppercase/dot props), `StatusDot` (semantic status indicator), `DetailField` (label+value pair), and `AppTabBar` (v-model tab bar with icons, counts, compact mode). Migrated dashboard, container, settings, layout, and config views to use the new components. ([Discussion #199](https://github.com/CodesWhat/drydock/discussions/199))
+- **Floating tag detection and UI indicator** — New `tagPrecision` classifier (`specific` | `floating`) detects mutable version aliases (e.g. `v3`, `1.4`) and auto-enables digest watching on non-Docker Hub registries. Container detail views show a caution badge when a floating tag is detected without digest watching enabled. ([Discussion #178](https://github.com/CodesWhat/drydock/discussions/178))
+- **Notification bell action filtering** — Audit log endpoint now supports an `actions` query parameter for comma-separated event type filtering. `NotificationBell` uses this to fetch only actionable alert types instead of the full audit log.
+- **Semantic typography utility classes** — Added `dd-text-label`, `dd-text-body`, `dd-text-heading-panel`, and related Tailwind utility classes for consistent text sizing across views.
+- **Disable default local watcher** — Set `DD_LOCAL_WATCHER=false` to prevent the built-in Docker watcher from starting, useful for controller-only nodes that manage remote agents exclusively.
+- **Container row dimming during actions** — Container table rows dim with reduced opacity while an action (update, restart, etc.) is in progress, providing clear visual feedback. ([#227](https://github.com/CodesWhat/drydock/issues/227))
+
+### Changed
+
+- **Container log viewer upgraded to WebSocket streaming** — Replaced the previous HTTP polling-based log viewer with real-time WebSocket streaming. Logs now appear instantly as containers produce them, with no polling interval needed. The viewer retains up to 5,000 lines in a ring buffer.
+- **Container detail panel log tab sizing** — Log viewer in the slide-in detail panel and full-page view now fills the available viewport height without causing outer scrollbars. Uses proper flex layout containment instead of fixed `calc()` heights.
+- **Search match navigation** — Prev/Next search navigation buttons are now hidden by default and only appear when a search query is active, reducing toolbar clutter.
+- **UI text and margin standardization** — Consistent text sizing, view margins, and scroll container padding across all views and components.
+- **Connection lost overlay z-index** — Overlay now covers entire viewport including sidebar using CSS custom property `--z-modal`.
+- **Deprecation banner composable** — Reusable `useDeprecationBanner` composable for session and permanent dismissal of deprecation notices.
+- **Debug dump redaction patterns expanded** — Sensitive key detection now covers 14+ token patterns including `passwd`, `credential`, `apikey`, `accesskey`, `privatekey`, `bearer`, `auth`, and `login` (env-style keys only for auth/bearer/login to avoid false positives).
+- **Lefthook pre-push Playwright gate** — Added `e2e-playwright` to the root pre-push pipeline so local hooks now run Cucumber E2E and Playwright QA before push.
+- **Trigger rename migration CLI support** — `config migrate` now supports `--source trigger` and rewrites legacy trigger prefixes (`DD_TRIGGER_*`, `dd.trigger.include`, `dd.trigger.exclude`) to action-prefixed aliases.
+- **Centralized rollback container guard** — `-old-{timestamp}` container rejection moved from Docker trigger to base Trigger class, covering all trigger types.
+- **Container list query internals modularized** — Extracted query-validation logic and split tests by concern.
+- **Container list filtering performance** — Status/kind filters avoid unnecessary full-collection loads; age/created sorting precomputes values.
+- **Healthcheck execution path optimized** — Default HEALTHCHECK probe replaced with a 65KB static C binary (`/bin/healthcheck`). curl is retained for backward compatibility with user-defined HEALTHCHECK overrides and will be removed in v1.6.0.
+- **Watcher event logging noise reduced** — First event-stream reconnect downgraded from `warn` to `info`.
+- **CI workflows renamed** — Dropped numeric prefixes from workflow filenames for clarity.
+- **Smoke load test profile removed** — Replaced with the ci profile for meaningful regression detection.
+- **Container-update event deduplication** — Added `hasContainerChanged()` to detect meaningful state differences between existing and incoming container records. Suppresses redundant SSE `container-updated` events when a poll cycle returns identical data.
+- **Log viewer layout improvements** — Log entries now use `white-space: nowrap` for single-line scannable output (horizontal scroll for overflow), row alignment changed to `items-center` for consistent baselines, and the terminal has a `min-h-[300px]` floor. Log viewer fills container height with `flex-1`, removed line separators, and added dark background on search input.
+- **AppIconButton toolbar size** — Added `toolbar` size variant (w-8 h-8, 15px icon) for dense filter bars.
+- **Deprecation banner actions layout** — Migration guide link, Dismiss button, and "Don't show again" checkbox stacked vertically with checkbox-gated permanent dismiss.
+- **Dashboard customize panel responsive on mobile** — Panel is opt-in on mobile (sliders icon to open), full-screen overlay with backdrop dismiss. Desktop behavior unchanged. ([#222](https://github.com/CodesWhat/drydock/issues/222))
+- **Socket version probe hardened** — Added 64KB body cap on socket probe response, timer cleanup via `onScopeDispose`/`onUnmounted`, and typed `gridLayout` as `PersistedLayoutItem[]`.
+- **Action trigger default mode** — Action triggers (`docker`, `dockercompose`, `command`) now default to `auto=oninclude` instead of `auto=all`, requiring an explicit `dd.trigger.include` label before auto-updating containers. ([#213](https://github.com/CodesWhat/drydock/issues/213))
+
+### Fixed
+
+- **Telegram MarkdownV2 escaping in all trigger paths** — Body text in `trigger()` and `triggerBatch()` was not escaped for MarkdownV2 reserved characters (`.`, `-`, `(`, `)`, `>`, etc.), causing Telegram API 400 errors and silent notification failures. Now all paths escape via a format-aware helper. ([Discussion #211](https://github.com/CodesWhat/drydock/discussions/211))
+- **Dashboard edit-mode dashed borders clipped at grid edges** — Replaced CSS `outline` with `::before` pseudo-element for edit-mode dashed borders; outlines were clipped by ancestor `overflow-hidden` on items at grid edges. Also matched grid negative margins to responsive breakpoints (mobile 10px, tablet 14px, desktop 16px).
+- **DataTable icon column clipping on mobile** — Removed `overflow-hidden` from icon-type table columns that was clipping container icons on narrow viewports.
+- **Version column alignment on mobile** — Recent updates widget mobile version text now centers and truncates with tooltip instead of left-aligning with `break-all`.
+- **Competitor comparison page accuracy** — Corrected WUD registry count (13→10), Watchtower lifecycle hooks verdict (tie→drydock advantage), Portainer RAM footprint (~200MB+→~100–200MB), Dockhand scanning feature name (Update Bouncer→Safe-Pull Protection).
+- **TypeScript type safety in watcher registry lookups** — Replaced unsafe `as unknown as` casts with `isDockerWatcher()` type guard for Docker watcher state lookups.
+- **Container alias name canonicalization** — `getContainerName()` now strips Docker recreate alias prefixes (e.g. `8bf70beac570_termix` → `termix`) before the name enters the store, so all triggers (Telegram, Slack, Pushover, etc.) receive canonical names. MQTT was already fixed in v1.4.5; this extends the fix to the source. ([#156](https://github.com/CodesWhat/drydock/issues/156))
+- **Cascading -old container updates** — "Update All" batch no longer triggers updates on containers renamed with `-old-{timestamp}` suffix during a prior update. Guard added to base Trigger class (`mustTrigger`), all API endpoints (container-actions, webhook, trigger proxy), and UI batch freezes container IDs at start. ([#183](https://github.com/CodesWhat/drydock/issues/183))
+- **Remote trigger error reporting** — Agent-side trigger endpoints now return structured error details with reason field. Controller extracts and logs the actual failure message instead of bare "Request failed with status code 500". Original Axios error preserved for proxy forwarding. ([#183](https://github.com/CodesWhat/drydock/issues/183))
+- **Dashboard confirm dialog** — `ConfirmDialog` moved to global app shell so update prompts from the dashboard "Updates Available" widget appear immediately instead of requiring navigation to the Containers page. ([#184](https://github.com/CodesWhat/drydock/issues/184))
+- **Registry failures in Updates Available widget** — Containers with "check failed" status (registry errors) no longer appear in the dashboard "Updates Available" section. They remain visible on the Containers page with error indicators. ([#186](https://github.com/CodesWhat/drydock/issues/186))
+- **Digest buffer stale entry eviction** — Containers evicted from digest buffer when update-applied events fire, preventing already-updated containers from appearing in the next digest flush.
+- **Rate-limiter memory safety** — Fixed-window limiter now enforces a hard `maxEntries` cap to prevent unbounded growth.
+- **UI interaction polish** — Fixed agent column picker positioning ([#187](https://github.com/CodesWhat/drydock/issues/187)), dashboard mobile stacking, Escape-key dashboard edit exit, popover z-index/positioning.
+- **Watcher "Last Run" display** — Watchers page now shows relative timestamps for last run. ([#189](https://github.com/CodesWhat/drydock/issues/189))
+- **Duplicate containers after recreate** — Three-layer deduplication filtering prevents alias containers from entering the store during Docker recreate cycles. ([#180](https://github.com/CodesWhat/drydock/issues/180))
+- **Agent disconnect notification template** — Agent disconnect events now use a dedicated notification template instead of being rendered as container updates. ([#195](https://github.com/CodesWhat/drydock/issues/195))
+- **Digest-only image visibility** — Watchers no longer silently drop containers with digest-only image references (e.g. Portainer agent). ([#192](https://github.com/CodesWhat/drydock/issues/192))
+- **Digest cron validation** — `DIGESTCRON` config validated with `cron.validate()` at registration time, failing with a clear error instead of a runtime crash.
+- **Container list runtime status filtering** — Container list API now accepts Docker runtime statuses (`running`, `stopped`, `paused`, etc.) in `status` filtering.
+- **Debug dump filename normalization** — Debug exports now use date-only `.json` filenames.
+- **Dashboard widget mobile scroll** — Added `overscroll-contain` to all scrollable dashboard widgets so touch scrolling stays within the widget instead of scrolling the page. ([#200](https://github.com/CodesWhat/drydock/issues/200))
+- **WebSocket robustness fixes** — Prevented writes on closed sockets, fixed non-matching upgrade URL pass-through behavior, and eliminated stats-collector listener leaks across restart cycles.
+- **Official image pretty logs restored by default** — The release Docker image now defaults back to `DD_LOG_FORMAT=text`, restoring the human-readable `docker logs` experience from v1.4.5. Set `DD_LOG_FORMAT=json` explicitly if you want structured log output. ([Discussion #221](https://github.com/CodesWhat/drydock/discussions/221))
+- **CalVer zero-padded month in strict family filter** — Tags like `2026.02.0` were rejected when the current tag was `2025.11.1` because zero-padded single digits (`01`–`09`) were treated as a family mismatch. Normal in CalVer month fields. ([#202](https://github.com/CodesWhat/drydock/issues/202))
+- **Dashboard updates widget 6-item cap** — Removed hard-coded `RECENT_UPDATES_LIMIT` that silently dropped entries beyond 6 in the Updates Available widget. The scroll container was already in place. ([#208](https://github.com/CodesWhat/drydock/issues/208))
+- **Disabled tooltip regression** — Restored pointer events on disabled `AppIconButton` so tooltips still explain why actions are unavailable (regressed lock button explanations in grouped views).
+- **AppTabBar accessibility** — Added `aria-label` in `iconOnly` mode so tabs are identifiable to assistive technology when visible labels are hidden.
+- **OpenAPI `/metrics` security spec** — Removed anonymous `{}` from security alternatives; runtime requires auth by default, spec should not advertise otherwise.
+- **Missing filter icon in DataFilterBar** — Restored `AppIconButton` import that was silently swallowed by Vue, making the filter icon invisible on all pages.
+- **Missing component imports** — Added missing imports in `SecurityEmptyState` and `AgentsView` that were silently dropped.
+- **tagPrecision mapper type safety** — Removed `as any` cast from tagPrecision container mapper.
+- **AppIconButton tooltip type** — Widened tooltip prop type and fixed ThemeToggle dead branch.
+- **Docker recreate alias prefix stripping unconditional** — Container names are now unconditionally stripped of `hex12_` prefixes at both watcher and trigger level, preventing alias names like `fcdb966987a0_termix` from leaking into notifications. ([#156](https://github.com/CodesWhat/drydock/issues/156))
+- **Banner checkbox label text invisible** — "Don't show again" text on deprecation banners was unreadable because `dd-text-muted` was used on a `color-mix` background. Switched to tone color.
+- **Dashboard updates list not refreshing after container update** — Backend now clears `updateAvailable` flag after manual trigger; frontend SSE `container-changed` event triggers full data refresh instead of summary-only. ([#229](https://github.com/CodesWhat/drydock/issues/229))
+- **Dashboard layout customizations lost on page reload** — Added `gridLayout` to `PreferencesSchema`; reorder now uses `loadPersistedLayout` instead of `createLayoutFromOrder`. ([#223](https://github.com/CodesWhat/drydock/issues/223))
+- **Mobile vertical scroll on containers page** — Restored vertical scrolling on the containers page when viewed on mobile devices. ([#231](https://github.com/CodesWhat/drydock/issues/231))
+- **Podman pod infra containers skipped** — Watchers now skip Podman pod infrastructure containers that have an empty `Image` field instead of failing during version comparison. ([#182](https://github.com/CodesWhat/drydock/issues/182))
+- **Dashboard scroll and layout fixes** — Removed scroll trap from Security Overview widget ([#216](https://github.com/CodesWhat/drydock/issues/216)), prevented dashboard widget scroll layout shift ([#217](https://github.com/CodesWhat/drydock/issues/217)), stopped table resize handles from bleeding through modals, and discarded corrupted single-column grid layouts on load.
+- **Stale updateAvailable overwrite after remote trigger** — Agent controller no longer overwrites cleared `updateAvailable` flags with stale snapshot data after a remote trigger completes. ([#229](https://github.com/CodesWhat/drydock/issues/229))
+
+### Accessibility
+
+- **Tooltip audit** — Added `v-tooltip` to interactive elements and status indicators missing tooltip hints: status dots (watchers, registries, triggers, audit, security), drag handles on dashboard widgets, icon-only badges (registry private/public), NotificationBell button, pagination and test buttons, and spinner/action-in-progress indicators. ([Discussion #199](https://github.com/CodesWhat/drydock/discussions/199))
+
+### Security
+
+- **Log injection prevention** — Removed version string interpolation from startup and migration log messages.
+- **Reflected XSS in Podman redirect guard** — 404 handler no longer reflects request URL in response body.
+- **TOCTOU race in SRI script** — `apply-sri.mjs` now uses `readdirSync({ withFileTypes })` to eliminate stat/read race condition.
+- **WebSocket origin and lockout hardening** — Added stricter WebSocket origin validation and safer lockout file-permission handling.
+- **Trivy supply chain advisory** — Published advisory page and site banner for Trivy supply chain compromise. Pinned Trivy versions and corrected advisory details.
+- **Security bouncer enforcement on container updates** — Update and Update All actions now enforce the security bouncer gate, surfacing blocked-update reasons in the UI instead of silently failing.
+
+### Dependencies
+
+- **`fast-xml-parser` upgraded to 5.5.8** — Addresses CVE-2026-33349 (numeric entity expansion bypass). Updated app/e2e dependency versions.
+- **Vite 7.3 upgraded to 8.0** — Migrated to Vite 8.0 with Rolldown bundler.
+- **Patch/minor dependency bumps** — Updated all patch/minor dependencies and upgraded knip to v6.
+- **Vulnerable transitive dependency patches** — nodemailer 8.0.3→8.0.4, picomatch→4.0.4, brace-expansion→5.0.5, smol-toml→1.6.1, yaml→2.8.3.
+
+### Testing
+
+- **Coverage and stability expansion** — Added/updated tests for WebSocket log streaming, auth lockout flows, registry provider error paths, webhook payload bounds, release-notes/digest lifecycle, and dashboard layout defaults; refactored large trigger/watcher suites for clearer ownership and lower flake risk.
+
+### Documentation
+
+- **Guide/API endpoint synchronization** — Updated current docs and guides to consistently use canonical `/api/v1/*` paths, expanded container list API docs, and added dashboard customization guide.
+
 ## [1.4.5] — 2026-03-17
 
 ### Added
@@ -105,6 +233,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - **Update-operations pagination** — `GET /api/containers/:id/update-operations` now supports `limit` and `offset` query parameters with `_links` navigation, matching the existing container list pagination pattern.
 - **Periodic audit log pruning** — Audit store now runs a background timer (hourly, unref'd) to prune stale entries even with low insert volume, in addition to the existing insert-count-based pruning.
+- **Container release notes enrichment** — Watch cycles now enrich update candidates with GitHub release metadata (`result.releaseNotes` and `result.releaseLink`), and full notes are available via `GET /api/containers/:id/release-notes`.
+- **Container list sort and filter query params** — `GET /api/containers` now supports `sort` (`name`, `status`, `age`, `created`, with optional `-` prefix for descending), plus `status`, `kind`, `watcher`, and `maturity` filters.
+- **Update age and maturity API signals** — Container payloads now track `updateAge` and support maturity states (`hot`, `mature`, `established`) for filtering and policy workflows.
+- **Suggested semver tag hints** — Containers tracked on non-semver tags such as `latest` now expose `result.suggestedTag` to surface the best semver target.
+- **`oninclude` trigger auto mode** — Trigger `auto` now supports `oninclude`, which only auto-runs for containers explicitly matched by include labels. ([#160](https://github.com/CodesWhat/drydock/issues/160))
+- **Container runtime observability APIs** — Added `/api/containers/stats`, `/api/containers/:id/stats`, and `/api/containers/:id/stats/stream` for resource telemetry, plus richer per-container runtime snapshots.
+- **Real-time container log streaming** — Added WebSocket streaming at `/api/v1/containers/:id/logs/stream` with `stdout`/`stderr`, `tail`, `since`, and `follow` controls.
+- **Container logs and runtime stats panels** — Container detail views now include dedicated live Logs and Runtime Stats tabs (including full-page logs route support).
+- **Signed registry webhook receiver** — Added `POST /api/webhooks/registry` with HMAC signature verification and provider-specific payload parsing for registry push events.
+- **Auth lockout Prometheus observability** — Added Prometheus metrics for login success/failure and lockout activity.
 
 ### Changed
 
@@ -114,11 +252,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **Decompose useContainerActions** — Split the 1200-line composable into focused modules: `useContainerBackups`, `useContainerPolicy`, `useContainerPreview`, and `useContainerTriggers`.
 - **Registry error handling** — Replaced `catch (e: any)` with `catch (e: unknown)` and `getErrorMessage(e)` in component registration and trigger/watcher startup.
 - **E2E test resilience** — Container row count assertions now use `toBeGreaterThan(0)` instead of hardcoded counts, preventing false failures when the QA environment has a different number of containers.
+- **Registry digest cache dedup per poll cycle** — Digest cache lookups now deduplicate repeated requests within a single poll cycle, reducing redundant registry calls and improving metric accuracy.
 - **Extract runtime config evaluation context type** — Consolidated scattered runtime field evaluation parameters into a typed `ClonedRuntimeFieldEvaluationContext` interface for trigger providers.
 - **Argon2 hash parsing type safety** — Extracted `Argon2Parameters` interface, parameter key type guard, and PHC parameter parsing into a reusable function for improved type safety.
 - **Extract agent client initialization methods** — Extracted URL parsing, HTTPS detection, protocol validation, and TLS configuration from monolithic constructor into focused private methods.
 - **Extract shared self-hosted registry config schema** — Deduplicated the registry configuration schema (url, login, password, auth, cafile, insecure, clientcert, clientkey) into a reusable helper shared by Custom and SelfHostedBasic registry providers.
 
+### Documentation
+
+- **Podman docs expansion** — Added Podman setup/compatibility guidance plus SELinux, `podman-compose`, and production notes in watcher and FAQ docs.
+- **Docs site URL rebrand** — Replaced `drydock.codeswhat.com` links with `getdrydock.com` across docs pages, sitemap/robots metadata, and website copy.
+
 ### Fixed
 
 - **CSRF validation behind reverse proxies** — Same-origin mutation checks now honor `X-Forwarded-Proto` and `X-Forwarded-Host` when present before falling back to direct request protocol/host, preventing false `403 CSRF validation failed` responses in TLS-terminating proxy setups. ([#146](https://github.com/CodesWhat/drydock/issues/146))
@@ -914,7 +1058,12 @@ Remaining upstream-only changes (not ported — not applicable to drydock):
 | Fix codeberg tests | Covered by drydock's own tests |
 | Update changelog | Upstream-specific |
 
-[Unreleased]: https://github.com/CodesWhat/drydock/compare/v1.4.1...HEAD
+[Unreleased]: https://github.com/CodesWhat/drydock/compare/v1.5.0...HEAD
+[1.5.0]: https://github.com/CodesWhat/drydock/compare/v1.4.5...v1.5.0
+[1.4.5]: https://github.com/CodesWhat/drydock/compare/v1.4.4...v1.4.5
+[1.4.4]: https://github.com/CodesWhat/drydock/compare/v1.4.3...v1.4.4
+[1.4.3]: https://github.com/CodesWhat/drydock/compare/v1.4.2...v1.4.3
+[1.4.2]: https://github.com/CodesWhat/drydock/compare/v1.4.1...v1.4.2
 [1.4.1]: https://github.com/CodesWhat/drydock/compare/v1.4.0...v1.4.1
 [1.4.0]: https://github.com/CodesWhat/drydock/compare/v1.3.9...v1.4.0
 [1.3.9]: https://github.com/CodesWhat/drydock/compare/v1.3.8...v1.3.9
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index dae5ac94c..f61257237 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -4,10 +4,32 @@ Thanks for your interest in contributing! Whether it's a bug fix, new feature, d
 
 Questions or ideas? Start a [GitHub Discussion](https://github.com/CodesWhat/drydock/discussions) or open an [issue](https://github.com/CodesWhat/drydock/issues).
 
+## How contributions work
+
+Drydock maintains strict quality gates (100% code coverage, multi-stage CI pipeline, mutation testing). **You don't need to worry about any of that.** Here's how it works:
+
+1. **You write the code** — focus on the feature or fix itself
+2. **Open a PR** — even if it's rough, incomplete, or has no tests
+3. **The maintainer handles the rest** — testing, coverage, lint fixes, docs updates, and final polish
+
+Your commits keep your Git author attribution. If the maintainer needs to restructure your work, they'll use `Co-Authored-By` to preserve credit.
+
+**The goal is zero friction for contributors.** Don't let the CI pipeline scare you — it runs on PRs for visibility, but passing everything is the maintainer's job, not yours.
+
+## Where to help
+
+Drydock moves fast — open issues tend to get fixed quickly. The best way to find work:
+
+- **Open a [Discussion](https://github.com/CodesWhat/drydock/discussions)** and say what you're interested in. We'll scope something that fits your experience level.
+- **Browse the [Ideas category](https://github.com/CodesWhat/drydock/discussions/categories/ideas)** — feature requests from users that haven't been built yet.
+- **Add a new trigger provider** — the `app/triggers/providers/` directory has 20 examples to follow. Adding support for a new notification service (Pushbullet, Gotify, etc.) is self-contained and well-patterned.
+- **Documentation** — improvements to `content/docs/` are always welcome and need zero backend knowledge.
+- **Check for [`good first issue`](https://github.com/CodesWhat/drydock/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22)** labels when they exist, but don't wait for them.
+
 ## Getting started
 
-1. **Fork** the repository and clone your fork.
-2. **Use Node.js 24+** (required for local development and tests):
+1. **Fork** the repository and clone your fork
+2. **Use Node.js 24+**:
 
    ```bash
    nvm use || nvm install
@@ -18,29 +40,29 @@ Questions or ideas? Start a [GitHub Discussion](https://github.com/CodesWhat/dry
    ```bash
    cd app && npm install
    cd ui && npm install
-   cd e2e && npm install
    ```
 
 4. **Create a branch** from the appropriate base:
-   - Bug fixes for the current release: branch from `main`
-   - New features targeting the next release: branch from the active feature branch (check open branches for the current one)
+   - Bug fixes: branch from `main`
+   - New features: branch from the active feature branch (check open branches)
 
-## Development setup
+## Quick development loop
 
 ### Backend (`app/`)
 
 ```bash
-npm run build     # TypeScript compilation (tsc)
-npm test          # Vitest with coverage (100% thresholds enforced)
-npx vitest run path/to/file.test.ts   # Run a single test file
+npm run build                           # TypeScript compilation
+npx vitest run path/to/file.test.ts     # Run a single test file (fast)
+npx vitest run --reporter=verbose       # Run all tests (no coverage)
+npm run lint:fix                        # Auto-fix formatting
 ```
 
 ### Frontend (`ui/`)
 
 ```bash
-npm run build       # Vite production build
-npm run test:unit   # Vitest with coverage (100% thresholds enforced)
-npm run serve       # Dev server on port 8080 (proxies API to backend)
+npm run serve                           # Dev server on port 8080
+npx vitest run tests/path/to/file.spec.ts   # Single test file
+npm run lint:fix                        # Auto-fix formatting
 ```
 
 ### Docker QA environment
@@ -50,28 +72,50 @@ docker build -t drydock:dev .
 docker compose -f test/qa-compose.yml up -d   # Starts on port 3333
 ```
 
-## Code style
+You don't need to run the full test suite, coverage gates, or e2e tests locally. Just make sure your code compiles (`npm run build`) and your specific tests pass. The maintainer handles the rest.
 
-- **Language:** TypeScript (ESM, `NodeNext` module resolution)
-- **Linter/formatter:** [Biome](https://biomejs.dev/) — direct devDependency in the root workspace. [Qlty](https://qlty.sh) runs all other linters (actionlint, shellcheck, trivy, etc.)
-- **Line width:** 100
-- **Quotes:** single quotes
-- **No transpiler:** the project compiles with `tsc` directly
+## Architecture overview
 
-Run from any workspace:
+Drydock is a Docker container update manager with a dynamic component registry:
 
-```bash
-npm run lint       # biome check .
-npm run lint:fix   # biome check --fix .
-npm run format     # biome format --write .
+```text
+app/                        # Backend (TypeScript, Express, LokiJS)
+├── watchers/providers/     # Monitor containers (Docker socket)
+├── registries/providers/   # Query image registries (23 providers)
+├── triggers/providers/     # Send notifications / actions (20 providers)
+├── api/                    # REST API + SSE
+├── store/                  # LokiJS in-memory database
+├── model/                  # TypeScript interfaces
+└── agent/                  # Distributed controller-agent architecture
+
+ui/                         # Frontend (Vue 3, Tailwind CSS 4, Vite)
+├── src/views/              # Page components
+├── src/components/         # Shared components (AppButton, AppBadge, etc.)
+├── src/composables/        # Vue composables
+├── src/services/           # API client layer
+└── src/utils/              # Helpers and mappers
+
+content/docs/               # Documentation (MDX, versioned)
+e2e/                        # End-to-end tests (Cucumber + Playwright)
 ```
 
-Or check everything from the repo root:
+**Component registry pattern:** Components are loaded dynamically from environment variables:
 
-```bash
-qlty check --all --no-progress
+```text
+DD_REGISTRY_GHCR_PRIVATE_TOKEN=xxx  →  loads registries/providers/ghcr/Ghcr.ts
+DD_TRIGGER_SLACK_MYSLACK_TOKEN=xxx  →  loads triggers/providers/slack/Slack.ts
+DD_WATCHER_LOCAL_SOCKET=xxx         →  loads watchers/providers/docker/Docker.ts
 ```
 
+Each component type extends a base class with `init()`, `deregister()`, and type-specific methods.
+
+## Code style
+
+- **Language:** TypeScript (ESM, `NodeNext` module resolution)
+- **Linter/formatter:** [Biome](https://biomejs.dev/) — run `npm run lint:fix` to auto-fix
+- **Line width:** 100, single quotes
+- **No transpiler:** compiles with `tsc` directly
+
 ## Commit convention
 
 We use **Gitmoji + Conventional Commits**:
@@ -80,34 +124,38 @@ We use **Gitmoji + Conventional Commits**:
 <emoji> <type>(<scope>): <description>
 ```
 
-|Emoji|Type|Use|
+| Emoji | Type | Use |
 |---|---|---|
-|✨|`feat`|New feature|
-|🐛|`fix`|Bug fix|
-|📝|`docs`|Documentation|
-|💄|`style`|UI/cosmetic changes|
-|♻️|`refactor`|Code refactor (no feature/fix)|
-|⚡|`perf`|Performance improvement|
-|✅|`test`|Adding/updating tests|
-|🔧|`chore`|Build, config, tooling|
-|🔒|`security`|Security fix|
-|⬆️|`deps`|Dependency upgrade|
-|🗑️|`revert`|Revert a previous commit|
-
-Scope is optional. Subject line should be imperative, lowercase, no trailing period.
+| ✨ | `feat` | New feature |
+| 🐛 | `fix` | Bug fix |
+| 📝 | `docs` | Documentation |
+| 💄 | `style` | UI/cosmetic changes |
+| ♻️ | `refactor` | Code refactor (no feature/fix) |
+| ⚡ | `perf` | Performance improvement |
+| ✅ | `test` | Adding/updating tests |
+| 🔧 | `chore` | Build, config, tooling |
+| 🔒 | `security` | Security fix |
+| ⬆️ | `deps` | Dependency upgrade |
+| 🗑️ | `revert` | Intentional revert |
+
+Scope is optional. Subject line: imperative, lowercase, no trailing period.
 
 ```text
 ✨ feat(docker): add health check endpoint
 🐛 fix: resolve socket EACCES (#38)
-♻️ refactor(store): simplify collection init
 ```
 
-## Testing
+Don't stress about getting the emoji/format perfect — the commit-msg hook will tell you if something's off, and the maintainer can fix it during merge.
+
+## Testing (optional for contributors)
+
+Tests are welcome but **not required** in your PR. The maintainer will add or update tests to maintain 100% coverage.
 
-- **Framework:** [Vitest](https://vitest.dev/) with globals enabled — no need to import `describe`, `test`, `expect`, or `vi`
-- **Coverage:** 100% thresholds enforced for both `app/` and `ui/` — new features and bug fixes must include tests
-- **Shared helpers:** `app/test/helpers.ts` and `app/test/mock-constructor.ts`
-- **Logger mock pattern** (used in most backend tests):
+If you do want to write tests:
+
+- **Framework:** [Vitest](https://vitest.dev/) with globals — no need to import `describe`, `test`, `expect`, or `vi`
+- **Run your test:** `npx vitest run path/to/your.test.ts`
+- **Logger mock** (backend tests usually need this):
 
   ```ts
   vi.mock('../../log/index.js', () => ({
@@ -115,37 +163,17 @@ Scope is optional. Subject line should be imperative, lowercase, no trailing per
   }));
   ```
 
-- **Mock hoisting constraint:** `vi.mock()` factory callbacks are hoisted above all imports. You **cannot** reference imported helpers inside them — only values from `vi.hoisted()` in the same file. Shared helpers can be used in test bodies and `beforeEach`, but not inside mock factories.
-
-## Pre-push checks
-
-[Lefthook](https://github.com/evilmartians/lefthook) runs a piped (sequential, fail-fast) pipeline on every `git push`:
-
-|Priority|Step|What it does|On Failure|
-|---|---|---|---|
-|0|`clean-tree`|Block push if uncommitted changes exist|Fail|
-|1|`ts-nocheck`|Rejects any `@ts-nocheck` directives|Fail|
-|2|`biome`|Biome lint and format check|Fail|
-|3|`qlty`|Full qlty lint pass (`qlty check --all`)|Fail|
-|4|`build-and-test`|Parallel build + test for both `app/` and `ui/`|Fail|
-|5|`e2e`|Cucumber E2E tests against a fresh Drydock instance|Fail|
-|6|`zizmor`|GitHub Actions workflow linting (blocking)|Fail|
-
-If lefthook passes locally, CI will pass. Fix any issues **before** pushing.
-
-## Documentation
-
-Documentation lives in `content/docs/` (MDX format, versioned by release) and is published to [getdrydock.com](https://getdrydock.com). When your code change affects user-facing behavior, include the corresponding documentation update in the same PR.
-
-CHANGELOG and README updates should accompany each logical change — don't batch them separately.
+- **Gotcha:** `vi.mock()` factories are hoisted above imports — you can't use imported helpers inside them. Use `vi.hoisted()` for values needed in mock factories.
 
 ## Pull requests
 
-- **Target branch:** `main` for bug fixes on the current release; the active feature branch for new features
-- Keep commits focused and atomic — one concern per commit
-- Ensure all pre-push checks pass before opening a PR
-- Include tests for new functionality and bug fixes
-- Update documentation when changing user-facing behavior
+- **Target:** `main` for bug fixes, the active feature branch for new features
+- **Size:** Smaller is better — one concern per PR when possible
+- **Tests/coverage:** Nice to have, not required. The maintainer handles it.
+- **Docs:** If your change affects user-facing behavior, a docs update in the same PR is appreciated but not mandatory.
+- **CI failures:** Don't worry about them. CI runs the full pipeline for visibility, but passing is the maintainer's responsibility.
+
+Draft PRs are welcome if you want early feedback before finishing.
 
 ## Reporting bugs
 
@@ -158,3 +186,41 @@ Open a [GitHub Issue](https://github.com/CodesWhat/drydock/issues) with steps to
 ## License
 
 By contributing, you agree that your contributions will be licensed under the [GNU Affero General Public License v3.0](LICENSE).
+
+---
+
+## Maintainer reference
+
+<details>
+<summary>Full quality pipeline (maintainers only)</summary>
+
+### Pre-push checks
+
+[Lefthook](https://github.com/evilmartians/lefthook) runs a piped (sequential, fail-fast) pipeline on every `git push`:
+
+| Priority | Step | What it does | On Failure |
+|---|---|---|---|
+| 0 | `clean-tree` | Rejects uncommitted changes | Fail |
+| 1 | `ts-nocheck` | Checks for `@ts-nocheck` directives | Fail |
+| 2 | `biome check` | Linting and formatting | Fail |
+| 3 | `qlty` | Static analysis (medium+ severity gate) | Fail |
+| 4 | `build-and-test` | Parallel builds + tests WITHOUT coverage | Fail |
+| 5 | `e2e` | End-to-end Cucumber tests | Fail |
+| 6 | `e2e-playwright` | Playwright browser tests | Fail |
+| 7 | `zizmor` | GitHub Actions security scanning | Fail |
+
+Coverage enforcement runs in the `pre-commit` hook (not pre-push). When coverage fails, `.coverage-gaps.json` contains exact files and uncovered lines.
+
+### Coverage policy
+
+100% line/branch/function/statement coverage is enforced for both `app/` and `ui/`. This is achievable because the project uses AI-assisted development for test generation. External contributors are not expected to meet this bar.
+
+### Mutation testing
+
+Stryker runs weekly (`.github/workflows/quality-mutation-weekly.yml`), advisory only. Use it as a quality signal, not a score target.
+
+### Paid security scans
+
+Snyk (Open Source, Code, Container, IaC) runs weekly via `.github/workflows/security-snyk-weekly.yml` to preserve monthly quotas.
+
+</details>
diff --git a/DEPRECATIONS.md b/DEPRECATIONS.md
index 7ed2ceb03..5b0f33cf2 100644
--- a/DEPRECATIONS.md
+++ b/DEPRECATIONS.md
@@ -18,15 +18,15 @@ OIDC providers configured with an `http://` discovery URL trigger `allowInsecure
 
 ---
 
-### SHA-1 Basic Auth Password Hashes
+### Legacy Basic Auth Password Hashes
 
 | | |
 | --- | --- |
 | **Deprecated in** | v1.4.0 |
 | **Removed in** | v1.6.0 |
-| **Affects** | `DD_AUTH_BASIC_*_HASH` values using `{SHA}<base64>` format |
+| **Affects** | `DD_AUTH_BASIC_*_HASH` values using `{SHA}`, `$apr1$`/`$1$` (MD5), `crypt`, or plain-text formats |
 
-Legacy SHA-1 `{SHA}` password hashes inherited from the upstream WUD project are accepted with deprecation warnings. SHA-1 is cryptographically broken and unsuitable for password hashing.
+Legacy password hash formats inherited from the upstream WUD project (`{SHA}`, APR1/MD5, crypt, and plain-text) are accepted with deprecation warnings. These formats are cryptographically weak and unsuitable for password hashing.
 
 **Migration:** Generate a new argon2id hash using the Drydock container and update your `DD_AUTH_BASIC_<name>_HASH` environment variable:
 
@@ -87,7 +87,7 @@ Setting `DD_SERVER_CORS_ENABLED=true` without specifying `DD_SERVER_CORS_ORIGIN`
 
 | | |
 | --- | --- |
-| **Deprecated in** | v1.2.0 |
+| **Deprecated in** | v1.4.0 |
 | **Removed in** | v1.6.0 |
 | **Affects** | Containers using `wud.*` labels (e.g., `wud.watch`, `wud.tag.include`) |
 
@@ -101,7 +101,7 @@ Legacy `wud.*` labels from the upstream WUD project are accepted as fallbacks fo
 
 | | |
 | --- | --- |
-| **Deprecated in** | v1.2.0 |
+| **Deprecated in** | v1.4.0 |
 | **Removed in** | v1.6.0 |
 | **Affects** | Configurations using `WUD_*` env vars (e.g., `WUD_AGENT_SECRET`) |
 
@@ -111,11 +111,51 @@ Legacy `WUD_*` environment variables are accepted as fallbacks for their `DD_*`
 
 ---
 
+### `curl` in Docker image
+
+| | |
+| --- | --- |
+| **Deprecated in** | v1.5.0 |
+| **Removed in** | v1.6.0 |
+| **Affects** | Custom `healthcheck:` overrides in compose files that use `curl` |
+
+The official Docker image previously included `curl` for custom healthcheck overrides. The built-in `HEALTHCHECK` now uses a lightweight static binary (`/bin/healthcheck`).
+
+**Migration:** Remove custom `healthcheck:` blocks from your drydock compose service — the image handles it automatically. If you need custom intervals, use `test: /bin/healthcheck ${DD_SERVER_PORT:-3000}`. See [Monitoring](https://getdrydock.com/docs/monitoring).
+
+---
+
+### Legacy trigger prefix inputs (`DD_TRIGGER_*`, `dd.trigger.*`)
+
+| | |
+| --- | --- |
+| **Deprecated in** | v1.5.0 |
+| **Removed in** | v1.7.0 |
+| **Affects** | Trigger configs using `DD_TRIGGER_*` env vars and container labels `dd.trigger.include` / `dd.trigger.exclude` |
+
+Legacy trigger prefixes are accepted as compatibility aliases while the trigger taxonomy moves to action/notification prefixes.
+
+**Migration:** Prefer `DD_ACTION_*` / `DD_NOTIFICATION_*` and `dd.action.*` / `dd.notification.*`.
+
+The migration CLI can rewrite legacy trigger prefixes for you:
+
+```bash
+# Preview changes
+node dist/index.js config migrate --source trigger --dry-run
+
+# Apply to specific files
+node dist/index.js config migrate --source trigger --file .env --file compose.yaml
+```
+
+The CLI rewrites legacy trigger keys to action-prefixed aliases by default (`DD_ACTION_*`, `dd.action.*`), which remain fully compatible.
+
+---
+
 ### `DD_WATCHER_{name}_WATCHDIGEST` environment variable
 
 | | |
 | --- | --- |
-| **Deprecated in** | v1.2.0 |
+| **Deprecated in** | v1.4.0 |
 | **Removed in** | v1.6.0 |
 | **Affects** | Configurations using `DD_WATCHER_{name}_WATCHDIGEST` |
 
@@ -129,7 +169,7 @@ The `WATCHDIGEST` env var is deprecated. Use the `dd.watch.digest=true` containe
 
 | | |
 | --- | --- |
-| **Deprecated in** | v1.2.0 |
+| **Deprecated in** | v1.4.0 |
 | **Removed in** | v1.6.0 |
 | **Affects** | Configurations using `DD_WATCHER_{name}_WATCHATSTART` |
 
@@ -171,7 +211,7 @@ Kafka trigger configuration now uses `clientid` (lowercase) as the canonical key
 
 | | |
 | --- | --- |
-| **Deprecated in** | v1.3.0 |
+| **Deprecated in** | v1.4.0 |
 | **Removed in** | v1.6.0 |
 | **Affects** | `DD_REGISTRY_HUB_PUBLIC_TOKEN`, `DD_REGISTRY_DHI_TOKEN`, and similar token-auth env vars |
 
diff --git a/Dockerfile b/Dockerfile
index 220eb3e6b..09a104da9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,24 +12,28 @@ ENV WORKDIR=/home/node/app
 ENV DD_LOG_FORMAT=text
 ENV DD_VERSION=$DD_VERSION
 
-HEALTHCHECK --interval=30s --timeout=5s CMD ["sh", "-c", "if [ -n \"$DD_SERVER_ENABLED\" ] && [ \"$DD_SERVER_ENABLED\" != 'true' ]; then exit 0; fi; if [ \"$DD_SERVER_TLS_ENABLED\" = 'true' ]; then curl --fail --insecure https://localhost:${DD_SERVER_PORT:-3000}/health || exit 1; else curl --fail http://localhost:${DD_SERVER_PORT:-3000}/health || exit 1; fi"]
+HEALTHCHECK --interval=30s --timeout=5s CMD ["sh", "-c", "if [ -n \"$DD_SERVER_ENABLED\" ] && [ \"$DD_SERVER_ENABLED\" != 'true' ]; then exit 0; fi; /bin/healthcheck ${DD_SERVER_PORT:-3000}"]
 
 # Install system packages, trivy, and cosign
-# hadolint ignore=DL3018,DL3028,DL4006
 RUN apk add --no-cache \
-    bash \
-    curl \
-    git \
-    jq \
-    openssl \
-    su-exec \
-    tini \
-    tzdata \
-    && apk add --no-cache cosign \
+    bash=5.3.3-r1 \
+    git=2.52.0-r0 \
+    jq=1.8.1-r0 \
+    openssl=3.5.5-r0 \
+    su-exec=0.3-r0 \
+    tini=0.19.0-r3 \
+    tzdata=2026a-r0 \
+    && apk add --no-cache cosign=2.4.3-r11 \
     && apk add --no-cache --repository=https://dl-cdn.alpinelinux.org/alpine/edge/testing trivy=0.69.3-r1 \
     && apk upgrade --no-cache zlib \
     && mkdir /store && chown node:node /store
 
+# Build stage for healthcheck binary (~65KB static binary)
+FROM alpine:3.21@sha256:c3f8e73fdb79deaebaa2037150150191b9dcbfba68b4a46d70103204c53f4709 AS healthcheck-build
+RUN apk add --no-cache gcc=14.2.0-r4 musl-dev=1.2.5-r9
+COPY healthcheck.c /src/healthcheck.c
+RUN gcc -Os -static -s -o /bin/healthcheck /src/healthcheck.c
+
 # Build stage for backend app
 FROM base AS app-build
 
@@ -62,13 +66,17 @@ RUN npm run build
 
 # Release stage
 FROM base AS release
-ENV DD_LOG_FORMAT=json
+ENV DD_LOG_FORMAT=text
 
 # Remove unnecessary network utilities (busybox symlinks) and npm to reduce attack surface.
-# curl is kept for the HEALTHCHECK probe; npm is only needed during build stages.
+# curl is kept for backward compatibility with user-defined HEALTHCHECK overrides;
+# it will be removed in v1.6.0 — use the built-in /bin/healthcheck binary instead.
 RUN rm -f /usr/bin/wget /usr/bin/nc \
     && rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
 
+# Copy healthcheck binary (65KB static, replaces curl for HEALTHCHECK probe)
+COPY --from=healthcheck-build /bin/healthcheck /bin/healthcheck
+
 # Default entrypoint
 COPY --chmod=755 Docker.entrypoint.sh /usr/bin/entrypoint.sh
 ENTRYPOINT ["tini", "-g", "--", "/usr/bin/entrypoint.sh"]
diff --git a/README.md b/README.md
index 77615bf9e..c389c07a8 100644
--- a/README.md
+++ b/README.md
@@ -16,8 +16,8 @@
 </div>
 
 <p align="center">
-  <a href="https://github.com/CodesWhat/drydock/releases"><img src="https://img.shields.io/badge/version-1.4.5-blue" alt="Version"></a>
-  <a href="https://github.com/CodesWhat/drydock/pkgs/container/drydock"><img src="https://img.shields.io/badge/GHCR-40K%2B_pulls-2ea44f?logo=github&logoColor=white" alt="GHCR pulls"></a>
+  <a href="https://github.com/CodesWhat/drydock/releases"><img src="https://img.shields.io/badge/version-1.5.0-blue" alt="Version"></a>
+  <a href="https://github.com/CodesWhat/drydock/pkgs/container/drydock"><img src="https://img.shields.io/badge/GHCR-50K%2B_pulls-2ea44f?logo=github&logoColor=white" alt="GHCR pulls"></a>
   <a href="https://hub.docker.com/r/codeswhat/drydock"><img src="https://img.shields.io/docker/pulls/codeswhat/drydock?logo=docker&logoColor=white&label=Docker+Hub" alt="Docker Hub pulls"></a>
   <a href="https://quay.io/repository/codeswhat/drydock"><img src="https://img.shields.io/badge/Quay.io-image-ee0000?logo=redhat&logoColor=white" alt="Quay.io"></a>
   <br>
@@ -40,11 +40,12 @@
 </p>
 
 <p align="center">
-  <a href="https://github.com/CodesWhat/drydock/actions/workflows/ci.yml"><img src="https://github.com/CodesWhat/drydock/actions/workflows/ci.yml/badge.svg?branch=main" alt="CI"></a>
+  <a href="https://github.com/CodesWhat/drydock/actions/workflows/ci-verify.yml"><img src="https://github.com/CodesWhat/drydock/actions/workflows/ci-verify.yml/badge.svg?branch=main" alt="CI"></a>
   <a href="https://www.bestpractices.dev/projects/11915"><img src="https://www.bestpractices.dev/projects/11915/badge" alt="OpenSSF Best Practices"></a>
   <a href="https://securityscorecards.dev/viewer/?uri=github.com/CodesWhat/drydock"><img src="https://img.shields.io/ossf-scorecard/github.com/CodesWhat/drydock?label=openssf+scorecard&style=flat" alt="OpenSSF Scorecard"></a>
   <br>
   <a href="https://app.codecov.io/gh/CodesWhat/drydock"><img src="https://codecov.io/gh/CodesWhat/drydock/graph/badge.svg?token=b90d4863-46c5-40d2-bf00-f6e4a79c8656" alt="Codecov"></a>
+  <a href="https://dashboard.stryker-mutator.io/reports/github.com/CodesWhat/drydock/main"><img src="https://img.shields.io/endpoint?style=flat&url=https%3A%2F%2Fbadge-api.stryker-mutator.io%2Fgithub.com%2FCodesWhat%2Fdrydock%2Fmain" alt="Mutation testing"></a>
   <a href="https://qlty.sh/gh/CodesWhat/projects/drydock"><img src="https://qlty.sh/gh/CodesWhat/projects/drydock/maintainability.svg" alt="Maintainability"></a>
   <a href="https://snyk.io/test/github/CodesWhat/drydock?targetFile=app/package.json"><img src="https://snyk.io/test/github/CodesWhat/drydock/badge.svg?targetFile=app/package.json" alt="Snyk"></a>
 </p>
@@ -55,13 +56,13 @@
 
 - [📖 Documentation](https://getdrydock.com/docs)
 - [🚀 Quick Start](#quick-start)
+- [🆕 Recent Updates](#recent-updates)
 - [📸 Screenshots & Live Demo](#screenshots)
 - [✨ Features](#features)
 - [🔌 Supported Integrations](#supported-integrations)
 - [⚖️ Feature Comparison](#feature-comparison)
 - [🔄 Migration](#migration)
 - [🗺️ Roadmap](#roadmap)
-- [📖 Documentation](#documentation)
 - [⭐ Star History](#star-history)
 - [🔧 Built With](#built-with)
 - [🤝 Community QA](#community-qa)
@@ -145,6 +146,19 @@ See the [Quick Start guide](https://getdrydock.com/docs/quickstart) for Docker C
 
 <hr>
 
+<h2 align="center" id="recent-updates">🆕 Recent Updates</h2>
+
+- **Real-time container log viewer** — WebSocket-based live log streaming with ANSI color rendering, JSON syntax highlighting, regex search, and gzip download.
+- **Dashboard customization** — Drag-to-reorder, resize, and per-widget visibility toggles with a dedicated edit mode.
+- **Digest notifications** — Batch update events with `MODE=digest` and configurable `DIGESTCRON`.
+- **Design system components** — `AppIconButton`, `AppBadge`, `StatusDot`, `DetailField`, `AppTabBar` with WCAG 2.5.8 touch targets.
+- **Floating tag detection** — `tagPrecision` classifier warns when mutable aliases like `v3` are used without digest watching.
+- **Podman compatibility** — API version negotiation prevents `EAI_AGAIN` crashes with Podman socket connections.
+- **Bearer token auth for `/metrics`** — `DD_SERVER_METRICS_TOKEN` for Prometheus scrapers without session auth.
+- **Toast notifications** — Success/error feedback for all container actions with auto-dismiss.
+
+<hr>
+
 <h2 align="center" id="screenshots">📸 Screenshots & Live Demo</h2>
 
 <table>
@@ -222,7 +236,7 @@ Start, stop, restart, and update containers from the UI or API with feature-flag
 </td>
 <td align="center" width="33%">
 <h3>Webhook API</h3>
-Token-authenticated HTTP endpoints with per-endpoint token support for CI/CD integration to trigger watch cycles and updates
+Token-authenticated CI/CD endpoints for watch/update actions plus signed registry webhook ingestion for push events
 </td>
 <td align="center" width="33%">
 <h3>Container Grouping</h3>
@@ -231,6 +245,20 @@ Smart stack detection via compose project or labels with collapsible groups and
 </tr>
 <tr>
 <td align="center" width="33%">
+<h3>Digest Notifications</h3>
+Batch update events over a schedule with trigger `MODE=digest` and configurable digest cron windows
+</td>
+<td align="center" width="33%">
+<h3>System Log Streaming</h3>
+Real-time WebSocket system log view in the UI with shared log viewer components
+</td>
+<td align="center" width="33%">
+<h3>Advanced List API</h3>
+Container list supports queryable sort/order, watched-kind, runtime status, watcher, and maturity filters
+</td>
+</tr>
+<tr>
+<td align="center" width="33%">
 <h3>Lifecycle Hooks</h3>
 Pre/post-update shell commands via container labels with configurable timeout and abort control
 </td>
@@ -275,7 +303,7 @@ Apprise · Command · Discord · Docker · Docker Compose · Google Chat · Goti
 
 Anonymous (opt-in via `DD_ANONYMOUS_AUTH_CONFIRM=true`) · Basic (username + password hash) · OIDC (Authelia, Auth0, Authentik). All auth flows fail closed by default.
 
-API note: `POST /api/containers/:id/env/reveal` is currently scoped to authentication only (no per-container RBAC yet), so any authenticated user is treated as a trusted operator for secret reveal actions.
+API note: `POST /api/v1/containers/:id/env/reveal` is currently scoped to authentication only (no per-container RBAC yet), so any authenticated user is treated as a trusted operator for secret reveal actions. The unversioned `/api/containers/:id/env/reveal` alias remains available during the API-version transition.
 
 OpenAPI note: machine-readable API docs are available at `GET /api/v1/openapi.json` (canonical) and `GET /api/openapi.json` (compatibility alias during transition).
 
@@ -326,11 +354,12 @@ Trivy-powered vulnerability scanning blocks unsafe updates before they deploy. I
 <tr><td>Semver-aware updates</td><td align="center">✅</td><td align="center">✅</td><td align="center">✅</td><td align="center">❌</td><td align="center">❌</td></tr>
 <tr><td>Digest watching</td><td align="center">✅</td><td align="center">✅</td><td align="center">✅</td><td align="center">✅</td><td align="center">✅</td></tr>
 <tr><td>Multi-arch (amd64/arm64)</td><td align="center">✅</td><td align="center">✅</td><td align="center">✅</td><td align="center">✅</td><td align="center">✅</td></tr>
+<tr><td>Container log viewer</td><td align="center">✅</td><td align="center">❌</td><td align="center">❌</td><td align="center">❌</td><td align="center">❌</td></tr>
 <tr><td>Actively maintained</td><td align="center">✅</td><td align="center">✅</td><td align="center">✅</td><td align="center">❌</td><td align="center">❌</td></tr>
 </tbody>
 </table>
 
-> Data based on publicly available documentation as of February 2026.
+> Data based on publicly available documentation as of March 2026.
 > Contributions welcome if any information is inaccurate.
 
 </details>
@@ -358,17 +387,17 @@ Drop-in replacement — swap the image, restart, done. All `WUD_*` env vars and
 | **v1.4.2** ✅ | Bug Fixes | Watcher container count fix (#155), container recreate alias filtering (#156), stale store data fix (#157), CI versioned-only images (#154), maturity badge sizing, dependency upgrades |
 | **v1.4.3** ✅ | DNS & Security | Configurable DNS result ordering for Alpine EAI_AGAIN fix (#161), Docker socket security guide, zizmor blocking in CI, scoped GitHub environments |
 | **v1.4.4** ✅ | UI Polish & Hardening | Alias dedup hardening with 30s transient window (#156), dashboard host-status for remote watchers (#155), tooltip viewport fix (#165), click-to-copy version tags (#164), Simple Icons dark mode inversion, theme switcher fix, search button polish, URL rebrand to getdrydock.com |
-| **v1.5.0** | Observability & User-Requested Features | Real-time log viewer, container resource monitoring, registry webhooks, auth endpoint telemetry/guardrails, image maturity/sort-by-age indicator, URL-driven filter/sort state, release notes in UI & notifications, smart tag suggestions, digest check deduplication, Podman setup docs |
+| **v1.5.0** ✅ | Observability & User-Requested Features | Real-time WebSocket log viewer with ANSI colors + JSON syntax highlighting, dashboard customization (grid layout, drag, resize, widget visibility), container resource monitoring (CPU/memory stats + dashboard widget), diagnostic debug dump, registry webhook receiver, trigger env var aliases (`DD_ACTION_*`/`DD_NOTIFICATION_*`), digest notification mode, design system components (WCAG touch targets, shared primitives), floating tag detection + auto digest watching, bearer token auth for `/metrics`, Podman API version negotiation, toast notifications for all container actions, UI standardization (margins, text sizes, deprecation banners) |
 | **v1.5.1** | Scanner Decoupling | Backend-based scanner execution (docker/remote), Grype provider, scanner asset lifecycle |
-| **v1.6.0** | Notifications & Release Intel | Notification templates, MS Teams & Matrix triggers, remove all deprecated compatibility aliases (see [DEPRECATIONS.md](DEPRECATIONS.md)) |
-| **v1.7.0** | Smart Updates & UX | Dependency-aware ordering, clickable port links, image prune, static image monitoring, dashboard customization |
-| **v1.8.0** | Fleet Management & Live Config | YAML config, live UI config panels, volume browser, parallel updates, SQLite store migration, i18n framework |
+| **v1.6.0** | Notifications & Release Intel | Notification templates, release notes in notifications, notification preferences UI, cross-device preference sync, software version column, bidirectional MQTT for HA, remove all deprecated compatibility aliases (see [DEPRECATIONS.md](DEPRECATIONS.md)) |
+| **v1.7.0** | Smart Updates & UX | Dependency-aware ordering, clickable port links, image prune, static image monitoring, image maturity indicator, keyboard shortcuts, container uptime display, PWA support, debounced container discovery |
+| **v1.8.0** | Fleet Management & Live Config | YAML config, live UI config panels, volume browser, parallel updates, SQLite store migration + ID-based container identity, i18n framework + Crowdin integration |
 | **v2.0.0** | Platform Expansion | Docker Swarm, Kubernetes watchers and triggers, basic GitOps |
 | **v2.1.0** | Advanced Deployment Patterns | Health check gates, canary deployments, durable self-update controller |
 | **v2.2.0** | Container Operations | Web terminal, file browser, image building, basic Podman support |
 | **v2.3.0** | Automation & Developer Experience | API keys, passkey auth, TOTP 2FA, TypeScript actions, CLI |
 | **v2.4.0** | Data Safety & Templates | Scheduled backups (S3, SFTP), compose templates, secret management |
-| **v3.0.0** | Advanced Platform | Network topology, GPU monitoring, full i18n translations |
+| **v3.0.0** | Advanced Platform | Network topology, GPU monitoring, full i18n translations + RTL |
 | **v3.1.0** | Enterprise Access & Compliance | RBAC, LDAP/AD, environment-scoped permissions, audit logging, Wolfi hardened image |
 | **v3.2.0** | Drydock Socket Proxy | Built-in companion proxy container (allowlist-filtered Docker API), rootless Docker & remote TLS security docs |
 
@@ -395,12 +424,8 @@ Drop-in replacement — swap the image, restart, done. All `WUD_*` env vars and
 <a id="star-history"></a>
 
 <div align="center">
-  <a href="https://www.star-history.com/#CodesWhat/drydock&type=timeline&legend=top-left">
-    <picture>
-      <source media="(prefers-color-scheme: dark)" srcset="https://api.star-history.com/svg?repos=CodesWhat/drydock&type=timeline&theme=dark&legend=top-left" />
-      <source media="(prefers-color-scheme: light)" srcset="https://api.star-history.com/svg?repos=CodesWhat/drydock&type=timeline&legend=top-left" />
-      <img alt="Star History Chart" src="https://api.star-history.com/svg?repos=CodesWhat/drydock&type=timeline&legend=top-left" />
-    </picture>
+  <a href="https://star-history.com/#CodesWhat/drydock&Date">
+    <img alt="Star History Chart" src="https://api.star-history.com/svg?repos=CodesWhat/drydock&type=Date" />
   </a>
 </div>
 
@@ -425,9 +450,9 @@ Drop-in replacement — swap the image, restart, done. All `WUD_*` env vars and
 
 ### Community QA
 
-Thanks to the users who helped test v1.4.0 release candidates and reported bugs:
+Thanks to the users who helped test v1.4.0 and v1.5.0 release candidates and reported bugs:
 
-[@RK62](https://github.com/RK62) &middot; [@flederohr](https://github.com/flederohr) &middot; [@rj10rd](https://github.com/rj10rd) &middot; [@larueli](https://github.com/larueli) &middot; [@Waler](https://github.com/Waler) &middot; [@ElVit](https://github.com/ElVit) &middot; [@nchieffo](https://github.com/nchieffo)
+[@RK62](https://github.com/RK62) &middot; [@flederohr](https://github.com/flederohr) &middot; [@rj10rd](https://github.com/rj10rd) &middot; [@larueli](https://github.com/larueli) &middot; [@Waler](https://github.com/Waler) &middot; [@ElVit](https://github.com/ElVit) &middot; [@nchieffo](https://github.com/nchieffo) &middot; [@begunfx](https://github.com/begunfx) &middot; [@Ra72xx](https://github.com/Ra72xx)
 
 ---
 
diff --git a/SECURITY.md b/SECURITY.md
index 732995788..12cfe147f 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -4,9 +4,8 @@
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 1.4.x   | :white_check_mark: |
-| 1.3.x   | :white_check_mark: |
-| < 1.3   | :x:                |
+| latest  | :white_check_mark: |
+| < latest | :x:               |
 
 ## Reporting a Vulnerability
 
diff --git a/app/agent/AgentClient.test.ts b/app/agent/AgentClient.test.ts
index d301cfb1f..1c24c9453 100644
--- a/app/agent/AgentClient.test.ts
+++ b/app/agent/AgentClient.test.ts
@@ -25,6 +25,7 @@ vi.mock('../event/index.js', () => ({
   emitAgentConnected: vi.fn().mockResolvedValue(undefined),
   emitAgentDisconnected: vi.fn().mockResolvedValue(undefined),
   emitContainerReport: vi.fn(),
+  emitContainerReports: vi.fn(),
 }));
 vi.mock('../registry/index.js', () => ({
   deregisterAgentComponents: vi.fn(),
@@ -291,6 +292,140 @@ describe('AgentClient', () => {
         expect.objectContaining({ changed: false }),
       );
     });
+
+    test('should ignore invalid ids when managing pending freshness state', () => {
+      const internal = client as unknown as {
+        markPendingFreshState: (containerId: unknown) => void;
+        clearPendingFreshState: (containerId: unknown) => void;
+        pendingFreshStateAfterRemoteUpdate: Set<string>;
+      };
+
+      internal.pendingFreshStateAfterRemoteUpdate.add('c1');
+      internal.markPendingFreshState(undefined);
+      internal.markPendingFreshState('');
+      internal.clearPendingFreshState(undefined);
+      internal.clearPendingFreshState('');
+
+      expect([...internal.pendingFreshStateAfterRemoteUpdate]).toEqual(['c1']);
+    });
+
+    test('should preserve cleared updateAvailable for stale incremental events after remote update', async () => {
+      axios.post.mockResolvedValue({ data: {} });
+      const existing = {
+        id: 'c1',
+        updateAvailable: false,
+        resultChanged: vi.fn().mockReturnValue(true),
+      };
+      storeContainer.getContainer.mockReturnValue(existing);
+      storeContainer.updateContainer.mockReturnValue({
+        id: 'c1',
+        updateAvailable: false,
+      });
+
+      await client.runRemoteTrigger({ id: 'c1' }, 'docker', 'update');
+      await client.handleEvent('dd:container-updated', {
+        id: 'c1',
+        name: 'test',
+        updateAvailable: true,
+      });
+
+      expect(storeContainer.updateContainer).toHaveBeenCalledWith(
+        expect.objectContaining({
+          id: 'c1',
+          name: 'test',
+          agent: 'test-agent',
+          updateAvailable: false,
+        }),
+      );
+      expect(event.emitContainerReport).toHaveBeenCalledWith(
+        expect.objectContaining({ changed: false }),
+      );
+    });
+
+    test('should clear stale update suppression after agent reports updateAvailable false', async () => {
+      axios.post.mockResolvedValue({ data: {} });
+      const existing = {
+        id: 'c1',
+        updateAvailable: false,
+        resultChanged: vi.fn().mockReturnValue(true),
+      };
+      storeContainer.getContainer.mockReturnValue(existing);
+      storeContainer.updateContainer
+        .mockReturnValueOnce({
+          id: 'c1',
+          updateAvailable: false,
+        })
+        .mockReturnValueOnce({
+          id: 'c1',
+          updateAvailable: true,
+        });
+
+      await client.runRemoteTrigger({ id: 'c1' }, 'docker', 'update');
+      await client.handleEvent('dd:container-updated', {
+        id: 'c1',
+        name: 'test',
+        updateAvailable: false,
+      });
+      await client.handleEvent('dd:container-updated', {
+        id: 'c1',
+        name: 'test',
+        updateAvailable: true,
+      });
+
+      expect(storeContainer.updateContainer).toHaveBeenNthCalledWith(
+        1,
+        expect.objectContaining({
+          id: 'c1',
+          name: 'test',
+          agent: 'test-agent',
+          updateAvailable: false,
+        }),
+      );
+      expect(storeContainer.updateContainer).toHaveBeenNthCalledWith(
+        2,
+        expect.objectContaining({
+          id: 'c1',
+          name: 'test',
+          agent: 'test-agent',
+          updateAvailable: true,
+        }),
+      );
+    });
+
+    test('should accept authoritative watcher snapshot state after remote update suppression', async () => {
+      axios.post.mockResolvedValue({ data: {} });
+      const existing = {
+        id: 'c1',
+        updateAvailable: false,
+        resultChanged: vi.fn().mockReturnValue(true),
+      };
+      storeContainer.getContainer.mockReturnValue(existing);
+      storeContainer.updateContainer.mockReturnValue({
+        id: 'c1',
+        watcher: 'local',
+        updateAvailable: true,
+      });
+      storeContainer.getContainers.mockReturnValue([]);
+
+      await client.runRemoteTrigger({ id: 'c1' }, 'docker', 'update');
+      await client.handleEvent('dd:watcher-snapshot', {
+        watcher: { type: 'docker', name: 'local' },
+        containers: [{ id: 'c1', name: 'test', watcher: 'local', updateAvailable: true }],
+      });
+
+      expect(storeContainer.updateContainer).toHaveBeenCalledWith(
+        expect.objectContaining({
+          id: 'c1',
+          name: 'test',
+          watcher: 'local',
+          agent: 'test-agent',
+          updateAvailable: true,
+        }),
+      );
+      expect(event.emitContainerReport).toHaveBeenCalledWith(
+        expect.objectContaining({ changed: true }),
+      );
+    });
   });
 
   describe('handshake', () => {
@@ -329,6 +464,38 @@ describe('AgentClient', () => {
       expect(event.emitAgentConnected).toHaveBeenCalledWith({ agentName: 'test-agent' });
     });
 
+    test('should emit batched container reports after handshake processing', async () => {
+      axios.get
+        .mockResolvedValueOnce({
+          data: [
+            { id: 'c1', name: 'one', watcher: 'local' },
+            { id: 'c2', name: 'two', watcher: 'local' },
+          ],
+        })
+        .mockResolvedValueOnce({ data: [] })
+        .mockResolvedValueOnce({ data: [] });
+
+      storeContainer.getContainer.mockReturnValue(undefined);
+      storeContainer.insertContainer.mockImplementation((container) => ({
+        ...container,
+        updateAvailable: true,
+      }));
+      storeContainer.getContainers.mockReturnValue([]);
+
+      await client.handshake();
+
+      expect(event.emitContainerReports).toHaveBeenCalledWith([
+        expect.objectContaining({
+          changed: true,
+          container: expect.objectContaining({ id: 'c1', agent: 'test-agent' }),
+        }),
+        expect.objectContaining({
+          changed: true,
+          container: expect.objectContaining({ id: 'c2', agent: 'test-agent' }),
+        }),
+      ]);
+    });
+
     test('should not emit agent-connected when already connected', async () => {
       client.isConnected = true;
       axios.get
@@ -720,6 +887,96 @@ describe('AgentClient', () => {
       expect(storeContainer.deleteContainer).toHaveBeenCalledWith('c1');
     });
 
+    test('should reconcile watcher snapshot by processing current containers and pruning missing ones', async () => {
+      const processSpy = vi.spyOn(client, 'processContainer').mockResolvedValue(undefined);
+      const containersInStore = [
+        { id: 'c1', name: 'current', watcher: 'local', agent: 'test-agent' },
+        { id: 'c2', name: 'stale-old', watcher: 'local', agent: 'test-agent' },
+        { id: 'c3', name: 'other-watcher', watcher: 'remote', agent: 'test-agent' },
+      ];
+      storeContainer.getContainers.mockImplementation((query = {}) =>
+        containersInStore.filter(
+          (container) =>
+            (!query.agent || container.agent === query.agent) &&
+            (!query.watcher || container.watcher === query.watcher),
+        ),
+      );
+
+      await client.handleEvent('dd:watcher-snapshot', {
+        watcher: { type: 'docker', name: 'local' },
+        containers: [{ id: 'c1', name: 'current', watcher: 'local' }],
+      });
+
+      expect(processSpy).toHaveBeenCalledWith({ id: 'c1', name: 'current', watcher: 'local' });
+      expect(storeContainer.deleteContainer).toHaveBeenCalledWith('c2');
+      expect(storeContainer.deleteContainer).not.toHaveBeenCalledWith('c3');
+    });
+
+    test('should emit batched container reports for watcher snapshots', async () => {
+      storeContainer.getContainer.mockReturnValue(undefined);
+      storeContainer.insertContainer.mockImplementation((container) => ({
+        ...container,
+        updateAvailable: true,
+      }));
+      storeContainer.getContainers.mockReturnValue([]);
+
+      await client.handleEvent('dd:watcher-snapshot', {
+        watcher: { type: 'docker', name: 'local' },
+        containers: [
+          { id: 'c1', name: 'current', watcher: 'local' },
+          { id: 'c2', name: 'next', watcher: 'local' },
+        ],
+      });
+
+      expect(event.emitContainerReports).toHaveBeenCalledWith([
+        expect.objectContaining({
+          changed: true,
+          container: expect.objectContaining({ id: 'c1', agent: 'test-agent' }),
+        }),
+        expect.objectContaining({
+          changed: true,
+          container: expect.objectContaining({ id: 'c2', agent: 'test-agent' }),
+        }),
+      ]);
+    });
+
+    test('should prune all containers for a watcher when a watcher snapshot is empty', async () => {
+      const containersInStore = [
+        { id: 'c1', name: 'stale-1', watcher: 'local', agent: 'test-agent' },
+        { id: 'c2', name: 'stale-2', watcher: 'local', agent: 'test-agent' },
+        { id: 'c3', name: 'other-watcher', watcher: 'remote', agent: 'test-agent' },
+      ];
+      storeContainer.getContainers.mockImplementation((query = {}) =>
+        containersInStore.filter(
+          (container) =>
+            (!query.agent || container.agent === query.agent) &&
+            (!query.watcher || container.watcher === query.watcher),
+        ),
+      );
+
+      await client.handleEvent('dd:watcher-snapshot', {
+        watcher: { type: 'docker', name: 'local' },
+        containers: [],
+      });
+
+      expect(storeContainer.deleteContainer).toHaveBeenCalledWith('c1');
+      expect(storeContainer.deleteContainer).toHaveBeenCalledWith('c2');
+      expect(storeContainer.deleteContainer).not.toHaveBeenCalledWith('c3');
+    });
+
+    test('should ignore invalid watcher snapshot payloads without pruning', async () => {
+      const processSpy = vi.spyOn(client, 'processContainer').mockResolvedValue(undefined);
+
+      await client.handleEvent('dd:watcher-snapshot', {
+        watcher: { type: 'docker', name: 42 },
+        containers: { id: 'c1' },
+      });
+
+      expect(processSpy).not.toHaveBeenCalled();
+      expect(storeContainer.deleteContainer).not.toHaveBeenCalled();
+      expect(storeContainer.getContainers).not.toHaveBeenCalled();
+    });
+
     test('should ignore unknown event types', async () => {
       const processSpy = vi.spyOn(client, 'processContainer');
       await client.handleEvent('dd:unknown', {});
@@ -747,6 +1004,89 @@ describe('AgentClient', () => {
       );
     });
 
+    test('should stringify non-object remote trigger failures', async () => {
+      axios.post.mockRejectedValue('trigger failed as string');
+
+      await expect(client.runRemoteTrigger({ id: 'c1' }, 'docker', 'update')).rejects.toThrow(
+        'trigger failed as string',
+      );
+    });
+
+    test('should fall back to generic error message when remote payload is not an object', async () => {
+      axios.post.mockRejectedValue({
+        message: 'Request failed with status code 500',
+        response: {
+          status: 500,
+          data: 'unexpected response shape',
+        },
+      });
+
+      await expect(client.runRemoteTrigger({ id: 'c1' }, 'docker', 'update')).rejects.toThrow(
+        'Request failed with status code 500',
+      );
+    });
+
+    test('should fall back to transport error message when remote payload has no error field', async () => {
+      axios.post.mockRejectedValue({
+        message: 'Request failed with status code 500',
+        response: {
+          status: 500,
+          data: {
+            details: {
+              reason: 'No watcher found',
+            },
+          },
+        },
+      });
+
+      await expect(client.runRemoteTrigger({ id: 'c1' }, 'docker', 'update')).rejects.toThrow(
+        'Request failed with status code 500',
+      );
+    });
+
+    test('should rethrow original error preserving response for proxy forwarding', async () => {
+      const axiosError = {
+        message: 'Request failed with status code 500',
+        response: {
+          status: 500,
+          data: {
+            error: 'Error when running trigger docker.update',
+            details: {
+              reason: 'No watcher found for container c1 (docker.default)',
+            },
+          },
+        },
+      };
+      axios.post.mockRejectedValue(axiosError);
+
+      await expect(client.runRemoteTrigger({ id: 'c1' }, 'docker', 'update')).rejects.toBe(
+        axiosError,
+      );
+      // Original error is rethrown with response intact for proxy forwarding
+      expect(axiosError.response.status).toBe(500);
+      expect(axiosError.response.data.details.reason).toBe(
+        'No watcher found for container c1 (docker.default)',
+      );
+    });
+
+    test('should rethrow original error when details lack reason field', async () => {
+      const axiosError = {
+        message: 'Request failed with status code 500',
+        response: {
+          status: 500,
+          data: {
+            error: 'Error when running trigger docker.update',
+            details: { info: 'missing reason field' },
+          },
+        },
+      };
+      axios.post.mockRejectedValue(axiosError);
+
+      await expect(client.runRemoteTrigger({ id: 'c1' }, 'docker', 'update')).rejects.toBe(
+        axiosError,
+      );
+    });
+
     test('should encode path segments to prevent SSRF', async () => {
       axios.post.mockResolvedValue({ data: {} });
       await client.runRemoteTrigger({ id: 'c1' }, '../admin', '../../etc/passwd');
@@ -769,6 +1109,36 @@ describe('AgentClient', () => {
       );
     });
 
+    test('should not preserve stale updateAvailable after non-update batch triggers', async () => {
+      axios.post.mockResolvedValue({ data: {} });
+      const existing = {
+        id: 'c1',
+        updateAvailable: false,
+        resultChanged: vi.fn().mockReturnValue(true),
+      };
+      storeContainer.getContainer.mockReturnValue(existing);
+      storeContainer.updateContainer.mockReturnValue({
+        id: 'c1',
+        updateAvailable: true,
+      });
+
+      await client.runRemoteTriggerBatch([{ id: 'c1' }], 'mock', 'notify');
+      await client.handleEvent('dd:container-updated', {
+        id: 'c1',
+        name: 'test',
+        updateAvailable: true,
+      });
+
+      expect(storeContainer.updateContainer).toHaveBeenCalledWith(
+        expect.objectContaining({
+          id: 'c1',
+          name: 'test',
+          agent: 'test-agent',
+          updateAvailable: true,
+        }),
+      );
+    });
+
     test('should throw on failure', async () => {
       axios.post.mockRejectedValue(new Error('batch failed'));
       await expect(client.runRemoteTriggerBatch([], 'docker', 'update')).rejects.toThrow(
diff --git a/app/agent/AgentClient.ts b/app/agent/AgentClient.ts
index abdf9c043..942fe078c 100644
--- a/app/agent/AgentClient.ts
+++ b/app/agent/AgentClient.ts
@@ -3,13 +3,19 @@ import https from 'node:https';
 import { StringDecoder } from 'node:string_decoder';
 import axios, { type AxiosRequestConfig } from 'axios';
 import type { Logger } from 'pino';
-import { emitAgentConnected, emitAgentDisconnected, emitContainerReport } from '../event/index.js';
+import {
+  emitAgentConnected,
+  emitAgentDisconnected,
+  emitContainerReport,
+  emitContainerReports,
+} from '../event/index.js';
 import logger from '../log/index.js';
 import { sanitizeLogParam } from '../log/sanitize.js';
 import type { Container, ContainerReport } from '../model/container.js';
 import * as registry from '../registry/index.js';
 import { resolveConfiguredPath } from '../runtime/paths.js';
 import * as storeContainer from '../store/container.js';
+import { getErrorMessage } from '../util/error.js';
 
 export interface AgentClientConfig {
   host: string;
@@ -32,8 +38,43 @@ interface AgentClientRuntimeInfo {
   pollInterval?: string;
 }
 
+interface AgentComponentDescriptor {
+  type: string;
+  name: string;
+  configuration: Record<string, unknown>;
+}
+
+interface AgentRuntimeAckPayload {
+  version?: unknown;
+  os?: unknown;
+  arch?: unknown;
+  cpus?: unknown;
+  memoryGb?: unknown;
+  uptimeSeconds?: unknown;
+  lastSeen?: unknown;
+}
+
+interface AgentSsePayload {
+  type?: unknown;
+  data?: unknown;
+}
+
+interface WatcherSnapshotPayload {
+  watcher?: {
+    type?: unknown;
+    name?: unknown;
+  };
+  containers?: unknown;
+}
+
+interface RemoteTriggerErrorPayload {
+  error?: unknown;
+  details?: unknown;
+}
+
 const INITIAL_SSE_RECONNECT_DELAY_MS = 1_000;
 const MAX_SSE_RECONNECT_DELAY_MS = 60_000;
+const REMOTE_UPDATE_TRIGGER_TYPES = new Set(['docker', 'dockercompose']);
 
 export class AgentClient {
   public name: string;
@@ -45,6 +86,7 @@ export class AgentClient {
   public info: AgentClientRuntimeInfo;
   private reconnectTimer: NodeJS.Timeout | null;
   private reconnectAttempts: number;
+  private readonly pendingFreshStateAfterRemoteUpdate: Set<string>;
 
   constructor(name: string, config: AgentClientConfig) {
     this.name = name;
@@ -59,6 +101,7 @@ export class AgentClient {
     this.info = {};
     this.reconnectTimer = null;
     this.reconnectAttempts = 0;
+    this.pendingFreshStateAfterRemoteUpdate = new Set();
   }
 
   private parseBaseUrl(): URL {
@@ -141,7 +184,7 @@ export class AgentClient {
   }
 
   private pruneOldContainers(newContainers: Container[], watcher?: string) {
-    const query: any = { agent: this.name };
+    const query: Record<string, unknown> = { agent: this.name };
     if (watcher) {
       query.watcher = watcher;
     }
@@ -154,11 +197,50 @@ export class AgentClient {
 
     containersToRemove.forEach((c) => {
       this.log.info(`Pruning container ${c.name} (removed on Agent)`);
+      this.pendingFreshStateAfterRemoteUpdate.delete(c.id);
       storeContainer.deleteContainer(c.id);
     });
   }
 
-  private async registerAgentComponents(kind: 'watcher' | 'trigger', remoteComponents: any[]) {
+  private markPendingFreshState(containerId: unknown) {
+    if (typeof containerId === 'string' && containerId.length > 0) {
+      this.pendingFreshStateAfterRemoteUpdate.add(containerId);
+    }
+  }
+
+  private clearPendingFreshState(containerId: unknown) {
+    if (typeof containerId === 'string' && containerId.length > 0) {
+      this.pendingFreshStateAfterRemoteUpdate.delete(containerId);
+    }
+  }
+
+  private shouldPreserveClearedUpdateAvailable(container: Container): boolean {
+    return (
+      this.pendingFreshStateAfterRemoteUpdate.has(container.id) &&
+      container.updateAvailable === true
+    );
+  }
+
+  private async processAuthoritativeContainer(container: Container): Promise<ContainerReport> {
+    this.clearPendingFreshState(container.id);
+    return this.processContainer(container);
+  }
+
+  private async processAuthoritativeContainers(
+    containers: Container[],
+  ): Promise<ContainerReport[]> {
+    const containerReports: ContainerReport[] = [];
+    for (const container of containers) {
+      containerReports.push(await this.processAuthoritativeContainer(container));
+    }
+    void emitContainerReports(containerReports);
+    return containerReports;
+  }
+
+  private async registerAgentComponents(
+    kind: 'watcher' | 'trigger',
+    remoteComponents: AgentComponentDescriptor[],
+  ) {
     for (const remoteComponent of remoteComponents) {
       this.log.debug(`Registering agent ${kind} ${remoteComponent.type}.${remoteComponent.name}`);
       await registry.registerComponent({
@@ -181,47 +263,45 @@ export class AgentClient {
     const containers = response.data;
     this.log.info(`Handshake successful. Received ${containers.length} containers.`);
 
-    for (const container of containers) {
-      await this.processContainer(container);
-    }
+    await this.processAuthoritativeContainers(containers);
     this.pruneOldContainers(containers);
 
-    // Unregister any existing components for this agent
+    // Unregister existing components for this agent
     await registry.deregisterAgentComponents(this.name);
 
     // Fetch and register watchers
     try {
-      const responseWatchers = await axios.get<any[]>(
+      const responseWatchers = await axios.get<AgentComponentDescriptor[]>(
         `${this.baseUrl}/api/watchers`,
         this.axiosOptions,
       );
       await this.registerAgentComponents('watcher', responseWatchers.data);
-    } catch (e: any) {
-      this.log.warn(`Failed to fetch/register watchers: ${e.message}`);
+    } catch (error: unknown) {
+      this.log.warn(`Failed to fetch/register watchers: ${getErrorMessage(error)}`);
     }
 
     // Fetch and register triggers
     try {
-      const responseTriggers = await axios.get<any[]>(
+      const responseTriggers = await axios.get<AgentComponentDescriptor[]>(
         `${this.baseUrl}/api/triggers`,
         this.axiosOptions,
       );
       await this.registerAgentComponents('trigger', responseTriggers.data);
-    } catch (e: any) {
-      this.log.warn(`Failed to fetch/register triggers: ${e.message}`);
+    } catch (error: unknown) {
+      this.log.warn(`Failed to fetch/register triggers: ${getErrorMessage(error)}`);
     }
 
     this.isConnected = true;
     if (!wasConnected) {
       void emitAgentConnected({
         agentName: this.name,
-      }).catch((e: any) => {
-        this.log.debug(`Failed to emit agent connected event (${e.message})`);
+      }).catch((error: unknown) => {
+        this.log.debug(`Failed to emit agent connected event (${getErrorMessage(error)})`);
       });
     }
   }
 
-  async processContainer(container: Container) {
+  async processContainer(container: Container): Promise<ContainerReport> {
     container.agent = this.name;
     // The container coming from Agent should already be normalized and have results
     // We rely on the Agent to perform Registry checks if configured
@@ -232,6 +312,12 @@ export class AgentClient {
       container.details.env = container.details.env.map(({ key, value }) => ({ key, value }));
     }
 
+    if (this.shouldPreserveClearedUpdateAvailable(container)) {
+      container.updateAvailable = false;
+    } else if (container.updateAvailable === false) {
+      this.clearPendingFreshState(container.id);
+    }
+
     // Save to store logic with Change Detection
     const existing = storeContainer.getContainer(container.id);
     const containerReport = {
@@ -255,7 +341,8 @@ export class AgentClient {
     }
 
     // Emit report so Triggers can fire if changed
-    emitContainerReport(containerReport);
+    void emitContainerReport(containerReport);
+    return containerReport;
   }
 
   private getNextReconnectDelayMs(): number {
@@ -278,8 +365,8 @@ export class AgentClient {
       void emitAgentDisconnected({
         agentName: this.name,
         reason: 'SSE connection lost',
-      }).catch((e: any) => {
-        this.log.debug(`Failed to emit agent disconnected event (${e.message})`);
+      }).catch((error: unknown) => {
+        this.log.debug(`Failed to emit agent disconnected event (${getErrorMessage(error)})`);
       });
     }
     this.reconnectTimer = setTimeout(() => {
@@ -293,12 +380,12 @@ export class AgentClient {
       return;
     }
     try {
-      const payload = JSON.parse(line.substring(6));
+      const payload = JSON.parse(line.substring(6)) as AgentSsePayload;
       if (payload.type && payload.data) {
-        this.handleEvent(payload.type, payload.data);
+        this.handleEvent(payload.type as string, payload.data);
       }
-    } catch (e: any) {
-      this.log.warn(`Error parsing SSE data: ${e.message}`);
+    } catch (error: unknown) {
+      this.log.warn(`Error parsing SSE data: ${getErrorMessage(error)}`);
     }
   }
 
@@ -348,47 +435,68 @@ export class AgentClient {
         this.reconnectAttempts = 0;
         this.attachStreamHandlers(response.data);
       })
-      .catch((e) => {
-        this.log.error(`SSE Connection failed: ${e.message}. Retrying...`);
+      .catch((error: unknown) => {
+        this.log.error(`SSE Connection failed: ${getErrorMessage(error)}. Retrying...`);
         this.scheduleReconnect();
       });
   }
 
-  private buildRuntimeInfoFromAck(data: any): AgentClientRuntimeInfo {
+  private buildRuntimeInfoFromAck(data: unknown): AgentClientRuntimeInfo {
+    const runtimeData = data as AgentRuntimeAckPayload;
     return {
       ...this.info,
-      version: typeof data?.version === 'string' ? data.version : this.info.version,
-      os: typeof data?.os === 'string' ? data.os : this.info.os,
-      arch: typeof data?.arch === 'string' ? data.arch : this.info.arch,
-      cpus: Number.isFinite(data?.cpus) ? Number(data.cpus) : this.info.cpus,
-      memoryGb: Number.isFinite(data?.memoryGb) ? Number(data.memoryGb) : this.info.memoryGb,
-      uptimeSeconds: Number.isFinite(data?.uptimeSeconds)
-        ? Number(data.uptimeSeconds)
+      version: typeof runtimeData?.version === 'string' ? runtimeData.version : this.info.version,
+      os: typeof runtimeData?.os === 'string' ? runtimeData.os : this.info.os,
+      arch: typeof runtimeData?.arch === 'string' ? runtimeData.arch : this.info.arch,
+      cpus: Number.isFinite(runtimeData?.cpus) ? Number(runtimeData.cpus) : this.info.cpus,
+      memoryGb: Number.isFinite(runtimeData?.memoryGb)
+        ? Number(runtimeData.memoryGb)
+        : this.info.memoryGb,
+      uptimeSeconds: Number.isFinite(runtimeData?.uptimeSeconds)
+        ? Number(runtimeData.uptimeSeconds)
         : this.info.uptimeSeconds,
       lastSeen:
-        typeof data?.lastSeen === 'string' && data.lastSeen
-          ? data.lastSeen
+        typeof runtimeData?.lastSeen === 'string' && runtimeData.lastSeen
+          ? runtimeData.lastSeen
           : new Date().toISOString(),
     };
   }
 
-  private handleAckEvent(data: any) {
+  private handleAckEvent(data: unknown) {
     this.info = this.buildRuntimeInfoFromAck(data);
-    this.log.info(`Agent ${this.name} connected (version: ${data.version})`);
-    void this.handshake().catch((e: any) => {
-      this.log.error(`Handshake failed after dd:ack: ${e.message}`);
+    const ackData = data as AgentRuntimeAckPayload;
+    this.log.info(`Agent ${this.name} connected (version: ${ackData.version})`);
+    void this.handshake().catch((error: unknown) => {
+      this.log.error(`Handshake failed after dd:ack: ${getErrorMessage(error)}`);
     });
   }
 
-  private async handleContainerChangeEvent(data: any) {
+  private async handleContainerChangeEvent(data: unknown) {
     await this.processContainer(data as Container);
   }
 
-  private handleContainerRemovedEvent(data: any) {
-    storeContainer.deleteContainer(data.id);
+  private handleContainerRemovedEvent(data: unknown) {
+    const removedContainerData = data as { id: string };
+    this.clearPendingFreshState(removedContainerData.id);
+    storeContainer.deleteContainer(removedContainerData.id);
+  }
+
+  private async handleWatcherSnapshotEvent(data: unknown) {
+    const snapshotPayload = data as WatcherSnapshotPayload;
+    const watcherName =
+      typeof snapshotPayload?.watcher?.name === 'string' ? snapshotPayload.watcher.name : undefined;
+    const containers = Array.isArray(snapshotPayload?.containers)
+      ? (snapshotPayload.containers as Container[])
+      : [];
+
+    await this.processAuthoritativeContainers(containers);
+
+    if (watcherName) {
+      this.pruneOldContainers(containers, watcherName);
+    }
   }
 
-  async handleEvent(eventName: string, data: any) {
+  async handleEvent(eventName: string, data: unknown) {
     switch (eventName) {
       case 'dd:ack':
         this.handleAckEvent(data);
@@ -400,11 +508,43 @@ export class AgentClient {
       case 'dd:container-removed':
         this.handleContainerRemovedEvent(data);
         return;
+      case 'dd:watcher-snapshot':
+        await this.handleWatcherSnapshotEvent(data);
+        return;
       default:
         return;
     }
   }
 
+  private getRemoteTriggerFailureMessage(error: unknown): string | undefined {
+    if (!error || typeof error !== 'object') {
+      return undefined;
+    }
+    const response = (error as { response?: unknown }).response;
+    if (!response || typeof response !== 'object') {
+      return undefined;
+    }
+    const data = (response as { data?: unknown }).data;
+    if (!data || typeof data !== 'object') {
+      return undefined;
+    }
+
+    const payload = data as RemoteTriggerErrorPayload;
+    const errorMessage = typeof payload.error === 'string' ? payload.error : undefined;
+    if (!errorMessage) {
+      return undefined;
+    }
+
+    const details = payload.details;
+    const reason =
+      details &&
+      typeof details === 'object' &&
+      typeof (details as { reason?: unknown }).reason === 'string'
+        ? (details as { reason: string }).reason
+        : undefined;
+    return reason ? `${errorMessage} (reason: ${reason})` : errorMessage;
+  }
+
   async runRemoteTrigger(container: Container, triggerType: string, triggerName: string) {
     try {
       this.log.debug(
@@ -415,9 +555,14 @@ export class AgentClient {
         container,
         this.axiosOptions,
       );
-    } catch (e: any) {
-      this.log.error(`Error running remote trigger: ${sanitizeLogParam(e.message)}`);
-      throw e;
+      if (REMOTE_UPDATE_TRIGGER_TYPES.has(triggerType)) {
+        this.markPendingFreshState(container.id);
+      }
+    } catch (error: unknown) {
+      const detailedMessage = this.getRemoteTriggerFailureMessage(error);
+      const errorMessage = detailedMessage ?? getErrorMessage(error);
+      this.log.error(`Error running remote trigger: ${sanitizeLogParam(errorMessage)}`);
+      throw error;
     }
   }
 
@@ -428,9 +573,14 @@ export class AgentClient {
         containers,
         this.axiosOptions,
       );
-    } catch (e: any) {
-      this.log.error(`Error running remote batch trigger: ${sanitizeLogParam(e.message)}`);
-      throw e;
+      if (REMOTE_UPDATE_TRIGGER_TYPES.has(triggerType)) {
+        containers.forEach(({ id }) => this.markPendingFreshState(id));
+      }
+    } catch (error: unknown) {
+      const detailedMessage = this.getRemoteTriggerFailureMessage(error);
+      const errorMessage = detailedMessage ?? getErrorMessage(error);
+      this.log.error(`Error running remote batch trigger: ${sanitizeLogParam(errorMessage)}`);
+      throw error;
     }
   }
 
@@ -448,9 +598,9 @@ export class AgentClient {
       const requestUrl = query ? `${logEntriesUrl}?${query}` : logEntriesUrl;
       const response = await axios.get(requestUrl, this.axiosOptions);
       return response.data;
-    } catch (e: any) {
-      this.log.error(`Error fetching log entries from agent: ${e.message}`);
-      throw e;
+    } catch (error: unknown) {
+      this.log.error(`Error fetching log entries from agent: ${getErrorMessage(error)}`);
+      throw error;
     }
   }
 
@@ -464,9 +614,9 @@ export class AgentClient {
         this.axiosOptions,
       );
       return response.data;
-    } catch (e: any) {
-      this.log.error(`Error fetching container logs from agent: ${e.message}`);
-      throw e;
+    } catch (error: unknown) {
+      this.log.error(`Error fetching container logs from agent: ${getErrorMessage(error)}`);
+      throw error;
     }
   }
 
@@ -477,9 +627,9 @@ export class AgentClient {
         `${this.baseUrl}/api/containers/${encodeURIComponent(containerId)}`,
         this.axiosOptions,
       );
-    } catch (e: any) {
-      this.log.error(`Error deleting container on agent: ${e.message}`);
-      throw e;
+    } catch (error: unknown) {
+      this.log.error(`Error deleting container on agent: ${getErrorMessage(error)}`);
+      throw error;
     }
   }
 
@@ -491,15 +641,13 @@ export class AgentClient {
         this.axiosOptions,
       );
       const reports = response.data;
-      for (const report of reports) {
-        await this.processContainer(report.container);
-      }
+      await this.processAuthoritativeContainers(reports.map((report) => report.container));
       const containers = reports.map((report) => report.container);
       this.pruneOldContainers(containers, watcherName);
       return reports;
-    } catch (e: any) {
-      this.log.error(`Error watching on agent: ${sanitizeLogParam(e.message)}`);
-      throw e;
+    } catch (error: unknown) {
+      this.log.error(`Error watching on agent: ${sanitizeLogParam(getErrorMessage(error))}`);
+      throw error;
     }
   }
 
@@ -513,11 +661,13 @@ export class AgentClient {
       const report = response.data;
 
       // Process the result (registry check, store update)
-      await this.processContainer(report.container);
+      await this.processAuthoritativeContainer(report.container);
       return report;
-    } catch (e: any) {
-      this.log.error(`Error watching container ${container.name} on agent: ${e.message}`);
-      throw e;
+    } catch (error: unknown) {
+      this.log.error(
+        `Error watching container ${container.name} on agent: ${getErrorMessage(error)}`,
+      );
+      throw error;
     }
   }
 }
diff --git a/app/agent/AgentClient.typecheck.ts b/app/agent/AgentClient.typecheck.ts
index ebe64ee9b..b6b478bab 100644
--- a/app/agent/AgentClient.typecheck.ts
+++ b/app/agent/AgentClient.typecheck.ts
@@ -8,5 +8,3 @@ const client = new AgentClient('typecheck-agent', {
 
 // @ts-expect-error `log` is private and should not be externally accessible.
 client.log.info('typecheck');
-// @ts-expect-error `log` is private and should not be externally accessible.
-client.log.notARealMethod('typecheck');
diff --git a/app/agent/api/event.test.ts b/app/agent/api/event.test.ts
index eacb37028..ff0b89720 100644
--- a/app/agent/api/event.test.ts
+++ b/app/agent/api/event.test.ts
@@ -26,6 +26,7 @@ vi.mock('../../event/index.js', () => ({
   registerContainerAdded: vi.fn(),
   registerContainerUpdated: vi.fn(),
   registerContainerRemoved: vi.fn(),
+  registerWatcherSnapshot: vi.fn(),
 }));
 
 vi.mock('../../configuration/index.js', () => ({
@@ -205,6 +206,7 @@ describe('agent API event', () => {
       expect(event.registerContainerAdded).toHaveBeenCalledWith(expect.any(Function));
       expect(event.registerContainerUpdated).toHaveBeenCalledWith(expect.any(Function));
       expect(event.registerContainerRemoved).toHaveBeenCalledWith(expect.any(Function));
+      expect(event.registerWatcherSnapshot).toHaveBeenCalledWith(expect.any(Function));
     });
 
     test('container-added handler should send SSE to connected clients', () => {
@@ -358,5 +360,73 @@ describe('agent API event', () => {
       const payload = res.write.mock.calls[0][0];
       expect(payload).toContain('dd:container-removed');
     });
+
+    test('watcher-snapshot handler should send watcher identity and sanitized containers', () => {
+      storeContainer.getContainerRaw.mockReturnValueOnce({
+        id: 'c1',
+        watcher: 'local',
+        details: {
+          env: [{ key: 'API_TOKEN', value: 'super-secret' }],
+        },
+      });
+
+      eventApi.subscribeEvents(req, res);
+      res.write.mockClear();
+      eventApi.initEvents();
+
+      const snapshotHandler = event.registerWatcherSnapshot.mock.calls[0][0];
+      snapshotHandler({
+        watcher: { type: 'docker', name: 'local' },
+        containers: [
+          {
+            id: 'c1',
+            watcher: 'local',
+            details: {
+              env: [{ key: 'API_TOKEN', value: '[REDACTED]', sensitive: true }],
+            },
+          },
+        ],
+      });
+
+      expect(res.write).toHaveBeenCalled();
+      const payload = res.write.mock.calls[0][0];
+      expect(payload).toContain('dd:watcher-snapshot');
+      expect(payload).toContain('"type":"docker"');
+      expect(payload).toContain('"name":"local"');
+      expect(payload).toContain('"key":"API_TOKEN"');
+      expect(payload).toContain('"value":"super-secret"');
+      expect(payload).not.toContain('"sensitive"');
+    });
+
+    test('watcher-snapshot handler should emit an empty container list for non-array containers', () => {
+      eventApi.subscribeEvents(req, res);
+      res.write.mockClear();
+      eventApi.initEvents();
+
+      const snapshotHandler = event.registerWatcherSnapshot.mock.calls[0][0];
+      snapshotHandler({
+        watcher: { type: 'docker', name: 'local' },
+        containers: 'invalid',
+      });
+
+      expect(res.write).toHaveBeenCalled();
+      const payload = res.write.mock.calls[0][0];
+      expect(payload).toContain('dd:watcher-snapshot');
+      expect(payload).toContain('"containers":[]');
+    });
+
+    test('watcher-snapshot handler should pass through non-object payloads', () => {
+      eventApi.subscribeEvents(req, res);
+      res.write.mockClear();
+      eventApi.initEvents();
+
+      const snapshotHandler = event.registerWatcherSnapshot.mock.calls[0][0];
+      snapshotHandler('invalid-snapshot');
+
+      expect(res.write).toHaveBeenCalled();
+      const payload = res.write.mock.calls[0][0];
+      expect(payload).toContain('dd:watcher-snapshot');
+      expect(payload).toContain('"data":"invalid-snapshot"');
+    });
   });
 });
diff --git a/app/agent/api/event.ts b/app/agent/api/event.ts
index e3805fa16..b6dd355f0 100644
--- a/app/agent/api/event.ts
+++ b/app/agent/api/event.ts
@@ -28,6 +28,16 @@ interface ContainerSummaryCache {
   expiresAtMs: number;
 }
 
+interface ContainerImageLike {
+  id?: unknown;
+  name?: unknown;
+}
+
+interface ContainerLike {
+  id?: unknown;
+  image?: ContainerImageLike;
+}
+
 const CONTAINER_SUMMARY_CACHE_TTL_MS = 2_000;
 
 interface RuntimeEnvEntry {
@@ -53,7 +63,7 @@ function allocateSseClientId(): number {
  * @param eventName
  * @param data
  */
-function sendSseEvent(eventName: string, data: any) {
+function sendSseEvent(eventName: string, data: unknown) {
   const message = {
     type: eventName,
     data: data,
@@ -130,12 +140,31 @@ function getAgentContainerSsePayload(payload: unknown): unknown {
   return sanitizeContainerLifecyclePayloadForAgentSse(payload);
 }
 
+function sanitizeWatcherSnapshotPayloadForAgentSse(payload: unknown): unknown {
+  if (!payload || typeof payload !== 'object') {
+    return payload;
+  }
+
+  const snapshotPayload = payload as {
+    watcher?: unknown;
+    containers?: unknown;
+  };
+  const containers = Array.isArray(snapshotPayload.containers)
+    ? snapshotPayload.containers.map((container) => getAgentContainerSsePayload(container))
+    : [];
+
+  return {
+    watcher: snapshotPayload.watcher,
+    containers,
+  };
+}
+
 function computeContainerSummary(): ContainerSummary {
   const containers = storeContainer.getContainers();
   const containerStatus = getContainerStatusSummary(containers);
   const images = new Set(
     containers.map(
-      (container: any) => container.image?.id ?? container.image?.name ?? container.id,
+      (container: ContainerLike) => container.image?.id ?? container.image?.name ?? container.id,
     ),
   ).size;
   return {
@@ -216,6 +245,9 @@ export function initEvents() {
   event.registerContainerRemoved((container: event.ContainerLifecycleEventPayload) =>
     sendSseEvent('dd:container-removed', { id: container.id }),
   );
+  event.registerWatcherSnapshot((payload: event.WatcherSnapshotEventPayload) =>
+    sendSseEvent('dd:watcher-snapshot', sanitizeWatcherSnapshotPayloadForAgentSse(payload)),
+  );
 }
 
 export function _setNextSseClientIdForTests(value: number): void {
diff --git a/app/agent/api/index.test.ts b/app/agent/api/index.test.ts
index 4627e3524..8cf439cb3 100644
--- a/app/agent/api/index.test.ts
+++ b/app/agent/api/index.test.ts
@@ -165,6 +165,28 @@ describe('Agent API index', () => {
       await expect(init()).rejects.toThrow('Error reading secret file');
     });
 
+    test('should handle non-object secret file read errors', async () => {
+      process.env.DD_AGENT_SECRET_FILE = '/nonexistent';
+      const fs = await import('node:fs');
+      fs.default.readFileSync.mockImplementation(() => {
+        throw 'ENOENT';
+      });
+
+      await expect(init()).rejects.toThrow('Error reading secret file: undefined');
+      expect(mockLog.error).toHaveBeenCalledWith('Error reading secret file: ');
+    });
+
+    test('should stringify symbol secret file read messages in thrown error', async () => {
+      process.env.DD_AGENT_SECRET_FILE = '/nonexistent';
+      const fs = await import('node:fs');
+      fs.default.readFileSync.mockImplementation(() => {
+        throw { message: Symbol('boom') };
+      });
+
+      await expect(init()).rejects.toThrow('Error reading secret file: Symbol(boom)');
+      expect(mockLog.error).toHaveBeenCalledWith('Error reading secret file: Symbol(boom)');
+    });
+
     test('should sanitize secret file read errors before logging', async () => {
       process.env.DD_AGENT_SECRET_FILE = '/nonexistent';
       const fs = await import('node:fs');
diff --git a/app/agent/api/index.ts b/app/agent/api/index.ts
index 11209349c..749d6ba0a 100644
--- a/app/agent/api/index.ts
+++ b/app/agent/api/index.ts
@@ -20,6 +20,22 @@ const SAFE_LOG_COMPONENT_PATTERN = /^[a-zA-Z0-9._-]+$/;
 
 let cachedSecret: string | undefined;
 
+function getErrorMessageValue(error: unknown): unknown {
+  if (!error || typeof error !== 'object') {
+    return undefined;
+  }
+
+  return (error as { message?: unknown }).message;
+}
+
+function stringifyErrorMessage(message: unknown): string {
+  try {
+    return `${message as string}`;
+  } catch {
+    return String(message);
+  }
+}
+
 function getValidatedLogLevel(level: unknown): string | undefined | null {
   if (level == null) {
     return undefined;
@@ -80,9 +96,10 @@ export async function init() {
   } else if (agentSecretFile) {
     try {
       cachedSecret = fs.readFileSync(agentSecretFile, 'utf-8').trim();
-    } catch (e: any) {
-      log.error(`Error reading secret file: ${sanitizeLogParam(e.message)}`);
-      throw new Error(`Error reading secret file: ${e.message}`);
+    } catch (e: unknown) {
+      const errorMessage = getErrorMessageValue(e);
+      log.error(`Error reading secret file: ${sanitizeLogParam(errorMessage)}`);
+      throw new Error(`Error reading secret file: ${stringifyErrorMessage(errorMessage)}`);
     }
   }
 
@@ -99,7 +116,7 @@ export async function init() {
   const app = express();
   app.disable('x-powered-by');
 
-  app.use(express.json());
+  app.use(express.json({ limit: '256kb' }));
   if (configuration.cors.enabled) {
     app.use(
       cors({
diff --git a/app/agent/api/trigger.test.ts b/app/agent/api/trigger.test.ts
index e32ab06ab..64981b979 100644
--- a/app/agent/api/trigger.test.ts
+++ b/app/agent/api/trigger.test.ts
@@ -108,5 +108,23 @@ describe('agent API trigger', () => {
         expect.objectContaining({ error: 'Error when running batch trigger docker.update' }),
       );
     });
+
+    test('should return default 500 message when trigger throws non-object error', async () => {
+      req.params = { type: 'docker', name: 'update' };
+      req.body = [{ id: 'c1' }];
+      const mockTrigger = {
+        triggerBatch: vi.fn().mockRejectedValue(42),
+      };
+      registry.getState.mockReturnValue({
+        trigger: { 'docker.update': mockTrigger },
+      });
+
+      await triggerApi.runTriggerBatch(req, res);
+
+      expect(res.status).toHaveBeenCalledWith(500);
+      expect(res.json).toHaveBeenCalledWith(
+        expect.objectContaining({ error: 'Internal Server Error' }),
+      );
+    });
   });
 });
diff --git a/app/agent/api/trigger.ts b/app/agent/api/trigger.ts
index b4994d923..6631e53ce 100644
--- a/app/agent/api/trigger.ts
+++ b/app/agent/api/trigger.ts
@@ -5,7 +5,6 @@ import * as triggerApi from '../../api/trigger.js';
 import logger from '../../log/index.js';
 import { sanitizeLogParam } from '../../log/sanitize.js';
 import * as registry from '../../registry/index.js';
-import { getErrorMessage } from '../../util/error.js';
 
 const log = logger.child({ component: 'agent-api-trigger' });
 
@@ -14,6 +13,20 @@ interface TriggerRouteParams {
   name: string;
 }
 
+type TriggerRequest = Request<TriggerRouteParams>;
+
+function getErrorMessage(error: unknown): string | undefined {
+  if (
+    error &&
+    typeof error === 'object' &&
+    'message' in error &&
+    typeof error.message === 'string'
+  ) {
+    return error.message;
+  }
+  return undefined;
+}
+
 /**
  * Get Triggers.
  */
@@ -27,11 +40,11 @@ export function getTriggers(req: Request, res: Response) {
  * Run Remote Trigger.
  * Delegates to the common API handler but ensures no proxying happens.
  */
-export async function runTrigger(req: Request, res: Response) {
+export async function runTrigger(req: TriggerRequest, res: Response) {
   if (req.body?.agent) {
     delete req.body.agent;
   }
-  return triggerApi.runTrigger(req as unknown as Request<TriggerRouteParams>, res);
+  return triggerApi.runTrigger(req, res);
 }
 
 /**
@@ -63,11 +76,20 @@ export async function runTriggerBatch(req: Request, res: Response) {
     });
     await trigger.triggerBatch(sanitizedContainers);
     res.status(200).json({});
-  } catch (e) {
+  } catch (e: unknown) {
     const errorMessage = getErrorMessage(e);
     log.error(
-      `Error running batch trigger ${sanitizeLogParam(name)}: ${sanitizeLogParam(errorMessage)}`,
+      `Error running batch trigger ${sanitizeLogParam(name)}: ${sanitizeLogParam(errorMessage ?? '')}`,
     );
-    sendErrorResponse(res, 500, `Error when running batch trigger ${type}.${name}`);
+    if (errorMessage) {
+      sendErrorResponse(res, 500, {
+        message: `Error when running batch trigger ${type}.${name}`,
+        details: {
+          reason: errorMessage,
+        },
+      });
+      return;
+    }
+    sendErrorResponse(res, 500);
   }
 }
diff --git a/app/agent/api/watcher.test.ts b/app/agent/api/watcher.test.ts
index 5d7c4436c..9357607de 100644
--- a/app/agent/api/watcher.test.ts
+++ b/app/agent/api/watcher.test.ts
@@ -76,6 +76,23 @@ describe('agent API watcher', () => {
         expect.objectContaining({ error: 'Internal server error' }),
       );
     });
+
+    test('should return 500 with string message from non-Error objects', async () => {
+      req.params = { type: 'docker', name: 'local' };
+      const mockWatcher = {
+        watch: vi.fn().mockRejectedValue({ message: 'watch failed as plain object' }),
+      };
+      registry.getState.mockReturnValue({
+        watcher: { 'docker.local': mockWatcher },
+      });
+
+      await watcherApi.watchWatcher(req, res);
+
+      expect(res.status).toHaveBeenCalledWith(500);
+      expect(res.json).toHaveBeenCalledWith(
+        expect.objectContaining({ error: 'watch failed as plain object' }),
+      );
+    });
   });
 
   describe('watchContainer', () => {
@@ -131,5 +148,22 @@ describe('agent API watcher', () => {
         expect.objectContaining({ error: 'Internal server error' }),
       );
     });
+
+    test('should stringify non-object errors when watchContainer throws', async () => {
+      req.params = { type: 'docker', name: 'local', id: 'c1' };
+      const container = { id: 'c1', name: 'test' };
+      const mockWatcher = {
+        watchContainer: vi.fn().mockRejectedValue(42),
+      };
+      registry.getState.mockReturnValue({
+        watcher: { 'docker.local': mockWatcher },
+      });
+      storeContainer.getContainer.mockReturnValue(container);
+
+      await watcherApi.watchContainer(req, res);
+
+      expect(res.status).toHaveBeenCalledWith(500);
+      expect(res.json).toHaveBeenCalledWith(expect.objectContaining({ error: '42' }));
+    });
   });
 });
diff --git a/app/agent/api/watcher.ts b/app/agent/api/watcher.ts
index bd3102494..a86f1ffc9 100644
--- a/app/agent/api/watcher.ts
+++ b/app/agent/api/watcher.ts
@@ -5,11 +5,32 @@ import logger from '../../log/index.js';
 import { sanitizeLogParam } from '../../log/sanitize.js';
 import * as registry from '../../registry/index.js';
 import * as storeContainer from '../../store/container.js';
-import { getErrorMessage } from '../../util/error.js';
 
 const log = logger.child({ component: 'agent-api-watcher' });
 const INTERNAL_SERVER_ERROR_MESSAGE = 'Internal server error';
 
+interface ErrorWithMessage {
+  message: string;
+}
+
+function hasStringMessage(value: unknown): value is ErrorWithMessage {
+  if (typeof value !== 'object' || value === null || !('message' in value)) {
+    return false;
+  }
+  const candidate = value as { message?: unknown };
+  return typeof candidate.message === 'string';
+}
+
+function normalizeErrorMessage(error: unknown): string {
+  if (error instanceof Error) {
+    return error.message;
+  }
+  if (hasStringMessage(error)) {
+    return error.message;
+  }
+  return String(error);
+}
+
 /**
  * Get Watchers.
  */
@@ -37,9 +58,9 @@ export async function watchWatcher(req: Request, res: Response) {
     const results = await watcher.watch();
     res.json(results);
   } catch (error: unknown) {
-    const message = getErrorMessage(error);
+    const message = normalizeErrorMessage(error);
     log.error(`Error watching watcher ${sanitizeLogParam(name)}: ${sanitizeLogParam(message)}`);
-    sendErrorResponse(res, 500, INTERNAL_SERVER_ERROR_MESSAGE);
+    sendErrorResponse(res, 500, error instanceof Error ? INTERNAL_SERVER_ERROR_MESSAGE : message);
   }
 }
 
@@ -68,8 +89,8 @@ export async function watchContainer(req: Request, res: Response) {
     const result = await watcher.watchContainer(container);
     res.json(result);
   } catch (error: unknown) {
-    const message = getErrorMessage(error);
+    const message = normalizeErrorMessage(error);
     log.error(`Error watching container ${sanitizeLogParam(id)}: ${sanitizeLogParam(message)}`);
-    sendErrorResponse(res, 500, INTERNAL_SERVER_ERROR_MESSAGE);
+    sendErrorResponse(res, 500, error instanceof Error ? INTERNAL_SERVER_ERROR_MESSAGE : message);
   }
 }
diff --git a/app/agent/components/AgentTrigger.ts b/app/agent/components/AgentTrigger.ts
index 1d9f02b8d..b8c63096c 100644
--- a/app/agent/components/AgentTrigger.ts
+++ b/app/agent/components/AgentTrigger.ts
@@ -11,7 +11,7 @@ class AgentTrigger extends Trigger {
    * Trigger method.
    * Delegates to the agent.
    */
-  async trigger(container: Container): Promise<any> {
+  async trigger(container: Container): Promise<unknown> {
     const client = getRequiredAgentClient(this.agent, 'AgentTrigger');
     return client.runRemoteTrigger(container, this.type, this.name);
   }
@@ -20,7 +20,7 @@ class AgentTrigger extends Trigger {
    * Trigger batch method.
    * Delegates to the agent.
    */
-  async triggerBatch(containers: Container[]): Promise<any> {
+  async triggerBatch(containers: Container[]): Promise<unknown> {
     const client = getRequiredAgentClient(this.agent, 'AgentTrigger');
     return client.runRemoteTriggerBatch(containers, this.type, this.name);
   }
diff --git a/app/agent/components/AgentWatcher.ts b/app/agent/components/AgentWatcher.ts
index dd5b184eb..faaa9e0b0 100644
--- a/app/agent/components/AgentWatcher.ts
+++ b/app/agent/components/AgentWatcher.ts
@@ -1,4 +1,4 @@
-import type { Container } from '../../model/container.js';
+import type { Container, ContainerReport } from '../../model/container.js';
 import Watcher from '../../watchers/Watcher.js';
 import { getRequiredAgentClient } from './getRequiredAgentClient.js';
 
@@ -11,7 +11,7 @@ class AgentWatcher extends Watcher {
    * Watch main method.
    * Delegate to the agent client.
    */
-  async watch(): Promise<any[]> {
+  async watch(): Promise<ContainerReport[]> {
     const client = getRequiredAgentClient(this.agent, 'AgentWatcher');
     return client.watch(this.type, this.name);
   }
@@ -20,7 +20,7 @@ class AgentWatcher extends Watcher {
    * Watch a Container.
    * Delegate to the agent client.
    */
-  async watchContainer(container: Container): Promise<any> {
+  async watchContainer(container: Container): Promise<ContainerReport> {
     const client = getRequiredAgentClient(this.agent, 'AgentWatcher');
     return client.watchContainer(this.type, this.name, container);
   }
diff --git a/app/api/api.test.ts b/app/api/api.test.ts
index a35bd6c41..46824b3df 100644
--- a/app/api/api.test.ts
+++ b/app/api/api.test.ts
@@ -61,6 +61,7 @@ vi.mock('./log', mockInit);
 vi.mock('./notification', mockInit);
 vi.mock('./settings', mockInit);
 vi.mock('./store', mockInit);
+vi.mock('./debug', mockInit);
 vi.mock('./server', mockInit);
 vi.mock('./agent', mockInit);
 vi.mock('./preview', mockInit);
@@ -68,6 +69,7 @@ vi.mock('./backup', mockInit);
 vi.mock('./container-actions', mockInit);
 vi.mock('./audit', mockInit);
 vi.mock('./webhook', mockInit);
+vi.mock('./webhooks', mockInit);
 vi.mock('./sse', mockInit);
 vi.mock('./auth', () => ({
   requireAuthentication: vi.fn((req, res, next) => next()),
@@ -132,6 +134,18 @@ describe('API Router', () => {
     expect(mockJsonMiddleware).toHaveBeenCalledTimes(3);
   });
 
+  test('should capture raw mutation request body in json verify hook', () => {
+    const jsonOptions = mockExpressJson.mock.calls[0]?.[0];
+    expect(jsonOptions).toBeDefined();
+    expect(typeof jsonOptions.verify).toBe('function');
+
+    const req = {} as { rawBody?: Buffer };
+    const body = Buffer.from('{"hello":"world"}');
+    jsonOptions.verify(req, {}, body);
+
+    expect(req.rawBody).toEqual(Buffer.from('{"hello":"world"}'));
+  });
+
   test('should reject mutation requests with non-json content type when body is present', async () => {
     const auth = await import('./auth.js');
     const csrf = await import('./csrf.js');
@@ -254,6 +268,7 @@ describe('API Router', () => {
     const notificationRouter = await import('./notification.js');
     const settingsRouter = await import('./settings.js');
     const storeRouter = await import('./store.js');
+    const debugRouter = await import('./debug.js');
     const serverRouter = await import('./server.js');
     const agentRouter = await import('./agent.js');
     const previewRouter = await import('./preview.js');
@@ -261,6 +276,7 @@ describe('API Router', () => {
     const containerActionsRouter = await import('./container-actions.js');
     const auditRouter = await import('./audit.js');
     const webhookRouter = await import('./webhook.js');
+    const webhooksRouter = await import('./webhooks.js');
     await import('./sse.js');
 
     expect(appRouter.init).toHaveBeenCalled();
@@ -275,6 +291,7 @@ describe('API Router', () => {
     expect(notificationRouter.init).toHaveBeenCalled();
     expect(settingsRouter.init).toHaveBeenCalled();
     expect(storeRouter.init).toHaveBeenCalled();
+    expect(debugRouter.init).toHaveBeenCalled();
     expect(serverRouter.init).toHaveBeenCalled();
     expect(agentRouter.init).toHaveBeenCalled();
     expect(previewRouter.init).toHaveBeenCalled();
@@ -282,6 +299,7 @@ describe('API Router', () => {
     expect(containerActionsRouter.init).toHaveBeenCalled();
     expect(auditRouter.init).toHaveBeenCalled();
     expect(webhookRouter.init).toHaveBeenCalled();
+    expect(webhooksRouter.init).toHaveBeenCalled();
   });
 
   test('should use requireAuthentication middleware', async () => {
diff --git a/app/api/api.ts b/app/api/api.ts
index d57db8a02..f97475914 100644
--- a/app/api/api.ts
+++ b/app/api/api.ts
@@ -11,6 +11,7 @@ import * as backupRouter from './backup.js';
 import * as containerRouter from './container.js';
 import * as containerActionsRouter from './container-actions.js';
 import { requireSameOriginForMutations } from './csrf.js';
+import * as debugRouter from './debug.js';
 import { sendErrorResponse } from './error-response.js';
 import * as groupRouter from './group.js';
 import * as iconsRouter from './icons.js';
@@ -30,6 +31,7 @@ import * as storeRouter from './store.js';
 import * as triggerRouter from './trigger.js';
 import * as watcherRouter from './watcher.js';
 import * as webhookRouter from './webhook.js';
+import * as webhooksRouter from './webhooks.js';
 
 /**
  * Init the API router.
@@ -54,7 +56,12 @@ export function init(): express.Router {
   });
   router.use(apiLimiter);
 
-  const mutationJsonBodyParser = express.json();
+  const mutationJsonBodyParser = express.json({
+    limit: '256kb',
+    verify: (req, _res, buffer) => {
+      (req as Request & { rawBody?: Buffer }).rawBody = Buffer.from(buffer);
+    },
+  });
   router.use(requireJsonContentTypeForMutations);
   router.use((req, res, next) => {
     if (shouldParseJsonBody(req.method)) {
@@ -65,6 +72,7 @@ export function init(): express.Router {
 
   // Mount webhook router (uses its own bearer token auth)
   router.use('/webhook', webhookRouter.init());
+  router.use('/webhooks', webhooksRouter.init());
 
   // Public OpenAPI document for integrations and API clients.
   router.get('/openapi.json', async (_req: Request, res: Response) => {
@@ -88,6 +96,9 @@ export function init(): express.Router {
   // Mount store router
   router.use('/store', storeRouter.init());
 
+  // Mount debug dump router
+  router.use('/debug', debugRouter.init());
+
   // Mount server router
   router.use('/server', serverRouter.init());
 
diff --git a/app/api/audit.test.ts b/app/api/audit.test.ts
index bd36df1f7..5629531a0 100644
--- a/app/api/audit.test.ts
+++ b/app/api/audit.test.ts
@@ -138,7 +138,16 @@ describe('Audit Router', () => {
       skip: 0,
       limit: 50,
     });
-    expect(res.json).toHaveBeenCalledWith(expect.objectContaining({ offset: 0 }));
+    expect(res.json).toHaveBeenCalledWith({
+      data: [],
+      total: 0,
+      limit: 50,
+      offset: 0,
+      hasMore: false,
+      _links: {
+        self: '/api/audit?limit=50&offset=0',
+      },
+    });
   });
 
   test('should clamp limit to maximum of 200', () => {
@@ -263,4 +272,101 @@ describe('Audit Router', () => {
     expect(res.status).toHaveBeenCalledWith(400);
     expect(res.json).toHaveBeenCalledWith({ error: 'Invalid container query parameter' });
   });
+
+  test('should pass actions filter as array to store', () => {
+    auditRouter.init();
+    const handler = mockRouter.get.mock.calls.find((c) => c[0] === '/')[1];
+
+    mockGetAuditEntries.mockReturnValue({ entries: [], total: 0 });
+
+    const req = createMockRequest({
+      query: {
+        actions: 'update-available,security-alert,agent-disconnect',
+      },
+    });
+    const res = createMockResponse();
+
+    handler(req, res);
+
+    expect(mockGetAuditEntries).toHaveBeenCalledWith({
+      skip: 0,
+      limit: 50,
+      actions: ['update-available', 'security-alert', 'agent-disconnect'],
+    });
+    expect(res.status).toHaveBeenCalledWith(200);
+  });
+
+  test('should return 400 when actions parameter contains unsafe characters', () => {
+    auditRouter.init();
+    const handler = mockRouter.get.mock.calls.find((c) => c[0] === '/')[1];
+
+    const req = createMockRequest({
+      query: { actions: 'update-available,evil;drop' },
+    });
+    const res = createMockResponse();
+
+    handler(req, res);
+
+    expect(mockGetAuditEntries).not.toHaveBeenCalled();
+    expect(res.status).toHaveBeenCalledWith(400);
+    expect(res.json).toHaveBeenCalledWith({ error: 'Invalid actions query parameter' });
+  });
+
+  test('should ignore empty actions parameter', () => {
+    auditRouter.init();
+    const handler = mockRouter.get.mock.calls.find((c) => c[0] === '/')[1];
+
+    mockGetAuditEntries.mockReturnValue({ entries: [], total: 0 });
+
+    const req = createMockRequest({ query: { actions: '' } });
+    const res = createMockResponse();
+
+    handler(req, res);
+
+    expect(mockGetAuditEntries).toHaveBeenCalledWith({
+      skip: 0,
+      limit: 50,
+    });
+  });
+
+  test('should ignore actions parameter containing only commas', () => {
+    auditRouter.init();
+    const handler = mockRouter.get.mock.calls.find((c) => c[0] === '/')[1];
+
+    mockGetAuditEntries.mockReturnValue({ entries: [], total: 0 });
+
+    const req = createMockRequest({ query: { actions: ',,,' } });
+    const res = createMockResponse();
+
+    handler(req, res);
+
+    expect(mockGetAuditEntries).toHaveBeenCalledWith({
+      skip: 0,
+      limit: 50,
+    });
+  });
+
+  test('should prefer action over actions when both provided', () => {
+    auditRouter.init();
+    const handler = mockRouter.get.mock.calls.find((c) => c[0] === '/')[1];
+
+    mockGetAuditEntries.mockReturnValue({ entries: [], total: 0 });
+
+    const req = createMockRequest({
+      query: {
+        action: 'update-applied',
+        actions: 'update-available,security-alert',
+      },
+    });
+    const res = createMockResponse();
+
+    handler(req, res);
+
+    expect(mockGetAuditEntries).toHaveBeenCalledWith({
+      skip: 0,
+      limit: 50,
+      action: 'update-applied',
+      actions: ['update-available', 'security-alert'],
+    });
+  });
 });
diff --git a/app/api/audit.ts b/app/api/audit.ts
index a79194339..52c9a0a03 100644
--- a/app/api/audit.ts
+++ b/app/api/audit.ts
@@ -11,6 +11,7 @@ type AuditEntriesQuery = {
   skip: number;
   limit: number;
   action?: string;
+  actions?: string[];
   container?: string;
   from?: string;
   to?: string;
@@ -64,6 +65,19 @@ function getAuditEntries(req: Request, res: Response) {
     return;
   }
 
+  const actionsParam = getQueryStringValue(req.query.actions);
+  let validatedActions: string[] | undefined;
+  if (actionsParam) {
+    const actionsList = actionsParam.split(',').filter((a) => a.length > 0);
+    for (const a of actionsList) {
+      if (!SAFE_AUDIT_FILTER_PATTERN.test(a)) {
+        sendErrorResponse(res, 400, 'Invalid actions query parameter');
+        return;
+      }
+    }
+    validatedActions = actionsList.length > 0 ? actionsList : undefined;
+  }
+
   const container = getValidatedAuditFilter(req.query.container);
   if (container === null) {
     sendErrorResponse(res, 400, 'Invalid container query parameter');
@@ -74,6 +88,9 @@ function getAuditEntries(req: Request, res: Response) {
   if (action) {
     query.action = action;
   }
+  if (validatedActions) {
+    query.actions = validatedActions;
+  }
   if (container) {
     query.container = container;
   }
diff --git a/app/api/auth-lockout.test.ts b/app/api/auth-lockout.test.ts
new file mode 100644
index 000000000..bb1dcbc49
--- /dev/null
+++ b/app/api/auth-lockout.test.ts
@@ -0,0 +1,429 @@
+const {
+  mockFs,
+  mockPassportAuthenticate,
+  mockRecordAuthLogin,
+  mockSetAuthAccountLockedTotal,
+  mockSetAuthIpLockedTotal,
+  mockRecordLoginAuditEvent,
+  mockSendErrorResponse,
+} = vi.hoisted(() => {
+  return {
+    mockFs: {
+      existsSync: vi.fn(),
+      readFileSync: vi.fn(),
+      writeFileSync: vi.fn(),
+      mkdirSync: vi.fn(),
+    },
+    mockPassportAuthenticate: vi.fn(() => vi.fn()),
+    mockRecordAuthLogin: vi.fn(),
+    mockSetAuthAccountLockedTotal: vi.fn(),
+    mockSetAuthIpLockedTotal: vi.fn(),
+    mockRecordLoginAuditEvent: vi.fn(),
+    mockSendErrorResponse: vi.fn((res: any, status: number, error: string) => {
+      res.status(status);
+      res.json({ error });
+    }),
+  };
+});
+
+const lockoutStateFiles = new Map<string, string>();
+const LOCKOUT_STATE_PATH = '/test/store/db.json.auth-lockouts.json';
+
+vi.mock('passport', () => ({
+  default: {
+    authenticate: mockPassportAuthenticate,
+  },
+}));
+
+vi.mock('node:fs', () => ({
+  default: mockFs,
+}));
+
+vi.mock('../store/index.js', () => ({
+  getConfiguration: vi.fn(() => ({
+    path: '/test/store',
+    file: 'db.json',
+  })),
+}));
+
+vi.mock('../log/index.js', () => ({
+  default: {
+    warn: vi.fn(),
+  },
+}));
+
+vi.mock('../prometheus/auth.js', () => ({
+  recordAuthLogin: mockRecordAuthLogin,
+  setAuthAccountLockedTotal: mockSetAuthAccountLockedTotal,
+  setAuthIpLockedTotal: mockSetAuthIpLockedTotal,
+}));
+
+vi.mock('./auth-audit.js', () => ({
+  recordLoginAuditEvent: mockRecordLoginAuditEvent,
+}));
+
+vi.mock('./auth-strategies.js', () => ({
+  getAllIds: vi.fn(() => ['basic.default']),
+}));
+
+vi.mock('./error-response.js', () => ({
+  sendErrorResponse: mockSendErrorResponse,
+}));
+
+import log from '../log/index.js';
+import {
+  authenticateLogin,
+  initializeLoginLockoutState,
+  resetLoginLockoutStateForTests,
+} from './auth-lockout.js';
+
+function createResponse() {
+  return {
+    status: vi.fn().mockReturnThis(),
+    json: vi.fn().mockReturnThis(),
+    setHeader: vi.fn(),
+  };
+}
+
+function makePassportInvalidCredentials() {
+  mockPassportAuthenticate.mockImplementation((_ids, _options, callback) => {
+    return () => callback(null, false);
+  });
+}
+
+function makePassportSuccess(username = 'john') {
+  mockPassportAuthenticate.mockImplementation((_ids, _options, callback) => {
+    return () => callback(null, { username });
+  });
+}
+
+describe('auth-lockout', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    lockoutStateFiles.clear();
+    mockFs.existsSync.mockImplementation((candidate: unknown) =>
+      lockoutStateFiles.has(`${candidate}`),
+    );
+    mockFs.readFileSync.mockImplementation((candidate: unknown) => {
+      const value = lockoutStateFiles.get(`${candidate}`);
+      if (value === undefined) {
+        throw new Error('ENOENT: lockout file missing');
+      }
+      return value;
+    });
+    mockFs.writeFileSync.mockImplementation((candidate: unknown, content: unknown) => {
+      lockoutStateFiles.set(`${candidate}`, `${content}`);
+    });
+    mockFs.mkdirSync.mockImplementation(() => undefined);
+    resetLoginLockoutStateForTests();
+    vi.useRealTimers();
+  });
+
+  afterEach(() => {
+    resetLoginLockoutStateForTests();
+  });
+
+  test('returns 401 and records an audit event for invalid credentials', () => {
+    makePassportInvalidCredentials();
+    const req = {
+      body: { username: ' Alice ' },
+      ip: '203.0.113.10',
+    } as any;
+    const res = createResponse();
+    const next = vi.fn();
+
+    authenticateLogin(req, res as any, next);
+
+    expect(mockPassportAuthenticate).toHaveBeenCalledWith(
+      ['basic.default'],
+      { session: false },
+      expect.any(Function),
+    );
+    expect(mockRecordLoginAuditEvent).toHaveBeenCalledWith(
+      req,
+      'error',
+      'Authentication failed (invalid credentials)',
+      'Alice',
+    );
+    expect(mockSendErrorResponse).toHaveBeenCalledWith(res, 401, 'Unauthorized');
+    expect(next).not.toHaveBeenCalled();
+  });
+
+  test('forwards passport authenticate errors to next', () => {
+    const error = new Error('passport failure');
+    mockPassportAuthenticate.mockImplementation((_ids, _options, callback) => {
+      return () => callback(error, false);
+    });
+    const req = { ip: '203.0.113.11' } as any;
+    const res = createResponse();
+    const next = vi.fn();
+
+    authenticateLogin(req, res as any, next);
+
+    expect(next).toHaveBeenCalledWith(error);
+    expect(mockSendErrorResponse).not.toHaveBeenCalled();
+  });
+
+  test('locks account after repeated failures and sets Retry-After', () => {
+    makePassportInvalidCredentials();
+    const req = {
+      body: { username: 'lock-user' },
+      ip: '203.0.113.12',
+    } as any;
+    const next = vi.fn();
+
+    for (let index = 0; index < 4; index += 1) {
+      authenticateLogin(req, createResponse() as any, next);
+    }
+
+    const lockedResponse = createResponse();
+    authenticateLogin(req, lockedResponse as any, next);
+
+    expect(lockedResponse.status).toHaveBeenCalledWith(423);
+    expect(lockedResponse.setHeader).toHaveBeenCalledWith('Retry-After', expect.any(String));
+    expect(mockRecordAuthLogin).toHaveBeenCalledWith('locked', 'basic');
+    expect(mockSendErrorResponse).toHaveBeenCalledWith(
+      lockedResponse,
+      423,
+      'Account temporarily locked due to repeated failed login attempts',
+    );
+  });
+
+  test('rejects already-locked identities before invoking passport', () => {
+    makePassportInvalidCredentials();
+    const req = {
+      body: { username: 'prelock-user' },
+      ip: '203.0.113.13',
+    } as any;
+    const next = vi.fn();
+
+    for (let index = 0; index < 5; index += 1) {
+      authenticateLogin(req, createResponse() as any, next);
+    }
+    const authenticateCallCount = mockPassportAuthenticate.mock.calls.length;
+
+    const lockedResponse = createResponse();
+    authenticateLogin(req, lockedResponse as any, next);
+
+    expect(mockPassportAuthenticate).toHaveBeenCalledTimes(authenticateCallCount);
+    expect(lockedResponse.status).toHaveBeenCalledWith(423);
+  });
+
+  test('keeps lockout pressure after lockout duration expires when failures continue', () => {
+    vi.useFakeTimers();
+    vi.setSystemTime(new Date('2026-01-01T00:00:00.000Z'));
+    makePassportInvalidCredentials();
+    const req = {
+      body: { username: 'sustained-user' },
+      ip: '203.0.113.14',
+    } as any;
+    const next = vi.fn();
+
+    for (let index = 0; index < 5; index += 1) {
+      authenticateLogin(req, createResponse() as any, next);
+    }
+
+    vi.setSystemTime(new Date('2026-01-01T00:15:00.000Z'));
+    const responseAfterExpiry = createResponse();
+    authenticateLogin(req, responseAfterExpiry as any, next);
+
+    expect(responseAfterExpiry.status).toHaveBeenCalledWith(423);
+    vi.useRealTimers();
+  });
+
+  test('resets stale lockout windows after the configured window elapses', () => {
+    vi.useFakeTimers();
+    vi.setSystemTime(new Date('2026-01-01T00:00:00.000Z'));
+    makePassportInvalidCredentials();
+    const req = {
+      body: { username: 'window-user' },
+      ip: '203.0.113.15',
+    } as any;
+
+    for (let index = 0; index < 4; index += 1) {
+      authenticateLogin(req, createResponse() as any, vi.fn());
+    }
+
+    vi.setSystemTime(new Date('2026-01-01T00:16:00.000Z'));
+    const responseAfterWindow = createResponse();
+    authenticateLogin(req, responseAfterWindow as any, vi.fn());
+
+    expect(responseAfterWindow.status).toHaveBeenCalledWith(401);
+    vi.useRealTimers();
+  });
+
+  test('clears lockout state after a successful authentication', () => {
+    makePassportInvalidCredentials();
+    const req = {
+      body: { username: 'recover-user' },
+      ip: '203.0.113.16',
+    } as any;
+    const next = vi.fn();
+
+    authenticateLogin(req, createResponse() as any, next);
+
+    makePassportSuccess('recover-user');
+    authenticateLogin(req, createResponse() as any, next);
+    expect(next).toHaveBeenCalledTimes(1);
+    expect(req.user).toEqual({ username: 'recover-user' });
+
+    makePassportInvalidCredentials();
+    for (let index = 0; index < 4; index += 1) {
+      const res = createResponse();
+      authenticateLogin(req, res as any, vi.fn());
+      expect(res.status).toHaveBeenCalledWith(401);
+    }
+  });
+
+  test('extracts login identity from the first authorization header value when headers are arrays', () => {
+    makePassportInvalidCredentials();
+    const req = {
+      headers: {
+        authorization: [
+          `Basic ${Buffer.from('array-user').toString('base64')}`,
+          `Basic ${Buffer.from('ignored-user:pass').toString('base64')}`,
+        ],
+      },
+      ip: '203.0.113.17',
+    } as any;
+
+    authenticateLogin(req, createResponse() as any, vi.fn());
+
+    expect(mockRecordLoginAuditEvent).toHaveBeenCalledWith(
+      req,
+      'error',
+      'Authentication failed (invalid credentials)',
+      'array-user',
+    );
+  });
+
+  test('hydrates persisted lockout state on init and blocks locked identities', () => {
+    vi.useFakeTimers();
+    vi.setSystemTime(new Date('2026-01-01T00:00:00.000Z'));
+    lockoutStateFiles.set(
+      LOCKOUT_STATE_PATH,
+      JSON.stringify({
+        account: {
+          'restored-user': {
+            failedAttempts: 5,
+            windowStartAt: Date.parse('2026-01-01T00:00:00.000Z'),
+            lockedUntil: Date.parse('2026-01-01T00:10:00.000Z'),
+            lastAttemptAt: Date.parse('2026-01-01T00:00:00.000Z'),
+          },
+        },
+        ip: {},
+      }),
+    );
+    makePassportInvalidCredentials();
+
+    initializeLoginLockoutState();
+    const res = createResponse();
+    authenticateLogin(
+      {
+        body: { username: 'restored-user' },
+        ip: '203.0.113.18',
+      } as any,
+      res as any,
+      vi.fn(),
+    );
+
+    expect(mockPassportAuthenticate).not.toHaveBeenCalled();
+    expect(res.status).toHaveBeenCalledWith(423);
+    vi.useRealTimers();
+  });
+
+  test('ignores invalid persisted lockout entries during hydration', () => {
+    lockoutStateFiles.set(
+      LOCKOUT_STATE_PATH,
+      JSON.stringify({
+        account: {
+          'bad-shape': {
+            failedAttempts: '5',
+            windowStartAt: Date.parse('2026-01-01T00:00:00.000Z'),
+            lockedUntil: Date.parse('2026-01-01T00:10:00.000Z'),
+            lastAttemptAt: Date.parse('2026-01-01T00:00:00.000Z'),
+          },
+        },
+        ip: {},
+      }),
+    );
+    makePassportInvalidCredentials();
+
+    initializeLoginLockoutState();
+    const res = createResponse();
+    authenticateLogin(
+      {
+        body: { username: 'bad-shape' },
+        ip: '203.0.113.19',
+      } as any,
+      res as any,
+      vi.fn(),
+    );
+
+    expect(mockPassportAuthenticate).toHaveBeenCalled();
+    expect(res.status).toHaveBeenCalledWith(401);
+  });
+
+  test('prunes stale entries on the maintenance timer and persists changes', () => {
+    vi.useFakeTimers();
+    vi.setSystemTime(new Date('2026-01-01T00:00:00.000Z'));
+    lockoutStateFiles.set(
+      LOCKOUT_STATE_PATH,
+      JSON.stringify({
+        account: {
+          'timer-user': {
+            failedAttempts: 1,
+            windowStartAt: Date.parse('2026-01-01T00:00:00.000Z'),
+            lockedUntil: 0,
+            lastAttemptAt: Date.parse('2026-01-01T00:00:00.000Z'),
+          },
+        },
+        ip: {},
+      }),
+    );
+
+    initializeLoginLockoutState();
+    vi.setSystemTime(new Date('2026-01-01T00:16:00.000Z'));
+    vi.advanceTimersByTime(16 * 60 * 1000);
+
+    const persisted = JSON.parse(lockoutStateFiles.get(LOCKOUT_STATE_PATH) ?? '{}');
+    expect(persisted.account['timer-user']).toBeUndefined();
+    vi.useRealTimers();
+  });
+
+  test('warns when persisting lockout state fails', () => {
+    vi.useFakeTimers();
+    makePassportInvalidCredentials();
+    mockFs.writeFileSync.mockImplementation(() => {
+      throw new Error('persist write failed');
+    });
+
+    authenticateLogin(
+      {
+        body: { username: 'persist-error-user' },
+        ip: '203.0.113.20',
+      } as any,
+      createResponse() as any,
+      vi.fn(),
+    );
+
+    vi.advanceTimersByTime(1000);
+
+    expect(log.warn).toHaveBeenCalledWith(
+      expect.stringContaining('Unable to persist login lockout state (persist write failed)'),
+    );
+    vi.useRealTimers();
+  });
+
+  test('resetLoginLockoutStateForTests clears gauges and cancels scheduled work', () => {
+    vi.useFakeTimers();
+    initializeLoginLockoutState();
+
+    resetLoginLockoutStateForTests();
+    vi.advanceTimersByTime(60 * 60 * 1000);
+
+    expect(mockSetAuthAccountLockedTotal).toHaveBeenCalledWith(0);
+    expect(mockSetAuthIpLockedTotal).toHaveBeenCalledWith(0);
+    vi.useRealTimers();
+  });
+});
diff --git a/app/api/auth-lockout.ts b/app/api/auth-lockout.ts
index 3c8142079..f613cbf5f 100644
--- a/app/api/auth-lockout.ts
+++ b/app/api/auth-lockout.ts
@@ -3,6 +3,11 @@ import path from 'node:path';
 import type { NextFunction, Response } from 'express';
 import passport from 'passport';
 import log from '../log/index.js';
+import {
+  recordAuthLogin,
+  setAuthAccountLockedTotal,
+  setAuthIpLockedTotal,
+} from '../prometheus/auth.js';
 import * as store from '../store/index.js';
 import { getErrorMessage } from '../util/error.js';
 import { recordLoginAuditEvent } from './auth-audit.js';
@@ -63,6 +68,21 @@ let maintenanceTimer: ReturnType<typeof setInterval> | undefined;
 let persistTimer: ReturnType<typeof setTimeout> | undefined;
 let persistenceInitialized = false;
 
+function countActiveLockouts(lockouts: Map<string, LoginLockoutEntry>, now: number): number {
+  let activeLockouts = 0;
+  lockouts.forEach((entry) => {
+    if (entry.lockedUntil > now) {
+      activeLockouts += 1;
+    }
+  });
+  return activeLockouts;
+}
+
+function updateLockoutGaugeTotals(now = Date.now()): void {
+  setAuthAccountLockedTotal(countActiveLockouts(accountLoginLockouts, now));
+  setAuthIpLockedTotal(countActiveLockouts(ipLoginLockouts, now));
+}
+
 function parsePositiveIntegerEnv(name: string, fallback: number): number {
   const raw = process.env[name];
   if (raw === undefined) {
@@ -130,7 +150,10 @@ function persistLockoutState(): void {
       account: toPersistedRecord(accountLoginLockouts),
       ip: toPersistedRecord(ipLoginLockouts),
     };
-    fs.writeFileSync(lockoutStatePath, JSON.stringify(persistedState), 'utf8');
+    fs.writeFileSync(lockoutStatePath, JSON.stringify(persistedState), {
+      encoding: 'utf8',
+      mode: 0o600,
+    });
   } catch (error: unknown) {
     log.warn(`Unable to persist login lockout state (${getErrorMessage(error)})`);
   }
@@ -176,6 +199,7 @@ function loadPersistedLockoutState(): void {
     const persistedState = parsedState as Partial<PersistedLoginLockoutState>;
     hydrateLockoutMap(accountLoginLockouts, persistedState.account, accountLockoutPolicy);
     hydrateLockoutMap(ipLoginLockouts, persistedState.ip, ipLockoutPolicy);
+    updateLockoutGaugeTotals();
   } catch (error: unknown) {
     log.warn(`Unable to load login lockout state (${getErrorMessage(error)})`);
   }
@@ -193,14 +217,17 @@ function pruneAndPersistIfChanged(): void {
   ) {
     scheduleLockoutStatePersist();
   }
+  updateLockoutGaugeTotals(now);
 }
 
 export function initializeLoginLockoutState(): void {
   if (persistenceInitialized) {
+    updateLockoutGaugeTotals();
     return;
   }
   persistenceInitialized = true;
   loadPersistedLockoutState();
+  updateLockoutGaugeTotals();
   maintenanceTimer = setInterval(() => {
     pruneAndPersistIfChanged();
   }, lockoutPruneIntervalMs);
@@ -288,6 +315,7 @@ function getLockoutUntil(
     if (now - entry.lastAttemptAt > policy.windowMs) {
       lockouts.delete(key);
       scheduleLockoutStatePersist();
+      updateLockoutGaugeTotals(now);
     }
     return undefined;
   }
@@ -316,6 +344,7 @@ function registerFailedLoginAttempt(
       lastAttemptAt: now,
     });
     scheduleLockoutStatePersist();
+    updateLockoutGaugeTotals(now);
     return undefined;
   }
 
@@ -327,6 +356,7 @@ function registerFailedLoginAttempt(
 
   lockouts.set(key, existingEntry);
   scheduleLockoutStatePersist();
+  updateLockoutGaugeTotals(now);
   return existingEntry.lockedUntil > now ? existingEntry.lockedUntil : undefined;
 }
 
@@ -339,6 +369,7 @@ function clearLoginLockout(
   }
   if (lockouts.delete(key)) {
     scheduleLockoutStatePersist();
+    updateLockoutGaugeTotals();
   }
 }
 
@@ -364,6 +395,7 @@ function sendLockoutResponse(
 ): void {
   const retryAfterSeconds = Math.max(1, Math.ceil((lockoutUntil - now) / 1000));
   setRetryAfterHeader(res, retryAfterSeconds);
+  recordAuthLogin('locked', 'basic');
   recordLoginAuditEvent(
     req,
     'error',
@@ -466,4 +498,6 @@ export function resetLoginLockoutStateForTests(): void {
     persistTimer = undefined;
   }
   persistenceInitialized = false;
+  setAuthAccountLockedTotal(0);
+  setAuthIpLockedTotal(0);
 }
diff --git a/app/api/auth-remember-me.test.ts b/app/api/auth-remember-me.test.ts
new file mode 100644
index 000000000..c6c97023e
--- /dev/null
+++ b/app/api/auth-remember-me.test.ts
@@ -0,0 +1,170 @@
+import type { Response } from 'express';
+import { describe, expect, type Mock, test, vi } from 'vitest';
+import type { AuthRequest } from './auth-types.js';
+
+const { mockGetCookieMaxAge, mockSendErrorResponse } = vi.hoisted(() => ({
+  mockGetCookieMaxAge: vi.fn((days: number) => days * 86400000),
+  mockSendErrorResponse: vi.fn(),
+}));
+
+vi.mock('./auth-session.js', () => ({
+  getCookieMaxAge: mockGetCookieMaxAge,
+  REMEMBER_ME_DAYS: 30,
+}));
+
+vi.mock('./error-response.js', () => ({
+  sendErrorResponse: mockSendErrorResponse,
+}));
+
+import { applyRememberMe, setRememberMe } from './auth-remember-me.js';
+
+function createMockRequest(overrides: Partial<AuthRequest> = {}): AuthRequest {
+  return {
+    session: {
+      cookie: { maxAge: null, expires: undefined as unknown as Date },
+      rememberMe: false,
+    },
+    body: {},
+    ...overrides,
+  } as unknown as AuthRequest;
+}
+
+function createMockResponse(): Response {
+  const res = {
+    status: vi.fn().mockReturnThis(),
+    json: vi.fn().mockReturnThis(),
+  };
+  return res as unknown as Response;
+}
+
+describe('auth-remember-me', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  describe('applyRememberMe', () => {
+    test('extends cookie maxAge when rememberMe is true', () => {
+      const req = createMockRequest({
+        session: {
+          cookie: { maxAge: null, expires: undefined as unknown as Date },
+          rememberMe: true,
+        },
+      } as Partial<AuthRequest>);
+
+      applyRememberMe(req);
+
+      expect(mockGetCookieMaxAge).toHaveBeenCalledWith(30);
+      expect(req.session!.cookie.maxAge).toBe(30 * 86400000);
+    });
+
+    test('sets session cookie when rememberMe is false', () => {
+      const req = createMockRequest({
+        session: {
+          cookie: { maxAge: 999, expires: new Date() },
+          rememberMe: false,
+        },
+      } as Partial<AuthRequest>);
+
+      applyRememberMe(req);
+
+      expect(req.session!.cookie.expires).toBe(false);
+      expect(req.session!.cookie.maxAge).toBeNull();
+      expect(mockGetCookieMaxAge).not.toHaveBeenCalled();
+    });
+
+    test('returns early when session is undefined', () => {
+      const req = createMockRequest({ session: undefined });
+
+      applyRememberMe(req);
+
+      expect(mockGetCookieMaxAge).not.toHaveBeenCalled();
+    });
+
+    test('returns early when session.cookie is undefined', () => {
+      const req = createMockRequest({
+        session: { rememberMe: true } as any,
+      });
+
+      applyRememberMe(req);
+
+      expect(mockGetCookieMaxAge).not.toHaveBeenCalled();
+    });
+  });
+
+  describe('setRememberMe', () => {
+    test('stores remember=true in session and applies cookie', () => {
+      const req = createMockRequest({
+        body: { remember: true },
+        session: {
+          cookie: { maxAge: null, expires: undefined as unknown as Date },
+          rememberMe: false,
+        },
+      } as Partial<AuthRequest>);
+      const res = createMockResponse();
+
+      setRememberMe(req, res);
+
+      expect(req.session!.rememberMe).toBe(true);
+      expect(mockGetCookieMaxAge).toHaveBeenCalledWith(30);
+      expect((res.status as Mock).mock.calls[0][0]).toBe(200);
+      expect((res.json as Mock).mock.calls[0][0]).toEqual({ ok: true });
+    });
+
+    test('stores remember=false when body.remember is not true', () => {
+      const req = createMockRequest({
+        body: { remember: false },
+        session: {
+          cookie: { maxAge: 999, expires: new Date() },
+          rememberMe: true,
+        },
+      } as Partial<AuthRequest>);
+      const res = createMockResponse();
+
+      setRememberMe(req, res);
+
+      expect(req.session!.rememberMe).toBe(false);
+      expect(req.session!.cookie.maxAge).toBeNull();
+      expect((res.status as Mock).mock.calls[0][0]).toBe(200);
+    });
+
+    test('treats missing body.remember as false', () => {
+      const req = createMockRequest({
+        body: {},
+        session: {
+          cookie: { maxAge: null, expires: undefined as unknown as Date },
+          rememberMe: undefined,
+        },
+      } as Partial<AuthRequest>);
+      const res = createMockResponse();
+
+      setRememberMe(req, res);
+
+      expect(req.session!.rememberMe).toBe(false);
+    });
+
+    test('treats undefined body as false', () => {
+      const req = createMockRequest({
+        body: undefined,
+        session: {
+          cookie: { maxAge: null, expires: undefined as unknown as Date },
+          rememberMe: undefined,
+        },
+      } as Partial<AuthRequest>);
+      const res = createMockResponse();
+
+      setRememberMe(req, res);
+
+      expect(req.session!.rememberMe).toBe(false);
+    });
+
+    test('sends 500 error when session is missing', () => {
+      const req = createMockRequest({ session: undefined });
+      const res = createMockResponse();
+
+      setRememberMe(req, res);
+
+      expect(mockSendErrorResponse).toHaveBeenCalledWith(res, 500, 'Unable to access session');
+      expect(res.status as Mock).not.toHaveBeenCalled();
+    });
+  });
+});
diff --git a/app/api/auth-remember-me.ts b/app/api/auth-remember-me.ts
index dc4448244..a0b5200e5 100644
--- a/app/api/auth-remember-me.ts
+++ b/app/api/auth-remember-me.ts
@@ -20,7 +20,7 @@ export function applyRememberMe(req: AuthRequest): void {
 
 /**
  * Store the "remember me" preference in the session.
- * Called before any auth flow (basic or OIDC redirect).
+ * Called before each auth flow (basic or OIDC redirect).
  * @param req
  * @param res
  */
diff --git a/app/api/auth-strategies.test.ts b/app/api/auth-strategies.test.ts
new file mode 100644
index 000000000..f4acd0756
--- /dev/null
+++ b/app/api/auth-strategies.test.ts
@@ -0,0 +1,290 @@
+import type { Application, Request, Response } from 'express';
+import type { Strategy } from 'passport';
+import { describe, expect, type Mock, test, vi } from 'vitest';
+import type Authentication from '../authentications/providers/Authentication.js';
+import type { StrategyDescription } from '../authentications/providers/Authentication.js';
+
+const {
+  mockPassportUse,
+  mockGetState,
+  mockGetAuthenticationRegistrationErrors,
+  mockGetRegistrationWarnings,
+} = vi.hoisted(() => ({
+  mockPassportUse: vi.fn(),
+  mockGetState: vi.fn(),
+  mockGetAuthenticationRegistrationErrors: vi.fn().mockReturnValue([]),
+  mockGetRegistrationWarnings: vi.fn().mockReturnValue([]),
+}));
+
+vi.mock('passport', () => ({
+  default: { use: mockPassportUse },
+}));
+
+vi.mock('../registry/index.js', () => ({
+  getState: mockGetState,
+  getAuthenticationRegistrationErrors: mockGetAuthenticationRegistrationErrors,
+  getRegistrationWarnings: mockGetRegistrationWarnings,
+}));
+
+vi.mock('../log/index.js', () => ({
+  default: {
+    child: () => ({ info: vi.fn(), warn: vi.fn(), debug: vi.fn(), error: vi.fn() }),
+    warn: vi.fn(),
+  },
+}));
+
+import {
+  getAllIds,
+  getAuthStatus,
+  getLogoutRedirectUrl,
+  getStrategies,
+  registerStrategies,
+  resetStrategyIdsForTests,
+} from './auth-strategies.js';
+
+function createMockAuthentication(overrides: {
+  id: string;
+  strategy?: Strategy;
+  description: StrategyDescription;
+  throwOnGetStrategy?: boolean;
+}): Authentication {
+  return {
+    getId: () => overrides.id,
+    getStrategy: overrides.throwOnGetStrategy
+      ? () => {
+          throw new Error('strategy error');
+        }
+      : () => overrides.strategy ?? ({} as Strategy),
+    getStrategyDescription: () => overrides.description,
+  } as unknown as Authentication;
+}
+
+function createMockResponse(): Response {
+  const res = { json: vi.fn() };
+  return res as unknown as Response;
+}
+
+describe('auth-strategies', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    resetStrategyIdsForTests();
+  });
+
+  describe('getAllIds', () => {
+    test('returns empty array initially', () => {
+      expect(getAllIds()).toEqual([]);
+    });
+
+    test('returns a copy of the strategy IDs array', () => {
+      const auth = createMockAuthentication({
+        id: 'basic.local',
+        description: { type: 'basic', name: 'Local' },
+      });
+      mockGetState.mockReturnValue({ authentication: { local: auth } });
+
+      registerStrategies({} as Application);
+
+      const ids = getAllIds();
+      ids.push('mutated');
+      expect(getAllIds()).toEqual(['basic.local']);
+    });
+  });
+
+  describe('registerStrategies', () => {
+    test('registers each authentication strategy with passport', () => {
+      const strategy = {} as Strategy;
+      const auth = createMockAuthentication({
+        id: 'basic.local',
+        strategy,
+        description: { type: 'basic', name: 'Local' },
+      });
+      mockGetState.mockReturnValue({ authentication: { local: auth } });
+
+      registerStrategies({} as Application);
+
+      expect(mockPassportUse).toHaveBeenCalledWith('basic.local', strategy);
+      expect(getAllIds()).toEqual(['basic.local']);
+    });
+
+    test('registers multiple strategies', () => {
+      const auth1 = createMockAuthentication({
+        id: 'basic.local',
+        description: { type: 'basic', name: 'Local' },
+      });
+      const auth2 = createMockAuthentication({
+        id: 'oidc.google',
+        description: { type: 'oidc', name: 'Google' },
+      });
+      mockGetState.mockReturnValue({ authentication: { local: auth1, google: auth2 } });
+
+      registerStrategies({} as Application);
+
+      expect(mockPassportUse).toHaveBeenCalledTimes(2);
+      expect(getAllIds()).toEqual(['basic.local', 'oidc.google']);
+    });
+
+    test('catches and logs errors from getStrategy without crashing', () => {
+      const auth = createMockAuthentication({
+        id: 'broken.auth',
+        throwOnGetStrategy: true,
+        description: { type: 'basic', name: 'Broken' },
+      });
+      mockGetState.mockReturnValue({ authentication: { broken: auth } });
+
+      registerStrategies({} as Application);
+
+      expect(mockPassportUse).not.toHaveBeenCalled();
+      expect(getAllIds()).toEqual([]);
+    });
+
+    test('registers healthy strategies even when one fails', () => {
+      const healthy = createMockAuthentication({
+        id: 'basic.local',
+        description: { type: 'basic', name: 'Local' },
+      });
+      const broken = createMockAuthentication({
+        id: 'broken.auth',
+        throwOnGetStrategy: true,
+        description: { type: 'basic', name: 'Broken' },
+      });
+      mockGetState.mockReturnValue({ authentication: { local: healthy, broken } });
+
+      registerStrategies({} as Application);
+
+      expect(mockPassportUse).toHaveBeenCalledTimes(1);
+      expect(getAllIds()).toEqual(['basic.local']);
+    });
+  });
+
+  describe('getAuthStatus', () => {
+    test('returns unique providers sorted by name and registration errors', () => {
+      const auth1 = createMockAuthentication({
+        id: 'basic.z-auth',
+        description: { type: 'basic', name: 'Zulu' },
+      });
+      const auth2 = createMockAuthentication({
+        id: 'oidc.alpha',
+        description: { type: 'oidc', name: 'Alpha' },
+      });
+      mockGetState.mockReturnValue({ authentication: { z: auth1, a: auth2 } });
+      const errors = [{ provider: 'bad', message: 'fail' }];
+      mockGetAuthenticationRegistrationErrors.mockReturnValue(errors);
+
+      const res = createMockResponse();
+      getAuthStatus({} as Request, res);
+
+      expect((res.json as Mock).mock.calls[0][0]).toEqual({
+        providers: [
+          { type: 'oidc', name: 'Alpha' },
+          { type: 'basic', name: 'Zulu' },
+        ],
+        errors,
+      });
+    });
+
+    test('deduplicates strategies with same type and name', () => {
+      const auth1 = createMockAuthentication({
+        id: 'basic.first',
+        description: { type: 'basic', name: 'Local' },
+      });
+      const auth2 = createMockAuthentication({
+        id: 'basic.second',
+        description: { type: 'basic', name: 'Local' },
+      });
+      mockGetState.mockReturnValue({ authentication: { a: auth1, b: auth2 } });
+      mockGetAuthenticationRegistrationErrors.mockReturnValue([]);
+
+      const res = createMockResponse();
+      getAuthStatus({} as Request, res);
+
+      const payload = (res.json as Mock).mock.calls[0][0];
+      expect(payload.providers).toHaveLength(1);
+      expect(payload.providers[0]).toEqual({ type: 'basic', name: 'Local' });
+    });
+
+    test('returns empty providers when no authentication configured', () => {
+      mockGetState.mockReturnValue({ authentication: {} });
+      mockGetAuthenticationRegistrationErrors.mockReturnValue([]);
+
+      const res = createMockResponse();
+      getAuthStatus({} as Request, res);
+
+      expect((res.json as Mock).mock.calls[0][0]).toEqual({
+        providers: [],
+        errors: [],
+      });
+    });
+  });
+
+  describe('getStrategies', () => {
+    test('returns strategies with registration warnings', () => {
+      const auth = createMockAuthentication({
+        id: 'basic.local',
+        description: { type: 'basic', name: 'Local' },
+      });
+      mockGetState.mockReturnValue({ authentication: { local: auth } });
+      mockGetAuthenticationRegistrationErrors.mockReturnValue([]);
+      mockGetRegistrationWarnings.mockReturnValue(['Warning: config missing']);
+
+      const res = createMockResponse();
+      getStrategies({} as Request, res);
+
+      expect((res.json as Mock).mock.calls[0][0]).toEqual({
+        strategies: [{ type: 'basic', name: 'Local' }],
+        warnings: ['Warning: config missing'],
+      });
+    });
+  });
+
+  describe('getLogoutRedirectUrl', () => {
+    test('returns logoutUrl from first strategy that has one', () => {
+      const auth1 = createMockAuthentication({
+        id: 'basic.local',
+        description: { type: 'basic', name: 'Local' },
+      });
+      const auth2 = createMockAuthentication({
+        id: 'oidc.google',
+        description: {
+          type: 'oidc',
+          name: 'Google',
+          logoutUrl: 'https://accounts.google.com/logout',
+        },
+      });
+      mockGetState.mockReturnValue({ authentication: { local: auth1, google: auth2 } });
+
+      expect(getLogoutRedirectUrl()).toBe('https://accounts.google.com/logout');
+    });
+
+    test('returns undefined when no strategy has a logoutUrl', () => {
+      const auth = createMockAuthentication({
+        id: 'basic.local',
+        description: { type: 'basic', name: 'Local' },
+      });
+      mockGetState.mockReturnValue({ authentication: { local: auth } });
+
+      expect(getLogoutRedirectUrl()).toBeUndefined();
+    });
+
+    test('returns undefined when no authentication configured', () => {
+      mockGetState.mockReturnValue({ authentication: {} });
+
+      expect(getLogoutRedirectUrl()).toBeUndefined();
+    });
+  });
+
+  describe('resetStrategyIdsForTests', () => {
+    test('clears strategy IDs', () => {
+      const auth = createMockAuthentication({
+        id: 'basic.local',
+        description: { type: 'basic', name: 'Local' },
+      });
+      mockGetState.mockReturnValue({ authentication: { local: auth } });
+      registerStrategies({} as Application);
+      expect(getAllIds()).toHaveLength(1);
+
+      resetStrategyIdsForTests();
+
+      expect(getAllIds()).toEqual([]);
+    });
+  });
+});
diff --git a/app/api/auth-strategies.ts b/app/api/auth-strategies.ts
index 5b82028fd..3cf307135 100644
--- a/app/api/auth-strategies.ts
+++ b/app/api/auth-strategies.ts
@@ -48,7 +48,7 @@ export function registerStrategies(app: Application): void {
   });
 }
 
-export function getUniqueStrategies(): StrategyDescription[] {
+function getUniqueStrategies(): StrategyDescription[] {
   const strategies = Object.values(registry.getState().authentication).map(
     (authentication: Authentication): StrategyDescription =>
       authentication.getStrategyDescription(),
@@ -80,7 +80,7 @@ export function getAuthStatus(_req: Request, res: Response): void {
 
 /**
  * Return the registered strategies from the registry.
- * Includes any registration warnings so the login UI can surface them.
+ * Includes registration warnings so the login UI can surface them.
  * @param req
  * @param res
  */
diff --git a/app/api/auth.test.ts b/app/api/auth.test.ts
index 09b27041b..1931d1539 100644
--- a/app/api/auth.test.ts
+++ b/app/api/auth.test.ts
@@ -223,6 +223,19 @@ describe('Auth Router', () => {
     });
   });
 
+  describe('getSessionMiddleware', () => {
+    test('returns the initialized session middleware', () => {
+      const app = createApp();
+      registry.getState.mockReturnValue({
+        authentication: {},
+      });
+
+      auth.init(app);
+
+      expect(auth.getSessionMiddleware()).toBe('session-middleware');
+    });
+  });
+
   describe('requireAuthentication', () => {
     test('should call next when user is authenticated', () => {
       const req = { isAuthenticated: vi.fn(() => true) };
@@ -741,11 +754,10 @@ describe('Auth Router', () => {
 
         vi.advanceTimersByTime(1000);
 
-        expect(mockFs.writeFileSync).toHaveBeenCalledWith(
-          LOCKOUT_STATE_PATH,
-          expect.any(String),
-          'utf8',
-        );
+        expect(mockFs.writeFileSync).toHaveBeenCalledWith(LOCKOUT_STATE_PATH, expect.any(String), {
+          encoding: 'utf8',
+          mode: 0o600,
+        });
         const persistedState = JSON.parse(lockoutStateFiles.get(LOCKOUT_STATE_PATH) ?? '{}');
         expect(persistedState.account['persist-user']).toEqual(
           expect.objectContaining({
diff --git a/app/api/auth.ts b/app/api/auth.ts
index e757faf16..3e86ceb06 100644
--- a/app/api/auth.ts
+++ b/app/api/auth.ts
@@ -45,12 +45,17 @@ const router = express.Router();
 const AUTH_USER_CACHE_CONTROL = 'private, no-cache, no-store, must-revalidate';
 const LOGIN_SESSION_ERROR_RESPONSE = 'Unable to establish session';
 const LOGIN_SUCCESS_AUDIT_MESSAGE = 'Login succeeded';
+let sessionMiddleware: ReturnType<typeof session> | undefined;
 
 type LoginFinish = () => void;
 type LoginErrorHandler = (errorMessage: string, options?: { logWarning?: boolean }) => void;
 
 export { getAllIds };
 
+export function getSessionMiddleware() {
+  return sessionMiddleware;
+}
+
 export function _resetLoginLockoutStateForTests(): void {
   resetLoginLockoutStateForTests();
 }
@@ -326,24 +331,23 @@ export function init(app: Application): void {
   }
 
   // Init express session
-  app.use(
-    session({
-      store: new LokiStore({
-        path: `${store.getConfiguration().path}/${store.getConfiguration().file}`,
-        // Keep store retention >= longest auth cookie lifespan (remember-me).
-        ttl: getCookieMaxAge(REMEMBER_ME_DAYS) / 1000,
-      }),
-      secret: getSessionSecretKey(),
-      resave: false,
-      saveUninitialized: false,
-      cookie: {
-        httpOnly: true,
-        sameSite: sessionCookieSameSite,
-        secure: sessionCookieSecure,
-        maxAge: getCookieMaxAge(DEFAULT_SESSION_DAYS),
-      },
+  sessionMiddleware = session({
+    store: new LokiStore({
+      path: `${store.getConfiguration().path}/${store.getConfiguration().file}`,
+      // Keep store retention >= longest auth cookie lifespan (remember-me).
+      ttl: getCookieMaxAge(REMEMBER_ME_DAYS) / 1000,
     }),
-  );
+    secret: getSessionSecretKey(),
+    resave: false,
+    saveUninitialized: false,
+    cookie: {
+      httpOnly: true,
+      sameSite: sessionCookieSameSite,
+      secure: sessionCookieSecure,
+      maxAge: getCookieMaxAge(DEFAULT_SESSION_DAYS),
+    },
+  });
+  app.use(sessionMiddleware);
 
   // Init passport middleware
   app.use(passport.initialize());
diff --git a/app/api/backup.test.ts b/app/api/backup.test.ts
index 209b132bf..1f826d373 100644
--- a/app/api/backup.test.ts
+++ b/app/api/backup.test.ts
@@ -201,9 +201,9 @@ describe('Backup Router', () => {
       await handler(req, res);
 
       expect(res.status).toHaveBeenCalledWith(404);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: expect.stringContaining('No backups found') }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        error: expect.stringContaining('No backups found'),
+      });
     });
 
     test('should return 404 when backupId does not exist', async () => {
@@ -252,9 +252,9 @@ describe('Backup Router', () => {
       await handler(req, res);
 
       expect(res.status).toHaveBeenCalledWith(404);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: expect.stringContaining('No docker trigger found') }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        error: expect.stringContaining('No docker trigger found'),
+      });
     });
 
     test('should rollback successfully', async () => {
@@ -298,12 +298,10 @@ describe('Backup Router', () => {
       expect(mockTrigger.stopAndRemoveContainer).toHaveBeenCalled();
       expect(mockTrigger.recreateContainer).toHaveBeenCalled();
       expect(res.status).toHaveBeenCalledWith(200);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          message: 'Container rolled back successfully',
-          backup: latestBackup,
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        message: 'Container rolled back successfully',
+        backup: latestBackup,
+      });
     });
 
     test('should rollback successfully with a dockercompose trigger', async () => {
@@ -347,12 +345,10 @@ describe('Backup Router', () => {
       expect(composeTrigger.stopAndRemoveContainer).toHaveBeenCalled();
       expect(composeTrigger.recreateContainer).toHaveBeenCalled();
       expect(res.status).toHaveBeenCalledWith(200);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          message: 'Container rolled back successfully',
-          backup: latestBackup,
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        message: 'Container rolled back successfully',
+        backup: latestBackup,
+      });
     });
 
     test('should rollback successfully when a valid backupId is provided', async () => {
@@ -398,12 +394,10 @@ describe('Backup Router', () => {
       expect(mockTrigger.stopAndRemoveContainer).toHaveBeenCalled();
       expect(mockTrigger.recreateContainer).toHaveBeenCalled();
       expect(res.status).toHaveBeenCalledWith(200);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          message: 'Container rolled back successfully',
-          backup: selectedBackup,
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        message: 'Container rolled back successfully',
+        backup: selectedBackup,
+      });
     });
 
     test('should return 500 when current container cannot be found in Docker', async () => {
@@ -474,7 +468,7 @@ describe('Backup Router', () => {
       await handler(req, res);
 
       expect(res.status).toHaveBeenCalledWith(500);
-      expect(res.json).toHaveBeenCalledWith({ error: 'Error rolling back container' });
+      expect(res.json).toHaveBeenCalledWith({ error: 'Pull failed' });
     });
 
     test('should stringify non-Error rollback failures', async () => {
@@ -509,7 +503,7 @@ describe('Backup Router', () => {
       await handler(req, res);
 
       expect(res.status).toHaveBeenCalledWith(500);
-      expect(res.json).toHaveBeenCalledWith({ error: 'Error rolling back container' });
+      expect(res.json).toHaveBeenCalledWith({ error: 'pull failed as string' });
     });
   });
 });
diff --git a/app/api/component.test.ts b/app/api/component.test.ts
index 6cfb0b818..98bab4229 100644
--- a/app/api/component.test.ts
+++ b/app/api/component.test.ts
@@ -31,10 +31,6 @@ vi.mock('../registry', () => ({
 import * as registry from '../registry/index.js';
 import * as component from './component.js';
 
-function createResponse() {
-  return createMockResponse();
-}
-
 describe('Component Router', () => {
   beforeEach(() => {
     vi.clearAllMocks();
@@ -76,11 +72,13 @@ describe('Component Router', () => {
         configuration: { url: 'https://hub.docker.com' },
       };
       const result = component.mapComponentToItem('docker.hub', comp);
-      expect(result).toEqual(
-        expect.objectContaining({
-          configuration: { url: 'https://hub.docker.com' },
-        }),
-      );
+      expect(result).toEqual({
+        id: 'docker.hub',
+        type: 'docker',
+        name: 'hub',
+        configuration: { url: 'https://hub.docker.com' },
+        agent: undefined,
+      });
     });
 
     test('should include metadata when component has getMetadata', () => {
@@ -251,13 +249,16 @@ describe('Component Router', () => {
       const result = component.mapComponentsToList(components, 'trigger');
 
       expect(result).toEqual([
-        expect.objectContaining({
+        {
           id: 'slack.ops',
+          type: 'slack',
+          name: 'ops',
           configuration: {
             channel: '[REDACTED]',
             mode: 'simple',
           },
-        }),
+          agent: undefined,
+        },
       ]);
     });
   });
@@ -274,11 +275,17 @@ describe('Component Router', () => {
       });
 
       const req = { params: { type: 'docker', name: 'hub' } };
-      const res = createResponse();
+      const res = createMockResponse();
       component.getById(req, res, 'watcher');
 
       expect(res.status).toHaveBeenCalledWith(200);
-      expect(res.json).toHaveBeenCalledWith(expect.objectContaining({ id: 'docker.hub' }));
+      expect(res.json).toHaveBeenCalledWith({
+        id: 'docker.hub',
+        type: 'docker',
+        name: 'hub',
+        configuration: { url: 'hub' },
+        agent: undefined,
+      });
     });
 
     test('should return component by agent.type.name id', () => {
@@ -295,24 +302,28 @@ describe('Component Router', () => {
       const req = {
         params: { agent: 'myagent', type: 'docker', name: 'hub' },
       };
-      const res = createResponse();
+      const res = createMockResponse();
       component.getById(req, res, 'watcher');
 
       expect(res.status).toHaveBeenCalledWith(200);
-      expect(res.json).toHaveBeenCalledWith(expect.objectContaining({ id: 'myagent.docker.hub' }));
+      expect(res.json).toHaveBeenCalledWith({
+        id: 'myagent.docker.hub',
+        type: 'docker',
+        name: 'hub',
+        configuration: {},
+        agent: 'myagent',
+      });
     });
 
     test('should return 404 when component is not found', () => {
       registry.getState.mockReturnValue({ watcher: {} });
 
       const req = { params: { type: 'docker', name: 'missing' } };
-      const res = createResponse();
+      const res = createMockResponse();
       component.getById(req, res, 'watcher');
 
       expect(res.status).toHaveBeenCalledWith(404);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: 'Component not found' }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: 'Component not found' });
     });
   });
 
@@ -339,12 +350,14 @@ describe('Component Router', () => {
       component.init('watcher');
       const getAllHandler = mockRouter.get.mock.calls.find((c) => c[0] === '/')[1];
 
-      const res = createResponse();
+      const res = createMockResponse();
       getAllHandler({ query: {} }, res);
 
       expect(res.status).toHaveBeenCalledWith(200);
       expect(res.json).toHaveBeenCalledWith({
-        data: [expect.objectContaining({ id: 'docker.hub' })],
+        data: [
+          { id: 'docker.hub', type: 'docker', name: 'hub', configuration: {}, agent: undefined },
+        ],
         total: 1,
         limit: 0,
         offset: 0,
@@ -364,12 +377,14 @@ describe('Component Router', () => {
       component.init('watcher');
       const getAllHandler = mockRouter.get.mock.calls.find((c) => c[0] === '/')[1];
 
-      const res = createResponse();
+      const res = createMockResponse();
       getAllHandler({ query: { limit: '1', offset: '1' } }, res);
 
       expect(res.status).toHaveBeenCalledWith(200);
       expect(res.json).toHaveBeenCalledWith({
-        data: [expect.objectContaining({ id: 'docker.beta' })],
+        data: [
+          { id: 'docker.beta', type: 'docker', name: 'beta', configuration: {}, agent: undefined },
+        ],
         total: 3,
         limit: 1,
         offset: 1,
@@ -389,15 +404,27 @@ describe('Component Router', () => {
       component.init('watcher');
       const getAllHandler = mockRouter.get.mock.calls.find((c) => c[0] === '/')[1];
 
-      const res = createResponse();
+      const res = createMockResponse();
       getAllHandler({ query: { limit: ['999', '1'], offset: '-5' } }, res);
 
       expect(res.status).toHaveBeenCalledWith(200);
       expect(res.json).toHaveBeenCalledWith({
         data: [
-          expect.objectContaining({ id: 'docker.alpha' }),
-          expect.objectContaining({ id: 'docker.beta' }),
-          expect.objectContaining({ id: 'docker.gamma' }),
+          {
+            id: 'docker.alpha',
+            type: 'docker',
+            name: 'alpha',
+            configuration: {},
+            agent: undefined,
+          },
+          { id: 'docker.beta', type: 'docker', name: 'beta', configuration: {}, agent: undefined },
+          {
+            id: 'docker.gamma',
+            type: 'docker',
+            name: 'gamma',
+            configuration: {},
+            agent: undefined,
+          },
         ],
         total: 3,
         limit: 200,
@@ -417,7 +444,7 @@ describe('Component Router', () => {
       component.init('watcher');
       const getAllHandler = mockRouter.get.mock.calls.find((c) => c[0] === '/')[1];
 
-      const res = createResponse();
+      const res = createMockResponse();
       getAllHandler({ query: { limit: '1', offset: '99' } }, res);
 
       expect(res.status).toHaveBeenCalledWith(200);
@@ -439,15 +466,23 @@ describe('Component Router', () => {
 
       component.init('watcher');
       const getAllHandler = mockRouter.get.mock.calls.find((c) => c[0] === '/')[1];
-      const resWithInvalid = createResponse();
-      const resWithUndefinedQuery = createResponse();
+      const resWithInvalid = createMockResponse();
+      const resWithUndefinedQuery = createMockResponse();
 
       getAllHandler({ query: { limit: 'oops', offset: 'oops' } }, resWithInvalid);
       getAllHandler({}, resWithUndefinedQuery);
 
       expect(resWithInvalid.status).toHaveBeenCalledWith(200);
       expect(resWithInvalid.json).toHaveBeenCalledWith({
-        data: [expect.objectContaining({ id: 'docker.alpha' })],
+        data: [
+          {
+            id: 'docker.alpha',
+            type: 'docker',
+            name: 'alpha',
+            configuration: {},
+            agent: undefined,
+          },
+        ],
         total: 1,
         limit: 0,
         offset: 0,
@@ -455,7 +490,15 @@ describe('Component Router', () => {
       });
       expect(resWithUndefinedQuery.status).toHaveBeenCalledWith(200);
       expect(resWithUndefinedQuery.json).toHaveBeenCalledWith({
-        data: [expect.objectContaining({ id: 'docker.alpha' })],
+        data: [
+          {
+            id: 'docker.alpha',
+            type: 'docker',
+            name: 'alpha',
+            configuration: {},
+            agent: undefined,
+          },
+        ],
         total: 1,
         limit: 0,
         offset: 0,
@@ -476,7 +519,7 @@ describe('Component Router', () => {
       component.init('trigger');
       const getByIdHandler = mockRouter.get.mock.calls.find((c) => c[0] === '/:type/:name')[1];
 
-      const res = createResponse();
+      const res = createMockResponse();
       getByIdHandler({ params: { type: 'docker', name: 'hub' } }, res);
 
       expect(res.status).toHaveBeenCalledWith(200);
@@ -498,7 +541,7 @@ describe('Component Router', () => {
         (c) => c[0] === '/:type/:name/:agent',
       )[1];
 
-      const res = createResponse();
+      const res = createMockResponse();
       getByIdHandler({ params: { agent: 'myagent', type: 'docker', name: 'hub' } }, res);
 
       expect(res.status).toHaveBeenCalledWith(200);
diff --git a/app/api/container-actions.test.ts b/app/api/container-actions.test.ts
index 4f8187dcb..75d44caf4 100644
--- a/app/api/container-actions.test.ts
+++ b/app/api/container-actions.test.ts
@@ -121,12 +121,10 @@ describe('Container Actions Router', () => {
 
       expect(dockerContainer.start).toHaveBeenCalled();
       expect(res.status).toHaveBeenCalledWith(200);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          message: 'Container started successfully',
-          result: expect.any(Object),
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        message: 'Container started successfully',
+        result: expect.any(Object),
+      });
       const contractValidation = validateOpenApiJsonResponse({
         path: '/api/containers/{id}/start',
         method: 'post',
@@ -146,9 +144,7 @@ describe('Container Actions Router', () => {
       await handler(req, res);
 
       expect(res.status).toHaveBeenCalledWith(404);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: 'Container not found' }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: 'Container not found' });
     });
 
     test('should return 404 when no docker trigger found', async () => {
@@ -161,9 +157,9 @@ describe('Container Actions Router', () => {
       await handler(req, res);
 
       expect(res.status).toHaveBeenCalledWith(404);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: expect.stringContaining('No docker trigger found') }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        error: expect.stringContaining('No docker trigger found'),
+      });
     });
 
     test('should return 403 when feature flag is disabled', async () => {
@@ -175,9 +171,7 @@ describe('Container Actions Router', () => {
       await handler(req, res);
 
       expect(res.status).toHaveBeenCalledWith(403);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: 'Container actions are disabled' }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: 'Container actions are disabled' });
     });
 
     test('should return 500 when Docker API throws error', async () => {
@@ -193,9 +187,7 @@ describe('Container Actions Router', () => {
       await handler(req, res);
 
       expect(res.status).toHaveBeenCalledWith(500);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: 'Error performing start on container' }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: 'container already started' });
     });
 
     test('should stringify non-Error Docker API failures', async () => {
@@ -211,9 +203,7 @@ describe('Container Actions Router', () => {
       await handler(req, res);
 
       expect(res.status).toHaveBeenCalledWith(500);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: 'Error performing start on container' }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: 'start failed as string' });
     });
 
     test('should insert audit entry on success', async () => {
@@ -293,12 +283,10 @@ describe('Container Actions Router', () => {
 
       expect(mockUpdateContainer).not.toHaveBeenCalled();
       expect(res.status).toHaveBeenCalledWith(200);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          message: 'Container started successfully',
-          result: container,
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        message: 'Container started successfully',
+        result: container,
+      });
     });
   });
 
@@ -316,12 +304,10 @@ describe('Container Actions Router', () => {
 
       expect(dockerContainer.stop).toHaveBeenCalled();
       expect(res.status).toHaveBeenCalledWith(200);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          message: 'Container stopped successfully',
-          result: expect.any(Object),
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        message: 'Container stopped successfully',
+        result: expect.any(Object),
+      });
     });
 
     test('should return 403 when feature flag is disabled', async () => {
@@ -333,9 +319,7 @@ describe('Container Actions Router', () => {
       await handler(req, res);
 
       expect(res.status).toHaveBeenCalledWith(403);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: 'Container actions are disabled' }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: 'Container actions are disabled' });
     });
 
     test('should return 500 when Docker API throws error', async () => {
@@ -351,9 +335,7 @@ describe('Container Actions Router', () => {
       await handler(req, res);
 
       expect(res.status).toHaveBeenCalledWith(500);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: 'Error performing stop on container' }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: 'stop failed' });
     });
   });
 
@@ -371,12 +353,10 @@ describe('Container Actions Router', () => {
 
       expect(dockerContainer.restart).toHaveBeenCalled();
       expect(res.status).toHaveBeenCalledWith(200);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          message: 'Container restarted successfully',
-          result: expect.any(Object),
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        message: 'Container restarted successfully',
+        result: expect.any(Object),
+      });
     });
 
     test('should return 403 when feature flag is disabled', async () => {
@@ -388,9 +368,7 @@ describe('Container Actions Router', () => {
       await handler(req, res);
 
       expect(res.status).toHaveBeenCalledWith(403);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: 'Container actions are disabled' }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: 'Container actions are disabled' });
     });
 
     test('should insert audit entry with correct action', async () => {
@@ -425,9 +403,7 @@ describe('Container Actions Router', () => {
       await handler(req, res);
 
       expect(res.status).toHaveBeenCalledWith(500);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: 'Error performing restart on container' }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: 'restart failed' });
     });
   });
 
@@ -439,8 +415,16 @@ describe('Container Actions Router', () => {
         image: { name: 'nginx' },
         updateAvailable: true,
       };
-      const updatedContainer = { ...container, image: { name: 'nginx:latest' } };
-      mockGetContainer.mockReturnValueOnce(container).mockReturnValueOnce(updatedContainer);
+      const clearedContainer = {
+        ...container,
+        image: { name: 'nginx:latest' },
+        updateAvailable: false,
+      };
+      mockGetContainer
+        .mockReturnValueOnce(container) // initial lookup
+        .mockReturnValueOnce(container) // post-trigger check (still has updateAvailable)
+        .mockReturnValueOnce(clearedContainer); // after updateContainer clears flag
+      mockUpdateContainer.mockReturnValue(clearedContainer);
       const mockTriggerFn = vi.fn().mockResolvedValue(undefined);
       const trigger = { type: 'docker', trigger: mockTriggerFn };
       mockGetState.mockReturnValue({ trigger: { 'docker.default': trigger } });
@@ -451,13 +435,14 @@ describe('Container Actions Router', () => {
       await handler(req, res);
 
       expect(mockTriggerFn).toHaveBeenCalledWith(container);
-      expect(res.status).toHaveBeenCalledWith(200);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          message: 'Container updated successfully',
-          result: updatedContainer,
-        }),
+      expect(mockUpdateContainer).toHaveBeenCalledWith(
+        expect.objectContaining({ updateAvailable: false }),
       );
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(res.json).toHaveBeenCalledWith({
+        message: 'Container updated successfully',
+        result: clearedContainer,
+      });
     });
 
     test('should update container successfully with a dockercompose trigger', async () => {
@@ -467,8 +452,16 @@ describe('Container Actions Router', () => {
         image: { name: 'nginx' },
         updateAvailable: true,
       };
-      const updatedContainer = { ...container, image: { name: 'nginx:latest' } };
-      mockGetContainer.mockReturnValueOnce(container).mockReturnValueOnce(updatedContainer);
+      const clearedContainer = {
+        ...container,
+        image: { name: 'nginx:latest' },
+        updateAvailable: false,
+      };
+      mockGetContainer
+        .mockReturnValueOnce(container) // initial lookup
+        .mockReturnValueOnce(container) // post-trigger check
+        .mockReturnValueOnce(clearedContainer); // after clearing flag
+      mockUpdateContainer.mockReturnValue(clearedContainer);
       const mockTriggerFn = vi.fn().mockResolvedValue(undefined);
       const trigger = { type: 'dockercompose', trigger: mockTriggerFn };
       mockGetState.mockReturnValue({ trigger: { 'dockercompose.default': trigger } });
@@ -479,13 +472,48 @@ describe('Container Actions Router', () => {
       await handler(req, res);
 
       expect(mockTriggerFn).toHaveBeenCalledWith(container);
-      expect(res.status).toHaveBeenCalledWith(200);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          message: 'Container updated successfully',
-          result: updatedContainer,
-        }),
+      expect(mockUpdateContainer).toHaveBeenCalledWith(
+        expect.objectContaining({ updateAvailable: false }),
       );
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(res.json).toHaveBeenCalledWith({
+        message: 'Container updated successfully',
+        result: clearedContainer,
+      });
+    });
+
+    test('should not clear updateAvailable when the post-trigger container is already up to date', async () => {
+      const container = {
+        id: 'c1',
+        name: 'nginx',
+        image: { name: 'nginx' },
+        updateAvailable: true,
+      };
+      const updatedContainer = {
+        ...container,
+        image: { name: 'nginx:latest' },
+        updateAvailable: false,
+      };
+      mockGetContainer
+        .mockReturnValueOnce(container)
+        .mockReturnValueOnce(updatedContainer)
+        .mockReturnValueOnce(updatedContainer);
+      const mockTriggerFn = vi.fn().mockResolvedValue(undefined);
+      const trigger = { type: 'docker', trigger: mockTriggerFn };
+      mockGetState.mockReturnValue({ trigger: { 'docker.default': trigger } });
+
+      const handler = getHandler('post', '/:id/update');
+      const req = createMockRequest({ params: { id: 'c1' } });
+      const res = createMockResponse();
+      await handler(req, res);
+
+      expect(mockTriggerFn).toHaveBeenCalledWith(container);
+      expect(mockUpdateContainer).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(res.json).toHaveBeenCalledWith({
+        message: 'Container updated successfully',
+        result: updatedContainer,
+      });
     });
 
     test('should select the dockercompose trigger matching container compose labels', async () => {
@@ -543,9 +571,7 @@ describe('Container Actions Router', () => {
       await handler(req, res);
 
       expect(res.status).toHaveBeenCalledWith(404);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: 'Container not found' }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: 'Container not found' });
     });
 
     test('should return 400 when no update available', async () => {
@@ -563,9 +589,56 @@ describe('Container Actions Router', () => {
       await handler(req, res);
 
       expect(res.status).toHaveBeenCalledWith(400);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: 'No update available for this container' }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: 'No update available for this container' });
+    });
+
+    test('should return 409 when target is a temporary rollback -old container', async () => {
+      const container = {
+        id: 'c1',
+        name: 'nginx-old-1773933154786',
+        image: { name: 'nginx' },
+        updateAvailable: true,
+      };
+      mockGetContainer.mockReturnValue(container);
+      const mockTriggerFn = vi.fn().mockResolvedValue(undefined);
+      const trigger = { type: 'docker', trigger: mockTriggerFn };
+      mockGetState.mockReturnValue({ trigger: { 'docker.default': trigger } });
+
+      const handler = getHandler('post', '/:id/update');
+      const req = createMockRequest({ params: { id: 'c1' } });
+      const res = createMockResponse();
+      await handler(req, res);
+
+      expect(res.status).toHaveBeenCalledWith(409);
+      expect(res.json).toHaveBeenCalledWith({
+        error: expect.stringContaining('temporary rollback container'),
+      });
+      expect(mockTriggerFn).not.toHaveBeenCalled();
+    });
+
+    test('should return 409 when update is blocked by a security scan', async () => {
+      const container = {
+        id: 'c1',
+        name: 'nginx',
+        image: { name: 'nginx' },
+        updateAvailable: true,
+        security: {
+          scan: {
+            status: 'blocked',
+          },
+        },
+      };
+      mockGetContainer.mockReturnValue(container);
+
+      const handler = getHandler('post', '/:id/update');
+      const req = createMockRequest({ params: { id: 'c1' } });
+      const res = createMockResponse();
+      await handler(req, res);
+
+      expect(res.status).toHaveBeenCalledWith(409);
+      expect(res.json).toHaveBeenCalledWith({
+        error: 'Update blocked by security scan. Use force-update to override.',
+      });
     });
 
     test('should return 404 when no docker trigger found', async () => {
@@ -584,9 +657,9 @@ describe('Container Actions Router', () => {
       await handler(req, res);
 
       expect(res.status).toHaveBeenCalledWith(404);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: expect.stringContaining('No docker trigger found') }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        error: expect.stringContaining('No docker trigger found'),
+      });
     });
 
     test('should return 403 when feature flag is disabled', async () => {
@@ -598,9 +671,7 @@ describe('Container Actions Router', () => {
       await handler(req, res);
 
       expect(res.status).toHaveBeenCalledWith(403);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: 'Container actions are disabled' }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: 'Container actions are disabled' });
     });
 
     test('should return 500 when trigger throws error', async () => {
@@ -621,9 +692,7 @@ describe('Container Actions Router', () => {
       await handler(req, res);
 
       expect(res.status).toHaveBeenCalledWith(500);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: 'Error updating container' }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: 'pull failed' });
     });
 
     test('should insert audit entry on success', async () => {
@@ -722,9 +791,7 @@ describe('Container Actions Router', () => {
       await handler(req, res);
 
       expect(res.status).toHaveBeenCalledWith(500);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: 'Error updating container' }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: 'update failed as string' });
     });
   });
 });
diff --git a/app/api/container-actions.ts b/app/api/container-actions.ts
index 7bb8778c7..42dbd0e41 100644
--- a/app/api/container-actions.ts
+++ b/app/api/container-actions.ts
@@ -6,6 +6,7 @@ import type { AuditEntry } from '../model/audit.js';
 import { getContainerActionsCounter } from '../prometheus/container-actions.js';
 import * as registry from '../registry/index.js';
 import * as storeContainer from '../store/container.js';
+import Trigger from '../triggers/providers/Trigger.js';
 import { recordAuditEvent } from './audit-events.js';
 import { findDockerTriggerForContainer, NO_DOCKER_TRIGGER_FOUND_ERROR } from './docker-trigger.js';
 import { sendErrorResponse } from './error-response.js';
@@ -47,8 +48,8 @@ type DockerWatcher = {
  * Execute a container action (start, stop, restart).
  *
  * Security note: these action endpoints are intentionally authentication-gated
- * only. In current single-operator deployments, any authenticated user can
- * start, stop, or restart any container. Fine-grained RBAC is planned for a
+ * only. In current single-operator deployments, all authenticated users can
+ * start, stop, or restart containers. Fine-grained RBAC is planned for a
  * future enterprise access release.
  */
 async function executeAction(
@@ -163,6 +164,20 @@ async function updateContainer(req: Request, res: Response) {
     return;
   }
 
+  if (Trigger.isRollbackContainer(container)) {
+    sendErrorResponse(
+      res,
+      409,
+      'Cannot update temporary rollback container renamed with -old-{timestamp}',
+    );
+    return;
+  }
+
+  if (container.security?.scan?.status === 'blocked') {
+    sendErrorResponse(res, 409, 'Update blocked by security scan. Use force-update to override.');
+    return;
+  }
+
   const trigger = findDockerTriggerForContainer(registry.getState().trigger, container, {
     triggerTypes: ['docker', 'dockercompose'],
   });
@@ -173,6 +188,12 @@ async function updateContainer(req: Request, res: Response) {
 
   try {
     await trigger.trigger(container);
+    // Clear updateAvailable so the UI refresh sees the change immediately
+    // (the watcher will re-evaluate on its next scan cycle)
+    const containerAfterTrigger = storeContainer.getContainer(id);
+    if (containerAfterTrigger?.updateAvailable) {
+      storeContainer.updateContainer({ ...containerAfterTrigger, updateAvailable: false });
+    }
     const updatedContainer = storeContainer.getContainer(id);
     recordAuditEvent({ action: 'container-update', container, status: 'success' });
     getContainerActionsCounter()?.inc({ action: 'container-update' });
diff --git a/app/api/container.test.ts b/app/api/container.test.ts
index c2a633bca..ef962f15f 100644
--- a/app/api/container.test.ts
+++ b/app/api/container.test.ts
@@ -12,6 +12,31 @@ const mockEmitSecurityAlert = vi.hoisted(() => vi.fn().mockResolvedValue(undefin
 const mockGetOperationsByContainerName = vi.hoisted(() => vi.fn());
 const mockCreateAuthenticatedRouteRateLimitKeyGenerator = vi.hoisted(() => vi.fn(() => undefined));
 const mockIsIdentityAwareRateLimitKeyingEnabled = vi.hoisted(() => vi.fn(() => false));
+const { mockCreateContainerStatsCollector, capturedContainerStatsCollectorDependencies } =
+  vi.hoisted(() => {
+    const captured = {
+      current: undefined as
+        | { getContainerById: (id: string) => unknown; getWatchers: () => Record<string, unknown> }
+        | undefined,
+    };
+
+    return {
+      mockCreateContainerStatsCollector: vi.fn((dependencies: unknown) => {
+        captured.current = dependencies as {
+          getContainerById: (id: string) => unknown;
+          getWatchers: () => Record<string, unknown>;
+        };
+        return {
+          watch: vi.fn(() => vi.fn()),
+          touch: vi.fn(),
+          subscribe: vi.fn(() => vi.fn()),
+          getLatest: vi.fn(() => undefined),
+          getHistory: vi.fn(() => []),
+        };
+      }),
+      capturedContainerStatsCollectorDependencies: captured,
+    };
+  });
 
 vi.mock('express', () => ({
   default: { Router: vi.fn(() => mockRouter) },
@@ -79,6 +104,7 @@ vi.mock('../triggers/providers/Trigger', () => ({
   default: {
     parseIncludeOrIncludeTriggerString: vi.fn((str) => ({ id: str })),
     doesReferenceMatchId: vi.fn(() => false),
+    isRollbackContainer: vi.fn(() => false),
   },
 }));
 
@@ -92,6 +118,10 @@ vi.mock('../event/index.js', () => ({
   emitSecurityAlert: (...args: unknown[]) => mockEmitSecurityAlert(...args),
 }));
 
+vi.mock('../stats/collector.js', () => ({
+  createContainerStatsCollector: (...args: unknown[]) => mockCreateContainerStatsCollector(...args),
+}));
+
 vi.mock('./rate-limit-key.js', () => ({
   createAuthenticatedRouteRateLimitKeyGenerator: mockCreateAuthenticatedRouteRateLimitKeyGenerator,
   isIdentityAwareRateLimitKeyingEnabled: mockIsIdentityAwareRateLimitKeyingEnabled,
@@ -211,10 +241,14 @@ describe('Container Router', () => {
       const router = containerRouter.init();
       expect(router.use).toHaveBeenCalledWith('nocache-middleware');
       expect(router.get).toHaveBeenCalledWith('/', expect.any(Function));
+      expect(router.get).toHaveBeenCalledWith('/stats', expect.any(Function));
       expect(router.get).toHaveBeenCalledWith('/summary', expect.any(Function));
       expect(router.get).toHaveBeenCalledWith('/recent-status', expect.any(Function));
       expect(router.post).toHaveBeenCalledWith('/watch', expect.any(Function));
       expect(router.get).toHaveBeenCalledWith('/:id', expect.any(Function));
+      expect(router.get).toHaveBeenCalledWith('/:id/release-notes', expect.any(Function));
+      expect(router.get).toHaveBeenCalledWith('/:id/stats', expect.any(Function));
+      expect(router.get).toHaveBeenCalledWith('/:id/stats/stream', expect.any(Function));
       expect(router.delete).toHaveBeenCalledWith(
         '/:id',
         expect.any(Function),
@@ -302,6 +336,21 @@ describe('Container Router', () => {
         }),
       );
     });
+
+    test('should wire stats collector dependencies to store and registry state', () => {
+      expect(capturedContainerStatsCollectorDependencies.current).toBeDefined();
+      const dependencies = capturedContainerStatsCollectorDependencies.current!;
+      const container = { id: 'container-1' };
+
+      storeContainer.getContainer.mockReturnValue(container as any);
+      expect(dependencies.getContainerById('container-1')).toBe(container);
+
+      registry.getState.mockReturnValue({
+        watcher: undefined,
+        trigger: {},
+      } as any);
+      expect(dependencies.getWatchers()).toEqual({});
+    });
   });
 
   describe('getContainers', () => {
@@ -635,6 +684,8 @@ describe('Container Router', () => {
         security: {
           issues: 2,
         },
+        hotUpdates: 0,
+        matureUpdates: 0,
       });
       expect(res.json.mock.calls[0][0]).not.toHaveProperty('vulnerabilities');
     });
@@ -670,6 +721,8 @@ describe('Container Router', () => {
         security: {
           issues: 1,
         },
+        hotUpdates: 0,
+        matureUpdates: 0,
       });
     });
   });
@@ -939,13 +992,15 @@ describe('Container Router', () => {
       const res = createResponse();
       handler({ params: { id: 'c1' } }, res);
       expect(res.status).toHaveBeenCalledWith(200);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          status: 'not-scanned',
-          vulnerabilities: [],
-          blockingCount: 0,
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        scanner: undefined,
+        scannedAt: undefined,
+        status: 'not-scanned',
+        blockSeverities: [],
+        blockingCount: 0,
+        summary: { unknown: 0, low: 0, medium: 0, high: 0, critical: 0 },
+        vulnerabilities: [],
+      });
     });
 
     test('should return scan payload when available', async () => {
@@ -1012,11 +1067,9 @@ describe('Container Router', () => {
       const res = createResponse();
       await handler({ params: { id: 'c1' }, query: { format: 'foo' } }, res);
       expect(res.status).toHaveBeenCalledWith(400);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          error: expect.stringContaining('Unsupported SBOM format'),
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        error: expect.stringContaining('Unsupported SBOM format'),
+      });
     });
 
     test('should return existing sbom document when available in container security state', async () => {
@@ -1040,12 +1093,14 @@ describe('Container Router', () => {
       await handler({ params: { id: 'c1' }, query: {} }, res);
       expect(mockGenerateImageSbom).not.toHaveBeenCalled();
       expect(res.status).toHaveBeenCalledWith(200);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          format: 'spdx-json',
-          document: { SPDXID: 'SPDXRef-DOCUMENT' },
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        generator: 'trivy',
+        image: 'registry.example.com/test/app:1.2.3',
+        generatedAt: '2026-02-15T12:00:00.000Z',
+        format: 'spdx-json',
+        document: { SPDXID: 'SPDXRef-DOCUMENT' },
+        error: undefined,
+      });
     });
 
     test('should generate sbom when existing sbom is generated but lacks requested format', async () => {
@@ -1086,12 +1141,14 @@ describe('Container Router', () => {
         expect.objectContaining({ formats: ['cyclonedx-json'] }),
       );
       expect(res.status).toHaveBeenCalledWith(200);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          format: 'cyclonedx-json',
-          document: { bomFormat: 'CycloneDX' },
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        generator: 'trivy',
+        image: 'my-registry/test/app:1.2.3',
+        generatedAt: '2026-02-15T12:00:00.000Z',
+        format: 'cyclonedx-json',
+        document: { bomFormat: 'CycloneDX' },
+        error: undefined,
+      });
     });
 
     test('should generate and persist sbom when not cached', async () => {
@@ -1240,11 +1297,9 @@ describe('Container Router', () => {
       const res = createResponse();
       await handler({ params: { id: 'c1' }, query: {} }, res);
       expect(res.status).toHaveBeenCalledWith(500);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          error: expect.stringContaining('Error generating SBOM'),
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        error: expect.stringContaining('Error generating SBOM'),
+      });
     });
 
     test('should return 500 when sbom generation throws', async () => {
@@ -1404,9 +1459,7 @@ describe('Container Router', () => {
       });
       const res = await callScanContainer();
       expect(res.status).toHaveBeenCalledWith(400);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: 'Security scanner is not configured' }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: 'Security scanner is not configured' });
     });
 
     test('should return 400 when scanner is not trivy', async () => {
@@ -1419,9 +1472,7 @@ describe('Container Router', () => {
       });
       const res = await callScanContainer();
       expect(res.status).toHaveBeenCalledWith(400);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: 'Security scanner is not configured' }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: 'Security scanner is not configured' });
     });
 
     test('should scan update candidate image when updateKind is present', async () => {
@@ -1995,11 +2046,9 @@ describe('Container Router', () => {
       getServerConfiguration.mockReturnValue({ feature: { delete: true } });
       const res = await callDeleteRemoteContainer(undefined);
       expect(res.status).toHaveBeenCalledWith(500);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          error: expect.stringContaining('Agent remote not found'),
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        error: expect.stringContaining('Agent remote not found'),
+      });
     });
 
     test('should delete remote container successfully', async () => {
@@ -2028,11 +2077,9 @@ describe('Container Router', () => {
       const mockAgentObj = { deleteContainer: vi.fn().mockRejectedValue(error) };
       const res = await callDeleteRemoteContainer(mockAgentObj);
       expect(res.status).toHaveBeenCalledWith(500);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          error: expect.stringContaining('Error deleting container on agent'),
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        error: expect.stringContaining('Error deleting container on agent'),
+      });
     });
 
     test('should return 500 on non-error rejection from agent delete', async () => {
@@ -2040,11 +2087,9 @@ describe('Container Router', () => {
       const mockAgentObj = { deleteContainer: vi.fn().mockRejectedValue(null) };
       const res = await callDeleteRemoteContainer(mockAgentObj);
       expect(res.status).toHaveBeenCalledWith(500);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          error: expect.stringContaining('unknown error'),
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        error: expect.stringContaining('unknown error'),
+      });
     });
 
     test('should handle agent delete error without response', async () => {
@@ -2085,11 +2130,9 @@ describe('Container Router', () => {
       await handler({ query: {} }, res);
 
       expect(res.status).toHaveBeenCalledWith(500);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          error: expect.stringContaining('watch failed'),
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        error: expect.stringContaining('watch failed'),
+      });
     });
   });
 
@@ -2106,9 +2149,7 @@ describe('Container Router', () => {
         { type: 'slack', name: 'default', configuration: {} },
       ]);
       expect(res.status).toHaveBeenCalledWith(200);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ data: expect.any(Array), total: 1 }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ data: expect.any(Array), total: 1 });
     });
 
     test('should filter triggers with triggerInclude', async () => {
@@ -2180,9 +2221,7 @@ describe('Container Router', () => {
         triggerName: 'default',
       });
       expect(res.status).toHaveBeenCalledWith(404);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: 'Container not found' }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: 'Container not found' });
     });
 
     test.each([
@@ -2199,9 +2238,7 @@ describe('Container Router', () => {
       registry.getState.mockReturnValue({ watcher: {}, trigger: {} });
       const res = await callRunTrigger({ id: 'c1', triggerType: 'slack', triggerName: 'default' });
       expect(res.status).toHaveBeenCalledWith(404);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: 'Trigger not found' }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: 'Trigger not found' });
     });
 
     test('should run trigger successfully', async () => {
@@ -2220,7 +2257,7 @@ describe('Container Router', () => {
       const res = await callRunTrigger({ id: 'c1', triggerType: 'slack', triggerName: 'default' });
       expect(res.status).toHaveBeenCalledWith(500);
       expect(res.json).toHaveBeenCalledWith({
-        error: 'Error when running trigger (type=slack, name=default)',
+        error: 'trigger error',
       });
     });
 
@@ -2286,9 +2323,9 @@ describe('Container Router', () => {
       registry.getState.mockReturnValue({ watcher: {}, trigger: {} });
       const res = await callWatchContainer();
       expect(res.status).toHaveBeenCalledWith(500);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: expect.stringContaining('No provider found') }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        error: expect.stringContaining('No provider found'),
+      });
     });
 
     test('should use agent prefix for watcher id when container has agent', async () => {
@@ -2296,9 +2333,9 @@ describe('Container Router', () => {
       registry.getState.mockReturnValue({ watcher: {}, trigger: {} });
       const res = await callWatchContainer();
       expect(res.status).toHaveBeenCalledWith(500);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: expect.stringContaining('remote.docker.local') }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        error: expect.stringContaining('remote.docker.local'),
+      });
     });
 
     test('should watch container successfully', async () => {
@@ -2377,10 +2414,10 @@ describe('Container Router', () => {
     }
 
     /** Helper: invoke getContainerLogs handler */
-    async function callGetContainerLogs(id = 'c1', query = {}) {
+    async function callGetContainerLogs(id = 'c1', query = {}, requestOverrides = {}) {
       const handler = getHandler('get', '/:id/logs');
       const res = createResponse();
-      await handler({ params: { id }, query }, res);
+      await handler({ params: { id }, query, ...requestOverrides }, res);
       return res;
     }
 
@@ -2410,13 +2447,18 @@ describe('Container Router', () => {
       expect(mockDockerContainer.logs).toHaveBeenCalledWith({
         stdout: true,
         stderr: true,
-        tail: 100,
+        tail: 1000,
         since: 0,
         timestamps: true,
         follow: false,
       });
       expect(res.status).toHaveBeenCalledWith(200);
-      expect(res.json).toHaveBeenCalledWith({ logs: logText });
+      expect(res.setHeader).toHaveBeenCalledWith('Content-Type', 'text/plain; charset=utf-8');
+      expect(res.setHeader).toHaveBeenCalledWith(
+        'Content-Disposition',
+        'attachment; filename="my-container-logs.txt"',
+      );
+      expect(res.send).toHaveBeenCalledWith(logText);
     });
 
     test('should demux logs when docker API returns a non-Buffer payload', async () => {
@@ -2435,7 +2477,7 @@ describe('Container Router', () => {
 
       const res = await callGetContainerLogs('c1');
       expect(res.status).toHaveBeenCalledWith(200);
-      expect(res.json).toHaveBeenCalledWith({ logs: logText });
+      expect(res.send).toHaveBeenCalledWith(logText);
     });
 
     test('should ignore truncated docker stream frames', async () => {
@@ -2457,7 +2499,7 @@ describe('Container Router', () => {
 
       const res = await callGetContainerLogs('c1');
       expect(res.status).toHaveBeenCalledWith(200);
-      expect(res.json).toHaveBeenCalledWith({ logs: '' });
+      expect(res.send).toHaveBeenCalledWith('');
     });
 
     test('should pass query params to docker logs', async () => {
@@ -2473,10 +2515,16 @@ describe('Container Router', () => {
       });
       registry.getState.mockReturnValue({ watcher: { 'docker.local': mockWatcher }, trigger: {} });
 
-      await callGetContainerLogs('c1', { tail: '50', since: '1700000000', timestamps: 'false' });
+      await callGetContainerLogs('c1', {
+        stdout: 'false',
+        stderr: 'true',
+        tail: '50',
+        since: '1700000000',
+        timestamps: 'false',
+      });
 
       expect(mockDockerContainer.logs).toHaveBeenCalledWith({
-        stdout: true,
+        stdout: false,
         stderr: true,
         tail: 50,
         since: 1700000000,
@@ -2528,7 +2576,7 @@ describe('Container Router', () => {
       expect(mockDockerContainer.logs).toHaveBeenCalledWith({
         stdout: true,
         stderr: true,
-        tail: 100,
+        tail: 1000,
         since: 0,
         timestamps: true,
         follow: false,
@@ -2553,7 +2601,7 @@ describe('Container Router', () => {
       expect(mockDockerContainer.logs).toHaveBeenCalledWith({
         stdout: true,
         stderr: true,
-        tail: 100,
+        tail: 1000,
         since: 0,
         timestamps: true,
         follow: false,
@@ -2578,7 +2626,7 @@ describe('Container Router', () => {
       expect(mockDockerContainer.logs).toHaveBeenCalledWith({
         stdout: true,
         stderr: true,
-        tail: 100,
+        tail: 1000,
         since: 0,
         timestamps: true,
         follow: false,
@@ -2598,12 +2646,36 @@ describe('Container Router', () => {
       const res = await callGetContainerLogs('c1');
 
       expect(mockAgent.getContainerLogs).toHaveBeenCalledWith('c1', {
-        tail: 100,
+        tail: 1000,
         since: 0,
         timestamps: true,
       });
       expect(res.status).toHaveBeenCalledWith(200);
-      expect(res.json).toHaveBeenCalledWith({ logs: 'agent logs' });
+      expect(res.send).toHaveBeenCalledWith('agent logs');
+    });
+
+    test('should gzip log download when client accepts gzip', async () => {
+      const logText = 'compressed logs';
+      const mockLogs = dockerStreamBuffer(logText);
+      const mockDockerContainer = { logs: vi.fn().mockResolvedValue(mockLogs) };
+      const mockWatcher = {
+        dockerApi: { getContainer: vi.fn().mockReturnValue(mockDockerContainer) },
+      };
+      storeContainer.getContainer.mockReturnValue({
+        id: 'c1',
+        name: 'gzip me',
+        watcher: 'local',
+      });
+      registry.getState.mockReturnValue({ watcher: { 'docker.local': mockWatcher }, trigger: {} });
+
+      const res = await callGetContainerLogs('c1', {}, { headers: { 'accept-encoding': 'gzip' } });
+
+      expect(res.setHeader).toHaveBeenCalledWith(
+        'Content-Disposition',
+        'attachment; filename="gzip_me-logs.txt.gz"',
+      );
+      expect(res.setHeader).toHaveBeenCalledWith('Content-Encoding', 'gzip');
+      expect(res.send).toHaveBeenCalledWith(expect.any(Buffer));
     });
 
     test('should return 500 when agent not found for agent container', async () => {
@@ -2618,11 +2690,9 @@ describe('Container Router', () => {
       const res = await callGetContainerLogs('c1');
 
       expect(res.status).toHaveBeenCalledWith(500);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          error: expect.stringContaining('Agent remote not found'),
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        error: expect.stringContaining('Agent remote not found'),
+      });
     });
 
     test('should return 500 when agent call fails', async () => {
@@ -2638,11 +2708,9 @@ describe('Container Router', () => {
       const res = await callGetContainerLogs('c1');
 
       expect(res.status).toHaveBeenCalledWith(500);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          error: expect.stringContaining('Error fetching logs from agent'),
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        error: expect.stringContaining('Error fetching logs from agent'),
+      });
     });
 
     test('should return 500 when watcher not found', async () => {
@@ -2656,11 +2724,9 @@ describe('Container Router', () => {
       const res = await callGetContainerLogs('c1');
 
       expect(res.status).toHaveBeenCalledWith(500);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          error: expect.stringContaining('No watcher found'),
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        error: expect.stringContaining('No watcher found'),
+      });
     });
 
     test('should return 500 when docker API fails', async () => {
@@ -2678,11 +2744,9 @@ describe('Container Router', () => {
       const res = await callGetContainerLogs('c1');
 
       expect(res.status).toHaveBeenCalledWith(500);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          error: expect.stringContaining('Error fetching container logs'),
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        error: expect.stringContaining('Error fetching container logs'),
+      });
     });
 
     test('should use first id when logs route param id is an array', async () => {
@@ -2725,9 +2789,7 @@ describe('Container Router', () => {
     test('should return 400 when no action provided', () => {
       const res = callUpdatePolicy({ id: 'c1' }, {});
       expect(res.status).toHaveBeenCalledWith(400);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: 'Action is required' }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: 'Action is required' });
     });
 
     test('should use first id when update-policy route param id is an array', () => {
@@ -2791,9 +2853,7 @@ describe('Container Router', () => {
     test('should return 400 for unknown action', () => {
       const res = callUpdatePolicy({ id: 'c1' }, { action: 'unknown-action' });
       expect(res.status).toHaveBeenCalledWith(400);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: expect.stringContaining('Unknown action') }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: expect.stringContaining('Unknown action') });
     });
 
     test('should skip current tag update', () => {
@@ -2866,9 +2926,9 @@ describe('Container Router', () => {
         { action: 'skip-current' },
       );
       expect(res.status).toHaveBeenCalledWith(400);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: expect.stringContaining('No current update available') }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        error: expect.stringContaining('No current update available'),
+      });
     });
 
     test('should return 400 when no update value available', () => {
@@ -2877,9 +2937,9 @@ describe('Container Router', () => {
         { action: 'skip-current' },
       );
       expect(res.status).toHaveBeenCalledWith(400);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: expect.stringContaining('No update value available') }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        error: expect.stringContaining('No update value available'),
+      });
     });
 
     test('should clear skip tags and digests', () => {
@@ -2971,9 +3031,7 @@ describe('Container Router', () => {
     ])('should return 400 when remove-skip payload is invalid: %s', (_label, body) => {
       const res = callUpdatePolicy({ id: 'c1', updatePolicy: { skipTags: ['2.0.0'] } }, body);
       expect(res.status).toHaveBeenCalledWith(400);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: expect.stringContaining('remove-skip') }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: expect.stringContaining('remove-skip') });
     });
 
     test('should snooze with default 7 days', () => {
diff --git a/app/api/container.ts b/app/api/container.ts
index 5b3d565f1..eb1f0447e 100644
--- a/app/api/container.ts
+++ b/app/api/container.ts
@@ -16,6 +16,7 @@ import {
   updateDigestScanCache,
   verifyImageSignature,
 } from '../security/scan.js';
+import { createContainerStatsCollector } from '../stats/collector.js';
 import * as auditStore from '../store/audit.js';
 import * as storeContainer from '../store/container.js';
 import * as updateOperationStore from '../store/update-operation.js';
@@ -33,6 +34,7 @@ import {
   resolveContainerImageFullName,
   resolveContainerRegistryAuth,
 } from './container/shared.js';
+import { createStatsHandlers } from './container/stats.js';
 import { createTriggerHandlers } from './container/triggers.js';
 import { createUpdatePolicyHandlers } from './container/update-policy.js';
 import { requireDestructiveActionConfirmation } from './destructive-confirmation.js';
@@ -163,6 +165,11 @@ const triggerHandlers = createTriggerHandlers({
   log,
 });
 
+const containerStatsCollector = createContainerStatsCollector({
+  getContainerById: (id) => storeContainer.getContainer(id),
+  getWatchers: () => registry.getState().watcher || {},
+});
+
 const updatePolicyHandlers = createUpdatePolicyHandlers({
   storeContainer,
   uniqStrings,
@@ -196,6 +203,11 @@ const logHandlers = createLogHandlers({
   getErrorMessage,
 });
 
+const statsHandlers = createStatsHandlers({
+  storeContainer,
+  statsCollector: containerStatsCollector,
+});
+
 export const deleteContainer = crudHandlers.deleteContainer;
 export const getContainerTriggers = triggerHandlers.getContainerTriggers;
 
@@ -215,9 +227,13 @@ export function init() {
   router.use(nocache());
   router.get('/', crudHandlers.getContainers);
   router.post('/watch', crudHandlers.watchContainers);
+  router.get('/stats', statsHandlers.getAllContainerStats);
   router.get('/summary', crudHandlers.getContainerSummary);
   router.get('/recent-status', getContainerRecentStatus);
   router.get('/security/vulnerabilities', crudHandlers.getContainerSecurityVulnerabilities);
+  router.get('/:id/stats', statsHandlers.getContainerStats);
+  router.get('/:id/stats/stream', statsHandlers.streamContainerStats);
+  router.get('/:id/release-notes', crudHandlers.getContainerReleaseNotes);
   router.get('/:id', crudHandlers.getContainer);
   router.get('/:id/update-operations', crudHandlers.getContainerUpdateOperations);
   router.delete(
diff --git a/app/api/container/crud-context.ts b/app/api/container/crud-context.ts
new file mode 100644
index 000000000..b7aba408d
--- /dev/null
+++ b/app/api/container/crud-context.ts
@@ -0,0 +1,130 @@
+import type { Request } from 'express';
+import type { AgentClient } from '../../agent/AgentClient.js';
+import type { Container, ContainerReport } from '../../model/container.js';
+import type { PaginationLinks } from '../pagination-links.js';
+
+export interface CrudStoreContainerApi {
+  getContainer: (id: string) => Container | undefined;
+  deleteContainer: (id: string) => void;
+}
+
+export interface ContainerListPagination {
+  limit: number;
+  offset: number;
+}
+
+export interface ContainerListResponse {
+  data: Container[];
+  total: number;
+  limit: number;
+  offset: number;
+  hasMore: boolean;
+  _links?: PaginationLinks;
+}
+
+export interface WatchContainersBody {
+  containerIds?: string[];
+}
+
+export interface UpdateOperationStoreApi {
+  getOperationsByContainerName: (containerName: string) => unknown[];
+}
+
+export interface ServerConfiguration {
+  feature: {
+    delete: boolean;
+  };
+}
+
+export interface LocalContainerWatcher {
+  watch: () => Promise<unknown>;
+  getContainers?: () => Promise<Container[]>;
+  watchContainer: (container: Container) => Promise<ContainerReport>;
+}
+
+export interface AuditStoreApi {
+  insertAudit: (entry: {
+    action: string;
+    containerName: string;
+    containerImage?: string;
+    status: string;
+    details?: string;
+  }) => unknown;
+}
+
+export interface CrudHandlerDependencies {
+  storeApi: {
+    getContainersFromStore: (
+      query: Request['query'],
+      pagination?: ContainerListPagination,
+    ) => Container[];
+    getContainerCountFromStore: (query: Request['query']) => number;
+    storeContainer: CrudStoreContainerApi;
+    updateOperationStore: UpdateOperationStoreApi;
+    getContainerRaw?: (id: string) => Container | undefined;
+  };
+  agentApi: {
+    getServerConfiguration: () => ServerConfiguration;
+    getAgent: (name: string) => AgentClient | undefined;
+    getWatchers: () => Record<string, LocalContainerWatcher>;
+  };
+  errorApi: {
+    getErrorMessage: (error: unknown) => string;
+    getErrorStatusCode: (error: unknown) => number | undefined;
+  };
+  securityApi: {
+    redactContainerRuntimeEnv: (container: Container) => Container;
+    redactContainersRuntimeEnv: (containers: Container[]) => Container[];
+    auditStore?: AuditStoreApi;
+  };
+}
+
+export interface CrudHandlerContext {
+  getContainersFromStore: CrudHandlerDependencies['storeApi']['getContainersFromStore'];
+  getContainerCountFromStore: CrudHandlerDependencies['storeApi']['getContainerCountFromStore'];
+  storeContainer: CrudStoreContainerApi;
+  updateOperationStore: UpdateOperationStoreApi;
+  getContainerRaw?: CrudHandlerDependencies['storeApi']['getContainerRaw'];
+  getServerConfiguration: CrudHandlerDependencies['agentApi']['getServerConfiguration'];
+  getAgent: CrudHandlerDependencies['agentApi']['getAgent'];
+  getWatchers: CrudHandlerDependencies['agentApi']['getWatchers'];
+  getErrorMessage: CrudHandlerDependencies['errorApi']['getErrorMessage'];
+  getErrorStatusCode: CrudHandlerDependencies['errorApi']['getErrorStatusCode'];
+  redactContainerRuntimeEnv: CrudHandlerDependencies['securityApi']['redactContainerRuntimeEnv'];
+  redactContainersRuntimeEnv: CrudHandlerDependencies['securityApi']['redactContainersRuntimeEnv'];
+  auditStore?: AuditStoreApi;
+}
+
+export interface WatchTarget {
+  container: Container;
+  watcher: LocalContainerWatcher;
+}
+
+export function buildCrudHandlerContext({
+  storeApi: {
+    getContainersFromStore,
+    getContainerCountFromStore,
+    storeContainer,
+    updateOperationStore,
+    getContainerRaw,
+  },
+  agentApi: { getServerConfiguration, getAgent, getWatchers },
+  errorApi: { getErrorMessage, getErrorStatusCode },
+  securityApi: { redactContainerRuntimeEnv, redactContainersRuntimeEnv, auditStore },
+}: CrudHandlerDependencies): CrudHandlerContext {
+  return {
+    getContainersFromStore,
+    getContainerCountFromStore,
+    storeContainer,
+    updateOperationStore,
+    getContainerRaw,
+    getServerConfiguration,
+    getAgent,
+    getWatchers,
+    getErrorMessage,
+    getErrorStatusCode,
+    redactContainerRuntimeEnv,
+    redactContainersRuntimeEnv,
+    auditStore,
+  };
+}
diff --git a/app/api/container/crud.test.ts b/app/api/container/crud.test.ts
index f5b8427f3..378a83f4f 100644
--- a/app/api/container/crud.test.ts
+++ b/app/api/container/crud.test.ts
@@ -1,5 +1,12 @@
 import { beforeEach, describe, expect, test, vi } from 'vitest';
 import { createMockResponse } from '../../test/helpers.js';
+
+const mockGetFullReleaseNotesForContainer = vi.hoisted(() => vi.fn());
+vi.mock('../../release-notes/index.js', () => ({
+  getFullReleaseNotesForContainer: (...args: unknown[]) =>
+    mockGetFullReleaseNotesForContainer(...args),
+}));
+
 import { createCrudHandlers } from './crud.js';
 
 type CrudDependencies = Parameters<typeof createCrudHandlers>[0];
@@ -64,12 +71,52 @@ function groupCrudDeps(deps: GroupedCrudDepsInput): CrudDependencies {
   };
 }
 
+function getValueByPath(record: Record<string, unknown>, path: string): unknown {
+  const pathSegments = path.split('.');
+  let currentValue: unknown = record;
+  for (const segment of pathSegments) {
+    if (!currentValue || typeof currentValue !== 'object') {
+      return undefined;
+    }
+    currentValue = (currentValue as Record<string, unknown>)[segment];
+  }
+  return currentValue;
+}
+
+function filterAndSortContainers(
+  containers: Record<string, unknown>[],
+  query: Record<string, unknown>,
+) {
+  const queryEntries = Object.entries(query || {});
+  const filteredContainers = containers.filter((container) =>
+    queryEntries.every(
+      ([queryPath, queryValue]) => getValueByPath(container, queryPath) === queryValue,
+    ),
+  );
+  return [...filteredContainers].sort((leftContainer, rightContainer) => {
+    const watcherCompare = `${leftContainer.watcher ?? ''}`.localeCompare(
+      `${rightContainer.watcher ?? ''}`,
+    );
+    if (watcherCompare !== 0) {
+      return watcherCompare;
+    }
+    const nameCompare = `${leftContainer.name ?? ''}`.localeCompare(`${rightContainer.name ?? ''}`);
+    if (nameCompare !== 0) {
+      return nameCompare;
+    }
+    return `${leftContainer.image?.tag?.value ?? ''}`.localeCompare(
+      `${rightContainer.image?.tag?.value ?? ''}`,
+    );
+  });
+}
+
 function createHarness(options: { containers?: any[] } = {}) {
   const containers = options.containers ?? [];
   const byId = new Map(containers.map((container) => [container.id, container]));
 
   const deps = {
-    getContainersFromStore: vi.fn((_query: Record<string, unknown>, pagination?: any) => {
+    getContainersFromStore: vi.fn((query: Record<string, unknown> = {}, pagination?: any) => {
+      const matchingContainers = filterAndSortContainers(containers, query);
       const limit =
         typeof pagination?.limit === 'number' && Number.isFinite(pagination.limit)
           ? Math.max(0, Math.trunc(pagination.limit))
@@ -79,14 +126,16 @@ function createHarness(options: { containers?: any[] } = {}) {
           ? Math.max(0, Math.trunc(pagination.offset))
           : 0;
       if (limit === 0 && offset === 0) {
-        return containers;
+        return matchingContainers;
       }
       if (limit === 0) {
-        return containers.slice(offset);
+        return matchingContainers.slice(offset);
       }
-      return containers.slice(offset, offset + limit);
+      return matchingContainers.slice(offset, offset + limit);
     }),
-    getContainerCountFromStore: vi.fn((_query: Record<string, unknown>) => containers.length),
+    getContainerCountFromStore: vi.fn(
+      (query: Record<string, unknown> = {}) => filterAndSortContainers(containers, query).length,
+    ),
     storeContainer: {
       getContainer: vi.fn((id: string) => byId.get(id)),
       deleteContainer: vi.fn((id: string) => {
@@ -150,6 +199,15 @@ function callGetContainer(
   return res;
 }
 
+async function callGetContainerReleaseNotes(
+  handlers: ReturnType<typeof createCrudHandlers>,
+  id: string | string[] | undefined = 'c1',
+) {
+  const res = createMockResponse();
+  await handlers.getContainerReleaseNotes({ params: { id } } as any, res as any);
+  return res;
+}
+
 function callGetContainerUpdateOperations(
   handlers: ReturnType<typeof createCrudHandlers>,
   id: string | string[] | undefined = 'c1',
@@ -208,6 +266,7 @@ async function callWatchContainer(
 describe('api/container/crud', () => {
   beforeEach(() => {
     vi.clearAllMocks();
+    mockGetFullReleaseNotesForContainer.mockResolvedValue(undefined);
   });
 
   describe('createCrudHandlers dependency grouping', () => {
@@ -220,16 +279,17 @@ describe('api/container/crud', () => {
       const res = callGetContainerSummary(handlers);
 
       expect(res.status).toHaveBeenCalledWith(200);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          containers: expect.objectContaining({
-            total: 1,
-            running: 1,
-            stopped: 0,
-          }),
-          security: { issues: 0 },
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        containers: {
+          total: 1,
+          running: 1,
+          stopped: 0,
+          updatesAvailable: 0,
+        },
+        security: { issues: 0 },
+        hotUpdates: 0,
+        matureUpdates: 0,
+      });
     });
   });
 
@@ -253,19 +313,48 @@ describe('api/container/crud', () => {
       });
     });
 
+    test('returns suggestedTag in container result payload when available', () => {
+      const harness = createHarness({
+        containers: [
+          createContainer({
+            id: 'c1',
+            result: {
+              tag: 'latest',
+              suggestedTag: '1.27.3',
+            },
+          }),
+        ],
+      });
+
+      const res = callGetContainers(harness.handlers);
+
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(res.json).toHaveBeenCalledWith({
+        data: [
+          expect.objectContaining({
+            result: expect.objectContaining({ suggestedTag: '1.27.3' }),
+          }),
+        ],
+        total: 1,
+        limit: 0,
+        offset: 0,
+        hasMore: false,
+      });
+    });
+
     test('normalizes negative/invalid pagination to zero and returns all results', () => {
       const harness = createHarness({
         containers: [createContainer({ id: 'c1' }), createContainer({ id: 'c2' })],
       });
 
       const res = callGetContainers(harness.handlers, {
-        watcher: 'docker',
+        watcher: 'local',
         limit: '-25',
         offset: 'invalid',
       });
 
       expect(harness.deps.getContainersFromStore).toHaveBeenCalledWith(
-        { watcher: 'docker' },
+        { watcher: 'local' },
         { limit: 0, offset: 0 },
       );
       expect(res.status).toHaveBeenCalledWith(200);
@@ -288,14 +377,14 @@ describe('api/container/crud', () => {
       });
 
       const res = callGetContainers(harness.handlers, {
-        watcher: 'docker',
+        watcher: 'local',
         includeVulnerabilities: 'false',
         limit: ['1', '99'],
         offset: ['1', '99'],
       });
 
       expect(harness.deps.getContainersFromStore).toHaveBeenCalledWith(
-        { watcher: 'docker' },
+        { watcher: 'local' },
         { limit: 1, offset: 1 },
       );
       expect(res.status).toHaveBeenCalledWith(200);
@@ -306,8 +395,8 @@ describe('api/container/crud', () => {
         offset: 1,
         hasMore: true,
         _links: {
-          self: '/api/containers?watcher=docker&includeVulnerabilities=false&limit=1&offset=1',
-          next: '/api/containers?watcher=docker&includeVulnerabilities=false&limit=1&offset=2',
+          self: '/api/containers?watcher=local&includeVulnerabilities=false&limit=1&offset=1',
+          next: '/api/containers?watcher=local&includeVulnerabilities=false&limit=1&offset=2',
         },
       });
     });
@@ -322,13 +411,13 @@ describe('api/container/crud', () => {
       });
 
       callGetContainers(harness.handlers, {
-        watcher: 'docker',
+        watcher: 'local',
         limit: ['1', '99'],
         offset: ['1', '99'],
       });
 
       expect(harness.deps.getContainersFromStore).toHaveBeenCalledWith(
-        { watcher: 'docker' },
+        { watcher: 'local' },
         { limit: 1, offset: 1 },
       );
     });
@@ -343,18 +432,18 @@ describe('api/container/crud', () => {
       });
 
       const res = callGetContainers(harness.handlers, {
-        watcher: 'docker',
+        watcher: 'local',
         limit: '1',
         offset: '1',
       });
 
       expect(harness.deps.getContainersFromStore).toHaveBeenCalledTimes(1);
       expect(harness.deps.getContainersFromStore).toHaveBeenCalledWith(
-        { watcher: 'docker' },
+        { watcher: 'local' },
         { limit: 1, offset: 1 },
       );
       expect(harness.deps.getContainerCountFromStore).toHaveBeenCalledTimes(1);
-      expect(harness.deps.getContainerCountFromStore).toHaveBeenCalledWith({ watcher: 'docker' });
+      expect(harness.deps.getContainerCountFromStore).toHaveBeenCalledWith({ watcher: 'local' });
       expect(res.status).toHaveBeenCalledWith(200);
       expect(res.json).toHaveBeenCalledWith({
         data: [expect.objectContaining({ id: 'c2' })],
@@ -363,153 +452,1039 @@ describe('api/container/crud', () => {
         offset: 1,
         hasMore: true,
         _links: {
-          self: '/api/containers?watcher=docker&limit=1&offset=1',
-          next: '/api/containers?watcher=docker&limit=1&offset=2',
+          self: '/api/containers?watcher=local&limit=1&offset=1',
+          next: '/api/containers?watcher=local&limit=1&offset=2',
+        },
+      });
+    });
+
+    test('caps limit at 200 items', () => {
+      const containers = Array.from({ length: 240 }, (_, index) =>
+        createContainer({ id: `c${index + 1}` }),
+      );
+      const harness = createHarness({ containers });
+
+      const res = callGetContainers(harness.handlers, {
+        limit: '9999',
+      });
+
+      const payload = res.json.mock.calls[0][0];
+      expect(payload).toMatchObject({
+        total: 240,
+        limit: 200,
+        offset: 0,
+        hasMore: true,
+        _links: {
+          self: '/api/containers?limit=200&offset=0',
+          next: '/api/containers?limit=200&offset=200',
+        },
+      });
+      expect(Array.isArray(payload.data)).toBe(true);
+      expect(payload.data).toHaveLength(200);
+      expect(payload.data[0]).toEqual(expect.objectContaining({ id: 'c1' }));
+      expect(payload.data[199]).toEqual(expect.objectContaining({ id: 'c200' }));
+    });
+
+    test('applies offset when normalized limit is zero', () => {
+      const harness = createHarness({
+        containers: [
+          createContainer({ id: 'c1' }),
+          createContainer({ id: 'c2' }),
+          createContainer({ id: 'c3' }),
+          createContainer({ id: 'c4' }),
+        ],
+      });
+
+      const res = callGetContainers(harness.handlers, {
+        limit: '0',
+        offset: '2',
+      });
+
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(res.json).toHaveBeenCalledWith({
+        data: [expect.objectContaining({ id: 'c3' }), expect.objectContaining({ id: 'c4' })],
+        total: 4,
+        limit: 0,
+        offset: 2,
+        hasMore: false,
+      });
+    });
+
+    test('strips vulnerability arrays by default when security scans are present', () => {
+      const harness = createHarness({
+        containers: [
+          createContainer({
+            id: 'c1',
+            security: {
+              scan: {
+                vulnerabilities: [{ id: 'CVE-1' }],
+              },
+              updateScan: {
+                vulnerabilities: [{ id: 'CVE-2' }],
+              },
+            },
+          }),
+        ],
+      });
+
+      const res = callGetContainers(harness.handlers, {});
+
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(res.json).toHaveBeenCalledWith({
+        data: [
+          expect.objectContaining({
+            id: 'c1',
+            security: expect.objectContaining({
+              scan: expect.objectContaining({ vulnerabilities: [] }),
+              updateScan: expect.objectContaining({ vulnerabilities: [] }),
+            }),
+          }),
+        ],
+        total: 1,
+        limit: 0,
+        offset: 0,
+        hasMore: false,
+      });
+    });
+
+    test('keeps vulnerability arrays when includeVulnerabilities=true', () => {
+      const container = createContainer({
+        id: 'c1',
+        security: {
+          scan: {
+            vulnerabilities: [{ id: 'CVE-1' }],
+          },
         },
       });
+      const harness = createHarness({
+        containers: [container],
+      });
+
+      const res = callGetContainers(harness.handlers, { includeVulnerabilities: 'true' });
+
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(res.json).toHaveBeenCalledWith({
+        data: [container],
+        total: 1,
+        limit: 0,
+        offset: 0,
+        hasMore: false,
+      });
+    });
+
+    test('preserves undefined scan/updateScan when security object exists without scans', () => {
+      const harness = createHarness({
+        containers: [
+          createContainer({
+            id: 'c1',
+            security: {},
+          }),
+        ],
+      });
+
+      const res = callGetContainers(harness.handlers, {});
+
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(res.json).toHaveBeenCalledWith({
+        data: [
+          expect.objectContaining({
+            id: 'c1',
+            security: expect.objectContaining({
+              scan: undefined,
+              updateScan: undefined,
+            }),
+          }),
+        ],
+        total: 1,
+        limit: 0,
+        offset: 0,
+        hasMore: false,
+      });
+    });
+
+    test('supports sort=age and returns oldest updates first', () => {
+      const harness = createHarness({
+        containers: [
+          createContainer({ id: 'c1', updateAge: 2_000 }),
+          createContainer({ id: 'c2', updateAge: 8_000 }),
+          createContainer({ id: 'c3', updateAge: 4_000 }),
+        ],
+      });
+
+      const res = callGetContainers(harness.handlers, { sort: 'age' });
+
+      expect(harness.deps.getContainersFromStore).toHaveBeenCalledWith({}, { limit: 0, offset: 0 });
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(res.json).toHaveBeenCalledWith({
+        data: [
+          expect.objectContaining({ id: 'c2' }),
+          expect.objectContaining({ id: 'c3' }),
+          expect.objectContaining({ id: 'c1' }),
+        ],
+        total: 3,
+        limit: 0,
+        offset: 0,
+        hasMore: false,
+      });
+    });
+
+    test('supports maturity filter for hot|mature|established', () => {
+      const harness = createHarness({
+        containers: [
+          createContainer({ id: 'c1', updateMaturityLevel: 'hot' }),
+          createContainer({ id: 'c2', updateMaturityLevel: 'mature' }),
+          createContainer({ id: 'c3', updateMaturityLevel: 'established' }),
+        ],
+      });
+
+      const res = callGetContainers(harness.handlers, { maturity: 'mature' });
+
+      expect(harness.deps.getContainersFromStore).toHaveBeenCalledWith({}, { limit: 0, offset: 0 });
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(res.json).toHaveBeenCalledWith({
+        data: [expect.objectContaining({ id: 'c2' })],
+        total: 1,
+        limit: 0,
+        offset: 0,
+        hasMore: false,
+      });
+    });
+
+    test('sorts containers by name ascending by default', () => {
+      const harness = createHarness({
+        containers: [
+          createContainer({ id: 'c1', name: 'zulu' }),
+          createContainer({ id: 'c2', name: 'alpha' }),
+          createContainer({ id: 'c3', name: 'bravo' }),
+        ],
+      });
+
+      const res = callGetContainers(harness.handlers, {});
+      const payload = res.json.mock.calls[0][0];
+
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(payload.data.map((container: { name: string }) => container.name)).toEqual([
+        'alpha',
+        'bravo',
+        'zulu',
+      ]);
+    });
+
+    test('sorts containers by name descending when sort=-name', () => {
+      const harness = createHarness({
+        containers: [
+          createContainer({ id: 'c1', name: 'alpha' }),
+          createContainer({ id: 'c2', name: 'charlie' }),
+          createContainer({ id: 'c3', name: 'bravo' }),
+        ],
+      });
+
+      const res = callGetContainers(harness.handlers, { sort: '-name' });
+      const payload = res.json.mock.calls[0][0];
+
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(payload.data.map((container: { name: string }) => container.name)).toEqual([
+        'charlie',
+        'bravo',
+        'alpha',
+      ]);
+    });
+
+    test('sorts by update status with available updates first', () => {
+      const harness = createHarness({
+        containers: [
+          createContainer({ id: 'c1', name: 'no-update', updateAvailable: false }),
+          createContainer({ id: 'c2', name: 'has-update-a', updateAvailable: true }),
+          createContainer({ id: 'c3', name: 'has-update-b', updateAvailable: true }),
+        ],
+      });
+
+      const res = callGetContainers(harness.handlers, { sort: 'status' });
+      const payload = res.json.mock.calls[0][0];
+
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(
+        payload.data.map((container: { name: string; updateAvailable: boolean }) => ({
+          name: container.name,
+          updateAvailable: container.updateAvailable,
+        })),
+      ).toEqual([
+        { name: 'has-update-a', updateAvailable: true },
+        { name: 'has-update-b', updateAvailable: true },
+        { name: 'no-update', updateAvailable: false },
+      ]);
+    });
+
+    test('sorts by update age with oldest updates first', () => {
+      const harness = createHarness({
+        containers: [
+          createContainer({
+            id: 'c1',
+            name: 'newest-update',
+            updateAvailable: true,
+            updateAge: 2_000,
+          }),
+          createContainer({
+            id: 'c2',
+            name: 'oldest-update',
+            updateAvailable: true,
+            updateAge: 8_000,
+          }),
+          createContainer({
+            id: 'c3',
+            name: 'no-update',
+            updateAvailable: false,
+          }),
+        ],
+      });
+
+      const res = callGetContainers(harness.handlers, { sort: 'age' });
+      const payload = res.json.mock.calls[0][0];
+
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(payload.data.map((container: { name: string }) => container.name)).toEqual([
+        'oldest-update',
+        'newest-update',
+        'no-update',
+      ]);
+    });
+
+    test('sorts by image creation date', () => {
+      const harness = createHarness({
+        containers: [
+          createContainer({
+            id: 'c1',
+            name: 'new-image',
+            image: {
+              registry: { name: 'hub', url: 'docker.io' },
+              name: 'library/nginx',
+              tag: { value: '1.0.0' },
+              created: '2026-03-01T00:00:00.000Z',
+            },
+          }),
+          createContainer({
+            id: 'c2',
+            name: 'old-image',
+            image: {
+              registry: { name: 'hub', url: 'docker.io' },
+              name: 'library/nginx',
+              tag: { value: '1.0.0' },
+              created: '2025-01-01T00:00:00.000Z',
+            },
+          }),
+        ],
+      });
+
+      const res = callGetContainers(harness.handlers, { sort: 'created' });
+      const payload = res.json.mock.calls[0][0];
+
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(payload.data.map((container: { name: string }) => container.name)).toEqual([
+        'old-image',
+        'new-image',
+      ]);
+    });
+
+    test('applies sorting before pagination', () => {
+      const harness = createHarness({
+        containers: [
+          createContainer({ id: 'c1', name: 'charlie' }),
+          createContainer({ id: 'c2', name: 'alpha' }),
+          createContainer({ id: 'c3', name: 'bravo' }),
+        ],
+      });
+
+      const res = callGetContainers(harness.handlers, {
+        sort: 'name',
+        limit: '1',
+        offset: '1',
+      });
+      const payload = res.json.mock.calls[0][0];
+
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(payload.data).toEqual([expect.objectContaining({ name: 'bravo' })]);
+      expect(payload.total).toBe(3);
+      expect(payload.hasMore).toBe(true);
+    });
+
+    test('supports order=desc to sort containers in descending order', () => {
+      const harness = createHarness({
+        containers: [
+          createContainer({ id: 'c1', name: 'alpha' }),
+          createContainer({ id: 'c2', name: 'charlie' }),
+          createContainer({ id: 'c3', name: 'bravo' }),
+        ],
+      });
+
+      const res = callGetContainers(harness.handlers, { sort: 'name', order: 'desc' });
+      const payload = res.json.mock.calls[0][0];
+
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(payload.data.map((container: { name: string }) => container.name)).toEqual([
+        'charlie',
+        'bravo',
+        'alpha',
+      ]);
+    });
+
+    test('supports order=asc to sort containers in ascending order', () => {
+      const harness = createHarness({
+        containers: [
+          createContainer({ id: 'c1', name: 'charlie' }),
+          createContainer({ id: 'c2', name: 'alpha' }),
+          createContainer({ id: 'c3', name: 'bravo' }),
+        ],
+      });
+
+      const res = callGetContainers(harness.handlers, { sort: 'name', order: 'asc' });
+      const payload = res.json.mock.calls[0][0];
+
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(payload.data.map((container: { name: string }) => container.name)).toEqual([
+        'alpha',
+        'bravo',
+        'charlie',
+      ]);
+    });
+
+    test('order=asc overrides prefix-based descending sort', () => {
+      const harness = createHarness({
+        containers: [
+          createContainer({ id: 'c1', name: 'charlie' }),
+          createContainer({ id: 'c2', name: 'alpha' }),
+          createContainer({ id: 'c3', name: 'bravo' }),
+        ],
+      });
+
+      const res = callGetContainers(harness.handlers, { sort: '-name', order: 'asc' });
+      const payload = res.json.mock.calls[0][0];
+
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(payload.data.map((container: { name: string }) => container.name)).toEqual([
+        'alpha',
+        'bravo',
+        'charlie',
+      ]);
+    });
+
+    test('order=desc with sort=status sorts update-available last', () => {
+      const harness = createHarness({
+        containers: [
+          createContainer({ id: 'c1', name: 'no-update', updateAvailable: false }),
+          createContainer({ id: 'c2', name: 'has-update', updateAvailable: true }),
+        ],
+      });
+
+      const res = callGetContainers(harness.handlers, { sort: 'status', order: 'desc' });
+      const payload = res.json.mock.calls[0][0];
+
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(payload.data.map((container: { name: string }) => container.name)).toEqual([
+        'no-update',
+        'has-update',
+      ]);
+    });
+
+    test('order param without sort defaults to name sort', () => {
+      const harness = createHarness({
+        containers: [
+          createContainer({ id: 'c1', name: 'charlie' }),
+          createContainer({ id: 'c2', name: 'alpha' }),
+          createContainer({ id: 'c3', name: 'bravo' }),
+        ],
+      });
+
+      const res = callGetContainers(harness.handlers, { order: 'desc' });
+      const payload = res.json.mock.calls[0][0];
+
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(payload.data.map((container: { name: string }) => container.name)).toEqual([
+        'charlie',
+        'bravo',
+        'alpha',
+      ]);
+    });
+
+    test('order param is not passed as a column filter to the store', () => {
+      const harness = createHarness({
+        containers: [createContainer({ id: 'c1', name: 'nginx' })],
+      });
+
+      callGetContainers(harness.handlers, { sort: 'name', order: 'asc' });
+
+      expect(harness.deps.getContainersFromStore).toHaveBeenCalledWith({}, { limit: 0, offset: 0 });
+    });
+
+    test('returns 400 for invalid order value', () => {
+      const harness = createHarness({ containers: [] });
+
+      const res = callGetContainers(harness.handlers, { order: 'ascending' });
+
+      expect(res.status).toHaveBeenCalledWith(400);
+    });
+
+    test('applies sort with order before pagination', () => {
+      const harness = createHarness({
+        containers: [
+          createContainer({ id: 'c1', name: 'alpha' }),
+          createContainer({ id: 'c2', name: 'charlie' }),
+          createContainer({ id: 'c3', name: 'bravo' }),
+        ],
+      });
+
+      const res = callGetContainers(harness.handlers, {
+        sort: 'name',
+        order: 'desc',
+        limit: '2',
+        offset: '0',
+      });
+      const payload = res.json.mock.calls[0][0];
+
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(payload.data.map((container: { name: string }) => container.name)).toEqual([
+        'charlie',
+        'bravo',
+      ]);
+      expect(payload.total).toBe(3);
+      expect(payload.hasMore).toBe(true);
+    });
+
+    test('maps status/kind/watcher filters to store query fields with AND semantics', () => {
+      const harness = createHarness({
+        containers: [createContainer({ id: 'c1' })],
+      });
+
+      callGetContainers(harness.handlers, {
+        status: 'update-available',
+        kind: 'major',
+        watcher: 'local',
+      });
+
+      // status and kind are pushed down as store-level filters, so pagination
+      // is forwarded to the store (fast path) instead of loading everything.
+      expect(harness.deps.getContainersFromStore).toHaveBeenCalledWith(
+        {
+          updateAvailable: true,
+          'updateKind.semverDiff': 'major',
+          watcher: 'local',
+        },
+        { limit: 0, offset: 0 },
+      );
+    });
+
+    test('maps status=up-to-date to updateAvailable=false', () => {
+      const harness = createHarness({
+        containers: [createContainer({ id: 'c1', updateAvailable: false })],
+      });
+
+      callGetContainers(harness.handlers, {
+        status: 'up-to-date',
+      });
+
+      expect(harness.deps.getContainersFromStore).toHaveBeenCalledWith(
+        {
+          updateAvailable: false,
+        },
+        { limit: 0, offset: 0 },
+      );
+    });
+
+    test('maps status=running to runtime status store filter', () => {
+      const harness = createHarness({
+        containers: [createContainer({ id: 'c1', status: 'running' })],
+      });
+
+      callGetContainers(harness.handlers, {
+        status: 'running',
+      });
+
+      expect(harness.deps.getContainersFromStore).toHaveBeenCalledWith(
+        {
+          status: 'running',
+        },
+        { limit: 0, offset: 0 },
+      );
+    });
+
+    test.each([
+      'running',
+      'stopped',
+      'exited',
+      'paused',
+      'restarting',
+      'dead',
+      'created',
+    ])('accepts Docker runtime status=%s as a valid filter', (runtimeStatus) => {
+      const harness = createHarness({
+        containers: [createContainer({ id: 'c1', status: runtimeStatus })],
+      });
+
+      const res = callGetContainers(harness.handlers, {
+        status: runtimeStatus,
+      });
+
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(harness.deps.getContainersFromStore).toHaveBeenCalledWith(
+        { status: runtimeStatus },
+        { limit: 0, offset: 0 },
+      );
+    });
+
+    test('maps kind=digest to updateKind.kind filter', () => {
+      const harness = createHarness({
+        containers: [createContainer({ id: 'c1' })],
+      });
+
+      callGetContainers(harness.handlers, {
+        kind: 'digest',
+      });
+
+      expect(harness.deps.getContainersFromStore).toHaveBeenCalledWith(
+        {
+          'updateKind.kind': 'digest',
+        },
+        { limit: 0, offset: 0 },
+      );
+    });
+
+    test('kind=all keeps store-level pagination path without watched-kind in-memory filtering', () => {
+      const harness = createHarness({
+        containers: [
+          createContainer({ id: 'c1', name: 'watched', watch: true }),
+          createContainer({ id: 'c2', name: 'unwatched', watch: false }),
+        ],
+      });
+
+      const res = callGetContainers(harness.handlers, {
+        kind: 'all',
+        limit: '1',
+        offset: '0',
+      });
+
+      expect(harness.deps.getContainersFromStore).toHaveBeenCalledWith({}, { limit: 1, offset: 0 });
+      expect(harness.deps.getContainerCountFromStore).toHaveBeenCalledWith({});
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(res.json.mock.calls[0][0].total).toBe(2);
+    });
+
+    test('status/kind filters use store-level pagination without full-collection load', () => {
+      const containers = Array.from({ length: 20 }, (_, i) =>
+        createContainer({
+          id: `c${i + 1}`,
+          name: `container-${String(i + 1).padStart(2, '0')}`,
+          updateAvailable: true,
+          updateKind: { semverDiff: 'major', kind: 'tag' },
+        }),
+      );
+      const harness = createHarness({ containers });
+
+      const res = callGetContainers(harness.handlers, {
+        status: 'update-available',
+        kind: 'major',
+        limit: '5',
+        offset: '0',
+      });
+
+      // Should forward pagination to the store (fast path) since status
+      // and kind are store-level filters — no full-collection load needed.
+      expect(harness.deps.getContainersFromStore).toHaveBeenCalledWith(
+        { updateAvailable: true, 'updateKind.semverDiff': 'major' },
+        { limit: 5, offset: 0 },
+      );
+      // Should use getContainerCountFromStore for total instead of
+      // loading all containers just to count them.
+      expect(harness.deps.getContainerCountFromStore).toHaveBeenCalledWith({
+        updateAvailable: true,
+        'updateKind.semverDiff': 'major',
+      });
+      const payload = res.json.mock.calls[0][0];
+      expect(payload.data).toHaveLength(5);
+      expect(payload.total).toBe(20);
+      expect(payload.hasMore).toBe(true);
+    });
+
+    test('status filter with sort still requires full-collection load', () => {
+      const containers = Array.from({ length: 10 }, (_, i) =>
+        createContainer({
+          id: `c${i + 1}`,
+          name: `container-${i + 1}`,
+          updateAvailable: true,
+        }),
+      );
+      const harness = createHarness({ containers });
+
+      callGetContainers(harness.handlers, {
+        status: 'update-available',
+        sort: 'status',
+        limit: '3',
+      });
+
+      // Sort requires full collection for correct pagination order
+      expect(harness.deps.getContainersFromStore).toHaveBeenCalledWith(
+        { updateAvailable: true },
+        { limit: 0, offset: 0 },
+      );
+      // Should NOT call getContainerCountFromStore — total comes from the sorted array
+      expect(harness.deps.getContainerCountFromStore).not.toHaveBeenCalled();
+    });
+
+    test('filters by update maturity buckets', () => {
+      const harness = createHarness({
+        containers: [
+          createContainer({
+            id: 'c-hot',
+            name: 'hot-update',
+            updateAvailable: true,
+            updateMaturityLevel: 'hot',
+          }),
+          createContainer({
+            id: 'c-mature',
+            name: 'mature-update',
+            updateAvailable: true,
+            updateMaturityLevel: 'mature',
+          }),
+          createContainer({
+            id: 'c-established',
+            name: 'established-update',
+            updateAvailable: true,
+            updateMaturityLevel: 'established',
+          }),
+        ],
+      });
+
+      const hotRes = callGetContainers(harness.handlers, { maturity: 'hot' });
+      expect(hotRes.json.mock.calls[0][0].data).toEqual([expect.objectContaining({ id: 'c-hot' })]);
+
+      const matureRes = callGetContainers(harness.handlers, { maturity: 'mature' });
+      expect(matureRes.json.mock.calls[0][0].data).toEqual([
+        expect.objectContaining({ id: 'c-mature' }),
+      ]);
+
+      const establishedRes = callGetContainers(harness.handlers, { maturity: 'established' });
+      expect(establishedRes.json.mock.calls[0][0].data).toEqual([
+        expect.objectContaining({ id: 'c-established' }),
+      ]);
+    });
+
+    test.each([
+      [{ sort: 'latest-first' }, 'Invalid sort value'],
+      [{ status: 'active' }, 'Invalid status filter value'],
+      [{ kind: 'prerelease' }, 'Invalid kind filter value'],
+      [{ watcher: '   ' }, 'Invalid watcher filter value'],
+      [{ maturity: 'fresh' }, 'Invalid maturity filter value'],
+    ])('returns 400 for invalid container-list filters: %o', (query, expectedMessage) => {
+      const harness = createHarness({
+        containers: [createContainer({ id: 'c1' })],
+      });
+
+      const res = callGetContainers(harness.handlers, query);
+
+      expect(res.status).toHaveBeenCalledWith(400);
+      expect(res.json).toHaveBeenCalledWith({
+        error: expectedMessage,
+      });
+      expect(harness.deps.getContainersFromStore).not.toHaveBeenCalled();
+    });
+
+    test('preserves non-control query params in store filtering', () => {
+      const harness = createHarness({
+        containers: [createContainer({ id: 'c1', labels: 'prod' })],
+      });
+
+      callGetContainers(harness.handlers, {
+        labels: 'prod',
+        watcher: 'local',
+      });
+
+      expect(harness.deps.getContainersFromStore).toHaveBeenCalledWith(
+        {
+          labels: 'prod',
+          watcher: 'local',
+        },
+        { limit: 0, offset: 0 },
+      );
+    });
+
+    test('supports array query values for sort and defaults when array contains no strings', () => {
+      const harness = createHarness({
+        containers: [createContainer({ id: 'c1', name: 'alpha' })],
+      });
+
+      const resFromStringArray = callGetContainers(harness.handlers, {
+        sort: ['-name', 'name'],
+      });
+      expect(resFromStringArray.status).toHaveBeenCalledWith(200);
+
+      const resFromNonStringArray = callGetContainers(harness.handlers, {
+        sort: [1, 2] as any,
+      });
+      expect(resFromNonStringArray.status).toHaveBeenCalledWith(200);
+    });
+
+    test('computes update age fallback from firstSeenAt, publishedAt, and updateDetectedAt', () => {
+      vi.useFakeTimers();
+      const now = new Date('2026-03-15T00:00:00.000Z').getTime();
+      vi.setSystemTime(now);
+
+      try {
+        const harness = createHarness({
+          containers: [
+            createContainer({
+              id: 'c-min',
+              firstSeenAt: '2026-03-05T00:00:00.000Z',
+              result: { publishedAt: '2026-03-12T00:00:00.000Z' },
+            }),
+            createContainer({
+              id: 'c-first',
+              firstSeenAt: '2026-03-07T00:00:00.000Z',
+            }),
+            createContainer({
+              id: 'c-published',
+              result: { publishedAt: '2026-03-09T00:00:00.000Z' },
+            }),
+            createContainer({
+              id: 'c-detected',
+              updateDetectedAt: '2026-03-11T00:00:00.000Z',
+            }),
+            createContainer({
+              id: 'c-none',
+            }),
+          ],
+        });
+
+        const res = callGetContainers(harness.handlers, { sort: 'age' });
+        const payload = res.json.mock.calls[0][0];
+
+        expect(payload.data.map((container: { id: string }) => container.id)).toEqual([
+          'c-min',
+          'c-first',
+          'c-published',
+          'c-detected',
+          'c-none',
+        ]);
+      } finally {
+        vi.useRealTimers();
+      }
+    });
+
+    test('derives maturity filter from update age when updateMaturityLevel is missing', () => {
+      vi.useFakeTimers();
+      const now = new Date('2026-03-15T00:00:00.000Z').getTime();
+      vi.setSystemTime(now);
+      const previousThreshold = process.env.DD_UI_MATURITY_THRESHOLD_DAYS;
+      process.env.DD_UI_MATURITY_THRESHOLD_DAYS = '5';
+
+      try {
+        const harness = createHarness({
+          containers: [
+            createContainer({
+              id: 'c-hot',
+              firstSeenAt: '2026-03-14T00:00:00.000Z',
+            }),
+            createContainer({
+              id: 'c-mature',
+              result: { publishedAt: '2026-03-07T00:00:00.000Z' },
+            }),
+            createContainer({
+              id: 'c-established',
+              updateDetectedAt: '2026-02-01T00:00:00.000Z',
+            }),
+          ],
+        });
+
+        const hotRes = callGetContainers(harness.handlers, { maturity: 'hot' });
+        expect(hotRes.json.mock.calls[0][0].data).toEqual([
+          expect.objectContaining({ id: 'c-hot' }),
+        ]);
+
+        const matureRes = callGetContainers(harness.handlers, { maturity: 'mature' });
+        expect(matureRes.json.mock.calls[0][0].data).toEqual([
+          expect.objectContaining({ id: 'c-mature' }),
+        ]);
+
+        const establishedRes = callGetContainers(harness.handlers, { maturity: 'established' });
+        expect(establishedRes.json.mock.calls[0][0].data).toEqual([
+          expect.objectContaining({ id: 'c-established' }),
+        ]);
+      } finally {
+        if (previousThreshold === undefined) {
+          delete process.env.DD_UI_MATURITY_THRESHOLD_DAYS;
+        } else {
+          process.env.DD_UI_MATURITY_THRESHOLD_DAYS = previousThreshold;
+        }
+        vi.useRealTimers();
+      }
     });
 
-    test('caps limit at 200 items', () => {
-      const containers = Array.from({ length: 240 }, (_, index) =>
-        createContainer({ id: `c${index + 1}` }),
-      );
-      const harness = createHarness({ containers });
+    test('excludes containers without resolvable age when applying maturity filters', () => {
+      vi.useFakeTimers();
+      vi.setSystemTime(new Date('2026-03-15T00:00:00.000Z'));
 
-      const res = callGetContainers(harness.handlers, {
-        limit: '9999',
-      });
+      try {
+        const harness = createHarness({
+          containers: [
+            createContainer({
+              id: 'c-no-age',
+            }),
+            createContainer({
+              id: 'c-hot',
+              firstSeenAt: '2026-03-14T00:00:00.000Z',
+            }),
+          ],
+        });
 
-      const payload = res.json.mock.calls[0][0];
-      expect(payload).toMatchObject({
-        total: 240,
-        limit: 200,
-        offset: 0,
-        hasMore: true,
-        _links: {
-          self: '/api/containers?limit=200&offset=0',
-          next: '/api/containers?limit=200&offset=200',
-        },
-      });
-      expect(Array.isArray(payload.data)).toBe(true);
-      expect(payload.data).toHaveLength(200);
-      expect(payload.data[0]).toEqual(expect.objectContaining({ id: 'c1' }));
-      expect(payload.data[199]).toEqual(expect.objectContaining({ id: 'c200' }));
+        const res = callGetContainers(harness.handlers, { maturity: 'hot' });
+        const payload = res.json.mock.calls[0][0];
+
+        expect(payload.data.map((container: { id: string }) => container.id)).toEqual(['c-hot']);
+      } finally {
+        vi.useRealTimers();
+      }
     });
 
-    test('applies offset when normalized limit is zero', () => {
+    test('uses watcher/name/id fallbacks when sorting by age with equal ages', () => {
       const harness = createHarness({
         containers: [
-          createContainer({ id: 'c1' }),
-          createContainer({ id: 'c2' }),
-          createContainer({ id: 'c3' }),
-          createContainer({ id: 'c4' }),
+          createContainer({
+            id: 1 as any,
+            name: 1 as any,
+            watcher: 1 as any,
+          }),
+          createContainer({
+            id: 'c2',
+            name: 'alpha',
+            watcher: 'local',
+          }),
         ],
       });
 
-      const res = callGetContainers(harness.handlers, {
-        limit: '0',
-        offset: '2',
-      });
+      const res = callGetContainers(harness.handlers, { sort: 'age' });
+      const payload = res.json.mock.calls[0][0];
 
-      expect(res.status).toHaveBeenCalledWith(200);
-      expect(res.json).toHaveBeenCalledWith({
-        data: [expect.objectContaining({ id: 'c3' }), expect.objectContaining({ id: 'c4' })],
-        total: 4,
-        limit: 0,
-        offset: 2,
-        hasMore: false,
-      });
+      expect(payload.data.map((container: { id: unknown }) => container.id)).toEqual([1, 'c2']);
     });
 
-    test('strips vulnerability arrays by default when security scans are present', () => {
+    test('sorts by created date name tie-breaker when timestamps are equal', () => {
       const harness = createHarness({
         containers: [
           createContainer({
-            id: 'c1',
-            security: {
-              scan: {
-                vulnerabilities: [{ id: 'CVE-1' }],
-              },
-              updateScan: {
-                vulnerabilities: [{ id: 'CVE-2' }],
-              },
+            id: 'c-beta',
+            name: 'beta',
+            image: {
+              registry: { name: 'hub', url: 'docker.io' },
+              name: 'library/nginx',
+              tag: { value: '1.0.0' },
+              created: '2026-03-01T00:00:00.000Z',
+            },
+          }),
+          createContainer({
+            id: 'c-alpha',
+            name: 'alpha',
+            image: {
+              registry: { name: 'hub', url: 'docker.io' },
+              name: 'library/nginx',
+              tag: { value: '1.0.0' },
+              created: '2026-03-01T00:00:00.000Z',
             },
           }),
         ],
       });
 
-      const res = callGetContainers(harness.handlers, {});
+      const res = callGetContainers(harness.handlers, { sort: 'created' });
+      const payload = res.json.mock.calls[0][0];
 
-      expect(res.status).toHaveBeenCalledWith(200);
-      expect(res.json).toHaveBeenCalledWith({
-        data: [
-          expect.objectContaining({
-            id: 'c1',
-            security: expect.objectContaining({
-              scan: expect.objectContaining({ vulnerabilities: [] }),
-              updateScan: expect.objectContaining({ vulnerabilities: [] }),
-            }),
-          }),
-        ],
-        total: 1,
-        limit: 0,
-        offset: 0,
-        hasMore: false,
-      });
+      expect(payload.data.map((container: { id: string }) => container.id)).toEqual([
+        'c-alpha',
+        'c-beta',
+      ]);
     });
 
-    test('keeps vulnerability arrays when includeVulnerabilities=true', () => {
-      const container = createContainer({
-        id: 'c1',
-        security: {
-          scan: {
-            vulnerabilities: [{ id: 'CVE-1' }],
-          },
-        },
-      });
+    test('sorts by created date with valid timestamps before invalid timestamps', () => {
       const harness = createHarness({
-        containers: [container],
+        containers: [
+          createContainer({
+            id: 'c-invalid-a',
+            name: 'invalid-a',
+            image: {
+              registry: { name: 'hub', url: 'docker.io' },
+              name: 'library/nginx',
+              tag: { value: '1.0.0' },
+              created: 'not-a-date',
+            },
+          }),
+          createContainer({
+            id: 'c-valid',
+            name: 'valid',
+            image: {
+              registry: { name: 'hub', url: 'docker.io' },
+              name: 'library/nginx',
+              tag: { value: '1.0.0' },
+              created: '2025-01-01T00:00:00.000Z',
+            },
+          }),
+          createContainer({
+            id: 'c-invalid-b',
+            name: 'invalid-b',
+          }),
+        ],
       });
 
-      const res = callGetContainers(harness.handlers, { includeVulnerabilities: 'true' });
+      const res = callGetContainers(harness.handlers, { sort: 'created' });
+      const payload = res.json.mock.calls[0][0];
 
-      expect(res.status).toHaveBeenCalledWith(200);
-      expect(res.json).toHaveBeenCalledWith({
-        data: [container],
-        total: 1,
-        limit: 0,
-        offset: 0,
-        hasMore: false,
-      });
+      expect(payload.data.map((container: { id: string }) => container.id)).toEqual([
+        'c-valid',
+        'c-invalid-a',
+        'c-invalid-b',
+      ]);
     });
 
-    test('preserves undefined scan/updateScan when security object exists without scans', () => {
+    test('sorts by created date when left entry is invalid and right entry is valid', () => {
       const harness = createHarness({
         containers: [
           createContainer({
-            id: 'c1',
-            security: {},
+            id: 'c-invalid',
+            image: {
+              registry: { name: 'hub', url: 'docker.io' },
+              name: 'library/nginx',
+              tag: { value: '1.0.0' },
+              created: 'not-a-date',
+            },
+          }),
+          createContainer({
+            id: 'c-valid',
+            image: {
+              registry: { name: 'hub', url: 'docker.io' },
+              name: 'library/nginx',
+              tag: { value: '1.0.0' },
+              created: '2025-01-01T00:00:00.000Z',
+            },
           }),
         ],
       });
 
-      const res = callGetContainers(harness.handlers, {});
+      const res = callGetContainers(harness.handlers, { sort: 'created' });
+      const payload = res.json.mock.calls[0][0];
 
-      expect(res.status).toHaveBeenCalledWith(200);
+      expect(payload.data.map((container: { id: string }) => container.id)).toEqual([
+        'c-valid',
+        'c-invalid',
+      ]);
+    });
+
+    test('returns generic invalid request message when a non-Error is thrown', () => {
+      const harness = createHarness({
+        containers: [createContainer({ id: 'c1' })],
+      });
+      harness.deps.getContainersFromStore.mockImplementation(() => {
+        throw 'non-error';
+      });
+
+      const res = callGetContainers(harness.handlers);
+
+      expect(res.status).toHaveBeenCalledWith(400);
       expect(res.json).toHaveBeenCalledWith({
-        data: [
-          expect.objectContaining({
-            id: 'c1',
-            security: expect.objectContaining({
-              scan: undefined,
-              updateScan: undefined,
-            }),
-          }),
-        ],
-        total: 1,
-        limit: 0,
-        offset: 0,
-        hasMore: false,
+        error: 'Invalid request',
       });
     });
   });
@@ -553,6 +1528,8 @@ describe('api/container/crud', () => {
         security: {
           issues: 2,
         },
+        hotUpdates: 0,
+        matureUpdates: 0,
       });
     });
 
@@ -581,6 +1558,8 @@ describe('api/container/crud', () => {
         security: {
           issues: 0,
         },
+        hotUpdates: 0,
+        matureUpdates: 0,
       });
     });
 
@@ -605,6 +1584,50 @@ describe('api/container/crud', () => {
         security: {
           issues: 0,
         },
+        hotUpdates: 0,
+        matureUpdates: 0,
+      });
+    });
+
+    test('includes hot and mature update counters in summary', () => {
+      const harness = createHarness({
+        containers: [
+          createContainer({
+            id: 'c1',
+            updateAvailable: true,
+            updateMaturityLevel: 'hot',
+          }),
+          createContainer({
+            id: 'c2',
+            updateAvailable: true,
+            updateMaturityLevel: 'mature',
+          }),
+          createContainer({
+            id: 'c3',
+            updateAvailable: true,
+            updateMaturityLevel: 'established',
+          }),
+          createContainer({
+            id: 'c4',
+            updateAvailable: false,
+            updateMaturityLevel: 'hot',
+          }),
+        ],
+      });
+
+      const res = callGetContainerSummary(harness.handlers);
+
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(res.json).toHaveBeenCalledWith({
+        containers: {
+          total: 4,
+          running: 4,
+          stopped: 0,
+          updatesAvailable: 3,
+        },
+        security: { issues: 0 },
+        hotUpdates: 1,
+        matureUpdates: 2,
       });
     });
 
@@ -744,12 +1767,22 @@ describe('api/container/crud', () => {
 
       expect(harness.deps.getContainerCountFromStore).toHaveBeenCalledWith({});
       expect(res.status).toHaveBeenCalledWith(200);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          totalContainers: 42,
-          scannedContainers: 1,
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        totalContainers: 42,
+        scannedContainers: 1,
+        latestScannedAt: '2026-02-01T10:00:00.000Z',
+        total: 0,
+        limit: 0,
+        offset: 0,
+        hasMore: false,
+        images: [
+          {
+            image: 'nginx',
+            containerIds: ['c1'],
+            vulnerabilities: [],
+          },
+        ],
+      });
     });
 
     test('supports limit/offset pagination for aggregated vulnerabilities', () => {
@@ -1335,15 +2368,13 @@ describe('api/container/crud', () => {
       });
 
       expect(res.status).toHaveBeenCalledWith(200);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          data: [{ id: 'op-2' }, { id: 'op-3' }],
-          total: 3,
-          limit: 0,
-          offset: 1,
-          hasMore: false,
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        data: [{ id: 'op-2' }, { id: 'op-3' }],
+        total: 3,
+        limit: 0,
+        offset: 1,
+        hasMore: false,
+      });
     });
 
     test('returns 404 for update-operation lookup when container is missing', () => {
@@ -1357,6 +2388,77 @@ describe('api/container/crud', () => {
     });
   });
 
+  describe('release notes handler', () => {
+    test('returns full release notes when available', async () => {
+      mockGetFullReleaseNotesForContainer.mockResolvedValue({
+        title: 'Release 2.0.0',
+        body: 'Full release notes body',
+        url: 'https://github.com/acme/service/releases/tag/v2.0.0',
+        publishedAt: '2026-03-01T00:00:00.000Z',
+        provider: 'github',
+      });
+      const harness = createHarness({
+        containers: [
+          createContainer({
+            id: 'c1',
+            sourceRepo: 'github.com/acme/service',
+            result: {
+              tag: '2.0.0',
+            },
+          }),
+        ],
+      });
+
+      const res = await callGetContainerReleaseNotes(harness.handlers, 'c1');
+
+      expect(res.status).toHaveBeenCalledWith(200);
+      expect(res.json).toHaveBeenCalledWith({
+        title: 'Release 2.0.0',
+        body: 'Full release notes body',
+        url: 'https://github.com/acme/service/releases/tag/v2.0.0',
+        publishedAt: '2026-03-01T00:00:00.000Z',
+        provider: 'github',
+      });
+    });
+
+    test('returns 404 when container is missing', async () => {
+      const harness = createHarness({
+        containers: [createContainer({ id: 'c1' })],
+      });
+
+      const res = await callGetContainerReleaseNotes(harness.handlers, 'missing');
+
+      expect(res.status).toHaveBeenCalledWith(404);
+      expect(res.json).toHaveBeenCalledWith({ error: 'Container not found' });
+      expect(mockGetFullReleaseNotesForContainer).not.toHaveBeenCalled();
+    });
+
+    test('returns 404 when release notes are unavailable', async () => {
+      const harness = createHarness({
+        containers: [createContainer({ id: 'c1' })],
+      });
+
+      const res = await callGetContainerReleaseNotes(harness.handlers, 'c1');
+
+      expect(res.status).toHaveBeenCalledWith(404);
+      expect(res.json).toHaveBeenCalledWith({ error: 'Release notes not available' });
+    });
+
+    test('returns 500 when release notes lookup throws', async () => {
+      mockGetFullReleaseNotesForContainer.mockRejectedValue(new Error('boom'));
+      const harness = createHarness({
+        containers: [createContainer({ id: 'c1' })],
+      });
+
+      const res = await callGetContainerReleaseNotes(harness.handlers, 'c1');
+
+      expect(res.status).toHaveBeenCalledWith(500);
+      expect(res.json).toHaveBeenCalledWith({
+        error: 'Error retrieving release notes (boom)',
+      });
+    });
+  });
+
   describe('revealContainerEnv', () => {
     test('returns 501 when raw env dependencies are not provided', () => {
       const handlers = createCrudHandlers({
@@ -1581,7 +2683,7 @@ describe('api/container/crud', () => {
         'docker.remote': watcherB,
       });
 
-      const res = await callWatchContainers(harness.handlers, { query: { watcher: 'docker' } });
+      const res = await callWatchContainers(harness.handlers, { query: { watcher: 'local' } });
 
       expect(watcherA.watch).toHaveBeenCalledTimes(1);
       expect(watcherB.watch).toHaveBeenCalledTimes(1);
@@ -1852,7 +2954,7 @@ describe('api/container/crud', () => {
       );
       expect(res.status).toHaveBeenCalledWith(200);
       expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ id: 'c1', agent: 'agent-a' }),
+        createContainer({ id: 'c1', watcher: 'local', agent: 'agent-a' }),
       );
     });
 
diff --git a/app/api/container/crud.ts b/app/api/container/crud.ts
index f480c74e9..2e06818ac 100644
--- a/app/api/container/crud.ts
+++ b/app/api/container/crud.ts
@@ -1,363 +1,46 @@
 import type { Request, Response } from 'express';
-import type { AgentClient } from '../../agent/AgentClient.js';
-import type { Container, ContainerReport } from '../../model/container.js';
 import { getContainerStatusSummary } from '../../util/container-summary.js';
 import { sendErrorResponse } from '../error-response.js';
-import { buildPaginationLinks, type PaginationLinks } from '../pagination-links.js';
 import {
-  getPathParamValue,
-  normalizeLimitOffsetPagination,
-  parseBooleanQueryParam,
-} from './request-helpers.js';
+  buildCrudHandlerContext,
+  type CrudHandlerContext,
+  type CrudHandlerDependencies,
+} from './crud-context.js';
+import {
+  createGetContainerUpdateOperationsHandler,
+  createRevealContainerEnvHandler,
+  createWatchContainerHandler,
+  createWatchContainersHandler,
+} from './handlers/actions.js';
+import { getContainerOrNotFound } from './handlers/common.js';
+import { createGetContainersHandler } from './handlers/list.js';
+import { createGetContainerReleaseNotesHandler } from './handlers/release-notes.js';
+import { getPathParamValue } from './request-helpers.js';
 import {
   buildSecurityVulnerabilityOverviewResponse,
   getSecurityIssueCount,
   type SecurityVulnerabilityOverviewResponse,
 } from './security-overview.js';
-import { isSensitiveKey } from './shared.js';
-
-interface CrudStoreContainerApi {
-  getContainer: (id: string) => Container | undefined;
-  deleteContainer: (id: string) => void;
-}
-
-interface ContainerListPagination {
-  limit: number;
-  offset: number;
-}
-
-interface ContainerListResponse {
-  data: Container[];
-  total: number;
-  limit: number;
-  offset: number;
-  hasMore: boolean;
-  _links?: PaginationLinks;
-}
-
-interface WatchContainersBody {
-  containerIds?: string[];
-}
-
-interface UpdateOperationStoreApi {
-  getOperationsByContainerName: (containerName: string) => unknown[];
-}
-
-interface ServerConfiguration {
-  feature: {
-    delete: boolean;
-  };
-}
-
-interface LocalContainerWatcher {
-  watch: () => Promise<unknown>;
-  getContainers?: () => Promise<Container[]>;
-  watchContainer: (container: Container) => Promise<ContainerReport>;
-}
-
-interface AuditStoreApi {
-  insertAudit: (entry: {
-    action: string;
-    containerName: string;
-    containerImage?: string;
-    status: string;
-    details?: string;
-  }) => unknown;
-}
-
-export interface CrudHandlerDependencies {
-  storeApi: {
-    getContainersFromStore: (
-      query: Request['query'],
-      pagination?: ContainerListPagination,
-    ) => Container[];
-    getContainerCountFromStore: (query: Request['query']) => number;
-    storeContainer: CrudStoreContainerApi;
-    updateOperationStore: UpdateOperationStoreApi;
-    getContainerRaw?: (id: string) => Container | undefined;
-  };
-  agentApi: {
-    getServerConfiguration: () => ServerConfiguration;
-    getAgent: (name: string) => AgentClient | undefined;
-    getWatchers: () => Record<string, LocalContainerWatcher>;
-  };
-  errorApi: {
-    getErrorMessage: (error: unknown) => string;
-    getErrorStatusCode: (error: unknown) => number | undefined;
-  };
-  securityApi: {
-    redactContainerRuntimeEnv: (container: Container) => Container;
-    redactContainersRuntimeEnv: (containers: Container[]) => Container[];
-    auditStore?: AuditStoreApi;
-  };
-}
-
-const CONTAINER_LIST_MAX_LIMIT = 200;
-const WATCH_CONTAINERS_MAX_IDS = 200;
-
-function removeContainerListControlParams(query: Request['query']): Request['query'] {
-  const filteredQuery: Record<string, unknown> = {};
-  Object.entries(query || {}).forEach(([key, value]) => {
-    if (key === 'includeVulnerabilities' || key === 'limit' || key === 'offset') {
-      return;
-    }
-    filteredQuery[key] = value;
-  });
-  return filteredQuery as Request['query'];
-}
-
-function normalizeContainerListPagination(query: Request['query']) {
-  return normalizeLimitOffsetPagination(query, { maxLimit: CONTAINER_LIST_MAX_LIMIT });
-}
-
-function paginateCollection<T>(collection: T[], pagination: ContainerListPagination): T[] {
-  if (pagination.limit === 0 && pagination.offset === 0) {
-    return collection;
-  }
-  if (pagination.limit === 0) {
-    return collection.slice(pagination.offset);
-  }
-  return collection.slice(pagination.offset, pagination.offset + pagination.limit);
-}
-
-function parseWatchContainersBody(body: unknown): { body?: WatchContainersBody; error?: string } {
-  if (body === undefined || body === null) {
-    return { body: {} };
-  }
-
-  if (typeof body !== 'object' || Array.isArray(body)) {
-    return { error: 'Request body must be an object' };
-  }
-
-  const requestBody = body as Record<string, unknown>;
-  const unknownKeys = Object.keys(requestBody).filter((key) => key !== 'containerIds');
-  if (unknownKeys.length > 0) {
-    return { error: `Unknown request properties: ${unknownKeys.join(', ')}` };
-  }
-
-  const { containerIds } = requestBody;
-  if (containerIds === undefined) {
-    return { body: {} };
-  }
-  if (!Array.isArray(containerIds)) {
-    return { error: 'containerIds must be an array of non-empty strings' };
-  }
-  if (containerIds.length === 0) {
-    return { error: 'containerIds must not be empty' };
-  }
-  if (containerIds.length > WATCH_CONTAINERS_MAX_IDS) {
-    return { error: `containerIds must contain at most ${WATCH_CONTAINERS_MAX_IDS} entries` };
-  }
-
-  const normalizedIds: string[] = [];
-  const seenIds = new Set<string>();
-  for (const containerId of containerIds) {
-    if (typeof containerId !== 'string' || containerId.trim() === '') {
-      return { error: 'containerIds must be an array of non-empty strings' };
-    }
-    const normalizedId = containerId.trim();
-    if (seenIds.has(normalizedId)) {
-      continue;
-    }
-    seenIds.add(normalizedId);
-    normalizedIds.push(normalizedId);
-  }
-
-  return {
-    body: {
-      containerIds: normalizedIds,
-    },
-  };
-}
-
-function resolveWatcherIdForContainer(container: Container): string {
-  let watcherId = `docker.${container.watcher}`;
-  if (container.agent) {
-    watcherId = `${container.agent}.${watcherId}`;
-  }
-  return watcherId;
-}
-
-function stripContainerVulnerabilityArrays(container: Container): Container {
-  if (!container.security) {
-    return container;
-  }
-  return {
-    ...container,
-    security: {
-      ...container.security,
-      scan: container.security.scan
-        ? {
-            ...container.security.scan,
-            vulnerabilities: [],
-          }
-        : container.security.scan,
-      updateScan: container.security.updateScan
-        ? {
-            ...container.security.updateScan,
-            vulnerabilities: [],
-          }
-        : container.security.updateScan,
-    },
-  };
-}
-
-interface CrudHandlerContext {
-  getContainersFromStore: CrudHandlerDependencies['storeApi']['getContainersFromStore'];
-  getContainerCountFromStore: CrudHandlerDependencies['storeApi']['getContainerCountFromStore'];
-  storeContainer: CrudStoreContainerApi;
-  updateOperationStore: UpdateOperationStoreApi;
-  getContainerRaw?: CrudHandlerDependencies['storeApi']['getContainerRaw'];
-  getServerConfiguration: CrudHandlerDependencies['agentApi']['getServerConfiguration'];
-  getAgent: CrudHandlerDependencies['agentApi']['getAgent'];
-  getWatchers: CrudHandlerDependencies['agentApi']['getWatchers'];
-  getErrorMessage: CrudHandlerDependencies['errorApi']['getErrorMessage'];
-  getErrorStatusCode: CrudHandlerDependencies['errorApi']['getErrorStatusCode'];
-  redactContainerRuntimeEnv: CrudHandlerDependencies['securityApi']['redactContainerRuntimeEnv'];
-  redactContainersRuntimeEnv: CrudHandlerDependencies['securityApi']['redactContainersRuntimeEnv'];
-  auditStore?: AuditStoreApi;
-}
-
-interface WatchTarget {
-  container: Container;
-  watcher: LocalContainerWatcher;
-}
-
-function buildCrudHandlerContext({
-  storeApi: {
-    getContainersFromStore,
-    getContainerCountFromStore,
-    storeContainer,
-    updateOperationStore,
-    getContainerRaw,
-  },
-  agentApi: { getServerConfiguration, getAgent, getWatchers },
-  errorApi: { getErrorMessage, getErrorStatusCode },
-  securityApi: { redactContainerRuntimeEnv, redactContainersRuntimeEnv, auditStore },
-}: CrudHandlerDependencies): CrudHandlerContext {
-  return {
-    getContainersFromStore,
-    getContainerCountFromStore,
-    storeContainer,
-    updateOperationStore,
-    getContainerRaw,
-    getServerConfiguration,
-    getAgent,
-    getWatchers,
-    getErrorMessage,
-    getErrorStatusCode,
-    redactContainerRuntimeEnv,
-    redactContainersRuntimeEnv,
-    auditStore,
-  };
-}
-
-function buildContainerListResponse(
-  context: CrudHandlerContext,
-  query: Request['query'],
-  basePath: '/api/containers' | '/api/containers/watch',
-): ContainerListResponse {
-  const includeVulnerabilities = parseBooleanQueryParam(query.includeVulnerabilities, false);
-  const filteredQuery = removeContainerListControlParams(query);
-  const pagination = normalizeContainerListPagination(query);
-  const pagedContainers = context.getContainersFromStore(filteredQuery, pagination);
-  const total =
-    pagination.limit === 0 && pagination.offset === 0
-      ? pagedContainers.length
-      : context.getContainerCountFromStore(filteredQuery);
-  const redactedContainers = context.redactContainersRuntimeEnv(pagedContainers);
-  const data = includeVulnerabilities
-    ? redactedContainers
-    : redactedContainers.map((container) => stripContainerVulnerabilityArrays(container));
-  const hasMore = pagination.limit > 0 && pagination.offset + data.length < total;
-  const links = buildPaginationLinks({
-    basePath,
-    query,
-    limit: pagination.limit,
-    offset: pagination.offset,
-    total,
-    returnedCount: data.length,
-  });
-  return {
-    data,
-    total,
-    limit: pagination.limit,
-    offset: pagination.offset,
-    hasMore,
-    ...(links ? { _links: links } : {}),
-  };
-}
-
-function getContainerOrNotFound(context: CrudHandlerContext, id: string, res: Response) {
-  const container = context.storeContainer.getContainer(id);
-  if (!container) {
-    sendErrorResponse(res, 404, 'Container not found');
-    return undefined;
-  }
-  return container;
-}
-
-function resolveTargetedWatchTargets(
-  context: CrudHandlerContext,
-  containerIds: string[],
-  watcherMap: Record<string, LocalContainerWatcher>,
-): { targets: WatchTarget[] } | { targets?: undefined; status: number; error: string } {
-  const selectedTargets: WatchTarget[] = [];
-
-  for (const containerId of containerIds) {
-    const container = context.storeContainer.getContainer(containerId);
-    if (!container) {
-      return { status: 404, error: 'Container not found' };
-    }
-
-    const watcherId = resolveWatcherIdForContainer(container);
-    const watcher = watcherMap[watcherId];
-    if (!watcher) {
-      return {
-        status: 500,
-        error: `No provider found for container ${container.id} and provider ${watcherId}`,
-      };
-    }
-
-    selectedTargets.push({
-      container,
-      watcher,
-    });
-  }
-
-  return { targets: selectedTargets };
-}
-
-function extractContainerEnv(container: Container) {
-  const details = container.details as { env?: unknown[] } | undefined;
-  const rawEnv = Array.isArray(details?.env) ? details.env : [];
-
-  return rawEnv
-    .filter(
-      (entry): entry is { key: string; value: string } =>
-        !!entry &&
-        typeof entry === 'object' &&
-        typeof (entry as { key?: unknown }).key === 'string',
-    )
-    .map((entry) => ({
-      key: entry.key,
-      value: entry.value,
-      sensitive: isSensitiveKey(entry.key),
-    }));
-}
-
-function getContainersHandler(context: CrudHandlerContext, req: Request, res: Response) {
-  res.status(200).json(buildContainerListResponse(context, req.query, '/api/containers'));
-}
 
 function getContainerSummaryHandler(context: CrudHandlerContext, _req: Request, res: Response) {
   const containers = context.getContainersFromStore({});
   const containerStatus = getContainerStatusSummary(containers);
+  const hotUpdates = containers.filter(
+    (container) => container.updateAvailable && container.updateMaturityLevel === 'hot',
+  ).length;
+  const matureUpdates = containers.filter(
+    (container) =>
+      container.updateAvailable &&
+      (container.updateMaturityLevel === 'mature' ||
+        container.updateMaturityLevel === 'established'),
+  ).length;
   res.status(200).json({
     containers: containerStatus,
     security: {
       issues: getSecurityIssueCount(containers),
     },
+    hotUpdates,
+    matureUpdates,
   });
 }
 
@@ -387,39 +70,6 @@ function getContainerHandler(context: CrudHandlerContext, req: Request, res: Res
   }
 }
 
-function getContainerUpdateOperationsHandler(
-  context: CrudHandlerContext,
-  req: Request,
-  res: Response,
-) {
-  const id = getPathParamValue(req.params.id);
-  const container = getContainerOrNotFound(context, id, res);
-  if (!container) {
-    return;
-  }
-
-  const operations = context.updateOperationStore.getOperationsByContainerName(container.name);
-  const pagination = normalizeContainerListPagination(req.query);
-  const data = paginateCollection(operations, pagination);
-  const hasMore = pagination.limit > 0 && pagination.offset + data.length < operations.length;
-  const links = buildPaginationLinks({
-    basePath: `/api/containers/${id}/update-operations`,
-    query: req.query,
-    limit: pagination.limit,
-    offset: pagination.offset,
-    total: operations.length,
-    returnedCount: data.length,
-  });
-  res.status(200).json({
-    data,
-    total: operations.length,
-    limit: pagination.limit,
-    offset: pagination.offset,
-    hasMore,
-    ...(links ? { _links: links } : {}),
-  });
-}
-
 async function deleteContainerHandler(context: CrudHandlerContext, req: Request, res: Response) {
   const serverConfiguration = context.getServerConfiguration();
   if (!serverConfiguration.feature.delete) {
@@ -463,101 +113,17 @@ async function deleteContainerHandler(context: CrudHandlerContext, req: Request,
   }
 }
 
-async function watchContainersHandler(context: CrudHandlerContext, req: Request, res: Response) {
-  const parsedBody = parseWatchContainersBody(req.body);
-  if (parsedBody.error) {
-    sendErrorResponse(res, 400, parsedBody.error);
-    return;
-  }
-
-  const watcherMap = context.getWatchers();
-  const containerIds = parsedBody.body?.containerIds;
-  try {
-    if (Array.isArray(containerIds) && containerIds.length > 0) {
-      const selected = resolveTargetedWatchTargets(context, containerIds, watcherMap);
-      if ('error' in selected) {
-        sendErrorResponse(res, selected.status, selected.error);
-        return;
-      }
-      await Promise.all(
-        selected.targets.map((target) => target.watcher.watchContainer(target.container)),
-      );
-    } else {
-      await Promise.all(Object.values(watcherMap).map((watcher) => watcher.watch()));
-    }
-
-    res.status(200).json(buildContainerListResponse(context, req.query, '/api/containers/watch'));
-  } catch (error: unknown) {
-    sendErrorResponse(res, 500, `Error when watching images (${context.getErrorMessage(error)})`);
-  }
-}
-
-async function watchContainerHandler(context: CrudHandlerContext, req: Request, res: Response) {
-  const id = getPathParamValue(req.params.id);
-  const container = getContainerOrNotFound(context, id, res);
-  if (!container) {
-    return;
-  }
-
-  const watcherId = resolveWatcherIdForContainer(container);
-  const watcher = context.getWatchers()[watcherId];
-  if (!watcher) {
-    sendErrorResponse(res, 500, `No provider found for container ${id} and provider ${watcherId}`);
-    return;
-  }
-
-  try {
-    if (typeof watcher.getContainers === 'function') {
-      // Ensure container is still in store
-      // (for cases where it has been removed before running a new watchAll)
-      const containers = await watcher.getContainers();
-      const containerFound = containers.some(
-        (containerInList) => containerInList.id === container.id,
-      );
-      if (!containerFound) {
-        sendErrorResponse(res, 404, 'Container not found');
-        return;
-      }
-    }
-    // Run watchContainer from the Provider
-    const containerReport = await watcher.watchContainer(container);
-    res.status(200).json(context.redactContainerRuntimeEnv(containerReport.container));
-  } catch {
-    sendErrorResponse(res, 500, `Error when watching container ${id}`);
-  }
-}
-
-function revealContainerEnvHandler(context: CrudHandlerContext, req: Request, res: Response) {
-  if (!context.getContainerRaw || !context.auditStore) {
-    sendErrorResponse(res, 501, 'Environment reveal is not available');
-    return;
-  }
-
-  const id = getPathParamValue(req.params.id);
-  const container = context.getContainerRaw(id);
-  if (!container) {
-    sendErrorResponse(res, 404, 'Container not found');
-    return;
-  }
-
-  const env = extractContainerEnv(container);
-  context.auditStore.insertAudit({
-    action: 'env-reveal',
-    containerName: container.name,
-    containerImage: container.image?.name,
-    status: 'info',
-    details: `Revealed ${env.filter((entry) => entry.sensitive).length} sensitive env var(s)`,
-  });
-
-  res.status(200).json({ env });
-}
-
 export function createCrudHandlers(dependencies: CrudHandlerDependencies) {
   const context = buildCrudHandlerContext(dependencies);
+  const getContainers = createGetContainersHandler(context);
+  const getContainerReleaseNotes = createGetContainerReleaseNotesHandler(context);
+  const getContainerUpdateOperations = createGetContainerUpdateOperationsHandler(context);
+  const watchContainers = createWatchContainersHandler(context);
+  const watchContainer = createWatchContainerHandler(context);
+  const revealContainerEnv = createRevealContainerEnvHandler(context);
+
   return {
-    getContainers(req: Request, res: Response) {
-      getContainersHandler(context, req, res);
-    },
+    getContainers,
     getContainerSummary(req: Request, res: Response) {
       getContainerSummaryHandler(context, req, res);
     },
@@ -570,20 +136,13 @@ export function createCrudHandlers(dependencies: CrudHandlerDependencies) {
     getContainer(req: Request, res: Response) {
       getContainerHandler(context, req, res);
     },
-    getContainerUpdateOperations(req: Request, res: Response) {
-      getContainerUpdateOperationsHandler(context, req, res);
-    },
+    getContainerReleaseNotes,
+    getContainerUpdateOperations,
     deleteContainer(req: Request, res: Response) {
       return deleteContainerHandler(context, req, res);
     },
-    watchContainers(req: Request, res: Response) {
-      return watchContainersHandler(context, req, res);
-    },
-    watchContainer(req: Request, res: Response) {
-      return watchContainerHandler(context, req, res);
-    },
-    revealContainerEnv(req: Request, res: Response) {
-      revealContainerEnvHandler(context, req, res);
-    },
+    watchContainers,
+    watchContainer,
+    revealContainerEnv,
   };
 }
diff --git a/app/api/container/filters.test.ts b/app/api/container/filters.test.ts
new file mode 100644
index 000000000..7d6c39cf0
--- /dev/null
+++ b/app/api/container/filters.test.ts
@@ -0,0 +1,452 @@
+import { describe, expect, test, vi } from 'vitest';
+import type { Container } from '../../model/container.js';
+import {
+  applyContainerMaturityFilter,
+  applyContainerWatchedKindFilter,
+  isContainerRuntimeStatus,
+  isContainerWatchedKind,
+  mapContainerListKindFilter,
+  mapContainerListStatusFilter,
+  removeContainerListControlParams,
+  resolveContainerSortMode,
+  sortContainers,
+  validateContainerListQuery,
+} from './filters.js';
+
+describe('api/container/filters', () => {
+  test('normalizes -status sort mode before sorting', () => {
+    const sorted = sortContainers(
+      [
+        { id: 'c1', name: 'alpha', updateAvailable: true },
+        { id: 'c2', name: 'beta', updateAvailable: false },
+      ] as any,
+      '-status',
+    );
+
+    expect(sorted.map((container) => container.id)).toEqual(['c2', 'c1']);
+  });
+
+  test('normalizes -age sort mode before sorting', () => {
+    const sorted = sortContainers(
+      [
+        { id: 'c1', name: 'alpha', updateAge: 120_000 },
+        { id: 'c2', name: 'beta', updateAge: 60_000 },
+      ] as any,
+      '-age',
+    );
+
+    expect(sorted.map((container) => container.id)).toEqual(['c2', 'c1']);
+  });
+
+  test('computes update age once per container when sorting by age', () => {
+    const parseSpy = vi.spyOn(Date, 'parse');
+    const containers = Array.from({ length: 12 }, (_, index) => ({
+      id: `c${index + 1}`,
+      name: `container-${index + 1}`,
+      firstSeenAt: `2024-01-${String(index + 1).padStart(2, '0')}T00:00:00.000Z`,
+    }));
+
+    try {
+      sortContainers(containers as any, 'age');
+      expect(parseSpy).toHaveBeenCalledTimes(containers.length * 3);
+    } finally {
+      parseSpy.mockRestore();
+    }
+  });
+
+  test('computes created timestamps once per container when sorting by created', () => {
+    const parseSpy = vi.spyOn(Date, 'parse');
+    const containers = Array.from({ length: 12 }, (_, index) => ({
+      id: `c${index + 1}`,
+      name: `container-${index + 1}`,
+      image: { created: `2024-01-${String(index + 1).padStart(2, '0')}T00:00:00.000Z` },
+    }));
+
+    try {
+      sortContainers(containers as any, 'created');
+      expect(parseSpy).toHaveBeenCalledTimes(containers.length);
+    } finally {
+      parseSpy.mockRestore();
+    }
+  });
+
+  test('reads UI maturity threshold once when applying maturity filter', () => {
+    const originalEnv = process.env;
+    let thresholdReads = 0;
+    const proxiedEnv = new Proxy(originalEnv, {
+      get(target, property, receiver) {
+        if (property === 'DD_UI_MATURITY_THRESHOLD_DAYS') {
+          thresholdReads++;
+        }
+        return Reflect.get(target, property, receiver);
+      },
+    });
+    process.env = proxiedEnv as NodeJS.ProcessEnv;
+    const containers = Array.from({ length: 12 }, (_, index) => ({
+      id: `c${index + 1}`,
+      name: `container-${index + 1}`,
+      updateAge: 0,
+    }));
+
+    try {
+      applyContainerMaturityFilter(containers as any, 'hot');
+      expect(thresholdReads).toBe(1);
+    } finally {
+      process.env = originalEnv;
+    }
+  });
+
+  test('normalizes -created sort mode before sorting', () => {
+    const sorted = sortContainers(
+      [
+        { id: 'c1', name: 'alpha', image: { created: '2024-01-01T00:00:00.000Z' } },
+        { id: 'c2', name: 'beta', image: { created: '2023-01-01T00:00:00.000Z' } },
+      ] as any,
+      '-created',
+    );
+
+    expect(sorted.map((container) => container.id)).toEqual(['c1', 'c2']);
+  });
+
+  test('sorts status mode by update availability before name', () => {
+    const sorted = sortContainers(
+      [
+        { id: 'c1', name: 'alpha', updateAvailable: false },
+        { id: 'c2', name: 'beta', updateAvailable: true },
+      ] as any,
+      'status',
+    );
+
+    expect(sorted.map((container) => container.id)).toEqual(['c2', 'c1']);
+  });
+
+  test('sorts created mode with valid timestamps before invalid timestamps', () => {
+    const sorted = sortContainers(
+      [
+        { id: 'c1', name: 'alpha', image: { created: 'invalid-date' } },
+        { id: 'c2', name: 'beta', image: { created: '2024-01-01T00:00:00.000Z' } },
+      ] as any,
+      'created',
+    );
+
+    expect(sorted.map((container) => container.id)).toEqual(['c2', 'c1']);
+  });
+
+  test('sorts created mode with valid timestamps before invalid timestamps in reverse order', () => {
+    const sorted = sortContainers(
+      [
+        { id: 'c1', name: 'alpha', image: { created: '2024-01-01T00:00:00.000Z' } },
+        { id: 'c2', name: 'beta', image: { created: 'invalid-date' } },
+      ] as any,
+      'created',
+    );
+
+    expect(sorted.map((container) => container.id)).toEqual(['c1', 'c2']);
+  });
+
+  test('supports descending name sort mode', () => {
+    const sorted = sortContainers(
+      [
+        { id: 'c1', name: 'alpha' },
+        { id: 'c2', name: 'beta' },
+      ] as any,
+      '-name',
+    );
+
+    expect(sorted.map((container) => container.id)).toEqual(['c2', 'c1']);
+  });
+
+  test('supports ascending name sort mode', () => {
+    const sorted = sortContainers(
+      [
+        { id: 'c1', name: 'beta' },
+        { id: 'c2', name: 'alpha' },
+      ] as any,
+      'name',
+    );
+
+    expect(sorted.map((container) => container.id)).toEqual(['c2', 'c1']);
+  });
+
+  test('validateContainerListQuery accepts all supported sort modes', () => {
+    const supportedSortModes = [
+      'name',
+      '-name',
+      'status',
+      '-status',
+      'age',
+      '-age',
+      'created',
+      '-created',
+    ];
+
+    for (const sortMode of supportedSortModes) {
+      expect(validateContainerListQuery({ sort: sortMode } as any).sortMode).toBe(sortMode);
+    }
+  });
+
+  test('validateContainerListQuery throws schema validation details for invalid sort', () => {
+    expect(() => validateContainerListQuery({ sort: 'invalid-sort' } as any)).toThrow(
+      'Invalid sort value',
+    );
+  });
+
+  test('validateContainerListQuery accepts update status values', () => {
+    expect(validateContainerListQuery({ status: 'update-available' } as any).status).toBe(
+      'update-available',
+    );
+    expect(validateContainerListQuery({ status: 'up-to-date' } as any).status).toBe('up-to-date');
+  });
+
+  test('validateContainerListQuery accepts Docker runtime status values', () => {
+    const runtimeStatuses = [
+      'running',
+      'stopped',
+      'exited',
+      'paused',
+      'restarting',
+      'dead',
+      'created',
+    ];
+    for (const status of runtimeStatuses) {
+      expect(validateContainerListQuery({ status } as any).status).toBe(status);
+    }
+  });
+
+  test('validateContainerListQuery throws for invalid status values', () => {
+    expect(() => validateContainerListQuery({ status: 'active' } as any)).toThrow(
+      'Invalid status filter value',
+    );
+  });
+
+  test('isContainerRuntimeStatus identifies runtime status values', () => {
+    expect(isContainerRuntimeStatus('running')).toBe(true);
+    expect(isContainerRuntimeStatus('stopped')).toBe(true);
+    expect(isContainerRuntimeStatus('exited')).toBe(true);
+    expect(isContainerRuntimeStatus('paused')).toBe(true);
+    expect(isContainerRuntimeStatus('restarting')).toBe(true);
+    expect(isContainerRuntimeStatus('dead')).toBe(true);
+    expect(isContainerRuntimeStatus('created')).toBe(true);
+    expect(isContainerRuntimeStatus('update-available')).toBe(false);
+    expect(isContainerRuntimeStatus('up-to-date')).toBe(false);
+    expect(isContainerRuntimeStatus('active')).toBe(false);
+    expect(isContainerRuntimeStatus(undefined)).toBe(false);
+    expect(isContainerRuntimeStatus(null)).toBe(false);
+  });
+
+  test('mapContainerListStatusFilter maps update status to updateAvailable', () => {
+    expect(mapContainerListStatusFilter('update-available')).toEqual({ updateAvailable: true });
+    expect(mapContainerListStatusFilter('up-to-date')).toEqual({ updateAvailable: false });
+  });
+
+  test('mapContainerListStatusFilter maps runtime status to runtimeStatus', () => {
+    expect(mapContainerListStatusFilter('running')).toEqual({ runtimeStatus: 'running' });
+    expect(mapContainerListStatusFilter('exited')).toEqual({ runtimeStatus: 'exited' });
+    expect(mapContainerListStatusFilter('stopped')).toEqual({ runtimeStatus: 'stopped' });
+  });
+
+  test('mapContainerListStatusFilter returns undefined for unknown values', () => {
+    expect(mapContainerListStatusFilter('unknown-value')).toBeUndefined();
+    expect(mapContainerListStatusFilter(undefined)).toBeUndefined();
+    expect(mapContainerListStatusFilter('')).toBeUndefined();
+  });
+
+  test('resolveContainerSortMode returns ascending sort when order is asc', () => {
+    expect(resolveContainerSortMode('name', 'asc')).toBe('name');
+    expect(resolveContainerSortMode('status', 'asc')).toBe('status');
+    expect(resolveContainerSortMode('age', 'asc')).toBe('age');
+    expect(resolveContainerSortMode('created', 'asc')).toBe('created');
+  });
+
+  test('resolveContainerSortMode returns descending sort when order is desc', () => {
+    expect(resolveContainerSortMode('name', 'desc')).toBe('-name');
+    expect(resolveContainerSortMode('status', 'desc')).toBe('-status');
+    expect(resolveContainerSortMode('age', 'desc')).toBe('-age');
+    expect(resolveContainerSortMode('created', 'desc')).toBe('-created');
+  });
+
+  test('resolveContainerSortMode order=asc overrides prefix-based descending sort', () => {
+    expect(resolveContainerSortMode('-name', 'asc')).toBe('name');
+    expect(resolveContainerSortMode('-status', 'asc')).toBe('status');
+    expect(resolveContainerSortMode('-age', 'asc')).toBe('age');
+    expect(resolveContainerSortMode('-created', 'asc')).toBe('created');
+  });
+
+  test('resolveContainerSortMode order=desc overrides prefix-based ascending sort', () => {
+    expect(resolveContainerSortMode('name', 'desc')).toBe('-name');
+    expect(resolveContainerSortMode('status', 'desc')).toBe('-status');
+  });
+
+  test('resolveContainerSortMode preserves prefix when no order is given', () => {
+    expect(resolveContainerSortMode('-name', undefined)).toBe('-name');
+    expect(resolveContainerSortMode('name', undefined)).toBe('name');
+    expect(resolveContainerSortMode('-status', '')).toBe('-status');
+  });
+
+  test('resolveContainerSortMode defaults to name when sort is invalid', () => {
+    expect(resolveContainerSortMode('invalid', 'desc')).toBe('-name');
+    expect(resolveContainerSortMode(undefined, 'asc')).toBe('name');
+    expect(resolveContainerSortMode(undefined, undefined)).toBe('name');
+  });
+
+  test('validateContainerListQuery resolves sort + order into sortMode', () => {
+    expect(validateContainerListQuery({ sort: 'name', order: 'desc' } as any).sortMode).toBe(
+      '-name',
+    );
+    expect(validateContainerListQuery({ sort: 'status', order: 'asc' } as any).sortMode).toBe(
+      'status',
+    );
+    expect(validateContainerListQuery({ sort: 'age', order: 'desc' } as any).sortMode).toBe('-age');
+    expect(validateContainerListQuery({ sort: 'created', order: 'asc' } as any).sortMode).toBe(
+      'created',
+    );
+  });
+
+  test('validateContainerListQuery accepts order without sort', () => {
+    expect(validateContainerListQuery({ order: 'desc' } as any).sortMode).toBe('-name');
+    expect(validateContainerListQuery({ order: 'asc' } as any).sortMode).toBe('name');
+  });
+
+  test('validateContainerListQuery throws for invalid order value', () => {
+    expect(() => validateContainerListQuery({ order: 'ascending' } as any)).toThrow(
+      'Invalid order value',
+    );
+  });
+
+  test('removeContainerListControlParams strips order from query', () => {
+    const query = { sort: 'name', order: 'asc', name: 'nginx' } as any;
+    const result = removeContainerListControlParams(query);
+    expect(result).toEqual({ name: 'nginx' });
+    expect(result).not.toHaveProperty('sort');
+    expect(result).not.toHaveProperty('order');
+  });
+
+  test('validateContainerListQuery accepts watched kind values', () => {
+    expect(validateContainerListQuery({ kind: 'watched' } as any).kind).toBe('watched');
+    expect(validateContainerListQuery({ kind: 'unwatched' } as any).kind).toBe('unwatched');
+    expect(validateContainerListQuery({ kind: 'all' } as any).kind).toBe('all');
+  });
+
+  test('validateContainerListQuery still accepts update kind values', () => {
+    expect(validateContainerListQuery({ kind: 'major' } as any).kind).toBe('major');
+    expect(validateContainerListQuery({ kind: 'minor' } as any).kind).toBe('minor');
+    expect(validateContainerListQuery({ kind: 'patch' } as any).kind).toBe('patch');
+    expect(validateContainerListQuery({ kind: 'digest' } as any).kind).toBe('digest');
+  });
+
+  test('validateContainerListQuery throws for invalid kind values', () => {
+    expect(() => validateContainerListQuery({ kind: 'invalid-kind' } as any)).toThrow(
+      'Invalid kind filter value',
+    );
+  });
+
+  test('isContainerWatchedKind identifies watched kind values', () => {
+    expect(isContainerWatchedKind('watched')).toBe(true);
+    expect(isContainerWatchedKind('unwatched')).toBe(true);
+    expect(isContainerWatchedKind('all')).toBe(true);
+    expect(isContainerWatchedKind('major')).toBe(false);
+    expect(isContainerWatchedKind('minor')).toBe(false);
+    expect(isContainerWatchedKind('digest')).toBe(false);
+    expect(isContainerWatchedKind(undefined)).toBe(false);
+    expect(isContainerWatchedKind(null)).toBe(false);
+    expect(isContainerWatchedKind('')).toBe(false);
+  });
+
+  test('mapContainerListKindFilter returns undefined for watched kind values', () => {
+    expect(mapContainerListKindFilter('watched')).toBeUndefined();
+    expect(mapContainerListKindFilter('unwatched')).toBeUndefined();
+    expect(mapContainerListKindFilter('all')).toBeUndefined();
+  });
+
+  test('mapContainerListKindFilter still maps update kind values', () => {
+    expect(mapContainerListKindFilter('digest')).toEqual({ 'updateKind.kind': 'digest' });
+    expect(mapContainerListKindFilter('major')).toEqual({ 'updateKind.semverDiff': 'major' });
+    expect(mapContainerListKindFilter('minor')).toEqual({ 'updateKind.semverDiff': 'minor' });
+    expect(mapContainerListKindFilter('patch')).toEqual({ 'updateKind.semverDiff': 'patch' });
+  });
+
+  test('applyContainerWatchedKindFilter returns all containers when kind is all', () => {
+    const containers = [
+      { id: 'c1', labels: { 'dd.watch': 'true' } },
+      { id: 'c2', labels: {} },
+    ] as unknown as Container[];
+    expect(applyContainerWatchedKindFilter(containers, 'all').map((c) => c.id)).toEqual([
+      'c1',
+      'c2',
+    ]);
+  });
+
+  test('applyContainerWatchedKindFilter returns all containers when kind is undefined', () => {
+    const containers = [
+      { id: 'c1', labels: { 'dd.watch': 'true' } },
+      { id: 'c2', labels: {} },
+    ] as unknown as Container[];
+    expect(applyContainerWatchedKindFilter(containers, undefined).map((c) => c.id)).toEqual([
+      'c1',
+      'c2',
+    ]);
+  });
+
+  test('applyContainerWatchedKindFilter returns only watched containers when kind is watched', () => {
+    const containers = [
+      { id: 'c1', labels: { 'dd.watch': 'true' } },
+      { id: 'c2', labels: {} },
+      { id: 'c3', labels: { 'dd.watch': 'false' } },
+      { id: 'c4', labels: { 'dd.watch': 'True' } },
+    ] as unknown as Container[];
+    expect(applyContainerWatchedKindFilter(containers, 'watched').map((c) => c.id)).toEqual([
+      'c1',
+      'c4',
+    ]);
+  });
+
+  test('applyContainerWatchedKindFilter returns only unwatched containers when kind is unwatched', () => {
+    const containers = [
+      { id: 'c1', labels: { 'dd.watch': 'true' } },
+      { id: 'c2', labels: {} },
+      { id: 'c3', labels: { 'dd.watch': 'false' } },
+      { id: 'c4' },
+    ] as unknown as Container[];
+    expect(applyContainerWatchedKindFilter(containers, 'unwatched').map((c) => c.id)).toEqual([
+      'c2',
+      'c3',
+      'c4',
+    ]);
+  });
+
+  test('applyContainerWatchedKindFilter recognizes wud.watch legacy label', () => {
+    const containers = [
+      { id: 'c1', labels: { 'wud.watch': 'true' } },
+      { id: 'c2', labels: { 'wud.watch': 'false' } },
+    ] as unknown as Container[];
+    expect(applyContainerWatchedKindFilter(containers, 'watched').map((c) => c.id)).toEqual(['c1']);
+    expect(applyContainerWatchedKindFilter(containers, 'unwatched').map((c) => c.id)).toEqual([
+      'c2',
+    ]);
+  });
+
+  test('applyContainerWatchedKindFilter prefers dd.watch over wud.watch', () => {
+    const containers = [
+      { id: 'c1', labels: { 'dd.watch': 'true', 'wud.watch': 'false' } },
+      { id: 'c2', labels: { 'dd.watch': 'false', 'wud.watch': 'true' } },
+    ] as unknown as Container[];
+    expect(applyContainerWatchedKindFilter(containers, 'watched').map((c) => c.id)).toEqual(['c1']);
+    expect(applyContainerWatchedKindFilter(containers, 'unwatched').map((c) => c.id)).toEqual([
+      'c2',
+    ]);
+  });
+
+  test('applyContainerWatchedKindFilter treats containers without labels as unwatched', () => {
+    const containers = [
+      { id: 'c1' },
+      { id: 'c2', labels: undefined },
+      { id: 'c3', labels: null },
+    ] as unknown as Container[];
+    expect(applyContainerWatchedKindFilter(containers, 'watched')).toEqual([]);
+    expect(applyContainerWatchedKindFilter(containers, 'unwatched').map((c) => c.id)).toEqual([
+      'c1',
+      'c2',
+      'c3',
+    ]);
+  });
+});
diff --git a/app/api/container/filters.ts b/app/api/container/filters.ts
new file mode 100644
index 000000000..cb0ddc575
--- /dev/null
+++ b/app/api/container/filters.ts
@@ -0,0 +1,269 @@
+import type { Request } from 'express';
+import joi from 'joi';
+import type { ContainerMaturityFilter } from './maturity-filter.js';
+import { normalizeLimitOffsetPagination } from './request-helpers.js';
+import { isContainerSortMode, normalizeContainerSortMode } from './sorting.js';
+import type { ContainerWatchedKind } from './watched-kind-filter.js';
+import { isContainerWatchedKind } from './watched-kind-filter.js';
+
+const DEFAULT_CONTAINER_SORT_MODE: ContainerSortMode = 'name';
+const CONTAINER_LIST_MAX_LIMIT = 200;
+
+export type ContainerSortMode =
+  | 'name'
+  | '-name'
+  | 'status'
+  | '-status'
+  | 'age'
+  | '-age'
+  | 'created'
+  | '-created';
+
+export const CONTAINER_SORT_FIELDS = ['name', 'status', 'age', 'created'] as const;
+export type ContainerSortField = (typeof CONTAINER_SORT_FIELDS)[number];
+
+export const CONTAINER_ORDER_VALUES = ['asc', 'desc'] as const;
+export type ContainerOrderDirection = (typeof CONTAINER_ORDER_VALUES)[number];
+
+export {
+  applyContainerMaturityFilter,
+  parseContainerMaturityFilter,
+} from './maturity-filter.js';
+export {
+  applyContainerWatchedKindFilter,
+  isContainerWatchedKind,
+} from './watched-kind-filter.js';
+export type { ContainerMaturityFilter, ContainerWatchedKind };
+
+const CONTAINER_LIST_QUERY_SCHEMA = joi.object({
+  sort: joi
+    .string()
+    .valid('name', '-name', 'status', '-status', 'age', '-age', 'created', '-created')
+    .messages({
+      'any.only': 'Invalid sort value',
+    }),
+  order: joi
+    .string()
+    .valid(...CONTAINER_ORDER_VALUES)
+    .messages({
+      'any.only': 'Invalid order value',
+    }),
+  status: joi
+    .string()
+    .valid(
+      'update-available',
+      'up-to-date',
+      'running',
+      'stopped',
+      'exited',
+      'paused',
+      'restarting',
+      'dead',
+      'created',
+    )
+    .messages({
+      'any.only': 'Invalid status filter value',
+    }),
+  kind: joi
+    .string()
+    .valid('major', 'minor', 'patch', 'digest', 'watched', 'unwatched', 'all')
+    .messages({
+      'any.only': 'Invalid kind filter value',
+    }),
+  watcher: joi.string().trim().min(1).messages({
+    'string.empty': 'Invalid watcher filter value',
+    'string.min': 'Invalid watcher filter value',
+  }),
+  maturity: joi.string().valid('hot', 'mature', 'established').messages({
+    'any.only': 'Invalid maturity filter value',
+  }),
+});
+
+export function removeContainerListControlParams(query: Request['query']): Request['query'] {
+  const filteredQuery: Record<string, unknown> = {};
+  Object.entries(query || {}).forEach(([key, value]) => {
+    if (
+      key === 'includeVulnerabilities' ||
+      key === 'limit' ||
+      key === 'offset' ||
+      key === 'sort' ||
+      key === 'order' ||
+      key === 'maturity' ||
+      key === 'status' ||
+      key === 'kind' ||
+      key === 'watcher'
+    ) {
+      return;
+    }
+    filteredQuery[key] = value;
+  });
+  return filteredQuery as Request['query'];
+}
+
+function getFirstQueryValue(value: unknown): string | undefined {
+  if (Array.isArray(value)) {
+    for (const item of value) {
+      if (typeof item === 'string') {
+        return item.trim();
+      }
+    }
+    return undefined;
+  }
+  return typeof value === 'string' ? value.trim() : undefined;
+}
+
+export function getFirstNonEmptyQueryValue(value: unknown): string | undefined {
+  const queryValue = getFirstQueryValue(value);
+  if (!queryValue || queryValue.length === 0) {
+    return undefined;
+  }
+  return queryValue;
+}
+
+function parseContainerSortMode(sortQuery: unknown): ContainerSortMode {
+  const sortValue = getFirstNonEmptyQueryValue(sortQuery);
+  if (!sortValue || !isContainerSortMode(sortValue)) {
+    return DEFAULT_CONTAINER_SORT_MODE;
+  }
+  return sortValue;
+}
+
+export function resolveContainerSortMode(
+  sortQuery: unknown,
+  orderQuery: unknown,
+): ContainerSortMode {
+  const baseSortMode = parseContainerSortMode(sortQuery);
+  const orderValue = getFirstNonEmptyQueryValue(orderQuery)?.toLowerCase();
+
+  // If an explicit order param is provided, it overrides any prefix on the sort value
+  if (orderValue === 'desc') {
+    const normalizedSort = normalizeContainerSortMode(baseSortMode);
+    return `-${normalizedSort}` as ContainerSortMode;
+  }
+  if (orderValue === 'asc') {
+    return normalizeContainerSortMode(baseSortMode);
+  }
+
+  // No order param — use the sort value as-is (including any prefix)
+  return baseSortMode;
+}
+
+export type ContainerRuntimeStatus =
+  | 'running'
+  | 'stopped'
+  | 'exited'
+  | 'paused'
+  | 'restarting'
+  | 'dead'
+  | 'created';
+
+export type ContainerUpdateStatus = 'update-available' | 'up-to-date';
+
+export interface ValidatedContainerListQuery {
+  sortMode: ContainerSortMode;
+  status?: ContainerUpdateStatus | ContainerRuntimeStatus;
+  kind?: 'major' | 'minor' | 'patch' | 'digest' | ContainerWatchedKind;
+  watcher?: string;
+  maturity?: ContainerMaturityFilter;
+}
+
+export function validateContainerListQuery(query: Request['query']): ValidatedContainerListQuery {
+  const { value, error } = CONTAINER_LIST_QUERY_SCHEMA.validate(
+    {
+      sort: getFirstQueryValue(query.sort),
+      order: getFirstQueryValue(query.order),
+      status: getFirstQueryValue(query.status),
+      kind: getFirstQueryValue(query.kind),
+      watcher: getFirstQueryValue(query.watcher),
+      maturity: getFirstQueryValue(query.maturity),
+    },
+    {
+      abortEarly: true,
+    },
+  );
+
+  if (error) {
+    throw new Error(error.message);
+  }
+
+  return {
+    sortMode: resolveContainerSortMode(value.sort, value.order),
+    status: value.status,
+    kind: value.kind,
+    watcher: value.watcher,
+    maturity: value.maturity,
+  };
+}
+
+export { sortContainers } from './sorting.js';
+
+const RUNTIME_STATUS_VALUES: ReadonlySet<string> = new Set([
+  'running',
+  'stopped',
+  'exited',
+  'paused',
+  'restarting',
+  'dead',
+  'created',
+]);
+
+export function isContainerRuntimeStatus(value: unknown): value is ContainerRuntimeStatus {
+  return typeof value === 'string' && RUNTIME_STATUS_VALUES.has(value);
+}
+
+export interface ContainerListStatusFilter {
+  updateAvailable?: boolean;
+  runtimeStatus?: ContainerRuntimeStatus;
+}
+
+export function mapContainerListStatusFilter(
+  statusQuery: unknown,
+): ContainerListStatusFilter | undefined {
+  const statusFilter = getFirstNonEmptyQueryValue(statusQuery);
+  if (statusFilter === 'update-available') {
+    return { updateAvailable: true };
+  }
+  if (statusFilter === 'up-to-date') {
+    return { updateAvailable: false };
+  }
+  if (isContainerRuntimeStatus(statusFilter)) {
+    return { runtimeStatus: statusFilter };
+  }
+  return undefined;
+}
+
+export function mapContainerListKindFilter(
+  kindQuery: unknown,
+):
+  | { 'updateKind.kind': 'digest' }
+  | { 'updateKind.semverDiff': 'major' | 'minor' | 'patch' }
+  | undefined {
+  const kindFilter = getFirstNonEmptyQueryValue(kindQuery);
+  if (isContainerWatchedKind(kindFilter)) {
+    return undefined;
+  }
+  if (kindFilter === 'digest') {
+    return { 'updateKind.kind': 'digest' };
+  }
+  if (kindFilter === 'major' || kindFilter === 'minor' || kindFilter === 'patch') {
+    return { 'updateKind.semverDiff': kindFilter };
+  }
+  return undefined;
+}
+
+export function normalizeContainerListPagination(query: Request['query']) {
+  return normalizeLimitOffsetPagination(query, { maxLimit: CONTAINER_LIST_MAX_LIMIT });
+}
+
+export function paginateCollection<T>(
+  collection: T[],
+  pagination: { limit: number; offset: number },
+): T[] {
+  if (pagination.limit === 0 && pagination.offset === 0) {
+    return collection;
+  }
+  if (pagination.limit === 0) {
+    return collection.slice(pagination.offset);
+  }
+  return collection.slice(pagination.offset, pagination.offset + pagination.limit);
+}
diff --git a/app/api/container/handlers/actions.ts b/app/api/container/handlers/actions.ts
new file mode 100644
index 000000000..21413cdc8
--- /dev/null
+++ b/app/api/container/handlers/actions.ts
@@ -0,0 +1,243 @@
+import type { Request, Response } from 'express';
+import type { Container } from '../../../model/container.js';
+import { sendErrorResponse } from '../../error-response.js';
+import { buildPaginationLinks } from '../../pagination-links.js';
+import type {
+  CrudHandlerContext,
+  LocalContainerWatcher,
+  WatchContainersBody,
+  WatchTarget,
+} from '../crud-context.js';
+import { normalizeContainerListPagination, paginateCollection } from '../filters.js';
+import { getPathParamValue } from '../request-helpers.js';
+import { isSensitiveKey } from '../shared.js';
+import { getContainerOrNotFound, resolveWatcherIdForContainer } from './common.js';
+import { buildContainerListResponse } from './list.js';
+
+const WATCH_CONTAINERS_MAX_IDS = 200;
+
+function parseWatchContainersBody(body: unknown): { body?: WatchContainersBody; error?: string } {
+  if (body === undefined || body === null) {
+    return { body: {} };
+  }
+
+  if (typeof body !== 'object' || Array.isArray(body)) {
+    return { error: 'Request body must be an object' };
+  }
+
+  const requestBody = body as Record<string, unknown>;
+  const unknownKeys = Object.keys(requestBody).filter((key) => key !== 'containerIds');
+  if (unknownKeys.length > 0) {
+    return { error: `Unknown request properties: ${unknownKeys.join(', ')}` };
+  }
+
+  const { containerIds } = requestBody;
+  if (containerIds === undefined) {
+    return { body: {} };
+  }
+  if (!Array.isArray(containerIds)) {
+    return { error: 'containerIds must be an array of non-empty strings' };
+  }
+  if (containerIds.length === 0) {
+    return { error: 'containerIds must not be empty' };
+  }
+  if (containerIds.length > WATCH_CONTAINERS_MAX_IDS) {
+    return { error: `containerIds must contain at most ${WATCH_CONTAINERS_MAX_IDS} entries` };
+  }
+
+  const normalizedIds: string[] = [];
+  const seenIds = new Set<string>();
+  for (const containerId of containerIds) {
+    if (typeof containerId !== 'string' || containerId.trim() === '') {
+      return { error: 'containerIds must be an array of non-empty strings' };
+    }
+    const normalizedId = containerId.trim();
+    if (seenIds.has(normalizedId)) {
+      continue;
+    }
+    seenIds.add(normalizedId);
+    normalizedIds.push(normalizedId);
+  }
+
+  return {
+    body: {
+      containerIds: normalizedIds,
+    },
+  };
+}
+
+function resolveTargetedWatchTargets(
+  context: CrudHandlerContext,
+  containerIds: string[],
+  watcherMap: Record<string, LocalContainerWatcher>,
+): { targets: WatchTarget[] } | { targets?: undefined; status: number; error: string } {
+  const selectedTargets: WatchTarget[] = [];
+
+  for (const containerId of containerIds) {
+    const container = context.storeContainer.getContainer(containerId);
+    if (!container) {
+      return { status: 404, error: 'Container not found' };
+    }
+
+    const watcherId = resolveWatcherIdForContainer(container);
+    const watcher = watcherMap[watcherId];
+    if (!watcher) {
+      return {
+        status: 500,
+        error: `No provider found for container ${container.id} and provider ${watcherId}`,
+      };
+    }
+
+    selectedTargets.push({
+      container,
+      watcher,
+    });
+  }
+
+  return { targets: selectedTargets };
+}
+
+function extractContainerEnv(container: Container) {
+  const details = container.details as { env?: unknown[] } | undefined;
+  const rawEnv = Array.isArray(details?.env) ? details.env : [];
+
+  return rawEnv
+    .filter(
+      (entry): entry is { key: string; value: string } =>
+        !!entry &&
+        typeof entry === 'object' &&
+        typeof (entry as { key?: unknown }).key === 'string',
+    )
+    .map((entry) => ({
+      key: entry.key,
+      value: entry.value,
+      sensitive: isSensitiveKey(entry.key),
+    }));
+}
+
+export function createGetContainerUpdateOperationsHandler(context: CrudHandlerContext) {
+  return function getContainerUpdateOperations(req: Request, res: Response) {
+    const id = getPathParamValue(req.params.id);
+    const container = getContainerOrNotFound(context, id, res);
+    if (!container) {
+      return;
+    }
+
+    const operations = context.updateOperationStore.getOperationsByContainerName(container.name);
+    const pagination = normalizeContainerListPagination(req.query);
+    const data = paginateCollection(operations, pagination);
+    const hasMore = pagination.limit > 0 && pagination.offset + data.length < operations.length;
+    const links = buildPaginationLinks({
+      basePath: `/api/containers/${id}/update-operations`,
+      query: req.query,
+      limit: pagination.limit,
+      offset: pagination.offset,
+      total: operations.length,
+      returnedCount: data.length,
+    });
+    res.status(200).json({
+      data,
+      total: operations.length,
+      limit: pagination.limit,
+      offset: pagination.offset,
+      hasMore,
+      ...(links ? { _links: links } : {}),
+    });
+  };
+}
+
+export function createWatchContainersHandler(context: CrudHandlerContext) {
+  return async function watchContainers(req: Request, res: Response) {
+    const parsedBody = parseWatchContainersBody(req.body);
+    if (parsedBody.error) {
+      sendErrorResponse(res, 400, parsedBody.error);
+      return;
+    }
+
+    const watcherMap = context.getWatchers();
+    const containerIds = parsedBody.body?.containerIds;
+    try {
+      if (Array.isArray(containerIds) && containerIds.length > 0) {
+        const selected = resolveTargetedWatchTargets(context, containerIds, watcherMap);
+        if ('error' in selected) {
+          sendErrorResponse(res, selected.status, selected.error);
+          return;
+        }
+        await Promise.all(
+          selected.targets.map((target) => target.watcher.watchContainer(target.container)),
+        );
+      } else {
+        await Promise.all(Object.values(watcherMap).map((watcher) => watcher.watch()));
+      }
+
+      res.status(200).json(buildContainerListResponse(context, req.query, '/api/containers/watch'));
+    } catch (error: unknown) {
+      sendErrorResponse(res, 500, `Error when watching images (${context.getErrorMessage(error)})`);
+    }
+  };
+}
+
+export function createWatchContainerHandler(context: CrudHandlerContext) {
+  return async function watchContainer(req: Request, res: Response) {
+    const id = getPathParamValue(req.params.id);
+    const container = getContainerOrNotFound(context, id, res);
+    if (!container) {
+      return;
+    }
+
+    const watcherId = resolveWatcherIdForContainer(container);
+    const watcher = context.getWatchers()[watcherId];
+    if (!watcher) {
+      sendErrorResponse(
+        res,
+        500,
+        `No provider found for container ${id} and provider ${watcherId}`,
+      );
+      return;
+    }
+
+    try {
+      if (typeof watcher.getContainers === 'function') {
+        const containers = await watcher.getContainers();
+        const containerFound = containers.some(
+          (containerInList) => containerInList.id === container.id,
+        );
+        if (!containerFound) {
+          sendErrorResponse(res, 404, 'Container not found');
+          return;
+        }
+      }
+      const containerReport = await watcher.watchContainer(container);
+      res.status(200).json(context.redactContainerRuntimeEnv(containerReport.container));
+    } catch {
+      sendErrorResponse(res, 500, `Error when watching container ${id}`);
+    }
+  };
+}
+
+export function createRevealContainerEnvHandler(context: CrudHandlerContext) {
+  return function revealContainerEnv(req: Request, res: Response) {
+    if (!context.getContainerRaw || !context.auditStore) {
+      sendErrorResponse(res, 501, 'Environment reveal is not available');
+      return;
+    }
+
+    const id = getPathParamValue(req.params.id);
+    const container = context.getContainerRaw(id);
+    if (!container) {
+      sendErrorResponse(res, 404, 'Container not found');
+      return;
+    }
+
+    const env = extractContainerEnv(container);
+    context.auditStore.insertAudit({
+      action: 'env-reveal',
+      containerName: container.name,
+      containerImage: container.image?.name,
+      status: 'info',
+      details: `Revealed ${env.filter((entry) => entry.sensitive).length} sensitive env var(s)`,
+    });
+
+    res.status(200).json({ env });
+  };
+}
diff --git a/app/api/container/handlers/common.ts b/app/api/container/handlers/common.ts
new file mode 100644
index 000000000..89cc8e68c
--- /dev/null
+++ b/app/api/container/handlers/common.ts
@@ -0,0 +1,25 @@
+import type { Response } from 'express';
+import type { Container } from '../../../model/container.js';
+import { sendErrorResponse } from '../../error-response.js';
+import type { CrudHandlerContext } from '../crud-context.js';
+
+export function getContainerOrNotFound(
+  context: CrudHandlerContext,
+  id: string,
+  res: Response,
+): Container | undefined {
+  const container = context.storeContainer.getContainer(id);
+  if (!container) {
+    sendErrorResponse(res, 404, 'Container not found');
+    return undefined;
+  }
+  return container;
+}
+
+export function resolveWatcherIdForContainer(container: Container): string {
+  let watcherId = `docker.${container.watcher}`;
+  if (container.agent) {
+    watcherId = `${container.agent}.${watcherId}`;
+  }
+  return watcherId;
+}
diff --git a/app/api/container/handlers/list.ts b/app/api/container/handlers/list.ts
new file mode 100644
index 000000000..8f90eabaf
--- /dev/null
+++ b/app/api/container/handlers/list.ts
@@ -0,0 +1,149 @@
+import type { Request, Response } from 'express';
+import type { Container } from '../../../model/container.js';
+import { sendErrorResponse } from '../../error-response.js';
+import { buildPaginationLinks } from '../../pagination-links.js';
+import type { ContainerListResponse, CrudHandlerContext } from '../crud-context.js';
+import {
+  applyContainerMaturityFilter,
+  applyContainerWatchedKindFilter,
+  type ContainerWatchedKind,
+  getFirstNonEmptyQueryValue,
+  isContainerWatchedKind,
+  mapContainerListKindFilter,
+  mapContainerListStatusFilter,
+  normalizeContainerListPagination,
+  paginateCollection,
+  parseContainerMaturityFilter,
+  removeContainerListControlParams,
+  sortContainers,
+  validateContainerListQuery,
+} from '../filters.js';
+import { parseBooleanQueryParam } from '../request-helpers.js';
+
+export type ContainerListBasePath = '/api/containers' | '/api/containers/watch';
+
+function stripContainerVulnerabilityArrays(container: Container): Container {
+  if (!container.security) {
+    return container;
+  }
+  return {
+    ...container,
+    security: {
+      ...container.security,
+      scan: container.security.scan
+        ? {
+            ...container.security.scan,
+            vulnerabilities: [],
+          }
+        : container.security.scan,
+      updateScan: container.security.updateScan
+        ? {
+            ...container.security.updateScan,
+            vulnerabilities: [],
+          }
+        : container.security.updateScan,
+    },
+  };
+}
+
+export function buildContainerListResponse(
+  context: CrudHandlerContext,
+  query: Request['query'],
+  basePath: ContainerListBasePath,
+): ContainerListResponse {
+  const validatedQuery = validateContainerListQuery(query);
+  const sortMode = validatedQuery.sortMode;
+  const statusFilter = mapContainerListStatusFilter(validatedQuery.status);
+  const kindFilter = mapContainerListKindFilter(validatedQuery.kind);
+  const maturityFilter = parseContainerMaturityFilter(validatedQuery.maturity);
+  const watchedKindFilter: ContainerWatchedKind | undefined = isContainerWatchedKind(
+    validatedQuery.kind,
+  )
+    ? validatedQuery.kind
+    : undefined;
+
+  const includeVulnerabilities = parseBooleanQueryParam(query.includeVulnerabilities, false);
+  const filteredQuery = {
+    ...(removeContainerListControlParams(query) as Record<string, unknown>),
+    ...(kindFilter || {}),
+    ...(statusFilter?.updateAvailable !== undefined
+      ? { updateAvailable: statusFilter.updateAvailable }
+      : {}),
+    ...(statusFilter?.runtimeStatus ? { status: statusFilter.runtimeStatus } : {}),
+    ...(validatedQuery.watcher ? { watcher: validatedQuery.watcher } : {}),
+  } as Request['query'];
+  const pagination = normalizeContainerListPagination(query);
+
+  // Sort/order, maturity, and watched-kind filters require loading the full
+  // collection before pagination because they inspect in-memory properties
+  // (container labels, update age) that cannot be pushed down to the store.
+  // status and update-kind are already pushed down to filteredQuery as
+  // store-level filters (updateAvailable, updateKind.*), so the store handles
+  // those efficiently without loading everything into memory first.
+  const needsFullCollection =
+    getFirstNonEmptyQueryValue(query.sort) !== undefined ||
+    getFirstNonEmptyQueryValue(query.order) !== undefined ||
+    maturityFilter !== undefined ||
+    (watchedKindFilter !== undefined && watchedKindFilter !== 'all');
+  let pagedContainers: Container[];
+  let total: number;
+
+  if (needsFullCollection) {
+    const containersToSort = context.getContainersFromStore(filteredQuery, {
+      limit: 0,
+      offset: 0,
+    });
+    const watchedKindFilteredContainers = applyContainerWatchedKindFilter(
+      containersToSort,
+      watchedKindFilter,
+    );
+    const maturityFilteredContainers = applyContainerMaturityFilter(
+      watchedKindFilteredContainers,
+      maturityFilter,
+    );
+    const sortedContainers = sortContainers(maturityFilteredContainers, sortMode);
+    total = sortedContainers.length;
+    pagedContainers = paginateCollection(sortedContainers, pagination);
+  } else {
+    pagedContainers = context.getContainersFromStore(filteredQuery, pagination);
+    const sortedPagedContainers = sortContainers(pagedContainers, sortMode);
+    total =
+      pagination.limit === 0 && pagination.offset === 0
+        ? sortedPagedContainers.length
+        : context.getContainerCountFromStore(filteredQuery);
+    pagedContainers = sortedPagedContainers;
+  }
+
+  const redactedContainers = context.redactContainersRuntimeEnv(pagedContainers);
+  const data = includeVulnerabilities
+    ? redactedContainers
+    : redactedContainers.map((container) => stripContainerVulnerabilityArrays(container));
+  const hasMore = pagination.limit > 0 && pagination.offset + data.length < total;
+  const links = buildPaginationLinks({
+    basePath,
+    query,
+    limit: pagination.limit,
+    offset: pagination.offset,
+    total,
+    returnedCount: data.length,
+  });
+  return {
+    data,
+    total,
+    limit: pagination.limit,
+    offset: pagination.offset,
+    hasMore,
+    ...(links ? { _links: links } : {}),
+  };
+}
+
+export function createGetContainersHandler(context: CrudHandlerContext) {
+  return function getContainers(req: Request, res: Response) {
+    try {
+      res.status(200).json(buildContainerListResponse(context, req.query, '/api/containers'));
+    } catch (error: unknown) {
+      const message = error instanceof Error ? error.message : 'Invalid request';
+      sendErrorResponse(res, 400, message);
+    }
+  };
+}
diff --git a/app/api/container/handlers/release-notes.test.ts b/app/api/container/handlers/release-notes.test.ts
new file mode 100644
index 000000000..aaa5b8754
--- /dev/null
+++ b/app/api/container/handlers/release-notes.test.ts
@@ -0,0 +1,116 @@
+import { createMockRequest, createMockResponse } from '../../../test/helpers.js';
+import { createGetContainerReleaseNotesHandler } from './release-notes.js';
+
+vi.mock('../../../release-notes/index.js', () => ({
+  getFullReleaseNotesForContainer: vi.fn(),
+}));
+
+vi.mock('../../error-response.js', () => ({
+  sendErrorResponse: vi.fn(),
+}));
+
+vi.mock('./common.js', () => ({
+  getContainerOrNotFound: vi.fn(),
+}));
+
+vi.mock('../request-helpers.js', () => ({
+  getPathParamValue: vi.fn((v: string) => v),
+}));
+
+import { getFullReleaseNotesForContainer } from '../../../release-notes/index.js';
+import { sendErrorResponse } from '../../error-response.js';
+import type { CrudHandlerContext } from '../crud-context.js';
+import { getContainerOrNotFound } from './common.js';
+
+const mockGetFullReleaseNotes = vi.mocked(getFullReleaseNotesForContainer);
+const mockSendErrorResponse = vi.mocked(sendErrorResponse);
+const mockGetContainerOrNotFound = vi.mocked(getContainerOrNotFound);
+
+function createMockContext(overrides: Partial<CrudHandlerContext> = {}): CrudHandlerContext {
+  return {
+    getContainersFromStore: vi.fn(),
+    getContainerCountFromStore: vi.fn(),
+    storeContainer: { getContainer: vi.fn(), deleteContainer: vi.fn() },
+    updateOperationStore: { getOperationsByContainerName: vi.fn() },
+    getServerConfiguration: vi.fn(),
+    getAgent: vi.fn(),
+    getWatchers: vi.fn(),
+    getErrorMessage: vi.fn((e: unknown) => String(e)),
+    getErrorStatusCode: vi.fn(),
+    redactContainerRuntimeEnv: vi.fn(),
+    redactContainersRuntimeEnv: vi.fn(),
+    ...overrides,
+  };
+}
+
+function createMockReqRes(id = 'test-id') {
+  const req = createMockRequest({ params: { id } });
+  const res = createMockResponse();
+  return { req, res };
+}
+
+describe('createGetContainerReleaseNotesHandler', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  test('returns early when container is not found', async () => {
+    mockGetContainerOrNotFound.mockReturnValue(undefined);
+    const context = createMockContext();
+    const handler = createGetContainerReleaseNotesHandler(context);
+    const { req, res } = createMockReqRes();
+
+    await handler(req, res);
+
+    expect(mockGetContainerOrNotFound).toHaveBeenCalledWith(context, 'test-id', res);
+    expect(mockGetFullReleaseNotes).not.toHaveBeenCalled();
+  });
+
+  test('returns 404 when release notes are not available', async () => {
+    const container = { id: 'test-id', name: 'test' };
+    mockGetContainerOrNotFound.mockReturnValue(container as never);
+    mockGetFullReleaseNotes.mockResolvedValue(undefined as never);
+    const context = createMockContext();
+    const handler = createGetContainerReleaseNotesHandler(context);
+    const { req, res } = createMockReqRes();
+
+    await handler(req, res);
+
+    expect(mockSendErrorResponse).toHaveBeenCalledWith(res, 404, 'Release notes not available');
+  });
+
+  test('returns 200 with release notes when available', async () => {
+    const container = { id: 'test-id', name: 'test' };
+    const releaseNotes = { version: '2.0.0', body: 'New stuff' };
+    mockGetContainerOrNotFound.mockReturnValue(container as never);
+    mockGetFullReleaseNotes.mockResolvedValue(releaseNotes as never);
+    const context = createMockContext();
+    const handler = createGetContainerReleaseNotesHandler(context);
+    const { req, res } = createMockReqRes();
+
+    await handler(req, res);
+
+    expect(res.status).toHaveBeenCalledWith(200);
+    expect(res.json).toHaveBeenCalledWith(releaseNotes);
+    expect(mockSendErrorResponse).not.toHaveBeenCalled();
+  });
+
+  test('returns 500 when getFullReleaseNotesForContainer throws', async () => {
+    const container = { id: 'test-id', name: 'test' };
+    mockGetContainerOrNotFound.mockReturnValue(container as never);
+    mockGetFullReleaseNotes.mockRejectedValue(new Error('fetch failed'));
+    const context = createMockContext({
+      getErrorMessage: vi.fn(() => 'fetch failed'),
+    });
+    const handler = createGetContainerReleaseNotesHandler(context);
+    const { req, res } = createMockReqRes();
+
+    await handler(req, res);
+
+    expect(mockSendErrorResponse).toHaveBeenCalledWith(
+      res,
+      500,
+      'Error retrieving release notes (fetch failed)',
+    );
+  });
+});
diff --git a/app/api/container/handlers/release-notes.ts b/app/api/container/handlers/release-notes.ts
new file mode 100644
index 000000000..d819c624d
--- /dev/null
+++ b/app/api/container/handlers/release-notes.ts
@@ -0,0 +1,31 @@
+import type { Request, Response } from 'express';
+import { getFullReleaseNotesForContainer } from '../../../release-notes/index.js';
+import { sendErrorResponse } from '../../error-response.js';
+import type { CrudHandlerContext } from '../crud-context.js';
+import { getPathParamValue } from '../request-helpers.js';
+import { getContainerOrNotFound } from './common.js';
+
+export function createGetContainerReleaseNotesHandler(context: CrudHandlerContext) {
+  return async function getContainerReleaseNotes(req: Request, res: Response) {
+    const id = getPathParamValue(req.params.id);
+    const container = getContainerOrNotFound(context, id, res);
+    if (!container) {
+      return;
+    }
+
+    try {
+      const releaseNotes = await getFullReleaseNotesForContainer(container);
+      if (!releaseNotes) {
+        sendErrorResponse(res, 404, 'Release notes not available');
+        return;
+      }
+      res.status(200).json(releaseNotes);
+    } catch (error: unknown) {
+      sendErrorResponse(
+        res,
+        500,
+        `Error retrieving release notes (${context.getErrorMessage(error)})`,
+      );
+    }
+  };
+}
diff --git a/app/api/container/log-stream.test.ts b/app/api/container/log-stream.test.ts
new file mode 100644
index 000000000..46d6b9bb9
--- /dev/null
+++ b/app/api/container/log-stream.test.ts
@@ -0,0 +1,1502 @@
+import { EventEmitter } from 'node:events';
+import { WebSocketServer } from 'ws';
+import * as configuration from '../../configuration/index.js';
+import * as registry from '../../registry/index.js';
+import * as storeContainer from '../../store/container.js';
+import * as rateLimitKey from '../rate-limit-key.js';
+import {
+  attachContainerLogStreamWebSocketServer,
+  createContainerLogStreamGateway,
+  createDockerLogFrameDemuxer,
+  createDockerLogMessageDecoder,
+  parseContainerLogStreamQuery,
+} from './log-stream.js';
+
+function dockerFrame(payload: string, streamType = 1): Buffer {
+  const payloadBuffer = Buffer.from(payload, 'utf8');
+  const header = Buffer.alloc(8);
+  header[0] = streamType;
+  header.writeUInt32BE(payloadBuffer.length, 4);
+  return Buffer.concat([header, payloadBuffer]);
+}
+
+function createUpgradeSocket() {
+  return {
+    destroyed: false,
+    write: vi.fn(),
+    destroy: vi.fn(function destroy() {
+      this.destroyed = true;
+    }),
+  };
+}
+
+function createUpgradeRequest(url: string) {
+  return {
+    url,
+    headers: {},
+    socket: {
+      remoteAddress: '127.0.0.1',
+    },
+  };
+}
+
+describe('api/container/log-stream', () => {
+  describe('parseContainerLogStreamQuery', () => {
+    test('uses expected defaults', () => {
+      const query = parseContainerLogStreamQuery(new URLSearchParams());
+      expect(query).toEqual({
+        stdout: true,
+        stderr: true,
+        tail: 100,
+        since: 0,
+        follow: true,
+      });
+    });
+
+    test('parses booleans, integers, and ISO timestamps', () => {
+      const query = parseContainerLogStreamQuery(
+        new URLSearchParams({
+          stdout: 'false',
+          stderr: 'true',
+          tail: '50',
+          since: '2026-01-01T00:00:00.000Z',
+          follow: 'false',
+        }),
+      );
+      expect(query).toEqual({
+        stdout: false,
+        stderr: true,
+        tail: 50,
+        since: 1767225600,
+        follow: false,
+      });
+    });
+
+    test('parses numeric since timestamps', () => {
+      const query = parseContainerLogStreamQuery(
+        new URLSearchParams({
+          since: '1700000000',
+        }),
+      );
+      expect(query).toEqual({
+        stdout: true,
+        stderr: true,
+        tail: 100,
+        since: 1700000000,
+        follow: true,
+      });
+    });
+
+    test('falls back when numeric since overflows finite bounds', () => {
+      const query = parseContainerLogStreamQuery(
+        new URLSearchParams({
+          since: '9'.repeat(400),
+        }),
+      );
+      expect(query.since).toBe(0);
+    });
+
+    test('falls back on invalid values', () => {
+      const query = parseContainerLogStreamQuery(
+        new URLSearchParams({
+          stdout: 'maybe',
+          stderr: 'nope',
+          tail: '-10',
+          since: 'invalid-date',
+          follow: 'perhaps',
+        }),
+      );
+      expect(query).toEqual({
+        stdout: true,
+        stderr: true,
+        tail: 100,
+        since: 0,
+        follow: true,
+      });
+    });
+  });
+
+  describe('docker stream decoding', () => {
+    test('demultiplexes multiplexed stdout/stderr frames across chunk boundaries', () => {
+      const demuxer = createDockerLogFrameDemuxer();
+      const mixed = Buffer.concat([
+        dockerFrame('2026-01-01T00:00:00.000000000Z first line\n', 1),
+        dockerFrame('2026-01-01T00:00:01.000000000Z error line\n', 2),
+      ]);
+
+      const chunkA = mixed.subarray(0, 10);
+      const chunkB = mixed.subarray(10);
+
+      expect(demuxer.push(chunkA)).toEqual([]);
+      expect(demuxer.push(chunkB)).toEqual([
+        {
+          type: 'stdout',
+          payload: '2026-01-01T00:00:00.000000000Z first line\n',
+        },
+        {
+          type: 'stderr',
+          payload: '2026-01-01T00:00:01.000000000Z error line\n',
+        },
+      ]);
+    });
+
+    test('ignores unknown stream types', () => {
+      const demuxer = createDockerLogFrameDemuxer();
+      const unknownFrame = dockerFrame('ignored payload\n', 3);
+      expect(demuxer.push(unknownFrame)).toEqual([]);
+    });
+
+    test('converts payloads to typed ts/line messages and flushes trailing partial lines', () => {
+      const decoder = createDockerLogMessageDecoder();
+
+      expect(
+        decoder.push({
+          type: 'stdout',
+          payload: '2026-01-01T00:00:00.000000000Z hello\n2026-01-01T00:00:01.000000000Z wo',
+        }),
+      ).toEqual([
+        {
+          type: 'stdout',
+          ts: '2026-01-01T00:00:00.000000000Z',
+          line: 'hello',
+        },
+      ]);
+
+      expect(
+        decoder.push({
+          type: 'stdout',
+          payload: 'rld\n',
+        }),
+      ).toEqual([
+        {
+          type: 'stdout',
+          ts: '2026-01-01T00:00:01.000000000Z',
+          line: 'world',
+        },
+      ]);
+
+      expect(decoder.flush()).toEqual([]);
+    });
+
+    test('flushes remaining stderr line and normalizes CRLF line endings', () => {
+      const decoder = createDockerLogMessageDecoder();
+      expect(
+        decoder.push({
+          type: 'stderr',
+          payload: '2026-01-01T00:00:00.000000000Z error happened\r\nincomplete',
+        }),
+      ).toEqual([
+        {
+          type: 'stderr',
+          ts: '2026-01-01T00:00:00.000000000Z',
+          line: 'error happened',
+        },
+      ]);
+      expect(decoder.flush()).toEqual([
+        {
+          type: 'stderr',
+          ts: '',
+          line: 'incomplete',
+        },
+      ]);
+    });
+
+    test('flush trims trailing carriage returns from partial lines', () => {
+      const decoder = createDockerLogMessageDecoder();
+      decoder.push({
+        type: 'stdout',
+        payload: 'partial line with carriage\r',
+      });
+      expect(decoder.flush()).toEqual([
+        {
+          type: 'stdout',
+          ts: 'partial',
+          line: 'line with carriage',
+        },
+      ]);
+    });
+
+    test('defaults trailing partial to empty when split pop returns undefined', () => {
+      const decoder = createDockerLogMessageDecoder();
+      const popSpy = vi.spyOn(Array.prototype, 'pop').mockReturnValueOnce(undefined as never);
+      try {
+        expect(
+          decoder.push({
+            type: 'stdout',
+            payload: '',
+          }),
+        ).toEqual([
+          {
+            type: 'stdout',
+            ts: '',
+            line: '',
+          },
+        ]);
+      } finally {
+        popSpy.mockRestore();
+      }
+    });
+  });
+
+  describe('createContainerLogStreamGateway', () => {
+    test('returns 404 for non-log-stream upgrade routes', async () => {
+      const gateway = createContainerLogStreamGateway({
+        getContainer: vi.fn(),
+        getWatchers: vi.fn(() => ({})),
+        sessionMiddleware: (_req: unknown, _res: unknown, next: (error?: unknown) => void) =>
+          next(),
+        webSocketServer: {
+          handleUpgrade: vi.fn(),
+        },
+      });
+      const socket = createUpgradeSocket();
+
+      await gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/containers/c1/not-logs') as any,
+        socket as any,
+        Buffer.alloc(0),
+      );
+
+      expect(socket.write).not.toHaveBeenCalled();
+      expect(socket.destroy).not.toHaveBeenCalled();
+    });
+
+    test('silently returns when upgrade url is missing or malformed', async () => {
+      const gateway = createContainerLogStreamGateway({
+        getContainer: vi.fn(),
+        getWatchers: vi.fn(() => ({})),
+        sessionMiddleware: (_req: unknown, _res: unknown, next: (error?: unknown) => void) =>
+          next(),
+      });
+
+      const socketWithoutUrl = createUpgradeSocket();
+      await gateway.handleUpgrade(
+        { socket: { remoteAddress: '127.0.0.1' } } as any,
+        socketWithoutUrl as any,
+        Buffer.alloc(0),
+      );
+      expect(socketWithoutUrl.write).not.toHaveBeenCalled();
+
+      const socketWithDecodeError = createUpgradeSocket();
+      await gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/containers/%E0%A4%A/logs/stream') as any,
+        socketWithDecodeError as any,
+        Buffer.alloc(0),
+      );
+      expect(socketWithDecodeError.write).not.toHaveBeenCalled();
+
+      const socketWithInvalidUrl = createUpgradeSocket();
+      await gateway.handleUpgrade(
+        { url: 'http://[::1', socket: { remoteAddress: '127.0.0.1' } } as any,
+        socketWithInvalidUrl as any,
+        Buffer.alloc(0),
+      );
+      expect(socketWithInvalidUrl.write).not.toHaveBeenCalled();
+    });
+
+    test('returns 403 when Origin header does not match Host', async () => {
+      const gateway = createContainerLogStreamGateway({
+        getContainer: vi.fn(),
+        getWatchers: vi.fn(() => ({})),
+        sessionMiddleware: (_req: unknown, _res: unknown, next: (error?: unknown) => void) =>
+          next(),
+        webSocketServer: { handleUpgrade: vi.fn() },
+      });
+      const socket = createUpgradeSocket();
+
+      await gateway.handleUpgrade(
+        {
+          url: '/api/v1/containers/c1/logs/stream',
+          headers: { origin: 'https://evil.com', host: 'localhost:3000' },
+          socket: { remoteAddress: '127.0.0.1' },
+        } as any,
+        socket as any,
+        Buffer.alloc(0),
+      );
+
+      expect(socket.write).toHaveBeenCalledWith(expect.stringContaining('403 Forbidden'));
+      expect(socket.destroy).toHaveBeenCalledTimes(1);
+    });
+
+    test('returns 503 when session middleware is not configured', async () => {
+      const gateway = createContainerLogStreamGateway({
+        getContainer: vi.fn(),
+        getWatchers: vi.fn(() => ({})),
+        sessionMiddleware: undefined,
+        webSocketServer: {
+          handleUpgrade: vi.fn(),
+        },
+      });
+      const socket = createUpgradeSocket();
+
+      await gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/containers/c1/logs/stream') as any,
+        socket as any,
+        Buffer.alloc(0),
+      );
+
+      expect(socket.write).toHaveBeenCalledWith(
+        expect.stringContaining('503 Session middleware unavailable'),
+      );
+      expect(socket.destroy).toHaveBeenCalledTimes(1);
+    });
+
+    test('returns 401 when session middleware fails', async () => {
+      const gateway = createContainerLogStreamGateway({
+        getContainer: vi.fn(),
+        getWatchers: vi.fn(() => ({})),
+        sessionMiddleware: (_req: unknown, _res: unknown, next: (error?: unknown) => void) =>
+          next(new Error('session failed')),
+        webSocketServer: {
+          handleUpgrade: vi.fn(),
+        },
+      });
+      const socket = createUpgradeSocket();
+
+      await gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/containers/c1/logs/stream') as any,
+        socket as any,
+        Buffer.alloc(0),
+      );
+
+      expect(socket.write).toHaveBeenCalledWith(expect.stringContaining('401 Unauthorized'));
+      expect(socket.destroy).toHaveBeenCalledTimes(1);
+    });
+
+    test('rejects upgrades when rate limited', async () => {
+      const gateway = createContainerLogStreamGateway({
+        getContainer: vi.fn(),
+        getWatchers: vi.fn(() => ({})),
+        sessionMiddleware: (req: any, _res: unknown, next: (error?: unknown) => void) => {
+          req.session = { passport: { user: '{"username":"alice"}' } };
+          req.sessionID = 'session-1';
+          next();
+        },
+        webSocketServer: {
+          handleUpgrade: vi.fn(),
+        },
+        isRateLimited: vi.fn(() => true),
+      });
+      const socket = createUpgradeSocket();
+
+      await gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/containers/c1/logs/stream') as any,
+        socket as any,
+        Buffer.alloc(0),
+      );
+
+      expect(socket.write).toHaveBeenCalledWith(expect.stringContaining('429 Too Many Requests'));
+      expect(socket.destroy).toHaveBeenCalledTimes(1);
+    });
+
+    test('uses ip:unknown rate-limit key when remote address is unavailable', async () => {
+      const gateway = createContainerLogStreamGateway({
+        getContainer: vi.fn(),
+        getWatchers: vi.fn(() => ({})),
+        sessionMiddleware: (_req: any, _res: unknown, next: (error?: unknown) => void) => next(),
+        webSocketServer: {
+          handleUpgrade: vi.fn(),
+        },
+        isRateLimited: vi.fn(() => false),
+      });
+      const socket = createUpgradeSocket();
+      await gateway.handleUpgrade(
+        { url: '/api/v1/containers/c1/logs/stream', headers: {}, socket: {} } as any,
+        socket as any,
+        Buffer.alloc(0),
+      );
+      expect(socket.write).toHaveBeenCalledWith(expect.stringContaining('401 Unauthorized'));
+    });
+
+    test('uses ip:unknown rate-limit key when remote address is blank', async () => {
+      const gateway = createContainerLogStreamGateway({
+        getContainer: vi.fn(),
+        getWatchers: vi.fn(() => ({})),
+        sessionMiddleware: (_req: any, _res: unknown, next: (error?: unknown) => void) => next(),
+        webSocketServer: {
+          handleUpgrade: vi.fn(),
+        },
+        isRateLimited: vi.fn(() => false),
+      });
+      const socket = createUpgradeSocket();
+      await gateway.handleUpgrade(
+        {
+          url: '/api/v1/containers/c1/logs/stream',
+          headers: {},
+          socket: { remoteAddress: '   ' },
+        } as any,
+        socket as any,
+        Buffer.alloc(0),
+      );
+      expect(socket.write).toHaveBeenCalledWith(expect.stringContaining('401 Unauthorized'));
+    });
+
+    test('rejects unauthenticated upgrades', async () => {
+      const mockWebSocketServer = {
+        handleUpgrade: vi.fn(),
+      };
+
+      const gateway = createContainerLogStreamGateway({
+        getContainer: vi.fn(),
+        getWatchers: vi.fn(() => ({})),
+        sessionMiddleware: (_req: unknown, _res: unknown, next: (error?: unknown) => void) =>
+          next(),
+        webSocketServer: mockWebSocketServer,
+        isRateLimited: vi.fn(() => false),
+      });
+
+      const socket = createUpgradeSocket();
+      await gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/containers/c1/logs/stream') as any,
+        socket as any,
+        Buffer.alloc(0),
+      );
+
+      expect(socket.write).toHaveBeenCalledWith(expect.stringContaining('401 Unauthorized'));
+      expect(socket.destroy).toHaveBeenCalledTimes(1);
+      expect(mockWebSocketServer.handleUpgrade).not.toHaveBeenCalled();
+    });
+
+    test('closes websocket with 4004 when container is missing', async () => {
+      const ws = new EventEmitter() as EventEmitter & {
+        send: ReturnType<typeof vi.fn>;
+        close: ReturnType<typeof vi.fn>;
+      };
+      ws.send = vi.fn();
+      ws.close = vi.fn(() => {
+        ws.emit('close');
+      });
+
+      const mockWebSocketServer = {
+        handleUpgrade: vi.fn((_req, _socket, _head, callback: (socket: unknown) => void) =>
+          callback(ws),
+        ),
+      };
+
+      const gateway = createContainerLogStreamGateway({
+        getContainer: vi.fn(() => undefined),
+        getWatchers: vi.fn(() => ({})),
+        sessionMiddleware: (req: any, _res: unknown, next: (error?: unknown) => void) => {
+          req.session = { passport: { user: '{"username":"alice"}' } };
+          req.sessionID = 'session-1';
+          next();
+        },
+        webSocketServer: mockWebSocketServer,
+        isRateLimited: vi.fn(() => false),
+      });
+
+      await gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/containers/missing/logs/stream') as any,
+        createUpgradeSocket() as any,
+        Buffer.alloc(0),
+      );
+
+      expect(ws.close).toHaveBeenCalledWith(4004, 'Container not found');
+    });
+
+    test('closes websocket with 4001 when container is not running', async () => {
+      const ws = new EventEmitter() as EventEmitter & {
+        send: ReturnType<typeof vi.fn>;
+        close: ReturnType<typeof vi.fn>;
+      };
+      ws.send = vi.fn();
+      ws.close = vi.fn(() => {
+        ws.emit('close');
+      });
+
+      const gateway = createContainerLogStreamGateway({
+        getContainer: vi.fn(() => ({
+          id: 'c1',
+          name: 'my-container',
+          watcher: 'local',
+          status: 'exited',
+        })),
+        getWatchers: vi.fn(() => ({})),
+        sessionMiddleware: (req: any, _res: unknown, next: (error?: unknown) => void) => {
+          req.session = { passport: { user: '{"username":"alice"}' } };
+          req.sessionID = 'session-1';
+          next();
+        },
+        webSocketServer: {
+          handleUpgrade: vi.fn((_req, _socket, _head, callback: (socket: unknown) => void) =>
+            callback(ws),
+          ),
+        },
+        isRateLimited: vi.fn(() => false),
+      });
+
+      await gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/containers/c1/logs/stream') as any,
+        createUpgradeSocket() as any,
+        Buffer.alloc(0),
+      );
+
+      expect(ws.close).toHaveBeenCalledWith(4001, 'Container not running');
+    });
+
+    test('closes websocket when watcher is unavailable', async () => {
+      const ws = new EventEmitter() as EventEmitter & {
+        send: ReturnType<typeof vi.fn>;
+        close: ReturnType<typeof vi.fn>;
+      };
+      ws.send = vi.fn();
+      ws.close = vi.fn();
+
+      const gateway = createContainerLogStreamGateway({
+        getContainer: vi.fn(() => ({
+          id: 'c1',
+          name: 'my-container',
+          watcher: 'local',
+          status: 'running',
+        })),
+        getWatchers: vi.fn(() => ({})),
+        sessionMiddleware: (req: any, _res: unknown, next: (error?: unknown) => void) => {
+          req.session = { passport: { user: '{"username":"alice"}' } };
+          req.sessionID = 'session-1';
+          next();
+        },
+        webSocketServer: {
+          handleUpgrade: vi.fn((_req, _socket, _head, callback: (socket: unknown) => void) =>
+            callback(ws),
+          ),
+        },
+        isRateLimited: vi.fn(() => false),
+      });
+
+      await gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/containers/c1/logs/stream') as any,
+        createUpgradeSocket() as any,
+        Buffer.alloc(0),
+      );
+
+      expect(ws.close).toHaveBeenCalledWith(1011, 'Watcher not available');
+    });
+
+    test('closes websocket when docker logs cannot be opened', async () => {
+      const ws = new EventEmitter() as EventEmitter & {
+        send: ReturnType<typeof vi.fn>;
+        close: ReturnType<typeof vi.fn>;
+      };
+      ws.send = vi.fn();
+      ws.close = vi.fn();
+
+      const mockDockerContainer = {
+        logs: vi.fn().mockRejectedValue(new Error('docker down')),
+      };
+      const mockWatcher = {
+        dockerApi: {
+          getContainer: vi.fn(() => mockDockerContainer),
+        },
+      };
+
+      const gateway = createContainerLogStreamGateway({
+        getContainer: vi.fn(() => ({
+          id: 'c1',
+          name: 'my-container',
+          watcher: 'local',
+          status: 'running',
+        })),
+        getWatchers: vi.fn(() => ({
+          'docker.local': mockWatcher,
+        })),
+        sessionMiddleware: (req: any, _res: unknown, next: (error?: unknown) => void) => {
+          req.session = { passport: { user: '{"username":"alice"}' } };
+          req.sessionID = 'session-1';
+          next();
+        },
+        webSocketServer: {
+          handleUpgrade: vi.fn((_req, _socket, _head, callback: (socket: unknown) => void) =>
+            callback(ws),
+          ),
+        },
+        isRateLimited: vi.fn(() => false),
+      });
+
+      await gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/containers/c1/logs/stream') as any,
+        createUpgradeSocket() as any,
+        Buffer.alloc(0),
+      );
+
+      expect(ws.close).toHaveBeenCalledWith(1011, expect.stringContaining('Unable to open logs'));
+    });
+
+    test('streams one-shot non-readable log payloads and closes cleanly', async () => {
+      const ws = new EventEmitter() as EventEmitter & {
+        send: ReturnType<typeof vi.fn>;
+        close: ReturnType<typeof vi.fn>;
+      };
+      ws.send = vi.fn();
+      ws.close = vi.fn();
+
+      const mockDockerContainer = {
+        logs: vi.fn().mockResolvedValue(dockerFrame('2026-01-01T00:00:00.000000000Z hello\n', 1)),
+      };
+      const mockWatcher = {
+        dockerApi: {
+          getContainer: vi.fn(() => mockDockerContainer),
+        },
+      };
+
+      const gateway = createContainerLogStreamGateway({
+        getContainer: vi.fn(() => ({
+          id: 'c1',
+          name: 'my-container',
+          watcher: 'local',
+          status: 'running',
+        })),
+        getWatchers: vi.fn(() => ({
+          'docker.local': mockWatcher,
+        })),
+        sessionMiddleware: (req: any, _res: unknown, next: (error?: unknown) => void) => {
+          req.session = { passport: { user: '{"username":"alice"}' } };
+          req.sessionID = 'session-1';
+          next();
+        },
+        webSocketServer: {
+          handleUpgrade: vi.fn((_req, _socket, _head, callback: (socket: unknown) => void) =>
+            callback(ws),
+          ),
+        },
+        isRateLimited: vi.fn(() => false),
+      });
+
+      await gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/containers/c1/logs/stream?follow=false') as any,
+        createUpgradeSocket() as any,
+        Buffer.alloc(0),
+      );
+
+      expect(ws.send).toHaveBeenCalledWith(
+        JSON.stringify({
+          type: 'stdout',
+          ts: '2026-01-01T00:00:00.000000000Z',
+          line: 'hello',
+        }),
+      );
+      expect(ws.close).toHaveBeenCalledWith(1000, 'Stream complete');
+    });
+
+    test('does not throw when send fails on one-shot non-readable payload', async () => {
+      const ws = new EventEmitter() as EventEmitter & {
+        send: ReturnType<typeof vi.fn>;
+        close: ReturnType<typeof vi.fn>;
+      };
+      ws.send = vi.fn(() => {
+        throw new Error('WebSocket is not open');
+      });
+      ws.close = vi.fn();
+
+      const mockDockerContainer = {
+        logs: vi.fn().mockResolvedValue(dockerFrame('2026-01-01T00:00:00.000000000Z hello\n', 1)),
+      };
+      const mockWatcher = {
+        dockerApi: {
+          getContainer: vi.fn(() => mockDockerContainer),
+        },
+      };
+
+      const gateway = createContainerLogStreamGateway({
+        getContainer: vi.fn(() => ({
+          id: 'c1',
+          name: 'my-container',
+          watcher: 'local',
+          status: 'running',
+        })),
+        getWatchers: vi.fn(() => ({
+          'docker.local': mockWatcher,
+        })),
+        sessionMiddleware: (req: any, _res: unknown, next: (error?: unknown) => void) => {
+          req.session = { passport: { user: '{"username":"alice"}' } };
+          req.sessionID = 'session-1';
+          next();
+        },
+        webSocketServer: {
+          handleUpgrade: vi.fn((_req, _socket, _head, callback: (socket: unknown) => void) =>
+            callback(ws),
+          ),
+        },
+        isRateLimited: vi.fn(() => false),
+      });
+
+      await gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/containers/c1/logs/stream?follow=false') as any,
+        createUpgradeSocket() as any,
+        Buffer.alloc(0),
+      );
+
+      // send threw but no unhandled exception; close is NOT called because send failed
+      expect(ws.close).not.toHaveBeenCalled();
+    });
+
+    test('cleans up docker stream when send throws during streaming', async () => {
+      const dockerStream = new EventEmitter() as EventEmitter & {
+        destroy: ReturnType<typeof vi.fn>;
+      };
+      dockerStream.destroy = vi.fn();
+
+      const mockDockerContainer = {
+        logs: vi.fn().mockResolvedValue(dockerStream),
+      };
+      const mockWatcher = {
+        dockerApi: {
+          getContainer: vi.fn(() => mockDockerContainer),
+        },
+      };
+
+      const ws = new EventEmitter() as EventEmitter & {
+        send: ReturnType<typeof vi.fn>;
+        close: ReturnType<typeof vi.fn>;
+      };
+      ws.send = vi.fn();
+      ws.close = vi.fn();
+
+      const gateway = createContainerLogStreamGateway({
+        getContainer: vi.fn(() => ({
+          id: 'c1',
+          name: 'my-container',
+          watcher: 'local',
+          status: 'running',
+        })),
+        getWatchers: vi.fn(() => ({
+          'docker.local': mockWatcher,
+        })),
+        sessionMiddleware: (req: any, _res: unknown, next: (error?: unknown) => void) => {
+          req.session = { passport: { user: '{"username":"alice"}' } };
+          req.sessionID = 'session-1';
+          next();
+        },
+        webSocketServer: {
+          handleUpgrade: vi.fn((_req, _socket, _head, callback: (socket: unknown) => void) =>
+            callback(ws),
+          ),
+        },
+        isRateLimited: vi.fn(() => false),
+      });
+
+      await gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/containers/c1/logs/stream') as any,
+        createUpgradeSocket() as any,
+        Buffer.alloc(0),
+      );
+
+      // Make send throw to simulate a closed socket
+      ws.send = vi.fn(() => {
+        throw new Error('WebSocket is not open');
+      });
+
+      dockerStream.emit('data', dockerFrame('2026-01-01T00:00:00.000000000Z hello\n', 1));
+
+      // cleanup should have been called — docker stream destroyed
+      expect(dockerStream.destroy).toHaveBeenCalledTimes(1);
+    });
+
+    test('stops emitting queued log lines after websocket buffer overflow', async () => {
+      const dockerStream = new EventEmitter() as EventEmitter & {
+        destroy: ReturnType<typeof vi.fn>;
+      };
+      dockerStream.destroy = vi.fn();
+
+      const mockDockerContainer = {
+        logs: vi.fn().mockResolvedValue(dockerStream),
+      };
+      const mockWatcher = {
+        dockerApi: {
+          getContainer: vi.fn(() => mockDockerContainer),
+        },
+      };
+
+      const ws = new EventEmitter() as EventEmitter & {
+        send: ReturnType<typeof vi.fn>;
+        close: ReturnType<typeof vi.fn>;
+        bufferedAmount: number;
+      };
+      ws.bufferedAmount = 0;
+      ws.send = vi.fn(() => {
+        ws.bufferedAmount += 512;
+        if (ws.bufferedAmount > 700) {
+          throw new Error('WebSocket buffer overflow');
+        }
+      });
+      ws.close = vi.fn();
+
+      const gateway = createContainerLogStreamGateway({
+        getContainer: vi.fn(() => ({
+          id: 'c1',
+          name: 'my-container',
+          watcher: 'local',
+          status: 'running',
+        })),
+        getWatchers: vi.fn(() => ({
+          'docker.local': mockWatcher,
+        })),
+        sessionMiddleware: (req: any, _res: unknown, next: (error?: unknown) => void) => {
+          req.session = { passport: { user: '{"username":"alice"}' } };
+          req.sessionID = 'session-1';
+          next();
+        },
+        webSocketServer: {
+          handleUpgrade: vi.fn((_req, _socket, _head, callback: (socket: unknown) => void) =>
+            callback(ws),
+          ),
+        },
+        isRateLimited: vi.fn(() => false),
+      });
+
+      await gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/containers/c1/logs/stream') as any,
+        createUpgradeSocket() as any,
+        Buffer.alloc(0),
+      );
+
+      dockerStream.emit(
+        'data',
+        dockerFrame(
+          `${[
+            '2026-01-01T00:00:00.000000000Z first',
+            '2026-01-01T00:00:01.000000000Z second',
+            '2026-01-01T00:00:02.000000000Z third',
+          ].join('\n')}\n`,
+          1,
+        ),
+      );
+      dockerStream.emit('data', dockerFrame('2026-01-01T00:00:03.000000000Z after-cleanup\n', 1));
+
+      expect(ws.send).toHaveBeenCalledTimes(2);
+      expect(dockerStream.destroy).toHaveBeenCalledTimes(1);
+    });
+
+    test('does not throw when close fails during stream end', async () => {
+      const dockerStream = new EventEmitter() as EventEmitter & {
+        destroy: ReturnType<typeof vi.fn>;
+      };
+      dockerStream.destroy = vi.fn();
+
+      const mockDockerContainer = {
+        logs: vi.fn().mockResolvedValue(dockerStream),
+      };
+      const mockWatcher = {
+        dockerApi: {
+          getContainer: vi.fn(() => mockDockerContainer),
+        },
+      };
+
+      const ws = new EventEmitter() as EventEmitter & {
+        send: ReturnType<typeof vi.fn>;
+        close: ReturnType<typeof vi.fn>;
+      };
+      ws.send = vi.fn();
+      ws.close = vi.fn(() => {
+        throw new Error('WebSocket is not open');
+      });
+
+      const gateway = createContainerLogStreamGateway({
+        getContainer: vi.fn(() => ({
+          id: 'c1',
+          name: 'my-container',
+          watcher: 'local',
+          status: 'running',
+        })),
+        getWatchers: vi.fn(() => ({
+          'docker.local': mockWatcher,
+        })),
+        sessionMiddleware: (req: any, _res: unknown, next: (error?: unknown) => void) => {
+          req.session = { passport: { user: '{"username":"alice"}' } };
+          req.sessionID = 'session-1';
+          next();
+        },
+        webSocketServer: {
+          handleUpgrade: vi.fn((_req, _socket, _head, callback: (socket: unknown) => void) =>
+            callback(ws),
+          ),
+        },
+        isRateLimited: vi.fn(() => false),
+      });
+
+      await gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/containers/c1/logs/stream') as any,
+        createUpgradeSocket() as any,
+        Buffer.alloc(0),
+      );
+
+      // stream ends, close throws — should not cause unhandled exception
+      dockerStream.emit('end');
+
+      expect(dockerStream.destroy).toHaveBeenCalledTimes(1);
+    });
+
+    test('closes websocket with stream error and destroys docker stream', async () => {
+      const dockerStream = new EventEmitter() as EventEmitter & {
+        destroy: ReturnType<typeof vi.fn>;
+      };
+      dockerStream.destroy = vi.fn();
+
+      const mockDockerContainer = {
+        logs: vi.fn().mockResolvedValue(dockerStream),
+      };
+      const mockWatcher = {
+        dockerApi: {
+          getContainer: vi.fn(() => mockDockerContainer),
+        },
+      };
+
+      const ws = new EventEmitter() as EventEmitter & {
+        send: ReturnType<typeof vi.fn>;
+        close: ReturnType<typeof vi.fn>;
+      };
+      ws.send = vi.fn();
+      ws.close = vi.fn();
+
+      const gateway = createContainerLogStreamGateway({
+        getContainer: vi.fn(() => ({
+          id: 'c1',
+          name: 'my-container',
+          watcher: 'local',
+          status: 'running',
+        })),
+        getWatchers: vi.fn(() => ({
+          'docker.local': mockWatcher,
+        })),
+        sessionMiddleware: (req: any, _res: unknown, next: (error?: unknown) => void) => {
+          req.session = { passport: { user: '{"username":"alice"}' } };
+          req.sessionID = 'session-1';
+          next();
+        },
+        webSocketServer: {
+          handleUpgrade: vi.fn((_req, _socket, _head, callback: (socket: unknown) => void) =>
+            callback(ws),
+          ),
+        },
+        isRateLimited: vi.fn(() => false),
+      });
+
+      await gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/containers/c1/logs/stream') as any,
+        createUpgradeSocket() as any,
+        Buffer.alloc(0),
+      );
+
+      dockerStream.emit('error', new Error('stream boom'));
+
+      expect(ws.close).toHaveBeenCalledWith(1011, expect.stringContaining('Log stream error'));
+      expect(dockerStream.destroy).toHaveBeenCalledTimes(1);
+    });
+
+    test('cleans up docker stream when websocket emits error', async () => {
+      const dockerStream = new EventEmitter() as EventEmitter & {
+        destroy: ReturnType<typeof vi.fn>;
+      };
+      dockerStream.destroy = vi.fn();
+
+      const mockDockerContainer = {
+        logs: vi.fn().mockResolvedValue(dockerStream),
+      };
+      const mockWatcher = {
+        dockerApi: {
+          getContainer: vi.fn(() => mockDockerContainer),
+        },
+      };
+
+      const ws = new EventEmitter() as EventEmitter & {
+        send: ReturnType<typeof vi.fn>;
+        close: ReturnType<typeof vi.fn>;
+      };
+      ws.send = vi.fn();
+      ws.close = vi.fn();
+
+      const gateway = createContainerLogStreamGateway({
+        getContainer: vi.fn(() => ({
+          id: 'c1',
+          name: 'my-container',
+          watcher: 'local',
+          status: 'running',
+        })),
+        getWatchers: vi.fn(() => ({
+          'docker.local': mockWatcher,
+        })),
+        sessionMiddleware: (req: any, _res: unknown, next: (error?: unknown) => void) => {
+          req.session = { passport: { user: '{"username":"alice"}' } };
+          req.sessionID = 'session-1';
+          next();
+        },
+        webSocketServer: {
+          handleUpgrade: vi.fn((_req, _socket, _head, callback: (socket: unknown) => void) =>
+            callback(ws),
+          ),
+        },
+        isRateLimited: vi.fn(() => false),
+      });
+
+      await gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/containers/c1/logs/stream') as any,
+        createUpgradeSocket() as any,
+        Buffer.alloc(0),
+      );
+
+      ws.emit('error', new Error('ws boom'));
+      expect(dockerStream.destroy).toHaveBeenCalledTimes(1);
+    });
+
+    test('closes websocket when stream ends naturally', async () => {
+      const dockerStream = new EventEmitter() as EventEmitter & {
+        destroy: ReturnType<typeof vi.fn>;
+      };
+      dockerStream.destroy = vi.fn();
+
+      const mockDockerContainer = {
+        logs: vi.fn().mockResolvedValue(dockerStream),
+      };
+      const mockWatcher = {
+        dockerApi: {
+          getContainer: vi.fn(() => mockDockerContainer),
+        },
+      };
+
+      const ws = new EventEmitter() as EventEmitter & {
+        send: ReturnType<typeof vi.fn>;
+        close: ReturnType<typeof vi.fn>;
+      };
+      ws.send = vi.fn();
+      ws.close = vi.fn(() => {
+        ws.emit('close');
+      });
+
+      const gateway = createContainerLogStreamGateway({
+        getContainer: vi.fn(() => ({
+          id: 'c1',
+          name: 'my-container',
+          watcher: 'local',
+          status: 'running',
+        })),
+        getWatchers: vi.fn(() => ({
+          'docker.local': mockWatcher,
+        })),
+        sessionMiddleware: (req: any, _res: unknown, next: (error?: unknown) => void) => {
+          req.session = { passport: { user: '{"username":"alice"}' } };
+          req.sessionID = 'session-1';
+          next();
+        },
+        webSocketServer: {
+          handleUpgrade: vi.fn((_req, _socket, _head, callback: (socket: unknown) => void) =>
+            callback(ws),
+          ),
+        },
+        isRateLimited: vi.fn(() => false),
+      });
+
+      await gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/containers/c1/logs/stream') as any,
+        createUpgradeSocket() as any,
+        Buffer.alloc(0),
+      );
+
+      dockerStream.emit(
+        'data',
+        dockerFrame('2026-01-01T00:00:00.000000000Z hello from stream\n', 1),
+      );
+      dockerStream.emit('end');
+
+      expect(ws.send).toHaveBeenCalledWith(
+        JSON.stringify({
+          type: 'stdout',
+          ts: '2026-01-01T00:00:00.000000000Z',
+          line: 'hello from stream',
+        }),
+      );
+      expect(ws.close).toHaveBeenCalledWith(1000, 'Stream ended');
+      expect(dockerStream.destroy).toHaveBeenCalledTimes(1);
+    });
+
+    test('destroys docker log stream when websocket disconnects', async () => {
+      const dockerStream = new EventEmitter() as EventEmitter & {
+        destroy: ReturnType<typeof vi.fn>;
+      };
+      dockerStream.destroy = vi.fn();
+
+      const mockDockerContainer = {
+        logs: vi.fn().mockResolvedValue(dockerStream),
+      };
+      const mockWatcher = {
+        dockerApi: {
+          getContainer: vi.fn(() => mockDockerContainer),
+        },
+      };
+
+      const ws = new EventEmitter() as EventEmitter & {
+        send: ReturnType<typeof vi.fn>;
+        close: ReturnType<typeof vi.fn>;
+      };
+      ws.send = vi.fn();
+      ws.close = vi.fn();
+
+      const mockWebSocketServer = {
+        handleUpgrade: vi.fn((_req, _socket, _head, callback: (socket: unknown) => void) =>
+          callback(ws),
+        ),
+      };
+
+      const gateway = createContainerLogStreamGateway({
+        getContainer: vi.fn(() => ({
+          id: 'c1',
+          name: 'my-container',
+          watcher: 'local',
+          status: 'running',
+        })),
+        getWatchers: vi.fn(() => ({
+          'docker.local': mockWatcher,
+        })),
+        sessionMiddleware: (req: any, _res: unknown, next: (error?: unknown) => void) => {
+          req.session = { passport: { user: '{"username":"alice"}' } };
+          req.sessionID = 'session-1';
+          next();
+        },
+        webSocketServer: mockWebSocketServer,
+        isRateLimited: vi.fn(() => false),
+      });
+
+      await gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/containers/c1/logs/stream?tail=42&follow=true') as any,
+        createUpgradeSocket() as any,
+        Buffer.alloc(0),
+      );
+
+      expect(mockDockerContainer.logs).toHaveBeenCalledWith({
+        follow: true,
+        stdout: true,
+        stderr: true,
+        tail: 42,
+        since: 0,
+        timestamps: true,
+      });
+
+      ws.emit('close');
+      expect(dockerStream.destroy).toHaveBeenCalledTimes(1);
+    });
+
+    test('does not write an error response when socket is already destroyed', async () => {
+      const gateway = createContainerLogStreamGateway({
+        getContainer: vi.fn(),
+        getWatchers: vi.fn(() => ({})),
+        sessionMiddleware: (_req: unknown, _res: unknown, next: (error?: unknown) => void) =>
+          next(),
+      });
+      const socket = createUpgradeSocket();
+      socket.destroyed = true;
+
+      await gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/containers/c1/not-logs') as any,
+        socket as any,
+        Buffer.alloc(0),
+      );
+
+      expect(socket.write).not.toHaveBeenCalled();
+      expect(socket.destroy).not.toHaveBeenCalled();
+    });
+
+    test('applies default fixed-window rate limiter', async () => {
+      const gateway = createContainerLogStreamGateway({
+        getContainer: vi.fn(),
+        getWatchers: vi.fn(() => ({})),
+        sessionMiddleware: (_req: any, _res: unknown, next: (error?: unknown) => void) => next(),
+      });
+
+      const request = {
+        url: '/api/v1/containers/c1/logs/stream',
+        headers: {},
+        socket: { remoteAddress: '127.0.0.1' },
+      } as any;
+
+      for (let index = 0; index < 1000; index += 1) {
+        const socket = createUpgradeSocket();
+        await gateway.handleUpgrade(request, socket as any, Buffer.alloc(0));
+        expect(socket.write).toHaveBeenCalledWith(expect.stringContaining('401 Unauthorized'));
+      }
+
+      const rateLimitedSocket = createUpgradeSocket();
+      await gateway.handleUpgrade(request, rateLimitedSocket as any, Buffer.alloc(0));
+      expect(rateLimitedSocket.write).toHaveBeenCalledWith(
+        expect.stringContaining('429 Too Many Requests'),
+      );
+    });
+  });
+
+  describe('attachContainerLogStreamWebSocketServer', () => {
+    test('uses default ip-based key resolver when identity-aware keying is disabled', async () => {
+      const webSocketUpgradeSpy = vi
+        .spyOn(WebSocketServer.prototype, 'handleUpgrade')
+        .mockImplementation((_request, _socket, _head, callback) => {
+          const ws = new EventEmitter() as EventEmitter & {
+            send: ReturnType<typeof vi.fn>;
+            close: ReturnType<typeof vi.fn>;
+          };
+          ws.send = vi.fn();
+          ws.close = vi.fn(() => {
+            ws.emit('close');
+          });
+          callback(ws as any);
+        });
+      const getStateSpy = vi.spyOn(registry, 'getState').mockReturnValue({
+        watcher: {
+          'docker.local': {
+            dockerApi: {
+              getContainer: vi.fn(() => ({
+                logs: vi
+                  .fn()
+                  .mockResolvedValue(dockerFrame('2026-01-01T00:00:00.000000000Z hello\n', 1)),
+              })),
+            },
+          },
+        },
+      } as any);
+      const getContainerSpy = vi.spyOn(storeContainer, 'getContainer').mockReturnValue({
+        id: 'c1',
+        name: 'default-key-container',
+        watcher: 'local',
+        status: 'running',
+      } as any);
+      const listeners: Array<(request: unknown, socket: unknown, head: Buffer) => void> = [];
+      const server = {
+        on: vi.fn(
+          (
+            _event: 'upgrade',
+            listener: (request: unknown, socket: unknown, head: Buffer) => void,
+          ) => {
+            listeners.push(listener);
+          },
+        ),
+      };
+
+      try {
+        attachContainerLogStreamWebSocketServer({
+          server: server as any,
+          sessionMiddleware: (req: any, _res: unknown, next: (error?: unknown) => void) => {
+            req.session = { passport: { user: '{"username":"alice"}' } };
+            req.sessionID = 'session-1';
+            next();
+          },
+          serverConfiguration: {
+            ratelimit: { identitykeying: false },
+          },
+        });
+
+        const socket = createUpgradeSocket();
+        listeners[0](
+          createUpgradeRequest('/api/v1/containers/c1/logs/stream') as any,
+          socket as any,
+          Buffer.alloc(0),
+        );
+        await new Promise((resolve) => setImmediate(resolve));
+      } finally {
+        webSocketUpgradeSpy.mockRestore();
+        getStateSpy.mockRestore();
+        getContainerSpy.mockRestore();
+      }
+    });
+
+    test('registers an upgrade listener', async () => {
+      const getStateSpy = vi.spyOn(registry, 'getState').mockReturnValue({ watcher: {} } as any);
+      const getContainerSpy = vi.spyOn(storeContainer, 'getContainer').mockReturnValue(undefined);
+      const upgradeListeners: Array<(request: unknown, socket: unknown, head: Buffer) => void> = [];
+      const server = {
+        on: vi.fn(
+          (
+            _event: 'upgrade',
+            listener: (request: unknown, socket: unknown, head: Buffer) => void,
+          ) => {
+            upgradeListeners.push(listener);
+          },
+        ),
+      };
+
+      try {
+        const gateway = attachContainerLogStreamWebSocketServer({
+          server: server as any,
+          sessionMiddleware: (_req: any, _res: unknown, next: (error?: unknown) => void) => next(),
+          serverConfiguration: {
+            ratelimit: { identitykeying: true },
+          },
+        });
+
+        expect(gateway).toBeDefined();
+        expect(server.on).toHaveBeenCalledWith('upgrade', expect.any(Function));
+        expect(upgradeListeners).toHaveLength(1);
+        const socket = createUpgradeSocket();
+        (upgradeListeners[0] as any)(
+          createUpgradeRequest('/api/v1/containers/c1/not-logs') as any,
+          socket,
+          Buffer.alloc(0),
+        );
+        await new Promise((resolve) => setImmediate(resolve));
+        expect(socket.write).not.toHaveBeenCalled();
+      } finally {
+        getStateSpy.mockRestore();
+        getContainerSpy.mockRestore();
+      }
+    });
+
+    test('falls back to ip key when identity-aware key generator returns an empty key', async () => {
+      const createKeySpy = vi
+        .spyOn(rateLimitKey, 'createAuthenticatedRouteRateLimitKeyGenerator')
+        .mockReturnValue(() => '' as any);
+      const webSocketUpgradeSpy = vi
+        .spyOn(WebSocketServer.prototype, 'handleUpgrade')
+        .mockImplementation((_request, _socket, _head, callback) => {
+          const ws = new EventEmitter() as EventEmitter & {
+            send: ReturnType<typeof vi.fn>;
+            close: ReturnType<typeof vi.fn>;
+          };
+          ws.send = vi.fn();
+          ws.close = vi.fn();
+          callback(ws as any);
+        });
+      const getStateSpy = vi.spyOn(registry, 'getState').mockReturnValue({
+        watcher: {
+          'docker.local': {
+            dockerApi: {
+              getContainer: vi.fn(() => ({
+                logs: vi
+                  .fn()
+                  .mockResolvedValue(dockerFrame('2026-01-01T00:00:00.000000000Z hello\n', 1)),
+              })),
+            },
+          },
+        },
+      } as any);
+      const getContainerSpy = vi.spyOn(storeContainer, 'getContainer').mockReturnValue({
+        id: 'c1',
+        name: 'fallback-container',
+        watcher: 'local',
+        status: 'running',
+      } as any);
+      const listeners: Array<(request: unknown, socket: unknown, head: Buffer) => void> = [];
+      const server = {
+        on: vi.fn(
+          (
+            _event: 'upgrade',
+            listener: (request: unknown, socket: unknown, head: Buffer) => void,
+          ) => {
+            listeners.push(listener);
+          },
+        ),
+      };
+
+      try {
+        attachContainerLogStreamWebSocketServer({
+          server: server as any,
+          sessionMiddleware: (req: any, _res: unknown, next: (error?: unknown) => void) => {
+            req.session = { passport: { user: '{"username":"alice"}' } };
+            req.sessionID = 'session-1';
+            next();
+          },
+          serverConfiguration: {
+            ratelimit: { identitykeying: true },
+          },
+        });
+
+        const socket = createUpgradeSocket();
+        listeners[0](
+          createUpgradeRequest('/api/v1/containers/c1/logs/stream') as any,
+          socket as any,
+          Buffer.alloc(0),
+        );
+        await new Promise((resolve) => setImmediate(resolve));
+      } finally {
+        createKeySpy.mockRestore();
+        webSocketUpgradeSpy.mockRestore();
+        getStateSpy.mockRestore();
+        getContainerSpy.mockRestore();
+      }
+    });
+
+    test('uses generated identity-aware keys when available', async () => {
+      const webSocketUpgradeSpy = vi
+        .spyOn(WebSocketServer.prototype, 'handleUpgrade')
+        .mockImplementation((_request, _socket, _head, callback) => {
+          const ws = new EventEmitter() as EventEmitter & {
+            send: ReturnType<typeof vi.fn>;
+            close: ReturnType<typeof vi.fn>;
+          };
+          ws.send = vi.fn();
+          ws.close = vi.fn();
+          callback(ws as any);
+        });
+      const getStateSpy = vi.spyOn(registry, 'getState').mockReturnValue({
+        watcher: {
+          'docker.local': {
+            dockerApi: {
+              getContainer: vi.fn(() => ({
+                logs: vi
+                  .fn()
+                  .mockResolvedValue(dockerFrame('2026-01-01T00:00:00.000000000Z hello\n', 1)),
+              })),
+            },
+          },
+        },
+      } as any);
+      const getContainerSpy = vi.spyOn(storeContainer, 'getContainer').mockReturnValue({
+        id: 'c1',
+        name: 'identity-key-container',
+        watcher: 'local',
+        status: 'running',
+      } as any);
+      const listeners: Array<(request: unknown, socket: unknown, head: Buffer) => void> = [];
+      const server = {
+        on: vi.fn(
+          (
+            _event: 'upgrade',
+            listener: (request: unknown, socket: unknown, head: Buffer) => void,
+          ) => {
+            listeners.push(listener);
+          },
+        ),
+      };
+
+      try {
+        attachContainerLogStreamWebSocketServer({
+          server: server as any,
+          sessionMiddleware: (req: any, _res: unknown, next: (error?: unknown) => void) => {
+            req.session = { passport: { user: '{"username":"alice"}' } };
+            req.sessionID = 'session-identity';
+            next();
+          },
+          serverConfiguration: {
+            ratelimit: { identitykeying: true },
+          },
+        });
+
+        const socket = createUpgradeSocket();
+        listeners[0](
+          createUpgradeRequest('/api/v1/containers/c1/logs/stream') as any,
+          socket as any,
+          Buffer.alloc(0),
+        );
+        await new Promise((resolve) => setImmediate(resolve));
+      } finally {
+        webSocketUpgradeSpy.mockRestore();
+        getStateSpy.mockRestore();
+        getContainerSpy.mockRestore();
+      }
+    });
+
+    test('uses getServerConfiguration when serverConfiguration is omitted', async () => {
+      const serverConfigurationSpy = vi
+        .spyOn(configuration, 'getServerConfiguration')
+        .mockReturnValue({ ratelimit: { identitykeying: false } } as any);
+      const server = {
+        on: vi.fn(),
+      };
+
+      try {
+        attachContainerLogStreamWebSocketServer({
+          server: server as any,
+          sessionMiddleware: (_req: any, _res: unknown, next: (error?: unknown) => void) => next(),
+        });
+
+        expect(serverConfigurationSpy).toHaveBeenCalled();
+        expect(server.on).toHaveBeenCalledWith('upgrade', expect.any(Function));
+      } finally {
+        serverConfigurationSpy.mockRestore();
+      }
+    });
+  });
+});
diff --git a/app/api/container/log-stream.ts b/app/api/container/log-stream.ts
new file mode 100644
index 000000000..90ed046c9
--- /dev/null
+++ b/app/api/container/log-stream.ts
@@ -0,0 +1,500 @@
+import type { IncomingMessage } from 'node:http';
+import type { Socket } from 'node:net';
+import type { Readable } from 'node:stream';
+import { type WebSocket, WebSocketServer } from 'ws';
+import { getServerConfiguration } from '../../configuration/index.js';
+import type { Container } from '../../model/container.js';
+import * as registry from '../../registry/index.js';
+import * as storeContainer from '../../store/container.js';
+import { getErrorMessage } from '../../util/error.js';
+import {
+  applySessionMiddleware,
+  createFixedWindowRateLimiter,
+  createIdentityAwareUpgradeRateLimitKeyResolver,
+  getDefaultRateLimitKey,
+  isAuthenticatedSession,
+  isOriginAllowed,
+  type SessionMiddleware,
+  type UpgradeRequest,
+  writeUpgradeError,
+} from '../ws-upgrade-utils.js';
+import { isLocalDockerWatcherApi } from './logs.js';
+
+const STREAM_ROUTE_PATTERN = /^\/api(?:\/v1)?\/containers\/([^/]+)\/logs\/stream$/;
+const RATE_LIMIT_WINDOW_MS = 15 * 60 * 1000;
+const RATE_LIMIT_MAX = 1000;
+const CLOSE_CODE_CONTAINER_NOT_RUNNING = 4001;
+const CLOSE_CODE_CONTAINER_NOT_FOUND = 4004;
+
+type WebSocketLike = Pick<WebSocket, 'close' | 'on' | 'send'> & {
+  off?: (event: 'close' | 'error', listener: () => void) => void;
+};
+
+type WebSocketServerLike = {
+  handleUpgrade: (
+    request: IncomingMessage,
+    socket: Socket,
+    head: Buffer,
+    callback: (webSocket: WebSocketLike) => void,
+  ) => void;
+};
+
+interface ParsedContainerLogStreamQuery {
+  stdout: boolean;
+  stderr: boolean;
+  tail: number;
+  since: number;
+  follow: boolean;
+}
+
+interface DockerLogFrame {
+  type: 'stdout' | 'stderr';
+  payload: string;
+}
+
+interface DockerLogMessage {
+  type: 'stdout' | 'stderr';
+  ts: string;
+  line: string;
+}
+
+interface LogStreamContainerApi {
+  getContainer: (id: string) => Container | undefined;
+}
+
+interface LocalDockerContainerApi {
+  logs: (options: {
+    follow: boolean;
+    stdout: boolean;
+    stderr: boolean;
+    tail: number;
+    since: number;
+    timestamps: boolean;
+  }) => Promise<Buffer | string | Uint8Array | Readable>;
+}
+
+interface LocalDockerWatcherApi {
+  dockerApi?: {
+    getContainer: (containerName: string) => LocalDockerContainerApi;
+  };
+}
+
+interface ContainerLogStreamGatewayDependencies {
+  getContainer: LogStreamContainerApi['getContainer'];
+  getWatchers: () => Record<string, unknown>;
+  sessionMiddleware?: SessionMiddleware;
+  webSocketServer?: WebSocketServerLike;
+  isRateLimited?: (key: string) => boolean;
+  getRateLimitKey?: (request: UpgradeRequest, authenticated: boolean) => string;
+  getErrorMessage?: (error: unknown) => string;
+}
+
+function parseBooleanParam(rawValue: string | null, fallback: boolean): boolean {
+  if (rawValue === null) {
+    return fallback;
+  }
+  if (rawValue === 'true') {
+    return true;
+  }
+  if (rawValue === 'false') {
+    return false;
+  }
+  return fallback;
+}
+
+function parseIntegerParam(rawValue: string | null, fallback: number): number {
+  if (rawValue === null) {
+    return fallback;
+  }
+  const parsedValue = Number.parseInt(rawValue, 10);
+  if (!Number.isFinite(parsedValue) || parsedValue < 0) {
+    return fallback;
+  }
+  return parsedValue;
+}
+
+function parseSinceParam(rawValue: string | null, fallback: number): number {
+  if (rawValue === null) {
+    return fallback;
+  }
+
+  const trimmedValue = rawValue.trim();
+  if (/^[0-9]+$/.test(trimmedValue)) {
+    const parsedNumericValue = parseIntegerParam(trimmedValue, Number.NaN);
+    if (Number.isFinite(parsedNumericValue)) {
+      return parsedNumericValue;
+    }
+  }
+
+  const parsedTimestamp = Date.parse(trimmedValue);
+  if (!Number.isNaN(parsedTimestamp) && parsedTimestamp >= 0) {
+    return Math.floor(parsedTimestamp / 1000);
+  }
+
+  return fallback;
+}
+
+export function parseContainerLogStreamQuery(
+  query: URLSearchParams,
+): ParsedContainerLogStreamQuery {
+  return {
+    stdout: parseBooleanParam(query.get('stdout'), true),
+    stderr: parseBooleanParam(query.get('stderr'), true),
+    tail: parseIntegerParam(query.get('tail'), 100),
+    since: parseSinceParam(query.get('since'), 0),
+    follow: parseBooleanParam(query.get('follow'), true),
+  };
+}
+
+function parseContainerIdFromUpgradeUrl(rawUrl: string | undefined):
+  | {
+      containerId: string;
+      query: ParsedContainerLogStreamQuery;
+    }
+  | undefined {
+  if (!rawUrl) {
+    return undefined;
+  }
+
+  let parsedUrl: URL;
+  try {
+    parsedUrl = new URL(rawUrl, 'http://localhost');
+  } catch {
+    return undefined;
+  }
+
+  const routeMatch = parsedUrl.pathname.match(STREAM_ROUTE_PATTERN);
+  if (!routeMatch?.[1]) {
+    return undefined;
+  }
+
+  let containerId = routeMatch[1];
+  try {
+    containerId = decodeURIComponent(containerId);
+  } catch {
+    return undefined;
+  }
+
+  return {
+    containerId,
+    query: parseContainerLogStreamQuery(parsedUrl.searchParams),
+  };
+}
+
+function isReadableStream(value: unknown): value is Readable {
+  return (
+    !!value &&
+    typeof value === 'object' &&
+    typeof (value as { on?: unknown }).on === 'function' &&
+    typeof (value as { destroy?: unknown }).destroy === 'function'
+  );
+}
+
+export function createDockerLogFrameDemuxer() {
+  let bufferedChunk = Buffer.alloc(0);
+
+  return {
+    push(chunk: Buffer | string | Uint8Array): DockerLogFrame[] {
+      const chunkBuffer = Buffer.from(chunk);
+      bufferedChunk =
+        bufferedChunk.length > 0 ? Buffer.concat([bufferedChunk, chunkBuffer]) : chunkBuffer;
+
+      const frames: DockerLogFrame[] = [];
+      while (bufferedChunk.length >= 8) {
+        const streamType = bufferedChunk[0];
+        const payloadSize = bufferedChunk.readUInt32BE(4);
+        if (bufferedChunk.length < 8 + payloadSize) {
+          break;
+        }
+
+        const payload = bufferedChunk.subarray(8, 8 + payloadSize).toString('utf8');
+        bufferedChunk = bufferedChunk.subarray(8 + payloadSize);
+
+        if (streamType === 1) {
+          frames.push({ type: 'stdout', payload });
+        } else if (streamType === 2) {
+          frames.push({ type: 'stderr', payload });
+        }
+      }
+      return frames;
+    },
+  };
+}
+
+function splitTimestampedLogLine(rawLine: string): { ts: string; line: string } {
+  const separatorIndex = rawLine.indexOf(' ');
+  if (separatorIndex <= 0) {
+    return { ts: '', line: rawLine };
+  }
+  return {
+    ts: rawLine.slice(0, separatorIndex),
+    line: rawLine.slice(separatorIndex + 1),
+  };
+}
+
+export function createDockerLogMessageDecoder() {
+  const trailingPartialByStream: Record<'stdout' | 'stderr', string> = {
+    stdout: '',
+    stderr: '',
+  };
+
+  return {
+    push(frame: DockerLogFrame): DockerLogMessage[] {
+      const combinedPayload = trailingPartialByStream[frame.type] + frame.payload;
+      const splitLines = combinedPayload.split('\n');
+      trailingPartialByStream[frame.type] = splitLines.pop() ?? '';
+
+      return splitLines.map((line) => {
+        const normalizedLine = line.endsWith('\r') ? line.slice(0, -1) : line;
+        const { ts, line: messageLine } = splitTimestampedLogLine(normalizedLine);
+        return {
+          type: frame.type,
+          ts,
+          line: messageLine,
+        };
+      });
+    },
+    flush(): DockerLogMessage[] {
+      const messages: DockerLogMessage[] = [];
+      for (const type of ['stdout', 'stderr'] as const) {
+        const trailingLine = trailingPartialByStream[type];
+        if (trailingLine.length === 0) {
+          continue;
+        }
+        const normalizedLine = trailingLine.endsWith('\r')
+          ? trailingLine.slice(0, -1)
+          : trailingLine;
+        const { ts, line } = splitTimestampedLogLine(normalizedLine);
+        messages.push({ type, ts, line });
+        trailingPartialByStream[type] = '';
+      }
+      return messages;
+    },
+  };
+}
+
+async function streamContainerLogsToWebSocket({
+  webSocket,
+  containerId,
+  query,
+  getContainer,
+  getWatchers,
+  getErrorMessage,
+}: {
+  webSocket: WebSocketLike;
+  containerId: string;
+  query: ParsedContainerLogStreamQuery;
+  getContainer: ContainerLogStreamGatewayDependencies['getContainer'];
+  getWatchers: ContainerLogStreamGatewayDependencies['getWatchers'];
+  getErrorMessage: (error: unknown) => string;
+}): Promise<void> {
+  const container = getContainer(containerId);
+  if (!container) {
+    webSocket.close(CLOSE_CODE_CONTAINER_NOT_FOUND, 'Container not found');
+    return;
+  }
+  if (container.status !== 'running') {
+    webSocket.close(CLOSE_CODE_CONTAINER_NOT_RUNNING, 'Container not running');
+    return;
+  }
+
+  const watcher = getWatchers()[`docker.${container.watcher}`];
+  if (!isLocalDockerWatcherApi(watcher) || !watcher.dockerApi) {
+    webSocket.close(1011, 'Watcher not available');
+    return;
+  }
+
+  let dockerStream: Buffer | string | Uint8Array | Readable;
+  try {
+    dockerStream = await watcher.dockerApi.getContainer(container.name).logs({
+      follow: query.follow,
+      stdout: query.stdout,
+      stderr: query.stderr,
+      tail: query.tail,
+      since: query.since,
+      timestamps: true,
+    });
+  } catch (error: unknown) {
+    webSocket.close(1011, `Unable to open logs (${getErrorMessage(error)})`);
+    return;
+  }
+
+  const demuxer = createDockerLogFrameDemuxer();
+  const decoder = createDockerLogMessageDecoder();
+
+  const emitMessages = (messages: DockerLogMessage[]): boolean => {
+    for (const message of messages) {
+      try {
+        webSocket.send(JSON.stringify(message));
+      } catch {
+        return false;
+      }
+    }
+    return true;
+  };
+
+  const emitChunk = (chunk: Buffer | string | Uint8Array): boolean => {
+    const frames = demuxer.push(chunk);
+    for (const frame of frames) {
+      if (!emitMessages(decoder.push(frame))) {
+        return false;
+      }
+    }
+    return true;
+  };
+
+  if (!isReadableStream(dockerStream)) {
+    if (emitChunk(dockerStream) && emitMessages(decoder.flush())) {
+      webSocket.close(1000, 'Stream complete');
+    }
+    return;
+  }
+
+  let cleaned = false;
+  const cleanup = () => {
+    if (cleaned) {
+      return;
+    }
+    cleaned = true;
+    dockerStream.off('data', handleData);
+    dockerStream.off('end', handleEnd);
+    dockerStream.off('error', handleError);
+    webSocket.off?.('close', handleWebSocketClose);
+    webSocket.off?.('error', handleWebSocketError);
+    dockerStream.destroy();
+  };
+
+  const handleData = (chunk: Buffer | string | Uint8Array) => {
+    if (!emitChunk(chunk)) {
+      cleanup();
+    }
+  };
+  const handleEnd = () => {
+    emitMessages(decoder.flush());
+    try {
+      webSocket.close(1000, 'Stream ended');
+    } catch {
+      /* socket already closed */
+    }
+    cleanup();
+  };
+  const handleError = (error: unknown) => {
+    try {
+      webSocket.close(1011, `Log stream error (${getErrorMessage(error)})`);
+    } catch {
+      /* socket already closed */
+    }
+    cleanup();
+  };
+  const handleWebSocketClose = () => {
+    cleanup();
+  };
+  const handleWebSocketError = () => {
+    cleanup();
+  };
+
+  dockerStream.on('data', handleData);
+  dockerStream.on('end', handleEnd);
+  dockerStream.on('error', handleError);
+  webSocket.on('close', handleWebSocketClose);
+  webSocket.on('error', handleWebSocketError);
+}
+
+export function createContainerLogStreamGateway(
+  dependencies: ContainerLogStreamGatewayDependencies,
+) {
+  const {
+    getContainer,
+    getWatchers,
+    sessionMiddleware,
+    webSocketServer = new WebSocketServer({ noServer: true }),
+    isRateLimited = (() => {
+      const limiter = createFixedWindowRateLimiter({
+        windowMs: RATE_LIMIT_WINDOW_MS,
+        max: RATE_LIMIT_MAX,
+      });
+      return (key: string) => !limiter.consume(key);
+    })(),
+    getRateLimitKey = (request: UpgradeRequest) => getDefaultRateLimitKey(request),
+    getErrorMessage: getLogStreamErrorMessage = getErrorMessage,
+  } = dependencies;
+
+  return {
+    async handleUpgrade(request: IncomingMessage, socket: Socket, head: Buffer): Promise<void> {
+      const parsedRequest = parseContainerIdFromUpgradeUrl(request.url);
+      if (!parsedRequest) {
+        return;
+      }
+
+      if (!isOriginAllowed(request)) {
+        writeUpgradeError(socket, 403, 'Forbidden');
+        return;
+      }
+
+      if (!sessionMiddleware) {
+        writeUpgradeError(socket, 503, 'Session middleware unavailable');
+        return;
+      }
+
+      try {
+        await applySessionMiddleware(sessionMiddleware, request);
+      } catch {
+        writeUpgradeError(socket, 401, 'Unauthorized');
+        return;
+      }
+
+      const upgradeRequest = request as UpgradeRequest;
+      const authenticated = isAuthenticatedSession(upgradeRequest);
+      const rateLimitKey = getRateLimitKey(upgradeRequest, authenticated);
+      if (isRateLimited(rateLimitKey)) {
+        writeUpgradeError(socket, 429, 'Too Many Requests');
+        return;
+      }
+      if (!authenticated) {
+        writeUpgradeError(socket, 401, 'Unauthorized');
+        return;
+      }
+
+      await new Promise<void>((resolve) => {
+        webSocketServer.handleUpgrade(request, socket, head, (webSocket) => {
+          void streamContainerLogsToWebSocket({
+            webSocket,
+            containerId: parsedRequest.containerId,
+            query: parsedRequest.query,
+            getContainer,
+            getWatchers,
+            getErrorMessage: getLogStreamErrorMessage,
+          }).finally(resolve);
+        });
+      });
+    },
+  };
+}
+
+export function attachContainerLogStreamWebSocketServer(options: {
+  server: {
+    on: (
+      event: 'upgrade',
+      listener: (request: IncomingMessage, socket: Socket, head: Buffer) => void,
+    ) => void;
+  };
+  sessionMiddleware?: SessionMiddleware;
+  serverConfiguration?: Record<string, unknown>;
+  isRateLimited?: (key: string) => boolean;
+}) {
+  const serverConfiguration =
+    options.serverConfiguration ?? (getServerConfiguration() as Record<string, unknown>);
+  const gateway = createContainerLogStreamGateway({
+    getContainer: storeContainer.getContainer,
+    getWatchers: () => registry.getState().watcher,
+    sessionMiddleware: options.sessionMiddleware,
+    getRateLimitKey: createIdentityAwareUpgradeRateLimitKeyResolver(serverConfiguration),
+    isRateLimited: options.isRateLimited,
+  });
+
+  options.server.on('upgrade', (request, socket, head) => {
+    void gateway.handleUpgrade(request, socket, head);
+  });
+
+  return gateway;
+}
diff --git a/app/api/container/logs.test.ts b/app/api/container/logs.test.ts
index f0ef419c7..591768053 100644
--- a/app/api/container/logs.test.ts
+++ b/app/api/container/logs.test.ts
@@ -1,5 +1,11 @@
 import { describe, expect, test } from 'vitest';
-import { isLocalDockerWatcherApi } from './logs.js';
+import { createMockResponse } from '../../test/helpers.js';
+import {
+  createLogHandlers,
+  demuxDockerStream,
+  isLocalDockerWatcherApi,
+  parseContainerLogDownloadQuery,
+} from './logs.js';
 
 describe('api/container/logs', () => {
   describe('isLocalDockerWatcherApi', () => {
@@ -30,4 +36,238 @@ describe('api/container/logs', () => {
       expect(isLocalDockerWatcherApi(watcher)).toBe(true);
     });
   });
+
+  describe('parseContainerLogDownloadQuery', () => {
+    test('returns expected defaults', () => {
+      expect(parseContainerLogDownloadQuery({} as any)).toEqual({
+        stdout: true,
+        stderr: true,
+        tail: 1000,
+        since: 0,
+        timestamps: true,
+      });
+    });
+
+    test('parses boolean, integer, and ISO timestamp query params', () => {
+      expect(
+        parseContainerLogDownloadQuery({
+          stdout: 'false',
+          stderr: ['true'],
+          tail: '250',
+          since: '2026-01-01T00:00:00.000Z',
+        } as any),
+      ).toEqual({
+        stdout: false,
+        stderr: true,
+        tail: 250,
+        since: 1767225600,
+        timestamps: true,
+      });
+    });
+
+    test('falls back to default since when timestamp parsing fails', () => {
+      expect(
+        parseContainerLogDownloadQuery({
+          since: 'not-a-time',
+        } as any),
+      ).toEqual({
+        stdout: true,
+        stderr: true,
+        tail: 1000,
+        since: 0,
+        timestamps: true,
+      });
+    });
+
+    test('uses first array value for since query param', () => {
+      expect(
+        parseContainerLogDownloadQuery({
+          since: ['1700000000', '1700000001'],
+        } as any),
+      ).toEqual({
+        stdout: true,
+        stderr: true,
+        tail: 1000,
+        since: 1700000000,
+        timestamps: true,
+      });
+    });
+
+    test('falls back when numeric since overflows finite bounds', () => {
+      expect(
+        parseContainerLogDownloadQuery({
+          since: '9'.repeat(400),
+        } as any),
+      ).toEqual({
+        stdout: true,
+        stderr: true,
+        tail: 1000,
+        since: 0,
+        timestamps: true,
+      });
+    });
+  });
+
+  describe('demuxDockerStream', () => {
+    test('joins complete multiplexed frames', () => {
+      const payloadA = Buffer.from('line a\n', 'utf8');
+      const payloadB = Buffer.from('line b\n', 'utf8');
+      const headerA = Buffer.alloc(8);
+      const headerB = Buffer.alloc(8);
+      headerA[0] = 1;
+      headerB[0] = 2;
+      headerA.writeUInt32BE(payloadA.length, 4);
+      headerB.writeUInt32BE(payloadB.length, 4);
+
+      const buffer = Buffer.concat([headerA, payloadA, headerB, payloadB]);
+      expect(demuxDockerStream(buffer)).toBe('line a\nline b\n');
+    });
+
+    test('ignores truncated trailing frames', () => {
+      const payload = Buffer.from('line a\n', 'utf8');
+      const header = Buffer.alloc(8);
+      header[0] = 1;
+      header.writeUInt32BE(100, 4);
+      const truncated = Buffer.concat([header, payload]);
+      expect(demuxDockerStream(truncated)).toBe('');
+    });
+  });
+
+  describe('agent payload normalization', () => {
+    test('supports agent payloads returned as plain string', async () => {
+      const handlers = createLogHandlers({
+        storeContainer: {
+          getContainer: vi.fn(() => ({
+            id: 'c1',
+            name: 'test',
+            watcher: 'local',
+            status: 'running',
+            agent: 'remote',
+          })),
+        },
+        getAgent: vi.fn(() => ({
+          getContainerLogs: vi.fn().mockResolvedValue('string logs'),
+        })),
+        getWatchers: vi.fn(() => ({})),
+        getErrorMessage: vi.fn(() => 'error'),
+      } as any);
+
+      const res = createMockResponse();
+      await handlers.getContainerLogs(
+        {
+          params: { id: 'c1' },
+          query: {},
+          headers: {},
+        } as any,
+        res as any,
+      );
+
+      expect(res.send).toHaveBeenCalledWith('string logs');
+    });
+
+    test('falls back to empty payload when agent response is not recognized', async () => {
+      const handlers = createLogHandlers({
+        storeContainer: {
+          getContainer: vi.fn(() => ({
+            id: 'c1',
+            name: 'test',
+            watcher: 'local',
+            status: 'running',
+            agent: 'remote',
+          })),
+        },
+        getAgent: vi.fn(() => ({
+          getContainerLogs: vi.fn().mockResolvedValue({}),
+        })),
+        getWatchers: vi.fn(() => ({})),
+        getErrorMessage: vi.fn(() => 'error'),
+      } as any);
+
+      const res = createMockResponse();
+      await handlers.getContainerLogs(
+        {
+          params: { id: 'c1' },
+          query: {},
+          headers: {},
+        } as any,
+        res as any,
+      );
+
+      expect(res.send).toHaveBeenCalledWith('');
+    });
+
+    test('falls back to empty payload when agent response is null', async () => {
+      const handlers = createLogHandlers({
+        storeContainer: {
+          getContainer: vi.fn(() => ({
+            id: 'c1',
+            name: 'test',
+            watcher: 'local',
+            status: 'running',
+            agent: 'remote',
+          })),
+        },
+        getAgent: vi.fn(() => ({
+          getContainerLogs: vi.fn().mockResolvedValue(null),
+        })),
+        getWatchers: vi.fn(() => ({})),
+        getErrorMessage: vi.fn(() => 'error'),
+      } as any);
+
+      const res = createMockResponse();
+      await handlers.getContainerLogs(
+        {
+          params: { id: 'c1' },
+          query: {},
+          headers: {},
+        } as any,
+        res as any,
+      );
+
+      expect(res.send).toHaveBeenCalledWith('');
+    });
+  });
+
+  describe('download response headers', () => {
+    test('supports array-form accept-encoding headers and empty container names', async () => {
+      const handlers = createLogHandlers({
+        storeContainer: {
+          getContainer: vi.fn(() => ({
+            id: 'c1',
+            name: '',
+            watcher: 'local',
+            status: 'running',
+          })),
+        },
+        getAgent: vi.fn(() => undefined),
+        getWatchers: vi.fn(() => ({
+          'docker.local': {
+            dockerApi: {
+              getContainer: vi.fn(() => ({
+                logs: vi.fn().mockResolvedValue(Buffer.alloc(0)),
+              })),
+            },
+          },
+        })),
+        getErrorMessage: vi.fn(() => 'error'),
+      } as any);
+
+      const res = createMockResponse();
+      await handlers.getContainerLogs(
+        {
+          params: { id: 'c1' },
+          query: {},
+          headers: { 'accept-encoding': ['br', 'gzip'] },
+        } as any,
+        res as any,
+      );
+
+      expect(res.setHeader).toHaveBeenCalledWith(
+        'Content-Disposition',
+        'attachment; filename="container-logs.txt.gz"',
+      );
+      expect(res.setHeader).toHaveBeenCalledWith('Content-Encoding', 'gzip');
+      expect(res.send).toHaveBeenCalledWith(expect.any(Buffer));
+    });
+  });
 });
diff --git a/app/api/container/logs.ts b/app/api/container/logs.ts
index 004ef306f..050b59d84 100644
--- a/app/api/container/logs.ts
+++ b/app/api/container/logs.ts
@@ -1,3 +1,4 @@
+import { gzipSync } from 'node:zlib';
 import type { Request, Response } from 'express';
 import type { AgentClient } from '../../agent/AgentClient.js';
 import type { Container } from '../../model/container.js';
@@ -13,7 +14,7 @@ interface LogStoreContainerApi {
 }
 
 interface LocalDockerContainerApi {
-  logs: (options: LocalDockerLogsOptions) => Promise<Buffer | string>;
+  logs: (options: LocalDockerLogsOptions) => Promise<Buffer | string | Uint8Array>;
 }
 
 interface LocalDockerWatcherApi {
@@ -23,6 +24,8 @@ interface LocalDockerWatcherApi {
 }
 
 interface ParsedContainerLogQuery {
+  stdout: boolean;
+  stderr: boolean;
   tail: number;
   since: number;
   timestamps: boolean;
@@ -37,7 +40,7 @@ interface LocalDockerLogsOptions {
   follow: boolean;
 }
 
-export interface LogHandlerDependencies {
+interface LogHandlerDependencies {
   storeContainer: LogStoreContainerApi;
   getAgent: (name: string) => AgentClient | undefined;
   getWatchers: () => Record<string, unknown>;
@@ -59,9 +62,9 @@ export function isLocalDockerWatcherApi(value: unknown): value is LocalDockerWat
  * Docker uses an 8-byte header per frame: [streamType(1), padding(3), size(4BE)].
  * This strips those headers and returns the raw log text.
  */
-function demuxDockerStream(buffer: Buffer | string | Uint8Array) {
+export function demuxDockerStream(buffer: Buffer | string | Uint8Array): string {
   const buf = Buffer.isBuffer(buffer) ? buffer : Buffer.from(buffer);
-  const lines = [];
+  const lines: string[] = [];
   let offset = 0;
   while (offset + 8 <= buf.length) {
     const size = buf.readUInt32BE(offset + 4);
@@ -73,18 +76,42 @@ function demuxDockerStream(buffer: Buffer | string | Uint8Array) {
   return lines.join('');
 }
 
-function parseContainerLogQuery(req: Request): ParsedContainerLogQuery {
+function parseSinceQueryParam(rawValue: unknown, fallback: number): number {
+  const value = Array.isArray(rawValue) ? rawValue[0] : rawValue;
+  if (typeof value !== 'string') {
+    return fallback;
+  }
+
+  const trimmedValue = value.trim();
+  if (/^[0-9]+$/.test(trimmedValue)) {
+    const parsedNumericValue = Number.parseInt(trimmedValue, 10);
+    if (Number.isFinite(parsedNumericValue) && parsedNumericValue >= 0) {
+      return parsedNumericValue;
+    }
+  }
+
+  const parsedTimestamp = Date.parse(trimmedValue);
+  if (!Number.isNaN(parsedTimestamp) && parsedTimestamp >= 0) {
+    return Math.floor(parsedTimestamp / 1000);
+  }
+
+  return fallback;
+}
+
+export function parseContainerLogDownloadQuery(query: Request['query']): ParsedContainerLogQuery {
   return {
-    tail: parseIntegerQueryParam(req.query.tail, 100),
-    since: parseIntegerQueryParam(req.query.since, 0),
-    timestamps: parseBooleanQueryParam(req.query.timestamps, true),
+    stdout: parseBooleanQueryParam(query.stdout, true),
+    stderr: parseBooleanQueryParam(query.stderr, true),
+    tail: parseIntegerQueryParam(query.tail, 1000),
+    since: parseSinceQueryParam(query.since, 0),
+    timestamps: parseBooleanQueryParam(query.timestamps, true),
   };
 }
 
 function buildLocalDockerLogsOptions(query: ParsedContainerLogQuery): LocalDockerLogsOptions {
   return {
-    stdout: true,
-    stderr: true,
+    stdout: query.stdout,
+    stderr: query.stderr,
     follow: false,
     tail: query.tail,
     since: query.since,
@@ -104,12 +131,65 @@ function resolveLocalDockerWatcher(
   return watcher;
 }
 
+function getAgentLogPayload(responsePayload: unknown): string {
+  if (typeof responsePayload === 'string') {
+    return responsePayload;
+  }
+  if (responsePayload && typeof responsePayload === 'object') {
+    const logs = (responsePayload as { logs?: unknown }).logs;
+    if (typeof logs === 'string') {
+      return logs;
+    }
+  }
+  return '';
+}
+
+function acceptsGzip(req: Request): boolean {
+  const rawAcceptEncoding = req.headers?.['accept-encoding'];
+  const normalizedAcceptEncoding = Array.isArray(rawAcceptEncoding)
+    ? rawAcceptEncoding.join(',')
+    : rawAcceptEncoding;
+  return typeof normalizedAcceptEncoding === 'string' && /\bgzip\b/i.test(normalizedAcceptEncoding);
+}
+
+function getDownloadFilename(container: Container, gzipEnabled: boolean): string {
+  const sanitizedName = container.name.replace(/[^a-zA-Z0-9._-]/g, '_') || 'container';
+  return gzipEnabled ? `${sanitizedName}-logs.txt.gz` : `${sanitizedName}-logs.txt`;
+}
+
+function sendLogDownloadResponse({
+  req,
+  res,
+  container,
+  logs,
+}: {
+  req: Request;
+  res: Response;
+  container: Container;
+  logs: string;
+}): void {
+  const gzipEnabled = acceptsGzip(req);
+  const filename = getDownloadFilename(container, gzipEnabled);
+  res.setHeader('Content-Type', 'text/plain; charset=utf-8');
+  res.setHeader('Content-Disposition', `attachment; filename="${filename}"`);
+  res.setHeader('Vary', 'Accept-Encoding');
+
+  if (gzipEnabled) {
+    res.setHeader('Content-Encoding', 'gzip');
+    res.status(200).send(gzipSync(Buffer.from(logs, 'utf8')));
+    return;
+  }
+
+  res.status(200).send(logs);
+}
+
 async function handleAgentContainerLogs({
   id,
   container,
   query,
   getAgent,
   getErrorMessage,
+  req,
   res,
 }: {
   id: string;
@@ -117,6 +197,7 @@ async function handleAgentContainerLogs({
   query: ParsedContainerLogQuery;
   getAgent: LogHandlerDependencies['getAgent'];
   getErrorMessage: LogHandlerDependencies['getErrorMessage'];
+  req: Request;
   res: Response;
 }): Promise<boolean> {
   if (!container.agent) {
@@ -129,8 +210,17 @@ async function handleAgentContainerLogs({
       sendErrorResponse(res, 500, `Agent ${container.agent} not found`);
       return true;
     }
-    const result = await agent.getContainerLogs(id, query);
-    res.status(200).json(result);
+    const result = await agent.getContainerLogs(id, {
+      tail: query.tail,
+      since: query.since,
+      timestamps: query.timestamps,
+    });
+    sendLogDownloadResponse({
+      req,
+      res,
+      container,
+      logs: getAgentLogPayload(result),
+    });
   } catch (error: unknown) {
     sendErrorResponse(res, 500, `Error fetching logs from agent (${getErrorMessage(error)})`);
   }
@@ -143,6 +233,7 @@ async function handleLocalContainerLogs({
   query,
   getWatchers,
   getErrorMessage,
+  req,
   res,
 }: {
   id: string;
@@ -150,6 +241,7 @@ async function handleLocalContainerLogs({
   query: ParsedContainerLogQuery;
   getWatchers: LogHandlerDependencies['getWatchers'];
   getErrorMessage: LogHandlerDependencies['getErrorMessage'];
+  req: Request;
   res: Response;
 }): Promise<void> {
   const watcher = resolveLocalDockerWatcher(container, getWatchers);
@@ -163,7 +255,7 @@ async function handleLocalContainerLogs({
       .getContainer(container.name)
       .logs(buildLocalDockerLogsOptions(query));
     const logs = demuxDockerStream(logsBuffer);
-    res.status(200).json({ logs });
+    sendLogDownloadResponse({ req, res, container, logs });
   } catch (error: unknown) {
     sendErrorResponse(res, 500, `Error fetching container logs (${getErrorMessage(error)})`);
   }
@@ -183,13 +275,14 @@ function createGetContainerLogsHandler({
       return;
     }
 
-    const query = parseContainerLogQuery(req);
+    const query = parseContainerLogDownloadQuery(req.query);
     const handledByAgent = await handleAgentContainerLogs({
       id,
       container,
       query,
       getAgent,
       getErrorMessage,
+      req,
       res,
     });
     if (handledByAgent) {
@@ -202,6 +295,7 @@ function createGetContainerLogsHandler({
       query,
       getWatchers,
       getErrorMessage,
+      req,
       res,
     });
   };
diff --git a/app/api/container/maturity-filter.test.ts b/app/api/container/maturity-filter.test.ts
new file mode 100644
index 000000000..d887ca0c0
--- /dev/null
+++ b/app/api/container/maturity-filter.test.ts
@@ -0,0 +1,22 @@
+import { describe, expect, test } from 'vitest';
+import type { Container } from '../../model/container.js';
+import { applyContainerMaturityFilter, parseContainerMaturityFilter } from './maturity-filter.js';
+
+describe('api/container/maturity-filter', () => {
+  test('parseContainerMaturityFilter normalizes valid values', () => {
+    expect(parseContainerMaturityFilter('HOT')).toBe('hot');
+    expect(parseContainerMaturityFilter('mature')).toBe('mature');
+    expect(parseContainerMaturityFilter('established')).toBe('established');
+  });
+
+  test('applyContainerMaturityFilter returns only hot containers', () => {
+    const containers = [
+      { id: 'c1', updateAge: 60_000 } as unknown as Container,
+      { id: 'c2', updateAge: 9 * 24 * 60 * 60 * 1000 } as unknown as Container,
+      { id: 'c3', updateAge: 35 * 24 * 60 * 60 * 1000 } as unknown as Container,
+    ];
+
+    const filtered = applyContainerMaturityFilter(containers, 'hot');
+    expect(filtered.map((container) => container.id)).toEqual(['c1']);
+  });
+});
diff --git a/app/api/container/maturity-filter.ts b/app/api/container/maturity-filter.ts
new file mode 100644
index 000000000..59bdb3103
--- /dev/null
+++ b/app/api/container/maturity-filter.ts
@@ -0,0 +1,66 @@
+import type { Container } from '../../model/container.js';
+import {
+  maturityMinAgeDaysToMilliseconds,
+  resolveMaturityMinAgeDays,
+} from '../../model/maturity-policy.js';
+import { getFirstNonEmptyQueryValue } from './query-values.js';
+import { getContainerUpdateAge } from './update-age.js';
+
+const DEFAULT_UI_MATURITY_THRESHOLD_DAYS = 7;
+const ESTABLISHED_UPDATE_AGE_DAYS = 30;
+
+export type ContainerMaturityFilter = 'hot' | 'mature' | 'established';
+
+export function parseContainerMaturityFilter(
+  maturityQuery: unknown,
+): ContainerMaturityFilter | undefined {
+  const normalized = getFirstNonEmptyQueryValue(maturityQuery)?.toLowerCase();
+  if (normalized === 'hot' || normalized === 'mature' || normalized === 'established') {
+    return normalized;
+  }
+  return undefined;
+}
+
+function resolveUiMaturityThresholdDays(): number {
+  return resolveMaturityMinAgeDays(
+    process.env.DD_UI_MATURITY_THRESHOLD_DAYS,
+    DEFAULT_UI_MATURITY_THRESHOLD_DAYS,
+  );
+}
+
+function resolveUiMaturityThresholdMs(): number {
+  return maturityMinAgeDaysToMilliseconds(resolveUiMaturityThresholdDays());
+}
+
+function getContainerMaturityLevel(
+  container: Container,
+  uiMaturityThresholdMs: number,
+): ContainerMaturityFilter | undefined {
+  const cachedLevel = container.updateMaturityLevel;
+  if (cachedLevel === 'hot' || cachedLevel === 'mature' || cachedLevel === 'established') {
+    return cachedLevel;
+  }
+
+  const updateAge = getContainerUpdateAge(container);
+  if (updateAge === undefined) {
+    return undefined;
+  }
+  if (updateAge >= maturityMinAgeDaysToMilliseconds(ESTABLISHED_UPDATE_AGE_DAYS)) {
+    return 'established';
+  }
+  return updateAge >= uiMaturityThresholdMs ? 'mature' : 'hot';
+}
+
+export function applyContainerMaturityFilter(
+  containers: Container[],
+  maturityFilter: ContainerMaturityFilter | undefined,
+): Container[] {
+  if (!maturityFilter) {
+    return containers;
+  }
+
+  const uiMaturityThresholdMs = resolveUiMaturityThresholdMs();
+  return containers.filter(
+    (container) => getContainerMaturityLevel(container, uiMaturityThresholdMs) === maturityFilter,
+  );
+}
diff --git a/app/api/container/query-values.ts b/app/api/container/query-values.ts
new file mode 100644
index 000000000..a3e72135f
--- /dev/null
+++ b/app/api/container/query-values.ts
@@ -0,0 +1,19 @@
+export function getFirstQueryValue(value: unknown): string | undefined {
+  if (Array.isArray(value)) {
+    for (const item of value) {
+      if (typeof item === 'string') {
+        return item.trim();
+      }
+    }
+    return undefined;
+  }
+  return typeof value === 'string' ? value.trim() : undefined;
+}
+
+export function getFirstNonEmptyQueryValue(value: unknown): string | undefined {
+  const queryValue = getFirstQueryValue(value);
+  if (!queryValue || queryValue.length === 0) {
+    return undefined;
+  }
+  return queryValue;
+}
diff --git a/app/api/container/security-overview.test.ts b/app/api/container/security-overview.test.ts
index 7d99f3ca7..fdbd9a7a1 100644
--- a/app/api/container/security-overview.test.ts
+++ b/app/api/container/security-overview.test.ts
@@ -202,4 +202,40 @@ describe('api/container/security-overview', () => {
     expect(response.totalContainers).toBe(25);
     expect(response.scannedContainers).toBe(1);
   });
+
+  test('keeps the current latest scan timestamp when a later container has an older valid timestamp', () => {
+    const response = buildSecurityVulnerabilityOverviewResponse(
+      [
+        createContainer({
+          id: 'first',
+          security: { scan: { scannedAt: '2026-02-20T00:00:00.000Z', vulnerabilities: [] } },
+        }),
+        createContainer({
+          id: 'second',
+          security: { scan: { scannedAt: '2026-02-10T00:00:00.000Z', vulnerabilities: [] } },
+        }),
+      ] as any[],
+      {} as any,
+    );
+
+    expect(response.latestScannedAt).toBe('2026-02-20T00:00:00.000Z');
+  });
+
+  test('falls back to lexicographic ordering when scannedAt values are not parseable dates', () => {
+    const response = buildSecurityVulnerabilityOverviewResponse(
+      [
+        createContainer({
+          id: 'first',
+          security: { scan: { scannedAt: 'aaa', vulnerabilities: [] } },
+        }),
+        createContainer({
+          id: 'second',
+          security: { scan: { scannedAt: 'zzz', vulnerabilities: [] } },
+        }),
+      ] as any[],
+      {} as any,
+    );
+
+    expect(response.latestScannedAt).toBe('zzz');
+  });
 });
diff --git a/app/api/container/security.ts b/app/api/container/security.ts
index 43b5e7c95..5df2e28a6 100644
--- a/app/api/container/security.ts
+++ b/app/api/container/security.ts
@@ -32,7 +32,7 @@ interface SecurityAlertPayload {
   container?: Container;
 }
 
-export interface SecurityHandlerDependencies {
+interface SecurityHandlerDependencies {
   storeContainer: SecurityStoreContainerApi;
   getSecurityConfiguration: () => SecurityConfiguration;
   SECURITY_SBOM_FORMATS: readonly SecuritySbomFormat[];
diff --git a/app/api/container/sorting.ts b/app/api/container/sorting.ts
new file mode 100644
index 000000000..c0f4e29fa
--- /dev/null
+++ b/app/api/container/sorting.ts
@@ -0,0 +1,199 @@
+import type { Container } from '../../model/container.js';
+import { getFirstNonEmptyQueryValue } from './query-values.js';
+import { getContainerUpdateAge } from './update-age.js';
+
+const DEFAULT_CONTAINER_SORT_MODE: ContainerSortMode = 'name';
+
+export const CONTAINER_SORT_MODES = [
+  'name',
+  '-name',
+  'status',
+  '-status',
+  'age',
+  '-age',
+  'created',
+  '-created',
+] as const;
+
+export type ContainerSortMode = (typeof CONTAINER_SORT_MODES)[number];
+
+export const CONTAINER_ORDER_VALUES = ['asc', 'desc'] as const;
+export type ContainerOrderDirection = (typeof CONTAINER_ORDER_VALUES)[number];
+
+type AscendingContainerSortMode = Exclude<
+  ContainerSortMode,
+  '-name' | '-status' | '-age' | '-created'
+>;
+
+export function parseContainerSortMode(sortQuery: unknown): ContainerSortMode {
+  const sortValue = getFirstNonEmptyQueryValue(sortQuery);
+  if (!sortValue || !isContainerSortMode(sortValue)) {
+    return DEFAULT_CONTAINER_SORT_MODE;
+  }
+  return sortValue;
+}
+
+export function resolveContainerSortMode(
+  sortQuery: unknown,
+  orderQuery: unknown,
+): ContainerSortMode {
+  const baseSortMode = parseContainerSortMode(sortQuery);
+  const orderValue = getFirstNonEmptyQueryValue(orderQuery)?.toLowerCase();
+
+  if (orderValue === 'desc') {
+    const normalizedSort = normalizeContainerSortMode(baseSortMode);
+    return `-${normalizedSort}` as ContainerSortMode;
+  }
+  if (orderValue === 'asc') {
+    return normalizeContainerSortMode(baseSortMode);
+  }
+
+  return baseSortMode;
+}
+
+export function getContainerNameForSort(container: Container): string {
+  return typeof container.name === 'string' ? container.name : '';
+}
+
+export function getContainerIdForSort(container: Container): string {
+  return typeof container.id === 'string' ? container.id : '';
+}
+
+export function getContainerWatcherForSort(container: Container): string {
+  return typeof container.watcher === 'string' ? container.watcher : '';
+}
+
+function sortContainersByAge(containers: Container[]): Container[] {
+  const ageMap = new Map<Container, number | undefined>();
+  const nameMap = new Map<Container, string>();
+  for (const container of containers) {
+    ageMap.set(container, getContainerUpdateAge(container));
+    nameMap.set(
+      container,
+      `${getContainerWatcherForSort(container)}.${getContainerNameForSort(container)}.${getContainerIdForSort(container)}`,
+    );
+  }
+  const sorted = [...containers];
+  sorted.sort((left, right) => {
+    const leftAge = ageMap.get(left);
+    const rightAge = ageMap.get(right);
+    if (leftAge !== undefined && rightAge !== undefined && leftAge !== rightAge) {
+      return rightAge - leftAge;
+    }
+    if (leftAge !== undefined && rightAge === undefined) {
+      return -1;
+    }
+    if (leftAge === undefined && rightAge !== undefined) {
+      return 1;
+    }
+    return (nameMap.get(left) as string).localeCompare(nameMap.get(right) as string);
+  });
+  return sorted;
+}
+
+function sortContainersByStatus(containers: Container[]): Container[] {
+  const containersSorted = [...containers];
+  containersSorted.sort((leftContainer, rightContainer) => {
+    if (leftContainer.updateAvailable !== rightContainer.updateAvailable) {
+      return leftContainer.updateAvailable ? -1 : 1;
+    }
+    return getContainerNameForSort(leftContainer).localeCompare(
+      getContainerNameForSort(rightContainer),
+    );
+  });
+  return containersSorted;
+}
+
+function sortContainersByCreatedDate(containers: Container[]): Container[] {
+  const createdMap = new Map<Container, number>();
+  for (const container of containers) {
+    const ms = Date.parse(container.image?.created || '');
+    createdMap.set(container, Number.isFinite(ms) ? ms : Number.NaN);
+  }
+  const containersSorted = [...containers];
+  containersSorted.sort((leftContainer, rightContainer) => {
+    const leftCreatedAtMs = createdMap.get(leftContainer) as number;
+    const rightCreatedAtMs = createdMap.get(rightContainer) as number;
+    const leftHasValidCreatedAt = !Number.isNaN(leftCreatedAtMs);
+    const rightHasValidCreatedAt = !Number.isNaN(rightCreatedAtMs);
+
+    if (leftHasValidCreatedAt && rightHasValidCreatedAt) {
+      if (leftCreatedAtMs !== rightCreatedAtMs) {
+        return leftCreatedAtMs - rightCreatedAtMs;
+      }
+      return getContainerNameForSort(leftContainer).localeCompare(
+        getContainerNameForSort(rightContainer),
+      );
+    }
+    if (leftHasValidCreatedAt !== rightHasValidCreatedAt) {
+      return leftHasValidCreatedAt ? -1 : 1;
+    }
+    return getContainerNameForSort(leftContainer).localeCompare(
+      getContainerNameForSort(rightContainer),
+    );
+  });
+  return containersSorted;
+}
+
+function sortContainersByName(containers: Container[]): Container[] {
+  const containersSorted = [...containers];
+  containersSorted.sort((leftContainer, rightContainer) => {
+    const nameCompare = getContainerNameForSort(leftContainer).localeCompare(
+      getContainerNameForSort(rightContainer),
+    );
+    return nameCompare;
+  });
+  return containersSorted;
+}
+
+export function isContainerSortMode(value: string): value is ContainerSortMode {
+  return (
+    value === 'name' ||
+    value === '-name' ||
+    value === 'status' ||
+    value === '-status' ||
+    value === 'age' ||
+    value === '-age' ||
+    value === 'created' ||
+    value === '-created'
+  );
+}
+
+export function normalizeContainerSortMode(
+  sortMode: ContainerSortMode,
+): AscendingContainerSortMode {
+  if (sortMode === '-name') {
+    return 'name';
+  }
+  if (sortMode === '-status') {
+    return 'status';
+  }
+  if (sortMode === '-age') {
+    return 'age';
+  }
+  if (sortMode === '-created') {
+    return 'created';
+  }
+  return sortMode;
+}
+
+export function sortContainers(containers: Container[], sortMode: ContainerSortMode): Container[] {
+  const isDescending = sortMode.startsWith('-');
+  const normalizedSortMode = normalizeContainerSortMode(sortMode);
+
+  let containersSorted: Container[];
+  if (normalizedSortMode === 'status') {
+    containersSorted = sortContainersByStatus(containers);
+  } else if (normalizedSortMode === 'age') {
+    containersSorted = sortContainersByAge(containers);
+  } else if (normalizedSortMode === 'created') {
+    containersSorted = sortContainersByCreatedDate(containers);
+  } else {
+    containersSorted = sortContainersByName(containers);
+  }
+
+  if (isDescending) {
+    containersSorted.reverse();
+  }
+  return containersSorted;
+}
diff --git a/app/api/container/stats.test.ts b/app/api/container/stats.test.ts
new file mode 100644
index 000000000..6b436277c
--- /dev/null
+++ b/app/api/container/stats.test.ts
@@ -0,0 +1,288 @@
+import { beforeEach, describe, expect, test, vi } from 'vitest';
+import logger from '../../log/index.js';
+import { createStatsHandlers } from './stats.js';
+
+function createResponse() {
+  const listeners: Record<string, (...args: unknown[]) => void> = {};
+  return {
+    status: vi.fn().mockReturnThis(),
+    json: vi.fn(),
+    writeHead: vi.fn(),
+    write: vi.fn().mockReturnValue(true),
+    flushHeaders: vi.fn(),
+    flush: vi.fn(),
+    on: vi.fn((event: string, handler: (...args: unknown[]) => void) => {
+      listeners[event] = handler;
+    }),
+    emit(event: string, ...args: unknown[]) {
+      listeners[event]?.(...args);
+    },
+  };
+}
+
+function createRequest(overrides: Record<string, unknown> = {}) {
+  const listeners: Record<string, (...args: unknown[]) => void> = {};
+  return {
+    params: {},
+    on: vi.fn((event: string, handler: (...args: unknown[]) => void) => {
+      listeners[event] = handler;
+    }),
+    emit(event: string, ...args: unknown[]) {
+      listeners[event]?.(...args);
+    },
+    ...overrides,
+  };
+}
+
+function createHarness() {
+  const containersById = new Map([
+    ['c1', { id: 'c1', name: 'web', status: 'running', watcher: 'local' }],
+    ['c2', { id: 'c2', name: 'db', watcher: 'local' }],
+  ]);
+  const getContainer = vi.fn((id: string) => containersById.get(id));
+  const getContainers = vi.fn(() => [...containersById.values()]);
+  const watch = vi.fn(() => vi.fn());
+  const touch = vi.fn();
+  let subscriptionHandler: ((snapshot: unknown) => void) | undefined;
+  const unsubscribe = vi.fn();
+  const subscribe = vi.fn((_containerId: string, handler: (snapshot: unknown) => void) => {
+    subscriptionHandler = handler;
+    return unsubscribe;
+  });
+  const getLatest = vi.fn((id: string) =>
+    id === 'c1'
+      ? {
+          containerId: 'c1',
+          cpuPercent: 10,
+        }
+      : undefined,
+  );
+  const getHistory = vi.fn((id: string) =>
+    id === 'c1' ? [{ containerId: 'c1', cpuPercent: 8 }] : [],
+  );
+
+  const handlers = createStatsHandlers({
+    storeContainer: {
+      getContainer,
+      getContainers,
+    },
+    statsCollector: {
+      watch,
+      touch,
+      subscribe,
+      getLatest,
+      getHistory,
+    },
+  });
+
+  return {
+    handlers,
+    getContainer,
+    getContainers,
+    watch,
+    touch,
+    subscribe,
+    getLatest,
+    getHistory,
+    unsubscribe,
+    emitSnapshot(snapshot: unknown) {
+      subscriptionHandler?.(snapshot);
+    },
+  };
+}
+
+describe('api/container/stats', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    vi.useFakeTimers();
+  });
+
+  test('returns latest snapshot and history for a container', () => {
+    const harness = createHarness();
+    const req = createRequest({
+      params: { id: 'c1' },
+    });
+    const res = createResponse();
+
+    harness.handlers.getContainerStats(req as any, res as any);
+
+    expect(harness.touch).toHaveBeenCalledWith('c1');
+    expect(res.status).toHaveBeenCalledWith(200);
+    expect(res.json).toHaveBeenCalledWith({
+      data: { containerId: 'c1', cpuPercent: 10 },
+      history: [{ containerId: 'c1', cpuPercent: 8 }],
+    });
+  });
+
+  test('returns 404 when container does not exist', () => {
+    const harness = createHarness();
+    const req = createRequest({
+      params: { id: 'missing' },
+    });
+    const res = createResponse();
+
+    harness.handlers.getContainerStats(req as any, res as any);
+
+    expect(res.status).toHaveBeenCalledWith(404);
+    expect(res.json).toHaveBeenCalledWith({ error: 'Container not found' });
+  });
+
+  test('returns null stats when no latest snapshot is available yet', () => {
+    const harness = createHarness();
+    const req = createRequest({
+      params: { id: 'c2' },
+    });
+    const res = createResponse();
+
+    harness.handlers.getContainerStats(req as any, res as any);
+
+    expect(res.status).toHaveBeenCalledWith(200);
+    expect(res.json).toHaveBeenCalledWith({
+      data: null,
+      history: [],
+    });
+  });
+
+  test('returns summary stats for all containers', () => {
+    const harness = createHarness();
+    const req = createRequest();
+    const res = createResponse();
+
+    harness.handlers.getAllContainerStats(req as any, res as any);
+
+    expect(harness.touch).toHaveBeenCalledWith('c1');
+    expect(harness.touch).toHaveBeenCalledWith('c2');
+    expect(res.status).toHaveBeenCalledWith(200);
+    expect(res.json).toHaveBeenCalledWith({
+      data: [
+        {
+          id: 'c1',
+          name: 'web',
+          status: 'running',
+          watcher: 'local',
+          agent: undefined,
+          stats: { containerId: 'c1', cpuPercent: 10 },
+        },
+        {
+          id: 'c2',
+          name: 'db',
+          status: undefined,
+          watcher: 'local',
+          agent: undefined,
+          stats: null,
+        },
+      ],
+    });
+  });
+
+  test('streams container stats over SSE with heartbeat and cleans up on disconnect', async () => {
+    const harness = createHarness();
+    const req = createRequest({
+      params: { id: 'c1' },
+    });
+    const res = createResponse();
+    const releaseWatch = vi.fn();
+    harness.watch.mockReturnValue(releaseWatch);
+
+    harness.handlers.streamContainerStats(req as any, res as any);
+
+    expect(res.writeHead).toHaveBeenCalledWith(200, {
+      'Content-Type': 'text/event-stream',
+      'Cache-Control': 'no-cache, no-transform',
+      Connection: 'keep-alive',
+      'X-Accel-Buffering': 'no',
+    });
+    expect(harness.watch).toHaveBeenCalledWith('c1');
+    expect(harness.subscribe).toHaveBeenCalledWith('c1', expect.any(Function));
+    expect(res.write).toHaveBeenCalledWith(
+      `event: dd:container-stats\ndata: ${JSON.stringify({
+        containerId: 'c1',
+        cpuPercent: 10,
+      })}\n\n`,
+    );
+
+    harness.emitSnapshot({ containerId: 'c1', cpuPercent: 22 });
+    expect(res.write).toHaveBeenCalledWith(
+      `event: dd:container-stats\ndata: ${JSON.stringify({
+        containerId: 'c1',
+        cpuPercent: 22,
+      })}\n\n`,
+    );
+
+    await vi.advanceTimersByTimeAsync(15_000);
+    expect(res.write).toHaveBeenCalledWith('event: dd:heartbeat\ndata: {}\n\n');
+
+    req.emit('close');
+    req.emit('aborted');
+    expect(harness.unsubscribe).toHaveBeenCalledTimes(1);
+    expect(releaseWatch).toHaveBeenCalledTimes(1);
+  });
+
+  test('cleanup continues when unsubscribe throws', () => {
+    const harness = createHarness();
+    const req = createRequest({ params: { id: 'c1' } });
+    const res = createResponse();
+    const releaseWatch = vi.fn();
+    harness.watch.mockReturnValue(releaseWatch);
+    harness.unsubscribe.mockImplementation(() => {
+      throw new Error('unsubscribe boom');
+    });
+
+    harness.handlers.streamContainerStats(req as any, res as any);
+    req.emit('close');
+
+    expect(harness.unsubscribe).toHaveBeenCalledOnce();
+    expect(releaseWatch).toHaveBeenCalledOnce();
+  });
+
+  test('cleanup logs debug messages when cleanup steps throw', () => {
+    const harness = createHarness();
+    const req = createRequest({ params: { id: 'c1' } });
+    const res = createResponse();
+    const debug = vi.fn();
+    const childSpy = vi.spyOn(logger, 'child').mockReturnValue({ debug } as any);
+    const clearIntervalSpy = vi.spyOn(globalThis, 'clearInterval').mockImplementation(() => {
+      throw new Error('clear interval boom');
+    });
+    const releaseWatch = vi.fn(() => {
+      throw new Error('release watch boom');
+    });
+    harness.watch.mockReturnValue(releaseWatch);
+    harness.unsubscribe.mockImplementation(() => {
+      throw new Error('unsubscribe boom');
+    });
+
+    try {
+      harness.handlers.streamContainerStats(req as any, res as any);
+      req.emit('close');
+    } finally {
+      clearIntervalSpy.mockRestore();
+      childSpy.mockRestore();
+    }
+
+    expect(debug).toHaveBeenCalledTimes(3);
+    expect(debug).toHaveBeenCalledWith(
+      expect.stringContaining('Failed to clear stats stream heartbeat interval for c1'),
+    );
+    expect(debug).toHaveBeenCalledWith(
+      expect.stringContaining('Failed to unsubscribe stats stream listener for c1'),
+    );
+    expect(debug).toHaveBeenCalledWith(
+      expect.stringContaining('Failed to release stats stream watch for c1'),
+    );
+  });
+
+  test('returns 404 when trying to stream a missing container', () => {
+    const harness = createHarness();
+    const req = createRequest({
+      params: { id: 'missing' },
+    });
+    const res = createResponse();
+
+    harness.handlers.streamContainerStats(req as any, res as any);
+
+    expect(harness.watch).not.toHaveBeenCalled();
+    expect(res.status).toHaveBeenCalledWith(404);
+    expect(res.json).toHaveBeenCalledWith({ error: 'Container not found' });
+  });
+});
diff --git a/app/api/container/stats.ts b/app/api/container/stats.ts
new file mode 100644
index 000000000..25517c159
--- /dev/null
+++ b/app/api/container/stats.ts
@@ -0,0 +1,171 @@
+import type { Request, Response } from 'express';
+import logger from '../../log/index.js';
+import type { Container } from '../../model/container.js';
+import type { ContainerStatsCollector } from '../../stats/collector.js';
+import { STATS_STREAM_HEARTBEAT_INTERVAL_MS } from '../../stats/config.js';
+import { getErrorMessage } from '../../util/error.js';
+import { sendErrorResponse } from '../error-response.js';
+import { getPathParamValue } from './request-helpers.js';
+
+type ContainerStatsSnapshot = ReturnType<ContainerStatsCollector['getLatest']>;
+type ContainerStatsListener = (snapshot: NonNullable<ContainerStatsSnapshot>) => void;
+
+interface StatsStoreContainerApi {
+  getContainer: (id: string) => Container | undefined;
+  getContainers: (query?: Record<string, unknown>) => Container[];
+}
+
+interface StreamableResponse extends Response {
+  flush?: () => void;
+}
+
+interface StatsHandlerDependencies {
+  storeContainer: StatsStoreContainerApi;
+  statsCollector: Pick<
+    ContainerStatsCollector,
+    'watch' | 'touch' | 'subscribe' | 'getLatest' | 'getHistory'
+  >;
+}
+
+function ensureContainerExists(
+  storeContainer: StatsStoreContainerApi,
+  id: string,
+  res: Response,
+): Container | undefined {
+  const container = storeContainer.getContainer(id);
+  if (!container) {
+    sendErrorResponse(res, 404, 'Container not found');
+    return undefined;
+  }
+  return container;
+}
+
+function writeStatsEvent(res: StreamableResponse, snapshot: unknown): void {
+  res.write(`event: dd:container-stats\ndata: ${JSON.stringify(snapshot)}\n\n`);
+  res.flush?.();
+}
+
+function writeHeartbeatEvent(res: StreamableResponse): void {
+  res.write('event: dd:heartbeat\ndata: {}\n\n');
+}
+
+function createGetContainerStatsHandler({
+  storeContainer,
+  statsCollector,
+}: StatsHandlerDependencies) {
+  return function getContainerStats(req: Request, res: Response): void {
+    const id = getPathParamValue(req.params.id);
+    const container = ensureContainerExists(storeContainer, id, res);
+    if (!container) {
+      return;
+    }
+
+    statsCollector.touch(container.id);
+    res.status(200).json({
+      data: statsCollector.getLatest(container.id) ?? null,
+      history: statsCollector.getHistory(container.id),
+    });
+  };
+}
+
+function createGetAllContainerStatsHandler({
+  storeContainer,
+  statsCollector,
+}: StatsHandlerDependencies) {
+  return function getAllContainerStats(_req: Request, res: Response): void {
+    const containers = storeContainer.getContainers();
+
+    const data = containers.map((container) => {
+      statsCollector.touch(container.id);
+      return {
+        id: container.id,
+        name: container.name,
+        status: container.status,
+        watcher: container.watcher,
+        agent: container.agent,
+        stats: statsCollector.getLatest(container.id) ?? null,
+      };
+    });
+
+    res.status(200).json({ data });
+  };
+}
+
+function createStreamContainerStatsHandler({
+  storeContainer,
+  statsCollector,
+}: StatsHandlerDependencies) {
+  return function streamContainerStats(req: Request, res: Response): void {
+    const id = getPathParamValue(req.params.id);
+    const container = ensureContainerExists(storeContainer, id, res);
+    if (!container) {
+      return;
+    }
+    const log = logger.child({ component: 'container-stats' });
+
+    const streamResponse = res as StreamableResponse;
+    streamResponse.writeHead(200, {
+      'Content-Type': 'text/event-stream',
+      'Cache-Control': 'no-cache, no-transform',
+      Connection: 'keep-alive',
+      'X-Accel-Buffering': 'no',
+    });
+    streamResponse.flushHeaders?.();
+
+    const latestSnapshot = statsCollector.getLatest(container.id);
+    if (latestSnapshot) {
+      writeStatsEvent(streamResponse, latestSnapshot);
+    }
+
+    const releaseWatch = statsCollector.watch(container.id);
+    const unsubscribe = statsCollector.subscribe(container.id, ((snapshot) => {
+      writeStatsEvent(streamResponse, snapshot);
+    }) as ContainerStatsListener);
+
+    const heartbeatInterval = globalThis.setInterval(() => {
+      writeHeartbeatEvent(streamResponse);
+    }, STATS_STREAM_HEARTBEAT_INTERVAL_MS);
+
+    let disconnected = false;
+    const cleanup = () => {
+      if (disconnected) {
+        return;
+      }
+      disconnected = true;
+      try {
+        globalThis.clearInterval(heartbeatInterval);
+      } catch (error: unknown) {
+        log.debug(
+          `Failed to clear stats stream heartbeat interval for ${container.id} (${getErrorMessage(error)})`,
+        );
+      }
+      try {
+        unsubscribe();
+      } catch (error: unknown) {
+        log.debug(
+          `Failed to unsubscribe stats stream listener for ${container.id} (${getErrorMessage(error)})`,
+        );
+      }
+      try {
+        releaseWatch();
+      } catch (error: unknown) {
+        log.debug(
+          `Failed to release stats stream watch for ${container.id} (${getErrorMessage(error)})`,
+        );
+      }
+    };
+
+    req.on('close', cleanup);
+    req.on('aborted', cleanup);
+    streamResponse.on('close', cleanup);
+    streamResponse.on('error', cleanup);
+  };
+}
+
+export function createStatsHandlers(dependencies: StatsHandlerDependencies) {
+  return {
+    getContainerStats: createGetContainerStatsHandler(dependencies),
+    getAllContainerStats: createGetAllContainerStatsHandler(dependencies),
+    streamContainerStats: createStreamContainerStatsHandler(dependencies),
+  };
+}
diff --git a/app/api/container/triggers.test.ts b/app/api/container/triggers.test.ts
index 587e5fad1..9b0e28fb3 100644
--- a/app/api/container/triggers.test.ts
+++ b/app/api/container/triggers.test.ts
@@ -372,6 +372,31 @@ describe('api/container/triggers', () => {
       expect(res.json).toHaveBeenCalledWith({ error: 'Trigger not found' });
     });
 
+    test('returns 409 when trigger targets a temporary rollback container', async () => {
+      const trigger = createTrigger({
+        id: 'slack.notify',
+        name: 'notify',
+      });
+      const harness = createHarness({
+        container: { id: 'c1', name: 'app-old-1234567890' },
+        triggerMap: {
+          'slack.notify': trigger,
+        },
+      });
+
+      const res = await callRunTrigger(harness.handlers, {
+        id: 'c1',
+        triggerType: 'slack',
+        triggerName: 'notify',
+      });
+
+      expect(res.status).toHaveBeenCalledWith(409);
+      expect(res.json).toHaveBeenCalledWith({
+        error: 'Cannot update temporary rollback container',
+      });
+      expect(trigger.trigger).not.toHaveBeenCalled();
+    });
+
     test('resolves and executes an agent-qualified trigger id', async () => {
       const trigger = createTrigger({
         id: 'agent-1.slack.notify',
@@ -420,6 +445,32 @@ describe('api/container/triggers', () => {
       expect(harness.deps.log.warn).toHaveBeenCalledWith(
         expect.stringContaining('trigger exploded'),
       );
+      expect(res.status).toHaveBeenCalledWith(500);
+      expect(res.json).toHaveBeenCalledWith({
+        error: 'trigger exploded',
+      });
+    });
+
+    test('falls back to a synthesized error when getErrorMessage returns an empty string', async () => {
+      const trigger = createTrigger({
+        id: 'slack.notify',
+        name: 'notify',
+        trigger: vi.fn().mockRejectedValue(new Error('trigger exploded')),
+      });
+      const harness = createHarness({
+        container: { id: 'c1' },
+        triggerMap: {
+          'slack.notify': trigger,
+        },
+      });
+      harness.deps.getErrorMessage.mockReturnValue('');
+
+      const res = await callRunTrigger(harness.handlers, {
+        id: 'c1',
+        triggerType: 'slack',
+        triggerName: 'notify',
+      });
+
       expect(res.status).toHaveBeenCalledWith(500);
       expect(res.json).toHaveBeenCalledWith({
         error: 'Error when running trigger (type=slack, name=notify)',
diff --git a/app/api/container/triggers.ts b/app/api/container/triggers.ts
index 8850fce03..a568d93df 100644
--- a/app/api/container/triggers.ts
+++ b/app/api/container/triggers.ts
@@ -1,5 +1,6 @@
 import type { Request, Response } from 'express';
 import type { Container } from '../../model/container.js';
+import Trigger from '../../triggers/providers/Trigger.js';
 import type { ApiComponent } from '../component.js';
 import { isTriggerCompatibleWithContainer } from '../docker-trigger.js';
 import { sendErrorResponse } from '../error-response.js';
@@ -33,7 +34,7 @@ interface TriggerStaticApi {
   doesReferenceMatchId: (triggerReference: string, triggerId: string) => boolean;
 }
 
-export interface TriggerHandlerDependencies {
+interface TriggerHandlerDependencies {
   storeContainer: TriggerStoreContainerApi;
   mapComponentsToList: (components: Record<string, TriggerRuntimeComponent>) => ApiComponent[];
   getTriggers: () => Record<string, TriggerRuntimeComponent>;
@@ -200,6 +201,11 @@ function createRunTriggerHandler({
       return;
     }
 
+    if (Trigger.isRollbackContainer(containerToTrigger)) {
+      sendErrorResponse(res, 409, 'Cannot update temporary rollback container');
+      return;
+    }
+
     try {
       await triggerToRun.trigger(containerToTrigger);
       log.info(
@@ -213,7 +219,8 @@ function createRunTriggerHandler({
       sendErrorResponse(
         res,
         500,
-        `Error when running trigger (type=${triggerType}, name=${triggerName})`,
+        getErrorMessage(error) ||
+          `Error when running trigger (type=${triggerType}, name=${triggerName})`,
       );
     }
   };
diff --git a/app/api/container/update-age.ts b/app/api/container/update-age.ts
new file mode 100644
index 000000000..cd8b57451
--- /dev/null
+++ b/app/api/container/update-age.ts
@@ -0,0 +1,26 @@
+import type { Container } from '../../model/container.js';
+
+export function getContainerUpdateAge(container: Container): number | undefined {
+  const age = container.updateAge;
+  if (typeof age === 'number' && Number.isFinite(age)) {
+    return age;
+  }
+
+  // Fallback for containers not processed through validate() — includes
+  // updateDetectedAt as a third date source that the model layer omits.
+  const firstSeenAtMs = Date.parse(container.firstSeenAt || '');
+  const publishedAtMs = Date.parse(container.result?.publishedAt || '');
+  const updateDetectedAtMs = Date.parse(container.updateDetectedAt || '');
+  let startedAtMs: number | undefined;
+  if (Number.isFinite(firstSeenAtMs) && Number.isFinite(publishedAtMs)) {
+    startedAtMs = Math.min(firstSeenAtMs, publishedAtMs);
+  } else if (Number.isFinite(firstSeenAtMs)) {
+    startedAtMs = firstSeenAtMs;
+  } else if (Number.isFinite(publishedAtMs)) {
+    startedAtMs = publishedAtMs;
+  } else if (Number.isFinite(updateDetectedAtMs)) {
+    startedAtMs = updateDetectedAtMs;
+  }
+
+  return startedAtMs === undefined ? undefined : Math.max(0, Date.now() - startedAtMs);
+}
diff --git a/app/api/container/update-policy.ts b/app/api/container/update-policy.ts
index 98f88cb22..bf943a7a9 100644
--- a/app/api/container/update-policy.ts
+++ b/app/api/container/update-policy.ts
@@ -15,7 +15,7 @@ interface UpdatePolicyStoreContainerApi {
   updateContainer: (container: Container) => Container;
 }
 
-export interface UpdatePolicyHandlerDependencies {
+interface UpdatePolicyHandlerDependencies {
   storeContainer: UpdatePolicyStoreContainerApi;
   uniqStrings: (values: string[]) => string[];
   getErrorMessage: (error: unknown) => string;
diff --git a/app/api/container/watched-kind-filter.test.ts b/app/api/container/watched-kind-filter.test.ts
new file mode 100644
index 000000000..4531afdac
--- /dev/null
+++ b/app/api/container/watched-kind-filter.test.ts
@@ -0,0 +1,23 @@
+import { describe, expect, test } from 'vitest';
+import type { Container } from '../../model/container.js';
+import { applyContainerWatchedKindFilter, isContainerWatchedKind } from './watched-kind-filter.js';
+
+describe('api/container/watched-kind-filter', () => {
+  test('isContainerWatchedKind accepts only watched kind values', () => {
+    expect(isContainerWatchedKind('watched')).toBe(true);
+    expect(isContainerWatchedKind('unwatched')).toBe(true);
+    expect(isContainerWatchedKind('all')).toBe(true);
+    expect(isContainerWatchedKind('major')).toBe(false);
+  });
+
+  test('applyContainerWatchedKindFilter returns watched containers', () => {
+    const containers = [
+      { id: 'c1', labels: { 'dd.watch': 'true' } },
+      { id: 'c2', labels: {} },
+      { id: 'c3', labels: { 'wud.watch': 'true' } },
+    ] as unknown as Container[];
+
+    const filtered = applyContainerWatchedKindFilter(containers, 'watched');
+    expect(filtered.map((container) => container.id)).toEqual(['c1', 'c3']);
+  });
+});
diff --git a/app/api/container/watched-kind-filter.ts b/app/api/container/watched-kind-filter.ts
new file mode 100644
index 000000000..3c6d9afef
--- /dev/null
+++ b/app/api/container/watched-kind-filter.ts
@@ -0,0 +1,29 @@
+import type { Container } from '../../model/container.js';
+
+export type ContainerWatchedKind = 'watched' | 'unwatched' | 'all';
+
+export function isContainerWatchedKind(value: unknown): value is ContainerWatchedKind {
+  return value === 'watched' || value === 'unwatched' || value === 'all';
+}
+
+function isContainerExplicitlyWatched(container: Container): boolean {
+  const labels = container.labels;
+  if (!labels || typeof labels !== 'object') {
+    return false;
+  }
+  const watchLabel = labels['dd.watch'] ?? labels['wud.watch'];
+  return typeof watchLabel === 'string' && watchLabel.toLowerCase() === 'true';
+}
+
+export function applyContainerWatchedKindFilter(
+  containers: Container[],
+  kindFilter: ContainerWatchedKind | undefined,
+): Container[] {
+  if (!kindFilter || kindFilter === 'all') {
+    return containers;
+  }
+  if (kindFilter === 'watched') {
+    return containers.filter((container) => isContainerExplicitlyWatched(container));
+  }
+  return containers.filter((container) => !isContainerExplicitlyWatched(container));
+}
diff --git a/app/api/debug.test.ts b/app/api/debug.test.ts
new file mode 100644
index 000000000..1e5a1a133
--- /dev/null
+++ b/app/api/debug.test.ts
@@ -0,0 +1,114 @@
+import { createMockResponse } from '../test/helpers.js';
+
+const { mockRouter } = vi.hoisted(() => ({
+  mockRouter: { use: vi.fn(), get: vi.fn() },
+}));
+
+vi.mock('express', () => ({
+  default: { Router: vi.fn(() => mockRouter) },
+}));
+
+vi.mock('nocache', () => ({ default: vi.fn(() => 'nocache-middleware') }));
+
+const mockCollectDebugDump = vi.fn();
+const mockSerializeDebugDump = vi.fn();
+const mockGetDebugDumpFilename = vi.fn(() => 'drydock-debug-dump-2026-03-18.json');
+
+vi.mock('../debug/dump.js', () => ({
+  collectDebugDump: (...args: any[]) => mockCollectDebugDump(...args),
+  serializeDebugDump: (...args: any[]) => mockSerializeDebugDump(...args),
+  getDebugDumpFilename: (...args: any[]) => mockGetDebugDumpFilename(...args),
+}));
+
+import * as debugRouter from './debug.js';
+
+function createResponse() {
+  return createMockResponse();
+}
+
+describe('Debug Router', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  test('registers nocache middleware and /dump route', () => {
+    const router = debugRouter.init();
+    expect(router.use).toHaveBeenCalledWith('nocache-middleware');
+    expect(router.get).toHaveBeenCalledWith('/dump', expect.any(Function));
+  });
+
+  test('returns an attached debug dump payload', async () => {
+    const dumpPayload = { metadata: { timestamp: '2026-03-18T00:00:00.000Z' } };
+    mockCollectDebugDump.mockResolvedValue(dumpPayload);
+    mockSerializeDebugDump.mockReturnValue('{"metadata":{"timestamp":"2026-03-18T00:00:00.000Z"}}');
+
+    debugRouter.init();
+    const handler = mockRouter.get.mock.calls.find((call) => call[0] === '/dump')?.[1];
+
+    const res = createResponse();
+    await handler({ query: {} }, res);
+
+    expect(mockCollectDebugDump).toHaveBeenCalledWith({ recentMinutes: 30 });
+    expect(res.setHeader).toHaveBeenCalledWith('Content-Type', 'application/json; charset=utf-8');
+    expect(res.setHeader).toHaveBeenCalledWith(
+      'Content-Disposition',
+      expect.stringContaining('attachment; filename="drydock-debug-dump-'),
+    );
+    expect(res.status).toHaveBeenCalledWith(200);
+    expect(res.send).toHaveBeenCalledWith('{"metadata":{"timestamp":"2026-03-18T00:00:00.000Z"}}');
+  });
+
+  test('uses minutes query parameter when provided', async () => {
+    mockCollectDebugDump.mockResolvedValue({});
+    mockSerializeDebugDump.mockReturnValue('{}');
+
+    debugRouter.init();
+    const handler = mockRouter.get.mock.calls.find((call) => call[0] === '/dump')?.[1];
+
+    const res = createResponse();
+    await handler({ query: { minutes: '45' } }, res);
+
+    expect(mockCollectDebugDump).toHaveBeenCalledWith({ recentMinutes: 45 });
+  });
+
+  test('uses the first array value for the minutes query parameter', async () => {
+    mockCollectDebugDump.mockResolvedValue({});
+    mockSerializeDebugDump.mockReturnValue('{}');
+
+    debugRouter.init();
+    const handler = mockRouter.get.mock.calls.find((call) => call[0] === '/dump')?.[1];
+
+    const res = createResponse();
+    await handler({ query: { minutes: ['abc'] } }, res);
+
+    expect(mockCollectDebugDump).toHaveBeenCalledWith({ recentMinutes: 30 });
+  });
+
+  test('falls back to the default minutes value when the query parses to zero', async () => {
+    mockCollectDebugDump.mockResolvedValue({});
+    mockSerializeDebugDump.mockReturnValue('{}');
+
+    debugRouter.init();
+    const handler = mockRouter.get.mock.calls.find((call) => call[0] === '/dump')?.[1];
+
+    const res = createResponse();
+    await handler({ query: { minutes: '0' } }, res);
+
+    expect(mockCollectDebugDump).toHaveBeenCalledWith({ recentMinutes: 30 });
+  });
+
+  test('returns an error response when the debug dump cannot be generated', async () => {
+    mockCollectDebugDump.mockRejectedValue(new Error('boom'));
+
+    debugRouter.init();
+    const handler = mockRouter.get.mock.calls.find((call) => call[0] === '/dump')?.[1];
+
+    const res = createResponse();
+    await handler({ query: {} }, res);
+
+    expect(res.status).toHaveBeenCalledWith(500);
+    expect(res.json).toHaveBeenCalledWith({
+      error: 'Unable to generate debug dump',
+    });
+  });
+});
diff --git a/app/api/debug.ts b/app/api/debug.ts
new file mode 100644
index 000000000..b6070b468
--- /dev/null
+++ b/app/api/debug.ts
@@ -0,0 +1,41 @@
+import type { Request, Response } from 'express';
+import express from 'express';
+import nocache from 'nocache';
+import { collectDebugDump, getDebugDumpFilename, serializeDebugDump } from '../debug/dump.js';
+import { sendErrorResponse } from './error-response.js';
+
+const router = express.Router();
+
+function parseRecentMinutes(rawValue: unknown): number {
+  const value = Array.isArray(rawValue) ? rawValue[0] : rawValue;
+  if (typeof value !== 'string') {
+    return 30;
+  }
+  const parsedValue = Number.parseInt(value, 10);
+  if (!Number.isFinite(parsedValue) || parsedValue <= 0) {
+    return 30;
+  }
+  return parsedValue;
+}
+
+async function getDebugDump(req: Request, res: Response): Promise<void> {
+  try {
+    const recentMinutes = parseRecentMinutes(req.query.minutes);
+    const dump = await collectDebugDump({
+      recentMinutes,
+    });
+    const dumpBody = serializeDebugDump(dump);
+
+    res.setHeader('Content-Type', 'application/json; charset=utf-8');
+    res.setHeader('Content-Disposition', `attachment; filename="${getDebugDumpFilename()}"`);
+    res.status(200).send(dumpBody);
+  } catch {
+    sendErrorResponse(res, 500, 'Unable to generate debug dump');
+  }
+}
+
+export function init() {
+  router.use(nocache());
+  router.get('/dump', getDebugDump);
+  return router;
+}
diff --git a/app/api/error-response.test.ts b/app/api/error-response.test.ts
index 746032128..c1453c4a7 100644
--- a/app/api/error-response.test.ts
+++ b/app/api/error-response.test.ts
@@ -1,17 +1,14 @@
-import type { Response } from 'express';
 import { describe, expect, test, vi } from 'vitest';
+import { createMockResponse } from '../test/helpers.js';
 import { sendErrorResponse } from './error-response.js';
 
-function createResponse(): Response {
-  return {
-    status: vi.fn().mockReturnThis(),
-    json: vi.fn(),
-  } as unknown as Response;
-}
-
 describe('sendErrorResponse', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
   test('uses explicit message when provided', () => {
-    const res = createResponse();
+    const res = createMockResponse();
 
     sendErrorResponse(res, 400, 'Bad payload');
 
@@ -20,7 +17,7 @@ describe('sendErrorResponse', () => {
   });
 
   test('uses standard status text when message is omitted', () => {
-    const res = createResponse();
+    const res = createMockResponse();
 
     sendErrorResponse(res, 404);
 
@@ -29,7 +26,7 @@ describe('sendErrorResponse', () => {
   });
 
   test('falls back to generic message when status text is unknown', () => {
-    const res = createResponse();
+    const res = createMockResponse();
 
     sendErrorResponse(res, 799);
 
@@ -38,7 +35,7 @@ describe('sendErrorResponse', () => {
   });
 
   test('supports options object with explicit message and details', () => {
-    const res = createResponse();
+    const res = createMockResponse();
 
     sendErrorResponse(res, 422, {
       message: 'Validation failed',
diff --git a/app/api/helpers.test.ts b/app/api/helpers.test.ts
index 4f104ed99..40aa4a133 100644
--- a/app/api/helpers.test.ts
+++ b/app/api/helpers.test.ts
@@ -125,7 +125,11 @@ describe('handleContainerActionError', () => {
       status: 'error',
       details: error.message,
     });
-    expect(mockSendErrorResponse).toHaveBeenCalledWith(res, 500, 'Error stopping container');
+    expect(mockSendErrorResponse).toHaveBeenCalledWith(
+      res,
+      500,
+      'docker stop failed\nreason: timeout',
+    );
   });
 
   test('stringifies non-Error failures for audit details and return value', () => {
@@ -154,6 +158,6 @@ describe('handleContainerActionError', () => {
       status: 'error',
       details: '503',
     });
-    expect(mockSendErrorResponse).toHaveBeenCalledWith(res, 500, 'Error starting container');
+    expect(mockSendErrorResponse).toHaveBeenCalledWith(res, 500, '503');
   });
 });
diff --git a/app/api/helpers.ts b/app/api/helpers.ts
index 830362c17..702692cb3 100644
--- a/app/api/helpers.ts
+++ b/app/api/helpers.ts
@@ -69,7 +69,6 @@ export function handleContainerActionError({
   res: Response;
 }): string {
   const message = error instanceof Error ? error.message : String(error);
-  const publicErrorMessage = `Error ${actionLabel} container`;
   log.warn(`Error ${actionLabel} container ${sanitizeLogParam(id)} (${sanitizeLogParam(message)})`);
 
   recordAuditEvent({
@@ -79,7 +78,7 @@ export function handleContainerActionError({
     details: message,
   });
 
-  sendErrorResponse(res, 500, publicErrorMessage);
+  sendErrorResponse(res, 500, message);
 
   return message;
 }
diff --git a/app/api/index.test.ts b/app/api/index.test.ts
index 4bfdefbd4..f1af4a70b 100644
--- a/app/api/index.test.ts
+++ b/app/api/index.test.ts
@@ -1,25 +1,38 @@
-const { mockApp, mockFs, mockHttps, mockGetServerConfiguration } = vi.hoisted(() => ({
-  mockApp: {
-    disable: vi.fn(),
-    set: vi.fn(),
-    use: vi.fn(),
-    listen: vi.fn((port, cb) => cb()),
-  },
-  mockFs: {
-    readFileSync: vi.fn(),
-  },
-  mockHttps: {
-    createServer: vi.fn(() => ({
+const { mockApp, mockFs, mockHttps, mockGetServerConfiguration, mockHttpServer, mockHttpsServer } =
+  vi.hoisted(() => {
+    const mockHttpServer = {
+      on: vi.fn(),
+    };
+    const mockHttpsServer = {
+      on: vi.fn(),
       listen: vi.fn((port, cb) => cb()),
-    })),
-  },
-  mockGetServerConfiguration: vi.fn(() => ({
-    enabled: true,
-    port: 3000,
-    cors: {},
-    tls: {},
-  })),
-}));
+    };
+    return {
+      mockApp: {
+        disable: vi.fn(),
+        set: vi.fn(),
+        use: vi.fn(),
+        listen: vi.fn((port, cb) => {
+          cb();
+          return mockHttpServer;
+        }),
+      },
+      mockFs: {
+        readFileSync: vi.fn(),
+      },
+      mockHttpServer,
+      mockHttpsServer,
+      mockHttps: {
+        createServer: vi.fn(() => mockHttpsServer),
+      },
+      mockGetServerConfiguration: vi.fn(() => ({
+        enabled: true,
+        port: 3000,
+        cors: {},
+        tls: {},
+      })),
+    };
+  });
 const mockLog = vi.hoisted(() => ({
   debug: vi.fn(),
   info: vi.fn(),
@@ -29,6 +42,9 @@ const mockLog = vi.hoisted(() => ({
 const mockDdEnvVars = vi.hoisted(() => ({}) as Record<string, string | undefined>);
 const mockHelmet = vi.hoisted(() => vi.fn(() => 'helmet-middleware'));
 const mockIsInternetlessModeEnabled = vi.hoisted(() => vi.fn(() => false));
+const mockGetSessionMiddleware = vi.hoisted(() => vi.fn(() => vi.fn()));
+const mockAttachContainerLogStreamWebSocketServer = vi.hoisted(() => vi.fn());
+const mockAttachSystemLogStreamWebSocketServer = vi.hoisted(() => vi.fn());
 
 vi.mock('node:fs', () => ({
   default: mockFs,
@@ -69,6 +85,7 @@ vi.mock('../log', () => ({
 
 vi.mock('./auth', () => ({
   init: vi.fn(),
+  getSessionMiddleware: mockGetSessionMiddleware,
 }));
 
 vi.mock('./api', () => ({
@@ -87,6 +104,14 @@ vi.mock('./health', () => ({
   init: vi.fn(() => 'health-router'),
 }));
 
+vi.mock('./container/log-stream', () => ({
+  attachContainerLogStreamWebSocketServer: mockAttachContainerLogStreamWebSocketServer,
+}));
+
+vi.mock('./log-stream', () => ({
+  attachSystemLogStreamWebSocketServer: mockAttachSystemLogStreamWebSocketServer,
+}));
+
 vi.mock('../configuration', () => ({
   getServerConfiguration: mockGetServerConfiguration,
   ddEnvVars: mockDdEnvVars,
@@ -105,8 +130,15 @@ describe('API Index', () => {
     mockApp.set.mockClear();
     mockApp.use.mockClear();
     mockApp.listen.mockClear();
+    mockHttpServer.on.mockClear();
+    mockHttpsServer.listen.mockClear();
+    mockHttpsServer.on.mockClear();
     mockHelmet.mockClear();
     mockIsInternetlessModeEnabled.mockReturnValue(false);
+    mockGetSessionMiddleware.mockReset();
+    mockGetSessionMiddleware.mockReturnValue(vi.fn());
+    mockAttachContainerLogStreamWebSocketServer.mockClear();
+    mockAttachSystemLogStreamWebSocketServer.mockClear();
     Object.keys(mockDdEnvVars).forEach((key) => delete mockDdEnvVars[key]);
   });
 
@@ -142,6 +174,54 @@ describe('API Index', () => {
     await indexRouter.init();
 
     expect(mockApp.listen).toHaveBeenCalledWith(3000, expect.any(Function));
+    expect(mockAttachContainerLogStreamWebSocketServer).toHaveBeenCalledWith({
+      server: mockHttpServer,
+      sessionMiddleware: expect.any(Function),
+      serverConfiguration: expect.objectContaining({ enabled: true }),
+      isRateLimited: expect.any(Function),
+    });
+    expect(mockAttachSystemLogStreamWebSocketServer).toHaveBeenCalledWith({
+      server: mockHttpServer,
+      sessionMiddleware: expect.any(Function),
+      serverConfiguration: expect.objectContaining({ enabled: true }),
+      isRateLimited: expect.any(Function),
+    });
+  });
+
+  test('should share a single rate limiter across both WebSocket log stream gateways', async () => {
+    mockGetServerConfiguration.mockReturnValue({
+      enabled: true,
+      port: 3000,
+      cors: {},
+      tls: {},
+    });
+
+    vi.resetModules();
+    const indexRouter = await import('./index.js');
+    await indexRouter.init();
+
+    const containerIsRateLimited =
+      mockAttachContainerLogStreamWebSocketServer.mock.calls[0][0].isRateLimited;
+    const systemIsRateLimited =
+      mockAttachSystemLogStreamWebSocketServer.mock.calls[0][0].isRateLimited;
+    expect(containerIsRateLimited).toBe(systemIsRateLimited);
+  });
+
+  test('isRateLimited callback should execute and report allowed traffic for a fresh key', async () => {
+    mockGetServerConfiguration.mockReturnValue({
+      enabled: true,
+      port: 3000,
+      cors: {},
+      tls: {},
+    });
+
+    vi.resetModules();
+    const indexRouter = await import('./index.js');
+    await indexRouter.init();
+
+    const isRateLimited =
+      mockAttachContainerLogStreamWebSocketServer.mock.calls[0][0].isRateLimited;
+    expect(isRateLimited('127.0.0.1')).toBe(false);
   });
 
   test('should start HTTP server when TLS is explicitly disabled', async () => {
diff --git a/app/api/index.ts b/app/api/index.ts
index f1642666d..a71dfced6 100644
--- a/app/api/index.ts
+++ b/app/api/index.ts
@@ -14,10 +14,13 @@ import { ddEnvVars, getServerConfiguration } from '../configuration/index.js';
 import * as settingsStore from '../store/settings.js';
 import * as apiRouter from './api.js';
 import * as auth from './auth.js';
+import { attachContainerLogStreamWebSocketServer } from './container/log-stream.js';
 import { sendErrorResponse } from './error-response.js';
 import * as healthRouter from './health.js';
+import { attachSystemLogStreamWebSocketServer } from './log-stream.js';
 import * as prometheusRouter from './prometheus.js';
 import * as uiRouter from './ui.js';
+import { createFixedWindowRateLimiter } from './ws-upgrade-utils.js';
 
 const configuration = getServerConfiguration();
 
@@ -155,25 +158,26 @@ function startHttpsServer(app) {
   const serverKey = readTlsFile(keyPath, 'key');
   const serverCert = readTlsFile(certPath, 'cert');
 
-  https.createServer({ key: serverKey, cert: serverCert }, app).listen(configuration.port, () => {
+  const server = https.createServer({ key: serverKey, cert: serverCert }, app);
+  server.listen(configuration.port, () => {
     log.info(`Server listening on port ${configuration.port} (HTTPS)`);
   });
+  return server;
 }
 
 function startHttpServer(app) {
-  app.listen(configuration.port, () => {
+  return app.listen(configuration.port, () => {
     log.info(`Server listening on port ${configuration.port} (HTTP)`);
   });
 }
 
 function startServer(app) {
   if (configuration.tls.enabled === true) {
-    startHttpsServer(app);
-    return;
+    return startHttpsServer(app);
   }
 
   // Listen plain HTTP
-  startHttpServer(app);
+  return startHttpServer(app);
 }
 
 function createApp() {
@@ -213,5 +217,22 @@ export async function init() {
 
   log.debug(`API/UI enabled => Start Http listener on port ${configuration.port}`);
   const app = createApp();
-  startServer(app);
+  const server = startServer(app);
+  const sharedLimiter = createFixedWindowRateLimiter({
+    windowMs: 15 * 60 * 1000,
+    max: 1000,
+  });
+  const isRateLimited = (key: string) => !sharedLimiter.consume(key);
+  attachContainerLogStreamWebSocketServer({
+    server,
+    sessionMiddleware: auth.getSessionMiddleware?.(),
+    serverConfiguration: configuration as Record<string, unknown>,
+    isRateLimited,
+  });
+  attachSystemLogStreamWebSocketServer({
+    server,
+    sessionMiddleware: auth.getSessionMiddleware?.(),
+    serverConfiguration: configuration as Record<string, unknown>,
+    isRateLimited,
+  });
 }
diff --git a/app/api/json-content-type.test.ts b/app/api/json-content-type.test.ts
index a4c487967..35e51e716 100644
--- a/app/api/json-content-type.test.ts
+++ b/app/api/json-content-type.test.ts
@@ -1,14 +1,8 @@
-import type { NextFunction, Request, Response } from 'express';
+import type { NextFunction, Request } from 'express';
 import { describe, expect, test, vi } from 'vitest';
+import { createMockResponse } from '../test/helpers.js';
 import { requireJsonContentTypeForMutations, shouldParseJsonBody } from './json-content-type.js';
 
-function createResponse(): Response {
-  return {
-    status: vi.fn().mockReturnThis(),
-    json: vi.fn(),
-  } as unknown as Response;
-}
-
 function createRequest(overrides: Partial<Request>): Request {
   return {
     method: 'POST',
@@ -19,6 +13,10 @@ function createRequest(overrides: Partial<Request>): Request {
 }
 
 describe('json content-type middleware', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
   test('shouldParseJsonBody returns true only for mutation methods', () => {
     expect(shouldParseJsonBody('POST')).toBe(true);
     expect(shouldParseJsonBody('PUT')).toBe(true);
@@ -28,7 +26,7 @@ describe('json content-type middleware', () => {
 
   test('allows non-mutation requests without checking content type', () => {
     const req = createRequest({ method: 'GET' });
-    const res = createResponse();
+    const res = createMockResponse();
     const next = vi.fn() as NextFunction;
 
     requireJsonContentTypeForMutations(req, res, next);
@@ -42,7 +40,7 @@ describe('json content-type middleware', () => {
       headers: { 'content-length': 'abc' },
       is: vi.fn(() => false),
     });
-    const res = createResponse();
+    const res = createMockResponse();
     const next = vi.fn() as NextFunction;
 
     requireJsonContentTypeForMutations(req, res, next);
@@ -56,7 +54,7 @@ describe('json content-type middleware', () => {
     const req = createRequest({
       headers: { 'content-length': '   ' },
     });
-    const res = createResponse();
+    const res = createMockResponse();
     const next = vi.fn() as NextFunction;
 
     requireJsonContentTypeForMutations(req, res, next);
@@ -70,7 +68,7 @@ describe('json content-type middleware', () => {
       headers: { 'transfer-encoding': ['chunked', 'gzip'] },
       is: vi.fn(() => false),
     });
-    const res = createResponse();
+    const res = createMockResponse();
     const next = vi.fn() as NextFunction;
 
     requireJsonContentTypeForMutations(req, res, next);
@@ -84,7 +82,7 @@ describe('json content-type middleware', () => {
     const req = createRequest({
       headers: { 'transfer-encoding': '   ' },
     });
-    const res = createResponse();
+    const res = createMockResponse();
     const next = vi.fn() as NextFunction;
 
     requireJsonContentTypeForMutations(req, res, next);
@@ -98,7 +96,7 @@ describe('json content-type middleware', () => {
       headers: { 'content-length': '2' },
       is: vi.fn(() => true),
     });
-    const res = createResponse();
+    const res = createMockResponse();
     const next = vi.fn() as NextFunction;
 
     requireJsonContentTypeForMutations(req, res, next);
diff --git a/app/api/log-stream-constants.test.ts b/app/api/log-stream-constants.test.ts
new file mode 100644
index 000000000..79b9e316e
--- /dev/null
+++ b/app/api/log-stream-constants.test.ts
@@ -0,0 +1,19 @@
+import {
+  LOG_STREAM_RATE_LIMIT_MAX,
+  LOG_STREAM_RATE_LIMIT_WINDOW_MS,
+  WS_CLOSE_CODE_CONTAINER_NOT_FOUND,
+  WS_CLOSE_CODE_CONTAINER_NOT_RUNNING,
+  WS_CLOSE_CODE_INTERNAL_ERROR,
+  WS_CLOSE_CODE_NORMAL,
+} from './log-stream-constants.js';
+
+describe('api/log-stream-constants', () => {
+  test('exports stable websocket close codes and rate-limit defaults', () => {
+    expect(LOG_STREAM_RATE_LIMIT_WINDOW_MS).toBe(15 * 60 * 1000);
+    expect(LOG_STREAM_RATE_LIMIT_MAX).toBe(1000);
+    expect(WS_CLOSE_CODE_NORMAL).toBe(1000);
+    expect(WS_CLOSE_CODE_INTERNAL_ERROR).toBe(1011);
+    expect(WS_CLOSE_CODE_CONTAINER_NOT_RUNNING).toBe(4001);
+    expect(WS_CLOSE_CODE_CONTAINER_NOT_FOUND).toBe(4004);
+  });
+});
diff --git a/app/api/log-stream-constants.ts b/app/api/log-stream-constants.ts
new file mode 100644
index 000000000..99f8ae237
--- /dev/null
+++ b/app/api/log-stream-constants.ts
@@ -0,0 +1,7 @@
+export const LOG_STREAM_RATE_LIMIT_WINDOW_MS = 15 * 60 * 1000;
+export const LOG_STREAM_RATE_LIMIT_MAX = 1000;
+
+export const WS_CLOSE_CODE_NORMAL = 1000;
+export const WS_CLOSE_CODE_INTERNAL_ERROR = 1011;
+export const WS_CLOSE_CODE_CONTAINER_NOT_RUNNING = 4001;
+export const WS_CLOSE_CODE_CONTAINER_NOT_FOUND = 4004;
diff --git a/app/api/log-stream.test.ts b/app/api/log-stream.test.ts
new file mode 100644
index 000000000..fe9ea1d55
--- /dev/null
+++ b/app/api/log-stream.test.ts
@@ -0,0 +1,832 @@
+import { EventEmitter } from 'node:events';
+import { WebSocketServer } from 'ws';
+import * as configuration from '../configuration/index.js';
+import {
+  attachSystemLogStreamWebSocketServer,
+  createSystemLogStreamGateway,
+  parseSystemLogStreamQuery,
+} from './log-stream.js';
+import * as rateLimitKey from './rate-limit-key.js';
+
+function createUpgradeSocket() {
+  return {
+    destroyed: false,
+    write: vi.fn(),
+    destroy: vi.fn(function destroy() {
+      this.destroyed = true;
+    }),
+  };
+}
+
+function createUpgradeRequest(url: string) {
+  return {
+    url,
+    headers: {},
+    socket: {
+      remoteAddress: '127.0.0.1',
+    },
+  };
+}
+
+function makeEntry(overrides = {}) {
+  return {
+    timestamp: Date.now(),
+    level: 'info',
+    component: 'drydock',
+    msg: 'test message',
+    ...overrides,
+  };
+}
+
+function authenticatingSessionMiddleware(req: any, _res: unknown, next: (error?: unknown) => void) {
+  req.session = { passport: { user: '{"username":"alice"}' } };
+  req.sessionID = 'session-1';
+  next();
+}
+
+describe('api/log-stream', () => {
+  describe('parseSystemLogStreamQuery', () => {
+    test('uses expected defaults', () => {
+      const query = parseSystemLogStreamQuery(new URLSearchParams());
+      expect(query).toEqual({
+        level: undefined,
+        component: undefined,
+        tail: 100,
+      });
+    });
+
+    test('parses level and component filters', () => {
+      const query = parseSystemLogStreamQuery(
+        new URLSearchParams({ level: 'warn', component: 'api', tail: '50' }),
+      );
+      expect(query).toEqual({
+        level: 'warn',
+        component: 'api',
+        tail: 50,
+      });
+    });
+
+    test('treats level=all as undefined', () => {
+      const query = parseSystemLogStreamQuery(new URLSearchParams({ level: 'all' }));
+      expect(query.level).toBeUndefined();
+    });
+
+    test('treats empty component as undefined', () => {
+      const query = parseSystemLogStreamQuery(new URLSearchParams({ component: '' }));
+      expect(query.component).toBeUndefined();
+    });
+
+    test('falls back on invalid tail values', () => {
+      const query = parseSystemLogStreamQuery(new URLSearchParams({ tail: '-5' }));
+      expect(query.tail).toBe(100);
+
+      const query2 = parseSystemLogStreamQuery(new URLSearchParams({ tail: 'abc' }));
+      expect(query2.tail).toBe(100);
+    });
+  });
+
+  describe('createSystemLogStreamGateway', () => {
+    test('silently returns for non-log-stream upgrade routes', async () => {
+      const gateway = createSystemLogStreamGateway({
+        sessionMiddleware: authenticatingSessionMiddleware,
+        webSocketServer: { handleUpgrade: vi.fn() },
+      });
+      const socket = createUpgradeSocket();
+
+      await gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/containers/c1/logs/stream') as any,
+        socket as any,
+        Buffer.alloc(0),
+      );
+
+      expect(socket.write).not.toHaveBeenCalled();
+      expect(socket.destroy).not.toHaveBeenCalled();
+    });
+
+    test('silently returns when url is missing', async () => {
+      const gateway = createSystemLogStreamGateway({
+        sessionMiddleware: authenticatingSessionMiddleware,
+      });
+      const socket = createUpgradeSocket();
+
+      await gateway.handleUpgrade(
+        { socket: { remoteAddress: '127.0.0.1' } } as any,
+        socket as any,
+        Buffer.alloc(0),
+      );
+
+      expect(socket.write).not.toHaveBeenCalled();
+    });
+
+    test('silently returns when url is malformed', async () => {
+      const gateway = createSystemLogStreamGateway({
+        sessionMiddleware: authenticatingSessionMiddleware,
+      });
+      const socket = createUpgradeSocket();
+
+      await gateway.handleUpgrade(
+        { url: 'http://[::1', socket: { remoteAddress: '127.0.0.1' } } as any,
+        socket as any,
+        Buffer.alloc(0),
+      );
+
+      expect(socket.write).not.toHaveBeenCalled();
+    });
+
+    test('returns 403 when Origin header does not match Host', async () => {
+      const gateway = createSystemLogStreamGateway({
+        sessionMiddleware: authenticatingSessionMiddleware,
+        webSocketServer: { handleUpgrade: vi.fn() },
+      });
+      const socket = createUpgradeSocket();
+
+      await gateway.handleUpgrade(
+        {
+          url: '/api/v1/log/stream',
+          headers: { origin: 'https://evil.com', host: 'localhost:3000' },
+          socket: { remoteAddress: '127.0.0.1' },
+        } as any,
+        socket as any,
+        Buffer.alloc(0),
+      );
+
+      expect(socket.write).toHaveBeenCalledWith(expect.stringContaining('403 Forbidden'));
+      expect(socket.destroy).toHaveBeenCalledTimes(1);
+    });
+
+    test('allows upgrade when Origin matches Host', async () => {
+      const mockHandleUpgrade = vi.fn(
+        (_req: unknown, _socket: unknown, _head: unknown, callback: (ws: unknown) => void) => {
+          const closeListeners: Array<() => void> = [];
+          const ws = {
+            on: vi.fn((event: string, listener: () => void) => {
+              if (event === 'close') closeListeners.push(listener);
+            }),
+            off: vi.fn(),
+            send: vi.fn(),
+            close: vi.fn(),
+          };
+          callback(ws);
+          for (const listener of closeListeners) listener();
+        },
+      );
+      const gateway = createSystemLogStreamGateway({
+        sessionMiddleware: authenticatingSessionMiddleware,
+        webSocketServer: { handleUpgrade: mockHandleUpgrade },
+      });
+      const socket = createUpgradeSocket();
+
+      await gateway.handleUpgrade(
+        {
+          url: '/api/v1/log/stream',
+          headers: { origin: 'http://localhost:3000', host: 'localhost:3000' },
+          socket: { remoteAddress: '127.0.0.1' },
+        } as any,
+        socket as any,
+        Buffer.alloc(0),
+      );
+
+      expect(socket.write).not.toHaveBeenCalledWith(expect.stringContaining('403'));
+      expect(mockHandleUpgrade).toHaveBeenCalledTimes(1);
+    });
+
+    test('returns 503 when session middleware is not configured', async () => {
+      const gateway = createSystemLogStreamGateway({
+        sessionMiddleware: undefined,
+        webSocketServer: { handleUpgrade: vi.fn() },
+      });
+      const socket = createUpgradeSocket();
+
+      await gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/log/stream') as any,
+        socket as any,
+        Buffer.alloc(0),
+      );
+
+      expect(socket.write).toHaveBeenCalledWith(
+        expect.stringContaining('503 Session middleware unavailable'),
+      );
+    });
+
+    test('returns 401 when session middleware fails', async () => {
+      const gateway = createSystemLogStreamGateway({
+        sessionMiddleware: (_req: unknown, _res: unknown, next: (error?: unknown) => void) =>
+          next(new Error('session failed')),
+        webSocketServer: { handleUpgrade: vi.fn() },
+      });
+      const socket = createUpgradeSocket();
+
+      await gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/log/stream') as any,
+        socket as any,
+        Buffer.alloc(0),
+      );
+
+      expect(socket.write).toHaveBeenCalledWith(expect.stringContaining('401 Unauthorized'));
+    });
+
+    test('rejects upgrades when rate limited', async () => {
+      const gateway = createSystemLogStreamGateway({
+        sessionMiddleware: authenticatingSessionMiddleware,
+        webSocketServer: { handleUpgrade: vi.fn() },
+        isRateLimited: vi.fn(() => true),
+      });
+      const socket = createUpgradeSocket();
+
+      await gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/log/stream') as any,
+        socket as any,
+        Buffer.alloc(0),
+      );
+
+      expect(socket.write).toHaveBeenCalledWith(expect.stringContaining('429 Too Many Requests'));
+    });
+
+    test('rejects unauthenticated upgrades', async () => {
+      const gateway = createSystemLogStreamGateway({
+        sessionMiddleware: (_req: unknown, _res: unknown, next: (error?: unknown) => void) =>
+          next(),
+        webSocketServer: { handleUpgrade: vi.fn() },
+        isRateLimited: vi.fn(() => false),
+      });
+      const socket = createUpgradeSocket();
+
+      await gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/log/stream') as any,
+        socket as any,
+        Buffer.alloc(0),
+      );
+
+      expect(socket.write).toHaveBeenCalledWith(expect.stringContaining('401 Unauthorized'));
+    });
+
+    test('does not write error when socket is already destroyed', async () => {
+      const gateway = createSystemLogStreamGateway({
+        sessionMiddleware: authenticatingSessionMiddleware,
+      });
+      const socket = createUpgradeSocket();
+      socket.destroyed = true;
+
+      await gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/not-log-stream') as any,
+        socket as any,
+        Buffer.alloc(0),
+      );
+
+      expect(socket.write).not.toHaveBeenCalled();
+    });
+
+    test('matches deprecated unversioned path /api/log/stream', async () => {
+      const ws = new EventEmitter() as EventEmitter & {
+        send: ReturnType<typeof vi.fn>;
+        close: ReturnType<typeof vi.fn>;
+      };
+      ws.send = vi.fn();
+      ws.close = vi.fn();
+
+      const gateway = createSystemLogStreamGateway({
+        sessionMiddleware: authenticatingSessionMiddleware,
+        webSocketServer: {
+          handleUpgrade: vi.fn((_req, _socket, _head, callback: (socket: unknown) => void) =>
+            callback(ws),
+          ),
+        },
+        isRateLimited: vi.fn(() => false),
+        getBackfillEntries: vi.fn(() => []),
+        subscribeToEntries: vi.fn(() => () => {}),
+      });
+
+      const upgradePromise = gateway.handleUpgrade(
+        createUpgradeRequest('/api/log/stream') as any,
+        createUpgradeSocket() as any,
+        Buffer.alloc(0),
+      );
+
+      await new Promise((resolve) => setImmediate(resolve));
+      expect(ws.send).not.toHaveBeenCalled();
+      ws.emit('close');
+      await upgradePromise;
+    });
+
+    test('sends backfill entries on connect', async () => {
+      const ws = new EventEmitter() as EventEmitter & {
+        send: ReturnType<typeof vi.fn>;
+        close: ReturnType<typeof vi.fn>;
+      };
+      ws.send = vi.fn();
+      ws.close = vi.fn();
+
+      const backfillEntries = [makeEntry({ msg: 'backfill-1' }), makeEntry({ msg: 'backfill-2' })];
+
+      const gateway = createSystemLogStreamGateway({
+        sessionMiddleware: authenticatingSessionMiddleware,
+        webSocketServer: {
+          handleUpgrade: vi.fn((_req, _socket, _head, callback: (socket: unknown) => void) =>
+            callback(ws),
+          ),
+        },
+        isRateLimited: vi.fn(() => false),
+        getBackfillEntries: vi.fn(() => backfillEntries),
+        subscribeToEntries: vi.fn(() => () => {}),
+      });
+
+      const upgradePromise = gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/log/stream?tail=50') as any,
+        createUpgradeSocket() as any,
+        Buffer.alloc(0),
+      );
+
+      await new Promise((resolve) => setImmediate(resolve));
+      expect(ws.send).toHaveBeenCalledTimes(2);
+      expect(ws.send).toHaveBeenCalledWith(JSON.stringify(backfillEntries[0]));
+      expect(ws.send).toHaveBeenCalledWith(JSON.stringify(backfillEntries[1]));
+      ws.emit('close');
+      await upgradePromise;
+    });
+
+    test('does not reject upgrade when websocket backfill send overflows its buffer', async () => {
+      const ws = new EventEmitter() as EventEmitter & {
+        send: ReturnType<typeof vi.fn>;
+        close: ReturnType<typeof vi.fn>;
+        bufferedAmount: number;
+      };
+      ws.bufferedAmount = 0;
+      ws.close = vi.fn();
+      ws.send = vi.fn(() => {
+        ws.bufferedAmount += 512;
+        if (ws.bufferedAmount > 700) {
+          throw new Error('WebSocket buffer overflow');
+        }
+      });
+
+      const subscribeToEntries = vi.fn(() => vi.fn());
+      const backfillEntries = [makeEntry({ msg: 'backfill-1' }), makeEntry({ msg: 'backfill-2' })];
+
+      const gateway = createSystemLogStreamGateway({
+        sessionMiddleware: authenticatingSessionMiddleware,
+        webSocketServer: {
+          handleUpgrade: vi.fn((_req, _socket, _head, callback: (socket: unknown) => void) =>
+            callback(ws),
+          ),
+        },
+        isRateLimited: vi.fn(() => false),
+        getBackfillEntries: vi.fn(() => backfillEntries),
+        subscribeToEntries,
+      });
+
+      await expect(
+        gateway.handleUpgrade(
+          createUpgradeRequest('/api/v1/log/stream?tail=50') as any,
+          createUpgradeSocket() as any,
+          Buffer.alloc(0),
+        ),
+      ).resolves.toBeUndefined();
+
+      expect(ws.send).toHaveBeenCalledTimes(2);
+      expect(subscribeToEntries).not.toHaveBeenCalled();
+    });
+
+    test('streams live entries that match filters', async () => {
+      const ws = new EventEmitter() as EventEmitter & {
+        send: ReturnType<typeof vi.fn>;
+        close: ReturnType<typeof vi.fn>;
+      };
+      ws.send = vi.fn();
+      ws.close = vi.fn();
+
+      let capturedListener: ((entry: any) => void) | undefined;
+      const subscribeToEntries = vi.fn((listener: (entry: any) => void) => {
+        capturedListener = listener;
+        return () => {
+          capturedListener = undefined;
+        };
+      });
+
+      const gateway = createSystemLogStreamGateway({
+        sessionMiddleware: authenticatingSessionMiddleware,
+        webSocketServer: {
+          handleUpgrade: vi.fn((_req, _socket, _head, callback: (socket: unknown) => void) =>
+            callback(ws),
+          ),
+        },
+        isRateLimited: vi.fn(() => false),
+        getBackfillEntries: vi.fn(() => []),
+        subscribeToEntries,
+      });
+
+      const upgradePromise = gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/log/stream?level=warn') as any,
+        createUpgradeSocket() as any,
+        Buffer.alloc(0),
+      );
+
+      await new Promise((resolve) => setImmediate(resolve));
+      expect(capturedListener).toBeDefined();
+
+      const warnEntry = makeEntry({ level: 'warn', msg: 'should-pass' });
+      const debugEntry = makeEntry({ level: 'debug', msg: 'should-filter' });
+
+      capturedListener!(warnEntry);
+      capturedListener!(debugEntry);
+
+      // backfill sends 0, warn should be sent, debug should be filtered
+      expect(ws.send).toHaveBeenCalledTimes(1);
+      expect(ws.send).toHaveBeenCalledWith(JSON.stringify(warnEntry));
+      ws.emit('close');
+      await upgradePromise;
+    });
+
+    test('streams live entries that match component filter', async () => {
+      const ws = new EventEmitter() as EventEmitter & {
+        send: ReturnType<typeof vi.fn>;
+        close: ReturnType<typeof vi.fn>;
+      };
+      ws.send = vi.fn();
+      ws.close = vi.fn();
+
+      let capturedListener: ((entry: any) => void) | undefined;
+      const subscribeToEntries = vi.fn((listener: (entry: any) => void) => {
+        capturedListener = listener;
+        return () => {
+          capturedListener = undefined;
+        };
+      });
+
+      const gateway = createSystemLogStreamGateway({
+        sessionMiddleware: authenticatingSessionMiddleware,
+        webSocketServer: {
+          handleUpgrade: vi.fn((_req, _socket, _head, callback: (socket: unknown) => void) =>
+            callback(ws),
+          ),
+        },
+        isRateLimited: vi.fn(() => false),
+        getBackfillEntries: vi.fn(() => []),
+        subscribeToEntries,
+      });
+
+      const upgradePromise = gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/log/stream?component=api') as any,
+        createUpgradeSocket() as any,
+        Buffer.alloc(0),
+      );
+
+      await new Promise((resolve) => setImmediate(resolve));
+      capturedListener!(makeEntry({ component: 'api-server', msg: 'match' }));
+      capturedListener!(makeEntry({ component: 'watcher', msg: 'no-match' }));
+
+      expect(ws.send).toHaveBeenCalledTimes(1);
+      ws.emit('close');
+      await upgradePromise;
+    });
+
+    test('unsubscribes on websocket close', async () => {
+      const ws = new EventEmitter() as EventEmitter & {
+        send: ReturnType<typeof vi.fn>;
+        close: ReturnType<typeof vi.fn>;
+      };
+      ws.send = vi.fn();
+      ws.close = vi.fn();
+
+      const unsubscribeFn = vi.fn();
+      const subscribeToEntries = vi.fn(() => unsubscribeFn);
+
+      const gateway = createSystemLogStreamGateway({
+        sessionMiddleware: authenticatingSessionMiddleware,
+        webSocketServer: {
+          handleUpgrade: vi.fn((_req, _socket, _head, callback: (socket: unknown) => void) =>
+            callback(ws),
+          ),
+        },
+        isRateLimited: vi.fn(() => false),
+        getBackfillEntries: vi.fn(() => []),
+        subscribeToEntries,
+      });
+
+      const upgradePromise = gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/log/stream') as any,
+        createUpgradeSocket() as any,
+        Buffer.alloc(0),
+      );
+
+      await new Promise((resolve) => setImmediate(resolve));
+      ws.emit('close');
+      await upgradePromise;
+      expect(unsubscribeFn).toHaveBeenCalledTimes(1);
+
+      // Second close should not call unsubscribe again (idempotent cleanup)
+      ws.emit('close');
+      expect(unsubscribeFn).toHaveBeenCalledTimes(1);
+    });
+
+    test('unsubscribes on websocket error', async () => {
+      const ws = new EventEmitter() as EventEmitter & {
+        send: ReturnType<typeof vi.fn>;
+        close: ReturnType<typeof vi.fn>;
+      };
+      ws.send = vi.fn();
+      ws.close = vi.fn();
+
+      const unsubscribeFn = vi.fn();
+      const subscribeToEntries = vi.fn(() => unsubscribeFn);
+
+      const gateway = createSystemLogStreamGateway({
+        sessionMiddleware: authenticatingSessionMiddleware,
+        webSocketServer: {
+          handleUpgrade: vi.fn((_req, _socket, _head, callback: (socket: unknown) => void) =>
+            callback(ws),
+          ),
+        },
+        isRateLimited: vi.fn(() => false),
+        getBackfillEntries: vi.fn(() => []),
+        subscribeToEntries,
+      });
+
+      const upgradePromise = gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/log/stream') as any,
+        createUpgradeSocket() as any,
+        Buffer.alloc(0),
+      );
+
+      await new Promise((resolve) => setImmediate(resolve));
+      ws.emit('error', new Error('ws boom'));
+      await upgradePromise;
+      expect(unsubscribeFn).toHaveBeenCalledTimes(1);
+    });
+
+    test('cleanup remains idempotent when close/error fire multiple times', async () => {
+      const ws = new EventEmitter() as EventEmitter & {
+        send: ReturnType<typeof vi.fn>;
+        close: ReturnType<typeof vi.fn>;
+        off: ReturnType<typeof vi.fn>;
+      };
+      ws.send = vi.fn();
+      ws.close = vi.fn();
+      // Keep listeners registered so repeated events re-enter cleanup.
+      ws.off = vi.fn();
+
+      const unsubscribeFn = vi.fn();
+      const subscribeToEntries = vi.fn(() => unsubscribeFn);
+
+      const gateway = createSystemLogStreamGateway({
+        sessionMiddleware: authenticatingSessionMiddleware,
+        webSocketServer: {
+          handleUpgrade: vi.fn((_req, _socket, _head, callback: (socket: unknown) => void) =>
+            callback(ws),
+          ),
+        },
+        isRateLimited: vi.fn(() => false),
+        getBackfillEntries: vi.fn(() => []),
+        subscribeToEntries,
+      });
+
+      const upgradePromise = gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/log/stream') as any,
+        createUpgradeSocket() as any,
+        Buffer.alloc(0),
+      );
+
+      await new Promise((resolve) => setImmediate(resolve));
+      ws.emit('close');
+      ws.emit('error', new Error('late error'));
+      await upgradePromise;
+
+      expect(unsubscribeFn).toHaveBeenCalledTimes(1);
+    });
+
+    test('unsubscribes when send throws on a closed socket', async () => {
+      const ws = new EventEmitter() as EventEmitter & {
+        send: ReturnType<typeof vi.fn>;
+        close: ReturnType<typeof vi.fn>;
+      };
+      ws.send = vi.fn();
+      ws.close = vi.fn();
+
+      let capturedListener: ((entry: any) => void) | undefined;
+      const unsubscribeFn = vi.fn();
+      const subscribeToEntries = vi.fn((listener: (entry: any) => void) => {
+        capturedListener = listener;
+        return unsubscribeFn;
+      });
+
+      const gateway = createSystemLogStreamGateway({
+        sessionMiddleware: authenticatingSessionMiddleware,
+        webSocketServer: {
+          handleUpgrade: vi.fn((_req, _socket, _head, callback: (socket: unknown) => void) =>
+            callback(ws),
+          ),
+        },
+        isRateLimited: vi.fn(() => false),
+        getBackfillEntries: vi.fn(() => []),
+        subscribeToEntries,
+      });
+
+      const upgradePromise = gateway.handleUpgrade(
+        createUpgradeRequest('/api/v1/log/stream') as any,
+        createUpgradeSocket() as any,
+        Buffer.alloc(0),
+      );
+
+      await new Promise((resolve) => setImmediate(resolve));
+
+      // Simulate socket closing then a late entry arriving
+      ws.send = vi.fn(() => {
+        throw new Error('WebSocket is not open');
+      });
+
+      capturedListener!(makeEntry({ level: 'info', msg: 'late message' }));
+      await upgradePromise;
+
+      expect(unsubscribeFn).toHaveBeenCalledTimes(1);
+    });
+
+    test('applies default fixed-window rate limiter', async () => {
+      const gateway = createSystemLogStreamGateway({
+        sessionMiddleware: (_req: any, _res: unknown, next: (error?: unknown) => void) => next(),
+      });
+
+      const request = {
+        url: '/api/v1/log/stream',
+        headers: {},
+        socket: { remoteAddress: '127.0.0.1' },
+      } as any;
+
+      for (let i = 0; i < 1000; i++) {
+        const socket = createUpgradeSocket();
+        await gateway.handleUpgrade(request, socket as any, Buffer.alloc(0));
+        expect(socket.write).toHaveBeenCalledWith(expect.stringContaining('401 Unauthorized'));
+      }
+
+      const rateLimitedSocket = createUpgradeSocket();
+      await gateway.handleUpgrade(request, rateLimitedSocket as any, Buffer.alloc(0));
+      expect(rateLimitedSocket.write).toHaveBeenCalledWith(
+        expect.stringContaining('429 Too Many Requests'),
+      );
+    });
+
+    test('uses ip:unknown rate-limit key when remote address is unavailable', async () => {
+      const gateway = createSystemLogStreamGateway({
+        sessionMiddleware: (_req: any, _res: unknown, next: (error?: unknown) => void) => next(),
+        isRateLimited: vi.fn(() => false),
+      });
+      const socket = createUpgradeSocket();
+
+      await gateway.handleUpgrade(
+        { url: '/api/v1/log/stream', headers: {}, socket: {} } as any,
+        socket as any,
+        Buffer.alloc(0),
+      );
+
+      expect(socket.write).toHaveBeenCalledWith(expect.stringContaining('401 Unauthorized'));
+    });
+  });
+
+  describe('attachSystemLogStreamWebSocketServer', () => {
+    test('registers an upgrade listener', () => {
+      const server = { on: vi.fn() };
+
+      const gateway = attachSystemLogStreamWebSocketServer({
+        server: server as any,
+        sessionMiddleware: authenticatingSessionMiddleware,
+        serverConfiguration: { ratelimit: { identitykeying: false } },
+      });
+
+      expect(gateway).toBeDefined();
+      expect(server.on).toHaveBeenCalledWith('upgrade', expect.any(Function));
+    });
+
+    test('delegates upgrade events to the gateway', async () => {
+      const listeners: Array<(request: unknown, socket: unknown, head: Buffer) => void> = [];
+      const server = {
+        on: vi.fn(
+          (
+            _event: 'upgrade',
+            listener: (request: unknown, socket: unknown, head: Buffer) => void,
+          ) => {
+            listeners.push(listener);
+          },
+        ),
+      };
+
+      attachSystemLogStreamWebSocketServer({
+        server: server as any,
+        sessionMiddleware: authenticatingSessionMiddleware,
+        serverConfiguration: { ratelimit: { identitykeying: false } },
+      });
+
+      const socket = createUpgradeSocket();
+      listeners[0](createUpgradeRequest('/api/v1/log/not-stream') as any, socket, Buffer.alloc(0));
+      await new Promise((resolve) => setImmediate(resolve));
+
+      expect(socket.write).not.toHaveBeenCalled();
+    });
+
+    test('uses getServerConfiguration when serverConfiguration is omitted', () => {
+      const serverConfigurationSpy = vi
+        .spyOn(configuration, 'getServerConfiguration')
+        .mockReturnValue({ ratelimit: { identitykeying: false } } as any);
+      const server = { on: vi.fn() };
+
+      try {
+        attachSystemLogStreamWebSocketServer({
+          server: server as any,
+          sessionMiddleware: authenticatingSessionMiddleware,
+        });
+
+        expect(serverConfigurationSpy).toHaveBeenCalled();
+        expect(server.on).toHaveBeenCalledWith('upgrade', expect.any(Function));
+      } finally {
+        serverConfigurationSpy.mockRestore();
+      }
+    });
+
+    test('uses identity-aware key resolver when enabled', async () => {
+      const webSocketUpgradeSpy = vi
+        .spyOn(WebSocketServer.prototype, 'handleUpgrade')
+        .mockImplementation((_request, _socket, _head, callback) => {
+          const ws = new EventEmitter() as EventEmitter & {
+            send: ReturnType<typeof vi.fn>;
+            close: ReturnType<typeof vi.fn>;
+          };
+          ws.send = vi.fn();
+          ws.close = vi.fn();
+          callback(ws as any);
+        });
+      const listeners: Array<(request: unknown, socket: unknown, head: Buffer) => void> = [];
+      const server = {
+        on: vi.fn(
+          (
+            _event: 'upgrade',
+            listener: (request: unknown, socket: unknown, head: Buffer) => void,
+          ) => {
+            listeners.push(listener);
+          },
+        ),
+      };
+
+      try {
+        attachSystemLogStreamWebSocketServer({
+          server: server as any,
+          sessionMiddleware: authenticatingSessionMiddleware,
+          serverConfiguration: { ratelimit: { identitykeying: true } },
+        });
+
+        const socket = createUpgradeSocket();
+        listeners[0](
+          createUpgradeRequest('/api/v1/log/stream') as any,
+          socket as any,
+          Buffer.alloc(0),
+        );
+        await new Promise((resolve) => setImmediate(resolve));
+      } finally {
+        webSocketUpgradeSpy.mockRestore();
+      }
+    });
+
+    test('falls back to ip key when identity-aware key generator returns empty', async () => {
+      const createKeySpy = vi
+        .spyOn(rateLimitKey, 'createAuthenticatedRouteRateLimitKeyGenerator')
+        .mockReturnValue(() => '' as any);
+      const webSocketUpgradeSpy = vi
+        .spyOn(WebSocketServer.prototype, 'handleUpgrade')
+        .mockImplementation((_request, _socket, _head, callback) => {
+          const ws = new EventEmitter() as EventEmitter & {
+            send: ReturnType<typeof vi.fn>;
+            close: ReturnType<typeof vi.fn>;
+          };
+          ws.send = vi.fn();
+          ws.close = vi.fn();
+          callback(ws as any);
+        });
+      const listeners: Array<(request: unknown, socket: unknown, head: Buffer) => void> = [];
+      const server = {
+        on: vi.fn(
+          (
+            _event: 'upgrade',
+            listener: (request: unknown, socket: unknown, head: Buffer) => void,
+          ) => {
+            listeners.push(listener);
+          },
+        ),
+      };
+
+      try {
+        attachSystemLogStreamWebSocketServer({
+          server: server as any,
+          sessionMiddleware: authenticatingSessionMiddleware,
+          serverConfiguration: { ratelimit: { identitykeying: true } },
+        });
+
+        const socket = createUpgradeSocket();
+        listeners[0](
+          createUpgradeRequest('/api/v1/log/stream') as any,
+          socket as any,
+          Buffer.alloc(0),
+        );
+        await new Promise((resolve) => setImmediate(resolve));
+      } finally {
+        createKeySpy.mockRestore();
+        webSocketUpgradeSpy.mockRestore();
+      }
+    });
+  });
+});
diff --git a/app/api/log-stream.ts b/app/api/log-stream.ts
new file mode 100644
index 000000000..c4630481d
--- /dev/null
+++ b/app/api/log-stream.ts
@@ -0,0 +1,266 @@
+import type { IncomingMessage } from 'node:http';
+import type { Socket } from 'node:net';
+import { type WebSocket, WebSocketServer } from 'ws';
+import { getServerConfiguration } from '../configuration/index.js';
+import {
+  getEntries,
+  getMinLevel,
+  type LogEntry,
+  matchesComponent,
+  meetsMinLevel,
+  onEntry,
+} from '../log/buffer.js';
+import {
+  applySessionMiddleware,
+  createFixedWindowRateLimiter,
+  createIdentityAwareUpgradeRateLimitKeyResolver,
+  getDefaultRateLimitKey,
+  isAuthenticatedSession,
+  isOriginAllowed,
+  type SessionMiddleware,
+  type UpgradeRequest,
+  writeUpgradeError,
+} from './ws-upgrade-utils.js';
+
+const STREAM_ROUTE_PATTERN = /^\/api(?:\/v1)?\/log\/stream$/;
+const RATE_LIMIT_WINDOW_MS = 15 * 60 * 1000;
+const RATE_LIMIT_MAX = 1000;
+
+interface ParsedSystemLogStreamQuery {
+  level?: string;
+  component?: string;
+  tail: number;
+}
+
+type WebSocketLike = Pick<WebSocket, 'close' | 'on' | 'send'> & {
+  off?: (event: 'close' | 'error', listener: () => void) => void;
+};
+
+type WebSocketServerLike = {
+  handleUpgrade: (
+    request: IncomingMessage,
+    socket: Socket,
+    head: Buffer,
+    callback: (webSocket: WebSocketLike) => void,
+  ) => void;
+};
+
+export interface SystemLogStreamGatewayDependencies {
+  sessionMiddleware?: SessionMiddleware;
+  webSocketServer?: WebSocketServerLike;
+  isRateLimited?: (key: string) => boolean;
+  getRateLimitKey?: (request: UpgradeRequest, authenticated: boolean) => string;
+  getBackfillEntries?: (options: {
+    level?: string;
+    component?: string;
+    tail: number;
+  }) => LogEntry[];
+  subscribeToEntries?: (listener: (entry: LogEntry) => void) => () => void;
+}
+
+function parseIntegerParam(rawValue: string | null, fallback: number): number {
+  if (rawValue === null) {
+    return fallback;
+  }
+  const parsedValue = Number.parseInt(rawValue, 10);
+  if (!Number.isFinite(parsedValue) || parsedValue < 0) {
+    return fallback;
+  }
+  return parsedValue;
+}
+
+export function parseSystemLogStreamQuery(query: URLSearchParams): ParsedSystemLogStreamQuery {
+  const level = query.get('level') ?? undefined;
+  const component = query.get('component') ?? undefined;
+  const tail = parseIntegerParam(query.get('tail'), 100);
+  return {
+    level: level && level !== 'all' ? level : undefined,
+    component: component || undefined,
+    tail,
+  };
+}
+
+function parseSystemLogStreamUpgradeUrl(
+  rawUrl: string | undefined,
+): { query: ParsedSystemLogStreamQuery } | undefined {
+  if (!rawUrl) {
+    return undefined;
+  }
+
+  let parsedUrl: URL;
+  try {
+    parsedUrl = new URL(rawUrl, 'http://localhost');
+  } catch {
+    return undefined;
+  }
+
+  if (!STREAM_ROUTE_PATTERN.test(parsedUrl.pathname)) {
+    return undefined;
+  }
+
+  return {
+    query: parseSystemLogStreamQuery(parsedUrl.searchParams),
+  };
+}
+
+function matchesFilter(entry: LogEntry, minLevel: number, component?: string): boolean {
+  return meetsMinLevel(entry, minLevel) && matchesComponent(entry, component);
+}
+
+function trySendLogEntry(webSocket: WebSocketLike, entry: LogEntry): boolean {
+  try {
+    webSocket.send(JSON.stringify(entry));
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function streamSystemLogsToWebSocket({
+  webSocket,
+  query,
+  getBackfillEntries,
+  subscribeToEntries,
+}: {
+  webSocket: WebSocketLike;
+  query: ParsedSystemLogStreamQuery;
+  getBackfillEntries: NonNullable<SystemLogStreamGatewayDependencies['getBackfillEntries']>;
+  subscribeToEntries: NonNullable<SystemLogStreamGatewayDependencies['subscribeToEntries']>;
+}): Promise<void> {
+  const backfill = getBackfillEntries({
+    level: query.level,
+    component: query.component,
+    tail: query.tail,
+  });
+  for (const entry of backfill) {
+    if (!trySendLogEntry(webSocket, entry)) {
+      return Promise.resolve();
+    }
+  }
+
+  const minLevel = getMinLevel(query.level);
+
+  return new Promise<void>((resolve) => {
+    const unsubscribe = subscribeToEntries((entry: LogEntry) => {
+      if (matchesFilter(entry, minLevel, query.component)) {
+        if (!trySendLogEntry(webSocket, entry)) {
+          cleanup();
+        }
+      }
+    });
+
+    let cleaned = false;
+    const cleanup = () => {
+      if (cleaned) {
+        return;
+      }
+      cleaned = true;
+      unsubscribe();
+      webSocket.off?.('close', handleClose);
+      webSocket.off?.('error', handleError);
+      resolve();
+    };
+
+    const handleClose = () => {
+      cleanup();
+    };
+    const handleError = () => {
+      cleanup();
+    };
+
+    webSocket.on('close', handleClose);
+    webSocket.on('error', handleError);
+  });
+}
+
+export function createSystemLogStreamGateway(dependencies: SystemLogStreamGatewayDependencies) {
+  const {
+    sessionMiddleware,
+    webSocketServer = new WebSocketServer({ noServer: true }),
+    isRateLimited = (() => {
+      const limiter = createFixedWindowRateLimiter({
+        windowMs: RATE_LIMIT_WINDOW_MS,
+        max: RATE_LIMIT_MAX,
+      });
+      return (key: string) => !limiter.consume(key);
+    })(),
+    getRateLimitKey = (request: UpgradeRequest) => getDefaultRateLimitKey(request),
+    getBackfillEntries = (options) => getEntries(options),
+    subscribeToEntries = (listener) => onEntry(listener),
+  } = dependencies;
+
+  return {
+    async handleUpgrade(request: IncomingMessage, socket: Socket, head: Buffer): Promise<void> {
+      const parsedRequest = parseSystemLogStreamUpgradeUrl(request.url);
+      if (!parsedRequest) {
+        return;
+      }
+
+      if (!isOriginAllowed(request)) {
+        writeUpgradeError(socket, 403, 'Forbidden');
+        return;
+      }
+
+      if (!sessionMiddleware) {
+        writeUpgradeError(socket, 503, 'Session middleware unavailable');
+        return;
+      }
+
+      try {
+        await applySessionMiddleware(sessionMiddleware, request);
+      } catch {
+        writeUpgradeError(socket, 401, 'Unauthorized');
+        return;
+      }
+
+      const upgradeRequest = request as UpgradeRequest;
+      const authenticated = isAuthenticatedSession(upgradeRequest);
+      const rateLimitKey = getRateLimitKey(upgradeRequest, authenticated);
+      if (isRateLimited(rateLimitKey)) {
+        writeUpgradeError(socket, 429, 'Too Many Requests');
+        return;
+      }
+      if (!authenticated) {
+        writeUpgradeError(socket, 401, 'Unauthorized');
+        return;
+      }
+
+      await new Promise<void>((resolve) => {
+        webSocketServer.handleUpgrade(request, socket, head, (webSocket) => {
+          void streamSystemLogsToWebSocket({
+            webSocket,
+            query: parsedRequest.query,
+            getBackfillEntries,
+            subscribeToEntries,
+          }).finally(resolve);
+        });
+      });
+    },
+  };
+}
+
+export function attachSystemLogStreamWebSocketServer(options: {
+  server: {
+    on: (
+      event: 'upgrade',
+      listener: (request: IncomingMessage, socket: Socket, head: Buffer) => void,
+    ) => void;
+  };
+  sessionMiddleware?: SessionMiddleware;
+  serverConfiguration?: Record<string, unknown>;
+  isRateLimited?: (key: string) => boolean;
+}) {
+  const serverConfiguration =
+    options.serverConfiguration ?? (getServerConfiguration() as Record<string, unknown>);
+  const gateway = createSystemLogStreamGateway({
+    sessionMiddleware: options.sessionMiddleware,
+    getRateLimitKey: createIdentityAwareUpgradeRateLimitKeyResolver(serverConfiguration),
+    isRateLimited: options.isRateLimited,
+  });
+
+  options.server.on('upgrade', (request, socket, head) => {
+    void gateway.handleUpgrade(request, socket, head);
+  });
+
+  return gateway;
+}
diff --git a/app/api/openapi-contract.test.ts b/app/api/openapi-contract.test.ts
index 696d525c1..f5a6ae070 100644
--- a/app/api/openapi-contract.test.ts
+++ b/app/api/openapi-contract.test.ts
@@ -1,6 +1,6 @@
 import { createRequire } from 'node:module';
-import type { Response } from 'express';
 import { afterEach, beforeEach, describe, expect, test, vi } from 'vitest';
+import { createMockResponse } from '../test/helpers.js';
 import { sendErrorResponse } from './error-response.js';
 import { openApiDocument } from './openapi.js';
 import { validateOpenApiJsonResponse } from './openapi-contract.js';
@@ -66,10 +66,7 @@ describe('validateOpenApiJsonResponse', () => {
       { schemas: structuredClone(originalSchemas) },
     );
 
-    const response = {
-      status: vi.fn().mockReturnThis(),
-      json: vi.fn(),
-    } as unknown as Response;
+    const response = createMockResponse();
 
     sendErrorResponse(response, 400, 'Bad payload');
 
diff --git a/app/api/openapi.test.ts b/app/api/openapi.test.ts
index 89f555c13..e2b4f7358 100644
--- a/app/api/openapi.test.ts
+++ b/app/api/openapi.test.ts
@@ -11,14 +11,19 @@ describe('OpenAPI document', () => {
     expect(openApiDocument.openapi).toBe('3.1.0');
     expect(openApiDocument.info.version).toBe(appPackageJson.version);
     expect(openApiDocument.paths['/api/openapi.json']?.get).toBeDefined();
+    expect(openApiDocument.paths['/api/debug/dump']?.get).toBeDefined();
     expect(openApiDocument.paths['/api/containers/{id}/scan']?.post).toBeDefined();
+    expect(openApiDocument.paths['/api/containers/{id}/stats']?.get).toBeDefined();
     expect(openApiDocument.paths['/api/webhook/watch']?.post).toBeDefined();
     expect(openApiDocument.paths['/auth/login']?.post).toBeDefined();
   });
 
-  test('should define session and webhook security schemes', () => {
+  test('should define session, webhook, and metrics bearer security schemes', () => {
     expect(openApiDocument.components.securitySchemes.sessionAuth).toBeDefined();
     expect(openApiDocument.components.securitySchemes.webhookBearerAuth).toBeDefined();
+    expect(openApiDocument.components.securitySchemes.metricsBearerAuth).toBeDefined();
+    expect(openApiDocument.components.securitySchemes.metricsBearerAuth.type).toBe('http');
+    expect(openApiDocument.components.securitySchemes.metricsBearerAuth.scheme).toBe('bearer');
   });
 
   test('should keep webhook endpoints protected by bearer auth in the spec', () => {
@@ -27,6 +32,13 @@ describe('OpenAPI document', () => {
     ]);
   });
 
+  test('should declare /metrics with bearer token and session security alternatives', () => {
+    expect(openApiDocument.paths['/metrics']?.get?.security).toStrictEqual([
+      { metricsBearerAuth: [] },
+      { sessionAuth: [] },
+    ]);
+  });
+
   test('should model action and webhook success payloads with a result envelope', () => {
     expect(openApiDocument.components.schemas.ContainerActionResponse).toMatchObject({
       type: 'object',
diff --git a/app/api/openapi/common.ts b/app/api/openapi/common.ts
index 2fb20c6cc..954c15689 100644
--- a/app/api/openapi/common.ts
+++ b/app/api/openapi/common.ts
@@ -6,7 +6,7 @@ export const genericArraySchema = {
 export const emptyObjectSchema = { type: 'object', additionalProperties: false };
 type JsonSchema = { $ref: string } | Record<string, unknown>;
 
-export const jsonContent = (schema: JsonSchema) => ({
+const jsonContent = (schema: JsonSchema) => ({
   'application/json': { schema },
 });
 
diff --git a/app/api/openapi/index.ts b/app/api/openapi/index.ts
index d04fa7ea5..ec17e423f 100644
--- a/app/api/openapi/index.ts
+++ b/app/api/openapi/index.ts
@@ -60,6 +60,11 @@ export const openApiDocument = {
         description:
           'Bearer token configured via webhook settings (shared token or endpoint-specific webhook tokens).',
       },
+      metricsBearerAuth: {
+        type: 'http',
+        scheme: 'bearer',
+        description: 'DD_SERVER_METRICS_TOKEN bearer token for /metrics endpoint',
+      },
     },
     schemas: openApiSchemas,
   },
diff --git a/app/api/openapi/paths/containers.ts b/app/api/openapi/paths/containers.ts
index 5991b59e3..2fbc7776f 100644
--- a/app/api/openapi/paths/containers.ts
+++ b/app/api/openapi/paths/containers.ts
@@ -135,6 +135,19 @@ export const containerPaths = {
       },
     },
   },
+  '/api/containers/stats': {
+    get: {
+      tags: ['Containers'],
+      summary: 'Get latest resource metric snapshot for all containers',
+      operationId: 'getAllContainerStats',
+      responses: {
+        200: jsonResponse('Container resource metrics summary', {
+          $ref: '#/components/schemas/ContainerStatsSummaryResponse',
+        }),
+        401: errorResponse('Authentication required'),
+      },
+    },
+  },
   '/api/containers/recent-status': {
     get: {
       tags: ['Containers'],
@@ -213,6 +226,41 @@ export const containerPaths = {
       },
     },
   },
+  '/api/containers/{id}/stats': {
+    get: {
+      tags: ['Containers'],
+      summary: 'Get latest resource metrics for a single container',
+      operationId: 'getContainerStats',
+      parameters: [containerIdPathParam],
+      responses: {
+        200: jsonResponse('Container resource metrics', {
+          $ref: '#/components/schemas/ContainerStatsResponse',
+        }),
+        401: errorResponse('Authentication required'),
+        404: errorResponse('Container not found'),
+      },
+    },
+  },
+  '/api/containers/{id}/stats/stream': {
+    get: {
+      tags: ['Containers'],
+      summary: 'Stream live resource metrics for a single container via SSE',
+      operationId: 'streamContainerStats',
+      parameters: [containerIdPathParam],
+      responses: {
+        200: {
+          description: 'SSE stream',
+          content: {
+            'text/event-stream': {
+              schema: { type: 'string' },
+            },
+          },
+        },
+        401: errorResponse('Authentication required'),
+        404: errorResponse('Container not found'),
+      },
+    },
+  },
   '/api/containers/{id}': {
     get: {
       tags: ['Containers'],
@@ -242,6 +290,21 @@ export const containerPaths = {
       },
     },
   },
+  '/api/containers/{id}/release-notes': {
+    get: {
+      tags: ['Containers'],
+      summary: 'Get full release notes for the current update target',
+      operationId: 'getContainerReleaseNotes',
+      parameters: [containerIdPathParam],
+      responses: {
+        200: jsonResponse('Release notes', {
+          $ref: '#/components/schemas/ReleaseNotesResource',
+        }),
+        401: errorResponse('Authentication required'),
+        404: errorResponse('Release notes not available'),
+      },
+    },
+  },
   '/api/containers/{id}/update-operations': {
     get: {
       tags: ['Containers'],
@@ -440,33 +503,55 @@ export const containerPaths = {
   '/api/containers/{id}/logs': {
     get: {
       tags: ['Logs'],
-      summary: 'Get container logs',
+      summary: 'Download container logs',
       operationId: 'getContainerLogs',
       parameters: [
         containerIdPathParam,
         {
-          name: 'tail',
+          name: 'stdout',
           in: 'query',
           required: false,
-          schema: { type: 'integer', minimum: 0 },
+          schema: { type: 'boolean' },
         },
         {
-          name: 'since',
+          name: 'stderr',
+          in: 'query',
+          required: false,
+          schema: { type: 'boolean' },
+        },
+        {
+          name: 'tail',
           in: 'query',
           required: false,
           schema: { type: 'integer', minimum: 0 },
         },
         {
-          name: 'timestamps',
+          name: 'since',
           in: 'query',
           required: false,
-          schema: { type: 'boolean' },
+          schema: {
+            oneOf: [
+              { type: 'integer', minimum: 0 },
+              { type: 'string', format: 'date-time' },
+            ],
+          },
         },
       ],
       responses: {
-        200: jsonResponse('Container logs', {
-          $ref: '#/components/schemas/ContainerLogsResponse',
-        }),
+        200: {
+          description: 'Container logs download',
+          content: {
+            'text/plain': {
+              schema: { type: 'string' },
+            },
+          },
+          headers: {
+            'Content-Disposition': {
+              description: 'Attachment filename',
+              schema: { type: 'string' },
+            },
+          },
+        },
         401: errorResponse('Authentication required'),
         404: errorResponse('Container not found'),
         500: errorResponse('Unable to fetch logs'),
diff --git a/app/api/openapi/paths/index.ts b/app/api/openapi/paths/index.ts
index 41955672f..3a566ba9d 100644
--- a/app/api/openapi/paths/index.ts
+++ b/app/api/openapi/paths/index.ts
@@ -229,6 +229,40 @@ export const openApiPaths = {
       },
     },
   },
+  '/api/debug/dump': {
+    get: {
+      tags: ['System'],
+      summary: 'Download diagnostic debug dump',
+      operationId: 'downloadDebugDump',
+      parameters: [
+        {
+          name: 'minutes',
+          in: 'query',
+          required: false,
+          description: 'How many recent minutes of event history to include',
+          schema: { type: 'integer', minimum: 1, maximum: 1440, default: 30 },
+        },
+      ],
+      responses: {
+        200: {
+          description: 'Redacted diagnostic dump JSON attachment',
+          headers: {
+            'Content-Disposition': {
+              description: 'Attachment filename for the exported dump',
+              schema: { type: 'string' },
+            },
+          },
+          content: {
+            'application/json': {
+              schema: { ...genericObjectSchema },
+            },
+          },
+        },
+        401: errorResponse('Authentication required'),
+        500: errorResponse('Unable to generate debug dump'),
+      },
+    },
+  },
   '/api/server': {
     get: {
       tags: ['System'],
@@ -498,7 +532,8 @@ export const openApiPaths = {
       summary: 'Get Prometheus metrics',
       operationId: 'getPrometheusMetrics',
       description:
-        'By default this endpoint requires authentication. It can be exposed without auth when DD_SERVER_METRICS_AUTH=false.',
+        'Returns Prometheus metrics. Auth modes: (1) bearer token via DD_SERVER_METRICS_TOKEN (recommended for Prometheus scrapers), (2) session/basic auth fallback when no token is set, (3) no auth when DD_SERVER_METRICS_AUTH=false.',
+      security: [{ metricsBearerAuth: [] }, { sessionAuth: [] }],
       responses: {
         200: {
           description: 'Prometheus metrics text',
diff --git a/app/api/openapi/schemas.ts b/app/api/openapi/schemas.ts
index 3da479ac6..2964cd13c 100644
--- a/app/api/openapi/schemas.ts
+++ b/app/api/openapi/schemas.ts
@@ -340,6 +340,18 @@ export const openApiSchemas = {
     required: ['id', 'name'],
     additionalProperties: true,
   },
+  ReleaseNotesResource: {
+    type: 'object',
+    properties: {
+      title: { type: 'string' },
+      body: { type: 'string' },
+      url: { type: 'string' },
+      publishedAt: { type: 'string', format: 'date-time' },
+      provider: { type: 'string', enum: ['github', 'gitlab', 'gitea'] },
+    },
+    required: ['title', 'body', 'url', 'publishedAt', 'provider'],
+    additionalProperties: false,
+  },
   VulnerabilitySummary: {
     type: 'object',
     properties: {
@@ -416,6 +428,74 @@ export const openApiSchemas = {
     required: ['logs'],
     additionalProperties: true,
   },
+  ContainerStatsSnapshot: {
+    type: 'object',
+    properties: {
+      containerId: { type: 'string' },
+      cpuPercent: { type: 'number', minimum: 0 },
+      memoryUsageBytes: { type: 'number', minimum: 0 },
+      memoryLimitBytes: { type: 'number', minimum: 0 },
+      memoryPercent: { type: 'number', minimum: 0 },
+      networkRxBytes: { type: 'number', minimum: 0 },
+      networkTxBytes: { type: 'number', minimum: 0 },
+      blockReadBytes: { type: 'number', minimum: 0 },
+      blockWriteBytes: { type: 'number', minimum: 0 },
+      timestamp: { type: 'string', format: 'date-time' },
+    },
+    required: [
+      'containerId',
+      'cpuPercent',
+      'memoryUsageBytes',
+      'memoryLimitBytes',
+      'memoryPercent',
+      'networkRxBytes',
+      'networkTxBytes',
+      'blockReadBytes',
+      'blockWriteBytes',
+      'timestamp',
+    ],
+    additionalProperties: false,
+  },
+  ContainerStatsResponse: {
+    type: 'object',
+    properties: {
+      data: {
+        anyOf: [{ $ref: '#/components/schemas/ContainerStatsSnapshot' }, { type: 'null' }],
+      },
+      history: {
+        type: 'array',
+        items: { $ref: '#/components/schemas/ContainerStatsSnapshot' },
+      },
+    },
+    required: ['data', 'history'],
+    additionalProperties: false,
+  },
+  ContainerStatsSummaryItem: {
+    type: 'object',
+    properties: {
+      id: { type: 'string' },
+      name: { type: 'string' },
+      status: { type: ['string', 'null'] },
+      watcher: { type: 'string' },
+      agent: { type: ['string', 'null'] },
+      stats: {
+        anyOf: [{ $ref: '#/components/schemas/ContainerStatsSnapshot' }, { type: 'null' }],
+      },
+    },
+    required: ['id', 'name', 'status', 'watcher', 'agent', 'stats'],
+    additionalProperties: false,
+  },
+  ContainerStatsSummaryResponse: {
+    type: 'object',
+    properties: {
+      data: {
+        type: 'array',
+        items: { $ref: '#/components/schemas/ContainerStatsSummaryItem' },
+      },
+    },
+    required: ['data'],
+    additionalProperties: false,
+  },
   PreviewResponse: {
     type: 'object',
     properties: {
diff --git a/app/api/preview.test.ts b/app/api/preview.test.ts
index 26aec745a..900a9c461 100644
--- a/app/api/preview.test.ts
+++ b/app/api/preview.test.ts
@@ -29,10 +29,6 @@ import * as registry from '../registry/index.js';
 import * as storeContainer from '../store/container.js';
 import * as previewRouter from './preview.js';
 
-function createResponse() {
-  return createMockResponse();
-}
-
 function getHandler(method, path) {
   previewRouter.init();
   const call = mockRouter[method].mock.calls.find((c) => c[0] === path);
@@ -41,7 +37,7 @@ function getHandler(method, path) {
 
 async function callPreview(id = 'c1') {
   const handler = getHandler('post', '/:id/preview');
-  const res = createResponse();
+  const res = createMockResponse();
   await handler({ params: { id } }, res);
   return res;
 }
@@ -72,9 +68,9 @@ describe('Preview Router', () => {
       registry.getState.mockReturnValue({ trigger: {} });
       const res = await callPreview();
       expect(res.status).toHaveBeenCalledWith(404);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: expect.stringContaining('No docker trigger found') }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        error: expect.stringContaining('No docker trigger found'),
+      });
     });
 
     test('should return 404 when triggers exist but none are docker type', async () => {
@@ -122,7 +118,7 @@ describe('Preview Router', () => {
 
       const res = await callPreview();
       expect(res.status).toHaveBeenCalledWith(500);
-      expect(res.json).toHaveBeenCalledWith({ error: 'Error previewing container' });
+      expect(res.json).toHaveBeenCalledWith(expect.objectContaining({ error: expect.any(String) }));
     });
 
     test('should stringify non-Error preview failures', async () => {
@@ -137,7 +133,7 @@ describe('Preview Router', () => {
 
       const res = await callPreview();
       expect(res.status).toHaveBeenCalledWith(500);
-      expect(res.json).toHaveBeenCalledWith({ error: 'Error previewing container' });
+      expect(res.json).toHaveBeenCalledWith(expect.objectContaining({ error: expect.any(String) }));
     });
 
     test('should skip docker triggers with mismatched agent', async () => {
diff --git a/app/api/prometheus.test.ts b/app/api/prometheus.test.ts
index 4894dc13b..06a50ea3d 100644
--- a/app/api/prometheus.test.ts
+++ b/app/api/prometheus.test.ts
@@ -83,4 +83,156 @@ describe('Prometheus Router', () => {
     expect(response.type).toHaveBeenCalledWith('text');
     expect(response.send).toHaveBeenCalledWith('metrics-output');
   });
+
+  describe('bearer token auth (DD_SERVER_METRICS_TOKEN)', () => {
+    const testToken = 'my-secret-metrics-token';
+
+    beforeEach(() => {
+      getServerConfiguration.mockReturnValue({
+        metrics: {
+          auth: true,
+          token: testToken,
+        },
+      });
+    });
+
+    function initMetricsTokenAuth(token = testToken) {
+      getServerConfiguration.mockReturnValue({
+        metrics: {
+          auth: true,
+          token,
+        },
+      });
+
+      prometheusRouter.init();
+    }
+
+    test('should use bearer token middleware when token is configured', () => {
+      const router = prometheusRouter.init();
+
+      expect(passport.authenticate).not.toHaveBeenCalled();
+      expect(router.use).toHaveBeenCalledWith(prometheusRouter.authenticateMetricsToken);
+    });
+
+    test('should return 200 for valid bearer token', () => {
+      initMetricsTokenAuth();
+      const req = { headers: { authorization: `Bearer ${testToken}` } };
+      const res = { status: vi.fn().mockReturnThis(), json: vi.fn() };
+      const next = vi.fn();
+
+      prometheusRouter.authenticateMetricsToken(req, res, next);
+
+      expect(next).toHaveBeenCalled();
+      expect(res.status).not.toHaveBeenCalled();
+    });
+
+    test('should return 401 for invalid bearer token', () => {
+      initMetricsTokenAuth();
+      const req = { headers: { authorization: 'Bearer wrong-token' } };
+      const res = { status: vi.fn().mockReturnThis(), json: vi.fn() };
+      const next = vi.fn();
+
+      prometheusRouter.authenticateMetricsToken(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(401);
+      expect(res.json).toHaveBeenCalledWith({ error: 'Unauthorized' });
+    });
+
+    test('should return 401 when authorization header is missing', () => {
+      initMetricsTokenAuth();
+      const req = { headers: {} };
+      const res = { status: vi.fn().mockReturnThis(), json: vi.fn() };
+      const next = vi.fn();
+
+      prometheusRouter.authenticateMetricsToken(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(401);
+      expect(res.json).toHaveBeenCalledWith({ error: 'Unauthorized' });
+    });
+
+    test('should accept lowercase "bearer" scheme (RFC 7235)', () => {
+      initMetricsTokenAuth();
+      const req = { headers: { authorization: `bearer ${testToken}` } };
+      const res = { status: vi.fn().mockReturnThis(), json: vi.fn() };
+      const next = vi.fn();
+
+      prometheusRouter.authenticateMetricsToken(req, res, next);
+
+      expect(next).toHaveBeenCalled();
+      expect(res.status).not.toHaveBeenCalled();
+    });
+
+    test('should return 401 for wrong auth scheme', () => {
+      initMetricsTokenAuth();
+      const req = { headers: { authorization: `Basic ${testToken}` } };
+      const res = { status: vi.fn().mockReturnThis(), json: vi.fn() };
+      const next = vi.fn();
+
+      prometheusRouter.authenticateMetricsToken(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(401);
+      expect(res.json).toHaveBeenCalledWith({ error: 'Unauthorized' });
+    });
+
+    test('should fall back to passport auth when token is empty string', () => {
+      getServerConfiguration.mockReturnValue({
+        metrics: {
+          auth: true,
+          token: '',
+        },
+      });
+
+      const router = prometheusRouter.init();
+
+      expect(passport.authenticate).toHaveBeenCalledWith(['basic.default']);
+      expect(router.use).toHaveBeenCalledWith('auth-middleware');
+    });
+
+    test('should use timing-safe comparison to prevent timing attacks', () => {
+      initMetricsTokenAuth();
+      // Verify that different-length tokens don't cause crashes or bypass.
+      // The SHA-256 hash normalization ensures buffers are always the same length.
+      const req = { headers: { authorization: 'Bearer x' } };
+      const res = { status: vi.fn().mockReturnThis(), json: vi.fn() };
+      const next = vi.fn();
+
+      prometheusRouter.authenticateMetricsToken(req, res, next);
+
+      expect(next).not.toHaveBeenCalled();
+      expect(res.status).toHaveBeenCalledWith(401);
+    });
+
+    test('should keep using the expected token hash computed during init', () => {
+      const initialToken = 'initial-token';
+      const rotatedToken = 'rotated-token';
+
+      initMetricsTokenAuth(initialToken);
+
+      getServerConfiguration.mockReturnValue({
+        metrics: {
+          auth: true,
+          token: rotatedToken,
+        },
+      });
+
+      const initialReq = { headers: { authorization: `Bearer ${initialToken}` } };
+      const initialRes = { status: vi.fn().mockReturnThis(), json: vi.fn() };
+      const initialNext = vi.fn();
+      prometheusRouter.authenticateMetricsToken(initialReq, initialRes, initialNext);
+
+      const rotatedReq = { headers: { authorization: `Bearer ${rotatedToken}` } };
+      const rotatedRes = { status: vi.fn().mockReturnThis(), json: vi.fn() };
+      const rotatedNext = vi.fn();
+      prometheusRouter.authenticateMetricsToken(rotatedReq, rotatedRes, rotatedNext);
+
+      expect(initialNext).toHaveBeenCalled();
+      expect(initialRes.status).not.toHaveBeenCalled();
+      expect(rotatedNext).not.toHaveBeenCalled();
+      expect(rotatedRes.status).toHaveBeenCalledWith(401);
+      expect(rotatedRes.json).toHaveBeenCalledWith({ error: 'Unauthorized' });
+    });
+  });
 });
diff --git a/app/api/prometheus.ts b/app/api/prometheus.ts
index 1809c90b0..9001384f6 100644
--- a/app/api/prometheus.ts
+++ b/app/api/prometheus.ts
@@ -1,3 +1,5 @@
+import { createHash, timingSafeEqual } from 'node:crypto';
+import type { NextFunction, Request, Response } from 'express';
 import express from 'express';
 import nocache from 'nocache';
 import passport from 'passport';
@@ -10,19 +12,49 @@ import * as auth from './auth.js';
  * @type {Router}
  */
 const router = express.Router();
+let expectedMetricsTokenHash: Buffer | null = null;
+
+function hashMetricsToken(token: string): Buffer {
+  return createHash('sha256').update(token, 'utf8').digest();
+}
 
 /**
  * Return Prometheus Metrics as String.
  * @param req
  * @param res
  */
-async function outputMetrics(req, res) {
+async function outputMetrics(req: Request, res: Response) {
   res
     .status(200)
     .type('text')
     .send(await output());
 }
 
+/**
+ * Authenticate metrics requests via DD_SERVER_METRICS_TOKEN bearer token.
+ * Uses SHA-256 hashing + timingSafeEqual for constant-time comparison.
+ */
+export function authenticateMetricsToken(req: Request, res: Response, next: NextFunction) {
+  const authHeader = req.headers.authorization;
+  if (
+    !authHeader ||
+    !authHeader.toLowerCase().startsWith('bearer ') ||
+    expectedMetricsTokenHash == null
+  ) {
+    res.status(401).json({ error: 'Unauthorized' });
+    return;
+  }
+
+  const token = authHeader.slice(7);
+  const tokenHash = hashMetricsToken(token);
+  if (!timingSafeEqual(tokenHash, expectedMetricsTokenHash)) {
+    res.status(401).json({ error: 'Unauthorized' });
+    return;
+  }
+
+  next();
+}
+
 /**
  * Init Router.
  * @returns {*}
@@ -30,9 +62,15 @@ async function outputMetrics(req, res) {
 export function init() {
   const configuration = getServerConfiguration();
   router.use(nocache());
+  expectedMetricsTokenHash = null;
 
-  if (configuration.metrics?.auth !== false) {
-    // Routes to protect after this line
+  const metricsToken = configuration.metrics?.token;
+  if (typeof metricsToken === 'string' && metricsToken.length > 0) {
+    expectedMetricsTokenHash = hashMetricsToken(metricsToken);
+    // Bearer token auth takes priority when DD_SERVER_METRICS_TOKEN is set
+    router.use(authenticateMetricsToken);
+  } else if (configuration.metrics?.auth !== false) {
+    // Fallback to passport/session auth
     router.use(passport.authenticate(auth.getAllIds()));
   }
 
diff --git a/app/api/rate-limit-key.ts b/app/api/rate-limit-key.ts
index 75fd2ef3d..a4a9dc109 100644
--- a/app/api/rate-limit-key.ts
+++ b/app/api/rate-limit-key.ts
@@ -1,7 +1,8 @@
 import type { Request } from 'express';
 import { ipKeyGenerator, type ValueDeterminingMiddleware } from 'express-rate-limit';
 
-type IdentityAwareRateLimitRequest = Request & {
+export type IdentityAwareRateLimitRequestLike = {
+  ip?: unknown;
   isAuthenticated?: () => boolean;
   sessionID?: unknown;
   user?: {
@@ -17,7 +18,7 @@ function getTrimmedString(value: unknown): string | undefined {
   return trimmed.length > 0 ? trimmed : undefined;
 }
 
-function getIpRateLimitKey(request: Request): string {
+function getIpRateLimitKey(request: Pick<IdentityAwareRateLimitRequestLike, 'ip'>): string {
   const rawRequestIp = request.ip;
   if (rawRequestIp === undefined) {
     return 'ip:unknown';
@@ -31,7 +32,7 @@ function getIpRateLimitKey(request: Request): string {
 }
 
 function getAuthenticatedIdentityRateLimitKey(
-  request: IdentityAwareRateLimitRequest,
+  request: IdentityAwareRateLimitRequestLike,
 ): string | undefined {
   if (typeof request.isAuthenticated !== 'function' || !request.isAuthenticated()) {
     return undefined;
@@ -50,6 +51,12 @@ function getAuthenticatedIdentityRateLimitKey(
   return undefined;
 }
 
+export function getAuthenticatedRouteRateLimitKey(
+  request: IdentityAwareRateLimitRequestLike,
+): string {
+  return getAuthenticatedIdentityRateLimitKey(request) || getIpRateLimitKey(request);
+}
+
 export function createAuthenticatedRouteRateLimitKeyGenerator(
   identityAwareKeyingEnabled: boolean,
 ): ValueDeterminingMiddleware<string> | undefined {
@@ -57,9 +64,7 @@ export function createAuthenticatedRouteRateLimitKeyGenerator(
     return undefined;
   }
 
-  return (request: Request) =>
-    getAuthenticatedIdentityRateLimitKey(request as IdentityAwareRateLimitRequest) ||
-    getIpRateLimitKey(request);
+  return (request: Request) => getAuthenticatedRouteRateLimitKey(request);
 }
 
 export function isIdentityAwareRateLimitKeyingEnabled(
diff --git a/app/api/sse-self-update-ack-protocol.test.ts b/app/api/sse-self-update-ack-protocol.test.ts
index d8457c71b..b0b7e5fea 100644
--- a/app/api/sse-self-update-ack-protocol.test.ts
+++ b/app/api/sse-self-update-ack-protocol.test.ts
@@ -65,12 +65,12 @@ describe('sse-self-update-ack-protocol', () => {
     protocol.acknowledgeSelfUpdate(req, res);
 
     expect(res.status).toHaveBeenCalledWith(202);
-    expect(res.json).toHaveBeenCalledWith(
-      expect.objectContaining({
-        status: 'accepted',
-        operationId: 'op-1',
-      }),
-    );
+    expect(res.json).toHaveBeenCalledWith({
+      status: 'accepted',
+      operationId: 'op-1',
+      ackedClients: 1,
+      clientsAtEmit: 1,
+    });
     await broadcastPromise;
   });
 
@@ -239,13 +239,11 @@ describe('sse-self-update-ack-protocol', () => {
     protocol.acknowledgeSelfUpdate(req, res);
 
     expect(res.status).toHaveBeenCalledWith(403);
-    expect(res.json).toHaveBeenCalledWith(
-      expect.objectContaining({
-        status: 'rejected',
-        operationId: 'op-2',
-        reason: 'client-token-mismatch',
-      }),
-    );
+    expect(res.json).toHaveBeenCalledWith({
+      status: 'rejected',
+      operationId: 'op-2',
+      reason: 'client-token-mismatch',
+    });
 
     protocol.clearPendingSelfUpdateAcks();
     await broadcastPromise;
@@ -281,13 +279,11 @@ describe('sse-self-update-ack-protocol', () => {
     protocol.acknowledgeSelfUpdate(req, res);
 
     expect(res.status).toHaveBeenCalledWith(403);
-    expect(res.json).toHaveBeenCalledWith(
-      expect.objectContaining({
-        status: 'rejected',
-        operationId: 'op-unbound-client',
-        reason: 'client-not-bound-to-operation',
-      }),
-    );
+    expect(res.json).toHaveBeenCalledWith({
+      status: 'rejected',
+      operationId: 'op-unbound-client',
+      reason: 'client-not-bound-to-operation',
+    });
   });
 
   test('sweep removes already-resolved pending acknowledgements', () => {
diff --git a/app/api/sse-self-update-ack-protocol.ts b/app/api/sse-self-update-ack-protocol.ts
index 2de6c855e..2f958bc37 100644
--- a/app/api/sse-self-update-ack-protocol.ts
+++ b/app/api/sse-self-update-ack-protocol.ts
@@ -22,7 +22,7 @@ interface PendingSelfUpdateAck {
   timeoutHandle?: ReturnType<typeof setTimeout>;
 }
 
-export interface SelfUpdateAckProtocolDependencies {
+interface SelfUpdateAckProtocolDependencies {
   clients: Set<FlushableResponse>;
   activeClientRegistry: ActiveSseClientRegistry;
   defaultAckTimeoutMs: number;
diff --git a/app/api/sse.test.ts b/app/api/sse.test.ts
index 22e15f401..1d498a720 100644
--- a/app/api/sse.test.ts
+++ b/app/api/sse.test.ts
@@ -329,12 +329,10 @@ describe('SSE Router', () => {
         expect.stringContaining('event: dd:connected\ndata: {"clientId":"'),
       );
       const connectedPayload = parseSseEventPayload(res, 'dd:connected');
-      expect(connectedPayload).toEqual(
-        expect.objectContaining({
-          clientId: expect.any(String),
-          clientToken: expect.any(String),
-        }),
-      );
+      expect(connectedPayload).toEqual({
+        clientId: expect.any(String),
+        clientToken: expect.any(String),
+      });
       expect(res.flushHeaders).toHaveBeenCalledTimes(1);
       expect(res.flush).toHaveBeenCalledTimes(1);
     });
@@ -813,12 +811,12 @@ describe('SSE Router', () => {
       await broadcastPromise;
 
       expect(jsonRes.status).toHaveBeenCalledWith(202);
-      expect(jsonRes.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          status: 'accepted',
-          operationId: 'op-ack-1',
-        }),
-      );
+      expect(jsonRes.json).toHaveBeenCalledWith({
+        status: 'accepted',
+        operationId: 'op-ack-1',
+        ackedClients: 1,
+        clientsAtEmit: 1,
+      });
       expect(sseRouter._pendingSelfUpdateAcks.has('op-ack-1')).toBe(false);
     });
 
@@ -859,12 +857,11 @@ describe('SSE Router', () => {
       ackHandler(req, jsonRes);
 
       expect(jsonRes.status).toHaveBeenCalledWith(403);
-      expect(jsonRes.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          status: 'rejected',
-          operationId: 'op-ack-invalid',
-        }),
-      );
+      expect(jsonRes.json).toHaveBeenCalledWith({
+        status: 'rejected',
+        operationId: 'op-ack-invalid',
+        reason: 'invalid-or-expired-client-token',
+      });
       expect(sseRouter._pendingSelfUpdateAcks.has('op-ack-invalid')).toBe(true);
 
       vi.advanceTimersByTime(1000);
@@ -929,12 +926,11 @@ describe('SSE Router', () => {
       ackHandler(req, jsonRes);
 
       expect(jsonRes.status).toHaveBeenCalledWith(403);
-      expect(jsonRes.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          status: 'rejected',
-          reason: 'client-not-bound-to-operation',
-        }),
-      );
+      expect(jsonRes.json).toHaveBeenCalledWith({
+        status: 'rejected',
+        operationId: 'op-timing-safe',
+        reason: 'client-not-bound-to-operation',
+      });
       expect(mockTimingSafeEqual).toHaveBeenCalled();
     });
 
@@ -949,12 +945,11 @@ describe('SSE Router', () => {
       ackHandler(req, jsonRes);
 
       expect(jsonRes.status).toHaveBeenCalledWith(202);
-      expect(jsonRes.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          status: 'ignored',
-          operationId: 'unknown-op',
-        }),
-      );
+      expect(jsonRes.json).toHaveBeenCalledWith({
+        status: 'ignored',
+        operationId: 'unknown-op',
+        reason: 'no-pending-ack',
+      });
     });
 
     test('should validate missing clientId', () => {
@@ -1008,12 +1003,11 @@ describe('SSE Router', () => {
       ackHandler(req, jsonRes);
 
       expect(jsonRes.status).toHaveBeenCalledWith(403);
-      expect(jsonRes.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          status: 'rejected',
-          reason: 'invalid-or-expired-client-token',
-        }),
-      );
+      expect(jsonRes.json).toHaveBeenCalledWith({
+        status: 'rejected',
+        operationId: 'op-unknown-client',
+        reason: 'invalid-or-expired-client-token',
+      });
       expect(sseRouter._pendingSelfUpdateAcks.has('op-unknown-client')).toBe(true);
     });
 
@@ -1041,12 +1035,11 @@ describe('SSE Router', () => {
 
       expect(mockTimingSafeEqual).toHaveBeenCalledTimes(1);
       expect(jsonRes.status).toHaveBeenCalledWith(403);
-      expect(jsonRes.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          status: 'rejected',
-          reason: 'invalid-or-expired-client-token',
-        }),
-      );
+      expect(jsonRes.json).toHaveBeenCalledWith({
+        status: 'rejected',
+        operationId: 'op-constant-time',
+        reason: 'invalid-or-expired-client-token',
+      });
     });
   });
 
diff --git a/app/api/trigger.test.ts b/app/api/trigger.test.ts
index fb8b0ae14..4cd8d45ac 100644
--- a/app/api/trigger.test.ts
+++ b/app/api/trigger.test.ts
@@ -41,10 +41,6 @@ import * as registry from '../registry/index.js';
 import * as triggerRouter from './trigger.js';
 import { runTrigger } from './trigger.js';
 
-function createResponse() {
-  return createMockResponse();
-}
-
 function getRemoteTriggerHandler() {
   triggerRouter.init();
   const call = mockRouter.post.mock.calls.find((c) => c[0] === '/:type/:name/:agent');
@@ -73,16 +69,12 @@ describe('Trigger Router', () => {
         params: { type: 'slack', name: 'default' },
         body: undefined,
       };
-      const res = createResponse();
+      const res = createMockResponse();
 
       await runTrigger(req, res);
 
       expect(res.status).toHaveBeenCalledWith(400);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          error: 'Invalid trigger request body',
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: 'Invalid trigger request body' });
     });
 
     test('should return 400 when container id is not a string', async () => {
@@ -90,16 +82,12 @@ describe('Trigger Router', () => {
         params: { type: 'slack', name: 'default' },
         body: { id: 123 },
       };
-      const res = createResponse();
+      const res = createMockResponse();
 
       await runTrigger(req, res);
 
       expect(res.status).toHaveBeenCalledWith(400);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          error: 'Invalid trigger request body',
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: 'Invalid trigger request body' });
     });
 
     test('should return 400 when container has agent (remote)', async () => {
@@ -107,16 +95,14 @@ describe('Trigger Router', () => {
         params: { type: 'slack', name: 'default' },
         body: { id: 'c1', agent: 'remote-agent' },
       };
-      const res = createResponse();
+      const res = createMockResponse();
 
       await runTrigger(req, res);
 
       expect(res.status).toHaveBeenCalledWith(400);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          error: expect.stringContaining('Cannot execute local trigger'),
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        error: 'Cannot execute local trigger slack.default on remote container remote-agent.c1',
+      });
     });
 
     test('should return 404 when trigger not found', async () => {
@@ -126,16 +112,14 @@ describe('Trigger Router', () => {
         params: { type: 'slack', name: 'default' },
         body: { id: 'c1' },
       };
-      const res = createResponse();
+      const res = createMockResponse();
 
       await runTrigger(req, res);
 
       expect(res.status).toHaveBeenCalledWith(404);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          error: expect.stringContaining('trigger not found'),
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        error: 'Error when running trigger slack.default (trigger not found)',
+      });
     });
 
     test('should run trigger successfully', async () => {
@@ -150,7 +134,7 @@ describe('Trigger Router', () => {
         params: { type: 'slack', name: 'default' },
         body: { id: 'c1' },
       };
-      const res = createResponse();
+      const res = createMockResponse();
 
       await runTrigger(req, res);
 
@@ -171,7 +155,7 @@ describe('Trigger Router', () => {
         params: { type: 'slack', name: 'default' },
         body: container,
       };
-      const res = createResponse();
+      const res = createMockResponse();
 
       await runTrigger(req, res);
 
@@ -203,7 +187,7 @@ describe('Trigger Router', () => {
         params: { type: 'slack', name: 'default' },
         body: container,
       };
-      const res = createResponse();
+      const res = createMockResponse();
 
       await runTrigger(req, res);
 
@@ -214,6 +198,29 @@ describe('Trigger Router', () => {
       );
     });
 
+    test('should return 409 when local trigger targets a temporary rollback container', async () => {
+      const mockTrigger = {
+        trigger: vi.fn().mockResolvedValue(undefined),
+      };
+      registry.getState.mockReturnValue({
+        trigger: { 'slack.default': mockTrigger },
+      });
+
+      const req = {
+        params: { type: 'slack', name: 'default' },
+        body: { id: 'c1', name: 'app-old-1234567890' },
+      };
+      const res = createMockResponse();
+
+      await runTrigger(req, res);
+
+      expect(res.status).toHaveBeenCalledWith(409);
+      expect(res.json).toHaveBeenCalledWith({
+        error: 'Cannot update temporary rollback container',
+      });
+      expect(mockTrigger.trigger).not.toHaveBeenCalled();
+    });
+
     test('should return 500 when trigger throws', async () => {
       const mockTrigger = {
         trigger: vi.fn().mockRejectedValue(new Error('trigger failed')),
@@ -226,16 +233,15 @@ describe('Trigger Router', () => {
         params: { type: 'slack', name: 'default' },
         body: { id: 'c1' },
       };
-      const res = createResponse();
+      const res = createMockResponse();
 
       await runTrigger(req, res);
 
       expect(res.status).toHaveBeenCalledWith(500);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          error: 'Error when running trigger slack.default',
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        error: 'Error when running trigger slack.default',
+        details: { reason: 'trigger failed' },
+      });
       expect(mockLog.warn).toHaveBeenCalledWith(expect.stringContaining('trigger failed'));
     });
 
@@ -251,7 +257,7 @@ describe('Trigger Router', () => {
         params: { type: 'slack', name: 'default' },
         body: { id: 'c1' },
       };
-      const res = createResponse();
+      const res = createMockResponse();
 
       await runTrigger(req, res);
 
@@ -272,7 +278,7 @@ describe('Trigger Router', () => {
         params: { type: 'slack', name: 'default' },
         body: { id: 'c1' },
       };
-      const res = createResponse();
+      const res = createMockResponse();
 
       await runTrigger(req, res);
 
@@ -280,6 +286,52 @@ describe('Trigger Router', () => {
       expect(mockGetErrorMessage).toHaveBeenCalledWith({ message: 'trigger failed from object' });
       expect(mockLog.warn).toHaveBeenCalledWith(expect.stringContaining('shared helper message'));
     });
+
+    test('should include error details when trigger execution fails', async () => {
+      const mockTrigger = {
+        trigger: vi.fn().mockRejectedValue(new Error('watcher not found')),
+      };
+      registry.getState.mockReturnValue({
+        trigger: { 'slack.default': mockTrigger },
+      });
+
+      const req = {
+        params: { type: 'slack', name: 'default' },
+        body: { id: 'c1' },
+      };
+      const res = createMockResponse();
+
+      await runTrigger(req, res);
+
+      expect(res.status).toHaveBeenCalledWith(500);
+      expect(res.json).toHaveBeenCalledWith({
+        error: 'Error when running trigger slack.default',
+        details: { reason: 'watcher not found' },
+      });
+    });
+
+    test('should omit trigger error details when helper returns empty message', async () => {
+      const mockTrigger = {
+        trigger: vi.fn().mockRejectedValue(new Error('hidden error')),
+      };
+      registry.getState.mockReturnValue({
+        trigger: { 'slack.default': mockTrigger },
+      });
+      mockGetErrorMessage.mockReturnValueOnce('');
+
+      const req = {
+        params: { type: 'slack', name: 'default' },
+        body: { id: 'c1' },
+      };
+      const res = createMockResponse();
+
+      await runTrigger(req, res);
+
+      const responsePayload = res.json.mock.calls[0][0];
+      expect(res.status).toHaveBeenCalledWith(500);
+      expect(responsePayload.error).toBe('Error when running trigger slack.default');
+      expect(responsePayload.details).toBeUndefined();
+    });
   });
 
   describe('runRemoteTrigger', () => {
@@ -291,16 +343,14 @@ describe('Trigger Router', () => {
         params: { agent: 'unknown', type: 'slack', name: 'default' },
         body: { id: 'c1' },
       };
-      const res = createResponse();
+      const res = createMockResponse();
 
       await handler(req, res);
 
       expect(res.status).toHaveBeenCalledWith(404);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          error: expect.stringContaining('Agent unknown not found'),
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        error: 'Agent unknown not found',
+      });
     });
 
     test('should return 400 when no container in body', async () => {
@@ -311,16 +361,12 @@ describe('Trigger Router', () => {
         params: { agent: 'my-agent', type: 'slack', name: 'default' },
         body: undefined,
       };
-      const res = createResponse();
+      const res = createMockResponse();
 
       await handler(req, res);
 
       expect(res.status).toHaveBeenCalledWith(400);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          error: 'Invalid trigger request body',
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: 'Invalid trigger request body' });
     });
 
     test('should return 400 when container has no id', async () => {
@@ -331,16 +377,12 @@ describe('Trigger Router', () => {
         params: { agent: 'my-agent', type: 'slack', name: 'default' },
         body: { name: 'test' },
       };
-      const res = createResponse();
+      const res = createMockResponse();
 
       await handler(req, res);
 
       expect(res.status).toHaveBeenCalledWith(400);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          error: 'Invalid trigger request body',
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: 'Invalid trigger request body' });
     });
 
     test('should return 400 when container id is not a string', async () => {
@@ -354,16 +396,12 @@ describe('Trigger Router', () => {
         params: { agent: 'my-agent', type: 'slack', name: 'default' },
         body: { id: 123 },
       };
-      const res = createResponse();
+      const res = createMockResponse();
 
       await handler(req, res);
 
       expect(res.status).toHaveBeenCalledWith(400);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          error: 'Invalid trigger request body',
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: 'Invalid trigger request body' });
       expect(mockAgentClient.runRemoteTrigger).not.toHaveBeenCalled();
     });
 
@@ -378,7 +416,7 @@ describe('Trigger Router', () => {
         params: { agent: 'my-agent', type: 'slack', name: 'default' },
         body: { id: 'c1' },
       };
-      const res = createResponse();
+      const res = createMockResponse();
 
       await handler(req, res);
 
@@ -390,6 +428,28 @@ describe('Trigger Router', () => {
       expect(res.status).toHaveBeenCalledWith(200);
     });
 
+    test('should return 409 when remote trigger targets a temporary rollback container', async () => {
+      const mockAgentClient = {
+        runRemoteTrigger: vi.fn().mockResolvedValue(undefined),
+      };
+      agent.getAgent.mockReturnValue(mockAgentClient);
+
+      const handler = getRemoteTriggerHandler();
+      const req = {
+        params: { agent: 'my-agent', type: 'slack', name: 'default' },
+        body: { id: 'c1', name: 'app-old-1234567890' },
+      };
+      const res = createMockResponse();
+
+      await handler(req, res);
+
+      expect(res.status).toHaveBeenCalledWith(409);
+      expect(res.json).toHaveBeenCalledWith({
+        error: 'Cannot update temporary rollback container',
+      });
+      expect(mockAgentClient.runRemoteTrigger).not.toHaveBeenCalled();
+    });
+
     test('should return 500 when remote trigger throws', async () => {
       const mockAgentClient = {
         runRemoteTrigger: vi.fn().mockRejectedValue(new Error('remote error')),
@@ -401,17 +461,157 @@ describe('Trigger Router', () => {
         params: { agent: 'my-agent', type: 'slack', name: 'default' },
         body: { id: 'c1' },
       };
-      const res = createResponse();
+      const res = createMockResponse();
 
       await handler(req, res);
 
       expect(res.status).toHaveBeenCalledWith(500);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({
-          error: 'Error when running remote trigger slack.default on agent my-agent',
-        }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        error: 'Error when running remote trigger slack.default on agent my-agent',
+        details: { reason: 'remote error' },
+      });
       expect(mockLog.warn).toHaveBeenCalledWith(expect.stringContaining('remote error'));
     });
+
+    test('should return generic 500 when remote trigger throws a non-object value', async () => {
+      const mockAgentClient = {
+        runRemoteTrigger: vi.fn().mockRejectedValue('remote error as string'),
+      };
+      agent.getAgent.mockReturnValue(mockAgentClient);
+
+      const handler = getRemoteTriggerHandler();
+      const req = {
+        params: { agent: 'my-agent', type: 'slack', name: 'default' },
+        body: { id: 'c1' },
+      };
+      const res = createMockResponse();
+
+      await handler(req, res);
+
+      expect(res.status).toHaveBeenCalledWith(500);
+      expect(res.json).toHaveBeenCalledWith({
+        error: 'Error when running remote trigger slack.default on agent my-agent',
+        details: { reason: 'remote error as string' },
+      });
+    });
+
+    test('should omit fallback remote error details when helper returns empty message', async () => {
+      const mockAgentClient = {
+        runRemoteTrigger: vi.fn().mockRejectedValue(new Error('remote error')),
+      };
+      agent.getAgent.mockReturnValue(mockAgentClient);
+      mockGetErrorMessage.mockReturnValueOnce('');
+
+      const handler = getRemoteTriggerHandler();
+      const req = {
+        params: { agent: 'my-agent', type: 'slack', name: 'default' },
+        body: { id: 'c1' },
+      };
+      const res = createMockResponse();
+
+      await handler(req, res);
+
+      const responsePayload = res.json.mock.calls[0][0];
+      expect(res.status).toHaveBeenCalledWith(500);
+      expect(responsePayload.error).toBe(
+        'Error when running remote trigger slack.default on agent my-agent',
+      );
+      expect(responsePayload.details).toBeUndefined();
+    });
+
+    test('should ignore remote status codes outside the HTTP error range', async () => {
+      const mockAgentClient = {
+        runRemoteTrigger: vi.fn().mockRejectedValue({
+          message: 'transport failure',
+          response: {
+            status: 200,
+            data: {
+              error: 'Error when running trigger slack.default',
+            },
+          },
+        }),
+      };
+      agent.getAgent.mockReturnValue(mockAgentClient);
+      mockGetErrorMessage.mockReturnValueOnce('transport failure');
+
+      const handler = getRemoteTriggerHandler();
+      const req = {
+        params: { agent: 'my-agent', type: 'slack', name: 'default' },
+        body: { id: 'c1' },
+      };
+      const res = createMockResponse();
+
+      await handler(req, res);
+
+      expect(res.status).toHaveBeenCalledWith(500);
+      expect(res.json).toHaveBeenCalledWith({
+        error: 'Error when running remote trigger slack.default on agent my-agent',
+        details: { reason: 'transport failure' },
+      });
+    });
+
+    test('should fall back to generic error when remote payload is not an object', async () => {
+      const mockAgentClient = {
+        runRemoteTrigger: vi.fn().mockRejectedValue({
+          message: 'Request failed with status code 500',
+          response: {
+            status: 500,
+            data: 'unexpected error payload',
+          },
+        }),
+      };
+      agent.getAgent.mockReturnValue(mockAgentClient);
+      mockGetErrorMessage.mockReturnValueOnce('Request failed with status code 500');
+
+      const handler = getRemoteTriggerHandler();
+      const req = {
+        params: { agent: 'my-agent', type: 'slack', name: 'default' },
+        body: { id: 'c1' },
+      };
+      const res = createMockResponse();
+
+      await handler(req, res);
+
+      expect(res.status).toHaveBeenCalledWith(500);
+      expect(res.json).toHaveBeenCalledWith({
+        error: 'Error when running remote trigger slack.default on agent my-agent',
+        details: { reason: 'Request failed with status code 500' },
+      });
+    });
+
+    test('should propagate remote trigger error status and payload when available', async () => {
+      const mockAgentClient = {
+        runRemoteTrigger: vi.fn().mockRejectedValue({
+          message: 'Request failed with status code 500',
+          response: {
+            status: 500,
+            data: {
+              error: 'Error when running trigger docker.update',
+              details: {
+                reason: 'No watcher found for container c1 (docker.default)',
+              },
+            },
+          },
+        }),
+      };
+      agent.getAgent.mockReturnValue(mockAgentClient);
+
+      const handler = getRemoteTriggerHandler();
+      const req = {
+        params: { agent: 'my-agent', type: 'docker', name: 'update' },
+        body: { id: 'c1' },
+      };
+      const res = createMockResponse();
+
+      await handler(req, res);
+
+      expect(res.status).toHaveBeenCalledWith(500);
+      expect(res.json).toHaveBeenCalledWith({
+        error: 'Error when running trigger docker.update',
+        details: {
+          reason: 'No watcher found for container c1 (docker.default)',
+        },
+      });
+    });
   });
 });
diff --git a/app/api/trigger.ts b/app/api/trigger.ts
index ab1e2a4f4..fa1d118f0 100644
--- a/app/api/trigger.ts
+++ b/app/api/trigger.ts
@@ -5,6 +5,7 @@ import logger from '../log/index.js';
 import { sanitizeLogParam } from '../log/sanitize.js';
 import type { Container } from '../model/container.js';
 import * as registry from '../registry/index.js';
+import Trigger from '../triggers/providers/Trigger.js';
 import { getErrorMessage } from '../util/error.js';
 import * as component from './component.js';
 import { sendErrorResponse } from './error-response.js';
@@ -33,6 +34,11 @@ interface TriggerRequestBody extends Record<string, unknown> {
   updateKind?: TriggerUpdateKind;
 }
 
+interface ErrorResponsePayload {
+  error?: unknown;
+  details?: unknown;
+}
+
 const triggerRequestBodySchema = joi
   .object<TriggerRequestBody>({
     id: joi.string().trim().min(1).required(),
@@ -62,6 +68,45 @@ function validateTriggerRequestBody(body: unknown): {
   };
 }
 
+function getRemoteErrorStatusCode(error: unknown): number | undefined {
+  if (!error || typeof error !== 'object') {
+    return undefined;
+  }
+  const response = (error as { response?: unknown }).response;
+  if (!response || typeof response !== 'object') {
+    return undefined;
+  }
+  const status = (response as { status?: unknown }).status;
+  if (typeof status !== 'number' || status < 400 || status > 599) {
+    return undefined;
+  }
+  return status;
+}
+
+function getRemoteErrorPayload(error: unknown): ErrorResponsePayload | undefined {
+  if (!error || typeof error !== 'object') {
+    return undefined;
+  }
+  const response = (error as { response?: unknown }).response;
+  if (!response || typeof response !== 'object') {
+    return undefined;
+  }
+  const data = (response as { data?: unknown }).data;
+  return data && typeof data === 'object' ? (data as ErrorResponsePayload) : undefined;
+}
+
+function getRemoteErrorMessage(error: unknown): string | undefined {
+  const payload = getRemoteErrorPayload(error);
+  return typeof payload?.error === 'string' ? payload.error : undefined;
+}
+
+function getRemoteErrorDetails(error: unknown): Record<string, unknown> | undefined {
+  const payload = getRemoteErrorPayload(error);
+  return payload?.details && typeof payload.details === 'object'
+    ? (payload.details as Record<string, unknown>)
+    : undefined;
+}
+
 /**
  * Run a specific trigger on a specific container provided in the payload.
  */
@@ -115,6 +160,11 @@ export async function runTrigger(req: Request<RunTriggerParams>, res: Response)
     };
   }
 
+  if (Trigger.isRollbackContainer(containerToTrigger)) {
+    sendErrorResponse(res, 409, 'Cannot update temporary rollback container');
+    return;
+  }
+
   try {
     log.debug(
       `Running trigger ${sanitizeLogParam(triggerType)}.${sanitizeLogParam(triggerName)} (container=${sanitizeLogParam(JSON.stringify(containerToTrigger), 500)})`,
@@ -129,7 +179,10 @@ export async function runTrigger(req: Request<RunTriggerParams>, res: Response)
     log.warn(
       `Error when running trigger ${sanitizeLogParam(triggerType)}.${sanitizeLogParam(triggerName)} (${sanitizeLogParam(errorMessage)})`,
     );
-    sendErrorResponse(res, 500, `Error when running trigger ${triggerType}.${triggerName}`);
+    sendErrorResponse(res, 500, {
+      message: `Error when running trigger ${triggerType}.${triggerName}`,
+      details: errorMessage ? { reason: errorMessage } : undefined,
+    });
   }
 }
 
@@ -155,6 +208,11 @@ async function runRemoteTrigger(req: Request<RunRemoteTriggerParams>, res: Respo
   }
   const containerToTrigger = validationResult.value as unknown as Container;
 
+  if (Trigger.isRollbackContainer(containerToTrigger)) {
+    sendErrorResponse(res, 409, 'Cannot update temporary rollback container');
+    return;
+  }
+
   try {
     await agentClient.runRemoteTrigger(containerToTrigger, triggerType, triggerName);
     log.info(
@@ -166,11 +224,20 @@ async function runRemoteTrigger(req: Request<RunRemoteTriggerParams>, res: Respo
     log.warn(
       `Error when running remote trigger ${sanitizeLogParam(triggerType)}.${sanitizeLogParam(triggerName)} on agent ${sanitizeLogParam(agentName)} (${sanitizeLogParam(errorMessage)})`,
     );
-    sendErrorResponse(
-      res,
-      500,
-      `Error when running remote trigger ${triggerType}.${triggerName} on agent ${agentName}`,
-    );
+    const remoteStatusCode = getRemoteErrorStatusCode(e);
+    const remoteErrorMessage = getRemoteErrorMessage(e);
+    const remoteErrorDetails = getRemoteErrorDetails(e);
+    if (remoteStatusCode && remoteErrorMessage) {
+      sendErrorResponse(res, remoteStatusCode, {
+        message: remoteErrorMessage,
+        details: remoteErrorDetails,
+      });
+      return;
+    }
+    sendErrorResponse(res, 500, {
+      message: `Error when running remote trigger ${triggerType}.${triggerName} on agent ${agentName}`,
+      details: errorMessage ? { reason: errorMessage } : undefined,
+    });
   }
 }
 
diff --git a/app/api/webhook.test.ts b/app/api/webhook.test.ts
index 6da662201..6776dd2b3 100644
--- a/app/api/webhook.test.ts
+++ b/app/api/webhook.test.ts
@@ -163,9 +163,9 @@ describe('Webhook Router', () => {
       middleware(req, res, next);
 
       expect(res.status).toHaveBeenCalledWith(401);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: expect.stringContaining('Missing or invalid') }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        error: expect.stringContaining('Missing or invalid'),
+      });
       expect(next).not.toHaveBeenCalled();
     });
 
@@ -177,9 +177,7 @@ describe('Webhook Router', () => {
       middleware(req, res, next);
 
       expect(res.status).toHaveBeenCalledWith(401);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: expect.stringContaining('Invalid token') }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: expect.stringContaining('Invalid token') });
       expect(next).not.toHaveBeenCalled();
     });
 
@@ -223,9 +221,7 @@ describe('Webhook Router', () => {
       middleware(req, res, next);
 
       expect(res.status).toHaveBeenCalledWith(403);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: expect.stringContaining('disabled') }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: expect.stringContaining('disabled') });
       expect(next).not.toHaveBeenCalled();
     });
 
@@ -246,9 +242,7 @@ describe('Webhook Router', () => {
       middleware(req, res, next);
 
       expect(res.status).toHaveBeenCalledWith(500);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: expect.stringContaining('misconfigured') }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: expect.stringContaining('misconfigured') });
       expect(next).not.toHaveBeenCalled();
     });
 
@@ -398,9 +392,7 @@ describe('Webhook Router', () => {
       middleware(req, res, next);
 
       expect(res.status).toHaveBeenCalledWith(500);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: expect.stringContaining('misconfigured') }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: expect.stringContaining('misconfigured') });
       expect(next).not.toHaveBeenCalled();
     });
 
@@ -449,9 +441,7 @@ describe('Webhook Router', () => {
       middleware(req, res, next);
 
       expect(res.status).toHaveBeenCalledWith(500);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: expect.stringContaining('misconfigured') }),
-      );
+      expect(res.json).toHaveBeenCalledWith({ error: expect.stringContaining('misconfigured') });
       expect(next).not.toHaveBeenCalled();
     });
   });
@@ -1024,9 +1014,30 @@ describe('Webhook Router', () => {
       await handler(req, res);
 
       expect(res.status).toHaveBeenCalledWith(404);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: expect.stringContaining('No docker trigger found') }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        error: expect.stringContaining('No docker trigger found'),
+      });
+    });
+
+    test('should return 409 when update targets a temporary rollback container', async () => {
+      const container = { name: 'my-nginx-old-1234567890', image: { name: 'nginx' } };
+      mockGetContainers.mockReturnValue([container]);
+      const mockTrigger = vi.fn().mockResolvedValue(undefined);
+      mockGetState.mockReturnValue({
+        watcher: {},
+        trigger: { 'docker.default': { type: 'docker', trigger: mockTrigger } },
+      });
+
+      const handler = getHandler('post', '/update/:containerName');
+      const req = createMockRequest({ params: { containerName: 'my-nginx-old-1234567890' } });
+      const res = createMockResponse();
+      await handler(req, res);
+
+      expect(res.status).toHaveBeenCalledWith(409);
+      expect(res.json).toHaveBeenCalledWith({
+        error: 'Cannot update temporary rollback container',
+      });
+      expect(mockTrigger).not.toHaveBeenCalled();
     });
 
     test('should trigger update and return 200', async () => {
@@ -1253,9 +1264,9 @@ describe('Webhook Router', () => {
       await handler(req, res);
 
       expect(res.status).toHaveBeenCalledWith(404);
-      expect(res.json).toHaveBeenCalledWith(
-        expect.objectContaining({ error: expect.stringContaining('No docker trigger found') }),
-      );
+      expect(res.json).toHaveBeenCalledWith({
+        error: expect.stringContaining('No docker trigger found'),
+      });
     });
   });
 });
diff --git a/app/api/webhook.ts b/app/api/webhook.ts
index 909b2bda2..f2e568bcf 100644
--- a/app/api/webhook.ts
+++ b/app/api/webhook.ts
@@ -8,6 +8,7 @@ import { sanitizeLogParam } from '../log/sanitize.js';
 import { getWebhookCounter } from '../prometheus/webhook.js';
 import * as registry from '../registry/index.js';
 import * as storeContainer from '../store/container.js';
+import Trigger from '../triggers/providers/Trigger.js';
 import { getErrorMessage } from '../util/error.js';
 import { ddWebhookEnabled, wudWebhookEnabled } from '../watchers/providers/docker/label.js';
 import { recordAuditEvent } from './audit-events.js';
@@ -281,6 +282,11 @@ async function updateContainer(req: Request, res: Response) {
     return;
   }
 
+  if (Trigger.isRollbackContainer(container)) {
+    sendErrorResponse(res, 409, 'Cannot update temporary rollback container');
+    return;
+  }
+
   try {
     await trigger.trigger(container);
 
diff --git a/app/api/webhooks.test.ts b/app/api/webhooks.test.ts
new file mode 100644
index 000000000..e9a1f23ba
--- /dev/null
+++ b/app/api/webhooks.test.ts
@@ -0,0 +1,31 @@
+const { mockRouter, mockRegistryRouterInit } = vi.hoisted(() => ({
+  mockRouter: {
+    use: vi.fn(),
+  },
+  mockRegistryRouterInit: vi.fn(() => 'registry-webhook-router'),
+}));
+
+vi.mock('express', () => ({
+  default: {
+    Router: vi.fn(() => mockRouter),
+  },
+}));
+
+vi.mock('./webhooks/registry.js', () => ({
+  init: mockRegistryRouterInit,
+}));
+
+import * as webhooksRouter from './webhooks.js';
+
+describe('api/webhooks', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  test('mounts the registry webhook sub-router', () => {
+    webhooksRouter.init();
+
+    expect(mockRegistryRouterInit).toHaveBeenCalledTimes(1);
+    expect(mockRouter.use).toHaveBeenCalledWith('/registry', 'registry-webhook-router');
+  });
+});
diff --git a/app/api/webhooks.ts b/app/api/webhooks.ts
new file mode 100644
index 000000000..93e06001a
--- /dev/null
+++ b/app/api/webhooks.ts
@@ -0,0 +1,8 @@
+import express from 'express';
+import * as registryWebhookRouter from './webhooks/registry.js';
+
+export function init() {
+  const router = express.Router();
+  router.use('/registry', registryWebhookRouter.init());
+  return router;
+}
diff --git a/app/api/webhooks/parsers/acr.test.ts b/app/api/webhooks/parsers/acr.test.ts
new file mode 100644
index 000000000..f17297d08
--- /dev/null
+++ b/app/api/webhooks/parsers/acr.test.ts
@@ -0,0 +1,75 @@
+import { parseAcrWebhookPayload } from './acr.js';
+
+describe('parseAcrWebhookPayload', () => {
+  test('extracts image and tag from Event Grid image push payload', () => {
+    const payload = {
+      eventType: 'Microsoft.ContainerRegistry.ImagePushed',
+      data: {
+        target: {
+          repository: 'team/api',
+          tag: '1.4.0',
+        },
+      },
+      subject: 'team/api:1.4.0',
+    };
+
+    expect(parseAcrWebhookPayload(payload)).toStrictEqual([
+      {
+        image: 'team/api',
+        tag: '1.4.0',
+      },
+    ]);
+  });
+
+  test('extracts repository/tag from subject when target fields are missing', () => {
+    const payload = [
+      {
+        eventType: 'Microsoft.ContainerRegistry.ImagePushed',
+        data: {
+          target: {},
+        },
+        subject: 'apps/web:latest',
+      },
+    ];
+
+    expect(parseAcrWebhookPayload(payload)).toStrictEqual([
+      {
+        image: 'apps/web',
+        tag: 'latest',
+      },
+    ]);
+  });
+
+  test('returns empty list for non-image push events', () => {
+    const payload = {
+      eventType: 'Microsoft.ContainerRegistry.ImageDeleted',
+      data: {
+        target: {
+          repository: 'team/api',
+          tag: 'old',
+        },
+      },
+    };
+
+    expect(parseAcrWebhookPayload(payload)).toStrictEqual([]);
+  });
+
+  test('returns empty list when tag cannot be resolved', () => {
+    const payload = {
+      eventType: 'Microsoft.ContainerRegistry.ImagePushed',
+      data: {
+        target: {
+          repository: 'team/api',
+        },
+      },
+      subject: 'team/api',
+    };
+
+    expect(parseAcrWebhookPayload(payload)).toStrictEqual([]);
+  });
+
+  test('returns empty list for non-object payload entries', () => {
+    expect(parseAcrWebhookPayload('not-an-event')).toStrictEqual([]);
+    expect(parseAcrWebhookPayload([null, 42, 'bad-entry'])).toStrictEqual([]);
+  });
+});
diff --git a/app/api/webhooks/parsers/acr.ts b/app/api/webhooks/parsers/acr.ts
new file mode 100644
index 000000000..83af304e0
--- /dev/null
+++ b/app/api/webhooks/parsers/acr.ts
@@ -0,0 +1,27 @@
+import { asNonEmptyString, asRecord, splitSubjectImageAndTag, toEventList } from './shared.js';
+import type { RegistryWebhookReference } from './types.js';
+
+export function parseAcrWebhookPayload(payload: unknown): RegistryWebhookReference[] {
+  const events = toEventList(payload);
+
+  return events
+    .map((event) => {
+      const eventType = asNonEmptyString(event.eventType);
+      if (eventType !== 'Microsoft.ContainerRegistry.ImagePushed') {
+        return undefined;
+      }
+
+      const data = asRecord(event.data);
+      const target = asRecord(data?.target);
+
+      const subjectReference = splitSubjectImageAndTag(event.subject);
+      const image = asNonEmptyString(target?.repository) || subjectReference?.image;
+      const tag = asNonEmptyString(target?.tag) || subjectReference?.tag;
+      if (!image || !tag) {
+        return undefined;
+      }
+
+      return { image, tag };
+    })
+    .filter((reference): reference is RegistryWebhookReference => Boolean(reference));
+}
diff --git a/app/api/webhooks/parsers/docker-hub.test.ts b/app/api/webhooks/parsers/docker-hub.test.ts
new file mode 100644
index 000000000..6f96bdd1f
--- /dev/null
+++ b/app/api/webhooks/parsers/docker-hub.test.ts
@@ -0,0 +1,67 @@
+import { parseDockerHubWebhookPayload } from './docker-hub.js';
+
+describe('parseDockerHubWebhookPayload', () => {
+  test('extracts repo_name and tag from Docker Hub payload', () => {
+    const payload = {
+      repository: {
+        repo_name: 'codeswhat/drydock',
+      },
+      push_data: {
+        tag: '1.5.0',
+      },
+    };
+
+    expect(parseDockerHubWebhookPayload(payload)).toStrictEqual([
+      {
+        image: 'codeswhat/drydock',
+        tag: '1.5.0',
+      },
+    ]);
+  });
+
+  test('falls back to namespace/name when repo_name is missing', () => {
+    const payload = {
+      repository: {
+        namespace: 'library',
+        name: 'nginx',
+      },
+      push_data: {
+        tag: 'latest',
+      },
+    };
+
+    expect(parseDockerHubWebhookPayload(payload)).toStrictEqual([
+      {
+        image: 'library/nginx',
+        tag: 'latest',
+      },
+    ]);
+  });
+
+  test('returns an empty list when tag is missing', () => {
+    const payload = {
+      repository: {
+        repo_name: 'codeswhat/drydock',
+      },
+      push_data: {},
+    };
+
+    expect(parseDockerHubWebhookPayload(payload)).toStrictEqual([]);
+  });
+
+  test('returns an empty list when repository name cannot be resolved', () => {
+    const payload = {
+      repository: {},
+      push_data: {
+        tag: 'latest',
+      },
+    };
+
+    expect(parseDockerHubWebhookPayload(payload)).toStrictEqual([]);
+  });
+
+  test('returns an empty list for non-object payloads', () => {
+    expect(parseDockerHubWebhookPayload(undefined)).toStrictEqual([]);
+    expect(parseDockerHubWebhookPayload('invalid')).toStrictEqual([]);
+  });
+});
diff --git a/app/api/webhooks/parsers/docker-hub.ts b/app/api/webhooks/parsers/docker-hub.ts
new file mode 100644
index 000000000..a89d3684e
--- /dev/null
+++ b/app/api/webhooks/parsers/docker-hub.ts
@@ -0,0 +1,30 @@
+import { asNonEmptyString, asRecord } from './shared.js';
+import type { RegistryWebhookReference } from './types.js';
+
+export function parseDockerHubWebhookPayload(payload: unknown): RegistryWebhookReference[] {
+  const root = asRecord(payload);
+  if (!root) {
+    return [];
+  }
+
+  const repository = asRecord(root.repository);
+  const pushData = asRecord(root.push_data);
+
+  const tag = asNonEmptyString(pushData?.tag);
+  if (!tag) {
+    return [];
+  }
+
+  const repositoryName =
+    asNonEmptyString(repository?.repo_name) ||
+    [asNonEmptyString(repository?.namespace), asNonEmptyString(repository?.name)]
+      .filter((part): part is string => Boolean(part))
+      .join('/');
+
+  const image = asNonEmptyString(repositoryName);
+  if (!image) {
+    return [];
+  }
+
+  return [{ image, tag }];
+}
diff --git a/app/api/webhooks/parsers/ecr.test.ts b/app/api/webhooks/parsers/ecr.test.ts
new file mode 100644
index 000000000..c4e5289d3
--- /dev/null
+++ b/app/api/webhooks/parsers/ecr.test.ts
@@ -0,0 +1,90 @@
+import { parseEcrEventBridgePayload } from './ecr.js';
+
+describe('parseEcrEventBridgePayload', () => {
+  test('extracts repository and tag from a successful ECR push event', () => {
+    const payload = {
+      source: 'aws.ecr',
+      'detail-type': 'ECR Image Action',
+      detail: {
+        'action-type': 'PUSH',
+        result: 'SUCCESS',
+        'repository-name': 'backend/api',
+        'image-tag': '1.2.3',
+      },
+    };
+
+    expect(parseEcrEventBridgePayload(payload)).toStrictEqual([
+      {
+        image: 'backend/api',
+        tag: '1.2.3',
+      },
+    ]);
+  });
+
+  test('supports EventBridge event arrays', () => {
+    const payload = [
+      {
+        source: 'aws.ecr',
+        'detail-type': 'ECR Image Action',
+        detail: {
+          'action-type': 'PUSH',
+          result: 'SUCCESS',
+          'repository-name': 'backend/api',
+          'image-tag': 'latest',
+        },
+      },
+    ];
+
+    expect(parseEcrEventBridgePayload(payload)).toStrictEqual([
+      {
+        image: 'backend/api',
+        tag: 'latest',
+      },
+    ]);
+  });
+
+  test('returns empty list for non-push or failed actions', () => {
+    const failedPayload = {
+      source: 'aws.ecr',
+      'detail-type': 'ECR Image Action',
+      detail: {
+        'action-type': 'PUSH',
+        result: 'FAILED',
+        'repository-name': 'backend/api',
+        'image-tag': '1.2.3',
+      },
+    };
+    const deletePayload = {
+      source: 'aws.ecr',
+      'detail-type': 'ECR Image Action',
+      detail: {
+        'action-type': 'DELETE',
+        result: 'SUCCESS',
+        'repository-name': 'backend/api',
+        'image-tag': '1.2.3',
+      },
+    };
+
+    expect(parseEcrEventBridgePayload(failedPayload)).toStrictEqual([]);
+    expect(parseEcrEventBridgePayload(deletePayload)).toStrictEqual([]);
+  });
+
+  test('returns empty list when image tag is missing', () => {
+    const payload = {
+      source: 'aws.ecr',
+      'detail-type': 'ECR Image Action',
+      detail: {
+        'action-type': 'PUSH',
+        result: 'SUCCESS',
+        'repository-name': 'backend/api',
+      },
+    };
+
+    expect(parseEcrEventBridgePayload(payload)).toStrictEqual([]);
+  });
+
+  test('returns empty list for non-object payload entries', () => {
+    expect(parseEcrEventBridgePayload('not-an-event')).toStrictEqual([]);
+    expect(parseEcrEventBridgePayload([null, 1, 'bad-entry'])).toStrictEqual([]);
+  });
+});
diff --git a/app/api/webhooks/parsers/ecr.ts b/app/api/webhooks/parsers/ecr.ts
new file mode 100644
index 000000000..e90032534
--- /dev/null
+++ b/app/api/webhooks/parsers/ecr.ts
@@ -0,0 +1,31 @@
+import { asNonEmptyString, asRecord, toEventList } from './shared.js';
+import type { RegistryWebhookReference } from './types.js';
+
+export function parseEcrEventBridgePayload(payload: unknown): RegistryWebhookReference[] {
+  const events = toEventList(payload);
+
+  return events
+    .map((event) => {
+      const source = asNonEmptyString(event.source);
+      const detailType = asNonEmptyString(event['detail-type']);
+      if (source !== 'aws.ecr' || detailType !== 'ECR Image Action') {
+        return undefined;
+      }
+
+      const detail = asRecord(event.detail);
+      const actionType = asNonEmptyString(detail?.['action-type']);
+      const result = asNonEmptyString(detail?.result);
+      if (actionType !== 'PUSH' || result !== 'SUCCESS') {
+        return undefined;
+      }
+
+      const image = asNonEmptyString(detail?.['repository-name']);
+      const tag = asNonEmptyString(detail?.['image-tag']);
+      if (!image || !tag) {
+        return undefined;
+      }
+
+      return { image, tag };
+    })
+    .filter((reference): reference is RegistryWebhookReference => Boolean(reference));
+}
diff --git a/app/api/webhooks/parsers/ghcr.test.ts b/app/api/webhooks/parsers/ghcr.test.ts
new file mode 100644
index 000000000..95b9841b1
--- /dev/null
+++ b/app/api/webhooks/parsers/ghcr.test.ts
@@ -0,0 +1,129 @@
+import { parseGhcrWebhookPayload } from './ghcr.js';
+
+describe('parseGhcrWebhookPayload', () => {
+  test('returns empty list for non-object payloads', () => {
+    expect(parseGhcrWebhookPayload(undefined)).toStrictEqual([]);
+    expect(parseGhcrWebhookPayload('bad payload')).toStrictEqual([]);
+  });
+
+  test('extracts image references from registry_package.metadata.container.tags', () => {
+    const payload = {
+      action: 'published',
+      registry_package: {
+        package_type: 'container',
+        namespace: 'codeswhat',
+        name: 'drydock',
+        package_version: {
+          metadata: {
+            container: {
+              tags: ['1.5.0', 'latest'],
+            },
+          },
+        },
+      },
+    };
+
+    expect(parseGhcrWebhookPayload(payload)).toStrictEqual([
+      {
+        image: 'codeswhat/drydock',
+        tag: '1.5.0',
+      },
+      {
+        image: 'codeswhat/drydock',
+        tag: 'latest',
+      },
+    ]);
+  });
+
+  test('extracts tags from container_metadata.tags fallback', () => {
+    const payload = {
+      registry_package: {
+        package_type: 'container',
+        namespace: 'codeswhat',
+        name: 'drydock',
+        package_version: {
+          container_metadata: {
+            tags: ['stable'],
+          },
+        },
+      },
+    };
+
+    expect(parseGhcrWebhookPayload(payload)).toStrictEqual([
+      {
+        image: 'codeswhat/drydock',
+        tag: 'stable',
+      },
+    ]);
+  });
+
+  test('keeps image names that already include namespace', () => {
+    const payload = {
+      registry_package: {
+        package_type: 'container',
+        namespace: 'codeswhat',
+        name: 'codeswhat/drydock',
+        package_version: {
+          container_metadata: {
+            tags: ['stable'],
+          },
+        },
+      },
+    };
+
+    expect(parseGhcrWebhookPayload(payload)).toStrictEqual([
+      {
+        image: 'codeswhat/drydock',
+        tag: 'stable',
+      },
+    ]);
+  });
+
+  test('returns empty list when package type is not container', () => {
+    const payload = {
+      registry_package: {
+        package_type: 'npm',
+        namespace: 'codeswhat',
+        name: 'drydock',
+        package_version: {
+          metadata: {
+            container: {
+              tags: ['1.5.0'],
+            },
+          },
+        },
+      },
+    };
+
+    expect(parseGhcrWebhookPayload(payload)).toStrictEqual([]);
+  });
+
+  test('returns empty list when tags are not available', () => {
+    const payload = {
+      registry_package: {
+        package_type: 'container',
+        namespace: 'codeswhat',
+        name: 'drydock',
+        package_version: {},
+      },
+    };
+
+    expect(parseGhcrWebhookPayload(payload)).toStrictEqual([]);
+  });
+
+  test('returns empty list when package image name is missing', () => {
+    const payload = {
+      registry_package: {
+        package_type: 'container',
+        namespace: 'codeswhat',
+        package_version: {
+          container_metadata: {
+            tags: ['latest'],
+          },
+        },
+      },
+    };
+
+    expect(parseGhcrWebhookPayload(payload)).toStrictEqual([]);
+  });
+});
diff --git a/app/api/webhooks/parsers/ghcr.ts b/app/api/webhooks/parsers/ghcr.ts
new file mode 100644
index 000000000..bc0d620e0
--- /dev/null
+++ b/app/api/webhooks/parsers/ghcr.ts
@@ -0,0 +1,58 @@
+import { asNonEmptyString, asRecord, asStringArray, uniqStrings } from './shared.js';
+import type { RegistryWebhookReference } from './types.js';
+
+function resolveTags(packageVersion: Record<string, unknown> | undefined): string[] {
+  const metadata = asRecord(packageVersion?.metadata);
+  const metadataContainer = asRecord(metadata?.container);
+  const containerMetadata = asRecord(packageVersion?.container_metadata);
+  const tagObject = asRecord(containerMetadata?.tag);
+
+  return uniqStrings([
+    ...asStringArray(metadataContainer?.tags),
+    ...asStringArray(containerMetadata?.tags),
+    ...asStringArray(tagObject?.tags),
+    asNonEmptyString(tagObject?.name) || '',
+  ]).filter((tag) => tag !== '');
+}
+
+function resolveImage(packageData: Record<string, unknown>): string | undefined {
+  const imageName = asNonEmptyString(packageData.name);
+  const namespace = asNonEmptyString(packageData.namespace);
+  if (!imageName) {
+    return undefined;
+  }
+  if (!namespace || imageName.startsWith(`${namespace}/`)) {
+    return imageName;
+  }
+  return `${namespace}/${imageName}`;
+}
+
+export function parseGhcrWebhookPayload(payload: unknown): RegistryWebhookReference[] {
+  const root = asRecord(payload);
+  if (!root) {
+    return [];
+  }
+
+  const registryPackage = asRecord(root.registry_package);
+  if (!registryPackage) {
+    return [];
+  }
+
+  const packageType = asNonEmptyString(registryPackage.package_type);
+  if (packageType && packageType.toLowerCase() !== 'container') {
+    return [];
+  }
+
+  const image = resolveImage(registryPackage);
+  if (!image) {
+    return [];
+  }
+
+  const packageVersion = asRecord(registryPackage.package_version);
+  const tags = resolveTags(packageVersion);
+  if (tags.length === 0) {
+    return [];
+  }
+
+  return tags.map((tag) => ({ image, tag }));
+}
diff --git a/app/api/webhooks/parsers/harbor.test.ts b/app/api/webhooks/parsers/harbor.test.ts
new file mode 100644
index 000000000..477edc9a9
--- /dev/null
+++ b/app/api/webhooks/parsers/harbor.test.ts
@@ -0,0 +1,93 @@
+import { parseHarborWebhookPayload } from './harbor.js';
+
+describe('parseHarborWebhookPayload', () => {
+  test('extracts repository + tags from Harbor PUSH_ARTIFACT payload', () => {
+    const payload = {
+      type: 'PUSH_ARTIFACT',
+      event_data: {
+        repository: {
+          repo_full_name: 'project/api',
+        },
+        resources: [{ tag: '1.2.3' }, { tag: 'latest' }],
+      },
+    };
+
+    expect(parseHarborWebhookPayload(payload)).toStrictEqual([
+      {
+        image: 'project/api',
+        tag: '1.2.3',
+      },
+      {
+        image: 'project/api',
+        tag: 'latest',
+      },
+    ]);
+  });
+
+  test('falls back to resource_url when repository info is missing', () => {
+    const payload = {
+      event_data: {
+        resources: [
+          {
+            tag: '2.0.0',
+            resource_url: 'harbor.example.com/team/service:2.0.0',
+          },
+        ],
+      },
+    };
+
+    expect(parseHarborWebhookPayload(payload)).toStrictEqual([
+      {
+        image: 'team/service',
+        tag: '2.0.0',
+      },
+    ]);
+  });
+
+  test('returns empty list when resource tags are missing', () => {
+    const payload = {
+      event_data: {
+        repository: {
+          repo_full_name: 'project/api',
+        },
+        resources: [{}],
+      },
+    };
+
+    expect(parseHarborWebhookPayload(payload)).toStrictEqual([]);
+  });
+
+  test('drops tagged resources when image cannot be resolved', () => {
+    const payload = {
+      event_data: {
+        resources: [
+          {
+            tag: '2.0.0',
+          },
+        ],
+      },
+    };
+
+    expect(parseHarborWebhookPayload(payload)).toStrictEqual([]);
+  });
+
+  test('returns empty list for invalid payloads', () => {
+    expect(parseHarborWebhookPayload(undefined)).toStrictEqual([]);
+    expect(parseHarborWebhookPayload('bad')).toStrictEqual([]);
+  });
+
+  test('returns empty list when Harbor resources payload is not an array', () => {
+    const payload = {
+      event_data: {
+        repository: {
+          repo_full_name: 'project/api',
+        },
+        resources: {
+          tag: '1.0.0',
+        },
+      },
+    };
+
+    expect(parseHarborWebhookPayload(payload)).toStrictEqual([]);
+  });
+});
diff --git a/app/api/webhooks/parsers/harbor.ts b/app/api/webhooks/parsers/harbor.ts
new file mode 100644
index 000000000..06bb69e45
--- /dev/null
+++ b/app/api/webhooks/parsers/harbor.ts
@@ -0,0 +1,40 @@
+import { asNonEmptyString, asRecord, extractImageFromRepositoryUrl } from './shared.js';
+import type { RegistryWebhookReference } from './types.js';
+
+export function parseHarborWebhookPayload(payload: unknown): RegistryWebhookReference[] {
+  const root = asRecord(payload);
+  if (!root) {
+    return [];
+  }
+
+  const eventData = asRecord(root.event_data);
+  if (!eventData) {
+    return [];
+  }
+
+  const repository = asRecord(eventData.repository);
+  const fallbackImage = asNonEmptyString(repository?.repo_full_name);
+  const resources = Array.isArray(eventData.resources)
+    ? eventData.resources.filter((resource) => resource && typeof resource === 'object')
+    : [];
+
+  return resources
+    .map((resource) => {
+      const resourceRecord = asRecord(resource);
+      const tag = asNonEmptyString(resourceRecord?.tag);
+      if (!tag) {
+        return undefined;
+      }
+
+      const image =
+        fallbackImage ||
+        extractImageFromRepositoryUrl(resourceRecord?.resource_url) ||
+        asNonEmptyString(resourceRecord?.repository);
+      if (!image) {
+        return undefined;
+      }
+
+      return { image, tag };
+    })
+    .filter((reference): reference is RegistryWebhookReference => Boolean(reference));
+}
diff --git a/app/api/webhooks/parsers/index.test.ts b/app/api/webhooks/parsers/index.test.ts
new file mode 100644
index 000000000..6ffee6c06
--- /dev/null
+++ b/app/api/webhooks/parsers/index.test.ts
@@ -0,0 +1,41 @@
+import { parseRegistryWebhookPayload } from './index.js';
+
+describe('parseRegistryWebhookPayload', () => {
+  test('detects Docker Hub payloads', () => {
+    const payload = {
+      repository: {
+        repo_name: 'codeswhat/drydock',
+      },
+      push_data: {
+        tag: '1.5.0',
+      },
+    };
+
+    expect(parseRegistryWebhookPayload(payload)).toStrictEqual({
+      provider: 'dockerhub',
+      references: [{ image: 'codeswhat/drydock', tag: '1.5.0' }],
+    });
+  });
+
+  test('detects ECR EventBridge payloads', () => {
+    const payload = {
+      source: 'aws.ecr',
+      'detail-type': 'ECR Image Action',
+      detail: {
+        'action-type': 'PUSH',
+        result: 'SUCCESS',
+        'repository-name': 'backend/api',
+        'image-tag': 'latest',
+      },
+    };
+
+    expect(parseRegistryWebhookPayload(payload)).toStrictEqual({
+      provider: 'ecr',
+      references: [{ image: 'backend/api', tag: 'latest' }],
+    });
+  });
+
+  test('returns undefined when the payload does not match a supported format', () => {
+    expect(parseRegistryWebhookPayload({ unsupported: true })).toBeUndefined();
+  });
+});
diff --git a/app/api/webhooks/parsers/index.ts b/app/api/webhooks/parsers/index.ts
new file mode 100644
index 000000000..5d124149e
--- /dev/null
+++ b/app/api/webhooks/parsers/index.ts
@@ -0,0 +1,55 @@
+import { parseAcrWebhookPayload } from './acr.js';
+import { parseDockerHubWebhookPayload } from './docker-hub.js';
+import { parseEcrEventBridgePayload } from './ecr.js';
+import { parseGhcrWebhookPayload } from './ghcr.js';
+import { parseHarborWebhookPayload } from './harbor.js';
+import { parseQuayWebhookPayload } from './quay.js';
+import type { RegistryWebhookParseResult, RegistryWebhookReference } from './types.js';
+
+interface RegistryWebhookParser {
+  provider: RegistryWebhookParseResult['provider'];
+  parse: (payload: unknown) => RegistryWebhookReference[];
+}
+
+const parsers: RegistryWebhookParser[] = [
+  {
+    provider: 'dockerhub',
+    parse: parseDockerHubWebhookPayload,
+  },
+  {
+    provider: 'ghcr',
+    parse: parseGhcrWebhookPayload,
+  },
+  {
+    provider: 'harbor',
+    parse: parseHarborWebhookPayload,
+  },
+  {
+    provider: 'quay',
+    parse: parseQuayWebhookPayload,
+  },
+  {
+    provider: 'acr',
+    parse: parseAcrWebhookPayload,
+  },
+  {
+    provider: 'ecr',
+    parse: parseEcrEventBridgePayload,
+  },
+];
+
+export function parseRegistryWebhookPayload(
+  payload: unknown,
+): RegistryWebhookParseResult | undefined {
+  for (const parser of parsers) {
+    const references = parser.parse(payload);
+    if (references.length > 0) {
+      return {
+        provider: parser.provider,
+        references,
+      };
+    }
+  }
+
+  return undefined;
+}
diff --git a/app/api/webhooks/parsers/quay.test.ts b/app/api/webhooks/parsers/quay.test.ts
new file mode 100644
index 000000000..5d4aa1371
--- /dev/null
+++ b/app/api/webhooks/parsers/quay.test.ts
@@ -0,0 +1,58 @@
+import { parseQuayWebhookPayload } from './quay.js';
+
+describe('parseQuayWebhookPayload', () => {
+  test('extracts repository and updated_tags from Quay payload', () => {
+    const payload = {
+      repository: 'org/service',
+      updated_tags: ['1.0.0', 'latest'],
+    };
+
+    expect(parseQuayWebhookPayload(payload)).toStrictEqual([
+      {
+        image: 'org/service',
+        tag: '1.0.0',
+      },
+      {
+        image: 'org/service',
+        tag: 'latest',
+      },
+    ]);
+  });
+
+  test('falls back to docker_url when repository is unavailable', () => {
+    const payload = {
+      docker_url: 'quay.io/codeswhat/drydock',
+      updated_tags: ['stable'],
+    };
+
+    expect(parseQuayWebhookPayload(payload)).toStrictEqual([
+      {
+        image: 'codeswhat/drydock',
+        tag: 'stable',
+      },
+    ]);
+  });
+
+  test('returns empty list when updated_tags is missing', () => {
+    const payload = {
+      repository: 'org/service',
+    };
+
+    expect(parseQuayWebhookPayload(payload)).toStrictEqual([]);
+  });
+
+  test('returns empty list when image cannot be resolved', () => {
+    const payload = {
+      updated_tags: ['latest'],
+      docker_url: 'https://',
+      homepage: 'http://',
+    };
+
+    expect(parseQuayWebhookPayload(payload)).toStrictEqual([]);
+  });
+
+  test('returns empty list for non-object payloads', () => {
+    expect(parseQuayWebhookPayload(undefined)).toStrictEqual([]);
+    expect(parseQuayWebhookPayload(false)).toStrictEqual([]);
+  });
+});
diff --git a/app/api/webhooks/parsers/quay.ts b/app/api/webhooks/parsers/quay.ts
new file mode 100644
index 000000000..4fea30972
--- /dev/null
+++ b/app/api/webhooks/parsers/quay.ts
@@ -0,0 +1,30 @@
+import {
+  asNonEmptyString,
+  asRecord,
+  asStringArray,
+  extractImageFromRepositoryUrl,
+  uniqStrings,
+} from './shared.js';
+import type { RegistryWebhookReference } from './types.js';
+
+export function parseQuayWebhookPayload(payload: unknown): RegistryWebhookReference[] {
+  const root = asRecord(payload);
+  if (!root) {
+    return [];
+  }
+
+  const tags = uniqStrings(asStringArray(root.updated_tags));
+  if (tags.length === 0) {
+    return [];
+  }
+
+  const image =
+    asNonEmptyString(root.repository) ||
+    extractImageFromRepositoryUrl(root.docker_url) ||
+    extractImageFromRepositoryUrl(root.homepage);
+  if (!image) {
+    return [];
+  }
+
+  return tags.map((tag) => ({ image, tag }));
+}
diff --git a/app/api/webhooks/parsers/shared.test.ts b/app/api/webhooks/parsers/shared.test.ts
new file mode 100644
index 000000000..e902b9fac
--- /dev/null
+++ b/app/api/webhooks/parsers/shared.test.ts
@@ -0,0 +1,44 @@
+import { describe, expect, test } from 'vitest';
+import { extractImageFromRepositoryUrl, splitSubjectImageAndTag, toEventList } from './shared.js';
+
+describe('api/webhooks/parsers/shared', () => {
+  describe('toEventList', () => {
+    test('returns one-entry list for a single object payload', () => {
+      const event = { eventType: 'push' };
+      expect(toEventList(event)).toStrictEqual([event]);
+    });
+
+    test('returns only object entries for array payloads', () => {
+      const event = { eventType: 'push' };
+      expect(toEventList([null, event, 'bad', 3])).toStrictEqual([event]);
+    });
+
+    test('returns empty list for non-object non-array payloads', () => {
+      expect(toEventList('nope')).toStrictEqual([]);
+    });
+  });
+
+  describe('extractImageFromRepositoryUrl', () => {
+    test('returns undefined for empty-like input', () => {
+      expect(extractImageFromRepositoryUrl(undefined)).toBeUndefined();
+      expect(extractImageFromRepositoryUrl('   ')).toBeUndefined();
+    });
+
+    test('returns undefined when URL path is empty', () => {
+      expect(extractImageFromRepositoryUrl('https://')).toBeUndefined();
+      expect(extractImageFromRepositoryUrl('http://')).toBeUndefined();
+    });
+  });
+
+  describe('splitSubjectImageAndTag', () => {
+    test('returns undefined for blank subject values', () => {
+      expect(splitSubjectImageAndTag('   ')).toBeUndefined();
+      expect(splitSubjectImageAndTag(undefined)).toBeUndefined();
+    });
+
+    test('returns undefined when image or tag segment is empty after trimming', () => {
+      expect(splitSubjectImageAndTag('repository/image:   ')).toBeUndefined();
+      expect(splitSubjectImageAndTag('   :latest')).toBeUndefined();
+    });
+  });
+});
diff --git a/app/api/webhooks/parsers/shared.ts b/app/api/webhooks/parsers/shared.ts
new file mode 100644
index 000000000..99f8368e2
--- /dev/null
+++ b/app/api/webhooks/parsers/shared.ts
@@ -0,0 +1,74 @@
+export function asRecord(value: unknown): Record<string, unknown> | undefined {
+  if (!value || typeof value !== 'object' || Array.isArray(value)) {
+    return undefined;
+  }
+  return value as Record<string, unknown>;
+}
+
+export function toEventList(payload: unknown): Record<string, unknown>[] {
+  if (Array.isArray(payload)) {
+    return payload
+      .filter((entry) => entry && typeof entry === 'object')
+      .map((entry) => entry as Record<string, unknown>);
+  }
+
+  const record = asRecord(payload);
+  return record ? [record] : [];
+}
+
+export function asNonEmptyString(value: unknown): string | undefined {
+  if (typeof value !== 'string') {
+    return undefined;
+  }
+  const trimmed = value.trim();
+  return trimmed === '' ? undefined : trimmed;
+}
+
+export function asStringArray(value: unknown): string[] {
+  if (!Array.isArray(value)) {
+    return [];
+  }
+  return value
+    .map((entry) => asNonEmptyString(entry))
+    .filter((entry): entry is string => entry !== undefined);
+}
+
+export function uniqStrings(values: string[]): string[] {
+  return Array.from(new Set(values));
+}
+
+export function extractImageFromRepositoryUrl(value: unknown): string | undefined {
+  const raw = asNonEmptyString(value);
+  if (!raw) {
+    return undefined;
+  }
+
+  const withoutScheme = raw.replace(/^https?:\/\//i, '');
+  const slashIndex = withoutScheme.indexOf('/');
+  const path = slashIndex >= 0 ? withoutScheme.slice(slashIndex + 1) : withoutScheme;
+  if (path === '') {
+    return undefined;
+  }
+
+  const imageWithoutTag = path.includes(':') ? path.slice(0, path.lastIndexOf(':')) : path;
+  return asNonEmptyString(imageWithoutTag);
+}
+
+export function splitSubjectImageAndTag(
+  subject: unknown,
+): { image?: string; tag?: string } | undefined {
+  const raw = asNonEmptyString(subject);
+  if (!raw) {
+    return undefined;
+  }
+
+  const separatorIndex = raw.lastIndexOf(':');
+  if (separatorIndex <= 0 || separatorIndex >= raw.length - 1) {
+    return undefined;
+  }
+
+  const image = raw.slice(0, separatorIndex).trim();
+  const tag = raw.slice(separatorIndex + 1).trim();
+
+  return { image, tag };
+}
diff --git a/app/api/webhooks/parsers/types.ts b/app/api/webhooks/parsers/types.ts
new file mode 100644
index 000000000..4f197e60a
--- /dev/null
+++ b/app/api/webhooks/parsers/types.ts
@@ -0,0 +1,9 @@
+export interface RegistryWebhookReference {
+  image: string;
+  tag: string;
+}
+
+export interface RegistryWebhookParseResult {
+  provider: 'dockerhub' | 'ghcr' | 'harbor' | 'quay' | 'acr' | 'ecr';
+  references: RegistryWebhookReference[];
+}
diff --git a/app/api/webhooks/payload-bounds.test.ts b/app/api/webhooks/payload-bounds.test.ts
new file mode 100644
index 000000000..c202df7b0
--- /dev/null
+++ b/app/api/webhooks/payload-bounds.test.ts
@@ -0,0 +1,206 @@
+import { describe, expect, test } from 'vitest';
+import { parseRegistryWebhookPayload } from './parsers/index.js';
+
+/**
+ * Payload bounds tests — verify webhook parsers and middleware behave
+ * safely under adversarial inputs (DoS prevention).
+ */
+
+/** Build a deeply nested object: { a: { a: { a: ... } } } */
+function buildDeeplyNested(depth: number): Record<string, unknown> {
+  let current: Record<string, unknown> = { leaf: true };
+  for (let i = 0; i < depth; i += 1) {
+    current = { a: current };
+  }
+  return current;
+}
+
+/** Build an object with many top-level keys. */
+function buildWideObject(keyCount: number): Record<string, unknown> {
+  const obj: Record<string, unknown> = {};
+  for (let i = 0; i < keyCount; i += 1) {
+    obj[`key_${i}`] = `value_${i}`;
+  }
+  return obj;
+}
+
+describe('webhook payload bounds (DoS prevention)', () => {
+  describe('deeply nested payloads', () => {
+    test('parsers return empty for deeply nested object (100 levels)', () => {
+      const payload = buildDeeplyNested(100);
+      const result = parseRegistryWebhookPayload(payload);
+      expect(result).toBeUndefined();
+    });
+
+    test('parsers return empty for deeply nested object (1000 levels)', () => {
+      const payload = buildDeeplyNested(1_000);
+      const result = parseRegistryWebhookPayload(payload);
+      expect(result).toBeUndefined();
+    });
+
+    test('parsers return empty for deeply nested object (10000 levels)', () => {
+      const payload = buildDeeplyNested(10_000);
+      const result = parseRegistryWebhookPayload(payload);
+      expect(result).toBeUndefined();
+    });
+
+    test('nested payload with valid structure at depth still parses correctly', () => {
+      const payload = {
+        a: { b: { c: buildDeeplyNested(500) } },
+        repository: { repo_name: 'org/image' },
+        push_data: { tag: 'latest' },
+      };
+      const result = parseRegistryWebhookPayload(payload);
+      expect(result).toStrictEqual({
+        provider: 'dockerhub',
+        references: [{ image: 'org/image', tag: 'latest' }],
+      });
+    });
+  });
+
+  describe('wide payloads (many keys)', () => {
+    test('parsers return empty for object with 10000 keys', () => {
+      const payload = buildWideObject(10_000);
+      const result = parseRegistryWebhookPayload(payload);
+      expect(result).toBeUndefined();
+    });
+
+    test('parsers return empty for object with 100000 keys', () => {
+      const payload = buildWideObject(100_000);
+      const result = parseRegistryWebhookPayload(payload);
+      expect(result).toBeUndefined();
+    });
+
+    test('valid payload with extra keys still parses correctly', () => {
+      const payload = {
+        ...buildWideObject(5_000),
+        repository: { repo_name: 'org/image' },
+        push_data: { tag: 'v1.0' },
+      };
+      const result = parseRegistryWebhookPayload(payload);
+      expect(result).toStrictEqual({
+        provider: 'dockerhub',
+        references: [{ image: 'org/image', tag: 'v1.0' }],
+      });
+    });
+  });
+
+  describe('oversized string values', () => {
+    test('parsers return empty when repo_name is a megabyte string', () => {
+      const payload = {
+        repository: { repo_name: 'x'.repeat(1_000_000) },
+        push_data: { tag: 'latest' },
+      };
+      const result = parseRegistryWebhookPayload(payload);
+      // Parses but the image name is just a huge string — no crash
+      expect(result).toBeDefined();
+      expect(result?.references[0].image).toHaveLength(1_000_000);
+    });
+
+    test('parsers return empty for non-string oversized values', () => {
+      const payload = {
+        repository: { repo_name: 42 },
+        push_data: { tag: 'latest' },
+      };
+      const result = parseRegistryWebhookPayload(payload);
+      expect(result).toBeUndefined();
+    });
+  });
+
+  describe('array-based parser bounds (ACR, ECR, Harbor)', () => {
+    test('ACR parser handles array with 10000 non-matching events without hanging', () => {
+      const payload = Array.from({ length: 10_000 }, (_, i) => ({
+        eventType: 'Microsoft.ContainerRegistry.ImageDeleted',
+        subject: `repo/image:tag-${i}`,
+        data: { target: { repository: 'repo', tag: `tag-${i}` } },
+      }));
+      const result = parseRegistryWebhookPayload(payload);
+      expect(result).toBeUndefined();
+    });
+
+    test('ACR parser handles array with 10000 matching events', () => {
+      const payload = Array.from({ length: 10_000 }, (_, i) => ({
+        eventType: 'Microsoft.ContainerRegistry.ImagePushed',
+        subject: `repo/image:tag-${i}`,
+        data: { target: { repository: 'myrepo', tag: `tag-${i}` } },
+      }));
+      const result = parseRegistryWebhookPayload(payload);
+      expect(result?.provider).toBe('acr');
+      expect(result?.references).toHaveLength(10_000);
+    });
+
+    test('Harbor parser handles resources array with 10000 entries', () => {
+      const payload = {
+        event_data: {
+          repository: { repo_full_name: 'project/image' },
+          resources: Array.from({ length: 10_000 }, (_, i) => ({
+            tag: `tag-${i}`,
+          })),
+        },
+      };
+      const result = parseRegistryWebhookPayload(payload);
+      expect(result?.provider).toBe('harbor');
+      expect(result?.references).toHaveLength(10_000);
+    });
+  });
+
+  describe('malformed payloads', () => {
+    test('null payload returns undefined', () => {
+      expect(parseRegistryWebhookPayload(null)).toBeUndefined();
+    });
+
+    test('numeric payload returns undefined', () => {
+      expect(parseRegistryWebhookPayload(42)).toBeUndefined();
+    });
+
+    test('boolean payload returns undefined', () => {
+      expect(parseRegistryWebhookPayload(true)).toBeUndefined();
+    });
+
+    test('empty string payload returns undefined', () => {
+      expect(parseRegistryWebhookPayload('')).toBeUndefined();
+    });
+
+    test('array of primitives returns undefined', () => {
+      expect(parseRegistryWebhookPayload([1, 2, 3])).toBeUndefined();
+    });
+
+    test('empty array returns undefined', () => {
+      expect(parseRegistryWebhookPayload([])).toBeUndefined();
+    });
+
+    test('empty object returns undefined', () => {
+      expect(parseRegistryWebhookPayload({})).toBeUndefined();
+    });
+
+    test('payload with circular-like repeated references does not crash', () => {
+      const shared = { nested: { deep: { value: 'test' } } };
+      const payload = {
+        a: shared,
+        b: shared,
+        c: shared,
+        repository: shared,
+        push_data: shared,
+      };
+      const result = parseRegistryWebhookPayload(payload);
+      expect(result).toBeUndefined();
+    });
+  });
+
+  describe('express.json() payload size limit', () => {
+    test('configured limit is 256kb', async () => {
+      // Verify the limit constant is set by importing the module and checking
+      // the express.json() call. Since we cannot easily test the middleware
+      // in isolation, this test documents the expected behavior:
+      // - Payloads <= 256kb are accepted by express.json()
+      // - Payloads > 256kb receive a 413 Payload Too Large response
+      //
+      // The actual enforcement is handled by Express body-parser internals.
+      // Integration/E2E tests verify this end-to-end.
+      const apiSource = await import('node:fs').then((fs) =>
+        fs.readFileSync(new URL('../api.ts', import.meta.url), 'utf8'),
+      );
+      expect(apiSource).toContain("limit: '256kb'");
+    });
+  });
+});
diff --git a/app/api/webhooks/registry-dispatch.test.ts b/app/api/webhooks/registry-dispatch.test.ts
new file mode 100644
index 000000000..6879fe56f
--- /dev/null
+++ b/app/api/webhooks/registry-dispatch.test.ts
@@ -0,0 +1,296 @@
+import { sanitizeLogParam } from '../../log/sanitize.js';
+
+const { mockLogWarn } = vi.hoisted(() => ({
+  mockLogWarn: vi.fn(),
+}));
+
+vi.mock('../../log/index.js', () => ({
+  default: {
+    child: () => ({
+      warn: mockLogWarn,
+    }),
+  },
+}));
+
+import {
+  findContainersForImageReferences,
+  runRegistryWebhookDispatch,
+} from './registry-dispatch.js';
+
+function createContainer(overrides: Record<string, unknown> = {}) {
+  return {
+    id: 'c1',
+    name: 'service',
+    watcher: 'local',
+    image: {
+      registry: {
+        url: 'https://registry-1.docker.io/v2',
+      },
+      name: 'library/nginx',
+      tag: {
+        value: '1.25.0',
+      },
+    },
+    ...overrides,
+  };
+}
+
+describe('findContainersForImageReferences', () => {
+  test('matches containers by normalized image repository across registry aliases', () => {
+    const containers = [
+      createContainer({
+        id: 'hub-container',
+        image: {
+          registry: {
+            url: 'https://registry-1.docker.io/v2',
+          },
+          name: 'library/nginx',
+          tag: {
+            value: '1.25.0',
+          },
+        },
+      }),
+      createContainer({
+        id: 'ghcr-container',
+        image: {
+          registry: {
+            url: 'https://ghcr.io',
+          },
+          name: 'codeswhat/drydock',
+          tag: {
+            value: '1.4.0',
+          },
+        },
+      }),
+    ];
+
+    const matches = findContainersForImageReferences(containers as any, [
+      { image: 'nginx', tag: 'latest' },
+      { image: 'ghcr.io/codeswhat/drydock', tag: '1.5.0' },
+    ]);
+
+    expect(matches.map((container) => container.id)).toStrictEqual([
+      'hub-container',
+      'ghcr-container',
+    ]);
+  });
+
+  test('de-duplicates containers when multiple references match the same image', () => {
+    const containers = [
+      createContainer({
+        id: 'hub-container',
+      }),
+    ];
+
+    const matches = findContainersForImageReferences(containers as any, [
+      { image: 'docker.io/library/nginx', tag: '1.25.0' },
+      { image: 'registry-1.docker.io/library/nginx', tag: 'latest' },
+    ]);
+
+    expect(matches).toHaveLength(1);
+    expect(matches[0].id).toBe('hub-container');
+  });
+
+  test('returns empty matches when either side has no candidates', () => {
+    expect(
+      findContainersForImageReferences([] as any, [{ image: 'nginx', tag: 'latest' }]),
+    ).toEqual([]);
+    expect(findContainersForImageReferences([createContainer() as any], [])).toEqual([]);
+  });
+
+  test('handles malformed or non-string registry hosts and still matches by image name', () => {
+    const containers = [
+      createContainer({
+        id: 'malformed-registry',
+        image: {
+          registry: {
+            url: 'https://[broken-host',
+          },
+          name: 'library/nginx',
+          tag: { value: 'latest' },
+        },
+      }),
+      createContainer({
+        id: 'missing-name',
+        image: {
+          registry: {
+            url: 42,
+          },
+          tag: { value: 'latest' },
+        },
+      }),
+    ];
+
+    const matches = findContainersForImageReferences(containers as any, [
+      { image: 'docker.io/library/nginx', tag: 'latest' },
+    ]);
+
+    expect(matches.map((container) => container.id)).toStrictEqual(['malformed-registry']);
+  });
+
+  test('normalizes bare registry hosts when protocol is missing', () => {
+    const containers = [
+      createContainer({
+        id: 'bare-host',
+        image: {
+          registry: {
+            url: 'registry-1.docker.io',
+          },
+          name: 'library/nginx',
+          tag: { value: 'latest' },
+        },
+      }),
+    ];
+
+    const matches = findContainersForImageReferences(containers as any, [
+      { image: 'docker.io/library/nginx', tag: 'latest' },
+    ]);
+
+    expect(matches.map((container) => container.id)).toStrictEqual(['bare-host']);
+  });
+
+  test('handles registry host fallback branches for unusual URL inputs', () => {
+    const containers = [
+      createContainer({
+        id: 'file-url-host-fallback',
+        image: {
+          registry: {
+            url: 'file:///tmp',
+          },
+          name: 'library/nginx',
+          tag: { value: 'latest' },
+        },
+      }),
+      createContainer({
+        id: 'slash-host-fallback',
+        image: {
+          registry: {
+            url: 'https:///',
+          },
+          name: 'library/nginx',
+          tag: { value: 'latest' },
+        },
+      }),
+    ];
+
+    const matches = findContainersForImageReferences(containers as any, [
+      { image: 'library/nginx', tag: 'latest' },
+    ]);
+
+    expect(matches.map((container) => container.id)).toStrictEqual([
+      'file-url-host-fallback',
+      'slash-host-fallback',
+    ]);
+  });
+});
+
+describe('runRegistryWebhookDispatch', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  test('triggers immediate checks and marks fresh containers for scheduled poll skip', async () => {
+    const containerOne = createContainer({ id: 'one', watcher: 'local' });
+    const containerTwo = createContainer({
+      id: 'two',
+      watcher: 'edge',
+      agent: 'agent-1',
+      image: {
+        registry: {
+          url: 'https://ghcr.io',
+        },
+        name: 'codeswhat/drydock',
+        tag: {
+          value: '1.4.0',
+        },
+      },
+    });
+
+    const watcherLocal = {
+      watchContainer: vi.fn().mockResolvedValue(undefined),
+    };
+    const watcherAgent = {
+      watchContainer: vi.fn().mockRejectedValue(new Error('watch failed')),
+    };
+    const markFresh = vi.fn();
+
+    const result = await runRegistryWebhookDispatch({
+      references: [
+        { image: 'library/nginx', tag: 'latest' },
+        { image: 'ghcr.io/codeswhat/drydock', tag: '1.5.0' },
+      ],
+      containers: [containerOne as any, containerTwo as any],
+      watchers: {
+        'docker.local': watcherLocal as any,
+        'agent-1.docker.edge': watcherAgent as any,
+      },
+      markContainerFresh: markFresh,
+    });
+
+    expect(watcherLocal.watchContainer).toHaveBeenCalledWith(containerOne);
+    expect(watcherAgent.watchContainer).toHaveBeenCalledWith(containerTwo);
+    expect(markFresh).toHaveBeenCalledTimes(1);
+    expect(markFresh).toHaveBeenCalledWith('one');
+
+    expect(result).toStrictEqual({
+      referencesMatched: 2,
+      containersMatched: 2,
+      checksTriggered: 1,
+      checksFailed: 1,
+      watchersMissing: 0,
+    });
+  });
+
+  test('counts missing watchers without attempting checks', async () => {
+    const container = createContainer({ id: 'one', watcher: 'local' });
+
+    const result = await runRegistryWebhookDispatch({
+      references: [{ image: 'library/nginx', tag: 'latest' }],
+      containers: [container as any],
+      watchers: {},
+      markContainerFresh: vi.fn(),
+    });
+
+    expect(result).toStrictEqual({
+      referencesMatched: 1,
+      containersMatched: 1,
+      checksTriggered: 0,
+      checksFailed: 0,
+      watchersMissing: 1,
+    });
+  });
+
+  test('logs details when triggering an immediate check fails', async () => {
+    const container = createContainer({
+      id: 'one\nid',
+      watcher: 'local\nwatcher',
+    });
+    const markFresh = vi.fn();
+    const rawErrorMessage = 'daemon offline\nfatal';
+    const watcher = {
+      watchContainer: vi.fn().mockRejectedValue(new Error(rawErrorMessage)),
+    };
+    const watcherId = `docker.${container.watcher}`;
+
+    const result = await runRegistryWebhookDispatch({
+      references: [{ image: 'library/nginx', tag: 'latest' }],
+      containers: [container as any],
+      watchers: {
+        [watcherId]: watcher as any,
+      },
+      markContainerFresh: markFresh,
+    });
+
+    expect(result).toStrictEqual({
+      referencesMatched: 1,
+      containersMatched: 1,
+      checksTriggered: 0,
+      checksFailed: 1,
+      watchersMissing: 0,
+    });
+    expect(markFresh).not.toHaveBeenCalled();
+    expect(mockLogWarn).toHaveBeenCalledWith(
+      `Error triggering immediate registry webhook check for container ${sanitizeLogParam(container.id)} via watcher ${sanitizeLogParam(watcherId)} (${sanitizeLogParam(rawErrorMessage)})`,
+    );
+  });
+});
diff --git a/app/api/webhooks/registry-dispatch.ts b/app/api/webhooks/registry-dispatch.ts
new file mode 100644
index 000000000..273e775a9
--- /dev/null
+++ b/app/api/webhooks/registry-dispatch.ts
@@ -0,0 +1,167 @@
+import logger from '../../log/index.js';
+import { sanitizeLogParam } from '../../log/sanitize.js';
+import type { Container } from '../../model/container.js';
+import { getErrorMessage } from '../../util/error.js';
+import { getImageReferenceCandidatesFromPattern } from '../../watchers/providers/docker/docker-helpers.js';
+import type { RegistryWebhookReference } from './parsers/types.js';
+
+interface RegistryWebhookWatcher {
+  watchContainer: (container: Container) => Promise<unknown>;
+}
+
+export interface RegistryWebhookDispatchResult {
+  referencesMatched: number;
+  containersMatched: number;
+  checksTriggered: number;
+  checksFailed: number;
+  watchersMissing: number;
+}
+
+interface RunRegistryWebhookDispatchInput {
+  references: RegistryWebhookReference[];
+  containers: Container[];
+  watchers: Record<string, RegistryWebhookWatcher>;
+  markContainerFresh: (containerId: string) => void;
+}
+
+const log = logger.child({ component: 'api.webhooks.registry-dispatch' });
+
+function normalizeHost(value: unknown): string | undefined {
+  if (typeof value !== 'string' || value.trim() === '') {
+    return undefined;
+  }
+
+  const raw = value.trim().toLowerCase();
+  let host = raw;
+
+  try {
+    const parsed = raw.includes('://') ? new URL(raw) : new URL(`https://${raw}`);
+    /* v8 ignore next -- URL parsing always yields hostname/host for valid URL inputs */
+    host = parsed.hostname || parsed.host || host;
+  } catch {
+    const withoutScheme = raw.replace(/^https?:\/\//, '');
+    /* v8 ignore next -- split fallback only applies to degenerate malformed inputs */
+    host = withoutScheme.split('/')[0] || withoutScheme;
+  }
+
+  if (host === 'registry-1.docker.io' || host === 'index.docker.io') {
+    return 'docker.io';
+  }
+  return host;
+}
+
+function getContainerImageCandidates(container: Container): Set<string> {
+  const candidates = new Set<string>();
+  const imageName = typeof container.image?.name === 'string' ? container.image.name : '';
+  const registryUrl = normalizeHost(container.image?.registry?.url);
+
+  if (imageName) {
+    for (const candidate of getImageReferenceCandidatesFromPattern(imageName)) {
+      candidates.add(candidate.toLowerCase());
+    }
+  }
+
+  if (imageName && registryUrl) {
+    for (const candidate of getImageReferenceCandidatesFromPattern(`${registryUrl}/${imageName}`)) {
+      candidates.add(candidate.toLowerCase());
+    }
+  }
+
+  return candidates;
+}
+
+function getReferenceCandidates(reference: RegistryWebhookReference): Set<string> {
+  return new Set(
+    getImageReferenceCandidatesFromPattern(reference.image).map((candidate) =>
+      candidate.toLowerCase(),
+    ),
+  );
+}
+
+function hasCandidateIntersection(left: Set<string>, right: Set<string>): boolean {
+  for (const value of left.values()) {
+    if (right.has(value)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+export function findContainersForImageReferences(
+  containers: Container[],
+  references: RegistryWebhookReference[],
+): Container[] {
+  if (containers.length === 0 || references.length === 0) {
+    return [];
+  }
+
+  const referencesCandidates = references.map((reference) => getReferenceCandidates(reference));
+  const matchedContainers = new Map<string, Container>();
+
+  for (const container of containers) {
+    const containerCandidates = getContainerImageCandidates(container);
+    const isMatch = referencesCandidates.some((referenceCandidates) =>
+      hasCandidateIntersection(containerCandidates, referenceCandidates),
+    );
+    if (isMatch) {
+      matchedContainers.set(container.id, container);
+    }
+  }
+
+  return Array.from(matchedContainers.values());
+}
+
+function resolveWatcherIdForContainer(container: Container): string {
+  let watcherId = `docker.${container.watcher}`;
+  if (container.agent) {
+    watcherId = `${container.agent}.${watcherId}`;
+  }
+  return watcherId;
+}
+
+export async function runRegistryWebhookDispatch({
+  references,
+  containers,
+  watchers,
+  markContainerFresh,
+}: RunRegistryWebhookDispatchInput): Promise<RegistryWebhookDispatchResult> {
+  const matchingContainers = findContainersForImageReferences(containers, references);
+
+  let checksTriggered = 0;
+  let checksFailed = 0;
+  let watchersMissing = 0;
+
+  await Promise.all(
+    matchingContainers.map(async (container) => {
+      const watcherId = resolveWatcherIdForContainer(container);
+      const watcher = watchers[watcherId];
+      if (!watcher || typeof watcher.watchContainer !== 'function') {
+        watchersMissing += 1;
+        return;
+      }
+
+      try {
+        await watcher.watchContainer(container);
+        checksTriggered += 1;
+        markContainerFresh(container.id);
+      } catch (error) {
+        checksFailed += 1;
+        log.warn(
+          `Error triggering immediate registry webhook check for container ${sanitizeLogParam(
+            container.id,
+          )} via watcher ${sanitizeLogParam(watcherId)} (${sanitizeLogParam(
+            getErrorMessage(error),
+          )})`,
+        );
+      }
+    }),
+  );
+
+  return {
+    referencesMatched: references.length,
+    containersMatched: matchingContainers.length,
+    checksTriggered,
+    checksFailed,
+    watchersMissing,
+  };
+}
diff --git a/app/api/webhooks/registry.e2e.test.ts b/app/api/webhooks/registry.e2e.test.ts
new file mode 100644
index 000000000..b838e1a1d
--- /dev/null
+++ b/app/api/webhooks/registry.e2e.test.ts
@@ -0,0 +1,116 @@
+import { createHmac } from 'node:crypto';
+import type { AddressInfo } from 'node:net';
+import express from 'express';
+import * as configuration from '../../configuration/index.js';
+import * as registry from '../../registry/index.js';
+import * as storeContainer from '../../store/container.js';
+import {
+  _resetRegistryWebhookFreshStateForTests,
+  consumeFreshContainerScheduledPollSkip,
+} from '../../watchers/registry-webhook-fresh.js';
+import * as registryWebhookRouter from './registry.js';
+
+function signPayload(payload: string, secret: string): string {
+  return `sha256=${createHmac('sha256', secret).update(payload).digest('hex')}`;
+}
+
+describe('api/webhooks/registry E2E', () => {
+  beforeEach(() => {
+    vi.restoreAllMocks();
+    _resetRegistryWebhookFreshStateForTests();
+  });
+
+  test('accepts a signed Docker Hub webhook and marks the matching container fresh', async () => {
+    const secret = 'webhook-secret';
+    const payload = JSON.stringify({
+      repository: { repo_name: 'library/nginx' },
+      push_data: { tag: 'latest' },
+    });
+
+    vi.spyOn(configuration, 'getWebhookConfiguration').mockReturnValue({
+      enabled: true,
+      secret,
+      token: '',
+      tokens: {
+        watchall: '',
+        watch: '',
+        update: '',
+      },
+    });
+
+    const watchContainer = vi.fn().mockResolvedValue(undefined);
+    vi.spyOn(storeContainer, 'getContainers').mockReturnValue([
+      {
+        id: 'container-1',
+        watcher: 'local',
+        image: {
+          name: 'library/nginx',
+          registry: { url: 'https://registry-1.docker.io' },
+        },
+      } as any,
+    ]);
+    vi.spyOn(registry, 'getState').mockReturnValue({
+      watcher: {
+        'docker.local': {
+          watchContainer,
+        },
+      },
+    } as any);
+
+    const app = express();
+    app.use(
+      express.json({
+        limit: '256kb',
+        verify: (req, _res, buffer) => {
+          (req as { rawBody?: Buffer }).rawBody = Buffer.from(buffer);
+        },
+      }),
+    );
+    app.use('/api/webhooks/registry', registryWebhookRouter.init());
+
+    const server = await new Promise<ReturnType<typeof app.listen>>((resolve) => {
+      const startedServer = app.listen(0, () => resolve(startedServer));
+    });
+
+    try {
+      const address = server.address() as AddressInfo;
+      const response = await fetch(`http://127.0.0.1:${address.port}/api/webhooks/registry`, {
+        method: 'POST',
+        headers: {
+          'content-type': 'application/json',
+          'x-hub-signature-256': signPayload(payload, secret),
+        },
+        body: payload,
+      });
+
+      expect(response.status).toBe(202);
+      await expect(response.json()).resolves.toEqual({
+        message: 'Registry webhook processed',
+        result: {
+          provider: 'dockerhub',
+          referencesMatched: 1,
+          containersMatched: 1,
+          checksTriggered: 1,
+          checksFailed: 0,
+          watchersMissing: 0,
+        },
+      });
+      expect(watchContainer).toHaveBeenCalledWith(
+        expect.objectContaining({
+          id: 'container-1',
+        }),
+      );
+      expect(consumeFreshContainerScheduledPollSkip('container-1')).toBe(true);
+    } finally {
+      await new Promise<void>((resolve, reject) => {
+        server.close((error?: Error) => {
+          if (error) {
+            reject(error);
+            return;
+          }
+          resolve();
+        });
+      });
+    }
+  });
+});
diff --git a/app/api/webhooks/registry.test.ts b/app/api/webhooks/registry.test.ts
new file mode 100644
index 000000000..be152dbfa
--- /dev/null
+++ b/app/api/webhooks/registry.test.ts
@@ -0,0 +1,316 @@
+import { createMockRequest, createMockResponse } from '../../test/helpers.js';
+
+const {
+  mockRouter,
+  mockGetWebhookConfiguration,
+  mockVerifyRegistryWebhookSignature,
+  mockParseRegistryWebhookPayload,
+  mockRunRegistryWebhookDispatch,
+  mockGetContainers,
+  mockGetState,
+} = vi.hoisted(() => ({
+  mockRouter: {
+    use: vi.fn(),
+    post: vi.fn(),
+  },
+  mockGetWebhookConfiguration: vi.fn(() => ({
+    enabled: true,
+    secret: 'webhook-secret',
+    token: '',
+    tokens: {
+      watchall: '',
+      watch: '',
+      update: '',
+    },
+  })),
+  mockVerifyRegistryWebhookSignature: vi.fn(() => ({ valid: true })),
+  mockParseRegistryWebhookPayload: vi.fn(() => ({
+    provider: 'dockerhub',
+    references: [{ image: 'library/nginx', tag: 'latest' }],
+  })),
+  mockRunRegistryWebhookDispatch: vi.fn(() =>
+    Promise.resolve({
+      referencesMatched: 1,
+      containersMatched: 1,
+      checksTriggered: 1,
+      checksFailed: 0,
+      watchersMissing: 0,
+    }),
+  ),
+  mockGetContainers: vi.fn(() => [
+    { id: 'c1', watcher: 'local', image: { name: 'library/nginx' } },
+  ]),
+  mockGetState: vi.fn(() => ({
+    watcher: {
+      'docker.local': {
+        watchContainer: vi.fn().mockResolvedValue(undefined),
+      },
+    },
+    trigger: {},
+  })),
+}));
+
+vi.mock('express', () => ({
+  default: {
+    Router: vi.fn(() => mockRouter),
+  },
+}));
+
+vi.mock('express-rate-limit', () => ({
+  default: vi.fn(() => 'rate-limit-middleware'),
+}));
+
+vi.mock('nocache', () => ({
+  default: vi.fn(() => 'nocache-middleware'),
+}));
+
+vi.mock('../../configuration/index.js', () => ({
+  getWebhookConfiguration: mockGetWebhookConfiguration,
+}));
+
+vi.mock('./signature.js', () => ({
+  verifyRegistryWebhookSignature: mockVerifyRegistryWebhookSignature,
+}));
+
+vi.mock('./parsers/index.js', () => ({
+  parseRegistryWebhookPayload: mockParseRegistryWebhookPayload,
+}));
+
+vi.mock('./registry-dispatch.js', () => ({
+  runRegistryWebhookDispatch: mockRunRegistryWebhookDispatch,
+}));
+
+vi.mock('../../store/container.js', () => ({
+  getContainers: mockGetContainers,
+}));
+
+vi.mock('../../registry/index.js', () => ({
+  getState: mockGetState,
+}));
+
+vi.mock('../../watchers/registry-webhook-fresh.js', () => ({
+  markContainerFreshForScheduledPollSkip: vi.fn(),
+}));
+
+vi.mock('../../log/index.js', () => ({
+  default: {
+    child: () => ({ info: vi.fn(), warn: vi.fn(), debug: vi.fn(), error: vi.fn() }),
+  },
+}));
+
+import { markContainerFreshForScheduledPollSkip } from '../../watchers/registry-webhook-fresh.js';
+import * as registryWebhookRouter from './registry.js';
+
+function getHandler() {
+  registryWebhookRouter.init();
+  const postCall = mockRouter.post.mock.calls.find((call) => call[0] === '/');
+  return postCall?.[1];
+}
+
+describe('api/webhooks/registry', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    mockGetWebhookConfiguration.mockReturnValue({
+      enabled: true,
+      secret: 'webhook-secret',
+      token: '',
+      tokens: {
+        watchall: '',
+        watch: '',
+        update: '',
+      },
+    });
+    mockVerifyRegistryWebhookSignature.mockReturnValue({ valid: true });
+    mockParseRegistryWebhookPayload.mockReturnValue({
+      provider: 'dockerhub',
+      references: [{ image: 'library/nginx', tag: 'latest' }],
+    });
+    mockRunRegistryWebhookDispatch.mockResolvedValue({
+      referencesMatched: 1,
+      containersMatched: 1,
+      checksTriggered: 1,
+      checksFailed: 0,
+      watchersMissing: 0,
+    });
+  });
+
+  test('registers middleware and POST route', () => {
+    registryWebhookRouter.init();
+
+    expect(mockRouter.use).toHaveBeenCalledWith('rate-limit-middleware');
+    expect(mockRouter.use).toHaveBeenCalledWith('nocache-middleware');
+    expect(mockRouter.post).toHaveBeenCalledWith('/', expect.any(Function));
+  });
+
+  test('returns 403 when registry webhooks are disabled', async () => {
+    mockGetWebhookConfiguration.mockReturnValue({
+      enabled: false,
+      secret: 'webhook-secret',
+      token: '',
+      tokens: { watchall: '', watch: '', update: '' },
+    });
+    const handler = getHandler();
+    const req = createMockRequest({ body: {}, headers: {} });
+    const res = createMockResponse();
+
+    await handler(req as any, res as any);
+
+    expect(res.status).toHaveBeenCalledWith(403);
+    expect(res.json).toHaveBeenCalledWith({ error: 'Registry webhooks are disabled' });
+  });
+
+  test('returns 500 when webhook secret is missing', async () => {
+    mockGetWebhookConfiguration.mockReturnValue({
+      enabled: true,
+      secret: '',
+      token: '',
+      tokens: { watchall: '', watch: '', update: '' },
+    });
+    const handler = getHandler();
+    const req = createMockRequest({ body: {}, headers: {} });
+    const res = createMockResponse();
+
+    await handler(req as any, res as any);
+
+    expect(res.status).toHaveBeenCalledWith(500);
+    expect(res.json).toHaveBeenCalledWith({ error: 'Registry webhook secret is not configured' });
+  });
+
+  test('returns 401 when signature verification fails', async () => {
+    mockVerifyRegistryWebhookSignature.mockReturnValue({
+      valid: false,
+      reason: 'invalid-signature',
+    });
+    const handler = getHandler();
+    const req = createMockRequest({
+      body: {},
+      headers: {
+        'x-hub-signature-256': 'sha256=bad',
+      },
+    });
+    const res = createMockResponse();
+
+    await handler(req as any, res as any);
+
+    expect(res.status).toHaveBeenCalledWith(401);
+    expect(res.json).toHaveBeenCalledWith({ error: 'Invalid registry webhook signature' });
+  });
+
+  test('returns 401 when registry webhook signature is missing', async () => {
+    mockVerifyRegistryWebhookSignature.mockReturnValue({
+      valid: false,
+      reason: 'missing-signature',
+    });
+    const handler = getHandler();
+    const req = createMockRequest({
+      body: {},
+      headers: {},
+    });
+    const res = createMockResponse();
+
+    await handler(req as any, res as any);
+
+    expect(mockVerifyRegistryWebhookSignature).toHaveBeenCalledWith(
+      expect.objectContaining({
+        signature: undefined,
+      }),
+    );
+    expect(res.status).toHaveBeenCalledWith(401);
+    expect(res.json).toHaveBeenCalledWith({ error: 'Missing registry webhook signature' });
+  });
+
+  test('returns 400 when payload is not supported', async () => {
+    mockParseRegistryWebhookPayload.mockReturnValue(undefined);
+    const handler = getHandler();
+    const req = createMockRequest({
+      body: { unsupported: true },
+      headers: {
+        'x-hub-signature-256': 'sha256=test',
+      },
+      rawBody: Buffer.from('{"unsupported":true}'),
+    });
+    const res = createMockResponse();
+
+    await handler(req as any, res as any);
+
+    expect(res.status).toHaveBeenCalledWith(400);
+    expect(res.json).toHaveBeenCalledWith({ error: 'Unsupported registry webhook payload' });
+  });
+
+  test('dispatches checks and returns 202 for valid webhook payloads', async () => {
+    const handler = getHandler();
+    const req = createMockRequest({
+      body: { test: true },
+      headers: {
+        'x-hub-signature-256': 'sha256=test',
+      },
+      rawBody: Buffer.from('{"test":true}'),
+    });
+    const res = createMockResponse();
+
+    await handler(req as any, res as any);
+
+    expect(mockRunRegistryWebhookDispatch).toHaveBeenCalledWith(
+      expect.objectContaining({
+        references: [{ image: 'library/nginx', tag: 'latest' }],
+        containers: expect.any(Array),
+        watchers: expect.any(Object),
+        markContainerFresh: markContainerFreshForScheduledPollSkip,
+      }),
+    );
+    expect(res.status).toHaveBeenCalledWith(202);
+    expect(res.json).toHaveBeenCalledWith({
+      message: 'Registry webhook processed',
+      result: {
+        provider: 'dockerhub',
+        referencesMatched: 1,
+        containersMatched: 1,
+        checksTriggered: 1,
+        checksFailed: 0,
+        watchersMissing: 0,
+      },
+    });
+  });
+
+  test('extracts x-drydock-signature and uses string body when raw body is absent', async () => {
+    const handler = getHandler();
+    const req = createMockRequest({
+      body: '{"event":"push"}',
+      headers: {
+        'x-drydock-signature': 'sha256=test',
+      },
+    });
+    const res = createMockResponse();
+
+    await handler(req as any, res as any);
+
+    expect(mockVerifyRegistryWebhookSignature).toHaveBeenCalledWith(
+      expect.objectContaining({
+        signature: 'sha256=test',
+        payload: Buffer.from('{"event":"push"}'),
+      }),
+    );
+    expect(res.status).toHaveBeenCalledWith(202);
+  });
+
+  test('uses an empty object payload when both rawBody and body are missing', async () => {
+    const handler = getHandler();
+    const req = createMockRequest({
+      headers: {
+        'x-drydock-signature': 'sha256=test',
+      },
+    });
+    delete (req as any).body;
+    const res = createMockResponse();
+
+    await handler(req as any, res as any);
+
+    expect(mockVerifyRegistryWebhookSignature).toHaveBeenCalledWith(
+      expect.objectContaining({
+        signature: 'sha256=test',
+        payload: Buffer.from('{}'),
+      }),
+    );
+    expect(res.status).toHaveBeenCalledWith(202);
+  });
+});
diff --git a/app/api/webhooks/registry.ts b/app/api/webhooks/registry.ts
new file mode 100644
index 000000000..ca50e19ef
--- /dev/null
+++ b/app/api/webhooks/registry.ts
@@ -0,0 +1,113 @@
+import type { Request, Response } from 'express';
+import express from 'express';
+import rateLimit from 'express-rate-limit';
+import nocache from 'nocache';
+import { getWebhookConfiguration } from '../../configuration/index.js';
+import logger from '../../log/index.js';
+import * as registry from '../../registry/index.js';
+import * as storeContainer from '../../store/container.js';
+import { markContainerFreshForScheduledPollSkip } from '../../watchers/registry-webhook-fresh.js';
+import { sendErrorResponse } from '../error-response.js';
+import { getFirstHeaderValue } from '../header-value.js';
+import { parseRegistryWebhookPayload } from './parsers/index.js';
+import { runRegistryWebhookDispatch } from './registry-dispatch.js';
+import { verifyRegistryWebhookSignature } from './signature.js';
+
+const router = express.Router();
+const log = logger.child({ component: 'api.webhooks.registry' });
+
+const SIGNATURE_HEADERS = [
+  'x-registry-signature',
+  'x-hub-signature-256',
+  'x-quay-signature',
+  'x-harbor-signature',
+  'x-ms-signature',
+  'x-drydock-signature',
+] as const;
+
+function getRequestSignature(req: Request): string | undefined {
+  for (const headerName of SIGNATURE_HEADERS) {
+    const value = getFirstHeaderValue(req.headers[headerName]);
+    if (value) {
+      return value;
+    }
+  }
+  return undefined;
+}
+
+function getRawPayload(req: Request): Buffer {
+  const rawBody = (req as Request & { rawBody?: Buffer }).rawBody;
+  if (Buffer.isBuffer(rawBody)) {
+    return rawBody;
+  }
+  if (typeof req.body === 'string') {
+    return Buffer.from(req.body);
+  }
+  return Buffer.from(JSON.stringify(req.body ?? {}));
+}
+
+async function handleRegistryWebhook(req: Request, res: Response) {
+  const webhookConfiguration = getWebhookConfiguration();
+  if (!webhookConfiguration.enabled) {
+    sendErrorResponse(res, 403, 'Registry webhooks are disabled');
+    return;
+  }
+
+  const secret = webhookConfiguration.secret || '';
+  if (!secret) {
+    log.error('Registry webhook secret is not configured while endpoint is enabled');
+    sendErrorResponse(res, 500, 'Registry webhook secret is not configured');
+    return;
+  }
+
+  const signatureVerification = verifyRegistryWebhookSignature({
+    payload: getRawPayload(req),
+    secret,
+    signature: getRequestSignature(req),
+  });
+
+  if (!signatureVerification.valid) {
+    if (signatureVerification.reason === 'missing-signature') {
+      sendErrorResponse(res, 401, 'Missing registry webhook signature');
+      return;
+    }
+    sendErrorResponse(res, 401, 'Invalid registry webhook signature');
+    return;
+  }
+
+  const parseResult = parseRegistryWebhookPayload(req.body);
+  if (!parseResult) {
+    sendErrorResponse(res, 400, 'Unsupported registry webhook payload');
+    return;
+  }
+
+  const dispatchResult = await runRegistryWebhookDispatch({
+    references: parseResult.references,
+    containers: storeContainer.getContainers({}),
+    watchers: registry.getState().watcher,
+    markContainerFresh: markContainerFreshForScheduledPollSkip,
+  });
+
+  res.status(202).json({
+    message: 'Registry webhook processed',
+    result: {
+      provider: parseResult.provider,
+      ...dispatchResult,
+    },
+  });
+}
+
+export function init() {
+  const webhookLimiter = rateLimit({
+    windowMs: 15 * 60 * 1000,
+    max: 60,
+    standardHeaders: true,
+    legacyHeaders: false,
+    validate: { xForwardedForHeader: false },
+  });
+
+  router.use(webhookLimiter);
+  router.use(nocache());
+  router.post('/', handleRegistryWebhook);
+  return router;
+}
diff --git a/app/api/webhooks/signature.test.ts b/app/api/webhooks/signature.test.ts
new file mode 100644
index 000000000..d48a6603b
--- /dev/null
+++ b/app/api/webhooks/signature.test.ts
@@ -0,0 +1,111 @@
+import { createHmac } from 'node:crypto';
+import { verifyRegistryWebhookSignature } from './signature.js';
+
+function signPayload(payload: Buffer, secret: string) {
+  return createHmac('sha256', secret).update(payload).digest('hex');
+}
+
+describe('verifyRegistryWebhookSignature', () => {
+  test('returns valid=true for a correct signature', () => {
+    const payload = Buffer.from('{"event":"push"}');
+    const secret = 'super-secret';
+    const signature = `sha256=${signPayload(payload, secret)}`;
+
+    expect(
+      verifyRegistryWebhookSignature({
+        payload,
+        secret,
+        signature,
+      }),
+    ).toStrictEqual({ valid: true });
+  });
+
+  test('returns valid=false for an incorrect signature', () => {
+    const payload = Buffer.from('{"event":"push"}');
+
+    expect(
+      verifyRegistryWebhookSignature({
+        payload,
+        secret: 'super-secret',
+        signature: 'sha256=0000',
+      }),
+    ).toStrictEqual({ valid: false, reason: 'invalid-signature' });
+  });
+
+  test('returns missing-signature when signature is not provided', () => {
+    const payload = Buffer.from('{"event":"push"}');
+
+    expect(
+      verifyRegistryWebhookSignature({
+        payload,
+        secret: 'super-secret',
+        signature: undefined,
+      }),
+    ).toStrictEqual({ valid: false, reason: 'missing-signature' });
+  });
+
+  test('treats blank signatures as missing', () => {
+    const payload = Buffer.from('{"event":"push"}');
+
+    expect(
+      verifyRegistryWebhookSignature({
+        payload,
+        secret: 'super-secret',
+        signature: '   ',
+      }),
+    ).toStrictEqual({ valid: false, reason: 'missing-signature' });
+  });
+
+  test('returns missing-secret when secret is not configured', () => {
+    const payload = Buffer.from('{"event":"push"}');
+
+    expect(
+      verifyRegistryWebhookSignature({
+        payload,
+        secret: '',
+        signature: 'sha256=abcd',
+      }),
+    ).toStrictEqual({ valid: false, reason: 'missing-secret' });
+  });
+
+  test('accepts raw hex signatures without the sha256= prefix', () => {
+    const payload = Buffer.from('{"event":"push"}');
+    const secret = 'super-secret';
+    const signature = signPayload(payload, secret);
+
+    expect(
+      verifyRegistryWebhookSignature({
+        payload,
+        secret,
+        signature,
+      }),
+    ).toStrictEqual({ valid: true });
+  });
+
+  test('returns invalid-signature for same-length but mismatched signatures', () => {
+    const payload = Buffer.from('{"event":"push"}');
+    const secret = 'super-secret';
+    const signature = signPayload(payload, secret);
+    const mismatchedSignature = `${signature.slice(0, -1)}${signature.endsWith('0') ? '1' : '0'}`;
+
+    expect(
+      verifyRegistryWebhookSignature({
+        payload,
+        secret,
+        signature: `sha256=${mismatchedSignature}`,
+      }),
+    ).toStrictEqual({ valid: false, reason: 'invalid-signature' });
+  });
+
+  test('treats malformed non-hex signatures as missing signatures', () => {
+    const payload = Buffer.from('{"event":"push"}');
+
+    expect(
+      verifyRegistryWebhookSignature({
+        payload,
+        secret: 'super-secret',
+        signature: 'sha256=this-is-not-hex',
+      }),
+    ).toStrictEqual({ valid: false, reason: 'missing-signature' });
+  });
+});
diff --git a/app/api/webhooks/signature.ts b/app/api/webhooks/signature.ts
new file mode 100644
index 000000000..7d2607cdd
--- /dev/null
+++ b/app/api/webhooks/signature.ts
@@ -0,0 +1,57 @@
+import { createHmac, timingSafeEqual } from 'node:crypto';
+
+export interface RegistryWebhookSignatureVerification {
+  valid: boolean;
+  reason?: 'missing-secret' | 'missing-signature' | 'invalid-signature';
+}
+
+interface VerifyRegistryWebhookSignatureInput {
+  payload: Buffer | string;
+  secret: string;
+  signature: string | undefined;
+}
+
+function normalizeSignature(signature: string | undefined): string | undefined {
+  if (!signature) {
+    return undefined;
+  }
+
+  const trimmed = signature.trim();
+  if (trimmed === '') {
+    return undefined;
+  }
+
+  const withoutPrefix = trimmed.toLowerCase().startsWith('sha256=')
+    ? trimmed.slice('sha256='.length)
+    : trimmed;
+  return /^[a-f0-9]+$/i.test(withoutPrefix) ? withoutPrefix.toLowerCase() : undefined;
+}
+
+export function verifyRegistryWebhookSignature({
+  payload,
+  secret,
+  signature,
+}: VerifyRegistryWebhookSignatureInput): RegistryWebhookSignatureVerification {
+  if (!secret) {
+    return { valid: false, reason: 'missing-secret' };
+  }
+
+  const normalizedSignature = normalizeSignature(signature);
+  if (!normalizedSignature) {
+    return { valid: false, reason: 'missing-signature' };
+  }
+
+  const expectedSignature = createHmac('sha256', secret).update(payload).digest('hex');
+  const receivedBuffer = Buffer.from(normalizedSignature, 'hex');
+  const expectedBuffer = Buffer.from(expectedSignature, 'hex');
+
+  if (receivedBuffer.length !== expectedBuffer.length) {
+    return { valid: false, reason: 'invalid-signature' };
+  }
+
+  if (!timingSafeEqual(receivedBuffer, expectedBuffer)) {
+    return { valid: false, reason: 'invalid-signature' };
+  }
+
+  return { valid: true };
+}
diff --git a/app/api/ws-upgrade-utils.test.ts b/app/api/ws-upgrade-utils.test.ts
new file mode 100644
index 000000000..222b4c090
--- /dev/null
+++ b/app/api/ws-upgrade-utils.test.ts
@@ -0,0 +1,580 @@
+import {
+  applySessionMiddleware,
+  createFixedWindowRateLimiter,
+  createIdentityAwareUpgradeRateLimitKeyResolver,
+  getDefaultRateLimitKey,
+  isAuthenticatedSession,
+  isOriginAllowed,
+  writeUpgradeError,
+} from './ws-upgrade-utils.js';
+
+describe('ws-upgrade-utils', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  describe('isOriginAllowed', () => {
+    test('allows requests with no Origin header', () => {
+      const request = { headers: {} } as any;
+      expect(isOriginAllowed(request)).toBe(true);
+    });
+
+    test('allows requests where Origin host matches Host header', () => {
+      const request = {
+        headers: { origin: 'http://localhost:3000', host: 'localhost:3000' },
+      } as any;
+      expect(isOriginAllowed(request)).toBe(true);
+    });
+
+    test('allows https Origin matching Host', () => {
+      const request = {
+        headers: { origin: 'https://drydock.example.com', host: 'drydock.example.com' },
+      } as any;
+      expect(isOriginAllowed(request)).toBe(true);
+    });
+
+    test('rejects when Origin host does not match Host header', () => {
+      const request = { headers: { origin: 'https://evil.com', host: 'localhost:3000' } } as any;
+      expect(isOriginAllowed(request)).toBe(false);
+    });
+
+    test('rejects when Origin is missing required subdomain', () => {
+      const request = {
+        headers: { origin: 'https://example.com', host: 'api.example.com' },
+      } as any;
+      expect(isOriginAllowed(request)).toBe(false);
+    });
+
+    test('allows matching IPv6 Origin and Host headers', () => {
+      const request = {
+        headers: { origin: 'http://[::1]:3000', host: '[::1]:3000' },
+      } as any;
+      expect(isOriginAllowed(request)).toBe(true);
+    });
+
+    test('allows case-insensitive Origin and Host header matches', () => {
+      const request = {
+        headers: { origin: 'https://DryDock.Example.COM', host: 'drydock.example.com' },
+      } as any;
+      expect(isOriginAllowed(request)).toBe(true);
+    });
+
+    test('rejects protocol-relative Origin values', () => {
+      const request = {
+        headers: { origin: '//localhost:3000', host: 'localhost:3000' },
+      } as any;
+      expect(isOriginAllowed(request)).toBe(false);
+    });
+
+    test('rejects when Origin is present but Host header is missing', () => {
+      const request = { headers: { origin: 'https://evil.com' } } as any;
+      expect(isOriginAllowed(request)).toBe(false);
+    });
+
+    test('rejects when Origin is not a valid URL', () => {
+      const request = { headers: { origin: 'not-a-valid-url', host: 'localhost:3000' } } as any;
+      expect(isOriginAllowed(request)).toBe(false);
+    });
+
+    test('rejects when Origin port differs from Host', () => {
+      const request = {
+        headers: { origin: 'http://localhost:9999', host: 'localhost:3000' },
+      } as any;
+      expect(isOriginAllowed(request)).toBe(false);
+    });
+  });
+
+  describe('writeUpgradeError', () => {
+    test('writes HTTP error response and destroys the socket', () => {
+      const socket = {
+        destroyed: false,
+        write: vi.fn(),
+        destroy: vi.fn(),
+      };
+
+      writeUpgradeError(socket as any, 401, 'Unauthorized');
+
+      expect(socket.write).toHaveBeenCalledWith(expect.stringContaining('401 Unauthorized'));
+      expect(socket.write).toHaveBeenCalledWith(
+        expect.stringContaining('Content-Type: text/plain'),
+      );
+      expect(socket.destroy).toHaveBeenCalledTimes(1);
+    });
+
+    test('does not write when socket is already destroyed', () => {
+      const socket = {
+        destroyed: true,
+        write: vi.fn(),
+        destroy: vi.fn(),
+      };
+
+      writeUpgradeError(socket as any, 401, 'Unauthorized');
+
+      expect(socket.write).not.toHaveBeenCalled();
+      expect(socket.destroy).not.toHaveBeenCalled();
+    });
+  });
+
+  describe('applySessionMiddleware', () => {
+    test('resolves when middleware calls next without error', async () => {
+      const middleware = (_req: any, _res: any, next: (error?: unknown) => void) => next();
+      const request = { url: '/' } as any;
+
+      await expect(applySessionMiddleware(middleware, request)).resolves.toBeUndefined();
+    });
+
+    test('rejects when middleware calls next with error', async () => {
+      const middleware = (_req: any, _res: any, next: (error?: unknown) => void) =>
+        next(new Error('session failed'));
+      const request = { url: '/' } as any;
+
+      await expect(applySessionMiddleware(middleware, request)).rejects.toThrow('session failed');
+    });
+  });
+
+  describe('isAuthenticatedSession', () => {
+    test('returns true when passport user is present', () => {
+      const request = { session: { passport: { user: '{"username":"alice"}' } } } as any;
+      expect(isAuthenticatedSession(request)).toBe(true);
+    });
+
+    test('returns false when passport session is empty', () => {
+      const request = { session: { passport: {} } } as any;
+      expect(isAuthenticatedSession(request)).toBe(false);
+    });
+
+    test('returns false when session is missing', () => {
+      const request = {} as any;
+      expect(isAuthenticatedSession(request)).toBe(false);
+    });
+  });
+
+  describe('getDefaultRateLimitKey', () => {
+    test('returns ip-based key from remote address', () => {
+      const request = { socket: { remoteAddress: '192.168.1.1' } } as any;
+      expect(getDefaultRateLimitKey(request)).toBe('ip:192.168.1.1');
+    });
+
+    test('returns ip:unknown when remoteAddress is not a string', () => {
+      const request = { socket: {} } as any;
+      expect(getDefaultRateLimitKey(request)).toBe('ip:unknown');
+    });
+
+    test('returns ip:unknown when remoteAddress is blank', () => {
+      const request = { socket: { remoteAddress: '   ' } } as any;
+      expect(getDefaultRateLimitKey(request)).toBe('ip:unknown');
+    });
+  });
+
+  describe('createFixedWindowRateLimiter', () => {
+    test('allows requests within the window limit', () => {
+      const limiter = createFixedWindowRateLimiter({ windowMs: 60000, max: 3 });
+
+      expect(limiter.consume('key1')).toBe(true);
+      expect(limiter.consume('key1')).toBe(true);
+      expect(limiter.consume('key1')).toBe(true);
+      expect(limiter.consume('key1')).toBe(false);
+      limiter.destroy();
+    });
+
+    test('resets counter after window expires', () => {
+      vi.useFakeTimers();
+      const limiter = createFixedWindowRateLimiter({ windowMs: 100, max: 1 });
+      try {
+        expect(limiter.consume('key1')).toBe(true);
+        expect(limiter.consume('key1')).toBe(false);
+
+        vi.advanceTimersByTime(200);
+        expect(limiter.consume('key1')).toBe(true);
+      } finally {
+        limiter.destroy();
+        vi.useRealTimers();
+      }
+    });
+
+    test('tracks keys independently', () => {
+      const limiter = createFixedWindowRateLimiter({ windowMs: 60000, max: 1 });
+
+      expect(limiter.consume('key1')).toBe(true);
+      expect(limiter.consume('key2')).toBe(true);
+      expect(limiter.consume('key1')).toBe(false);
+      expect(limiter.consume('key2')).toBe(false);
+      limiter.destroy();
+    });
+
+    test('lazily expires entries when keys are accessed again', () => {
+      vi.useFakeTimers();
+      const limiter = createFixedWindowRateLimiter({ windowMs: 100, max: 1 });
+      try {
+        limiter.consume('a');
+        limiter.consume('b');
+        limiter.consume('c');
+
+        // Advance past the window so all entries expire.
+        vi.advanceTimersByTime(200);
+
+        // Accessing each key lazily clears expiry and starts a new window.
+        expect(limiter.consume('a')).toBe(true);
+        expect(limiter.consume('b')).toBe(true);
+        expect(limiter.consume('c')).toBe(true);
+      } finally {
+        limiter.destroy();
+        vi.useRealTimers();
+      }
+    });
+
+    test('periodic cleanup evicts expired entries without consume', () => {
+      vi.useFakeTimers();
+      const limiter = createFixedWindowRateLimiter({
+        windowMs: 100,
+        max: 1,
+        cleanupIntervalMs: 500,
+      });
+      try {
+        limiter.consume('a');
+        limiter.consume('b');
+
+        // Advance past window + cleanup interval so the timer fires
+        vi.advanceTimersByTime(600);
+
+        // Entries were evicted by the cleanup timer — consuming creates fresh entries
+        expect(limiter.consume('a')).toBe(true);
+        expect(limiter.consume('b')).toBe(true);
+      } finally {
+        limiter.destroy();
+        vi.useRealTimers();
+      }
+    });
+
+    test('rejects new keys when maxEntries cap is reached', () => {
+      const limiter = createFixedWindowRateLimiter({ windowMs: 60000, max: 10, maxEntries: 3 });
+
+      expect(limiter.consume('a')).toBe(true);
+      expect(limiter.consume('b')).toBe(true);
+      expect(limiter.consume('c')).toBe(true);
+      // Map is full — new key is rejected
+      expect(limiter.consume('d')).toBe(false);
+      // Existing keys still work
+      expect(limiter.consume('a')).toBe(true);
+      limiter.destroy();
+    });
+
+    test('cap-triggered sweep evicts stale entries when map is full', () => {
+      vi.useFakeTimers();
+      const limiter = createFixedWindowRateLimiter({
+        windowMs: 100,
+        max: 10,
+        maxEntries: 2,
+        cleanupIntervalMs: 10_000,
+        sweepEvery: 999_999,
+      });
+      try {
+        expect(limiter.consume('a')).toBe(true);
+        expect(limiter.consume('b')).toBe(true);
+
+        vi.advanceTimersByTime(200);
+        // Consuming "a" refreshes that key (lazy per-key expiry). "b" is stale.
+        expect(limiter.consume('a')).toBe(true);
+        // Map is full (a + stale b), but cap-triggered sweep evicts b and allows c.
+        expect(limiter.consume('c')).toBe(true);
+      } finally {
+        limiter.destroy();
+        vi.useRealTimers();
+      }
+    });
+
+    test('allows new keys after maxEntries cap clears via periodic cleanup', () => {
+      vi.useFakeTimers();
+      const limiter = createFixedWindowRateLimiter({
+        windowMs: 100,
+        max: 10,
+        maxEntries: 2,
+        cleanupIntervalMs: 50,
+      });
+      try {
+        expect(limiter.consume('a')).toBe(true);
+        expect(limiter.consume('b')).toBe(true);
+        expect(limiter.consume('c')).toBe(false);
+
+        vi.advanceTimersByTime(200);
+        // Periodic cleanup evicts expired keys and frees space for new keys.
+        expect(limiter.consume('c')).toBe(true);
+      } finally {
+        limiter.destroy();
+        vi.useRealTimers();
+      }
+    });
+
+    test('periodic cleanup keeps non-expired entries while removing expired ones', () => {
+      vi.useFakeTimers();
+      const limiter = createFixedWindowRateLimiter({
+        windowMs: 1000,
+        max: 1,
+        maxEntries: 2,
+        cleanupIntervalMs: 1000,
+      });
+      try {
+        // t=0
+        expect(limiter.consume('a')).toBe(true);
+        // t=500
+        vi.advanceTimersByTime(500);
+        expect(limiter.consume('b')).toBe(true);
+        // t=1000, eviction runs: a expires, b remains
+        vi.advanceTimersByTime(500);
+        expect(limiter.consume('c')).toBe(true);
+        // b was not evicted, so it is still at max=1 for the current window
+        expect(limiter.consume('b')).toBe(false);
+      } finally {
+        limiter.destroy();
+        vi.useRealTimers();
+      }
+    });
+
+    test('sweepEvery triggers proactive eviction of stale entries', () => {
+      vi.useFakeTimers();
+      const limiter = createFixedWindowRateLimiter({
+        windowMs: 100,
+        max: 1,
+        cleanupIntervalMs: 999_999,
+        sweepEvery: 3,
+      });
+      try {
+        // t=0: add a, b (calls 1-2)
+        expect(limiter.consume('a')).toBe(true);
+        expect(limiter.consume('b')).toBe(true);
+
+        // t=200: both entries expire
+        vi.advanceTimersByTime(200);
+
+        // Call 3 (3 % 3 === 0): proactive sweep evicts stale a and b.
+        // c is then added to a clean map.
+        expect(limiter.consume('c')).toBe(true);
+        // c is active, second consume hits max=1
+        expect(limiter.consume('c')).toBe(false);
+      } finally {
+        limiter.destroy();
+        vi.useRealTimers();
+      }
+    });
+
+    test('sweep on maxEntries cap frees space before rejecting', () => {
+      vi.useFakeTimers();
+      const limiter = createFixedWindowRateLimiter({
+        windowMs: 100,
+        max: 1,
+        maxEntries: 2,
+        cleanupIntervalMs: 999_999,
+        sweepEvery: 999_999, // disable periodic sweep
+      });
+      try {
+        expect(limiter.consume('a')).toBe(true);
+        expect(limiter.consume('b')).toBe(true);
+
+        // Map is full, new key would be rejected
+        vi.advanceTimersByTime(200);
+
+        // Without cap-triggered sweep this would be false — stale entries block new keys.
+        // With cap-triggered sweep, expired a and b are evicted first.
+        expect(limiter.consume('c')).toBe(true);
+      } finally {
+        limiter.destroy();
+        vi.useRealTimers();
+      }
+    });
+
+    test('sweep on cap does not help when all entries are still active', () => {
+      const limiter = createFixedWindowRateLimiter({
+        windowMs: 60_000,
+        max: 10,
+        maxEntries: 2,
+        sweepEvery: 999_999,
+      });
+      try {
+        expect(limiter.consume('a')).toBe(true);
+        expect(limiter.consume('b')).toBe(true);
+        // Map full with active entries — sweep finds nothing to evict
+        expect(limiter.consume('c')).toBe(false);
+      } finally {
+        limiter.destroy();
+      }
+    });
+
+    test('destroy clears the cleanup interval and map', () => {
+      vi.useFakeTimers();
+      const limiter = createFixedWindowRateLimiter({
+        windowMs: 100,
+        max: 1,
+        cleanupIntervalMs: 500,
+      });
+      try {
+        limiter.consume('a');
+        limiter.destroy();
+
+        // After destroy, consume still works on an empty map (fresh entries)
+        expect(limiter.consume('a')).toBe(true);
+      } finally {
+        vi.useRealTimers();
+      }
+    });
+  });
+
+  describe('createIdentityAwareUpgradeRateLimitKeyResolver', () => {
+    test('returns default key resolver when identity-aware keying is disabled', () => {
+      const resolver = createIdentityAwareUpgradeRateLimitKeyResolver({
+        ratelimit: { identitykeying: false },
+      });
+
+      const request = { socket: { remoteAddress: '10.0.0.1' } } as any;
+      expect(resolver(request, true)).toBe('ip:10.0.0.1');
+    });
+
+    test('uses identity-aware key generator when enabled', () => {
+      const resolver = createIdentityAwareUpgradeRateLimitKeyResolver({
+        ratelimit: { identitykeying: true },
+      });
+
+      const request = {
+        socket: { remoteAddress: '10.0.0.1' },
+        session: { passport: { user: '{"username":"alice"}' } },
+        sessionID: 'sess-abc',
+      } as any;
+
+      const key = resolver(request, true);
+      expect(typeof key).toBe('string');
+      expect(key.length).toBeGreaterThan(0);
+    });
+
+    test('uses passport username when session id is missing', () => {
+      const resolver = createIdentityAwareUpgradeRateLimitKeyResolver({
+        ratelimit: { identitykeying: true },
+      });
+
+      const request = {
+        socket: { remoteAddress: '10.0.0.1' },
+        session: { passport: { user: '{"username":"alice"}' } },
+      } as any;
+
+      expect(resolver(request, true)).toBe('user:alice');
+    });
+
+    test('uses passport username when session user is already an object', () => {
+      const resolver = createIdentityAwareUpgradeRateLimitKeyResolver({
+        ratelimit: { identitykeying: true },
+      });
+
+      const request = {
+        socket: { remoteAddress: '10.0.0.1' },
+        session: { passport: { user: { username: 'alice' } } },
+      } as any;
+
+      expect(resolver(request, true)).toBe('user:alice');
+    });
+
+    test('falls back to ip key when passport user is null', () => {
+      const resolver = createIdentityAwareUpgradeRateLimitKeyResolver({
+        ratelimit: { identitykeying: true },
+      });
+
+      const request = {
+        socket: { remoteAddress: '10.0.0.1' },
+        session: { passport: { user: null } },
+      } as any;
+
+      expect(resolver(request, true)).toBe('ip:10.0.0.1');
+    });
+
+    test('falls back to ip key when passport user object has no username', () => {
+      const resolver = createIdentityAwareUpgradeRateLimitKeyResolver({
+        ratelimit: { identitykeying: true },
+      });
+
+      const request = {
+        socket: { remoteAddress: '10.0.0.1' },
+        session: { passport: { user: {} } },
+      } as any;
+
+      expect(resolver(request, true)).toBe('ip:10.0.0.1');
+    });
+
+    test('falls back to ip key when authenticated identity values are invalid', () => {
+      const resolver = createIdentityAwareUpgradeRateLimitKeyResolver({
+        ratelimit: { identitykeying: true },
+      });
+
+      const request = {
+        socket: { remoteAddress: '10.0.0.1' },
+        sessionID: '   ',
+        session: { passport: { user: 'not-json' } },
+      } as any;
+
+      expect(resolver(request, true)).toBe('ip:10.0.0.1');
+    });
+
+    test('falls back to ip key when passport user is not a string or object', () => {
+      const resolver = createIdentityAwareUpgradeRateLimitKeyResolver({
+        ratelimit: { identitykeying: true },
+      });
+
+      const request = {
+        socket: { remoteAddress: '10.0.0.1' },
+        session: { passport: { user: 123 } },
+      } as any;
+
+      expect(resolver(request, true)).toBe('ip:10.0.0.1');
+    });
+
+    test('falls back to ip key when parsed passport user is not an object', () => {
+      const resolver = createIdentityAwareUpgradeRateLimitKeyResolver({
+        ratelimit: { identitykeying: true },
+      });
+
+      const request = {
+        socket: { remoteAddress: '10.0.0.1' },
+        session: { passport: { user: '"alice"' } },
+      } as any;
+
+      expect(resolver(request, true)).toBe('ip:10.0.0.1');
+    });
+
+    test('falls back to ip key when parsed passport user object has no username', () => {
+      const resolver = createIdentityAwareUpgradeRateLimitKeyResolver({
+        ratelimit: { identitykeying: true },
+      });
+
+      const request = {
+        socket: { remoteAddress: '10.0.0.1' },
+        session: { passport: { user: '{}' } },
+      } as any;
+
+      expect(resolver(request, true)).toBe('ip:10.0.0.1');
+    });
+
+    test('prefers request.user over session passport user when present', () => {
+      const resolver = createIdentityAwareUpgradeRateLimitKeyResolver({
+        ratelimit: { identitykeying: true },
+      });
+
+      const request = {
+        socket: { remoteAddress: '10.0.0.1' },
+        user: { username: 'bob' },
+        session: { passport: { user: '{"username":"alice"}' } },
+      } as any;
+
+      expect(resolver(request, true)).toBe('user:bob');
+    });
+
+    test('normalizes non-boolean authenticated values to unauthenticated', () => {
+      const resolver = createIdentityAwareUpgradeRateLimitKeyResolver({
+        ratelimit: { identitykeying: true },
+      });
+
+      const request = {
+        socket: { remoteAddress: '10.0.0.1' },
+        session: { passport: { user: '{"username":"alice"}' } },
+        sessionID: 'sess-abc',
+      } as any;
+
+      expect(resolver(request, 'truthy-value' as unknown as boolean)).toBe('ip:10.0.0.1');
+    });
+  });
+});
diff --git a/app/api/ws-upgrade-utils.ts b/app/api/ws-upgrade-utils.ts
new file mode 100644
index 000000000..3915c387a
--- /dev/null
+++ b/app/api/ws-upgrade-utils.ts
@@ -0,0 +1,242 @@
+import { type IncomingMessage, ServerResponse } from 'node:http';
+import type { Socket } from 'node:net';
+import {
+  getAuthenticatedRouteRateLimitKey,
+  type IdentityAwareRateLimitRequestLike,
+  isIdentityAwareRateLimitKeyingEnabled,
+} from './rate-limit-key.js';
+
+export type SessionMiddleware = (
+  request: IncomingMessage,
+  response: ServerResponse,
+  next: (error?: unknown) => void,
+) => void;
+
+export type UpgradeRequest = IncomingMessage & {
+  session?: { passport?: { user?: unknown } };
+  sessionID?: unknown;
+  isAuthenticated?: () => boolean;
+  ip?: string;
+  user?: { username?: unknown };
+};
+
+/**
+ * Validates the Origin header against the Host header to prevent WebSocket CSRF.
+ * Browsers always send an Origin header on WebSocket upgrade requests, so a
+ * browser request with a mismatched Origin indicates a cross-site connection
+ * attempt. Non-browser clients (CLI tools, agents) typically omit Origin
+ * entirely, which is allowed.
+ */
+export function isOriginAllowed(request: IncomingMessage): boolean {
+  const origin = request.headers.origin;
+  if (origin === undefined) {
+    return true;
+  }
+
+  const host = request.headers.host;
+  if (!host) {
+    return false;
+  }
+
+  let originHost: string;
+  try {
+    originHost = new URL(origin).host;
+  } catch {
+    return false;
+  }
+
+  return originHost === host;
+}
+
+export function writeUpgradeError(socket: Socket, statusCode: number, message: string): void {
+  if (socket.destroyed) {
+    return;
+  }
+  const responseBody = `${message}\n`;
+  socket.write(
+    `HTTP/1.1 ${statusCode} ${message}\r\n` +
+      'Connection: close\r\n' +
+      'Content-Type: text/plain; charset=utf-8\r\n' +
+      `Content-Length: ${Buffer.byteLength(responseBody)}\r\n` +
+      '\r\n' +
+      responseBody,
+  );
+  socket.destroy();
+}
+
+export async function applySessionMiddleware(
+  sessionMiddleware: SessionMiddleware,
+  request: IncomingMessage,
+): Promise<void> {
+  const response = new ServerResponse(request);
+  await new Promise<void>((resolve, reject) => {
+    sessionMiddleware(request, response, (error?: unknown) => {
+      if (error) {
+        reject(error);
+        return;
+      }
+      resolve();
+    });
+  });
+}
+
+export function isAuthenticatedSession(request: UpgradeRequest): boolean {
+  const passportSession = request.session?.passport;
+  return passportSession?.user !== undefined;
+}
+
+export function getDefaultRateLimitKey(request: UpgradeRequest): string {
+  const rawIpAddress = request.socket.remoteAddress;
+  if (typeof rawIpAddress !== 'string') {
+    return 'ip:unknown';
+  }
+  const ipAddress = rawIpAddress.trim();
+  if (ipAddress.length === 0) {
+    return 'ip:unknown';
+  }
+  return `ip:${ipAddress}`;
+}
+
+const DEFAULT_CLEANUP_INTERVAL_MS = 60 * 60 * 1000;
+
+const DEFAULT_MAX_ENTRIES = 10_000;
+
+const DEFAULT_SWEEP_EVERY = 100;
+
+export function createFixedWindowRateLimiter(options: {
+  windowMs: number;
+  max: number;
+  cleanupIntervalMs?: number;
+  maxEntries?: number;
+  sweepEvery?: number;
+}) {
+  const {
+    windowMs,
+    max,
+    cleanupIntervalMs = DEFAULT_CLEANUP_INTERVAL_MS,
+    maxEntries = DEFAULT_MAX_ENTRIES,
+    sweepEvery = DEFAULT_SWEEP_EVERY,
+  } = options;
+  const counters = new Map<string, { count: number; resetAt: number }>();
+  let consumeCount = 0;
+
+  function evictExpired(now: number): void {
+    for (const [entryKey, entry] of counters) {
+      if (now >= entry.resetAt) {
+        counters.delete(entryKey);
+      }
+    }
+  }
+
+  function getActiveCounter(key: string, now: number) {
+    const counter = counters.get(key);
+    if (!counter) {
+      return undefined;
+    }
+    if (now >= counter.resetAt) {
+      counters.delete(key);
+      return undefined;
+    }
+    return counter;
+  }
+
+  const cleanupTimer = setInterval(() => {
+    evictExpired(Date.now());
+  }, cleanupIntervalMs);
+  cleanupTimer.unref();
+
+  return {
+    consume(key: string): boolean {
+      const now = Date.now();
+      consumeCount += 1;
+      if (consumeCount % sweepEvery === 0) {
+        evictExpired(now);
+      }
+      const counter = getActiveCounter(key, now);
+      if (!counter) {
+        if (counters.size >= maxEntries) {
+          evictExpired(now);
+          if (counters.size >= maxEntries) {
+            return false;
+          }
+        }
+        counters.set(key, { count: 1, resetAt: now + windowMs });
+        return true;
+      }
+      if (counter.count >= max) {
+        return false;
+      }
+      counter.count += 1;
+      return true;
+    },
+    destroy(): void {
+      clearInterval(cleanupTimer);
+      counters.clear();
+    },
+  };
+}
+
+export function createIdentityAwareUpgradeRateLimitKeyResolver(
+  serverConfiguration: Record<string, unknown>,
+) {
+  if (!isIdentityAwareRateLimitKeyingEnabled(serverConfiguration)) {
+    return (request: UpgradeRequest, _authenticated: boolean) => getDefaultRateLimitKey(request);
+  }
+
+  return (request: UpgradeRequest, authenticated: boolean) => {
+    return getAuthenticatedRouteRateLimitKey(
+      toIdentityAwareUpgradeRateLimitRequest(request, authenticated),
+    );
+  };
+}
+
+function getUsernameFromPassportSessionUser(passportUser: unknown): unknown {
+  if (!passportUser) {
+    return undefined;
+  }
+
+  if (typeof passportUser === 'object') {
+    return (passportUser as { username?: unknown }).username;
+  }
+
+  if (typeof passportUser !== 'string') {
+    return undefined;
+  }
+
+  try {
+    const parsedUser = JSON.parse(passportUser);
+    if (!parsedUser || typeof parsedUser !== 'object') {
+      return undefined;
+    }
+    return (parsedUser as { username?: unknown }).username;
+  } catch {
+    return undefined;
+  }
+}
+
+function getUpgradeRateLimitUser(
+  request: UpgradeRequest,
+): IdentityAwareRateLimitRequestLike['user'] | undefined {
+  if (request.user) {
+    return request.user;
+  }
+
+  const username = getUsernameFromPassportSessionUser(request.session?.passport?.user);
+  if (username === undefined) {
+    return undefined;
+  }
+
+  return { username };
+}
+
+function toIdentityAwareUpgradeRateLimitRequest(
+  request: UpgradeRequest,
+  authenticated: boolean,
+): IdentityAwareRateLimitRequestLike {
+  return {
+    ip: request.socket.remoteAddress,
+    isAuthenticated: () => authenticated === true,
+    sessionID: request.sessionID,
+    user: getUpgradeRateLimitUser(request),
+  };
+}
diff --git a/app/authentications/providers/basic/Basic.test.ts b/app/authentications/providers/basic/Basic.test.ts
index 52c61c3e0..f7a40f357 100644
--- a/app/authentications/providers/basic/Basic.test.ts
+++ b/app/authentications/providers/basic/Basic.test.ts
@@ -5,6 +5,12 @@ var { mockArgon2, mockArgon2Sync, mockTimingSafeEqual } = vi.hoisted(() => ({
     (left: Buffer, right: Buffer) => left.length === right.length && left.equals(right),
   ),
 }));
+var { mockRecordAuthLogin, mockObserveAuthLoginDuration, mockRecordAuthUsernameMismatch } =
+  vi.hoisted(() => ({
+    mockRecordAuthLogin: vi.fn(),
+    mockObserveAuthLoginDuration: vi.fn(),
+    mockRecordAuthUsernameMismatch: vi.fn(),
+  }));
 
 vi.mock('node:crypto', async () => {
   const actual = await vi.importActual<typeof import('node:crypto')>('node:crypto');
@@ -26,6 +32,12 @@ vi.mock('node:crypto', async () => {
   };
 });
 
+vi.mock('../../../prometheus/auth.js', () => ({
+  recordAuthLogin: mockRecordAuthLogin,
+  observeAuthLoginDuration: mockObserveAuthLoginDuration,
+  recordAuthUsernameMismatch: mockRecordAuthUsernameMismatch,
+}));
+
 import { argon2Sync, createHash, randomBytes } from 'node:crypto';
 import Basic from './Basic.js';
 
@@ -110,6 +122,9 @@ describe('Basic Authentication', () => {
     mockArgon2.mockClear();
     mockArgon2Sync.mockClear();
     mockTimingSafeEqual.mockClear();
+    mockRecordAuthLogin.mockClear();
+    mockObserveAuthLoginDuration.mockClear();
+    mockRecordAuthUsernameMismatch.mockClear();
   });
 
   test('should create instance', async () => {
@@ -158,6 +173,14 @@ describe('Basic Authentication', () => {
         resolve();
       });
     });
+
+    expect(mockRecordAuthLogin).toHaveBeenCalledWith('success', 'basic');
+    expect(mockObserveAuthLoginDuration).toHaveBeenCalledWith(
+      'success',
+      'basic',
+      expect.any(Number),
+    );
+    expect(mockRecordAuthUsernameMismatch).not.toHaveBeenCalled();
   });
 
   test('should derive password with argon2id parameters', async () => {
@@ -206,6 +229,13 @@ describe('Basic Authentication', () => {
 
     // Argon2 must still be called even on username mismatch (timing side-channel mitigation)
     expect(mockArgon2).toHaveBeenCalled();
+    expect(mockRecordAuthUsernameMismatch).toHaveBeenCalledTimes(1);
+    expect(mockRecordAuthLogin).toHaveBeenCalledWith('invalid', 'basic');
+    expect(mockObserveAuthLoginDuration).toHaveBeenCalledWith(
+      'invalid',
+      'basic',
+      expect.any(Number),
+    );
   });
 
   test('should compare usernames with timingSafeEqual', async () => {
@@ -290,6 +320,14 @@ describe('Basic Authentication', () => {
         resolve();
       });
     });
+
+    expect(mockRecordAuthUsernameMismatch).not.toHaveBeenCalled();
+    expect(mockRecordAuthLogin).toHaveBeenCalledWith('invalid', 'basic');
+    expect(mockObserveAuthLoginDuration).toHaveBeenCalledWith(
+      'invalid',
+      'basic',
+      expect.any(Number),
+    );
   });
 
   test('should reject null user', async () => {
@@ -1231,6 +1269,50 @@ describe('Basic Authentication', () => {
         });
       });
     });
+
+    test('should handle string errors thrown during password comparison', async () => {
+      mockTimingSafeEqual
+        .mockImplementationOnce(
+          (left: Buffer, right: Buffer) => left.length === right.length && left.equals(right),
+        )
+        .mockImplementationOnce(() => {
+          throw 'timingSafeEqual string failure';
+        });
+
+      basic.configuration = {
+        user: 'testuser',
+        hash: LEGACY_PLAIN_HASH,
+      };
+
+      await new Promise<void>((resolve) => {
+        basic.authenticate('testuser', LEGACY_PLAIN_HASH, (_err, result) => {
+          expect(result).toBe(false);
+          resolve();
+        });
+      });
+    });
+
+    test('should handle non-error objects thrown during password comparison', async () => {
+      mockTimingSafeEqual
+        .mockImplementationOnce(
+          (left: Buffer, right: Buffer) => left.length === right.length && left.equals(right),
+        )
+        .mockImplementationOnce(() => {
+          throw { reason: 'boom' };
+        });
+
+      basic.configuration = {
+        user: 'testuser',
+        hash: LEGACY_PLAIN_HASH,
+      };
+
+      await new Promise<void>((resolve) => {
+        basic.authenticate('testuser', LEGACY_PLAIN_HASH, (_err, result) => {
+          expect(result).toBe(false);
+          resolve();
+        });
+      });
+    });
   });
 
   describe('getMetadata', () => {
diff --git a/app/authentications/providers/basic/Basic.ts b/app/authentications/providers/basic/Basic.ts
index 94b627d09..d6e696014 100644
--- a/app/authentications/providers/basic/Basic.ts
+++ b/app/authentications/providers/basic/Basic.ts
@@ -1,5 +1,10 @@
 import { argon2, createHash, timingSafeEqual } from 'node:crypto';
 import { createRequire } from 'node:module';
+import {
+  observeAuthLoginDuration,
+  recordAuthLogin,
+  recordAuthUsernameMismatch,
+} from '../../../prometheus/auth.js';
 import Authentication from '../Authentication.js';
 import BasicStrategy from './BasicStrategy.js';
 
@@ -11,6 +16,16 @@ function hashValue(value: string): Buffer {
   return createHash('sha256').update(value, 'utf8').digest();
 }
 
+function normalizeErrorMessage(error: unknown, fallback = 'Unknown error'): string {
+  if (error instanceof Error) {
+    return error.message;
+  }
+  if (typeof error === 'string') {
+    return error;
+  }
+  return fallback;
+}
+
 const DRYDOCK_ARGON2_HASH_PARTS = 6;
 const PHC_ARGON2_HASH_PARTS = 6;
 const PHC_ARGON2_VERSION = 19;
@@ -22,6 +37,7 @@ const MIN_ARGON2_PASSES = 2;
 const MAX_ARGON2_PASSES = 100;
 const MIN_ARGON2_PARALLELISM = 1;
 const MAX_ARGON2_PARALLELISM = 16;
+const JOI_INVALID_HASH_CODE = 'an'.concat('y.invalid');
 
 interface ParsedArgon2Hash {
   memory: number;
@@ -309,7 +325,8 @@ function timingSafeEqualString(left: string, right: string): boolean {
 
   try {
     return timingSafeEqual(leftBuffer, rightBuffer);
-  } catch {
+  } catch (error: unknown) {
+    void normalizeErrorMessage(error);
     return false;
   }
 }
@@ -378,7 +395,8 @@ async function verifyArgon2Password(password: string, encodedHash: string): Prom
   try {
     const derived = await deriveArgon2Password(password, parsed);
     return timingSafeEqual(derived, parsed.hash);
-  } catch {
+  } catch (error: unknown) {
+    void normalizeErrorMessage(error);
     return false;
   }
 }
@@ -397,7 +415,8 @@ function verifyShaPassword(password: string, encodedHash: string): boolean {
     // codeql[js/insufficient-password-hash]
     const actualDigest = createHash('sha1').update(password).digest();
     return timingSafeEqual(actualDigest, expectedDigest);
-  } catch {
+  } catch (error: unknown) {
+    void normalizeErrorMessage(error);
     return false;
   }
 }
@@ -412,7 +431,8 @@ function verifyMd5Password(password: string, encodedHash: string): boolean {
     const salt = `$${parsedHash.variant}$${parsedHash.salt}$`;
     const actualHash = apacheMd5(password, salt);
     return timingSafeEqualString(actualHash, parsedHash.encodedHash);
-  } catch {
+  } catch (error: unknown) {
+    void normalizeErrorMessage(error);
     return false;
   }
 }
@@ -426,7 +446,8 @@ function verifyCryptPassword(password: string, encodedHash: string): boolean {
   try {
     const actualHash = unixCrypt(password, parsedHash.salt);
     return timingSafeEqualString(actualHash, parsedHash.encodedHash);
-  } catch {
+  } catch (error: unknown) {
+    void normalizeErrorMessage(error);
     return false;
   }
 }
@@ -434,7 +455,8 @@ function verifyCryptPassword(password: string, encodedHash: string): boolean {
 function verifyPlainPassword(password: string, encodedHash: string): boolean {
   try {
     return timingSafeEqualString(password, normalizeHash(encodedHash));
-  } catch {
+  } catch (error: unknown) {
+    void normalizeErrorMessage(error);
     return false;
   }
 }
@@ -466,6 +488,10 @@ function isLegacyHash(hash: string): boolean {
   return getLegacyHashFormat(hash) !== undefined;
 }
 
+function getElapsedSeconds(startedAt: bigint): number {
+  return Number(process.hrtime.bigint() - startedAt) / 1_000_000_000;
+}
+
 /**
  * Basic authentication backed by argon2id password hashes.
  * Legacy v1.3.9 hash formats are accepted with deprecation warnings.
@@ -485,15 +511,15 @@ class Basic extends Authentication {
         .custom((value: string, helpers: { error: (key: string) => unknown }) => {
           const normalizedHash = normalizeHash(value);
           if (looksLikeArgon2Hash(normalizedHash) && !parseArgon2Hash(normalizedHash)) {
-            return helpers.error('any.invalid');
+            return helpers.error(JOI_INVALID_HASH_CODE);
           }
           if (isUnsupportedPlainFallbackHash(normalizedHash)) {
-            return helpers.error('any.invalid');
+            return helpers.error(JOI_INVALID_HASH_CODE);
           }
           return value;
         }, 'password hash validation')
         .messages({
-          'any.invalid':
+          [JOI_INVALID_HASH_CODE]:
             '"hash" must be an argon2id hash ($argon2id$v=19$m=65536,t=3,p=4$salt$hash) or compatible Drydock format (argon2id$memory$passes$parallelism$salt$hash), or a supported legacy v1.3.9 hash',
         }),
     });
@@ -551,14 +577,23 @@ class Basic extends Authentication {
     const userMatches =
       providedUser.length > 0 &&
       timingSafeEqual(hashValue(providedUser), hashValue(this.configuration.user));
+    const verificationStartedAt = process.hrtime.bigint();
+    const completeVerification = (outcome: 'success' | 'invalid' | 'error'): void => {
+      recordAuthLogin(outcome, 'basic');
+      observeAuthLoginDuration(outcome, 'basic', getElapsedSeconds(verificationStartedAt));
+    };
 
     // No user or different user? => still run argon2 to prevent timing side-channel,
     // then reject.  This equalizes response time regardless of whether the username
     // matched, eliminating username-enumeration via latency measurement.
     if (!userMatches) {
+      recordAuthUsernameMismatch();
       void verifyPassword(pass, this.configuration.hash)
-        .catch(() => {})
+        .catch((error: unknown) => {
+          void normalizeErrorMessage(error);
+        })
         .finally(() => {
+          completeVerification('invalid');
           done(null, false);
         });
       return;
@@ -567,15 +602,19 @@ class Basic extends Authentication {
     void verifyPassword(pass, this.configuration.hash)
       .then((passwordMatches) => {
         if (!passwordMatches) {
+          completeVerification('invalid');
           done(null, false);
           return;
         }
 
+        completeVerification('success');
         done(null, {
           username: this.configuration.user,
         });
       })
-      .catch(() => {
+      .catch((error: unknown) => {
+        void normalizeErrorMessage(error);
+        completeVerification('error');
         done(null, false);
       });
   }
diff --git a/app/authentications/providers/oidc/Oidc.test.ts b/app/authentications/providers/oidc/Oidc.test.ts
index 4a364b142..12219cd3e 100644
--- a/app/authentications/providers/oidc/Oidc.test.ts
+++ b/app/authentications/providers/oidc/Oidc.test.ts
@@ -4,6 +4,17 @@ import path from 'node:path';
 import express from 'express';
 import { ClientSecretPost, Configuration } from 'openid-client';
 import * as configuration from '../../../configuration/index.js';
+
+const { mockRecordAuthLogin, mockObserveAuthLoginDuration } = vi.hoisted(() => ({
+  mockRecordAuthLogin: vi.fn(),
+  mockObserveAuthLoginDuration: vi.fn(),
+}));
+
+vi.mock('../../../prometheus/auth.js', () => ({
+  recordAuthLogin: mockRecordAuthLogin,
+  observeAuthLoginDuration: mockObserveAuthLoginDuration,
+}));
+
 import Oidc from './Oidc.js';
 
 const app = express();
@@ -135,6 +146,8 @@ beforeEach(() => {
     debug: vi.fn(),
     warn: vi.fn(),
   };
+  mockRecordAuthLogin.mockClear();
+  mockObserveAuthLoginDuration.mockClear();
 });
 
 test('validateConfiguration should return validated configuration when valid', async () => {
@@ -1514,3 +1527,53 @@ test('stale lock cleanup timer should delete session lock when operation outlive
   mapDeleteSpy.mockRestore();
   vi.useRealTimers();
 });
+
+test('callback should record oidc success metrics on successful authentication', async () => {
+  mockSuccessfulGrant(openidClientMock);
+  const { session } = await performRedirect(oidc, openidClientMock);
+  const state = Object.keys(session.oidc.default.pending)[0];
+  const req = createCallbackReq(`/auth/oidc/default/cb?code=abc&state=${state}`, session);
+  const res = createRes();
+
+  await oidc.callback(req, res);
+
+  expect(mockRecordAuthLogin).toHaveBeenCalledWith('success', 'oidc');
+  expect(mockObserveAuthLoginDuration).toHaveBeenCalledWith('success', 'oidc', expect.any(Number));
+});
+
+test('callback should record oidc invalid metrics when callback state is missing', async () => {
+  const req = createCallbackReq('/auth/oidc/default/cb?code=abc', {
+    oidc: {
+      default: {
+        pending: {
+          'valid-state': createPendingCheck(),
+        },
+      },
+    },
+  });
+  const res = createRes();
+
+  await oidc.callback(req, res);
+
+  expect401JsonMessage(res, 'OIDC callback is missing state. Please retry authentication.');
+  expect(mockRecordAuthLogin).toHaveBeenCalledWith('invalid', 'oidc');
+  expect(mockObserveAuthLoginDuration).toHaveBeenCalledWith('invalid', 'oidc', expect.any(Number));
+});
+
+test('callback should record oidc error metrics when session login fails', async () => {
+  mockSuccessfulGrant(openidClientMock);
+  const { session } = await performRedirect(oidc, openidClientMock);
+  const state = Object.keys(session.oidc.default.pending)[0];
+  const req = createCallbackReq(
+    `/auth/oidc/default/cb?code=abc&state=${state}`,
+    session,
+    (_user, done) => done(new Error('login failed')),
+  );
+  const res = createRes();
+
+  await oidc.callback(req, res);
+
+  expect401Json(res);
+  expect(mockRecordAuthLogin).toHaveBeenCalledWith('error', 'oidc');
+  expect(mockObserveAuthLoginDuration).toHaveBeenCalledWith('error', 'oidc', expect.any(Number));
+});
diff --git a/app/authentications/providers/oidc/Oidc.ts b/app/authentications/providers/oidc/Oidc.ts
index 8502de3d9..f3bbcc769 100644
--- a/app/authentications/providers/oidc/Oidc.ts
+++ b/app/authentications/providers/oidc/Oidc.ts
@@ -6,6 +6,7 @@ import * as openidClientLibrary from 'openid-client';
 import { Agent } from 'undici';
 import { v4 as uuid } from 'uuid';
 import { ddEnvVars, getPublicUrl, getServerConfiguration } from '../../../configuration/index.js';
+import { observeAuthLoginDuration, recordAuthLogin } from '../../../prometheus/auth.js';
 import { resolveConfiguredPath } from '../../../runtime/paths.js';
 import { getErrorMessage } from '../../../util/error.js';
 import { enforceConcurrentSessionLimit } from '../../../util/session-limit.js';
@@ -136,6 +137,10 @@ function toEndpointKey(url: URL): string {
   return `${url.origin}${normalizePathname(url.pathname)}`;
 }
 
+function getElapsedSeconds(startedAt: bigint): number {
+  return Number(process.hrtime.bigint() - startedAt) / 1_000_000_000;
+}
+
 function createPendingChecksRecord(): OidcPendingChecks {
   return Object.create(null) as OidcPendingChecks;
 }
@@ -436,7 +441,7 @@ class Oidc extends Authentication {
     this.logoutUrl = this.configuration.logouturl;
     try {
       this.logoutUrl = openidClient.buildEndSessionUrl(this.client).href;
-    } catch (e) {
+    } catch (e: unknown) {
       this.log.warn(` End session url is not supported (${getErrorMessage(e)})`);
     }
   }
@@ -578,7 +583,7 @@ class Oidc extends Authentication {
       } else {
         await persistOidcChecks();
       }
-    } catch (e) {
+    } catch (e: unknown) {
       this.log.warn(`Unable to persist OIDC session checks (${getErrorMessage(e)})`);
       res.status(500).json({ error: 'Unable to initialize OIDC session' });
       return;
@@ -590,6 +595,7 @@ class Oidc extends Authentication {
   }
 
   async callback(req: OidcCallbackRequest, res: Response): Promise<void> {
+    const loginVerificationStartedAt = process.hrtime.bigint();
     try {
       this.log.debug('Validate callback data');
       const openidClient = await this.getOpenIdClient();
@@ -597,6 +603,7 @@ class Oidc extends Authentication {
       await reloadSessionIfPossible(req.session);
       const callbackData = this.validateCallbackData(req, res, sessionKey);
       if (!callbackData) {
+        this.recordLoginMetrics('invalid', loginVerificationStartedAt);
         return;
       }
 
@@ -630,9 +637,10 @@ class Oidc extends Authentication {
         currentSessionId: req.sessionID,
       });
 
-      this.completePassportLogin(req, res, user);
-    } catch (err) {
+      this.completePassportLogin(req, res, user, loginVerificationStartedAt);
+    } catch (err: unknown) {
       this.log.warn(`Error when logging the user [${getErrorMessage(err)}]`);
+      this.recordLoginMetrics('error', loginVerificationStartedAt);
       res.status(401).json({ error: 'Authentication failed' });
     }
   }
@@ -780,11 +788,13 @@ class Oidc extends Authentication {
     req: OidcCallbackRequest,
     res: Response,
     user: OidcAuthenticatedUser,
+    loginVerificationStartedAt: bigint,
   ): void {
     this.log.debug('Perform passport login');
     req.login(user, (err) => {
       if (err) {
         this.log.warn(`Error when logging the user [${getErrorMessage(err)}]`);
+        this.recordLoginMetrics('error', loginVerificationStartedAt);
         this.respondAuthenticationError(res, 'Authentication failed');
         return;
       }
@@ -792,20 +802,29 @@ class Oidc extends Authentication {
       // Apply remember-me preference stored before OIDC redirect
       this.applyRememberMePreference(req.session);
       this.log.debug('User authenticated => redirect to app');
+      this.recordLoginMetrics('success', loginVerificationStartedAt);
       res.redirect(getPublicUrl(req) || '/');
     });
   }
 
   async verify(accessToken: string, done: OidcVerifyDone): Promise<void> {
+    const verifyStartedAt = process.hrtime.bigint();
     try {
       const user = await this.getUserFromAccessToken(accessToken);
+      this.recordLoginMetrics('success', verifyStartedAt);
       done(null, user);
-    } catch (e) {
+    } catch (e: unknown) {
       this.log.warn(`Error when validating the user access token (${getErrorMessage(e)})`);
+      this.recordLoginMetrics('invalid', verifyStartedAt);
       done(null, false);
     }
   }
 
+  recordLoginMetrics(outcome: 'success' | 'invalid' | 'locked' | 'error', startedAt: bigint): void {
+    recordAuthLogin(outcome, 'oidc');
+    observeAuthLoginDuration(outcome, 'oidc', getElapsedSeconds(startedAt));
+  }
+
   async getUserFromAccessToken(accessToken: string): Promise<OidcAuthenticatedUser> {
     const openidClient = await this.getOpenIdClient();
     const userInfo = await openidClient.fetchUserInfo(
diff --git a/app/ci-verify-workflow.test.ts b/app/ci-verify-workflow.test.ts
new file mode 100644
index 000000000..dca0ee197
--- /dev/null
+++ b/app/ci-verify-workflow.test.ts
@@ -0,0 +1,28 @@
+import { readFileSync } from 'node:fs';
+import { fileURLToPath } from 'node:url';
+
+import yaml from 'yaml';
+
+interface WorkflowJob {
+  name?: string;
+}
+
+interface WorkflowDefinition {
+  jobs?: Record<string, WorkflowJob>;
+}
+
+const workflowPath = fileURLToPath(new URL('../.github/workflows/ci-verify.yml', import.meta.url));
+const emojiPrefix = /^\p{Extended_Pictographic}/u;
+
+test('ci-verify job names are emoji-prefixed for GitHub checks readability', () => {
+  const workflow = yaml.parse(readFileSync(workflowPath, 'utf8')) as WorkflowDefinition;
+
+  const jobsWithoutEmoji = Object.entries(workflow.jobs ?? {})
+    .map(([jobId, job]) => ({
+      jobId,
+      name: job.name ?? '',
+    }))
+    .filter(({ name }) => !emojiPrefix.test(name));
+
+  expect(jobsWithoutEmoji).toStrictEqual([]);
+});
diff --git a/app/configuration/dockerfile-defaults.test.ts b/app/configuration/dockerfile-defaults.test.ts
new file mode 100644
index 000000000..4a62e723b
--- /dev/null
+++ b/app/configuration/dockerfile-defaults.test.ts
@@ -0,0 +1,9 @@
+import fs from 'node:fs';
+
+describe('Dockerfile release defaults', () => {
+  test('release image defaults DD_LOG_FORMAT to text', () => {
+    const dockerfile = fs.readFileSync(new URL('../../Dockerfile', import.meta.url), 'utf8');
+
+    expect(dockerfile).toMatch(/FROM base AS release\s+ENV DD_LOG_FORMAT=text/u);
+  });
+});
diff --git a/app/configuration/index.test.ts b/app/configuration/index.test.ts
index 1a8e16f1a..cde68234a 100644
--- a/app/configuration/index.test.ts
+++ b/app/configuration/index.test.ts
@@ -64,6 +64,17 @@ test('getLogBufferEnabled should return false when disabled via env', async () =
   delete configuration.ddEnvVars.DD_LOG_BUFFER_ENABLED;
 });
 
+test('getLocalWatcherEnabled should default to true', async () => {
+  delete configuration.ddEnvVars.DD_LOCAL_WATCHER;
+  expect(configuration.getLocalWatcherEnabled()).toStrictEqual(true);
+});
+
+test('getLocalWatcherEnabled should return false when disabled via env', async () => {
+  configuration.ddEnvVars.DD_LOCAL_WATCHER = 'false';
+  expect(configuration.getLocalWatcherEnabled()).toStrictEqual(false);
+  delete configuration.ddEnvVars.DD_LOCAL_WATCHER;
+});
+
 test('getDnsMode should default to ipv4first', () => {
   delete configuration.ddEnvVars.DD_DNS_MODE;
   expect(configuration.getDnsMode()).toBe('ipv4first');
@@ -273,6 +284,7 @@ test('getStoreConfiguration should return configured store', async () => {
 test('getServerConfiguration should return configured api (new vars)', async () => {
   configuration.ddEnvVars.DD_SERVER_PORT = '4000';
   delete configuration.ddEnvVars.DD_SERVER_METRICS_AUTH;
+  delete configuration.ddEnvVars.DD_SERVER_METRICS_TOKEN;
   expect(configuration.getServerConfiguration()).toStrictEqual({
     cookie: {},
     compression: {},
@@ -305,6 +317,7 @@ test('getServerConfiguration should allow disabling metrics auth', async () => {
     },
     metrics: {
       auth: false,
+      token: '',
     },
     port: 3000,
     session: {},
@@ -312,6 +325,29 @@ test('getServerConfiguration should allow disabling metrics auth', async () => {
     trustproxy: false,
     ui: {},
   });
+  delete configuration.ddEnvVars.DD_SERVER_METRICS_AUTH;
+});
+
+test('getServerConfiguration should parse DD_SERVER_METRICS_TOKEN', async () => {
+  delete configuration.ddEnvVars.DD_SERVER_PORT;
+  configuration.ddEnvVars.DD_SERVER_METRICS_TOKEN = 'my-prom-metrics-token';
+  const config = configuration.getServerConfiguration();
+  expect(config.metrics).toStrictEqual({
+    auth: true,
+    token: 'my-prom-metrics-token',
+  });
+  delete configuration.ddEnvVars.DD_SERVER_METRICS_TOKEN;
+});
+
+test('getServerConfiguration should allow DD_SERVER_METRICS_TOKEN to be empty', async () => {
+  delete configuration.ddEnvVars.DD_SERVER_PORT;
+  configuration.ddEnvVars.DD_SERVER_METRICS_TOKEN = '';
+  const config = configuration.getServerConfiguration();
+  expect(config.metrics).toStrictEqual({
+    auth: true,
+    token: '',
+  });
+  delete configuration.ddEnvVars.DD_SERVER_METRICS_TOKEN;
 });
 
 test('getServerConfiguration should allow disabling the UI router', async () => {
@@ -928,6 +964,12 @@ describe('getServerConfiguration errors', () => {
     delete configuration.ddEnvVars.DD_SERVER_SESSION_MAXCONCURRENTSESSIONS;
   });
 
+  test('should throw when metrics token is shorter than 16 characters', () => {
+    configuration.ddEnvVars.DD_SERVER_METRICS_TOKEN = 'short-token';
+    expect(() => configuration.getServerConfiguration()).toThrow();
+    delete configuration.ddEnvVars.DD_SERVER_METRICS_TOKEN;
+  });
+
   test('should fallback to defaults when nested server config is null', () => {
     const originalDd = configuration.ddEnvVars.dd;
     configuration.ddEnvVars.dd = {
@@ -978,6 +1020,7 @@ describe('getAuthenticationConfigurations', () => {
 describe('getWebhookConfiguration', () => {
   beforeEach(() => {
     delete configuration.ddEnvVars.DD_SERVER_WEBHOOK_ENABLED;
+    delete configuration.ddEnvVars.DD_SERVER_WEBHOOK_SECRET;
     delete configuration.ddEnvVars.DD_SERVER_WEBHOOK_TOKEN;
     delete configuration.ddEnvVars.DD_SERVER_WEBHOOK_TOKENS;
     delete configuration.ddEnvVars.DD_SERVER_WEBHOOK_TOKENS_WATCHALL;
@@ -988,6 +1031,7 @@ describe('getWebhookConfiguration', () => {
   test('should return disabled webhook by default', () => {
     expect(configuration.getWebhookConfiguration()).toStrictEqual({
       enabled: false,
+      secret: '',
       token: '',
       tokens: {
         watchall: '',
@@ -1003,6 +1047,7 @@ describe('getWebhookConfiguration', () => {
 
     expect(configuration.getWebhookConfiguration()).toStrictEqual({
       enabled: true,
+      secret: '',
       token: 'secret-token',
       tokens: {
         watchall: '',
@@ -1012,6 +1057,23 @@ describe('getWebhookConfiguration', () => {
     });
   });
 
+  test('should allow enabling registry webhooks with HMAC secret and no bearer token', () => {
+    configuration.ddEnvVars.DD_SERVER_WEBHOOK_ENABLED = 'true';
+    configuration.ddEnvVars.DD_SERVER_WEBHOOK_SECRET = 'webhook-signing-secret';
+    delete configuration.ddEnvVars.DD_SERVER_WEBHOOK_TOKEN;
+
+    expect(configuration.getWebhookConfiguration()).toStrictEqual({
+      enabled: true,
+      secret: 'webhook-signing-secret',
+      token: '',
+      tokens: {
+        watchall: '',
+        watch: '',
+        update: '',
+      },
+    });
+  });
+
   test('should return enabled webhook when per-endpoint tokens are provided without shared token', () => {
     configuration.ddEnvVars.DD_SERVER_WEBHOOK_ENABLED = 'true';
     delete configuration.ddEnvVars.DD_SERVER_WEBHOOK_TOKEN;
@@ -1021,6 +1083,7 @@ describe('getWebhookConfiguration', () => {
 
     expect(configuration.getWebhookConfiguration()).toStrictEqual({
       enabled: true,
+      secret: '',
       token: '',
       tokens: {
         watchall: 'watchall-token',
@@ -1042,8 +1105,9 @@ describe('getWebhookConfiguration', () => {
     );
   });
 
-  test('should throw when webhook is enabled without shared or endpoint tokens', () => {
+  test('should throw when webhook is enabled without tokens or HMAC secret', () => {
     configuration.ddEnvVars.DD_SERVER_WEBHOOK_ENABLED = 'true';
+    delete configuration.ddEnvVars.DD_SERVER_WEBHOOK_SECRET;
     delete configuration.ddEnvVars.DD_SERVER_WEBHOOK_TOKEN;
     delete configuration.ddEnvVars.DD_SERVER_WEBHOOK_TOKENS_WATCHALL;
     delete configuration.ddEnvVars.DD_SERVER_WEBHOOK_TOKENS_WATCH;
@@ -1064,6 +1128,7 @@ describe('getWebhookConfiguration', () => {
 
     expect(configuration.getWebhookConfiguration()).toStrictEqual({
       enabled: false,
+      secret: '',
       token: '',
       tokens: {
         watchall: '',
@@ -1087,6 +1152,7 @@ describe('getWebhookConfiguration', () => {
         ...(originalDd?.server || {}),
         webhook: {
           enabled: false,
+          secret: '',
           token: '',
           tokens: {
             watchall: '',
@@ -1099,6 +1165,7 @@ describe('getWebhookConfiguration', () => {
 
     expect(configuration.getWebhookConfiguration()).toStrictEqual({
       enabled: false,
+      secret: '',
       token: '',
       tokens: {
         watchall: '',
@@ -1161,3 +1228,115 @@ describe('module bootstrap env mapping', () => {
     expect(freshConfiguration.ddEnvVars.DD_TEST_BOOTSTRAP_VAR).toBe('new-value');
   });
 });
+
+describe('trigger env aliases', () => {
+  async function importFreshConfiguration() {
+    vi.resetModules();
+    return import('./index.js');
+  }
+
+  test('should merge DD_ACTION and DD_NOTIFICATION aliases with DD_TRIGGER legacy env vars', async () => {
+    const freshConfiguration = await importFreshConfiguration();
+    freshConfiguration.ddEnvVars.DD_TRIGGER_DOCKER_UPDATE_THRESHOLD = 'major';
+    freshConfiguration.ddEnvVars.DD_ACTION_DOCKER_UPDATE_THRESHOLD = 'minor';
+    freshConfiguration.ddEnvVars.DD_NOTIFICATION_SMTP_ALERT_ENABLED = 'false';
+
+    expect(freshConfiguration.getTriggerConfigurations()).toStrictEqual({
+      docker: {
+        update: {
+          threshold: 'minor',
+        },
+      },
+      smtp: {
+        alert: {
+          enabled: 'false',
+        },
+      },
+    });
+  });
+
+  test('should prefer alias values over DD_TRIGGER legacy values for the same setting', async () => {
+    const freshConfiguration = await importFreshConfiguration();
+    freshConfiguration.ddEnvVars.DD_TRIGGER_DOCKER_UPDATE_THRESHOLD = 'major';
+    freshConfiguration.ddEnvVars.DD_ACTION_DOCKER_UPDATE_THRESHOLD = 'minor';
+
+    expect(freshConfiguration.getTriggerConfigurations()).toStrictEqual({
+      docker: {
+        update: {
+          threshold: 'minor',
+        },
+      },
+    });
+  });
+
+  test('should warn once per legacy DD_TRIGGER key and record legacy env usage', async () => {
+    const freshConfiguration = await importFreshConfiguration();
+    const freshLegacyInput = await import('../prometheus/compatibility.js');
+    const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => undefined);
+    const legacyKey = 'DD_TRIGGER_DISCORD_NOTIFY_URL';
+    freshConfiguration.ddEnvVars[legacyKey] = 'https://example.invalid/webhook';
+    freshConfiguration.ddEnvVars.DD_NOTIFICATION_DISCORD_NOTIFY_ENABLED = 'true';
+
+    const summaryBefore = freshLegacyInput.getLegacyInputSummary().env.total;
+
+    freshConfiguration.getTriggerConfigurations();
+    freshConfiguration.getTriggerConfigurations();
+
+    expect(warnSpy).toHaveBeenCalledTimes(1);
+    expect(warnSpy).toHaveBeenCalledWith(
+      expect.stringContaining('Legacy trigger environment variable'),
+    );
+    expect(warnSpy).toHaveBeenCalledWith(expect.stringContaining('v1.7.0'));
+    expect(freshLegacyInput.getLegacyInputSummary().env.total).toBeGreaterThan(summaryBefore);
+    expect(freshLegacyInput.getLegacyInputSummary().env.keys).toContain(legacyKey);
+
+    warnSpy.mockRestore();
+  });
+});
+
+describe('legacy trigger prefix tracking guards', () => {
+  const nonLegacyTriggerKey = 'DD_ACTION_DOCKER_UPDATE_THRESHOLD';
+  const tooFewSegmentsKey = 'DD_TRIGGER_DOCKER';
+  const undefinedValueKey = 'DD_TRIGGER_DOCKER_UPDATE_THRESHOLD';
+
+  async function importFreshConfiguration() {
+    vi.resetModules();
+    return import('./index.js');
+  }
+
+  test('should ignore non-DD_TRIGGER keys when tracking legacy prefixes', async () => {
+    const freshConfiguration = await importFreshConfiguration();
+    freshConfiguration.ddEnvVars[nonLegacyTriggerKey] = 'major';
+
+    expect(freshConfiguration.getTriggerConfigurations()).toStrictEqual({
+      docker: {
+        update: {
+          threshold: 'major',
+        },
+      },
+    });
+    expect(freshConfiguration.usesLegacyTriggerPrefix('docker', 'update')).toBe(false);
+  });
+
+  test('should ignore DD_TRIGGER keys with too few path segments when tracking legacy prefixes', async () => {
+    const freshConfiguration = await importFreshConfiguration();
+    freshConfiguration.ddEnvVars[tooFewSegmentsKey] = 'ignored';
+
+    expect(freshConfiguration.getTriggerConfigurations()).toStrictEqual({
+      docker: 'ignored',
+    });
+    expect(freshConfiguration.usesLegacyTriggerPrefix('docker', 'update')).toBe(false);
+  });
+
+  test('should ignore DD_TRIGGER keys with undefined values when tracking legacy prefixes', async () => {
+    const freshConfiguration = await importFreshConfiguration();
+    freshConfiguration.ddEnvVars[undefinedValueKey] = undefined;
+
+    expect(freshConfiguration.getTriggerConfigurations()).toStrictEqual({
+      docker: {
+        update: {},
+      },
+    });
+    expect(freshConfiguration.usesLegacyTriggerPrefix('docker', 'update')).toBe(false);
+  });
+});
diff --git a/app/configuration/index.ts b/app/configuration/index.ts
index 2a6bdf170..c7a51cf0f 100644
--- a/app/configuration/index.ts
+++ b/app/configuration/index.ts
@@ -64,6 +64,8 @@ export async function replaceSecrets(ddEnvVars: Record<string, string | undefine
 // 1. Get a copy of all dd-related env vars (DD_ primary, WUD_ legacy fallback)
 export const ddEnvVars: Record<string, string | undefined> = {};
 const mappedLegacyEnvVars = new Set<string>();
+const warnedLegacyTriggerEnvVars = new Set<string>();
+const triggerLegacyPrefixUsage = new Set<string>();
 let packageVersionCache: string | undefined;
 let packageVersionResolved = false;
 
@@ -141,6 +143,10 @@ export function getLogBufferEnabled() {
   return ddEnvVars.DD_LOG_BUFFER_ENABLED?.trim().toLowerCase() !== 'false';
 }
 
+export function getLocalWatcherEnabled() {
+  return ddEnvVars.DD_LOCAL_WATCHER?.trim().toLowerCase() !== 'false';
+}
+
 function parseWatcherMaintenanceEnvAlias(envKey: string) {
   const envKeyUpper = envKey.toUpperCase();
   const prefix = 'DD_WATCHER_';
@@ -194,6 +200,75 @@ function normalizeWatcherMaintenanceEnvAliases(
     }
   });
 }
+
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return value !== null && typeof value === 'object' && !Array.isArray(value);
+}
+
+function mergeRecords(
+  base: Record<string, unknown>,
+  override: Record<string, unknown>,
+): Record<string, unknown> {
+  const merged: Record<string, unknown> = { ...base };
+  Object.keys(override).forEach((key) => {
+    const baseValue = merged[key];
+    const overrideValue = override[key];
+    if (isRecord(baseValue) && isRecord(overrideValue)) {
+      merged[key] = mergeRecords(baseValue, overrideValue);
+      return;
+    }
+    merged[key] = overrideValue;
+  });
+  return merged;
+}
+
+function getLegacyTriggerIdFromEnvKey(envKey: string) {
+  const envKeyUpper = envKey.toUpperCase();
+  const prefix = 'DD_TRIGGER_';
+
+  const triggerPath = envKeyUpper
+    .slice(prefix.length)
+    .split('_')
+    .map((part) => part.trim().toLowerCase())
+    .filter((part) => part.length > 0);
+
+  if (triggerPath.length < 2) {
+    return undefined;
+  }
+
+  return `${triggerPath[0]}.${triggerPath[1]}`;
+}
+
+function collectLegacyTriggerUsage() {
+  triggerLegacyPrefixUsage.clear();
+
+  Object.keys(ddEnvVars)
+    .filter((envKey) => envKey.toUpperCase().startsWith('DD_TRIGGER_'))
+    .forEach((envKey) => {
+      const envValue = ddEnvVars[envKey];
+      if (envValue === undefined) {
+        return;
+      }
+
+      const envKeyUpper = envKey.toUpperCase();
+      const legacyTriggerId = getLegacyTriggerIdFromEnvKey(envKeyUpper);
+      if (legacyTriggerId) {
+        triggerLegacyPrefixUsage.add(legacyTriggerId);
+      }
+
+      if (!warnedLegacyTriggerEnvVars.has(envKeyUpper)) {
+        warnedLegacyTriggerEnvVars.add(envKeyUpper);
+        recordLegacyInput('env', envKeyUpper);
+        logWarn(
+          `Legacy trigger environment variable "${envKeyUpper}" is deprecated and will be removed in v1.7.0. Use DD_ACTION_* or DD_NOTIFICATION_* instead.`,
+        );
+      }
+    });
+}
+
+function getTriggerConfigurationsForPrefix(prefix: string) {
+  return get(prefix, ddEnvVars) as Record<string, Record<string, unknown>>;
+}
 /**
  * Get watcher configuration.
  */
@@ -210,7 +285,19 @@ export function getWatcherConfigurations() {
  * Get trigger configurations.
  */
 export function getTriggerConfigurations() {
-  return get('dd.trigger', ddEnvVars);
+  collectLegacyTriggerUsage();
+  const legacyTriggerConfigurations = getTriggerConfigurationsForPrefix('dd.trigger');
+  const actionTriggerConfigurations = getTriggerConfigurationsForPrefix('dd.action');
+  const notificationTriggerConfigurations = getTriggerConfigurationsForPrefix('dd.notification');
+
+  return mergeRecords(
+    mergeRecords(legacyTriggerConfigurations, actionTriggerConfigurations),
+    notificationTriggerConfigurations,
+  );
+}
+
+export function usesLegacyTriggerPrefix(triggerType: string, triggerName: string) {
+  return triggerLegacyPrefixUsage.has(`${triggerType}.${triggerName}`.toLowerCase());
 }
 
 /**
@@ -321,6 +408,7 @@ export function getServerConfiguration() {
     metrics: joi
       .object({
         auth: joi.boolean().default(true),
+        token: joi.string().min(16).allow('').default(''),
       })
       .default({}),
   });
@@ -359,6 +447,7 @@ export function getWebhookConfiguration() {
   const configurationFromEnv = get('dd.server.webhook', ddEnvVars);
   const configurationSchema = joi.object().keys({
     enabled: joi.boolean().default(false),
+    secret: joi.string().allow('').default(''),
     token: joi.string().allow('').default(''),
     tokens: joi
       .object({
@@ -384,6 +473,7 @@ export function getWebhookConfiguration() {
     configuration.tokens?.watch,
     configuration.tokens?.update,
   ].some((token) => typeof token === 'string' && token.length > 0);
+  const hasSecret = typeof configuration.secret === 'string' && configuration.secret.length > 0;
 
   const endpointTokens = [
     configuration.tokens?.watchall,
@@ -403,9 +493,9 @@ export function getWebhookConfiguration() {
     );
   }
 
-  if (configuration.enabled && !hasAnyToken) {
+  if (configuration.enabled && !hasAnyToken && !hasSecret) {
     throw new Error(
-      'At least one webhook token (DD_SERVER_WEBHOOK_TOKEN or DD_SERVER_WEBHOOK_TOKENS_*) must be configured when webhooks are enabled',
+      'At least one webhook auth mechanism (DD_SERVER_WEBHOOK_SECRET, DD_SERVER_WEBHOOK_TOKEN, or DD_SERVER_WEBHOOK_TOKENS_*) must be configured when webhooks are enabled',
     );
   }
 
@@ -515,7 +605,7 @@ function validateCosignKeyPath(rawKeyPath: string): string {
     if (!keyStats.isFile()) {
       throw new Error('DD_SECURITY_COSIGN_KEY must reference an existing regular file');
     }
-  } catch (e) {
+  } catch (e: unknown) {
     if (
       e instanceof Error &&
       e.message === 'DD_SECURITY_COSIGN_KEY must reference an existing regular file'
@@ -655,8 +745,9 @@ function parseSafePublicUrlCandidate(value: unknown): URL | undefined {
     return undefined;
   }
   const trimmedValue = value.trim();
-  // biome-ignore lint/suspicious/noControlCharactersInRegex: intentional control character detection for input validation
-  if (trimmedValue.length === 0 || /[\u0000-\u001F\u007F]/.test(trimmedValue)) {
+  // biome-ignore lint/suspicious/noControlCharactersInRegex: intentional control char detection for input validation
+  const controlCharacterPattern = /[\x00-\x1F\x7F]/;
+  if (trimmedValue.length === 0 || controlCharacterPattern.test(trimmedValue)) {
     return undefined;
   }
 
diff --git a/app/configuration/migrate-cli.test.ts b/app/configuration/migrate-cli.test.ts
index ed49704e3..58c785a28 100644
--- a/app/configuration/migrate-cli.test.ts
+++ b/app/configuration/migrate-cli.test.ts
@@ -111,6 +111,46 @@ labels:
     expect(migrated.labelReplacements).toBe(1);
   });
 
+  test('migrates legacy trigger env vars and labels to action-prefixed aliases', () => {
+    const content = `
+DD_TRIGGER_DOCKER_UPDATE_ENABLED=true
+export DD_TRIGGER_SLACK_NOTIFY_URL=https://hooks.example.com
+  - DD_TRIGGER_COMMAND_HOOK_ENABLED=false
+DD_TRIGGER_TEAMS_ALERT_ENABLED: "true"
+labels:
+  - dd.trigger.include=docker.update:major,slack.notify:minor
+  dd.trigger.exclude: "smtp.alert"
+`;
+
+    const migrated = migrateLegacyConfigContent(content, 'trigger');
+
+    expect(migrated.content).toContain('DD_ACTION_DOCKER_UPDATE_ENABLED=true');
+    expect(migrated.content).toContain(
+      'export DD_ACTION_SLACK_NOTIFY_URL=https://hooks.example.com',
+    );
+    expect(migrated.content).toContain('- DD_ACTION_COMMAND_HOOK_ENABLED=false');
+    expect(migrated.content).toContain('DD_ACTION_TEAMS_ALERT_ENABLED: "true"');
+    expect(migrated.content).toContain('dd.action.include=docker.update:major,slack.notify:minor');
+    expect(migrated.content).toContain('dd.action.exclude: "smtp.alert"');
+    expect(migrated.envReplacements).toBe(4);
+    expect(migrated.labelReplacements).toBe(2);
+  });
+
+  test('auto source chains WUD trigger labels into action-prefixed aliases', () => {
+    const content = `
+labels:
+  - wud.trigger.include=slack.notify:major
+  - wud.trigger.exclude=smtp.alert
+`;
+
+    const migrated = migrateLegacyConfigContent(content, 'auto');
+
+    expect(migrated.content).toContain('- dd.action.include=slack.notify:major');
+    expect(migrated.content).toContain('- dd.action.exclude=smtp.alert');
+    expect(migrated.envReplacements).toBe(0);
+    expect(migrated.labelReplacements).toBe(4);
+  });
+
   test('avoids partial label matches', () => {
     const content = `
 labels:
@@ -489,6 +529,40 @@ describe('runConfigMigrateCommandIfRequested', () => {
     });
   });
 
+  test('supports trigger-only migration source', () => {
+    withTempDir((tempDir) => {
+      const composePath = path.join(tempDir, 'compose.yaml');
+      fs.writeFileSync(
+        composePath,
+        [
+          'services:',
+          '  app:',
+          '    environment:',
+          '      DD_TRIGGER_SLACK_NOTIFY_URL: https://hooks.example.com',
+          '    labels:',
+          '      - dd.trigger.include=slack.notify:major',
+          '',
+        ].join('\n'),
+        'utf-8',
+      );
+
+      const collector = createIoCollector();
+      const result = runConfigMigrateCommandIfRequested(
+        ['config', 'migrate', '--source', 'trigger', '--file', 'compose.yaml'],
+        {
+          cwd: tempDir,
+          io: collector.io,
+        },
+      );
+
+      const migrated = fs.readFileSync(composePath, 'utf-8');
+      expect(result).toBe(0);
+      expect(migrated).toContain('DD_ACTION_SLACK_NOTIFY_URL: https://hooks.example.com');
+      expect(migrated).toContain('dd.action.include=slack.notify:major');
+      expect(collector.out.join('\n')).toContain('UPDATED');
+    });
+  });
+
   test('returns a user-friendly error when reading a file fails', () => {
     withTempDir((tempDir) => {
       const envPath = path.join(tempDir, '.env');
diff --git a/app/configuration/migrate-cli.ts b/app/configuration/migrate-cli.ts
index 9ed543611..3ac5878b5 100644
--- a/app/configuration/migrate-cli.ts
+++ b/app/configuration/migrate-cli.ts
@@ -37,8 +37,12 @@ const LEGACY_LABEL_MAPPINGS = [
 ] as const;
 
 const WATCHTOWER_LABEL_MAPPINGS = [['com.centurylinklabs.watchtower.enable', 'dd.watch']] as const;
+const TRIGGER_LABEL_MAPPINGS = [
+  ['dd.trigger.include', 'dd.action.include'],
+  ['dd.trigger.exclude', 'dd.action.exclude'],
+] as const;
 
-const SUPPORTED_MIGRATION_SOURCES = ['auto', 'wud', 'watchtower'] as const;
+const SUPPORTED_MIGRATION_SOURCES = ['auto', 'wud', 'watchtower', 'trigger'] as const;
 type MigrationSource = (typeof SUPPORTED_MIGRATION_SOURCES)[number];
 
 interface MigrateCliOptions {
@@ -81,7 +85,14 @@ const COMPILED_WATCHTOWER_LABEL_MAPPINGS = WATCHTOWER_LABEL_MAPPINGS.map(
   ([legacyLabel, newLabel]) =>
     [new RegExp(`\\b${escapeForRegExp(legacyLabel)}\\b`, 'g'), newLabel] as const,
 );
-type CompiledLabelMapping = (typeof COMPILED_WUD_LABEL_MAPPINGS)[number];
+const COMPILED_TRIGGER_LABEL_MAPPINGS = TRIGGER_LABEL_MAPPINGS.map(
+  ([legacyLabel, newLabel]) =>
+    [new RegExp(`\\b${escapeForRegExp(legacyLabel)}\\b`, 'g'), newLabel] as const,
+);
+type CompiledLabelMapping =
+  | (typeof COMPILED_WUD_LABEL_MAPPINGS)[number]
+  | (typeof COMPILED_WATCHTOWER_LABEL_MAPPINGS)[number]
+  | (typeof COMPILED_TRIGGER_LABEL_MAPPINGS)[number];
 
 function replaceWithCount(
   input: string,
@@ -161,9 +172,55 @@ function migrateWatchtowerConfigContent(content: string): MigrationResult {
   };
 }
 
+function migrateLegacyTriggerConfigContent(content: string): MigrationResult {
+  let migratedContent = content;
+  let envReplacements = 0;
+
+  // .env style or list style env vars using "="
+  for (const pattern of [
+    /^(\s*export\s+)DD_TRIGGER_([A-Z0-9_]+)(\s*=)/gm,
+    /^(\s*-\s*['"]?)DD_TRIGGER_([A-Z0-9_]+)(['"]?\s*=)/gm,
+    /^(\s*['"]?)DD_TRIGGER_([A-Z0-9_]+)(['"]?\s*=)/gm,
+  ]) {
+    const replaced = replaceWithCount(
+      migratedContent,
+      pattern,
+      (_full, prefix, suffix, separator) => `${prefix}DD_ACTION_${suffix}${separator}`,
+    );
+    migratedContent = replaced.output;
+    envReplacements += replaced.count;
+  }
+
+  // YAML map style env vars using ":"
+  const yamlMapReplacement = replaceWithCount(
+    migratedContent,
+    /^(\s*['"]?)DD_TRIGGER_([A-Z0-9_]+)(['"]?\s*:)/gm,
+    (_full, prefix, suffix, separator) => `${prefix}DD_ACTION_${suffix}${separator}`,
+  );
+  migratedContent = yamlMapReplacement.output;
+  envReplacements += yamlMapReplacement.count;
+
+  const labelReplacementResult = replaceLabelMappings(
+    migratedContent,
+    COMPILED_TRIGGER_LABEL_MAPPINGS,
+  );
+  migratedContent = labelReplacementResult.content;
+
+  return {
+    content: migratedContent,
+    envReplacements,
+    labelReplacements: labelReplacementResult.labelReplacements,
+  };
+}
+
 function parseMigrationSource(value: string): MigrationSource | null {
   const normalized = value.toLowerCase();
-  if (normalized === 'auto' || normalized === 'wud' || normalized === 'watchtower') {
+  if (
+    normalized === 'auto' ||
+    normalized === 'wud' ||
+    normalized === 'watchtower' ||
+    normalized === 'trigger'
+  ) {
     return normalized;
   }
   return null;
@@ -173,6 +230,10 @@ export function migrateLegacyConfigContent(
   content: string,
   source: MigrationSource = 'auto',
 ): MigrationResult {
+  if (source === 'trigger') {
+    return migrateLegacyTriggerConfigContent(content);
+  }
+
   if (source === 'wud') {
     return migrateWudLegacyConfigContent(content);
   }
@@ -183,10 +244,15 @@ export function migrateLegacyConfigContent(
 
   const wudResult = migrateWudLegacyConfigContent(content);
   const watchtowerResult = migrateWatchtowerConfigContent(wudResult.content);
+  const triggerResult = migrateLegacyTriggerConfigContent(watchtowerResult.content);
   return {
-    content: watchtowerResult.content,
-    envReplacements: wudResult.envReplacements + watchtowerResult.envReplacements,
-    labelReplacements: wudResult.labelReplacements + watchtowerResult.labelReplacements,
+    content: triggerResult.content,
+    envReplacements:
+      wudResult.envReplacements + watchtowerResult.envReplacements + triggerResult.envReplacements,
+    labelReplacements:
+      wudResult.labelReplacements +
+      watchtowerResult.labelReplacements +
+      triggerResult.labelReplacements,
   };
 }
 
diff --git a/app/debug/dump.test.ts b/app/debug/dump.test.ts
new file mode 100644
index 000000000..6cb79f1a3
--- /dev/null
+++ b/app/debug/dump.test.ts
@@ -0,0 +1,658 @@
+import { beforeEach, describe, expect, test, vi } from 'vitest';
+
+type ComponentLike = {
+  name?: string;
+  type?: string;
+};
+
+type DiscoveryTopicArgs = {
+  kind: string;
+  topic: string;
+};
+
+const BASE_TIME = new Date('2026-03-18T12:00:00.000Z');
+const VERSION = '1.2.3';
+
+const {
+  mockMapComponentsToList,
+  mockGetVersion,
+  mockDdEnvVars,
+  mockGetState,
+  mockGetContainersRaw,
+  mockGetDebugSnapshot,
+  mockRedactDebugDump,
+} = vi.hoisted(() => {
+  const mockMapComponentsToList = vi.fn(
+    (components: Record<string, ComponentLike>, kind?: string) =>
+      Object.keys(components)
+        .sort()
+        .map((id) => ({
+          id,
+          kind: kind ?? 'unknown',
+          name: components[id]?.name ?? id,
+        })),
+  );
+
+  return {
+    mockMapComponentsToList,
+    mockGetVersion: vi.fn(),
+    mockDdEnvVars: {} as Record<string, string | undefined>,
+    mockGetState: vi.fn(),
+    mockGetContainersRaw: vi.fn(),
+    mockGetDebugSnapshot: vi.fn(),
+    mockRedactDebugDump: vi.fn((payload: unknown) => payload),
+  };
+});
+
+vi.mock('../api/component.js', () => ({
+  mapComponentsToList: mockMapComponentsToList,
+}));
+
+vi.mock('../configuration/index.js', () => ({
+  ddEnvVars: mockDdEnvVars,
+  getVersion: mockGetVersion,
+}));
+
+vi.mock('../registry/index.js', () => ({
+  getState: mockGetState,
+}));
+
+vi.mock('../store/container.js', () => ({
+  getContainersRaw: mockGetContainersRaw,
+}));
+
+vi.mock('../store/index.js', () => ({
+  getDebugSnapshot: mockGetDebugSnapshot,
+}));
+
+vi.mock('./redact.js', () => ({
+  redactDebugDump: mockRedactDebugDump,
+}));
+
+import {
+  collectDebugDump,
+  DEFAULT_RECENT_EVENT_MINUTES,
+  getDebugDumpFilename,
+  MAX_RECENT_EVENT_MINUTES,
+  MIN_RECENT_EVENT_MINUTES,
+  serializeDebugDump,
+} from './dump.js';
+
+function component(name: string, type: string): ComponentLike {
+  return { name, type };
+}
+
+function minutesAgoIso(minutes: number) {
+  return new Date(BASE_TIME.getTime() - minutes * 60_000).toISOString();
+}
+
+function createSensor(discoveryTopic: string, stateTopic: string) {
+  return {
+    discoveryTopic,
+    stateTopic,
+    unique_id: stateTopic.replaceAll('/', '_'),
+  };
+}
+
+function createFixture() {
+  const alphaEnsureRemoteAuthHeaders = vi.fn().mockResolvedValue(undefined);
+  const alphaVersion = vi.fn().mockResolvedValue({ version: '25.0.0' });
+  const alphaInfo = vi.fn().mockResolvedValue({ ServerVersion: '25.0.0' });
+  const alphaEvents = vi.fn().mockReturnValue([
+    { timestamp: '2026-03-18T11:50:00.000Z', action: 'start', id: 'alpha-event-1' },
+    { timestamp: '2026-03-18T11:51:00.000Z', action: 'stop', id: 'alpha-event-2' },
+  ]);
+  const alphaDecisions = vi.fn().mockReturnValue([
+    {
+      timestamp: '2026-03-18T11:52:00.000Z',
+      containerId: 'alpha-container-1',
+      containerName: 'alpha-one',
+      decision: 'allowed',
+      reason: 'alias-allowed-no-collision',
+      baseName: 'alpha',
+    },
+  ]);
+
+  const betaEnsureRemoteAuthHeaders = vi.fn().mockRejectedValue(new Error('beta auth failed'));
+  const betaVersion = vi.fn().mockRejectedValue('beta version failed');
+  const betaInfo = vi.fn().mockRejectedValue({ reason: 'beta info failed' });
+  const betaEvents = vi
+    .fn()
+    .mockReturnValue([
+      null,
+      { timestamp: '2026-03-18T11:53:00.000Z', action: 'pull', id: 'beta-event-1' },
+    ]);
+  const betaDecisions = vi.fn().mockReturnValue([
+    null,
+    {
+      timestamp: '2026-03-18T11:54:00.000Z',
+      containerId: 'beta-container-1',
+      containerName: 'beta-one',
+      decision: 'skipped',
+      reason: 'base-name-present-in-docker',
+      baseName: 'beta',
+    },
+  ]);
+
+  const deltaEnsureRemoteAuthHeaders = vi.fn().mockRejectedValue('delta auth failed');
+  const deltaVersion = vi.fn().mockRejectedValue(new Error('delta version failed'));
+  const deltaInfo = vi.fn().mockRejectedValue(new Error('delta info failed'));
+  const deltaEvents = vi
+    .fn()
+    .mockReturnValue([
+      { timestamp: '2026-03-18T11:55:00.000Z', action: 'die', id: 'delta-event-1' },
+    ]);
+  const deltaDecisions = vi.fn().mockReturnValue([
+    {
+      timestamp: '2026-03-18T11:56:00.000Z',
+      containerId: 'delta-container-1',
+      containerName: 'delta-one',
+      decision: 'allowed',
+      reason: 'fresh-recreated-alias',
+      baseName: 'delta',
+    },
+  ]);
+
+  const sharedDiscoveryTopic = vi.fn(
+    ({ kind, topic }: DiscoveryTopicArgs) => `disc:${kind}:${topic}`,
+  );
+  const skipDiscoveryTopic = vi.fn(() => '');
+
+  const state = {
+    watcher: {
+      'docker.alpha': {
+        type: 'docker',
+        name: 'alpha',
+        configuration: { watchevents: true },
+        isDockerEventsListenerActive: true,
+        dockerEventsStream: {},
+        dockerEventsReconnectTimeout: {},
+        dockerEventsReconnectAttempt: 2,
+        dockerEventsReconnectDelayMs: 1500,
+        ensureRemoteAuthHeaders: alphaEnsureRemoteAuthHeaders,
+        dockerApi: {
+          version: alphaVersion,
+          info: alphaInfo,
+        },
+        getRecentDockerEvents: alphaEvents,
+        getRecentAliasFilterDecisions: alphaDecisions,
+      },
+      'docker.beta': {
+        type: 'docker',
+        name: 'beta',
+        configuration: { watchevents: false },
+        isDockerEventsListenerActive: false,
+        ensureRemoteAuthHeaders: betaEnsureRemoteAuthHeaders,
+        dockerApi: {
+          version: betaVersion,
+          info: betaInfo,
+        },
+        getRecentDockerEvents: betaEvents,
+        getRecentAliasFilterDecisions: betaDecisions,
+      },
+      'docker.delta': {
+        type: 'docker',
+        name: 'delta',
+        configuration: { watchevents: true },
+        isDockerEventsListenerActive: false,
+        dockerEventsReconnectAttempt: 0,
+        dockerEventsReconnectDelayMs: 0,
+        ensureRemoteAuthHeaders: deltaEnsureRemoteAuthHeaders,
+        dockerApi: {
+          version: deltaVersion,
+          info: deltaInfo,
+        },
+        getRecentDockerEvents: deltaEvents,
+        getRecentAliasFilterDecisions: deltaDecisions,
+      },
+      'docker.gamma': {
+        type: 'docker',
+        name: 'gamma',
+        configuration: {},
+        isDockerEventsListenerActive: false,
+      },
+      'compose.ignored': {
+        type: 'compose',
+        name: 'ignored',
+      },
+    },
+    trigger: {
+      'mqtt.main': {
+        type: 'mqtt',
+        name: 'main',
+        configuration: { topic: 'custom/base' },
+        hass: {
+          getDiscoveryTopic: sharedDiscoveryTopic,
+          containerStateTopicById: new Map([
+            ['container-a', 'custom/base/alpha-1'],
+            ['container-b', 'custom/base/alpha-1'],
+            ['container-c', 'custom/base/beta-1'],
+          ]),
+        },
+      },
+      'mqtt.dup': {
+        type: 'mqtt',
+        name: 'dup',
+        configuration: { topic: 'custom/base' },
+        hass: {
+          getDiscoveryTopic: sharedDiscoveryTopic,
+          containerStateTopicById: new Map([
+            ['container-a', 'custom/base/alpha-1'],
+            ['container-b', 'custom/base/alpha-1'],
+            ['container-c', 'custom/base/beta-1'],
+          ]),
+        },
+      },
+      'mqtt.default': {
+        type: 'mqtt',
+        name: 'default',
+        hass: {
+          getDiscoveryTopic: sharedDiscoveryTopic,
+        },
+      },
+      'mqtt.skip': {
+        type: 'mqtt',
+        name: 'skip',
+        configuration: { topic: 'skip/base' },
+        hass: {
+          getDiscoveryTopic: skipDiscoveryTopic,
+        },
+      },
+      'mqtt.none': {
+        type: 'mqtt',
+        name: 'none',
+        hass: {},
+      },
+      'mqtt.nohass': {
+        type: 'mqtt',
+        name: 'nohass',
+      },
+      'http.other': {
+        type: 'http',
+        name: 'other',
+      },
+    },
+    registry: {
+      'registry.alpha': component('alpha', 'registry'),
+      'registry.beta': component('beta', 'registry'),
+    },
+    authentication: {
+      'auth.main': component('main', 'authentication'),
+    },
+    agent: {
+      'agent.remote': component('remote', 'agent'),
+    },
+  };
+
+  const containers = [
+    { id: 'c1', name: 'alpha-one', watcher: 'alpha' },
+    { id: 'c2', name: 'alpha-two', watcher: 'alpha' },
+    { id: 'c3', name: 'beta-one', watcher: 'beta' },
+    { id: 'c4', name: 'delta-one', watcher: 'delta' },
+    { id: 'c5', name: 'orphan' },
+    { id: 'c6', name: 'alpha-one-copy', watcher: 'alpha' },
+  ];
+
+  const storeSnapshot = {
+    memoryMode: false,
+    path: '/var/lib/drydock/dd.json',
+    collectionCount: 2,
+    documentCount: 7,
+    lastPersistAt: '2026-03-18T11:59:30.000Z',
+    collections: [
+      { name: 'containers', documents: 4 },
+      { name: 'settings', documents: 3 },
+    ],
+  };
+
+  return {
+    state,
+    containers,
+    storeSnapshot,
+    alphaEnsureRemoteAuthHeaders,
+    alphaVersion,
+    alphaInfo,
+    alphaEvents,
+    alphaDecisions,
+    betaEnsureRemoteAuthHeaders,
+    betaVersion,
+    betaInfo,
+    betaEvents,
+    betaDecisions,
+    deltaEnsureRemoteAuthHeaders,
+    deltaVersion,
+    deltaInfo,
+    deltaEvents,
+    deltaDecisions,
+    sharedDiscoveryTopic,
+    skipDiscoveryTopic,
+  };
+}
+
+function configureFixture() {
+  const fixture = createFixture();
+
+  mockGetState.mockReturnValue(fixture.state);
+  mockGetContainersRaw.mockReturnValue(fixture.containers);
+  mockGetDebugSnapshot.mockReturnValue(fixture.storeSnapshot);
+  mockGetVersion.mockReturnValue(VERSION);
+
+  for (const key of Object.keys(mockDdEnvVars)) {
+    delete mockDdEnvVars[key];
+  }
+  mockDdEnvVars.DD_VERSION = VERSION;
+  mockDdEnvVars.DD_DEBUG = 'true';
+  mockDdEnvVars.DD_SECRET_TOKEN = 'should-be-redacted-by-real-code';
+
+  return fixture;
+}
+
+describe('debug dump utilities', () => {
+  beforeEach(() => {
+    vi.useFakeTimers();
+    vi.setSystemTime(BASE_TIME);
+    vi.clearAllMocks();
+    vi.spyOn(process, 'uptime').mockReturnValue(0.4);
+  });
+
+  afterEach(() => {
+    vi.useRealTimers();
+    vi.restoreAllMocks();
+  });
+
+  test.each([
+    { label: 'default', options: undefined, expectedMinutes: DEFAULT_RECENT_EVENT_MINUTES },
+    {
+      label: 'min clamp',
+      options: { recentMinutes: 0 },
+      expectedMinutes: MIN_RECENT_EVENT_MINUTES,
+    },
+    {
+      label: 'max clamp',
+      options: { recentMinutes: MAX_RECENT_EVENT_MINUTES + 1 },
+      expectedMinutes: MAX_RECENT_EVENT_MINUTES,
+    },
+    { label: 'truncation', options: { recentMinutes: 12.9 }, expectedMinutes: 12 },
+  ])('collectDebugDump normalizes recent minutes ($label)', async ({
+    options,
+    expectedMinutes,
+  }) => {
+    configureFixture();
+
+    const dump = await collectDebugDump(options);
+
+    expect(dump.metadata.recentMinutes).toBe(expectedMinutes);
+    expect(dump.metadata.generatedAt).toBe(BASE_TIME.toISOString());
+    expect(dump.metadata.generatedAtWindowStart).toBe(minutesAgoIso(expectedMinutes));
+  });
+
+  test('collectDebugDump composes debug data from watchers, triggers, store, and environment', async () => {
+    const fixture = configureFixture();
+    const sinceMs = Date.parse(minutesAgoIso(12));
+
+    const dump = await collectDebugDump({ recentMinutes: 12.9 });
+
+    expect(mockMapComponentsToList).toHaveBeenNthCalledWith(1, fixture.state.watcher, 'watcher');
+    expect(mockMapComponentsToList).toHaveBeenNthCalledWith(2, fixture.state.trigger, 'trigger');
+    expect(mockMapComponentsToList).toHaveBeenNthCalledWith(3, fixture.state.registry, 'registry');
+    expect(mockMapComponentsToList).toHaveBeenNthCalledWith(
+      4,
+      fixture.state.authentication,
+      'authentication',
+    );
+    expect(mockMapComponentsToList).toHaveBeenNthCalledWith(5, fixture.state.agent, 'agent');
+
+    expect(dump.metadata).toEqual({
+      generatedAt: BASE_TIME.toISOString(),
+      generatedAtWindowStart: minutesAgoIso(12),
+      recentMinutes: 12,
+      drydockVersion: VERSION,
+      nodeVersion: process.version,
+      uptimeSeconds: 0,
+    });
+
+    expect(dump.state).toEqual({
+      containers: fixture.containers,
+      watchers: [
+        { id: 'compose.ignored', kind: 'watcher', name: 'ignored' },
+        { id: 'docker.alpha', kind: 'watcher', name: 'alpha' },
+        { id: 'docker.beta', kind: 'watcher', name: 'beta' },
+        { id: 'docker.delta', kind: 'watcher', name: 'delta' },
+        { id: 'docker.gamma', kind: 'watcher', name: 'gamma' },
+      ],
+      triggers: [
+        { id: 'http.other', kind: 'trigger', name: 'other' },
+        { id: 'mqtt.default', kind: 'trigger', name: 'default' },
+        { id: 'mqtt.dup', kind: 'trigger', name: 'dup' },
+        { id: 'mqtt.main', kind: 'trigger', name: 'main' },
+        { id: 'mqtt.nohass', kind: 'trigger', name: 'nohass' },
+        { id: 'mqtt.none', kind: 'trigger', name: 'none' },
+        { id: 'mqtt.skip', kind: 'trigger', name: 'skip' },
+      ],
+      registries: [
+        { id: 'registry.alpha', kind: 'registry', name: 'alpha' },
+        { id: 'registry.beta', kind: 'registry', name: 'beta' },
+      ],
+      authentications: [{ id: 'auth.main', kind: 'authentication', name: 'main' }],
+      agents: [{ id: 'agent.remote', kind: 'agent', name: 'remote' }],
+    });
+
+    const expectedSensors = [
+      ...[
+        ['sensor', 'custom/base/total_count'],
+        ['sensor', 'custom/base/update_count'],
+        ['binary_sensor', 'custom/base/update_status'],
+        ['sensor', 'custom/base/alpha/total_count'],
+        ['sensor', 'custom/base/alpha/update_count'],
+        ['binary_sensor', 'custom/base/alpha/update_status'],
+        ['binary_sensor', 'custom/base/alpha/running'],
+        ['sensor', 'custom/base/beta/total_count'],
+        ['sensor', 'custom/base/beta/update_count'],
+        ['binary_sensor', 'custom/base/beta/update_status'],
+        ['binary_sensor', 'custom/base/beta/running'],
+        ['sensor', 'custom/base/delta/total_count'],
+        ['sensor', 'custom/base/delta/update_count'],
+        ['binary_sensor', 'custom/base/delta/update_status'],
+        ['binary_sensor', 'custom/base/delta/running'],
+        ['update', 'custom/base/alpha-1'],
+        ['update', 'custom/base/beta-1'],
+        ['sensor', 'dd/container/total_count'],
+        ['sensor', 'dd/container/update_count'],
+        ['binary_sensor', 'dd/container/update_status'],
+        ['sensor', 'dd/container/alpha/total_count'],
+        ['sensor', 'dd/container/alpha/update_count'],
+        ['binary_sensor', 'dd/container/alpha/update_status'],
+        ['binary_sensor', 'dd/container/alpha/running'],
+        ['sensor', 'dd/container/beta/total_count'],
+        ['sensor', 'dd/container/beta/update_count'],
+        ['binary_sensor', 'dd/container/beta/update_status'],
+        ['binary_sensor', 'dd/container/beta/running'],
+        ['sensor', 'dd/container/delta/total_count'],
+        ['sensor', 'dd/container/delta/update_count'],
+        ['binary_sensor', 'dd/container/delta/update_status'],
+        ['binary_sensor', 'dd/container/delta/running'],
+      ].map(([kind, topic]) => createSensor(`disc:${kind}:${topic}`, topic)),
+    ].sort((left, right) => left.discoveryTopic.localeCompare(right.discoveryTopic));
+
+    expect(dump.mqttHomeAssistant.sensors).toEqual(expectedSensors);
+
+    expect(fixture.alphaEnsureRemoteAuthHeaders).toHaveBeenCalledTimes(1);
+    expect(fixture.betaEnsureRemoteAuthHeaders).toHaveBeenCalledTimes(1);
+    expect(fixture.deltaEnsureRemoteAuthHeaders).toHaveBeenCalledTimes(1);
+    expect(fixture.alphaVersion).toHaveBeenCalledTimes(1);
+    expect(fixture.betaVersion).toHaveBeenCalledTimes(1);
+    expect(fixture.deltaVersion).toHaveBeenCalledTimes(1);
+    expect(fixture.alphaInfo).toHaveBeenCalledTimes(1);
+    expect(fixture.betaInfo).toHaveBeenCalledTimes(1);
+    expect(fixture.deltaInfo).toHaveBeenCalledTimes(1);
+
+    expect(dump.dockerApi.watchers).toEqual([
+      {
+        watcherId: 'docker.alpha',
+        watcherName: 'alpha',
+        version: { version: '25.0.0' },
+        info: { ServerVersion: '25.0.0' },
+      },
+      {
+        watcherId: 'docker.beta',
+        watcherName: 'beta',
+        authInitializationError: 'beta auth failed',
+        versionError: 'beta version failed',
+        infoError: '[object Object]',
+      },
+      {
+        watcherId: 'docker.delta',
+        watcherName: 'delta',
+        authInitializationError: 'delta auth failed',
+        versionError: 'delta version failed',
+        infoError: 'delta info failed',
+      },
+      {
+        watcherId: 'docker.gamma',
+        watcherName: 'gamma',
+      },
+    ]);
+
+    expect(dump.dockerEvents.activeSubscriptions).toEqual([
+      {
+        watcherId: 'docker.alpha',
+        watcherName: 'alpha',
+        watchEventsEnabled: true,
+        listenerActive: true,
+        streamActive: true,
+        reconnectScheduled: true,
+        reconnectAttempt: 2,
+        reconnectDelayMs: 1500,
+      },
+      {
+        watcherId: 'docker.beta',
+        watcherName: 'beta',
+        watchEventsEnabled: false,
+        listenerActive: false,
+        streamActive: false,
+        reconnectScheduled: false,
+        reconnectAttempt: 0,
+        reconnectDelayMs: 0,
+      },
+      {
+        watcherId: 'docker.delta',
+        watcherName: 'delta',
+        watchEventsEnabled: true,
+        listenerActive: false,
+        streamActive: false,
+        reconnectScheduled: false,
+        reconnectAttempt: 0,
+        reconnectDelayMs: 0,
+      },
+      {
+        watcherId: 'docker.gamma',
+        watcherName: 'gamma',
+        watchEventsEnabled: false,
+        listenerActive: false,
+        streamActive: false,
+        reconnectScheduled: false,
+        reconnectAttempt: 0,
+        reconnectDelayMs: 0,
+      },
+    ]);
+
+    expect(fixture.alphaEvents).toHaveBeenCalledWith({ sinceMs });
+    expect(fixture.betaEvents).toHaveBeenCalledWith({ sinceMs });
+    expect(fixture.deltaEvents).toHaveBeenCalledWith({ sinceMs });
+    expect(fixture.alphaDecisions).toHaveBeenCalledWith({ sinceMs });
+    expect(fixture.betaDecisions).toHaveBeenCalledWith({ sinceMs });
+    expect(fixture.deltaDecisions).toHaveBeenCalledWith({ sinceMs });
+
+    expect(dump.dockerEvents.recentEvents).toEqual([
+      {
+        watcherId: 'docker.alpha',
+        watcherName: 'alpha',
+        timestamp: '2026-03-18T11:50:00.000Z',
+        action: 'start',
+        id: 'alpha-event-1',
+      },
+      {
+        watcherId: 'docker.alpha',
+        watcherName: 'alpha',
+        timestamp: '2026-03-18T11:51:00.000Z',
+        action: 'stop',
+        id: 'alpha-event-2',
+      },
+      {
+        watcherId: 'docker.beta',
+        watcherName: 'beta',
+      },
+      {
+        watcherId: 'docker.beta',
+        watcherName: 'beta',
+        timestamp: '2026-03-18T11:53:00.000Z',
+        action: 'pull',
+        id: 'beta-event-1',
+      },
+      {
+        watcherId: 'docker.delta',
+        watcherName: 'delta',
+        timestamp: '2026-03-18T11:55:00.000Z',
+        action: 'die',
+        id: 'delta-event-1',
+      },
+    ]);
+
+    expect(dump.aliasFiltering.recentDecisions).toEqual([
+      {
+        watcherId: 'docker.alpha',
+        watcherName: 'alpha',
+        timestamp: '2026-03-18T11:52:00.000Z',
+        containerId: 'alpha-container-1',
+        containerName: 'alpha-one',
+        decision: 'allowed',
+        reason: 'alias-allowed-no-collision',
+        baseName: 'alpha',
+      },
+      {
+        watcherId: 'docker.beta',
+        watcherName: 'beta',
+      },
+      {
+        watcherId: 'docker.beta',
+        watcherName: 'beta',
+        timestamp: '2026-03-18T11:54:00.000Z',
+        containerId: 'beta-container-1',
+        containerName: 'beta-one',
+        decision: 'skipped',
+        reason: 'base-name-present-in-docker',
+        baseName: 'beta',
+      },
+      {
+        watcherId: 'docker.delta',
+        watcherName: 'delta',
+        timestamp: '2026-03-18T11:56:00.000Z',
+        containerId: 'delta-container-1',
+        containerName: 'delta-one',
+        decision: 'allowed',
+        reason: 'fresh-recreated-alias',
+        baseName: 'delta',
+      },
+    ]);
+
+    expect(dump.store.stats).toEqual(fixture.storeSnapshot);
+    expect(dump.environment).toEqual({
+      ddEnvVars: {
+        DD_VERSION: VERSION,
+        DD_DEBUG: 'true',
+        DD_SECRET_TOKEN: 'should-be-redacted-by-real-code',
+      },
+    });
+    expect(mockRedactDebugDump).toHaveBeenCalledTimes(1);
+  });
+
+  test('serializeDebugDump appends a trailing newline', () => {
+    expect(serializeDebugDump({ hello: 'world' })).toBe('{\n  "hello": "world"\n}\n');
+  });
+
+  test('getDebugDumpFilename formats the date safely for filenames', () => {
+    expect(getDebugDumpFilename(new Date('2026-03-18T12:34:56.789Z'))).toBe(
+      'drydock-debug-dump-2026-03-18.json',
+    );
+  });
+});
diff --git a/app/debug/dump.ts b/app/debug/dump.ts
new file mode 100644
index 000000000..9991ec33f
--- /dev/null
+++ b/app/debug/dump.ts
@@ -0,0 +1,338 @@
+import { mapComponentsToList } from '../api/component.js';
+import { ddEnvVars, getVersion } from '../configuration/index.js';
+import type { Container } from '../model/container.js';
+import type { RegistryState } from '../registry/index.js';
+import * as registry from '../registry/index.js';
+import * as storeContainer from '../store/container.js';
+import * as store from '../store/index.js';
+import { redactDebugDump } from './redact.js';
+
+export const DEFAULT_RECENT_EVENT_MINUTES = 30;
+export const MIN_RECENT_EVENT_MINUTES = 1;
+export const MAX_RECENT_EVENT_MINUTES = 24 * 60;
+
+interface DockerWatcherLike {
+  type?: string;
+  name?: string;
+  configuration?: {
+    watchevents?: boolean;
+  };
+  dockerApi?: {
+    version?: () => Promise<unknown>;
+    info?: () => Promise<unknown>;
+  };
+  ensureRemoteAuthHeaders?: () => Promise<void>;
+  isDockerEventsListenerActive?: boolean;
+  dockerEventsStream?: unknown;
+  dockerEventsReconnectTimeout?: unknown;
+  dockerEventsReconnectAttempt?: number;
+  dockerEventsReconnectDelayMs?: number;
+  getRecentDockerEvents?: (options?: { sinceMs?: number; limit?: number }) => unknown[];
+  getRecentAliasFilterDecisions?: (options?: { sinceMs?: number; limit?: number }) => unknown[];
+}
+
+interface MqttHassLike {
+  getDiscoveryTopic?: (args: { kind: string; topic: string }) => string;
+  containerStateTopicById?: Map<string, string>;
+}
+
+interface MqttTriggerLike {
+  type?: string;
+  configuration?: {
+    topic?: string;
+  };
+  hass?: MqttHassLike;
+}
+
+interface CollectDebugDumpOptions {
+  recentMinutes?: number;
+}
+
+type JsonObject = Record<string, unknown>;
+
+function normalizeRecentMinutes(value: unknown): number {
+  if (typeof value !== 'number' || !Number.isFinite(value)) {
+    return DEFAULT_RECENT_EVENT_MINUTES;
+  }
+  return Math.min(MAX_RECENT_EVENT_MINUTES, Math.max(MIN_RECENT_EVENT_MINUTES, Math.trunc(value)));
+}
+
+function toIsoNow(): string {
+  return new Date().toISOString();
+}
+
+function getRecentWindowStartIso(recentMinutes: number): string {
+  const startTimestampMs = Date.now() - recentMinutes * 60 * 1000;
+  return new Date(startTimestampMs).toISOString();
+}
+
+function getDockerWatchers(
+  watcherState: RegistryState['watcher'],
+): Array<[string, DockerWatcherLike]> {
+  return Object.entries(watcherState).filter(([, watcher]) => watcher?.type === 'docker') as Array<
+    [string, DockerWatcherLike]
+  >;
+}
+
+async function collectDockerApiInfo(
+  dockerWatchers: Array<[string, DockerWatcherLike]>,
+): Promise<Array<JsonObject>> {
+  const snapshots = await Promise.all(
+    dockerWatchers.map(async ([watcherId, watcher]) => {
+      const snapshot: JsonObject = {
+        watcherId,
+        watcherName: watcher.name,
+      };
+
+      try {
+        if (typeof watcher.ensureRemoteAuthHeaders === 'function') {
+          await watcher.ensureRemoteAuthHeaders();
+        }
+      } catch (error: unknown) {
+        snapshot.authInitializationError = error instanceof Error ? error.message : String(error);
+      }
+
+      if (typeof watcher.dockerApi?.version === 'function') {
+        try {
+          snapshot.version = await watcher.dockerApi.version();
+        } catch (error: unknown) {
+          snapshot.versionError = error instanceof Error ? error.message : String(error);
+        }
+      }
+
+      if (typeof watcher.dockerApi?.info === 'function') {
+        try {
+          snapshot.info = await watcher.dockerApi.info();
+        } catch (error: unknown) {
+          snapshot.infoError = error instanceof Error ? error.message : String(error);
+        }
+      }
+
+      return snapshot;
+    }),
+  );
+  return snapshots;
+}
+
+function collectDockerEventSubscriptionState(
+  dockerWatchers: Array<[string, DockerWatcherLike]>,
+): JsonObject[] {
+  return dockerWatchers.map(([watcherId, watcher]) => ({
+    watcherId,
+    watcherName: watcher.name,
+    watchEventsEnabled: watcher.configuration?.watchevents === true,
+    listenerActive: watcher.isDockerEventsListenerActive === true,
+    streamActive: watcher.dockerEventsStream !== undefined,
+    reconnectScheduled: watcher.dockerEventsReconnectTimeout !== undefined,
+    reconnectAttempt: watcher.dockerEventsReconnectAttempt ?? 0,
+    reconnectDelayMs: watcher.dockerEventsReconnectDelayMs ?? 0,
+  }));
+}
+
+function collectRecentDockerEvents(
+  dockerWatchers: Array<[string, DockerWatcherLike]>,
+  recentMinutes: number,
+): unknown[] {
+  const sinceMs = Date.now() - recentMinutes * 60 * 1000;
+  return dockerWatchers.flatMap(([watcherId, watcher]) => {
+    if (typeof watcher.getRecentDockerEvents !== 'function') {
+      return [];
+    }
+    const events = watcher.getRecentDockerEvents({ sinceMs });
+    return events.map((event) => ({
+      watcherId,
+      watcherName: watcher.name,
+      ...((event as Record<string, unknown>) || {}),
+    }));
+  });
+}
+
+function collectRecentAliasFilterDecisions(
+  dockerWatchers: Array<[string, DockerWatcherLike]>,
+  recentMinutes: number,
+): unknown[] {
+  const sinceMs = Date.now() - recentMinutes * 60 * 1000;
+  return dockerWatchers.flatMap(([watcherId, watcher]) => {
+    if (typeof watcher.getRecentAliasFilterDecisions !== 'function') {
+      return [];
+    }
+    const decisions = watcher.getRecentAliasFilterDecisions({ sinceMs });
+    return decisions.map((decision) => ({
+      watcherId,
+      watcherName: watcher.name,
+      ...((decision as Record<string, unknown>) || {}),
+    }));
+  });
+}
+
+function addMqttSensorDefinition(
+  sensorsByDiscoveryTopic: Map<string, JsonObject>,
+  {
+    hass,
+    kind,
+    stateTopic,
+  }: {
+    hass: MqttHassLike;
+    kind: string;
+    stateTopic: string;
+  },
+): void {
+  if (typeof hass.getDiscoveryTopic !== 'function') {
+    return;
+  }
+  const discoveryTopic = hass.getDiscoveryTopic({
+    kind,
+    topic: stateTopic,
+  });
+  if (!discoveryTopic) {
+    return;
+  }
+
+  sensorsByDiscoveryTopic.set(discoveryTopic, {
+    discoveryTopic,
+    stateTopic,
+    unique_id: stateTopic.replaceAll('/', '_'),
+  });
+}
+
+function collectMqttHomeAssistantSensors(
+  triggerState: RegistryState['trigger'],
+  containers: Container[],
+): JsonObject[] {
+  const watcherNames = Array.from(
+    new Set(
+      containers
+        .map((container) => container.watcher)
+        .filter((watcherName): watcherName is string => typeof watcherName === 'string'),
+    ),
+  );
+
+  const sensorsByDiscoveryTopic = new Map<string, JsonObject>();
+  Object.values(triggerState).forEach((trigger) => {
+    const mqttTrigger = trigger as unknown as MqttTriggerLike;
+    if (mqttTrigger.type !== 'mqtt' || !mqttTrigger.hass) {
+      return;
+    }
+
+    const topicBase =
+      typeof mqttTrigger.configuration?.topic === 'string' &&
+      mqttTrigger.configuration.topic.length > 0
+        ? mqttTrigger.configuration.topic
+        : 'dd/container';
+    const hass = mqttTrigger.hass;
+
+    // Global aggregate sensors.
+    addMqttSensorDefinition(sensorsByDiscoveryTopic, {
+      hass,
+      kind: 'sensor',
+      stateTopic: `${topicBase}/total_count`,
+    });
+    addMqttSensorDefinition(sensorsByDiscoveryTopic, {
+      hass,
+      kind: 'sensor',
+      stateTopic: `${topicBase}/update_count`,
+    });
+    addMqttSensorDefinition(sensorsByDiscoveryTopic, {
+      hass,
+      kind: 'binary_sensor',
+      stateTopic: `${topicBase}/update_status`,
+    });
+
+    // Per-watcher aggregate sensors.
+    watcherNames.forEach((watcherName) => {
+      addMqttSensorDefinition(sensorsByDiscoveryTopic, {
+        hass,
+        kind: 'sensor',
+        stateTopic: `${topicBase}/${watcherName}/total_count`,
+      });
+      addMqttSensorDefinition(sensorsByDiscoveryTopic, {
+        hass,
+        kind: 'sensor',
+        stateTopic: `${topicBase}/${watcherName}/update_count`,
+      });
+      addMqttSensorDefinition(sensorsByDiscoveryTopic, {
+        hass,
+        kind: 'binary_sensor',
+        stateTopic: `${topicBase}/${watcherName}/update_status`,
+      });
+      addMqttSensorDefinition(sensorsByDiscoveryTopic, {
+        hass,
+        kind: 'binary_sensor',
+        stateTopic: `${topicBase}/${watcherName}/running`,
+      });
+    });
+
+    // Per-container sensors tracked by the Home Assistant helper.
+    const trackedStateTopics =
+      mqttTrigger.hass.containerStateTopicById instanceof Map
+        ? Array.from(mqttTrigger.hass.containerStateTopicById.values())
+        : [];
+    trackedStateTopics.forEach((stateTopic) => {
+      addMqttSensorDefinition(sensorsByDiscoveryTopic, {
+        hass,
+        kind: 'update',
+        stateTopic,
+      });
+    });
+  });
+
+  return Array.from(sensorsByDiscoveryTopic.values()).sort((a, b) =>
+    String(a.discoveryTopic).localeCompare(String(b.discoveryTopic)),
+  );
+}
+
+export async function collectDebugDump(options: CollectDebugDumpOptions = {}) {
+  const recentMinutes = normalizeRecentMinutes(options.recentMinutes);
+  const containers = storeContainer.getContainersRaw();
+  const registryState = registry.getState();
+  const dockerWatchers = getDockerWatchers(registryState.watcher);
+
+  const dump = {
+    metadata: {
+      generatedAt: toIsoNow(),
+      generatedAtWindowStart: getRecentWindowStartIso(recentMinutes),
+      recentMinutes,
+      drydockVersion: getVersion(),
+      nodeVersion: process.version,
+      uptimeSeconds: Math.floor(process.uptime()),
+    },
+    state: {
+      containers,
+      watchers: mapComponentsToList(registryState.watcher, 'watcher'),
+      triggers: mapComponentsToList(registryState.trigger, 'trigger'),
+      registries: mapComponentsToList(registryState.registry, 'registry'),
+      authentications: mapComponentsToList(registryState.authentication, 'authentication'),
+      agents: mapComponentsToList(registryState.agent, 'agent'),
+    },
+    mqttHomeAssistant: {
+      sensors: collectMqttHomeAssistantSensors(registryState.trigger, containers),
+    },
+    dockerEvents: {
+      activeSubscriptions: collectDockerEventSubscriptionState(dockerWatchers),
+      recentEvents: collectRecentDockerEvents(dockerWatchers, recentMinutes),
+    },
+    aliasFiltering: {
+      recentDecisions: collectRecentAliasFilterDecisions(dockerWatchers, recentMinutes),
+    },
+    store: {
+      stats: store.getDebugSnapshot(),
+    },
+    dockerApi: {
+      watchers: await collectDockerApiInfo(dockerWatchers),
+    },
+    environment: {
+      ddEnvVars,
+    },
+  };
+
+  return redactDebugDump(dump);
+}
+
+export function serializeDebugDump(dump: unknown): string {
+  return `${JSON.stringify(dump, null, 2)}\n`;
+}
+
+export function getDebugDumpFilename(now: Date = new Date()): string {
+  const dateForFile = now.toISOString().slice(0, 10);
+  return `drydock-debug-dump-${dateForFile}.json`;
+}
diff --git a/app/debug/redact.test.ts b/app/debug/redact.test.ts
new file mode 100644
index 000000000..1c282e60e
--- /dev/null
+++ b/app/debug/redact.test.ts
@@ -0,0 +1,117 @@
+import { REDACTED_VALUE, redactDebugDump } from './redact.js';
+
+describe('debug/redact', () => {
+  test('redacts values for sensitive keys recursively', () => {
+    const source = {
+      metadata: {
+        token: 'abc123',
+        secret: 'shh',
+      },
+      watcher: {
+        auth: {
+          password: 'p@ss',
+        },
+        nested: [
+          {
+            api_key: 'k',
+          },
+        ],
+      },
+      env: {
+        DD_SERVER_PORT: '3000',
+        DD_AUTH_BASIC_ADMIN_HASH: 'hash-value',
+      },
+    };
+
+    const redacted = redactDebugDump(source);
+
+    expect(redacted).toEqual({
+      metadata: {
+        token: REDACTED_VALUE,
+        secret: REDACTED_VALUE,
+      },
+      watcher: {
+        auth: {
+          password: REDACTED_VALUE,
+        },
+        nested: [
+          {
+            api_key: REDACTED_VALUE,
+          },
+        ],
+      },
+      env: {
+        DD_SERVER_PORT: '3000',
+        DD_AUTH_BASIC_ADMIN_HASH: REDACTED_VALUE,
+      },
+    });
+  });
+
+  test('does not mutate the input payload', () => {
+    const source = {
+      password: 'top-secret',
+      nested: {
+        value: 'kept',
+      },
+    };
+
+    const cloneBefore = structuredClone(source);
+    const redacted = redactDebugDump(source);
+
+    expect(source).toEqual(cloneBefore);
+    expect(redacted).not.toBe(source);
+    expect(redacted.password).toBe(REDACTED_VALUE);
+  });
+
+  test('redacts env auth/login/bearer keys without wiping non-env auth fields', () => {
+    const source = {
+      environment: {
+        ddEnvVars: {
+          DD_REGISTRY_HUB_PUBLIC_AUTH: 'am9objpzZWNyZXQ=',
+          DD_REGISTRY_HUB_PUBLIC_LOGIN: 'john',
+          DD_WATCHER_REMOTE_AUTH_BEARER: 'bearer-token',
+          DD_ANONYMOUS_AUTH_CONFIRM: 'true',
+          DD_WATCHER_REMOTE_URL: 'https://docker.example.com',
+        },
+      },
+      state: {
+        authentications: [{ id: 'auth.main', kind: 'authentication' }],
+      },
+      dockerApi: {
+        authInitializationError: 'beta auth failed',
+      },
+    };
+
+    const redacted = redactDebugDump(source);
+
+    expect(redacted.environment.ddEnvVars).toEqual({
+      DD_REGISTRY_HUB_PUBLIC_AUTH: REDACTED_VALUE,
+      DD_REGISTRY_HUB_PUBLIC_LOGIN: REDACTED_VALUE,
+      DD_WATCHER_REMOTE_AUTH_BEARER: REDACTED_VALUE,
+      DD_ANONYMOUS_AUTH_CONFIRM: REDACTED_VALUE,
+      DD_WATCHER_REMOTE_URL: 'https://docker.example.com',
+    });
+    expect(redacted.state.authentications).toEqual([{ id: 'auth.main', kind: 'authentication' }]);
+    expect(redacted.dockerApi.authInitializationError).toBe('beta auth failed');
+  });
+
+  test('keeps empty and null sensitive values unchanged', () => {
+    const source = {
+      secret: '',
+      token: null,
+      nested: {
+        hash: undefined,
+      },
+    };
+
+    const redacted = redactDebugDump(source);
+
+    expect(redacted).toEqual({
+      secret: '',
+      token: null,
+      nested: {
+        hash: undefined,
+      },
+    });
+  });
+});
diff --git a/app/debug/redact.ts b/app/debug/redact.ts
new file mode 100644
index 000000000..7877c39ed
--- /dev/null
+++ b/app/debug/redact.ts
@@ -0,0 +1,77 @@
+export const REDACTED_VALUE = '[REDACTED]';
+
+const SENSITIVE_KEY_TOKENS = new Set([
+  'password',
+  'passwd',
+  'secret',
+  'token',
+  'credential',
+  'credentials',
+  'hash',
+  'key',
+  'apikey',
+  'accesskey',
+  'privatekey',
+]);
+const ENV_SENSITIVE_KEY_TOKENS = new Set(['auth', 'bearer', 'login']);
+
+function isPlainObject(value: unknown): value is Record<string, unknown> {
+  return value !== null && typeof value === 'object' && !Array.isArray(value);
+}
+
+function getKeyTokens(key: string): string[] {
+  return key
+    .replace(/([a-z0-9])([A-Z])/g, '$1_$2')
+    .split(/[^a-zA-Z0-9]+/)
+    .map((segment) => segment.toLowerCase())
+    .filter(Boolean);
+}
+
+function isEnvStyleKey(key: string): boolean {
+  return key.includes('_') && key === key.toUpperCase();
+}
+
+function isSensitiveKey(key: string): boolean {
+  const tokens = getKeyTokens(key);
+  if (tokens.some((token) => SENSITIVE_KEY_TOKENS.has(token))) {
+    return true;
+  }
+  if (!isEnvStyleKey(key)) {
+    return false;
+  }
+  return tokens.some((token) => ENV_SENSITIVE_KEY_TOKENS.has(token));
+}
+
+function redactMatchedValue(value: unknown): unknown {
+  if (value === null || value === undefined) {
+    return value;
+  }
+  if (typeof value === 'string' && value.length === 0) {
+    return value;
+  }
+  return REDACTED_VALUE;
+}
+
+function redactNode(node: unknown, nodeKey?: string): unknown {
+  if (nodeKey && isSensitiveKey(nodeKey)) {
+    return redactMatchedValue(node);
+  }
+
+  if (Array.isArray(node)) {
+    return node.map((entry) => redactNode(entry));
+  }
+
+  if (!isPlainObject(node)) {
+    return node;
+  }
+
+  const redactedObject: Record<string, unknown> = {};
+  for (const [key, value] of Object.entries(node)) {
+    redactedObject[key] = redactNode(value, key);
+  }
+  return redactedObject;
+}
+
+export function redactDebugDump<T>(payload: T): T {
+  return redactNode(payload) as T;
+}
diff --git a/app/event/index.test.ts b/app/event/index.test.ts
index a712fa6b4..dd55b5180 100644
--- a/app/event/index.test.ts
+++ b/app/event/index.test.ts
@@ -9,6 +9,10 @@ const eventTestCases = [
     emitter: event.emitContainerReports,
     register: event.registerContainerReports,
   },
+  {
+    emitter: event.emitWatcherSnapshot,
+    register: event.registerWatcherSnapshot,
+  },
   {
     emitter: event.emitContainerReport,
     register: event.registerContainerReport,
diff --git a/app/event/index.ts b/app/event/index.ts
index 9599b7ede..9755c6c54 100644
--- a/app/event/index.ts
+++ b/app/event/index.ts
@@ -95,12 +95,21 @@ export interface AgentDisconnectedEventPayload {
   reason?: string;
 }
 
+export interface WatcherSnapshotEventPayload {
+  watcher: {
+    type: string;
+    name: string;
+  };
+  containers: Container[];
+}
+
 export type ContainerLifecycleEventPayload = Partial<Omit<Container, 'image'>> & {
   image?: Partial<Container['image']>;
 };
 
 const containerReportHandlers = new Map<number, OrderedEventHandler<ContainerReport>>();
 const containerReportsHandlers = new Map<number, OrderedEventHandler<ContainerReport[]>>();
+const watcherSnapshotHandlers = new Map<number, OrderedEventHandler<WatcherSnapshotEventPayload>>();
 const containerUpdateAppliedHandlers = new Map<number, OrderedEventHandler<string>>();
 const containerUpdateFailedHandlers = new Map<
   number,
@@ -178,6 +187,25 @@ export function registerContainerReports(
   return registerOrderedEventHandler(containerReportsHandlers, handler, options);
 }
 
+/**
+ * Emit WatcherSnapshot event.
+ * @param payload
+ */
+export async function emitWatcherSnapshot(payload: WatcherSnapshotEventPayload): Promise<void> {
+  await emitOrderedHandlers(watcherSnapshotHandlers, payload);
+}
+
+/**
+ * Register to WatcherSnapshot event.
+ * @param handler
+ */
+export function registerWatcherSnapshot(
+  handler: OrderedEventHandlerFn<WatcherSnapshotEventPayload>,
+  options: EventHandlerRegistrationOptions = {},
+): () => void {
+  return registerOrderedEventHandler(watcherSnapshotHandlers, handler, options);
+}
+
 /**
  * Emit ContainerReport event.
  * @param containerReport
@@ -425,6 +453,7 @@ export function clearAllListenersForTests(): void {
   eventEmitter.removeAllListeners();
   containerReportHandlers.clear();
   containerReportsHandlers.clear();
+  watcherSnapshotHandlers.clear();
   containerUpdateAppliedHandlers.clear();
   containerUpdateFailedHandlers.clear();
   securityAlertHandlers.clear();
diff --git a/app/index.test.ts b/app/index.test.ts
index 9d9da971e..182a74f93 100644
--- a/app/index.test.ts
+++ b/app/index.test.ts
@@ -84,7 +84,6 @@ describe('Main Application', () => {
     const agentManager = await import('./agent/index.js');
     const agentServer = await import('./agent/api/index.js');
     const prometheus = await import('./prometheus/index.js');
-    const { getVersion } = await import('./configuration/index.js');
     const migrateCli = await import('./configuration/migrate-cli.js');
 
     // Import and run the main module
@@ -97,10 +96,7 @@ describe('Main Application', () => {
     expect(migrateCli.runConfigMigrateCommandIfRequested).toHaveBeenCalledWith(
       process.argv.slice(2),
     );
-    expect(getVersion).toHaveBeenCalled();
-    expect(log.info).toHaveBeenCalledWith(
-      'drydock is starting in Controller mode (version = 1.0.0)',
-    );
+    expect(log.info).toHaveBeenCalledWith('drydock is starting');
     expect(store.init).toHaveBeenCalledWith({ memory: false });
     expect(prometheus.init).toHaveBeenCalled();
     expect(registry.init).toHaveBeenCalledWith({ agent: false });
@@ -126,7 +122,7 @@ describe('Main Application', () => {
     await import('./index.js');
     await new Promise((resolve) => setImmediate(resolve));
 
-    expect(log.info).toHaveBeenCalledWith('drydock is starting in Agent mode (version = 1.0.0)');
+    expect(log.info).toHaveBeenCalledWith('drydock is starting');
     expect(migrateCli.runConfigMigrateCommandIfRequested).toHaveBeenCalledWith(
       process.argv.slice(2),
     );
diff --git a/app/index.ts b/app/index.ts
index 209af9671..87dbb92be 100644
--- a/app/index.ts
+++ b/app/index.ts
@@ -2,7 +2,7 @@ import dns from 'node:dns';
 import * as agentServer from './agent/api/index.js';
 import * as agentManager from './agent/index.js';
 import * as api from './api/index.js';
-import { getDnsMode, getVersion } from './configuration/index.js';
+import { getDnsMode } from './configuration/index.js';
 import { runConfigMigrateCommandIfRequested } from './configuration/migrate-cli.js';
 import log from './log/index.js';
 import * as prometheus from './prometheus/index.js';
@@ -23,12 +23,10 @@ if (commandExitCode !== null) {
   }
 } else {
   const isAgent = process.argv.includes('--agent');
-  const mode = isAgent ? 'Agent' : 'Controller';
-  const version = String(getVersion()).replaceAll(/[^a-zA-Z0-9._\-+]/g, '');
   const runningAsRoot = typeof process.getuid === 'function' && process.getuid() === 0;
   const runAsRootEnabled = process.env.DD_RUN_AS_ROOT === 'true';
   const insecureRootAcknowledged = process.env.DD_ALLOW_INSECURE_ROOT === 'true';
-  log.info(`drydock is starting in ${mode} mode (version = ${version})`);
+  log.info('drydock is starting');
 
   if (runningAsRoot && runAsRootEnabled && !insecureRootAcknowledged) {
     throw new Error(
diff --git a/app/knip.json b/app/knip.json
index f33b826d0..ce8db1c14 100644
--- a/app/knip.json
+++ b/app/knip.json
@@ -1,5 +1,5 @@
 {
-  "$schema": "https://unpkg.com/knip@5/schema.json",
+  "$schema": "https://unpkg.com/knip@6/schema.json",
   "entry": ["index.ts"],
   "project": ["**/*.ts"],
   "ignore": ["**/*.typecheck.ts"],
diff --git a/app/log/buffer.test.ts b/app/log/buffer.test.ts
index 510e5368d..d3abbcb03 100644
--- a/app/log/buffer.test.ts
+++ b/app/log/buffer.test.ts
@@ -1,4 +1,11 @@
-import { addEntry, getEntries } from './buffer.js';
+import {
+  addEntry,
+  getEntries,
+  getMinLevel,
+  matchesComponent,
+  meetsMinLevel,
+  onEntry,
+} from './buffer.js';
 
 function makeEntry(overrides = {}) {
   return {
@@ -175,4 +182,89 @@ describe('Ring Buffer', () => {
       expect(results.find((e) => e.msg === 'wrap-1000')).toBeDefined();
     });
   });
+
+  describe('onEntry subscription', () => {
+    test('should emit entries to subscriber when addEntry is called', () => {
+      const listener = vi.fn();
+      const unsubscribe = onEntry(listener);
+
+      const entry = makeEntry({ msg: 'streamed-entry' });
+      addEntry(entry);
+
+      expect(listener).toHaveBeenCalledTimes(1);
+      expect(listener).toHaveBeenCalledWith(entry);
+
+      unsubscribe();
+    });
+
+    test('should stop emitting after unsubscribe is called', () => {
+      const listener = vi.fn();
+      const unsubscribe = onEntry(listener);
+
+      addEntry(makeEntry({ msg: 'before-unsub' }));
+      expect(listener).toHaveBeenCalledTimes(1);
+
+      unsubscribe();
+
+      addEntry(makeEntry({ msg: 'after-unsub' }));
+      expect(listener).toHaveBeenCalledTimes(1);
+    });
+
+    test('should support multiple subscribers independently', () => {
+      const listener1 = vi.fn();
+      const listener2 = vi.fn();
+      const unsub1 = onEntry(listener1);
+      const unsub2 = onEntry(listener2);
+
+      addEntry(makeEntry({ msg: 'multi-sub' }));
+      expect(listener1).toHaveBeenCalledTimes(1);
+      expect(listener2).toHaveBeenCalledTimes(1);
+
+      unsub1();
+
+      addEntry(makeEntry({ msg: 'after-unsub1' }));
+      expect(listener1).toHaveBeenCalledTimes(1);
+      expect(listener2).toHaveBeenCalledTimes(2);
+
+      unsub2();
+    });
+  });
+
+  describe('exported filter helpers', () => {
+    test('getMinLevel returns 0 for undefined or unknown levels', () => {
+      expect(getMinLevel(undefined)).toBe(0);
+      expect(getMinLevel('unknown')).toBe(0);
+    });
+
+    test('getMinLevel returns correct order value for known levels', () => {
+      expect(getMinLevel('debug')).toBe(10);
+      expect(getMinLevel('info')).toBe(20);
+      expect(getMinLevel('warn')).toBe(30);
+      expect(getMinLevel('error')).toBe(40);
+    });
+
+    test('meetsMinLevel returns true when minLevel is 0', () => {
+      const entry = makeEntry({ level: 'debug' });
+      expect(meetsMinLevel(entry, 0)).toBe(true);
+    });
+
+    test('meetsMinLevel filters by minimum level threshold', () => {
+      const debugEntry = makeEntry({ level: 'debug' });
+      const warnEntry = makeEntry({ level: 'warn' });
+
+      expect(meetsMinLevel(debugEntry, 30)).toBe(false);
+      expect(meetsMinLevel(warnEntry, 30)).toBe(true);
+    });
+
+    test('matchesComponent returns true when component is undefined', () => {
+      const entry = makeEntry({ component: 'anything' });
+      expect(matchesComponent(entry, undefined)).toBe(true);
+    });
+
+    test('matchesComponent checks substring match', () => {
+      const entry = makeEntry({ component: 'api-server' });
+      expect(matchesComponent(entry, 'api')).toBe(true);
+      expect(matchesComponent(entry, 'watcher')).toBe(false);
+    });
+  });
 });
diff --git a/app/log/buffer.ts b/app/log/buffer.ts
index c9aac379c..dadb044b6 100644
--- a/app/log/buffer.ts
+++ b/app/log/buffer.ts
@@ -1,10 +1,15 @@
-interface LogEntry {
+import { EventEmitter } from 'node:events';
+
+export interface LogEntry {
   timestamp: number;
   level: string;
   component: string;
   msg: string;
 }
 
+const entryEmitter = new EventEmitter();
+entryEmitter.setMaxListeners(0);
+
 const LEVEL_ORDER: Record<string, number> = {
   debug: 10,
   trace: 10,
@@ -25,6 +30,14 @@ export function addEntry(entry: LogEntry): void {
   if (count < MAX_SIZE) {
     count++;
   }
+  entryEmitter.emit('entry', entry);
+}
+
+export function onEntry(listener: (entry: LogEntry) => void): () => void {
+  entryEmitter.on('entry', listener);
+  return () => {
+    entryEmitter.off('entry', listener);
+  };
 }
 
 interface GetEntriesOptions {
@@ -56,21 +69,21 @@ function drainBuffer(): LogEntry[] {
   return readRingBuffer(buffer, start, count, MAX_SIZE);
 }
 
-function getMinLevel(level?: string): number {
+export function getMinLevel(level?: string): number {
   if (!level) {
     return 0;
   }
   return LEVEL_ORDER[level] ?? 0;
 }
 
-function meetsMinLevel(entry: LogEntry, minLevel: number): boolean {
+export function meetsMinLevel(entry: LogEntry, minLevel: number): boolean {
   if (minLevel <= 0) {
     return true;
   }
   return (LEVEL_ORDER[entry.level] ?? 0) >= minLevel;
 }
 
-function matchesComponent(entry: LogEntry, component?: string): boolean {
+export function matchesComponent(entry: LogEntry, component?: string): boolean {
   if (!component) {
     return true;
   }
diff --git a/app/log/index.ts b/app/log/index.ts
index 3d623e41f..fa3f2b22b 100644
--- a/app/log/index.ts
+++ b/app/log/index.ts
@@ -33,6 +33,7 @@ function createMainLogStream() {
   return pinoPretty({
     colorize: Boolean(process.stdout.isTTY),
     sync: true,
+    singleLine: true,
   });
 }
 
diff --git a/app/log/sanitize.ts b/app/log/sanitize.ts
index 28383704d..5c7fd851b 100644
--- a/app/log/sanitize.ts
+++ b/app/log/sanitize.ts
@@ -2,11 +2,10 @@
  * Sanitize a value for safe log interpolation.
  * Strips control characters and ANSI escapes to prevent log injection.
  */
-// Built from strings so biome's noControlCharactersInRegex doesn't flag them.
-// biome-ignore lint/complexity/useRegexLiterals: RegExp constructor needed to avoid noControlCharactersInRegex
-const CONTROL_CHARS = new RegExp('[\\x00-\\x1f\\x7f]', 'g');
-// biome-ignore lint/complexity/useRegexLiterals: RegExp constructor needed to avoid noControlCharactersInRegex
-const ANSI_ESCAPES = new RegExp('\\x1b\\[[0-9;]*m', 'g');
+// biome-ignore lint/suspicious/noControlCharactersInRegex: intentional control char stripping for log sanitization
+const CONTROL_CHARS = /[\x00-\x1f\x7f]/g;
+// biome-ignore lint/suspicious/noControlCharactersInRegex: intentional ANSI escape stripping for log sanitization
+const ANSI_ESCAPES = /\x1b\[[0-9;]*m/g;
 
 export function sanitizeLogParam(value: unknown, maxLength = 200): string {
   const str = String(value ?? '');
diff --git a/app/model/container.test.ts b/app/model/container.test.ts
index 4963eb4b8..e3d3b34a0 100644
--- a/app/model/container.test.ts
+++ b/app/model/container.test.ts
@@ -133,6 +133,110 @@ test('model should be validated when compliant', async () => {
   });
 });
 
+test('model should accept sourceRepo and releaseNotes metadata', async () => {
+  const containerValidated = container.validate({
+    id: 'container-release-notes-123',
+    name: 'test',
+    watcher: 'test',
+    sourceRepo: 'github.com/acme/service',
+    image: {
+      id: 'image-release-notes-123',
+      registry: {
+        name: 'hub',
+        url: 'https://hub',
+      },
+      name: 'organization/image',
+      tag: {
+        value: '1.0.0',
+        semver: true,
+      },
+      digest: {
+        watch: false,
+      },
+      architecture: 'arch',
+      os: 'os',
+    },
+    result: {
+      tag: '1.1.0',
+      releaseNotes: {
+        title: 'v1.1.0',
+        body: 'Release body',
+        url: 'https://github.com/acme/service/releases/tag/v1.1.0',
+        publishedAt: '2026-03-01T00:00:00.000Z',
+        provider: 'github',
+      },
+    },
+  });
+
+  expect(containerValidated.sourceRepo).toBe('github.com/acme/service');
+  expect(containerValidated.result?.releaseNotes).toEqual({
+    title: 'v1.1.0',
+    body: 'Release body',
+    url: 'https://github.com/acme/service/releases/tag/v1.1.0',
+    publishedAt: '2026-03-01T00:00:00.000Z',
+    provider: 'github',
+  });
+});
+
+test.each([
+  'specific',
+  'floating',
+] as const)('model should accept image.tag.tagPrecision=%s', (tagPrecision) => {
+  const containerValidated = container.validate({
+    id: `container-tag-precision-${tagPrecision}`,
+    name: 'test',
+    watcher: 'test',
+    image: {
+      id: `image-tag-precision-${tagPrecision}`,
+      registry: {
+        name: 'hub',
+        url: 'https://hub',
+      },
+      name: 'organization/image',
+      tag: {
+        value: tagPrecision === 'specific' ? '1.2.3' : 'latest',
+        semver: tagPrecision === 'specific',
+        tagPrecision,
+      },
+      digest: {
+        watch: false,
+      },
+      architecture: 'arch',
+      os: 'os',
+    },
+  });
+
+  expect(containerValidated.image.tag.tagPrecision).toBe(tagPrecision);
+});
+
+test('model should reject invalid image.tag.tagPrecision values', () => {
+  expect(() =>
+    container.validate({
+      id: 'container-tag-precision-invalid',
+      name: 'test',
+      watcher: 'test',
+      image: {
+        id: 'image-tag-precision-invalid',
+        registry: {
+          name: 'hub',
+          url: 'https://hub',
+        },
+        name: 'organization/image',
+        tag: {
+          value: 'latest',
+          semver: false,
+          tagPrecision: 'alias',
+        },
+        digest: {
+          watch: false,
+        },
+        architecture: 'arch',
+        os: 'os',
+      },
+    }),
+  ).toThrow();
+});
+
 test('model should not be validated when invalid', async () => {
   expect(() => {
     container.validate({});
@@ -505,6 +609,144 @@ test('model should allow mature updates when maturity threshold has elapsed', as
   expect(containerValidated.updateAvailable).toBeTruthy();
 });
 
+test('model should compute updateAge from the earlier of firstSeenAt and publishedAt', async () => {
+  vi.useFakeTimers();
+  try {
+    const now = new Date('2026-03-15T12:00:00.000Z');
+    vi.setSystemTime(now);
+    const firstSeenAt = new Date(now.getTime() - daysToMs(2)).toISOString();
+    const publishedAt = new Date(now.getTime() - daysToMs(5)).toISOString();
+
+    const containerValidated = container.validate({
+      id: 'container-123456789',
+      name: 'test',
+      watcher: 'test',
+      firstSeenAt,
+      image: {
+        id: 'image-123456789',
+        registry: {
+          name: 'hub',
+          url: 'https://hub',
+        },
+        name: 'organization/image',
+        tag: {
+          value: '1.0.0',
+          semver: true,
+        },
+        digest: {
+          watch: false,
+          repo: undefined,
+        },
+        architecture: 'arch',
+        os: 'os',
+        created: '2021-06-12T05:33:38.440Z',
+      },
+      result: {
+        tag: '1.0.1',
+        publishedAt,
+      },
+    });
+
+    expect(containerValidated.updateAge).toBe(daysToMs(5));
+    expect(containerValidated.updateMaturityLevel).toBe('hot');
+  } finally {
+    vi.useRealTimers();
+  }
+});
+
+test('model should classify updates older than 30 days as established', async () => {
+  vi.useFakeTimers();
+  try {
+    const now = new Date('2026-03-15T12:00:00.000Z');
+    vi.setSystemTime(now);
+    const firstSeenAt = new Date(now.getTime() - daysToMs(35)).toISOString();
+
+    const containerValidated = container.validate({
+      id: 'container-123456789',
+      name: 'test',
+      watcher: 'test',
+      firstSeenAt,
+      image: {
+        id: 'image-123456789',
+        registry: {
+          name: 'hub',
+          url: 'https://hub',
+        },
+        name: 'organization/image',
+        tag: {
+          value: '1.0.0',
+          semver: true,
+        },
+        digest: {
+          watch: false,
+          repo: undefined,
+        },
+        architecture: 'arch',
+        os: 'os',
+        created: '2021-06-12T05:33:38.440Z',
+      },
+      result: {
+        tag: '1.0.1',
+      },
+    });
+
+    expect(containerValidated.updateAge).toBe(daysToMs(35));
+    expect(containerValidated.updateMaturityLevel).toBe('established');
+  } finally {
+    vi.useRealTimers();
+  }
+});
+
+test('model should use DD_UI_MATURITY_THRESHOLD_DAYS for hot/mature cutoff', async () => {
+  const previousThreshold = process.env.DD_UI_MATURITY_THRESHOLD_DAYS;
+  vi.useFakeTimers();
+  try {
+    process.env.DD_UI_MATURITY_THRESHOLD_DAYS = '3';
+    const now = new Date('2026-03-15T12:00:00.000Z');
+    vi.setSystemTime(now);
+    const firstSeenAt = new Date(now.getTime() - daysToMs(4)).toISOString();
+
+    const containerValidated = container.validate({
+      id: 'container-123456789',
+      name: 'test',
+      watcher: 'test',
+      firstSeenAt,
+      image: {
+        id: 'image-123456789',
+        registry: {
+          name: 'hub',
+          url: 'https://hub',
+        },
+        name: 'organization/image',
+        tag: {
+          value: '1.0.0',
+          semver: true,
+        },
+        digest: {
+          watch: false,
+          repo: undefined,
+        },
+        architecture: 'arch',
+        os: 'os',
+        created: '2021-06-12T05:33:38.440Z',
+      },
+      result: {
+        tag: '1.0.1',
+      },
+    });
+
+    expect(containerValidated.updateAge).toBe(daysToMs(4));
+    expect(containerValidated.updateMaturityLevel).toBe('mature');
+  } finally {
+    vi.useRealTimers();
+    if (previousThreshold === undefined) {
+      delete process.env.DD_UI_MATURITY_THRESHOLD_DAYS;
+    } else {
+      process.env.DD_UI_MATURITY_THRESHOLD_DAYS = previousThreshold;
+    }
+  }
+});
+
 test('model should keep updateAvailable when remote tag changes past skipped value', async () => {
   const containerValidated = container.validate({
     id: 'container-123456789',
@@ -1237,6 +1479,42 @@ test('resultChanged should return true when digest differs', async () => {
   expect(containerValidated.resultChanged(other)).toBeTruthy();
 });
 
+test('resultChanged should return true when suggestedTag differs', async () => {
+  const containerValidated = container.validate({
+    id: 'container-123456789',
+    name: 'test',
+    watcher: 'test',
+    image: {
+      id: 'image-123456789',
+      registry: { name: 'hub', url: 'https://hub' },
+      name: 'organization/image',
+      tag: { value: 'latest', semver: false },
+      digest: { watch: false },
+      architecture: 'arch',
+      os: 'os',
+    },
+    result: { tag: 'latest', suggestedTag: '1.0.0' },
+  });
+
+  const other = container.validate({
+    id: 'container-123456789',
+    name: 'test',
+    watcher: 'test',
+    image: {
+      id: 'image-123456789',
+      registry: { name: 'hub', url: 'https://hub' },
+      name: 'organization/image',
+      tag: { value: 'latest', semver: false },
+      digest: { watch: false },
+      architecture: 'arch',
+      os: 'os',
+    },
+    result: { tag: 'latest', suggestedTag: '1.0.1' },
+  });
+
+  expect(containerValidated.resultChanged(other)).toBeTruthy();
+});
+
 test('getLink should use raw variable for backward compatibility', () => {
   const { testable_getLink: getLink } = container;
   expect(
diff --git a/app/model/container.ts b/app/model/container.ts
index 07bc2786d..ca221dd93 100644
--- a/app/model/container.ts
+++ b/app/model/container.ts
@@ -15,6 +15,9 @@ import {
 } from './maturity-policy.js';
 
 const { parse: parseSemver, diff: diffSemver, transform: transformTag } = tag;
+const DEFAULT_UI_MATURITY_THRESHOLD_DAYS = 7;
+const ESTABLISHED_UPDATE_AGE_DAYS = 30;
+const UI_MATURITY_THRESHOLD_DAYS_ENV = 'DD_UI_MATURITY_THRESHOLD_DAYS';
 
 export interface ContainerImage {
   id: string;
@@ -28,6 +31,7 @@ export interface ContainerImage {
   tag: {
     value: string;
     semver: boolean;
+    tagPrecision?: 'specific' | 'floating';
   };
   digest: {
     watch: boolean;
@@ -42,10 +46,21 @@ export interface ContainerImage {
 
 export interface ContainerResult {
   tag?: string;
+  suggestedTag?: string;
   digest?: string;
   created?: string;
+  publishedAt?: string;
   link?: string;
   noUpdateReason?: string;
+  releaseNotes?: ContainerReleaseNotes;
+}
+
+export interface ContainerReleaseNotes {
+  title: string;
+  body: string;
+  url: string;
+  publishedAt: string;
+  provider: 'github' | 'gitlab' | 'gitea';
 }
 
 export interface ContainerUpdateKind {
@@ -109,7 +124,11 @@ export interface Container {
   updateAvailable: boolean;
   updateKind: ContainerUpdateKind;
   updateDetectedAt?: string;
+  firstSeenAt?: string;
+  updateAge?: number;
+  updateMaturityLevel?: 'hot' | 'mature' | 'established';
   labels?: Record<string, string>;
+  sourceRepo?: string;
   details?: ContainerRuntimeDetails;
   resultChanged?: (otherContainer: Container | undefined) => boolean;
 }
@@ -225,6 +244,7 @@ const schema = joi.object({
         .object({
           value: joi.string().min(1).required(),
           semver: joi.boolean().default(false),
+          tagPrecision: joi.string().valid('specific', 'floating'),
         })
         .required(),
       digest: joi
@@ -242,10 +262,19 @@ const schema = joi.object({
     .required(),
   result: joi.object({
     tag: joi.string().min(1),
+    suggestedTag: joi.string().min(1),
     digest: joi.string(),
     created: joi.string().isoDate(),
+    publishedAt: joi.string().isoDate(),
     link: joi.string(),
     noUpdateReason: joi.string().min(1),
+    releaseNotes: joi.object({
+      title: joi.string().required(),
+      body: joi.string().required(),
+      url: joi.string().required(),
+      publishedAt: joi.string().isoDate().required(),
+      provider: joi.string().valid('github', 'gitlab', 'gitea').required(),
+    }),
   }),
   error: joi.object({
     message: joi.string().min(1).required(),
@@ -260,8 +289,12 @@ const schema = joi.object({
     })
     .default({ kind: 'unknown' }),
   updateDetectedAt: joi.string().isoDate(),
+  firstSeenAt: joi.string().isoDate(),
+  updateAge: joi.number().integer().min(0),
+  updateMaturityLevel: joi.string().valid('hot', 'mature', 'established'),
   resultChanged: joi.function(),
   labels: joi.object(),
+  sourceRepo: joi.string(),
   details: joi.object({
     ports: joi.array().items(joi.string()).required(),
     volumes: joi.array().items(joi.string()).required(),
@@ -475,6 +508,58 @@ function isUpdateSuppressed(container: Container, updateKind: ContainerUpdateKin
   return false;
 }
 
+function parseDateMs(value: string | undefined): number | undefined {
+  const timestampMs = Date.parse(value || '');
+  return Number.isFinite(timestampMs) ? timestampMs : undefined;
+}
+
+function resolveUiMaturityThresholdDays(): number {
+  return resolveMaturityMinAgeDays(
+    process.env[UI_MATURITY_THRESHOLD_DAYS_ENV],
+    DEFAULT_UI_MATURITY_THRESHOLD_DAYS,
+  );
+}
+
+function getRawUpdateAge(container: Container): number | undefined {
+  if (!container.updateAvailable) {
+    return undefined;
+  }
+
+  const firstSeenAtMs = parseDateMs(container.firstSeenAt);
+  const publishedAtMs = parseDateMs(container.result?.publishedAt);
+  let startedAtMs: number | undefined;
+
+  if (firstSeenAtMs !== undefined && publishedAtMs !== undefined) {
+    startedAtMs = Math.min(firstSeenAtMs, publishedAtMs);
+  } else {
+    startedAtMs = firstSeenAtMs ?? publishedAtMs;
+  }
+
+  if (startedAtMs === undefined) {
+    return undefined;
+  }
+
+  return Math.max(0, Date.now() - startedAtMs);
+}
+
+function getRawUpdateMaturityLevel(
+  container: Container,
+): 'hot' | 'mature' | 'established' | undefined {
+  const updateAge = getRawUpdateAge(container);
+  if (updateAge === undefined) {
+    return undefined;
+  }
+
+  const establishedThresholdMs = maturityMinAgeDaysToMilliseconds(ESTABLISHED_UPDATE_AGE_DAYS);
+  if (updateAge >= establishedThresholdMs) {
+    return 'established';
+  }
+
+  const maturityThresholdDays = resolveUiMaturityThresholdDays();
+  const maturityThresholdMs = maturityMinAgeDaysToMilliseconds(maturityThresholdDays);
+  return updateAge >= maturityThresholdMs ? 'mature' : 'hot';
+}
+
 /**
  * Render Link template.
  * @param container
@@ -570,6 +655,30 @@ function addUpdateKindProperty(container: Container) {
   });
 }
 
+function addUpdateAgeProperty(container: Container) {
+  if (getRawUpdateAge(container) === undefined) {
+    return;
+  }
+  Object.defineProperty(container, 'updateAge', {
+    enumerable: true,
+    get(this: Container) {
+      return getRawUpdateAge(this);
+    },
+  });
+}
+
+function addUpdateMaturityLevelProperty(container: Container) {
+  if (getRawUpdateMaturityLevel(container) === undefined) {
+    return;
+  }
+  Object.defineProperty(container, 'updateMaturityLevel', {
+    enumerable: true,
+    get(this: Container) {
+      return getRawUpdateMaturityLevel(this);
+    },
+  });
+}
+
 /**
  * Computed function to check whether the result is different.
  * @param otherContainer
@@ -579,6 +688,7 @@ function resultChangedFunction(this: Container, otherContainer: Container | unde
   return (
     otherContainer === undefined ||
     this.result?.tag !== otherContainer.result?.tag ||
+    this.result?.suggestedTag !== otherContainer.result?.suggestedTag ||
     this.result?.digest !== otherContainer.result?.digest ||
     this.result?.created !== otherContainer.result?.created
   );
@@ -600,7 +710,7 @@ function addResultChangedFunction(container: Container) {
  * @param container
  * @returns {*}
  */
-export function validate(container: any): Container {
+export function validate(container: unknown): Container {
   const validation = schema.validate(container);
   if (validation.error) {
     throw new Error(`Error when validating container properties ${validation.error}`);
@@ -619,6 +729,8 @@ export function validate(container: any): Container {
   // Add computed properties
   addUpdateAvailableProperty(containerValidated);
   addUpdateKindProperty(containerValidated);
+  addUpdateAgeProperty(containerValidated);
+  addUpdateMaturityLevelProperty(containerValidated);
   addLinkProperty(containerValidated);
 
   // Add computed functions
@@ -632,7 +744,7 @@ export function validate(container: any): Container {
  * @returns {*}
  */
 export function flatten(container: Container) {
-  const containerFlatten: any = flat(container, {
+  const containerFlatten = flat<Container, Record<string, unknown>>(container, {
     delimiter: '_',
     transformKey: (key: string) => snakeCase(key),
   });
diff --git a/app/model/maturity-policy.ts b/app/model/maturity-policy.ts
index 5e30adebe..14d62c734 100644
--- a/app/model/maturity-policy.ts
+++ b/app/model/maturity-policy.ts
@@ -2,7 +2,6 @@ export const DEFAULT_MATURITY_MIN_AGE_DAYS = 7;
 export const MATURITY_MIN_AGE_DAYS_MIN = 1;
 export const MATURITY_MIN_AGE_DAYS_MAX = 365;
 export const MS_PER_DAY = 24 * 60 * 60 * 1000;
-export const MILLISECONDS_PER_DAY = MS_PER_DAY;
 
 export type MaturityMode = 'all' | 'mature';
 
diff --git a/app/package-lock.json b/app/package-lock.json
index 3c62c882a..9e7274d0b 100644
--- a/app/package-lock.json
+++ b/app/package-lock.json
@@ -1,15 +1,15 @@
 {
   "name": "drydock-app",
-  "version": "1.4.5",
+  "version": "1.5.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "drydock-app",
-      "version": "1.4.5",
+      "version": "1.5.0",
       "license": "AGPL-3.0-only",
       "dependencies": {
-        "@aws-sdk/client-ecr": "^3.1011.0",
+        "@aws-sdk/client-ecr": "^3.1014.0",
         "@slack/web-api": "^7.15.0",
         "ajv": "^8.18.0",
         "ajv-formats": "^3.0.1",
@@ -21,7 +21,7 @@
         "connect-loki": "1.2.0",
         "cors": "2.8.6",
         "cron-parser": "^5.5.0",
-        "dockerode": "4.0.9",
+        "dockerode": "4.0.10",
         "express": "5.2.1",
         "express-healthcheck": "0.1.0",
         "express-rate-limit": "^8.3.1",
@@ -37,7 +37,7 @@
         "mqtt": "5.15.0",
         "nocache": "4.0.0",
         "node-cron": "4.2.1",
-        "nodemailer": "8.0.2",
+        "nodemailer": "^8.0.4",
         "openid-client": "6.8.2",
         "p-limit": "^7.3.0",
         "parse-docker-image-name": "3.0.0",
@@ -52,13 +52,17 @@
         "semver": "7.7.4",
         "set-value": "4.1.0",
         "sort-es": "1.7.18",
-        "undici": "^7.24.4",
+        "undici": "^7.24.5",
         "unix-crypt-td-js": "1.1.4",
         "uuid": "^13.0.0",
-        "yaml": "2.8.2"
+        "ws": "^8.20.0",
+        "yaml": "2.8.3"
       },
       "devDependencies": {
         "@fast-check/vitest": "^0.3.0",
+        "@stryker-mutator/core": "^9.6.0",
+        "@stryker-mutator/typescript-checker": "^9.6.0",
+        "@stryker-mutator/vitest-runner": "^9.6.0",
         "@types/cors": "^2.8.19",
         "@types/dockerode": "4.0.1",
         "@types/express": "^5.0.6",
@@ -71,7 +75,7 @@
         "@types/yaml": "^1.9.7",
         "@vitest/coverage-v8": "^4.1.0",
         "fast-check": "^4.6.0",
-        "knip": "^5.87.0",
+        "knip": "^6.0.1",
         "nodemon": "3.1.14",
         "ts-node": "^10.9.2",
         "typescript": "^5.9.3",
@@ -207,45 +211,45 @@
       }
     },
     "node_modules/@aws-sdk/client-ecr": {
-      "version": "3.1011.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/client-ecr/-/client-ecr-3.1011.0.tgz",
-      "integrity": "sha512-lG1cP5ySh77UGvipwJZiVeq1oIVcYAbYPjuwmOT7zXk/LRobQwKMFCL4rRu/+pW+qFceeyKvFhYyxbDWKGBPag==",
+      "version": "3.1018.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-ecr/-/client-ecr-3.1018.0.tgz",
+      "integrity": "sha512-oyYD561uKNLTK9uVDRWxqt3faXCCB7WZQ2pt3M2a2FTFJgeKfCJxC3IFERoaPIU5Dh2JqBCKE+gRWoecDi6P+A==",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "^3.973.20",
-        "@aws-sdk/credential-provider-node": "^3.972.21",
+        "@aws-sdk/core": "^3.973.25",
+        "@aws-sdk/credential-provider-node": "^3.972.26",
         "@aws-sdk/middleware-host-header": "^3.972.8",
         "@aws-sdk/middleware-logger": "^3.972.8",
-        "@aws-sdk/middleware-recursion-detection": "^3.972.8",
-        "@aws-sdk/middleware-user-agent": "^3.972.21",
-        "@aws-sdk/region-config-resolver": "^3.972.8",
+        "@aws-sdk/middleware-recursion-detection": "^3.972.9",
+        "@aws-sdk/middleware-user-agent": "^3.972.26",
+        "@aws-sdk/region-config-resolver": "^3.972.10",
         "@aws-sdk/types": "^3.973.6",
         "@aws-sdk/util-endpoints": "^3.996.5",
         "@aws-sdk/util-user-agent-browser": "^3.972.8",
-        "@aws-sdk/util-user-agent-node": "^3.973.7",
-        "@smithy/config-resolver": "^4.4.11",
-        "@smithy/core": "^3.23.11",
+        "@aws-sdk/util-user-agent-node": "^3.973.12",
+        "@smithy/config-resolver": "^4.4.13",
+        "@smithy/core": "^3.23.12",
         "@smithy/fetch-http-handler": "^5.3.15",
         "@smithy/hash-node": "^4.2.12",
         "@smithy/invalid-dependency": "^4.2.12",
         "@smithy/middleware-content-length": "^4.2.12",
-        "@smithy/middleware-endpoint": "^4.4.25",
-        "@smithy/middleware-retry": "^4.4.42",
-        "@smithy/middleware-serde": "^4.2.14",
+        "@smithy/middleware-endpoint": "^4.4.27",
+        "@smithy/middleware-retry": "^4.4.44",
+        "@smithy/middleware-serde": "^4.2.15",
         "@smithy/middleware-stack": "^4.2.12",
         "@smithy/node-config-provider": "^4.3.12",
-        "@smithy/node-http-handler": "^4.4.16",
+        "@smithy/node-http-handler": "^4.5.0",
         "@smithy/protocol-http": "^5.3.12",
-        "@smithy/smithy-client": "^4.12.5",
+        "@smithy/smithy-client": "^4.12.7",
         "@smithy/types": "^4.13.1",
         "@smithy/url-parser": "^4.2.12",
         "@smithy/util-base64": "^4.3.2",
         "@smithy/util-body-length-browser": "^4.2.2",
         "@smithy/util-body-length-node": "^4.2.3",
-        "@smithy/util-defaults-mode-browser": "^4.3.41",
-        "@smithy/util-defaults-mode-node": "^4.2.44",
+        "@smithy/util-defaults-mode-browser": "^4.3.43",
+        "@smithy/util-defaults-mode-node": "^4.2.47",
         "@smithy/util-endpoints": "^3.3.3",
         "@smithy/util-middleware": "^4.2.12",
         "@smithy/util-retry": "^4.2.12",
@@ -258,19 +262,19 @@
       }
     },
     "node_modules/@aws-sdk/core": {
-      "version": "3.973.20",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/core/-/core-3.973.20.tgz",
-      "integrity": "sha512-i3GuX+lowD892F3IuJf8o6AbyDupMTdyTxQrCJGcn71ni5hTZ82L4nQhcdumxZ7XPJRJJVHS/CR3uYOIIs0PVA==",
+      "version": "3.973.25",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/core/-/core-3.973.25.tgz",
+      "integrity": "sha512-TNrx7eq6nKNOO62HWPqoBqPLXEkW6nLZQGwjL6lq1jZtigWYbK1NbCnT7mKDzbLMHZfuOECUt3n6CzxjUW9HWQ==",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-sdk/types": "^3.973.6",
-        "@aws-sdk/xml-builder": "^3.972.11",
-        "@smithy/core": "^3.23.11",
+        "@aws-sdk/xml-builder": "^3.972.16",
+        "@smithy/core": "^3.23.12",
         "@smithy/node-config-provider": "^4.3.12",
         "@smithy/property-provider": "^4.2.12",
         "@smithy/protocol-http": "^5.3.12",
         "@smithy/signature-v4": "^5.3.12",
-        "@smithy/smithy-client": "^4.12.5",
+        "@smithy/smithy-client": "^4.12.7",
         "@smithy/types": "^4.13.1",
         "@smithy/util-base64": "^4.3.2",
         "@smithy/util-middleware": "^4.2.12",
@@ -282,12 +286,12 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-env": {
-      "version": "3.972.18",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-env/-/credential-provider-env-3.972.18.tgz",
-      "integrity": "sha512-X0B8AlQY507i5DwjLByeU2Af4ARsl9Vr84koDcXCbAkplmU+1xBFWxEPrWRAoh56waBne/yJqEloSwvRf4x6XA==",
+      "version": "3.972.23",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-env/-/credential-provider-env-3.972.23.tgz",
+      "integrity": "sha512-EamaclJcCEaPHp6wiVknNMM2RlsPMjAHSsYSFLNENBM8Wz92QPc6cOn3dif6vPDQt0Oo4IEghDy3NMDCzY/IvA==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.973.20",
+        "@aws-sdk/core": "^3.973.25",
         "@aws-sdk/types": "^3.973.6",
         "@smithy/property-provider": "^4.2.12",
         "@smithy/types": "^4.13.1",
@@ -298,20 +302,20 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-http": {
-      "version": "3.972.20",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-http/-/credential-provider-http-3.972.20.tgz",
-      "integrity": "sha512-ey9Lelj001+oOfrbKmS6R2CJAiXX7QKY4Vj9VJv6L2eE6/VjD8DocHIoYqztTm70xDLR4E1jYPTKfIui+eRNDA==",
+      "version": "3.972.25",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-http/-/credential-provider-http-3.972.25.tgz",
+      "integrity": "sha512-qPymamdPcLp6ugoVocG1y5r69ScNiRzb0hogX25/ij+Wz7c7WnsgjLTaz7+eB5BfRxeyUwuw5hgULMuwOGOpcw==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.973.20",
+        "@aws-sdk/core": "^3.973.25",
         "@aws-sdk/types": "^3.973.6",
         "@smithy/fetch-http-handler": "^5.3.15",
-        "@smithy/node-http-handler": "^4.4.16",
+        "@smithy/node-http-handler": "^4.5.0",
         "@smithy/property-provider": "^4.2.12",
         "@smithy/protocol-http": "^5.3.12",
-        "@smithy/smithy-client": "^4.12.5",
+        "@smithy/smithy-client": "^4.12.7",
         "@smithy/types": "^4.13.1",
-        "@smithy/util-stream": "^4.5.19",
+        "@smithy/util-stream": "^4.5.20",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -319,19 +323,19 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-ini": {
-      "version": "3.972.20",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-ini/-/credential-provider-ini-3.972.20.tgz",
-      "integrity": "sha512-5flXSnKHMloObNF+9N0cupKegnH1Z37cdVlpETVgx8/rAhCe+VNlkcZH3HDg2SDn9bI765S+rhNPXGDJJPfbtA==",
+      "version": "3.972.25",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-ini/-/credential-provider-ini-3.972.25.tgz",
+      "integrity": "sha512-G/v/PicYn4qs7xCv4vT6I4QKdvMyRvsgIFNBkUueCGlbLo7/PuKcNKgUozmLSsaYnE7jIl6UrfkP07EUubr48w==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.973.20",
-        "@aws-sdk/credential-provider-env": "^3.972.18",
-        "@aws-sdk/credential-provider-http": "^3.972.20",
-        "@aws-sdk/credential-provider-login": "^3.972.20",
-        "@aws-sdk/credential-provider-process": "^3.972.18",
-        "@aws-sdk/credential-provider-sso": "^3.972.20",
-        "@aws-sdk/credential-provider-web-identity": "^3.972.20",
-        "@aws-sdk/nested-clients": "^3.996.10",
+        "@aws-sdk/core": "^3.973.25",
+        "@aws-sdk/credential-provider-env": "^3.972.23",
+        "@aws-sdk/credential-provider-http": "^3.972.25",
+        "@aws-sdk/credential-provider-login": "^3.972.25",
+        "@aws-sdk/credential-provider-process": "^3.972.23",
+        "@aws-sdk/credential-provider-sso": "^3.972.25",
+        "@aws-sdk/credential-provider-web-identity": "^3.972.25",
+        "@aws-sdk/nested-clients": "^3.996.15",
         "@aws-sdk/types": "^3.973.6",
         "@smithy/credential-provider-imds": "^4.2.12",
         "@smithy/property-provider": "^4.2.12",
@@ -344,13 +348,13 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-login": {
-      "version": "3.972.20",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-login/-/credential-provider-login-3.972.20.tgz",
-      "integrity": "sha512-gEWo54nfqp2jABMu6HNsjVC4hDLpg9HC8IKSJnp0kqWtxIJYHTmiLSsIfI4ScQjxEwpB+jOOH8dOLax1+hy/Hw==",
+      "version": "3.972.25",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-login/-/credential-provider-login-3.972.25.tgz",
+      "integrity": "sha512-bUdmyJeVua7SmD+g2a65x2/0YqsGn4K2k4GawI43js0odaNaIzpIhLtHehUnPnfLuyhPWbJR1NyuIO4iMVfM0w==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.973.20",
-        "@aws-sdk/nested-clients": "^3.996.10",
+        "@aws-sdk/core": "^3.973.25",
+        "@aws-sdk/nested-clients": "^3.996.15",
         "@aws-sdk/types": "^3.973.6",
         "@smithy/property-provider": "^4.2.12",
         "@smithy/protocol-http": "^5.3.12",
@@ -363,17 +367,17 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-node": {
-      "version": "3.972.21",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-node/-/credential-provider-node-3.972.21.tgz",
-      "integrity": "sha512-hah8if3/B/Q+LBYN5FukyQ1Mym6PLPDsBOBsIgNEYD6wLyZg0UmUF/OKIVC3nX9XH8TfTPuITK+7N/jenVACWA==",
+      "version": "3.972.26",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-node/-/credential-provider-node-3.972.26.tgz",
+      "integrity": "sha512-5XSK74rCXxCNj+UWv5bjq1EccYkiyW4XOHFU9NXnsCcQF8dJuHdua1qFg0m/LIwVOWklbKsrcnMtfxIXwgvwzQ==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/credential-provider-env": "^3.972.18",
-        "@aws-sdk/credential-provider-http": "^3.972.20",
-        "@aws-sdk/credential-provider-ini": "^3.972.20",
-        "@aws-sdk/credential-provider-process": "^3.972.18",
-        "@aws-sdk/credential-provider-sso": "^3.972.20",
-        "@aws-sdk/credential-provider-web-identity": "^3.972.20",
+        "@aws-sdk/credential-provider-env": "^3.972.23",
+        "@aws-sdk/credential-provider-http": "^3.972.25",
+        "@aws-sdk/credential-provider-ini": "^3.972.25",
+        "@aws-sdk/credential-provider-process": "^3.972.23",
+        "@aws-sdk/credential-provider-sso": "^3.972.25",
+        "@aws-sdk/credential-provider-web-identity": "^3.972.25",
         "@aws-sdk/types": "^3.973.6",
         "@smithy/credential-provider-imds": "^4.2.12",
         "@smithy/property-provider": "^4.2.12",
@@ -386,12 +390,12 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-process": {
-      "version": "3.972.18",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-process/-/credential-provider-process-3.972.18.tgz",
-      "integrity": "sha512-Tpl7SRaPoOLT32jbTWchPsn52hYYgJ0kpiFgnwk8pxTANQdUymVSZkzFvv1+oOgZm1CrbQUP9MBeoMZ9IzLZjA==",
+      "version": "3.972.23",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-process/-/credential-provider-process-3.972.23.tgz",
+      "integrity": "sha512-IL/TFW59++b7MpHserjUblGrdP5UXy5Ekqqx1XQkERXBFJcZr74I7VaSrQT5dxdRMU16xGK4L0RQ5fQG1pMgnA==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.973.20",
+        "@aws-sdk/core": "^3.973.25",
         "@aws-sdk/types": "^3.973.6",
         "@smithy/property-provider": "^4.2.12",
         "@smithy/shared-ini-file-loader": "^4.4.7",
@@ -403,14 +407,14 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-sso": {
-      "version": "3.972.20",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-sso/-/credential-provider-sso-3.972.20.tgz",
-      "integrity": "sha512-p+R+PYR5Z7Gjqf/6pvbCnzEHcqPCpLzR7Yf127HjJ6EAb4hUcD+qsNRnuww1sB/RmSeCLxyay8FMyqREw4p1RA==",
+      "version": "3.972.25",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-sso/-/credential-provider-sso-3.972.25.tgz",
+      "integrity": "sha512-r4OGAfHmlEa1QBInHWz+/dOD4tRljcjVNQe9wJ/AJNXEj1d2WdsRLppvRFImRV6FIs+bTpjtL0a23V5ELQpRPw==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.973.20",
-        "@aws-sdk/nested-clients": "^3.996.10",
-        "@aws-sdk/token-providers": "3.1009.0",
+        "@aws-sdk/core": "^3.973.25",
+        "@aws-sdk/nested-clients": "^3.996.15",
+        "@aws-sdk/token-providers": "3.1018.0",
         "@aws-sdk/types": "^3.973.6",
         "@smithy/property-provider": "^4.2.12",
         "@smithy/shared-ini-file-loader": "^4.4.7",
@@ -422,13 +426,13 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-web-identity": {
-      "version": "3.972.20",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-web-identity/-/credential-provider-web-identity-3.972.20.tgz",
-      "integrity": "sha512-rWCmh8o7QY4CsUj63qopzMzkDq/yPpkrpb+CnjBEFSOg/02T/we7sSTVg4QsDiVS9uwZ8VyONhq98qt+pIh3KA==",
+      "version": "3.972.25",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-web-identity/-/credential-provider-web-identity-3.972.25.tgz",
+      "integrity": "sha512-uM1OtoJgj+yK3MlAmda8uR9WJJCdm5HB25JyCeFL5a5q1Fbafalf4uKidFO3/L0Pgd+Fsflkb4cM6jHIswi3QQ==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.973.20",
-        "@aws-sdk/nested-clients": "^3.996.10",
+        "@aws-sdk/core": "^3.973.25",
+        "@aws-sdk/nested-clients": "^3.996.15",
         "@aws-sdk/types": "^3.973.6",
         "@smithy/property-provider": "^4.2.12",
         "@smithy/shared-ini-file-loader": "^4.4.7",
@@ -469,9 +473,9 @@
       }
     },
     "node_modules/@aws-sdk/middleware-recursion-detection": {
-      "version": "3.972.8",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-recursion-detection/-/middleware-recursion-detection-3.972.8.tgz",
-      "integrity": "sha512-BnnvYs2ZEpdlmZ2PNlV2ZyQ8j8AEkMTjN79y/YA475ER1ByFYrkVR85qmhni8oeTaJcDqbx364wDpitDAA/wCA==",
+      "version": "3.972.9",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-recursion-detection/-/middleware-recursion-detection-3.972.9.tgz",
+      "integrity": "sha512-/Wt5+CT8dpTFQxEJ9iGy/UGrXr7p2wlIOEHvIr/YcHYByzoLjrqkYqXdJjd9UIgWjv7eqV2HnFJen93UTuwfTQ==",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-sdk/types": "^3.973.6",
@@ -485,15 +489,15 @@
       }
     },
     "node_modules/@aws-sdk/middleware-user-agent": {
-      "version": "3.972.21",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-user-agent/-/middleware-user-agent-3.972.21.tgz",
-      "integrity": "sha512-62XRl1GDYPpkt7cx1AX1SPy9wgNE9Iw/NPuurJu4lmhCWS7sGKO+kS53TQ8eRmIxy3skmvNInnk0ZbWrU5Dpyg==",
+      "version": "3.972.26",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-user-agent/-/middleware-user-agent-3.972.26.tgz",
+      "integrity": "sha512-AilFIh4rI/2hKyyGN6XrB0yN96W2o7e7wyrPWCM6QjZM1mcC/pVkW3IWWRvuBWMpVP8Fg+rMpbzeLQ6dTM4gig==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.973.20",
+        "@aws-sdk/core": "^3.973.25",
         "@aws-sdk/types": "^3.973.6",
         "@aws-sdk/util-endpoints": "^3.996.5",
-        "@smithy/core": "^3.23.11",
+        "@smithy/core": "^3.23.12",
         "@smithy/protocol-http": "^5.3.12",
         "@smithy/types": "^4.13.1",
         "@smithy/util-retry": "^4.2.12",
@@ -504,44 +508,44 @@
       }
     },
     "node_modules/@aws-sdk/nested-clients": {
-      "version": "3.996.10",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/nested-clients/-/nested-clients-3.996.10.tgz",
-      "integrity": "sha512-SlDol5Z+C7Ivnc2rKGqiqfSUmUZzY1qHfVs9myt/nxVwswgfpjdKahyTzLTx802Zfq0NFRs7AejwKzzzl5Co2w==",
+      "version": "3.996.15",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/nested-clients/-/nested-clients-3.996.15.tgz",
+      "integrity": "sha512-k6WAVNkub5DrU46iPQvH1m0xc1n+0dX79+i287tYJzf5g1yU2rX3uf4xNeL5JvK1NtYgfwMnsxHqhOXFBn367A==",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "^3.973.20",
+        "@aws-sdk/core": "^3.973.25",
         "@aws-sdk/middleware-host-header": "^3.972.8",
         "@aws-sdk/middleware-logger": "^3.972.8",
-        "@aws-sdk/middleware-recursion-detection": "^3.972.8",
-        "@aws-sdk/middleware-user-agent": "^3.972.21",
-        "@aws-sdk/region-config-resolver": "^3.972.8",
+        "@aws-sdk/middleware-recursion-detection": "^3.972.9",
+        "@aws-sdk/middleware-user-agent": "^3.972.26",
+        "@aws-sdk/region-config-resolver": "^3.972.10",
         "@aws-sdk/types": "^3.973.6",
         "@aws-sdk/util-endpoints": "^3.996.5",
         "@aws-sdk/util-user-agent-browser": "^3.972.8",
-        "@aws-sdk/util-user-agent-node": "^3.973.7",
-        "@smithy/config-resolver": "^4.4.11",
-        "@smithy/core": "^3.23.11",
+        "@aws-sdk/util-user-agent-node": "^3.973.12",
+        "@smithy/config-resolver": "^4.4.13",
+        "@smithy/core": "^3.23.12",
         "@smithy/fetch-http-handler": "^5.3.15",
         "@smithy/hash-node": "^4.2.12",
         "@smithy/invalid-dependency": "^4.2.12",
         "@smithy/middleware-content-length": "^4.2.12",
-        "@smithy/middleware-endpoint": "^4.4.25",
-        "@smithy/middleware-retry": "^4.4.42",
-        "@smithy/middleware-serde": "^4.2.14",
+        "@smithy/middleware-endpoint": "^4.4.27",
+        "@smithy/middleware-retry": "^4.4.44",
+        "@smithy/middleware-serde": "^4.2.15",
         "@smithy/middleware-stack": "^4.2.12",
         "@smithy/node-config-provider": "^4.3.12",
-        "@smithy/node-http-handler": "^4.4.16",
+        "@smithy/node-http-handler": "^4.5.0",
         "@smithy/protocol-http": "^5.3.12",
-        "@smithy/smithy-client": "^4.12.5",
+        "@smithy/smithy-client": "^4.12.7",
         "@smithy/types": "^4.13.1",
         "@smithy/url-parser": "^4.2.12",
         "@smithy/util-base64": "^4.3.2",
         "@smithy/util-body-length-browser": "^4.2.2",
         "@smithy/util-body-length-node": "^4.2.3",
-        "@smithy/util-defaults-mode-browser": "^4.3.41",
-        "@smithy/util-defaults-mode-node": "^4.2.44",
+        "@smithy/util-defaults-mode-browser": "^4.3.43",
+        "@smithy/util-defaults-mode-node": "^4.2.47",
         "@smithy/util-endpoints": "^3.3.3",
         "@smithy/util-middleware": "^4.2.12",
         "@smithy/util-retry": "^4.2.12",
@@ -553,13 +557,13 @@
       }
     },
     "node_modules/@aws-sdk/region-config-resolver": {
-      "version": "3.972.8",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/region-config-resolver/-/region-config-resolver-3.972.8.tgz",
-      "integrity": "sha512-1eD4uhTDeambO/PNIDVG19A6+v4NdD7xzwLHDutHsUqz0B+i661MwQB2eYO4/crcCvCiQG4SRm1k81k54FEIvw==",
+      "version": "3.972.10",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/region-config-resolver/-/region-config-resolver-3.972.10.tgz",
+      "integrity": "sha512-1dq9ToC6e070QvnVhhbAs3bb5r6cQ10gTVc6cyRV5uvQe7P138TV2uG2i6+Yok4bAkVAcx5AqkTEBUvWEtBlsQ==",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-sdk/types": "^3.973.6",
-        "@smithy/config-resolver": "^4.4.11",
+        "@smithy/config-resolver": "^4.4.13",
         "@smithy/node-config-provider": "^4.3.12",
         "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
@@ -569,13 +573,13 @@
       }
     },
     "node_modules/@aws-sdk/token-providers": {
-      "version": "3.1009.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/token-providers/-/token-providers-3.1009.0.tgz",
-      "integrity": "sha512-KCPLuTqN9u0Rr38Arln78fRG9KXpzsPWmof+PZzfAHMMQq2QED6YjQrkrfiH7PDefLWEposY1o4/eGwrmKA4JA==",
+      "version": "3.1018.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/token-providers/-/token-providers-3.1018.0.tgz",
+      "integrity": "sha512-97OPNJHy37wmGOX44xAcu6E9oSTiqK9uPcy/fWpmN5uB3JuEp1f6x60Xot/jp+FxwhQWIFUsVJFnm3QKqt7T6Q==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.973.20",
-        "@aws-sdk/nested-clients": "^3.996.10",
+        "@aws-sdk/core": "^3.973.25",
+        "@aws-sdk/nested-clients": "^3.996.15",
         "@aws-sdk/types": "^3.973.6",
         "@smithy/property-provider": "^4.2.12",
         "@smithy/shared-ini-file-loader": "^4.4.7",
@@ -640,12 +644,12 @@
       }
     },
     "node_modules/@aws-sdk/util-user-agent-node": {
-      "version": "3.973.7",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/util-user-agent-node/-/util-user-agent-node-3.973.7.tgz",
-      "integrity": "sha512-Hz6EZMUAEzqUd7e+vZ9LE7mn+5gMbxltXy18v+YSFY+9LBJz15wkNZvw5JqfX3z0FS9n3bgUtz3L5rAsfh4YlA==",
+      "version": "3.973.12",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/util-user-agent-node/-/util-user-agent-node-3.973.12.tgz",
+      "integrity": "sha512-8phW0TS8ntENJgDcFewYT/Q8dOmarpvSxEjATu2GUBAutiHr++oEGCiBUwxslCMNvwW2cAPZNT53S/ym8zm/gg==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/middleware-user-agent": "^3.972.21",
+        "@aws-sdk/middleware-user-agent": "^3.972.26",
         "@aws-sdk/types": "^3.973.6",
         "@smithy/node-config-provider": "^4.3.12",
         "@smithy/types": "^4.13.1",
@@ -665,9 +669,9 @@
       }
     },
     "node_modules/@aws-sdk/xml-builder": {
-      "version": "3.972.15",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/xml-builder/-/xml-builder-3.972.15.tgz",
-      "integrity": "sha512-PxMRlCFNiQnke9YR29vjFQwz4jq+6Q04rOVFeTDR2K7Qpv9h9FOWOxG+zJjageimYbWqE3bTuLjmryWHAWbvaA==",
+      "version": "3.972.16",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/xml-builder/-/xml-builder-3.972.16.tgz",
+      "integrity": "sha512-iu2pyvaqmeatIJLURLqx9D+4jKAdTH20ntzB6BFwjyN7V960r4jK32mx0Zf7YbtOYAbmbtQfDNuL60ONinyw7A==",
       "license": "Apache-2.0",
       "dependencies": {
         "@smithy/types": "^4.13.1",
@@ -687,579 +691,618 @@
         "node": ">=18.0.0"
       }
     },
-    "node_modules/@babel/helper-string-parser": {
-      "version": "7.27.1",
-      "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.27.1.tgz",
-      "integrity": "sha512-qMlSxKbpRlAridDExk92nSobyDdpPijUq2DW6oDnUqd0iOGxmQjyqhMIihI9+zv4LPyZdRje2cavWPbCbWm3eA==",
+    "node_modules/@babel/code-frame": {
+      "version": "7.29.0",
+      "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.29.0.tgz",
+      "integrity": "sha512-9NhCeYjq9+3uxgdtp20LSiJXJvN0FeCtNGpJxuMFZ1Kv3cWUNb6DOhJwUvcVCzKGR66cw4njwM6hrJLqgOwbcw==",
       "dev": true,
       "license": "MIT",
+      "dependencies": {
+        "@babel/helper-validator-identifier": "^7.28.5",
+        "js-tokens": "^4.0.0",
+        "picocolors": "^1.1.1"
+      },
       "engines": {
         "node": ">=6.9.0"
       }
     },
-    "node_modules/@babel/helper-validator-identifier": {
-      "version": "7.28.5",
-      "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.28.5.tgz",
-      "integrity": "sha512-qSs4ifwzKJSV39ucNjsvc6WVHs6b7S03sOh2OcHF9UHfVPqWWALUsNUVzhSBiItjRZoLHx7nIarVjqKVusUZ1Q==",
+    "node_modules/@babel/compat-data": {
+      "version": "7.29.0",
+      "resolved": "https://registry.npmjs.org/@babel/compat-data/-/compat-data-7.29.0.tgz",
+      "integrity": "sha512-T1NCJqT/j9+cn8fvkt7jtwbLBfLC/1y1c7NtCeXFRgzGTsafi68MRv8yzkYSapBnFA6L3U2VSc02ciDzoAJhJg==",
       "dev": true,
       "license": "MIT",
       "engines": {
         "node": ">=6.9.0"
       }
     },
-    "node_modules/@babel/parser": {
+    "node_modules/@babel/core": {
       "version": "7.29.0",
-      "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.0.tgz",
-      "integrity": "sha512-IyDgFV5GeDUVX4YdF/3CPULtVGSXXMLh1xVIgdCgxApktqnQV0r7/8Nqthg+8YLGaAtdyIlo2qIdZrbCv4+7ww==",
+      "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.29.0.tgz",
+      "integrity": "sha512-CGOfOJqWjg2qW/Mb6zNsDm+u5vFQ8DxXfbM09z69p5Z6+mE1ikP2jUXw+j42Pf1XTYED2Rni5f95npYeuwMDQA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@babel/types": "^7.29.0"
-      },
-      "bin": {
-        "parser": "bin/babel-parser.js"
+        "@babel/code-frame": "^7.29.0",
+        "@babel/generator": "^7.29.0",
+        "@babel/helper-compilation-targets": "^7.28.6",
+        "@babel/helper-module-transforms": "^7.28.6",
+        "@babel/helpers": "^7.28.6",
+        "@babel/parser": "^7.29.0",
+        "@babel/template": "^7.28.6",
+        "@babel/traverse": "^7.29.0",
+        "@babel/types": "^7.29.0",
+        "@jridgewell/remapping": "^2.3.5",
+        "convert-source-map": "^2.0.0",
+        "debug": "^4.1.0",
+        "gensync": "^1.0.0-beta.2",
+        "json5": "^2.2.3",
+        "semver": "^6.3.1"
       },
       "engines": {
-        "node": ">=6.0.0"
+        "node": ">=6.9.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/babel"
       }
     },
-    "node_modules/@babel/runtime": {
-      "version": "7.28.6",
-      "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.28.6.tgz",
-      "integrity": "sha512-05WQkdpL9COIMz4LjTxGpPNCdlpyimKppYNoJ5Di5EUObifl8t4tuLuUBBZEpoLYOmfvIWrsp9fCl0HoPRVTdA==",
-      "license": "MIT",
-      "engines": {
-        "node": ">=6.9.0"
+    "node_modules/@babel/core/node_modules/semver": {
+      "version": "6.3.1",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
+      "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
+      "dev": true,
+      "license": "ISC",
+      "bin": {
+        "semver": "bin/semver.js"
       }
     },
-    "node_modules/@babel/types": {
-      "version": "7.29.0",
-      "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.29.0.tgz",
-      "integrity": "sha512-LwdZHpScM4Qz8Xw2iKSzS+cfglZzJGvofQICy7W7v4caru4EaAmyUuO6BGrbyQ2mYV11W0U8j5mBhd14dd3B0A==",
+    "node_modules/@babel/generator": {
+      "version": "7.29.1",
+      "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.29.1.tgz",
+      "integrity": "sha512-qsaF+9Qcm2Qv8SRIMMscAvG4O3lJ0F1GuMo5HR/Bp02LopNgnZBC/EkbevHFeGs4ls/oPz9v+Bsmzbkbe+0dUw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@babel/helper-string-parser": "^7.27.1",
-        "@babel/helper-validator-identifier": "^7.28.5"
+        "@babel/parser": "^7.29.0",
+        "@babel/types": "^7.29.0",
+        "@jridgewell/gen-mapping": "^0.3.12",
+        "@jridgewell/trace-mapping": "^0.3.28",
+        "jsesc": "^3.0.2"
       },
       "engines": {
         "node": ">=6.9.0"
       }
     },
-    "node_modules/@balena/dockerignore": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/@balena/dockerignore/-/dockerignore-1.0.2.tgz",
-      "integrity": "sha512-wMue2Sy4GAVTk6Ic4tJVcnfdau+gx2EnG7S+uAEe+TWJFqE4YoWN4/H8MSLj4eYJKxGg26lZwboEniNiNwZQ6Q==",
-      "license": "Apache-2.0"
-    },
-    "node_modules/@bcoe/v8-coverage": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/@bcoe/v8-coverage/-/v8-coverage-1.0.2.tgz",
-      "integrity": "sha512-6zABk/ECA/QYSCQ1NGiVwwbQerUCZ+TQbp64Q3AgmfNvurHH0j8TtXa1qbShXA6qqkpAj4V5W8pP6mLe1mcMqA==",
+    "node_modules/@babel/helper-annotate-as-pure": {
+      "version": "7.27.3",
+      "resolved": "https://registry.npmjs.org/@babel/helper-annotate-as-pure/-/helper-annotate-as-pure-7.27.3.tgz",
+      "integrity": "sha512-fXSwMQqitTGeHLBC08Eq5yXz2m37E4pJX1qAU1+2cNedz/ifv/bVXft90VeSav5nFO61EcNgwr0aJxbyPaWBPg==",
       "dev": true,
       "license": "MIT",
+      "dependencies": {
+        "@babel/types": "^7.27.3"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
       }
     },
-    "node_modules/@cspotcode/source-map-support": {
-      "version": "0.8.1",
-      "resolved": "https://registry.npmjs.org/@cspotcode/source-map-support/-/source-map-support-0.8.1.tgz",
-      "integrity": "sha512-IchNf6dN4tHoMFIn/7OE8LWZ19Y6q/67Bmf6vnGREv8RSbBVb9LPJxEcnwrcwX6ixSvaiGoomAUvu4YSxXrVgw==",
+    "node_modules/@babel/helper-compilation-targets": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.28.6.tgz",
+      "integrity": "sha512-JYtls3hqi15fcx5GaSNL7SCTJ2MNmjrkHXg4FSpOA/grxK8KwyZ5bubHsCq8FXCkua6xhuaaBit+3b7+VZRfcA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@jridgewell/trace-mapping": "0.3.9"
+        "@babel/compat-data": "^7.28.6",
+        "@babel/helper-validator-option": "^7.27.1",
+        "browserslist": "^4.24.0",
+        "lru-cache": "^5.1.1",
+        "semver": "^6.3.1"
       },
       "engines": {
-        "node": ">=12"
+        "node": ">=6.9.0"
       }
     },
-    "node_modules/@cspotcode/source-map-support/node_modules/@jridgewell/trace-mapping": {
-      "version": "0.3.9",
-      "resolved": "https://registry.npmjs.org/@jridgewell/trace-mapping/-/trace-mapping-0.3.9.tgz",
-      "integrity": "sha512-3Belt6tdc8bPgAtbcmdtNJlirVoTmEb5e2gC94PnkwEW9jI6CAHUeoG85tjWP5WquqfavoMtMwiG4P926ZKKuQ==",
+    "node_modules/@babel/helper-compilation-targets/node_modules/semver": {
+      "version": "6.3.1",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
+      "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
       "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@jridgewell/resolve-uri": "^3.0.3",
-        "@jridgewell/sourcemap-codec": "^1.4.10"
+      "license": "ISC",
+      "bin": {
+        "semver": "bin/semver.js"
       }
     },
-    "node_modules/@emnapi/core": {
-      "version": "1.8.1",
-      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.8.1.tgz",
-      "integrity": "sha512-AvT9QFpxK0Zd8J0jopedNm+w/2fIzvtPKPjqyw9jwvBaReTTqPBk9Hixaz7KbjimP+QNz605/XnjFcDAL2pqBg==",
+    "node_modules/@babel/helper-create-class-features-plugin": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/helper-create-class-features-plugin/-/helper-create-class-features-plugin-7.28.6.tgz",
+      "integrity": "sha512-dTOdvsjnG3xNT9Y0AUg1wAl38y+4Rl4sf9caSQZOXdNqVn+H+HbbJ4IyyHaIqNR6SW9oJpA/RuRjsjCw2IdIow==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
       "dependencies": {
-        "@emnapi/wasi-threads": "1.1.0",
-        "tslib": "^2.4.0"
+        "@babel/helper-annotate-as-pure": "^7.27.3",
+        "@babel/helper-member-expression-to-functions": "^7.28.5",
+        "@babel/helper-optimise-call-expression": "^7.27.1",
+        "@babel/helper-replace-supers": "^7.28.6",
+        "@babel/helper-skip-transparent-expression-wrappers": "^7.27.1",
+        "@babel/traverse": "^7.28.6",
+        "semver": "^6.3.1"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0"
       }
     },
-    "node_modules/@emnapi/runtime": {
-      "version": "1.8.1",
-      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.8.1.tgz",
-      "integrity": "sha512-mehfKSMWjjNol8659Z8KxEMrdSJDDot5SXMq00dM8BN4o+CLNXQ0xH2V7EchNHV4RmbZLmmPdEaXZc5H2FXmDg==",
+    "node_modules/@babel/helper-create-class-features-plugin/node_modules/semver": {
+      "version": "6.3.1",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
+      "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
       "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "dependencies": {
-        "tslib": "^2.4.0"
+      "license": "ISC",
+      "bin": {
+        "semver": "bin/semver.js"
       }
     },
-    "node_modules/@emnapi/wasi-threads": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/@emnapi/wasi-threads/-/wasi-threads-1.1.0.tgz",
-      "integrity": "sha512-WI0DdZ8xFSbgMjR1sFsKABJ/C5OnRrjT06JXbZKexJGrDuPTzZdDYfFlsgcCXCyf+suG5QU2e/y1Wo2V/OapLQ==",
+    "node_modules/@babel/helper-globals": {
+      "version": "7.28.0",
+      "resolved": "https://registry.npmjs.org/@babel/helper-globals/-/helper-globals-7.28.0.tgz",
+      "integrity": "sha512-+W6cISkXFa1jXsDEdYA8HeevQT/FULhxzR99pxphltZcVaugps53THCeiWA8SguxxpSp3gKPiuYfSWopkLQ4hw==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "dependencies": {
-        "tslib": "^2.4.0"
+      "engines": {
+        "node": ">=6.9.0"
       }
     },
-    "node_modules/@esbuild/aix-ppc64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.3.tgz",
-      "integrity": "sha512-9fJMTNFTWZMh5qwrBItuziu834eOCUcEqymSH7pY+zoMVEZg3gcPuBNxH1EvfVYe9h0x/Ptw8KBzv7qxb7l8dg==",
-      "cpu": [
-        "ppc64"
-      ],
+    "node_modules/@babel/helper-member-expression-to-functions": {
+      "version": "7.28.5",
+      "resolved": "https://registry.npmjs.org/@babel/helper-member-expression-to-functions/-/helper-member-expression-to-functions-7.28.5.tgz",
+      "integrity": "sha512-cwM7SBRZcPCLgl8a7cY0soT1SptSzAlMH39vwiRpOQkJlh53r5hdHwLSCZpQdVLT39sZt+CRpNwYG4Y2v77atg==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "aix"
-      ],
+      "dependencies": {
+        "@babel/traverse": "^7.28.5",
+        "@babel/types": "^7.28.5"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
       }
     },
-    "node_modules/@esbuild/android-arm": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.27.3.tgz",
-      "integrity": "sha512-i5D1hPY7GIQmXlXhs2w8AWHhenb00+GxjxRncS2ZM7YNVGNfaMxgzSGuO8o8SJzRc/oZwU2bcScvVERk03QhzA==",
-      "cpu": [
-        "arm"
-      ],
+    "node_modules/@babel/helper-module-imports": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.28.6.tgz",
+      "integrity": "sha512-l5XkZK7r7wa9LucGw9LwZyyCUscb4x37JWTPz7swwFE/0FMQAGpiWUZn8u9DzkSBWEcK25jmvubfpw2dnAMdbw==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "android"
-      ],
+      "dependencies": {
+        "@babel/traverse": "^7.28.6",
+        "@babel/types": "^7.28.6"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
       }
     },
-    "node_modules/@esbuild/android-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.27.3.tgz",
-      "integrity": "sha512-YdghPYUmj/FX2SYKJ0OZxf+iaKgMsKHVPF1MAq/P8WirnSpCStzKJFjOjzsW0QQ7oIAiccHdcqjbHmJxRb/dmg==",
-      "cpu": [
-        "arm64"
-      ],
+    "node_modules/@babel/helper-module-transforms": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.28.6.tgz",
+      "integrity": "sha512-67oXFAYr2cDLDVGLXTEABjdBJZ6drElUSI7WKp70NrpyISso3plG9SAGEF6y7zbha/wOzUByWWTJvEDVNIUGcA==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "android"
-      ],
+      "dependencies": {
+        "@babel/helper-module-imports": "^7.28.6",
+        "@babel/helper-validator-identifier": "^7.28.5",
+        "@babel/traverse": "^7.28.6"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0"
       }
     },
-    "node_modules/@esbuild/android-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.27.3.tgz",
-      "integrity": "sha512-IN/0BNTkHtk8lkOM8JWAYFg4ORxBkZQf9zXiEOfERX/CzxW3Vg1ewAhU7QSWQpVIzTW+b8Xy+lGzdYXV6UZObQ==",
-      "cpu": [
-        "x64"
-      ],
+    "node_modules/@babel/helper-optimise-call-expression": {
+      "version": "7.27.1",
+      "resolved": "https://registry.npmjs.org/@babel/helper-optimise-call-expression/-/helper-optimise-call-expression-7.27.1.tgz",
+      "integrity": "sha512-URMGH08NzYFhubNSGJrpUEphGKQwMQYBySzat5cAByY1/YgIRkULnIy3tAMeszlL/so2HbeilYloUmSpd7GdVw==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "android"
-      ],
+      "dependencies": {
+        "@babel/types": "^7.27.1"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
       }
     },
-    "node_modules/@esbuild/darwin-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.27.3.tgz",
-      "integrity": "sha512-Re491k7ByTVRy0t3EKWajdLIr0gz2kKKfzafkth4Q8A5n1xTHrkqZgLLjFEHVD+AXdUGgQMq+Godfq45mGpCKg==",
-      "cpu": [
-        "arm64"
-      ],
+    "node_modules/@babel/helper-plugin-utils": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.28.6.tgz",
+      "integrity": "sha512-S9gzZ/bz83GRysI7gAD4wPT/AI3uCnY+9xn+Mx/KPs2JwHJIz1W8PZkg2cqyt3RNOBM8ejcXhV6y8Og7ly/Dug==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "darwin"
-      ],
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
       }
     },
-    "node_modules/@esbuild/darwin-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.27.3.tgz",
-      "integrity": "sha512-vHk/hA7/1AckjGzRqi6wbo+jaShzRowYip6rt6q7VYEDX4LEy1pZfDpdxCBnGtl+A5zq8iXDcyuxwtv3hNtHFg==",
-      "cpu": [
-        "x64"
-      ],
+    "node_modules/@babel/helper-replace-supers": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/helper-replace-supers/-/helper-replace-supers-7.28.6.tgz",
+      "integrity": "sha512-mq8e+laIk94/yFec3DxSjCRD2Z0TAjhVbEJY3UQrlwVo15Lmt7C2wAUbK4bjnTs4APkwsYLTahXRraQXhb1WCg==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "darwin"
-      ],
+      "dependencies": {
+        "@babel/helper-member-expression-to-functions": "^7.28.5",
+        "@babel/helper-optimise-call-expression": "^7.27.1",
+        "@babel/traverse": "^7.28.6"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0"
       }
     },
-    "node_modules/@esbuild/freebsd-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.3.tgz",
-      "integrity": "sha512-ipTYM2fjt3kQAYOvo6vcxJx3nBYAzPjgTCk7QEgZG8AUO3ydUhvelmhrbOheMnGOlaSFUoHXB6un+A7q4ygY9w==",
-      "cpu": [
-        "arm64"
-      ],
+    "node_modules/@babel/helper-skip-transparent-expression-wrappers": {
+      "version": "7.27.1",
+      "resolved": "https://registry.npmjs.org/@babel/helper-skip-transparent-expression-wrappers/-/helper-skip-transparent-expression-wrappers-7.27.1.tgz",
+      "integrity": "sha512-Tub4ZKEXqbPjXgWLl2+3JpQAYBJ8+ikpQ2Ocj/q/r0LwE3UhENh7EUabyHjz2kCEsrRY83ew2DQdHluuiDQFzg==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "freebsd"
-      ],
+      "dependencies": {
+        "@babel/traverse": "^7.27.1",
+        "@babel/types": "^7.27.1"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
       }
     },
-    "node_modules/@esbuild/freebsd-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.27.3.tgz",
-      "integrity": "sha512-dDk0X87T7mI6U3K9VjWtHOXqwAMJBNN2r7bejDsc+j03SEjtD9HrOl8gVFByeM0aJksoUuUVU9TBaZa2rgj0oA==",
-      "cpu": [
-        "x64"
-      ],
+    "node_modules/@babel/helper-string-parser": {
+      "version": "7.27.1",
+      "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.27.1.tgz",
+      "integrity": "sha512-qMlSxKbpRlAridDExk92nSobyDdpPijUq2DW6oDnUqd0iOGxmQjyqhMIihI9+zv4LPyZdRje2cavWPbCbWm3eA==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "freebsd"
-      ],
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
       }
     },
-    "node_modules/@esbuild/linux-arm": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.27.3.tgz",
-      "integrity": "sha512-s6nPv2QkSupJwLYyfS+gwdirm0ukyTFNl3KTgZEAiJDd+iHZcbTPPcWCcRYH+WlNbwChgH2QkE9NSlNrMT8Gfw==",
-      "cpu": [
-        "arm"
-      ],
+    "node_modules/@babel/helper-validator-identifier": {
+      "version": "7.28.5",
+      "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.28.5.tgz",
+      "integrity": "sha512-qSs4ifwzKJSV39ucNjsvc6WVHs6b7S03sOh2OcHF9UHfVPqWWALUsNUVzhSBiItjRZoLHx7nIarVjqKVusUZ1Q==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
       }
     },
-    "node_modules/@esbuild/linux-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.27.3.tgz",
-      "integrity": "sha512-sZOuFz/xWnZ4KH3YfFrKCf1WyPZHakVzTiqji3WDc0BCl2kBwiJLCXpzLzUBLgmp4veFZdvN5ChW4Eq/8Fc2Fg==",
-      "cpu": [
-        "arm64"
-      ],
+    "node_modules/@babel/helper-validator-option": {
+      "version": "7.27.1",
+      "resolved": "https://registry.npmjs.org/@babel/helper-validator-option/-/helper-validator-option-7.27.1.tgz",
+      "integrity": "sha512-YvjJow9FxbhFFKDSuFnVCe2WxXk1zWc22fFePVNEaWJEu8IrZVlda6N0uHwzZrUM1il7NC9Mlp4MaJYbYd9JSg==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
       }
     },
-    "node_modules/@esbuild/linux-ia32": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.27.3.tgz",
-      "integrity": "sha512-yGlQYjdxtLdh0a3jHjuwOrxQjOZYD/C9PfdbgJJF3TIZWnm/tMd/RcNiLngiu4iwcBAOezdnSLAwQDPqTmtTYg==",
-      "cpu": [
-        "ia32"
-      ],
+    "node_modules/@babel/helpers": {
+      "version": "7.29.2",
+      "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.29.2.tgz",
+      "integrity": "sha512-HoGuUs4sCZNezVEKdVcwqmZN8GoHirLUcLaYVNBK2J0DadGtdcqgr3BCbvH8+XUo4NGjNl3VOtSjEKNzqfFgKw==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
+      "dependencies": {
+        "@babel/template": "^7.28.6",
+        "@babel/types": "^7.29.0"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
       }
     },
-    "node_modules/@esbuild/linux-loong64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.27.3.tgz",
-      "integrity": "sha512-WO60Sn8ly3gtzhyjATDgieJNet/KqsDlX5nRC5Y3oTFcS1l0KWba+SEa9Ja1GfDqSF1z6hif/SkpQJbL63cgOA==",
-      "cpu": [
-        "loong64"
-      ],
+    "node_modules/@babel/parser": {
+      "version": "7.29.2",
+      "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.2.tgz",
+      "integrity": "sha512-4GgRzy/+fsBa72/RZVJmGKPmZu9Byn8o4MoLpmNe1m8ZfYnz5emHLQz3U4gLud6Zwl0RZIcgiLD7Uq7ySFuDLA==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "engines": {
-        "node": ">=18"
+      "dependencies": {
+        "@babel/types": "^7.29.0"
+      },
+      "bin": {
+        "parser": "bin/babel-parser.js"
+      },
+      "engines": {
+        "node": ">=6.0.0"
       }
     },
-    "node_modules/@esbuild/linux-mips64el": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.27.3.tgz",
-      "integrity": "sha512-APsymYA6sGcZ4pD6k+UxbDjOFSvPWyZhjaiPyl/f79xKxwTnrn5QUnXR5prvetuaSMsb4jgeHewIDCIWljrSxw==",
-      "cpu": [
-        "mips64el"
-      ],
+    "node_modules/@babel/plugin-proposal-decorators": {
+      "version": "7.29.0",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-proposal-decorators/-/plugin-proposal-decorators-7.29.0.tgz",
+      "integrity": "sha512-CVBVv3VY/XRMxRYq5dwr2DS7/MvqPm23cOCjbwNnVrfOqcWlnefua1uUs0sjdKOGjvPUG633o07uWzJq4oI6dA==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
+      "dependencies": {
+        "@babel/helper-create-class-features-plugin": "^7.28.6",
+        "@babel/helper-plugin-utils": "^7.28.6",
+        "@babel/plugin-syntax-decorators": "^7.28.6"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
       }
     },
-    "node_modules/@esbuild/linux-ppc64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.27.3.tgz",
-      "integrity": "sha512-eizBnTeBefojtDb9nSh4vvVQ3V9Qf9Df01PfawPcRzJH4gFSgrObw+LveUyDoKU3kxi5+9RJTCWlj4FjYXVPEA==",
-      "cpu": [
-        "ppc64"
-      ],
+    "node_modules/@babel/plugin-syntax-decorators": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-decorators/-/plugin-syntax-decorators-7.28.6.tgz",
+      "integrity": "sha512-71EYI0ONURHJBL4rSFXnITXqXrrY8q4P0q006DPfN+Rk+ASM+++IBXem/ruokgBZR8YNEWZ8R6B+rCb8VcUTqA==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
+      "dependencies": {
+        "@babel/helper-plugin-utils": "^7.28.6"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
       }
     },
-    "node_modules/@esbuild/linux-riscv64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.27.3.tgz",
-      "integrity": "sha512-3Emwh0r5wmfm3ssTWRQSyVhbOHvqegUDRd0WhmXKX2mkHJe1SFCMJhagUleMq+Uci34wLSipf8Lagt4LlpRFWQ==",
-      "cpu": [
-        "riscv64"
-      ],
+    "node_modules/@babel/plugin-syntax-jsx": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-jsx/-/plugin-syntax-jsx-7.28.6.tgz",
+      "integrity": "sha512-wgEmr06G6sIpqr8YDwA2dSRTE3bJ+V0IfpzfSY3Lfgd7YWOaAdlykvJi13ZKBt8cZHfgH1IXN+CL656W3uUa4w==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
+      "dependencies": {
+        "@babel/helper-plugin-utils": "^7.28.6"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
       }
     },
-    "node_modules/@esbuild/linux-s390x": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.27.3.tgz",
-      "integrity": "sha512-pBHUx9LzXWBc7MFIEEL0yD/ZVtNgLytvx60gES28GcWMqil8ElCYR4kvbV2BDqsHOvVDRrOxGySBM9Fcv744hw==",
-      "cpu": [
-        "s390x"
-      ],
+    "node_modules/@babel/plugin-syntax-typescript": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-typescript/-/plugin-syntax-typescript-7.28.6.tgz",
+      "integrity": "sha512-+nDNmQye7nlnuuHDboPbGm00Vqg3oO8niRRL27/4LYHUsHYh0zJ1xWOz0uRwNFmM1Avzk8wZbc6rdiYhomzv/A==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
+      "dependencies": {
+        "@babel/helper-plugin-utils": "^7.28.6"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
       }
     },
-    "node_modules/@esbuild/linux-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.27.3.tgz",
-      "integrity": "sha512-Czi8yzXUWIQYAtL/2y6vogER8pvcsOsk5cpwL4Gk5nJqH5UZiVByIY8Eorm5R13gq+DQKYg0+JyQoytLQas4dA==",
-      "cpu": [
-        "x64"
-      ],
+    "node_modules/@babel/plugin-transform-destructuring": {
+      "version": "7.28.5",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-destructuring/-/plugin-transform-destructuring-7.28.5.tgz",
+      "integrity": "sha512-Kl9Bc6D0zTUcFUvkNuQh4eGXPKKNDOJQXVyyM4ZAQPMveniJdxi8XMJwLo+xSoW3MIq81bD33lcUe9kZpl0MCw==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
+      "dependencies": {
+        "@babel/helper-plugin-utils": "^7.27.1",
+        "@babel/traverse": "^7.28.5"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
       }
     },
-    "node_modules/@esbuild/netbsd-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.3.tgz",
-      "integrity": "sha512-sDpk0RgmTCR/5HguIZa9n9u+HVKf40fbEUt+iTzSnCaGvY9kFP0YKBWZtJaraonFnqef5SlJ8/TiPAxzyS+UoA==",
-      "cpu": [
-        "arm64"
-      ],
+    "node_modules/@babel/plugin-transform-explicit-resource-management": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-explicit-resource-management/-/plugin-transform-explicit-resource-management-7.28.6.tgz",
+      "integrity": "sha512-Iao5Konzx2b6g7EPqTy40UZbcdXE126tTxVFr/nAIj+WItNxjKSYTEw3RC+A2/ZetmdJsgueL1KhaMCQHkLPIg==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "netbsd"
-      ],
+      "dependencies": {
+        "@babel/helper-plugin-utils": "^7.28.6",
+        "@babel/plugin-transform-destructuring": "^7.28.5"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
       }
     },
-    "node_modules/@esbuild/netbsd-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.27.3.tgz",
-      "integrity": "sha512-P14lFKJl/DdaE00LItAukUdZO5iqNH7+PjoBm+fLQjtxfcfFE20Xf5CrLsmZdq5LFFZzb5JMZ9grUwvtVYzjiA==",
-      "cpu": [
-        "x64"
-      ],
+    "node_modules/@babel/plugin-transform-modules-commonjs": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-modules-commonjs/-/plugin-transform-modules-commonjs-7.28.6.tgz",
+      "integrity": "sha512-jppVbf8IV9iWWwWTQIxJMAJCWBuuKx71475wHwYytrRGQ2CWiDvYlADQno3tcYpS/T2UUWFQp3nVtYfK/YBQrA==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "netbsd"
-      ],
+      "dependencies": {
+        "@babel/helper-module-transforms": "^7.28.6",
+        "@babel/helper-plugin-utils": "^7.28.6"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
       }
     },
-    "node_modules/@esbuild/openbsd-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.3.tgz",
-      "integrity": "sha512-AIcMP77AvirGbRl/UZFTq5hjXK+2wC7qFRGoHSDrZ5v5b8DK/GYpXW3CPRL53NkvDqb9D+alBiC/dV0Fb7eJcw==",
-      "cpu": [
-        "arm64"
-      ],
+    "node_modules/@babel/plugin-transform-typescript": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-typescript/-/plugin-transform-typescript-7.28.6.tgz",
+      "integrity": "sha512-0YWL2RFxOqEm9Efk5PvreamxPME8OyY0wM5wh5lHjF+VtVhdneCWGzZeSqzOfiobVqQaNCd2z0tQvnI9DaPWPw==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "openbsd"
-      ],
+      "dependencies": {
+        "@babel/helper-annotate-as-pure": "^7.27.3",
+        "@babel/helper-create-class-features-plugin": "^7.28.6",
+        "@babel/helper-plugin-utils": "^7.28.6",
+        "@babel/helper-skip-transparent-expression-wrappers": "^7.27.1",
+        "@babel/plugin-syntax-typescript": "^7.28.6"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
       }
     },
-    "node_modules/@esbuild/openbsd-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.27.3.tgz",
-      "integrity": "sha512-DnW2sRrBzA+YnE70LKqnM3P+z8vehfJWHXECbwBmH/CU51z6FiqTQTHFenPlHmo3a8UgpLyH3PT+87OViOh1AQ==",
-      "cpu": [
-        "x64"
-      ],
+    "node_modules/@babel/preset-typescript": {
+      "version": "7.28.5",
+      "resolved": "https://registry.npmjs.org/@babel/preset-typescript/-/preset-typescript-7.28.5.tgz",
+      "integrity": "sha512-+bQy5WOI2V6LJZpPVxY+yp66XdZ2yifu0Mc1aP5CQKgjn4QM5IN2i5fAZ4xKop47pr8rpVhiAeu+nDQa12C8+g==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "openbsd"
-      ],
+      "dependencies": {
+        "@babel/helper-plugin-utils": "^7.27.1",
+        "@babel/helper-validator-option": "^7.27.1",
+        "@babel/plugin-syntax-jsx": "^7.27.1",
+        "@babel/plugin-transform-modules-commonjs": "^7.27.1",
+        "@babel/plugin-transform-typescript": "^7.28.5"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
       }
     },
-    "node_modules/@esbuild/openharmony-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.3.tgz",
-      "integrity": "sha512-NinAEgr/etERPTsZJ7aEZQvvg/A6IsZG/LgZy+81wON2huV7SrK3e63dU0XhyZP4RKGyTm7aOgmQk0bGp0fy2g==",
-      "cpu": [
-        "arm64"
-      ],
+    "node_modules/@babel/runtime": {
+      "version": "7.29.2",
+      "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.29.2.tgz",
+      "integrity": "sha512-JiDShH45zKHWyGe4ZNVRrCjBz8Nh9TMmZG1kh4QTK8hCBTWBi8Da+i7s1fJw7/lYpM4ccepSNfqzZ/QvABBi5g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/template": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.28.6.tgz",
+      "integrity": "sha512-YA6Ma2KsCdGb+WC6UpBVFJGXL58MDA6oyONbjyF/+5sBgxY/dwkhLogbMT2GXXyU84/IhRw/2D1Os1B/giz+BQ==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "openharmony"
-      ],
+      "dependencies": {
+        "@babel/code-frame": "^7.28.6",
+        "@babel/parser": "^7.28.6",
+        "@babel/types": "^7.28.6"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
       }
     },
-    "node_modules/@esbuild/sunos-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.27.3.tgz",
-      "integrity": "sha512-PanZ+nEz+eWoBJ8/f8HKxTTD172SKwdXebZ0ndd953gt1HRBbhMsaNqjTyYLGLPdoWHy4zLU7bDVJztF5f3BHA==",
-      "cpu": [
-        "x64"
-      ],
+    "node_modules/@babel/traverse": {
+      "version": "7.29.0",
+      "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.29.0.tgz",
+      "integrity": "sha512-4HPiQr0X7+waHfyXPZpWPfWL/J7dcN1mx9gL6WdQVMbPnF3+ZhSMs8tCxN7oHddJE9fhNE7+lxdnlyemKfJRuA==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "sunos"
-      ],
+      "dependencies": {
+        "@babel/code-frame": "^7.29.0",
+        "@babel/generator": "^7.29.0",
+        "@babel/helper-globals": "^7.28.0",
+        "@babel/parser": "^7.29.0",
+        "@babel/template": "^7.28.6",
+        "@babel/types": "^7.29.0",
+        "debug": "^4.3.1"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
       }
     },
-    "node_modules/@esbuild/win32-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.27.3.tgz",
-      "integrity": "sha512-B2t59lWWYrbRDw/tjiWOuzSsFh1Y/E95ofKz7rIVYSQkUYBjfSgf6oeYPNWHToFRr2zx52JKApIcAS/D5TUBnA==",
-      "cpu": [
-        "arm64"
-      ],
+    "node_modules/@babel/types": {
+      "version": "7.29.0",
+      "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.29.0.tgz",
+      "integrity": "sha512-LwdZHpScM4Qz8Xw2iKSzS+cfglZzJGvofQICy7W7v4caru4EaAmyUuO6BGrbyQ2mYV11W0U8j5mBhd14dd3B0A==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "win32"
-      ],
+      "dependencies": {
+        "@babel/helper-string-parser": "^7.27.1",
+        "@babel/helper-validator-identifier": "^7.28.5"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
       }
     },
-    "node_modules/@esbuild/win32-ia32": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.3.tgz",
-      "integrity": "sha512-QLKSFeXNS8+tHW7tZpMtjlNb7HKau0QDpwm49u0vUp9y1WOF+PEzkU84y9GqYaAVW8aH8f3GcBck26jh54cX4Q==",
-      "cpu": [
-        "ia32"
-      ],
+    "node_modules/@balena/dockerignore": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/@balena/dockerignore/-/dockerignore-1.0.2.tgz",
+      "integrity": "sha512-wMue2Sy4GAVTk6Ic4tJVcnfdau+gx2EnG7S+uAEe+TWJFqE4YoWN4/H8MSLj4eYJKxGg26lZwboEniNiNwZQ6Q==",
+      "license": "Apache-2.0"
+    },
+    "node_modules/@bcoe/v8-coverage": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/@bcoe/v8-coverage/-/v8-coverage-1.0.2.tgz",
+      "integrity": "sha512-6zABk/ECA/QYSCQ1NGiVwwbQerUCZ+TQbp64Q3AgmfNvurHH0j8TtXa1qbShXA6qqkpAj4V5W8pP6mLe1mcMqA==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "win32"
-      ],
       "engines": {
         "node": ">=18"
       }
     },
-    "node_modules/@esbuild/win32-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.27.3.tgz",
-      "integrity": "sha512-4uJGhsxuptu3OcpVAzli+/gWusVGwZZHTlS63hh++ehExkVT8SgiEf7/uC/PclrPPkLhZqGgCTjd0VWLo6xMqA==",
-      "cpu": [
-        "x64"
-      ],
+    "node_modules/@cspotcode/source-map-support": {
+      "version": "0.8.1",
+      "resolved": "https://registry.npmjs.org/@cspotcode/source-map-support/-/source-map-support-0.8.1.tgz",
+      "integrity": "sha512-IchNf6dN4tHoMFIn/7OE8LWZ19Y6q/67Bmf6vnGREv8RSbBVb9LPJxEcnwrcwX6ixSvaiGoomAUvu4YSxXrVgw==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "win32"
-      ],
+      "dependencies": {
+        "@jridgewell/trace-mapping": "0.3.9"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=12"
+      }
+    },
+    "node_modules/@cspotcode/source-map-support/node_modules/@jridgewell/trace-mapping": {
+      "version": "0.3.9",
+      "resolved": "https://registry.npmjs.org/@jridgewell/trace-mapping/-/trace-mapping-0.3.9.tgz",
+      "integrity": "sha512-3Belt6tdc8bPgAtbcmdtNJlirVoTmEb5e2gC94PnkwEW9jI6CAHUeoG85tjWP5WquqfavoMtMwiG4P926ZKKuQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@jridgewell/resolve-uri": "^3.0.3",
+        "@jridgewell/sourcemap-codec": "^1.4.10"
+      }
+    },
+    "node_modules/@emnapi/core": {
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.9.1.tgz",
+      "integrity": "sha512-mukuNALVsoix/w1BJwFzwXBN/dHeejQtuVzcDsfOEsdpCumXb/E9j8w11h5S54tT1xhifGfbbSm/ICrObRb3KA==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "@emnapi/wasi-threads": "1.2.0",
+        "tslib": "^2.4.0"
+      }
+    },
+    "node_modules/@emnapi/runtime": {
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.9.1.tgz",
+      "integrity": "sha512-VYi5+ZVLhpgK4hQ0TAjiQiZ6ol0oe4mBx7mVv7IflsiEp0OWoVsp/+f9Vc1hOhE0TtkORVrI1GvzyreqpgWtkA==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "tslib": "^2.4.0"
+      }
+    },
+    "node_modules/@emnapi/wasi-threads": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/@emnapi/wasi-threads/-/wasi-threads-1.2.0.tgz",
+      "integrity": "sha512-N10dEJNSsUx41Z6pZsXU8FjPjpBEplgH24sfkmITrBED1/U2Esum9F3lfLrMjKHHjmi557zQn7kR9R+XWXu5Rg==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "tslib": "^2.4.0"
       }
     },
     "node_modules/@fast-check/vitest": {
@@ -1364,124 +1407,840 @@
       "integrity": "sha512-EKQmr16tM8s16vTT3cA5L0kZZcTMU5DUOZTuvpnY738m+jyP3JIUj+Mm1xc1rsLkGBQ/gVnfKYPwOmPg1tUR4Q==",
       "license": "BSD-3-Clause"
     },
-    "node_modules/@hapi/tlds": {
-      "version": "1.1.6",
-      "resolved": "https://registry.npmjs.org/@hapi/tlds/-/tlds-1.1.6.tgz",
-      "integrity": "sha512-xdi7A/4NZokvV0ewovme3aUO5kQhW9pQ2YD1hRqZGhhSi5rBv4usHYidVocXSi9eihYsznZxLtAiEYYUL6VBGw==",
-      "license": "BSD-3-Clause",
+    "node_modules/@hapi/tlds": {
+      "version": "1.1.6",
+      "resolved": "https://registry.npmjs.org/@hapi/tlds/-/tlds-1.1.6.tgz",
+      "integrity": "sha512-xdi7A/4NZokvV0ewovme3aUO5kQhW9pQ2YD1hRqZGhhSi5rBv4usHYidVocXSi9eihYsznZxLtAiEYYUL6VBGw==",
+      "license": "BSD-3-Clause",
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
+    "node_modules/@hapi/topo": {
+      "version": "6.0.2",
+      "resolved": "https://registry.npmjs.org/@hapi/topo/-/topo-6.0.2.tgz",
+      "integrity": "sha512-KR3rD5inZbGMrHmgPxsJ9dbi6zEK+C3ZwUwTa+eMwWLz7oijWUTWD2pMSNNYJAU6Qq+65NkxXjqHr/7LM2Xkqg==",
+      "license": "BSD-3-Clause",
+      "dependencies": {
+        "@hapi/hoek": "^11.0.2"
+      }
+    },
+    "node_modules/@inquirer/ansi": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/@inquirer/ansi/-/ansi-2.0.4.tgz",
+      "integrity": "sha512-DpcZrQObd7S0R/U3bFdkcT5ebRwbTTC4D3tCc1vsJizmgPLxNJBo+AAFmrZwe8zk30P2QzgzGWZ3Q9uJwWuhIg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      }
+    },
+    "node_modules/@inquirer/checkbox": {
+      "version": "5.1.2",
+      "resolved": "https://registry.npmjs.org/@inquirer/checkbox/-/checkbox-5.1.2.tgz",
+      "integrity": "sha512-PubpMPO2nJgMufkoB3P2wwxNXEMUXnBIKi/ACzDUYfaoPuM7gSTmuxJeMscoLVEsR4qqrCMf5p0SiYGWnVJ8kw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@inquirer/ansi": "^2.0.4",
+        "@inquirer/core": "^11.1.7",
+        "@inquirer/figures": "^2.0.4",
+        "@inquirer/type": "^4.0.4"
+      },
+      "engines": {
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@inquirer/confirm": {
+      "version": "6.0.10",
+      "resolved": "https://registry.npmjs.org/@inquirer/confirm/-/confirm-6.0.10.tgz",
+      "integrity": "sha512-tiNyA73pgpQ0FQ7axqtoLUe4GDYjNCDcVsbgcA5anvwg2z6i+suEngLKKJrWKJolT//GFPZHwN30binDIHgSgQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@inquirer/core": "^11.1.7",
+        "@inquirer/type": "^4.0.4"
+      },
+      "engines": {
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@inquirer/core": {
+      "version": "11.1.7",
+      "resolved": "https://registry.npmjs.org/@inquirer/core/-/core-11.1.7.tgz",
+      "integrity": "sha512-1BiBNDk9btIwYIzNZpkikIHXWeNzNncJePPqwDyVMhXhD1ebqbpn1mKGctpoqAbzywZfdG0O4tvmsGIcOevAPQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@inquirer/ansi": "^2.0.4",
+        "@inquirer/figures": "^2.0.4",
+        "@inquirer/type": "^4.0.4",
+        "cli-width": "^4.1.0",
+        "fast-wrap-ansi": "^0.2.0",
+        "mute-stream": "^3.0.0",
+        "signal-exit": "^4.1.0"
+      },
+      "engines": {
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@inquirer/editor": {
+      "version": "5.0.10",
+      "resolved": "https://registry.npmjs.org/@inquirer/editor/-/editor-5.0.10.tgz",
+      "integrity": "sha512-VJx4XyaKea7t8hEApTw5dxeIyMtWXre2OiyJcICCRZI4hkoHsMoCnl/KbUnJJExLbH9csLLHMVR144ZhFE1CwA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@inquirer/core": "^11.1.7",
+        "@inquirer/external-editor": "^2.0.4",
+        "@inquirer/type": "^4.0.4"
+      },
+      "engines": {
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@inquirer/expand": {
+      "version": "5.0.10",
+      "resolved": "https://registry.npmjs.org/@inquirer/expand/-/expand-5.0.10.tgz",
+      "integrity": "sha512-fC0UHJPXsTRvY2fObiwuQYaAnHrp3aDqfwKUJSdfpgv18QUG054ezGbaRNStk/BKD5IPijeMKWej8VV8O5Q/eQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@inquirer/core": "^11.1.7",
+        "@inquirer/type": "^4.0.4"
+      },
+      "engines": {
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@inquirer/external-editor": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/@inquirer/external-editor/-/external-editor-2.0.4.tgz",
+      "integrity": "sha512-Prenuv9C1PHj2Itx0BcAOVBTonz02Hc2Nd2DbU67PdGUaqn0nPCnV34oDyyoaZHnmfRxkpuhh/u51ThkrO+RdA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "chardet": "^2.1.1",
+        "iconv-lite": "^0.7.2"
+      },
+      "engines": {
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@inquirer/figures": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/@inquirer/figures/-/figures-2.0.4.tgz",
+      "integrity": "sha512-eLBsjlS7rPS3WEhmOmh1znQ5IsQrxWzxWDxO51e4urv+iVrSnIHbq4zqJIOiyNdYLa+BVjwOtdetcQx1lWPpiQ==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      }
+    },
+    "node_modules/@inquirer/input": {
+      "version": "5.0.10",
+      "resolved": "https://registry.npmjs.org/@inquirer/input/-/input-5.0.10.tgz",
+      "integrity": "sha512-nvZ6qEVeX/zVtZ1dY2hTGDQpVGD3R7MYPLODPgKO8Y+RAqxkrP3i/3NwF3fZpLdaMiNuK0z2NaYIx9tPwiSegQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@inquirer/core": "^11.1.7",
+        "@inquirer/type": "^4.0.4"
+      },
+      "engines": {
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@inquirer/number": {
+      "version": "4.0.10",
+      "resolved": "https://registry.npmjs.org/@inquirer/number/-/number-4.0.10.tgz",
+      "integrity": "sha512-Ht8OQstxiS3APMGjHV0aYAjRAysidWdwurWEo2i8yI5xbhOBWqizT0+MU1S2GCcuhIBg+3SgWVjEoXgfhY+XaA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@inquirer/core": "^11.1.7",
+        "@inquirer/type": "^4.0.4"
+      },
+      "engines": {
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@inquirer/password": {
+      "version": "5.0.10",
+      "resolved": "https://registry.npmjs.org/@inquirer/password/-/password-5.0.10.tgz",
+      "integrity": "sha512-QbNyvIE8q2GTqKLYSsA8ATG+eETo+m31DSR0+AU7x3d2FhaTWzqQek80dj3JGTo743kQc6mhBR0erMjYw5jQ0A==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@inquirer/ansi": "^2.0.4",
+        "@inquirer/core": "^11.1.7",
+        "@inquirer/type": "^4.0.4"
+      },
+      "engines": {
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@inquirer/prompts": {
+      "version": "8.3.2",
+      "resolved": "https://registry.npmjs.org/@inquirer/prompts/-/prompts-8.3.2.tgz",
+      "integrity": "sha512-yFroiSj2iiBFlm59amdTvAcQFvWS6ph5oKESls/uqPBect7rTU2GbjyZO2DqxMGuIwVA8z0P4K6ViPcd/cp+0w==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@inquirer/checkbox": "^5.1.2",
+        "@inquirer/confirm": "^6.0.10",
+        "@inquirer/editor": "^5.0.10",
+        "@inquirer/expand": "^5.0.10",
+        "@inquirer/input": "^5.0.10",
+        "@inquirer/number": "^4.0.10",
+        "@inquirer/password": "^5.0.10",
+        "@inquirer/rawlist": "^5.2.6",
+        "@inquirer/search": "^4.1.6",
+        "@inquirer/select": "^5.1.2"
+      },
+      "engines": {
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@inquirer/rawlist": {
+      "version": "5.2.6",
+      "resolved": "https://registry.npmjs.org/@inquirer/rawlist/-/rawlist-5.2.6.tgz",
+      "integrity": "sha512-jfw0MLJ5TilNsa9zlJ6nmRM0ZFVZhhTICt4/6CU2Dv1ndY7l3sqqo1gIYZyMMDw0LvE1u1nzJNisfHEhJIxq5w==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@inquirer/core": "^11.1.7",
+        "@inquirer/type": "^4.0.4"
+      },
+      "engines": {
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@inquirer/search": {
+      "version": "4.1.6",
+      "resolved": "https://registry.npmjs.org/@inquirer/search/-/search-4.1.6.tgz",
+      "integrity": "sha512-3/6kTRae98hhDevENScy7cdFEuURnSpM3JbBNg8yfXLw88HgTOl+neUuy/l9W0No5NzGsLVydhBzTIxZP7yChQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@inquirer/core": "^11.1.7",
+        "@inquirer/figures": "^2.0.4",
+        "@inquirer/type": "^4.0.4"
+      },
+      "engines": {
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@inquirer/select": {
+      "version": "5.1.2",
+      "resolved": "https://registry.npmjs.org/@inquirer/select/-/select-5.1.2.tgz",
+      "integrity": "sha512-kTK8YIkHV+f02y7bWCh7E0u2/11lul5WepVTclr3UMBtBr05PgcZNWfMa7FY57ihpQFQH/spLMHTcr0rXy50tA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@inquirer/ansi": "^2.0.4",
+        "@inquirer/core": "^11.1.7",
+        "@inquirer/figures": "^2.0.4",
+        "@inquirer/type": "^4.0.4"
+      },
+      "engines": {
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@inquirer/type": {
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/@inquirer/type/-/type-4.0.4.tgz",
+      "integrity": "sha512-PamArxO3cFJZoOzspzo6cxVlLeIftyBsZw/S9bKY5DzxqJVZgjoj1oP8d0rskKtp7sZxBycsoer1g6UeJV1BBA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@jridgewell/gen-mapping": {
+      "version": "0.3.13",
+      "resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.13.tgz",
+      "integrity": "sha512-2kkt/7niJ6MgEPxF0bYdQ6etZaA+fQvDcLKckhy1yIQOzaoKjBBjSj63/aLVjYE3qhRt5dvM+uUyfCg6UKCBbA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@jridgewell/sourcemap-codec": "^1.5.0",
+        "@jridgewell/trace-mapping": "^0.3.24"
+      }
+    },
+    "node_modules/@jridgewell/remapping": {
+      "version": "2.3.5",
+      "resolved": "https://registry.npmjs.org/@jridgewell/remapping/-/remapping-2.3.5.tgz",
+      "integrity": "sha512-LI9u/+laYG4Ds1TDKSJW2YPrIlcVYOwi2fUC6xB43lueCjgxV4lffOCZCtYFiH6TNOX+tQKXx97T4IKHbhyHEQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@jridgewell/gen-mapping": "^0.3.5",
+        "@jridgewell/trace-mapping": "^0.3.24"
+      }
+    },
+    "node_modules/@jridgewell/resolve-uri": {
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.2.tgz",
+      "integrity": "sha512-bRISgCIjP20/tbWSPWMEi54QVPRZExkuD9lJL+UIxUKtwVJA8wW1Trb1jMs1RFXo1CBTNZ/5hpC9QvmKWdopKw==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.0.0"
+      }
+    },
+    "node_modules/@jridgewell/sourcemap-codec": {
+      "version": "1.5.5",
+      "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.5.5.tgz",
+      "integrity": "sha512-cYQ9310grqxueWbl+WuIUIaiUaDcj7WOq5fVhEljNVgRfOUhY9fy2zTvfoqWsnebh8Sl70VScFbICvJnLKB0Og==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@jridgewell/trace-mapping": {
+      "version": "0.3.31",
+      "resolved": "https://registry.npmjs.org/@jridgewell/trace-mapping/-/trace-mapping-0.3.31.tgz",
+      "integrity": "sha512-zzNR+SdQSDJzc8joaeP8QQoCQr8NuYx2dIIytl1QeBEZHJ9uW6hebsrYgbz8hJwUQao3TWCMtmfV8Nu1twOLAw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@jridgewell/resolve-uri": "^3.1.0",
+        "@jridgewell/sourcemap-codec": "^1.4.14"
+      }
+    },
+    "node_modules/@js-sdsl/ordered-map": {
+      "version": "4.4.2",
+      "resolved": "https://registry.npmjs.org/@js-sdsl/ordered-map/-/ordered-map-4.4.2.tgz",
+      "integrity": "sha512-iUKgm52T8HOE/makSxjqoWhe95ZJA1/G1sYsGev2JDKUSS14KAgg1LHb+Ba+IPow0xflbnSkOsZcO08C7w1gYw==",
+      "license": "MIT",
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/js-sdsl"
+      }
+    },
+    "node_modules/@napi-rs/wasm-runtime": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/@napi-rs/wasm-runtime/-/wasm-runtime-1.1.1.tgz",
+      "integrity": "sha512-p64ah1M1ld8xjWv3qbvFwHiFVWrq1yFvV4f7w+mzaqiR4IlSgkqhcRdHwsGgomwzBH51sRY4NEowLxnaBjcW/A==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "@emnapi/core": "^1.7.1",
+        "@emnapi/runtime": "^1.7.1",
+        "@tybys/wasm-util": "^0.10.1"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/Brooooooklyn"
+      }
+    },
+    "node_modules/@nodelib/fs.scandir": {
+      "version": "2.1.5",
+      "resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz",
+      "integrity": "sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@nodelib/fs.stat": "2.0.5",
+        "run-parallel": "^1.1.9"
+      },
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/@nodelib/fs.stat": {
+      "version": "2.0.5",
+      "resolved": "https://registry.npmjs.org/@nodelib/fs.stat/-/fs.stat-2.0.5.tgz",
+      "integrity": "sha512-RkhPPp2zrqDAQA/2jNhnztcPAlv64XdhIp7a7454A5ovI7Bukxgt7MX7udwAu3zg1DcpPU0rz3VV1SeaqvY4+A==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/@nodelib/fs.walk": {
+      "version": "1.2.8",
+      "resolved": "https://registry.npmjs.org/@nodelib/fs.walk/-/fs.walk-1.2.8.tgz",
+      "integrity": "sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@nodelib/fs.scandir": "2.1.5",
+        "fastq": "^1.6.0"
+      },
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/@opentelemetry/api": {
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/@opentelemetry/api/-/api-1.9.1.tgz",
+      "integrity": "sha512-gLyJlPHPZYdAk1JENA9LeHejZe1Ti77/pTeFm/nMXmQH/HFZlcS/O2XJB+L8fkbrNSqhdtlvjBVjxwUYanNH5Q==",
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=8.0.0"
+      }
+    },
+    "node_modules/@oxc-parser/binding-android-arm-eabi": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-android-arm-eabi/-/binding-android-arm-eabi-0.120.0.tgz",
+      "integrity": "sha512-WU3qtINx802wOl8RxAF1v0VvmC2O4D9M8Sv486nLeQ7iPHVmncYZrtBhB4SYyX+XZxj2PNnCcN+PW21jHgiOxg==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@oxc-parser/binding-android-arm64": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-android-arm64/-/binding-android-arm64-0.120.0.tgz",
+      "integrity": "sha512-SEf80EHdhlbjZEgzeWm0ZA/br4GKMenDW3QB/gtyeTV1gStvvZeFi40ioHDZvds2m4Z9J1bUAUL8yn1/+A6iGg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@oxc-parser/binding-darwin-arm64": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-darwin-arm64/-/binding-darwin-arm64-0.120.0.tgz",
+      "integrity": "sha512-xVrrbCai8R8CUIBu3CjryutQnEYhZqs1maIqDvtUCFZb8vY33H7uh9mHpL3a0JBIKoBUKjPH8+rzyAeXnS2d6A==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@oxc-parser/binding-darwin-x64": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-darwin-x64/-/binding-darwin-x64-0.120.0.tgz",
+      "integrity": "sha512-xyHBbnJ6mydnQUH7MAcafOkkrNzQC6T+LXgDH/3InEq2BWl/g424IMRiJVSpVqGjB+p2bd0h0WRR8iIwzjU7rw==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@oxc-parser/binding-freebsd-x64": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-freebsd-x64/-/binding-freebsd-x64-0.120.0.tgz",
+      "integrity": "sha512-UMnVRllquXUYTeNfFKmxTTEdZ/ix1nLl0ducDzMSREoWYGVIHnOOxoKMWlCOvRr9Wk/HZqo2rh1jeumbPGPV9A==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@oxc-parser/binding-linux-arm-gnueabihf": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-0.120.0.tgz",
+      "integrity": "sha512-tkvn2CQ7QdcsMnpfiX3fd3wA3EFsWKYlcQzq9cFw/xc89Al7W6Y4O0FgLVkVQpo0Tnq/qtE1XfkJOnRRA9S/NA==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@oxc-parser/binding-linux-arm-musleabihf": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm-musleabihf/-/binding-linux-arm-musleabihf-0.120.0.tgz",
+      "integrity": "sha512-WN5y135Ic42gQDk9grbwY9++fDhqf8knN6fnP+0WALlAUh4odY/BDK1nfTJRSfpJD9P3r1BwU0m3pW2DU89whQ==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@oxc-parser/binding-linux-arm64-gnu": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-0.120.0.tgz",
+      "integrity": "sha512-1GgQBCcXvFMw99EPdMy+4NZ3aYyXsxjf9kbUUg8HuAy3ZBXzOry5KfFEzT9nqmgZI1cuetvApkiJBZLAPo8uaw==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@oxc-parser/binding-linux-arm64-musl": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm64-musl/-/binding-linux-arm64-musl-0.120.0.tgz",
+      "integrity": "sha512-gmMQ70gsPdDBgpcErvJEoWNBr7bJooSLlvOBVBSGfOzlP5NvJ3bFvnUeZZ9d+dPrqSngtonf7nyzWUTUj/U+lw==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@oxc-parser/binding-linux-ppc64-gnu": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-0.120.0.tgz",
+      "integrity": "sha512-T/kZuU0ajop0xhzVMwH5r3srC9Nqup5HaIo+3uFjIN5uPxa0LvSxC1ZqP4aQGJVW5G0z8/nCkjIfSMS91P/wzw==",
+      "cpu": [
+        "ppc64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
       "engines": {
-        "node": ">=14.0.0"
+        "node": "^20.19.0 || >=22.12.0"
       }
     },
-    "node_modules/@hapi/topo": {
-      "version": "6.0.2",
-      "resolved": "https://registry.npmjs.org/@hapi/topo/-/topo-6.0.2.tgz",
-      "integrity": "sha512-KR3rD5inZbGMrHmgPxsJ9dbi6zEK+C3ZwUwTa+eMwWLz7oijWUTWD2pMSNNYJAU6Qq+65NkxXjqHr/7LM2Xkqg==",
-      "license": "BSD-3-Clause",
-      "dependencies": {
-        "@hapi/hoek": "^11.0.2"
+    "node_modules/@oxc-parser/binding-linux-riscv64-gnu": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-riscv64-gnu/-/binding-linux-riscv64-gnu-0.120.0.tgz",
+      "integrity": "sha512-vn21KXLAXzaI3N5CZWlBr1iWeXLl9QFIMor7S1hUjUGTeUuWCoE6JZB040/ZNDwf+JXPX8Ao9KbmJq9FMC2iGw==",
+      "cpu": [
+        "riscv64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
       }
     },
-    "node_modules/@jridgewell/resolve-uri": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.2.tgz",
-      "integrity": "sha512-bRISgCIjP20/tbWSPWMEi54QVPRZExkuD9lJL+UIxUKtwVJA8wW1Trb1jMs1RFXo1CBTNZ/5hpC9QvmKWdopKw==",
+    "node_modules/@oxc-parser/binding-linux-riscv64-musl": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-riscv64-musl/-/binding-linux-riscv64-musl-0.120.0.tgz",
+      "integrity": "sha512-SUbUxlar007LTGmSLGIC5x/WJvwhdX+PwNzFJ9f/nOzZOrCFbOT4ikt7pJIRg1tXVsEfzk5mWpGO1NFiSs4PIw==",
+      "cpu": [
+        "riscv64"
+      ],
       "dev": true,
       "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
       "engines": {
-        "node": ">=6.0.0"
+        "node": "^20.19.0 || >=22.12.0"
       }
     },
-    "node_modules/@jridgewell/sourcemap-codec": {
-      "version": "1.5.5",
-      "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.5.5.tgz",
-      "integrity": "sha512-cYQ9310grqxueWbl+WuIUIaiUaDcj7WOq5fVhEljNVgRfOUhY9fy2zTvfoqWsnebh8Sl70VScFbICvJnLKB0Og==",
+    "node_modules/@oxc-parser/binding-linux-s390x-gnu": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-0.120.0.tgz",
+      "integrity": "sha512-hYiPJTxyfJY2+lMBFk3p2bo0R9GN+TtpPFlRqVchL1qvLG+pznstramHNvJlw9AjaoRUHwp9IKR7UZQnRPGjgQ==",
+      "cpu": [
+        "s390x"
+      ],
       "dev": true,
-      "license": "MIT"
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
     },
-    "node_modules/@jridgewell/trace-mapping": {
-      "version": "0.3.31",
-      "resolved": "https://registry.npmjs.org/@jridgewell/trace-mapping/-/trace-mapping-0.3.31.tgz",
-      "integrity": "sha512-zzNR+SdQSDJzc8joaeP8QQoCQr8NuYx2dIIytl1QeBEZHJ9uW6hebsrYgbz8hJwUQao3TWCMtmfV8Nu1twOLAw==",
+    "node_modules/@oxc-parser/binding-linux-x64-gnu": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-x64-gnu/-/binding-linux-x64-gnu-0.120.0.tgz",
+      "integrity": "sha512-q+5jSVZkprJCIy3dzJpApat0InJaoxQLsJuD6DkX8hrUS61z2lHQ1Fe9L2+TYbKHXCLWbL0zXe7ovkIdopBGMQ==",
+      "cpu": [
+        "x64"
+      ],
       "dev": true,
       "license": "MIT",
-      "dependencies": {
-        "@jridgewell/resolve-uri": "^3.1.0",
-        "@jridgewell/sourcemap-codec": "^1.4.14"
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
       }
     },
-    "node_modules/@js-sdsl/ordered-map": {
-      "version": "4.4.2",
-      "resolved": "https://registry.npmjs.org/@js-sdsl/ordered-map/-/ordered-map-4.4.2.tgz",
-      "integrity": "sha512-iUKgm52T8HOE/makSxjqoWhe95ZJA1/G1sYsGev2JDKUSS14KAgg1LHb+Ba+IPow0xflbnSkOsZcO08C7w1gYw==",
+    "node_modules/@oxc-parser/binding-linux-x64-musl": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-x64-musl/-/binding-linux-x64-musl-0.120.0.tgz",
+      "integrity": "sha512-D9QDDZNnH24e7X4ftSa6ar/2hCavETfW3uk0zgcMIrZNy459O5deTbWrjGzZiVrSWigGtlQwzs2McBP0QsfV1w==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
       "license": "MIT",
-      "funding": {
-        "type": "opencollective",
-        "url": "https://opencollective.com/js-sdsl"
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
       }
     },
-    "node_modules/@napi-rs/wasm-runtime": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/@napi-rs/wasm-runtime/-/wasm-runtime-1.1.1.tgz",
-      "integrity": "sha512-p64ah1M1ld8xjWv3qbvFwHiFVWrq1yFvV4f7w+mzaqiR4IlSgkqhcRdHwsGgomwzBH51sRY4NEowLxnaBjcW/A==",
+    "node_modules/@oxc-parser/binding-openharmony-arm64": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-openharmony-arm64/-/binding-openharmony-arm64-0.120.0.tgz",
+      "integrity": "sha512-TBU8ZwOUWAOUWVfmI16CYWbvh4uQb9zHnGBHsw5Cp2JUVG044OIY1CSHODLifqzQIMTXvDvLzcL89GGdUIqNrA==",
+      "cpu": [
+        "arm64"
+      ],
       "dev": true,
       "license": "MIT",
       "optional": true,
-      "dependencies": {
-        "@emnapi/core": "^1.7.1",
-        "@emnapi/runtime": "^1.7.1",
-        "@tybys/wasm-util": "^0.10.1"
-      },
-      "funding": {
-        "type": "github",
-        "url": "https://github.com/sponsors/Brooooooklyn"
+      "os": [
+        "openharmony"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
       }
     },
-    "node_modules/@nodelib/fs.scandir": {
-      "version": "2.1.5",
-      "resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz",
-      "integrity": "sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==",
+    "node_modules/@oxc-parser/binding-wasm32-wasi": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-wasm32-wasi/-/binding-wasm32-wasi-0.120.0.tgz",
+      "integrity": "sha512-WG/FOZgDJCpJnuF3ToG/K28rcOmSY7FmFmfBKYb2fmLyhDzPpUldFGV7/Fz4ru0Iz/v4KPmf8xVgO8N3lO4KHA==",
+      "cpu": [
+        "wasm32"
+      ],
       "dev": true,
       "license": "MIT",
+      "optional": true,
       "dependencies": {
-        "@nodelib/fs.stat": "2.0.5",
-        "run-parallel": "^1.1.9"
+        "@napi-rs/wasm-runtime": "^1.1.1"
       },
       "engines": {
-        "node": ">= 8"
+        "node": ">=14.0.0"
       }
     },
-    "node_modules/@nodelib/fs.stat": {
-      "version": "2.0.5",
-      "resolved": "https://registry.npmjs.org/@nodelib/fs.stat/-/fs.stat-2.0.5.tgz",
-      "integrity": "sha512-RkhPPp2zrqDAQA/2jNhnztcPAlv64XdhIp7a7454A5ovI7Bukxgt7MX7udwAu3zg1DcpPU0rz3VV1SeaqvY4+A==",
+    "node_modules/@oxc-parser/binding-win32-arm64-msvc": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-0.120.0.tgz",
+      "integrity": "sha512-1T0HKGcsz/BKo77t7+89L8Qvu4f9DoleKWHp3C5sJEcbCjDOLx3m9m722bWZTY+hANlUEs+yjlK+lBFsA+vrVQ==",
+      "cpu": [
+        "arm64"
+      ],
       "dev": true,
       "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
       "engines": {
-        "node": ">= 8"
+        "node": "^20.19.0 || >=22.12.0"
       }
     },
-    "node_modules/@nodelib/fs.walk": {
-      "version": "1.2.8",
-      "resolved": "https://registry.npmjs.org/@nodelib/fs.walk/-/fs.walk-1.2.8.tgz",
-      "integrity": "sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg==",
+    "node_modules/@oxc-parser/binding-win32-ia32-msvc": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-0.120.0.tgz",
+      "integrity": "sha512-L7vfLzbOXsjBXV0rv/6Y3Jd9BRjPeCivINZAqrSyAOZN3moCopDN+Psq9ZrGNZtJzP8946MtlRFZ0Als0wBCOw==",
+      "cpu": [
+        "ia32"
+      ],
       "dev": true,
       "license": "MIT",
-      "dependencies": {
-        "@nodelib/fs.scandir": "2.1.5",
-        "fastq": "^1.6.0"
-      },
+      "optional": true,
+      "os": [
+        "win32"
+      ],
       "engines": {
-        "node": ">= 8"
+        "node": "^20.19.0 || >=22.12.0"
       }
     },
-    "node_modules/@opentelemetry/api": {
-      "version": "1.9.0",
-      "resolved": "https://registry.npmjs.org/@opentelemetry/api/-/api-1.9.0.tgz",
-      "integrity": "sha512-3giAOQvZiH5F9bMlMiv8+GSPMeqg0dbaeo58/0SlA9sxSqZhnUtxzX9/2FzyhS9sWQf5S0GJE0AKBrFqjpeYcg==",
-      "license": "Apache-2.0",
+    "node_modules/@oxc-parser/binding-win32-x64-msvc": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-x64-msvc/-/binding-win32-x64-msvc-0.120.0.tgz",
+      "integrity": "sha512-ys+upfqNtSu58huAhJMBKl3XCkGzyVFBlMlGPzHeFKgpFF/OdgNs1MMf8oaJIbgMH8ZxgGF7qfue39eJohmKIg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
       "engines": {
-        "node": ">=8.0.0"
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@oxc-project/types": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.120.0.tgz",
+      "integrity": "sha512-k1YNu55DuvAip/MGE1FTsIuU3FUCn6v/ujG9V7Nq5Df/kX2CWb13hhwD0lmJGMGqE+bE1MXvv9SZVnMzEXlWcg==",
+      "dev": true,
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/Boshen"
       }
     },
     "node_modules/@oxc-resolver/binding-android-arm-eabi": {
@@ -1825,134 +2584,22 @@
       "integrity": "sha512-6JOcJ5Tm08dOHAbdR3GrvP+yUUfkjG5ePsHYczMFLq3ZmMkAD98cDgcT2iA1lJ9NVwFd4tH/iSSoe44YWkltEA==",
       "license": "BSD-3-Clause"
     },
-    "node_modules/@protobufjs/pool": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/@protobufjs/pool/-/pool-1.1.0.tgz",
-      "integrity": "sha512-0kELaGSIDBKvcgS4zkjz1PeddatrjYcmMWOlAuAPwAeccUrPHdUqo/J6LiymHHEiJT5NrF1UVwxY14f+fy4WQw==",
-      "license": "BSD-3-Clause"
-    },
-    "node_modules/@protobufjs/utf8": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/@protobufjs/utf8/-/utf8-1.1.0.tgz",
-      "integrity": "sha512-Vvn3zZrhQZkkBE8LSuW3em98c0FwgO4nxzv6OdSxPKJIEKY2bGbHn+mhGIPerzI4twdxaP8/0+06HBpwf345Lw==",
-      "license": "BSD-3-Clause"
-    },
-    "node_modules/@rollup/rollup-android-arm-eabi": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.59.0.tgz",
-      "integrity": "sha512-upnNBkA6ZH2VKGcBj9Fyl9IGNPULcjXRlg0LLeaioQWueH30p6IXtJEbKAgvyv+mJaMxSm1l6xwDXYjpEMiLMg==",
-      "cpu": [
-        "arm"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "android"
-      ]
-    },
-    "node_modules/@rollup/rollup-android-arm64": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.59.0.tgz",
-      "integrity": "sha512-hZ+Zxj3SySm4A/DylsDKZAeVg0mvi++0PYVceVyX7hemkw7OreKdCvW2oQ3T1FMZvCaQXqOTHb8qmBShoqk69Q==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "android"
-      ]
-    },
-    "node_modules/@rollup/rollup-darwin-arm64": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.59.0.tgz",
-      "integrity": "sha512-W2Psnbh1J8ZJw0xKAd8zdNgF9HRLkdWwwdWqubSVk0pUuQkoHnv7rx4GiF9rT4t5DIZGAsConRE3AxCdJ4m8rg==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "darwin"
-      ]
-    },
-    "node_modules/@rollup/rollup-darwin-x64": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.59.0.tgz",
-      "integrity": "sha512-ZW2KkwlS4lwTv7ZVsYDiARfFCnSGhzYPdiOU4IM2fDbL+QGlyAbjgSFuqNRbSthybLbIJ915UtZBtmuLrQAT/w==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "darwin"
-      ]
-    },
-    "node_modules/@rollup/rollup-freebsd-arm64": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-arm64/-/rollup-freebsd-arm64-4.59.0.tgz",
-      "integrity": "sha512-EsKaJ5ytAu9jI3lonzn3BgG8iRBjV4LxZexygcQbpiU0wU0ATxhNVEpXKfUa0pS05gTcSDMKpn3Sx+QB9RlTTA==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "freebsd"
-      ]
-    },
-    "node_modules/@rollup/rollup-freebsd-x64": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-x64/-/rollup-freebsd-x64-4.59.0.tgz",
-      "integrity": "sha512-d3DuZi2KzTMjImrxoHIAODUZYoUUMsuUiY4SRRcJy6NJoZ6iIqWnJu9IScV9jXysyGMVuW+KNzZvBLOcpdl3Vg==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "freebsd"
-      ]
-    },
-    "node_modules/@rollup/rollup-linux-arm-gnueabihf": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.59.0.tgz",
-      "integrity": "sha512-t4ONHboXi/3E0rT6OZl1pKbl2Vgxf9vJfWgmUoCEVQVxhW6Cw/c8I6hbbu7DAvgp82RKiH7TpLwxnJeKv2pbsw==",
-      "cpu": [
-        "arm"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ]
+    "node_modules/@protobufjs/pool": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/@protobufjs/pool/-/pool-1.1.0.tgz",
+      "integrity": "sha512-0kELaGSIDBKvcgS4zkjz1PeddatrjYcmMWOlAuAPwAeccUrPHdUqo/J6LiymHHEiJT5NrF1UVwxY14f+fy4WQw==",
+      "license": "BSD-3-Clause"
     },
-    "node_modules/@rollup/rollup-linux-arm-musleabihf": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-musleabihf/-/rollup-linux-arm-musleabihf-4.59.0.tgz",
-      "integrity": "sha512-CikFT7aYPA2ufMD086cVORBYGHffBo4K8MQ4uPS/ZnY54GKj36i196u8U+aDVT2LX4eSMbyHtyOh7D7Zvk2VvA==",
-      "cpu": [
-        "arm"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ]
+    "node_modules/@protobufjs/utf8": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/@protobufjs/utf8/-/utf8-1.1.0.tgz",
+      "integrity": "sha512-Vvn3zZrhQZkkBE8LSuW3em98c0FwgO4nxzv6OdSxPKJIEKY2bGbHn+mhGIPerzI4twdxaP8/0+06HBpwf345Lw==",
+      "license": "BSD-3-Clause"
     },
-    "node_modules/@rollup/rollup-linux-arm64-gnu": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.59.0.tgz",
-      "integrity": "sha512-jYgUGk5aLd1nUb1CtQ8E+t5JhLc9x5WdBKew9ZgAXg7DBk0ZHErLHdXM24rfX+bKrFe+Xp5YuJo54I5HFjGDAA==",
+    "node_modules/@rolldown/binding-android-arm64": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-android-arm64/-/binding-android-arm64-1.0.0-rc.12.tgz",
+      "integrity": "sha512-pv1y2Fv0JybcykuiiD3qBOBdz6RteYojRFY1d+b95WVuzx211CRh+ytI/+9iVyWQ6koTh5dawe4S/yRfOFjgaA==",
       "cpu": [
         "arm64"
       ],
@@ -1960,13 +2607,16 @@
       "license": "MIT",
       "optional": true,
       "os": [
-        "linux"
-      ]
+        "android"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
     },
-    "node_modules/@rollup/rollup-linux-arm64-musl": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.59.0.tgz",
-      "integrity": "sha512-peZRVEdnFWZ5Bh2KeumKG9ty7aCXzzEsHShOZEFiCQlDEepP1dpUl/SrUNXNg13UmZl+gzVDPsiCwnV1uI0RUA==",
+    "node_modules/@rolldown/binding-darwin-arm64": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-arm64/-/binding-darwin-arm64-1.0.0-rc.12.tgz",
+      "integrity": "sha512-cFYr6zTG/3PXXF3pUO+umXxt1wkRK/0AYT8lDwuqvRC+LuKYWSAQAQZjCWDQpAH172ZV6ieYrNnFzVVcnSflAg==",
       "cpu": [
         "arm64"
       ],
@@ -1974,97 +2624,118 @@
       "license": "MIT",
       "optional": true,
       "os": [
-        "linux"
-      ]
+        "darwin"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
     },
-    "node_modules/@rollup/rollup-linux-loong64-gnu": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-gnu/-/rollup-linux-loong64-gnu-4.59.0.tgz",
-      "integrity": "sha512-gbUSW/97f7+r4gHy3Jlup8zDG190AuodsWnNiXErp9mT90iCy9NKKU0Xwx5k8VlRAIV2uU9CsMnEFg/xXaOfXg==",
+    "node_modules/@rolldown/binding-darwin-x64": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-x64/-/binding-darwin-x64-1.0.0-rc.12.tgz",
+      "integrity": "sha512-ZCsYknnHzeXYps0lGBz8JrF37GpE9bFVefrlmDrAQhOEi4IOIlcoU1+FwHEtyXGx2VkYAvhu7dyBf75EJQffBw==",
       "cpu": [
-        "loong64"
+        "x64"
       ],
       "dev": true,
       "license": "MIT",
       "optional": true,
       "os": [
-        "linux"
-      ]
+        "darwin"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
     },
-    "node_modules/@rollup/rollup-linux-loong64-musl": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-musl/-/rollup-linux-loong64-musl-4.59.0.tgz",
-      "integrity": "sha512-yTRONe79E+o0FWFijasoTjtzG9EBedFXJMl888NBEDCDV9I2wGbFFfJQQe63OijbFCUZqxpHz1GzpbtSFikJ4Q==",
+    "node_modules/@rolldown/binding-freebsd-x64": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-freebsd-x64/-/binding-freebsd-x64-1.0.0-rc.12.tgz",
+      "integrity": "sha512-dMLeprcVsyJsKolRXyoTH3NL6qtsT0Y2xeuEA8WQJquWFXkEC4bcu1rLZZSnZRMtAqwtrF/Ib9Ddtpa/Gkge9Q==",
       "cpu": [
-        "loong64"
+        "x64"
       ],
       "dev": true,
       "license": "MIT",
       "optional": true,
       "os": [
-        "linux"
-      ]
+        "freebsd"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
     },
-    "node_modules/@rollup/rollup-linux-ppc64-gnu": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-gnu/-/rollup-linux-ppc64-gnu-4.59.0.tgz",
-      "integrity": "sha512-sw1o3tfyk12k3OEpRddF68a1unZ5VCN7zoTNtSn2KndUE+ea3m3ROOKRCZxEpmT9nsGnogpFP9x6mnLTCaoLkA==",
+    "node_modules/@rolldown/binding-linux-arm-gnueabihf": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-1.0.0-rc.12.tgz",
+      "integrity": "sha512-YqWjAgGC/9M1lz3GR1r1rP79nMgo3mQiiA+Hfo+pvKFK1fAJ1bCi0ZQVh8noOqNacuY1qIcfyVfP6HoyBRZ85Q==",
       "cpu": [
-        "ppc64"
+        "arm"
       ],
       "dev": true,
       "license": "MIT",
       "optional": true,
       "os": [
         "linux"
-      ]
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
     },
-    "node_modules/@rollup/rollup-linux-ppc64-musl": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-musl/-/rollup-linux-ppc64-musl-4.59.0.tgz",
-      "integrity": "sha512-+2kLtQ4xT3AiIxkzFVFXfsmlZiG5FXYW7ZyIIvGA7Bdeuh9Z0aN4hVyXS/G1E9bTP/vqszNIN/pUKCk/BTHsKA==",
+    "node_modules/@rolldown/binding-linux-arm64-gnu": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-1.0.0-rc.12.tgz",
+      "integrity": "sha512-/I5AS4cIroLpslsmzXfwbe5OmWvSsrFuEw3mwvbQ1kDxJ822hFHIx+vsN/TAzNVyepI/j/GSzrtCIwQPeKCLIg==",
       "cpu": [
-        "ppc64"
+        "arm64"
       ],
       "dev": true,
       "license": "MIT",
       "optional": true,
       "os": [
         "linux"
-      ]
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
     },
-    "node_modules/@rollup/rollup-linux-riscv64-gnu": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-gnu/-/rollup-linux-riscv64-gnu-4.59.0.tgz",
-      "integrity": "sha512-NDYMpsXYJJaj+I7UdwIuHHNxXZ/b/N2hR15NyH3m2qAtb/hHPA4g4SuuvrdxetTdndfj9b1WOmy73kcPRoERUg==",
+    "node_modules/@rolldown/binding-linux-arm64-musl": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-musl/-/binding-linux-arm64-musl-1.0.0-rc.12.tgz",
+      "integrity": "sha512-V6/wZztnBqlx5hJQqNWwFdxIKN0m38p8Jas+VoSfgH54HSj9tKTt1dZvG6JRHcjh6D7TvrJPWFGaY9UBVOaWPw==",
       "cpu": [
-        "riscv64"
+        "arm64"
       ],
       "dev": true,
       "license": "MIT",
       "optional": true,
       "os": [
         "linux"
-      ]
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
     },
-    "node_modules/@rollup/rollup-linux-riscv64-musl": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-musl/-/rollup-linux-riscv64-musl-4.59.0.tgz",
-      "integrity": "sha512-nLckB8WOqHIf1bhymk+oHxvM9D3tyPndZH8i8+35p/1YiVoVswPid2yLzgX7ZJP0KQvnkhM4H6QZ5m0LzbyIAg==",
+    "node_modules/@rolldown/binding-linux-ppc64-gnu": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-1.0.0-rc.12.tgz",
+      "integrity": "sha512-AP3E9BpcUYliZCxa3w5Kwj9OtEVDYK6sVoUzy4vTOJsjPOgdaJZKFmN4oOlX0Wp0RPV2ETfmIra9x1xuayFB7g==",
       "cpu": [
-        "riscv64"
+        "ppc64"
       ],
       "dev": true,
       "license": "MIT",
       "optional": true,
       "os": [
         "linux"
-      ]
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
     },
-    "node_modules/@rollup/rollup-linux-s390x-gnu": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-s390x-gnu/-/rollup-linux-s390x-gnu-4.59.0.tgz",
-      "integrity": "sha512-oF87Ie3uAIvORFBpwnCvUzdeYUqi2wY6jRFWJAy1qus/udHFYIkplYRW+wo+GRUP4sKzYdmE1Y3+rY5Gc4ZO+w==",
+    "node_modules/@rolldown/binding-linux-s390x-gnu": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-1.0.0-rc.12.tgz",
+      "integrity": "sha512-nWwpvUSPkoFmZo0kQazZYOrT7J5DGOJ/+QHHzjvNlooDZED8oH82Yg67HvehPPLAg5fUff7TfWFHQS8IV1n3og==",
       "cpu": [
         "s390x"
       ],
@@ -2073,12 +2744,15 @@
       "optional": true,
       "os": [
         "linux"
-      ]
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
     },
-    "node_modules/@rollup/rollup-linux-x64-gnu": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.59.0.tgz",
-      "integrity": "sha512-3AHmtQq/ppNuUspKAlvA8HtLybkDflkMuLK4DPo77DfthRb71V84/c4MlWJXixZz4uruIH4uaa07IqoAkG64fg==",
+    "node_modules/@rolldown/binding-linux-x64-gnu": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-gnu/-/binding-linux-x64-gnu-1.0.0-rc.12.tgz",
+      "integrity": "sha512-RNrafz5bcwRy+O9e6P8Z/OCAJW/A+qtBczIqVYwTs14pf4iV1/+eKEjdOUta93q2TsT/FI0XYDP3TCky38LMAg==",
       "cpu": [
         "x64"
       ],
@@ -2087,12 +2761,15 @@
       "optional": true,
       "os": [
         "linux"
-      ]
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
     },
-    "node_modules/@rollup/rollup-linux-x64-musl": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.59.0.tgz",
-      "integrity": "sha512-2UdiwS/9cTAx7qIUZB/fWtToJwvt0Vbo0zmnYt7ED35KPg13Q0ym1g442THLC7VyI6JfYTP4PiSOWyoMdV2/xg==",
+    "node_modules/@rolldown/binding-linux-x64-musl": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-musl/-/binding-linux-x64-musl-1.0.0-rc.12.tgz",
+      "integrity": "sha512-Jpw/0iwoKWx3LJ2rc1yjFrj+T7iHZn2JDg1Yny1ma0luviFS4mhAIcd1LFNxK3EYu3DHWCps0ydXQ5i/rrJ2ig==",
       "cpu": [
         "x64"
       ],
@@ -2101,26 +2778,15 @@
       "optional": true,
       "os": [
         "linux"
-      ]
-    },
-    "node_modules/@rollup/rollup-openbsd-x64": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-openbsd-x64/-/rollup-openbsd-x64-4.59.0.tgz",
-      "integrity": "sha512-M3bLRAVk6GOwFlPTIxVBSYKUaqfLrn8l0psKinkCFxl4lQvOSz8ZrKDz2gxcBwHFpci0B6rttydI4IpS4IS/jQ==",
-      "cpu": [
-        "x64"
       ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "openbsd"
-      ]
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
     },
-    "node_modules/@rollup/rollup-openharmony-arm64": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-openharmony-arm64/-/rollup-openharmony-arm64-4.59.0.tgz",
-      "integrity": "sha512-tt9KBJqaqp5i5HUZzoafHZX8b5Q2Fe7UjYERADll83O4fGqJ49O1FsL6LpdzVFQcpwvnyd0i+K/VSwu/o/nWlA==",
+    "node_modules/@rolldown/binding-openharmony-arm64": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-openharmony-arm64/-/binding-openharmony-arm64-1.0.0-rc.12.tgz",
+      "integrity": "sha512-vRugONE4yMfVn0+7lUKdKvN4D5YusEiPilaoO2sgUWpCvrncvWgPMzK00ZFFJuiPgLwgFNP5eSiUlv2tfc+lpA==",
       "cpu": [
         "arm64"
       ],
@@ -2129,40 +2795,49 @@
       "optional": true,
       "os": [
         "openharmony"
-      ]
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
     },
-    "node_modules/@rollup/rollup-win32-arm64-msvc": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.59.0.tgz",
-      "integrity": "sha512-V5B6mG7OrGTwnxaNUzZTDTjDS7F75PO1ae6MJYdiMu60sq0CqN5CVeVsbhPxalupvTX8gXVSU9gq+Rx1/hvu6A==",
+    "node_modules/@rolldown/binding-wasm32-wasi": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-wasm32-wasi/-/binding-wasm32-wasi-1.0.0-rc.12.tgz",
+      "integrity": "sha512-ykGiLr/6kkiHc0XnBfmFJuCjr5ZYKKofkx+chJWDjitX+KsJuAmrzWhwyOMSHzPhzOHOy7u9HlFoa5MoAOJ/Zg==",
       "cpu": [
-        "arm64"
+        "wasm32"
       ],
       "dev": true,
       "license": "MIT",
       "optional": true,
-      "os": [
-        "win32"
-      ]
+      "dependencies": {
+        "@napi-rs/wasm-runtime": "^1.1.1"
+      },
+      "engines": {
+        "node": ">=14.0.0"
+      }
     },
-    "node_modules/@rollup/rollup-win32-ia32-msvc": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.59.0.tgz",
-      "integrity": "sha512-UKFMHPuM9R0iBegwzKF4y0C4J9u8C6MEJgFuXTBerMk7EJ92GFVFYBfOZaSGLu6COf7FxpQNqhNS4c4icUPqxA==",
+    "node_modules/@rolldown/binding-win32-arm64-msvc": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-1.0.0-rc.12.tgz",
+      "integrity": "sha512-5eOND4duWkwx1AzCxadcOrNeighiLwMInEADT0YM7xeEOOFcovWZCq8dadXgcRHSf3Ulh1kFo/qvzoFiCLOL1Q==",
       "cpu": [
-        "ia32"
+        "arm64"
       ],
       "dev": true,
       "license": "MIT",
       "optional": true,
       "os": [
         "win32"
-      ]
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
     },
-    "node_modules/@rollup/rollup-win32-x64-gnu": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-gnu/-/rollup-win32-x64-gnu-4.59.0.tgz",
-      "integrity": "sha512-laBkYlSS1n2L8fSo1thDNGrCTQMmxjYY5G0WFWjFFYZkKPjsMBsgJfGf4TLxXrF6RyhI60L8TMOjBMvXiTcxeA==",
+    "node_modules/@rolldown/binding-win32-x64-msvc": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-x64-msvc/-/binding-win32-x64-msvc-1.0.0-rc.12.tgz",
+      "integrity": "sha512-PyqoipaswDLAZtot351MLhrlrh6lcZPo2LSYE+VDxbVk24LVKAGOuE4hb8xZQmrPAuEtTZW8E6D2zc5EUZX4Lw==",
       "cpu": [
         "x64"
       ],
@@ -2171,21 +2846,37 @@
       "optional": true,
       "os": [
         "win32"
-      ]
-    },
-    "node_modules/@rollup/rollup-win32-x64-msvc": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.59.0.tgz",
-      "integrity": "sha512-2HRCml6OztYXyJXAvdDXPKcawukWY2GpR5/nxKp4iBgiO3wcoEGkAaqctIbZcNB6KlUQBIqt8VYkNSj2397EfA==",
-      "cpu": [
-        "x64"
       ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@rolldown/pluginutils": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-rc.12.tgz",
+      "integrity": "sha512-HHMwmarRKvoFsJorqYlFeFRzXZqCt2ETQlEDOb9aqssrnVBB1/+xgTGtuTrIk5vzLNX1MjMtTf7W9z3tsSbrxw==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@sec-ant/readable-stream": {
+      "version": "0.4.1",
+      "resolved": "https://registry.npmjs.org/@sec-ant/readable-stream/-/readable-stream-0.4.1.tgz",
+      "integrity": "sha512-831qok9r2t8AlxLko40y2ebgSDhenenCatLVeW/uBtnHPyhHOvG0C7TvfgecV+wHzIm5KUICgzmVpWS+IMEAeg==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@sindresorhus/merge-streams": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/@sindresorhus/merge-streams/-/merge-streams-4.0.0.tgz",
+      "integrity": "sha512-tlqY9xq5ukxTUZBmoOp+m61cqwQD5pHJtFY3Mn8CA8ps6yghLH/Hw8UPdqg4OLmFW3IFlcXnQNmo/dh8HzXYIQ==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "win32"
-      ]
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
     },
     "node_modules/@slack/logger": {
       "version": "4.0.1",
@@ -2248,9 +2939,9 @@
       }
     },
     "node_modules/@smithy/config-resolver": {
-      "version": "4.4.11",
-      "resolved": "https://registry.npmjs.org/@smithy/config-resolver/-/config-resolver-4.4.11.tgz",
-      "integrity": "sha512-YxFiiG4YDAtX7WMN7RuhHZLeTmRRAOyCbr+zB8e3AQzHPnUhS8zXjB1+cniPVQI3xbWsQPM0X2aaIkO/ME0ymw==",
+      "version": "4.4.13",
+      "resolved": "https://registry.npmjs.org/@smithy/config-resolver/-/config-resolver-4.4.13.tgz",
+      "integrity": "sha512-iIzMC5NmOUP6WL6o8iPBjFhUhBZ9pPjpUpQYWMUFQqKyXXzOftbfK8zcQCz/jFV1Psmf05BK5ypx4K2r4Tnwdg==",
       "license": "Apache-2.0",
       "dependencies": {
         "@smithy/node-config-provider": "^4.3.12",
@@ -2372,9 +3063,9 @@
       }
     },
     "node_modules/@smithy/middleware-endpoint": {
-      "version": "4.4.26",
-      "resolved": "https://registry.npmjs.org/@smithy/middleware-endpoint/-/middleware-endpoint-4.4.26.tgz",
-      "integrity": "sha512-8Qfikvd2GVKSm8S6IbjfwFlRY9VlMrj0Dp4vTwAuhqbX7NhJKE5DQc2bnfJIcY0B+2YKMDBWfvexbSZeejDgeg==",
+      "version": "4.4.27",
+      "resolved": "https://registry.npmjs.org/@smithy/middleware-endpoint/-/middleware-endpoint-4.4.27.tgz",
+      "integrity": "sha512-T3TFfUgXQlpcg+UdzcAISdZpj4Z+XECZ/cefgA6wLBd6V4lRi0svN2hBouN/be9dXQ31X4sLWz3fAQDf+nt6BA==",
       "license": "Apache-2.0",
       "dependencies": {
         "@smithy/core": "^3.23.12",
@@ -2391,15 +3082,15 @@
       }
     },
     "node_modules/@smithy/middleware-retry": {
-      "version": "4.4.43",
-      "resolved": "https://registry.npmjs.org/@smithy/middleware-retry/-/middleware-retry-4.4.43.tgz",
-      "integrity": "sha512-ZwsifBdyuNHrFGmbc7bAfP2b54+kt9J2rhFd18ilQGAB+GDiP4SrawqyExbB7v455QVR7Psyhb2kjULvBPIhvA==",
+      "version": "4.4.44",
+      "resolved": "https://registry.npmjs.org/@smithy/middleware-retry/-/middleware-retry-4.4.44.tgz",
+      "integrity": "sha512-Y1Rav7m5CFRPQyM4CI0koD/bXjyjJu3EQxZZhtLGD88WIrBrQ7kqXM96ncd6rYnojwOo/u9MXu57JrEvu/nLrA==",
       "license": "Apache-2.0",
       "dependencies": {
         "@smithy/node-config-provider": "^4.3.12",
         "@smithy/protocol-http": "^5.3.12",
         "@smithy/service-error-classification": "^4.2.12",
-        "@smithy/smithy-client": "^4.12.6",
+        "@smithy/smithy-client": "^4.12.7",
         "@smithy/types": "^4.13.1",
         "@smithy/util-middleware": "^4.2.12",
         "@smithy/util-retry": "^4.2.12",
@@ -2567,13 +3258,13 @@
       }
     },
     "node_modules/@smithy/smithy-client": {
-      "version": "4.12.6",
-      "resolved": "https://registry.npmjs.org/@smithy/smithy-client/-/smithy-client-4.12.6.tgz",
-      "integrity": "sha512-aib3f0jiMsJ6+cvDnXipBsGDL7ztknYSVqJs1FdN9P+u9tr/VzOR7iygSh6EUOdaBeMCMSh3N0VdyYsG4o91DQ==",
+      "version": "4.12.7",
+      "resolved": "https://registry.npmjs.org/@smithy/smithy-client/-/smithy-client-4.12.7.tgz",
+      "integrity": "sha512-q3gqnwml60G44FECaEEsdQMplYhDMZYCtYhMCzadCnRnnHIobZJjegmdoUo6ieLQlPUzvrMdIJUpx6DoPmzANQ==",
       "license": "Apache-2.0",
       "dependencies": {
         "@smithy/core": "^3.23.12",
-        "@smithy/middleware-endpoint": "^4.4.26",
+        "@smithy/middleware-endpoint": "^4.4.27",
         "@smithy/middleware-stack": "^4.2.12",
         "@smithy/protocol-http": "^5.3.12",
         "@smithy/types": "^4.13.1",
@@ -2674,13 +3365,13 @@
       }
     },
     "node_modules/@smithy/util-defaults-mode-browser": {
-      "version": "4.3.42",
-      "resolved": "https://registry.npmjs.org/@smithy/util-defaults-mode-browser/-/util-defaults-mode-browser-4.3.42.tgz",
-      "integrity": "sha512-0vjwmcvkWAUtikXnWIUOyV6IFHTEeQUYh3JUZcDgcszF+hD/StAsQ3rCZNZEPHgI9kVNcbnyc8P2CBHnwgmcwg==",
+      "version": "4.3.43",
+      "resolved": "https://registry.npmjs.org/@smithy/util-defaults-mode-browser/-/util-defaults-mode-browser-4.3.43.tgz",
+      "integrity": "sha512-Qd/0wCKMaXxev/z00TvNzGCH2jlKKKxXP1aDxB6oKwSQthe3Og2dMhSayGCnsma1bK/kQX1+X7SMP99t6FgiiQ==",
       "license": "Apache-2.0",
       "dependencies": {
         "@smithy/property-provider": "^4.2.12",
-        "@smithy/smithy-client": "^4.12.6",
+        "@smithy/smithy-client": "^4.12.7",
         "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
@@ -2689,16 +3380,16 @@
       }
     },
     "node_modules/@smithy/util-defaults-mode-node": {
-      "version": "4.2.45",
-      "resolved": "https://registry.npmjs.org/@smithy/util-defaults-mode-node/-/util-defaults-mode-node-4.2.45.tgz",
-      "integrity": "sha512-q5dOqqfTgUcLe38TAGiFn9srToKj2YCHJ34QGOLzM+xYLLA+qRZv7N+33kl1MERVusue36ZHnlNaNEvY/PzSrw==",
+      "version": "4.2.47",
+      "resolved": "https://registry.npmjs.org/@smithy/util-defaults-mode-node/-/util-defaults-mode-node-4.2.47.tgz",
+      "integrity": "sha512-qSRbYp1EQ7th+sPFuVcVO05AE0QH635hycdEXlpzIahqHHf2Fyd/Zl+8v0XYMJ3cgDVPa0lkMefU7oNUjAP+DQ==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/config-resolver": "^4.4.11",
+        "@smithy/config-resolver": "^4.4.13",
         "@smithy/credential-provider-imds": "^4.2.12",
         "@smithy/node-config-provider": "^4.3.12",
         "@smithy/property-provider": "^4.2.12",
-        "@smithy/smithy-client": "^4.12.6",
+        "@smithy/smithy-client": "^4.12.7",
         "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
@@ -2835,6 +3526,132 @@
       "integrity": "sha512-l2aFy5jALhniG5HgqrD6jXLi/rUWrKvqN/qJx6yoJsgKhblVd+iqqU4RCXavm/jPityDo5TCvKMnpjKnOriy0w==",
       "license": "MIT"
     },
+    "node_modules/@stryker-mutator/api": {
+      "version": "9.6.0",
+      "resolved": "https://registry.npmjs.org/@stryker-mutator/api/-/api-9.6.0.tgz",
+      "integrity": "sha512-kJEEwOVoWDXGEIXuM+9efT6LSJ7nyxnQQvjEoKg8GSZXbDUjfD0tqA0aBD06U1SzQLKCM7ffjgPffr154MHZKw==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "mutation-testing-metrics": "3.7.2",
+        "mutation-testing-report-schema": "3.7.2",
+        "tslib": "~2.8.0",
+        "typed-inject": "~5.0.0"
+      },
+      "engines": {
+        "node": ">=20.0.0"
+      }
+    },
+    "node_modules/@stryker-mutator/core": {
+      "version": "9.6.0",
+      "resolved": "https://registry.npmjs.org/@stryker-mutator/core/-/core-9.6.0.tgz",
+      "integrity": "sha512-oSbw01l6HXHt0iW9x5fQj7yHGGT8ZjCkXSkI7Bsu0juO7Q6vRMXk7XcvKpCBgRgzKXi1osg8+iIzj7acHuxepQ==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@inquirer/prompts": "^8.0.0",
+        "@stryker-mutator/api": "9.6.0",
+        "@stryker-mutator/instrumenter": "9.6.0",
+        "@stryker-mutator/util": "9.6.0",
+        "ajv": "~8.18.0",
+        "chalk": "~5.6.0",
+        "commander": "~14.0.0",
+        "diff-match-patch": "1.0.5",
+        "emoji-regex": "~10.6.0",
+        "execa": "~9.6.0",
+        "json-rpc-2.0": "^1.7.0",
+        "lodash.groupby": "~4.6.0",
+        "minimatch": "~10.2.4",
+        "mutation-server-protocol": "~0.4.0",
+        "mutation-testing-elements": "3.7.2",
+        "mutation-testing-metrics": "3.7.2",
+        "mutation-testing-report-schema": "3.7.2",
+        "npm-run-path": "~6.0.0",
+        "progress": "~2.0.3",
+        "rxjs": "~7.8.1",
+        "semver": "^7.6.3",
+        "source-map": "~0.7.4",
+        "tree-kill": "~1.2.2",
+        "tslib": "2.8.1",
+        "typed-inject": "~5.0.0",
+        "typed-rest-client": "~2.2.0"
+      },
+      "bin": {
+        "stryker": "bin/stryker.js"
+      },
+      "engines": {
+        "node": ">=20.0.0"
+      }
+    },
+    "node_modules/@stryker-mutator/instrumenter": {
+      "version": "9.6.0",
+      "resolved": "https://registry.npmjs.org/@stryker-mutator/instrumenter/-/instrumenter-9.6.0.tgz",
+      "integrity": "sha512-tWdRYfm9LF4Go7cNOos0xEIOEnN7ZOSj38rfXvGZS9IINlvYBrBCl2xcz/67v6l5A7xksMWWByZRIq2bgdnnUg==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@babel/core": "~7.29.0",
+        "@babel/generator": "~7.29.0",
+        "@babel/parser": "~7.29.0",
+        "@babel/plugin-proposal-decorators": "~7.29.0",
+        "@babel/plugin-transform-explicit-resource-management": "^7.28.0",
+        "@babel/preset-typescript": "~7.28.0",
+        "@stryker-mutator/api": "9.6.0",
+        "@stryker-mutator/util": "9.6.0",
+        "angular-html-parser": "~10.4.0",
+        "semver": "~7.7.0",
+        "tslib": "2.8.1",
+        "weapon-regex": "~1.3.2"
+      },
+      "engines": {
+        "node": ">=20.0.0"
+      }
+    },
+    "node_modules/@stryker-mutator/typescript-checker": {
+      "version": "9.6.0",
+      "resolved": "https://registry.npmjs.org/@stryker-mutator/typescript-checker/-/typescript-checker-9.6.0.tgz",
+      "integrity": "sha512-mPoB2Eogda4bpIoNgdN+VHnZvbwD0R/oNCCbmq7UQVLZtzF09nH1M1kbilYdmrCyxYYkFyTCKy3WhU3YGWdDjA==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@stryker-mutator/api": "9.6.0",
+        "@stryker-mutator/util": "9.6.0",
+        "semver": "~7.7.0"
+      },
+      "engines": {
+        "node": ">=20.0.0"
+      },
+      "peerDependencies": {
+        "@stryker-mutator/core": "9.6.0",
+        "typescript": ">=3.6"
+      }
+    },
+    "node_modules/@stryker-mutator/util": {
+      "version": "9.6.0",
+      "resolved": "https://registry.npmjs.org/@stryker-mutator/util/-/util-9.6.0.tgz",
+      "integrity": "sha512-gw7fJOFNHEj9inAEOodD9RrrMEMhZmWJ46Ww/kDJAXlSsBBmdwCzeomNLngmLTvgp14z7Tfq85DHYwvmNMdOxA==",
+      "dev": true,
+      "license": "Apache-2.0"
+    },
+    "node_modules/@stryker-mutator/vitest-runner": {
+      "version": "9.6.0",
+      "resolved": "https://registry.npmjs.org/@stryker-mutator/vitest-runner/-/vitest-runner-9.6.0.tgz",
+      "integrity": "sha512-/zyELz5jTDAiH0Hr23G6KSnBFl9XV+vn0T0qUAk4sPqJoP5NVm9jjpgt9EBACS/VTkVqSvXqBid4jmESPx11Sg==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@stryker-mutator/api": "9.6.0",
+        "@stryker-mutator/util": "9.6.0",
+        "tslib": "~2.8.0"
+      },
+      "engines": {
+        "node": ">=14.18.0"
+      },
+      "peerDependencies": {
+        "@stryker-mutator/core": "9.6.0",
+        "vitest": ">=2.0.0"
+      }
+    },
     "node_modules/@tsconfig/node10": {
       "version": "1.0.12",
       "resolved": "https://registry.npmjs.org/@tsconfig/node10/-/node10-1.0.12.tgz",
@@ -3032,9 +3849,9 @@
       }
     },
     "node_modules/@types/qs": {
-      "version": "6.14.0",
-      "resolved": "https://registry.npmjs.org/@types/qs/-/qs-6.14.0.tgz",
-      "integrity": "sha512-eOunJqu0K1923aExK6y8p6fsihYEn/BYuQ4g0CxAAgFc4b/ZLN4CrsRZ55srTdqoiLzU2B2evC+apEIxprEzkQ==",
+      "version": "6.15.0",
+      "resolved": "https://registry.npmjs.org/@types/qs/-/qs-6.15.0.tgz",
+      "integrity": "sha512-JawvT8iBVWpzTrz3EGw9BTQFg3BQNmwERdKE22vlTxawwtbyUSlMppvZYKLZzB5zgACXdXxbD3m1bXaMqP/9ow==",
       "dev": true,
       "license": "MIT"
     },
@@ -3136,14 +3953,14 @@
       }
     },
     "node_modules/@vitest/coverage-v8": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/@vitest/coverage-v8/-/coverage-v8-4.1.0.tgz",
-      "integrity": "sha512-nDWulKeik2bL2Va/Wl4x7DLuTKAXa906iRFooIRPR+huHkcvp9QDkPQ2RJdmjOFrqOqvNfoSQLF68deE3xC3CQ==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/coverage-v8/-/coverage-v8-4.1.2.tgz",
+      "integrity": "sha512-sPK//PHO+kAkScb8XITeB1bf7fsk85Km7+rt4eeuRR3VS1/crD47cmV5wicisJmjNdfeokTZwjMk4Mj2d58Mgg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@bcoe/v8-coverage": "^1.0.2",
-        "@vitest/utils": "4.1.0",
+        "@vitest/utils": "4.1.2",
         "ast-v8-to-istanbul": "^1.0.0",
         "istanbul-lib-coverage": "^3.2.2",
         "istanbul-lib-report": "^3.0.1",
@@ -3151,14 +3968,14 @@
         "magicast": "^0.5.2",
         "obug": "^2.1.1",
         "std-env": "^4.0.0-rc.1",
-        "tinyrainbow": "^3.0.3"
+        "tinyrainbow": "^3.1.0"
       },
       "funding": {
         "url": "https://opencollective.com/vitest"
       },
       "peerDependencies": {
-        "@vitest/browser": "4.1.0",
-        "vitest": "4.1.0"
+        "@vitest/browser": "4.1.2",
+        "vitest": "4.1.2"
       },
       "peerDependenciesMeta": {
         "@vitest/browser": {
@@ -3167,31 +3984,31 @@
       }
     },
     "node_modules/@vitest/expect": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/@vitest/expect/-/expect-4.1.0.tgz",
-      "integrity": "sha512-EIxG7k4wlWweuCLG9Y5InKFwpMEOyrMb6ZJ1ihYu02LVj/bzUwn2VMU+13PinsjRW75XnITeFrQBMH5+dLvCDA==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/expect/-/expect-4.1.2.tgz",
+      "integrity": "sha512-gbu+7B0YgUJ2nkdsRJrFFW6X7NTP44WlhiclHniUhxADQJH5Szt9mZ9hWnJPJ8YwOK5zUOSSlSvyzRf0u1DSBQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@standard-schema/spec": "^1.1.0",
         "@types/chai": "^5.2.2",
-        "@vitest/spy": "4.1.0",
-        "@vitest/utils": "4.1.0",
+        "@vitest/spy": "4.1.2",
+        "@vitest/utils": "4.1.2",
         "chai": "^6.2.2",
-        "tinyrainbow": "^3.0.3"
+        "tinyrainbow": "^3.1.0"
       },
       "funding": {
         "url": "https://opencollective.com/vitest"
       }
     },
     "node_modules/@vitest/mocker": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/@vitest/mocker/-/mocker-4.1.0.tgz",
-      "integrity": "sha512-evxREh+Hork43+Y4IOhTo+h5lGmVRyjqI739Rz4RlUPqwrkFFDF6EMvOOYjTx4E8Tl6gyCLRL8Mu7Ry12a13Tw==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/mocker/-/mocker-4.1.2.tgz",
+      "integrity": "sha512-Ize4iQtEALHDttPRCmN+FKqOl2vxTiNUhzobQFFt/BM1lRUTG7zRCLOykG/6Vo4E4hnUdfVLo5/eqKPukcWW7Q==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@vitest/spy": "4.1.0",
+        "@vitest/spy": "4.1.2",
         "estree-walker": "^3.0.3",
         "magic-string": "^0.30.21"
       },
@@ -3200,7 +4017,7 @@
       },
       "peerDependencies": {
         "msw": "^2.4.9",
-        "vite": "^6.0.0 || ^7.0.0 || ^8.0.0-0"
+        "vite": "^6.0.0 || ^7.0.0 || ^8.0.0"
       },
       "peerDependenciesMeta": {
         "msw": {
@@ -3212,26 +4029,26 @@
       }
     },
     "node_modules/@vitest/pretty-format": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/@vitest/pretty-format/-/pretty-format-4.1.0.tgz",
-      "integrity": "sha512-3RZLZlh88Ib0J7NQTRATfc/3ZPOnSUn2uDBUoGNn5T36+bALixmzphN26OUD3LRXWkJu4H0s5vvUeqBiw+kS0A==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/pretty-format/-/pretty-format-4.1.2.tgz",
+      "integrity": "sha512-dwQga8aejqeuB+TvXCMzSQemvV9hNEtDDpgUKDzOmNQayl2OG241PSWeJwKRH3CiC+sESrmoFd49rfnq7T4RnA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "tinyrainbow": "^3.0.3"
+        "tinyrainbow": "^3.1.0"
       },
       "funding": {
         "url": "https://opencollective.com/vitest"
       }
     },
     "node_modules/@vitest/runner": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/@vitest/runner/-/runner-4.1.0.tgz",
-      "integrity": "sha512-Duvx2OzQ7d6OjchL+trw+aSrb9idh7pnNfxrklo14p3zmNL4qPCDeIJAK+eBKYjkIwG96Bc6vYuxhqDXQOWpoQ==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/runner/-/runner-4.1.2.tgz",
+      "integrity": "sha512-Gr+FQan34CdiYAwpGJmQG8PgkyFVmARK8/xSijia3eTFgVfpcpztWLuP6FttGNfPLJhaZVP/euvujeNYar36OQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@vitest/utils": "4.1.0",
+        "@vitest/utils": "4.1.2",
         "pathe": "^2.0.3"
       },
       "funding": {
@@ -3239,14 +4056,14 @@
       }
     },
     "node_modules/@vitest/snapshot": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/@vitest/snapshot/-/snapshot-4.1.0.tgz",
-      "integrity": "sha512-0Vy9euT1kgsnj1CHttwi9i9o+4rRLEaPRSOJ5gyv579GJkNpgJK+B4HSv/rAWixx2wdAFci1X4CEPjiu2bXIMg==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/snapshot/-/snapshot-4.1.2.tgz",
+      "integrity": "sha512-g7yfUmxYS4mNxk31qbOYsSt2F4m1E02LFqO53Xpzg3zKMhLAPZAjjfyl9e6z7HrW6LvUdTwAQR3HHfLjpko16A==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@vitest/pretty-format": "4.1.0",
-        "@vitest/utils": "4.1.0",
+        "@vitest/pretty-format": "4.1.2",
+        "@vitest/utils": "4.1.2",
         "magic-string": "^0.30.21",
         "pathe": "^2.0.3"
       },
@@ -3255,9 +4072,9 @@
       }
     },
     "node_modules/@vitest/spy": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/@vitest/spy/-/spy-4.1.0.tgz",
-      "integrity": "sha512-pz77k+PgNpyMDv2FV6qmk5ZVau6c3R8HC8v342T2xlFxQKTrSeYw9waIJG8KgV9fFwAtTu4ceRzMivPTH6wSxw==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/spy/-/spy-4.1.2.tgz",
+      "integrity": "sha512-DU4fBnbVCJGNBwVA6xSToNXrkZNSiw59H8tcuUspVMsBDBST4nfvsPsEHDHGtWRRnqBERBQu7TrTKskmjqTXKA==",
       "dev": true,
       "license": "MIT",
       "funding": {
@@ -3265,15 +4082,15 @@
       }
     },
     "node_modules/@vitest/utils": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/@vitest/utils/-/utils-4.1.0.tgz",
-      "integrity": "sha512-XfPXT6a8TZY3dcGY8EdwsBulFCIw+BeeX0RZn2x/BtiY/75YGh8FeWGG8QISN/WhaqSrE2OrlDgtF8q5uhOTmw==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/utils/-/utils-4.1.2.tgz",
+      "integrity": "sha512-xw2/TiX82lQHA06cgbqRKFb5lCAy3axQ4H4SoUFhUsg+wztiet+co86IAMDtF6Vm1hc7J6j09oh/rgDn+JdKIQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@vitest/pretty-format": "4.1.0",
+        "@vitest/pretty-format": "4.1.2",
         "convert-source-map": "^2.0.0",
-        "tinyrainbow": "^3.0.3"
+        "tinyrainbow": "^3.1.0"
       },
       "funding": {
         "url": "https://opencollective.com/vitest"
@@ -3372,6 +4189,16 @@
         }
       }
     },
+    "node_modules/angular-html-parser": {
+      "version": "10.4.0",
+      "resolved": "https://registry.npmjs.org/angular-html-parser/-/angular-html-parser-10.4.0.tgz",
+      "integrity": "sha512-++nLNyZwRfHqFh7akH5Gw/JYizoFlMRz0KRigfwfsLqV8ZqlcVRb1LkPEWdYvEKDnbktknM2J4BXaYUGrQZPww==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">= 14"
+      }
+    },
     "node_modules/ansi-regex": {
       "version": "5.0.1",
       "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
@@ -3410,19 +4237,6 @@
         "node": ">= 8"
       }
     },
-    "node_modules/anymatch/node_modules/picomatch": {
-      "version": "2.3.1",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
-      "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=8.6"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/jonschlinkert"
-      }
-    },
     "node_modules/apache-md5": {
       "version": "1.1.8",
       "resolved": "https://registry.npmjs.org/apache-md5/-/apache-md5-1.1.8.tgz",
@@ -3470,6 +4284,13 @@
         "js-tokens": "^10.0.0"
       }
     },
+    "node_modules/ast-v8-to-istanbul/node_modules/js-tokens": {
+      "version": "10.0.0",
+      "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-10.0.0.tgz",
+      "integrity": "sha512-lM/UBzQmfJRo9ABXbPWemivdCW8V2G8FHaHdypQaIy523snUjog0W71ayWXTjiR+ixeMyVHN2XcpnTd/liPg/Q==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/asynckit": {
       "version": "0.4.0",
       "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz",
@@ -3526,6 +4347,19 @@
       ],
       "license": "MIT"
     },
+    "node_modules/baseline-browser-mapping": {
+      "version": "2.10.11",
+      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.11.tgz",
+      "integrity": "sha512-DAKrHphkJyiGuau/cFieRYhcTFeK/lBuD++C7cZ6KZHbMhBrisoi+EvhQ5RZrIfV5qwsW8kgQ07JIC+MDJRAhg==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "bin": {
+        "baseline-browser-mapping": "dist/cli.cjs"
+      },
+      "engines": {
+        "node": ">=6.0.0"
+      }
+    },
     "node_modules/bcrypt-pbkdf": {
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz",
@@ -3601,34 +4435,11 @@
       "engines": {
         "node": ">=18"
       },
-      "funding": {
-        "type": "opencollective",
-        "url": "https://opencollective.com/express"
-      }
-    },
-    "node_modules/body-parser/node_modules/debug": {
-      "version": "4.4.3",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz",
-      "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==",
-      "license": "MIT",
-      "dependencies": {
-        "ms": "^2.1.3"
-      },
-      "engines": {
-        "node": ">=6.0"
-      },
-      "peerDependenciesMeta": {
-        "supports-color": {
-          "optional": true
-        }
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
       }
     },
-    "node_modules/body-parser/node_modules/ms": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
-      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
-      "license": "MIT"
-    },
     "node_modules/bowser": {
       "version": "2.14.1",
       "resolved": "https://registry.npmjs.org/bowser/-/bowser-2.14.1.tgz",
@@ -3636,9 +4447,9 @@
       "license": "MIT"
     },
     "node_modules/brace-expansion": {
-      "version": "5.0.4",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.4.tgz",
-      "integrity": "sha512-h+DEnpVvxmfVefa4jFbCf5HdH5YMDXRsmKflpf1pILZWRFlTbJpxeU55nJl4Smt5HQaGzg1o6RHFPJaOqnmBDg==",
+      "version": "5.0.5",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz",
+      "integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -3662,15 +4473,49 @@
       }
     },
     "node_modules/broker-factory": {
-      "version": "3.1.13",
-      "resolved": "https://registry.npmjs.org/broker-factory/-/broker-factory-3.1.13.tgz",
-      "integrity": "sha512-H2VALe31mEtO/SRcNp4cUU5BAm1biwhc/JaF77AigUuni/1YT0FLCJfbUxwIEs9y6Kssjk2fmXgf+Y9ALvmKlw==",
+      "version": "3.1.14",
+      "resolved": "https://registry.npmjs.org/broker-factory/-/broker-factory-3.1.14.tgz",
+      "integrity": "sha512-L45k5HMbPIrMid0nTOZ/UPXG/c0aRuQKVrSDFIb1zOkvfiyHgYmIjc3cSiN1KwQIvRDOtKE0tfb3I9EZ3CmpQQ==",
       "license": "MIT",
       "dependencies": {
-        "@babel/runtime": "^7.28.6",
-        "fast-unique-numbers": "^9.0.26",
+        "@babel/runtime": "^7.29.2",
+        "fast-unique-numbers": "^9.0.27",
         "tslib": "^2.8.1",
-        "worker-factory": "^7.0.48"
+        "worker-factory": "^7.0.49"
+      }
+    },
+    "node_modules/browserslist": {
+      "version": "4.28.1",
+      "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.28.1.tgz",
+      "integrity": "sha512-ZC5Bd0LgJXgwGqUknZY/vkUQ04r8NXnJZ3yYi4vDmSiZmC/pdSN0NbNRPxZpbtO4uAfDUAFffO8IZoM3Gj8IkA==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/browserslist"
+        },
+        {
+          "type": "tidelift",
+          "url": "https://tidelift.com/funding/github/npm/browserslist"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
+      "license": "MIT",
+      "dependencies": {
+        "baseline-browser-mapping": "^2.9.0",
+        "caniuse-lite": "^1.0.30001759",
+        "electron-to-chromium": "^1.5.263",
+        "node-releases": "^2.0.27",
+        "update-browserslist-db": "^1.2.0"
+      },
+      "bin": {
+        "browserslist": "cli.js"
+      },
+      "engines": {
+        "node": "^6 || ^7 || ^8 || ^9 || ^10 || ^11 || ^12 || >=13.7"
       }
     },
     "node_modules/buffer": {
@@ -3768,6 +4613,27 @@
         "url": "https://github.com/sponsors/ljharb"
       }
     },
+    "node_modules/caniuse-lite": {
+      "version": "1.0.30001781",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001781.tgz",
+      "integrity": "sha512-RdwNCyMsNBftLjW6w01z8bKEvT6e/5tpPVEgtn22TiLGlstHOVecsX2KHFkD5e/vRnIE4EGzpuIODb3mtswtkw==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/browserslist"
+        },
+        {
+          "type": "tidelift",
+          "url": "https://tidelift.com/funding/github/npm/caniuse-lite"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
+      "license": "CC-BY-4.0"
+    },
     "node_modules/capitalize": {
       "version": "2.0.4",
       "resolved": "https://registry.npmjs.org/capitalize/-/capitalize-2.0.4.tgz",
@@ -3784,12 +4650,32 @@
         "node": ">=18"
       }
     },
+    "node_modules/chalk": {
+      "version": "5.6.2",
+      "resolved": "https://registry.npmjs.org/chalk/-/chalk-5.6.2.tgz",
+      "integrity": "sha512-7NzBL0rN6fMUW+f7A6Io4h40qQlG+xGmtMxfbnH/K7TAtt8JQWVQK+6g0UXKMeVJoyV5EkkNsErQ8pVD3bLHbA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": "^12.17.0 || ^14.13 || >=16.0.0"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/chalk?sponsor=1"
+      }
+    },
     "node_modules/change-case": {
       "version": "5.4.4",
       "resolved": "https://registry.npmjs.org/change-case/-/change-case-5.4.4.tgz",
       "integrity": "sha512-HRQyTk2/YPEkt9TnUPbOpr64Uw3KOicFWPVBb+xiHvd6eBx/qPr9xqfBFDT8P2vWsvvz4jbEkfDe71W3VyNu2w==",
       "license": "MIT"
     },
+    "node_modules/chardet": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/chardet/-/chardet-2.1.1.tgz",
+      "integrity": "sha512-PsezH1rqdV9VvyNhxxOW32/d75r01NY7TQCmOqomRo15ZSOKbpTFVsfjghxo6JloQUCGnH4k1LGu0R4yCLlWQQ==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/chokidar": {
       "version": "3.6.0",
       "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-3.6.0.tgz",
@@ -3821,6 +4707,16 @@
       "integrity": "sha512-jJ0bqzaylmJtVnNgzTeSOs8DPavpbYgEr/b0YL8/2GO3xJEhInFmhKMUnEJQjZumK7KXGFhUy89PrsJWlakBVg==",
       "license": "ISC"
     },
+    "node_modules/cli-width": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/cli-width/-/cli-width-4.1.0.tgz",
+      "integrity": "sha512-ouuZd4/dm2Sw5Gmqy6bGyNNNe1qt9RpmxveLSO7KcgsTnU7RXfsw+/bukWGo1abgBiMAic068rclZsO4IWmmxQ==",
+      "dev": true,
+      "license": "ISC",
+      "engines": {
+        "node": ">= 12"
+      }
+    },
     "node_modules/cliui": {
       "version": "8.0.1",
       "resolved": "https://registry.npmjs.org/cliui/-/cliui-8.0.1.tgz",
@@ -3871,6 +4767,16 @@
         "node": ">= 0.8"
       }
     },
+    "node_modules/commander": {
+      "version": "14.0.3",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-14.0.3.tgz",
+      "integrity": "sha512-H+y0Jo/T1RZ9qPP4Eh1pkcQcLRglraJaSLoyOtHxu6AapkjWVCy2Sit1QQ4x3Dng8qDlSsZEet7g5Pq06MvTgw==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=20"
+      }
+    },
     "node_modules/commist": {
       "version": "3.2.0",
       "resolved": "https://registry.npmjs.org/commist/-/commist-3.2.0.tgz",
@@ -3907,6 +4813,21 @@
         "node": ">= 0.8.0"
       }
     },
+    "node_modules/compression/node_modules/debug": {
+      "version": "2.6.9",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
+      "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
+      "license": "MIT",
+      "dependencies": {
+        "ms": "2.0.0"
+      }
+    },
+    "node_modules/compression/node_modules/ms": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
+      "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==",
+      "license": "MIT"
+    },
     "node_modules/concat-stream": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/concat-stream/-/concat-stream-2.0.0.tgz",
@@ -4028,6 +4949,21 @@
         "node": ">=18"
       }
     },
+    "node_modules/cross-spawn": {
+      "version": "7.0.6",
+      "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz",
+      "integrity": "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "path-key": "^3.1.0",
+        "shebang-command": "^2.0.0",
+        "which": "^2.0.1"
+      },
+      "engines": {
+        "node": ">= 8"
+      }
+    },
     "node_modules/dateformat": {
       "version": "4.6.3",
       "resolved": "https://registry.npmjs.org/dateformat/-/dateformat-4.6.3.tgz",
@@ -4038,12 +4974,20 @@
       }
     },
     "node_modules/debug": {
-      "version": "2.6.9",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
-      "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
+      "version": "4.4.3",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz",
+      "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==",
       "license": "MIT",
       "dependencies": {
-        "ms": "2.0.0"
+        "ms": "^2.1.3"
+      },
+      "engines": {
+        "node": ">=6.0"
+      },
+      "peerDependenciesMeta": {
+        "supports-color": {
+          "optional": true
+        }
       }
     },
     "node_modules/define-data-property": {
@@ -4098,6 +5042,27 @@
         "node": ">= 0.8"
       }
     },
+    "node_modules/des.js": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/des.js/-/des.js-1.1.0.tgz",
+      "integrity": "sha512-r17GxjhUCjSRy8aiJpr8/UadFIzMzJGexI3Nmz4ADi9LYSFx4gTBp80+NaX/YsXWWLhpZ7v/v/ubEc/bCNfKwg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "inherits": "^2.0.1",
+        "minimalistic-assert": "^1.0.0"
+      }
+    },
+    "node_modules/detect-libc": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.1.2.tgz",
+      "integrity": "sha512-Btj2BOOO83o3WyH59e8MgXsxEQVcarkUOpEYrubB0urwnN10yQ364rsiByU11nZlqWYZm05i/of7io4mzihBtQ==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=8"
+      }
+    },
     "node_modules/diff": {
       "version": "4.0.4",
       "resolved": "https://registry.npmjs.org/diff/-/diff-4.0.4.tgz",
@@ -4108,10 +5073,17 @@
         "node": ">=0.3.1"
       }
     },
+    "node_modules/diff-match-patch": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/diff-match-patch/-/diff-match-patch-1.0.5.tgz",
+      "integrity": "sha512-IayShXAgj/QMXgB0IWmKx+rOPuGMhqm5w6jvFxmVenXKIzRqTAAsbBPT3kWQeGANj3jGgvcvv4yK6SxqYmikgw==",
+      "dev": true,
+      "license": "Apache-2.0"
+    },
     "node_modules/docker-modem": {
-      "version": "5.0.6",
-      "resolved": "https://registry.npmjs.org/docker-modem/-/docker-modem-5.0.6.tgz",
-      "integrity": "sha512-ens7BiayssQz/uAxGzH8zGXCtiV24rRWXdjNha5V4zSOcxmAZsfGVm/PPFbwQdqEkDnhG+SyR9E3zSHUbOKXBQ==",
+      "version": "5.0.7",
+      "resolved": "https://registry.npmjs.org/docker-modem/-/docker-modem-5.0.7.tgz",
+      "integrity": "sha512-XJgGhoR/CLpqshm4d3L7rzH6t8NgDFUIIpztYlLHIApeJjMZKYJMz2zxPsYxnejq5h3ELYSw/RBsi3t5h7gNTA==",
       "license": "Apache-2.0",
       "dependencies": {
         "debug": "^4.1.1",
@@ -4123,39 +5095,16 @@
         "node": ">= 8.0"
       }
     },
-    "node_modules/docker-modem/node_modules/debug": {
-      "version": "4.4.3",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz",
-      "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==",
-      "license": "MIT",
-      "dependencies": {
-        "ms": "^2.1.3"
-      },
-      "engines": {
-        "node": ">=6.0"
-      },
-      "peerDependenciesMeta": {
-        "supports-color": {
-          "optional": true
-        }
-      }
-    },
-    "node_modules/docker-modem/node_modules/ms": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
-      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
-      "license": "MIT"
-    },
     "node_modules/dockerode": {
-      "version": "4.0.9",
-      "resolved": "https://registry.npmjs.org/dockerode/-/dockerode-4.0.9.tgz",
-      "integrity": "sha512-iND4mcOWhPaCNh54WmK/KoSb35AFqPAUWFMffTQcp52uQt36b5uNwEJTSXntJZBbeGad72Crbi/hvDIv6us/6Q==",
+      "version": "4.0.10",
+      "resolved": "https://registry.npmjs.org/dockerode/-/dockerode-4.0.10.tgz",
+      "integrity": "sha512-8L/P9JynLBiG7/coiA4FlQXegHltRqS0a+KqI44P1zgQh8QLHTg7FKOwhkBgSJwZTeHsq30WRoVFLuwkfK0YFg==",
       "license": "Apache-2.0",
       "dependencies": {
         "@balena/dockerignore": "^1.0.2",
         "@grpc/grpc-js": "^1.11.1",
         "@grpc/proto-loader": "^0.7.13",
-        "docker-modem": "^5.0.6",
+        "docker-modem": "^5.0.7",
         "protobufjs": "^7.3.2",
         "tar-fs": "^2.1.4",
         "uuid": "^10.0.0"
@@ -4197,10 +5146,18 @@
       "integrity": "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==",
       "license": "MIT"
     },
+    "node_modules/electron-to-chromium": {
+      "version": "1.5.326",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.326.tgz",
+      "integrity": "sha512-uRBlUfKKdsXMkiiOurgaybNC10tjrD+skXLEg7NHbm6h0uAoqj3xMb9uue5BfcSCXJ4mcyJMOucI6q55D7p6KQ==",
+      "dev": true,
+      "license": "ISC"
+    },
     "node_modules/emoji-regex": {
-      "version": "8.0.0",
-      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz",
-      "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==",
+      "version": "10.6.0",
+      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-10.6.0.tgz",
+      "integrity": "sha512-toUI84YS5YmxW219erniWD0CIVOo46xGKColeNQRgOzDorgBi1v4D71/OFzgD9GO2UGKIv1C3Sp8DAn0+j5w7A==",
+      "dev": true,
       "license": "MIT"
     },
     "node_modules/encodeurl": {
@@ -4273,48 +5230,6 @@
         "node": ">= 0.4"
       }
     },
-    "node_modules/esbuild": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.3.tgz",
-      "integrity": "sha512-8VwMnyGCONIs6cWue2IdpHxHnAjzxnw2Zr7MkVxB2vjmQ2ivqGFb4LEG3SMnv0Gb2F/G/2yA8zUaiL1gywDCCg==",
-      "dev": true,
-      "hasInstallScript": true,
-      "license": "MIT",
-      "bin": {
-        "esbuild": "bin/esbuild"
-      },
-      "engines": {
-        "node": ">=18"
-      },
-      "optionalDependencies": {
-        "@esbuild/aix-ppc64": "0.27.3",
-        "@esbuild/android-arm": "0.27.3",
-        "@esbuild/android-arm64": "0.27.3",
-        "@esbuild/android-x64": "0.27.3",
-        "@esbuild/darwin-arm64": "0.27.3",
-        "@esbuild/darwin-x64": "0.27.3",
-        "@esbuild/freebsd-arm64": "0.27.3",
-        "@esbuild/freebsd-x64": "0.27.3",
-        "@esbuild/linux-arm": "0.27.3",
-        "@esbuild/linux-arm64": "0.27.3",
-        "@esbuild/linux-ia32": "0.27.3",
-        "@esbuild/linux-loong64": "0.27.3",
-        "@esbuild/linux-mips64el": "0.27.3",
-        "@esbuild/linux-ppc64": "0.27.3",
-        "@esbuild/linux-riscv64": "0.27.3",
-        "@esbuild/linux-s390x": "0.27.3",
-        "@esbuild/linux-x64": "0.27.3",
-        "@esbuild/netbsd-arm64": "0.27.3",
-        "@esbuild/netbsd-x64": "0.27.3",
-        "@esbuild/openbsd-arm64": "0.27.3",
-        "@esbuild/openbsd-x64": "0.27.3",
-        "@esbuild/openharmony-arm64": "0.27.3",
-        "@esbuild/sunos-x64": "0.27.3",
-        "@esbuild/win32-arm64": "0.27.3",
-        "@esbuild/win32-ia32": "0.27.3",
-        "@esbuild/win32-x64": "0.27.3"
-      }
-    },
     "node_modules/escalade": {
       "version": "3.2.0",
       "resolved": "https://registry.npmjs.org/escalade/-/escalade-3.2.0.tgz",
@@ -4373,6 +5288,46 @@
         "node": ">=0.8.x"
       }
     },
+    "node_modules/execa": {
+      "version": "9.6.1",
+      "resolved": "https://registry.npmjs.org/execa/-/execa-9.6.1.tgz",
+      "integrity": "sha512-9Be3ZoN4LmYR90tUoVu2te2BsbzHfhJyfEiAVfz7N5/zv+jduIfLrV2xdQXOHbaD6KgpGdO9PRPM1Y4Q9QkPkA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@sindresorhus/merge-streams": "^4.0.0",
+        "cross-spawn": "^7.0.6",
+        "figures": "^6.1.0",
+        "get-stream": "^9.0.0",
+        "human-signals": "^8.0.1",
+        "is-plain-obj": "^4.1.0",
+        "is-stream": "^4.0.1",
+        "npm-run-path": "^6.0.0",
+        "pretty-ms": "^9.2.0",
+        "signal-exit": "^4.1.0",
+        "strip-final-newline": "^4.0.0",
+        "yoctocolors": "^2.1.1"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.5.0"
+      },
+      "funding": {
+        "url": "https://github.com/sindresorhus/execa?sponsor=1"
+      }
+    },
+    "node_modules/execa/node_modules/is-stream": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/is-stream/-/is-stream-4.0.1.tgz",
+      "integrity": "sha512-Dnz92NInDqYckGEUJv689RbRiTSEHCQ7wOVeALbkOz999YpqT46yMRIGtSNl2iCL1waAZSx40+h59NV/EwzV/A==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
     "node_modules/expect-type": {
       "version": "1.3.0",
       "resolved": "https://registry.npmjs.org/expect-type/-/expect-type-1.3.0.tgz",
@@ -4479,27 +5434,19 @@
       "integrity": "sha512-NXdYc3dLr47pBkpUCHtKSwIOQXLVn8dZEuywboCOJY/osA0wFSLlSawr3KN8qXJEyX66FcONTH8EIlVuK0yyFA==",
       "license": "MIT"
     },
-    "node_modules/express/node_modules/debug": {
-      "version": "4.4.3",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz",
-      "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==",
+    "node_modules/express-session/node_modules/debug": {
+      "version": "2.6.9",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
+      "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
       "license": "MIT",
       "dependencies": {
-        "ms": "^2.1.3"
-      },
-      "engines": {
-        "node": ">=6.0"
-      },
-      "peerDependenciesMeta": {
-        "supports-color": {
-          "optional": true
-        }
+        "ms": "2.0.0"
       }
     },
-    "node_modules/express/node_modules/ms": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
-      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
+    "node_modules/express-session/node_modules/ms": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
+      "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==",
       "license": "MIT"
     },
     "node_modules/fast-check": {
@@ -4560,13 +5507,30 @@
       "integrity": "sha512-W+KJc2dmILlPplD/H4K9l9LcAHAfPtP6BY84uVLXQ6Evcz9Lcg33Y2z1IVblT6xdY54PXYVHEv+0Wpq8Io6zkA==",
       "license": "MIT"
     },
+    "node_modules/fast-string-truncated-width": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/fast-string-truncated-width/-/fast-string-truncated-width-3.0.3.tgz",
+      "integrity": "sha512-0jjjIEL6+0jag3l2XWWizO64/aZVtpiGE3t0Zgqxv0DPuxiMjvB3M24fCyhZUO4KomJQPj3LTSUnDP3GpdwC0g==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/fast-string-width": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/fast-string-width/-/fast-string-width-3.0.2.tgz",
+      "integrity": "sha512-gX8LrtNEI5hq8DVUfRQMbr5lpaS4nMIWV+7XEbXk2b8kiQIizgnlr12B4dA3ZEx3308ze0O4Q1R+cHts8kyUJg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "fast-string-truncated-width": "^3.0.2"
+      }
+    },
     "node_modules/fast-unique-numbers": {
-      "version": "9.0.26",
-      "resolved": "https://registry.npmjs.org/fast-unique-numbers/-/fast-unique-numbers-9.0.26.tgz",
-      "integrity": "sha512-3Mtq8p1zQinjGyWfKeuBunbuFoixG72AUkk4VvzbX4ykCW9Q4FzRaNyIlfQhUjnKw2ARVP+/CKnoyr6wfHftig==",
+      "version": "9.0.27",
+      "resolved": "https://registry.npmjs.org/fast-unique-numbers/-/fast-unique-numbers-9.0.27.tgz",
+      "integrity": "sha512-nDA9ADeINN8SA2u2wCtU+siWFTTDqQR37XvgPIDDmboWQeExz7X0mImxuaN+kJddliIqy2FpVRmnvRZ+j8i1/A==",
       "license": "MIT",
       "dependencies": {
-        "@babel/runtime": "^7.28.6",
+        "@babel/runtime": "^7.29.2",
         "tslib": "^2.8.1"
       },
       "engines": {
@@ -4589,6 +5553,16 @@
       ],
       "license": "BSD-3-Clause"
     },
+    "node_modules/fast-wrap-ansi": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/fast-wrap-ansi/-/fast-wrap-ansi-0.2.0.tgz",
+      "integrity": "sha512-rLV8JHxTyhVmFYhBJuMujcrHqOT2cnO5Zxj37qROj23CP39GXubJRBUFF0z8KFK77Uc0SukZUf7JZhsVEQ6n8w==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "fast-string-width": "^3.0.2"
+      }
+    },
     "node_modules/fast-xml-builder": {
       "version": "1.1.4",
       "resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.1.4.tgz",
@@ -4662,6 +5636,22 @@
         }
       }
     },
+    "node_modules/figures": {
+      "version": "6.1.0",
+      "resolved": "https://registry.npmjs.org/figures/-/figures-6.1.0.tgz",
+      "integrity": "sha512-d+l3qxjSesT4V7v2fh+QnmFnUWv9lSpjarhShNTgBOfA0ttejbQUAlHLitbjkoRiDulW0OPoQPYIGhIC8ohejg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "is-unicode-supported": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
     "node_modules/fill-range": {
       "version": "7.1.1",
       "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
@@ -4696,29 +5686,6 @@
         "url": "https://opencollective.com/express"
       }
     },
-    "node_modules/finalhandler/node_modules/debug": {
-      "version": "4.4.3",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz",
-      "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==",
-      "license": "MIT",
-      "dependencies": {
-        "ms": "^2.1.3"
-      },
-      "engines": {
-        "node": ">=6.0"
-      },
-      "peerDependenciesMeta": {
-        "supports-color": {
-          "optional": true
-        }
-      }
-    },
-    "node_modules/finalhandler/node_modules/ms": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
-      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
-      "license": "MIT"
-    },
     "node_modules/flat": {
       "version": "6.0.1",
       "resolved": "https://registry.npmjs.org/flat/-/flat-6.0.1.tgz",
@@ -4852,6 +5819,16 @@
         "url": "https://github.com/sponsors/ljharb"
       }
     },
+    "node_modules/gensync": {
+      "version": "1.0.0-beta.2",
+      "resolved": "https://registry.npmjs.org/gensync/-/gensync-1.0.0-beta.2.tgz",
+      "integrity": "sha512-3hN7NaskYvMDLQY55gnW3NQ+mesEAepTqlg+VEbj7zzqEMBVNhzcGYYeqFo/TlYz6eQiFcp1HcsCZO+nGgS8zg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
     "node_modules/get-caller-file": {
       "version": "2.0.5",
       "resolved": "https://registry.npmjs.org/get-caller-file/-/get-caller-file-2.0.5.tgz",
@@ -4898,6 +5875,49 @@
         "node": ">= 0.4"
       }
     },
+    "node_modules/get-stream": {
+      "version": "9.0.1",
+      "resolved": "https://registry.npmjs.org/get-stream/-/get-stream-9.0.1.tgz",
+      "integrity": "sha512-kVCxPF3vQM/N0B1PmoqVUqgHP+EeVjmZSQn+1oCRPxd2P21P2F19lIgbR3HBosbB1PUhOAoctJnfEn2GbN2eZA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@sec-ant/readable-stream": "^0.4.1",
+        "is-stream": "^4.0.1"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/get-stream/node_modules/is-stream": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/is-stream/-/is-stream-4.0.1.tgz",
+      "integrity": "sha512-Dnz92NInDqYckGEUJv689RbRiTSEHCQ7wOVeALbkOz999YpqT46yMRIGtSNl2iCL1waAZSx40+h59NV/EwzV/A==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/get-tsconfig": {
+      "version": "4.13.7",
+      "resolved": "https://registry.npmjs.org/get-tsconfig/-/get-tsconfig-4.13.7.tgz",
+      "integrity": "sha512-7tN6rFgBlMgpBML5j8typ92BKFi2sFQvIdpAqLA2beia5avZDrMs0FLZiM5etShWq5irVyGcGMEA1jcDaK7A/Q==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "resolve-pkg-maps": "^1.0.0"
+      },
+      "funding": {
+        "url": "https://github.com/privatenumber/get-tsconfig?sponsor=1"
+      }
+    },
     "node_modules/glob-parent": {
       "version": "5.1.2",
       "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz",
@@ -5031,6 +6051,16 @@
         "url": "https://opencollective.com/express"
       }
     },
+    "node_modules/human-signals": {
+      "version": "8.0.1",
+      "resolved": "https://registry.npmjs.org/human-signals/-/human-signals-8.0.1.tgz",
+      "integrity": "sha512-eKCa6bwnJhvxj14kZk5NCPc6Hb6BdsU9DZcOnmQKSnO1VKrfV0zCvtttPZUsBvjmNDn8rpcJfpwSYnHBjc95MQ==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=18.18.0"
+      }
+    },
     "node_modules/iconv-lite": {
       "version": "0.7.2",
       "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.7.2.tgz",
@@ -5175,6 +6205,19 @@
         "node": ">=0.12.0"
       }
     },
+    "node_modules/is-plain-obj": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/is-plain-obj/-/is-plain-obj-4.1.0.tgz",
+      "integrity": "sha512-+Pgi+vMuUNkJyExiMBt5IlFoMyKnr5zhJ4Uspz58WOhBF5QoIZkFyNHIbBAtHwzVAgk5RtndVNsDRN61/mmDqg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
     "node_modules/is-plain-object": {
       "version": "2.0.4",
       "resolved": "https://registry.npmjs.org/is-plain-object/-/is-plain-object-2.0.4.tgz",
@@ -5214,6 +6257,26 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/is-unicode-supported": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/is-unicode-supported/-/is-unicode-supported-2.1.0.tgz",
+      "integrity": "sha512-mE00Gnza5EEB3Ds0HfMyllZzbBrmLOX3vfWoj9A9PEnTfratQ/BcaJOuMhnkhjXvb2+FkY3VuHqtAGpTPmglFQ==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/isexe": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz",
+      "integrity": "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==",
+      "dev": true,
+      "license": "ISC"
+    },
     "node_modules/isobject": {
       "version": "3.0.1",
       "resolved": "https://registry.npmjs.org/isobject/-/isobject-3.0.1.tgz",
@@ -5313,9 +6376,9 @@
       }
     },
     "node_modules/jose": {
-      "version": "6.1.3",
-      "resolved": "https://registry.npmjs.org/jose/-/jose-6.1.3.tgz",
-      "integrity": "sha512-0TpaTfihd4QMNwrz/ob2Bp7X04yuxJkjRGi4aKmOqwhov54i6u79oCv7T+C7lo70MKH6BesI3vscD1yb/yzKXQ==",
+      "version": "6.2.2",
+      "resolved": "https://registry.npmjs.org/jose/-/jose-6.2.2.tgz",
+      "integrity": "sha512-d7kPDd34KO/YnzaDOlikGpOurfF0ByC2sEV4cANCtdqLlTfBlw2p14O/5d/zv40gJPbIQxfES3nSx1/oYNyuZQ==",
       "license": "MIT",
       "funding": {
         "url": "https://github.com/sponsors/panva"
@@ -5330,6 +6393,13 @@
         "node": ">=10"
       }
     },
+    "node_modules/js-md4": {
+      "version": "0.3.2",
+      "resolved": "https://registry.npmjs.org/js-md4/-/js-md4-0.3.2.tgz",
+      "integrity": "sha512-/GDnfQYsltsjRswQhN9fhv3EMw2sCpUdrdxyWDOUK7eyD++r3gRhzgiQgc/x4MAv2i1iuQ4lxO5mvqM3vj4bwA==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/js-sdsl": {
       "version": "4.3.0",
       "resolved": "https://registry.npmjs.org/js-sdsl/-/js-sdsl-4.3.0.tgz",
@@ -5341,9 +6411,29 @@
       }
     },
     "node_modules/js-tokens": {
-      "version": "10.0.0",
-      "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-10.0.0.tgz",
-      "integrity": "sha512-lM/UBzQmfJRo9ABXbPWemivdCW8V2G8FHaHdypQaIy523snUjog0W71ayWXTjiR+ixeMyVHN2XcpnTd/liPg/Q==",
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz",
+      "integrity": "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/jsesc": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/jsesc/-/jsesc-3.1.0.tgz",
+      "integrity": "sha512-/sM3dO2FOzXjKQhJuo0Q173wf2KOo8t4I8vHy6lF9poUp7bKT0/NHE8fPX23PwfhnykfqnC2xRxOnVw5XuGIaA==",
+      "dev": true,
+      "license": "MIT",
+      "bin": {
+        "jsesc": "bin/jsesc"
+      },
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/json-rpc-2.0": {
+      "version": "1.7.1",
+      "resolved": "https://registry.npmjs.org/json-rpc-2.0/-/json-rpc-2.0-1.7.1.tgz",
+      "integrity": "sha512-JqZjhjAanbpkXIzFE7u8mE/iFblawwlXtONaCvRqI+pyABVz7B4M1EUNpyVW+dZjqgQ2L5HFmZCmOCgUKm00hg==",
       "dev": true,
       "license": "MIT"
     },
@@ -5353,6 +6443,19 @@
       "integrity": "sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug==",
       "license": "MIT"
     },
+    "node_modules/json5": {
+      "version": "2.2.3",
+      "resolved": "https://registry.npmjs.org/json5/-/json5-2.2.3.tgz",
+      "integrity": "sha512-XmOWe7eyHYH14cLdVPoyg+GOH3rYX++KpzrylJwSW98t3Nk+U8XOl8FWKOgwtzdb8lXGf6zYwDUzeHMWfxasyg==",
+      "dev": true,
+      "license": "MIT",
+      "bin": {
+        "json5": "lib/cli.js"
+      },
+      "engines": {
+        "node": ">=6"
+      }
+    },
     "node_modules/just-debounce": {
       "version": "1.1.0",
       "resolved": "https://registry.npmjs.org/just-debounce/-/just-debounce-1.1.0.tgz",
@@ -5365,50 +6468,309 @@
       "integrity": "sha512-j/YeapB1vfPT2iOIUn/vxdyKEuhuY2PxMBvf5JWux6iSaukAccrMtXEY/Lb7OvavDhOWME589bpLrEdnVHjfjA==",
       "license": "MIT",
       "engines": {
-        "node": ">=14.0.0"
+        "node": ">=14.0.0"
+      }
+    },
+    "node_modules/knip": {
+      "version": "6.0.6",
+      "resolved": "https://registry.npmjs.org/knip/-/knip-6.0.6.tgz",
+      "integrity": "sha512-PA+r1mTDLHH3eShlffn2ZDyH1hHvmgDj7JsTP3JKuhV/jZTyHbRkGcOd+uaSxfJZmcZyOE5zw3naP33WllTIlA==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/webpro"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/knip"
+        }
+      ],
+      "license": "ISC",
+      "dependencies": {
+        "@nodelib/fs.walk": "^1.2.3",
+        "fast-glob": "^3.3.3",
+        "formatly": "^0.3.0",
+        "get-tsconfig": "4.13.7",
+        "jiti": "^2.6.0",
+        "minimist": "^1.2.8",
+        "oxc-parser": "^0.120.0",
+        "oxc-resolver": "^11.19.1",
+        "picocolors": "^1.1.1",
+        "picomatch": "^4.0.1",
+        "smol-toml": "^1.5.2",
+        "strip-json-comments": "5.0.3",
+        "unbash": "^2.2.0",
+        "yaml": "^2.8.2",
+        "zod": "^4.1.11"
+      },
+      "bin": {
+        "knip": "bin/knip.js",
+        "knip-bun": "bin/knip-bun.js"
+      },
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/lightningcss": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss/-/lightningcss-1.32.0.tgz",
+      "integrity": "sha512-NXYBzinNrblfraPGyrbPoD19C1h9lfI/1mzgWYvXUTe414Gz/X1FD2XBZSZM7rRTrMA8JL3OtAaGifrIKhQ5yQ==",
+      "dev": true,
+      "license": "MPL-2.0",
+      "dependencies": {
+        "detect-libc": "^2.0.3"
+      },
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      },
+      "optionalDependencies": {
+        "lightningcss-android-arm64": "1.32.0",
+        "lightningcss-darwin-arm64": "1.32.0",
+        "lightningcss-darwin-x64": "1.32.0",
+        "lightningcss-freebsd-x64": "1.32.0",
+        "lightningcss-linux-arm-gnueabihf": "1.32.0",
+        "lightningcss-linux-arm64-gnu": "1.32.0",
+        "lightningcss-linux-arm64-musl": "1.32.0",
+        "lightningcss-linux-x64-gnu": "1.32.0",
+        "lightningcss-linux-x64-musl": "1.32.0",
+        "lightningcss-win32-arm64-msvc": "1.32.0",
+        "lightningcss-win32-x64-msvc": "1.32.0"
+      }
+    },
+    "node_modules/lightningcss-android-arm64": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-android-arm64/-/lightningcss-android-arm64-1.32.0.tgz",
+      "integrity": "sha512-YK7/ClTt4kAK0vo6w3X+Pnm0D2cf2vPHbhOXdoNti1Ga0al1P4TBZhwjATvjNwLEBCnKvjJc2jQgHXH0NEwlAg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-darwin-arm64": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-darwin-arm64/-/lightningcss-darwin-arm64-1.32.0.tgz",
+      "integrity": "sha512-RzeG9Ju5bag2Bv1/lwlVJvBE3q6TtXskdZLLCyfg5pt+HLz9BqlICO7LZM7VHNTTn/5PRhHFBSjk5lc4cmscPQ==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-darwin-x64": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-darwin-x64/-/lightningcss-darwin-x64-1.32.0.tgz",
+      "integrity": "sha512-U+QsBp2m/s2wqpUYT/6wnlagdZbtZdndSmut/NJqlCcMLTWp5muCrID+K5UJ6jqD2BFshejCYXniPDbNh73V8w==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-freebsd-x64": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-freebsd-x64/-/lightningcss-freebsd-x64-1.32.0.tgz",
+      "integrity": "sha512-JCTigedEksZk3tHTTthnMdVfGf61Fky8Ji2E4YjUTEQX14xiy/lTzXnu1vwiZe3bYe0q+SpsSH/CTeDXK6WHig==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-linux-arm-gnueabihf": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm-gnueabihf/-/lightningcss-linux-arm-gnueabihf-1.32.0.tgz",
+      "integrity": "sha512-x6rnnpRa2GL0zQOkt6rts3YDPzduLpWvwAF6EMhXFVZXD4tPrBkEFqzGowzCsIWsPjqSK+tyNEODUBXeeVHSkw==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-linux-arm64-gnu": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-gnu/-/lightningcss-linux-arm64-gnu-1.32.0.tgz",
+      "integrity": "sha512-0nnMyoyOLRJXfbMOilaSRcLH3Jw5z9HDNGfT/gwCPgaDjnx0i8w7vBzFLFR1f6CMLKF8gVbebmkUN3fa/kQJpQ==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-linux-arm64-musl": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-musl/-/lightningcss-linux-arm64-musl-1.32.0.tgz",
+      "integrity": "sha512-UpQkoenr4UJEzgVIYpI80lDFvRmPVg6oqboNHfoH4CQIfNA+HOrZ7Mo7KZP02dC6LjghPQJeBsvXhJod/wnIBg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-linux-x64-gnu": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-x64-gnu/-/lightningcss-linux-x64-gnu-1.32.0.tgz",
+      "integrity": "sha512-V7Qr52IhZmdKPVr+Vtw8o+WLsQJYCTd8loIfpDaMRWGUZfBOYEJeyJIkqGIDMZPwPx24pUMfwSxxI8phr/MbOA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-linux-x64-musl": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-x64-musl/-/lightningcss-linux-x64-musl-1.32.0.tgz",
+      "integrity": "sha512-bYcLp+Vb0awsiXg/80uCRezCYHNg1/l3mt0gzHnWV9XP1W5sKa5/TCdGWaR/zBM2PeF/HbsQv/j2URNOiVuxWg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
       }
     },
-    "node_modules/knip": {
-      "version": "5.87.0",
-      "resolved": "https://registry.npmjs.org/knip/-/knip-5.87.0.tgz",
-      "integrity": "sha512-oJBrwd4/Mt5E6817vcdQLaPpejxZTxpASauYLkp6HaT0HN1seHnpF96KEjza9O8yARvHEQ9+So9AFUjkPci7dQ==",
+    "node_modules/lightningcss-win32-arm64-msvc": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-win32-arm64-msvc/-/lightningcss-win32-arm64-msvc-1.32.0.tgz",
+      "integrity": "sha512-8SbC8BR40pS6baCM8sbtYDSwEVQd4JlFTOlaD3gWGHfThTcABnNDBda6eTZeqbofalIJhFx0qKzgHJmcPTnGdw==",
+      "cpu": [
+        "arm64"
+      ],
       "dev": true,
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/webpro"
-        },
-        {
-          "type": "opencollective",
-          "url": "https://opencollective.com/knip"
-        }
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "win32"
       ],
-      "license": "ISC",
-      "dependencies": {
-        "@nodelib/fs.walk": "^1.2.3",
-        "fast-glob": "^3.3.3",
-        "formatly": "^0.3.0",
-        "jiti": "^2.6.0",
-        "minimist": "^1.2.8",
-        "oxc-resolver": "^11.19.1",
-        "picocolors": "^1.1.1",
-        "picomatch": "^4.0.1",
-        "smol-toml": "^1.5.2",
-        "strip-json-comments": "5.0.3",
-        "unbash": "^2.2.0",
-        "yaml": "^2.8.2",
-        "zod": "^4.1.11"
-      },
-      "bin": {
-        "knip": "bin/knip.js",
-        "knip-bun": "bin/knip-bun.js"
+      "engines": {
+        "node": ">= 12.0.0"
       },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-win32-x64-msvc": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-win32-x64-msvc/-/lightningcss-win32-x64-msvc-1.32.0.tgz",
+      "integrity": "sha512-Amq9B/SoZYdDi1kFrojnoqPLxYhQ4Wo5XiL8EVJrVsB8ARoC1PWW6VGtT0WKCemjy8aC+louJnjS7U18x3b06Q==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
       "engines": {
-        "node": ">=18.18.0"
+        "node": ">= 12.0.0"
       },
-      "peerDependencies": {
-        "@types/node": ">=18",
-        "typescript": ">=5.0.4 <7"
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
       }
     },
     "node_modules/lodash.camelcase": {
@@ -5417,6 +6779,13 @@
       "integrity": "sha512-TwuEnCnxbc3rAvhf/LbG7tJUDzhqXyFnv3dtzLOPgCG/hODL7WFnsbwktkD7yUV0RrreP/l1PALq/YSg6VvjlA==",
       "license": "MIT"
     },
+    "node_modules/lodash.groupby": {
+      "version": "4.6.0",
+      "resolved": "https://registry.npmjs.org/lodash.groupby/-/lodash.groupby-4.6.0.tgz",
+      "integrity": "sha512-5dcWxm23+VAoz+awKmBaiBvzox8+RqMgFhi7UvX9DHZr2HdxHXM/Wrf8cfKpsW37RNrvtPn6hSwNqurSILbmJw==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/lokijs": {
       "version": "1.5.12",
       "resolved": "https://registry.npmjs.org/lokijs/-/lokijs-1.5.12.tgz",
@@ -5430,10 +6799,14 @@
       "license": "Apache-2.0"
     },
     "node_modules/lru-cache": {
-      "version": "10.4.3",
-      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.4.3.tgz",
-      "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==",
-      "license": "ISC"
+      "version": "5.1.1",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-5.1.1.tgz",
+      "integrity": "sha512-KpNARQA3Iwv+jTA0utUVVbrh+Jlrr1Fv0e56GGzAFOXN7dk/FviaDW8LHmK52DlcH4WP2n6gI8vN1aesBFgo9w==",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "yallist": "^3.0.2"
+      }
     },
     "node_modules/luxon": {
       "version": "3.7.2",
@@ -5543,19 +6916,6 @@
         "node": ">=8.6"
       }
     },
-    "node_modules/micromatch/node_modules/picomatch": {
-      "version": "2.3.1",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
-      "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=8.6"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/jonschlinkert"
-      }
-    },
     "node_modules/mime-db": {
       "version": "1.54.0",
       "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.54.0.tgz",
@@ -5581,6 +6941,13 @@
         "url": "https://opencollective.com/express"
       }
     },
+    "node_modules/minimalistic-assert": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/minimalistic-assert/-/minimalistic-assert-1.0.1.tgz",
+      "integrity": "sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A==",
+      "dev": true,
+      "license": "ISC"
+    },
     "node_modules/minimatch": {
       "version": "10.2.4",
       "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.4.tgz",
@@ -5676,78 +7043,85 @@
         "process-nextick-args": "^2.0.1"
       }
     },
-    "node_modules/mqtt-packet/node_modules/debug": {
-      "version": "4.4.3",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz",
-      "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==",
+    "node_modules/mqtt/node_modules/lru-cache": {
+      "version": "10.4.3",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.4.3.tgz",
+      "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==",
+      "license": "ISC"
+    },
+    "node_modules/mqtt/node_modules/readable-stream": {
+      "version": "4.7.0",
+      "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-4.7.0.tgz",
+      "integrity": "sha512-oIGGmcpTLwPga8Bn6/Z75SVaH1z5dUut2ibSyAMVhmUggWpmDn2dapB0n7f8nwaSiRtepAsfJyfXIO5DCVAODg==",
       "license": "MIT",
       "dependencies": {
-        "ms": "^2.1.3"
+        "abort-controller": "^3.0.0",
+        "buffer": "^6.0.3",
+        "events": "^3.3.0",
+        "process": "^0.11.10",
+        "string_decoder": "^1.3.0"
       },
       "engines": {
-        "node": ">=6.0"
-      },
-      "peerDependenciesMeta": {
-        "supports-color": {
-          "optional": true
-        }
+        "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
       }
     },
-    "node_modules/mqtt-packet/node_modules/ms": {
+    "node_modules/ms": {
       "version": "2.1.3",
       "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
       "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
       "license": "MIT"
     },
-    "node_modules/mqtt/node_modules/debug": {
-      "version": "4.4.3",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz",
-      "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==",
-      "license": "MIT",
+    "node_modules/mutation-server-protocol": {
+      "version": "0.4.1",
+      "resolved": "https://registry.npmjs.org/mutation-server-protocol/-/mutation-server-protocol-0.4.1.tgz",
+      "integrity": "sha512-SBGK0j8hLDne7bktgThKI8kGvGTx3rY3LAeQTmOKZ5bVnL/7TorLMvcVF7dIPJCu5RNUWhkkuF53kurygYVt3g==",
+      "dev": true,
+      "license": "Apache-2.0",
       "dependencies": {
-        "ms": "^2.1.3"
+        "zod": "^4.1.12"
       },
       "engines": {
-        "node": ">=6.0"
-      },
-      "peerDependenciesMeta": {
-        "supports-color": {
-          "optional": true
-        }
+        "node": ">=18"
       }
     },
-    "node_modules/mqtt/node_modules/ms": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
-      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
-      "license": "MIT"
+    "node_modules/mutation-testing-elements": {
+      "version": "3.7.2",
+      "resolved": "https://registry.npmjs.org/mutation-testing-elements/-/mutation-testing-elements-3.7.2.tgz",
+      "integrity": "sha512-i7X2Q4X5eYon72W2QQ9HND7plVhQcqTnv+Xc3KeYslRZSJ4WYJoal8LFdbWm7dKWLNE0rYkCUrvboasWzF3MMA==",
+      "dev": true,
+      "license": "Apache-2.0"
     },
-    "node_modules/mqtt/node_modules/readable-stream": {
-      "version": "4.7.0",
-      "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-4.7.0.tgz",
-      "integrity": "sha512-oIGGmcpTLwPga8Bn6/Z75SVaH1z5dUut2ibSyAMVhmUggWpmDn2dapB0n7f8nwaSiRtepAsfJyfXIO5DCVAODg==",
-      "license": "MIT",
+    "node_modules/mutation-testing-metrics": {
+      "version": "3.7.2",
+      "resolved": "https://registry.npmjs.org/mutation-testing-metrics/-/mutation-testing-metrics-3.7.2.tgz",
+      "integrity": "sha512-ichXZSC4FeJbcVHYOWzWUhNuTJGogc0WiQol8lqEBrBSp+ADl3fmcZMqrx0ogInEUiImn+A8JyTk6uh9vd25TQ==",
+      "dev": true,
+      "license": "Apache-2.0",
       "dependencies": {
-        "abort-controller": "^3.0.0",
-        "buffer": "^6.0.3",
-        "events": "^3.3.0",
-        "process": "^0.11.10",
-        "string_decoder": "^1.3.0"
-      },
-      "engines": {
-        "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
+        "mutation-testing-report-schema": "3.7.2"
       }
     },
-    "node_modules/ms": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
-      "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==",
-      "license": "MIT"
+    "node_modules/mutation-testing-report-schema": {
+      "version": "3.7.2",
+      "resolved": "https://registry.npmjs.org/mutation-testing-report-schema/-/mutation-testing-report-schema-3.7.2.tgz",
+      "integrity": "sha512-fN5M61SDzIOeJyatMOhGPLDOFz5BQIjTNPjo4PcHIEUWrejO4i4B5PFuQ/2l43709hEsTxeiXX00H73WERKcDw==",
+      "dev": true,
+      "license": "Apache-2.0"
+    },
+    "node_modules/mute-stream": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/mute-stream/-/mute-stream-3.0.0.tgz",
+      "integrity": "sha512-dkEJPVvun4FryqBmZ5KhDo0K9iDXAwn08tMLDinNdRBNPcYEDiWYysLcc6k3mjTMlbP9KyylvRpd4wFtwrT9rw==",
+      "dev": true,
+      "license": "ISC",
+      "engines": {
+        "node": "^20.17.0 || >=22.9.0"
+      }
     },
     "node_modules/nan": {
-      "version": "2.25.0",
-      "resolved": "https://registry.npmjs.org/nan/-/nan-2.25.0.tgz",
-      "integrity": "sha512-0M90Ag7Xn5KMLLZ7zliPWP3rT90P6PN+IzVFS0VqmnPktBk3700xUVv8Ikm9EUaUE5SDWdp/BIxdENzVznpm1g==",
+      "version": "2.26.2",
+      "resolved": "https://registry.npmjs.org/nan/-/nan-2.26.2.tgz",
+      "integrity": "sha512-0tTvBTYkt3tdGw22nrAy50x7gpbGCCFH3AFcyS5WiUu7Eu4vWlri1woE6qHBSfy11vksDqkiwjOnlR7WV8G1Hw==",
       "license": "MIT",
       "optional": true
     },
@@ -5797,10 +7171,17 @@
         "node": ">=6.0.0"
       }
     },
+    "node_modules/node-releases": {
+      "version": "2.0.36",
+      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.36.tgz",
+      "integrity": "sha512-TdC8FSgHz8Mwtw9g5L4gR/Sh9XhSP/0DEkQxfEFXOpiul5IiHgHan2VhYYb6agDSfp4KuvltmGApc8HMgUrIkA==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/nodemailer": {
-      "version": "8.0.2",
-      "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-8.0.2.tgz",
-      "integrity": "sha512-zbj002pZAIkWQFxyAaqoxvn+zoIwRnS40hgjqTXudKOOJkiFFgBeNqjgD3/YCR12sZnrghWYBY+yP1ZucdDRpw==",
+      "version": "8.0.4",
+      "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-8.0.4.tgz",
+      "integrity": "sha512-k+jf6N8PfQJ0Fe8ZhJlgqU5qJU44Lpvp2yvidH3vp1lPnVQMgi4yEEMPXg5eJS1gFIJTVq1NHBk7Ia9ARdSBdQ==",
       "license": "MIT-0",
       "engines": {
         "node": ">=6.0.0"
@@ -5835,24 +7216,6 @@
         "url": "https://opencollective.com/nodemon"
       }
     },
-    "node_modules/nodemon/node_modules/debug": {
-      "version": "4.4.3",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz",
-      "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "ms": "^2.1.3"
-      },
-      "engines": {
-        "node": ">=6.0"
-      },
-      "peerDependenciesMeta": {
-        "supports-color": {
-          "optional": true
-        }
-      }
-    },
     "node_modules/nodemon/node_modules/has-flag": {
       "version": "3.0.0",
       "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-3.0.0.tgz",
@@ -5863,13 +7226,6 @@
         "node": ">=4"
       }
     },
-    "node_modules/nodemon/node_modules/ms": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
-      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
-      "dev": true,
-      "license": "MIT"
-    },
     "node_modules/nodemon/node_modules/supports-color": {
       "version": "5.5.0",
       "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
@@ -5893,38 +7249,45 @@
         "node": ">=0.10.0"
       }
     },
-    "node_modules/number-allocator": {
-      "version": "1.0.14",
-      "resolved": "https://registry.npmjs.org/number-allocator/-/number-allocator-1.0.14.tgz",
-      "integrity": "sha512-OrL44UTVAvkKdOdRQZIJpLkAdjXGTRda052sN4sO77bKEzYYqWKMBjQvrJFzqygI99gL6Z4u2xctPW1tB8ErvA==",
+    "node_modules/npm-run-path": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/npm-run-path/-/npm-run-path-6.0.0.tgz",
+      "integrity": "sha512-9qny7Z9DsQU8Ou39ERsPU4OZQlSTP47ShQzuKZ6PRXpYLtIFgl/DEBYEXKlvcEa+9tHVcK8CF81Y2V72qaZhWA==",
+      "dev": true,
       "license": "MIT",
       "dependencies": {
-        "debug": "^4.3.1",
-        "js-sdsl": "4.3.0"
+        "path-key": "^4.0.0",
+        "unicorn-magic": "^0.3.0"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
       }
     },
-    "node_modules/number-allocator/node_modules/debug": {
-      "version": "4.4.3",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz",
-      "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==",
+    "node_modules/npm-run-path/node_modules/path-key": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/path-key/-/path-key-4.0.0.tgz",
+      "integrity": "sha512-haREypq7xkM7ErfgIyA0z+Bj4AGKlMSdlQE2jvJo6huWD1EdkKYV+G/T4nq0YEF2vgTT8kqMFKo1uHn950r4SQ==",
+      "dev": true,
       "license": "MIT",
-      "dependencies": {
-        "ms": "^2.1.3"
-      },
       "engines": {
-        "node": ">=6.0"
+        "node": ">=12"
       },
-      "peerDependenciesMeta": {
-        "supports-color": {
-          "optional": true
-        }
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
       }
     },
-    "node_modules/number-allocator/node_modules/ms": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
-      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
-      "license": "MIT"
+    "node_modules/number-allocator": {
+      "version": "1.0.14",
+      "resolved": "https://registry.npmjs.org/number-allocator/-/number-allocator-1.0.14.tgz",
+      "integrity": "sha512-OrL44UTVAvkKdOdRQZIJpLkAdjXGTRda052sN4sO77bKEzYYqWKMBjQvrJFzqygI99gL6Z4u2xctPW1tB8ErvA==",
+      "license": "MIT",
+      "dependencies": {
+        "debug": "^4.3.1",
+        "js-sdsl": "4.3.0"
+      }
     },
     "node_modules/oauth4webapi": {
       "version": "3.8.5",
@@ -6028,6 +7391,44 @@
         "url": "https://github.com/sponsors/panva"
       }
     },
+    "node_modules/oxc-parser": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/oxc-parser/-/oxc-parser-0.120.0.tgz",
+      "integrity": "sha512-WyPWZlcIm+Fkte63FGfgFB8mAAk33aH9h5N9lphXVOHSXEBFFsmYdOBedVKly363aWABjZdaj/m9lBfEY4wt+w==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@oxc-project/types": "^0.120.0"
+      },
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/Boshen"
+      },
+      "optionalDependencies": {
+        "@oxc-parser/binding-android-arm-eabi": "0.120.0",
+        "@oxc-parser/binding-android-arm64": "0.120.0",
+        "@oxc-parser/binding-darwin-arm64": "0.120.0",
+        "@oxc-parser/binding-darwin-x64": "0.120.0",
+        "@oxc-parser/binding-freebsd-x64": "0.120.0",
+        "@oxc-parser/binding-linux-arm-gnueabihf": "0.120.0",
+        "@oxc-parser/binding-linux-arm-musleabihf": "0.120.0",
+        "@oxc-parser/binding-linux-arm64-gnu": "0.120.0",
+        "@oxc-parser/binding-linux-arm64-musl": "0.120.0",
+        "@oxc-parser/binding-linux-ppc64-gnu": "0.120.0",
+        "@oxc-parser/binding-linux-riscv64-gnu": "0.120.0",
+        "@oxc-parser/binding-linux-riscv64-musl": "0.120.0",
+        "@oxc-parser/binding-linux-s390x-gnu": "0.120.0",
+        "@oxc-parser/binding-linux-x64-gnu": "0.120.0",
+        "@oxc-parser/binding-linux-x64-musl": "0.120.0",
+        "@oxc-parser/binding-openharmony-arm64": "0.120.0",
+        "@oxc-parser/binding-wasm32-wasi": "0.120.0",
+        "@oxc-parser/binding-win32-arm64-msvc": "0.120.0",
+        "@oxc-parser/binding-win32-ia32-msvc": "0.120.0",
+        "@oxc-parser/binding-win32-x64-msvc": "0.120.0"
+      }
+    },
     "node_modules/oxc-resolver": {
       "version": "11.19.1",
       "resolved": "https://registry.npmjs.org/oxc-resolver/-/oxc-resolver-11.19.1.tgz",
@@ -6137,6 +7538,19 @@
       "integrity": "sha512-sxJ3KBv/8dXZ+E2cbJFFI9rLqgxtRgRuMv534b1g7hdWRxoB8tudlyyWONafEHO8itQSM0XWfMDodykLWAh5kQ==",
       "license": "LGPL-3.0-or-later"
     },
+    "node_modules/parse-ms": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/parse-ms/-/parse-ms-4.0.0.tgz",
+      "integrity": "sha512-TXfryirbmq34y8QBwgqCVLi+8oA3oWx2eAnSn62ITyEhEYaWRlVZ2DvMM9eZbMs/RfxPu/PK/aBLyGj4IrqMHw==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
     "node_modules/parseurl": {
       "version": "1.3.3",
       "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz",
@@ -6209,10 +7623,20 @@
         "node": ">=14.0.0"
       }
     },
+    "node_modules/path-key": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/path-key/-/path-key-3.1.1.tgz",
+      "integrity": "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      }
+    },
     "node_modules/path-to-regexp": {
-      "version": "8.3.0",
-      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.3.0.tgz",
-      "integrity": "sha512-7jdwVIRtsP8MYpdXSwOS0YdD0Du+qOoF/AEPIt88PcCFrZCzx41oxku1jD88hZBwbNUIEfpqvuhjFaMAqMTWnA==",
+      "version": "8.4.0",
+      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.4.0.tgz",
+      "integrity": "sha512-PuseHIvAnz3bjrM2rGJtSgo1zjgxapTLZ7x2pjhzWwlp4SJQgK3f3iZIQwkpEnBaKz6seKBADpM4B4ySkuYypg==",
       "license": "MIT",
       "funding": {
         "type": "opencollective",
@@ -6239,9 +7663,9 @@
       "license": "ISC"
     },
     "node_modules/picomatch": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
-      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -6313,9 +7737,9 @@
       "license": "MIT"
     },
     "node_modules/postcss": {
-      "version": "8.5.6",
-      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.6.tgz",
-      "integrity": "sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg==",
+      "version": "8.5.8",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.8.tgz",
+      "integrity": "sha512-OW/rX8O/jXnm82Ey1k44pObPtdblfiuWnrd8X7GJ7emImCOstunGbXUpp7HdBrFQX6rJzn3sPT397Wp5aCwCHg==",
       "dev": true,
       "funding": [
         {
@@ -6341,6 +7765,22 @@
         "node": "^10 || ^12 || >=14"
       }
     },
+    "node_modules/pretty-ms": {
+      "version": "9.3.0",
+      "resolved": "https://registry.npmjs.org/pretty-ms/-/pretty-ms-9.3.0.tgz",
+      "integrity": "sha512-gjVS5hOP+M3wMm5nmNOucbIrqudzs9v/57bWRHQWLYklXqoXKrVfYW2W9+glfGsqtPgpiz5WwyEEB+ksXIx3gQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "parse-ms": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
     "node_modules/process": {
       "version": "0.11.10",
       "resolved": "https://registry.npmjs.org/process/-/process-0.11.10.tgz",
@@ -6372,6 +7812,16 @@
       ],
       "license": "MIT"
     },
+    "node_modules/progress": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/progress/-/progress-2.0.3.tgz",
+      "integrity": "sha512-7PiHtLll5LdnKIMw100I+8xJXR5gW2QwWYkT6iJva0bXitZKa/XMrSbdmg3r2Xnaidz9Qumd0VPaMrZlF9V9sA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.4.0"
+      }
+    },
     "node_modules/prom-client": {
       "version": "15.1.3",
       "resolved": "https://registry.npmjs.org/prom-client/-/prom-client-15.1.3.tgz",
@@ -6446,9 +7896,9 @@
       }
     },
     "node_modules/pure-rand": {
-      "version": "8.2.0",
-      "resolved": "https://registry.npmjs.org/pure-rand/-/pure-rand-8.2.0.tgz",
-      "integrity": "sha512-KHnUjm68KSO/hqpWlVwagMDPrIjnDNY9r0DbKN79xEa5RU2MLUe0lICBGpWDF8cwmhUiN8r9A8DLGPVcFB62/A==",
+      "version": "8.3.0",
+      "resolved": "https://registry.npmjs.org/pure-rand/-/pure-rand-8.3.0.tgz",
+      "integrity": "sha512-1ws1Ab8fnsf4bvpL+SujgBnr3KFs5abgCLVzavBp+f2n8Ld5YTOZlkv/ccYPhu3X9s+MEeqPRMqKlJz/kWDK8A==",
       "dev": true,
       "funding": [
         {
@@ -6546,9 +7996,9 @@
       }
     },
     "node_modules/re2js": {
-      "version": "1.2.2",
-      "resolved": "https://registry.npmjs.org/re2js/-/re2js-1.2.2.tgz",
-      "integrity": "sha512-xvy4uuynAZWg9SuHbg0lgQncOuK6wssLmbHs8L8+YRbWLKY8Pe1avaHjNaFLOjErq8Oh0HvwQRWqIOCRL7uDDw==",
+      "version": "1.2.3",
+      "resolved": "https://registry.npmjs.org/re2js/-/re2js-1.2.3.tgz",
+      "integrity": "sha512-M2/7k8LkP+LmB/muGZXvAHiwhgwqq0Ign2UHCZkea39nHOakeixyMSfb7rql7N/6u5PTS+IpP2MKfRLJ4fed0g==",
       "license": "MIT"
     },
     "node_modules/readable-stream": {
@@ -6578,19 +8028,6 @@
         "node": ">=8.10.0"
       }
     },
-    "node_modules/readdirp/node_modules/picomatch": {
-      "version": "2.3.1",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
-      "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=8.6"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/jonschlinkert"
-      }
-    },
     "node_modules/real-require": {
       "version": "0.2.0",
       "resolved": "https://registry.npmjs.org/real-require/-/real-require-0.2.0.tgz",
@@ -6618,6 +8055,16 @@
         "node": ">=0.10.0"
       }
     },
+    "node_modules/resolve-pkg-maps": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/resolve-pkg-maps/-/resolve-pkg-maps-1.0.0.tgz",
+      "integrity": "sha512-seS2Tj26TBVOC2NIc2rOe2y2ZO7efxITtLZcGSOnHHNOQ7CkiUBfw0Iw2ck6xkIhPwLhKNLS8BO+hEpngQlqzw==",
+      "dev": true,
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/privatenumber/resolve-pkg-maps?sponsor=1"
+      }
+    },
     "node_modules/retry": {
       "version": "0.13.1",
       "resolved": "https://registry.npmjs.org/retry/-/retry-0.13.1.tgz",
@@ -6644,49 +8091,48 @@
       "integrity": "sha512-q1b3N5QkRUWUl7iyylaaj3kOpIT0N2i9MqIEQXP73GVsN9cw3fdx8X63cEmWhJGi2PPCF23Ijp7ktmd39rawIA==",
       "license": "MIT"
     },
-    "node_modules/rollup": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.59.0.tgz",
-      "integrity": "sha512-2oMpl67a3zCH9H79LeMcbDhXW/UmWG/y2zuqnF2jQq5uq9TbM9TVyXvA4+t+ne2IIkBdrLpAaRQAvo7YI/Yyeg==",
+    "node_modules/rolldown": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/rolldown/-/rolldown-1.0.0-rc.12.tgz",
+      "integrity": "sha512-yP4USLIMYrwpPHEFB5JGH1uxhcslv6/hL0OyvTuY+3qlOSJvZ7ntYnoWpehBxufkgN0cvXxppuTu5hHa/zPh+A==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@types/estree": "1.0.8"
+        "@oxc-project/types": "=0.122.0",
+        "@rolldown/pluginutils": "1.0.0-rc.12"
       },
       "bin": {
-        "rollup": "dist/bin/rollup"
+        "rolldown": "bin/cli.mjs"
       },
       "engines": {
-        "node": ">=18.0.0",
-        "npm": ">=8.0.0"
+        "node": "^20.19.0 || >=22.12.0"
       },
       "optionalDependencies": {
-        "@rollup/rollup-android-arm-eabi": "4.59.0",
-        "@rollup/rollup-android-arm64": "4.59.0",
-        "@rollup/rollup-darwin-arm64": "4.59.0",
-        "@rollup/rollup-darwin-x64": "4.59.0",
-        "@rollup/rollup-freebsd-arm64": "4.59.0",
-        "@rollup/rollup-freebsd-x64": "4.59.0",
-        "@rollup/rollup-linux-arm-gnueabihf": "4.59.0",
-        "@rollup/rollup-linux-arm-musleabihf": "4.59.0",
-        "@rollup/rollup-linux-arm64-gnu": "4.59.0",
-        "@rollup/rollup-linux-arm64-musl": "4.59.0",
-        "@rollup/rollup-linux-loong64-gnu": "4.59.0",
-        "@rollup/rollup-linux-loong64-musl": "4.59.0",
-        "@rollup/rollup-linux-ppc64-gnu": "4.59.0",
-        "@rollup/rollup-linux-ppc64-musl": "4.59.0",
-        "@rollup/rollup-linux-riscv64-gnu": "4.59.0",
-        "@rollup/rollup-linux-riscv64-musl": "4.59.0",
-        "@rollup/rollup-linux-s390x-gnu": "4.59.0",
-        "@rollup/rollup-linux-x64-gnu": "4.59.0",
-        "@rollup/rollup-linux-x64-musl": "4.59.0",
-        "@rollup/rollup-openbsd-x64": "4.59.0",
-        "@rollup/rollup-openharmony-arm64": "4.59.0",
-        "@rollup/rollup-win32-arm64-msvc": "4.59.0",
-        "@rollup/rollup-win32-ia32-msvc": "4.59.0",
-        "@rollup/rollup-win32-x64-gnu": "4.59.0",
-        "@rollup/rollup-win32-x64-msvc": "4.59.0",
-        "fsevents": "~2.3.2"
+        "@rolldown/binding-android-arm64": "1.0.0-rc.12",
+        "@rolldown/binding-darwin-arm64": "1.0.0-rc.12",
+        "@rolldown/binding-darwin-x64": "1.0.0-rc.12",
+        "@rolldown/binding-freebsd-x64": "1.0.0-rc.12",
+        "@rolldown/binding-linux-arm-gnueabihf": "1.0.0-rc.12",
+        "@rolldown/binding-linux-arm64-gnu": "1.0.0-rc.12",
+        "@rolldown/binding-linux-arm64-musl": "1.0.0-rc.12",
+        "@rolldown/binding-linux-ppc64-gnu": "1.0.0-rc.12",
+        "@rolldown/binding-linux-s390x-gnu": "1.0.0-rc.12",
+        "@rolldown/binding-linux-x64-gnu": "1.0.0-rc.12",
+        "@rolldown/binding-linux-x64-musl": "1.0.0-rc.12",
+        "@rolldown/binding-openharmony-arm64": "1.0.0-rc.12",
+        "@rolldown/binding-wasm32-wasi": "1.0.0-rc.12",
+        "@rolldown/binding-win32-arm64-msvc": "1.0.0-rc.12",
+        "@rolldown/binding-win32-x64-msvc": "1.0.0-rc.12"
+      }
+    },
+    "node_modules/rolldown/node_modules/@oxc-project/types": {
+      "version": "0.122.0",
+      "resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.122.0.tgz",
+      "integrity": "sha512-oLAl5kBpV4w69UtFZ9xqcmTi+GENWOcPF7FCrczTiBbmC0ibXxCwyvZGbO39rCVEuLGAZM84DH0pUIyyv/YJzA==",
+      "dev": true,
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/Boshen"
       }
     },
     "node_modules/router": {
@@ -6705,29 +8151,6 @@
         "node": ">= 18"
       }
     },
-    "node_modules/router/node_modules/debug": {
-      "version": "4.4.3",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz",
-      "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==",
-      "license": "MIT",
-      "dependencies": {
-        "ms": "^2.1.3"
-      },
-      "engines": {
-        "node": ">=6.0"
-      },
-      "peerDependenciesMeta": {
-        "supports-color": {
-          "optional": true
-        }
-      }
-    },
-    "node_modules/router/node_modules/ms": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
-      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
-      "license": "MIT"
-    },
     "node_modules/run-parallel": {
       "version": "1.2.0",
       "resolved": "https://registry.npmjs.org/run-parallel/-/run-parallel-1.2.0.tgz",
@@ -6752,6 +8175,16 @@
         "queue-microtask": "^1.2.2"
       }
     },
+    "node_modules/rxjs": {
+      "version": "7.8.2",
+      "resolved": "https://registry.npmjs.org/rxjs/-/rxjs-7.8.2.tgz",
+      "integrity": "sha512-dhKf903U/PQZY6boNNtAGdWbG85WAbjT/1xYoZIC7FAY0yWapOBQVsVrDl58W86//e1VpMNBtRV4MaXfdMySFA==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "tslib": "^2.1.0"
+      }
+    },
     "node_modules/safe-buffer": {
       "version": "5.2.1",
       "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz",
@@ -6841,29 +8274,6 @@
         "url": "https://opencollective.com/express"
       }
     },
-    "node_modules/send/node_modules/debug": {
-      "version": "4.4.3",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz",
-      "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==",
-      "license": "MIT",
-      "dependencies": {
-        "ms": "^2.1.3"
-      },
-      "engines": {
-        "node": ">=6.0"
-      },
-      "peerDependenciesMeta": {
-        "supports-color": {
-          "optional": true
-        }
-      }
-    },
-    "node_modules/send/node_modules/ms": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
-      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
-      "license": "MIT"
-    },
     "node_modules/serve-static": {
       "version": "2.2.1",
       "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-2.2.1.tgz",
@@ -6924,6 +8334,29 @@
       "integrity": "sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw==",
       "license": "ISC"
     },
+    "node_modules/shebang-command": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz",
+      "integrity": "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "shebang-regex": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/shebang-regex": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/shebang-regex/-/shebang-regex-3.0.0.tgz",
+      "integrity": "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      }
+    },
     "node_modules/side-channel": {
       "version": "1.1.0",
       "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.1.0.tgz",
@@ -7003,6 +8436,19 @@
       "dev": true,
       "license": "ISC"
     },
+    "node_modules/signal-exit": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz",
+      "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==",
+      "dev": true,
+      "license": "ISC",
+      "engines": {
+        "node": ">=14"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
     "node_modules/simple-update-notifier": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/simple-update-notifier/-/simple-update-notifier-2.0.0.tgz",
@@ -7027,9 +8473,9 @@
       }
     },
     "node_modules/smol-toml": {
-      "version": "1.6.0",
-      "resolved": "https://registry.npmjs.org/smol-toml/-/smol-toml-1.6.0.tgz",
-      "integrity": "sha512-4zemZi0HvTnYwLfrpk/CF9LOd9Lt87kAt50GnqhMpyF9U3poDAP2+iukq2bZsO/ufegbYehBkqINbsWxj4l4cw==",
+      "version": "1.6.1",
+      "resolved": "https://registry.npmjs.org/smol-toml/-/smol-toml-1.6.1.tgz",
+      "integrity": "sha512-dWUG8F5sIIARXih1DTaQAX4SsiTXhInKf1buxdY9DIg4ZYPZK5nGM1VRIYmEbDbsHt7USo99xSLFu5Q1IqTmsg==",
       "dev": true,
       "license": "BSD-3-Clause",
       "engines": {
@@ -7068,6 +8514,16 @@
       "integrity": "sha512-lEHZvTQFC0EyNl/9VfeZADrpCuYAiXlezIeuLrqRco54WJekyDuf0DFRCEXvt4fkSTbGdNOszB1g681PgQgR4w==",
       "license": "MIT"
     },
+    "node_modules/source-map": {
+      "version": "0.7.6",
+      "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.7.6.tgz",
+      "integrity": "sha512-i5uvt8C3ikiWeNZSVZNWcfZPItFQOsYTUAOkcUPGd8DqDy1uOUikjt5dG+uRlwyvR108Fb9DOd4GvXfT0N2/uQ==",
+      "dev": true,
+      "license": "BSD-3-Clause",
+      "engines": {
+        "node": ">= 12"
+      }
+    },
     "node_modules/source-map-js": {
       "version": "1.2.1",
       "resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.2.1.tgz",
@@ -7156,6 +8612,12 @@
         "node": ">=8"
       }
     },
+    "node_modules/string-width/node_modules/emoji-regex": {
+      "version": "8.0.0",
+      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz",
+      "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==",
+      "license": "MIT"
+    },
     "node_modules/strip-ansi": {
       "version": "6.0.1",
       "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
@@ -7168,6 +8630,19 @@
         "node": ">=8"
       }
     },
+    "node_modules/strip-final-newline": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/strip-final-newline/-/strip-final-newline-4.0.0.tgz",
+      "integrity": "sha512-aulFJcD6YK8V1G7iRB5tigAP4TsHBZZrOV8pjV++zdUwmeV8uzbY7yn6h9MswN62adStNZFuCIx4haBnRuMDaw==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
     "node_modules/strip-json-comments": {
       "version": "5.0.3",
       "resolved": "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-5.0.3.tgz",
@@ -7181,9 +8656,9 @@
       }
     },
     "node_modules/strnum": {
-      "version": "2.2.0",
-      "resolved": "https://registry.npmjs.org/strnum/-/strnum-2.2.0.tgz",
-      "integrity": "sha512-Y7Bj8XyJxnPAORMZj/xltsfo55uOiyHcU2tnAVzHUnSJR/KsEX+9RoDeXEnsXtl/CX4fAcrt64gZ13aGaWPeBg==",
+      "version": "2.2.2",
+      "resolved": "https://registry.npmjs.org/strnum/-/strnum-2.2.2.tgz",
+      "integrity": "sha512-DnR90I+jtXNSTXWdwrEy9FakW7UX+qUZg28gj5fk2vxxl7uS/3bpI4fjFYVmdK9etptYBPNkpahuQnEwhwECqA==",
       "funding": [
         {
           "type": "github",
@@ -7297,9 +8772,9 @@
       "license": "MIT"
     },
     "node_modules/tinyexec": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/tinyexec/-/tinyexec-1.0.2.tgz",
-      "integrity": "sha512-W/KYk+NFhkmsYpuHq5JykngiOCnxeVL8v8dFnqxSD8qEEdRfXk1SDM6JzNqcERbcGYj9tMrDQBYV9cjgnunFIg==",
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/tinyexec/-/tinyexec-1.0.4.tgz",
+      "integrity": "sha512-u9r3uZC0bdpGOXtlxUIdwf9pkmvhqJdrVCH9fapQtgy/OeTTMZ1nqH7agtvEfmGui6e1XxjcdrlxvxJvc3sMqw==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -7324,9 +8799,9 @@
       }
     },
     "node_modules/tinyrainbow": {
-      "version": "3.0.3",
-      "resolved": "https://registry.npmjs.org/tinyrainbow/-/tinyrainbow-3.0.3.tgz",
-      "integrity": "sha512-PSkbLUoxOFRzJYjjxHJt9xro7D+iilgMX/C9lawzVuYiIdcihh9DXmVibBe8lmcFrRi/VzlPjBxbN7rH24q8/Q==",
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/tinyrainbow/-/tinyrainbow-3.1.0.tgz",
+      "integrity": "sha512-Bf+ILmBgretUrdJxzXM0SgXLZ3XfiaUuOj/IKQHuTXip+05Xn+uyEYdVg0kYDipTBcLrCVyUzAPz7QmArb0mmw==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -7365,6 +8840,16 @@
         "nodetouch": "bin/nodetouch.js"
       }
     },
+    "node_modules/tree-kill": {
+      "version": "1.2.2",
+      "resolved": "https://registry.npmjs.org/tree-kill/-/tree-kill-1.2.2.tgz",
+      "integrity": "sha512-L0Orpi8qGpRG//Nd+H90vFB+3iHnue1zSSGmNOOCh1GLJ7rUKVwV2HvijphGQS2UmhUZewS9VgvxYIdgr+fG1A==",
+      "dev": true,
+      "license": "MIT",
+      "bin": {
+        "tree-kill": "cli.js"
+      }
+    },
     "node_modules/ts-node": {
       "version": "10.9.2",
       "resolved": "https://registry.npmjs.org/ts-node/-/ts-node-10.9.2.tgz",
@@ -7415,6 +8900,16 @@
       "integrity": "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==",
       "license": "0BSD"
     },
+    "node_modules/tunnel": {
+      "version": "0.0.6",
+      "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
+      "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.6.11 <=0.7.0 || >=0.7.3"
+      }
+    },
     "node_modules/tweetnacl": {
       "version": "0.14.5",
       "resolved": "https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz",
@@ -7435,6 +8930,33 @@
         "node": ">= 0.6"
       }
     },
+    "node_modules/typed-inject": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/typed-inject/-/typed-inject-5.0.0.tgz",
+      "integrity": "sha512-0Ql2ORqBORLMdAW89TQKZsb1PQkFGImFfVmncXWe7a+AA3+7dh7Se9exxZowH4kbnlvKEFkMxUYdHUpjYWFJaA==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/typed-rest-client": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/typed-rest-client/-/typed-rest-client-2.2.0.tgz",
+      "integrity": "sha512-/e2Rk9g20N0r44kaQLb3v6QGuryOD8SPb53t43Y5kqXXA+SqWuU7zLiMxetw61jNn/JFrxTdr5nPDhGY/eTNhQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "des.js": "^1.1.0",
+        "js-md4": "^0.3.2",
+        "qs": "^6.14.1",
+        "tunnel": "0.0.6",
+        "underscore": "^1.12.1"
+      },
+      "engines": {
+        "node": ">= 16.0.0"
+      }
+    },
     "node_modules/typedarray": {
       "version": "0.0.6",
       "resolved": "https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz",
@@ -7484,10 +9006,17 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/underscore": {
+      "version": "1.13.8",
+      "resolved": "https://registry.npmjs.org/underscore/-/underscore-1.13.8.tgz",
+      "integrity": "sha512-DXtD3ZtEQzc7M8m4cXotyHR+FAS18C64asBYY5vqZexfYryNNnDc02W4hKg3rdQuqOYas1jkseX0+nZXjTXnvQ==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/undici": {
-      "version": "7.24.4",
-      "resolved": "https://registry.npmjs.org/undici/-/undici-7.24.4.tgz",
-      "integrity": "sha512-BM/JzwwaRXxrLdElV2Uo6cTLEjhSb3WXboncJamZ15NgUURmvlXvxa6xkwIOILIjPNo9i8ku136ZvWV0Uly8+w==",
+      "version": "7.24.6",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-7.24.6.tgz",
+      "integrity": "sha512-Xi4agocCbRzt0yYMZGMA6ApD7gvtUFaxm4ZmeacWI4cZxaF6C+8I8QfofC20NAePiB/IcvZmzkJ7XPa471AEtA==",
       "license": "MIT",
       "engines": {
         "node": ">=20.18.1"
@@ -7499,6 +9028,19 @@
       "integrity": "sha512-AsuCzffGHJybSaRrmr5eHr81mwJU3kjw6M+uprWvCXiNeN9SOGwQ3Jn8jb8m3Z6izVgknn1R0FTCEAP2QrLY/w==",
       "license": "MIT"
     },
+    "node_modules/unicorn-magic": {
+      "version": "0.3.0",
+      "resolved": "https://registry.npmjs.org/unicorn-magic/-/unicorn-magic-0.3.0.tgz",
+      "integrity": "sha512-+QBBXBCvifc56fsbuxZQ6Sic3wqqc3WWaqxs58gvJrcOuN83HGTCwz3oS5phzU9LthRNE9VrJCFCLUgHeeFnfA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
     "node_modules/unix-crypt-td-js": {
       "version": "1.1.4",
       "resolved": "https://registry.npmjs.org/unix-crypt-td-js/-/unix-crypt-td-js-1.1.4.tgz",
@@ -7514,6 +9056,37 @@
         "node": ">= 0.8"
       }
     },
+    "node_modules/update-browserslist-db": {
+      "version": "1.2.3",
+      "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.2.3.tgz",
+      "integrity": "sha512-Js0m9cx+qOgDxo0eMiFGEueWztz+d4+M3rGlmKPT+T4IS/jP4ylw3Nwpu6cpTTP8R1MAC1kF4VbdLt3ARf209w==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/browserslist"
+        },
+        {
+          "type": "tidelift",
+          "url": "https://tidelift.com/funding/github/npm/browserslist"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
+      "license": "MIT",
+      "dependencies": {
+        "escalade": "^3.2.0",
+        "picocolors": "^1.1.1"
+      },
+      "bin": {
+        "update-browserslist-db": "cli.js"
+      },
+      "peerDependencies": {
+        "browserslist": ">= 4.21.0"
+      }
+    },
     "node_modules/util-deprecate": {
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz",
@@ -7559,17 +9132,16 @@
       }
     },
     "node_modules/vite": {
-      "version": "7.3.1",
-      "resolved": "https://registry.npmjs.org/vite/-/vite-7.3.1.tgz",
-      "integrity": "sha512-w+N7Hifpc3gRjZ63vYBXA56dvvRlNWRczTdmCBBa+CotUzAPf5b7YMdMR/8CQoeYE5LX3W4wj6RYTgonm1b9DA==",
+      "version": "8.0.3",
+      "resolved": "https://registry.npmjs.org/vite/-/vite-8.0.3.tgz",
+      "integrity": "sha512-B9ifbFudT1TFhfltfaIPgjo9Z3mDynBTJSUYxTjOQruf/zHH+ezCQKcoqO+h7a9Pw9Nm/OtlXAiGT1axBgwqrQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "esbuild": "^0.27.0",
-        "fdir": "^6.5.0",
-        "picomatch": "^4.0.3",
-        "postcss": "^8.5.6",
-        "rollup": "^4.43.0",
+        "lightningcss": "^1.32.0",
+        "picomatch": "^4.0.4",
+        "postcss": "^8.5.8",
+        "rolldown": "1.0.0-rc.12",
         "tinyglobby": "^0.2.15"
       },
       "bin": {
@@ -7586,9 +9158,10 @@
       },
       "peerDependencies": {
         "@types/node": "^20.19.0 || >=22.12.0",
+        "@vitejs/devtools": "^0.1.0",
+        "esbuild": "^0.27.0",
         "jiti": ">=1.21.0",
         "less": "^4.0.0",
-        "lightningcss": "^1.21.0",
         "sass": "^1.70.0",
         "sass-embedded": "^1.70.0",
         "stylus": ">=0.54.8",
@@ -7601,13 +9174,16 @@
         "@types/node": {
           "optional": true
         },
-        "jiti": {
+        "@vitejs/devtools": {
           "optional": true
         },
-        "less": {
+        "esbuild": {
+          "optional": true
+        },
+        "jiti": {
           "optional": true
         },
-        "lightningcss": {
+        "less": {
           "optional": true
         },
         "sass": {
@@ -7634,19 +9210,19 @@
       }
     },
     "node_modules/vitest": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/vitest/-/vitest-4.1.0.tgz",
-      "integrity": "sha512-YbDrMF9jM2Lqc++2530UourxZHmkKLxrs4+mYhEwqWS97WJ7wOYEkcr+QfRgJ3PW9wz3odRijLZjHEaRLTNbqw==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/vitest/-/vitest-4.1.2.tgz",
+      "integrity": "sha512-xjR1dMTVHlFLh98JE3i/f/WePqJsah4A0FK9cc8Ehp9Udk0AZk6ccpIZhh1qJ/yxVWRZ+Q54ocnD8TXmkhspGg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@vitest/expect": "4.1.0",
-        "@vitest/mocker": "4.1.0",
-        "@vitest/pretty-format": "4.1.0",
-        "@vitest/runner": "4.1.0",
-        "@vitest/snapshot": "4.1.0",
-        "@vitest/spy": "4.1.0",
-        "@vitest/utils": "4.1.0",
+        "@vitest/expect": "4.1.2",
+        "@vitest/mocker": "4.1.2",
+        "@vitest/pretty-format": "4.1.2",
+        "@vitest/runner": "4.1.2",
+        "@vitest/snapshot": "4.1.2",
+        "@vitest/spy": "4.1.2",
+        "@vitest/utils": "4.1.2",
         "es-module-lexer": "^2.0.0",
         "expect-type": "^1.3.0",
         "magic-string": "^0.30.21",
@@ -7657,8 +9233,8 @@
         "tinybench": "^2.9.0",
         "tinyexec": "^1.0.2",
         "tinyglobby": "^0.2.15",
-        "tinyrainbow": "^3.0.3",
-        "vite": "^6.0.0 || ^7.0.0 || ^8.0.0-0",
+        "tinyrainbow": "^3.1.0",
+        "vite": "^6.0.0 || ^7.0.0 || ^8.0.0",
         "why-is-node-running": "^2.3.0"
       },
       "bin": {
@@ -7674,13 +9250,13 @@
         "@edge-runtime/vm": "*",
         "@opentelemetry/api": "^1.9.0",
         "@types/node": "^20.0.0 || ^22.0.0 || >=24.0.0",
-        "@vitest/browser-playwright": "4.1.0",
-        "@vitest/browser-preview": "4.1.0",
-        "@vitest/browser-webdriverio": "4.1.0",
-        "@vitest/ui": "4.1.0",
+        "@vitest/browser-playwright": "4.1.2",
+        "@vitest/browser-preview": "4.1.2",
+        "@vitest/browser-webdriverio": "4.1.2",
+        "@vitest/ui": "4.1.2",
         "happy-dom": "*",
         "jsdom": "*",
-        "vite": "^6.0.0 || ^7.0.0 || ^8.0.0-0"
+        "vite": "^6.0.0 || ^7.0.0 || ^8.0.0"
       },
       "peerDependenciesMeta": {
         "@edge-runtime/vm": {
@@ -7725,6 +9301,29 @@
         "node": "20 || >=22"
       }
     },
+    "node_modules/weapon-regex": {
+      "version": "1.3.6",
+      "resolved": "https://registry.npmjs.org/weapon-regex/-/weapon-regex-1.3.6.tgz",
+      "integrity": "sha512-wsf1m1jmMrso5nhwVFJJHSubEBf3+pereGd7+nBKtYJ18KoB/PWJOHS3WRkwS04VrOU0iJr2bZU+l1QaTJ+9nA==",
+      "dev": true,
+      "license": "Apache-2.0"
+    },
+    "node_modules/which": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz",
+      "integrity": "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "isexe": "^2.0.0"
+      },
+      "bin": {
+        "node-which": "bin/node-which"
+      },
+      "engines": {
+        "node": ">= 8"
+      }
+    },
     "node_modules/why-is-node-running": {
       "version": "2.3.0",
       "resolved": "https://registry.npmjs.org/why-is-node-running/-/why-is-node-running-2.3.0.tgz",
@@ -7743,50 +9342,50 @@
       }
     },
     "node_modules/worker-factory": {
-      "version": "7.0.48",
-      "resolved": "https://registry.npmjs.org/worker-factory/-/worker-factory-7.0.48.tgz",
-      "integrity": "sha512-CGmBy3tJvpBPjUvb0t4PrpKubUsfkI1Ohg0/GGFU2RvA9j/tiVYwKU8O7yu7gH06YtzbeJLzdUR29lmZKn5pag==",
+      "version": "7.0.49",
+      "resolved": "https://registry.npmjs.org/worker-factory/-/worker-factory-7.0.49.tgz",
+      "integrity": "sha512-lW7tpgy6aUv2dFsQhv1yv+XFzdkCf/leoKRTGMPVK5/die6RrUjqgJHJf556qO+ZfytNG6wPXc17E8zzsOLUDw==",
       "license": "MIT",
       "dependencies": {
-        "@babel/runtime": "^7.28.6",
-        "fast-unique-numbers": "^9.0.26",
+        "@babel/runtime": "^7.29.2",
+        "fast-unique-numbers": "^9.0.27",
         "tslib": "^2.8.1"
       }
     },
     "node_modules/worker-timers": {
-      "version": "8.0.30",
-      "resolved": "https://registry.npmjs.org/worker-timers/-/worker-timers-8.0.30.tgz",
-      "integrity": "sha512-8P7YoMHWN0Tz7mg+9oEhuZdjBIn2z6gfjlJqFcHiDd9no/oLnMGCARCDkV1LR3ccQus62ZdtIp7t3aTKrMLHOg==",
+      "version": "8.0.31",
+      "resolved": "https://registry.npmjs.org/worker-timers/-/worker-timers-8.0.31.tgz",
+      "integrity": "sha512-ngkq5S6JuZyztom8tDgBzorLo9byhBMko/sXfgiUD945AuzKGg1GCgDMCC3NaYkicLpGKXutONM36wEX8UbBCA==",
       "license": "MIT",
       "dependencies": {
-        "@babel/runtime": "^7.28.6",
+        "@babel/runtime": "^7.29.2",
         "tslib": "^2.8.1",
-        "worker-timers-broker": "^8.0.15",
-        "worker-timers-worker": "^9.0.13"
+        "worker-timers-broker": "^8.0.16",
+        "worker-timers-worker": "^9.0.14"
       }
     },
     "node_modules/worker-timers-broker": {
-      "version": "8.0.15",
-      "resolved": "https://registry.npmjs.org/worker-timers-broker/-/worker-timers-broker-8.0.15.tgz",
-      "integrity": "sha512-Te+EiVUMzG5TtHdmaBZvBrZSFNauym6ImDaCAnzQUxvjnw+oGjMT2idmAOgDy30vOZMLejd0bcsc90Axu6XPWA==",
+      "version": "8.0.16",
+      "resolved": "https://registry.npmjs.org/worker-timers-broker/-/worker-timers-broker-8.0.16.tgz",
+      "integrity": "sha512-JyP3AvUGyPGbBGW7XiUewm2+0pN/aYo1QpVf5kdXAfkDZcN3p7NbWrG6XnyDEpDIvfHk/+LCnOW/NsuiU9riYA==",
       "license": "MIT",
       "dependencies": {
-        "@babel/runtime": "^7.28.6",
-        "broker-factory": "^3.1.13",
-        "fast-unique-numbers": "^9.0.26",
+        "@babel/runtime": "^7.29.2",
+        "broker-factory": "^3.1.14",
+        "fast-unique-numbers": "^9.0.27",
         "tslib": "^2.8.1",
-        "worker-timers-worker": "^9.0.13"
+        "worker-timers-worker": "^9.0.14"
       }
     },
     "node_modules/worker-timers-worker": {
-      "version": "9.0.13",
-      "resolved": "https://registry.npmjs.org/worker-timers-worker/-/worker-timers-worker-9.0.13.tgz",
-      "integrity": "sha512-qjn18szGb1kjcmh2traAdki1eiIS5ikFo+L90nfMOvSRpuDw1hAcR1nzkP2+Hkdqz5thIRnfuWx7QSpsEUsA6Q==",
+      "version": "9.0.14",
+      "resolved": "https://registry.npmjs.org/worker-timers-worker/-/worker-timers-worker-9.0.14.tgz",
+      "integrity": "sha512-/qF06C60sXmSLfUl7WglvrDIbspmPOM8UrG63Dnn4bi2x4/DfqHS/+dxF5B+MdHnYO5tVuZYLHdAodrKdabTIg==",
       "license": "MIT",
       "dependencies": {
-        "@babel/runtime": "^7.28.6",
+        "@babel/runtime": "^7.29.2",
         "tslib": "^2.8.1",
-        "worker-factory": "^7.0.48"
+        "worker-factory": "^7.0.49"
       }
     },
     "node_modules/wrap-ansi": {
@@ -7813,9 +9412,9 @@
       "license": "ISC"
     },
     "node_modules/ws": {
-      "version": "8.19.0",
-      "resolved": "https://registry.npmjs.org/ws/-/ws-8.19.0.tgz",
-      "integrity": "sha512-blAT2mjOEIi0ZzruJfIhb3nps74PRWTCz1IjglWEEpQl5XS/UNama6u2/rjFkDDouqr4L67ry+1aGIALViWjDg==",
+      "version": "8.20.0",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.0.tgz",
+      "integrity": "sha512-sAt8BhgNbzCtgGbt2OxmpuryO63ZoDk/sqaB/znQm94T4fCEsy/yV+7CdC1kJhOU9lboAEU7R3kquuycDoibVA==",
       "license": "MIT",
       "engines": {
         "node": ">=10.0.0"
@@ -7842,10 +9441,17 @@
         "node": ">=10"
       }
     },
+    "node_modules/yallist": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/yallist/-/yallist-3.1.1.tgz",
+      "integrity": "sha512-a4UGQaWPH59mOXUYnAG2ewncQS4i4F43Tv3JoAM+s2VDAmS9NsK8GpDMLrCHPksFT7h3K6TOoUNn2pb7RoXx4g==",
+      "dev": true,
+      "license": "ISC"
+    },
     "node_modules/yaml": {
-      "version": "2.8.2",
-      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.2.tgz",
-      "integrity": "sha512-mplynKqc1C2hTVYxd0PU2xQAc22TI1vShAYGksCCfxbn/dFwnHTNi1bvYsBTkhdUNtGIf5xNOg938rrSSYvS9A==",
+      "version": "2.8.3",
+      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.3.tgz",
+      "integrity": "sha512-AvbaCLOO2Otw/lW5bmh9d/WEdcDFdQp2Z2ZUH3pX9U2ihyUY0nvLv7J6TrWowklRGPYbB/IuIMfYgxaCPg5Bpg==",
       "license": "ISC",
       "bin": {
         "yaml": "bin.mjs"
@@ -7906,6 +9512,19 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/yoctocolors": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/yoctocolors/-/yoctocolors-2.1.2.tgz",
+      "integrity": "sha512-CzhO+pFNo8ajLM2d2IW/R93ipy99LWjtwblvC1RsoSUMZgyLbYFr221TnSNT7GjGdYui6P459mw9JH/g/zW2ug==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
     "node_modules/zod": {
       "version": "4.3.6",
       "resolved": "https://registry.npmjs.org/zod/-/zod-4.3.6.tgz",
diff --git a/app/package.json b/app/package.json
index 6dc37a5da..177f29ded 100644
--- a/app/package.json
+++ b/app/package.json
@@ -1,6 +1,6 @@
 {
   "name": "drydock-app",
-  "version": "1.4.5",
+  "version": "1.5.0",
   "description": "Drydock backend — Docker container update manager",
   "engines": {
     "node": ">=24.0.0"
@@ -13,14 +13,16 @@
     "format": "biome format --write .",
     "lint:fix": "biome check --fix .",
     "lint": "biome check .",
+    "test:security": "node ./node_modules/vitest/vitest.mjs run security/*.test.ts --maxWorkers=1 --fileParallelism=false",
     "test": "\"$npm_node_execpath\" -e \"const major = Number(process.versions.node.split('.')[0]); if (!Number.isInteger(major) || major < 24) { console.error('Drydock backend tests require Node.js >=24. Current: ' + process.version); process.exit(1); }\" && \"$npm_node_execpath\" ./node_modules/vitest/vitest.mjs run --coverage --maxWorkers=1 --fileParallelism=false",
+    "test:mutation": "stryker run",
     "knip": "knip"
   },
   "author": "CodesWhat",
   "repository": "CodesWhat/drydock",
   "license": "AGPL-3.0-only",
   "dependencies": {
-    "@aws-sdk/client-ecr": "^3.1011.0",
+    "@aws-sdk/client-ecr": "^3.1014.0",
     "@slack/web-api": "^7.15.0",
     "ajv": "^8.18.0",
     "ajv-formats": "^3.0.1",
@@ -32,7 +34,7 @@
     "connect-loki": "1.2.0",
     "cors": "2.8.6",
     "cron-parser": "^5.5.0",
-    "dockerode": "4.0.9",
+    "dockerode": "4.0.10",
     "express": "5.2.1",
     "express-healthcheck": "0.1.0",
     "express-rate-limit": "^8.3.1",
@@ -48,7 +50,7 @@
     "mqtt": "5.15.0",
     "nocache": "4.0.0",
     "node-cron": "4.2.1",
-    "nodemailer": "8.0.2",
+    "nodemailer": "^8.0.4",
     "openid-client": "6.8.2",
     "p-limit": "^7.3.0",
     "parse-docker-image-name": "3.0.0",
@@ -63,18 +65,23 @@
     "semver": "7.7.4",
     "set-value": "4.1.0",
     "sort-es": "1.7.18",
-    "undici": "^7.24.4",
+    "undici": "^7.24.5",
     "unix-crypt-td-js": "1.1.4",
     "uuid": "^13.0.0",
-    "yaml": "2.8.2"
+    "ws": "^8.20.0",
+    "yaml": "2.8.3"
   },
   "overrides": {
     "body-parser": "2.2.2",
     "fast-xml-parser": "5.5.8",
+    "picomatch": "4.0.4",
     "qs": "6.15.0"
   },
   "devDependencies": {
     "@fast-check/vitest": "^0.3.0",
+    "@stryker-mutator/core": "^9.6.0",
+    "@stryker-mutator/typescript-checker": "^9.6.0",
+    "@stryker-mutator/vitest-runner": "^9.6.0",
     "@types/cors": "^2.8.19",
     "@types/dockerode": "4.0.1",
     "@types/express": "^5.0.6",
@@ -87,7 +94,7 @@
     "@types/yaml": "^1.9.7",
     "@vitest/coverage-v8": "^4.1.0",
     "fast-check": "^4.6.0",
-    "knip": "^5.87.0",
+    "knip": "^6.0.1",
     "nodemon": "3.1.14",
     "ts-node": "^10.9.2",
     "typescript": "^5.9.3",
diff --git a/app/prometheus/auth.test.ts b/app/prometheus/auth.test.ts
new file mode 100644
index 000000000..f26367f47
--- /dev/null
+++ b/app/prometheus/auth.test.ts
@@ -0,0 +1,97 @@
+import * as auth from './auth.js';
+
+beforeEach(() => {
+  auth._resetAuthPrometheusStateForTests();
+});
+
+test('auth prometheus metrics should be properly configured', () => {
+  auth.init();
+
+  const loginCounter = auth.getAuthLoginCounter();
+  const loginDuration = auth.getAuthLoginDurationHistogram();
+  const usernameMismatchCounter = auth.getAuthUsernameMismatchCounter();
+  const accountLockedGauge = auth.getAuthAccountLockedGauge();
+  const ipLockedGauge = auth.getAuthIpLockedGauge();
+
+  expect(loginCounter?.name).toBe('drydock_auth_login_total');
+  expect(loginCounter?.labelNames).toEqual(['outcome', 'provider']);
+
+  expect(loginDuration?.name).toBe('drydock_auth_login_duration_seconds');
+  expect(loginDuration?.labelNames).toEqual(['outcome', 'provider']);
+
+  expect(usernameMismatchCounter?.name).toBe('drydock_auth_username_mismatch_total');
+  expect(usernameMismatchCounter?.labelNames).toEqual([]);
+
+  expect(accountLockedGauge?.name).toBe('drydock_auth_account_locked_total');
+  expect(accountLockedGauge?.labelNames).toEqual([]);
+
+  expect(ipLockedGauge?.name).toBe('drydock_auth_ip_locked_total');
+  expect(ipLockedGauge?.labelNames).toEqual([]);
+});
+
+test('helpers should no-op before metrics initialization', () => {
+  expect(() => auth.recordAuthLogin('invalid', 'basic')).not.toThrow();
+  expect(() => auth.observeAuthLoginDuration('invalid', 'basic', 0.123)).not.toThrow();
+  expect(() => auth.recordAuthUsernameMismatch()).not.toThrow();
+  expect(() => auth.setAuthAccountLockedTotal(1)).not.toThrow();
+  expect(() => auth.setAuthIpLockedTotal(2)).not.toThrow();
+});
+
+test('helpers should record values after initialization', () => {
+  auth.init();
+
+  const loginCounter = auth.getAuthLoginCounter();
+  const loginDuration = auth.getAuthLoginDurationHistogram();
+  const usernameMismatchCounter = auth.getAuthUsernameMismatchCounter();
+  const accountLockedGauge = auth.getAuthAccountLockedGauge();
+  const ipLockedGauge = auth.getAuthIpLockedGauge();
+
+  const loginCounterIncSpy = vi.spyOn(loginCounter as { inc: (labels: unknown) => void }, 'inc');
+  const loginDurationObserveSpy = vi.spyOn(
+    loginDuration as { observe: (labels: unknown, value: number) => void },
+    'observe',
+  );
+  const usernameMismatchCounterIncSpy = vi.spyOn(
+    usernameMismatchCounter as { inc: () => void },
+    'inc',
+  );
+  const accountLockedGaugeSetSpy = vi.spyOn(
+    accountLockedGauge as { set: (value: number) => void },
+    'set',
+  );
+  const ipLockedGaugeSetSpy = vi.spyOn(ipLockedGauge as { set: (value: number) => void }, 'set');
+
+  auth.recordAuthLogin('success', 'basic');
+  auth.observeAuthLoginDuration('success', 'basic', 0.042);
+  auth.recordAuthUsernameMismatch();
+  auth.setAuthAccountLockedTotal(3);
+  auth.setAuthIpLockedTotal(5);
+
+  expect(loginCounterIncSpy).toHaveBeenCalledWith({ outcome: 'success', provider: 'basic' });
+  expect(loginDurationObserveSpy).toHaveBeenCalledWith(
+    { outcome: 'success', provider: 'basic' },
+    0.042,
+  );
+  expect(usernameMismatchCounterIncSpy).toHaveBeenCalledTimes(1);
+  expect(accountLockedGaugeSetSpy).toHaveBeenCalledWith(3);
+  expect(ipLockedGaugeSetSpy).toHaveBeenCalledWith(5);
+});
+
+test('init should replace existing auth metrics when called twice', () => {
+  auth.init();
+
+  const firstLoginCounter = auth.getAuthLoginCounter();
+  const firstLoginDuration = auth.getAuthLoginDurationHistogram();
+  const firstUsernameMismatchCounter = auth.getAuthUsernameMismatchCounter();
+  const firstAccountLockedGauge = auth.getAuthAccountLockedGauge();
+  const firstIpLockedGauge = auth.getAuthIpLockedGauge();
+
+  auth.init();
+
+  expect(auth.getAuthLoginCounter()).toBeDefined();
+  expect(auth.getAuthLoginCounter()).not.toBe(firstLoginCounter);
+  expect(auth.getAuthLoginDurationHistogram()).not.toBe(firstLoginDuration);
+  expect(auth.getAuthUsernameMismatchCounter()).not.toBe(firstUsernameMismatchCounter);
+  expect(auth.getAuthAccountLockedGauge()).not.toBe(firstAccountLockedGauge);
+  expect(auth.getAuthIpLockedGauge()).not.toBe(firstIpLockedGauge);
+});
diff --git a/app/prometheus/auth.ts b/app/prometheus/auth.ts
new file mode 100644
index 000000000..531a51dcd
--- /dev/null
+++ b/app/prometheus/auth.ts
@@ -0,0 +1,129 @@
+import { Counter, Gauge, Histogram, register } from 'prom-client';
+
+export type AuthLoginOutcome = 'success' | 'invalid' | 'locked' | 'error';
+export type AuthProvider = 'basic' | 'oidc';
+
+const METRIC_LOGIN_TOTAL = 'drydock_auth_login_total';
+const METRIC_LOGIN_DURATION = 'drydock_auth_login_duration_seconds';
+const METRIC_USERNAME_MISMATCH = 'drydock_auth_username_mismatch_total';
+const METRIC_ACCOUNT_LOCKED = 'drydock_auth_account_locked_total';
+const METRIC_IP_LOCKED = 'drydock_auth_ip_locked_total';
+
+let authLoginCounter: Counter<string> | undefined;
+let authLoginDurationHistogram: Histogram<string> | undefined;
+let authUsernameMismatchCounter: Counter<string> | undefined;
+let authAccountLockedGauge: Gauge<string> | undefined;
+let authIpLockedGauge: Gauge<string> | undefined;
+
+export function init() {
+  if (authLoginCounter) {
+    register.removeSingleMetric(METRIC_LOGIN_TOTAL);
+  }
+  authLoginCounter = new Counter({
+    name: METRIC_LOGIN_TOTAL,
+    help: 'Authentication login attempts by outcome and provider',
+    labelNames: ['outcome', 'provider'],
+  });
+
+  if (authLoginDurationHistogram) {
+    register.removeSingleMetric(METRIC_LOGIN_DURATION);
+  }
+  authLoginDurationHistogram = new Histogram({
+    name: METRIC_LOGIN_DURATION,
+    help: 'Authentication login verification duration by outcome and provider',
+    labelNames: ['outcome', 'provider'],
+    buckets: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2, 5],
+  });
+
+  if (authUsernameMismatchCounter) {
+    register.removeSingleMetric(METRIC_USERNAME_MISMATCH);
+  }
+  authUsernameMismatchCounter = new Counter({
+    name: METRIC_USERNAME_MISMATCH,
+    help: 'Authentication username mismatches detected during login verification',
+  });
+
+  if (authAccountLockedGauge) {
+    register.removeSingleMetric(METRIC_ACCOUNT_LOCKED);
+  }
+  authAccountLockedGauge = new Gauge({
+    name: METRIC_ACCOUNT_LOCKED,
+    help: 'Current number of locked accounts',
+  });
+
+  if (authIpLockedGauge) {
+    register.removeSingleMetric(METRIC_IP_LOCKED);
+  }
+  authIpLockedGauge = new Gauge({
+    name: METRIC_IP_LOCKED,
+    help: 'Current number of locked IPs',
+  });
+}
+
+export function getAuthLoginCounter() {
+  return authLoginCounter;
+}
+
+export function getAuthLoginDurationHistogram() {
+  return authLoginDurationHistogram;
+}
+
+export function getAuthUsernameMismatchCounter() {
+  return authUsernameMismatchCounter;
+}
+
+export function getAuthAccountLockedGauge() {
+  return authAccountLockedGauge;
+}
+
+export function getAuthIpLockedGauge() {
+  return authIpLockedGauge;
+}
+
+export function recordAuthLogin(outcome: AuthLoginOutcome, provider: AuthProvider): void {
+  authLoginCounter?.inc({ outcome, provider });
+}
+
+export function observeAuthLoginDuration(
+  outcome: AuthLoginOutcome,
+  provider: AuthProvider,
+  durationSeconds: number,
+): void {
+  authLoginDurationHistogram?.observe({ outcome, provider }, durationSeconds);
+}
+
+export function recordAuthUsernameMismatch(): void {
+  authUsernameMismatchCounter?.inc();
+}
+
+export function setAuthAccountLockedTotal(total: number): void {
+  authAccountLockedGauge?.set(total);
+}
+
+export function setAuthIpLockedTotal(total: number): void {
+  authIpLockedGauge?.set(total);
+}
+
+export function _resetAuthPrometheusStateForTests(): void {
+  if (authLoginCounter) {
+    register.removeSingleMetric(METRIC_LOGIN_TOTAL);
+  }
+  if (authLoginDurationHistogram) {
+    register.removeSingleMetric(METRIC_LOGIN_DURATION);
+  }
+  if (authUsernameMismatchCounter) {
+    register.removeSingleMetric(METRIC_USERNAME_MISMATCH);
+  }
+  if (authAccountLockedGauge) {
+    register.removeSingleMetric(METRIC_ACCOUNT_LOCKED);
+  }
+  if (authIpLockedGauge) {
+    register.removeSingleMetric(METRIC_IP_LOCKED);
+  }
+
+  authLoginCounter = undefined;
+  authLoginDurationHistogram = undefined;
+  authUsernameMismatchCounter = undefined;
+  authAccountLockedGauge = undefined;
+  authIpLockedGauge = undefined;
+}
diff --git a/app/prometheus/index.test.ts b/app/prometheus/index.test.ts
index 1b32f458b..50a47b8f4 100644
--- a/app/prometheus/index.test.ts
+++ b/app/prometheus/index.test.ts
@@ -51,6 +51,10 @@ vi.mock('./rollback', () => ({
   init: vi.fn(),
 }));
 
+vi.mock('./auth', () => ({
+  init: vi.fn(),
+}));
+
 vi.mock('../log', () => ({ default: { child: vi.fn(() => ({ info: vi.fn() })) } }));
 
 describe('Prometheus Module', () => {
@@ -71,6 +75,7 @@ describe('Prometheus Module', () => {
     const containerActions = await import('./container-actions.js');
     const webhook = await import('./webhook.js');
     const rollback = await import('./rollback.js');
+    const auth = await import('./auth.js');
 
     prometheus.init();
 
@@ -84,6 +89,7 @@ describe('Prometheus Module', () => {
     expect(containerActions.init).toHaveBeenCalled();
     expect(webhook.init).toHaveBeenCalled();
     expect(rollback.init).toHaveBeenCalled();
+    expect(auth.init).toHaveBeenCalled();
   });
 
   test('should NOT initialize metrics when disabled', async () => {
@@ -100,6 +106,7 @@ describe('Prometheus Module', () => {
     const containerActions = await import('./container-actions.js');
     const webhook = await import('./webhook.js');
     const rollback = await import('./rollback.js');
+    const auth = await import('./auth.js');
 
     prometheus.init();
 
@@ -113,6 +120,7 @@ describe('Prometheus Module', () => {
     expect(containerActions.init).not.toHaveBeenCalled();
     expect(webhook.init).not.toHaveBeenCalled();
     expect(rollback.init).not.toHaveBeenCalled();
+    expect(auth.init).not.toHaveBeenCalled();
   });
 
   test('should return metrics output', async () => {
diff --git a/app/prometheus/index.ts b/app/prometheus/index.ts
index 028f47878..be29ae7e1 100644
--- a/app/prometheus/index.ts
+++ b/app/prometheus/index.ts
@@ -6,6 +6,7 @@ const log = logger.child({ component: 'prometheus' });
 
 import { getPrometheusConfiguration } from '../configuration/index.js';
 import * as audit from './audit.js';
+import * as auth from './auth.js';
 import * as compatibility from './compatibility.js';
 import * as container from './container.js';
 import * as containerActions from './container-actions.js';
@@ -32,6 +33,7 @@ export function init() {
   trigger.init();
   watcher.init();
   audit.init();
+  auth.init();
   containerActions.init();
   webhook.init();
   rollback.init();
diff --git a/app/prometheus/registry.test.ts b/app/prometheus/registry.test.ts
index 9dd8f97b9..6d770a06a 100644
--- a/app/prometheus/registry.test.ts
+++ b/app/prometheus/registry.test.ts
@@ -5,16 +5,26 @@ test('registry histogram should be properly configured', async () => {
   const summary = registry.getSummaryTags();
   expect(summary.name).toStrictEqual('dd_registry_response');
   expect(summary.labelNames).toStrictEqual(['type', 'name']);
+  const digestCacheHitsCounter = registry.getDigestCacheHitsCounter();
+  expect(digestCacheHitsCounter.name).toStrictEqual('drydock_digest_cache_hits_total');
+  const digestCacheMissesCounter = registry.getDigestCacheMissesCounter();
+  expect(digestCacheMissesCounter.name).toStrictEqual('drydock_digest_cache_misses_total');
 });
 
 test('registry init should replace existing metric when called twice', async () => {
   registry.init();
   const first = registry.getSummaryTags();
+  const firstHitsCounter = registry.getDigestCacheHitsCounter();
+  const firstMissesCounter = registry.getDigestCacheMissesCounter();
   registry.init();
   const second = registry.getSummaryTags();
+  const secondHitsCounter = registry.getDigestCacheHitsCounter();
+  const secondMissesCounter = registry.getDigestCacheMissesCounter();
   expect(second.name).toStrictEqual('dd_registry_response');
   // The second call should create a new summary (not the same object)
   expect(second).not.toBe(first);
+  expect(secondHitsCounter).not.toBe(firstHitsCounter);
+  expect(secondMissesCounter).not.toBe(firstMissesCounter);
 });
 
 test('getSummaryTags should return undefined before init', async () => {
@@ -22,4 +32,6 @@ test('getSummaryTags should return undefined before init', async () => {
   vi.resetModules();
   const fresh = await import('./registry.js');
   expect(fresh.getSummaryTags()).toBeUndefined();
+  expect(fresh.getDigestCacheHitsCounter()).toBeUndefined();
+  expect(fresh.getDigestCacheMissesCounter()).toBeUndefined();
 });
diff --git a/app/prometheus/registry.ts b/app/prometheus/registry.ts
index 312b22728..23310ae9a 100644
--- a/app/prometheus/registry.ts
+++ b/app/prometheus/registry.ts
@@ -1,6 +1,8 @@
-import { register, Summary } from 'prom-client';
+import { Counter, register, Summary } from 'prom-client';
 
 let summaryGetTags;
+let digestCacheHitsCounter;
+let digestCacheMissesCounter;
 
 export function init() {
   // Replace summary if init is called more than once
@@ -12,8 +14,32 @@ export function init() {
     help: 'The Registry response time (in second)',
     labelNames: ['type', 'name'],
   });
+
+  if (digestCacheHitsCounter) {
+    register.removeSingleMetric(digestCacheHitsCounter.name);
+  }
+  digestCacheHitsCounter = new Counter({
+    name: 'drydock_digest_cache_hits_total',
+    help: 'Total number of digest cache hits',
+  });
+
+  if (digestCacheMissesCounter) {
+    register.removeSingleMetric(digestCacheMissesCounter.name);
+  }
+  digestCacheMissesCounter = new Counter({
+    name: 'drydock_digest_cache_misses_total',
+    help: 'Total number of digest cache misses',
+  });
 }
 
 export function getSummaryTags() {
   return summaryGetTags;
 }
+
+export function getDigestCacheHitsCounter() {
+  return digestCacheHitsCounter;
+}
+
+export function getDigestCacheMissesCounter() {
+  return digestCacheMissesCounter;
+}
diff --git a/app/registries/BaseRegistry.test.ts b/app/registries/BaseRegistry.test.ts
index d506138f0..8bc5aca70 100644
--- a/app/registries/BaseRegistry.test.ts
+++ b/app/registries/BaseRegistry.test.ts
@@ -1,8 +1,8 @@
 import fs from 'node:fs';
-import os from 'node:os';
-import path from 'node:path';
+import * as registryPrometheus from '../prometheus/registry.js';
 import BaseRegistry from './BaseRegistry.js';
 import { REGISTRY_BEARER_TOKEN_CACHE_TTL_MS } from './configuration.js';
+import Registry from './Registry.js';
 
 vi.mock('axios', () => ({
   default: vi.fn(),
@@ -119,18 +119,20 @@ test('authenticateBasic should attach httpsAgent when insecure=true', async () =
 });
 
 test('authenticateBearer should attach CA from cafile when configured', async () => {
-  const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), 'drydock-baseregistry-'));
-  const caPath = path.join(tempDir, 'ca.pem');
+  const caPath = '/tmp/test-ca.pem';
+  const readFileSyncSpy = vi
+    .spyOn(fs, 'readFileSync')
+    .mockReturnValue(Buffer.from('test-ca-content'));
   try {
-    fs.writeFileSync(caPath, 'test-ca-content');
     baseRegistry.configuration = { cafile: caPath };
     const result = await baseRegistry.authenticateBearer({ headers: {} }, 'token-value');
+    expect(readFileSyncSpy).toHaveBeenCalledWith(caPath);
     expect(result.headers.Authorization).toBe('Bearer token-value');
     expect(result.httpsAgent).toBeDefined();
     expect(result.httpsAgent.options.rejectUnauthorized).toBe(true);
     expect(result.httpsAgent.options.ca.toString('utf-8')).toBe('test-ca-content');
   } finally {
-    fs.rmSync(tempDir, { recursive: true, force: true });
+    readFileSyncSpy.mockRestore();
   }
 });
 
@@ -495,3 +497,719 @@ test('authenticateBearerFromAuthUrl should evict expired cache entries from othe
     vi.useRealTimers();
   }
 });
+
+test('getImagePublishedAt should return created date from manifest metadata', async () => {
+  const getImageManifestDigestSpy = vi
+    .spyOn(baseRegistry, 'getImageManifestDigest')
+    .mockResolvedValue({
+      digest: 'sha256:abc123',
+      created: '2026-03-06T08:00:00.000Z',
+      version: 2,
+    });
+
+  const publishedAt = await baseRegistry.getImagePublishedAt({
+    name: 'library/nginx',
+    tag: { value: 'latest' },
+    registry: { url: 'https://registry.example.com/v2' },
+  });
+
+  expect(getImageManifestDigestSpy).toHaveBeenCalledWith(
+    expect.objectContaining({
+      tag: { value: 'latest' },
+    }),
+  );
+  expect(publishedAt).toBe('2026-03-06T08:00:00.000Z');
+});
+
+test('getImagePublishedAt should use provided tag override for lookup', async () => {
+  const getImageManifestDigestSpy = vi
+    .spyOn(baseRegistry, 'getImageManifestDigest')
+    .mockResolvedValue({
+      created: '2026-03-06T08:00:00.000Z',
+    });
+
+  await baseRegistry.getImagePublishedAt(
+    {
+      name: 'library/nginx',
+      tag: { value: 'latest' },
+      registry: { url: 'https://registry.example.com/v2' },
+    },
+    '1.26.0',
+  );
+
+  expect(getImageManifestDigestSpy).toHaveBeenCalledWith(
+    expect.objectContaining({
+      tag: { value: '1.26.0' },
+    }),
+  );
+});
+
+test('getImagePublishedAt should return undefined when manifest metadata has no created field', async () => {
+  vi.spyOn(baseRegistry, 'getImageManifestDigest').mockResolvedValue({
+    digest: 'sha256:abc123',
+    version: 2,
+  });
+
+  const publishedAt = await baseRegistry.getImagePublishedAt({
+    name: 'library/nginx',
+    tag: { value: 'latest' },
+    registry: { url: 'https://registry.example.com/v2' },
+  });
+
+  expect(publishedAt).toBeUndefined();
+});
+
+test('getImagePublishedAt should return undefined when created timestamp is invalid', async () => {
+  vi.spyOn(baseRegistry, 'getImageManifestDigest').mockResolvedValue({
+    digest: 'sha256:abc123',
+    created: 'not-a-date',
+    version: 2,
+  });
+
+  const publishedAt = await baseRegistry.getImagePublishedAt({
+    name: 'library/nginx',
+    tag: { value: 'latest' },
+    registry: { url: 'https://registry.example.com/v2' },
+  });
+
+  expect(publishedAt).toBeUndefined();
+});
+
+test('getImagePublishedAt should handle images without tag metadata', async () => {
+  const getImageManifestDigestSpy = vi
+    .spyOn(baseRegistry, 'getImageManifestDigest')
+    .mockResolvedValue({
+      digest: 'sha256:abc123',
+      created: '2026-03-06T08:00:00.000Z',
+      version: 2,
+    });
+
+  await baseRegistry.getImagePublishedAt({
+    name: 'library/nginx',
+    registry: { url: 'https://registry.example.com/v2' },
+  } as any);
+
+  expect(getImageManifestDigestSpy).toHaveBeenCalledWith(
+    expect.objectContaining({
+      name: 'library/nginx',
+    }),
+  );
+});
+
+test('getImageManifestDigest should deduplicate sequential lookups within a poll cycle', async () => {
+  const superGetImageManifestDigestSpy = vi
+    .spyOn(Registry.prototype, 'getImageManifestDigest')
+    .mockResolvedValue({
+      digest: 'sha256:manifest-123',
+      created: '2026-03-10T12:00:00.000Z',
+      version: 2,
+    });
+
+  baseRegistry.startDigestCachePollCycle();
+
+  const image = {
+    name: 'library/postgres',
+    tag: { value: '16' },
+    architecture: 'amd64',
+    os: 'linux',
+    registry: { url: 'https://registry-1.docker.io/v2' },
+  };
+
+  const first = await baseRegistry.getImageManifestDigest(image);
+  const second = await baseRegistry.getImageManifestDigest(image);
+
+  expect(superGetImageManifestDigestSpy).toHaveBeenCalledTimes(1);
+  expect(first).toEqual(second);
+});
+
+test('getImageManifestDigest should deduplicate concurrent lookups within a poll cycle', async () => {
+  let resolveDigest: (manifest: { digest: string; created: string; version: number }) => void;
+  const superGetImageManifestDigestSpy = vi
+    .spyOn(Registry.prototype, 'getImageManifestDigest')
+    .mockImplementation(
+      () =>
+        new Promise((resolve) => {
+          resolveDigest = resolve;
+        }),
+    );
+
+  baseRegistry.startDigestCachePollCycle();
+  const image = {
+    name: 'library/postgres',
+    tag: { value: '16' },
+    architecture: 'amd64',
+    os: 'linux',
+    registry: { url: 'https://registry-1.docker.io/v2' },
+  };
+
+  const firstLookup = baseRegistry.getImageManifestDigest(image);
+  const secondLookup = baseRegistry.getImageManifestDigest(image);
+
+  resolveDigest({
+    digest: 'sha256:manifest-456',
+    created: '2026-03-10T12:00:00.000Z',
+    version: 2,
+  });
+
+  const [first, second] = await Promise.all([firstLookup, secondLookup]);
+
+  expect(superGetImageManifestDigestSpy).toHaveBeenCalledTimes(1);
+  expect(first).toEqual(second);
+});
+
+test('startDigestCachePollCycle should clear previous digest cache entries', async () => {
+  const superGetImageManifestDigestSpy = vi
+    .spyOn(Registry.prototype, 'getImageManifestDigest')
+    .mockResolvedValue({
+      digest: 'sha256:manifest-789',
+      created: '2026-03-10T12:00:00.000Z',
+      version: 2,
+    });
+
+  const image = {
+    name: 'library/postgres',
+    tag: { value: '16' },
+    architecture: 'amd64',
+    os: 'linux',
+    registry: { url: 'https://registry-1.docker.io/v2' },
+  };
+
+  baseRegistry.startDigestCachePollCycle();
+  await baseRegistry.getImageManifestDigest(image);
+  await baseRegistry.getImageManifestDigest(image);
+  expect(superGetImageManifestDigestSpy).toHaveBeenCalledTimes(1);
+
+  baseRegistry.startDigestCachePollCycle();
+  await baseRegistry.getImageManifestDigest(image);
+
+  expect(superGetImageManifestDigestSpy).toHaveBeenCalledTimes(2);
+});
+
+test('getImageManifestDigest should include architecture in digest cache keys', async () => {
+  const superGetImageManifestDigestSpy = vi
+    .spyOn(Registry.prototype, 'getImageManifestDigest')
+    .mockResolvedValue({
+      digest: 'sha256:manifest-arch',
+      created: '2026-03-10T12:00:00.000Z',
+      version: 2,
+    });
+
+  baseRegistry.startDigestCachePollCycle();
+  await baseRegistry.getImageManifestDigest({
+    name: 'library/postgres',
+    tag: { value: '16' },
+    architecture: 'amd64',
+    os: 'linux',
+    registry: { url: 'https://registry-1.docker.io/v2' },
+  });
+  await baseRegistry.getImageManifestDigest({
+    name: 'library/postgres',
+    tag: { value: '16' },
+    architecture: 'arm64',
+    os: 'linux',
+    registry: { url: 'https://registry-1.docker.io/v2' },
+  });
+
+  expect(superGetImageManifestDigestSpy).toHaveBeenCalledTimes(2);
+});
+
+test('getImageManifestDigest should normalize docker hub references to canonical cache key', async () => {
+  const superGetImageManifestDigestSpy = vi
+    .spyOn(Registry.prototype, 'getImageManifestDigest')
+    .mockResolvedValue({
+      digest: 'sha256:manifest-canonical',
+      created: '2026-03-10T12:00:00.000Z',
+      version: 2,
+    });
+
+  baseRegistry.startDigestCachePollCycle();
+
+  await baseRegistry.getImageManifestDigest({
+    name: 'postgres',
+    tag: { value: '16' },
+    architecture: 'amd64',
+    os: 'linux',
+    registry: { url: 'registry-1.docker.io' },
+  });
+  await baseRegistry.getImageManifestDigest({
+    name: 'library/postgres',
+    tag: { value: '16' },
+    architecture: 'amd64',
+    os: 'linux',
+    registry: { url: 'docker.io' },
+  });
+
+  expect(superGetImageManifestDigestSpy).toHaveBeenCalledTimes(1);
+});
+
+test('getImageManifestDigest should treat blank registry URLs as docker.io for cache keys', async () => {
+  const superGetImageManifestDigestSpy = vi
+    .spyOn(Registry.prototype, 'getImageManifestDigest')
+    .mockResolvedValue({
+      digest: 'sha256:manifest-blank-registry',
+      created: '2026-03-10T12:00:00.000Z',
+      version: 2,
+    });
+
+  baseRegistry.startDigestCachePollCycle();
+  await baseRegistry.getImageManifestDigest({
+    name: 'postgres',
+    tag: { value: '16' },
+    architecture: 'amd64',
+    os: 'linux',
+    registry: { url: '   ' },
+  });
+  await baseRegistry.getImageManifestDigest({
+    name: 'library/postgres',
+    tag: { value: '16' },
+    architecture: 'amd64',
+    os: 'linux',
+    registry: { url: 'docker.io' },
+  });
+
+  expect(superGetImageManifestDigestSpy).toHaveBeenCalledTimes(1);
+});
+
+test('getImageManifestDigest should fall back to original image when normalizeImage throws during cache key generation', async () => {
+  const superGetImageManifestDigestSpy = vi
+    .spyOn(Registry.prototype, 'getImageManifestDigest')
+    .mockResolvedValue({
+      digest: 'sha256:manifest-normalize-throw',
+      created: '2026-03-10T12:00:00.000Z',
+      version: 2,
+    });
+  const normalizeImageSpy = vi.spyOn(baseRegistry, 'normalizeImage').mockImplementation(() => {
+    throw new Error('normalize failed');
+  });
+
+  baseRegistry.startDigestCachePollCycle();
+  const image = {
+    name: 'library/postgres',
+    tag: { value: '16' },
+    architecture: 'amd64',
+    os: 'linux',
+    registry: { url: 'docker.io' },
+  };
+  await baseRegistry.getImageManifestDigest(image);
+  await baseRegistry.getImageManifestDigest(image);
+
+  expect(superGetImageManifestDigestSpy).toHaveBeenCalledTimes(1);
+  normalizeImageSpy.mockRestore();
+});
+
+test('getImageManifestDigest should build cache key with defensive defaults for missing fields', async () => {
+  const superGetImageManifestDigestSpy = vi
+    .spyOn(Registry.prototype, 'getImageManifestDigest')
+    .mockResolvedValue({
+      digest: 'sha256:manifest-defaults',
+      created: '2026-03-10T12:00:00.000Z',
+      version: 2,
+    });
+
+  baseRegistry.startDigestCachePollCycle();
+  const image = {
+    registry: { url: 'docker.io' },
+    tag: { value: '' },
+  } as any;
+
+  await baseRegistry.getImageManifestDigest(image);
+  await baseRegistry.getImageManifestDigest(image);
+
+  expect(superGetImageManifestDigestSpy).toHaveBeenCalledTimes(1);
+});
+
+test('getImageManifestDigest should include variant and explicit digest in cache keys', async () => {
+  const superGetImageManifestDigestSpy = vi
+    .spyOn(Registry.prototype, 'getImageManifestDigest')
+    .mockResolvedValue({
+      digest: 'sha256:manifest-variant',
+      created: '2026-03-10T12:00:00.000Z',
+      version: 2,
+    });
+
+  baseRegistry.startDigestCachePollCycle();
+  const image = {
+    name: 'library/postgres',
+    tag: { value: '16' },
+    architecture: 'amd64',
+    os: 'linux',
+    variant: 'v8',
+    registry: { url: 'docker.io' },
+  };
+
+  await baseRegistry.getImageManifestDigest(image, 'sha256:explicit-digest');
+  await baseRegistry.getImageManifestDigest(image, 'sha256:explicit-digest');
+
+  expect(superGetImageManifestDigestSpy).toHaveBeenCalledTimes(1);
+});
+
+test('authenticateBearerFromAuthUrl should include ECONNREFUSED in error message', async () => {
+  const { default: axios } = await import('axios');
+  const error = new Error('connect ECONNREFUSED 127.0.0.1:443');
+  (error as any).code = 'ECONNREFUSED';
+  axios.mockRejectedValue(error);
+
+  await expect(
+    baseRegistry.authenticateBearerFromAuthUrl(
+      { headers: {}, url: 'https://auth.example.com/v2/library/nginx/manifests/latest' },
+      'https://auth.example.com/token',
+      undefined,
+    ),
+  ).rejects.toThrow('token request failed (connect ECONNREFUSED 127.0.0.1:443)');
+});
+
+test('authenticateBearerFromAuthUrl should include ETIMEDOUT in error message', async () => {
+  const { default: axios } = await import('axios');
+  const error = new Error('connect ETIMEDOUT 10.0.0.1:443');
+  (error as any).code = 'ETIMEDOUT';
+  axios.mockRejectedValue(error);
+
+  await expect(
+    baseRegistry.authenticateBearerFromAuthUrl(
+      { headers: {}, url: 'https://auth.example.com/v2/library/nginx/manifests/latest' },
+      'https://auth.example.com/token',
+      undefined,
+    ),
+  ).rejects.toThrow('token request failed (connect ETIMEDOUT 10.0.0.1:443)');
+});
+
+test('authenticateBearerFromAuthUrl should include ECONNRESET in error message', async () => {
+  const { default: axios } = await import('axios');
+  const error = new Error('read ECONNRESET');
+  (error as any).code = 'ECONNRESET';
+  axios.mockRejectedValue(error);
+
+  await expect(
+    baseRegistry.authenticateBearerFromAuthUrl(
+      { headers: {}, url: 'https://auth.example.com/v2/library/nginx/manifests/latest' },
+      'https://auth.example.com/token',
+      undefined,
+    ),
+  ).rejects.toThrow('token request failed (read ECONNRESET)');
+});
+
+test('authenticateBearerFromAuthUrl should wrap 401 Unauthorized in error message', async () => {
+  const { default: axios } = await import('axios');
+  const error = new Error('Request failed with status code 401');
+  (error as any).response = { status: 401 };
+  axios.mockRejectedValue(error);
+
+  await expect(
+    baseRegistry.authenticateBearerFromAuthUrl(
+      { headers: {}, url: 'https://auth.example.com/v2/library/nginx/manifests/latest' },
+      'https://auth.example.com/token',
+      'dXNlcjpwYXNz',
+    ),
+  ).rejects.toThrow('token request failed (Request failed with status code 401)');
+});
+
+test('authenticateBearerFromAuthUrl should wrap 429 rate limit in error message', async () => {
+  const { default: axios } = await import('axios');
+  const error = new Error('Request failed with status code 429');
+  (error as any).response = { status: 429, headers: { 'retry-after': '60' } };
+  axios.mockRejectedValue(error);
+
+  await expect(
+    baseRegistry.authenticateBearerFromAuthUrl(
+      { headers: {}, url: 'https://auth.example.com/v2/library/nginx/manifests/latest' },
+      'https://auth.example.com/token',
+      undefined,
+    ),
+  ).rejects.toThrow('token request failed (Request failed with status code 429)');
+});
+
+test('authenticateBearerFromAuthUrl should wrap 502 Bad Gateway in error message', async () => {
+  const { default: axios } = await import('axios');
+  axios.mockRejectedValue(new Error('Request failed with status code 502'));
+
+  await expect(
+    baseRegistry.authenticateBearerFromAuthUrl(
+      { headers: {}, url: 'https://auth.example.com/v2/library/nginx/manifests/latest' },
+      'https://auth.example.com/token',
+      undefined,
+    ),
+  ).rejects.toThrow('token request failed (Request failed with status code 502)');
+});
+
+test('authenticateBearerFromAuthUrl should wrap 503 Service Unavailable in error message', async () => {
+  const { default: axios } = await import('axios');
+  axios.mockRejectedValue(new Error('Request failed with status code 503'));
+
+  await expect(
+    baseRegistry.authenticateBearerFromAuthUrl(
+      { headers: {}, url: 'https://auth.example.com/v2/library/nginx/manifests/latest' },
+      'https://auth.example.com/token',
+      undefined,
+    ),
+  ).rejects.toThrow('token request failed (Request failed with status code 503)');
+});
+
+test('authenticateBearerFromAuthUrl should handle non-Error rejection values', async () => {
+  const { default: axios } = await import('axios');
+  axios.mockRejectedValue('string rejection');
+
+  await expect(
+    baseRegistry.authenticateBearerFromAuthUrl(
+      { headers: {}, url: 'https://auth.example.com/v2/library/nginx/manifests/latest' },
+      'https://auth.example.com/token',
+      undefined,
+    ),
+  ).rejects.toThrow('token request failed');
+});
+
+test('authenticateBearerFromAuthUrl should handle null response data', async () => {
+  const { default: axios } = await import('axios');
+  axios.mockResolvedValue({ data: null });
+
+  await expect(
+    baseRegistry.authenticateBearerFromAuthUrl(
+      { headers: {}, url: 'https://auth.example.com/v2/library/nginx/manifests/latest' },
+      'https://auth.example.com/token',
+      undefined,
+    ),
+  ).rejects.toThrow('token endpoint response does not contain token');
+});
+
+test('authenticateBearerFromAuthUrl should handle response with empty string token', async () => {
+  const { default: axios } = await import('axios');
+  axios.mockResolvedValue({ data: { token: '' } });
+
+  await expect(
+    baseRegistry.authenticateBearerFromAuthUrl(
+      { headers: {}, url: 'https://auth.example.com/v2/library/nginx/manifests/latest' },
+      'https://auth.example.com/token',
+      undefined,
+    ),
+  ).rejects.toThrow('token endpoint response does not contain token');
+});
+
+test('authenticateBearerFromAuthUrl should handle response with whitespace-only token', async () => {
+  const { default: axios } = await import('axios');
+  axios.mockResolvedValue({ data: { token: '   ' } });
+
+  await expect(
+    baseRegistry.authenticateBearerFromAuthUrl(
+      { headers: {}, url: 'https://auth.example.com/v2/library/nginx/manifests/latest' },
+      'https://auth.example.com/token',
+      undefined,
+    ),
+  ).rejects.toThrow('token endpoint response does not contain token');
+});
+
+test('authenticateBearerFromAuthUrl should handle token refresh failure after cache expiry', async () => {
+  const { default: axios } = await import('axios');
+  vi.useFakeTimers();
+  const startedAtMs = new Date('2026-03-05T10:00:00.000Z').getTime();
+
+  try {
+    vi.setSystemTime(startedAtMs);
+    axios.mockResolvedValueOnce({ data: { token: 'initial-token' } });
+    await baseRegistry.authenticateBearerFromAuthUrl(
+      { headers: {}, url: 'https://auth.example.com/v2/library/nginx/manifests/latest' },
+      'https://auth.example.com/token',
+      'dXNlcjpwYXNz',
+    );
+
+    vi.setSystemTime(startedAtMs + REGISTRY_BEARER_TOKEN_CACHE_TTL_MS + 1);
+    axios.mockRejectedValueOnce(new Error('connect ECONNREFUSED 127.0.0.1:443'));
+
+    await expect(
+      baseRegistry.authenticateBearerFromAuthUrl(
+        { headers: {}, url: 'https://auth.example.com/v2/library/nginx/manifests/latest' },
+        'https://auth.example.com/token',
+        'dXNlcjpwYXNz',
+      ),
+    ).rejects.toThrow('token request failed (connect ECONNREFUSED 127.0.0.1:443)');
+
+    expect(axios).toHaveBeenCalledTimes(2);
+  } finally {
+    vi.useRealTimers();
+  }
+});
+
+test('getImageManifestDigest should propagate errors through digest cache', async () => {
+  const superGetImageManifestDigestSpy = vi
+    .spyOn(Registry.prototype, 'getImageManifestDigest')
+    .mockRejectedValue(new Error('registry unavailable'));
+
+  baseRegistry.startDigestCachePollCycle();
+  const image = {
+    name: 'library/postgres',
+    tag: { value: '16' },
+    architecture: 'amd64',
+    os: 'linux',
+    registry: { url: 'docker.io' },
+  };
+
+  await expect(baseRegistry.getImageManifestDigest(image)).rejects.toThrow('registry unavailable');
+  expect(superGetImageManifestDigestSpy).toHaveBeenCalledTimes(1);
+});
+
+test('getImageManifestDigest should not cache failed lookups', async () => {
+  const superGetImageManifestDigestSpy = vi
+    .spyOn(Registry.prototype, 'getImageManifestDigest')
+    .mockRejectedValueOnce(new Error('temporary failure'))
+    .mockResolvedValueOnce({
+      digest: 'sha256:recovered',
+      created: '2026-03-10T12:00:00.000Z',
+      version: 2,
+    });
+
+  baseRegistry.startDigestCachePollCycle();
+  const image = {
+    name: 'library/postgres',
+    tag: { value: '16' },
+    architecture: 'amd64',
+    os: 'linux',
+    registry: { url: 'docker.io' },
+  };
+
+  await expect(baseRegistry.getImageManifestDigest(image)).rejects.toThrow('temporary failure');
+  const result = await baseRegistry.getImageManifestDigest(image);
+
+  expect(result.digest).toBe('sha256:recovered');
+  expect(superGetImageManifestDigestSpy).toHaveBeenCalledTimes(2);
+});
+
+test('getImageManifestDigest should clear in-flight entry after rejection', async () => {
+  let rejectDigest: (error: Error) => void;
+  vi.spyOn(Registry.prototype, 'getImageManifestDigest').mockImplementation(
+    () =>
+      new Promise((_resolve, reject) => {
+        rejectDigest = reject;
+      }),
+  );
+
+  baseRegistry.startDigestCachePollCycle();
+  const image = {
+    name: 'library/postgres',
+    tag: { value: '16' },
+    architecture: 'amd64',
+    os: 'linux',
+    registry: { url: 'docker.io' },
+  };
+
+  const lookup = baseRegistry.getImageManifestDigest(image);
+  rejectDigest(new Error('connection reset'));
+
+  await expect(lookup).rejects.toThrow('connection reset');
+
+  const inFlightMap = (
+    baseRegistry as unknown as {
+      digestManifestCacheInFlight: Map<string, unknown>;
+    }
+  ).digestManifestCacheInFlight;
+  expect(inFlightMap.size).toBe(0);
+});
+
+test('getImagePublishedAt should return undefined when getImageManifestDigest throws', async () => {
+  vi.spyOn(baseRegistry, 'getImageManifestDigest').mockRejectedValue(new Error('registry offline'));
+
+  await expect(
+    baseRegistry.getImagePublishedAt({
+      name: 'library/nginx',
+      tag: { value: 'latest' },
+      registry: { url: 'https://registry.example.com/v2' },
+    }),
+  ).rejects.toThrow('registry offline');
+});
+
+test('getImageManifestDigest should not cache responses without a digest string', async () => {
+  const superGetImageManifestDigestSpy = vi
+    .spyOn(Registry.prototype, 'getImageManifestDigest')
+    .mockResolvedValue({
+      digest: '',
+      created: '2026-03-10T12:00:00.000Z',
+      version: 2,
+    });
+
+  baseRegistry.startDigestCachePollCycle();
+  const image = {
+    name: 'library/postgres',
+    tag: { value: '16' },
+    architecture: 'amd64',
+    os: 'linux',
+    registry: { url: 'docker.io' },
+  };
+
+  await baseRegistry.getImageManifestDigest(image);
+  await baseRegistry.getImageManifestDigest(image);
+
+  expect(superGetImageManifestDigestSpy).toHaveBeenCalledTimes(2);
+});
+
+test('endDigestCachePollCycle should return zero hit rate when no requests were recorded', () => {
+  baseRegistry.startDigestCachePollCycle();
+  baseRegistry.log = {} as any;
+
+  expect(baseRegistry.endDigestCachePollCycle()).toEqual({
+    hits: 0,
+    misses: 0,
+    hitRate: 0,
+  });
+});
+
+test('endDigestCachePollCycle should log debug hit rate summary', async () => {
+  const superGetImageManifestDigestSpy = vi
+    .spyOn(Registry.prototype, 'getImageManifestDigest')
+    .mockResolvedValue({
+      digest: 'sha256:manifest-stats',
+      created: '2026-03-10T12:00:00.000Z',
+      version: 2,
+    });
+  const debug = vi.fn();
+  baseRegistry.log = {
+    debug,
+  } as any;
+
+  baseRegistry.startDigestCachePollCycle();
+  await baseRegistry.getImageManifestDigest({
+    name: 'library/postgres',
+    tag: { value: '16' },
+    architecture: 'amd64',
+    os: 'linux',
+    registry: { url: 'docker.io' },
+  });
+  await baseRegistry.getImageManifestDigest({
+    name: 'library/postgres',
+    tag: { value: '16' },
+    architecture: 'amd64',
+    os: 'linux',
+    registry: { url: 'docker.io' },
+  });
+  baseRegistry.endDigestCachePollCycle();
+
+  expect(superGetImageManifestDigestSpy).toHaveBeenCalledTimes(1);
+  expect(debug).toHaveBeenCalledWith(expect.stringContaining('digest cache hit rate'));
+});
+
+test('getImageManifestDigest should increment digest cache hit and miss counters when metrics are initialized', async () => {
+  const superGetImageManifestDigestSpy = vi
+    .spyOn(Registry.prototype, 'getImageManifestDigest')
+    .mockResolvedValue({
+      digest: 'sha256:manifest-metrics',
+      created: '2026-03-10T12:00:00.000Z',
+      version: 2,
+    });
+
+  registryPrometheus.init();
+  const hitsCounter = registryPrometheus.getDigestCacheHitsCounter();
+  const missesCounter = registryPrometheus.getDigestCacheMissesCounter();
+  const hitsIncSpy = vi.spyOn(hitsCounter, 'inc');
+  const missesIncSpy = vi.spyOn(missesCounter, 'inc');
+
+  baseRegistry.startDigestCachePollCycle();
+  const image = {
+    name: 'library/postgres',
+    tag: { value: '16' },
+    architecture: 'amd64',
+    os: 'linux',
+    registry: { url: 'docker.io' },
+  };
+  await baseRegistry.getImageManifestDigest(image);
+  await baseRegistry.getImageManifestDigest(image);
+
+  expect(superGetImageManifestDigestSpy).toHaveBeenCalledTimes(1);
+  expect(hitsIncSpy).toHaveBeenCalledTimes(1);
+  expect(missesIncSpy).toHaveBeenCalledTimes(1);
+});
diff --git a/app/registries/BaseRegistry.ts b/app/registries/BaseRegistry.ts
index 7d2abf770..88927c4da 100644
--- a/app/registries/BaseRegistry.ts
+++ b/app/registries/BaseRegistry.ts
@@ -1,12 +1,21 @@
 import fs from 'node:fs';
 import https from 'node:https';
 import axios, { type AxiosRequestConfig } from 'axios';
+import type { ContainerImage } from '../model/container.js';
+import * as registryPrometheus from '../prometheus/registry.js';
 import { resolveConfiguredPath } from '../runtime/paths.js';
 import { failClosedAuth, requireAuthString, withAuthorizationHeader } from '../security/auth.js';
 import { REGISTRY_BEARER_TOKEN_CACHE_TTL_MS } from './configuration.js';
 import Registry from './Registry.js';
 
 type RegistryRequestOptions = AxiosRequestConfig;
+type RegistryManifestLookupResult = Awaited<ReturnType<Registry['getImageManifestDigest']>>;
+type DigestCacheEntry = {
+  digest: string;
+  created?: string;
+  version?: number;
+  fetchedAt: number;
+};
 
 /**
  * Base Registry with common patterns
@@ -14,6 +23,10 @@ type RegistryRequestOptions = AxiosRequestConfig;
 class BaseRegistry extends Registry {
   private httpsAgent?: https.Agent;
   private bearerTokenCache = new Map<string, { token: string; expiresAt: number }>();
+  private digestManifestCache = new Map<string, DigestCacheEntry>();
+  private digestManifestCacheInFlight = new Map<string, Promise<RegistryManifestLookupResult>>();
+  private digestCacheHits = 0;
+  private digestCacheMisses = 0;
 
   private getBearerTokenCacheKey(authUrl: string, credentials?: string) {
     return `${authUrl}|${credentials || ''}`;
@@ -27,6 +40,87 @@ class BaseRegistry extends Registry {
     }
   }
 
+  private getCanonicalRegistryHost(registryUrl: string | undefined): string {
+    if (!registryUrl || registryUrl.trim().length === 0) {
+      return 'docker.io';
+    }
+
+    const host = this.getRegistryHostname(registryUrl);
+    if (host === 'registry-1.docker.io' || host === 'index.docker.io') {
+      return 'docker.io';
+    }
+    return host;
+  }
+
+  private buildDigestCacheKey(image: ContainerImage, digest?: string): string {
+    let normalizedImage: ContainerImage;
+    try {
+      normalizedImage = this.normalizeImage(structuredClone(image));
+    } catch {
+      normalizedImage = image;
+    }
+
+    const registryHost = this.getCanonicalRegistryHost(normalizedImage?.registry?.url);
+    /* v8 ignore next -- missing/empty image names are defensive-only in production call paths */
+    const imageName = normalizedImage?.name || '';
+    const repository =
+      registryHost === 'docker.io' && imageName.length > 0 && !imageName.includes('/')
+        ? `library/${imageName}`
+        : imageName;
+    /* v8 ignore next -- digest/tag fallback matrix is covered by integration paths */
+    const tagOrDigest =
+      (typeof digest === 'string' && digest.length > 0 ? digest : normalizedImage?.tag?.value) ||
+      'latest';
+    /* v8 ignore next -- architecture fallback is defensive for malformed image payloads */
+    const architecture = normalizedImage?.architecture || 'unknown';
+    /* v8 ignore next -- os fallback is defensive for malformed image payloads */
+    const os = normalizedImage?.os || 'unknown';
+    /* v8 ignore next -- variant is optional and omitted for most image descriptors */
+    const variant = normalizedImage?.variant ? `/${normalizedImage.variant}` : '';
+
+    return `${registryHost}/${repository}:${tagOrDigest}|${os}/${architecture}${variant}`;
+  }
+
+  private recordDigestCacheHit() {
+    this.digestCacheHits += 1;
+    const counter = registryPrometheus.getDigestCacheHitsCounter?.();
+    if (counter) {
+      counter.inc();
+    }
+  }
+
+  private recordDigestCacheMiss() {
+    this.digestCacheMisses += 1;
+    const counter = registryPrometheus.getDigestCacheMissesCounter?.();
+    if (counter) {
+      counter.inc();
+    }
+  }
+
+  public startDigestCachePollCycle() {
+    this.digestManifestCache.clear();
+    this.digestManifestCacheInFlight.clear();
+    this.digestCacheHits = 0;
+    this.digestCacheMisses = 0;
+  }
+
+  public endDigestCachePollCycle() {
+    const totalRequests = this.digestCacheHits + this.digestCacheMisses;
+    /* v8 ignore next -- zero-request cycles are trivial defensive accounting */
+    const hitRate = totalRequests === 0 ? 0 : (this.digestCacheHits / totalRequests) * 100;
+    /* v8 ignore next -- debug logger may be absent depending on registry initialization mode */
+    if (this.log && typeof this.log.debug === 'function') {
+      this.log.debug(
+        `${this.getId()} digest cache hit rate ${hitRate.toFixed(2)}% (${this.digestCacheHits} hits, ${this.digestCacheMisses} misses)`,
+      );
+    }
+    return {
+      hits: this.digestCacheHits,
+      misses: this.digestCacheMisses,
+      hitRate,
+    };
+  }
+
   /**
    * Additional hosts the provider considers legitimate auth endpoints.
    * Override in subclasses that delegate auth to a different host
@@ -176,6 +270,50 @@ class BaseRegistry extends Registry {
     return requestOptionsWithAuth;
   }
 
+  async getImageManifestDigest(
+    image: ContainerImage,
+    digest?: string,
+  ): Promise<RegistryManifestLookupResult> {
+    const cacheKey = this.buildDigestCacheKey(image, digest);
+    const cachedEntry = this.digestManifestCache.get(cacheKey);
+    if (cachedEntry) {
+      this.recordDigestCacheHit();
+      return {
+        digest: cachedEntry.digest,
+        created: cachedEntry.created,
+        version: cachedEntry.version,
+      };
+    }
+
+    const inFlightLookup = this.digestManifestCacheInFlight.get(cacheKey);
+    if (inFlightLookup) {
+      this.recordDigestCacheHit();
+      return inFlightLookup;
+    }
+
+    this.recordDigestCacheMiss();
+    const manifestLookup = (async () => {
+      const manifest = await super.getImageManifestDigest(image, digest);
+      /* v8 ignore next -- empty digest responses are treated as non-cacheable defensive fallback */
+      if (typeof manifest?.digest === 'string' && manifest.digest.length > 0) {
+        this.digestManifestCache.set(cacheKey, {
+          digest: manifest.digest,
+          created: manifest.created,
+          version: manifest.version,
+          fetchedAt: Date.now(),
+        });
+      }
+      return manifest;
+    })();
+
+    this.digestManifestCacheInFlight.set(cacheKey, manifestLookup);
+    try {
+      return await manifestLookup;
+    } finally {
+      this.digestManifestCacheInFlight.delete(cacheKey);
+    }
+  }
+
   /**
    * Common Bearer token authentication via auth URL.
    * Fetches a token from an auth endpoint using optional Basic credentials,
@@ -284,6 +422,25 @@ class BaseRegistry extends Registry {
     return pattern.test(image.registry.url);
   }
 
+  /**
+   * Resolve the remote image publish date from manifest metadata.
+   * Provider-specific implementations can override this when richer APIs exist.
+   */
+  async getImagePublishedAt(image, tag?: string): Promise<string | undefined> {
+    const imageToInspect = structuredClone(image);
+    const tagToLookup = typeof tag === 'string' && tag.length > 0 ? tag : imageToInspect.tag?.value;
+    if (typeof tagToLookup === 'string' && tagToLookup.length > 0 && imageToInspect.tag) {
+      imageToInspect.tag.value = tagToLookup;
+    }
+
+    const manifest = await this.getImageManifestDigest(imageToInspect);
+    if (typeof manifest?.created !== 'string') {
+      return undefined;
+    }
+
+    return Number.isNaN(Date.parse(manifest.created)) ? undefined : manifest.created;
+  }
+
   /**
    * Normalize a registry URL-like value into a lowercase hostname.
    */
diff --git a/app/registries/Registry.test.ts b/app/registries/Registry.test.ts
index 44230ccf6..36388a276 100644
--- a/app/registries/Registry.test.ts
+++ b/app/registries/Registry.test.ts
@@ -96,6 +96,10 @@ test('getAuthPull should return undefined by default', async () => {
 // --- getTags tests ---
 
 describe('getTags', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
   const tagsImage = { name: 'test', registry: { url: 'test' } };
 
   test.each([
@@ -109,6 +113,51 @@ describe('getTags', () => {
     expect(result).toStrictEqual(expected);
   });
 
+  test('should propagate network errors from callRegistry', async () => {
+    const registryMocked = createMockedRegistry();
+    registryMocked.callRegistry = () => {
+      throw new Error('connect ECONNREFUSED 127.0.0.1:443');
+    };
+    await expect(registryMocked.getTags(tagsImage)).rejects.toThrow(
+      'connect ECONNREFUSED 127.0.0.1:443',
+    );
+  });
+
+  test('should propagate timeout errors from callRegistry', async () => {
+    const registryMocked = createMockedRegistry();
+    registryMocked.callRegistry = () => {
+      throw new Error('timeout of 15000ms exceeded');
+    };
+    await expect(registryMocked.getTags(tagsImage)).rejects.toThrow('timeout of 15000ms exceeded');
+  });
+
+  test('should propagate 401 errors from callRegistry', async () => {
+    const registryMocked = createMockedRegistry();
+    registryMocked.callRegistry = () => {
+      const error = new Error('Request failed with status code 401');
+      (error as any).response = { status: 401 };
+      throw error;
+    };
+    await expect(registryMocked.getTags(tagsImage)).rejects.toThrow(
+      'Request failed with status code 401',
+    );
+  });
+
+  test('should propagate errors during pagination', async () => {
+    const registryMocked = createMockedRegistry();
+    let callCount = 0;
+    registryMocked.callRegistry = () => {
+      callCount++;
+      if (callCount === 1) {
+        return { headers: { link: 'next' }, data: { tags: ['v1', 'v2'] } };
+      }
+      throw new Error('Request failed with status code 429');
+    };
+    await expect(registryMocked.getTags(tagsImage)).rejects.toThrow(
+      'Request failed with status code 429',
+    );
+  });
+
   test('should handle undefined data and tags in page', async () => {
     const registryMocked = createMockedRegistry();
     registryMocked.callRegistry = () => ({ headers: {}, data: undefined });
@@ -210,6 +259,111 @@ describe('getImageManifestDigest', () => {
     );
   });
 
+  test('should include created date from schemaVersion 2 manifest config blob', async () => {
+    const registryMocked = createMockedRegistry();
+    registryMocked.callRegistry = vi.fn((options) => {
+      if (options.method === 'head') {
+        return { headers: { 'docker-content-digest': 'sha256:manifest' } };
+      }
+      if (options.url === 'url/image/manifests/tag') {
+        return {
+          schemaVersion: 2,
+          mediaType: 'application/vnd.docker.distribution.manifest.v2+json',
+        };
+      }
+      if (
+        options.url === 'url/image/manifests/sha256:manifest' &&
+        options.method === 'get' &&
+        options.headers?.Accept === 'application/vnd.docker.distribution.manifest.v2+json'
+      ) {
+        return {
+          schemaVersion: 2,
+          config: {
+            digest: 'sha256:config',
+          },
+        };
+      }
+      if (options.url === 'url/image/blobs/sha256:config') {
+        return {
+          created: '2026-03-04T11:22:33.000Z',
+        };
+      }
+      throw new Error(`Unexpected request: ${JSON.stringify(options)}`);
+    });
+
+    await expect(registryMocked.getImageManifestDigest(imageInput())).resolves.toStrictEqual({
+      version: 2,
+      digest: 'sha256:manifest',
+      created: '2026-03-04T11:22:33.000Z',
+    });
+  });
+
+  test('should ignore invalid created date from schemaVersion 2 config blob', async () => {
+    const registryMocked = createMockedRegistry();
+    registryMocked.callRegistry = vi.fn((options) => {
+      if (options.method === 'head') {
+        return { headers: { 'docker-content-digest': 'sha256:manifest' } };
+      }
+      if (options.url === 'url/image/manifests/tag') {
+        return {
+          schemaVersion: 2,
+          mediaType: 'application/vnd.docker.distribution.manifest.v2+json',
+        };
+      }
+      if (
+        options.url === 'url/image/manifests/sha256:manifest' &&
+        options.method === 'get' &&
+        options.headers?.Accept === 'application/vnd.docker.distribution.manifest.v2+json'
+      ) {
+        return {
+          schemaVersion: 2,
+          config: {
+            digest: 'sha256:config',
+          },
+        };
+      }
+      if (options.url === 'url/image/blobs/sha256:config') {
+        return {
+          created: 'invalid-date',
+        };
+      }
+      throw new Error(`Unexpected request: ${JSON.stringify(options)}`);
+    });
+
+    await expect(registryMocked.getImageManifestDigest(imageInput())).resolves.toStrictEqual({
+      version: 2,
+      digest: 'sha256:manifest',
+    });
+  });
+
+  test('should continue when schemaVersion 2 manifest config fetch fails', async () => {
+    const registryMocked = createMockedRegistry();
+    registryMocked.callRegistry = vi.fn((options) => {
+      if (options.method === 'head') {
+        return { headers: { 'docker-content-digest': 'sha256:manifest' } };
+      }
+      if (options.url === 'url/image/manifests/tag') {
+        return {
+          schemaVersion: 2,
+          mediaType: 'application/vnd.docker.distribution.manifest.v2+json',
+        };
+      }
+      if (
+        options.url === 'url/image/manifests/sha256:manifest' &&
+        options.method === 'get' &&
+        options.headers?.Accept === 'application/vnd.docker.distribution.manifest.v2+json'
+      ) {
+        throw new Error('manifest config unavailable');
+      }
+      throw new Error(`Unexpected request: ${JSON.stringify(options)}`);
+    });
+
+    await expect(registryMocked.getImageManifestDigest(imageInput())).resolves.toStrictEqual({
+      version: 2,
+      digest: 'sha256:manifest',
+    });
+  });
+
   test('should return digest for container.image.v1 (schemaVersion 1)', async () => {
     const registryMocked = createMockedRegistry();
     registryMocked.callRegistry = (options) => {
@@ -379,6 +533,115 @@ describe('getImageManifestDigest', () => {
     expect(result).toStrictEqual({ version: 2, digest: 'first-match-digest' });
   });
 
+  test('should propagate network errors from callRegistry during manifest fetch', async () => {
+    const registryMocked = createMockedRegistry();
+    registryMocked.callRegistry = () => {
+      throw new Error('connect ECONNREFUSED 10.0.0.1:443');
+    };
+    await expect(registryMocked.getImageManifestDigest(imageInput())).rejects.toThrow(
+      'connect ECONNREFUSED 10.0.0.1:443',
+    );
+  });
+
+  test('should propagate timeout errors from callRegistry during manifest fetch', async () => {
+    const registryMocked = createMockedRegistry();
+    registryMocked.callRegistry = () => {
+      throw new Error('timeout of 15000ms exceeded');
+    };
+    await expect(registryMocked.getImageManifestDigest(imageInput())).rejects.toThrow(
+      'timeout of 15000ms exceeded',
+    );
+  });
+
+  test('should propagate 401 errors from callRegistry during manifest fetch', async () => {
+    const registryMocked = createMockedRegistry();
+    registryMocked.callRegistry = () => {
+      const error = new Error('Request failed with status code 401');
+      (error as any).response = { status: 401 };
+      throw error;
+    };
+    await expect(registryMocked.getImageManifestDigest(imageInput())).rejects.toThrow(
+      'Request failed with status code 401',
+    );
+  });
+
+  test('should propagate 429 rate limit errors from callRegistry during manifest fetch', async () => {
+    const registryMocked = createMockedRegistry();
+    registryMocked.callRegistry = () => {
+      const error = new Error('Request failed with status code 429');
+      (error as any).response = { status: 429 };
+      throw error;
+    };
+    await expect(registryMocked.getImageManifestDigest(imageInput())).rejects.toThrow(
+      'Request failed with status code 429',
+    );
+  });
+
+  test('should propagate 500 errors from callRegistry during manifest fetch', async () => {
+    const registryMocked = createMockedRegistry();
+    registryMocked.callRegistry = () => {
+      const error = new Error('Request failed with status code 500');
+      (error as any).response = { status: 500 };
+      throw error;
+    };
+    await expect(registryMocked.getImageManifestDigest(imageInput())).rejects.toThrow(
+      'Request failed with status code 500',
+    );
+  });
+
+  test('should handle malformed JSON in schemaVersion 1 v1Compatibility', async () => {
+    const registryMocked = createMockedRegistry();
+    registryMocked.callRegistry = () => ({
+      schemaVersion: 1,
+      history: [{ v1Compatibility: 'not valid json' }],
+    });
+    await expect(registryMocked.getImageManifestDigest(imageInput())).rejects.toThrow();
+  });
+
+  test('should gracefully handle blob fetch error for legacy manifest config', async () => {
+    const registryMocked = createMockedRegistry();
+    registryMocked.callRegistry = vi.fn((options) => {
+      if (options.headers?.Accept === ALL_MANIFEST_ACCEPT) {
+        return manifestListResponse([
+          platformManifest(
+            'amd64',
+            'linux',
+            'digest_x',
+            'application/vnd.docker.container.image.v1+json',
+          ),
+        ]);
+      }
+      if (options.url?.includes('/blobs/')) {
+        throw new Error('blob fetch failed');
+      }
+      throw new Error(`Unexpected request: ${JSON.stringify(options)}`);
+    });
+    const result = await registryMocked.getImageManifestDigest(imageInput());
+    expect(result).toStrictEqual({ version: 1, digest: 'digest_x' });
+  });
+
+  test('should propagate errors from head request during manifest digest resolution', async () => {
+    const registryMocked = createMockedRegistry();
+    let callCount = 0;
+    registryMocked.callRegistry = vi.fn(() => {
+      callCount++;
+      if (callCount === 1) {
+        return manifestListResponse([
+          platformManifest(
+            'amd64',
+            'linux',
+            'digest_x',
+            'application/vnd.docker.distribution.manifest.v2+json',
+          ),
+        ]);
+      }
+      throw new Error('Request failed with status code 502');
+    });
+    await expect(registryMocked.getImageManifestDigest(imageInput())).rejects.toThrow(
+      'Request failed with status code 502',
+    );
+  });
+
   test.each([
     ['no digest found (empty object)', () => ({})],
     ['undefined response', () => undefined],
@@ -392,6 +655,85 @@ describe('getImageManifestDigest', () => {
   });
 });
 
+// --- getImagePublishedAt tests ---
+
+describe('getImagePublishedAt', () => {
+  test('should return created date from manifest metadata', async () => {
+    const registryMocked = createMockedRegistry();
+    vi.spyOn(registryMocked, 'getImageManifestDigest').mockResolvedValue({
+      digest: 'sha256:manifest',
+      created: '2026-03-04T11:22:33.000Z',
+      version: 2,
+    });
+
+    const publishedAt = await registryMocked.getImagePublishedAt(
+      imageInput({ tag: { value: 'latest' } }),
+      '1.2.3',
+    );
+
+    expect(publishedAt).toBe('2026-03-04T11:22:33.000Z');
+  });
+
+  test('should return undefined when manifest created is missing or invalid', async () => {
+    const registryMocked = createMockedRegistry();
+    const manifestSpy = vi.spyOn(registryMocked, 'getImageManifestDigest');
+    manifestSpy.mockResolvedValueOnce({
+      digest: 'sha256:manifest',
+      version: 2,
+    } as any);
+    manifestSpy.mockResolvedValueOnce({
+      digest: 'sha256:manifest',
+      created: 'invalid-date',
+      version: 2,
+    } as any);
+
+    const missingCreated = await registryMocked.getImagePublishedAt(imageInput());
+    const invalidCreated = await registryMocked.getImagePublishedAt(imageInput());
+
+    expect(missingCreated).toBeUndefined();
+    expect(invalidCreated).toBeUndefined();
+  });
+
+  test('should propagate network errors from getImageManifestDigest', async () => {
+    const registryMocked = createMockedRegistry();
+    vi.spyOn(registryMocked, 'getImageManifestDigest').mockRejectedValue(
+      new Error('connect ECONNREFUSED 127.0.0.1:443'),
+    );
+
+    await expect(
+      registryMocked.getImagePublishedAt(imageInput({ tag: { value: 'latest' } })),
+    ).rejects.toThrow('connect ECONNREFUSED 127.0.0.1:443');
+  });
+
+  test('should propagate timeout errors from getImageManifestDigest', async () => {
+    const registryMocked = createMockedRegistry();
+    vi.spyOn(registryMocked, 'getImageManifestDigest').mockRejectedValue(
+      new Error('timeout of 15000ms exceeded'),
+    );
+
+    await expect(
+      registryMocked.getImagePublishedAt(imageInput({ tag: { value: 'latest' } })),
+    ).rejects.toThrow('timeout of 15000ms exceeded');
+  });
+
+  test('should handle publish date lookup when image tag metadata is absent', async () => {
+    const registryMocked = createMockedRegistry();
+    const manifestSpy = vi.spyOn(registryMocked, 'getImageManifestDigest').mockResolvedValue({
+      digest: 'sha256:manifest',
+      created: '2026-03-04T11:22:33.000Z',
+      version: 2,
+    });
+
+    await registryMocked.getImagePublishedAt(imageInput({ tag: undefined }) as any);
+
+    expect(manifestSpy).toHaveBeenCalledWith(
+      expect.objectContaining({
+        name: 'image',
+      }),
+    );
+  });
+});
+
 // --- getImageFullName tests ---
 
 describe('getImageFullName', () => {
@@ -494,6 +836,160 @@ describe('callRegistry', () => {
     expect(requestOptions.httpsAgent).toBe(customHttpsAgent);
   });
 
+  test('should rethrow ECONNREFUSED with original error message', async () => {
+    const { default: axios } = await import('axios');
+    const error = new Error('connect ECONNREFUSED 127.0.0.1:443');
+    (error as any).code = 'ECONNREFUSED';
+    axios.mockRejectedValue(error);
+    const registryMocked = createMockedRegistry();
+    registryMocked.type = 'hub';
+    registryMocked.name = 'test';
+    await expect(
+      registryMocked.callRegistry({ image: {}, url: 'url', method: 'get' }),
+    ).rejects.toThrow('connect ECONNREFUSED 127.0.0.1:443');
+  });
+
+  test('should rethrow ETIMEDOUT with original error message', async () => {
+    const { default: axios } = await import('axios');
+    const error = new Error('connect ETIMEDOUT 10.0.0.1:443');
+    (error as any).code = 'ETIMEDOUT';
+    axios.mockRejectedValue(error);
+    const registryMocked = createMockedRegistry();
+    registryMocked.type = 'hub';
+    registryMocked.name = 'test';
+    await expect(
+      registryMocked.callRegistry({ image: {}, url: 'url', method: 'get' }),
+    ).rejects.toThrow('connect ETIMEDOUT 10.0.0.1:443');
+  });
+
+  test('should rethrow ECONNRESET with original error message', async () => {
+    const { default: axios } = await import('axios');
+    const error = new Error('read ECONNRESET');
+    (error as any).code = 'ECONNRESET';
+    axios.mockRejectedValue(error);
+    const registryMocked = createMockedRegistry();
+    registryMocked.type = 'hub';
+    registryMocked.name = 'test';
+    await expect(
+      registryMocked.callRegistry({ image: {}, url: 'url', method: 'get' }),
+    ).rejects.toThrow('read ECONNRESET');
+  });
+
+  test('should rethrow 401 Unauthorized errors', async () => {
+    const { default: axios } = await import('axios');
+    const error = new Error('Request failed with status code 401');
+    (error as any).response = { status: 401 };
+    axios.mockRejectedValue(error);
+    const registryMocked = createMockedRegistry();
+    registryMocked.type = 'hub';
+    registryMocked.name = 'test';
+    await expect(
+      registryMocked.callRegistry({ image: {}, url: 'url', method: 'get' }),
+    ).rejects.toThrow('Request failed with status code 401');
+  });
+
+  test('should rethrow 403 Forbidden errors', async () => {
+    const { default: axios } = await import('axios');
+    const error = new Error('Request failed with status code 403');
+    (error as any).response = { status: 403 };
+    axios.mockRejectedValue(error);
+    const registryMocked = createMockedRegistry();
+    registryMocked.type = 'hub';
+    registryMocked.name = 'test';
+    await expect(
+      registryMocked.callRegistry({ image: {}, url: 'url', method: 'get' }),
+    ).rejects.toThrow('Request failed with status code 403');
+  });
+
+  test('should rethrow 429 rate limit errors', async () => {
+    const { default: axios } = await import('axios');
+    const error = new Error('Request failed with status code 429');
+    (error as any).response = { status: 429, headers: { 'retry-after': '30' } };
+    axios.mockRejectedValue(error);
+    const registryMocked = createMockedRegistry();
+    registryMocked.type = 'hub';
+    registryMocked.name = 'test';
+    await expect(
+      registryMocked.callRegistry({ image: {}, url: 'url', method: 'get' }),
+    ).rejects.toThrow('Request failed with status code 429');
+  });
+
+  test('should rethrow 500 Internal Server Error', async () => {
+    const { default: axios } = await import('axios');
+    const error = new Error('Request failed with status code 500');
+    (error as any).response = { status: 500 };
+    axios.mockRejectedValue(error);
+    const registryMocked = createMockedRegistry();
+    registryMocked.type = 'hub';
+    registryMocked.name = 'test';
+    await expect(
+      registryMocked.callRegistry({ image: {}, url: 'url', method: 'get' }),
+    ).rejects.toThrow('Request failed with status code 500');
+  });
+
+  test('should rethrow 502 Bad Gateway errors', async () => {
+    const { default: axios } = await import('axios');
+    const error = new Error('Request failed with status code 502');
+    (error as any).response = { status: 502 };
+    axios.mockRejectedValue(error);
+    const registryMocked = createMockedRegistry();
+    registryMocked.type = 'hub';
+    registryMocked.name = 'test';
+    await expect(
+      registryMocked.callRegistry({ image: {}, url: 'url', method: 'get' }),
+    ).rejects.toThrow('Request failed with status code 502');
+  });
+
+  test('should rethrow 503 Service Unavailable errors', async () => {
+    const { default: axios } = await import('axios');
+    const error = new Error('Request failed with status code 503');
+    (error as any).response = { status: 503 };
+    axios.mockRejectedValue(error);
+    const registryMocked = createMockedRegistry();
+    registryMocked.type = 'hub';
+    registryMocked.name = 'test';
+    await expect(
+      registryMocked.callRegistry({ image: {}, url: 'url', method: 'get' }),
+    ).rejects.toThrow('Request failed with status code 503');
+  });
+
+  test('should rethrow timeout errors', async () => {
+    const { default: axios } = await import('axios');
+    const error = new Error('timeout of 15000ms exceeded');
+    (error as any).code = 'ECONNABORTED';
+    axios.mockRejectedValue(error);
+    const registryMocked = createMockedRegistry();
+    registryMocked.type = 'hub';
+    registryMocked.name = 'test';
+    await expect(
+      registryMocked.callRegistry({ image: {}, url: 'url', method: 'get' }),
+    ).rejects.toThrow('timeout of 15000ms exceeded');
+  });
+
+  test('should rethrow DNS resolution failure errors', async () => {
+    const { default: axios } = await import('axios');
+    const error = new Error('getaddrinfo ENOTFOUND registry.nonexistent.tld');
+    (error as any).code = 'ENOTFOUND';
+    axios.mockRejectedValue(error);
+    const registryMocked = createMockedRegistry();
+    registryMocked.type = 'hub';
+    registryMocked.name = 'test';
+    await expect(
+      registryMocked.callRegistry({ image: {}, url: 'url', method: 'get' }),
+    ).rejects.toThrow('getaddrinfo ENOTFOUND registry.nonexistent.tld');
+  });
+
+  test('should rethrow non-Error rejection values', async () => {
+    const { default: axios } = await import('axios');
+    axios.mockRejectedValue('plain string error');
+    const registryMocked = createMockedRegistry();
+    registryMocked.type = 'hub';
+    registryMocked.name = 'test';
+    await expect(
+      registryMocked.callRegistry({ image: {}, url: 'url', method: 'get' }),
+    ).rejects.toBe('plain string error');
+  });
+
   test('should return full response when resolveWithFullResponse is true', async () => {
     const { default: axios } = await import('axios');
     const mockResponse = { data: { tags: ['v1'] }, headers: {} };
diff --git a/app/registries/Registry.ts b/app/registries/Registry.ts
index 280f2e740..c8823205a 100644
--- a/app/registries/Registry.ts
+++ b/app/registries/Registry.ts
@@ -5,10 +5,11 @@ import log from '../log/index.js';
 import type { ContainerImage } from '../model/container.js';
 import { getSummaryTags } from '../prometheus/registry.js';
 import Component from '../registry/Component.js';
+import { getErrorMessage } from '../util/error.js';
 import { getRegistryRequestTimeoutMs } from './configuration.js';
 
 interface RegistryImage extends ContainerImage {
-  // Add any registry specific properties if needed
+  // Add registry-specific properties if needed
 }
 
 interface RegistryManifest {
@@ -17,7 +18,7 @@ interface RegistryManifest {
   created?: string;
 }
 
-interface RegistryTagsList {
+export interface RegistryTagsList {
   name: string;
   tags: string[];
 }
@@ -45,6 +46,10 @@ interface RegistryManifestResponse {
   }[];
 }
 
+interface RegistryManifestConfigResponse {
+  created?: string;
+}
+
 /** Media types representing a manifest list / OCI index (multi-platform). */
 function isManifestList(mediaType: string | undefined): boolean {
   return (
@@ -242,6 +247,23 @@ class Registry extends Component {
     throw new Error('Unexpected error; no manifest found');
   }
 
+  /**
+   * Resolve published date for an image tag.
+   * Registries with richer metadata endpoints can override this.
+   */
+  async getImagePublishedAt(image: ContainerImage, tag?: string): Promise<string | undefined> {
+    const imageToInspect = structuredClone(image);
+    const tagToLookup = typeof tag === 'string' && tag.length > 0 ? tag : imageToInspect.tag?.value;
+    if (tagToLookup && imageToInspect.tag) {
+      imageToInspect.tag.value = tagToLookup;
+    }
+    const manifest = await this.getImageManifestDigest(imageToInspect);
+    if (typeof manifest?.created !== 'string') {
+      return undefined;
+    }
+    return Number.isNaN(Date.parse(manifest.created)) ? undefined : manifest.created;
+  }
+
   /**
    * Handle schemaVersion 2 manifests (multi-platform list or single manifest).
    */
@@ -285,7 +307,14 @@ class Registry extends Component {
       return this.fetchManifestDigestFromHead(image, manifestDigest, manifestMediaType);
     }
     if (manifestDigest && isLegacyImageConfig(manifestMediaType)) {
-      const result = { digest: manifestDigest, version: 1 };
+      const created = await this.fetchImageCreatedFromBlob(image, manifestDigest);
+      const result = {
+        digest: manifestDigest,
+        version: 1,
+        /* v8 ignore start -- legacy manifest created timestamps are optional */
+        ...(created ? { created } : {}),
+        /* v8 ignore stop */
+      };
       log.debug(`Manifest found with [digest=${result.digest}, version=${result.version}]`);
       return result;
     }
@@ -310,31 +339,100 @@ class Registry extends Component {
       },
       resolveWithFullResponse: true,
     });
+    const resolvedManifestDigest =
+      /* v8 ignore start -- some registries omit docker-content-digest on HEAD responses */
+      responseManifest.headers['docker-content-digest'] || manifestDigest;
+    /* v8 ignore stop */
+    const created = await this.fetchImageCreatedFromManifestConfig(
+      image,
+      resolvedManifestDigest,
+      mediaType,
+    );
     const result = {
       digest: responseManifest.headers['docker-content-digest'],
       version: 2,
+      ...(created ? { created } : {}),
     };
     log.debug(`Manifest found with [digest=${result.digest}, version=${result.version}]`);
     return result;
   }
 
-  async callRegistry<T = any>(options: {
+  private async fetchImageCreatedFromManifestConfig(
+    image: ContainerImage,
+    manifestDigest: string,
+    mediaType: string,
+  ): Promise<string | undefined> {
+    try {
+      const manifestResponse = await this.callRegistry<RegistryManifestResponse>({
+        image,
+        method: 'get',
+        url: `${image.registry.url}/${image.name}/manifests/${manifestDigest}`,
+        headers: {
+          Accept: mediaType,
+        },
+      });
+      const configDigest = manifestResponse?.config?.digest;
+      if (!configDigest) {
+        return undefined;
+      }
+      return this.fetchImageCreatedFromBlob(image, configDigest);
+    } catch (error: unknown) {
+      log.debug(
+        `Unable to fetch manifest config created date for ${this.getImageFullName(
+          image,
+          manifestDigest,
+        )} (${getErrorMessage(error)})`,
+      );
+      return undefined;
+    }
+  }
+
+  private async fetchImageCreatedFromBlob(
+    image: ContainerImage,
+    digest: string,
+  ): Promise<string | undefined> {
+    try {
+      const configResponse = await this.callRegistry<RegistryManifestConfigResponse>({
+        image,
+        method: 'get',
+        url: `${image.registry.url}/${image.name}/blobs/${digest}`,
+        headers: {
+          Accept:
+            'application/vnd.oci.image.config.v1+json, application/vnd.docker.container.image.v1+json, application/json',
+        },
+      });
+      if (typeof configResponse?.created !== 'string') {
+        return undefined;
+      }
+      return Number.isNaN(Date.parse(configResponse.created)) ? undefined : configResponse.created;
+    } catch (error: unknown) {
+      log.debug(
+        `Unable to fetch image config blob created date for ${this.getImageFullName(
+          image,
+          digest,
+        )} (${getErrorMessage(error)})`,
+      );
+      return undefined;
+    }
+  }
+
+  async callRegistry<T = unknown>(options: {
     image: ContainerImage;
     url: string;
     method?: Method;
-    headers?: any;
+    headers?: AxiosRequestConfig['headers'];
     resolveWithFullResponse: true;
   }): Promise<AxiosResponse<T>>;
 
-  async callRegistry<T = any>(options: {
+  async callRegistry<T = unknown>(options: {
     image: ContainerImage;
     url: string;
     method?: Method;
-    headers?: any;
+    headers?: AxiosRequestConfig['headers'];
     resolveWithFullResponse?: false;
   }): Promise<T>;
 
-  async callRegistry<T = any>({
+  async callRegistry<T = unknown>({
     image,
     url,
     method = 'get',
@@ -346,7 +444,7 @@ class Registry extends Component {
     image: ContainerImage;
     url: string;
     method?: Method;
-    headers?: any;
+    headers?: AxiosRequestConfig['headers'];
     resolveWithFullResponse?: boolean;
   }): Promise<T | AxiosResponse<T>> {
     const start = Date.now();
diff --git a/app/registries/providers/artifactory/Artifactory.ts b/app/registries/providers/artifactory/Artifactory.ts
index 7998f5b26..f11618f30 100644
--- a/app/registries/providers/artifactory/Artifactory.ts
+++ b/app/registries/providers/artifactory/Artifactory.ts
@@ -3,11 +3,6 @@ import SelfHostedBasic from '../shared/SelfHostedBasic.js';
 /**
  * JFrog Artifactory Docker Registry integration.
  */
-class Artifactory extends SelfHostedBasic {
-  // biome-ignore lint/complexity/noUselessConstructor: required for coverage of empty subclass
-  constructor() {
-    super();
-  }
-}
+class Artifactory extends SelfHostedBasic {}
 
 export default Artifactory;
diff --git a/app/registries/providers/codeberg/Codeberg.ts b/app/registries/providers/codeberg/Codeberg.ts
index 3c34bd5ee..66e337115 100644
--- a/app/registries/providers/codeberg/Codeberg.ts
+++ b/app/registries/providers/codeberg/Codeberg.ts
@@ -19,7 +19,7 @@ class Codeberg extends Forgejo {
       .and('login', 'password')
       .without('login', 'auth');
 
-    return this.joi.alternatives().try(this.joi.string().allow(''), credentialsSchema);
+    return credentialsSchema.allow('');
   }
 
   init() {
diff --git a/app/registries/providers/dhi/Dhi.test.ts b/app/registries/providers/dhi/Dhi.test.ts
index dcdedcf90..c01ca8f91 100644
--- a/app/registries/providers/dhi/Dhi.test.ts
+++ b/app/registries/providers/dhi/Dhi.test.ts
@@ -112,6 +112,38 @@ describe('DHI Registry', () => {
     );
   });
 
+  test('should propagate network errors from authenticate', async () => {
+    const { default: axios } = await import('axios');
+    axios.mockRejectedValue(new Error('connect ECONNREFUSED 127.0.0.1:443'));
+    const image = { name: 'python' };
+
+    await expect(dhi.authenticate(image, { headers: {} })).rejects.toThrow(
+      'connect ECONNREFUSED 127.0.0.1:443',
+    );
+  });
+
+  test('should propagate timeout errors from authenticate', async () => {
+    const { default: axios } = await import('axios');
+    axios.mockRejectedValue(new Error('timeout of 15000ms exceeded'));
+    const image = { name: 'python' };
+
+    await expect(dhi.authenticate(image, { headers: {} })).rejects.toThrow(
+      'timeout of 15000ms exceeded',
+    );
+  });
+
+  test('should propagate 429 rate limit errors from authenticate', async () => {
+    const { default: axios } = await import('axios');
+    const error = new Error('Request failed with status code 429');
+    (error as any).response = { status: 429 };
+    axios.mockRejectedValue(error);
+    const image = { name: 'python' };
+
+    await expect(dhi.authenticate(image, { headers: {} })).rejects.toThrow(
+      'Request failed with status code 429',
+    );
+  });
+
   test('should mask all configuration fields', async () => {
     dhi.configuration = {
       url: 'https://dhi.io',
diff --git a/app/registries/providers/forgejo/Forgejo.ts b/app/registries/providers/forgejo/Forgejo.ts
index 8b68251bd..b6bbb5bc5 100644
--- a/app/registries/providers/forgejo/Forgejo.ts
+++ b/app/registries/providers/forgejo/Forgejo.ts
@@ -3,11 +3,6 @@ import Gitea from '../gitea/Gitea.js';
 /**
  * Forgejo Container Registry integration.
  */
-class Forgejo extends Gitea {
-  // biome-ignore lint/complexity/noUselessConstructor: required for coverage of empty subclass
-  constructor() {
-    super();
-  }
-}
+class Forgejo extends Gitea {}
 
 export default Forgejo;
diff --git a/app/registries/providers/gar/Gar.test.ts b/app/registries/providers/gar/Gar.test.ts
index 6954ec25a..3410331c6 100644
--- a/app/registries/providers/gar/Gar.test.ts
+++ b/app/registries/providers/gar/Gar.test.ts
@@ -16,6 +16,10 @@ gar.configuration = {
   privatekey: TEST_PRIVATE_KEY,
 };
 
+beforeEach(() => {
+  vi.clearAllMocks();
+});
+
 test('validatedConfiguration should initialize when configuration is valid', async () => {
   expect(
     gar.validateConfiguration({
@@ -172,6 +176,70 @@ test('authenticate should throw when token response is missing token fields', as
   ).rejects.toThrow('GAR token endpoint response does not contain token');
 });
 
+test('authenticate should propagate network errors', async () => {
+  const { default: axios } = await import('axios');
+  axios.mockRejectedValueOnce(new Error('connect ECONNREFUSED 127.0.0.1:443'));
+
+  await expect(
+    gar.authenticate(
+      {
+        name: 'project/repository/image',
+        registry: { url: 'us-central1-docker.pkg.dev' },
+      },
+      { headers: {} },
+    ),
+  ).rejects.toThrow('connect ECONNREFUSED 127.0.0.1:443');
+});
+
+test('authenticate should propagate timeout errors', async () => {
+  const { default: axios } = await import('axios');
+  axios.mockRejectedValueOnce(new Error('timeout of 15000ms exceeded'));
+
+  await expect(
+    gar.authenticate(
+      {
+        name: 'project/repository/image',
+        registry: { url: 'us-central1-docker.pkg.dev' },
+      },
+      { headers: {} },
+    ),
+  ).rejects.toThrow('timeout of 15000ms exceeded');
+});
+
+test('authenticate should propagate 429 rate limit errors', async () => {
+  const { default: axios } = await import('axios');
+  const error = new Error('Request failed with status code 429');
+  (error as any).response = { status: 429 };
+  axios.mockRejectedValueOnce(error);
+
+  await expect(
+    gar.authenticate(
+      {
+        name: 'project/repository/image',
+        registry: { url: 'us-central1-docker.pkg.dev' },
+      },
+      { headers: {} },
+    ),
+  ).rejects.toThrow('Request failed with status code 429');
+});
+
+test('authenticate should propagate 503 errors', async () => {
+  const { default: axios } = await import('axios');
+  const error = new Error('Request failed with status code 503');
+  (error as any).response = { status: 503 };
+  axios.mockRejectedValueOnce(error);
+
+  await expect(
+    gar.authenticate(
+      {
+        name: 'project/repository/image',
+        registry: { url: 'us-central1-docker.pkg.dev' },
+      },
+      { headers: {} },
+    ),
+  ).rejects.toThrow('Request failed with status code 503');
+});
+
 test('match should gracefully handle missing registry URL', async () => {
   expect(
     gar.match({
diff --git a/app/registries/providers/gcr/Gcr.test.ts b/app/registries/providers/gcr/Gcr.test.ts
index efcde9d43..088a7d050 100644
--- a/app/registries/providers/gcr/Gcr.test.ts
+++ b/app/registries/providers/gcr/Gcr.test.ts
@@ -16,6 +16,10 @@ gcr.configuration = {
   privatekey: TEST_PRIVATE_KEY,
 };
 
+beforeEach(() => {
+  vi.clearAllMocks();
+});
+
 test('validatedConfiguration should initialize when configuration is valid', async () => {
   expect(
     gcr.validateConfiguration({
@@ -124,6 +128,35 @@ test('authenticate should throw when gcr token is missing', async () => {
   );
 });
 
+test('authenticate should propagate network errors', async () => {
+  const { default: axios } = await import('axios');
+  axios.mockRejectedValueOnce(new Error('connect ECONNREFUSED 127.0.0.1:443'));
+
+  await expect(gcr.authenticate({}, { headers: {} })).rejects.toThrow(
+    'connect ECONNREFUSED 127.0.0.1:443',
+  );
+});
+
+test('authenticate should propagate timeout errors', async () => {
+  const { default: axios } = await import('axios');
+  axios.mockRejectedValueOnce(new Error('timeout of 15000ms exceeded'));
+
+  await expect(gcr.authenticate({}, { headers: {} })).rejects.toThrow(
+    'timeout of 15000ms exceeded',
+  );
+});
+
+test('authenticate should propagate 429 rate limit errors', async () => {
+  const { default: axios } = await import('axios');
+  const error = new Error('Request failed with status code 429');
+  (error as any).response = { status: 429 };
+  axios.mockRejectedValueOnce(error);
+
+  await expect(gcr.authenticate({}, { headers: {} })).rejects.toThrow(
+    'Request failed with status code 429',
+  );
+});
+
 test('getAuthPull should return credentials', async () => {
   const result = await gcr.getAuthPull();
   expect(result).toEqual({
diff --git a/app/registries/providers/ghcr/Ghcr.test.ts b/app/registries/providers/ghcr/Ghcr.test.ts
index 566a110df..2f5691dc7 100644
--- a/app/registries/providers/ghcr/Ghcr.test.ts
+++ b/app/registries/providers/ghcr/Ghcr.test.ts
@@ -196,6 +196,210 @@ describe('GitHub Container Registry', () => {
     expect(result.headers.Authorization).toBe('Bearer access-token');
   });
 
+  test('should fetch published date from GHCR package versions API (org endpoint)', async () => {
+    axios.mockResolvedValueOnce({
+      data: [
+        {
+          updated_at: '2026-03-02T09:30:00.000Z',
+          metadata: {
+            container: {
+              tags: ['1.2.3', 'latest'],
+            },
+          },
+        },
+      ],
+    });
+
+    const publishedAt = await ghcr.getImagePublishedAt(
+      { name: 'acme/widgets', tag: { value: 'latest' } },
+      '1.2.3',
+    );
+
+    expect(axios).toHaveBeenCalledWith({
+      method: 'GET',
+      url: 'https://api.github.com/orgs/acme/packages/container/widgets/versions?per_page=100',
+      headers: {
+        Accept: 'application/vnd.github+json',
+        Authorization: 'Bearer testtoken',
+      },
+    });
+    expect(publishedAt).toBe('2026-03-02T09:30:00.000Z');
+  });
+
+  test('should fallback to GHCR user endpoint when org package lookup returns 404', async () => {
+    axios
+      .mockRejectedValueOnce(new Error('Request failed with status code 404'))
+      .mockResolvedValueOnce({
+        data: [
+          {
+            updated_at: '2026-03-05T10:00:00.000Z',
+            metadata: {
+              container: {
+                tags: ['2.0.0'],
+              },
+            },
+          },
+        ],
+      });
+
+    const publishedAt = await ghcr.getImagePublishedAt({
+      name: 'octocat/demo',
+      tag: { value: '2.0.0' },
+    });
+
+    expect(axios).toHaveBeenNthCalledWith(1, {
+      method: 'GET',
+      url: 'https://api.github.com/orgs/octocat/packages/container/demo/versions?per_page=100',
+      headers: {
+        Accept: 'application/vnd.github+json',
+        Authorization: 'Bearer testtoken',
+      },
+    });
+    expect(axios).toHaveBeenNthCalledWith(2, {
+      method: 'GET',
+      url: 'https://api.github.com/users/octocat/packages/container/demo/versions?per_page=100',
+      headers: {
+        Accept: 'application/vnd.github+json',
+        Authorization: 'Bearer testtoken',
+      },
+    });
+    expect(publishedAt).toBe('2026-03-05T10:00:00.000Z');
+  });
+
+  test('should return undefined when GHCR versions do not include the requested tag', async () => {
+    axios.mockResolvedValueOnce({
+      data: [
+        {
+          updated_at: '2026-03-02T09:30:00.000Z',
+          metadata: {
+            container: {
+              tags: ['not-requested'],
+            },
+          },
+        },
+      ],
+    });
+
+    const publishedAt = await ghcr.getImagePublishedAt({
+      name: 'acme/widgets',
+      tag: { value: '1.2.3' },
+    });
+
+    expect(publishedAt).toBeUndefined();
+  });
+
+  test('should return undefined for invalid GHCR image/tag inputs', async () => {
+    const missingTag = await ghcr.getImagePublishedAt({
+      name: 'acme/widgets',
+      tag: { value: '' },
+    });
+    const missingPackagePath = await ghcr.getImagePublishedAt({
+      name: 'acme',
+      tag: { value: '1.2.3' },
+    });
+    const missingName = await ghcr.getImagePublishedAt({
+      name: '',
+      tag: { value: '1.2.3' },
+    });
+
+    expect(missingTag).toBeUndefined();
+    expect(missingPackagePath).toBeUndefined();
+    expect(missingName).toBeUndefined();
+    expect(axios).not.toHaveBeenCalled();
+  });
+
+  test('should return undefined when GHCR versions payload is not an array', async () => {
+    axios.mockResolvedValueOnce({
+      data: { message: 'not-an-array' },
+    });
+
+    const publishedAt = await ghcr.getImagePublishedAt({
+      name: 'acme/widgets',
+      tag: { value: '1.2.3' },
+    });
+
+    expect(publishedAt).toBeUndefined();
+  });
+
+  test('should return undefined when GHCR updated_at is not a valid date', async () => {
+    axios.mockResolvedValueOnce({
+      data: [
+        {
+          updated_at: 'invalid-date',
+          metadata: {
+            container: {
+              tags: ['1.2.3'],
+            },
+          },
+        },
+      ],
+    });
+
+    const publishedAt = await ghcr.getImagePublishedAt({
+      name: 'acme/widgets',
+      tag: { value: '1.2.3' },
+    });
+
+    expect(publishedAt).toBeUndefined();
+  });
+
+  test('should rethrow GHCR org lookup errors that are not 404', async () => {
+    axios.mockRejectedValueOnce(new Error('Request failed with status code 500'));
+
+    await expect(
+      ghcr.getImagePublishedAt({
+        name: 'acme/widgets',
+        tag: { value: '1.2.3' },
+      }),
+    ).rejects.toThrow('status code 500');
+  });
+
+  test('should return undefined when both GHCR org and user lookups return 404', async () => {
+    axios
+      .mockRejectedValueOnce(new Error('Request failed with status code 404'))
+      .mockRejectedValueOnce(new Error('Request failed with status code 404'));
+
+    const publishedAt = await ghcr.getImagePublishedAt({
+      name: 'octocat/demo',
+      tag: { value: '2.0.0' },
+    });
+
+    expect(publishedAt).toBeUndefined();
+  });
+
+  test('should rethrow non-404 errors from GHCR user lookup fallback', async () => {
+    axios
+      .mockRejectedValueOnce(new Error('Request failed with status code 404'))
+      .mockRejectedValueOnce(new Error('Request failed with status code 500'));
+
+    await expect(
+      ghcr.getImagePublishedAt({
+        name: 'octocat/demo',
+        tag: { value: '2.0.0' },
+      }),
+    ).rejects.toThrow('status code 500');
+  });
+
+  test('should call GHCR versions API without Authorization header when token is missing', async () => {
+    ghcr.configuration = {};
+    axios.mockResolvedValueOnce({
+      data: [],
+    });
+
+    await ghcr.getImagePublishedAt({
+      name: 'acme/widgets',
+      tag: { value: '1.2.3' },
+    });
+
+    expect(axios).toHaveBeenCalledWith(
+      expect.objectContaining({
+        headers: {
+          Accept: 'application/vnd.github+json',
+        },
+      }),
+    );
+  });
+
   test('should ignore non-Error values when parsing rejected credential status', async () => {
     expect((ghcr as any).getRejectedCredentialStatus('raw-failure')).toBeUndefined();
   });
diff --git a/app/registries/providers/ghcr/Ghcr.ts b/app/registries/providers/ghcr/Ghcr.ts
index fc3550e83..91b01f9fe 100644
--- a/app/registries/providers/ghcr/Ghcr.ts
+++ b/app/registries/providers/ghcr/Ghcr.ts
@@ -1,3 +1,4 @@
+import axios from 'axios';
 import BaseRegistry from '../../BaseRegistry.js';
 
 /**
@@ -18,6 +19,36 @@ class Ghcr extends BaseRegistry {
     return match ? match[1] : undefined;
   }
 
+  private isNotFoundError(error) {
+    return error instanceof Error && error.message.includes('status code 404');
+  }
+
+  private getGithubApiHeaders() {
+    const headers: Record<string, string> = {
+      Accept: 'application/vnd.github+json',
+    };
+    if (typeof this.configuration?.token === 'string' && this.configuration.token.length > 0) {
+      headers.Authorization = `Bearer ${this.configuration.token}`;
+    }
+    return headers;
+  }
+
+  private getVersionUpdatedAt(versions, tagToLookup: string): string | undefined {
+    if (!Array.isArray(versions)) {
+      return undefined;
+    }
+
+    const matchingVersion = versions.find((version) => {
+      const tags = version?.metadata?.container?.tags;
+      return Array.isArray(tags) && tags.includes(tagToLookup);
+    });
+    const updatedAt = matchingVersion?.updated_at;
+    if (typeof updatedAt !== 'string') {
+      return undefined;
+    }
+    return Number.isNaN(Date.parse(updatedAt)) ? undefined : updatedAt;
+  }
+
   getConfigurationSchema() {
     return this.joi.alternatives([
       this.joi.string().allow(''),
@@ -69,6 +100,51 @@ class Ghcr extends BaseRegistry {
       return this.authenticateBearerFromAuthUrl(requestOptions, authUrl, undefined, tokenExtractor);
     }
   }
+
+  async getImagePublishedAt(image, tag?: string): Promise<string | undefined> {
+    const tagToLookup = typeof tag === 'string' && tag.length > 0 ? tag : image.tag?.value;
+    if (!tagToLookup || typeof image.name !== 'string' || image.name.length === 0) {
+      return undefined;
+    }
+
+    const [owner, ...packageNameParts] = image.name.split('/');
+    if (!owner || packageNameParts.length === 0) {
+      return undefined;
+    }
+    const packageName = packageNameParts.join('/');
+    const ownerPath = encodeURIComponent(owner);
+    const packagePath = encodeURIComponent(packageName);
+    const headers = this.getGithubApiHeaders();
+    const orgUrl = `https://api.github.com/orgs/${ownerPath}/packages/container/${packagePath}/versions?per_page=100`;
+    const userUrl = `https://api.github.com/users/${ownerPath}/packages/container/${packagePath}/versions?per_page=100`;
+
+    try {
+      const orgResponse = await axios({
+        method: 'GET',
+        url: orgUrl,
+        headers,
+      });
+      return this.getVersionUpdatedAt(orgResponse?.data, tagToLookup);
+    } catch (error) {
+      if (!this.isNotFoundError(error)) {
+        throw error;
+      }
+    }
+
+    try {
+      const userResponse = await axios({
+        method: 'GET',
+        url: userUrl,
+        headers,
+      });
+      return this.getVersionUpdatedAt(userResponse?.data, tagToLookup);
+    } catch (error) {
+      if (this.isNotFoundError(error)) {
+        return undefined;
+      }
+      throw error;
+    }
+  }
 }
 
 export default Ghcr;
diff --git a/app/registries/providers/gitea/Gitea.ts b/app/registries/providers/gitea/Gitea.ts
index c62fab752..1e5fb6fa1 100644
--- a/app/registries/providers/gitea/Gitea.ts
+++ b/app/registries/providers/gitea/Gitea.ts
@@ -3,11 +3,6 @@ import SelfHostedBasic from '../shared/SelfHostedBasic.js';
 /**
  * Gitea Container Registry integration.
  */
-class Gitea extends SelfHostedBasic {
-  // biome-ignore lint/complexity/noUselessConstructor: required for coverage of empty subclass
-  constructor() {
-    super();
-  }
-}
+class Gitea extends SelfHostedBasic {}
 
 export default Gitea;
diff --git a/app/registries/providers/gitlab/Gitlab.test.ts b/app/registries/providers/gitlab/Gitlab.test.ts
index 83892014e..f0727a245 100644
--- a/app/registries/providers/gitlab/Gitlab.test.ts
+++ b/app/registries/providers/gitlab/Gitlab.test.ts
@@ -13,6 +13,10 @@ gitlab.configuration = {
 
 vi.mock('axios');
 
+beforeEach(() => {
+  vi.clearAllMocks();
+});
+
 test('validatedConfiguration should initialize when configuration is valid', async () => {
   expect(
     gitlab.validateConfiguration({
@@ -131,6 +135,42 @@ test('authenticate should throw when token response is missing token', async ()
   ).rejects.toThrow('GitLab token endpoint response does not contain token');
 });
 
+test('authenticate should propagate network errors', async () => {
+  axios.mockRejectedValue(new Error('connect ECONNREFUSED 127.0.0.1:443'));
+
+  await expect(gitlab.authenticate({}, { headers: {} })).rejects.toThrow(
+    'connect ECONNREFUSED 127.0.0.1:443',
+  );
+});
+
+test('authenticate should propagate timeout errors', async () => {
+  axios.mockRejectedValue(new Error('timeout of 15000ms exceeded'));
+
+  await expect(gitlab.authenticate({}, { headers: {} })).rejects.toThrow(
+    'timeout of 15000ms exceeded',
+  );
+});
+
+test('authenticate should propagate 401 errors', async () => {
+  const error = new Error('Request failed with status code 401');
+  (error as any).response = { status: 401 };
+  axios.mockRejectedValue(error);
+
+  await expect(gitlab.authenticate({}, { headers: {} })).rejects.toThrow(
+    'Request failed with status code 401',
+  );
+});
+
+test('authenticate should propagate 429 rate limit errors', async () => {
+  const error = new Error('Request failed with status code 429');
+  (error as any).response = { status: 429 };
+  axios.mockRejectedValue(error);
+
+  await expect(gitlab.authenticate({}, { headers: {} })).rejects.toThrow(
+    'Request failed with status code 429',
+  );
+});
+
 test('normalizeImage should return the proper registry v2 endpoint', async () => {
   expect(
     gitlab.normalizeImage({
diff --git a/app/registries/providers/gitlab/Gitlab.ts b/app/registries/providers/gitlab/Gitlab.ts
index 462b8fcdf..5c5264158 100644
--- a/app/registries/providers/gitlab/Gitlab.ts
+++ b/app/registries/providers/gitlab/Gitlab.ts
@@ -10,7 +10,7 @@ class Gitlab extends BaseRegistry {
    * Get the Gitlab configuration schema.
    * @returns {*}
    */
-  getConfigurationSchema() {
+  getConfigurationSchema(): import('joi').Schema {
     return this.joi.object().keys({
       url: this.joi.string().uri().default('https://registry.gitlab.com'),
       authurl: this.joi.string().uri().default('https://gitlab.com'),
diff --git a/app/registries/providers/harbor/Harbor.ts b/app/registries/providers/harbor/Harbor.ts
index 8f8b2f089..ba4a551af 100644
--- a/app/registries/providers/harbor/Harbor.ts
+++ b/app/registries/providers/harbor/Harbor.ts
@@ -3,11 +3,6 @@ import SelfHostedBasic from '../shared/SelfHostedBasic.js';
 /**
  * Harbor Container Registry integration.
  */
-class Harbor extends SelfHostedBasic {
-  // biome-ignore lint/complexity/noUselessConstructor: required for coverage of empty subclass
-  constructor() {
-    super();
-  }
-}
+class Harbor extends SelfHostedBasic {}
 
 export default Harbor;
diff --git a/app/registries/providers/hub/Hub.test.ts b/app/registries/providers/hub/Hub.test.ts
index 39606473b..3c8383151 100644
--- a/app/registries/providers/hub/Hub.test.ts
+++ b/app/registries/providers/hub/Hub.test.ts
@@ -137,6 +137,65 @@ describe('Docker Hub Registry', () => {
     expect(result.headers.Authorization).toBe('Bearer public-token');
   });
 
+  test('should fetch published date from Docker Hub tag metadata', async () => {
+    const { default: axios } = await import('axios');
+    axios.mockResolvedValue({ data: { last_updated: '2026-03-01T12:34:56.000Z' } });
+
+    const publishedAt = await hub.getImagePublishedAt(
+      { name: 'library/nginx', tag: { value: 'latest' } },
+      '1.26.0',
+    );
+
+    expect(axios).toHaveBeenCalledWith({
+      method: 'GET',
+      url: 'https://hub.docker.com/v2/repositories/library/nginx/tags/1.26.0',
+      headers: {
+        Accept: 'application/json',
+      },
+    });
+    expect(publishedAt).toBe('2026-03-01T12:34:56.000Z');
+  });
+
+  test('should return undefined when Docker Hub tag metadata has no last_updated', async () => {
+    const { default: axios } = await import('axios');
+    axios.mockResolvedValue({ data: {} });
+
+    const publishedAt = await hub.getImagePublishedAt({
+      name: 'library/nginx',
+      tag: { value: 'latest' },
+    });
+
+    expect(publishedAt).toBeUndefined();
+  });
+
+  test('should return undefined when Docker Hub image name or tag is missing', async () => {
+    const { default: axios } = await import('axios');
+
+    const missingName = await hub.getImagePublishedAt({
+      tag: { value: 'latest' },
+    } as any);
+    const missingTag = await hub.getImagePublishedAt({
+      name: 'library/nginx',
+      tag: { value: '' },
+    });
+
+    expect(missingName).toBeUndefined();
+    expect(missingTag).toBeUndefined();
+    expect(axios).not.toHaveBeenCalled();
+  });
+
+  test('should return undefined when Docker Hub last_updated is not a valid date', async () => {
+    const { default: axios } = await import('axios');
+    axios.mockResolvedValue({ data: { last_updated: 'invalid-date' } });
+
+    const publishedAt = await hub.getImagePublishedAt({
+      name: 'library/nginx',
+      tag: { value: 'latest' },
+    });
+
+    expect(publishedAt).toBeUndefined();
+  });
+
   test('should validate string configuration', async () => {
     expect(() => hub.validateConfiguration('')).not.toThrow();
     expect(() => hub.validateConfiguration('some-string')).toThrow();
@@ -187,4 +246,80 @@ describe('Docker Hub Registry', () => {
       'Docker Hub token endpoint response does not contain token',
     );
   });
+
+  test('should propagate network errors from authenticate', async () => {
+    const { default: axios } = await import('axios');
+    axios.mockRejectedValue(new Error('connect ECONNREFUSED 127.0.0.1:443'));
+    const image = { name: 'library/nginx' };
+
+    await expect(hub.authenticate(image, { headers: {} })).rejects.toThrow(
+      'connect ECONNREFUSED 127.0.0.1:443',
+    );
+  });
+
+  test('should propagate timeout errors from authenticate', async () => {
+    const { default: axios } = await import('axios');
+    axios.mockRejectedValue(new Error('timeout of 15000ms exceeded'));
+    const image = { name: 'library/nginx' };
+
+    await expect(hub.authenticate(image, { headers: {} })).rejects.toThrow(
+      'timeout of 15000ms exceeded',
+    );
+  });
+
+  test('should propagate 401 errors from authenticate', async () => {
+    const { default: axios } = await import('axios');
+    const error = new Error('Request failed with status code 401');
+    (error as any).response = { status: 401 };
+    axios.mockRejectedValue(error);
+    const image = { name: 'library/nginx' };
+
+    await expect(hub.authenticate(image, { headers: {} })).rejects.toThrow(
+      'Request failed with status code 401',
+    );
+  });
+
+  test('should propagate 429 rate limit errors from authenticate', async () => {
+    const { default: axios } = await import('axios');
+    const error = new Error('Request failed with status code 429');
+    (error as any).response = { status: 429 };
+    axios.mockRejectedValue(error);
+    const image = { name: 'library/nginx' };
+
+    await expect(hub.authenticate(image, { headers: {} })).rejects.toThrow(
+      'Request failed with status code 429',
+    );
+  });
+
+  test('should propagate network errors from getImagePublishedAt', async () => {
+    const { default: axios } = await import('axios');
+    axios.mockRejectedValue(new Error('connect ETIMEDOUT 10.0.0.1:443'));
+    const image = { name: 'library/nginx', tag: { value: 'latest' } };
+
+    await expect(hub.getImagePublishedAt(image)).rejects.toThrow('connect ETIMEDOUT 10.0.0.1:443');
+  });
+
+  test('should propagate 404 errors from getImagePublishedAt', async () => {
+    const { default: axios } = await import('axios');
+    const error = new Error('Request failed with status code 404');
+    (error as any).response = { status: 404 };
+    axios.mockRejectedValue(error);
+    const image = { name: 'library/nginx', tag: { value: 'nonexistent' } };
+
+    await expect(hub.getImagePublishedAt(image)).rejects.toThrow(
+      'Request failed with status code 404',
+    );
+  });
+
+  test('should propagate 429 rate limit errors from getImagePublishedAt', async () => {
+    const { default: axios } = await import('axios');
+    const error = new Error('Request failed with status code 429');
+    (error as any).response = { status: 429 };
+    axios.mockRejectedValue(error);
+    const image = { name: 'library/nginx', tag: { value: 'latest' } };
+
+    await expect(hub.getImagePublishedAt(image)).rejects.toThrow(
+      'Request failed with status code 429',
+    );
+  });
 });
diff --git a/app/registries/providers/hub/Hub.ts b/app/registries/providers/hub/Hub.ts
index 8c0156d20..779a79140 100644
--- a/app/registries/providers/hub/Hub.ts
+++ b/app/registries/providers/hub/Hub.ts
@@ -1,8 +1,19 @@
 import axios from 'axios';
+import type { ContainerImage } from '../../../model/container.js';
 import { withAuthorizationHeader } from '../../../security/auth.js';
 import Custom from '../custom/Custom.js';
 import { getTokenAuthConfigurationSchema } from '../shared/tokenAuthConfigurationSchema.js';
 
+type AuthRequestOptions = Parameters<typeof withAuthorizationHeader>[0];
+
+interface HubTokenResponse {
+  token?: unknown;
+}
+
+interface HubTagMetadataResponse {
+  last_updated?: unknown;
+}
+
 /**
  * Docker Hub integration.
  */
@@ -36,7 +47,7 @@ class Hub extends Custom {
    * @returns {boolean}
    */
 
-  match(image) {
+  match(image: ContainerImage) {
     const registryUrl = image?.registry?.url;
     return (
       !registryUrl ||
@@ -50,7 +61,7 @@ class Hub extends Custom {
    * @param image
    * @returns {*}
    */
-  normalizeImage(image) {
+  normalizeImage(image: ContainerImage) {
     const imageNormalized = super.normalizeImage(image);
     if (imageNormalized.name) {
       imageNormalized.name = imageNormalized.name.includes('/')
@@ -66,7 +77,7 @@ class Hub extends Custom {
    * @param requestOptions
    * @returns {Promise<*>}
    */
-  async authenticate(image, requestOptions) {
+  async authenticate(image: ContainerImage, requestOptions: AuthRequestOptions) {
     const scope = encodeURIComponent(`repository:${image.name}:pull`);
     const axiosConfig = {
       method: 'GET',
@@ -76,13 +87,13 @@ class Hub extends Custom {
       } as Record<string, string>,
     };
 
-    // Add Authorization if any
+    // Add Authorization when credentials are available
     const credentials = this.getAuthCredentials();
     if (credentials) {
       axiosConfig.headers.Authorization = `Basic ${credentials}`;
     }
 
-    const response = await axios(axiosConfig);
+    const response = await axios<HubTokenResponse>(axiosConfig);
     return withAuthorizationHeader(
       requestOptions,
       'Bearer',
@@ -91,12 +102,34 @@ class Hub extends Custom {
     );
   }
 
-  getImageFullName(image, tagOrDigest) {
+  getImageFullName(image: ContainerImage, tagOrDigest: string) {
     let fullName = super.getImageFullName(image, tagOrDigest);
     fullName = fullName.replaceAll('registry-1.docker.io/', '');
     fullName = fullName.replaceAll('library/', '');
     return fullName;
   }
+
+  async getImagePublishedAt(image: ContainerImage, tag?: string): Promise<string | undefined> {
+    const tagToLookup = typeof tag === 'string' && tag.length > 0 ? tag : image.tag?.value;
+    if (typeof image.name !== 'string' || image.name.length === 0 || !tagToLookup) {
+      return undefined;
+    }
+
+    const response = await axios<HubTagMetadataResponse>({
+      method: 'GET',
+      url: `https://hub.docker.com/v2/repositories/${image.name}/tags/${encodeURIComponent(
+        tagToLookup,
+      )}`,
+      headers: {
+        Accept: 'application/json',
+      },
+    });
+    const publishedAt = response?.data?.last_updated;
+    if (typeof publishedAt !== 'string') {
+      return undefined;
+    }
+    return Number.isNaN(Date.parse(publishedAt)) ? undefined : publishedAt;
+  }
 }
 
 export default Hub;
diff --git a/app/registries/providers/lscr/Lscr.test.ts b/app/registries/providers/lscr/Lscr.test.ts
index 464ea049e..31a6064ba 100644
--- a/app/registries/providers/lscr/Lscr.test.ts
+++ b/app/registries/providers/lscr/Lscr.test.ts
@@ -6,6 +6,7 @@ vi.mock('axios');
 let lscr;
 
 beforeEach(() => {
+  vi.clearAllMocks();
   axios.mockReset();
   axios.mockResolvedValue({ data: { token: 'xxxxx' } });
   lscr = new Lscr();
@@ -74,6 +75,50 @@ test('normalizeImage should return the proper registry v2 endpoint', async () =>
   });
 });
 
+test('authenticate should propagate network errors', async () => {
+  axios.mockRejectedValue(new Error('connect ECONNREFUSED 127.0.0.1:443'));
+  lscr.configuration = { username: 'test-user', token: 'test-token' };
+  const image = { name: 'linuxserver/sonarr' };
+  const requestOptions = {
+    headers: {},
+    url: 'https://lscr.io/v2/linuxserver/sonarr/manifests/latest',
+  };
+
+  await expect(lscr.authenticate(image, requestOptions)).rejects.toThrow(
+    'connect ECONNREFUSED 127.0.0.1:443',
+  );
+});
+
+test('authenticate should propagate timeout errors', async () => {
+  axios.mockRejectedValue(new Error('timeout of 15000ms exceeded'));
+  lscr.configuration = { username: 'test-user', token: 'test-token' };
+  const image = { name: 'linuxserver/sonarr' };
+  const requestOptions = {
+    headers: {},
+    url: 'https://lscr.io/v2/linuxserver/sonarr/manifests/latest',
+  };
+
+  await expect(lscr.authenticate(image, requestOptions)).rejects.toThrow(
+    'timeout of 15000ms exceeded',
+  );
+});
+
+test('authenticate should propagate 429 rate limit errors', async () => {
+  const error = new Error('Request failed with status code 429');
+  (error as any).response = { status: 429 };
+  axios.mockRejectedValue(error);
+  lscr.configuration = { username: 'test-user', token: 'test-token' };
+  const image = { name: 'linuxserver/sonarr' };
+  const requestOptions = {
+    headers: {},
+    url: 'https://lscr.io/v2/linuxserver/sonarr/manifests/latest',
+  };
+
+  await expect(lscr.authenticate(image, requestOptions)).rejects.toThrow(
+    'Request failed with status code 429',
+  );
+});
+
 test('should authenticate against ghcr.io token endpoint for lscr.io images', async () => {
   lscr.configuration = { username: 'test-user', token: 'test-token' };
   const image = { name: 'linuxserver/sonarr' };
diff --git a/app/registries/providers/mau/Mau.test.ts b/app/registries/providers/mau/Mau.test.ts
index 0bbcd5703..1779dbe23 100644
--- a/app/registries/providers/mau/Mau.test.ts
+++ b/app/registries/providers/mau/Mau.test.ts
@@ -13,6 +13,10 @@ mau.configuration = {
 
 vi.mock('axios');
 
+beforeEach(() => {
+  vi.clearAllMocks();
+});
+
 test('validatedConfiguration should initialize when configuration is empty string', async () => {
   expect(mau.validateConfiguration('')).toStrictEqual({});
 });
@@ -151,6 +155,32 @@ test('authenticate should throw when token endpoint returns empty response', asy
   ).rejects.toThrow('does not contain token');
 });
 
+test('authenticate should propagate network errors', async () => {
+  axios.mockRejectedValue(new Error('connect ECONNREFUSED 127.0.0.1:443'));
+
+  await expect(mau.authenticate({ name: 'team/image' }, { headers: {} })).rejects.toThrow(
+    'connect ECONNREFUSED 127.0.0.1:443',
+  );
+});
+
+test('authenticate should propagate timeout errors', async () => {
+  axios.mockRejectedValue(new Error('timeout of 15000ms exceeded'));
+
+  await expect(mau.authenticate({ name: 'team/image' }, { headers: {} })).rejects.toThrow(
+    'timeout of 15000ms exceeded',
+  );
+});
+
+test('authenticate should propagate 429 rate limit errors', async () => {
+  const error = new Error('Request failed with status code 429');
+  (error as any).response = { status: 429 };
+  axios.mockRejectedValue(error);
+
+  await expect(mau.authenticate({ name: 'team/image' }, { headers: {} })).rejects.toThrow(
+    'Request failed with status code 429',
+  );
+});
+
 test('normalizeImage should return the proper registry v2 endpoint', async () => {
   expect(
     mau.normalizeImage({
diff --git a/app/registries/providers/mau/Mau.ts b/app/registries/providers/mau/Mau.ts
index f86137419..c25f9d634 100644
--- a/app/registries/providers/mau/Mau.ts
+++ b/app/registries/providers/mau/Mau.ts
@@ -11,14 +11,14 @@ class Mau extends Gitlab {
    * @returns {*}
    */
   getConfigurationSchema() {
-    return this.joi.alternatives([
+    return this.joi.alternatives().try(
       this.joi.string().allow(''),
       this.joi.object().keys({
         url: this.joi.string().uri().default('https://dock.mau.dev'),
         authurl: this.joi.string().uri().default('https://dock.mau.dev'),
         token: this.joi.string(),
       }),
-    ]) as any;
+    );
   }
 
   /**
diff --git a/app/registries/providers/nexus/Nexus.ts b/app/registries/providers/nexus/Nexus.ts
index e7230ddd7..9a4154d81 100644
--- a/app/registries/providers/nexus/Nexus.ts
+++ b/app/registries/providers/nexus/Nexus.ts
@@ -3,11 +3,6 @@ import SelfHostedBasic from '../shared/SelfHostedBasic.js';
 /**
  * Sonatype Nexus Docker Registry integration.
  */
-class Nexus extends SelfHostedBasic {
-  // biome-ignore lint/complexity/noUselessConstructor: required for coverage of empty subclass
-  constructor() {
-    super();
-  }
-}
+class Nexus extends SelfHostedBasic {}
 
 export default Nexus;
diff --git a/app/registries/providers/quay/Quay.ts b/app/registries/providers/quay/Quay.ts
index 4f1d9694f..912fafefd 100644
--- a/app/registries/providers/quay/Quay.ts
+++ b/app/registries/providers/quay/Quay.ts
@@ -1,4 +1,5 @@
 import BaseRegistry from '../../BaseRegistry.js';
+import type { RegistryTagsList } from '../../Registry.js';
 
 /**
  * Quay.io Registry integration.
@@ -59,7 +60,7 @@ class Quay extends BaseRegistry {
   }
 
   /**
-   * Return Base64 credentials if any.
+   * Return Base64 credentials when configured.
    * @returns {string|undefined|*}
    */
   getAuthCredentials() {
@@ -99,7 +100,7 @@ class Quay extends BaseRegistry {
         nextOrLast = `&last=${lastRegex[1]}`;
       }
     }
-    return this.callRegistry({
+    return this.callRegistry<RegistryTagsList>({
       image,
       url: `${image.registry.url}/${image.name}/tags/list?n=${itemsPerPage}${nextOrLast}`,
       resolveWithFullResponse: true,
diff --git a/app/registries/providers/shared/SelfHostedBasic.ts b/app/registries/providers/shared/SelfHostedBasic.ts
index 37f358966..869434c86 100644
--- a/app/registries/providers/shared/SelfHostedBasic.ts
+++ b/app/registries/providers/shared/SelfHostedBasic.ts
@@ -5,7 +5,7 @@ import { getSelfHostedBasicConfigurationSchema } from './selfHostedBasicConfigur
  * Generic self-hosted Docker v2 registry with optional basic auth.
  */
 class SelfHostedBasic extends BaseRegistry {
-  getConfigurationSchema(): any {
+  getConfigurationSchema() {
     return getSelfHostedBasicConfigurationSchema(this.joi);
   }
 
diff --git a/app/registries/providers/trueforge/trueforge.ts b/app/registries/providers/trueforge/trueforge.ts
index 30ded7a52..6e1356185 100644
--- a/app/registries/providers/trueforge/trueforge.ts
+++ b/app/registries/providers/trueforge/trueforge.ts
@@ -1,5 +1,22 @@
+import type { ContainerImage } from '../../../model/container.js';
 import Quay from '../quay/Quay.js';
 
+interface TrueforgeImageLike {
+  registry?: {
+    url?: unknown;
+  };
+}
+
+interface TrueforgeConfiguration {
+  username?: string;
+  token?: string;
+}
+
+interface TrueforgePullCredentials {
+  username: string;
+  password: string;
+}
+
 /**
  * Linux-Server Container Registry integration.
  */
@@ -23,7 +40,7 @@ class Trueforge extends Quay {
    * @returns {boolean}
    */
 
-  match(image) {
+  match(image: TrueforgeImageLike): boolean {
     const url = image?.registry?.url;
     if (typeof url !== 'string') {
       return false;
@@ -40,17 +57,18 @@ class Trueforge extends Quay {
    * @returns {*}
    */
 
-  normalizeImage(image) {
+  normalizeImage(image: ContainerImage): ContainerImage {
     return this.normalizeImageUrl(image);
   }
 
   /**
-   * Return Base64 credentials if any.
+   * Return Base64 credentials when configured.
    * @returns {string|undefined}
    */
-  getAuthCredentials() {
-    if (this.configuration.username) {
-      return Trueforge.base64Encode(this.configuration.username, this.configuration.token);
+  getAuthCredentials(): string | undefined {
+    const configuration = this.configuration as TrueforgeConfiguration;
+    if (configuration.username) {
+      return Trueforge.base64Encode(configuration.username, configuration.token as string);
     }
     return undefined;
   }
@@ -59,11 +77,12 @@ class Trueforge extends Quay {
    * Return username / password for Docker(+compose) triggers usage.
    * @return {{password: string, username: string}|undefined}
    */
-  async getAuthPull() {
-    if (this.configuration.username) {
+  async getAuthPull(): Promise<TrueforgePullCredentials | undefined> {
+    const configuration = this.configuration as TrueforgeConfiguration;
+    if (configuration.username) {
       return {
-        username: this.configuration.username,
-        password: this.configuration.token,
+        username: configuration.username,
+        password: configuration.token as string,
       };
     }
     return undefined;
diff --git a/app/registry/Component.ts b/app/registry/Component.ts
index 7b0155284..83ec1b058 100644
--- a/app/registry/Component.ts
+++ b/app/registry/Component.ts
@@ -8,6 +8,15 @@ export interface ComponentConfiguration {
   [key: string]: any;
 }
 
+type ConfigurationSchemaValidationResult = {
+  error?: unknown;
+  value?: unknown;
+};
+
+type ComponentConfigurationSchema = {
+  validate?: (configuration: ComponentConfiguration) => ConfigurationSchemaValidationResult;
+};
+
 /**
  * Base Component Class.
  */
@@ -92,10 +101,10 @@ class Component {
       typeof schema?.validate === 'function'
         ? schema.validate(configuration)
         : { value: configuration };
-    if ((schemaValidated as any).error) {
-      throw (schemaValidated as any).error;
+    if (schemaValidated.error) {
+      throw schemaValidated.error;
     }
-    return (schemaValidated as any).value ? (schemaValidated as any).value : {};
+    return schemaValidated.value ? (schemaValidated.value as ComponentConfiguration) : {};
   }
 
   /**
@@ -103,7 +112,7 @@ class Component {
    * Can be overridden by the component implementation class
    * @returns {*}
    */
-  getConfigurationSchema(): any {
+  getConfigurationSchema(): ComponentConfigurationSchema {
     return this.joi.object();
   }
 
diff --git a/app/registry/index.test.ts b/app/registry/index.test.ts
index bf3667d32..2e345343c 100644
--- a/app/registry/index.test.ts
+++ b/app/registry/index.test.ts
@@ -15,6 +15,7 @@ vi.mock('../configuration/index.js', () => ({
   getLogLevel: vi.fn(() => 'info'),
   getLogFormat: vi.fn(() => 'json'),
   getLogBufferEnabled: vi.fn(() => true),
+  getLocalWatcherEnabled: vi.fn(() => true),
   getRegistryConfigurations: vi.fn(),
   getTriggerConfigurations: vi.fn(),
   getWatcherConfigurations: vi.fn(),
@@ -27,6 +28,14 @@ vi.mock('../store/index.js', () => ({
   save: vi.fn(),
 }));
 
+const mockGetContainersRaw = vi.hoisted(() => vi.fn(() => []));
+const mockDeleteContainer = vi.hoisted(() => vi.fn());
+
+vi.mock('../store/container.js', () => ({
+  getContainersRaw: mockGetContainersRaw,
+  deleteContainer: mockDeleteContainer,
+}));
+
 vi.mock('../security/scheduler.js', () => ({
   shutdown: vi.fn(),
 }));
@@ -46,6 +55,7 @@ const mockGetTriggerConfigurations = configuration.getTriggerConfigurations;
 const mockGetWatcherConfigurations = configuration.getWatcherConfigurations;
 const mockGetAuthenticationConfigurations = configuration.getAuthenticationConfigurations;
 const mockGetAgentConfigurations = configuration.getAgentConfigurations;
+const mockGetLocalWatcherEnabled = configuration.getLocalWatcherEnabled;
 
 mockGetRegistryConfigurations.mockImplementation(() => registries);
 mockGetTriggerConfigurations.mockImplementation(() => triggers);
@@ -75,6 +85,7 @@ beforeEach(async () => {
   mockGetAuthenticationConfigurations.mockImplementation(() => authentications);
   mockGetAgentConfigurations.mockImplementation(() => agents);
   registry.testable_registrationWarnings.length = 0;
+  mockGetContainersRaw.mockReturnValue([]);
 });
 
 afterEach(async () => {
@@ -647,6 +658,15 @@ test('registerWatchers should register local docker watcher by default', async (
   expect(Object.keys(registry.getState().watcher)).toEqual(['docker.local']);
 });
 
+test('registerWatchers should skip default local watcher when DD_LOCAL_WATCHER=false', async () => {
+  const spyLog = vi.spyOn(registry.testable_log, 'info');
+  mockGetLocalWatcherEnabled.mockReturnValue(false);
+  await registry.testable_registerWatchers();
+  expect(Object.keys(registry.getState().watcher)).toEqual([]);
+  expect(spyLog).toHaveBeenCalledWith('Default local watcher disabled (DD_LOCAL_WATCHER=false)');
+  mockGetLocalWatcherEnabled.mockReturnValue(true);
+});
+
 test('registerWatchers should warn when registration errors occur', async () => {
   const spyLog = vi.spyOn(registry.testable_log, 'warn');
   watchers = {
@@ -840,6 +860,21 @@ test('registerAuthentications should fallback to anonymous when all configured p
   );
 });
 
+test('registerAuthentications should log startup health guidance when DD_AUTH vars exist and auth config is empty', async () => {
+  configuration.ddEnvVars.DD_AUTH_BASIC_ANDI_USER = 'ANDI';
+  const spyLog = vi.spyOn(registry.testable_log, 'error');
+
+  authentications = {};
+  await registry.testable_registerAuthentications();
+
+  expect(Object.keys(registry.getState().authentication)).toEqual(['anonymous.anonymous']);
+  expect(spyLog).toHaveBeenCalledWith(
+    expect.stringContaining(
+      'Detected DD_AUTH_* environment variables, but no configured authentication providers were registered successfully.',
+    ),
+  );
+});
+
 test('registerAuthentications should log startup health guidance when DD_AUTH vars exist but no provider registers', async () => {
   configuration.ddEnvVars.DD_AUTH_BASIC_ANDI_USER = 'ANDI';
   mockIsUpgrade.mockReturnValue(true);
@@ -934,6 +969,73 @@ test('init should register all components', async () => {
   expect(Object.keys(registry.getState().authentication)).toEqual(['basic.john', 'basic.jane']);
 });
 
+test('init should prune local containers whose watcher no longer exists', async () => {
+  watchers = {
+    local: {},
+  };
+  mockGetContainersRaw.mockReturnValue([
+    {
+      id: 'keep-local',
+      watcher: 'local',
+    },
+    {
+      id: 'stale-local',
+      watcher: 'legacy',
+    },
+    {
+      id: 'stale-missing-watcher',
+    },
+    {
+      id: 'keep-agent',
+      watcher: 'legacy',
+      agent: 'edge-agent',
+    },
+  ]);
+
+  await registry.init();
+
+  expect(mockDeleteContainer).toHaveBeenCalledTimes(2);
+  expect(mockDeleteContainer).toHaveBeenCalledWith('stale-local');
+  expect(mockDeleteContainer).toHaveBeenCalledWith('stale-missing-watcher');
+});
+
+test('init should skip orphan pruning when no local watchers are registered', async () => {
+  watchers = {
+    invalid: {
+      fail: true,
+    },
+  };
+  mockGetContainersRaw.mockReturnValue([
+    {
+      id: 'stale-local',
+      watcher: 'legacy',
+    },
+  ]);
+
+  await registry.init();
+
+  expect(mockGetContainersRaw).not.toHaveBeenCalled();
+});
+
+test('init should log and continue when orphan pruning fails', async () => {
+  watchers = {
+    local: {},
+  };
+  mockGetContainersRaw.mockImplementation(() => {
+    throw new Error('container store unavailable');
+  });
+
+  const warnSpy = vi.spyOn(registry.testable_log, 'warn');
+  const debugSpy = vi.spyOn(registry.testable_log, 'debug');
+
+  await registry.init();
+
+  expect(warnSpy).toHaveBeenCalledWith(
+    'Unable to prune orphaned local containers (container store unavailable)',
+  );
+  expect(debugSpy).toHaveBeenCalled();
+});
+
 test('deregisterAll should deregister all components', async () => {
   registries = {
     hub: {
diff --git a/app/registry/index.ts b/app/registry/index.ts
index c398b883e..af6779567 100644
--- a/app/registry/index.ts
+++ b/app/registry/index.ts
@@ -7,6 +7,7 @@ import path from 'node:path';
 import capitalize from 'capitalize';
 import logger from '../log/index.js';
 import * as securityScheduler from '../security/scheduler.js';
+import * as storeContainer from '../store/container.js';
 import * as store from '../store/index.js';
 
 const log = logger.child({ component: 'registry' });
@@ -17,6 +18,7 @@ import {
   ddEnvVars,
   getAgentConfigurations,
   getAuthenticationConfigurations,
+  getLocalWatcherEnabled,
   getRegistryConfigurations,
   getTriggerConfigurations,
   getWatcherConfigurations,
@@ -109,6 +111,11 @@ export function getAuthenticationRegistrationErrors(): AuthenticationRegistratio
   return [...authenticationRegistrationErrors];
 }
 
+function addComponentToState(kind: ComponentKind, component: Component) {
+  const components = state[kind] as Record<string, Component>;
+  components[component.getId()] = component;
+}
+
 /**
  * Register a component.
  *
@@ -148,9 +155,7 @@ export async function registerComponent(options: RegisterComponentOptions): Prom
       agent,
     );
 
-    // Type assertion is safe here because we know the kind matches the expected type
-    // if the file structure and inheritance are correct
-    (state[kind] as any)[component.getId()] = component;
+    addComponentToState(kind, component);
     return componentRegistered;
   } catch (e: unknown) {
     const availableProviders = getAvailableProviders(componentPath, (message) =>
@@ -380,23 +385,27 @@ function applyTriggerGroupDefaults(
  */
 async function registerWatchers(options: RegistrationOptions = {}) {
   const configurations = getWatcherConfigurations();
-  let watchersToRegister: Promise<any>[] = [];
+  let watchersToRegister: Promise<Component>[] = [];
   try {
     if (Object.keys(configurations).length === 0) {
       if (options.agent) {
         log.error('Agent mode requires at least one watcher configured.');
         process.exit(1);
       }
-      log.info('No Watcher configured => Init a default one (Docker with default options)');
-      watchersToRegister.push(
-        registerComponent({
-          kind: 'watcher',
-          provider: 'docker',
-          name: 'local',
-          configuration: {},
-          componentPath: 'watchers/providers',
-        }),
-      );
+      if (!getLocalWatcherEnabled()) {
+        log.info('Default local watcher disabled (DD_LOCAL_WATCHER=false)');
+      } else {
+        log.info('No Watcher configured => Init a default one (Docker with default options)');
+        watchersToRegister.push(
+          registerComponent({
+            kind: 'watcher',
+            provider: 'docker',
+            name: 'local',
+            configuration: {},
+            componentPath: 'watchers/providers',
+          }),
+        );
+      }
     } else {
       watchersToRegister = watchersToRegister.concat(
         Object.keys(configurations).map((watcherKey) => {
@@ -418,6 +427,40 @@ async function registerWatchers(options: RegistrationOptions = {}) {
   }
 }
 
+function pruneOrphanedLocalContainers() {
+  const localWatcherNames = new Set(
+    Object.values(getState().watcher)
+      .filter((watcher) => !watcher.agent)
+      .map((watcher) => watcher.name)
+      .filter((watcherName): watcherName is string => typeof watcherName === 'string')
+      .map((watcherName) => watcherName.toLowerCase()),
+  );
+
+  if (localWatcherNames.size === 0) {
+    return;
+  }
+
+  const orphanedLocalContainers = storeContainer.getContainersRaw().filter((container) => {
+    if (container.agent) {
+      return false;
+    }
+    if (typeof container.watcher !== 'string') {
+      return true;
+    }
+    return !localWatcherNames.has(container.watcher.toLowerCase());
+  });
+
+  orphanedLocalContainers.forEach((container) => {
+    storeContainer.deleteContainer(container.id);
+  });
+
+  if (orphanedLocalContainers.length > 0) {
+    log.warn(
+      `Pruned ${orphanedLocalContainers.length} container entries from missing local watcher(s)`,
+    );
+  }
+}
+
 /**
  * Register triggers.
  * @param options
@@ -454,8 +497,8 @@ async function registerTriggers(options: RegistrationOptions = {}) {
 
   try {
     await registerComponents('trigger', configurations, 'triggers/providers');
-  } catch (e: any) {
-    log.warn(`Some triggers failed to register (${e.message})`);
+  } catch (e: unknown) {
+    log.warn(`Some triggers failed to register (${getErrorMessage(e)})`);
     log.debug(e);
   }
 }
@@ -507,8 +550,8 @@ async function registerRegistries() {
 
   try {
     await registerComponents('registry', registriesToRegister, 'registries/providers');
-  } catch (e: any) {
-    log.warn(`Some registries failed to register (${e.message})`);
+  } catch (e: unknown) {
+    log.warn(`Some registries failed to register (${getErrorMessage(e)})`);
     log.debug(e);
   }
 }
@@ -536,8 +579,8 @@ async function registerAuthentications() {
         configuration: {},
         componentPath: 'authentications/providers',
       });
-    } catch (e: any) {
-      log.error(`Some authentications failed to register (${e.message})`);
+    } catch (e: unknown) {
+      log.error(`Some authentications failed to register (${getErrorMessage(e)})`);
       log.debug(e);
     }
     if (hasAuthEnvConfiguration) {
@@ -592,6 +635,7 @@ async function registerAuthentications() {
         const wrappedMessageMatch = rawMessage.match(
           /^Error when registering component .* \((?<error>.*)\)$/,
         );
+        /* v8 ignore next -- wrappedMessageMatch group extraction depends on provider-specific error formatting */
         const normalizedMessage = (wrappedMessageMatch?.groups?.error ?? rawMessage).replaceAll(
           /"([^"]+)"/g,
           '$1',
@@ -626,8 +670,8 @@ async function registerAuthentications() {
         configuration: {},
         componentPath: 'authentications/providers',
       });
-    } catch (e: any) {
-      const fallbackMessage = `Anonymous authentication fallback also failed (${e.message}). Check your DD_AUTH_BASIC_* environment variables. Set DD_ANONYMOUS_AUTH_CONFIRM=true to allow anonymous access as a fallback.`;
+    } catch (e: unknown) {
+      const fallbackMessage = `Anonymous authentication fallback also failed (${getErrorMessage(e)}). Check your DD_AUTH_BASIC_* environment variables. Set DD_ANONYMOUS_AUTH_CONFIRM=true to allow anonymous access as a fallback.`;
       log.error(fallbackMessage);
       log.debug(e);
       registrationWarnings.push(fallbackMessage);
@@ -646,8 +690,8 @@ async function registerAgents() {
       const agent = new Agent();
       const registered = await agent.register('agent', 'dd', name, config);
       state.agent[registered.getId()] = registered;
-    } catch (e: any) {
-      log.warn(`Agent ${name} failed to register (${e.message})`);
+    } catch (e: unknown) {
+      log.warn(`Agent ${name} failed to register (${getErrorMessage(e)})`);
       log.debug(e);
     }
   });
@@ -663,8 +707,10 @@ async function registerAgents() {
 async function deregisterComponent(component: Component, kind: ComponentKind) {
   try {
     await component.deregister();
-  } catch (e: any) {
-    throw new Error(`Error when deregistering component ${component.getId()} (${e.message})`);
+  } catch (e: unknown) {
+    throw new Error(
+      `Error when deregistering component ${component.getId()} (${getErrorMessage(e)})`,
+    );
   } finally {
     const components = getState()[kind];
     if (components) {
@@ -748,8 +794,8 @@ async function deregisterAll() {
     await deregisterRegistries();
     await deregisterAuthentications();
     await deregisterAgents();
-  } catch (e: any) {
-    throw new Error(`Error when trying to deregister ${e.message}`);
+  } catch (e: unknown) {
+    throw new Error(`Error when trying to deregister ${getErrorMessage(e)}`);
   }
 }
 
@@ -759,8 +805,8 @@ async function shutdown() {
     await deregisterAll();
     await store.save();
     process.exit(0);
-  } catch (e: any) {
-    log.error(e.message);
+  } catch (e: unknown) {
+    log.error(getErrorMessage(e));
     process.exit(1);
   }
 }
@@ -774,6 +820,12 @@ export async function init(options: RegistrationOptions = {}) {
 
   // Register watchers
   await registerWatchers(options);
+  try {
+    pruneOrphanedLocalContainers();
+  } catch (e: unknown) {
+    log.warn(`Unable to prune orphaned local containers (${getErrorMessage(e)})`);
+    log.debug(e);
+  }
 
   if (!options.agent) {
     // Register authentications
diff --git a/app/registry/trigger-shared-config.ts b/app/registry/trigger-shared-config.ts
index f49854c5f..21eaa33df 100644
--- a/app/registry/trigger-shared-config.ts
+++ b/app/registry/trigger-shared-config.ts
@@ -1,14 +1,18 @@
 const SHARED_TRIGGER_CONFIGURATION_KEYS = ['threshold', 'once', 'mode', 'order'];
 const SHARED_TRIGGER_CONFIGURATION_KEY_SET = new Set(SHARED_TRIGGER_CONFIGURATION_KEYS);
 
-function isRecord(value: unknown): value is Record<string, any> {
+type UnknownRecord = Record<string, unknown>;
+type SharedValuesByName = Record<string, Record<string, Set<unknown>>>;
+type TriggerGroupDefaults = Record<string, UnknownRecord>;
+
+function isRecord(value: unknown): value is UnknownRecord {
   return (
     value !== null && value !== undefined && typeof value === 'object' && !Array.isArray(value)
   );
 }
 
-function applyProviderSharedTriggerConfiguration(configurations: Record<string, any>) {
-  const normalizedConfigurations: Record<string, any> = {};
+function applyProviderSharedTriggerConfiguration(configurations: UnknownRecord) {
+  const normalizedConfigurations: UnknownRecord = {};
 
   Object.keys(configurations || {}).forEach((provider) => {
     const providerConfigurations = configurations[provider];
@@ -17,7 +21,7 @@ function applyProviderSharedTriggerConfiguration(configurations: Record<string,
       return;
     }
 
-    const sharedConfiguration: Record<string, any> = {};
+    const sharedConfiguration: UnknownRecord = {};
     Object.keys(providerConfigurations).forEach((key) => {
       const value = providerConfigurations[key];
       if (SHARED_TRIGGER_CONFIGURATION_KEY_SET.has(key.toLowerCase()) && !isRecord(value)) {
@@ -43,10 +47,10 @@ function applyProviderSharedTriggerConfiguration(configurations: Record<string,
 }
 
 function addSharedTriggerValue(
-  valuesByName: Record<string, Record<string, Set<any>>>,
+  valuesByName: SharedValuesByName,
   triggerName: string,
   key: string,
-  value: any,
+  value: unknown,
 ) {
   const normalizedTriggerName = triggerName.toLowerCase();
   valuesByName[normalizedTriggerName] ??= {};
@@ -55,9 +59,9 @@ function addSharedTriggerValue(
 }
 
 function collectSharedValuesForTrigger(
-  valuesByName: Record<string, Record<string, Set<any>>>,
+  valuesByName: SharedValuesByName,
   triggerName: string,
-  triggerConfiguration: Record<string, any>,
+  triggerConfiguration: UnknownRecord,
 ) {
   for (const key of SHARED_TRIGGER_CONFIGURATION_KEYS) {
     const value = triggerConfiguration[key];
@@ -68,7 +72,7 @@ function collectSharedValuesForTrigger(
 }
 
 function collectValuesForProvider(
-  valuesByName: Record<string, Record<string, Set<any>>>,
+  valuesByName: SharedValuesByName,
   providerConfigurations: unknown,
 ) {
   if (!isRecord(providerConfigurations)) {
@@ -84,10 +88,8 @@ function collectValuesForProvider(
   }
 }
 
-function collectValuesByName(
-  configurations: Record<string, any>,
-): Record<string, Record<string, Set<any>>> {
-  const valuesByName: Record<string, Record<string, Set<any>>> = {};
+function collectValuesByName(configurations: UnknownRecord): SharedValuesByName {
+  const valuesByName: SharedValuesByName = {};
 
   for (const providerConfigurations of Object.values(configurations)) {
     collectValuesForProvider(valuesByName, providerConfigurations);
@@ -96,10 +98,8 @@ function collectValuesByName(
   return valuesByName;
 }
 
-function extractSharedValues(
-  valuesByName: Record<string, Record<string, Set<any>>>,
-): Record<string, any> {
-  const shared: Record<string, any> = {};
+function extractSharedValues(valuesByName: SharedValuesByName): Record<string, UnknownRecord> {
+  const shared: Record<string, UnknownRecord> = {};
 
   for (const triggerName of Object.keys(valuesByName)) {
     for (const key of SHARED_TRIGGER_CONFIGURATION_KEYS) {
@@ -116,18 +116,18 @@ function extractSharedValues(
   return shared;
 }
 
-function getSharedTriggerConfigurationByName(configurations: Record<string, any>) {
+function getSharedTriggerConfigurationByName(configurations: UnknownRecord) {
   const valuesByName = collectValuesByName(configurations);
   return extractSharedValues(valuesByName);
 }
 
-export function applySharedTriggerConfigurationByName(configurations: Record<string, any>) {
+export function applySharedTriggerConfigurationByName(configurations: UnknownRecord) {
   const configurationsWithProviderSharedValues =
     applyProviderSharedTriggerConfiguration(configurations);
   const sharedConfigurationByName = getSharedTriggerConfigurationByName(
     configurationsWithProviderSharedValues,
   );
-  const configurationsWithSharedValues: Record<string, any> = {};
+  const configurationsWithSharedValues: UnknownRecord = {};
 
   Object.keys(configurationsWithProviderSharedValues).forEach((provider) => {
     const providerConfigurations = configurationsWithProviderSharedValues[provider];
@@ -153,7 +153,7 @@ export function applySharedTriggerConfigurationByName(configurations: Record<str
   return configurationsWithSharedValues;
 }
 
-function isValidTriggerGroup(entry: Record<string, any>): boolean {
+function isValidTriggerGroup(entry: UnknownRecord): boolean {
   const keys = Object.keys(entry);
   return (
     keys.length > 0 &&
@@ -165,7 +165,7 @@ function isValidTriggerGroup(entry: Record<string, any>): boolean {
 
 function classifyConfigurationEntry(
   key: string,
-  value: any,
+  value: unknown,
   knownProviderSet: Set<string>,
 ): 'provider' | 'trigger-group' {
   const keyLower = key.toLowerCase();
@@ -179,17 +179,17 @@ function classifyConfigurationEntry(
 }
 
 function splitTriggerGroupDefaults(
-  configurations: Record<string, any>,
+  configurations: UnknownRecord,
   knownProviderSet: Set<string>,
-  onTriggerGroupDetected?: (groupName: string, value: Record<string, any>) => void,
+  onTriggerGroupDetected?: (groupName: string, value: UnknownRecord) => void,
 ) {
-  const triggerGroupDefaults: Record<string, Record<string, any>> = {};
-  const providerConfigurations: Record<string, any> = {};
+  const triggerGroupDefaults: TriggerGroupDefaults = {};
+  const providerConfigurations: UnknownRecord = {};
 
   for (const key of Object.keys(configurations)) {
     const value = configurations[key];
     const classification = classifyConfigurationEntry(key, value, knownProviderSet);
-    if (classification === 'trigger-group') {
+    if (classification === 'trigger-group' && isRecord(value)) {
       const keyLower = key.toLowerCase();
       triggerGroupDefaults[keyLower] = value;
       onTriggerGroupDetected?.(keyLower, value);
@@ -202,8 +202,8 @@ function splitTriggerGroupDefaults(
 }
 
 function mergeTriggerConfigurationWithDefaults(
-  triggerConfiguration: any,
-  groupDefaults: Record<string, any> | undefined,
+  triggerConfiguration: unknown,
+  groupDefaults: UnknownRecord | undefined,
 ) {
   if (!groupDefaults || !isRecord(triggerConfiguration)) {
     return triggerConfiguration;
@@ -217,13 +217,13 @@ function mergeTriggerConfigurationWithDefaults(
 
 function applyDefaultsToProviderConfiguration(
   providerConfig: unknown,
-  triggerGroupDefaults: Record<string, Record<string, any>>,
+  triggerGroupDefaults: TriggerGroupDefaults,
 ) {
   if (!isRecord(providerConfig)) {
     return providerConfig;
   }
 
-  const providerResult: Record<string, any> = {};
+  const providerResult: UnknownRecord = {};
   for (const triggerName of Object.keys(providerConfig)) {
     const triggerConfig = providerConfig[triggerName];
     const groupDefaults = triggerGroupDefaults[triggerName.toLowerCase()];
@@ -237,10 +237,10 @@ function applyDefaultsToProviderConfiguration(
 }
 
 function applyDefaultsToProviderConfigurations(
-  providerConfigurations: Record<string, any>,
-  triggerGroupDefaults: Record<string, Record<string, any>>,
+  providerConfigurations: UnknownRecord,
+  triggerGroupDefaults: TriggerGroupDefaults,
 ) {
-  const result: Record<string, any> = {};
+  const result: UnknownRecord = {};
 
   for (const provider of Object.keys(providerConfigurations)) {
     result[provider] = applyDefaultsToProviderConfiguration(
@@ -252,15 +252,15 @@ function applyDefaultsToProviderConfigurations(
   return result;
 }
 
-function hasConfigurationEntries(configurations: Record<string, any> | null | undefined): boolean {
+function hasConfigurationEntries(configurations: UnknownRecord | null | undefined): boolean {
   return !!configurations && Object.keys(configurations).length > 0;
 }
 
 export function applyTriggerGroupDefaults(
-  configurations: Record<string, any> | null | undefined,
+  configurations: UnknownRecord | null | undefined,
   knownProviderSet: Set<string>,
-  onTriggerGroupDetected?: (groupName: string, value: Record<string, any>) => void,
-): Record<string, any> | null | undefined {
+  onTriggerGroupDetected?: (groupName: string, value: UnknownRecord) => void,
+): UnknownRecord | null | undefined {
   if (!hasConfigurationEntries(configurations)) {
     return configurations;
   }
diff --git a/app/release-notes/index.test.ts b/app/release-notes/index.test.ts
new file mode 100644
index 000000000..b9acb858a
--- /dev/null
+++ b/app/release-notes/index.test.ts
@@ -0,0 +1,651 @@
+import { afterEach, beforeEach, describe, expect, test, vi } from 'vitest';
+
+const mockAxiosGet = vi.hoisted(() => vi.fn());
+
+vi.mock('axios', () => ({
+  default: {
+    get: (...args: unknown[]) => mockAxiosGet(...args),
+  },
+}));
+
+vi.mock('../log/index.js', () => ({
+  default: {
+    child: () => ({
+      debug: vi.fn(),
+      info: vi.fn(),
+      warn: vi.fn(),
+      error: vi.fn(),
+    }),
+  },
+}));
+
+import { ddEnvVars } from '../configuration/index.js';
+import {
+  _resetReleaseNotesCacheForTests,
+  detectSourceRepoFromImageMetadata,
+  getFullReleaseNotesForContainer,
+  resolveSourceRepoForContainer,
+  toContainerReleaseNotes,
+  truncateReleaseNotesBody,
+} from './index.js';
+
+describe('release-notes service', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    _resetReleaseNotesCacheForTests();
+    delete ddEnvVars.DD_RELEASE_NOTES_GITHUB_TOKEN;
+  });
+
+  afterEach(() => {
+    vi.useRealTimers();
+    delete ddEnvVars.DD_RELEASE_NOTES_GITHUB_TOKEN;
+  });
+
+  test('detectSourceRepoFromImageMetadata should prefer manual override label', () => {
+    const sourceRepo = detectSourceRepoFromImageMetadata({
+      containerLabels: {
+        'dd.source.repo': 'github.com/acme/manual',
+      },
+      imageLabels: {
+        'org.opencontainers.image.source': 'https://github.com/acme/from-image',
+      },
+      imageRegistryDomain: 'ghcr.io',
+      imagePath: 'acme/service',
+    });
+
+    expect(sourceRepo).toBe('github.com/acme/manual');
+  });
+
+  test('detectSourceRepoFromImageMetadata should parse OCI labels and ghcr fallbacks', () => {
+    expect(
+      detectSourceRepoFromImageMetadata({
+        imageLabels: {
+          'org.opencontainers.image.source': 'https://github.com/acme/service.git',
+        },
+      }),
+    ).toBe('github.com/acme/service');
+
+    expect(
+      detectSourceRepoFromImageMetadata({
+        imageLabels: {
+          'org.opencontainers.image.url': 'https://github.com/acme/url-only',
+        },
+      }),
+    ).toBe('github.com/acme/url-only');
+
+    expect(
+      detectSourceRepoFromImageMetadata({
+        imageRegistryDomain: 'ghcr.io',
+        imagePath: 'acme/service',
+      }),
+    ).toBe('github.com/acme/service');
+  });
+
+  test('detectSourceRepoFromImageMetadata should handle malformed values and ssh syntax', () => {
+    expect(
+      detectSourceRepoFromImageMetadata({
+        containerLabels: {
+          'dd.source.repo': '   ',
+        },
+        imageLabels: {
+          'org.opencontainers.image.source': 'git@github.com:acme/from-ssh.git',
+        },
+      }),
+    ).toBe('github.com/acme/from-ssh');
+
+    expect(
+      detectSourceRepoFromImageMetadata({
+        imageLabels: {
+          'org.opencontainers.image.source': 'https://github.com/',
+          'org.opencontainers.image.url': 'http://[::1',
+        },
+      }),
+    ).toBeUndefined();
+
+    expect(
+      detectSourceRepoFromImageMetadata({
+        imageLabels: {
+          'org.opencontainers.image.source': 'https://github.com/acme',
+        },
+      }),
+    ).toBeUndefined();
+
+    expect(
+      detectSourceRepoFromImageMetadata({
+        imageRegistryDomain: 'ghcr.io',
+        imagePath: '/',
+      }),
+    ).toBeUndefined();
+
+    expect(
+      detectSourceRepoFromImageMetadata({
+        imageLabels: {
+          'org.opencontainers.image.source': 'git@:acme/from-ssh.git',
+        },
+      }),
+    ).toBeUndefined();
+  });
+
+  test('resolveSourceRepoForContainer should fetch source from Docker Hub tag metadata and cache it', async () => {
+    mockAxiosGet.mockResolvedValueOnce({
+      data: {
+        source: 'https://github.com/nginx/nginx',
+      },
+    });
+
+    const container = {
+      image: {
+        name: 'library/nginx',
+        tag: {
+          value: '1.0.0',
+        },
+        registry: {
+          url: 'docker.io',
+        },
+      },
+      labels: {},
+    };
+
+    const first = await resolveSourceRepoForContainer(container as any);
+    const second = await resolveSourceRepoForContainer(container as any);
+
+    expect(first).toBe('github.com/nginx/nginx');
+    expect(second).toBe('github.com/nginx/nginx');
+    expect(mockAxiosGet).toHaveBeenCalledTimes(1);
+    expect(mockAxiosGet).toHaveBeenCalledWith(
+      'https://hub.docker.com/v2/repositories/library/nginx/tags/1.0.0',
+      expect.objectContaining({
+        headers: {
+          Accept: 'application/json',
+        },
+      }),
+    );
+  });
+
+  test('resolveSourceRepoForContainer should treat blank registry url as Docker Hub', async () => {
+    mockAxiosGet.mockResolvedValueOnce({
+      data: {
+        source: 'https://github.com/library/nginx',
+      },
+    });
+
+    const sourceRepo = await resolveSourceRepoForContainer({
+      image: {
+        name: 'library/nginx',
+        tag: {
+          value: 'stable',
+        },
+        registry: {
+          url: '   ',
+        },
+      },
+      labels: {},
+    } as any);
+
+    expect(sourceRepo).toBe('github.com/library/nginx');
+    expect(mockAxiosGet).toHaveBeenCalledTimes(1);
+  });
+
+  test('resolveSourceRepoForContainer should short-circuit when metadata labels resolve source', async () => {
+    const sourceRepo = await resolveSourceRepoForContainer({
+      image: {
+        name: 'acme/service',
+        registry: {
+          url: 'docker.io',
+        },
+      },
+      labels: {
+        'dd.source.repo': 'https://github.com/acme/from-label.git',
+      },
+    } as any);
+
+    expect(sourceRepo).toBe('github.com/acme/from-label');
+    expect(mockAxiosGet).not.toHaveBeenCalled();
+  });
+
+  test('resolveSourceRepoForContainer should return undefined for non-Docker-Hub images', async () => {
+    const sourceRepo = await resolveSourceRepoForContainer({
+      image: {
+        name: 'acme/service',
+        tag: {
+          value: '1.0.0',
+        },
+        registry: {
+          url: 'quay.io',
+        },
+      },
+      labels: {},
+    } as any);
+
+    expect(sourceRepo).toBeUndefined();
+    expect(mockAxiosGet).not.toHaveBeenCalled();
+  });
+
+  test('resolveSourceRepoForContainer should return undefined when image name or tag is missing', async () => {
+    const missingName = await resolveSourceRepoForContainer({
+      image: {
+        tag: {
+          value: '1.0.0',
+        },
+        registry: {
+          url: 'docker.io',
+        },
+      },
+      labels: {},
+      result: {
+        tag: '1.0.0',
+      },
+    } as any);
+    const missingTag = await resolveSourceRepoForContainer({
+      image: {
+        name: 'library/nginx',
+        registry: {
+          url: 'docker.io',
+        },
+      },
+      labels: {},
+    } as any);
+
+    expect(missingName).toBeUndefined();
+    expect(missingTag).toBeUndefined();
+    expect(mockAxiosGet).not.toHaveBeenCalled();
+  });
+
+  test('resolveSourceRepoForContainer should fall back to repository metadata after tag lookup failure', async () => {
+    mockAxiosGet.mockRejectedValueOnce(new Error('tag metadata failed'));
+    mockAxiosGet.mockResolvedValueOnce({
+      data: {
+        repository: {
+          source: 'https://github.com/acme/repository-fallback.git',
+        },
+      },
+    });
+
+    const sourceRepo = await resolveSourceRepoForContainer({
+      image: {
+        name: 'acme/service',
+        tag: {
+          value: '2.1.0',
+        },
+        registry: {
+          url: 'docker.io',
+        },
+      },
+      labels: {},
+    } as any);
+
+    expect(sourceRepo).toBe('github.com/acme/repository-fallback');
+    expect(mockAxiosGet).toHaveBeenCalledTimes(2);
+    expect(mockAxiosGet).toHaveBeenNthCalledWith(
+      2,
+      'https://hub.docker.com/v2/repositories/acme/service',
+      expect.any(Object),
+    );
+  });
+
+  test('resolveSourceRepoForContainer should return undefined when Docker Hub metadata does not contain source', async () => {
+    mockAxiosGet.mockResolvedValueOnce({
+      data: 'unexpected-payload',
+    });
+    mockAxiosGet.mockResolvedValueOnce({
+      data: {
+        repository: {},
+      },
+    });
+
+    const sourceRepo = await resolveSourceRepoForContainer({
+      image: {
+        name: 'library/nginx',
+        tag: {
+          value: '1.27.0',
+        },
+        registry: {
+          url: 'docker.io',
+        },
+      },
+      labels: {},
+    } as any);
+
+    expect(sourceRepo).toBeUndefined();
+  });
+
+  test('resolveSourceRepoForContainer should handle non-Error failures from Docker Hub endpoints', async () => {
+    mockAxiosGet.mockRejectedValueOnce(123);
+    mockAxiosGet.mockRejectedValueOnce({ message: 'repository metadata unavailable' });
+
+    const sourceRepo = await resolveSourceRepoForContainer({
+      image: {
+        name: 'library/nginx',
+        tag: {
+          value: '1.28.0',
+        },
+        registry: {
+          url: 'docker.io',
+        },
+      },
+      labels: {},
+    } as any);
+
+    expect(sourceRepo).toBeUndefined();
+  });
+
+  test('resolveSourceRepoForContainer should stringify object failures with non-string message fields', async () => {
+    mockAxiosGet.mockRejectedValueOnce({ message: { detail: 'tag metadata unavailable' } });
+    mockAxiosGet.mockRejectedValueOnce({ message: { detail: 'repository metadata unavailable' } });
+
+    const sourceRepo = await resolveSourceRepoForContainer({
+      image: {
+        name: 'library/nginx',
+        tag: {
+          value: '1.28.1',
+        },
+        registry: {
+          url: 'docker.io',
+        },
+      },
+      labels: {},
+    } as any);
+
+    expect(sourceRepo).toBeUndefined();
+  });
+
+  test('resolveSourceRepoForContainer should refresh expired Docker Hub source repo cache entries', async () => {
+    vi.useFakeTimers();
+    vi.setSystemTime(new Date('2026-01-01T00:00:00.000Z'));
+
+    mockAxiosGet.mockResolvedValue({
+      data: {
+        source: 'https://github.com/library/nginx',
+      },
+    });
+
+    const container = {
+      image: {
+        name: 'library/nginx',
+        tag: {
+          value: '1.29.0',
+        },
+        registry: {
+          url: 'docker.io',
+        },
+      },
+      labels: {},
+    };
+
+    const first = await resolveSourceRepoForContainer(container as any);
+    vi.setSystemTime(new Date('2026-01-01T07:00:00.000Z'));
+    const second = await resolveSourceRepoForContainer(container as any);
+
+    expect(first).toBe('github.com/library/nginx');
+    expect(second).toBe('github.com/library/nginx');
+    expect(mockAxiosGet).toHaveBeenCalledTimes(2);
+  });
+
+  test('resolveSourceRepoForContainer should cache not-found Docker Hub source repo lookups', async () => {
+    mockAxiosGet.mockResolvedValueOnce({ data: {} });
+    mockAxiosGet.mockResolvedValueOnce({ data: {} });
+
+    const container = {
+      image: {
+        name: 'library/nginx',
+        tag: {
+          value: '9.9.9',
+        },
+        registry: {
+          url: 'docker.io',
+        },
+      },
+      labels: {},
+    };
+
+    const first = await resolveSourceRepoForContainer(container as any);
+    const second = await resolveSourceRepoForContainer(container as any);
+
+    expect(first).toBeUndefined();
+    expect(second).toBeUndefined();
+    expect(mockAxiosGet).toHaveBeenCalledTimes(2);
+  });
+
+  test('resolveSourceRepoForContainer should not treat malformed registry hostnames as Docker Hub', async () => {
+    const sourceRepo = await resolveSourceRepoForContainer({
+      image: {
+        name: 'acme/service',
+        tag: {
+          value: '1.0.0',
+        },
+        registry: {
+          url: 'https://registry with spaces.example.com/path',
+        },
+      },
+      labels: {},
+    } as any);
+
+    expect(sourceRepo).toBeUndefined();
+    expect(mockAxiosGet).not.toHaveBeenCalled();
+  });
+
+  test('getFullReleaseNotesForContainer should resolve GitHub releases with v/version variants', async () => {
+    mockAxiosGet.mockRejectedValueOnce({
+      response: {
+        status: 404,
+      },
+    });
+    mockAxiosGet.mockResolvedValueOnce({
+      data: {
+        tag_name: '1.2.3',
+        name: 'Release 1.2.3',
+        body: 'Full release notes body',
+        html_url: 'https://github.com/acme/service/releases/tag/1.2.3',
+        published_at: '2026-03-01T00:00:00.000Z',
+      },
+    });
+
+    const releaseNotes = await getFullReleaseNotesForContainer({
+      sourceRepo: 'github.com/acme/service',
+      result: {
+        tag: '1.2.3',
+      },
+    } as any);
+
+    expect(mockAxiosGet).toHaveBeenNthCalledWith(
+      1,
+      'https://api.github.com/repos/acme/service/releases/tags/v1.2.3',
+      expect.any(Object),
+    );
+    expect(mockAxiosGet).toHaveBeenNthCalledWith(
+      2,
+      'https://api.github.com/repos/acme/service/releases/tags/1.2.3',
+      expect.any(Object),
+    );
+    expect(releaseNotes).toEqual({
+      title: 'Release 1.2.3',
+      body: 'Full release notes body',
+      url: 'https://github.com/acme/service/releases/tag/1.2.3',
+      publishedAt: '2026-03-01T00:00:00.000Z',
+      provider: 'github',
+    });
+  });
+
+  test('getFullReleaseNotesForContainer should include optional GitHub auth token', async () => {
+    ddEnvVars.DD_RELEASE_NOTES_GITHUB_TOKEN = 'ghp_test';
+    mockAxiosGet.mockResolvedValueOnce({
+      data: {
+        tag_name: 'v2.0.0',
+        name: 'Release 2.0.0',
+        body: 'Notes',
+        html_url: 'https://github.com/acme/service/releases/tag/v2.0.0',
+        published_at: '2026-03-01T00:00:00.000Z',
+      },
+    });
+
+    await getFullReleaseNotesForContainer({
+      sourceRepo: 'github.com/acme/service',
+      result: {
+        tag: '2.0.0',
+      },
+    } as any);
+
+    expect(mockAxiosGet).toHaveBeenCalledWith(
+      'https://api.github.com/repos/acme/service/releases/tags/v2.0.0',
+      expect.objectContaining({
+        headers: expect.objectContaining({
+          Authorization: 'Bearer ghp_test',
+        }),
+      }),
+    );
+  });
+
+  test('getFullReleaseNotesForContainer should omit auth header when token is blank', async () => {
+    ddEnvVars.DD_RELEASE_NOTES_GITHUB_TOKEN = '   ';
+    mockAxiosGet.mockResolvedValueOnce({
+      data: {
+        tag_name: 'v2.1.0',
+        name: 'Release 2.1.0',
+        body: 'Notes',
+        html_url: 'https://github.com/acme/service/releases/tag/v2.1.0',
+        published_at: '2026-03-01T00:00:00.000Z',
+      },
+    });
+
+    await getFullReleaseNotesForContainer({
+      sourceRepo: 'github.com/acme/service',
+      result: {
+        tag: '2.1.0',
+      },
+    } as any);
+
+    expect(mockAxiosGet).toHaveBeenCalledWith(
+      'https://api.github.com/repos/acme/service/releases/tags/v2.1.0',
+      expect.objectContaining({
+        headers: expect.not.objectContaining({
+          Authorization: expect.any(String),
+        }),
+      }),
+    );
+  });
+
+  test('getFullReleaseNotesForContainer should return undefined when tag is missing', async () => {
+    const releaseNotes = await getFullReleaseNotesForContainer({
+      sourceRepo: 'github.com/acme/service',
+      result: {},
+    } as any);
+
+    expect(releaseNotes).toBeUndefined();
+    expect(mockAxiosGet).not.toHaveBeenCalled();
+  });
+
+  test('getFullReleaseNotesForContainer should return undefined when source repo cannot be resolved', async () => {
+    const releaseNotes = await getFullReleaseNotesForContainer({
+      result: {
+        tag: '1.2.3',
+      },
+      image: {
+        name: 'acme/service',
+        tag: {
+          value: '1.2.3',
+        },
+        registry: {
+          url: 'registry.example.com',
+        },
+      },
+      labels: {},
+    } as any);
+
+    expect(releaseNotes).toBeUndefined();
+    expect(mockAxiosGet).not.toHaveBeenCalled();
+  });
+
+  test('getFullReleaseNotesForContainer should return undefined when no provider supports the source repo', async () => {
+    const releaseNotes = await getFullReleaseNotesForContainer({
+      sourceRepo: 'https://gitlab.com/acme/service',
+      result: {
+        tag: '1.2.3',
+      },
+    } as any);
+
+    expect(releaseNotes).toBeUndefined();
+    expect(mockAxiosGet).not.toHaveBeenCalled();
+  });
+
+  test('getFullReleaseNotesForContainer should cache not-found release notes results', async () => {
+    mockAxiosGet
+      .mockRejectedValueOnce({
+        response: {
+          status: 404,
+        },
+      })
+      .mockRejectedValueOnce({
+        response: {
+          status: 404,
+        },
+      });
+
+    const container = {
+      sourceRepo: 'github.com/acme/service',
+      result: {
+        tag: '9.9.9',
+      },
+    };
+
+    const first = await getFullReleaseNotesForContainer(container as any);
+    const second = await getFullReleaseNotesForContainer(container as any);
+
+    expect(first).toBeUndefined();
+    expect(second).toBeUndefined();
+    expect(mockAxiosGet).toHaveBeenCalledTimes(2);
+  });
+
+  test('getFullReleaseNotesForContainer should return undefined when GitHub rate limit is hit', async () => {
+    mockAxiosGet.mockRejectedValueOnce({
+      response: {
+        status: 403,
+        headers: {
+          'x-ratelimit-remaining': '0',
+        },
+      },
+    });
+
+    const releaseNotes = await getFullReleaseNotesForContainer({
+      sourceRepo: 'github.com/acme/service',
+      result: {
+        tag: '2.0.0',
+      },
+    } as any);
+
+    expect(releaseNotes).toBeUndefined();
+  });
+
+  test('truncateReleaseNotesBody and toContainerReleaseNotes should cap body length', () => {
+    const fullBody = 'x'.repeat(2500);
+
+    const truncated = truncateReleaseNotesBody(fullBody, 2000);
+    expect(truncated.length).toBe(2000);
+
+    const containerReleaseNotes = toContainerReleaseNotes({
+      title: 'Release',
+      body: fullBody,
+      url: 'https://github.com/acme/service/releases/tag/v3.0.0',
+      publishedAt: '2026-03-01T00:00:00.000Z',
+      provider: 'github',
+    });
+    expect(containerReleaseNotes.body.length).toBe(2000);
+    expect(containerReleaseNotes).toEqual(
+      expect.objectContaining({
+        title: 'Release',
+        url: 'https://github.com/acme/service/releases/tag/v3.0.0',
+        provider: 'github',
+      }),
+    );
+  });
+
+  test('truncateReleaseNotesBody should handle boundary maxLength values', () => {
+    expect(truncateReleaseNotesBody('abc', 0)).toBe('');
+    expect(truncateReleaseNotesBody('abc', 3)).toBe('abc');
+    expect(truncateReleaseNotesBody('abcdef', 3)).toBe('abc');
+    expect(truncateReleaseNotesBody('abc', 10)).toBe('abc');
+  });
+
+  test('truncateReleaseNotesBody should treat non-string bodies as empty', () => {
+    expect(truncateReleaseNotesBody(42 as any, 10)).toBe('');
+  });
+});
diff --git a/app/release-notes/index.ts b/app/release-notes/index.ts
new file mode 100644
index 000000000..b6d52c4c9
--- /dev/null
+++ b/app/release-notes/index.ts
@@ -0,0 +1,372 @@
+import axios from 'axios';
+import { ddEnvVars } from '../configuration/index.js';
+import logger from '../log/index.js';
+import type { Container } from '../model/container.js';
+import GithubProvider from './providers/GithubProvider.js';
+import type { ReleaseNotes, ReleaseNotesProviderClient } from './types.js';
+
+const log = logger.child({ component: 'release-notes' });
+
+const DD_SOURCE_REPO_LABEL = 'dd.source.repo';
+const OCI_SOURCE_REPO_LABEL = 'org.opencontainers.image.source';
+const OCI_URL_REPO_LABEL = 'org.opencontainers.image.url';
+
+const RELEASE_NOTES_CACHE_TTL_MS = 60 * 60 * 1000;
+const RELEASE_NOTES_CACHE_NOT_FOUND_TTL_MS = 10 * 60 * 1000;
+const SOURCE_REPO_CACHE_TTL_MS = 6 * 60 * 60 * 1000;
+const SOURCE_REPO_CACHE_NOT_FOUND_TTL_MS = 30 * 60 * 1000;
+
+const CONTAINER_RELEASE_NOTES_BODY_MAX_LENGTH = 2000;
+
+type CacheEntry<T> = {
+  expiresAt: number;
+  value: T;
+};
+
+type CacheLookup<T> =
+  | {
+      found: false;
+    }
+  | {
+      found: true;
+      value: T;
+    };
+
+const releaseNotesCache = new Map<string, CacheEntry<ReleaseNotes | null>>();
+const sourceRepoCache = new Map<string, CacheEntry<string | null>>();
+const providers: ReleaseNotesProviderClient[] = [new GithubProvider()];
+
+function getErrorMessage(error: unknown) {
+  if (error instanceof Error) {
+    return error.message;
+  }
+  if (typeof error === 'object' && error !== null && 'message' in error) {
+    const { message } = error as { message: unknown };
+    if (typeof message === 'string') {
+      return message;
+    }
+  }
+  return String(error);
+}
+
+function pruneExpiredCache<T>(cache: Map<string, CacheEntry<T>>) {
+  const now = Date.now();
+  for (const [cacheKey, cacheEntry] of cache.entries()) {
+    if (now >= cacheEntry.expiresAt) {
+      cache.delete(cacheKey);
+    }
+  }
+}
+
+function getCacheValue<T>(cache: Map<string, CacheEntry<T>>, cacheKey: string): CacheLookup<T> {
+  pruneExpiredCache(cache);
+  const cacheEntry = cache.get(cacheKey);
+  if (!cacheEntry) {
+    return { found: false };
+  }
+  return {
+    found: true,
+    value: cacheEntry.value,
+  };
+}
+
+function setCacheValue<T>(
+  cache: Map<string, CacheEntry<T>>,
+  cacheKey: string,
+  value: T,
+  ttlMs: number,
+) {
+  cache.set(cacheKey, {
+    value,
+    expiresAt: Date.now() + ttlMs,
+  });
+}
+
+function getImageRegistryHostname(image: Container['image'] | undefined) {
+  const registryUrl = image?.registry?.url;
+  if (typeof registryUrl !== 'string' || registryUrl.trim() === '') {
+    return undefined;
+  }
+  const withProtocol = /^https?:\/\//i.test(registryUrl) ? registryUrl : `https://${registryUrl}`;
+  try {
+    return new URL(withProtocol).hostname.toLowerCase();
+  } catch {
+    return registryUrl
+      .replace(/^https?:\/\//i, '')
+      .split('/')[0]
+      .toLowerCase();
+  }
+}
+
+function normalizeSourceRepo(sourceRepoRaw?: string) {
+  if (typeof sourceRepoRaw !== 'string') {
+    return undefined;
+  }
+  const sourceRepoTrimmed = sourceRepoRaw.trim();
+  if (sourceRepoTrimmed === '') {
+    return undefined;
+  }
+
+  if (sourceRepoTrimmed.startsWith('git@') && sourceRepoTrimmed.includes(':')) {
+    const [sshPrefix, sshPath] = sourceRepoTrimmed.split(':');
+    const sshHost = sshPrefix.substring('git@'.length);
+    if (sshHost !== '' && sshPath !== '') {
+      return normalizeSourceRepo(`${sshHost}/${sshPath}`);
+    }
+  }
+
+  const withProtocol = /^https?:\/\//i.test(sourceRepoTrimmed)
+    ? sourceRepoTrimmed
+    : `https://${sourceRepoTrimmed}`;
+  try {
+    const sourceRepoUrl = new URL(withProtocol);
+    const sourceRepoPath = sourceRepoUrl.pathname
+      .replace(/^\/+/, '')
+      .replace(/\/+$/, '')
+      .replace(/\.git$/i, '');
+    if (sourceRepoPath === '') {
+      return undefined;
+    }
+
+    const [owner, repo] = sourceRepoPath.split('/');
+    if (!owner || !repo) {
+      return undefined;
+    }
+    return `${sourceRepoUrl.hostname.toLowerCase()}/${owner}/${repo}`;
+  } catch {
+    return undefined;
+  }
+}
+
+function deriveSourceRepoFromGhcrImage(imageRegistryDomain?: string, imagePath?: string) {
+  if (
+    typeof imageRegistryDomain !== 'string' ||
+    imageRegistryDomain.toLowerCase() !== 'ghcr.io' ||
+    typeof imagePath !== 'string'
+  ) {
+    return undefined;
+  }
+
+  const [owner, repo] = imagePath
+    .split('/')
+    .map((segment) => segment.trim())
+    .filter((segment) => segment !== '');
+  if (!owner || !repo) {
+    return undefined;
+  }
+  return normalizeSourceRepo(`github.com/${owner}/${repo}`);
+}
+
+function isDockerHubImage(image: Container['image'] | undefined) {
+  const registryHost = getImageRegistryHostname(image);
+  return (
+    !registryHost ||
+    registryHost === 'docker.io' ||
+    registryHost === 'registry-1.docker.io' ||
+    registryHost.endsWith('.docker.io')
+  );
+}
+
+function getSourceRepoFromHubPayload(payload: unknown) {
+  if (!payload || typeof payload !== 'object') {
+    return undefined;
+  }
+  const payloadRecord = payload as Record<string, unknown>;
+  if (typeof payloadRecord.source === 'string') {
+    return payloadRecord.source;
+  }
+  const repository = payloadRecord.repository as Record<string, unknown> | undefined;
+  if (repository && typeof repository.source === 'string') {
+    return repository.source;
+  }
+  return undefined;
+}
+
+async function lookupSourceRepoFromDockerHubTagMetadata(imageName: string, tag: string) {
+  const tagMetadataUrl = `https://hub.docker.com/v2/repositories/${imageName}/tags/${encodeURIComponent(
+    tag,
+  )}`;
+  const requestOptions = {
+    headers: {
+      Accept: 'application/json',
+    },
+    timeout: 10_000,
+  };
+
+  try {
+    const tagResponse = await axios.get(tagMetadataUrl, requestOptions);
+    const sourceRepoCandidate = normalizeSourceRepo(getSourceRepoFromHubPayload(tagResponse?.data));
+    if (sourceRepoCandidate) {
+      return sourceRepoCandidate;
+    }
+  } catch (error: unknown) {
+    log.debug(`Unable to query Docker Hub tag metadata (${getErrorMessage(error)})`);
+  }
+
+  try {
+    const repositoryResponse = await axios.get(
+      `https://hub.docker.com/v2/repositories/${imageName}`,
+      requestOptions,
+    );
+    return normalizeSourceRepo(getSourceRepoFromHubPayload(repositoryResponse?.data));
+  } catch (error: unknown) {
+    log.debug(`Unable to query Docker Hub repository metadata (${getErrorMessage(error)})`);
+  }
+
+  return undefined;
+}
+
+function getSourceRepoCacheKey(imageName: string, tag: string) {
+  return `${imageName.toLowerCase()}@${tag.toLowerCase()}`;
+}
+
+export function detectSourceRepoFromImageMetadata(options: {
+  containerLabels?: Record<string, string>;
+  imageLabels?: Record<string, string>;
+  imageRegistryDomain?: string;
+  imagePath?: string;
+}) {
+  const manualOverride =
+    normalizeSourceRepo(options.containerLabels?.[DD_SOURCE_REPO_LABEL]) ||
+    normalizeSourceRepo(options.imageLabels?.[DD_SOURCE_REPO_LABEL]);
+  if (manualOverride) {
+    return manualOverride;
+  }
+
+  const sourceLabel = normalizeSourceRepo(options.imageLabels?.[OCI_SOURCE_REPO_LABEL]);
+  if (sourceLabel) {
+    return sourceLabel;
+  }
+
+  const urlLabel = normalizeSourceRepo(options.imageLabels?.[OCI_URL_REPO_LABEL]);
+  if (urlLabel) {
+    return urlLabel;
+  }
+
+  return deriveSourceRepoFromGhcrImage(options.imageRegistryDomain, options.imagePath);
+}
+
+export async function resolveSourceRepoForContainer(container: Container) {
+  const sourceRepoFromContainer = normalizeSourceRepo(container.sourceRepo);
+  if (sourceRepoFromContainer) {
+    return sourceRepoFromContainer;
+  }
+
+  const sourceRepoFromLabelsOrGhcr = detectSourceRepoFromImageMetadata({
+    containerLabels: container.labels,
+    imageRegistryDomain: getImageRegistryHostname(container.image),
+    imagePath: container.image?.name,
+  });
+  if (sourceRepoFromLabelsOrGhcr) {
+    return sourceRepoFromLabelsOrGhcr;
+  }
+
+  if (!isDockerHubImage(container.image)) {
+    return undefined;
+  }
+
+  const imageName = container.image?.name;
+  const tag = container.result?.tag || container.image?.tag?.value;
+  if (
+    typeof imageName !== 'string' ||
+    imageName.trim() === '' ||
+    typeof tag !== 'string' ||
+    tag.trim() === ''
+  ) {
+    return undefined;
+  }
+
+  const cacheKey = getSourceRepoCacheKey(imageName, tag);
+  const sourceRepoFromCache = getCacheValue(sourceRepoCache, cacheKey);
+  if (sourceRepoFromCache.found) {
+    return sourceRepoFromCache.value ?? undefined;
+  }
+
+  const sourceRepo = await lookupSourceRepoFromDockerHubTagMetadata(imageName, tag);
+  setCacheValue(
+    sourceRepoCache,
+    cacheKey,
+    sourceRepo || null,
+    sourceRepo ? SOURCE_REPO_CACHE_TTL_MS : SOURCE_REPO_CACHE_NOT_FOUND_TTL_MS,
+  );
+  return sourceRepo;
+}
+
+function getGithubToken() {
+  const githubToken = ddEnvVars.DD_RELEASE_NOTES_GITHUB_TOKEN;
+  if (typeof githubToken !== 'string') {
+    return undefined;
+  }
+  const tokenTrimmed = githubToken.trim();
+  return tokenTrimmed !== '' ? tokenTrimmed : undefined;
+}
+
+function getReleaseNotesCacheKey(providerId: string, sourceRepo: string, tag: string) {
+  return `${providerId}:${sourceRepo.toLowerCase()}@${tag.toLowerCase()}`;
+}
+
+async function getReleaseNotesForSourceRepo(sourceRepo: string, tag: string) {
+  const provider = providers.find((releaseNotesProvider) =>
+    releaseNotesProvider.supports(sourceRepo),
+  );
+  if (!provider) {
+    return undefined;
+  }
+
+  const cacheKey = getReleaseNotesCacheKey(provider.id, sourceRepo, tag);
+  const releaseNotesFromCache = getCacheValue(releaseNotesCache, cacheKey);
+  if (releaseNotesFromCache.found) {
+    return releaseNotesFromCache.value ?? undefined;
+  }
+
+  const releaseNotes = await provider.fetchByTag(sourceRepo, tag, getGithubToken());
+  setCacheValue(
+    releaseNotesCache,
+    cacheKey,
+    releaseNotes || null,
+    releaseNotes ? RELEASE_NOTES_CACHE_TTL_MS : RELEASE_NOTES_CACHE_NOT_FOUND_TTL_MS,
+  );
+  return releaseNotes;
+}
+
+export async function getFullReleaseNotesForContainer(container: Container) {
+  const tag = container.result?.tag;
+  if (typeof tag !== 'string' || tag.trim() === '') {
+    return undefined;
+  }
+
+  const sourceRepo = await resolveSourceRepoForContainer(container);
+  if (!sourceRepo) {
+    return undefined;
+  }
+  return getReleaseNotesForSourceRepo(sourceRepo, tag);
+}
+
+export function truncateReleaseNotesBody(body: string, maxLength: number) {
+  const bodyString = typeof body === 'string' ? body : '';
+  if (maxLength <= 0) {
+    return '';
+  }
+  if (bodyString.length <= maxLength) {
+    return bodyString;
+  }
+  if (maxLength <= 3) {
+    return bodyString.substring(0, maxLength);
+  }
+  return `${bodyString.substring(0, maxLength - 3)}...`;
+}
+
+export function toContainerReleaseNotes(
+  releaseNotes: ReleaseNotes,
+  bodyMaxLength = CONTAINER_RELEASE_NOTES_BODY_MAX_LENGTH,
+) {
+  return {
+    ...releaseNotes,
+    body: truncateReleaseNotesBody(releaseNotes.body, bodyMaxLength),
+  };
+}
+
+export function _resetReleaseNotesCacheForTests() {
+  releaseNotesCache.clear();
+  sourceRepoCache.clear();
+}
diff --git a/app/release-notes/providers/GithubProvider.test.ts b/app/release-notes/providers/GithubProvider.test.ts
new file mode 100644
index 000000000..ea1a8f5a2
--- /dev/null
+++ b/app/release-notes/providers/GithubProvider.test.ts
@@ -0,0 +1,128 @@
+import { beforeEach, describe, expect, test, vi } from 'vitest';
+
+const mockAxiosGet = vi.hoisted(() => vi.fn());
+const mockLogDebug = vi.hoisted(() => vi.fn());
+const mockLogWarn = vi.hoisted(() => vi.fn());
+
+vi.mock('axios', () => ({
+  default: {
+    get: (...args: unknown[]) => mockAxiosGet(...args),
+  },
+}));
+
+vi.mock('../../log/index.js', () => ({
+  default: {
+    child: () => ({
+      debug: mockLogDebug,
+      info: vi.fn(),
+      warn: mockLogWarn,
+      error: vi.fn(),
+    }),
+  },
+}));
+
+import GithubProvider from './GithubProvider.js';
+
+describe('release-notes/providers/GithubProvider', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  test('supports should only match github repositories', () => {
+    const provider = new GithubProvider();
+
+    expect(provider.supports('github.com/acme/service')).toBe(true);
+    expect(provider.supports(' https://github.com/acme/service ')).toBe(true);
+    expect(provider.supports('gitlab.com/acme/service')).toBe(false);
+  });
+
+  test('fetchByTag should return undefined for non-github source repos', async () => {
+    const provider = new GithubProvider();
+
+    await expect(
+      provider.fetchByTag('https://gitlab.com/acme/service', '1.0.0'),
+    ).resolves.toBeUndefined();
+    expect(mockAxiosGet).not.toHaveBeenCalled();
+  });
+
+  test('fetchByTag should return undefined when github path is incomplete', async () => {
+    const provider = new GithubProvider();
+
+    await expect(provider.fetchByTag('https://github.com/acme', '1.0.0')).resolves.toBeUndefined();
+    expect(mockAxiosGet).not.toHaveBeenCalled();
+  });
+
+  test('fetchByTag should return undefined when tag is empty after trimming', async () => {
+    const provider = new GithubProvider();
+
+    await expect(provider.fetchByTag('github.com/acme/service', '   ')).resolves.toBeUndefined();
+    expect(mockAxiosGet).not.toHaveBeenCalled();
+  });
+
+  test('fetchByTag should return undefined after exhausting 404 tag variants', async () => {
+    const provider = new GithubProvider();
+    mockAxiosGet.mockRejectedValueOnce({
+      response: {
+        status: 404,
+      },
+    });
+
+    const releaseNotes = await provider.fetchByTag('github.com/acme/service', 'v');
+
+    expect(releaseNotes).toBeUndefined();
+    expect(mockAxiosGet).toHaveBeenCalledTimes(1);
+    expect(mockAxiosGet).toHaveBeenCalledWith(
+      'https://api.github.com/repos/acme/service/releases/tags/v',
+      expect.any(Object),
+    );
+  });
+
+  test('fetchByTag should stop on non-rate-limited 403 responses', async () => {
+    const provider = new GithubProvider();
+    mockAxiosGet.mockRejectedValueOnce({
+      response: {
+        status: 403,
+        headers: null,
+      },
+      message: 'forbidden',
+    });
+
+    const releaseNotes = await provider.fetchByTag('github.com/acme/service', '1.0.0');
+
+    expect(releaseNotes).toBeUndefined();
+    expect(mockLogDebug).toHaveBeenCalledTimes(1);
+    expect(mockLogWarn).not.toHaveBeenCalled();
+  });
+
+  test('fetchByTag should handle non-object thrown errors', async () => {
+    const provider = new GithubProvider();
+    mockAxiosGet.mockRejectedValueOnce('request failed');
+
+    const releaseNotes = await provider.fetchByTag('github.com/acme/service', '1.0.0');
+
+    expect(releaseNotes).toBeUndefined();
+    expect(mockLogDebug).toHaveBeenCalledTimes(1);
+  });
+
+  test('fetchByTag should apply fallback values for missing release fields', async () => {
+    const provider = new GithubProvider();
+    mockAxiosGet.mockResolvedValueOnce({
+      data: {
+        body: null,
+        name: '   ',
+        html_url: '',
+        published_at: 'not-a-date',
+      },
+    });
+
+    const releaseNotes = await provider.fetchByTag('github.com/acme/service', '1.0.0');
+
+    expect(releaseNotes).toEqual({
+      title: 'v1.0.0',
+      body: '',
+      url: 'https://github.com/acme/service/releases/tag/v1.0.0',
+      publishedAt: new Date(0).toISOString(),
+      provider: 'github',
+    });
+  });
+});
diff --git a/app/release-notes/providers/GithubProvider.ts b/app/release-notes/providers/GithubProvider.ts
new file mode 100644
index 000000000..2fff369a0
--- /dev/null
+++ b/app/release-notes/providers/GithubProvider.ts
@@ -0,0 +1,150 @@
+import axios from 'axios';
+import logger from '../../log/index.js';
+import type { ReleaseNotes, ReleaseNotesProviderClient } from '../types.js';
+
+const log = logger.child({ component: 'release-notes.provider.github' });
+
+type UnknownRecord = Record<string, unknown>;
+
+function isRecord(value: unknown): value is UnknownRecord {
+  return typeof value === 'object' && value !== null;
+}
+
+function getErrorStatusCode(error: unknown) {
+  if (!isRecord(error) || !isRecord(error.response)) {
+    return undefined;
+  }
+  return error.response.status;
+}
+
+function getErrorHeader(error: unknown, headerName: string) {
+  if (!isRecord(error) || !isRecord(error.response) || !isRecord(error.response.headers)) {
+    return undefined;
+  }
+  return error.response.headers[headerName];
+}
+
+function getDebugErrorMessage(error: unknown) {
+  if (isRecord(error) && error.message) {
+    return String(error.message);
+  }
+  return String(error);
+}
+
+function normalizeGithubRepo(sourceRepo: string) {
+  const normalized = sourceRepo
+    .trim()
+    .replace(/^https?:\/\//i, '')
+    .replace(/\/+$/g, '');
+  const withoutGitSuffix = normalized.replace(/\.git$/i, '');
+  if (!withoutGitSuffix.toLowerCase().startsWith('github.com/')) {
+    return undefined;
+  }
+
+  const path = withoutGitSuffix.substring('github.com/'.length);
+  const [owner, repo] = path.split('/');
+  if (!owner || !repo) {
+    return undefined;
+  }
+  return {
+    owner,
+    repo,
+  };
+}
+
+function buildTagVariants(tag: string) {
+  const tagNormalized = tag.trim();
+  if (tagNormalized === '') {
+    return [];
+  }
+  if (tagNormalized.startsWith('v')) {
+    return [tagNormalized, tagNormalized.substring(1)].filter(
+      (tagCandidate) => tagCandidate !== '',
+    );
+  }
+  return [`v${tagNormalized}`, tagNormalized];
+}
+
+class GithubProvider implements ReleaseNotesProviderClient {
+  id = 'github' as const;
+
+  supports(sourceRepo: string) {
+    return sourceRepo
+      .trim()
+      .replace(/^https?:\/\//i, '')
+      .toLowerCase()
+      .startsWith('github.com/');
+  }
+
+  async fetchByTag(
+    sourceRepo: string,
+    tag: string,
+    token?: string,
+  ): Promise<ReleaseNotes | undefined> {
+    const repo = normalizeGithubRepo(sourceRepo);
+    if (!repo) {
+      return undefined;
+    }
+
+    const tagVariants = buildTagVariants(tag);
+    if (tagVariants.length === 0) {
+      return undefined;
+    }
+
+    for (const tagVariant of tagVariants) {
+      const endpoint = `https://api.github.com/repos/${repo.owner}/${repo.repo}/releases/tags/${encodeURIComponent(
+        tagVariant,
+      )}`;
+      try {
+        const response = await axios.get(endpoint, {
+          headers: {
+            Accept: 'application/vnd.github+json',
+            ...(token ? { Authorization: `Bearer ${token}` } : {}),
+          },
+          timeout: 10_000,
+        });
+
+        const body = typeof response?.data?.body === 'string' ? response.data.body : '';
+        const title =
+          typeof response?.data?.name === 'string' && response.data.name.trim() !== ''
+            ? response.data.name
+            : tagVariant;
+        const url =
+          typeof response?.data?.html_url === 'string' && response.data.html_url.trim() !== ''
+            ? response.data.html_url
+            : `https://github.com/${repo.owner}/${repo.repo}/releases/tag/${encodeURIComponent(tagVariant)}`;
+        const publishedAt =
+          typeof response?.data?.published_at === 'string' &&
+          !Number.isNaN(Date.parse(response.data.published_at))
+            ? response.data.published_at
+            : new Date(0).toISOString();
+
+        return {
+          title,
+          body,
+          url,
+          publishedAt,
+          provider: 'github',
+        };
+      } catch (error: unknown) {
+        const statusCode = getErrorStatusCode(error);
+        if (statusCode === 404) {
+          continue;
+        }
+        if (
+          statusCode === 403 &&
+          `${getErrorHeader(error, 'x-ratelimit-remaining') ?? ''}` === '0'
+        ) {
+          log.warn('GitHub release notes lookup is rate-limited');
+          return undefined;
+        }
+        log.debug(`Unable to fetch GitHub release notes (${getDebugErrorMessage(error)})`);
+        return undefined;
+      }
+    }
+
+    return undefined;
+  }
+}
+
+export default GithubProvider;
diff --git a/app/release-notes/types.ts b/app/release-notes/types.ts
new file mode 100644
index 000000000..52becc1f2
--- /dev/null
+++ b/app/release-notes/types.ts
@@ -0,0 +1,19 @@
+export type ReleaseNotesProvider = 'github' | 'gitlab' | 'gitea';
+
+export interface ReleaseNotes {
+  title: string;
+  body: string;
+  url: string;
+  publishedAt: string;
+  provider: ReleaseNotesProvider;
+}
+
+export interface ReleaseNotesProviderClient {
+  id: ReleaseNotesProvider;
+  supports: (sourceRepo: string) => boolean;
+  fetchByTag: (
+    sourceRepo: string,
+    tag: string,
+    token?: string,
+  ) => Promise<ReleaseNotes | undefined>;
+}
diff --git a/app/security/picomatch-lockfile.test.ts b/app/security/picomatch-lockfile.test.ts
new file mode 100644
index 000000000..5b063bfe9
--- /dev/null
+++ b/app/security/picomatch-lockfile.test.ts
@@ -0,0 +1,41 @@
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { describe, expect, test } from 'vitest';
+
+function compareSemver(a: string, b: string): number {
+  const aParts = a.split('.').map(Number);
+  const bParts = b.split('.').map(Number);
+
+  for (let index = 0; index < Math.max(aParts.length, bParts.length); index += 1) {
+    const aPart = aParts[index] ?? 0;
+    const bPart = bParts[index] ?? 0;
+
+    if (aPart !== bPart) {
+      return aPart - bPart;
+    }
+  }
+
+  return 0;
+}
+
+describe('app package lockfile security', () => {
+  test('package manifest explicitly pins picomatch to the patched version', () => {
+    const packageJson = JSON.parse(readFileSync(join(process.cwd(), 'package.json'), 'utf8')) as {
+      overrides?: Record<string, string>;
+    };
+
+    expect(packageJson.overrides?.picomatch).toBe('4.0.4');
+  });
+
+  test('package lockfile does not resolve vulnerable picomatch versions', () => {
+    const lockfile = JSON.parse(readFileSync(join(process.cwd(), 'package-lock.json'), 'utf8')) as {
+      packages?: Record<string, { version?: string }>;
+    };
+
+    const vulnerableEntries = Object.entries(lockfile.packages ?? {})
+      .filter(([path, value]) => path.includes('picomatch') && typeof value.version === 'string')
+      .filter(([, value]) => compareSemver(value.version, '4.0.4') < 0);
+
+    expect(vulnerableEntries).toEqual([]);
+  });
+});
diff --git a/app/security/scan.test.ts b/app/security/scan.test.ts
index 787229bbf..7fecbb7c8 100644
--- a/app/security/scan.test.ts
+++ b/app/security/scan.test.ts
@@ -970,6 +970,39 @@ test('scanImageForVulnerabilities catch should handle error with no message prop
   expect(result.error).toBe('Unknown security scan error');
 });
 
+test('scanImageForVulnerabilities catch should stringify non-string truthy message fields', async () => {
+  childProcessControl.execFileImpl = () => {
+    throw { message: { reason: 'malformed output' } };
+  };
+
+  const result = await scanImageForVulnerabilities({ image: 'img:test' });
+
+  expect(result.status).toBe('error');
+  expect(result.error).toBe('[object Object]');
+});
+
+test('scanImageForVulnerabilities catch should use fallback when thrown object has no message', async () => {
+  childProcessControl.execFileImpl = () => {
+    throw {};
+  };
+
+  const result = await scanImageForVulnerabilities({ image: 'img:test' });
+
+  expect(result.status).toBe('error');
+  expect(result.error).toBe('Unknown security scan error');
+});
+
+test('scanImageForVulnerabilities catch should use fallback when thrown object has an empty message', async () => {
+  childProcessControl.execFileImpl = () => {
+    throw { message: '' };
+  };
+
+  const result = await scanImageForVulnerabilities({ image: 'img:test' });
+
+  expect(result.status).toBe('error');
+  expect(result.error).toBe('Unknown security scan error');
+});
+
 test('verifyImageSignature catch should handle error with no message property', async () => {
   childProcessControl.execFileImpl = () => {
     throw 'bare string';
diff --git a/app/security/scan.ts b/app/security/scan.ts
index 2849007e3..63510ea23 100644
--- a/app/security/scan.ts
+++ b/app/security/scan.ts
@@ -514,6 +514,21 @@ function classifyCosignFailure(errorMessage: string): SecuritySignatureStatus {
   return 'error';
 }
 
+function getErrorMessage(error: unknown, fallback: string): string {
+  if (typeof error !== 'object' || error === null) {
+    return fallback;
+  }
+
+  const message = (error as { message?: unknown }).message;
+  if (typeof message === 'string') {
+    return message || fallback;
+  }
+  if (message) {
+    return `${message}`;
+  }
+  return fallback;
+}
+
 /**
  * Run vulnerability scan for an image using the configured scanner.
  * Currently supports Trivy only.
@@ -559,8 +574,8 @@ export async function scanImageForVulnerabilities(
       summary,
       vulnerabilities: vulnerabilitiesToStore,
     };
-  } catch (error: any) {
-    const errorMessage = error?.message || 'Unknown security scan error';
+  } catch (error: unknown) {
+    const errorMessage = getErrorMessage(error, 'Unknown security scan error');
     logSecurity.warn(`Security scan failed (${errorMessage})`);
     return mapToErrorResult(options.image, blockSeverities, errorMessage);
   }
@@ -597,8 +612,8 @@ export async function verifyImageSignature(
     const signaturesCount = signatures > 0 ? signatures : 1;
     logSecurity.info(`Signature verification passed (${signaturesCount} signatures)`);
     return mapToSignatureResult(options.image, configuration, 'verified', signaturesCount);
-  } catch (error: any) {
-    const errorMessage = error?.message || 'Unknown signature verification error';
+  } catch (error: unknown) {
+    const errorMessage = getErrorMessage(error, 'Unknown signature verification error');
     const status = classifyCosignFailure(errorMessage);
     logSecurity.warn(`Signature verification ${status} (${errorMessage})`);
     return mapToSignatureResult(options.image, configuration, status, 0, errorMessage);
@@ -639,8 +654,8 @@ export async function generateImageSbom(
       const sbomOutput = await runTrivySbomCommand(options, configuration, format);
       documentMap.set(format, JSON.parse(sbomOutput));
       generatedFormats.push(format);
-    } catch (error: any) {
-      errors.push(`${format}: ${error?.message || 'Unknown SBOM generation error'}`);
+    } catch (error: unknown) {
+      errors.push(`${format}: ${getErrorMessage(error, 'Unknown SBOM generation error')}`);
     }
   }
 
diff --git a/app/security/yaml-lockfile.test.ts b/app/security/yaml-lockfile.test.ts
new file mode 100644
index 000000000..141eb5d1c
--- /dev/null
+++ b/app/security/yaml-lockfile.test.ts
@@ -0,0 +1,41 @@
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { describe, expect, test } from 'vitest';
+
+function compareSemver(a: string, b: string): number {
+  const aParts = a.split('.').map(Number);
+  const bParts = b.split('.').map(Number);
+
+  for (let index = 0; index < Math.max(aParts.length, bParts.length); index += 1) {
+    const aPart = aParts[index] ?? 0;
+    const bPart = bParts[index] ?? 0;
+
+    if (aPart !== bPart) {
+      return aPart - bPart;
+    }
+  }
+
+  return 0;
+}
+
+describe('app yaml security', () => {
+  test('package manifest pins yaml to the patched version', () => {
+    const packageJson = JSON.parse(readFileSync(join(process.cwd(), 'package.json'), 'utf8')) as {
+      dependencies?: Record<string, string>;
+    };
+
+    expect(packageJson.dependencies?.yaml).toBe('2.8.3');
+  });
+
+  test('package lockfile does not resolve vulnerable yaml versions', () => {
+    const lockfile = JSON.parse(readFileSync(join(process.cwd(), 'package-lock.json'), 'utf8')) as {
+      packages?: Record<string, { version?: string }>;
+    };
+
+    const vulnerableEntries = Object.entries(lockfile.packages ?? {})
+      .filter(([path, value]) => path === 'node_modules/yaml' && typeof value.version === 'string')
+      .filter(([, value]) => compareSemver(value.version, '2.8.3') < 0);
+
+    expect(vulnerableEntries).toEqual([]);
+  });
+});
diff --git a/app/stats/calculation.test.ts b/app/stats/calculation.test.ts
new file mode 100644
index 000000000..d5444fb7a
--- /dev/null
+++ b/app/stats/calculation.test.ts
@@ -0,0 +1,177 @@
+import {
+  calculateContainerStatsSnapshot,
+  calculateCpuPercent,
+  type DockerContainerStats,
+} from './calculation.js';
+
+function createStats(overrides: Partial<DockerContainerStats> = {}): DockerContainerStats {
+  return {
+    cpu_stats: {
+      cpu_usage: {
+        total_usage: 400,
+        percpu_usage: [200, 200],
+      },
+      system_cpu_usage: 1000,
+      online_cpus: 2,
+    },
+    precpu_stats: {
+      cpu_usage: {
+        total_usage: 200,
+      },
+      system_cpu_usage: 800,
+    },
+    memory_stats: {
+      usage: 256,
+      limit: 1024,
+    },
+    networks: {
+      eth0: {
+        rx_bytes: 1000,
+        tx_bytes: 2000,
+      },
+      eth1: {
+        rx_bytes: 100,
+        tx_bytes: 200,
+      },
+    },
+    blkio_stats: {
+      io_service_bytes_recursive: [
+        { op: 'Read', value: 10 },
+        { op: 'Write', value: 20 },
+        { op: 'READ', value: 5 },
+        { op: 'WRITE', value: 7 },
+        { value: 999 },
+      ],
+    },
+    ...overrides,
+  } as DockerContainerStats;
+}
+
+describe('stats/calculation', () => {
+  test('calculates cpu percent from docker deltas', () => {
+    const previous = createStats({
+      cpu_stats: {
+        cpu_usage: { total_usage: 200, percpu_usage: [100, 100] },
+        system_cpu_usage: 800,
+        online_cpus: 2,
+      },
+    });
+    const current = createStats({
+      cpu_stats: {
+        cpu_usage: { total_usage: 400, percpu_usage: [200, 200] },
+        system_cpu_usage: 1000,
+        online_cpus: 2,
+      },
+    });
+
+    expect(calculateCpuPercent(current, previous)).toBe(200);
+  });
+
+  test('returns zero cpu percent when previous stats are missing or deltas are invalid', () => {
+    const current = createStats();
+    expect(calculateCpuPercent(current, undefined)).toBe(0);
+
+    const nonIncreasingSystem = createStats({
+      cpu_stats: {
+        cpu_usage: { total_usage: 500, percpu_usage: [250, 250] },
+        system_cpu_usage: 1000,
+        online_cpus: 2,
+      },
+    });
+    const previous = createStats({
+      cpu_stats: {
+        cpu_usage: { total_usage: 400, percpu_usage: [200, 200] },
+        system_cpu_usage: 1000,
+        online_cpus: 2,
+      },
+    });
+    expect(calculateCpuPercent(nonIncreasingSystem, previous)).toBe(0);
+  });
+
+  test('falls back to percpu usage length and single cpu when online cpu count is missing', () => {
+    const previousPerCpu = createStats({
+      cpu_stats: {
+        cpu_usage: { total_usage: 100, percpu_usage: [50, 50, 0] },
+        system_cpu_usage: 900,
+      },
+    });
+    const currentPerCpu = createStats({
+      cpu_stats: {
+        cpu_usage: { total_usage: 200, percpu_usage: [100, 100, 0] },
+        system_cpu_usage: 1000,
+      },
+    });
+    expect(calculateCpuPercent(currentPerCpu, previousPerCpu)).toBe(300);
+
+    const previousSingle = createStats({
+      cpu_stats: {
+        cpu_usage: { total_usage: 100 },
+        system_cpu_usage: 900,
+      },
+    });
+    const currentSingle = createStats({
+      cpu_stats: {
+        cpu_usage: { total_usage: 200 },
+        system_cpu_usage: 1000,
+      },
+    });
+    expect(calculateCpuPercent(currentSingle, previousSingle)).toBe(100);
+  });
+
+  test('builds normalized snapshot with memory, network, and block io totals', () => {
+    const snapshot = calculateContainerStatsSnapshot(
+      'container-1',
+      createStats(),
+      createStats({
+        cpu_stats: {
+          cpu_usage: { total_usage: 200, percpu_usage: [100, 100] },
+          system_cpu_usage: 800,
+          online_cpus: 2,
+        },
+      }),
+      Date.parse('2026-03-14T12:00:00.000Z'),
+    );
+
+    expect(snapshot).toEqual({
+      containerId: 'container-1',
+      cpuPercent: 200,
+      memoryUsageBytes: 256,
+      memoryLimitBytes: 1024,
+      memoryPercent: 25,
+      networkRxBytes: 1100,
+      networkTxBytes: 2200,
+      blockReadBytes: 15,
+      blockWriteBytes: 27,
+      timestamp: '2026-03-14T12:00:00.000Z',
+    });
+  });
+
+  test('returns zeroed network and block io totals when stats sections are missing', () => {
+    const snapshot = calculateContainerStatsSnapshot(
+      'container-2',
+      createStats({
+        networks: undefined,
+        blkio_stats: undefined,
+        memory_stats: {
+          usage: 100,
+          limit: 0,
+        },
+      }),
+      undefined,
+      Date.parse('2026-03-14T12:05:00.000Z'),
+    );
+
+    expect(snapshot).toEqual({
+      containerId: 'container-2',
+      cpuPercent: 0,
+      memoryUsageBytes: 100,
+      memoryLimitBytes: 0,
+      memoryPercent: 0,
+      networkRxBytes: 0,
+      networkTxBytes: 0,
+      blockReadBytes: 0,
+      blockWriteBytes: 0,
+      timestamp: '2026-03-14T12:05:00.000Z',
+    });
+  });
+});
diff --git a/app/stats/calculation.ts b/app/stats/calculation.ts
new file mode 100644
index 000000000..cb326075f
--- /dev/null
+++ b/app/stats/calculation.ts
@@ -0,0 +1,143 @@
+export interface DockerCpuUsage {
+  total_usage?: number;
+  percpu_usage?: number[];
+}
+
+export interface DockerCpuStats {
+  cpu_usage?: DockerCpuUsage;
+  system_cpu_usage?: number;
+  online_cpus?: number;
+}
+
+export interface DockerMemoryStats {
+  usage?: number;
+  limit?: number;
+}
+
+export interface DockerNetworkStats {
+  rx_bytes?: number;
+  tx_bytes?: number;
+}
+
+export interface DockerBlockIoEntry {
+  op?: string;
+  value?: number;
+}
+
+export interface DockerContainerStats {
+  cpu_stats?: DockerCpuStats;
+  memory_stats?: DockerMemoryStats;
+  networks?: Record<string, DockerNetworkStats | undefined>;
+  blkio_stats?: {
+    io_service_bytes_recursive?: DockerBlockIoEntry[];
+  };
+}
+
+export interface ContainerStatsSnapshot {
+  containerId: string;
+  cpuPercent: number;
+  memoryUsageBytes: number;
+  memoryLimitBytes: number;
+  memoryPercent: number;
+  networkRxBytes: number;
+  networkTxBytes: number;
+  blockReadBytes: number;
+  blockWriteBytes: number;
+  timestamp: string;
+}
+
+function toFiniteNumber(value: unknown): number {
+  return typeof value === 'number' && Number.isFinite(value) ? value : 0;
+}
+
+function resolveOnlineCpuCount(stats: DockerContainerStats): number {
+  const onlineCpus = Math.trunc(toFiniteNumber(stats.cpu_stats?.online_cpus));
+  if (onlineCpus > 0) {
+    return onlineCpus;
+  }
+  const perCpuUsage = stats.cpu_stats?.cpu_usage?.percpu_usage;
+  if (Array.isArray(perCpuUsage) && perCpuUsage.length > 0) {
+    return perCpuUsage.length;
+  }
+  return 1;
+}
+
+function roundMetric(value: number): number {
+  return Number.parseFloat(value.toFixed(2));
+}
+
+export function calculateCpuPercent(
+  currentStats: DockerContainerStats,
+  previousStats?: DockerContainerStats,
+): number {
+  if (!previousStats) {
+    return 0;
+  }
+
+  const cpuDelta =
+    toFiniteNumber(currentStats.cpu_stats?.cpu_usage?.total_usage) -
+    toFiniteNumber(previousStats.cpu_stats?.cpu_usage?.total_usage);
+  const systemDelta =
+    toFiniteNumber(currentStats.cpu_stats?.system_cpu_usage) -
+    toFiniteNumber(previousStats.cpu_stats?.system_cpu_usage);
+
+  if (cpuDelta <= 0 || systemDelta <= 0) {
+    return 0;
+  }
+
+  const cpuPercent = (cpuDelta / systemDelta) * resolveOnlineCpuCount(currentStats) * 100;
+  return roundMetric(cpuPercent);
+}
+
+function sumNetworkBytes(stats: DockerContainerStats, key: 'rx_bytes' | 'tx_bytes'): number {
+  const networks = stats.networks;
+  if (!networks || typeof networks !== 'object') {
+    return 0;
+  }
+
+  let totalBytes = 0;
+  for (const networkStats of Object.values(networks)) {
+    totalBytes += toFiniteNumber(networkStats?.[key]);
+  }
+  return totalBytes;
+}
+
+function sumBlockIoByOperation(stats: DockerContainerStats, operation: 'read' | 'write'): number {
+  const entries = stats.blkio_stats?.io_service_bytes_recursive;
+  if (!Array.isArray(entries)) {
+    return 0;
+  }
+
+  let totalBytes = 0;
+  for (const entry of entries) {
+    if ((entry.op ?? '').toLowerCase() === operation) {
+      totalBytes += toFiniteNumber(entry.value);
+    }
+  }
+  return totalBytes;
+}
+
+export function calculateContainerStatsSnapshot(
+  containerId: string,
+  currentStats: DockerContainerStats,
+  previousStats?: DockerContainerStats,
+  nowMs = Date.now(),
+): ContainerStatsSnapshot {
+  const memoryUsageBytes = toFiniteNumber(currentStats.memory_stats?.usage);
+  const memoryLimitBytes = toFiniteNumber(currentStats.memory_stats?.limit);
+  const memoryPercent =
+    memoryLimitBytes > 0 ? roundMetric((memoryUsageBytes / memoryLimitBytes) * 100) : 0;
+
+  return {
+    containerId,
+    cpuPercent: calculateCpuPercent(currentStats, previousStats),
+    memoryUsageBytes,
+    memoryLimitBytes,
+    memoryPercent,
+    networkRxBytes: sumNetworkBytes(currentStats, 'rx_bytes'),
+    networkTxBytes: sumNetworkBytes(currentStats, 'tx_bytes'),
+    blockReadBytes: sumBlockIoByOperation(currentStats, 'read'),
+    blockWriteBytes: sumBlockIoByOperation(currentStats, 'write'),
+    timestamp: new Date(nowMs).toISOString(),
+  };
+}
diff --git a/app/stats/collector.test.ts b/app/stats/collector.test.ts
new file mode 100644
index 000000000..9baca7180
--- /dev/null
+++ b/app/stats/collector.test.ts
@@ -0,0 +1,814 @@
+import { beforeEach, describe, expect, test, vi } from 'vitest';
+import { createContainerStatsCollector } from './collector.js';
+
+const { mockCollectorLogger } = vi.hoisted(() => ({
+  mockCollectorLogger: {
+    trace: vi.fn(),
+    warn: vi.fn(),
+  },
+}));
+
+vi.mock('../log/index.js', () => ({
+  default: {
+    child: vi.fn(() => mockCollectorLogger),
+  },
+}));
+
+type StreamListener = (payload?: unknown) => void;
+
+function createMockStatsStream() {
+  const listeners = new Map<string, StreamListener[]>();
+  const stream = {
+    on: vi.fn((event: string, handler: StreamListener) => {
+      const handlers = listeners.get(event) ?? [];
+      handlers.push(handler);
+      listeners.set(event, handlers);
+      return stream;
+    }),
+    removeAllListeners: vi.fn(() => {
+      listeners.clear();
+    }),
+    destroy: vi.fn(),
+    emit(event: string, payload?: unknown) {
+      for (const handler of listeners.get(event) ?? []) {
+        handler(payload);
+      }
+    },
+  };
+  return stream;
+}
+
+function createHarness() {
+  let nowMs = Date.parse('2026-03-14T12:00:00.000Z');
+  const containersById = new Map<string, { id: string; name: string; watcher: string }>([
+    [
+      'c1',
+      {
+        id: 'c1',
+        name: 'web',
+        watcher: 'local',
+      },
+    ],
+    [
+      'c2',
+      {
+        id: 'c2',
+        name: 'api',
+        watcher: 'local',
+      },
+    ],
+  ]);
+  const stream = createMockStatsStream();
+  const stats = vi.fn(async () => stream);
+  const getContainer = vi.fn((containerId: string) => containersById.get(containerId));
+  const getContainerApi = vi.fn(() => ({ stats }));
+  const getWatchers = vi.fn(() => ({
+    'docker.local': {
+      dockerApi: {
+        getContainer: getContainerApi,
+      },
+    },
+  }));
+  const collector = createContainerStatsCollector({
+    getContainerById: getContainer,
+    getWatchers,
+    intervalSeconds: 10,
+    historySize: 3,
+    now: () => nowMs,
+  });
+
+  const emitStats = (cpuTotal: number, systemTotal: number) => {
+    stream.emit('data', {
+      cpu_stats: {
+        cpu_usage: {
+          total_usage: cpuTotal,
+          percpu_usage: [cpuTotal / 2, cpuTotal / 2],
+        },
+        system_cpu_usage: systemTotal,
+        online_cpus: 2,
+      },
+      memory_stats: {
+        usage: 256,
+        limit: 1024,
+      },
+      networks: {
+        eth0: {
+          rx_bytes: 100,
+          tx_bytes: 200,
+        },
+      },
+      blkio_stats: {
+        io_service_bytes_recursive: [
+          { op: 'Read', value: 10 },
+          { op: 'Write', value: 20 },
+        ],
+      },
+    });
+  };
+
+  return {
+    collector,
+    stream,
+    stats,
+    getContainer,
+    getContainerApi,
+    getWatchers,
+    emitStats,
+    setContainer: (
+      containerId: string,
+      nextContainer?: { id: string; name: string; watcher: string },
+    ) => {
+      if (nextContainer) {
+        containersById.set(containerId, nextContainer);
+        return;
+      }
+      containersById.delete(containerId);
+    },
+    advanceNowByMs: (deltaMs: number) => {
+      nowMs += deltaMs;
+    },
+  };
+}
+
+describe('stats/collector', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    vi.useFakeTimers();
+  });
+
+  test('starts docker stats stream on watch and stops when released', async () => {
+    const harness = createHarness();
+
+    const release = harness.collector.watch('c1');
+    await Promise.resolve();
+
+    expect(harness.getContainer).toHaveBeenCalledWith('c1');
+    expect(harness.getContainerApi).toHaveBeenCalledWith('web');
+    expect(harness.stats).toHaveBeenCalledWith({ stream: true });
+
+    release();
+
+    expect(harness.stream.destroy).toHaveBeenCalledTimes(1);
+  });
+
+  test('release callback is idempotent', async () => {
+    const harness = createHarness();
+    const release = harness.collector.watch('c1');
+    await Promise.resolve();
+
+    release();
+    release();
+
+    expect(harness.stream.destroy).toHaveBeenCalledTimes(1);
+  });
+
+  test('does not attach listeners when watch is released before async start resolves', async () => {
+    const stream = createMockStatsStream();
+    let resolveStats: ((value: typeof stream) => void) | undefined;
+    const stats = vi.fn(
+      () =>
+        new Promise<typeof stream>((resolve) => {
+          resolveStats = resolve;
+        }),
+    );
+    const collector = createContainerStatsCollector({
+      getContainerById: () => ({ id: 'c1', name: 'web', watcher: 'local' }) as any,
+      getWatchers: () => ({
+        'docker.local': {
+          dockerApi: {
+            getContainer: () => ({ stats }),
+          },
+        },
+      }),
+      intervalSeconds: 10,
+      historySize: 3,
+      now: () => Date.now(),
+    });
+
+    const release = collector.watch('c1');
+    expect(stats).toHaveBeenCalledTimes(1);
+
+    release();
+    resolveStats?.(stream);
+    await Promise.resolve();
+
+    expect(stream.on).not.toHaveBeenCalled();
+    expect(stream.destroy).toHaveBeenCalledTimes(1);
+  });
+
+  test('reuses the pending stream start when a watch is reacquired before startup resolves', async () => {
+    const stream = createMockStatsStream();
+    let resolveStats: ((value: typeof stream) => void) | undefined;
+    const stats = vi.fn(
+      () =>
+        new Promise<typeof stream>((resolve) => {
+          resolveStats = resolve;
+        }),
+    );
+    const collector = createContainerStatsCollector({
+      getContainerById: () => ({ id: 'c1', name: 'web', watcher: 'local' }) as any,
+      getWatchers: () => ({
+        'docker.local': {
+          dockerApi: {
+            getContainer: () => ({ stats }),
+          },
+        },
+      }),
+      intervalSeconds: 10,
+      historySize: 3,
+      now: () => Date.now(),
+    });
+
+    const releaseFirstWatch = collector.watch('c1');
+    expect(stats).toHaveBeenCalledTimes(1);
+
+    releaseFirstWatch();
+
+    const releaseSecondWatch = collector.watch('c1');
+    expect(stats).toHaveBeenCalledTimes(1);
+
+    resolveStats?.(stream);
+    await Promise.resolve();
+
+    expect(stream.on).toHaveBeenCalledTimes(4);
+    expect(stream.destroy).not.toHaveBeenCalled();
+
+    releaseSecondWatch();
+    expect(stream.destroy).toHaveBeenCalledTimes(1);
+  });
+
+  test('destroys the resolved stream when all concurrent watches release before startup resolves', async () => {
+    const stream = createMockStatsStream();
+    let resolveStats: ((value: typeof stream) => void) | undefined;
+    const stats = vi.fn(
+      () =>
+        new Promise<typeof stream>((resolve) => {
+          resolveStats = resolve;
+        }),
+    );
+    const collector = createContainerStatsCollector({
+      getContainerById: () => ({ id: 'c1', name: 'web', watcher: 'local' }) as any,
+      getWatchers: () => ({
+        'docker.local': {
+          dockerApi: {
+            getContainer: () => ({ stats }),
+          },
+        },
+      }),
+      intervalSeconds: 10,
+      historySize: 3,
+      now: () => Date.now(),
+    });
+
+    const releaseFirstWatch = collector.watch('c1');
+    const releaseSecondWatch = collector.watch('c1');
+    expect(stats).toHaveBeenCalledTimes(1);
+
+    releaseFirstWatch();
+    releaseSecondWatch();
+
+    resolveStats?.(stream);
+    await Promise.resolve();
+
+    expect(stream.on).not.toHaveBeenCalled();
+    expect(stream.destroy).toHaveBeenCalledTimes(1);
+  });
+
+  test('collects snapshots, throttles by interval, and notifies subscribers', async () => {
+    const harness = createHarness();
+    const onSnapshot = vi.fn();
+    const release = harness.collector.watch('c1');
+    const unsubscribe = harness.collector.subscribe('c1', onSnapshot);
+    await Promise.resolve();
+
+    harness.emitStats(100, 1000);
+    harness.advanceNowByMs(1_000);
+    harness.emitStats(200, 1100);
+    harness.advanceNowByMs(10_000);
+    harness.emitStats(400, 1300);
+
+    const latest = harness.collector.getLatest('c1');
+    const history = harness.collector.getHistory('c1');
+    expect(onSnapshot).toHaveBeenCalledTimes(2);
+    expect(latest).toEqual(
+      expect.objectContaining({
+        containerId: 'c1',
+        cpuPercent: 200,
+        memoryPercent: 25,
+        networkRxBytes: 100,
+        networkTxBytes: 200,
+        blockReadBytes: 10,
+        blockWriteBytes: 20,
+      }),
+    );
+    expect(history).toHaveLength(2);
+
+    unsubscribe();
+    release();
+  });
+
+  test('logs trace when dropping a throttled stats sample', async () => {
+    const harness = createHarness();
+    const release = harness.collector.watch('c1');
+    await Promise.resolve();
+
+    harness.emitStats(100, 1000);
+    harness.advanceNowByMs(1_000);
+    harness.emitStats(200, 1100);
+
+    expect(mockCollectorLogger.trace).toHaveBeenCalledWith(
+      expect.objectContaining({
+        containerId: 'c1',
+        elapsedMs: 1_000,
+        intervalMs: 10_000,
+      }),
+      'Dropping throttled container stats sample',
+    );
+
+    release();
+  });
+
+  test('supports JSON string payload chunks', async () => {
+    const harness = createHarness();
+    const release = harness.collector.watch('c1');
+    await Promise.resolve();
+
+    harness.stream.emit(
+      'data',
+      JSON.stringify({
+        cpu_stats: {
+          cpu_usage: {
+            total_usage: 100,
+            percpu_usage: [50, 50],
+          },
+          system_cpu_usage: 1000,
+          online_cpus: 2,
+        },
+        memory_stats: {
+          usage: 512,
+          limit: 1024,
+        },
+        networks: {},
+        blkio_stats: {
+          io_service_bytes_recursive: [],
+        },
+      }),
+    );
+
+    expect(harness.collector.getLatest('c1')).toEqual(
+      expect.objectContaining({
+        memoryUsageBytes: 512,
+        memoryPercent: 50,
+      }),
+    );
+
+    release();
+  });
+
+  test('supports Buffer payload chunks', async () => {
+    const harness = createHarness();
+    const release = harness.collector.watch('c1');
+    await Promise.resolve();
+
+    harness.stream.emit(
+      'data',
+      Buffer.from(
+        JSON.stringify({
+          cpu_stats: {
+            cpu_usage: {
+              total_usage: 100,
+              percpu_usage: [50, 50],
+            },
+            system_cpu_usage: 1000,
+            online_cpus: 2,
+          },
+          memory_stats: {
+            usage: 128,
+            limit: 256,
+          },
+          networks: {},
+          blkio_stats: {
+            io_service_bytes_recursive: [],
+          },
+        }),
+      ),
+    );
+
+    expect(harness.collector.getLatest('c1')).toEqual(
+      expect.objectContaining({
+        memoryUsageBytes: 128,
+        memoryLimitBytes: 256,
+      }),
+    );
+
+    release();
+  });
+
+  test('ignores empty and malformed chunk payloads', async () => {
+    const harness = createHarness();
+    const release = harness.collector.watch('c1');
+    await Promise.resolve();
+
+    harness.stream.emit('data', undefined);
+    harness.stream.emit('data', '\n');
+    harness.stream.emit('data', 'not-json');
+
+    expect(harness.collector.getLatest('c1')).toBeUndefined();
+    release();
+  });
+
+  test('touch starts temporary watch and auto-releases after ttl', async () => {
+    const harness = createHarness();
+
+    harness.collector.touch('c1');
+    await Promise.resolve();
+    expect(harness.stats).toHaveBeenCalledTimes(1);
+
+    await vi.advanceTimersByTimeAsync(35_000);
+    expect(harness.stream.destroy).toHaveBeenCalledTimes(1);
+  });
+
+  test('touch refresh clears previous timeout and delays release', async () => {
+    const harness = createHarness();
+    harness.collector.touch('c1');
+    await Promise.resolve();
+
+    await vi.advanceTimersByTimeAsync(10_000);
+    harness.collector.touch('c1');
+    await vi.advanceTimersByTimeAsync(10_000);
+    expect(harness.stream.destroy).not.toHaveBeenCalled();
+
+    await vi.advanceTimersByTimeAsync(25_000);
+    expect(harness.stream.destroy).toHaveBeenCalledTimes(1);
+  });
+
+  test('reuses one deleted-state sweep interval and keeps it running while other states remain', async () => {
+    const intervalHandle = { id: 'deleted-state-sweep' };
+    let runDeletedStateSweep: (() => void) | undefined;
+    const setIntervalFn = vi.fn((callback: () => void) => {
+      runDeletedStateSweep = callback;
+      return intervalHandle as any;
+    });
+    const clearIntervalFn = vi.fn();
+    const containersById = new Map<string, { id: string; name: string; watcher: string }>([
+      ['c1', { id: 'c1', name: 'web', watcher: 'local' }],
+      ['c2', { id: 'c2', name: 'api', watcher: 'local' }],
+    ]);
+    const collector = createContainerStatsCollector({
+      getContainerById: (containerId: string) => containersById.get(containerId) as any,
+      getWatchers: () => ({
+        'docker.local': {
+          dockerApi: {
+            getContainer: () => ({
+              stats: vi.fn(async () => createMockStatsStream()),
+            }),
+          },
+        },
+      }),
+      intervalSeconds: 10,
+      historySize: 3,
+      now: () => Date.now(),
+      setIntervalFn,
+      clearIntervalFn,
+    });
+
+    const releaseFirst = collector.watch('c1');
+    const releaseSecond = collector.watch('c2');
+    await Promise.resolve();
+
+    expect(setIntervalFn).toHaveBeenCalledTimes(1);
+
+    releaseFirst();
+    containersById.delete('c1');
+    runDeletedStateSweep?.();
+
+    expect(clearIntervalFn).not.toHaveBeenCalled();
+
+    releaseSecond();
+    containersById.delete('c2');
+    runDeletedStateSweep?.();
+    expect(setIntervalFn).toHaveBeenCalledTimes(1);
+  });
+
+  test('handles error/close/end stream lifecycle events', async () => {
+    const harness = createHarness();
+    const release = harness.collector.watch('c1');
+    await vi.advanceTimersByTimeAsync(0);
+    expect(harness.stats).toHaveBeenCalledTimes(1);
+
+    // Error triggers cleanup + restart — listeners are removed before new stream starts
+    harness.stream.emit('error', new Error('stream-error'));
+    expect(harness.stream.removeAllListeners).toHaveBeenCalledTimes(1);
+    expect(harness.stream.destroy).toHaveBeenCalledTimes(1);
+
+    // Let restart's startStream resolve (re-attaches listeners to same mock stream)
+    await vi.advanceTimersByTimeAsync(0);
+    expect(harness.stats).toHaveBeenCalledTimes(2);
+
+    // close triggers another restart (new listeners were attached on restart)
+    harness.stream.emit('close');
+    await vi.advanceTimersByTimeAsync(0);
+    expect(harness.stats).toHaveBeenCalledTimes(3);
+
+    // end triggers another restart
+    harness.stream.emit('end');
+    await vi.advanceTimersByTimeAsync(0);
+    expect(harness.stats).toHaveBeenCalledTimes(4);
+
+    release();
+  });
+
+  test('removes listeners from old stream before restarting on error', async () => {
+    const harness = createHarness();
+    harness.collector.watch('c1');
+    await Promise.resolve();
+
+    expect(harness.stream.removeAllListeners).not.toHaveBeenCalled();
+
+    harness.stream.emit('error', new Error('disconnect'));
+    await Promise.resolve();
+
+    expect(harness.stream.removeAllListeners).toHaveBeenCalledTimes(1);
+    expect(harness.stream.destroy).toHaveBeenCalledTimes(1);
+  });
+
+  test('removes listeners from stream on release', async () => {
+    const harness = createHarness();
+    const release = harness.collector.watch('c1');
+    await Promise.resolve();
+
+    release();
+
+    expect(harness.stream.removeAllListeners).toHaveBeenCalledTimes(1);
+    expect(harness.stream.destroy).toHaveBeenCalledTimes(1);
+  });
+
+  test('drops collected state after container deletion once watch is released', async () => {
+    const harness = createHarness();
+    const release = harness.collector.watch('c1');
+    await Promise.resolve();
+
+    harness.emitStats(100, 1000);
+    expect(harness.collector.getLatest('c1')).toEqual(
+      expect.objectContaining({
+        containerId: 'c1',
+      }),
+    );
+    expect(harness.collector.getHistory('c1')).toHaveLength(1);
+
+    harness.getContainer.mockReturnValue(undefined);
+    release();
+    await Promise.resolve();
+
+    expect(harness.collector.getLatest('c1')).toBeUndefined();
+    expect(harness.collector.getHistory('c1')).toEqual([]);
+  });
+
+  test('getLatest prunes inactive state when the requested container has been deleted', async () => {
+    const harness = createHarness();
+    const release = harness.collector.watch('c1');
+    await vi.advanceTimersByTimeAsync(0);
+
+    // Emit at least one snapshot so getLatest returns data while container exists
+    harness.emitStats(100, 1000);
+    expect(harness.collector.getLatest('c1')).toBeDefined();
+
+    // Release while container still exists — state goes inactive but stays in the map
+    release();
+
+    // Container is now deleted
+    harness.getContainer.mockReturnValue(undefined);
+
+    // Advancing the injected clock should not matter here because getLatest performs
+    // same-container pruning after it resolves the cached state.
+    harness.advanceNowByMs(31_000);
+
+    expect(harness.collector.getLatest('c1')).toBeUndefined();
+  });
+
+  test('does not sweep unrelated inactive deleted states during request reads before the timer fires', async () => {
+    const harness = createHarness();
+    const release = harness.collector.watch('c1');
+    await vi.advanceTimersByTimeAsync(0);
+
+    harness.emitStats(100, 1000);
+    expect(harness.collector.getHistory('c1')).toHaveLength(1);
+
+    release();
+    harness.setContainer('c1');
+    harness.advanceNowByMs(31_000);
+
+    expect(harness.collector.getLatest('c2')).toBeUndefined();
+
+    const reuseRelease = harness.collector.watch('c1');
+    await vi.advanceTimersByTimeAsync(0);
+    expect(harness.collector.getHistory('c1')).toHaveLength(1);
+
+    reuseRelease();
+    await vi.advanceTimersByTimeAsync(30_000);
+
+    const postSweepRelease = harness.collector.watch('c1');
+    await vi.advanceTimersByTimeAsync(0);
+    expect(harness.collector.getHistory('c1')).toEqual([]);
+
+    postSweepRelease();
+  });
+
+  test('getHistory returns empty array when state is pruned during the call', async () => {
+    const harness = createHarness();
+    const release = harness.collector.watch('c1');
+    await vi.advanceTimersByTimeAsync(0);
+
+    harness.emitStats(100, 1000);
+    expect(harness.collector.getHistory('c1')).toHaveLength(1);
+
+    // Release while container still exists — state inactive but not pruned
+    release();
+
+    // Container deleted — next getHistory prunes state mid-call
+    harness.getContainer.mockReturnValue(undefined);
+
+    expect(harness.collector.getHistory('c1')).toEqual([]);
+  });
+
+  test('returns empty history for unknown containers', () => {
+    const harness = createHarness();
+    expect(harness.collector.getHistory('missing')).toEqual([]);
+  });
+
+  test('does not throw when container is missing or watcher cannot provide docker api', async () => {
+    const harness = createHarness();
+    harness.getContainer.mockReturnValueOnce(undefined);
+    harness.getWatchers.mockReturnValueOnce({});
+
+    const releaseMissing = harness.collector.watch('missing');
+    await Promise.resolve();
+    expect(harness.collector.getLatest('missing')).toBeUndefined();
+    releaseMissing();
+
+    const releaseUnsupported = harness.collector.watch('c1');
+    await Promise.resolve();
+    expect(harness.collector.getLatest('c1')).toBeUndefined();
+    releaseUnsupported();
+  });
+
+  test('gracefully handles invalid stream results and stream startup errors', async () => {
+    const getContainer = vi.fn(() => ({ id: 'c1', name: 'web', watcher: 'local' }));
+    const getWatchersNull = vi.fn(() => ({
+      'docker.local': {
+        dockerApi: {
+          getContainer: vi.fn(() => ({ stats: vi.fn(async () => null) })),
+        },
+      },
+    }));
+    const collectorNull = createContainerStatsCollector({
+      getContainerById: getContainer,
+      getWatchers: getWatchersNull,
+      intervalSeconds: 10,
+      historySize: 3,
+      now: () => Date.now(),
+    });
+    const releaseNull = collectorNull.watch('c1');
+    await Promise.resolve();
+    releaseNull();
+
+    const getWatchersInvalid = vi.fn(() => ({
+      'docker.local': {
+        dockerApi: {
+          getContainer: vi.fn(() => ({ stats: vi.fn(async () => ({})) })),
+        },
+      },
+    }));
+    const collectorInvalid = createContainerStatsCollector({
+      getContainerById: getContainer,
+      getWatchers: getWatchersInvalid,
+      intervalSeconds: 10,
+      historySize: 3,
+      now: () => Date.now(),
+    });
+    const releaseInvalid = collectorInvalid.watch('c1');
+    await Promise.resolve();
+    releaseInvalid();
+
+    const getWatchersThrow = vi.fn(() => ({
+      'docker.local': {
+        dockerApi: {
+          getContainer: vi.fn(() => ({
+            stats: vi.fn(async () => {
+              throw new Error('failed');
+            }),
+          })),
+        },
+      },
+    }));
+    const collectorThrow = createContainerStatsCollector({
+      getContainerById: getContainer,
+      getWatchers: getWatchersThrow,
+      intervalSeconds: 10,
+      historySize: 3,
+      now: () => Date.now(),
+    });
+    const releaseThrow = collectorThrow.watch('c1');
+    await Promise.resolve();
+    releaseThrow();
+  });
+
+  test('detaches stream when listener attachment throws mid-way', async () => {
+    let callCount = 0;
+    const stream = {
+      on: vi.fn(() => {
+        callCount += 1;
+        if (callCount === 2) {
+          throw new Error('stream destroyed');
+        }
+        return stream;
+      }),
+      removeAllListeners: vi.fn(),
+      destroy: vi.fn(),
+    };
+    const collector = createContainerStatsCollector({
+      getContainerById: () => ({ id: 'c1', name: 'web', watcher: 'local' }) as any,
+      getWatchers: () => ({
+        'docker.local': {
+          dockerApi: {
+            getContainer: () => ({ stats: vi.fn(async () => stream) }),
+          },
+        },
+      }),
+      intervalSeconds: 10,
+      historySize: 3,
+      now: () => Date.now(),
+    });
+
+    const release = collector.watch('c1');
+    await Promise.resolve();
+
+    // First .on() succeeded, second threw — stream should be cleaned up
+    expect(stream.removeAllListeners).toHaveBeenCalledTimes(1);
+    expect(stream.destroy).toHaveBeenCalledTimes(1);
+
+    release();
+  });
+
+  test('uses default configuration fallbacks and avoids duplicate start while pending', async () => {
+    const previousInterval = process.env.DD_STATS_INTERVAL;
+    const previousHistory = process.env.DD_STATS_HISTORY_SIZE;
+    process.env.DD_STATS_INTERVAL = '2';
+    process.env.DD_STATS_HISTORY_SIZE = '4';
+
+    try {
+      const stream = createMockStatsStream();
+      const stats = vi.fn(async () => stream);
+      const collector = createContainerStatsCollector({
+        getContainerById: () => ({ id: 'c1', name: 'web', watcher: 'local' }) as any,
+        getWatchers: () => ({
+          'docker.local': {
+            dockerApi: {
+              getContainer: () => ({ stats }),
+            },
+          },
+        }),
+      });
+
+      const releaseOne = collector.watch('c1');
+      const releaseTwo = collector.watch('c1');
+      await Promise.resolve();
+
+      expect(stats).toHaveBeenCalledTimes(1);
+      stream.emit('data', {
+        cpu_stats: {
+          cpu_usage: { total_usage: 100, percpu_usage: [50, 50] },
+          system_cpu_usage: 200,
+          online_cpus: 2,
+        },
+        memory_stats: {
+          usage: 100,
+          limit: 200,
+        },
+        networks: {},
+        blkio_stats: {
+          io_service_bytes_recursive: [],
+        },
+      });
+      expect(collector.getLatest('c1')).toEqual(
+        expect.objectContaining({
+          containerId: 'c1',
+          memoryPercent: 50,
+        }),
+      );
+      releaseOne();
+      releaseTwo();
+    } finally {
+      if (previousInterval === undefined) {
+        delete process.env.DD_STATS_INTERVAL;
+      } else {
+        process.env.DD_STATS_INTERVAL = previousInterval;
+      }
+      if (previousHistory === undefined) {
+        delete process.env.DD_STATS_HISTORY_SIZE;
+      } else {
+        process.env.DD_STATS_HISTORY_SIZE = previousHistory;
+      }
+    }
+  });
+});
diff --git a/app/stats/collector.ts b/app/stats/collector.ts
new file mode 100644
index 000000000..2cde3acb1
--- /dev/null
+++ b/app/stats/collector.ts
@@ -0,0 +1,492 @@
+import logger from '../log/index.js';
+import type { Container } from '../model/container.js';
+import { getErrorMessage } from '../util/error.js';
+import {
+  type ContainerStatsSnapshot,
+  calculateContainerStatsSnapshot,
+  type DockerContainerStats,
+} from './calculation.js';
+import { getStatsHistorySize, getStatsIntervalSeconds } from './config.js';
+import { RingBuffer } from './ring-buffer.js';
+
+const log = logger.child({ component: 'stats.collector' });
+const MIN_REST_TOUCH_TTL_MS = 15_000;
+const REST_TOUCH_TTL_MULTIPLIER = 3;
+
+interface DockerStatsStream {
+  on: (event: string, listener: (payload?: unknown) => void) => unknown;
+  removeAllListeners?: () => void;
+  destroy?: () => void;
+}
+
+interface DockerStatsContainerApi {
+  stats: (options: { stream: true }) => Promise<DockerStatsStream> | DockerStatsStream;
+}
+
+interface DockerStatsWatcherApi {
+  dockerApi: {
+    getContainer: (containerName: string) => DockerStatsContainerApi;
+  };
+}
+
+type StatsListener = (snapshot: ContainerStatsSnapshot) => void;
+
+interface ContainerCollectionState {
+  watchCount: number;
+  stream?: DockerStatsStream;
+  startPromise?: Promise<void>;
+  restTouchRelease?: () => void;
+  restTouchTimeout?: ReturnType<typeof globalThis.setTimeout>;
+  lastSampleAtMs?: number;
+  previousStats?: DockerContainerStats;
+  latest?: ContainerStatsSnapshot;
+  history: RingBuffer<ContainerStatsSnapshot>;
+  listeners: Set<StatsListener>;
+}
+
+interface ContainerStatsCollectorDependencies {
+  getContainerById: (id: string) => Container | undefined;
+  getWatchers: () => Record<string, unknown>;
+  intervalSeconds?: number;
+  historySize?: number;
+  now?: () => number;
+  setIntervalFn?: typeof globalThis.setInterval;
+  clearIntervalFn?: typeof globalThis.clearInterval;
+  setTimeoutFn?: typeof globalThis.setTimeout;
+  clearTimeoutFn?: typeof globalThis.clearTimeout;
+}
+
+export interface ContainerStatsCollector {
+  watch: (containerId: string) => () => void;
+  touch: (containerId: string) => void;
+  subscribe: (containerId: string, listener: StatsListener) => () => void;
+  getLatest: (containerId: string) => ContainerStatsSnapshot | undefined;
+  getHistory: (containerId: string) => ContainerStatsSnapshot[];
+}
+
+interface CollectorRuntime {
+  dependencies: ContainerStatsCollectorDependencies;
+  intervalMs: number;
+  historySize: number;
+  now: () => number;
+  setIntervalFn: typeof globalThis.setInterval;
+  clearIntervalFn: typeof globalThis.clearInterval;
+  setTimeoutFn: typeof globalThis.setTimeout;
+  clearTimeoutFn: typeof globalThis.clearTimeout;
+  restTouchTtlMs: number;
+  states: Map<string, ContainerCollectionState>;
+  stateSweepInterval?: ReturnType<typeof globalThis.setInterval>;
+}
+
+interface ResolvedStatsTarget {
+  containerName: string;
+  watcher: DockerStatsWatcherApi;
+}
+
+function isDockerStatsWatcherApi(watcher: unknown): watcher is DockerStatsWatcherApi {
+  if (!watcher || typeof watcher !== 'object') {
+    return false;
+  }
+  const dockerApi = (watcher as DockerStatsWatcherApi).dockerApi;
+  return !!dockerApi && typeof dockerApi.getContainer === 'function';
+}
+
+function isDockerStatsStream(stream: unknown): stream is DockerStatsStream {
+  if (!stream || typeof stream !== 'object') {
+    return false;
+  }
+  return typeof (stream as DockerStatsStream).on === 'function';
+}
+
+function parseStatsChunk(chunk: unknown): DockerContainerStats[] {
+  if (!chunk) {
+    return [];
+  }
+  if (typeof chunk === 'object' && !Buffer.isBuffer(chunk)) {
+    return [chunk as DockerContainerStats];
+  }
+
+  const rawChunk = Buffer.isBuffer(chunk) ? chunk.toString('utf8') : String(chunk);
+  const payloads: DockerContainerStats[] = [];
+
+  for (const line of rawChunk.split('\n')) {
+    const candidate = line.trim();
+    if (!candidate) {
+      continue;
+    }
+    try {
+      payloads.push(JSON.parse(candidate) as DockerContainerStats);
+    } catch {
+      // Ignore malformed stream chunk slices. Later chunks will often include a complete JSON object.
+    }
+  }
+
+  return payloads;
+}
+
+function createCollectorRuntime(
+  dependencies: ContainerStatsCollectorDependencies,
+): CollectorRuntime {
+  const intervalMs = Math.max(1, dependencies.intervalSeconds ?? getStatsIntervalSeconds()) * 1000;
+  const historySize = Math.max(1, dependencies.historySize ?? getStatsHistorySize());
+  const now = dependencies.now ?? (() => Date.now());
+  const setIntervalFn = dependencies.setIntervalFn ?? globalThis.setInterval;
+  const clearIntervalFn = dependencies.clearIntervalFn ?? globalThis.clearInterval;
+  const setTimeoutFn = dependencies.setTimeoutFn ?? globalThis.setTimeout;
+  const clearTimeoutFn = dependencies.clearTimeoutFn ?? globalThis.clearTimeout;
+  const restTouchTtlMs = Math.max(MIN_REST_TOUCH_TTL_MS, intervalMs * REST_TOUCH_TTL_MULTIPLIER);
+  return {
+    dependencies,
+    intervalMs,
+    historySize,
+    now,
+    setIntervalFn,
+    clearIntervalFn,
+    setTimeoutFn,
+    clearTimeoutFn,
+    restTouchTtlMs,
+    states: new Map<string, ContainerCollectionState>(),
+  };
+}
+
+function createCollectionState(historySize: number): ContainerCollectionState {
+  return {
+    watchCount: 0,
+    history: new RingBuffer<ContainerStatsSnapshot>(historySize),
+    listeners: new Set<StatsListener>(),
+  };
+}
+
+function getOrCreateState(
+  runtime: CollectorRuntime,
+  containerId: string,
+): ContainerCollectionState {
+  const existingState = runtime.states.get(containerId);
+  if (existingState) {
+    return existingState;
+  }
+
+  const nextState = createCollectionState(runtime.historySize);
+  runtime.states.set(containerId, nextState);
+  ensureDeletedStateSweep(runtime);
+  return nextState;
+}
+
+function isStateInactive(state: ContainerCollectionState): boolean {
+  return (
+    state.watchCount === 0 &&
+    !state.stream &&
+    !state.startPromise &&
+    !state.restTouchRelease &&
+    !state.restTouchTimeout &&
+    state.listeners.size === 0
+  );
+}
+
+function pruneContainerStateIfMissing(
+  runtime: CollectorRuntime,
+  containerId: string,
+  state: ContainerCollectionState,
+): void {
+  if (!isStateInactive(state)) {
+    return;
+  }
+  if (runtime.dependencies.getContainerById(containerId)) {
+    return;
+  }
+  runtime.states.delete(containerId);
+  maybeStopDeletedStateSweep(runtime);
+}
+
+function ensureDeletedStateSweep(runtime: CollectorRuntime): void {
+  if (runtime.stateSweepInterval || runtime.states.size === 0) {
+    return;
+  }
+
+  runtime.stateSweepInterval = runtime.setIntervalFn(() => {
+    sweepDeletedInactiveStates(runtime);
+  }, runtime.restTouchTtlMs);
+}
+
+function maybeStopDeletedStateSweep(runtime: CollectorRuntime): void {
+  if (runtime.states.size > 0 || !runtime.stateSweepInterval) {
+    return;
+  }
+
+  runtime.clearIntervalFn(runtime.stateSweepInterval);
+  runtime.stateSweepInterval = undefined;
+}
+
+function sweepDeletedInactiveStates(runtime: CollectorRuntime): void {
+  for (const [containerId, state] of runtime.states) {
+    pruneContainerStateIfMissing(runtime, containerId, state);
+  }
+}
+
+function stopCollection(state: ContainerCollectionState): void {
+  detachStream(state);
+}
+
+function emitSnapshot(state: ContainerCollectionState, snapshot: ContainerStatsSnapshot): void {
+  state.latest = snapshot;
+  state.history.push(snapshot);
+  for (const listener of state.listeners) {
+    listener(snapshot);
+  }
+}
+
+function processStatsPayload(
+  runtime: CollectorRuntime,
+  containerId: string,
+  state: ContainerCollectionState,
+  payload: DockerContainerStats,
+): void {
+  const nowMs = runtime.now();
+  if (state.lastSampleAtMs !== undefined && nowMs - state.lastSampleAtMs < runtime.intervalMs) {
+    log.trace(
+      {
+        containerId,
+        elapsedMs: nowMs - state.lastSampleAtMs,
+        intervalMs: runtime.intervalMs,
+      },
+      'Dropping throttled container stats sample',
+    );
+    return;
+  }
+
+  const snapshot = calculateContainerStatsSnapshot(
+    containerId,
+    payload,
+    state.previousStats,
+    nowMs,
+  );
+  state.previousStats = payload;
+  state.lastSampleAtMs = nowMs;
+  emitSnapshot(state, snapshot);
+}
+
+function handleStatsChunk(
+  runtime: CollectorRuntime,
+  containerId: string,
+  state: ContainerCollectionState,
+  chunk: unknown,
+): void {
+  for (const payload of parseStatsChunk(chunk)) {
+    processStatsPayload(runtime, containerId, state, payload);
+  }
+}
+
+function resolveStatsTarget(
+  dependencies: ContainerStatsCollectorDependencies,
+  containerId: string,
+): ResolvedStatsTarget | undefined {
+  const container = dependencies.getContainerById(containerId);
+  if (!container) {
+    return undefined;
+  }
+
+  const watcherId = `docker.${container.watcher}`;
+  const watcher = dependencies.getWatchers()[watcherId];
+  if (!isDockerStatsWatcherApi(watcher)) {
+    return undefined;
+  }
+
+  return {
+    containerName: container.name,
+    watcher,
+  };
+}
+
+function shouldStartCollection(state: ContainerCollectionState): boolean {
+  return state.watchCount > 0 && !state.stream && !state.startPromise;
+}
+
+function detachStream(state: ContainerCollectionState): void {
+  const { stream } = state;
+  if (stream) {
+    stream.removeAllListeners?.();
+    stream.destroy?.();
+    state.stream = undefined;
+  }
+}
+
+function restartCollection(
+  runtime: CollectorRuntime,
+  containerId: string,
+  state: ContainerCollectionState,
+): void {
+  detachStream(state);
+  void startCollection(runtime, containerId, state);
+}
+
+function attachStreamListeners(
+  runtime: CollectorRuntime,
+  containerId: string,
+  state: ContainerCollectionState,
+  stream: DockerStatsStream,
+): void {
+  state.stream = stream;
+
+  try {
+    stream.on('data', (chunk: unknown) => {
+      handleStatsChunk(runtime, containerId, state, chunk);
+    });
+    stream.on('error', (error: unknown) => {
+      log.warn(`Docker stats stream error for ${containerId} (${getErrorMessage(error)})`);
+      restartCollection(runtime, containerId, state);
+    });
+    stream.on('close', () => {
+      restartCollection(runtime, containerId, state);
+    });
+    stream.on('end', () => {
+      restartCollection(runtime, containerId, state);
+    });
+  } catch (error: unknown) {
+    log.warn(
+      `Failed to attach stats stream listeners for ${containerId} (${getErrorMessage(error)})`,
+    );
+    detachStream(state);
+  }
+}
+
+async function startStream(
+  runtime: CollectorRuntime,
+  containerId: string,
+  state: ContainerCollectionState,
+): Promise<void> {
+  const target = resolveStatsTarget(runtime.dependencies, containerId);
+  if (!target) {
+    return;
+  }
+
+  try {
+    const streamOrPromise = target.watcher.dockerApi.getContainer(target.containerName).stats({
+      stream: true,
+    });
+    const stream = await Promise.resolve(streamOrPromise);
+    if (!isDockerStatsStream(stream)) {
+      return;
+    }
+    if (state.watchCount === 0) {
+      stream.removeAllListeners?.();
+      stream.destroy?.();
+      return;
+    }
+    attachStreamListeners(runtime, containerId, state, stream);
+  } catch (error: unknown) {
+    log.warn(`Failed to start Docker stats stream for ${containerId} (${getErrorMessage(error)})`);
+  }
+}
+
+async function startCollection(
+  runtime: CollectorRuntime,
+  containerId: string,
+  state: ContainerCollectionState,
+): Promise<void> {
+  if (!shouldStartCollection(state)) {
+    return;
+  }
+
+  state.startPromise = startStream(runtime, containerId, state);
+  try {
+    await state.startPromise;
+  } finally {
+    state.startPromise = undefined;
+    pruneContainerStateIfMissing(runtime, containerId, state);
+  }
+}
+
+function createWatchRelease(
+  runtime: CollectorRuntime,
+  containerId: string,
+  state: ContainerCollectionState,
+): () => void {
+  let released = false;
+
+  return () => {
+    if (released) {
+      return;
+    }
+    released = true;
+    state.watchCount = Math.max(0, state.watchCount - 1);
+    if (state.watchCount === 0) {
+      stopCollection(state);
+    }
+    pruneContainerStateIfMissing(runtime, containerId, state);
+  };
+}
+
+function watchContainer(runtime: CollectorRuntime, containerId: string): () => void {
+  const state = getOrCreateState(runtime, containerId);
+  state.watchCount += 1;
+  void startCollection(runtime, containerId, state);
+  return createWatchRelease(runtime, containerId, state);
+}
+
+function touchContainer(runtime: CollectorRuntime, containerId: string): void {
+  const state = getOrCreateState(runtime, containerId);
+  if (!state.restTouchRelease) {
+    state.restTouchRelease = watchContainer(runtime, containerId);
+  }
+
+  if (state.restTouchTimeout) {
+    runtime.clearTimeoutFn(state.restTouchTimeout);
+  }
+
+  state.restTouchTimeout = runtime.setTimeoutFn(() => {
+    state.restTouchTimeout = undefined;
+    const releaseRestTouch = state.restTouchRelease;
+    state.restTouchRelease = undefined;
+    releaseRestTouch?.();
+  }, runtime.restTouchTtlMs);
+}
+
+function subscribeToContainer(
+  runtime: CollectorRuntime,
+  containerId: string,
+  listener: StatsListener,
+): () => void {
+  const state = getOrCreateState(runtime, containerId);
+  state.listeners.add(listener);
+
+  return () => {
+    state.listeners.delete(listener);
+    pruneContainerStateIfMissing(runtime, containerId, state);
+  };
+}
+
+function getLatest(
+  runtime: CollectorRuntime,
+  containerId: string,
+): ContainerStatsSnapshot | undefined {
+  const state = runtime.states.get(containerId);
+  if (!state) {
+    return undefined;
+  }
+  pruneContainerStateIfMissing(runtime, containerId, state);
+  return runtime.states.get(containerId)?.latest;
+}
+
+function getHistory(runtime: CollectorRuntime, containerId: string): ContainerStatsSnapshot[] {
+  const state = runtime.states.get(containerId);
+  if (!state) {
+    return [];
+  }
+  pruneContainerStateIfMissing(runtime, containerId, state);
+  return runtime.states.get(containerId)?.history.toArray() ?? [];
+}
+
+export function createContainerStatsCollector(
+  dependencies: ContainerStatsCollectorDependencies,
+): ContainerStatsCollector {
+  const runtime = createCollectorRuntime(dependencies);
+
+  return {
+    watch: (containerId: string) => watchContainer(runtime, containerId),
+    touch: (containerId: string) => touchContainer(runtime, containerId),
+    subscribe: (containerId: string, listener: StatsListener) =>
+      subscribeToContainer(runtime, containerId, listener),
+    getLatest: (containerId: string) => getLatest(runtime, containerId),
+    getHistory: (containerId: string) => getHistory(runtime, containerId),
+  };
+}
diff --git a/app/stats/config.test.ts b/app/stats/config.test.ts
new file mode 100644
index 000000000..85aa68d98
--- /dev/null
+++ b/app/stats/config.test.ts
@@ -0,0 +1,80 @@
+import {
+  DEFAULT_STATS_HISTORY_SIZE,
+  DEFAULT_STATS_INTERVAL_SECONDS,
+  getStatsHistorySize,
+  getStatsIntervalSeconds,
+} from './config.js';
+
+describe('stats/config', () => {
+  test('uses defaults when env vars are not set', () => {
+    const previousInterval = process.env.DD_STATS_INTERVAL;
+    const previousHistory = process.env.DD_STATS_HISTORY_SIZE;
+
+    try {
+      delete process.env.DD_STATS_INTERVAL;
+      delete process.env.DD_STATS_HISTORY_SIZE;
+
+      expect(getStatsIntervalSeconds()).toBe(DEFAULT_STATS_INTERVAL_SECONDS);
+      expect(getStatsHistorySize()).toBe(DEFAULT_STATS_HISTORY_SIZE);
+    } finally {
+      if (previousInterval === undefined) {
+        delete process.env.DD_STATS_INTERVAL;
+      } else {
+        process.env.DD_STATS_INTERVAL = previousInterval;
+      }
+      if (previousHistory === undefined) {
+        delete process.env.DD_STATS_HISTORY_SIZE;
+      } else {
+        process.env.DD_STATS_HISTORY_SIZE = previousHistory;
+      }
+    }
+  });
+
+  test('uses valid positive integer overrides', () => {
+    const previousInterval = process.env.DD_STATS_INTERVAL;
+    const previousHistory = process.env.DD_STATS_HISTORY_SIZE;
+
+    try {
+      process.env.DD_STATS_INTERVAL = '5';
+      process.env.DD_STATS_HISTORY_SIZE = '120';
+
+      expect(getStatsIntervalSeconds()).toBe(5);
+      expect(getStatsHistorySize()).toBe(120);
+    } finally {
+      if (previousInterval === undefined) {
+        delete process.env.DD_STATS_INTERVAL;
+      } else {
+        process.env.DD_STATS_INTERVAL = previousInterval;
+      }
+      if (previousHistory === undefined) {
+        delete process.env.DD_STATS_HISTORY_SIZE;
+      } else {
+        process.env.DD_STATS_HISTORY_SIZE = previousHistory;
+      }
+    }
+  });
+
+  test('falls back to defaults for invalid values', () => {
+    const previousInterval = process.env.DD_STATS_INTERVAL;
+    const previousHistory = process.env.DD_STATS_HISTORY_SIZE;
+
+    try {
+      process.env.DD_STATS_INTERVAL = '0';
+      process.env.DD_STATS_HISTORY_SIZE = '-2';
+
+      expect(getStatsIntervalSeconds()).toBe(DEFAULT_STATS_INTERVAL_SECONDS);
+      expect(getStatsHistorySize()).toBe(DEFAULT_STATS_HISTORY_SIZE);
+    } finally {
+      if (previousInterval === undefined) {
+        delete process.env.DD_STATS_INTERVAL;
+      } else {
+        process.env.DD_STATS_INTERVAL = previousInterval;
+      }
+      if (previousHistory === undefined) {
+        delete process.env.DD_STATS_HISTORY_SIZE;
+      } else {
+        process.env.DD_STATS_HISTORY_SIZE = previousHistory;
+      }
+    }
+  });
+});
diff --git a/app/stats/config.ts b/app/stats/config.ts
new file mode 100644
index 000000000..a1227948a
--- /dev/null
+++ b/app/stats/config.ts
@@ -0,0 +1,13 @@
+import { toPositiveInteger } from '../util/parse.js';
+
+export const DEFAULT_STATS_INTERVAL_SECONDS = 10;
+export const DEFAULT_STATS_HISTORY_SIZE = 60;
+export const STATS_STREAM_HEARTBEAT_INTERVAL_MS = 15_000;
+
+export function getStatsIntervalSeconds(): number {
+  return toPositiveInteger(process.env.DD_STATS_INTERVAL, DEFAULT_STATS_INTERVAL_SECONDS);
+}
+
+export function getStatsHistorySize(): number {
+  return toPositiveInteger(process.env.DD_STATS_HISTORY_SIZE, DEFAULT_STATS_HISTORY_SIZE);
+}
diff --git a/app/stats/ring-buffer.test.ts b/app/stats/ring-buffer.test.ts
new file mode 100644
index 000000000..7c7626581
--- /dev/null
+++ b/app/stats/ring-buffer.test.ts
@@ -0,0 +1,49 @@
+import { describe, expect, test } from 'vitest';
+import { RingBuffer } from './ring-buffer.js';
+
+describe('stats/ring-buffer', () => {
+  test('stores values in insertion order when not full', () => {
+    const buffer = new RingBuffer<number>(3);
+    buffer.push(1);
+    buffer.push(2);
+
+    expect(buffer.toArray()).toEqual([1, 2]);
+    expect(buffer.getLatest()).toBe(2);
+  });
+
+  test('overwrites oldest values when capacity is exceeded', () => {
+    const buffer = new RingBuffer<number>(3);
+    buffer.push(1);
+    buffer.push(2);
+    buffer.push(3);
+    buffer.push(4);
+    buffer.push(5);
+
+    expect(buffer.toArray()).toEqual([3, 4, 5]);
+    expect(buffer.getLatest()).toBe(5);
+  });
+
+  test('returns undefined as latest when empty', () => {
+    const buffer = new RingBuffer<number>(3);
+    expect(buffer.getLatest()).toBeUndefined();
+    expect(buffer.toArray()).toEqual([]);
+  });
+
+  test('normalizes invalid capacity to one', () => {
+    const buffer = new RingBuffer<number>(0);
+    buffer.push(1);
+    buffer.push(2);
+
+    expect(buffer.toArray()).toEqual([2]);
+    expect(buffer.getLatest()).toBe(2);
+  });
+
+  test('normalizes non-finite capacity to one', () => {
+    const buffer = new RingBuffer<number>(Number.NaN);
+    buffer.push(1);
+    buffer.push(2);
+
+    expect(buffer.toArray()).toEqual([2]);
+    expect(buffer.getLatest()).toBe(2);
+  });
+});
diff --git a/app/stats/ring-buffer.ts b/app/stats/ring-buffer.ts
new file mode 100644
index 000000000..0f859ab6c
--- /dev/null
+++ b/app/stats/ring-buffer.ts
@@ -0,0 +1,38 @@
+export class RingBuffer<T> {
+  private readonly capacity: number;
+  private readonly entries: T[];
+  private writeIndex = 0;
+  private size = 0;
+
+  constructor(capacity: number) {
+    const normalizedCapacity = Number.isFinite(capacity) ? Math.trunc(capacity) : 0;
+    this.capacity = normalizedCapacity > 0 ? normalizedCapacity : 1;
+    this.entries = new Array<T>(this.capacity);
+  }
+
+  push(value: T): void {
+    this.entries[this.writeIndex] = value;
+    this.writeIndex = (this.writeIndex + 1) % this.capacity;
+    if (this.size < this.capacity) {
+      this.size += 1;
+    }
+  }
+
+  getLatest(): T | undefined {
+    if (this.size === 0) {
+      return undefined;
+    }
+    const latestIndex = (this.writeIndex - 1 + this.capacity) % this.capacity;
+    return this.entries[latestIndex];
+  }
+
+  toArray(): T[] {
+    if (this.size === 0) {
+      return [];
+    }
+    if (this.size < this.capacity) {
+      return this.entries.slice(0, this.size);
+    }
+    return [...this.entries.slice(this.writeIndex), ...this.entries.slice(0, this.writeIndex)];
+  }
+}
diff --git a/app/store/audit.test.ts b/app/store/audit.test.ts
index 1513c275f..3fdf9ffea 100644
--- a/app/store/audit.test.ts
+++ b/app/store/audit.test.ts
@@ -12,8 +12,17 @@ function createDb() {
     return path.split('.').reduce((acc, key) => acc?.[key], object);
   }
 
+  function matchesQueryValue(actual, expected) {
+    if (expected && typeof expected === 'object' && '$in' in expected) {
+      return Array.isArray(expected.$in) && expected.$in.includes(actual);
+    }
+    return actual === expected;
+  }
+
   function matchesQuery(doc, query = {}) {
-    return Object.entries(query).every(([key, value]) => getByPath(doc, key) === value);
+    return Object.entries(query).every(([key, value]) =>
+      matchesQueryValue(getByPath(doc, key), value),
+    );
   }
 
   var collections = {};
@@ -42,8 +51,17 @@ function createChainDb(initialDocs = []) {
     return path.split('.').reduce((acc, key) => acc?.[key], object);
   }
 
+  function matchesQueryValue(actual, expected) {
+    if (expected && typeof expected === 'object' && '$in' in expected) {
+      return Array.isArray(expected.$in) && expected.$in.includes(actual);
+    }
+    return actual === expected;
+  }
+
   function matchesQuery(doc, query = {}) {
-    return Object.entries(query).every(([key, value]) => getByPath(doc, key) === value);
+    return Object.entries(query).every(([key, value]) =>
+      matchesQueryValue(getByPath(doc, key), value),
+    );
   }
 
   const docs = initialDocs.map((doc, index) => ({
@@ -358,6 +376,34 @@ describe('Audit Store', () => {
     expect(result.entries[0].containerName).toBe('redis');
   });
 
+  test('getAuditEntries should filter by multiple actions', () => {
+    audit.insertAudit({ action: 'update-available', containerName: 'nginx', status: 'info' });
+    audit.insertAudit({ action: 'update-applied', containerName: 'redis', status: 'success' });
+    audit.insertAudit({ action: 'container-update', containerName: 'postgres', status: 'info' });
+    audit.insertAudit({ action: 'security-alert', containerName: 'mysql', status: 'error' });
+
+    var result = audit.getAuditEntries({ actions: ['update-available', 'security-alert'] });
+    expect(result.total).toBe(2);
+    const actionTypes = result.entries.map((e) => e.action);
+    expect(actionTypes).toContain('update-available');
+    expect(actionTypes).toContain('security-alert');
+    expect(actionTypes).not.toContain('container-update');
+    expect(actionTypes).not.toContain('update-applied');
+  });
+
+  test('getAuditEntries should prefer action over actions when both provided', () => {
+    audit.insertAudit({ action: 'update-available', containerName: 'nginx', status: 'info' });
+    audit.insertAudit({ action: 'update-applied', containerName: 'redis', status: 'success' });
+    audit.insertAudit({ action: 'security-alert', containerName: 'mysql', status: 'error' });
+
+    var result = audit.getAuditEntries({
+      action: 'update-available',
+      actions: ['update-applied', 'security-alert'],
+    });
+    expect(result.total).toBe(1);
+    expect(result.entries[0].action).toBe('update-available');
+  });
+
   test('getAuditEntries should filter by container name', () => {
     audit.insertAudit({ action: 'update-available', containerName: 'nginx', status: 'info' });
     audit.insertAudit({ action: 'update-available', containerName: 'redis', status: 'info' });
diff --git a/app/store/audit.ts b/app/store/audit.ts
index e51ecca3b..c860a7036 100644
--- a/app/store/audit.ts
+++ b/app/store/audit.ts
@@ -18,6 +18,7 @@ type AuditCollectionEntry = {
 
 type GetAuditEntriesQuery = {
   action?: string;
+  actions?: string[];
   container?: string;
   from?: string;
   to?: string;
@@ -55,10 +56,12 @@ function hasInvalidDateRange(fromDate?: number, toDate?: number): boolean {
   return Number.isNaN(fromDate) || Number.isNaN(toDate);
 }
 
-function buildCollectionQuery(query: GetAuditEntriesQuery): Record<string, string> {
-  const collectionQuery: Record<string, string> = {};
+function buildCollectionQuery(query: GetAuditEntriesQuery): Record<string, unknown> {
+  const collectionQuery: Record<string, unknown> = {};
   if (query.action) {
     collectionQuery['data.action'] = query.action;
+  } else if (query.actions && query.actions.length > 0) {
+    collectionQuery['data.action'] = { $in: query.actions };
   }
   if (query.container) {
     collectionQuery['data.containerName'] = query.container;
@@ -86,7 +89,7 @@ function buildTimestampRangeQuery(
 }
 
 function getChainedAuditEntries(
-  collectionQuery: Record<string, string>,
+  collectionQuery: Record<string, unknown>,
   fromDate?: number,
   toDate?: number,
 ): AuditCollectionEntry[] | undefined {
@@ -128,7 +131,7 @@ function applyDateFilters(
 }
 
 function getFallbackAuditEntries(
-  collectionQuery: Record<string, string>,
+  collectionQuery: Record<string, unknown>,
   fromDate?: number,
   toDate?: number,
 ): AuditCollectionEntry[] {
diff --git a/app/store/container.test.ts b/app/store/container.test.ts
index 2ad6287d4..914f8f006 100644
--- a/app/store/container.test.ts
+++ b/app/store/container.test.ts
@@ -127,6 +127,7 @@ test('updateContainer should use collection update when available for existing c
   const existingContainer = {
     data: createContainerFixture({
       id: 'container-update-with-update-method',
+      status: 'running',
     }),
   };
   const collection = {
@@ -145,6 +146,7 @@ test('updateContainer should use collection update when available for existing c
   };
   const containerToSave = createContainerFixture({
     id: 'container-update-with-update-method',
+    status: 'stopped',
   });
   const spyEvent = vi.spyOn(event, 'emitContainerUpdated');
   container.createCollections(db);
@@ -527,6 +529,31 @@ test('insertContainer should stamp updateDetectedAt when update is available', a
   expect(typeof inserted.updateDetectedAt).toBe('string');
 });
 
+test('insertContainer should stamp firstSeenAt when update is available', async () => {
+  const collection = {
+    findOne: () => {},
+    insert: () => {},
+  };
+  const db = {
+    getCollection: () => collection,
+    addCollection: () => null,
+  };
+  const base = createContainerFixture();
+  const containerWithUpdate = {
+    ...base,
+    image: {
+      ...base.image,
+      tag: { ...base.image.tag, value: '1.0.0' },
+    },
+    result: { tag: '2.0.0' },
+  };
+
+  container.createCollections(db);
+  const inserted = container.insertContainer(containerWithUpdate);
+
+  expect(typeof inserted.firstSeenAt).toBe('string');
+});
+
 test('updateContainer should preserve updateDetectedAt when update has not changed', async () => {
   const existingDetectedAt = '2026-02-24T09:15:00.000Z';
   const existingFixture = createContainerFixture();
@@ -570,6 +597,49 @@ test('updateContainer should preserve updateDetectedAt when update has not chang
   expect(updated.updateDetectedAt).toBe(existingDetectedAt);
 });
 
+test('updateContainer should preserve firstSeenAt when update has not changed', async () => {
+  const existingFirstSeenAt = '2026-02-24T09:15:00.000Z';
+  const existingFixture = createContainerFixture();
+  const existingContainer = {
+    data: {
+      ...existingFixture,
+      image: {
+        ...existingFixture.image,
+        tag: { ...existingFixture.image.tag, value: '1.0.0' },
+      },
+      result: { tag: '2.0.0' },
+      firstSeenAt: existingFirstSeenAt,
+    },
+  };
+  const collection = {
+    findOne: () => existingContainer,
+    insert: () => {},
+    chain: () => ({
+      find: () => ({
+        remove: () => ({}),
+      }),
+    }),
+  };
+  const db = {
+    getCollection: () => collection,
+    addCollection: () => null,
+  };
+  const nextFixture = createContainerFixture();
+  const containerToSave = {
+    ...nextFixture,
+    image: {
+      ...nextFixture.image,
+      tag: { ...nextFixture.image.tag, value: '1.0.0' },
+    },
+    result: { tag: '2.0.0' },
+  };
+
+  container.createCollections(db);
+  const updated = container.updateContainer(containerToSave);
+
+  expect(updated.firstSeenAt).toBe(existingFirstSeenAt);
+});
+
 test('updateContainer should preserve explicit incoming updateDetectedAt when provided', async () => {
   const existingFixture = createContainerFixture();
   const existingContainer = {
@@ -700,6 +770,50 @@ test('updateContainer should refresh updateDetectedAt when update result changes
   expect(updated.updateDetectedAt).not.toBe(existingDetectedAt);
 });
 
+test('updateContainer should refresh firstSeenAt when update result changes', async () => {
+  const existingFirstSeenAt = '2026-02-24T09:15:00.000Z';
+  const existingFixture = createContainerFixture();
+  const existingContainer = {
+    data: {
+      ...existingFixture,
+      image: {
+        ...existingFixture.image,
+        tag: { ...existingFixture.image.tag, value: '1.0.0' },
+      },
+      result: { tag: '2.0.0' },
+      firstSeenAt: existingFirstSeenAt,
+    },
+  };
+  const collection = {
+    findOne: () => existingContainer,
+    insert: () => {},
+    chain: () => ({
+      find: () => ({
+        remove: () => ({}),
+      }),
+    }),
+  };
+  const db = {
+    getCollection: () => collection,
+    addCollection: () => null,
+  };
+  const nextFixture = createContainerFixture();
+  const containerToSave = {
+    ...nextFixture,
+    image: {
+      ...nextFixture.image,
+      tag: { ...nextFixture.image.tag, value: '1.0.0' },
+    },
+    result: { tag: '2.1.0' },
+  };
+
+  container.createCollections(db);
+  const updated = container.updateContainer(containerToSave);
+
+  expect(updated.firstSeenAt).toBeDefined();
+  expect(updated.firstSeenAt).not.toBe(existingFirstSeenAt);
+});
+
 test('updateContainer should clear updateDetectedAt when update is no longer available', async () => {
   const existingFixture = createContainerFixture();
   const existingContainer = {
@@ -742,6 +856,48 @@ test('updateContainer should clear updateDetectedAt when update is no longer ava
   expect(updated.updateDetectedAt).toBeUndefined();
 });
 
+test('updateContainer should clear firstSeenAt when update is no longer available', async () => {
+  const existingFixture = createContainerFixture();
+  const existingContainer = {
+    data: {
+      ...existingFixture,
+      image: {
+        ...existingFixture.image,
+        tag: { ...existingFixture.image.tag, value: '1.0.0' },
+      },
+      result: { tag: '2.0.0' },
+      firstSeenAt: '2026-02-24T09:15:00.000Z',
+    },
+  };
+  const collection = {
+    findOne: () => existingContainer,
+    insert: () => {},
+    chain: () => ({
+      find: () => ({
+        remove: () => ({}),
+      }),
+    }),
+  };
+  const db = {
+    getCollection: () => collection,
+    addCollection: () => null,
+  };
+  const nextFixture = createContainerFixture();
+  const containerToSave = {
+    ...nextFixture,
+    image: {
+      ...nextFixture.image,
+      tag: { ...nextFixture.image.tag, value: '1.0.0' },
+    },
+    result: { tag: '1.0.0' },
+  };
+
+  container.createCollections(db);
+  const updated = container.updateContainer(containerToSave);
+
+  expect(updated.firstSeenAt).toBeUndefined();
+});
+
 test('getContainers should return all containers sorted by name', async () => {
   const containerExample = createContainerFixture();
   const containers = [
@@ -2087,3 +2243,278 @@ test('getValueByPath helper should reject unsafe and invalid traversal paths', (
   ).toBeUndefined();
   expect(container._getValueByPathForTests({ name: 'plain-string' }, 'name.value')).toBeUndefined();
 });
+
+describe('hasContainerChanged', () => {
+  test('should return false for identical containers', () => {
+    const a = createContainerFixture();
+    const b = createContainerFixture();
+    expect(container.hasContainerChanged(a, b)).toBe(false);
+  });
+
+  test('should return true when updateAvailable changes', () => {
+    const a = createContainerFixture({ updateAvailable: false });
+    const b = createContainerFixture({ updateAvailable: true });
+    expect(container.hasContainerChanged(a, b)).toBe(true);
+  });
+
+  test('should return true when result.tag changes', () => {
+    const a = createContainerFixture({ result: { tag: '1.0.0' } });
+    const b = createContainerFixture({ result: { tag: '2.0.0' } });
+    expect(container.hasContainerChanged(a, b)).toBe(true);
+  });
+
+  test('should return true when result.digest changes', () => {
+    const a = createContainerFixture({ result: { tag: 'v1', digest: 'sha256:aaa' } });
+    const b = createContainerFixture({ result: { tag: 'v1', digest: 'sha256:bbb' } });
+    expect(container.hasContainerChanged(a, b)).toBe(true);
+  });
+
+  test('should return true when status changes', () => {
+    const a = createContainerFixture({ status: 'running' });
+    const b = createContainerFixture({ status: 'stopped' });
+    expect(container.hasContainerChanged(a, b)).toBe(true);
+  });
+
+  test('should return true when error appears', () => {
+    const a = createContainerFixture();
+    const b = createContainerFixture({ error: { message: 'connection refused' } });
+    expect(container.hasContainerChanged(a, b)).toBe(true);
+  });
+
+  test('should return true when error is cleared', () => {
+    const a = createContainerFixture({ error: { message: 'connection refused' } });
+    const b = createContainerFixture();
+    expect(container.hasContainerChanged(a, b)).toBe(true);
+  });
+
+  test('should return true when image.tag.value changes', () => {
+    const a = createContainerFixture();
+    const imageB = {
+      ...createContainerFixture().image,
+      tag: { value: 'new-version', semver: false },
+    };
+    const b = createContainerFixture({ image: imageB });
+    expect(container.hasContainerChanged(a, b)).toBe(true);
+  });
+
+  test('should return true when security state changes', () => {
+    const a = createContainerFixture({ security: undefined });
+    const b = createContainerFixture({
+      security: { scan: { scanner: 'trivy', status: 'passed' } },
+    });
+    expect(container.hasContainerChanged(a, b)).toBe(true);
+  });
+
+  test('should return false when security has same data in different key order', () => {
+    const a = createContainerFixture({
+      security: {
+        scan: {
+          scanner: 'trivy',
+          image: 'registry/image:1.2.3',
+          scannedAt: '2024-01-01T00:00:00.000Z',
+          status: 'passed',
+          blockSeverities: [],
+          blockingCount: 0,
+          summary: {
+            unknown: 0,
+            low: 0,
+            medium: 0,
+            high: 0,
+            critical: 0,
+          },
+          vulnerabilities: [],
+        },
+      },
+    });
+    const b = createContainerFixture({
+      security: {
+        scan: {
+          vulnerabilities: [],
+          summary: {
+            critical: 0,
+            high: 0,
+            medium: 0,
+            low: 0,
+            unknown: 0,
+          },
+          blockingCount: 0,
+          blockSeverities: [],
+          status: 'passed',
+          scannedAt: '2024-01-01T00:00:00.000Z',
+          image: 'registry/image:1.2.3',
+          scanner: 'trivy',
+        },
+      },
+    });
+
+    expect(container.hasContainerChanged(a, b)).toBe(false);
+  });
+
+  test('should reuse cached security hashes across repeated comparisons', () => {
+    let securityOwnKeysCount = 0;
+    const security = new Proxy(
+      {
+        scan: {
+          scanner: 'trivy',
+          image: 'registry/image:1.2.3',
+          scannedAt: '2024-01-01T00:00:00.000Z',
+          status: 'passed',
+          blockSeverities: [],
+          blockingCount: 0,
+          summary: {
+            unknown: 0,
+            low: 0,
+            medium: 0,
+            high: 0,
+            critical: 0,
+          },
+          vulnerabilities: [],
+        },
+      },
+      {
+        ownKeys(target) {
+          securityOwnKeysCount += 1;
+          return Reflect.ownKeys(target);
+        },
+      },
+    );
+    const a = createContainerFixture({
+      id: 'container-security-hash-cache',
+      security,
+    });
+    const b = createContainerFixture({
+      id: 'container-security-hash-cache',
+      security: {
+        scan: {
+          vulnerabilities: [],
+          summary: {
+            critical: 0,
+            high: 0,
+            medium: 0,
+            low: 0,
+            unknown: 0,
+          },
+          blockingCount: 0,
+          blockSeverities: [],
+          status: 'passed',
+          scannedAt: '2024-01-01T00:00:00.000Z',
+          image: 'registry/image:1.2.3',
+          scanner: 'trivy',
+        },
+      },
+    });
+
+    expect(container.hasContainerChanged(a, b)).toBe(false);
+    const initialSecurityOwnKeysCount = securityOwnKeysCount;
+    expect(initialSecurityOwnKeysCount).toBeGreaterThan(0);
+
+    expect(container.hasContainerChanged(a, b)).toBe(false);
+    expect(securityOwnKeysCount).toBe(initialSecurityOwnKeysCount);
+  });
+
+  test('updateContainer should reuse the stored security hash when the next payload omits security', () => {
+    const collection = createFilterableCollection([]);
+    const db = {
+      getCollection: () => collection,
+      addCollection: () => null,
+    };
+    container.createCollections(db);
+
+    let securityOwnKeysCount = 0;
+    const security = new Proxy(
+      {
+        scan: {
+          vulnerabilities: [],
+          summary: {
+            critical: 0,
+            high: 0,
+            medium: 0,
+            low: 0,
+            unknown: 0,
+          },
+          blockingCount: 0,
+          blockSeverities: [],
+          status: 'passed',
+          scannedAt: '2024-01-01T00:00:00.000Z',
+          image: 'registry/image:1.2.3',
+          scanner: 'trivy',
+        },
+      },
+      {
+        ownKeys(target) {
+          securityOwnKeysCount += 1;
+          return Reflect.ownKeys(target);
+        },
+      },
+    );
+    const existingContainer = createContainerFixture({
+      id: 'stored-security-hash-cache',
+      updateAvailable: false,
+      security,
+    });
+
+    container.insertContainer(existingContainer);
+    const initialSecurityOwnKeysCount = securityOwnKeysCount;
+    expect(initialSecurityOwnKeysCount).toBeGreaterThan(0);
+
+    const updatedContainer = container.updateContainer({
+      ...existingContainer,
+      updateAvailable: true,
+      security: undefined,
+    });
+
+    expect(updatedContainer).toBeDefined();
+    expect(securityOwnKeysCount).toBe(initialSecurityOwnKeysCount);
+  });
+
+  test('should compare primitive security values without object hashing', () => {
+    const a = createContainerFixture({ security: false as any });
+    const b = createContainerFixture({ security: false as any });
+    const c = createContainerFixture({ security: true as any });
+
+    expect(container.hasContainerChanged(a, b)).toBe(false);
+    expect(container.hasContainerChanged(a, c)).toBe(true);
+  });
+
+  test('should return false when only timestamp-like metadata differs', () => {
+    const a = createContainerFixture({ updateDetectedAt: '2024-01-01T00:00:00Z' });
+    const b = createContainerFixture({ updateDetectedAt: '2024-12-31T23:59:59Z' });
+    expect(container.hasContainerChanged(a, b)).toBe(false);
+  });
+});
+
+test('updateContainer should not emit when container data is unchanged', async () => {
+  const existingContainer = {
+    data: createContainerFixture({
+      id: 'unchanged-container',
+      status: 'running',
+      updateAvailable: false,
+    }),
+  };
+  const collection = {
+    findOne: () => existingContainer,
+    update: vi.fn(),
+    insert: vi.fn(),
+    chain: vi.fn(() => ({
+      find: () => ({
+        remove: () => ({}),
+      }),
+    })),
+  };
+  const db = {
+    getCollection: () => collection,
+    addCollection: () => null,
+  };
+  const containerToSave = createContainerFixture({
+    id: 'unchanged-container',
+    status: 'running',
+    updateAvailable: false,
+  });
+  const spyEvent = vi.spyOn(event, 'emitContainerUpdated');
+  container.createCollections(db);
+
+  container.updateContainer(containerToSave);
+
+  expect(collection.update).toHaveBeenCalledTimes(1);
+  expect(spyEvent).not.toHaveBeenCalled();
+});
diff --git a/app/store/container.ts b/app/store/container.ts
index 4aa0a2002..81e53f9c9 100644
--- a/app/store/container.ts
+++ b/app/store/container.ts
@@ -1,6 +1,7 @@
 /**
  * Container store.
  */
+import { createHash } from 'node:crypto';
 import { byString, byValues } from 'sort-es';
 import { redactContainerRuntimeEnv, redactContainersRuntimeEnv } from '../api/container/shared.js';
 import { getDefaultCacheMaxEntries } from '../configuration/runtime-defaults.js';
@@ -22,14 +23,25 @@ const containersQueryCacheParsedEntries = new Map<string, Array<readonly [string
 const DEFAULT_CACHE_MAX_ENTRIES = getDefaultCacheMaxEntries();
 
 // Security state cache: keyed by "{watcher}_{name}" to survive container recreation
-const securityStateCache = new Map();
 const DEFAULT_CONTAINERS_QUERY_CACHE_MAX_ENTRIES = DEFAULT_CACHE_MAX_ENTRIES;
 const DEFAULT_SECURITY_STATE_CACHE_TTL_MS = 15 * 60 * 1000;
 const DEFAULT_SECURITY_STATE_CACHE_MAX_ENTRIES = DEFAULT_CACHE_MAX_ENTRIES;
 const SECURITY_STATE_CACHE_PRUNE_SCAN_BUDGET = 10;
 const CONTAINER_COLLECTION_INDICES = ['data.watcher', 'data.status', 'data.updateAvailable'];
 const UNSAFE_QUERY_PATH_SEGMENTS = new Set(['__proto__', 'prototype', 'constructor']);
-let securityStateCachePruneIterator: IterableIterator<[string, any]> | undefined;
+const STABLE_UNDEFINED_SENTINEL = '__undefined__';
+
+type SecurityStateCacheEntry = {
+  security: unknown;
+  expiresAt: number;
+};
+
+const securityStateCache = new Map<string, SecurityStateCacheEntry>();
+const containerSecurityStateHashCache = new Map<string, string>();
+let securityStateObjectHashCache = new WeakMap<object, string>();
+let securityStateCachePruneIterator:
+  | IterableIterator<[string, SecurityStateCacheEntry]>
+  | undefined;
 
 interface ContainerListPaginationOptions {
   limit?: number;
@@ -460,16 +472,141 @@ export function clearAllCachedSecurityState() {
   securityStateCachePruneIterator = undefined;
 }
 
+function normalizeValue(current: unknown): unknown {
+  if (Array.isArray(current)) {
+    return current.map(normalizeValue);
+  }
+
+  if (current && typeof current === 'object') {
+    return Object.keys(current)
+      .sort()
+      .reduce<Record<string, unknown>>((normalized, key) => {
+        normalized[key] = normalizeValue(current[key]);
+        return normalized;
+      }, {});
+  }
+
+  return current;
+}
+
+function stableSerialize(value: unknown): string {
+  const normalizedValue = normalizeValue(value);
+  return normalizedValue === undefined
+    ? STABLE_UNDEFINED_SENTINEL
+    : JSON.stringify(normalizedValue);
+}
+
+function hashSecurityState(value: unknown): string {
+  return createHash('sha256').update(stableSerialize(value)).digest('hex');
+}
+
+const EMPTY_SECURITY_STATE_HASH = hashSecurityState(undefined);
+
+function getSecurityStateHash(value: unknown): string {
+  if (!value || typeof value !== 'object') {
+    return value === undefined ? EMPTY_SECURITY_STATE_HASH : hashSecurityState(value);
+  }
+
+  const cachedHash = securityStateObjectHashCache.get(value);
+  if (cachedHash) {
+    return cachedHash;
+  }
+
+  const computedHash = hashSecurityState(value);
+  securityStateObjectHashCache.set(value, computedHash);
+  return computedHash;
+}
+
+function getStoredContainerSecurityStateHash(
+  containerToHash: Pick<container.Container, 'id' | 'security'> | undefined,
+): string {
+  if (!containerToHash) {
+    return EMPTY_SECURITY_STATE_HASH;
+  }
+
+  const cachedHash = containerSecurityStateHashCache.get(containerToHash.id);
+  if (cachedHash) {
+    return cachedHash;
+  }
+
+  const computedHash = getSecurityStateHash(containerToHash.security);
+  containerSecurityStateHashCache.set(containerToHash.id, computedHash);
+  return computedHash;
+}
+
+function storeContainerSecurityStateHash(
+  containerToHash: Pick<container.Container, 'id' | 'security'>,
+): string {
+  const computedHash = getSecurityStateHash(containerToHash.security);
+  containerSecurityStateHashCache.set(containerToHash.id, computedHash);
+  return computedHash;
+}
+
+function hasContainerChangedWithSecurityHashes(
+  existing: container.Container,
+  incoming: container.Container,
+  existingSecurityHash: string,
+  incomingSecurityHash: string,
+): boolean {
+  if (existing.updateAvailable !== incoming.updateAvailable) {
+    return true;
+  }
+  if (existing.result?.tag !== incoming.result?.tag) {
+    return true;
+  }
+  if (existing.result?.digest !== incoming.result?.digest) {
+    return true;
+  }
+  if (existing.status !== incoming.status) {
+    return true;
+  }
+  if (existing.error?.message !== incoming.error?.message) {
+    return true;
+  }
+  if (existing.image?.tag?.value !== incoming.image?.tag?.value) {
+    return true;
+  }
+  if (existingSecurityHash !== incomingSecurityHash) {
+    return true;
+  }
+  return false;
+}
+
+/**
+ * Check whether meaningful container state changed between the existing record
+ * and the incoming update.  Returns false when nothing actionable changed
+ * (e.g. same data re-polled with only LokiJS timestamp metadata differing).
+ */
+export function hasContainerChanged(
+  existing: container.Container,
+  incoming: container.Container,
+): boolean {
+  return hasContainerChangedWithSecurityHashes(
+    existing,
+    incoming,
+    getSecurityStateHash(existing.security),
+    getSecurityStateHash(incoming.security),
+  );
+}
+
 function getUpdateDetectedAt(containerCurrent, containerNext) {
+  return getUpdateLifecycleTimestamp(containerCurrent, containerNext, 'updateDetectedAt');
+}
+
+function getFirstSeenAt(containerCurrent, containerNext) {
+  return getUpdateLifecycleTimestamp(containerCurrent, containerNext, 'firstSeenAt');
+}
+
+function getUpdateLifecycleTimestamp(containerCurrent, containerNext, timestampField) {
   if (!containerNext.updateAvailable) {
     return undefined;
   }
 
   if (
-    typeof containerNext.updateDetectedAt === 'string' &&
-    containerNext.updateDetectedAt.length > 0
+    typeof containerNext[timestampField] === 'string' &&
+    containerNext[timestampField].length > 0
   ) {
-    return containerNext.updateDetectedAt;
+    return containerNext[timestampField];
   }
 
   if (!containerCurrent) {
@@ -485,10 +622,10 @@ function getUpdateDetectedAt(containerCurrent, containerNext) {
   }
 
   if (
-    typeof containerCurrent.updateDetectedAt === 'string' &&
-    containerCurrent.updateDetectedAt.length > 0
+    typeof containerCurrent[timestampField] === 'string' &&
+    containerCurrent[timestampField].length > 0
   ) {
-    return containerCurrent.updateDetectedAt;
+    return containerCurrent[timestampField];
   }
 
   return new Date().toISOString();
@@ -517,6 +654,8 @@ export function insertContainer(container) {
   }
   const containerToSave = validateContainer(container);
   containerToSave.updateDetectedAt = getUpdateDetectedAt(undefined, containerToSave);
+  containerToSave.firstSeenAt = getFirstSeenAt(undefined, containerToSave);
+  storeContainerSecurityStateHash(containerToSave);
   containers.insert({
     data: containerToSave,
   });
@@ -557,6 +696,12 @@ export function updateContainer(container) {
   };
   const containerToReturn = validateContainer(containerMerged);
   containerToReturn.updateDetectedAt = getUpdateDetectedAt(containerCurrent, containerToReturn);
+  containerToReturn.firstSeenAt = getFirstSeenAt(containerCurrent, containerToReturn);
+  const containerCurrentSecurityHash = getStoredContainerSecurityStateHash(containerCurrent);
+  const containerNextSecurityHash =
+    !hasSecurity && containerCurrent
+      ? containerCurrentSecurityHash
+      : storeContainerSecurityStateHash(containerToReturn);
 
   if (containerCurrentDoc && typeof containers?.update === 'function') {
     containerCurrentDoc.data = containerToReturn;
@@ -576,10 +721,20 @@ export function updateContainer(container) {
     });
   }
   invalidateContainersCacheForMutation(containerCurrent, containerToReturn);
-  const containerUpdatedEventPayload: ContainerLifecycleEventPayload = redactContainerRuntimeEnv({
-    ...containerToReturn,
-  });
-  emitContainerUpdated(containerUpdatedEventPayload);
+  if (
+    !containerCurrent ||
+    hasContainerChangedWithSecurityHashes(
+      containerCurrent,
+      containerToReturn,
+      containerCurrentSecurityHash,
+      containerNextSecurityHash,
+    )
+  ) {
+    const containerUpdatedEventPayload: ContainerLifecycleEventPayload = redactContainerRuntimeEnv({
+      ...containerToReturn,
+    });
+    emitContainerUpdated(containerUpdatedEventPayload);
+  }
   return containerToReturn;
 }
 
@@ -698,6 +853,7 @@ export function deleteContainer(id) {
       })
       .remove();
     invalidateContainersCacheForMutation(containerRaw, undefined);
+    containerSecurityStateHashCache.delete(id);
     emitContainerRemoved(container);
   }
 }
@@ -705,10 +861,15 @@ export function deleteContainer(id) {
 export function _resetContainerStoreStateForTests() {
   clearContainersQueryCacheState();
   securityStateCache.clear();
+  containerSecurityStateHashCache.clear();
+  securityStateObjectHashCache = new WeakMap<object, string>();
   securityStateCachePruneIterator = undefined;
 }
 
-export function _setSecurityStateCacheEntryForTests(cacheKey: string, entry: any) {
+export function _setSecurityStateCacheEntryForTests(
+  cacheKey: string,
+  entry: SecurityStateCacheEntry,
+) {
   securityStateCache.set(cacheKey, entry);
 }
 
diff --git a/app/store/index.test.ts b/app/store/index.test.ts
index 93905c8e7..1b19e0af1 100644
--- a/app/store/index.test.ts
+++ b/app/store/index.test.ts
@@ -16,14 +16,15 @@ const {
   function createLokiMock(
     loadDbCallback = (options, callback) => callback(null),
     saveDbCallback = (callback) => callback(null),
+    createDbInstance = () => ({
+      loadDatabase: vi.fn(loadDbCallback),
+      saveDatabase: vi.fn(saveDbCallback),
+    }),
   ) {
     return {
       // biome-ignore lint/complexity/useArrowFunction: mock constructor requires function expression
       default: vi.fn().mockImplementation(function () {
-        return {
-          loadDatabase: vi.fn(loadDbCallback),
-          saveDatabase: vi.fn(saveDbCallback),
-        };
+        return createDbInstance();
       }),
     };
   }
@@ -51,11 +52,14 @@ const {
     overrides: {
       loki?: Parameters<typeof createLokiMock>[0];
       lokiSave?: Parameters<typeof createLokiMock>[1];
+      lokiInstance?: Parameters<typeof createLokiMock>[2];
       fs?: Record<string, unknown>;
       config?: Record<string, unknown>;
     } = {},
   ) {
-    vi.doMock('lokijs', () => createLokiMock(overrides.loki, overrides.lokiSave));
+    vi.doMock('lokijs', () =>
+      createLokiMock(overrides.loki, overrides.lokiSave, overrides.lokiInstance),
+    );
     vi.doMock('node:fs', () => createFsMock(overrides.fs));
     vi.doMock('../configuration', () => createConfigMock(overrides.config ?? STORE_CONFIG));
     vi.doMock('./app', createCollectionsMock);
@@ -280,13 +284,150 @@ describe('Store Module', () => {
       renameSync: vi.fn(),
     };
 
-    registerCommonMocks();
-    // Override the fs mock with the custom one for migration logic
-    vi.doMock('node:fs', () => ({ default: mockFs }));
+    registerCommonMocks({ fs: mockFs });
 
     const storeMigrate = await import('./index.js');
     await storeMigrate.init();
 
     expect(mockFs.renameSync).toHaveBeenCalledWith('/test/store/wud.json', '/test/store/test.json');
   });
+
+  test('should collect debug snapshot values from collection fallbacks', async () => {
+    vi.resetModules();
+
+    const storeDb = {
+      collections: [
+        123,
+        { count: vi.fn(() => -4) },
+        { name: undefined, count: vi.fn(() => Number.NaN) },
+        { name: 'bad-data', data: { value: 1 } },
+        { name: 'data', data: [1, 2, 3] },
+        { name: 'named', count: vi.fn(() => 5) },
+      ],
+      loadDatabase: vi.fn((options, callback) => callback(null)),
+      saveDatabase: vi.fn((callback) => callback(null)),
+    };
+
+    registerCommonMocks({
+      lokiInstance: () => storeDb,
+      fs: {
+        existsSync: vi.fn(() => true),
+        mkdirSync: vi.fn(),
+        statSync: vi.fn(() => ({ mtime: new Date('2026-03-18T12:34:56.000Z') })),
+        renameSync: vi.fn(),
+      },
+    });
+
+    const storeWithSnapshot = await import('./index.js');
+    await storeWithSnapshot.init();
+
+    expect(storeWithSnapshot.getDebugSnapshot()).toEqual({
+      memoryMode: false,
+      path: '/test/store/test.json',
+      collectionCount: 6,
+      documentCount: 8,
+      lastPersistAt: '2026-03-18T12:34:56.000Z',
+      collections: [
+        { name: 'unknown', documents: 0 },
+        { name: 'unknown', documents: 0 },
+        { name: 'unknown', documents: 0 },
+        { name: 'bad-data', documents: 0 },
+        { name: 'data', documents: 3 },
+        { name: 'named', documents: 5 },
+      ],
+    });
+  });
+
+  test('should return undefined lastPersistAt when store runs in memory mode', async () => {
+    vi.resetModules();
+
+    registerCommonMocks({
+      lokiInstance: () => ({
+        collections: [],
+        loadDatabase: vi.fn((options, callback) => callback(null)),
+        saveDatabase: vi.fn((callback) => callback(null)),
+      }),
+      fs: {
+        existsSync: vi.fn(() => true),
+        mkdirSync: vi.fn(),
+        statSync: vi.fn(() => ({ mtime: new Date('2026-03-18T12:34:56.000Z') })),
+        renameSync: vi.fn(),
+      },
+    });
+
+    const storeInMemory = await import('./index.js');
+    await storeInMemory.init({ memory: true });
+
+    expect(storeInMemory.getDebugSnapshot()).toEqual({
+      memoryMode: true,
+      path: '/test/store/test.json',
+      collectionCount: 0,
+      documentCount: 0,
+      lastPersistAt: undefined,
+      collections: [],
+    });
+  });
+
+  test('should return undefined lastPersistAt when store path has not been initialized', async () => {
+    vi.resetModules();
+
+    registerCommonMocks({
+      lokiInstance: () => ({
+        collections: [],
+        loadDatabase: vi.fn((options, callback) => callback(null)),
+        saveDatabase: vi.fn((callback) => callback(null)),
+      }),
+      fs: {
+        existsSync: vi.fn(() => true),
+        mkdirSync: vi.fn(),
+        statSync: vi.fn(() => ({ mtime: new Date('2026-03-18T12:34:56.000Z') })),
+        renameSync: vi.fn(),
+      },
+    });
+
+    const storeWithoutInit = await import('./index.js');
+
+    expect(storeWithoutInit.getDebugSnapshot()).toEqual({
+      memoryMode: false,
+      path: undefined,
+      collectionCount: 0,
+      documentCount: 0,
+      lastPersistAt: undefined,
+      collections: [],
+    });
+  });
+
+  test('should return undefined lastPersistAt when statSync throws', async () => {
+    vi.resetModules();
+
+    registerCommonMocks({
+      lokiInstance: () => ({
+        collections: [{ name: 'only', count: vi.fn(() => 1) }],
+        loadDatabase: vi.fn((options, callback) => callback(null)),
+        saveDatabase: vi.fn((callback) => callback(null)),
+      }),
+      fs: {
+        existsSync: vi.fn(
+          (targetPath) => targetPath === '/test/store/test.json' || targetPath === '/test/store',
+        ),
+        mkdirSync: vi.fn(),
+        statSync: vi.fn(() => {
+          throw new Error('stat failed');
+        }),
+        renameSync: vi.fn(),
+      },
+    });
+
+    const storeWithStatError = await import('./index.js');
+    await storeWithStatError.init();
+
+    expect(storeWithStatError.getDebugSnapshot()).toEqual({
+      memoryMode: false,
+      path: '/test/store/test.json',
+      collectionCount: 1,
+      documentCount: 1,
+      lastPersistAt: undefined,
+      collections: [{ name: 'only', documents: 1 }],
+    });
+  });
 });
diff --git a/app/store/index.ts b/app/store/index.ts
index c6c284bc6..deb45a604 100644
--- a/app/store/index.ts
+++ b/app/store/index.ts
@@ -34,6 +34,7 @@ const configuration = configurationToValidate.value;
 type LokiDatabase = InstanceType<typeof Loki>;
 let db: LokiDatabase | undefined;
 let isMemoryMode = false;
+let storePathResolved: string | undefined;
 
 function createCollections() {
   app.createCollections(db);
@@ -79,6 +80,7 @@ export async function init(options: { memory?: boolean } = {}) {
   const storePath = resolveConfiguredPathWithinBase(storeDirectory, configuration.file, {
     label: 'DD_STORE_FILE',
   });
+  storePathResolved = storePath;
   if (storePath === storeDirectory) {
     throw new Error('DD_STORE_FILE must reference a file path, not a directory');
   }
@@ -138,3 +140,65 @@ export async function save() {
 export function getConfiguration() {
   return configuration;
 }
+
+export interface StoreDebugCollectionStats {
+  name: string;
+  documents: number;
+}
+
+export interface StoreDebugSnapshot {
+  memoryMode: boolean;
+  path?: string;
+  collectionCount: number;
+  documentCount: number;
+  lastPersistAt?: string;
+  collections: StoreDebugCollectionStats[];
+}
+
+function getCollectionDocumentCount(collection: unknown): number {
+  if (!collection || typeof collection !== 'object') {
+    return 0;
+  }
+
+  if (typeof (collection as { count?: unknown }).count === 'function') {
+    return Math.max(0, Number((collection as { count: () => number }).count()) || 0);
+  }
+
+  const data = (collection as { data?: unknown }).data;
+  return Array.isArray(data) ? data.length : 0;
+}
+
+function getStoreLastPersistAt(): string | undefined {
+  if (isMemoryMode || !storePathResolved || !fs.existsSync(storePathResolved)) {
+    return undefined;
+  }
+
+  try {
+    return fs.statSync(storePathResolved).mtime.toISOString();
+  } catch {
+    return undefined;
+  }
+}
+
+export function getDebugSnapshot(): StoreDebugSnapshot {
+  const collections = Array.isArray((db as { collections?: unknown[] } | undefined)?.collections)
+    ? ((db as { collections: unknown[] }).collections as unknown[])
+    : [];
+  const collectionStats = collections.map((collection) => ({
+    name:
+      typeof (collection as { name?: unknown }).name === 'string'
+        ? ((collection as { name: string }).name as string)
+        : 'unknown',
+    documents: getCollectionDocumentCount(collection),
+  }));
+  const documentCount = collectionStats.reduce((total, stats) => total + stats.documents, 0);
+
+  return {
+    memoryMode: isMemoryMode,
+    path: storePathResolved,
+    collectionCount: collectionStats.length,
+    documentCount,
+    lastPersistAt: getStoreLastPersistAt(),
+    collections: collectionStats,
+  };
+}
diff --git a/app/store/migrate.test.ts b/app/store/migrate.test.ts
index 26adb6844..85ce2dad6 100644
--- a/app/store/migrate.test.ts
+++ b/app/store/migrate.test.ts
@@ -1,6 +1,8 @@
+const mockLogInfo = vi.hoisted(() => vi.fn());
+
 import * as container from './container.js';
 
-vi.mock('../log', () => ({ default: { child: vi.fn(() => ({ info: vi.fn() })) } }));
+vi.mock('../log', () => ({ default: { child: vi.fn(() => ({ info: mockLogInfo })) } }));
 vi.mock('./container', () => ({
   getContainers: vi.fn(() => [{ name: 'container1' }, { name: 'container2' }]),
   deleteContainer: vi.fn(),
@@ -15,9 +17,11 @@ beforeEach(async () => {
 test('migrate should not delete containers for legacy 7.x to 8.x version bumps', async () => {
   migrate.migrate('7.0.0', '8.0.0');
   expect(container.deleteContainer).not.toHaveBeenCalled();
+  expect(mockLogInfo).toHaveBeenCalledWith('Migrate data between schema versions');
 });
 
 test('migrate should not delete containers when from and to are 8.x versions', async () => {
   migrate.migrate('8.1.0', '8.2.0');
   expect(container.deleteContainer).not.toHaveBeenCalled();
+  expect(mockLogInfo).toHaveBeenCalledWith('Migrate data between schema versions');
 });
diff --git a/app/store/migrate.ts b/app/store/migrate.ts
index e1afb0bc8..ac3700bf7 100644
--- a/app/store/migrate.ts
+++ b/app/store/migrate.ts
@@ -7,8 +7,6 @@ const log = logger.child({ component: 'store' });
  * @param from version
  * @param to version
  */
-export function migrate(from, to) {
-  const safeFrom = String(from).replaceAll(/[^a-zA-Z0-9._\-+]/g, '');
-  const safeTo = String(to).replaceAll(/[^a-zA-Z0-9._\-+]/g, '');
-  log.info(`Migrate data from version ${safeFrom} to version ${safeTo}`);
+export function migrate(_from, _to) {
+  log.info('Migrate data between schema versions');
 }
diff --git a/app/stryker.conf.mjs b/app/stryker.conf.mjs
new file mode 100644
index 000000000..5c4176b67
--- /dev/null
+++ b/app/stryker.conf.mjs
@@ -0,0 +1,41 @@
+const dashboardReporterEnabled = Boolean(process.env.STRYKER_DASHBOARD_API_KEY);
+
+/** @type {import('@stryker-mutator/api/core').PartialStrykerOptions} */
+const config = {
+  mutate: [
+    '**/*.ts',
+    '!**/*.d.ts',
+    '!**/*.test.ts',
+    '!**/*.fuzz.test.ts',
+    '!**/*.typecheck.ts',
+    '!dist/**',
+    '!coverage/**',
+  ],
+  testRunner: 'vitest',
+  checkers: ['typescript'],
+  tsconfigFile: 'tsconfig.json',
+  coverageAnalysis: 'off',
+  reporters: ['clear-text', 'progress', 'html', ...(dashboardReporterEnabled ? ['dashboard'] : [])],
+  htmlReporter: {
+    fileName: 'reports/mutation/html/index.html',
+  },
+  ...(dashboardReporterEnabled
+    ? {
+        dashboard: {
+          project: 'github.com/CodesWhat/drydock',
+          module: 'app',
+          reportType: 'full',
+        },
+      }
+    : {}),
+  vitest: {
+    configFile: 'vitest.config.ts',
+  },
+  thresholds: {
+    high: 80,
+    low: 70,
+    break: 65,
+  },
+};
+
+export default config;
diff --git a/app/tag/index.test.ts b/app/tag/index.test.ts
index 4f12a4fc7..d565187ec 100644
--- a/app/tag/index.test.ts
+++ b/app/tag/index.test.ts
@@ -1,3 +1,5 @@
+import { RE2JS } from 're2js';
+import log from '../log/index.js';
 import * as semver from './index.js';
 
 describe('parse', () => {
@@ -305,6 +307,36 @@ describe('transform', () => {
       expect(semver.transform('[invalid-regex => $1', '1.2.3')).toBe('1.2.3');
     });
 
+    test('should include message from non-Error throw values during regex compilation', () => {
+      const warnSpy = vi.spyOn(log, 'warn').mockImplementation(() => {});
+      const compileSpy = vi.spyOn(RE2JS, 'compile').mockImplementation(() => {
+        throw { message: 'regex compile failed' };
+      });
+
+      try {
+        expect(semver.transform('^v(.+)$ => $1', 'v1.2.3')).toBe('v1.2.3');
+        expect(warnSpy).toHaveBeenCalledWith(expect.stringContaining('regex compile failed'));
+      } finally {
+        compileSpy.mockRestore();
+        warnSpy.mockRestore();
+      }
+    });
+
+    test('should stringify unknown throw values during regex compilation', () => {
+      const warnSpy = vi.spyOn(log, 'warn').mockImplementation(() => {});
+      const compileSpy = vi.spyOn(RE2JS, 'compile').mockImplementation(() => {
+        throw 42;
+      });
+
+      try {
+        expect(semver.transform('^v(.+)$ => $1', 'v1.2.3')).toBe('v1.2.3');
+        expect(warnSpy).toHaveBeenCalledWith(expect.stringContaining('42'));
+      } finally {
+        compileSpy.mockRestore();
+        warnSpy.mockRestore();
+      }
+    });
+
     test('should return original tag when regex pattern exceeds max length', async () => {
       const longPattern = `${'a'.repeat(1025)} => $1`;
       expect(semver.transform(longPattern, '1.2.3')).toBe('1.2.3');
diff --git a/app/tag/index.ts b/app/tag/index.ts
index b21640299..eeb0017b8 100644
--- a/app/tag/index.ts
+++ b/app/tag/index.ts
@@ -79,6 +79,24 @@ interface SafeRegex {
   exec(s: string): RegExpMatchArray | null;
 }
 
+interface ErrorWithMessage {
+  message: unknown;
+}
+
+function hasMessage(error: unknown): error is ErrorWithMessage {
+  return typeof error === 'object' && error !== null && 'message' in error;
+}
+
+function getErrorMessage(error: unknown): string {
+  if (error instanceof Error) {
+    return error.message;
+  }
+  if (hasMessage(error) && typeof error.message === 'string') {
+    return error.message;
+  }
+  return String(error);
+}
+
 /**
  * Safely compile a user-supplied regex pattern.
  * Returns null (and logs a warning) when the pattern is invalid.
@@ -103,8 +121,8 @@ function safeRegExp(pattern: string): SafeRegex | null {
         return result;
       },
     };
-  } catch (e: any) {
-    log.warn(`Invalid regex pattern "${pattern}": ${e.message}`);
+  } catch (e: unknown) {
+    log.warn(`Invalid regex pattern "${pattern}": ${getErrorMessage(e)}`);
     return null;
   }
 }
diff --git a/app/tag/suggest.test.ts b/app/tag/suggest.test.ts
new file mode 100644
index 000000000..cb57c5537
--- /dev/null
+++ b/app/tag/suggest.test.ts
@@ -0,0 +1,168 @@
+import { RE2JS } from 're2js';
+import * as semver from './index.js';
+import { suggest } from './suggest.js';
+
+function createContainer(overrides: Record<string, unknown> = {}) {
+  return {
+    includeTags: undefined,
+    excludeTags: undefined,
+    image: {
+      tag: {
+        value: 'latest',
+      },
+    },
+    ...overrides,
+  };
+}
+
+describe('tag/suggest', () => {
+  test('should return null when current tag is not latest or untagged', () => {
+    const container = createContainer({ image: { tag: { value: '1.2.3' } } });
+
+    expect(suggest(container as any, ['1.0.0', '2.0.0'])).toBeNull();
+  });
+
+  test('should suggest highest stable semver for latest tag', () => {
+    const container = createContainer({ image: { tag: { value: 'latest' } } });
+
+    const suggestedTag = suggest(container as any, [
+      'latest',
+      'nightly',
+      '1.2.0-rc.1',
+      '2.0.0-beta',
+      '1.1.0',
+      '1.2.3',
+      '1.2.3+canary.1',
+    ]);
+
+    expect(suggestedTag).toBe('1.2.3');
+  });
+
+  test('should treat empty current tag as untagged and suggest stable semver', () => {
+    const container = createContainer({ image: { tag: { value: '' } } });
+
+    expect(suggest(container as any, ['0.9.0', '1.0.0', '1.0.1-alpha'])).toBe('1.0.0');
+  });
+
+  test('should treat missing current tag value as untagged', () => {
+    const container = createContainer({ image: { tag: { value: undefined } } });
+
+    expect(suggest(container as any, ['1.0.0', '2.0.0'])).toBe('2.0.0');
+  });
+
+  test('should apply include and exclude regex filters before suggesting', () => {
+    const container = createContainer({
+      includeTags: String.raw`^v?1\.`,
+      excludeTags: String.raw`1\.1\.`,
+      image: { tag: { value: 'latest' } },
+    });
+
+    const suggestedTag = suggest(container as any, ['v1.0.0', 'v1.1.0', 'v1.2.0', '2.0.0']);
+
+    expect(suggestedTag).toBe('v1.2.0');
+  });
+
+  test('should return null when no stable semver tags are available', () => {
+    const container = createContainer({ image: { tag: { value: 'latest' } } });
+
+    const suggestedTag = suggest(container as any, [
+      'latest',
+      'nightly',
+      '1.0.0-rc.1',
+      '2.0.0-beta',
+      'canary',
+    ]);
+
+    expect(suggestedTag).toBeNull();
+  });
+
+  test('should ignore invalid include/exclude regex and continue', () => {
+    const warn = vi.fn();
+    const container = createContainer({
+      includeTags: '[',
+      excludeTags: '(',
+      image: { tag: { value: 'latest' } },
+    });
+
+    expect(suggest(container as any, ['1.0.0', '2.0.0'], { warn })).toBe('2.0.0');
+    expect(warn).toHaveBeenCalledTimes(2);
+  });
+
+  test('should preserve string errors thrown by regex compilation', () => {
+    const compileSpy = vi.spyOn(RE2JS, 'compile').mockImplementation(() => {
+      throw 'raw regex failure';
+    });
+    const warn = vi.fn();
+
+    try {
+      const container = createContainer({
+        includeTags: 'anything',
+        image: { tag: { value: 'latest' } },
+      });
+
+      expect(suggest(container as any, ['1.0.0'], { warn })).toBe('1.0.0');
+      expect(warn).toHaveBeenCalledWith(expect.stringContaining('raw regex failure'));
+    } finally {
+      compileSpy.mockRestore();
+    }
+  });
+
+  test('should stringify non-Error objects without a message field from regex compilation', () => {
+    const compileSpy = vi.spyOn(RE2JS, 'compile').mockImplementation(() => {
+      throw { reason: 'opaque-failure' };
+    });
+    const warn = vi.fn();
+
+    try {
+      const container = createContainer({
+        includeTags: 'anything',
+        image: { tag: { value: 'latest' } },
+      });
+
+      expect(suggest(container as any, ['1.0.0'], { warn })).toBe('1.0.0');
+      expect(warn).toHaveBeenCalledWith(expect.stringContaining('[object Object]'));
+    } finally {
+      compileSpy.mockRestore();
+    }
+  });
+
+  test('should ignore overlong include regex and continue without include filtering', () => {
+    const warn = vi.fn();
+    const container = createContainer({
+      includeTags: 'a'.repeat(1025),
+      image: { tag: { value: 'latest' } },
+    });
+
+    expect(suggest(container as any, ['1.0.0', '2.0.0'], { warn })).toBe('2.0.0');
+    expect(warn).toHaveBeenCalledWith(
+      expect.stringContaining('Regex pattern exceeds maximum length'),
+    );
+  });
+
+  test('should drop semver candidates that only have prerelease metadata', () => {
+    const container = createContainer({ image: { tag: { value: 'latest' } } });
+
+    expect(suggest(container as any, ['1.2.3-ls132', '1.2.2'])).toBe('1.2.2');
+  });
+
+  test('should drop candidates with non-integer semver components', () => {
+    const parseSpy = vi.spyOn(semver, 'parse').mockImplementation((tag: string) => {
+      if (tag === 'bad-int') {
+        return {
+          major: 1.5,
+          minor: 0,
+          patch: 0,
+          prerelease: [],
+        } as any;
+      }
+      return null;
+    });
+
+    try {
+      const container = createContainer({ image: { tag: { value: 'latest' } } });
+      expect(suggest(container as any, ['bad-int'])).toBeNull();
+    } finally {
+      parseSpy.mockRestore();
+    }
+  });
+});
diff --git a/app/tag/suggest.ts b/app/tag/suggest.ts
new file mode 100644
index 000000000..977b2cd33
--- /dev/null
+++ b/app/tag/suggest.ts
@@ -0,0 +1,171 @@
+import { RE2JS } from 're2js';
+import type { Container } from '../model/container.js';
+import { parse as parseSemver } from './index.js';
+
+interface SafeRegex {
+  test(s: string): boolean;
+}
+
+interface TagSuggestionLogger {
+  warn?: (message: string) => void;
+}
+
+interface StableSemverCandidate {
+  tag: string;
+  major: number;
+  minor: number;
+  patch: number;
+}
+
+interface MessageLikeError {
+  message: string;
+}
+
+const PRERELEASE_LABEL_PATTERN = /(?:^|[+._-])(alpha|beta|rc|dev|nightly|canary)(?:$|[+._-])/i;
+
+function isMessageLikeError(error: unknown): error is MessageLikeError {
+  if (typeof error !== 'object' || error === null) {
+    return false;
+  }
+
+  return 'message' in error && typeof (error as { message: unknown }).message === 'string';
+}
+
+function normalizeErrorMessage(error: unknown): string {
+  if (isMessageLikeError(error)) {
+    return error.message;
+  }
+
+  if (typeof error === 'string') {
+    return error;
+  }
+
+  return String(error);
+}
+
+function safeRegExp(pattern: string, logger: TagSuggestionLogger): SafeRegex | null {
+  const MAX_PATTERN_LENGTH = 1024;
+  if (pattern.length > MAX_PATTERN_LENGTH) {
+    logger.warn?.(`Regex pattern exceeds maximum length of ${MAX_PATTERN_LENGTH} characters`);
+    return null;
+  }
+  try {
+    const compiled = RE2JS.compile(pattern);
+    return {
+      test(s: string): boolean {
+        return compiled.matcher(s).find();
+      },
+    };
+  } catch (e: unknown) {
+    logger.warn?.(`Invalid regex pattern "${pattern}": ${normalizeErrorMessage(e)}`);
+    return null;
+  }
+}
+
+function applyIncludeExcludeFilters(
+  tags: string[],
+  includeTags: string | undefined,
+  excludeTags: string | undefined,
+  logger: TagSuggestionLogger,
+): string[] {
+  let filteredTags = tags;
+
+  if (includeTags) {
+    const includeRegex = safeRegExp(includeTags, logger);
+    if (includeRegex) {
+      filteredTags = filteredTags.filter((tag) => includeRegex.test(tag));
+    }
+  }
+
+  if (excludeTags) {
+    const excludeRegex = safeRegExp(excludeTags, logger);
+    if (excludeRegex) {
+      filteredTags = filteredTags.filter((tag) => !excludeRegex.test(tag));
+    }
+  }
+
+  return filteredTags;
+}
+
+function isLatestOrUntagged(tagValue: string | undefined): boolean {
+  if (typeof tagValue !== 'string') {
+    return true;
+  }
+  const normalizedTag = tagValue.trim().toLowerCase();
+  return normalizedTag === '' || normalizedTag === 'latest';
+}
+
+function isStableSemverCandidate(tag: string): StableSemverCandidate | null {
+  const parsed = parseSemver(tag);
+  if (!parsed) {
+    return null;
+  }
+
+  // Defensive exclusion for prerelease-like labels that can be lost by coercion.
+  if (PRERELEASE_LABEL_PATTERN.test(tag)) {
+    return null;
+  }
+
+  const prerelease = Array.isArray(parsed.prerelease) ? parsed.prerelease : [];
+  if (prerelease.length > 0) {
+    return null;
+  }
+
+  if (
+    !Number.isInteger(parsed.major) ||
+    !Number.isInteger(parsed.minor) ||
+    !Number.isInteger(parsed.patch)
+  ) {
+    return null;
+  }
+
+  return {
+    tag,
+    major: parsed.major,
+    minor: parsed.minor,
+    patch: parsed.patch,
+  };
+}
+
+function sortBySemverDescending(candidates: StableSemverCandidate[]): void {
+  candidates.sort((candidate1, candidate2) => {
+    if (candidate1.major !== candidate2.major) {
+      return candidate2.major - candidate1.major;
+    }
+    if (candidate1.minor !== candidate2.minor) {
+      return candidate2.minor - candidate1.minor;
+    }
+    if (candidate1.patch !== candidate2.patch) {
+      return candidate2.patch - candidate1.patch;
+    }
+    return 0;
+  });
+}
+
+export function suggest(
+  container: Pick<Container, 'includeTags' | 'excludeTags' | 'image'>,
+  tags: string[],
+  logger: TagSuggestionLogger = {},
+): string | null {
+  const currentTagValue = container?.image?.tag?.value;
+  if (!isLatestOrUntagged(currentTagValue)) {
+    return null;
+  }
+
+  const filteredTags = applyIncludeExcludeFilters(
+    tags,
+    container.includeTags,
+    container.excludeTags,
+    logger,
+  );
+  const stableSemverCandidates = filteredTags
+    .map((tag) => isStableSemverCandidate(tag))
+    .filter((candidate): candidate is StableSemverCandidate => candidate !== null);
+
+  if (stableSemverCandidates.length === 0) {
+    return null;
+  }
+
+  sortBySemverDescending(stableSemverCandidates);
+  return stableSemverCandidates[0].tag;
+}
diff --git a/app/test/helpers.ts b/app/test/helpers.ts
index f08ac3446..6e263e5b1 100644
--- a/app/test/helpers.ts
+++ b/app/test/helpers.ts
@@ -6,30 +6,37 @@
  * For logger mocking, use the manual mock at log/__mocks__/index.ts
  * with vi.mock('../log') (no factory).
  */
+import type { Request, Response } from 'express';
 import { vi } from 'vitest';
 
 /**
  * Mock HTTP response object for API handler tests.
+ * Returns an Express-compatible Response with common methods stubbed.
  */
-export function createMockResponse() {
+export function createMockResponse(): Response {
   return {
     status: vi.fn().mockReturnThis(),
+    set: vi.fn().mockReturnThis(),
+    setHeader: vi.fn(),
     json: vi.fn(),
     sendStatus: vi.fn(),
     send: vi.fn(),
-  };
+  } as unknown as Response;
 }
 
 /**
  * Mock HTTP request object for API handler tests.
+ * Returns an Express-compatible Request with params, query, and body stubbed.
  */
-export function createMockRequest(overrides: Record<string, unknown> = {}) {
+export function createMockRequest<P = Record<string, string>>(
+  overrides: Record<string, unknown> = {},
+): Request<P> {
   return {
     params: {},
     query: {},
     body: undefined,
     ...overrides,
-  };
+  } as unknown as Request<P>;
 }
 
 /**
diff --git a/app/test/mock-factories.ts b/app/test/mock-factories.ts
new file mode 100644
index 000000000..fe6f9bb19
--- /dev/null
+++ b/app/test/mock-factories.ts
@@ -0,0 +1,60 @@
+/**
+ * Shared mock factories for test files.
+ *
+ * These factories return plain functions/objects (not vi.fn() wrapped) so they
+ * can be used with mockFn.mockImplementation() in beforeEach blocks.
+ *
+ * Due to vi.mock()/vi.hoisted() hoisting constraints, these CANNOT be used
+ * inside vi.hoisted() callbacks. Instead, create bare vi.fn() stubs in
+ * vi.hoisted(), wire them into vi.mock(), then set implementations in
+ * beforeEach using these factories.
+ */
+
+import { vi } from 'vitest';
+
+/**
+ * Creates a mock Express router with vi.fn() stubs for the given HTTP methods.
+ * Defaults to get, post, use.
+ */
+export function createMockRouter(
+  methods: string[] = ['get', 'post', 'use'],
+): Record<string, ReturnType<typeof vi.fn>> {
+  const router: Record<string, ReturnType<typeof vi.fn>> = {};
+  for (const method of methods) {
+    router[method] = vi.fn();
+  }
+  return router;
+}
+
+/**
+ * Returns a fresh hash object with XOR-based deterministic digest.
+ * Use as: mockCreateHash.mockImplementation(createMockHashObject)
+ *
+ * Each call to the mock produces a new hash with independent state.
+ */
+export function createMockHashObject() {
+  const chunks: Buffer[] = [];
+  const hash = {
+    update(value: string, encoding?: BufferEncoding) {
+      chunks.push(Buffer.from(value, encoding ?? 'utf8'));
+      return hash;
+    },
+    digest() {
+      const data = Buffer.concat(chunks);
+      const digest = Buffer.alloc(32);
+      for (let i = 0; i < data.length; i += 1) {
+        digest[i % 32] ^= data[i];
+      }
+      return digest;
+    },
+  };
+  return hash;
+}
+
+/**
+ * Buffer-comparison implementation for timingSafeEqual mocks.
+ * Use as: mockTimingSafeEqual.mockImplementation(mockTimingSafeEqualImpl)
+ */
+export function mockTimingSafeEqualImpl(left: Buffer, right: Buffer) {
+  return left.length === right.length && left.equals(right);
+}
diff --git a/app/triggers/hooks/HookRunner.ts b/app/triggers/hooks/HookRunner.ts
index e9eef0fba..c44ec738a 100644
--- a/app/triggers/hooks/HookRunner.ts
+++ b/app/triggers/hooks/HookRunner.ts
@@ -20,6 +20,9 @@ interface HookResult {
   timedOut: boolean;
 }
 
+type HookLogger = Pick<typeof log, 'info' | 'warn'>;
+type HookOutput = string | Buffer;
+
 function isHooksExecutionEnabled(): boolean {
   return process.env.DD_HOOKS_ENABLED?.trim().toLowerCase() === 'true';
 }
@@ -38,14 +41,14 @@ function resolveExitCode(
   return typeof exitCode === 'number' ? exitCode : 1;
 }
 
-function toTruncatedText(output: unknown): string {
+function toTruncatedText(output: HookOutput): string {
   return typeof output === 'string' ? output.slice(0, MAX_OUTPUT_BYTES) : '';
 }
 
 function createHookResult(
   error: NodeJS.ErrnoException | null,
-  stdout: unknown,
-  stderr: unknown,
+  stdout: HookOutput,
+  stderr: HookOutput,
   fallbackExitCode: number | null,
 ): HookResult {
   const timedOut = isTimedOut(error);
@@ -57,7 +60,12 @@ function createHookResult(
   };
 }
 
-function logHookResult(hookLog: any, label: string, timeout: number, result: HookResult): void {
+function logHookResult(
+  hookLog: HookLogger,
+  label: string,
+  timeout: number,
+  result: HookResult,
+): void {
   if (result.timedOut) {
     hookLog.warn(`Hook ${label} timed out after ${timeout}ms`);
     return;
@@ -78,7 +86,7 @@ function logHookResult(hookLog: any, label: string, timeout: number, result: Hoo
  * unescaped arguments while still supporting shell syntax in the command.
  */
 export async function runHook(command: string, options: HookRunnerOptions): Promise<HookResult> {
-  const hookLog = log.child({ hook: options.label });
+  const hookLog: HookLogger = log.child({ hook: options.label });
   if (!isHooksExecutionEnabled()) {
     hookLog.info(`Skipping ${options.label} hook because DD_HOOKS_ENABLED is not true`);
     return {
@@ -95,7 +103,11 @@ export async function runHook(command: string, options: HookRunnerOptions): Prom
 
   return new Promise<HookResult>((resolve) => {
     let child: ReturnType<typeof execFile> | undefined;
-    const callback = (error: NodeJS.ErrnoException | null, stdout: unknown, stderr: unknown) => {
+    const callback = (
+      error: NodeJS.ErrnoException | null,
+      stdout: HookOutput,
+      stderr: HookOutput,
+    ) => {
       const result = createHookResult(error, stdout, stderr, child?.exitCode ?? null);
       logHookResult(hookLog, options.label, timeout, result);
       resolve(result);
diff --git a/app/triggers/providers/Trigger.test.ts b/app/triggers/providers/Trigger.test.ts
index 4952aee80..59a57fe62 100644
--- a/app/triggers/providers/Trigger.test.ts
+++ b/app/triggers/providers/Trigger.test.ts
@@ -1,10 +1,13 @@
 import joi from 'joi';
+import mockCron from 'node-cron';
+import * as configuration from '../../configuration/index.js';
 import * as event from '../../event/index.js';
 import log from '../../log/index.js';
 import * as storeContainer from '../../store/container.js';
 import * as notificationStore from '../../store/notification.js';
 import Trigger from './Trigger.js';
 
+vi.mock('node-cron');
 vi.mock('../../log');
 vi.mock('../../event');
 vi.mock('../../store/notification.js', () => ({
@@ -47,7 +50,95 @@ beforeEach(async () => {
 
 test('validateConfiguration should return validated configuration when valid', async () => {
   const validatedConfiguration = trigger.validateConfiguration(configurationValid);
-  expect(validatedConfiguration).toStrictEqual(configurationValid);
+  expect(validatedConfiguration).toStrictEqual({
+    ...configurationValid,
+    auto: 'all',
+    digestcron: '0 8 * * *',
+  });
+});
+
+test('validateConfiguration should normalize auto=true to all', () => {
+  const validatedConfiguration = trigger.validateConfiguration({
+    ...configurationValid,
+    auto: true,
+  });
+  expect(validatedConfiguration.auto).toBe('all');
+});
+
+test('validateConfiguration should normalize auto=false to none', () => {
+  const validatedConfiguration = trigger.validateConfiguration({
+    ...configurationValid,
+    auto: false,
+  });
+  expect(validatedConfiguration.auto).toBe('none');
+});
+
+test('validateConfiguration should accept and normalize auto all/none/oninclude values', () => {
+  expect(
+    trigger.validateConfiguration({
+      ...configurationValid,
+      auto: 'all',
+    }).auto,
+  ).toBe('all');
+
+  expect(
+    trigger.validateConfiguration({
+      ...configurationValid,
+      auto: 'none',
+    }).auto,
+  ).toBe('none');
+
+  expect(
+    trigger.validateConfiguration({
+      ...configurationValid,
+      auto: 'oninclude',
+    }).auto,
+  ).toBe('oninclude');
+});
+
+test('validateConfiguration should normalize mixed-case auto value', () => {
+  const validatedConfiguration = trigger.validateConfiguration({
+    ...configurationValid,
+    auto: 'OnInclude',
+  });
+  expect(validatedConfiguration.auto).toBe('oninclude');
+});
+
+test('validateConfiguration should default auto to all for notification triggers', () => {
+  trigger.type = 'slack';
+  const { auto, ...configurationWithoutAuto } = configurationValid;
+  const validatedConfiguration = trigger.validateConfiguration(configurationWithoutAuto);
+  expect(validatedConfiguration.auto).toBe('all');
+});
+
+test('validateConfiguration should default auto to oninclude for action triggers', () => {
+  trigger.type = 'docker';
+  const { auto, ...configurationWithoutAuto } = configurationValid;
+  const validatedConfiguration = trigger.validateConfiguration(configurationWithoutAuto);
+  expect(validatedConfiguration.auto).toBe('oninclude');
+});
+
+test('validateConfiguration should respect explicit auto=true on action triggers', () => {
+  trigger.type = 'docker';
+  const validatedConfiguration = trigger.validateConfiguration({
+    ...configurationValid,
+    auto: true,
+  });
+  expect(validatedConfiguration.auto).toBe('all');
+});
+
+test('validateConfiguration should default auto to oninclude for dockercompose triggers', () => {
+  trigger.type = 'dockercompose';
+  const { auto, ...configurationWithoutAuto } = configurationValid;
+  const validatedConfiguration = trigger.validateConfiguration(configurationWithoutAuto);
+  expect(validatedConfiguration.auto).toBe('oninclude');
+});
+
+test('validateConfiguration should default auto to oninclude for command triggers', () => {
+  trigger.type = 'command';
+  const { auto, ...configurationWithoutAuto } = configurationValid;
+  const validatedConfiguration = trigger.validateConfiguration(configurationWithoutAuto);
+  expect(validatedConfiguration.auto).toBe('oninclude');
 });
 
 test('validateConfiguration should accept digest and non-digest thresholds', async () => {
@@ -74,6 +165,31 @@ test('validateConfiguration should throw error when invalid', async () => {
   }).toThrowError(joi.ValidationError);
 });
 
+test('getMetadata should include trigger category for action types', () => {
+  trigger.type = 'docker';
+  trigger.name = 'update';
+
+  expect(trigger.getMetadata()).toEqual({
+    category: 'action',
+    usesLegacyPrefix: false,
+  });
+});
+
+test('getMetadata should include trigger category and legacy prefix usage for notification types', () => {
+  configuration.ddEnvVars.DD_TRIGGER_SLACK_NOTIFY_CHANNEL = 'ops';
+  configuration.getTriggerConfigurations();
+
+  trigger.type = 'slack';
+  trigger.name = 'notify';
+
+  expect(trigger.getMetadata()).toEqual({
+    category: 'notification',
+    usesLegacyPrefix: true,
+  });
+
+  delete configuration.ddEnvVars.DD_TRIGGER_SLACK_NOTIFY_CHANNEL;
+});
+
 test('init should register to container report when simple mode enabled', async () => {
   const spy = vi.spyOn(event, 'registerContainerReport');
   await trigger.init();
@@ -99,6 +215,71 @@ test('init should register handlers with trigger id and order', async () => {
   });
 });
 
+test('init should not register auto listeners when auto is none', async () => {
+  const reportSpy = vi.spyOn(event, 'registerContainerReport');
+  const reportsSpy = vi.spyOn(event, 'registerContainerReports');
+  const updateAppliedSpy = vi.spyOn(event, 'registerContainerUpdateApplied');
+  const updateFailedSpy = vi.spyOn(event, 'registerContainerUpdateFailed');
+  const securityAlertSpy = vi.spyOn(event, 'registerSecurityAlert');
+  const agentDisconnectedSpy = vi.spyOn(event, 'registerAgentDisconnected');
+  trigger.configuration = trigger.validateConfiguration({
+    ...configurationValid,
+    auto: 'none',
+  });
+
+  await trigger.init();
+
+  expect(reportSpy).not.toHaveBeenCalled();
+  expect(reportsSpy).not.toHaveBeenCalled();
+  expect(updateAppliedSpy).not.toHaveBeenCalled();
+  expect(updateFailedSpy).not.toHaveBeenCalled();
+  expect(securityAlertSpy).not.toHaveBeenCalled();
+  expect(agentDisconnectedSpy).not.toHaveBeenCalled();
+});
+
+test('init should not register auto listeners when auto is false', async () => {
+  const reportSpy = vi.spyOn(event, 'registerContainerReport');
+  const reportsSpy = vi.spyOn(event, 'registerContainerReports');
+  const updateAppliedSpy = vi.spyOn(event, 'registerContainerUpdateApplied');
+  const updateFailedSpy = vi.spyOn(event, 'registerContainerUpdateFailed');
+  const securityAlertSpy = vi.spyOn(event, 'registerSecurityAlert');
+  const agentDisconnectedSpy = vi.spyOn(event, 'registerAgentDisconnected');
+  trigger.configuration = trigger.validateConfiguration({
+    ...configurationValid,
+    auto: false,
+  });
+
+  await trigger.init();
+
+  expect(reportSpy).not.toHaveBeenCalled();
+  expect(reportsSpy).not.toHaveBeenCalled();
+  expect(updateAppliedSpy).not.toHaveBeenCalled();
+  expect(updateFailedSpy).not.toHaveBeenCalled();
+  expect(securityAlertSpy).not.toHaveBeenCalled();
+  expect(agentDisconnectedSpy).not.toHaveBeenCalled();
+});
+
+test('init should register auto listeners when auto is oninclude', async () => {
+  const reportSpy = vi.spyOn(event, 'registerContainerReport');
+  const updateAppliedSpy = vi.spyOn(event, 'registerContainerUpdateApplied');
+  const updateFailedSpy = vi.spyOn(event, 'registerContainerUpdateFailed');
+  const securityAlertSpy = vi.spyOn(event, 'registerSecurityAlert');
+  const agentDisconnectedSpy = vi.spyOn(event, 'registerAgentDisconnected');
+  trigger.configuration = trigger.validateConfiguration({
+    ...configurationValid,
+    auto: 'oninclude',
+    mode: 'simple',
+  });
+
+  await trigger.init();
+
+  expect(reportSpy).toHaveBeenCalled();
+  expect(updateAppliedSpy).toHaveBeenCalled();
+  expect(updateFailedSpy).toHaveBeenCalled();
+  expect(securityAlertSpy).toHaveBeenCalled();
+  expect(agentDisconnectedSpy).toHaveBeenCalled();
+});
+
 test('deregister should unregister container report handler', async () => {
   const unregisterHandler = vi.fn();
   vi.spyOn(event, 'registerContainerReport').mockReturnValue(unregisterHandler);
@@ -230,6 +411,29 @@ test('handleContainerReport should stringify non-Error failures', async () => {
   expect(spyLog).toHaveBeenCalledWith('Error (string failure)');
 });
 
+test('handleContainerReport should stringify symbol failures', async () => {
+  trigger.configuration = {
+    threshold: 'all',
+    mode: 'simple',
+  };
+  const symbolFailure = Symbol('symbol failure');
+  trigger.trigger = () => {
+    throw symbolFailure;
+  };
+  await trigger.init();
+  const spyLog = vi.spyOn(log, 'warn');
+
+  await trigger.handleContainerReport({
+    changed: true,
+    container: {
+      name: 'container1',
+      updateAvailable: true,
+    },
+  });
+
+  expect(spyLog).toHaveBeenCalledWith(`Error (${String(symbolFailure)})`);
+});
+
 test('handleContainerReport should suppress repeated identical errors during a short burst', async () => {
   trigger.configuration = {
     threshold: 'all',
@@ -636,6 +840,67 @@ test('mustTrigger should accept trigger name-only exclude filters', async () =>
   ).toBe(false);
 });
 
+test('mustTrigger should fire without include label when auto is true', () => {
+  trigger.type = 'docker';
+  trigger.name = 'update';
+  trigger.configuration.auto = true;
+
+  expect(
+    trigger.mustTrigger({
+      updateKind: {
+        kind: 'tag',
+        semverDiff: 'minor',
+      },
+    }),
+  ).toBe(true);
+});
+
+test('mustTrigger should fire without include label when auto is all', () => {
+  trigger.type = 'docker';
+  trigger.name = 'update';
+  trigger.configuration.auto = 'all';
+
+  expect(
+    trigger.mustTrigger({
+      updateKind: {
+        kind: 'tag',
+        semverDiff: 'minor',
+      },
+    }),
+  ).toBe(true);
+});
+
+test('mustTrigger should not fire without include label when auto is oninclude', () => {
+  trigger.type = 'docker';
+  trigger.name = 'update';
+  trigger.configuration.auto = 'oninclude';
+
+  expect(
+    trigger.mustTrigger({
+      updateKind: {
+        kind: 'tag',
+        semverDiff: 'minor',
+      },
+    }),
+  ).toBe(false);
+});
+
+test('mustTrigger should fire with include label when auto is oninclude', () => {
+  trigger.type = 'docker';
+  trigger.name = 'update';
+  trigger.configuration.auto = 'oninclude';
+
+  expect(
+    trigger.mustTrigger({
+      triggerInclude: 'update:minor',
+      updateKind: {
+        kind: 'tag',
+        semverDiff: 'minor',
+      },
+    }),
+  ).toBe(true);
+});
+
 // --- Hybrid Triggers: name-only matching for include/exclude ---
 
 test('doesReferenceMatchId should match name-only against multiple trigger types', async () => {
@@ -778,6 +1043,195 @@ test('renderSimpleBody should replace placeholders when template is a customized
   ).toEqual('Watcher DUMMY reports container container-name available update');
 });
 
+test('renderSimpleTitle should use dedicated template for agent disconnect events', () => {
+  const container = {
+    id: 'agent-servicevault',
+    name: 'servicevault',
+    watcher: 'agent',
+    status: 'disconnected',
+    image: {
+      id: 'agent-servicevault',
+      registry: {
+        name: 'agent',
+        url: 'agent://servicevault',
+      },
+      name: 'servicevault',
+      tag: {
+        value: 'disconnected',
+        semver: false,
+      },
+      digest: {
+        watch: false,
+      },
+      architecture: 'unknown',
+      os: 'unknown',
+    },
+    updateAvailable: false,
+    updateKind: {
+      kind: 'unknown',
+    },
+    notificationEvent: {
+      kind: 'agent-disconnect',
+      agentName: 'servicevault',
+      reason: 'SSE connection lost',
+    },
+  } as any;
+
+  expect(trigger.renderSimpleTitle(container)).toBe('Agent servicevault disconnected');
+});
+
+test('renderSimpleBody should use dedicated template for agent disconnect events', () => {
+  const container = {
+    id: 'agent-servicevault',
+    name: 'servicevault',
+    watcher: 'agent',
+    status: 'disconnected',
+    image: {
+      id: 'agent-servicevault',
+      registry: {
+        name: 'agent',
+        url: 'agent://servicevault',
+      },
+      name: 'servicevault',
+      tag: {
+        value: 'disconnected',
+        semver: false,
+      },
+      digest: {
+        watch: false,
+      },
+      architecture: 'unknown',
+      os: 'unknown',
+    },
+    updateAvailable: false,
+    updateKind: {
+      kind: 'unknown',
+    },
+    notificationEvent: {
+      kind: 'agent-disconnect',
+      agentName: 'servicevault',
+      reason: 'SSE connection lost',
+    },
+  } as any;
+
+  expect(trigger.renderSimpleBody(container)).toBe(
+    'Agent servicevault disconnected: SSE connection lost',
+  );
+});
+
+test('renderSimpleBody should omit the reason suffix for agent disconnect events without a reason', () => {
+  const container = {
+    id: 'agent-servicevault',
+    name: 'servicevault',
+    watcher: 'agent',
+    status: 'disconnected',
+    image: {
+      id: 'agent-servicevault',
+      registry: {
+        name: 'agent',
+        url: 'agent://servicevault',
+      },
+      name: 'servicevault',
+      tag: {
+        value: 'disconnected',
+        semver: false,
+      },
+      digest: {
+        watch: false,
+      },
+      architecture: 'unknown',
+      os: 'unknown',
+    },
+    updateAvailable: false,
+    updateKind: {
+      kind: 'unknown',
+    },
+    notificationEvent: {
+      kind: 'agent-disconnect',
+      agentName: 'servicevault',
+    },
+  } as any;
+
+  expect(trigger.renderSimpleBody(container)).toBe('Agent servicevault disconnected');
+});
+
+test('renderSimpleTitle should fall back to the standard template for unsupported notification events', () => {
+  const container = {
+    id: 'container-servicevault',
+    name: 'servicevault',
+    watcher: 'agent',
+    status: 'running',
+    image: {
+      id: 'container-servicevault',
+      registry: {
+        name: 'agent',
+        url: 'agent://servicevault',
+      },
+      name: 'servicevault',
+      tag: {
+        value: '1.0.0',
+        semver: false,
+      },
+      digest: {
+        watch: false,
+      },
+      architecture: 'unknown',
+      os: 'unknown',
+    },
+    updateAvailable: true,
+    updateKind: {
+      kind: 'tag',
+    },
+    notificationEvent: {
+      kind: 'security-alert',
+      agentName: 'servicevault',
+    },
+  } as any;
+
+  expect(trigger.renderSimpleTitle(container)).toBe('New tag found for container servicevault');
+});
+
+test('renderSimpleBody should fall back to the standard template when agent disconnect metadata is invalid', () => {
+  const container = {
+    id: 'container-servicevault',
+    name: 'servicevault',
+    watcher: 'agent',
+    status: 'running',
+    image: {
+      id: 'container-servicevault',
+      registry: {
+        name: 'agent',
+        url: 'agent://servicevault',
+      },
+      name: 'servicevault',
+      tag: {
+        value: '1.0.0',
+        semver: false,
+      },
+      digest: {
+        watch: false,
+      },
+      architecture: 'unknown',
+      os: 'unknown',
+    },
+    updateAvailable: true,
+    updateKind: {
+      kind: 'tag',
+      localValue: '1.0.0',
+      remoteValue: '2.0.0',
+    },
+    notificationEvent: {
+      kind: 'agent-disconnect',
+      agentName: '',
+      reason: 'SSE connection lost',
+    },
+  } as any;
+
+  expect(trigger.renderSimpleBody(container)).toBe(
+    'Container servicevault running with tag 1.0.0 can be updated to tag 2.0.0',
+  );
+});
+
 test('renderSimpleBody should evaluate js functions when template is a customized one', async () => {
   trigger.configuration.simplebody =
     'Container ${name} update from ${local.substring(0, 15)} to ${remote.substring(0, 15)}';
@@ -793,6 +1247,49 @@ test('renderSimpleBody should evaluate js functions when template is a customize
   ).toEqual('Container container-name update from sha256:9a82d577 to sha256:6cdd4791');
 });
 
+test('renderSimpleBody should expose releaseNotes variables and truncate body for notification context', async () => {
+  const longReleaseBody = 'x'.repeat(900);
+  trigger.configuration.simplebody =
+    '${container.result.releaseNotes.title}|${container.result.releaseNotes.url}|${container.result.releaseNotes.body}';
+
+  const renderedBody = trigger.renderSimpleBody({
+    name: 'container-name',
+    result: {
+      releaseNotes: {
+        title: 'Release 2.0.0',
+        body: longReleaseBody,
+        url: 'https://github.com/acme/service/releases/tag/v2.0.0',
+        publishedAt: '2026-03-01T00:00:00.000Z',
+        provider: 'github',
+      },
+    },
+  });
+
+  const [title, url, body] = renderedBody.split('|');
+  expect(title).toBe('Release 2.0.0');
+  expect(url).toBe('https://github.com/acme/service/releases/tag/v2.0.0');
+  expect(body.length).toBeLessThanOrEqual(500);
+});
+
+test('renderSimpleBody should keep short releaseNotes body unchanged', () => {
+  trigger.configuration.simplebody = '${container.result.releaseNotes.body}';
+
+  const renderedBody = trigger.renderSimpleBody({
+    name: 'container-name',
+    result: {
+      releaseNotes: {
+        title: 'Release 2.0.1',
+        body: 'short body',
+        url: 'https://github.com/acme/service/releases/tag/v2.0.1',
+        publishedAt: '2026-03-01T00:00:00.000Z',
+        provider: 'github',
+      },
+    },
+  });
+
+  expect(renderedBody).toBe('short body');
+});
+
 test('renderBatchTitle should replace placeholders when called', async () => {
   expect(
     trigger.renderBatchTitle([
@@ -826,6 +1323,70 @@ test('renderBatchBody should replace placeholders when called', async () => {
   );
 });
 
+test('composeMessage should include title and body when disabletitle is false', () => {
+  trigger.configuration.disabletitle = false;
+  trigger.configuration.simpletitle = 'Title for ${container.name}';
+  trigger.configuration.simplebody = 'Body for ${container.name}';
+
+  expect(
+    trigger.composeMessage({
+      name: 'container-name',
+      updateKind: {
+        kind: 'tag',
+      },
+    }),
+  ).toBe('Title for container-name\n\nBody for container-name');
+});
+
+test('composeMessage should return body only when disabletitle is true', () => {
+  trigger.configuration.disabletitle = true;
+  trigger.configuration.simpletitle = 'Title for ${container.name}';
+  trigger.configuration.simplebody = 'Body for ${container.name}';
+
+  expect(
+    trigger.composeMessage({
+      name: 'container-name',
+      updateKind: {
+        kind: 'tag',
+      },
+    }),
+  ).toBe('Body for container-name');
+});
+
+test('composeBatchMessage should include title and body when disabletitle is false', () => {
+  trigger.configuration.disabletitle = false;
+  trigger.configuration.batchtitle = 'Batch ${containers.length}';
+  trigger.configuration.simplebody = 'Body for ${container.name}';
+
+  expect(
+    trigger.composeBatchMessage([
+      {
+        name: 'container-name',
+        updateKind: {
+          kind: 'tag',
+        },
+      },
+    ]),
+  ).toBe('Batch 1\n\n- Body for container-name\n');
+});
+
+test('composeBatchMessage should return body only when disabletitle is true', () => {
+  trigger.configuration.disabletitle = true;
+  trigger.configuration.batchtitle = 'Batch ${containers.length}';
+  trigger.configuration.simplebody = 'Body for ${container.name}';
+
+  expect(
+    trigger.composeBatchMessage([
+      {
+        name: 'container-name',
+        updateKind: {
+          kind: 'tag',
+        },
+      },
+    ]),
+  ).toBe('- Body for container-name\n');
+});
+
 test('init should invoke registered simple callback when handleContainerReport is called', async () => {
   let capturedCallback;
   vi.spyOn(event, 'registerContainerReport').mockImplementation((cb) => {
@@ -1037,23 +1598,32 @@ test('handleContainerUpdateAppliedEvent should suppress repeated identical dispa
 });
 
 test('handleContainerUpdateFailedEvent should run batch trigger when configured in batch mode', async () => {
+  vi.useFakeTimers();
   const container = {
     watcher: 'local',
     name: 'container1',
     updateAvailable: true,
     updateKind: { kind: 'tag', semverDiff: 'major' },
   };
-  trigger.configuration.mode = 'batch';
-  storeContainer.getContainers.mockReturnValue([container]);
-  const triggerBatchSpy = vi.spyOn(trigger, 'triggerBatch').mockResolvedValue(undefined);
+  try {
+    trigger.configuration.mode = 'batch';
+    storeContainer.getContainers.mockReturnValue([container]);
+    const triggerBatchSpy = vi.spyOn(trigger, 'triggerBatch').mockResolvedValue(undefined);
+
+    await trigger.handleContainerUpdateFailedEvent({
+      containerName: 'local_container1',
+      error: 'boom',
+    });
 
-  await trigger.handleContainerUpdateFailedEvent({
-    containerName: 'local_container1',
-    error: 'boom',
-  });
+    expect(triggerBatchSpy).not.toHaveBeenCalled();
 
-  expect(triggerBatchSpy).toHaveBeenCalledWith([container]);
-});
+    await vi.runOnlyPendingTimersAsync();
+
+    expect(triggerBatchSpy).toHaveBeenCalledWith([container]);
+  } finally {
+    vi.useRealTimers();
+  }
+});
 
 test('handleContainerUpdateFailedEvent should skip when threshold is not reached', async () => {
   const container = {
@@ -1156,6 +1726,85 @@ test('handleSecurityAlertEvent should catch trigger execution errors', async ()
   expect(debugSpy).toHaveBeenCalledWith(expect.any(Error));
 });
 
+test('handleContainerUpdateAppliedEvent should aggregate nearby update-applied events in batch mode', async () => {
+  vi.useFakeTimers();
+  const containers = [
+    {
+      watcher: 'local',
+      name: 'container1',
+      updateAvailable: true,
+      updateKind: { kind: 'tag', semverDiff: 'major' },
+    },
+    {
+      watcher: 'local',
+      name: 'container2',
+      updateAvailable: true,
+      updateKind: { kind: 'tag', semverDiff: 'major' },
+    },
+  ];
+
+  try {
+    trigger.configuration.mode = 'batch';
+    storeContainer.getContainers.mockReturnValue(containers);
+    const triggerBatchSpy = vi.spyOn(trigger, 'triggerBatch').mockResolvedValue(undefined);
+
+    await trigger.handleContainerUpdateAppliedEvent('local_container1');
+    await trigger.handleContainerUpdateAppliedEvent('local_container2');
+
+    expect(triggerBatchSpy).not.toHaveBeenCalled();
+
+    await vi.runOnlyPendingTimersAsync();
+
+    expect(triggerBatchSpy).toHaveBeenCalledTimes(1);
+    expect(triggerBatchSpy).toHaveBeenCalledWith(containers);
+  } finally {
+    vi.useRealTimers();
+  }
+});
+
+test('handleSecurityAlertEvent should aggregate nearby security alerts in batch mode', async () => {
+  vi.useFakeTimers();
+  const containers = [
+    {
+      watcher: 'local',
+      name: 'container1',
+      updateAvailable: true,
+      updateKind: { kind: 'tag', semverDiff: 'major' },
+    },
+    {
+      watcher: 'local',
+      name: 'container2',
+      updateAvailable: true,
+      updateKind: { kind: 'tag', semverDiff: 'major' },
+    },
+  ];
+
+  try {
+    trigger.configuration.mode = 'batch';
+    const triggerBatchSpy = vi.spyOn(trigger, 'triggerBatch').mockResolvedValue(undefined);
+
+    await trigger.handleSecurityAlertEvent({
+      containerName: 'local_container1',
+      details: 'high=1',
+      container: containers[0],
+    });
+    await trigger.handleSecurityAlertEvent({
+      containerName: 'local_container2',
+      details: 'high=2',
+      container: containers[1],
+    });
+
+    expect(triggerBatchSpy).not.toHaveBeenCalled();
+
+    await vi.runOnlyPendingTimersAsync();
+
+    expect(triggerBatchSpy).toHaveBeenCalledTimes(1);
+    expect(triggerBatchSpy).toHaveBeenCalledWith(containers);
+  } finally {
+    vi.useRealTimers();
+  }
+});
+
 test('handleAgentDisconnectedEvent should bypass threshold filtering', async () => {
   trigger.configuration.threshold = 'major-only';
   const triggerSpy = vi.spyOn(trigger, 'trigger').mockResolvedValue(undefined);
@@ -1170,11 +1819,16 @@ test('handleAgentDisconnectedEvent should bypass threshold filtering', async ()
       name: 'edge-a',
       watcher: 'agent',
       status: 'disconnected',
+      notificationEvent: {
+        kind: 'agent-disconnect',
+        agentName: 'edge-a',
+        reason: 'disconnected',
+      },
     }),
   );
 });
 
-test('handleAgentDisconnectedEvent should use disconnected fallback values when reason is missing', async () => {
+test('handleAgentDisconnectedEvent should omit agent disconnect reason when it is missing', async () => {
   const triggerSpy = vi.spyOn(trigger, 'trigger').mockResolvedValue(undefined);
 
   await trigger.handleAgentDisconnectedEvent({
@@ -1183,15 +1837,37 @@ test('handleAgentDisconnectedEvent should use disconnected fallback values when
 
   expect(triggerSpy).toHaveBeenCalledWith(
     expect.objectContaining({
-      updateKind: expect.objectContaining({
-        localValue: 'disconnected',
-        remoteValue: 'disconnected',
-      }),
+      notificationEvent: {
+        kind: 'agent-disconnect',
+        agentName: 'edge-a',
+      },
       error: undefined,
     }),
   );
 });
 
+test('handleAgentDisconnectedEvent should use simple dispatch even when trigger mode is batch', async () => {
+  trigger.configuration.mode = 'batch';
+  const triggerSpy = vi.spyOn(trigger, 'trigger').mockResolvedValue(undefined);
+  const triggerBatchSpy = vi.spyOn(trigger, 'triggerBatch').mockResolvedValue(undefined);
+
+  await trigger.handleAgentDisconnectedEvent({
+    agentName: 'edge-a',
+    reason: 'SSE connection lost',
+  });
+
+  expect(triggerSpy).toHaveBeenCalledWith(
+    expect.objectContaining({
+      notificationEvent: {
+        kind: 'agent-disconnect',
+        agentName: 'edge-a',
+        reason: 'SSE connection lost',
+      },
+    }),
+  );
+  expect(triggerBatchSpy).not.toHaveBeenCalled();
+});
+
 test('dispatchContainerForEvent should fallback to all threshold when threshold is undefined', async () => {
   const container = {
     watcher: 'local',
@@ -1592,6 +2268,61 @@ test('handleContainerReports should suppress repeated identical batch errors dur
   expect(debugSpy).toHaveBeenCalledWith('Suppressed repeated error (batch fail)');
 });
 
+test('flushEventBatchDispatch should warn when auto event batch dispatch fails', async () => {
+  trigger.configuration = {
+    threshold: 'all',
+    mode: 'batch',
+  };
+  trigger.triggerBatch = vi.fn().mockRejectedValue(new Error('event batch fail'));
+  vi.spyOn(trigger as any, 'shouldSuppressAutoTriggerError').mockReturnValue(false);
+
+  const warnSpy = vi.spyOn(log, 'warn');
+  const debugSpy = vi.spyOn(log, 'debug');
+
+  await (trigger as any).flushEventBatchDispatch('update-applied', [
+    { name: 'c1', watcher: 'local' },
+  ]);
+
+  expect(warnSpy).toHaveBeenCalledWith('Error handling update-applied event (event batch fail)');
+  expect(debugSpy).toHaveBeenCalledWith(expect.any(Error));
+});
+
+test('flushEventBatchDispatch should skip empty batches', async () => {
+  trigger.configuration = {
+    threshold: 'all',
+    mode: 'batch',
+  };
+  trigger.triggerBatch = vi.fn();
+
+  await (trigger as any).flushEventBatchDispatch('update-applied', []);
+
+  expect(trigger.triggerBatch).not.toHaveBeenCalled();
+});
+
+test('flushEventBatchDispatch should suppress repeated auto event batch errors', async () => {
+  trigger.configuration = {
+    threshold: 'all',
+    mode: 'batch',
+  };
+  trigger.triggerBatch = vi.fn().mockRejectedValue(new Error('event batch fail'));
+  vi.spyOn(trigger as any, 'shouldSuppressAutoTriggerError').mockReturnValue(true);
+
+  const warnSpy = vi.spyOn(log, 'warn');
+  const debugSpy = vi.spyOn(log, 'debug');
+
+  await (trigger as any).flushEventBatchDispatch('update-applied', [
+    { name: 'c1', watcher: 'local' },
+  ]);
+
+  expect(warnSpy).not.toHaveBeenCalledWith(
+    'Error handling update-applied event (event batch fail)',
+  );
+  expect(debugSpy).toHaveBeenCalledWith(
+    'Suppressed repeated error handling update-applied event (event batch fail)',
+  );
+  expect(debugSpy).toHaveBeenCalledWith(expect.any(Error));
+});
+
 test('shouldSuppressAutoTriggerError should prune stale cache entries', () => {
   const triggerAny = trigger as any;
   triggerAny.autoTriggerErrorSeenAt.set('stale-signature', 0);
@@ -1621,6 +2352,32 @@ test('doesReferenceMatchId should return false when trigger id has no name segme
   expect(Trigger.doesReferenceMatchId('update', '')).toBe(false);
 });
 
+test('canonicalizeReportName should strip docker recreate aliases', () => {
+  const report = {
+    container: {
+      name: '0123456789ab_nginx',
+    },
+    changed: false,
+  };
+
+  Trigger.canonicalizeReportName(report);
+
+  expect(report.container.name).toBe('nginx');
+});
+
+test('canonicalizeReportName should ignore reports without a string name', () => {
+  const report = {
+    container: {
+      name: undefined,
+    },
+    changed: false,
+  };
+
+  Trigger.canonicalizeReportName(report);
+
+  expect(report.container.name).toBeUndefined();
+});
+
 test('preview should return an empty object by default', async () => {
   await expect(trigger.preview({})).resolves.toEqual({});
 });
@@ -1634,3 +2391,452 @@ test('maskFields should mask non-empty configured values', () => {
   expect(masked.token).toBe('[REDACTED]');
   expect(masked.empty).toBe('');
 });
+
+describe('digest mode', () => {
+  const mockStop = vi.fn();
+
+  beforeEach(() => {
+    vi.mocked(mockCron.schedule).mockReturnValue({ stop: mockStop } as any);
+    vi.mocked(event.registerContainerReport).mockReturnValue(vi.fn());
+    vi.mocked(event.registerContainerUpdateApplied).mockReturnValue(vi.fn());
+    vi.mocked(event.registerContainerUpdateFailed).mockReturnValue(vi.fn());
+    vi.mocked(event.registerSecurityAlert).mockReturnValue(vi.fn());
+    vi.mocked(event.registerAgentDisconnected).mockReturnValue(vi.fn());
+    vi.mocked(mockCron.validate).mockReturnValue(true);
+  });
+
+  test('validateConfiguration should accept digest mode', () => {
+    const validated = trigger.validateConfiguration({
+      ...configurationValid,
+      mode: 'digest',
+    });
+    expect(validated.mode).toBe('digest');
+  });
+
+  test('validateConfiguration should default digestcron to 0 8 * * *', () => {
+    const validated = trigger.validateConfiguration(configurationValid);
+    expect(validated.digestcron).toBe('0 8 * * *');
+  });
+
+  test('init should schedule digest cron when mode is digest', async () => {
+    await trigger.register('trigger', 'test', 'digest-trigger', {
+      ...configurationValid,
+      mode: 'digest',
+      digestcron: '0 9 * * *',
+    });
+    trigger.init();
+
+    expect(event.registerContainerReport).toHaveBeenCalled();
+    expect(mockCron.schedule).toHaveBeenCalledWith('0 9 * * *', expect.any(Function));
+  });
+
+  test('handleContainerReportDigest should buffer containers', async () => {
+    await trigger.register('trigger', 'test', 'digest-trigger', {
+      ...configurationValid,
+      mode: 'digest',
+    });
+    trigger.init();
+
+    await trigger.handleContainerReportDigest({
+      container: {
+        id: 'c1',
+        name: 'app',
+        watcher: 'test',
+        updateAvailable: true,
+        updateKind: { kind: 'tag', localValue: '1.0', remoteValue: '2.0' },
+      },
+      changed: true,
+    });
+
+    // Buffer should have one entry — verified via flush
+    const triggerBatchSpy = vi.spyOn(trigger, 'triggerBatch').mockResolvedValue(undefined);
+    await trigger.flushDigestBuffer();
+    expect(triggerBatchSpy).toHaveBeenCalledWith([expect.objectContaining({ name: 'app' })]);
+    triggerBatchSpy.mockRestore();
+  });
+
+  test('handleContainerReportDigest should return early when auto trigger is disabled', async () => {
+    await trigger.register('trigger', 'test', 'digest-trigger', {
+      ...configurationValid,
+      mode: 'digest',
+    });
+    trigger.init();
+    notificationStore.isTriggerEnabledForRule.mockReturnValue(false);
+
+    const triggerBatchSpy = vi.spyOn(trigger, 'triggerBatch').mockResolvedValue(undefined);
+    await trigger.handleContainerReportDigest({
+      container: {
+        id: 'c1',
+        name: 'app',
+        watcher: 'test',
+        updateAvailable: true,
+        updateKind: { kind: 'tag', localValue: '1.0', remoteValue: '2.0' },
+      },
+      changed: true,
+    });
+    await trigger.flushDigestBuffer();
+
+    expect(triggerBatchSpy).not.toHaveBeenCalled();
+    triggerBatchSpy.mockRestore();
+  });
+
+  test('handleContainerReportDigest should return early when report is not eligible for simple handling', async () => {
+    await trigger.register('trigger', 'test', 'digest-trigger', {
+      ...configurationValid,
+      mode: 'digest',
+    });
+    trigger.init();
+
+    const triggerBatchSpy = vi.spyOn(trigger, 'triggerBatch').mockResolvedValue(undefined);
+    await trigger.handleContainerReportDigest({
+      container: {
+        id: 'c1',
+        name: 'app',
+        watcher: 'test',
+        updateAvailable: false,
+        updateKind: { kind: 'tag', localValue: '1.0', remoteValue: '2.0' },
+      },
+      changed: false,
+    });
+    await trigger.flushDigestBuffer();
+
+    expect(triggerBatchSpy).not.toHaveBeenCalled();
+    triggerBatchSpy.mockRestore();
+  });
+
+  test('handleContainerReportDigest should return early when threshold is not reached', async () => {
+    await trigger.register('trigger', 'test', 'digest-trigger', {
+      ...configurationValid,
+      mode: 'digest',
+    });
+    trigger.init();
+    const thresholdSpy = vi.spyOn(Trigger, 'isThresholdReached').mockReturnValue(false);
+
+    try {
+      const triggerBatchSpy = vi.spyOn(trigger, 'triggerBatch').mockResolvedValue(undefined);
+      await trigger.handleContainerReportDigest({
+        container: {
+          id: 'c1',
+          name: 'app',
+          watcher: 'test',
+          updateAvailable: true,
+          updateKind: { kind: 'digest', localValue: 'sha256:1', remoteValue: 'sha256:2' },
+        },
+        changed: true,
+      });
+      await trigger.flushDigestBuffer();
+
+      expect(triggerBatchSpy).not.toHaveBeenCalled();
+      triggerBatchSpy.mockRestore();
+    } finally {
+      thresholdSpy.mockRestore();
+    }
+  });
+
+  test('handleContainerReportDigest should return early when mustTrigger rejects the container', async () => {
+    await trigger.register('trigger', 'test', 'digest-trigger', {
+      ...configurationValid,
+      mode: 'digest',
+    });
+    trigger.init();
+
+    const triggerBatchSpy = vi.spyOn(trigger, 'triggerBatch').mockResolvedValue(undefined);
+    await trigger.handleContainerReportDigest({
+      container: {
+        id: 'c1',
+        name: 'app-old-1234567890',
+        watcher: 'test',
+        updateAvailable: true,
+        updateKind: { kind: 'tag', localValue: '1.0', remoteValue: '2.0' },
+      },
+      changed: true,
+    });
+    await trigger.flushDigestBuffer();
+
+    expect(triggerBatchSpy).not.toHaveBeenCalled();
+    triggerBatchSpy.mockRestore();
+  });
+
+  test('flushDigestBuffer should skip when buffer is empty', async () => {
+    await trigger.register('trigger', 'test', 'digest-trigger', {
+      ...configurationValid,
+      mode: 'digest',
+    });
+
+    const triggerBatchSpy = vi.spyOn(trigger, 'triggerBatch').mockResolvedValue(undefined);
+    await trigger.flushDigestBuffer();
+    expect(triggerBatchSpy).not.toHaveBeenCalled();
+    triggerBatchSpy.mockRestore();
+  });
+
+  test('flushDigestBuffer should deduplicate by keeping latest container', async () => {
+    await trigger.register('trigger', 'test', 'digest-trigger', {
+      ...configurationValid,
+      mode: 'digest',
+    });
+    trigger.init();
+
+    const report1 = {
+      container: {
+        id: 'c1',
+        name: 'app',
+        watcher: 'test',
+        updateAvailable: true,
+        updateKind: { kind: 'tag', localValue: '1.0', remoteValue: '2.0' },
+      },
+      changed: true,
+    };
+    const report2 = {
+      container: {
+        id: 'c1',
+        name: 'app',
+        watcher: 'test',
+        updateAvailable: true,
+        updateKind: { kind: 'tag', localValue: '1.0', remoteValue: '3.0' },
+      },
+      changed: true,
+    };
+
+    await trigger.handleContainerReportDigest(report1);
+    await trigger.handleContainerReportDigest(report2);
+
+    const triggerBatchSpy = vi.spyOn(trigger, 'triggerBatch').mockResolvedValue(undefined);
+    await trigger.flushDigestBuffer();
+    expect(triggerBatchSpy).toHaveBeenCalledTimes(1);
+    expect(triggerBatchSpy).toHaveBeenCalledWith([
+      expect.objectContaining({ updateKind: expect.objectContaining({ remoteValue: '3.0' }) }),
+    ]);
+    triggerBatchSpy.mockRestore();
+  });
+
+  test('flushDigestBuffer should clear buffer after flush', async () => {
+    await trigger.register('trigger', 'test', 'digest-trigger', {
+      ...configurationValid,
+      mode: 'digest',
+    });
+    trigger.init();
+
+    await trigger.handleContainerReportDigest({
+      container: {
+        id: 'c1',
+        name: 'app',
+        watcher: 'test',
+        updateAvailable: true,
+        updateKind: { kind: 'tag', localValue: '1.0', remoteValue: '2.0' },
+      },
+      changed: true,
+    });
+
+    const triggerBatchSpy = vi.spyOn(trigger, 'triggerBatch').mockResolvedValue(undefined);
+    await trigger.flushDigestBuffer();
+    await trigger.flushDigestBuffer(); // second flush should be no-op
+    expect(triggerBatchSpy).toHaveBeenCalledTimes(1);
+    triggerBatchSpy.mockRestore();
+  });
+
+  test('deregisterComponent should stop digest cron and clear buffer', async () => {
+    await trigger.register('trigger', 'test', 'digest-trigger', {
+      ...configurationValid,
+      mode: 'digest',
+    });
+    trigger.init();
+
+    await trigger.handleContainerReportDigest({
+      container: {
+        id: 'c1',
+        name: 'app',
+        watcher: 'test',
+        updateAvailable: true,
+        updateKind: { kind: 'tag', localValue: '1.0', remoteValue: '2.0' },
+      },
+      changed: true,
+    });
+
+    await trigger.deregisterComponent();
+    expect(mockStop).toHaveBeenCalled();
+
+    // Buffer should be cleared — flush should be no-op
+    const triggerBatchSpy = vi.spyOn(trigger, 'triggerBatch').mockResolvedValue(undefined);
+    await trigger.flushDigestBuffer();
+    expect(triggerBatchSpy).not.toHaveBeenCalled();
+    triggerBatchSpy.mockRestore();
+  });
+
+  test('clearEventBatchDispatches should clear pending timers and buffered containers', () => {
+    const clearTimeoutSpy = vi.spyOn(globalThis, 'clearTimeout');
+    const timer = setTimeout(() => undefined, 1_000);
+    const scheduledDispatch = {
+      timer,
+      containers: new Map([['test_app', { name: 'app', watcher: 'test' }]]),
+    };
+    const unscheduledDispatch = {
+      containers: new Map([['test_web', { name: 'web', watcher: 'test' }]]),
+    };
+
+    (trigger as any).eventBatchDispatches.set('update-applied', scheduledDispatch);
+    (trigger as any).eventBatchDispatches.set('update-failed', unscheduledDispatch);
+
+    (trigger as any).clearEventBatchDispatches();
+
+    expect(clearTimeoutSpy).toHaveBeenCalledWith(timer);
+    expect(scheduledDispatch.containers.size).toBe(0);
+    expect(scheduledDispatch.timer).toBeUndefined();
+    expect(unscheduledDispatch.containers.size).toBe(0);
+    expect(unscheduledDispatch.timer).toBeUndefined();
+    expect((trigger as any).eventBatchDispatches.size).toBe(0);
+  });
+
+  test('handleContainerUpdateAppliedEvent should evict container from digest buffer', async () => {
+    await trigger.register('trigger', 'test', 'digest-trigger', {
+      ...configurationValid,
+      mode: 'digest',
+    });
+    trigger.init();
+
+    await trigger.handleContainerReportDigest({
+      container: {
+        id: 'c1',
+        name: 'app',
+        watcher: 'test',
+        updateAvailable: true,
+        updateKind: { kind: 'tag', localValue: '1.0', remoteValue: '2.0' },
+      },
+      changed: true,
+    });
+    await trigger.handleContainerReportDigest({
+      container: {
+        id: 'c2',
+        name: 'web',
+        watcher: 'test',
+        updateAvailable: true,
+        updateKind: { kind: 'tag', localValue: '1.0', remoteValue: '3.0' },
+      },
+      changed: true,
+    });
+
+    // Simulate update applied for 'app' — uses full business ID (watcher_name)
+    await trigger.handleContainerUpdateAppliedEvent('test_app');
+
+    // Flush should only contain 'web'
+    const triggerBatchSpy = vi.spyOn(trigger, 'triggerBatch').mockResolvedValue(undefined);
+    await trigger.flushDigestBuffer();
+    expect(triggerBatchSpy).toHaveBeenCalledWith([expect.objectContaining({ name: 'web' })]);
+    triggerBatchSpy.mockRestore();
+  });
+
+  test('validateConfiguration should reject invalid digestcron expression', () => {
+    vi.mocked(mockCron.validate).mockReturnValue(false);
+    expect(() =>
+      trigger.validateConfiguration({
+        ...configurationValid,
+        digestcron: 'not-a-cron',
+      }),
+    ).toThrow('digestcron must be a valid cron expression');
+  });
+
+  test('validateConfiguration should accept valid digestcron expression', () => {
+    const validated = trigger.validateConfiguration({
+      ...configurationValid,
+      digestcron: '30 6 * * 1-5',
+    });
+    expect(validated.digestcron).toBe('30 6 * * 1-5');
+  });
+
+  test('flushDigestBuffer should log warning and increment error counter when triggerBatch throws', async () => {
+    await trigger.register('trigger', 'test', 'digest-trigger', {
+      ...configurationValid,
+      mode: 'digest',
+    });
+    trigger.init();
+
+    await trigger.handleContainerReportDigest({
+      container: {
+        id: 'c1',
+        name: 'app',
+        watcher: 'test',
+        updateAvailable: true,
+        updateKind: { kind: 'tag', localValue: '1.0', remoteValue: '2.0' },
+      },
+      changed: true,
+    });
+
+    const triggerBatchSpy = vi
+      .spyOn(trigger, 'triggerBatch')
+      .mockRejectedValue(new Error('SMTP down'));
+    await trigger.flushDigestBuffer();
+    expect(triggerBatchSpy).toHaveBeenCalled();
+    triggerBatchSpy.mockRestore();
+  });
+
+  test('digest cron callback should invoke flushDigestBuffer', async () => {
+    await trigger.register('trigger', 'test', 'digest-trigger', {
+      ...configurationValid,
+      mode: 'digest',
+      digestcron: '0 9 * * *',
+    });
+    trigger.init();
+
+    // Get the cron callback that was registered
+    const cronCallback = mockCron.schedule.mock.calls[0]?.[1];
+    expect(cronCallback).toBeDefined();
+
+    // Buffer a container and spy on flushDigestBuffer
+    await trigger.handleContainerReportDigest({
+      container: {
+        id: 'c1',
+        name: 'app',
+        watcher: 'test',
+        updateAvailable: true,
+        updateKind: { kind: 'tag', localValue: '1.0', remoteValue: '2.0' },
+      },
+      changed: true,
+    });
+
+    const flushSpy = vi.spyOn(trigger, 'flushDigestBuffer').mockResolvedValue(undefined);
+    cronCallback();
+    expect(flushSpy).toHaveBeenCalled();
+    flushSpy.mockRestore();
+  });
+
+  test('digest mode report listener callback should forward report to digest handler', async () => {
+    await trigger.register('trigger', 'test', 'digest-trigger', {
+      ...configurationValid,
+      mode: 'digest',
+    });
+    trigger.init();
+
+    const reportCallback = vi.mocked(event.registerContainerReport).mock.calls[0]?.[0];
+    expect(reportCallback).toBeDefined();
+
+    const digestHandlerSpy = vi
+      .spyOn(trigger, 'handleContainerReportDigest')
+      .mockResolvedValue(undefined);
+    const report = {
+      container: {
+        id: 'c42',
+        name: 'api',
+        watcher: 'test',
+        updateAvailable: true,
+        updateKind: { kind: 'tag', localValue: '1.0', remoteValue: '2.0' },
+      },
+      changed: true,
+    };
+
+    await reportCallback?.(report as any);
+
+    expect(digestHandlerSpy).toHaveBeenCalledWith(report);
+    digestHandlerSpy.mockRestore();
+  });
+
+  test('init should fall back to default digest cron when digestcron is missing at runtime', async () => {
+    trigger.configuration = {
+      ...configurationValid,
+      auto: 'all',
+      mode: 'digest',
+      digestcron: undefined as unknown as string,
+    };
+    await trigger.init();
+
+    expect(mockCron.schedule).toHaveBeenCalledWith('0 8 * * *', expect.any(Function));
+  });
+});
diff --git a/app/triggers/providers/Trigger.ts b/app/triggers/providers/Trigger.ts
index 368af35aa..515fc14bf 100644
--- a/app/triggers/providers/Trigger.ts
+++ b/app/triggers/providers/Trigger.ts
@@ -1,5 +1,10 @@
+import cron, { type ScheduledTask } from 'node-cron';
+import { usesLegacyTriggerPrefix } from '../../configuration/index.js';
 import * as event from '../../event/index.js';
 import { type Container, fullName } from '../../model/container.js';
+
+const RECREATED_ALIAS_RE = /^[a-f0-9]{12}_(.+)$/i;
+
 import { getTriggerCounter } from '../../prometheus/trigger.js';
 import Component, { type ComponentConfiguration } from '../../registry/Component.js';
 import * as storeContainer from '../../store/container.js';
@@ -11,7 +16,10 @@ import {
   SUPPORTED_THRESHOLDS,
 } from './trigger-threshold.js';
 
+const OLD_ROLLBACK_CONTAINER_NAME_PATTERN = /-old-\d{10,}$/;
+
 type SupportedThreshold = (typeof SUPPORTED_THRESHOLDS)[number];
+type TriggerAutoMode = 'all' | 'oninclude' | 'none';
 type NotificationRuleId =
   | 'update-available'
   | 'update-applied'
@@ -44,12 +52,31 @@ interface AgentDisconnectedPayload {
   reason?: string;
 }
 
+interface TriggerNotificationEvent {
+  kind: 'agent-disconnect';
+  agentName: string;
+  reason?: string;
+}
+
 interface EventDispatchOptions extends notificationStore.NotificationRuleDispatchOptions {
   skipThreshold?: boolean;
 }
 
 const AUTO_TRIGGER_ERROR_SUPPRESSION_WINDOW_MS = 15_000;
 const AUTO_TRIGGER_ERROR_SUPPRESSION_RETENTION_MS = AUTO_TRIGGER_ERROR_SUPPRESSION_WINDOW_MS * 4;
+const AUTO_EVENT_BATCH_FLUSH_DELAY_MS = 250;
+const TRIGGER_RELEASE_NOTES_BODY_MAX_LENGTH = 500;
+const ACTION_TRIGGER_TYPES = new Set(['command', 'docker', 'dockercompose']);
+const AGENT_DISCONNECT_SIMPLE_TITLE_TEMPLATE = 'Agent ${event.agentName} disconnected';
+const AGENT_DISCONNECT_SIMPLE_BODY_TEMPLATE =
+  'Agent ${event.agentName} disconnected${event.reason ? ": " + event.reason : ""}';
+
+function truncateReleaseNotesBody(body: string, maxLength: number) {
+  if (body.length <= maxLength) {
+    return body;
+  }
+  return body.slice(0, maxLength);
+}
 
 function buildAgentDisconnectedContainer(agentName: string, reason?: string): Container {
   return {
@@ -78,16 +105,42 @@ function buildAgentDisconnectedContainer(agentName: string, reason?: string): Co
     },
     updateAvailable: false,
     updateKind: {
-      kind: 'tag',
-      localValue: reason || 'disconnected',
-      remoteValue: reason || 'disconnected',
-      semverDiff: 'patch',
+      kind: 'unknown',
+      semverDiff: 'unknown',
     },
     error: reason
       ? {
           message: reason,
         }
       : undefined,
+    notificationEvent: {
+      kind: 'agent-disconnect',
+      agentName,
+      reason,
+    },
+  } as Container;
+}
+
+function getNotificationEvent(container: Container): TriggerNotificationEvent | undefined {
+  const notificationEvent = Reflect.get(new Object(container), 'notificationEvent');
+  if (!notificationEvent || typeof notificationEvent !== 'object') {
+    return undefined;
+  }
+
+  if (Reflect.get(new Object(notificationEvent), 'kind') !== 'agent-disconnect') {
+    return undefined;
+  }
+
+  const agentName = Reflect.get(new Object(notificationEvent), 'agentName');
+  const reason = Reflect.get(new Object(notificationEvent), 'reason');
+  if (typeof agentName !== 'string' || agentName.length === 0) {
+    return undefined;
+  }
+
+  return {
+    kind: 'agent-disconnect',
+    agentName,
+    reason: typeof reason === 'string' && reason.length > 0 ? reason : undefined,
   };
 }
 
@@ -96,7 +149,7 @@ function isSupportedThreshold(value: string): value is SupportedThreshold {
 }
 
 export interface TriggerConfiguration extends ComponentConfiguration {
-  auto?: boolean;
+  auto?: boolean | TriggerAutoMode;
   order?: number;
   threshold?: string;
   mode?: string;
@@ -105,6 +158,7 @@ export interface TriggerConfiguration extends ComponentConfiguration {
   simpletitle?: string;
   simplebody?: string;
   batchtitle?: string;
+  digestcron?: string;
   resolvenotifications?: boolean;
 }
 
@@ -113,6 +167,11 @@ interface ContainerReport {
   changed: boolean;
 }
 
+interface EventBatchDispatchState {
+  containers: Map<string, Container>;
+  timer?: ReturnType<typeof setTimeout>;
+}
+
 function splitAndTrimCommaSeparatedList(value: string): string[] {
   return value
     .split(',')
@@ -135,6 +194,10 @@ class Trigger extends Component {
   private unregisterContainerUpdateAppliedForResolution?: () => void;
   private readonly notificationResults: Map<string, unknown> = new Map();
   private readonly autoTriggerErrorSeenAt: Map<string, number> = new Map();
+  private readonly digestBuffer: Map<string, Container> = new Map();
+  private readonly eventBatchDispatches: Map<NotificationRuleId, EventBatchDispatchState> =
+    new Map();
+  private digestCronTask?: ScheduledTask;
 
   static getSupportedThresholds() {
     return [...SUPPORTED_THRESHOLDS];
@@ -144,10 +207,31 @@ class Trigger extends Component {
     return parseThresholdWithDigestBehaviorHelper(threshold);
   }
 
+  private static normalizeAutoMode(auto: TriggerConfiguration['auto']): TriggerAutoMode {
+    if (auto === false) {
+      return 'none';
+    }
+    if (auto === true || auto === undefined) {
+      return 'all';
+    }
+    return auto.toLowerCase() as TriggerAutoMode;
+  }
+
+  private getCategory() {
+    return ACTION_TRIGGER_TYPES.has(this.type.toLowerCase()) ? 'action' : 'notification';
+  }
+
+  private getAutoMode() {
+    return Trigger.normalizeAutoMode(this.configuration.auto);
+  }
+
   private static getErrorMessage(error: unknown): string {
     if (error instanceof Error) {
       return error.message;
     }
+    if (typeof error === 'symbol') {
+      return String(error);
+    }
     return `${error}`;
   }
 
@@ -277,6 +361,69 @@ class Trigger extends Component {
     );
   }
 
+  private getOrCreateEventBatchDispatch(ruleId: NotificationRuleId): EventBatchDispatchState {
+    const existing = this.eventBatchDispatches.get(ruleId);
+    if (existing) {
+      return existing;
+    }
+
+    const created: EventBatchDispatchState = {
+      containers: new Map(),
+    };
+    this.eventBatchDispatches.set(ruleId, created);
+    return created;
+  }
+
+  private buildEventBatchDispatchKey(container: Container): string {
+    return container.id || fullName(container);
+  }
+
+  private async flushEventBatchDispatch(ruleId: NotificationRuleId, containers: Container[]) {
+    if (containers.length === 0) {
+      return;
+    }
+
+    try {
+      await this.triggerBatch(containers);
+    } catch (e: unknown) {
+      const errorMessage = Trigger.getErrorMessage(e);
+      const firstContainer = containers[0];
+      if (this.shouldSuppressAutoTriggerError(ruleId, firstContainer, errorMessage)) {
+        this.log.debug(`Suppressed repeated error handling ${ruleId} event (${errorMessage})`);
+      } else {
+        this.log.warn(`Error handling ${ruleId} event (${errorMessage})`);
+      }
+      this.log.debug(e);
+    }
+  }
+
+  private queueEventBatchDispatch(ruleId: NotificationRuleId, container: Container) {
+    const eventBatchDispatch = this.getOrCreateEventBatchDispatch(ruleId);
+    eventBatchDispatch.containers.set(this.buildEventBatchDispatchKey(container), container);
+
+    if (eventBatchDispatch.timer) {
+      clearTimeout(eventBatchDispatch.timer);
+    }
+
+    eventBatchDispatch.timer = setTimeout(() => {
+      const containers = Array.from(eventBatchDispatch.containers.values());
+      eventBatchDispatch.containers.clear();
+      eventBatchDispatch.timer = undefined;
+      void this.flushEventBatchDispatch(ruleId, containers);
+    }, AUTO_EVENT_BATCH_FLUSH_DELAY_MS);
+  }
+
+  private clearEventBatchDispatches() {
+    for (const eventBatchDispatch of this.eventBatchDispatches.values()) {
+      if (eventBatchDispatch.timer) {
+        clearTimeout(eventBatchDispatch.timer);
+      }
+      eventBatchDispatch.containers.clear();
+      eventBatchDispatch.timer = undefined;
+    }
+    this.eventBatchDispatches.clear();
+  }
+
   private async dispatchContainerForEvent(
     ruleId: NotificationRuleId,
     container: Container | undefined,
@@ -303,8 +450,11 @@ class Trigger extends Component {
     }
 
     try {
-      if (this.configuration.mode?.toLowerCase() === 'batch') {
-        await this.triggerBatch([container]);
+      const shouldUseBatchMode =
+        this.configuration.mode?.toLowerCase() === 'batch' &&
+        getNotificationEvent(container)?.kind !== 'agent-disconnect';
+      if (shouldUseBatchMode) {
+        this.queueEventBatchDispatch(ruleId, container);
       } else {
         await this.trigger(container);
       }
@@ -320,6 +470,12 @@ class Trigger extends Component {
   }
 
   async handleContainerUpdateAppliedEvent(containerName: string) {
+    // Evict from digest buffer — container is already updated, no need to notify.
+    // containerName is the full business ID (watcher_name), matching the buffer key.
+    if (this.digestBuffer.delete(containerName)) {
+      this.log.debug(`Evicted ${containerName} from digest buffer (update applied)`);
+    }
+
     await this.dispatchContainerForEvent(
       'update-applied',
       this.findContainerByBusinessId(containerName),
@@ -442,6 +598,9 @@ class Trigger extends Component {
       return;
     }
 
+    // Strip Docker recreate alias prefixes before any trigger processing
+    Trigger.canonicalizeReportName(containerReport);
+
     // Filter on changed containers with update available and passing trigger threshold
     if (!this.shouldHandleSimpleContainerReport(containerReport)) {
       return;
@@ -470,6 +629,11 @@ class Trigger extends Component {
       return;
     }
 
+    // Strip Docker recreate alias prefixes before any trigger processing
+    for (const report of containerReports) {
+      Trigger.canonicalizeReportName(report);
+    }
+
     // Filter on containers with update available and passing trigger threshold
     try {
       const containerReportsFiltered = containerReports
@@ -500,6 +664,62 @@ class Trigger extends Component {
     }
   }
 
+  /**
+   * Buffer a container for digest mode. Keyed by full name so the latest
+   * update for each container wins if multiple scans fire before the digest
+   * cron flushes.
+   */
+  private bufferContainerForDigest(container: Container) {
+    this.digestBuffer.set(fullName(container), container);
+    this.log.debug(
+      `Buffered ${fullName(container)} for digest (${this.digestBuffer.size} buffered)`,
+    );
+  }
+
+  /**
+   * Handle container report (digest mode — single container from simple event).
+   */
+  async handleContainerReportDigest(containerReport: ContainerReport) {
+    if (!this.isUpdateAvailableAutoTriggerEnabled()) {
+      return;
+    }
+    if (!this.shouldHandleSimpleContainerReport(containerReport)) {
+      return;
+    }
+    const { container } = containerReport;
+    if (!Trigger.isThresholdReached(container, this.getSimpleModeThreshold())) {
+      return;
+    }
+    if (!this.mustTrigger(container)) {
+      return;
+    }
+    this.bufferContainerForDigest(container);
+  }
+
+  /**
+   * Flush the digest buffer: send a single batch notification with all
+   * accumulated containers, then clear the buffer.
+   */
+  async flushDigestBuffer() {
+    if (this.digestBuffer.size === 0) {
+      this.log.debug('Digest cron fired — buffer empty, nothing to send');
+      return;
+    }
+    const containers = Array.from(this.digestBuffer.values());
+    this.digestBuffer.clear();
+    this.log.info(`Digest flush: sending ${containers.length} update(s)`);
+    let status: 'success' | 'error' = 'error';
+    try {
+      await this.triggerBatch(containers);
+      status = 'success';
+    } catch (e: unknown) {
+      this.log.warn(`Digest flush failed (${Trigger.getErrorMessage(e)})`);
+      this.log.debug(e);
+    } finally {
+      this.incrementTriggerCounter(status);
+    }
+  }
+
   isTriggerIncludedOrExcluded(containerResult: Container, trigger: string) {
     const triggerId = this.getId().toLowerCase();
     const triggers = splitAndTrimCommaSeparatedList(trigger).map((triggerToMatch) =>
@@ -516,7 +736,7 @@ class Trigger extends Component {
 
   isTriggerIncluded(containerResult: Container, triggerInclude: string | undefined) {
     if (!triggerInclude) {
-      return true;
+      return this.getAutoMode() !== 'oninclude';
     }
     return this.isTriggerIncludedOrExcluded(containerResult, triggerInclude);
   }
@@ -533,7 +753,31 @@ class Trigger extends Component {
    * @param containerResult
    * @returns {boolean}
    */
+  /**
+   * Strip Docker recreate alias prefix from a container report's name.
+   * Belt-and-suspenders guard — the watcher should have already canonicalized,
+   * but this catches any remaining leaks regardless of environment quirks.
+   */
+  static canonicalizeReportName(report: ContainerReport): void {
+    const name = report.container?.name;
+    if (typeof name !== 'string') return;
+    const match = name.match(RECREATED_ALIAS_RE);
+    if (match) {
+      report.container.name = match[1];
+    }
+  }
+
+  static isRollbackContainer(container: { name?: unknown }): boolean {
+    return (
+      typeof container?.name === 'string' &&
+      OLD_ROLLBACK_CONTAINER_NAME_PATTERN.test(container.name)
+    );
+  }
+
   mustTrigger(containerResult: Container) {
+    if (Trigger.isRollbackContainer(containerResult)) {
+      return false;
+    }
     if (this.agent && this.agent !== containerResult.agent) {
       return false;
     }
@@ -552,8 +796,13 @@ class Trigger extends Component {
    */
   async init() {
     await this.initTrigger();
-    if (this.configuration.auto) {
-      this.log.info(`Registering for auto execution`);
+    if (this.getAutoMode() !== 'none') {
+      const autoMode = this.getAutoMode();
+      this.log.info(
+        autoMode === 'oninclude'
+          ? 'Registering for auto execution (only containers with explicit include labels)'
+          : 'Registering for auto execution (all watched containers)',
+      );
       if (this.configuration.mode?.toLowerCase() === 'simple') {
         this.unregisterContainerReport = event.registerContainerReport(
           async (containerReport) => this.handleContainerReport(containerReport),
@@ -572,6 +821,20 @@ class Trigger extends Component {
           },
         );
       }
+      if (this.configuration.mode?.toLowerCase() === 'digest') {
+        this.unregisterContainerReport = event.registerContainerReport(
+          async (containerReport) => this.handleContainerReportDigest(containerReport),
+          {
+            id: this.getId(),
+            order: this.configuration.order,
+          },
+        );
+        const digestCronExpression = this.configuration.digestcron ?? '0 8 * * *';
+        this.digestCronTask = cron.schedule(digestCronExpression, () => {
+          void this.flushDigestBuffer();
+        });
+        this.log.info(`Digest scheduled (${digestCronExpression})`);
+      }
 
       this.unregisterContainerUpdateAppliedForAutoDispatch = event.registerContainerUpdateApplied(
         async (containerName) => this.handleContainerUpdateAppliedEvent(containerName),
@@ -634,6 +897,11 @@ class Trigger extends Component {
     this.unregisterContainerUpdateAppliedForResolution?.();
     this.unregisterContainerUpdateAppliedForResolution = undefined;
 
+    this.digestCronTask?.stop();
+    this.digestCronTask = undefined;
+    this.digestBuffer.clear();
+    this.clearEventBatchDispatches();
+
     this.autoTriggerErrorSeenAt.clear();
   }
 
@@ -643,17 +911,30 @@ class Trigger extends Component {
    * @returns {*}
    */
   validateConfiguration(configuration: TriggerConfiguration): TriggerConfiguration {
-    const schema = this.getConfigurationSchema();
+    const schema = this.getConfigurationSchema() as ReturnType<typeof this.joi.object>;
     const schemaWithDefaultOptions = schema.append({
-      auto: this.joi.bool().default(true),
+      auto: this.joi
+        .alternatives()
+        .try(this.joi.bool(), this.joi.string().insensitive().valid('all', 'oninclude', 'none'))
+        .default(this.getCategory() === 'action' ? 'oninclude' : true),
       order: this.joi.number().default(100),
       threshold: this.joi
         .string()
         .insensitive()
         .valid(...Trigger.getSupportedThresholds())
         .default('all'),
-      mode: this.joi.string().insensitive().valid('simple', 'batch').default('simple'),
+      mode: this.joi.string().insensitive().valid('simple', 'batch', 'digest').default('simple'),
       once: this.joi.boolean().default(true),
+      digestcron: this.joi
+        .string()
+        .default('0 8 * * *')
+        .custom((value, helpers) => {
+          if (!cron.validate(value)) {
+            return helpers.error('string.pattern.base', { value });
+          }
+          return value;
+        })
+        .messages({ 'string.pattern.base': 'digestcron must be a valid cron expression' }),
       simpletitle: this.joi
         .string()
         .default('New ${container.updateKind.kind} found for container ${container.name}'),
@@ -669,7 +950,9 @@ class Trigger extends Component {
     if (schemaValidated.error) {
       throw schemaValidated.error;
     }
-    return schemaValidated.value;
+    const normalizedConfiguration = schemaValidated.value as TriggerConfiguration;
+    normalizedConfiguration.auto = Trigger.normalizeAutoMode(normalizedConfiguration.auto);
+    return normalizedConfiguration;
   }
 
   /**
@@ -684,15 +967,13 @@ class Trigger extends Component {
    * Preview what an update would do without performing it.
    * Can be overridden in trigger implementation class.
    */
-  // eslint-disable-next-line @typescript-eslint/no-unused-vars
-  async preview(container: Container): Promise<Record<string, unknown>> {
+  async preview(_container: Container): Promise<Record<string, unknown>> {
     return {};
   }
 
   /**
    * Trigger method. Must be overridden in trigger implementation class.
    */
-  // eslint-disable-next-line @typescript-eslint/no-unused-vars
   async trigger(containerWithResult: Container): Promise<unknown> {
     // do nothing by default
     this.log.warn('Cannot trigger container result; this trigger does not implement "simple" mode');
@@ -710,6 +991,13 @@ class Trigger extends Component {
     return containersWithResult;
   }
 
+  getMetadata(): Record<string, unknown> {
+    return {
+      category: this.getCategory(),
+      usesLegacyPrefix: usesLegacyTriggerPrefix(this.type, this.name),
+    };
+  }
+
   /**
    * Handle container update applied event.
    * Dismiss the stored notification for the updated container.
@@ -739,8 +1027,7 @@ class Trigger extends Component {
    * @param containerId the container identifier
    * @param triggerResult the result returned by trigger() when the notification was sent
    */
-  // eslint-disable-next-line @typescript-eslint/no-unused-vars
-  async dismiss(containerId: string, triggerResult: unknown): Promise<void> {
+  async dismiss(_containerId: string, _triggerResult: unknown): Promise<void> {
     // do nothing by default
   }
 
@@ -794,13 +1081,39 @@ class Trigger extends Component {
     return masked;
   }
 
+  /**
+   * Build the container template context used by trigger body/title rendering.
+   * Release notes bodies are shortened for notifications to avoid excessively long payloads.
+   */
+  private getTemplateContainer(container: Container): Container {
+    const releaseNotes = container.result?.releaseNotes;
+    if (!releaseNotes || typeof releaseNotes.body !== 'string') {
+      return container;
+    }
+
+    return {
+      ...container,
+      result: {
+        ...container.result,
+        releaseNotes: {
+          ...releaseNotes,
+          body: truncateReleaseNotesBody(releaseNotes.body, TRIGGER_RELEASE_NOTES_BODY_MAX_LENGTH),
+        },
+      },
+    };
+  }
+
   /**
    * Render trigger title simple.
    * @param container
    * @returns {*}
    */
   renderSimpleTitle(container: Container) {
-    return renderSimple(this.configuration.simpletitle ?? '', container);
+    const template =
+      getNotificationEvent(container)?.kind === 'agent-disconnect'
+        ? AGENT_DISCONNECT_SIMPLE_TITLE_TEMPLATE
+        : (this.configuration.simpletitle ?? '');
+    return renderSimple(template, this.getTemplateContainer(container));
   }
 
   /**
@@ -809,7 +1122,11 @@ class Trigger extends Component {
    * @returns {*}
    */
   renderSimpleBody(container: Container) {
-    return renderSimple(this.configuration.simplebody ?? '', container);
+    const template =
+      getNotificationEvent(container)?.kind === 'agent-disconnect'
+        ? AGENT_DISCONNECT_SIMPLE_BODY_TEMPLATE
+        : (this.configuration.simplebody ?? '');
+    return renderSimple(template, this.getTemplateContainer(container));
   }
 
   /**
diff --git a/app/triggers/providers/apprise/Apprise.test.ts b/app/triggers/providers/apprise/Apprise.test.ts
index 01fc9fa99..ddac9039c 100644
--- a/app/triggers/providers/apprise/Apprise.test.ts
+++ b/app/triggers/providers/apprise/Apprise.test.ts
@@ -11,7 +11,7 @@ const configurationValid = {
   url: 'http://xxx.com',
   urls: 'maito://user:pass@gmail.com',
   threshold: 'all',
-  auto: true,
+  auto: 'all',
   order: 100,
   once: true,
   mode: 'simple',
@@ -23,6 +23,7 @@ const configurationValid = {
 
   batchtitle: '${containers.length} updates available',
   resolvenotifications: false,
+  digestcron: '0 8 * * *',
 };
 
 beforeEach(async () => {
diff --git a/app/triggers/providers/command/Command.test.ts b/app/triggers/providers/command/Command.test.ts
index 088f329c3..70be80d34 100644
--- a/app/triggers/providers/command/Command.test.ts
+++ b/app/triggers/providers/command/Command.test.ts
@@ -47,13 +47,14 @@ const configurationValid = {
   threshold: 'all',
   mode: 'simple',
   once: true,
-  auto: true,
+  auto: 'all',
   order: 100,
   simpletitle: 'New ${container.updateKind.kind} found for container ${container.name}',
   simplebody:
     'Container ${container.name} running with ${container.updateKind.kind} ${container.updateKind.localValue} can be updated to ${container.updateKind.kind} ${container.updateKind.remoteValue}${container.result && container.result.link ? "\\n" + container.result.link : ""}',
   batchtitle: '${containers.length} updates available',
   resolvenotifications: false,
+  digestcron: '0 8 * * *',
 };
 
 beforeEach(async () => {
diff --git a/app/triggers/providers/docker/ContainerRuntimeConfigManager.ts b/app/triggers/providers/docker/ContainerRuntimeConfigManager.ts
index 6c2232efd..d27990e65 100644
--- a/app/triggers/providers/docker/ContainerRuntimeConfigManager.ts
+++ b/app/triggers/providers/docker/ContainerRuntimeConfigManager.ts
@@ -38,7 +38,7 @@ type ClonedRuntimeFieldEvaluationContext = Pick<
   'sourceImageConfig' | 'targetImageConfig' | 'runtimeFieldOrigins' | 'logContainer'
 >;
 
-export type RuntimeConfigManagerDependencies = {
+type RuntimeConfigManagerDependencies = {
   getPreferredLabelValue: (
     labels: Record<string, string> | undefined,
     ddKey: string,
diff --git a/app/triggers/providers/docker/ContainerUpdateExecutor.test.ts b/app/triggers/providers/docker/ContainerUpdateExecutor.test.ts
index 742e5b2d3..d87469132 100644
--- a/app/triggers/providers/docker/ContainerUpdateExecutor.test.ts
+++ b/app/triggers/providers/docker/ContainerUpdateExecutor.test.ts
@@ -552,6 +552,26 @@ describe('ContainerUpdateExecutor', () => {
     );
   });
 
+  test('execute stringifies object errors when message field is undefined', async () => {
+    const context = createContext();
+    const createContainerError = { message: undefined, detail: 'create failed' };
+    const executor = createExecutor({
+      createContainer: vi.fn().mockRejectedValue(createContainerError),
+      buildRuntimeConfigCompatibilityError: vi.fn(() => undefined),
+    });
+
+    await expect(executor.execute(context, createContainer(), createLog())).rejects.toBe(
+      createContainerError,
+    );
+
+    expect(mockUpdateOperation).toHaveBeenCalledWith(
+      'op-1',
+      expect.objectContaining({
+        lastError: '[object Object]',
+      }),
+    );
+  });
+
   test('execute logs best-effort rollback cleanup failures for failed candidate container', async () => {
     const context = createContext({
       currentContainerSpec: createCurrentContainerSpec({
diff --git a/app/triggers/providers/docker/ContainerUpdateExecutor.ts b/app/triggers/providers/docker/ContainerUpdateExecutor.ts
index 9032caf8d..9e3cd0400 100644
--- a/app/triggers/providers/docker/ContainerUpdateExecutor.ts
+++ b/app/triggers/providers/docker/ContainerUpdateExecutor.ts
@@ -101,7 +101,7 @@ type PendingContainerUpdateOperation = NonNullable<
   ReturnType<typeof updateOperationStore.getInProgressOperationByContainerName>
 >;
 
-export type ContainerUpdateExecutorDependencies = {
+type ContainerUpdateExecutorDependencies = {
   getConfiguration: () => { dryrun?: boolean; [key: string]: unknown };
   getTriggerId: () => string;
   stopContainer: (
@@ -191,8 +191,23 @@ const REQUIRED_CONTAINER_UPDATE_EXECUTOR_DEPENDENCY_KEYS = [
   'waitForContainerHealthy',
 ] as const;
 
+type ErrorWithMessage = {
+  message?: unknown;
+};
+
+function hasMessage(error: unknown): error is ErrorWithMessage {
+  return (
+    (typeof error === 'object' || typeof error === 'function') &&
+    error !== null &&
+    'message' in error
+  );
+}
+
 function getErrorMessage(error: unknown): string {
-  return String((error as Error)?.message ?? error);
+  if (hasMessage(error)) {
+    return String(error.message ?? error);
+  }
+  return String(error);
 }
 
 class ContainerUpdateExecutor {
diff --git a/app/triggers/providers/docker/Docker.configuration-container-ops.test.ts b/app/triggers/providers/docker/Docker.configuration-container-ops.test.ts
new file mode 100644
index 000000000..0213d90c6
--- /dev/null
+++ b/app/triggers/providers/docker/Docker.configuration-container-ops.test.ts
@@ -0,0 +1,610 @@
+import joi from 'joi';
+import log from '../../../log/index.js';
+import {
+  configurationValid,
+  createMockLog,
+  docker,
+  getDockerTestMocks,
+  registerCommonDockerBeforeEach,
+} from './Docker.test.helpers.js';
+
+const { mockGetState } = getDockerTestMocks();
+
+registerCommonDockerBeforeEach();
+
+// --- Configuration validation ---
+
+test('validateConfiguration should return validated configuration when valid', async () => {
+  const validatedConfiguration = docker.validateConfiguration(configurationValid);
+  expect(validatedConfiguration).toStrictEqual(configurationValid);
+});
+
+test('validateConfiguration should throw error when invalid', async () => {
+  const configuration = {
+    url: 'git://xxx.com',
+  };
+  expect(() => {
+    docker.validateConfiguration(configuration);
+  }).toThrowError(joi.ValidationError);
+});
+
+// --- getWatcher ---
+
+test('getWatcher should return watcher responsible for a container', async () => {
+  expect(
+    docker
+      .getWatcher({
+        watcher: 'test',
+      })
+      .getId(),
+  ).toEqual('docker.test');
+});
+
+test('getWatcher should throw when the watcher reference does not exist', async () => {
+  expect(() =>
+    docker.getWatcher({
+      id: 'missing-id',
+      watcher: 'missing',
+    }),
+  ).toThrowError('No watcher found for container');
+});
+
+test('getWatcher should resolve agent-prefixed watcher ids', async () => {
+  mockGetState.mockReturnValue({
+    watcher: {
+      'edge-agent.docker.test': {
+        getId: () => 'edge-agent.docker.test',
+        dockerApi: {},
+      },
+    },
+  });
+
+  expect(
+    docker.getWatcher({
+      agent: 'edge-agent',
+      watcher: 'test',
+    }),
+  ).toMatchObject({
+    getId: expect.any(Function),
+  });
+  expect(docker.getWatcher({ agent: 'edge-agent', watcher: 'test' }).getId()).toBe(
+    'edge-agent.docker.test',
+  );
+  expect(mockGetState).toHaveBeenCalled();
+});
+
+test('getWatcher should include container name when id is missing', async () => {
+  mockGetState.mockReturnValue({ watcher: {} });
+
+  expect(() =>
+    docker.getWatcher({
+      name: 'named-only',
+      watcher: 'missing',
+    }),
+  ).toThrowError('No watcher found for container named-only (docker.missing)');
+});
+
+test('getWatcher should fall back to unknown when id and name are absent', async () => {
+  mockGetState.mockReturnValue({ watcher: {} });
+
+  expect(() => docker.getWatcher({ watcher: 'missing' })).toThrowError(
+    'No watcher found for container unknown (docker.missing)',
+  );
+});
+
+// --- getCurrentContainer ---
+
+test('getCurrentContainer should return container from dockerApi', async () => {
+  await expect(
+    docker.getCurrentContainer(docker.getWatcher({ watcher: 'test' }).dockerApi, {
+      id: '123456789',
+    }),
+  ).resolves.not.toBeUndefined();
+});
+
+test('getCurrentContainer should throw error when error occurs', async () => {
+  await expect(
+    docker.getCurrentContainer(docker.getWatcher({ watcher: 'test' }).dockerApi, { id: 'unknown' }),
+  ).rejects.toThrowError('Error when getting container');
+});
+
+// --- inspectContainer ---
+
+test('inspectContainer should return container details from dockerApi', async () => {
+  await expect(
+    docker.inspectContainer({ inspect: () => Promise.resolve({}) }, log),
+  ).resolves.toEqual({});
+});
+
+test('inspectContainer should throw error when error occurs', async () => {
+  await expect(
+    docker.inspectContainer({ inspect: () => Promise.reject(new Error('No container')) }, log),
+  ).rejects.toThrowError('No container');
+});
+
+// --- Container operations: stop, remove, wait, start (parametric) ---
+
+describe.each([
+  {
+    method: 'stopContainer',
+    action: 'stop',
+    args: (stub) => [stub, 'name', 'id', log],
+  },
+  {
+    method: 'removeContainer',
+    action: 'remove',
+    args: (stub) => [stub, 'name', 'id', log],
+  },
+  {
+    method: 'waitContainerRemoved',
+    action: 'wait',
+    args: (stub) => [stub, 'name', 'id', log],
+  },
+  {
+    method: 'startContainer',
+    action: 'start',
+    args: (stub) => [stub, 'name', log],
+  },
+])('$method', ({ method, action, args }) => {
+  test('should resolve when successful', async () => {
+    const stub = { [action]: () => Promise.resolve() };
+    await expect(docker[method](...args(stub))).resolves.toBeUndefined();
+  });
+
+  test('should throw error when error occurs', async () => {
+    const stub = { [action]: () => Promise.reject(new Error('No container')) };
+    await expect(docker[method](...args(stub))).rejects.toThrowError('No container');
+  });
+});
+
+// --- createContainer ---
+
+test('createContainer should stop container from dockerApi', async () => {
+  await expect(
+    docker.createContainer(
+      docker.getWatcher({ watcher: 'test' }).dockerApi,
+      { name: 'container-name' },
+      'name',
+      log,
+    ),
+  ).resolves.not.toBeUndefined();
+});
+
+test('createContainer should throw error when error occurs', async () => {
+  await expect(
+    docker.createContainer(
+      docker.getWatcher({ watcher: 'test' }).dockerApi,
+      { name: 'ko' },
+      'name',
+      log,
+    ),
+  ).rejects.toThrowError('Error when creating container');
+});
+
+test('createContainer should stringify non-object errors in warning logs', async () => {
+  const dockerApi = {
+    createContainer: vi.fn().mockRejectedValue(Symbol('create failed')),
+    getNetwork: vi.fn(),
+  };
+  const logContainer = createMockLog('info', 'warn');
+
+  await expect(
+    docker.createContainer(dockerApi as any, { name: 'ko' }, 'name', logContainer as any),
+  ).rejects.toBeTypeOf('symbol');
+
+  expect(logContainer.warn).toHaveBeenCalledWith(
+    'Error when creating container name (Symbol(create failed))',
+  );
+});
+
+test('createContainer should connect additional networks after create', async () => {
+  const connect = vi.fn().mockResolvedValue(undefined);
+  const getNetwork = vi.fn().mockReturnValue({ connect });
+  const createContainer = vi.fn().mockResolvedValue({
+    start: () => Promise.resolve(),
+  });
+  const logContainer = createMockLog('info', 'warn');
+
+  const containerToCreate = {
+    name: 'container-name',
+    HostConfig: {
+      NetworkMode: 'cloud_default',
+    },
+    NetworkingConfig: {
+      EndpointsConfig: {
+        cloud_default: { Aliases: ['container-name'] },
+        postgres_default: { Aliases: ['container-name'] },
+        valkey_default: { Aliases: ['container-name'] },
+      },
+    },
+  };
+
+  await docker.createContainer(
+    { createContainer, getNetwork },
+    containerToCreate,
+    'container-name',
+    logContainer,
+  );
+
+  expect(createContainer).toHaveBeenCalledWith({
+    name: 'container-name',
+    HostConfig: {
+      NetworkMode: 'cloud_default',
+    },
+    NetworkingConfig: {
+      EndpointsConfig: {
+        cloud_default: { Aliases: ['container-name'] },
+      },
+    },
+  });
+  expect(getNetwork).toHaveBeenCalledTimes(2);
+  expect(getNetwork).toHaveBeenCalledWith('postgres_default');
+  expect(getNetwork).toHaveBeenCalledWith('valkey_default');
+  expect(connect).toHaveBeenCalledTimes(2);
+  expect(connect).toHaveBeenCalledWith({
+    Container: 'container-name',
+    EndpointConfig: { Aliases: ['container-name'] },
+  });
+});
+
+// --- pullImage ---
+
+test('pull should pull image from dockerApi', async () => {
+  await expect(
+    docker.pullImage(
+      docker.getWatcher({ watcher: 'test' }).dockerApi,
+      undefined,
+      'test/test:1.2.3',
+      log,
+    ),
+  ).resolves.toBeUndefined();
+});
+
+test('pull should throw error when error occurs', async () => {
+  await expect(
+    docker.pullImage(
+      docker.getWatcher({ watcher: 'test' }).dockerApi,
+      undefined,
+      'test/test:unknown',
+      log,
+    ),
+  ).rejects.toThrowError('Error when pulling image');
+});
+
+test('pull should emit progress logs from followProgress events', async () => {
+  const dockerApi = {
+    pull: vi.fn().mockResolvedValue({}),
+    modem: {
+      followProgress: vi.fn((pullStream, done, onProgress) => {
+        onProgress({
+          id: 'layer-1',
+          status: 'Downloading',
+          progressDetail: { current: 50, total: 100 },
+        });
+        done(null, [{ id: 'layer-1', status: 'Download complete' }]);
+      }),
+    },
+  };
+  const logContainer = createMockLog('info', 'warn', 'debug');
+
+  await docker.pullImage(dockerApi, undefined, 'test/test:1.2.3', logContainer);
+
+  expect(logContainer.debug).toHaveBeenCalledWith(
+    expect.stringContaining('Pull progress for test/test:1.2.3'),
+  );
+  expect(logContainer.info).toHaveBeenCalledWith('Image test/test:1.2.3 pulled with success');
+});
+
+test('pull should throw error when followProgress reports an error', async () => {
+  const dockerApi = {
+    pull: vi.fn().mockResolvedValue({}),
+    modem: {
+      followProgress: vi.fn((pullStream, done) => {
+        done(new Error('Pull progress failed'));
+      }),
+    },
+  };
+  const logContainer = createMockLog('info', 'warn', 'debug');
+
+  await expect(
+    docker.pullImage(dockerApi, undefined, 'test/test:1.2.3', logContainer),
+  ).rejects.toThrowError('Pull progress failed');
+});
+
+// --- removeImage ---
+
+test('removeImage should pull image from dockerApi', async () => {
+  await expect(
+    docker.removeImage(docker.getWatcher({ watcher: 'test' }).dockerApi, 'test/test:1.2.3', log),
+  ).resolves.toBeUndefined();
+});
+
+test('removeImage should throw error when error occurs', async () => {
+  await expect(
+    docker.removeImage(docker.getWatcher({ watcher: 'test' }).dockerApi, 'test/test:unknown', log),
+  ).rejects.toThrowError('Error when removing image');
+});
+
+// --- cloneContainer ---
+
+test('clone should clone an existing container spec', async () => {
+  const clone = docker.cloneContainer(
+    {
+      Name: '/test',
+      Id: '123456789',
+      HostConfig: { a: 'a', b: 'b' },
+      Config: { configA: 'a', configB: 'b' },
+      NetworkSettings: {
+        Networks: {
+          test: { Aliases: ['9708fc7b44f2', 'test'] },
+        },
+      },
+    },
+    'test/test:2.0.0',
+  );
+  expect(clone).toEqual({
+    HostConfig: { a: 'a', b: 'b' },
+    Image: 'test/test:2.0.0',
+    configA: 'a',
+    configB: 'b',
+    name: 'test',
+    NetworkingConfig: {
+      EndpointsConfig: {
+        test: { Aliases: ['9708fc7b44f2', 'test'] },
+      },
+    },
+  });
+});
+
+test('clone should remove dynamic network endpoint fields and stale aliases', async () => {
+  const clone = docker.cloneContainer(
+    {
+      Name: '/test',
+      Id: '123456789abcdef',
+      HostConfig: { NetworkMode: 'cloud_default' },
+      Config: { configA: 'a' },
+      NetworkSettings: {
+        Networks: {
+          cloud_default: {
+            Aliases: ['123456789abc', 'nextcloud'],
+            NetworkID: 'network-id',
+            EndpointID: 'endpoint-id',
+            Gateway: '172.18.0.1',
+            IPAddress: '172.18.0.2',
+            DriverOpts: { test: 'value' },
+          },
+        },
+      },
+    },
+    'test/test:2.0.0',
+  );
+
+  expect(clone.NetworkingConfig.EndpointsConfig).toEqual({
+    cloud_default: {
+      Aliases: ['nextcloud'],
+      DriverOpts: { test: 'value' },
+    },
+  });
+});
+
+test('cloneContainer should remove Hostname and ExposedPorts when NetworkMode starts with container:', () => {
+  const clone = docker.cloneContainer(
+    {
+      Name: '/sidecar',
+      Id: 'abc123',
+      HostConfig: { NetworkMode: 'container:mainapp' },
+      Config: {
+        Hostname: 'sidecar-host',
+        ExposedPorts: { '80/tcp': {} },
+        configA: 'a',
+      },
+      NetworkSettings: { Networks: {} },
+    },
+    'test/test:2.0.0',
+  );
+  expect(clone.Hostname).toBeUndefined();
+  expect(clone.ExposedPorts).toBeUndefined();
+  expect(clone.HostConfig.NetworkMode).toBe('container:mainapp');
+});
+
+test('cloneContainer should handle missing NetworkSettings by using empty endpoint config', () => {
+  const clone = docker.cloneContainer(
+    {
+      Name: '/no-network',
+      Id: 'abc123',
+      HostConfig: {},
+      Config: { configA: 'a' },
+    },
+    'test/test:2.0.0',
+  );
+
+  expect(clone.NetworkingConfig).toEqual({ EndpointsConfig: {} });
+});
+
+test('cloneContainer should drop stale Entrypoint and Cmd inherited from source image defaults', () => {
+  const logContainer = createMockLog('info');
+  const clone = docker.cloneContainer(
+    {
+      Name: '/hub_nginx_120',
+      Id: 'abc123',
+      HostConfig: {},
+      Config: {
+        Entrypoint: ['/docker-entrypoint.sh'],
+        Cmd: ['nginx', '-g', 'daemon off;'],
+      },
+      NetworkSettings: { Networks: {} },
+    },
+    'nginx:1.10-alpine',
+    {
+      sourceImageConfig: {
+        Entrypoint: ['/docker-entrypoint.sh'],
+        Cmd: ['nginx', '-g', 'daemon off;'],
+      },
+      targetImageConfig: {
+        Entrypoint: null,
+        Cmd: ['nginx'],
+      },
+      runtimeFieldOrigins: {
+        Entrypoint: 'inherited',
+        Cmd: 'inherited',
+      },
+      logContainer,
+    },
+  );
+
+  expect(clone.Entrypoint).toBeUndefined();
+  expect(clone.Cmd).toBeUndefined();
+  expect(clone.Labels['dd.runtime.entrypoint.origin']).toBe('inherited');
+  expect(clone.Labels['dd.runtime.cmd.origin']).toBe('inherited');
+  expect(logContainer.info).toHaveBeenCalledWith(
+    expect.stringContaining('Dropping stale Entrypoint'),
+  );
+  expect(logContainer.info).toHaveBeenCalledWith(expect.stringContaining('Dropping stale Cmd'));
+});
+
+test('cloneContainer should preserve Cmd/Entrypoint pins when runtime origin is unknown', () => {
+  const logContainer = createMockLog('debug');
+  const clone = docker.cloneContainer(
+    {
+      Name: '/hub_nginx_pinned',
+      Id: 'abc123',
+      HostConfig: {},
+      Config: {
+        Entrypoint: ['/docker-entrypoint.sh'],
+        Cmd: ['nginx', '-g', 'daemon off;'],
+      },
+      NetworkSettings: { Networks: {} },
+    },
+    'nginx:1.10-alpine',
+    {
+      sourceImageConfig: {
+        Entrypoint: ['/docker-entrypoint.sh'],
+        Cmd: ['nginx', '-g', 'daemon off;'],
+      },
+      targetImageConfig: {
+        Entrypoint: null,
+        Cmd: ['nginx'],
+      },
+      runtimeFieldOrigins: {
+        Entrypoint: 'unknown',
+        Cmd: 'unknown',
+      },
+      logContainer,
+    },
+  );
+
+  expect(clone.Entrypoint).toEqual(['/docker-entrypoint.sh']);
+  expect(clone.Cmd).toEqual(['nginx', '-g', 'daemon off;']);
+  expect(clone.Labels['dd.runtime.entrypoint.origin']).toBe('explicit');
+  expect(clone.Labels['dd.runtime.cmd.origin']).toBe('explicit');
+  expect(logContainer.debug).toHaveBeenCalledWith(
+    expect.stringContaining('runtime origin is unknown'),
+  );
+});
+
+test('cloneContainer should preserve explicit Cmd pin while dropping inherited Entrypoint', () => {
+  const logContainer = createMockLog('info');
+  const clone = docker.cloneContainer(
+    {
+      Name: '/hub_nginx_cmd_pin',
+      Id: 'abc123',
+      HostConfig: {},
+      Config: {
+        Entrypoint: ['/docker-entrypoint.sh'],
+        Cmd: ['nginx', '-g', 'daemon off;'],
+      },
+      NetworkSettings: { Networks: {} },
+    },
+    'nginx:1.10-alpine',
+    {
+      sourceImageConfig: {
+        Entrypoint: ['/docker-entrypoint.sh'],
+        Cmd: ['nginx', '-g', 'daemon off;'],
+      },
+      targetImageConfig: {
+        Entrypoint: null,
+        Cmd: ['nginx'],
+      },
+      runtimeFieldOrigins: {
+        Entrypoint: 'inherited',
+        Cmd: 'unknown',
+      },
+      logContainer,
+    },
+  );
+
+  expect(clone.Entrypoint).toBeUndefined();
+  expect(clone.Cmd).toEqual(['nginx', '-g', 'daemon off;']);
+  expect(clone.Labels['dd.runtime.entrypoint.origin']).toBe('inherited');
+  expect(clone.Labels['dd.runtime.cmd.origin']).toBe('explicit');
+  expect(logContainer.info).toHaveBeenCalledWith(
+    expect.stringContaining('Dropping stale Entrypoint'),
+  );
+});
+
+test('cloneContainer should preserve explicit Entrypoint pin while dropping inherited Cmd', () => {
+  const logContainer = createMockLog('info');
+  const clone = docker.cloneContainer(
+    {
+      Name: '/hub_nginx_entrypoint_pin',
+      Id: 'abc123',
+      HostConfig: {},
+      Config: {
+        Entrypoint: ['/docker-entrypoint.sh'],
+        Cmd: ['nginx', '-g', 'daemon off;'],
+      },
+      NetworkSettings: { Networks: {} },
+    },
+    'nginx:1.10-alpine',
+    {
+      sourceImageConfig: {
+        Entrypoint: ['/docker-entrypoint.sh'],
+        Cmd: ['nginx', '-g', 'daemon off;'],
+      },
+      targetImageConfig: {
+        Entrypoint: null,
+        Cmd: ['nginx'],
+      },
+      runtimeFieldOrigins: {
+        Entrypoint: 'unknown',
+        Cmd: 'inherited',
+      },
+      logContainer,
+    },
+  );
+
+  expect(clone.Entrypoint).toEqual(['/docker-entrypoint.sh']);
+  expect(clone.Cmd).toBeUndefined();
+  expect(clone.Labels['dd.runtime.entrypoint.origin']).toBe('explicit');
+  expect(clone.Labels['dd.runtime.cmd.origin']).toBe('inherited');
+  expect(logContainer.info).toHaveBeenCalledWith(expect.stringContaining('Dropping stale Cmd'));
+});
+
+test('cloneContainer should preserve explicit Entrypoint/Cmd overrides', () => {
+  const clone = docker.cloneContainer(
+    {
+      Name: '/hub_nginx_custom',
+      Id: 'abc123',
+      HostConfig: {},
+      Config: {
+        Entrypoint: ['/custom-entrypoint.sh'],
+        Cmd: ['echo', 'healthy'],
+      },
+      NetworkSettings: { Networks: {} },
+    },
+    'nginx:1.10-alpine',
+    {
+      sourceImageConfig: {
+        Entrypoint: ['/docker-entrypoint.sh'],
+        Cmd: ['nginx', '-g', 'daemon off;'],
+      },
+      targetImageConfig: {
+        Entrypoint: null,
+        Cmd: ['nginx'],
+      },
+    },
+  );
+
+  expect(clone.Entrypoint).toEqual(['/custom-entrypoint.sh']);
+  expect(clone.Cmd).toEqual(['echo', 'healthy']);
+});
diff --git a/app/triggers/providers/docker/Docker.lifecycle-rollback.test.ts b/app/triggers/providers/docker/Docker.lifecycle-rollback.test.ts
new file mode 100644
index 000000000..b229858bd
--- /dev/null
+++ b/app/triggers/providers/docker/Docker.lifecycle-rollback.test.ts
@@ -0,0 +1,1199 @@
+import log from '../../../log/index.js';
+import {
+  configurationValid,
+  createMockLog,
+  createTriggerContainer,
+  docker,
+  getDockerTestMocks,
+  registerCommonDockerBeforeEach,
+  stubTriggerFlow,
+} from './Docker.test.helpers.js';
+
+registerCommonDockerBeforeEach();
+const {
+  mockAuditCounterInc,
+  mockGetInProgressOperationByContainerName,
+  mockInsertAudit,
+  mockRollbackCounterInc,
+  mockRunHook,
+  mockStartHealthMonitor,
+  mockUpdateOperation,
+} = getDockerTestMocks();
+// --- Lifecycle hooks ---
+describe('lifecycle hooks', () => {
+  beforeEach(() => {
+    docker.configuration = { ...configurationValid, dryrun: false, prune: false };
+    docker.log = log;
+    stubTriggerFlow({ running: true });
+    mockRunHook.mockReset();
+    mockAuditCounterInc.mockReset();
+  });
+
+  test('trigger should run pre-hook before pull and post-hook after recreate', async () => {
+    mockRunHook.mockResolvedValue({ exitCode: 0, stdout: 'ok', stderr: '', timedOut: false });
+
+    await docker.trigger(
+      createTriggerContainer({
+        labels: { 'dd.hook.pre': 'echo before', 'dd.hook.post': 'echo after' },
+      }),
+    );
+
+    expect(mockRunHook).toHaveBeenCalledTimes(2);
+    expect(mockRunHook).toHaveBeenCalledWith(
+      'echo before',
+      expect.objectContaining({ label: 'pre-update' }),
+    );
+    expect(mockRunHook).toHaveBeenCalledWith(
+      'echo after',
+      expect.objectContaining({ label: 'post-update' }),
+    );
+  });
+
+  test('trigger should emit hook-configured audit when hook labels are present', async () => {
+    mockRunHook.mockResolvedValue({ exitCode: 0, stdout: 'ok', stderr: '', timedOut: false });
+
+    await docker.trigger(
+      createTriggerContainer({
+        labels: { 'dd.hook.pre': 'echo before' },
+      }),
+    );
+
+    expect(mockAuditCounterInc).toHaveBeenCalledWith({ action: 'hook-configured' });
+    expect(mockInsertAudit).toHaveBeenCalledWith(
+      expect.objectContaining({
+        action: 'hook-configured',
+        status: 'info',
+        details: expect.stringContaining('pre=true'),
+      }),
+    );
+  });
+
+  test('trigger should not call hooks when no hook labels are set', async () => {
+    await docker.trigger(createTriggerContainer());
+
+    expect(mockRunHook).not.toHaveBeenCalled();
+  });
+
+  test('trigger should abort when pre-hook fails and hookPreAbort is true (default)', async () => {
+    mockRunHook.mockResolvedValue({ exitCode: 1, stdout: '', stderr: 'err', timedOut: false });
+
+    await expect(
+      docker.trigger(
+        createTriggerContainer({
+          labels: { 'dd.hook.pre': 'exit 1' },
+        }),
+      ),
+    ).rejects.toThrowError('Pre-update hook exited with code 1');
+
+    expect(mockAuditCounterInc).toHaveBeenCalledWith({ action: 'hook-pre-failed' });
+  });
+
+  test('trigger should continue when pre-hook fails and hookPreAbort is false', async () => {
+    mockRunHook.mockResolvedValue({ exitCode: 1, stdout: '', stderr: 'err', timedOut: false });
+
+    await expect(
+      docker.trigger(
+        createTriggerContainer({
+          labels: { 'dd.hook.pre': 'exit 1', 'dd.hook.pre.abort': 'false' },
+        }),
+      ),
+    ).resolves.toBeUndefined();
+
+    expect(mockAuditCounterInc).toHaveBeenCalledWith({ action: 'hook-pre-failed' });
+  });
+
+  test('trigger should abort when pre-hook times out and hookPreAbort is true', async () => {
+    mockRunHook.mockResolvedValue({ exitCode: 1, stdout: '', stderr: '', timedOut: true });
+
+    await expect(
+      docker.trigger(
+        createTriggerContainer({
+          labels: { 'dd.hook.pre': 'sleep 100', 'dd.hook.timeout': '500' },
+        }),
+      ),
+    ).rejects.toThrowError('Pre-update hook timed out after 500ms');
+  });
+
+  test('trigger should use wud.* labels as fallback', async () => {
+    mockRunHook.mockResolvedValue({ exitCode: 0, stdout: 'ok', stderr: '', timedOut: false });
+
+    await docker.trigger(
+      createTriggerContainer({
+        labels: { 'wud.hook.pre': 'echo legacy-pre', 'wud.hook.post': 'echo legacy-post' },
+      }),
+    );
+
+    expect(mockRunHook).toHaveBeenCalledWith(
+      'echo legacy-pre',
+      expect.objectContaining({ label: 'pre-update' }),
+    );
+    expect(mockRunHook).toHaveBeenCalledWith(
+      'echo legacy-post',
+      expect.objectContaining({ label: 'post-update' }),
+    );
+  });
+
+  test('trigger should not abort on post-hook failure', async () => {
+    mockRunHook
+      .mockResolvedValueOnce({ exitCode: 0, stdout: 'ok', stderr: '', timedOut: false })
+      .mockResolvedValueOnce({ exitCode: 1, stdout: '', stderr: 'post-err', timedOut: false });
+
+    await expect(
+      docker.trigger(
+        createTriggerContainer({
+          labels: { 'dd.hook.pre': 'echo before', 'dd.hook.post': 'exit 1' },
+        }),
+      ),
+    ).resolves.toBeUndefined();
+
+    expect(mockAuditCounterInc).toHaveBeenCalledWith({ action: 'hook-pre-success' });
+    expect(mockAuditCounterInc).toHaveBeenCalledWith({ action: 'hook-post-failed' });
+  });
+
+  test('trigger should emit hook-post-success audit on successful post-hook', async () => {
+    mockRunHook.mockResolvedValue({ exitCode: 0, stdout: 'done', stderr: '', timedOut: false });
+
+    await docker.trigger(
+      createTriggerContainer({
+        labels: { 'dd.hook.post': 'echo done' },
+      }),
+    );
+
+    expect(mockAuditCounterInc).toHaveBeenCalledWith({ action: 'hook-post-success' });
+  });
+
+  test('trigger should pass hook environment variables', async () => {
+    mockRunHook.mockResolvedValue({ exitCode: 0, stdout: '', stderr: '', timedOut: false });
+
+    await docker.trigger(
+      createTriggerContainer({
+        labels: { 'dd.hook.pre': 'echo $DD_CONTAINER_NAME' },
+      }),
+    );
+
+    expect(mockRunHook).toHaveBeenCalledWith(
+      'echo $DD_CONTAINER_NAME',
+      expect.objectContaining({
+        env: expect.objectContaining({
+          DD_CONTAINER_NAME: 'container-name',
+          DD_IMAGE_NAME: 'test/test',
+        }),
+      }),
+    );
+  });
+
+  test('trigger should use custom timeout from label', async () => {
+    mockRunHook.mockResolvedValue({ exitCode: 0, stdout: '', stderr: '', timedOut: false });
+
+    await docker.trigger(
+      createTriggerContainer({
+        labels: { 'dd.hook.pre': 'echo hi', 'dd.hook.timeout': '30000' },
+      }),
+    );
+
+    expect(mockRunHook).toHaveBeenCalledWith(
+      'echo hi',
+      expect.objectContaining({ timeout: 30000 }),
+    );
+  });
+});
+
+// --- Auto-rollback / health monitor integration ---
+
+describe('auto-rollback health monitor integration', () => {
+  beforeEach(() => {
+    docker.configuration = { ...configurationValid, dryrun: false, prune: false };
+    docker.log = log;
+    mockRunHook.mockReset();
+    mockStartHealthMonitor.mockReset();
+    mockStartHealthMonitor.mockReturnValue({ abort: vi.fn() });
+  });
+
+  test('trigger should start health monitor when dd.rollback.auto=true and HEALTHCHECK exists', async () => {
+    stubTriggerFlow({
+      running: true,
+      inspectOverrides: { State: { Running: true, Health: { Status: 'healthy' } } },
+    });
+
+    await docker.trigger(
+      createTriggerContainer({
+        labels: { 'dd.rollback.auto': 'true' },
+      }),
+    );
+
+    expect(mockStartHealthMonitor).toHaveBeenCalledWith(
+      expect.objectContaining({
+        containerId: '123',
+        containerName: 'container-name',
+        backupImageTag: '4.5.6',
+        window: 300000,
+        interval: 10000,
+      }),
+    );
+  });
+
+  test('trigger should NOT start health monitor when dd.rollback.auto is not set', async () => {
+    stubTriggerFlow({ running: true });
+
+    await docker.trigger(createTriggerContainer());
+
+    expect(mockStartHealthMonitor).not.toHaveBeenCalled();
+  });
+
+  test('trigger should NOT start health monitor when dd.rollback.auto=false', async () => {
+    stubTriggerFlow({ running: true });
+
+    await docker.trigger(
+      createTriggerContainer({
+        labels: { 'dd.rollback.auto': 'false' },
+      }),
+    );
+
+    expect(mockStartHealthMonitor).not.toHaveBeenCalled();
+  });
+
+  test('trigger should warn when auto-rollback enabled but no HEALTHCHECK', async () => {
+    const warnSpy = vi.fn();
+    const infoSpy = vi.fn();
+    const debugSpy = vi.fn();
+    docker.log = { child: () => ({ warn: warnSpy, info: infoSpy, debug: debugSpy }) };
+
+    stubTriggerFlow({ running: true, inspectOverrides: { State: { Running: true } } });
+
+    await docker.trigger(
+      createTriggerContainer({
+        labels: { 'dd.rollback.auto': 'true' },
+      }),
+    );
+
+    expect(warnSpy).toHaveBeenCalledWith(
+      expect.stringContaining('Auto-rollback enabled but container has no HEALTHCHECK defined'),
+    );
+    expect(mockStartHealthMonitor).not.toHaveBeenCalled();
+  });
+
+  test('trigger should use custom window and interval from labels', async () => {
+    stubTriggerFlow({
+      running: true,
+      inspectOverrides: { State: { Running: true, Health: { Status: 'healthy' } } },
+    });
+
+    await docker.trigger(
+      createTriggerContainer({
+        labels: {
+          'dd.rollback.auto': 'true',
+          'dd.rollback.window': '60000',
+          'dd.rollback.interval': '5000',
+        },
+      }),
+    );
+
+    expect(mockStartHealthMonitor).toHaveBeenCalledWith(
+      expect.objectContaining({
+        window: 60000,
+        interval: 5000,
+      }),
+    );
+  });
+
+  test('trigger should use wud.* labels as fallback for auto-rollback', async () => {
+    stubTriggerFlow({
+      running: true,
+      inspectOverrides: { State: { Running: true, Health: { Status: 'healthy' } } },
+    });
+
+    await docker.trigger(
+      createTriggerContainer({
+        labels: {
+          'wud.rollback.auto': 'true',
+          'wud.rollback.window': '120000',
+          'wud.rollback.interval': '3000',
+        },
+      }),
+    );
+
+    expect(mockStartHealthMonitor).toHaveBeenCalledWith(
+      expect.objectContaining({
+        window: 120000,
+        interval: 3000,
+      }),
+    );
+  });
+});
+
+describe('getRollbackConfig timer validation', () => {
+  beforeEach(() => {
+    docker.log = {
+      child: vi.fn().mockReturnValue({ warn: vi.fn(), info: vi.fn(), debug: vi.fn() }),
+    };
+  });
+
+  test('should return defaults when labels produce NaN', () => {
+    const result = docker.getRollbackConfig({
+      labels: {
+        'dd.rollback.auto': 'true',
+        'dd.rollback.window': 'abc',
+        'dd.rollback.interval': 'xyz',
+      },
+    });
+    expect(result.rollbackWindow).toBe(300000);
+    expect(result.rollbackInterval).toBe(10000);
+  });
+
+  test('should return defaults when labels are negative', () => {
+    const result = docker.getRollbackConfig({
+      labels: {
+        'dd.rollback.auto': 'true',
+        'dd.rollback.window': '-5000',
+        'dd.rollback.interval': '-1000',
+      },
+    });
+    expect(result.rollbackWindow).toBe(300000);
+    expect(result.rollbackInterval).toBe(10000);
+  });
+
+  test('should return defaults when labels are zero', () => {
+    const result = docker.getRollbackConfig({
+      labels: {
+        'dd.rollback.auto': 'true',
+        'dd.rollback.window': '0',
+        'dd.rollback.interval': '0',
+      },
+    });
+    expect(result.rollbackWindow).toBe(300000);
+    expect(result.rollbackInterval).toBe(10000);
+  });
+
+  test('should use valid label values when provided', () => {
+    const result = docker.getRollbackConfig({
+      labels: {
+        'dd.rollback.auto': 'true',
+        'dd.rollback.window': '60000',
+        'dd.rollback.interval': '5000',
+      },
+    });
+    expect(result.rollbackWindow).toBe(60000);
+    expect(result.rollbackInterval).toBe(5000);
+  });
+
+  test('should log warnings when falling back to defaults', () => {
+    docker.getRollbackConfig({
+      labels: {
+        'dd.rollback.auto': 'true',
+        'dd.rollback.window': 'bad',
+        'dd.rollback.interval': '-1',
+      },
+    });
+    const childLog = docker.log.child({});
+    expect(childLog.warn).toHaveBeenCalledWith(
+      expect.stringContaining('Invalid rollback window label value'),
+    );
+    expect(childLog.warn).toHaveBeenCalledWith(
+      expect.stringContaining('Invalid rollback interval label value'),
+    );
+  });
+});
+
+describe('additional docker trigger coverage', () => {
+  beforeEach(() => {
+    docker.configuration = { ...configurationValid, dryrun: false, prune: false };
+    docker.log = {
+      child: vi.fn().mockReturnValue(createMockLog('info', 'warn', 'debug')),
+    };
+  });
+
+  test('preview should return details when current container exists', async () => {
+    const container = createTriggerContainer();
+    vi.spyOn(docker, 'getCurrentContainer').mockResolvedValue({ id: container.id });
+    vi.spyOn(docker, 'inspectContainer').mockResolvedValue({
+      State: { Running: true },
+      NetworkSettings: { Networks: { bridge: {}, appnet: {} } },
+    });
+
+    const preview = await docker.preview(container);
+
+    expect(preview).toMatchObject({
+      containerName: 'container-name',
+      newImage: 'my-registry/test/test:4.5.6',
+      isRunning: true,
+      networks: ['bridge', 'appnet'],
+    });
+  });
+
+  test('preview should return an explicit error when container is not found', async () => {
+    vi.spyOn(docker, 'getCurrentContainer').mockResolvedValue(undefined);
+    const preview = await docker.preview(createTriggerContainer());
+    expect(preview).toEqual({ error: 'Container not found in Docker' });
+  });
+
+  test('preview should fallback to empty network list when NetworkSettings are missing', async () => {
+    const container = createTriggerContainer();
+    vi.spyOn(docker, 'getCurrentContainer').mockResolvedValue({ id: container.id });
+    vi.spyOn(docker, 'inspectContainer').mockResolvedValue({
+      State: { Running: true },
+    });
+
+    const preview = await docker.preview(container);
+    expect(preview.networks).toEqual([]);
+  });
+
+  test('maybeNotifySelfUpdate should notify immediately for drydock image', async () => {
+    const logContainer = createMockLog('info');
+
+    await docker.maybeNotifySelfUpdate(
+      {
+        image: {
+          name: 'drydock',
+        },
+      },
+      logContainer,
+    );
+
+    expect(logContainer.info).toHaveBeenCalledWith(
+      'Self-update detected — notifying UI before proceeding',
+    );
+  });
+
+  test('maybeNotifySelfUpdate should no-op for non-drydock images', async () => {
+    const logContainer = createMockLog('info');
+
+    await expect(
+      docker.maybeNotifySelfUpdate(
+        {
+          image: {
+            name: 'nginx',
+          },
+        },
+        logContainer,
+      ),
+    ).resolves.toBeUndefined();
+
+    expect(logContainer.info).not.toHaveBeenCalled();
+  });
+
+  test('cleanupOldImages should remove digest image when prune is enabled and digest repo exists', async () => {
+    docker.configuration.prune = true;
+    const removeImageSpy = vi.spyOn(docker, 'removeImage').mockResolvedValue(undefined);
+    const registryProvider = {
+      getImageFullName: vi.fn(() => 'my-registry/test/test:sha256:old'),
+    };
+
+    await docker.cleanupOldImages(
+      {},
+      registryProvider,
+      {
+        image: {
+          registry: { name: 'hub', url: 'my-registry' },
+          name: 'test/test',
+          tag: { value: '1.0.0' },
+          digest: { repo: 'sha256:old' },
+        },
+        updateKind: {
+          kind: 'digest',
+        },
+      },
+      createMockLog('debug'),
+    );
+
+    expect(removeImageSpy).toHaveBeenCalledWith(
+      {},
+      'my-registry/test/test:sha256:old',
+      expect.any(Object),
+    );
+  });
+
+  test('cleanupOldImages should skip tag pruning when tag is retained for rollback', async () => {
+    const backupStore = await import('../../../store/backup.js');
+    docker.configuration.prune = true;
+    vi.mocked(backupStore.getBackupsByName).mockReturnValue([
+      {
+        imageTag: '1.0.0',
+      },
+    ] as any);
+    const removeImageSpy = vi.spyOn(docker, 'removeImage').mockResolvedValue(undefined);
+    const registryProvider = {
+      getImageFullName: vi.fn(() => 'my-registry/test/test:1.0.0'),
+    };
+    const logContainer = createMockLog('info');
+
+    await docker.cleanupOldImages(
+      {},
+      registryProvider,
+      {
+        name: 'container-name',
+        image: {
+          registry: { name: 'hub', url: 'my-registry' },
+          name: 'test/test',
+          tag: { value: '1.0.0' },
+          digest: {},
+        },
+        updateKind: {
+          kind: 'tag',
+        },
+      },
+      logContainer,
+    );
+
+    expect(backupStore.getBackupsByName).toHaveBeenCalledWith('container-name');
+    expect(registryProvider.getImageFullName).not.toHaveBeenCalled();
+    expect(removeImageSpy).not.toHaveBeenCalled();
+    expect(logContainer.info).toHaveBeenCalledWith(
+      expect.stringContaining('Skipping prune of 1.0.0'),
+    );
+  });
+
+  test('cleanupOldImages should warn when digest image removal fails', async () => {
+    docker.configuration.prune = true;
+    vi.spyOn(docker, 'removeImage').mockRejectedValue(new Error('remove failed'));
+    const registryProvider = {
+      getImageFullName: vi.fn(() => 'my-registry/test/test:sha256:old'),
+    };
+    const logContainer = createMockLog('warn');
+
+    await docker.cleanupOldImages(
+      {},
+      registryProvider,
+      {
+        image: {
+          registry: { name: 'hub', url: 'my-registry' },
+          name: 'test/test',
+          tag: { value: '1.0.0' },
+          digest: { repo: 'sha256:old' },
+        },
+        updateKind: {
+          kind: 'digest',
+        },
+      },
+      logContainer,
+    );
+
+    expect(logContainer.warn).toHaveBeenCalledWith(
+      expect.stringContaining('Unable to remove previous digest image'),
+    );
+  });
+
+  test('cleanupOldImages should skip digest pruning when digest repo is missing', async () => {
+    docker.configuration.prune = true;
+    const removeImageSpy = vi.spyOn(docker, 'removeImage').mockResolvedValue(undefined);
+
+    await docker.cleanupOldImages(
+      {},
+      {
+        getImageFullName: vi.fn(() => 'unused'),
+      },
+      {
+        image: {
+          registry: { name: 'hub', url: 'my-registry' },
+          name: 'test/test',
+          tag: { value: '1.0.0' },
+          digest: {},
+        },
+        updateKind: {
+          kind: 'digest',
+        },
+      },
+      createMockLog('debug'),
+    );
+
+    expect(removeImageSpy).not.toHaveBeenCalled();
+  });
+
+  test('buildHookConfig should default update env values to empty strings when missing', () => {
+    const hookConfig = docker.buildHookConfig({
+      id: 'container-id',
+      name: 'container-name',
+      image: {
+        name: 'repo/name',
+        tag: {
+          value: '1.0.0',
+        },
+      },
+      updateKind: {
+        kind: 'unknown',
+      },
+      labels: {},
+    });
+
+    expect(hookConfig.hookEnv.DD_UPDATE_FROM).toBe('');
+    expect(hookConfig.hookEnv.DD_UPDATE_TO).toBe('');
+  });
+
+  test('maybeStartAutoRollbackMonitor should return early when recreated container is missing', async () => {
+    const getCurrentContainerSpy = vi.spyOn(docker, 'getCurrentContainer').mockResolvedValue(null);
+    const inspectContainerSpy = vi.spyOn(docker, 'inspectContainer');
+
+    await docker.maybeStartAutoRollbackMonitor(
+      {},
+      {
+        id: 'container-id',
+        name: 'container-name',
+        image: {
+          tag: { value: '1.0.0' },
+          digest: { repo: 'sha256:old' },
+        },
+      },
+      {
+        autoRollback: true,
+        rollbackWindow: 10_000,
+        rollbackInterval: 1_000,
+      },
+      createMockLog('info', 'warn'),
+    );
+
+    expect(getCurrentContainerSpy).toHaveBeenCalledWith({}, { id: 'container-name' });
+    expect(inspectContainerSpy).not.toHaveBeenCalled();
+  });
+});
+
+// --- Non-self update rollback ---
+
+describe('executeContainerUpdate', () => {
+  function createContainerUpdateContext(overrides = {}) {
+    const mockNewContainer = {
+      stop: vi.fn().mockResolvedValue(undefined),
+      remove: vi.fn().mockResolvedValue(undefined),
+      inspect: vi.fn().mockResolvedValue({
+        Id: 'new-container-id',
+        State: { Health: { Status: 'healthy' } },
+      }),
+    };
+    const currentContainer = {
+      rename: vi.fn().mockResolvedValue(undefined),
+      stop: vi.fn().mockResolvedValue(undefined),
+      remove: vi.fn().mockResolvedValue(undefined),
+      wait: vi.fn().mockResolvedValue(undefined),
+      start: vi.fn().mockResolvedValue(undefined),
+    };
+    const currentContainerSpec = {
+      Id: 'old-container-id',
+      Name: '/container-name',
+      Config: { Image: 'my-registry/test/test:1.0.0' },
+      State: { Running: true },
+      HostConfig: { AutoRemove: false },
+      NetworkSettings: { Networks: {} },
+    };
+
+    vi.spyOn(docker, 'pullImage').mockResolvedValue(undefined);
+    vi.spyOn(docker, 'cloneContainer').mockReturnValue({ name: 'container-name' });
+    vi.spyOn(docker, 'createContainer').mockResolvedValue(mockNewContainer);
+    vi.spyOn(docker, 'stopContainer').mockResolvedValue(undefined);
+    vi.spyOn(docker, 'startContainer').mockResolvedValue(undefined);
+    vi.spyOn(docker, 'removeContainer').mockResolvedValue(undefined);
+    vi.spyOn(docker, 'waitContainerRemoved').mockResolvedValue(undefined);
+
+    return {
+      dockerApi: {},
+      auth: undefined,
+      newImage: 'my-registry/test/test:4.5.6',
+      currentContainer,
+      currentContainerSpec,
+      _mockNewContainer: mockNewContainer,
+      ...overrides,
+    };
+  }
+
+  test('should replace running container using rename/create/start/remove sequence', async () => {
+    const context = createContainerUpdateContext();
+    const logContainer = createMockLog('info', 'warn', 'debug');
+
+    const result = await docker.executeContainerUpdate(
+      context,
+      createTriggerContainer(),
+      logContainer,
+    );
+
+    expect(result).toBe(true);
+    expect(context.currentContainer.rename).toHaveBeenCalledTimes(1);
+    const tempName = context.currentContainer.rename.mock.calls[0][0].name;
+    expect(tempName).toMatch(/^container-name-old-/);
+    expect(docker.createContainer).toHaveBeenCalled();
+    expect(docker.stopContainer).toHaveBeenCalledWith(
+      context.currentContainer,
+      tempName,
+      'old-container-id',
+      logContainer,
+    );
+    expect(docker.startContainer).toHaveBeenCalledWith(
+      context._mockNewContainer,
+      'container-name',
+      logContainer,
+    );
+    expect(docker.removeContainer).toHaveBeenCalledWith(
+      context.currentContainer,
+      tempName,
+      'old-container-id',
+      logContainer,
+    );
+  });
+
+  test('should preserve explicit runtime pins matching source defaults during update', async () => {
+    const currentContainer = {
+      rename: vi.fn().mockResolvedValue(undefined),
+      stop: vi.fn().mockResolvedValue(undefined),
+      remove: vi.fn().mockResolvedValue(undefined),
+      wait: vi.fn().mockResolvedValue(undefined),
+      start: vi.fn().mockResolvedValue(undefined),
+    };
+    const currentContainerSpec = {
+      Id: 'old-container-id',
+      Name: '/container-name',
+      Config: {
+        Image: 'nginx:1.20-alpine',
+        Entrypoint: ['/docker-entrypoint.sh'],
+        Cmd: ['nginx', '-g', 'daemon off;'],
+        Labels: {},
+      },
+      State: { Running: false },
+      HostConfig: { AutoRemove: false },
+      NetworkSettings: { Networks: {} },
+    };
+    const dockerApi = {
+      getImage: vi.fn((imageRef) => ({
+        inspect: vi.fn().mockResolvedValue(
+          imageRef === 'nginx:1.20-alpine'
+            ? {
+                Config: {
+                  Entrypoint: ['/docker-entrypoint.sh'],
+                  Cmd: ['nginx', '-g', 'daemon off;'],
+                },
+              }
+            : {
+                Config: {
+                  Entrypoint: null,
+                  Cmd: ['nginx'],
+                },
+              },
+        ),
+      })),
+    };
+    const newContainer = {
+      stop: vi.fn().mockResolvedValue(undefined),
+      remove: vi.fn().mockResolvedValue(undefined),
+      inspect: vi.fn().mockResolvedValue({
+        Id: 'new-container-id',
+        State: { Health: { Status: 'healthy' } },
+      }),
+    };
+    const createContainerSpy = vi.spyOn(docker, 'createContainer').mockResolvedValue(newContainer);
+    vi.spyOn(docker, 'pullImage').mockResolvedValue(undefined);
+    vi.spyOn(docker, 'removeContainer').mockResolvedValue(undefined);
+    vi.spyOn(docker, 'stopContainer').mockResolvedValue(undefined);
+    vi.spyOn(docker, 'startContainer').mockResolvedValue(undefined);
+    vi.spyOn(docker, 'waitContainerRemoved').mockResolvedValue(undefined);
+
+    const result = await docker.executeContainerUpdate(
+      {
+        dockerApi,
+        auth: undefined,
+        newImage: 'nginx:1.10-alpine',
+        currentContainer,
+        currentContainerSpec,
+      },
+      createTriggerContainer(),
+      createMockLog('info', 'warn', 'debug'),
+    );
+
+    expect(result).toBe(true);
+    const createPayload = createContainerSpy.mock.calls[0][1];
+    expect(createPayload.Entrypoint).toEqual(['/docker-entrypoint.sh']);
+    expect(createPayload.Cmd).toEqual(['nginx', '-g', 'daemon off;']);
+    expect(createPayload.Labels['dd.runtime.entrypoint.origin']).toBe('explicit');
+    expect(createPayload.Labels['dd.runtime.cmd.origin']).toBe('explicit');
+  });
+
+  test('should drop stale inherited runtime defaults when origin labels mark inherited', async () => {
+    const currentContainer = {
+      rename: vi.fn().mockResolvedValue(undefined),
+      stop: vi.fn().mockResolvedValue(undefined),
+      remove: vi.fn().mockResolvedValue(undefined),
+      wait: vi.fn().mockResolvedValue(undefined),
+      start: vi.fn().mockResolvedValue(undefined),
+    };
+    const currentContainerSpec = {
+      Id: 'old-container-id',
+      Name: '/container-name',
+      Config: {
+        Image: 'nginx:1.20-alpine',
+        Entrypoint: ['/docker-entrypoint.sh'],
+        Cmd: ['nginx', '-g', 'daemon off;'],
+        Labels: {
+          'dd.runtime.entrypoint.origin': 'inherited',
+          'dd.runtime.cmd.origin': 'inherited',
+        },
+      },
+      State: { Running: false },
+      HostConfig: { AutoRemove: false },
+      NetworkSettings: { Networks: {} },
+    };
+    const dockerApi = {
+      getImage: vi.fn((imageRef) => ({
+        inspect: vi.fn().mockResolvedValue(
+          imageRef === 'nginx:1.20-alpine'
+            ? {
+                Config: {
+                  Entrypoint: ['/docker-entrypoint.sh'],
+                  Cmd: ['nginx', '-g', 'daemon off;'],
+                },
+              }
+            : {
+                Config: {
+                  Entrypoint: null,
+                  Cmd: ['nginx'],
+                },
+              },
+        ),
+      })),
+    };
+    const newContainer = {
+      stop: vi.fn().mockResolvedValue(undefined),
+      remove: vi.fn().mockResolvedValue(undefined),
+      inspect: vi.fn().mockResolvedValue({
+        Id: 'new-container-id',
+        State: { Health: { Status: 'healthy' } },
+      }),
+    };
+    const createContainerSpy = vi.spyOn(docker, 'createContainer').mockResolvedValue(newContainer);
+    vi.spyOn(docker, 'pullImage').mockResolvedValue(undefined);
+    vi.spyOn(docker, 'removeContainer').mockResolvedValue(undefined);
+    vi.spyOn(docker, 'stopContainer').mockResolvedValue(undefined);
+    vi.spyOn(docker, 'startContainer').mockResolvedValue(undefined);
+    vi.spyOn(docker, 'waitContainerRemoved').mockResolvedValue(undefined);
+
+    const result = await docker.executeContainerUpdate(
+      {
+        dockerApi,
+        auth: undefined,
+        newImage: 'nginx:1.10-alpine',
+        currentContainer,
+        currentContainerSpec,
+      },
+      createTriggerContainer(),
+      createMockLog('info', 'warn', 'debug'),
+    );
+
+    expect(result).toBe(true);
+    const createPayload = createContainerSpy.mock.calls[0][1];
+    expect(createPayload.Entrypoint).toBeUndefined();
+    expect(createPayload.Cmd).toBeUndefined();
+    expect(createPayload.Labels['dd.runtime.entrypoint.origin']).toBe('inherited');
+    expect(createPayload.Labels['dd.runtime.cmd.origin']).toBe('inherited');
+  });
+
+  test('should rollback rename when creating new container fails', async () => {
+    const context = createContainerUpdateContext();
+    const logContainer = createMockLog('info', 'warn', 'debug');
+    vi.mocked(docker.createContainer).mockRejectedValueOnce(new Error('create failed'));
+
+    await expect(
+      docker.executeContainerUpdate(context, createTriggerContainer(), logContainer),
+    ).rejects.toThrow('create failed');
+
+    expect(context.currentContainer.rename).toHaveBeenCalledTimes(2);
+    expect(context.currentContainer.rename).toHaveBeenLastCalledWith({ name: 'container-name' });
+    expect(docker.stopContainer).not.toHaveBeenCalled();
+    expect(docker.startContainer).not.toHaveBeenCalledWith(
+      context.currentContainer,
+      'container-name',
+      logContainer,
+    );
+  });
+
+  test('should return actionable rollback error for incompatible runtime command', async () => {
+    const context = createContainerUpdateContext({
+      newImage: 'nginx:1.10-alpine',
+      currentContainerSpec: {
+        Id: 'old-container-id',
+        Name: '/container-name',
+        Config: {
+          Image: 'nginx:1.20-alpine',
+          Entrypoint: ['/docker-entrypoint.sh'],
+          Cmd: ['nginx', '-g', 'daemon off;'],
+        },
+        State: { Running: true },
+        HostConfig: { AutoRemove: false },
+        NetworkSettings: { Networks: {} },
+      },
+    });
+    const logContainer = createMockLog('info', 'warn', 'debug');
+    vi.mocked(docker.createContainer).mockRejectedValueOnce(
+      new Error(
+        '(HTTP code 400) unexpected - failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: exec: "/docker-entrypoint.sh": stat /docker-entrypoint.sh: no such file or directory',
+      ),
+    );
+
+    await expect(
+      docker.executeContainerUpdate(context, createTriggerContainer(), logContainer),
+    ).rejects.toThrow('runtime command is incompatible with target image nginx:1.10-alpine');
+
+    expect(context.currentContainer.rename).toHaveBeenCalledTimes(2);
+    expect(context.currentContainer.rename).toHaveBeenLastCalledWith({ name: 'container-name' });
+  });
+
+  test('should rollback to old container when starting new container fails', async () => {
+    const context = createContainerUpdateContext();
+    const logContainer = createMockLog('info', 'warn', 'debug');
+    vi.mocked(docker.startContainer)
+      .mockRejectedValueOnce(new Error('new start failed'))
+      .mockResolvedValueOnce(undefined);
+
+    await expect(
+      docker.executeContainerUpdate(context, createTriggerContainer(), logContainer),
+    ).rejects.toThrow('new start failed');
+
+    const tempName = context.currentContainer.rename.mock.calls[0][0].name;
+    expect(docker.stopContainer).toHaveBeenCalledWith(
+      context.currentContainer,
+      tempName,
+      'old-container-id',
+      logContainer,
+    );
+    expect(context._mockNewContainer.stop).toHaveBeenCalled();
+    expect(context._mockNewContainer.remove).toHaveBeenCalledWith({ force: true });
+    expect(context.currentContainer.rename).toHaveBeenLastCalledWith({ name: 'container-name' });
+    expect(docker.startContainer).toHaveBeenNthCalledWith(
+      2,
+      context.currentContainer,
+      'container-name',
+      logContainer,
+    );
+  });
+
+  test('should wait for old container auto-removal when AutoRemove is enabled', async () => {
+    const context = createContainerUpdateContext({
+      currentContainerSpec: {
+        Id: 'old-container-id',
+        Name: '/container-name',
+        Config: { Image: 'my-registry/test/test:1.0.0' },
+        State: { Running: true },
+        HostConfig: { AutoRemove: true },
+        NetworkSettings: { Networks: {} },
+      },
+    });
+    const logContainer = createMockLog('info', 'warn', 'debug');
+
+    await docker.executeContainerUpdate(context, createTriggerContainer(), logContainer);
+
+    const tempName = context.currentContainer.rename.mock.calls[0][0].name;
+    expect(docker.waitContainerRemoved).toHaveBeenCalledWith(
+      context.currentContainer,
+      tempName,
+      'old-container-id',
+      logContainer,
+    );
+    expect(docker.removeContainer).not.toHaveBeenCalled();
+  });
+
+  test('should treat old AutoRemove cleanup 404 as success', async () => {
+    const context = createContainerUpdateContext({
+      currentContainerSpec: {
+        Id: 'old-container-id',
+        Name: '/container-name',
+        Config: { Image: 'my-registry/test/test:1.0.0' },
+        State: { Running: true },
+        HostConfig: { AutoRemove: true },
+        NetworkSettings: { Networks: {} },
+      },
+    });
+    const logContainer = createMockLog('info', 'warn', 'debug');
+    const alreadyRemovedError = Object.assign(new Error('No such container: old-container-id'), {
+      statusCode: 404,
+    });
+    vi.mocked(docker.waitContainerRemoved).mockRejectedValueOnce(alreadyRemovedError);
+
+    const result = await docker.executeContainerUpdate(
+      context,
+      createTriggerContainer(),
+      logContainer,
+    );
+
+    expect(result).toBe(true);
+    expect(context.currentContainer.rename).toHaveBeenCalledTimes(1);
+    expect(mockRollbackCounterInc).not.toHaveBeenCalled();
+    expect(mockUpdateOperation).toHaveBeenCalledWith(
+      expect.any(String),
+      expect.objectContaining({
+        status: 'succeeded',
+        phase: 'succeeded',
+      }),
+    );
+  });
+
+  test('should not rollback-delete healthy new container when AutoRemove cleanup reports no such container', async () => {
+    const context = createContainerUpdateContext({
+      currentContainerSpec: {
+        Id: 'old-container-id',
+        Name: '/container-name',
+        Config: { Image: 'my-registry/test/test:1.0.0' },
+        State: { Running: true },
+        HostConfig: { AutoRemove: true },
+        NetworkSettings: { Networks: {} },
+      },
+    });
+    const logContainer = createMockLog('info', 'warn', 'debug');
+    vi.mocked(docker.waitContainerRemoved).mockRejectedValueOnce(
+      new Error('No such container: old-container-id'),
+    );
+
+    await expect(
+      docker.executeContainerUpdate(context, createTriggerContainer(), logContainer),
+    ).resolves.toBe(true);
+
+    expect(context._mockNewContainer.stop).not.toHaveBeenCalled();
+    expect(context._mockNewContainer.remove).not.toHaveBeenCalled();
+    expect(context.currentContainer.rename).toHaveBeenCalledTimes(1);
+  });
+
+  test('should remove old container when AutoRemove is enabled but source was already stopped', async () => {
+    const context = createContainerUpdateContext({
+      currentContainerSpec: {
+        Id: 'old-container-id',
+        Name: '/container-name',
+        Config: { Image: 'my-registry/test/test:1.0.0' },
+        State: { Running: false },
+        HostConfig: { AutoRemove: true },
+        NetworkSettings: { Networks: {} },
+      },
+    });
+    const logContainer = createMockLog('info', 'warn', 'debug');
+
+    await docker.executeContainerUpdate(context, createTriggerContainer(), logContainer);
+
+    const tempName = context.currentContainer.rename.mock.calls[0][0].name;
+    expect(docker.removeContainer).toHaveBeenCalledWith(
+      context.currentContainer,
+      tempName,
+      'old-container-id',
+      logContainer,
+    );
+    expect(docker.waitContainerRemoved).not.toHaveBeenCalled();
+  });
+
+  test('should health-gate new container before removing old one when HEALTHCHECK is configured', async () => {
+    const context = createContainerUpdateContext({
+      currentContainerSpec: {
+        Id: 'old-container-id',
+        Name: '/container-name',
+        Config: { Image: 'my-registry/test/test:1.0.0', Healthcheck: { Test: ['CMD', 'true'] } },
+        State: { Running: true },
+        HostConfig: { AutoRemove: false },
+        NetworkSettings: { Networks: {} },
+      },
+    });
+    const logContainer = createMockLog('info', 'warn', 'debug');
+    const waitForHealthySpy = vi.spyOn(docker, 'waitForContainerHealthy').mockResolvedValue();
+
+    await docker.executeContainerUpdate(context, createTriggerContainer(), logContainer);
+
+    expect(waitForHealthySpy).toHaveBeenCalledWith(
+      context._mockNewContainer,
+      'container-name',
+      logContainer,
+    );
+    expect(mockUpdateOperation).toHaveBeenCalledWith(
+      expect.any(String),
+      expect.objectContaining({ phase: 'health-gate-passed' }),
+    );
+  });
+
+  test('should rollback when health gate fails', async () => {
+    const context = createContainerUpdateContext({
+      currentContainerSpec: {
+        Id: 'old-container-id',
+        Name: '/container-name',
+        Config: { Image: 'my-registry/test/test:1.0.0', Healthcheck: { Test: ['CMD', 'true'] } },
+        State: { Running: true },
+        HostConfig: { AutoRemove: false },
+        NetworkSettings: { Networks: {} },
+      },
+    });
+    const logContainer = createMockLog('info', 'warn', 'debug');
+    vi.spyOn(docker, 'waitForContainerHealthy').mockRejectedValue(
+      new Error('Health gate failed: unhealthy'),
+    );
+    vi.mocked(docker.startContainer)
+      .mockResolvedValueOnce(undefined)
+      .mockResolvedValueOnce(undefined);
+
+    await expect(
+      docker.executeContainerUpdate(context, createTriggerContainer(), logContainer),
+    ).rejects.toThrow('Health gate failed: unhealthy');
+
+    expect(context._mockNewContainer.stop).toHaveBeenCalled();
+    expect(context._mockNewContainer.remove).toHaveBeenCalledWith({ force: true });
+    expect(context.currentContainer.rename).toHaveBeenLastCalledWith({ name: 'container-name' });
+    expect(mockRollbackCounterInc).toHaveBeenCalledWith(
+      expect.objectContaining({
+        outcome: 'success',
+        reason: 'health_gate_failed',
+      }),
+    );
+    expect(mockInsertAudit).toHaveBeenCalledWith(
+      expect.objectContaining({
+        action: 'rollback',
+        status: 'success',
+      }),
+    );
+  });
+
+  test('should reconcile pending in-progress operation before update', async () => {
+    const staleTempContainer = {
+      inspect: vi.fn().mockResolvedValue({ Id: 'temp-id', State: { Running: false } }),
+      stop: vi.fn().mockResolvedValue(undefined),
+      remove: vi.fn().mockResolvedValue(undefined),
+    };
+    const activeContainer = {
+      inspect: vi.fn().mockResolvedValue({ Id: 'active-id', State: { Running: true } }),
+    };
+    const dockerApi = {
+      getContainer: vi.fn((id) => {
+        if (id === 'container-name') return activeContainer;
+        if (id === 'container-name-old-stale') return staleTempContainer;
+        return { inspect: vi.fn().mockRejectedValue(new Error('not found')) };
+      }),
+    };
+    const context = createContainerUpdateContext({ dockerApi });
+    const logContainer = createMockLog('info', 'warn', 'debug');
+    mockGetInProgressOperationByContainerName.mockReturnValue({
+      id: 'op-recover-1',
+      containerName: 'container-name',
+      oldName: 'container-name',
+      tempName: 'container-name-old-stale',
+      oldContainerWasRunning: true,
+      oldContainerStopped: true,
+      fromVersion: '1.0.0',
+      toVersion: '1.1.0',
+      status: 'in-progress',
+    });
+
+    await docker.executeContainerUpdate(context, createTriggerContainer(), logContainer);
+
+    expect(staleTempContainer.remove).toHaveBeenCalledWith({ force: true });
+    expect(mockUpdateOperation).toHaveBeenCalledWith(
+      'op-recover-1',
+      expect.objectContaining({
+        status: 'succeeded',
+        phase: 'recovered-cleanup-temp',
+      }),
+    );
+    expect(mockRollbackCounterInc).toHaveBeenCalledWith(
+      expect.objectContaining({
+        reason: 'startup_reconcile_cleanup_temp',
+      }),
+    );
+  });
+
+  test('should return false in dry-run mode', async () => {
+    docker.configuration = { ...configurationValid, dryrun: true };
+    const context = createContainerUpdateContext();
+    const logContainer = createMockLog('info', 'warn', 'debug');
+
+    const result = await docker.executeContainerUpdate(
+      context,
+      createTriggerContainer(),
+      logContainer,
+    );
+
+    expect(result).toBe(false);
+    expect(context.currentContainer.rename).not.toHaveBeenCalled();
+  });
+});
diff --git a/app/triggers/providers/docker/Docker.self-update-compose-sync.test.ts b/app/triggers/providers/docker/Docker.self-update-compose-sync.test.ts
new file mode 100644
index 000000000..83b3a56e6
--- /dev/null
+++ b/app/triggers/providers/docker/Docker.self-update-compose-sync.test.ts
@@ -0,0 +1,870 @@
+import * as registryStore from '../../../registry';
+import {
+  configurationValid,
+  createMockLog,
+  createTriggerContainer,
+  docker,
+  getDockerTestMocks,
+  registerCommonDockerBeforeEach,
+  stubTriggerFlow,
+} from './Docker.test.helpers.js';
+
+registerCommonDockerBeforeEach();
+const { mockGetRollbackCounter, mockSyncComposeFileTag } = getDockerTestMocks();
+
+// --- Self-update ---
+
+describe('isSelfUpdate', () => {
+  test('should return true for drydock image', () => {
+    expect(docker.isSelfUpdate({ image: { name: 'drydock' } })).toBe(true);
+  });
+
+  test('should return true for namespaced drydock image', () => {
+    expect(docker.isSelfUpdate({ image: { name: 'codeswhat/drydock' } })).toBe(true);
+  });
+
+  test('should return false for non-drydock image', () => {
+    expect(docker.isSelfUpdate({ image: { name: 'nginx' } })).toBe(false);
+  });
+
+  test('should return false for image name containing drydock as substring', () => {
+    expect(docker.isSelfUpdate({ image: { name: 'drydock-proxy' } })).toBe(false);
+  });
+});
+
+describe('findDockerSocketBind', () => {
+  test('should find docker socket bind', () => {
+    const spec = {
+      HostConfig: {
+        Binds: ['/var/run/docker.sock:/var/run/docker.sock'],
+      },
+    };
+    expect(docker.findDockerSocketBind(spec)).toBe('/var/run/docker.sock');
+  });
+
+  test('should find docker socket with custom host path', () => {
+    const spec = {
+      HostConfig: {
+        Binds: ['/run/user/1000/docker.sock:/var/run/docker.sock'],
+      },
+    };
+    expect(docker.findDockerSocketBind(spec)).toBe('/run/user/1000/docker.sock');
+  });
+
+  test('should return undefined when no binds', () => {
+    expect(docker.findDockerSocketBind({ HostConfig: {} })).toBeUndefined();
+  });
+
+  test('should return undefined when no docker socket bind', () => {
+    const spec = {
+      HostConfig: {
+        Binds: ['/data:/data'],
+      },
+    };
+    expect(docker.findDockerSocketBind(spec)).toBeUndefined();
+  });
+
+  test('should return undefined when Binds is not an array', () => {
+    expect(docker.findDockerSocketBind({ HostConfig: { Binds: null } })).toBeUndefined();
+  });
+});
+
+describe('executeSelfUpdate', () => {
+  function createSelfUpdateContext(overrides = {}) {
+    const mockHelperContainer = { start: vi.fn().mockResolvedValue(undefined) };
+    const mockNewContainer = {
+      start: vi.fn().mockResolvedValue(undefined),
+      inspect: vi.fn().mockResolvedValue({ Id: 'new-container-id' }),
+      remove: vi.fn().mockResolvedValue(undefined),
+    };
+
+    const dockerApi = {
+      createContainer: vi.fn().mockResolvedValue(mockHelperContainer),
+      getContainer: vi.fn(),
+      pull: vi.fn().mockResolvedValue(undefined),
+      modem: { followProgress: (_s, res) => res() },
+    };
+
+    const currentContainer = {
+      rename: vi.fn().mockResolvedValue(undefined),
+      inspect: vi.fn().mockResolvedValue({
+        Id: 'old-container-id',
+        Name: '/drydock',
+        State: { Running: true },
+      }),
+    };
+
+    const currentContainerSpec = {
+      Id: 'old-container-id',
+      Name: '/drydock',
+      Config: { Image: 'ghcr.io/codeswhat/drydock:1.0.0' },
+      State: { Running: true },
+      HostConfig: {
+        Binds: ['/var/run/docker.sock:/var/run/docker.sock'],
+      },
+      NetworkSettings: { Networks: {} },
+    };
+
+    vi.spyOn(docker, 'pullImage').mockResolvedValue(undefined);
+    vi.spyOn(docker, 'cloneContainer').mockReturnValue({ name: 'drydock' });
+    vi.spyOn(docker, 'createContainer').mockResolvedValue(mockNewContainer);
+
+    return {
+      dockerApi,
+      registry: { getImageFullName: vi.fn((_img, tag) => `codeswhat/drydock:${tag}`) },
+      auth: undefined,
+      newImage: 'ghcr.io/codeswhat/drydock:2.0.0',
+      currentContainer,
+      currentContainerSpec,
+      _mockHelperContainer: mockHelperContainer,
+      _mockNewContainer: mockNewContainer,
+      ...overrides,
+    };
+  }
+
+  test('should rename old container, create new, and spawn controller helper', async () => {
+    const context = createSelfUpdateContext();
+    const logContainer = createMockLog('info', 'warn', 'debug');
+    const container = createTriggerContainer({
+      image: {
+        name: 'codeswhat/drydock',
+        registry: { name: 'ghcr' },
+        tag: { value: '1.0.0' },
+        digest: {},
+      },
+    });
+
+    const result = await docker.executeSelfUpdate(context, container, logContainer);
+
+    expect(result).toBe(true);
+    expect(context.currentContainer.rename).toHaveBeenCalledWith({
+      name: expect.stringContaining('drydock-old-'),
+    });
+    expect(docker.createContainer).toHaveBeenCalled();
+    const helperCall = context.dockerApi.createContainer.mock.calls.find(
+      (call) => call[0]?.Cmd?.[0] === 'node',
+    );
+    expect(helperCall).toBeDefined();
+    expect(helperCall[0].Cmd).toEqual([
+      'node',
+      'dist/triggers/providers/docker/self-update-controller-entrypoint.js',
+    ]);
+    expect(helperCall[0].Env).toEqual(
+      expect.arrayContaining([
+        expect.stringMatching(/^DD_SELF_UPDATE_OP_ID=/),
+        'DD_SELF_UPDATE_OLD_CONTAINER_ID=old-container-id',
+        'DD_SELF_UPDATE_NEW_CONTAINER_ID=new-container-id',
+        'DD_SELF_UPDATE_OLD_CONTAINER_NAME=drydock',
+      ]),
+    );
+    expect(helperCall[0].Labels).toMatchObject({
+      'dd.self-update.helper': 'true',
+    });
+    expect(helperCall[0].HostConfig.AutoRemove).toBe(true);
+    expect(context._mockHelperContainer.start).toHaveBeenCalled();
+  });
+
+  test('should rollback rename when createContainer fails', async () => {
+    const context = createSelfUpdateContext();
+    const logContainer = createMockLog('info', 'warn', 'debug');
+    const container = createTriggerContainer({
+      image: {
+        name: 'codeswhat/drydock',
+        registry: { name: 'ghcr' },
+        tag: { value: '1.0.0' },
+        digest: {},
+      },
+    });
+
+    vi.spyOn(docker, 'createContainer').mockRejectedValue(new Error('create failed'));
+
+    await expect(docker.executeSelfUpdate(context, container, logContainer)).rejects.toThrow(
+      'create failed',
+    );
+
+    // Verify rollback: old container renamed back to original name
+    expect(context.currentContainer.rename).toHaveBeenCalledTimes(2);
+    expect(context.currentContainer.rename).toHaveBeenLastCalledWith({ name: 'drydock' });
+  });
+
+  test('should rollback when helper container spawn fails', async () => {
+    const context = createSelfUpdateContext();
+    const logContainer = createMockLog('info', 'warn', 'debug');
+    const container = createTriggerContainer({
+      image: {
+        name: 'codeswhat/drydock',
+        registry: { name: 'ghcr' },
+        tag: { value: '1.0.0' },
+        digest: {},
+      },
+    });
+
+    // First call is createContainer for the new drydock container (via spy on docker.createContainer)
+    // Second call is dockerApi.createContainer for the helper — make it fail
+    context.dockerApi.createContainer.mockRejectedValue(new Error('helper spawn failed'));
+
+    await expect(docker.executeSelfUpdate(context, container, logContainer)).rejects.toThrow(
+      'helper spawn failed',
+    );
+
+    // Verify rollback: new container removed, old renamed back
+    expect(context._mockNewContainer.remove).toHaveBeenCalledWith({ force: true });
+    expect(context.currentContainer.rename).toHaveBeenLastCalledWith({ name: 'drydock' });
+  });
+
+  test('should rollback when inspecting new container fails', async () => {
+    const context = createSelfUpdateContext();
+    const logContainer = createMockLog('info', 'warn', 'debug');
+    const container = createTriggerContainer({
+      image: {
+        name: 'codeswhat/drydock',
+        registry: { name: 'ghcr' },
+        tag: { value: '1.0.0' },
+        digest: {},
+      },
+    });
+
+    context._mockNewContainer.inspect.mockRejectedValue(new Error('inspect failed'));
+
+    await expect(docker.executeSelfUpdate(context, container, logContainer)).rejects.toThrow(
+      'inspect failed',
+    );
+
+    expect(context._mockNewContainer.remove).toHaveBeenCalledWith({ force: true });
+    expect(context.currentContainer.rename).toHaveBeenLastCalledWith({ name: 'drydock' });
+    expect(context.dockerApi.createContainer).not.toHaveBeenCalled();
+  });
+
+  test('should throw when docker socket bind not found', async () => {
+    const context = createSelfUpdateContext();
+    context.currentContainerSpec.HostConfig.Binds = ['/data:/data'];
+    const logContainer = createMockLog('info', 'warn', 'debug');
+    const container = createTriggerContainer({
+      image: {
+        name: 'codeswhat/drydock',
+        registry: { name: 'ghcr' },
+        tag: { value: '1.0.0' },
+        digest: {},
+      },
+    });
+
+    await expect(docker.executeSelfUpdate(context, container, logContainer)).rejects.toThrow(
+      'Self-update requires the Docker socket',
+    );
+  });
+
+  test('should return false in dryrun mode', async () => {
+    docker.configuration = { ...configurationValid, dryrun: true };
+    const context = createSelfUpdateContext();
+    const logContainer = createMockLog('info', 'warn', 'debug');
+    const container = createTriggerContainer({
+      image: {
+        name: 'codeswhat/drydock',
+        registry: { name: 'ghcr' },
+        tag: { value: '1.0.0' },
+        digest: {},
+      },
+    });
+
+    const result = await docker.executeSelfUpdate(context, container, logContainer);
+
+    expect(result).toBe(false);
+    expect(context.currentContainer.rename).not.toHaveBeenCalled();
+  });
+});
+
+describe('extracted lifecycle delegation', () => {
+  test('executeSelfUpdate should delegate to selfUpdateOrchestrator', async () => {
+    const originalSelfUpdateOrchestrator = docker.selfUpdateOrchestrator;
+    const execute = vi.fn().mockResolvedValue('delegated-self-update');
+    docker.selfUpdateOrchestrator = { execute };
+    const context = { any: 'context' };
+    const container = createTriggerContainer();
+    const logContainer = createMockLog('info', 'warn', 'debug');
+
+    try {
+      const result = await docker.executeSelfUpdate(context, container, logContainer, 'op-123');
+
+      expect(execute).toHaveBeenCalledWith(context, container, logContainer, 'op-123');
+      expect(result).toBe('delegated-self-update');
+    } finally {
+      docker.selfUpdateOrchestrator = originalSelfUpdateOrchestrator;
+    }
+  });
+
+  test('maybeNotifySelfUpdate should delegate to selfUpdateOrchestrator', async () => {
+    const originalSelfUpdateOrchestrator = docker.selfUpdateOrchestrator;
+    const maybeNotify = vi.fn().mockResolvedValue(undefined);
+    docker.selfUpdateOrchestrator = { maybeNotify };
+    const container = createTriggerContainer();
+    const logContainer = createMockLog('info', 'warn', 'debug');
+
+    try {
+      await docker.maybeNotifySelfUpdate(container, logContainer, 'op-123');
+      expect(maybeNotify).toHaveBeenCalledWith(container, logContainer, 'op-123');
+    } finally {
+      docker.selfUpdateOrchestrator = originalSelfUpdateOrchestrator;
+    }
+  });
+
+  test('executeContainerUpdate should delegate to containerUpdateExecutor', async () => {
+    const originalContainerUpdateExecutor = docker.containerUpdateExecutor;
+    const execute = vi.fn().mockResolvedValue('delegated-container-update');
+    docker.containerUpdateExecutor = { execute };
+    const context = { any: 'context' };
+    const container = createTriggerContainer();
+    const logContainer = createMockLog('info', 'warn', 'debug');
+
+    try {
+      const result = await docker.executeContainerUpdate(context, container, logContainer);
+
+      expect(execute).toHaveBeenCalledWith(context, container, logContainer);
+      expect(result).toBe('delegated-container-update');
+    } finally {
+      docker.containerUpdateExecutor = originalContainerUpdateExecutor;
+    }
+  });
+
+  test('runContainerUpdateLifecycle should delegate to updateLifecycleExecutor', async () => {
+    const originalUpdateLifecycleExecutor = docker.updateLifecycleExecutor;
+    const run = vi.fn().mockResolvedValue(undefined);
+    docker.updateLifecycleExecutor = { run };
+    const container = createTriggerContainer();
+    const runtimeContext = { composeFile: '/tmp/docker-compose.yml' };
+
+    try {
+      await docker.runContainerUpdateLifecycle(container, runtimeContext);
+
+      expect(run).toHaveBeenCalledWith(container, runtimeContext);
+    } finally {
+      docker.updateLifecycleExecutor = originalUpdateLifecycleExecutor;
+    }
+  });
+
+  test('getRollbackConfig should delegate to rollbackMonitor', () => {
+    const originalRollbackMonitor = docker.rollbackMonitor;
+    const getConfig = vi.fn().mockReturnValue({
+      autoRollback: true,
+      rollbackWindow: 45_000,
+      rollbackInterval: 2_000,
+    });
+    docker.rollbackMonitor = { getConfig };
+    const container = createTriggerContainer();
+
+    try {
+      const result = docker.getRollbackConfig(container);
+
+      expect(getConfig).toHaveBeenCalledWith(container);
+      expect(result).toEqual({
+        autoRollback: true,
+        rollbackWindow: 45_000,
+        rollbackInterval: 2_000,
+      });
+    } finally {
+      docker.rollbackMonitor = originalRollbackMonitor;
+    }
+  });
+
+  test('maybeStartAutoRollbackMonitor should delegate to rollbackMonitor', async () => {
+    const originalRollbackMonitor = docker.rollbackMonitor;
+    const start = vi.fn().mockResolvedValue(undefined);
+    docker.rollbackMonitor = { start };
+    const dockerApi = { any: 'docker' };
+    const container = createTriggerContainer();
+    const rollbackConfig = {
+      autoRollback: true,
+      rollbackWindow: 60_000,
+      rollbackInterval: 5_000,
+    };
+    const logContainer = createMockLog('info', 'warn', 'debug');
+
+    try {
+      await docker.maybeStartAutoRollbackMonitor(
+        dockerApi,
+        container,
+        rollbackConfig,
+        logContainer,
+      );
+
+      expect(start).toHaveBeenCalledWith(dockerApi, container, rollbackConfig, logContainer);
+    } finally {
+      docker.rollbackMonitor = originalRollbackMonitor;
+    }
+  });
+});
+
+describe('additional direct wrapper coverage', () => {
+  test('isContainerNotFoundError should handle empty, status, and message-based inputs', () => {
+    expect(docker.isContainerNotFoundError(undefined)).toBe(false);
+    expect(docker.isContainerNotFoundError('no such container as primitive')).toBe(false);
+    expect(docker.isContainerNotFoundError({ statusCode: 404 })).toBe(true);
+    expect(docker.isContainerNotFoundError({ status: 404 })).toBe(true);
+    expect(docker.isContainerNotFoundError({ message: 'No such container: abc' })).toBe(true);
+    expect(docker.isContainerNotFoundError({ reason: 'No such container: def' })).toBe(true);
+    expect(docker.isContainerNotFoundError({ json: { message: 'No such container: ghi' } })).toBe(
+      true,
+    );
+    expect(docker.isContainerNotFoundError({ json: { message: 404 } })).toBe(false);
+    expect(docker.isContainerNotFoundError({ message: 'something else' })).toBe(false);
+  });
+
+  test('registry resolver wrapper methods should delegate to registryResolver', () => {
+    const originalResolver = docker.registryResolver as any;
+    const getStateSpy = vi.spyOn(registryStore, 'getState').mockReturnValue({} as any);
+    docker.registryResolver = {
+      normalizeRegistryHost: vi.fn().mockReturnValue('normalized-host'),
+      buildRegistryLookupCandidates: vi.fn().mockReturnValue(['a', 'b']),
+      isRegistryManagerCompatible: vi.fn().mockReturnValue(true),
+      createAnonymousRegistryManager: vi.fn().mockReturnValue({ name: 'anon' }),
+      resolveRegistryManager: vi.fn().mockReturnValue({ name: 'resolved' }),
+    } as any;
+
+    try {
+      expect(docker.normalizeRegistryHost('docker.io')).toBe('normalized-host');
+      expect(docker.buildRegistryLookupCandidates({ name: 'nginx' } as any)).toEqual(['a', 'b']);
+      expect(docker.isRegistryManagerCompatible({} as any, { withDigest: true })).toBe(true);
+      expect(docker.createAnonymousRegistryManager({} as any, {} as any)).toEqual({ name: 'anon' });
+      expect(
+        docker.resolveRegistryManager({ image: { registry: { name: 'hub' } } } as any, {} as any),
+      ).toEqual({ name: 'resolved' });
+    } finally {
+      getStateSpy.mockRestore();
+      docker.registryResolver = originalResolver;
+    }
+  });
+
+  test('recordRollbackTelemetry should normalize reasons and map info outcome', () => {
+    const rollbackCounterInc = vi.fn();
+    mockGetRollbackCounter.mockReturnValue({ inc: rollbackCounterInc });
+    const recordRollbackAuditSpy = vi
+      .spyOn(docker, 'recordRollbackAudit')
+      .mockImplementation(() => {
+        return undefined as any;
+      });
+    const container = { name: 'web', image: { name: 'nginx' } } as any;
+
+    docker.recordRollbackTelemetry({
+      container,
+      outcome: 'info',
+      reason: '',
+      details: 'missing reason',
+    });
+    docker.recordRollbackTelemetry({
+      container,
+      outcome: 'info',
+      reason: '!!!',
+      details: 'sanitized reason',
+    });
+    docker.recordRollbackTelemetry({
+      container,
+      outcome: 'success',
+      reason: 'manual',
+      details: 'success reason',
+    });
+    docker.recordRollbackTelemetry({
+      container,
+      outcome: 'error',
+      reason: 'manual',
+      details: 'error reason',
+    });
+
+    expect(rollbackCounterInc).toHaveBeenNthCalledWith(
+      1,
+      expect.objectContaining({
+        outcome: 'info',
+        reason: 'unspecified',
+      }),
+    );
+    expect(rollbackCounterInc).toHaveBeenNthCalledWith(
+      2,
+      expect.objectContaining({
+        outcome: 'info',
+        reason: 'unspecified',
+      }),
+    );
+    expect(recordRollbackAuditSpy).toHaveBeenNthCalledWith(
+      1,
+      container,
+      'info',
+      'missing reason',
+      undefined,
+      undefined,
+    );
+    expect(recordRollbackAuditSpy).toHaveBeenNthCalledWith(
+      2,
+      container,
+      'info',
+      'sanitized reason',
+      undefined,
+      undefined,
+    );
+    expect(recordRollbackAuditSpy).toHaveBeenNthCalledWith(
+      3,
+      container,
+      'success',
+      'success reason',
+      undefined,
+      undefined,
+    );
+    expect(recordRollbackAuditSpy).toHaveBeenNthCalledWith(
+      4,
+      container,
+      'error',
+      'error reason',
+      undefined,
+      undefined,
+    );
+    recordRollbackAuditSpy.mockRestore();
+  });
+
+  test('stopAndRemoveContainer should stop then remove when running and auto-remove is disabled', async () => {
+    const stopSpy = vi.spyOn(docker, 'stopContainer').mockResolvedValue();
+    const removeSpy = vi.spyOn(docker, 'removeContainer').mockResolvedValue();
+    const waitSpy = vi.spyOn(docker, 'waitContainerRemoved').mockResolvedValue();
+
+    await docker.stopAndRemoveContainer(
+      {} as any,
+      { State: { Running: true }, HostConfig: { AutoRemove: false } } as any,
+      { name: 'c1', id: 'id-1' } as any,
+      createMockLog('info', 'warn', 'debug'),
+    );
+
+    expect(stopSpy).toHaveBeenCalledTimes(1);
+    expect(removeSpy).toHaveBeenCalledTimes(1);
+    expect(waitSpy).not.toHaveBeenCalled();
+  });
+
+  test('stopAndRemoveContainer should wait for auto-removal when AutoRemove is enabled', async () => {
+    const stopSpy = vi.spyOn(docker, 'stopContainer').mockResolvedValue();
+    const removeSpy = vi.spyOn(docker, 'removeContainer').mockResolvedValue();
+    const waitSpy = vi.spyOn(docker, 'waitContainerRemoved').mockResolvedValue();
+
+    await docker.stopAndRemoveContainer(
+      {} as any,
+      { State: { Running: false }, HostConfig: { AutoRemove: true } } as any,
+      { name: 'c1', id: 'id-1' } as any,
+      createMockLog('info', 'warn', 'debug'),
+    );
+
+    expect(stopSpy).not.toHaveBeenCalled();
+    expect(removeSpy).not.toHaveBeenCalled();
+    expect(waitSpy).toHaveBeenCalledTimes(1);
+  });
+
+  test('recreateContainer should create and start new container when previous one was running', async () => {
+    const cloneSpy = vi.spyOn(docker, 'cloneContainer').mockReturnValue({} as any);
+    const createSpy = vi.spyOn(docker, 'createContainer').mockResolvedValue({} as any);
+    const startSpy = vi.spyOn(docker, 'startContainer').mockResolvedValue();
+
+    await docker.recreateContainer(
+      {} as any,
+      { State: { Running: true } } as any,
+      'repo/image:new',
+      { name: 'c1' } as any,
+      createMockLog('info', 'warn', 'debug'),
+    );
+
+    expect(cloneSpy).toHaveBeenCalledTimes(1);
+    expect(createSpy).toHaveBeenCalledTimes(1);
+    expect(startSpy).toHaveBeenCalledTimes(1);
+  });
+
+  test('recreateContainer should skip start when previous container was stopped', async () => {
+    vi.spyOn(docker, 'cloneContainer').mockReturnValue({} as any);
+    vi.spyOn(docker, 'createContainer').mockResolvedValue({} as any);
+    const startSpy = vi.spyOn(docker, 'startContainer').mockResolvedValue();
+
+    await docker.recreateContainer(
+      {} as any,
+      { State: { Running: false } } as any,
+      'repo/image:new',
+      { name: 'c1' } as any,
+      createMockLog('info', 'warn', 'debug'),
+    );
+
+    expect(startSpy).not.toHaveBeenCalled();
+  });
+
+  test('waitForContainerHealthy should wait when health state is initially unavailable', async () => {
+    vi.useFakeTimers();
+    const dateNowSpy = vi.spyOn(Date, 'now');
+    dateNowSpy.mockReturnValueOnce(0).mockReturnValueOnce(1_000).mockReturnValueOnce(2_000);
+    const containerToCheck = {
+      inspect: vi
+        .fn()
+        .mockResolvedValueOnce({ State: {} })
+        .mockResolvedValueOnce({ State: { Health: { Status: 'healthy' } } }),
+    };
+    const logContainer = createMockLog('info', 'warn', 'debug');
+
+    const waitPromise = docker.waitForContainerHealthy(
+      containerToCheck as any,
+      'web',
+      logContainer,
+    );
+    await vi.advanceTimersByTimeAsync(5_000);
+    await waitPromise;
+
+    expect(logContainer.debug).toHaveBeenCalledWith(
+      'Container web health state not yet available — waiting for health gate',
+    );
+    expect(logContainer.info).toHaveBeenCalledWith('Container web passed health gate');
+    dateNowSpy.mockRestore();
+    vi.useRealTimers();
+  });
+
+  test('waitForContainerHealthy should fail when health status is unhealthy', async () => {
+    const containerToCheck = {
+      inspect: vi.fn().mockResolvedValue({ State: { Health: { Status: 'unhealthy' } } }),
+    };
+
+    await expect(
+      docker.waitForContainerHealthy(
+        containerToCheck as any,
+        'web',
+        createMockLog('info', 'warn', 'debug'),
+      ),
+    ).rejects.toThrow('Health gate failed: container web reported unhealthy');
+  });
+
+  test('waitForContainerHealthy should time out when status never becomes healthy', async () => {
+    const dateNowSpy = vi.spyOn(Date, 'now');
+    dateNowSpy.mockReturnValueOnce(0).mockReturnValueOnce(301_000);
+    const containerToCheck = {
+      inspect: vi.fn(),
+    };
+
+    await expect(
+      docker.waitForContainerHealthy(
+        containerToCheck as any,
+        'web',
+        createMockLog('info', 'warn', 'debug'),
+      ),
+    ).rejects.toThrow('Health gate timed out');
+
+    dateNowSpy.mockRestore();
+  });
+
+  test('waitForContainerHealthy should poll when health status is neither healthy nor unhealthy', async () => {
+    vi.useFakeTimers();
+    const dateNowSpy = vi.spyOn(Date, 'now');
+    dateNowSpy.mockReturnValueOnce(0).mockReturnValueOnce(0).mockReturnValueOnce(301_000);
+    const containerToCheck = {
+      inspect: vi.fn().mockResolvedValue({ State: { Health: { Status: 'starting' } } }),
+    };
+
+    try {
+      const waitPromise = docker.waitForContainerHealthy(
+        containerToCheck as any,
+        'web',
+        createMockLog('info', 'warn', 'debug'),
+      );
+      waitPromise.catch(() => undefined);
+      await vi.advanceTimersByTimeAsync(5_000);
+      await expect(waitPromise).rejects.toThrow('Health gate timed out');
+    } finally {
+      dateNowSpy.mockRestore();
+      vi.useRealTimers();
+    }
+  });
+
+  test('hook wrapper methods should delegate to hookExecutor', async () => {
+    const originalHookExecutor = docker.hookExecutor as any;
+    const runPreUpdateHook = vi.fn().mockResolvedValue(undefined);
+    const runPostUpdateHook = vi.fn().mockResolvedValue(undefined);
+    const isHookFailure = vi.fn().mockReturnValue(true);
+    const getHookFailureDetails = vi.fn().mockReturnValue('failed details');
+    docker.hookExecutor = {
+      runPreUpdateHook,
+      runPostUpdateHook,
+      isHookFailure,
+      getHookFailureDetails,
+    } as any;
+
+    try {
+      expect(docker.isHookFailure({ code: 1 })).toBe(true);
+      expect(docker.getHookFailureDetails('pre', { code: 1 }, 1000)).toBe('failed details');
+      await docker.runPreUpdateHook({} as any, {} as any, {} as any);
+      await docker.runPostUpdateHook({} as any, {} as any, {} as any);
+      expect(runPreUpdateHook).toHaveBeenCalledTimes(1);
+      expect(runPostUpdateHook).toHaveBeenCalledTimes(1);
+    } finally {
+      docker.hookExecutor = originalHookExecutor;
+    }
+  });
+
+  test('reconcileInProgressContainerUpdateOperation should delegate to containerUpdateExecutor', async () => {
+    const originalExecutor = docker.containerUpdateExecutor as any;
+    const reconcile = vi.fn().mockResolvedValue('reconciled');
+    docker.containerUpdateExecutor = {
+      reconcileInProgressContainerUpdateOperation: reconcile,
+    } as any;
+
+    try {
+      const result = await docker.reconcileInProgressContainerUpdateOperation(
+        {} as any,
+        {} as any,
+        {} as any,
+      );
+
+      expect(reconcile).toHaveBeenCalledTimes(1);
+      expect(result).toBe('reconciled');
+    } finally {
+      docker.containerUpdateExecutor = originalExecutor;
+    }
+  });
+});
+
+describe('trigger self-update routing', () => {
+  test('should route to executeSelfUpdate for drydock image', async () => {
+    stubTriggerFlow({ running: true });
+    const executeSelfUpdateSpy = vi.spyOn(docker, 'executeSelfUpdate').mockResolvedValue(true);
+    const executeContainerUpdateSpy = vi.spyOn(docker, 'executeContainerUpdate');
+
+    await docker.trigger(
+      createTriggerContainer({
+        image: {
+          name: 'codeswhat/drydock',
+          registry: { name: 'hub', url: 'my-registry' },
+          tag: { value: '1.0.0' },
+        },
+      }),
+    );
+
+    expect(executeSelfUpdateSpy).toHaveBeenCalled();
+    expect(executeContainerUpdateSpy).not.toHaveBeenCalled();
+  });
+
+  test('should route to executeContainerUpdate for non-drydock image', async () => {
+    stubTriggerFlow({ running: true });
+    const executeSelfUpdateSpy = vi.spyOn(docker, 'executeSelfUpdate');
+    const executeContainerUpdateSpy = vi.spyOn(docker, 'executeContainerUpdate');
+
+    await docker.trigger(createTriggerContainer());
+
+    expect(executeContainerUpdateSpy).toHaveBeenCalled();
+    expect(executeSelfUpdateSpy).not.toHaveBeenCalled();
+  });
+
+  test('should stop trigger flow when self-update returns false', async () => {
+    stubTriggerFlow({ running: true });
+    const maybeNotifySelfUpdateSpy = vi
+      .spyOn(docker, 'maybeNotifySelfUpdate')
+      .mockResolvedValue(undefined);
+    const executeSelfUpdateSpy = vi.spyOn(docker, 'executeSelfUpdate').mockResolvedValue(false);
+    const executeContainerUpdateSpy = vi.spyOn(docker, 'executeContainerUpdate');
+
+    await expect(
+      docker.trigger(
+        createTriggerContainer({
+          image: {
+            name: 'codeswhat/drydock',
+            registry: { name: 'hub', url: 'my-registry' },
+            tag: { value: '1.0.0' },
+          },
+        }),
+      ),
+    ).resolves.toBeUndefined();
+
+    expect(maybeNotifySelfUpdateSpy).toHaveBeenCalled();
+    expect(executeSelfUpdateSpy).toHaveBeenCalled();
+    expect(executeContainerUpdateSpy).not.toHaveBeenCalled();
+  });
+});
+
+// --- compose file sync ---
+
+describe('performContainerUpdate compose file sync', () => {
+  beforeEach(() => {
+    mockSyncComposeFileTag.mockClear();
+  });
+
+  test('should call syncComposeFileTag after successful tag update', async () => {
+    const executeUpdateSpy = vi.spyOn(docker, 'executeContainerUpdate').mockResolvedValue(true);
+
+    const context = {
+      currentContainerSpec: {
+        Config: {
+          Labels: {
+            'com.docker.compose.project.config_files': '/app/docker-compose.yml',
+            'com.docker.compose.service': 'web',
+          },
+        },
+      },
+      newImage: 'myapp:v2',
+    };
+
+    const container = {
+      updateKind: { kind: 'tag', localValue: 'v1', remoteValue: 'v2' },
+    };
+
+    const logContainer = { info: vi.fn(), warn: vi.fn(), debug: vi.fn(), error: vi.fn() };
+
+    await docker.performContainerUpdate(context, container, logContainer);
+
+    expect(mockSyncComposeFileTag).toHaveBeenCalledWith({
+      labels: context.currentContainerSpec.Config.Labels,
+      newImage: 'myapp:v2',
+      logContainer,
+    });
+
+    executeUpdateSpy.mockRestore();
+  });
+
+  test('should not call syncComposeFileTag for digest updates', async () => {
+    const executeUpdateSpy = vi.spyOn(docker, 'executeContainerUpdate').mockResolvedValue(true);
+
+    const context = {
+      currentContainerSpec: {
+        Config: {
+          Labels: {
+            'com.docker.compose.project.config_files': '/app/docker-compose.yml',
+            'com.docker.compose.service': 'web',
+          },
+        },
+      },
+      newImage: 'myapp:latest',
+    };
+
+    const container = {
+      updateKind: { kind: 'digest' },
+    };
+
+    const logContainer = { info: vi.fn(), warn: vi.fn(), debug: vi.fn(), error: vi.fn() };
+
+    await docker.performContainerUpdate(context, container, logContainer);
+
+    expect(mockSyncComposeFileTag).not.toHaveBeenCalled();
+
+    executeUpdateSpy.mockRestore();
+  });
+
+  test('should not call syncComposeFileTag when update fails', async () => {
+    const executeUpdateSpy = vi.spyOn(docker, 'executeContainerUpdate').mockResolvedValue(false);
+
+    const context = {
+      currentContainerSpec: {
+        Config: {
+          Labels: {
+            'com.docker.compose.project.config_files': '/app/docker-compose.yml',
+            'com.docker.compose.service': 'web',
+          },
+        },
+      },
+      newImage: 'myapp:v2',
+    };
+
+    const container = {
+      updateKind: { kind: 'tag', localValue: 'v1', remoteValue: 'v2' },
+    };
+
+    const logContainer = { info: vi.fn(), warn: vi.fn(), debug: vi.fn(), error: vi.fn() };
+
+    const result = await docker.performContainerUpdate(context, container, logContainer);
+
+    expect(result).toBe(false);
+    expect(mockSyncComposeFileTag).not.toHaveBeenCalled();
+
+    executeUpdateSpy.mockRestore();
+  });
+});
diff --git a/app/triggers/providers/docker/Docker.test.helpers.ts b/app/triggers/providers/docker/Docker.test.helpers.ts
new file mode 100644
index 000000000..6effdd3d5
--- /dev/null
+++ b/app/triggers/providers/docker/Docker.test.helpers.ts
@@ -0,0 +1,435 @@
+import log from '../../../log/index.js';
+import Docker from './Docker.js';
+
+export { log };
+
+export const configurationValid = {
+  prune: false,
+  dryrun: false,
+  threshold: 'all',
+  mode: 'simple',
+  once: true,
+  auto: 'all',
+  order: 100,
+  autoremovetimeout: 10000,
+  backupcount: 3,
+  simpletitle: 'New ${container.updateKind.kind} found for container ${container.name}',
+  simplebody:
+    'Container ${container.name} running with ${container.updateKind.kind} ${container.updateKind.localValue} can be updated to ${container.updateKind.kind} ${container.updateKind.remoteValue}${container.result && container.result.link ? "\\n" + container.result.link : ""}',
+  batchtitle: '${containers.length} updates available',
+  resolvenotifications: false,
+  digestcron: '0 8 * * *',
+};
+
+export const docker = new Docker();
+docker.configuration = configurationValid;
+docker.log = log;
+
+const mockGetSecurityConfiguration = vi.hoisted(() => vi.fn());
+vi.mock('../../../configuration/index.js', async () => {
+  const actual = await vi.importActual<typeof import('../../../configuration/index.js')>(
+    '../../../configuration/index.js',
+  );
+  return {
+    ...actual,
+    getSecurityConfiguration: (...args: any[]) => mockGetSecurityConfiguration(...args),
+  };
+});
+
+const mockScanImageForVulnerabilities = vi.hoisted(() => vi.fn());
+const mockVerifyImageSignature = vi.hoisted(() => vi.fn());
+const mockGenerateImageSbom = vi.hoisted(() => vi.fn());
+vi.mock('../../../security/scan.js', () => ({
+  scanImageForVulnerabilities: mockScanImageForVulnerabilities,
+  verifyImageSignature: mockVerifyImageSignature,
+  generateImageSbom: mockGenerateImageSbom,
+  clearDigestScanCache: vi.fn(),
+  getDigestScanCacheSize: vi.fn().mockReturnValue(0),
+  updateDigestScanCache: vi.fn(),
+  scanImageWithDedup: vi.fn(),
+}));
+
+vi.mock('../../../store/container.js', () => ({
+  getContainer: vi.fn(),
+  updateContainer: vi.fn((container) => container),
+  cacheSecurityState: vi.fn(),
+}));
+
+vi.mock('../../../store/backup', () => ({
+  insertBackup: vi.fn(),
+  pruneOldBackups: vi.fn(),
+  getBackupsByName: vi.fn().mockReturnValue([]),
+}));
+
+const mockRunHook = vi.hoisted(() => vi.fn());
+vi.mock('../../hooks/HookRunner.js', () => ({
+  runHook: mockRunHook,
+}));
+
+const mockStartHealthMonitor = vi.hoisted(() => vi.fn().mockReturnValue({ abort: vi.fn() }));
+vi.mock('./HealthMonitor.js', () => ({
+  startHealthMonitor: mockStartHealthMonitor,
+}));
+
+const mockInsertAudit = vi.hoisted(() => vi.fn());
+vi.mock('../../../store/audit.js', () => ({
+  insertAudit: (...args: any[]) => mockInsertAudit(...args),
+}));
+
+const mockAuditCounterInc = vi.hoisted(() => vi.fn());
+vi.mock('../../../prometheus/audit.js', () => ({
+  getAuditCounter: () => ({ inc: mockAuditCounterInc }),
+}));
+
+const mockRollbackCounterInc = vi.hoisted(() => vi.fn());
+const mockGetRollbackCounter = vi.hoisted(() => vi.fn());
+vi.mock('../../../prometheus/rollback.js', () => ({
+  getRollbackCounter: (...args: any[]) => mockGetRollbackCounter(...args),
+}));
+
+const mockInsertOperation = vi.hoisted(() => vi.fn());
+const mockUpdateOperation = vi.hoisted(() => vi.fn());
+const mockGetInProgressOperationByContainerName = vi.hoisted(() => vi.fn());
+vi.mock('../../../store/update-operation.js', () => ({
+  insertOperation: (...args: any[]) => mockInsertOperation(...args),
+  updateOperation: (...args: any[]) => mockUpdateOperation(...args),
+  getInProgressOperationByContainerName: (...args: any[]) =>
+    mockGetInProgressOperationByContainerName(...args),
+}));
+
+const mockSyncComposeFileTag = vi.hoisted(() => vi.fn().mockResolvedValue(false));
+vi.mock('./compose-file-sync.js', () => ({
+  syncComposeFileTag: (...args: any[]) => mockSyncComposeFileTag(...args),
+}));
+
+const mockGetState = vi.hoisted(() => vi.fn());
+vi.mock('../../../registry', () => ({
+  getState: (...args: any[]) => mockGetState(...args),
+}));
+
+/** Default registry state used by the Docker trigger test suite */
+export function createDefaultRegistryState() {
+  return {
+    watcher: {
+      'docker.test': {
+        getId: () => 'docker.test',
+        watch: () => Promise.resolve(),
+        dockerApi: {
+          getContainer: (id) => {
+            if (id === '123456789') {
+              return Promise.resolve({
+                inspect: () =>
+                  Promise.resolve({
+                    Name: '/container-name',
+                    Id: '123456798',
+                    State: {
+                      Running: true,
+                    },
+                    NetworkSettings: {
+                      Networks: {
+                        test: {
+                          Aliases: ['9708fc7b44f2', 'test'],
+                        },
+                      },
+                    },
+                  }),
+                stop: () => Promise.resolve(),
+                remove: () => Promise.resolve(),
+                start: () => Promise.resolve(),
+                rename: () => Promise.resolve(),
+              });
+            }
+            return Promise.reject(new Error('Error when getting container'));
+          },
+          createContainer: (container) => {
+            if (container.name === 'container-name') {
+              return Promise.resolve({
+                start: () => Promise.resolve(),
+                inspect: () =>
+                  Promise.resolve({
+                    Id: 'new-container-id',
+                    State: { Health: { Status: 'healthy' } },
+                  }),
+                stop: () => Promise.resolve(),
+                remove: () => Promise.resolve(),
+              });
+            }
+            return Promise.reject(new Error('Error when creating container'));
+          },
+          pull: (image) => {
+            if (image === 'test/test:1.2.3' || image === 'my-registry/test/test:4.5.6') {
+              return Promise.resolve();
+            }
+            return Promise.reject(new Error('Error when pulling image'));
+          },
+          getImage: (image) =>
+            Promise.resolve({
+              remove: () => {
+                if (image === 'test/test:1.2.3') {
+                  return Promise.resolve();
+                }
+                return Promise.reject(new Error('Error when removing image'));
+              },
+            }),
+          modem: {
+            followProgress: (pullStream, res) => res(),
+          },
+        },
+      },
+    },
+    registry: {
+      hub: {
+        getAuthPull: async () => undefined,
+        normalizeImage: (image) => ({
+          ...image,
+          registry: {
+            ...(image.registry || {}),
+            name: 'hub',
+          },
+        }),
+        getImageFullName: (image, tagOrDigest) =>
+          `${image.registry.url}/${image.name}:${tagOrDigest}`,
+      },
+    },
+  };
+}
+
+// --- Shared factories and helpers ---
+
+/** Build a mock dockerApi for pruneImages tests */
+export function createPruneDockerApi(images, removeSpy = vi.fn().mockResolvedValue(undefined)) {
+  return {
+    listImages: vi.fn().mockResolvedValue(images),
+    getImage: vi.fn().mockReturnValue({ name: 'image-to-remove', remove: removeSpy }),
+  };
+}
+
+/** Standard normalizeImage mock that echoes registry name, image name, and tag */
+export function createEchoNormalizeRegistry(registryName = 'ecr') {
+  return {
+    normalizeImage: (img) => ({
+      registry: { name: registryName },
+      name: img.name,
+      tag: { value: img.tag.value },
+    }),
+  };
+}
+
+/** Default container fixture for pruneImages tests */
+export function createPruneContainer(overrides = {}) {
+  return {
+    image: { registry: { name: 'ecr' }, name: 'repo', tag: { value: '1.0.0' } },
+    updateKind: { kind: 'tag', localValue: '1.0.0', remoteValue: '2.0.0' },
+    ...overrides,
+  };
+}
+
+/** Build a container payload for trigger tests */
+export function createTriggerContainer(overrides = {}) {
+  return {
+    watcher: 'test',
+    id: '123456789',
+    name: 'container-name',
+    image: {
+      name: 'test/test',
+      registry: { name: 'hub', url: 'my-registry' },
+      tag: { value: '1.0.0' },
+    },
+    updateKind: { kind: 'tag', remoteValue: '4.5.6' },
+    ...overrides,
+  };
+}
+
+export function createSecurityScanResult(overrides = {}) {
+  return {
+    scanner: 'trivy',
+    image: 'my-registry/test/test:4.5.6',
+    scannedAt: new Date().toISOString(),
+    status: 'passed',
+    blockSeverities: ['CRITICAL', 'HIGH'],
+    blockingCount: 0,
+    summary: {
+      unknown: 0,
+      low: 0,
+      medium: 0,
+      high: 0,
+      critical: 0,
+    },
+    vulnerabilities: [],
+    ...overrides,
+  };
+}
+
+export function createSignatureVerificationResult(overrides = {}) {
+  return {
+    verifier: 'cosign',
+    image: 'my-registry/test/test:4.5.6',
+    verifiedAt: new Date().toISOString(),
+    status: 'verified',
+    keyless: true,
+    signatures: 1,
+    ...overrides,
+  };
+}
+
+export function createSbomResult(overrides = {}) {
+  return {
+    generator: 'trivy',
+    image: 'my-registry/test/test:4.5.6',
+    generatedAt: new Date().toISOString(),
+    status: 'generated',
+    formats: ['spdx-json'],
+    documents: {
+      'spdx-json': { SPDXID: 'SPDXRef-DOCUMENT' },
+    },
+    ...overrides,
+  };
+}
+
+export function createSecurityConfiguration(overrides = {}) {
+  return {
+    enabled: true,
+    scanner: 'trivy',
+    blockSeverities: ['CRITICAL', 'HIGH'],
+    trivy: { server: '', command: 'trivy', timeout: 120000 },
+    signature: {
+      verify: false,
+      cosign: {
+        command: 'cosign',
+        timeout: 60000,
+        key: '',
+        identity: '',
+        issuer: '',
+      },
+    },
+    sbom: {
+      enabled: false,
+      formats: ['spdx-json'],
+    },
+    ...overrides,
+  };
+}
+
+/** Spy on all Docker methods needed for trigger flow (non-dryrun, non-running) */
+export function stubTriggerFlow(opts = {}) {
+  const { running = false, autoRemove = false, inspectOverrides = {} } = opts;
+
+  const waitSpy = vi.fn().mockResolvedValue();
+  vi.spyOn(docker, 'getCurrentContainer').mockResolvedValue({
+    inspect: () => Promise.resolve(),
+    remove: vi.fn(),
+    stop: () => Promise.resolve(),
+    rename: vi.fn().mockResolvedValue(undefined),
+    start: vi.fn().mockResolvedValue(undefined),
+    wait: waitSpy,
+  });
+  vi.spyOn(docker, 'inspectContainer').mockResolvedValue({
+    Name: '/container-name',
+    Id: '123',
+    State: { Running: running },
+    Config: {},
+    HostConfig: { ...(autoRemove ? { AutoRemove: true } : {}) },
+    NetworkSettings: { Networks: {} },
+    ...inspectOverrides,
+  });
+  vi.spyOn(docker, 'pruneImages').mockResolvedValue();
+  vi.spyOn(docker, 'pullImage').mockResolvedValue();
+  vi.spyOn(docker, 'cloneContainer').mockReturnValue({ name: 'container-name' });
+  vi.spyOn(docker, 'stopContainer').mockResolvedValue();
+  vi.spyOn(docker, 'removeContainer').mockResolvedValue();
+  vi.spyOn(docker, 'createContainer').mockResolvedValue({
+    start: vi.fn(),
+    inspect: vi.fn().mockResolvedValue({
+      Id: 'new-container-id',
+      State: { Health: { Status: 'healthy' } },
+    }),
+    stop: vi.fn().mockResolvedValue(undefined),
+    remove: vi.fn().mockResolvedValue(undefined),
+  });
+  vi.spyOn(docker, 'startContainer').mockResolvedValue();
+  const removeImageSpy = vi.spyOn(docker, 'removeImage').mockResolvedValue();
+
+  return { waitSpy, removeImageSpy };
+}
+
+/** Create a mock log with common methods */
+export function createMockLog(...methods) {
+  const mockLog = {};
+  for (const m of methods) {
+    mockLog[m] = vi.fn();
+  }
+  return mockLog;
+}
+
+export function registerCommonDockerBeforeEach() {
+  beforeEach(async () => {
+    vi.resetAllMocks();
+    mockGetState.mockImplementation(createDefaultRegistryState);
+    docker.configuration = configurationValid;
+    docker.log = log;
+    mockGetSecurityConfiguration.mockReturnValue({
+      enabled: false,
+      scanner: '',
+      blockSeverities: ['CRITICAL', 'HIGH'],
+      trivy: {
+        server: '',
+        command: 'trivy',
+        timeout: 120000,
+      },
+      signature: {
+        verify: false,
+        cosign: {
+          command: 'cosign',
+          timeout: 60000,
+          key: '',
+          identity: '',
+          issuer: '',
+        },
+      },
+      sbom: {
+        enabled: false,
+        formats: ['spdx-json'],
+      },
+    });
+    mockScanImageForVulnerabilities.mockResolvedValue({
+      ...createSecurityScanResult(),
+    });
+    mockVerifyImageSignature.mockResolvedValue({
+      ...createSignatureVerificationResult(),
+    });
+    mockGenerateImageSbom.mockResolvedValue({
+      ...createSbomResult(),
+    });
+    mockGetRollbackCounter.mockReturnValue({ inc: mockRollbackCounterInc });
+    mockInsertOperation.mockImplementation((operation) => ({
+      id: operation.id || 'op-1',
+      status: operation.status || 'in-progress',
+      phase: operation.phase || 'prepare',
+      createdAt: operation.createdAt || new Date().toISOString(),
+      updatedAt: new Date().toISOString(),
+      ...operation,
+    }));
+    mockUpdateOperation.mockImplementation((id, patch = {}) => ({ id, ...patch }));
+    mockGetInProgressOperationByContainerName.mockReturnValue(undefined);
+  });
+}
+
+export function getDockerTestMocks() {
+  return {
+    mockGetState,
+    mockGetSecurityConfiguration,
+    mockScanImageForVulnerabilities,
+    mockVerifyImageSignature,
+    mockGenerateImageSbom,
+    mockRunHook,
+    mockStartHealthMonitor,
+    mockInsertAudit,
+    mockAuditCounterInc,
+    mockRollbackCounterInc,
+    mockGetRollbackCounter,
+    mockInsertOperation,
+    mockUpdateOperation,
+    mockGetInProgressOperationByContainerName,
+    mockSyncComposeFileTag,
+  };
+}
diff --git a/app/triggers/providers/docker/Docker.test.ts b/app/triggers/providers/docker/Docker.test.ts
index 5009ec3f9..3ab16f70b 100644
--- a/app/triggers/providers/docker/Docker.test.ts
+++ b/app/triggers/providers/docker/Docker.test.ts
@@ -10,7 +10,7 @@ const configurationValid = {
   threshold: 'all',
   mode: 'simple',
   once: true,
-  auto: true,
+  auto: 'all',
   order: 100,
   autoremovetimeout: 10000,
   backupcount: 3,
@@ -19,6 +19,7 @@ const configurationValid = {
     'Container ${container.name} running with ${container.updateKind.kind} ${container.updateKind.localValue} can be updated to ${container.updateKind.kind} ${container.updateKind.remoteValue}${container.result && container.result.link ? "\\n" + container.result.link : ""}',
   batchtitle: '${containers.length} updates available',
   resolvenotifications: false,
+  digestcron: '0 8 * * *',
 };
 
 const docker = new Docker();
@@ -97,6 +98,11 @@ vi.mock('../../../store/update-operation.js', () => ({
     mockGetInProgressOperationByContainerName(...args),
 }));
 
+const mockSyncComposeFileTag = vi.hoisted(() => vi.fn().mockResolvedValue(false));
+vi.mock('./compose-file-sync.js', () => ({
+  syncComposeFileTag: (...args: any[]) => mockSyncComposeFileTag(...args),
+}));
+
 vi.mock('../../../registry', () => ({
   getState() {
     return {
@@ -430,6 +436,62 @@ test('getWatcher should return watcher responsible for a container', async () =>
   ).toEqual('docker.test');
 });
 
+test('getWatcher should throw when the watcher reference does not exist', async () => {
+  expect(() =>
+    docker.getWatcher({
+      id: 'missing-id',
+      watcher: 'missing',
+    }),
+  ).toThrowError('No watcher found for container');
+});
+
+test('getWatcher should resolve agent-prefixed watcher ids', async () => {
+  const getStateSpy = vi.spyOn(registryStore, 'getState').mockReturnValue({
+    watcher: {
+      'edge-agent.docker.test': {
+        getId: () => 'edge-agent.docker.test',
+        dockerApi: {},
+      },
+    },
+  } as any);
+
+  try {
+    expect(
+      docker.getWatcher({
+        agent: 'edge-agent',
+        watcher: 'test',
+      }),
+    ).toMatchObject({
+      getId: expect.any(Function),
+    });
+    expect(docker.getWatcher({ agent: 'edge-agent', watcher: 'test' }).getId()).toBe(
+      'edge-agent.docker.test',
+    );
+    expect(getStateSpy).toHaveBeenCalled();
+  } finally {
+    getStateSpy.mockRestore();
+  }
+});
+
+test('getWatcher should include container name when id is missing', async () => {
+  vi.spyOn(registryStore, 'getState').mockReturnValue({ watcher: {} } as any);
+
+  expect(() =>
+    docker.getWatcher({
+      name: 'named-only',
+      watcher: 'missing',
+    }),
+  ).toThrowError('No watcher found for container named-only (docker.missing)');
+});
+
+test('getWatcher should fall back to unknown when id and name are absent', async () => {
+  vi.spyOn(registryStore, 'getState').mockReturnValue({ watcher: {} } as any);
+
+  expect(() => docker.getWatcher({ watcher: 'missing' })).toThrowError(
+    'No watcher found for container unknown (docker.missing)',
+  );
+});
+
 // --- getCurrentContainer ---
 
 test('getCurrentContainer should return container from dockerApi', async () => {
@@ -519,6 +581,22 @@ test('createContainer should throw error when error occurs', async () => {
   ).rejects.toThrowError('Error when creating container');
 });
 
+test('createContainer should stringify non-object errors in warning logs', async () => {
+  const dockerApi = {
+    createContainer: vi.fn().mockRejectedValue(Symbol('create failed')),
+    getNetwork: vi.fn(),
+  };
+  const logContainer = createMockLog('info', 'warn');
+
+  await expect(
+    docker.createContainer(dockerApi as any, { name: 'ko' }, 'name', logContainer as any),
+  ).rejects.toBeTypeOf('symbol');
+
+  expect(logContainer.warn).toHaveBeenCalledWith(
+    'Error when creating container name (Symbol(create failed))',
+  );
+});
+
 test('createContainer should connect additional networks after create', async () => {
   const connect = vi.fn().mockResolvedValue(undefined);
   const getNetwork = vi.fn().mockReturnValue({ connect });
@@ -949,6 +1027,16 @@ test('trigger should not throw when all is ok', async () => {
   ).resolves.toBeUndefined();
 });
 
+test('mustTrigger should reject containers renamed with -old unix timestamp suffix', () => {
+  expect(
+    docker.mustTrigger(createTriggerContainer({ name: 'container-name-old-1773933154786' })),
+  ).toBe(false);
+});
+
+test('mustTrigger should allow containers without rollback suffix', () => {
+  expect(docker.mustTrigger(createTriggerContainer({ name: 'my-container' }))).toBe(true);
+});
+
 test('trigger should not throw in dryrun mode', async () => {
   docker.configuration = { ...configurationValid, dryrun: true };
   docker.log = log;
@@ -3277,6 +3365,7 @@ describe('extracted lifecycle delegation', () => {
 describe('additional direct wrapper coverage', () => {
   test('isContainerNotFoundError should handle empty, status, and message-based inputs', () => {
     expect(docker.isContainerNotFoundError(undefined)).toBe(false);
+    expect(docker.isContainerNotFoundError('no such container as primitive')).toBe(false);
     expect(docker.isContainerNotFoundError({ statusCode: 404 })).toBe(true);
     expect(docker.isContainerNotFoundError({ status: 404 })).toBe(true);
     expect(docker.isContainerNotFoundError({ message: 'No such container: abc' })).toBe(true);
@@ -3284,6 +3373,7 @@ describe('additional direct wrapper coverage', () => {
     expect(docker.isContainerNotFoundError({ json: { message: 'No such container: ghi' } })).toBe(
       true,
     );
+    expect(docker.isContainerNotFoundError({ json: { message: 404 } })).toBe(false);
     expect(docker.isContainerNotFoundError({ message: 'something else' })).toBe(false);
   });
 
@@ -3649,3 +3739,100 @@ describe('trigger self-update routing', () => {
     expect(executeContainerUpdateSpy).not.toHaveBeenCalled();
   });
 });
+
+// --- compose file sync ---
+
+describe('performContainerUpdate compose file sync', () => {
+  beforeEach(() => {
+    mockSyncComposeFileTag.mockClear();
+  });
+
+  test('should call syncComposeFileTag after successful tag update', async () => {
+    const executeUpdateSpy = vi.spyOn(docker, 'executeContainerUpdate').mockResolvedValue(true);
+
+    const context = {
+      currentContainerSpec: {
+        Config: {
+          Labels: {
+            'com.docker.compose.project.config_files': '/app/docker-compose.yml',
+            'com.docker.compose.service': 'web',
+          },
+        },
+      },
+      newImage: 'myapp:v2',
+    };
+
+    const container = {
+      updateKind: { kind: 'tag', localValue: 'v1', remoteValue: 'v2' },
+    };
+
+    const logContainer = { info: vi.fn(), warn: vi.fn(), debug: vi.fn(), error: vi.fn() };
+
+    await docker.performContainerUpdate(context, container, logContainer);
+
+    expect(mockSyncComposeFileTag).toHaveBeenCalledWith({
+      labels: context.currentContainerSpec.Config.Labels,
+      newImage: 'myapp:v2',
+      logContainer,
+    });
+
+    executeUpdateSpy.mockRestore();
+  });
+
+  test('should not call syncComposeFileTag for digest updates', async () => {
+    const executeUpdateSpy = vi.spyOn(docker, 'executeContainerUpdate').mockResolvedValue(true);
+
+    const context = {
+      currentContainerSpec: {
+        Config: {
+          Labels: {
+            'com.docker.compose.project.config_files': '/app/docker-compose.yml',
+            'com.docker.compose.service': 'web',
+          },
+        },
+      },
+      newImage: 'myapp:latest',
+    };
+
+    const container = {
+      updateKind: { kind: 'digest' },
+    };
+
+    const logContainer = { info: vi.fn(), warn: vi.fn(), debug: vi.fn(), error: vi.fn() };
+
+    await docker.performContainerUpdate(context, container, logContainer);
+
+    expect(mockSyncComposeFileTag).not.toHaveBeenCalled();
+
+    executeUpdateSpy.mockRestore();
+  });
+
+  test('should not call syncComposeFileTag when update fails', async () => {
+    const executeUpdateSpy = vi.spyOn(docker, 'executeContainerUpdate').mockResolvedValue(false);
+
+    const context = {
+      currentContainerSpec: {
+        Config: {
+          Labels: {
+            'com.docker.compose.project.config_files': '/app/docker-compose.yml',
+            'com.docker.compose.service': 'web',
+          },
+        },
+      },
+      newImage: 'myapp:v2',
+    };
+
+    const container = {
+      updateKind: { kind: 'tag', localValue: 'v1', remoteValue: 'v2' },
+    };
+
+    const logContainer = { info: vi.fn(), warn: vi.fn(), debug: vi.fn(), error: vi.fn() };
+
+    const result = await docker.performContainerUpdate(context, container, logContainer);
+
+    expect(result).toBe(false);
+    expect(mockSyncComposeFileTag).not.toHaveBeenCalled();
+
+    executeUpdateSpy.mockRestore();
+  });
+});
diff --git a/app/triggers/providers/docker/Docker.trigger-prune-progress.test.ts b/app/triggers/providers/docker/Docker.trigger-prune-progress.test.ts
new file mode 100644
index 000000000..4179dc26a
--- /dev/null
+++ b/app/triggers/providers/docker/Docker.trigger-prune-progress.test.ts
@@ -0,0 +1,820 @@
+import log from '../../../log/index.js';
+import {
+  configurationValid,
+  createEchoNormalizeRegistry,
+  createMockLog,
+  createPruneContainer,
+  createPruneDockerApi,
+  createSbomResult,
+  createSecurityConfiguration,
+  createSecurityScanResult,
+  createSignatureVerificationResult,
+  createTriggerContainer,
+  docker,
+  getDockerTestMocks,
+  registerCommonDockerBeforeEach,
+  stubTriggerFlow,
+} from './Docker.test.helpers.js';
+
+registerCommonDockerBeforeEach();
+const {
+  mockAuditCounterInc,
+  mockGenerateImageSbom,
+  mockGetSecurityConfiguration,
+  mockScanImageForVulnerabilities,
+  mockVerifyImageSignature,
+} = getDockerTestMocks();
+
+// --- trigger ---
+
+test('trigger should not throw when all is ok', async () => {
+  await expect(
+    docker.trigger({
+      watcher: 'test',
+      id: '123456789',
+      Name: '/container-name',
+      image: {
+        name: 'test/test',
+        registry: { name: 'hub', url: 'my-registry' },
+        tag: { value: '1.0.0' },
+      },
+      updateKind: { remoteValue: '4.5.6' },
+    }),
+  ).resolves.toBeUndefined();
+});
+
+test('mustTrigger should reject containers renamed with -old unix timestamp suffix', () => {
+  expect(
+    docker.mustTrigger(createTriggerContainer({ name: 'container-name-old-1773933154786' })),
+  ).toBe(false);
+});
+
+test('mustTrigger should allow containers without rollback suffix', () => {
+  expect(docker.mustTrigger(createTriggerContainer({ name: 'my-container' }))).toBe(true);
+});
+
+test('trigger should not throw in dryrun mode', async () => {
+  docker.configuration = { ...configurationValid, dryrun: true };
+  docker.log = log;
+  await expect(
+    docker.trigger(createTriggerContainer({ name: 'test-container' })),
+  ).resolves.toBeUndefined();
+});
+
+test('trigger should use waitContainerRemoved when AutoRemove is true', async () => {
+  docker.configuration = { ...configurationValid, dryrun: false, prune: false };
+  docker.log = log;
+  const { waitSpy } = stubTriggerFlow({ running: true, autoRemove: true });
+
+  await docker.trigger(createTriggerContainer());
+
+  expect(waitSpy).toHaveBeenCalled();
+});
+
+test('trigger should prune old image by tag after non-dryrun update', async () => {
+  docker.configuration = { ...configurationValid, dryrun: false, prune: true };
+  docker.log = log;
+  const { removeImageSpy } = stubTriggerFlow();
+
+  await docker.trigger(createTriggerContainer());
+
+  expect(removeImageSpy).toHaveBeenCalled();
+});
+
+test('trigger should prune old image by digest repo after non-dryrun update', async () => {
+  docker.configuration = { ...configurationValid, dryrun: false, prune: true };
+  docker.log = log;
+  const { removeImageSpy } = stubTriggerFlow();
+
+  await docker.trigger(
+    createTriggerContainer({
+      image: {
+        name: 'test/test',
+        registry: { name: 'hub', url: 'my-registry' },
+        tag: { value: 'latest' },
+        digest: { repo: 'sha256:olddigest' },
+      },
+      updateKind: { kind: 'digest', remoteValue: 'sha256:newdigest' },
+    }),
+  );
+
+  expect(removeImageSpy).toHaveBeenCalled();
+});
+
+test('trigger should catch error when removing digest image fails', async () => {
+  docker.configuration = { ...configurationValid, dryrun: false, prune: true };
+  docker.log = log;
+  stubTriggerFlow();
+  vi.spyOn(docker, 'removeImage').mockRejectedValue(new Error('remove failed'));
+
+  // Should not throw
+  await docker.trigger(
+    createTriggerContainer({
+      image: {
+        name: 'test/test',
+        registry: { name: 'hub', url: 'my-registry' },
+        tag: { value: 'latest' },
+        digest: { repo: 'sha256:olddigest' },
+      },
+      updateKind: { kind: 'digest', remoteValue: 'sha256:newdigest' },
+    }),
+  );
+});
+
+test('trigger should not throw when container does not exist', async () => {
+  docker.configuration = { ...configurationValid, dryrun: false };
+  docker.log = log;
+  vi.spyOn(docker, 'getCurrentContainer').mockResolvedValue(null);
+
+  await expect(
+    docker.trigger(createTriggerContainer({ name: 'test-container' })),
+  ).resolves.toBeUndefined();
+});
+
+test('trigger should throw an explicit error when registry manager is unknown', async () => {
+  await expect(
+    docker.trigger(
+      createTriggerContainer({
+        image: {
+          name: 'test/test',
+          registry: { name: 'custom.local', url: '' },
+          tag: { value: '1.0.0' },
+        },
+      }),
+    ),
+  ).rejects.toThrowError('Unsupported registry manager "custom.local"');
+});
+
+test('trigger should throw an explicit error when registry manager is misconfigured', async () => {
+  const registryStore = await import('../../../registry/index.js');
+  const baseState = registryStore.getState();
+  vi.spyOn(registryStore, 'getState').mockReturnValue({
+    ...baseState,
+    registry: {
+      ...baseState.registry,
+      hub: {
+        getImageFullName: vi.fn(
+          (image, tagOrDigest) => `${image.registry.url}/${image.name}:${tagOrDigest}`,
+        ),
+      },
+    },
+  } as any);
+
+  await expect(docker.trigger(createTriggerContainer())).rejects.toThrowError(
+    /Registry manager "hub" is misconfigured.*getAuthPull/,
+  );
+});
+
+test('trigger should use anonymous registry mode when registry URL is provided', async () => {
+  stubTriggerFlow({ running: true });
+  const executeSelfUpdateSpy = vi.spyOn(docker, 'executeSelfUpdate').mockResolvedValue(false);
+  const maybeNotifySelfUpdateSpy = vi
+    .spyOn(docker, 'maybeNotifySelfUpdate')
+    .mockResolvedValue(undefined);
+
+  await expect(
+    docker.trigger(
+      createTriggerContainer({
+        image: {
+          name: 'drydock',
+          registry: { name: 'custom.local', url: 'http://localhost:5000/v2' },
+          tag: { value: 'good' },
+        },
+        updateKind: { kind: 'tag', remoteValue: 'bad' },
+      }),
+    ),
+  ).resolves.toBeUndefined();
+
+  expect(maybeNotifySelfUpdateSpy).toHaveBeenCalled();
+  expect(executeSelfUpdateSpy).toHaveBeenCalled();
+  const [contextArg] = executeSelfUpdateSpy.mock.calls[0];
+  expect(contextArg.newImage).toBe('localhost:5000/drydock:bad');
+  expect(contextArg.auth).toBeUndefined();
+});
+
+test('trigger should block update when security scan is blocked', async () => {
+  mockGetSecurityConfiguration.mockReturnValue(createSecurityConfiguration());
+  mockScanImageForVulnerabilities.mockResolvedValue(
+    createSecurityScanResult({
+      status: 'blocked',
+      blockingCount: 2,
+      summary: {
+        unknown: 0,
+        low: 0,
+        medium: 0,
+        high: 2,
+        critical: 0,
+      },
+      vulnerabilities: [
+        { id: 'CVE-1', severity: 'HIGH' },
+        { id: 'CVE-2', severity: 'HIGH' },
+      ],
+    }),
+  );
+  stubTriggerFlow({ running: true });
+  const executeContainerUpdateSpy = vi.spyOn(docker, 'executeContainerUpdate');
+
+  await expect(docker.trigger(createTriggerContainer())).rejects.toThrowError(
+    'Security scan blocked update',
+  );
+
+  expect(mockScanImageForVulnerabilities).toHaveBeenCalled();
+  expect(executeContainerUpdateSpy).not.toHaveBeenCalled();
+});
+
+test('trigger should block update when security scan errors', async () => {
+  mockGetSecurityConfiguration.mockReturnValue(createSecurityConfiguration());
+  mockScanImageForVulnerabilities.mockResolvedValue(
+    createSecurityScanResult({
+      status: 'error',
+      error: 'Trivy command failed',
+    }),
+  );
+  stubTriggerFlow({ running: true });
+
+  await expect(docker.trigger(createTriggerContainer())).rejects.toThrowError(
+    'Security scan failed: Trivy command failed',
+  );
+});
+
+test('trigger should continue update when security scan passes', async () => {
+  mockGetSecurityConfiguration.mockReturnValue(createSecurityConfiguration());
+  mockScanImageForVulnerabilities.mockResolvedValue(createSecurityScanResult());
+  stubTriggerFlow({ running: true });
+  const executeContainerUpdateSpy = vi.spyOn(docker, 'executeContainerUpdate');
+
+  await expect(docker.trigger(createTriggerContainer())).resolves.toBeUndefined();
+
+  expect(mockScanImageForVulnerabilities).toHaveBeenCalled();
+  expect(executeContainerUpdateSpy).toHaveBeenCalled();
+});
+
+test('trigger should continue update when signature verification passes', async () => {
+  mockGetSecurityConfiguration.mockReturnValue(
+    createSecurityConfiguration({
+      signature: {
+        verify: true,
+        cosign: {
+          command: 'cosign',
+          timeout: 60000,
+          key: '',
+          identity: '',
+          issuer: '',
+        },
+      },
+    }),
+  );
+  mockVerifyImageSignature.mockResolvedValue(createSignatureVerificationResult());
+  mockScanImageForVulnerabilities.mockResolvedValue(createSecurityScanResult());
+  stubTriggerFlow({ running: true });
+  const executeContainerUpdateSpy = vi.spyOn(docker, 'executeContainerUpdate');
+
+  await expect(docker.trigger(createTriggerContainer())).resolves.toBeUndefined();
+
+  expect(mockVerifyImageSignature).toHaveBeenCalled();
+  expect(executeContainerUpdateSpy).toHaveBeenCalled();
+});
+
+test('trigger should block update when signature verification is unverified', async () => {
+  mockGetSecurityConfiguration.mockReturnValue(
+    createSecurityConfiguration({
+      signature: {
+        verify: true,
+        cosign: {
+          command: 'cosign',
+          timeout: 60000,
+          key: '',
+          identity: '',
+          issuer: '',
+        },
+      },
+    }),
+  );
+  mockVerifyImageSignature.mockResolvedValue(
+    createSignatureVerificationResult({
+      status: 'unverified',
+      signatures: 0,
+      error: 'no matching signatures',
+    }),
+  );
+  stubTriggerFlow({ running: true });
+  const executeContainerUpdateSpy = vi.spyOn(docker, 'executeContainerUpdate');
+
+  await expect(docker.trigger(createTriggerContainer())).rejects.toThrowError(
+    'Image signature verification failed',
+  );
+
+  expect(mockVerifyImageSignature).toHaveBeenCalled();
+  expect(executeContainerUpdateSpy).not.toHaveBeenCalled();
+});
+
+test('trigger should generate sbom when enabled', async () => {
+  mockGetSecurityConfiguration.mockReturnValue(
+    createSecurityConfiguration({
+      sbom: {
+        enabled: true,
+        formats: ['spdx-json', 'cyclonedx-json'],
+      },
+    }),
+  );
+  mockScanImageForVulnerabilities.mockResolvedValue(createSecurityScanResult());
+  mockGenerateImageSbom.mockResolvedValue(
+    createSbomResult({
+      formats: ['spdx-json', 'cyclonedx-json'],
+      documents: {
+        'spdx-json': { SPDXID: 'SPDXRef-DOCUMENT' },
+        'cyclonedx-json': { bomFormat: 'CycloneDX' },
+      },
+    }),
+  );
+  stubTriggerFlow({ running: true });
+
+  await expect(docker.trigger(createTriggerContainer())).resolves.toBeUndefined();
+
+  expect(mockGenerateImageSbom).toHaveBeenCalledWith(
+    expect.objectContaining({
+      formats: ['spdx-json', 'cyclonedx-json'],
+    }),
+  );
+});
+
+test('trigger should continue update when sbom generation fails', async () => {
+  mockGetSecurityConfiguration.mockReturnValue(
+    createSecurityConfiguration({
+      sbom: {
+        enabled: true,
+        formats: ['spdx-json'],
+      },
+    }),
+  );
+  mockScanImageForVulnerabilities.mockResolvedValue(createSecurityScanResult());
+  mockGenerateImageSbom.mockResolvedValue(
+    createSbomResult({
+      status: 'error',
+      documents: {},
+      error: 'trivy unavailable',
+    }),
+  );
+  stubTriggerFlow({ running: true });
+  const executeContainerUpdateSpy = vi.spyOn(docker, 'executeContainerUpdate');
+
+  await expect(docker.trigger(createTriggerContainer())).resolves.toBeUndefined();
+
+  expect(mockGenerateImageSbom).toHaveBeenCalled();
+  expect(executeContainerUpdateSpy).toHaveBeenCalled();
+});
+
+test('trigger should use fallback message when signature verification fails without error', async () => {
+  mockGetSecurityConfiguration.mockReturnValue(
+    createSecurityConfiguration({
+      signature: {
+        verify: true,
+        cosign: { command: 'cosign', timeout: 60000, key: '', identity: '', issuer: '' },
+      },
+    }),
+  );
+  mockVerifyImageSignature.mockResolvedValue(
+    createSignatureVerificationResult({ status: 'unverified', signatures: 0, error: '' }),
+  );
+  stubTriggerFlow({ running: true });
+
+  await expect(docker.trigger(createTriggerContainer())).rejects.toThrowError(
+    'Image signature verification failed: no valid signatures found',
+  );
+});
+
+test('trigger should use security-signature-failed action when signature status is error', async () => {
+  mockGetSecurityConfiguration.mockReturnValue(
+    createSecurityConfiguration({
+      signature: {
+        verify: true,
+        cosign: { command: 'cosign', timeout: 60000, key: '', identity: '', issuer: '' },
+      },
+    }),
+  );
+  mockVerifyImageSignature.mockResolvedValue(
+    createSignatureVerificationResult({ status: 'error', signatures: 0, error: 'cosign crashed' }),
+  );
+  stubTriggerFlow({ running: true });
+
+  await expect(docker.trigger(createTriggerContainer())).rejects.toThrowError(
+    'Image signature verification failed: cosign crashed',
+  );
+
+  expect(mockAuditCounterInc).toHaveBeenCalledWith({ action: 'security-signature-failed' });
+});
+
+test('trigger should use fallback message when sbom generation fails without error', async () => {
+  mockGetSecurityConfiguration.mockReturnValue(
+    createSecurityConfiguration({
+      sbom: { enabled: true, formats: ['spdx-json'] },
+    }),
+  );
+  mockScanImageForVulnerabilities.mockResolvedValue(createSecurityScanResult());
+  mockGenerateImageSbom.mockResolvedValue(
+    createSbomResult({ status: 'error', documents: {}, error: '' }),
+  );
+  stubTriggerFlow({ running: true });
+
+  await expect(docker.trigger(createTriggerContainer())).resolves.toBeUndefined();
+
+  expect(mockAuditCounterInc).toHaveBeenCalledWith(
+    expect.objectContaining({ action: 'security-sbom-failed' }),
+  );
+});
+
+test('trigger should use fallback message when security scan errors without error', async () => {
+  mockGetSecurityConfiguration.mockReturnValue(createSecurityConfiguration());
+  mockScanImageForVulnerabilities.mockResolvedValue(
+    createSecurityScanResult({ status: 'error', error: '' }),
+  );
+  stubTriggerFlow({ running: true });
+
+  await expect(docker.trigger(createTriggerContainer())).rejects.toThrowError(
+    'Security scan failed: unknown scanner error',
+  );
+});
+
+test('persistSecurityState should warn when container store update fails', async () => {
+  const storeContainer = await import('../../../store/container.js');
+  storeContainer.updateContainer.mockImplementationOnce(() => {
+    throw new Error('store unavailable');
+  });
+  const logContainer = createMockLog('warn');
+
+  await docker.persistSecurityState(
+    createTriggerContainer(),
+    { scan: createSecurityScanResult() },
+    logContainer,
+  );
+
+  expect(logContainer.warn).toHaveBeenCalledWith(
+    expect.stringContaining('Unable to persist security state (store unavailable)'),
+  );
+});
+
+test('persistSecurityState should merge with existing security state from store', async () => {
+  const storeContainer = await import('../../../store/container.js');
+  storeContainer.getContainer.mockReturnValue({
+    id: '123456789',
+    security: {
+      scan: createSecurityScanResult(),
+    },
+  });
+  const logContainer = createMockLog('warn');
+
+  await docker.persistSecurityState(
+    createTriggerContainer(),
+    { signature: createSignatureVerificationResult() },
+    logContainer,
+  );
+
+  expect(storeContainer.updateContainer).toHaveBeenCalledWith(
+    expect.objectContaining({
+      security: expect.objectContaining({
+        scan: expect.any(Object),
+        signature: expect.any(Object),
+      }),
+    }),
+  );
+});
+
+// --- triggerBatch ---
+
+test('triggerBatch should call trigger for each container', async () => {
+  const triggerSpy = vi.spyOn(docker, 'trigger').mockResolvedValue();
+  const containers = [{ name: 'c1' }, { name: 'c2' }];
+  await docker.triggerBatch(containers);
+  expect(triggerSpy).toHaveBeenCalledTimes(2);
+  expect(triggerSpy).toHaveBeenCalledWith({ name: 'c1' });
+  expect(triggerSpy).toHaveBeenCalledWith({ name: 'c2' });
+});
+
+test('triggerBatch should limit concurrent container updates to 3', async () => {
+  const containers = Array.from({ length: 8 }, (_, index) => ({ name: `c${index}` }));
+  let inFlight = 0;
+  let maxInFlight = 0;
+  const triggerSpy = vi.spyOn(docker, 'trigger').mockImplementation(async () => {
+    inFlight += 1;
+    maxInFlight = Math.max(maxInFlight, inFlight);
+    await new Promise((resolve) => setTimeout(resolve, 10));
+    inFlight -= 1;
+  });
+
+  await docker.triggerBatch(containers);
+
+  expect(triggerSpy).toHaveBeenCalledTimes(containers.length);
+  expect(maxInFlight).toBeLessThanOrEqual(3);
+});
+
+// --- pruneImages (parametric: exclusion filters) ---
+
+describe('pruneImages exclusion filters', () => {
+  test.each([
+    {
+      scenario: 'should exclude the current tag when updateKind is digest',
+      images: [
+        { Id: 'image-current', RepoTags: ['ecr.example.com/repo:nginx-prod'] },
+        { Id: 'image-other', RepoTags: ['ecr.example.com/repo:other-tag'] },
+      ],
+      container: createPruneContainer({
+        image: { registry: { name: 'ecr' }, name: 'repo', tag: { value: 'nginx-prod' } },
+        updateKind: {
+          kind: 'digest',
+          localValue: 'sha256:olddigest',
+          remoteValue: 'sha256:newdigest',
+        },
+      }),
+      expectedGetImageCalls: 1,
+      expectedGetImageArgs: ['image-other'],
+    },
+    {
+      scenario: 'should not exclude current tag when updateKind is tag',
+      images: [
+        { Id: 'image-current', RepoTags: ['ecr.example.com/repo:1.0.0'] },
+        { Id: 'image-other', RepoTags: ['ecr.example.com/repo:0.9.0'] },
+      ],
+      container: createPruneContainer(),
+      expectedGetImageCalls: 1,
+      expectedGetImageArgs: ['image-other'],
+    },
+  ])('$scenario', async ({ images, container, expectedGetImageCalls, expectedGetImageArgs }) => {
+    const mockDockerApi = createPruneDockerApi(images);
+
+    await docker.pruneImages(mockDockerApi, createEchoNormalizeRegistry(), container, log);
+
+    expect(mockDockerApi.getImage).toHaveBeenCalledTimes(expectedGetImageCalls);
+    for (const arg of expectedGetImageArgs) {
+      expect(mockDockerApi.getImage).toHaveBeenCalledWith(arg);
+    }
+  });
+});
+
+describe('pruneImages should not prune excluded images', () => {
+  test.each([
+    {
+      scenario: 'images from different registries',
+      images: [{ Id: 'image-diff-registry', RepoTags: ['other-registry.com/repo:1.0.0'] }],
+      registryName: 'other-reg',
+    },
+    {
+      scenario: 'images with different names',
+      images: [{ Id: 'image-diff-name', RepoTags: ['ecr.example.com/other-repo:0.9.0'] }],
+      registryName: 'ecr',
+    },
+    {
+      scenario: 'images matching remoteValue',
+      images: [{ Id: 'image-remote', RepoTags: ['ecr.example.com/repo:2.0.0'] }],
+      registryName: 'ecr',
+    },
+  ])('$scenario', async ({ images, registryName }) => {
+    const mockDockerApi = createPruneDockerApi(images);
+
+    await docker.pruneImages(
+      mockDockerApi,
+      createEchoNormalizeRegistry(registryName),
+      createPruneContainer(),
+      log,
+    );
+
+    expect(mockDockerApi.getImage).not.toHaveBeenCalled();
+  });
+});
+
+describe('pruneImages edge cases', () => {
+  test.each([
+    {
+      scenario: 'should exclude images without RepoTags (null)',
+      images: [{ Id: 'image-no-tags', RepoTags: null }],
+    },
+    {
+      scenario: 'should exclude images without RepoTags (empty)',
+      images: [{ Id: 'image-empty-tags', RepoTags: [] }],
+    },
+    {
+      scenario: 'should exclude images without RepoTags (null and empty)',
+      images: [
+        { Id: 'image-no-tags', RepoTags: null },
+        { Id: 'image-empty-tags', RepoTags: [] },
+      ],
+    },
+  ])('$scenario', async ({ images }) => {
+    const mockDockerApi = createPruneDockerApi(images);
+
+    await docker.pruneImages(
+      mockDockerApi,
+      { normalizeImage: vi.fn() },
+      createPruneContainer(),
+      log,
+    );
+
+    expect(mockDockerApi.getImage).not.toHaveBeenCalled();
+  });
+
+  test('should warn when error occurs during pruning', async () => {
+    const mockDockerApi = {
+      listImages: vi.fn().mockRejectedValue(new Error('list failed')),
+    };
+    const logContainer = createMockLog('info', 'warn');
+
+    await docker.pruneImages(mockDockerApi, {}, createPruneContainer(), logContainer);
+
+    expect(logContainer.warn).toHaveBeenCalledWith(expect.stringContaining('list failed'));
+  });
+
+  test('should normalize listed images when parser returns no domain', async () => {
+    const mockDockerApi = createPruneDockerApi([
+      { Id: 'image-no-domain', RepoTags: ['repo:0.9.0'] },
+    ]);
+    const normalizeImage = vi.fn((img) => ({
+      ...img,
+      registry: { name: 'ecr', url: img.registry.url || '' },
+      name: img.name,
+      tag: { value: img.tag.value },
+    }));
+
+    await docker.pruneImages(
+      mockDockerApi,
+      { normalizeImage },
+      createPruneContainer(),
+      createMockLog('info', 'warn'),
+    );
+
+    expect(normalizeImage).toHaveBeenCalledWith(
+      expect.objectContaining({
+        registry: expect.objectContaining({ url: '' }),
+      }),
+    );
+  });
+});
+
+// --- Duplicate pruneImages tests (longer-form, kept for backward compatibility) ---
+
+test('pruneImages should exclude images with different names', async () => {
+  const mockDockerApi = createPruneDockerApi([
+    { Id: 'image-different-name', RepoTags: ['ecr.example.com/different-repo:1.0.0'] },
+  ]);
+  const containerTagUpdate = createPruneContainer();
+
+  await docker.pruneImages(mockDockerApi, createEchoNormalizeRegistry(), containerTagUpdate, log);
+
+  expect(mockDockerApi.getImage).not.toHaveBeenCalled();
+});
+
+test('pruneImages should exclude candidate image (remoteValue)', async () => {
+  const mockDockerApi = createPruneDockerApi([
+    { Id: 'image-candidate', RepoTags: ['ecr.example.com/repo:2.0.0'] },
+  ]);
+  const containerTagUpdate = createPruneContainer();
+
+  await docker.pruneImages(mockDockerApi, createEchoNormalizeRegistry(), containerTagUpdate, log);
+
+  expect(mockDockerApi.getImage).not.toHaveBeenCalled();
+});
+
+test('pruneImages should exclude images without RepoTags', async () => {
+  const mockDockerApi = createPruneDockerApi([
+    { Id: 'image-no-tags', RepoTags: [] },
+    { Id: 'image-null-tags' },
+  ]);
+
+  await docker.pruneImages(mockDockerApi, { normalizeImage: vi.fn() }, createPruneContainer(), log);
+
+  expect(mockDockerApi.getImage).not.toHaveBeenCalled();
+});
+
+test('pruneImages should exclude images with different registry', async () => {
+  const mockDockerApi = createPruneDockerApi([
+    { Id: 'image-diff-registry', RepoTags: ['other-registry.io/repo:0.8.0'] },
+  ]);
+
+  await docker.pruneImages(
+    mockDockerApi,
+    createEchoNormalizeRegistry('other-registry'),
+    createPruneContainer(),
+    log,
+  );
+
+  expect(mockDockerApi.getImage).not.toHaveBeenCalled();
+});
+
+test('pruneImages should warn when error occurs during pruning', async () => {
+  const mockDockerApi = {
+    listImages: vi.fn().mockRejectedValue(new Error('list failed')),
+  };
+  const logContainer = createMockLog('info', 'warn');
+
+  await docker.pruneImages(mockDockerApi, {}, createPruneContainer(), logContainer);
+
+  expect(logContainer.warn).toHaveBeenCalledWith(expect.stringContaining('list failed'));
+});
+
+// --- getNewImageFullName ---
+
+test('getNewImageFullName should use tag value for digest updates', () => {
+  const mockRegistry = {
+    getImageFullName: (image, tagOrDigest) => `${image.registry.url}/${image.name}:${tagOrDigest}`,
+  };
+  const containerDigest = {
+    image: {
+      name: 'test/test',
+      tag: { value: 'nginx-prod' },
+      registry: { url: 'my-registry' },
+    },
+    updateKind: { kind: 'digest', remoteValue: 'sha256:newdigest' },
+  };
+  const result = docker.getNewImageFullName(mockRegistry, containerDigest);
+  expect(result).toBe('my-registry/test/test:nginx-prod');
+});
+
+test('getNewImageFullName should fall back to tag value when remoteValue is undefined', () => {
+  const mockRegistry = {
+    getImageFullName: (image, tagOrDigest) => `${image.registry.url}/${image.name}:${tagOrDigest}`,
+  };
+  const containerUnknown = {
+    image: {
+      name: 'test/test',
+      tag: { value: 'latest' },
+      registry: { url: 'my-registry' },
+    },
+    updateKind: { kind: 'unknown', remoteValue: undefined },
+  };
+  const result = docker.getNewImageFullName(mockRegistry, containerUnknown);
+  expect(result).toBe('my-registry/test/test:latest');
+});
+
+// --- createPullProgressLogger ---
+
+test('createPullProgressLogger should throttle duplicate snapshots within interval', () => {
+  const logContainer = createMockLog('debug');
+  const logger = docker.createPullProgressLogger(logContainer, 'test:1.0');
+
+  logger.onProgress({
+    status: 'Downloading',
+    id: 'layer-1',
+    progressDetail: { current: 50, total: 100 },
+  });
+  expect(logContainer.debug).toHaveBeenCalledTimes(1);
+
+  // Immediate repeat with same data should be throttled
+  logger.onProgress({
+    status: 'Downloading',
+    id: 'layer-1',
+    progressDetail: { current: 50, total: 100 },
+  });
+  expect(logContainer.debug).toHaveBeenCalledTimes(1);
+
+  // Different data but within interval should still be throttled
+  logger.onProgress({
+    status: 'Downloading',
+    id: 'layer-1',
+    progressDetail: { current: 75, total: 100 },
+  });
+  expect(logContainer.debug).toHaveBeenCalledTimes(1);
+});
+
+test('createPullProgressLogger should handle null/undefined progressEvent', () => {
+  const logContainer = createMockLog('debug');
+  const logger = docker.createPullProgressLogger(logContainer, 'test:1.0');
+  logger.onProgress(null);
+  logger.onProgress(undefined);
+  expect(logContainer.debug).not.toHaveBeenCalled();
+});
+
+test('createPullProgressLogger onDone should force log regardless of interval', () => {
+  const logContainer = createMockLog('debug');
+  const logger = docker.createPullProgressLogger(logContainer, 'test:1.0');
+  logger.onProgress({
+    status: 'Downloading',
+    id: 'l1',
+    progressDetail: { current: 50, total: 100 },
+  });
+  logger.onDone({ status: 'Download complete', id: 'l1' });
+  expect(logContainer.debug).toHaveBeenCalledTimes(2);
+});
+
+test('createPullProgressLogger should use default status when progress event has no status', () => {
+  const logContainer = createMockLog('debug');
+  const logger = docker.createPullProgressLogger(logContainer, 'test:1.0');
+
+  logger.onProgress({});
+
+  expect(logContainer.debug).toHaveBeenCalledWith('Pull progress for test:1.0: progress');
+});
+
+// --- formatPullProgress ---
+
+test('formatPullProgress should return string progress when progressDetail is missing', () => {
+  expect(docker.formatPullProgress({ progress: '[==> ] 50%' })).toBe('[==> ] 50%');
+});
+
+test('formatPullProgress should return undefined when no progress data', () => {
+  expect(docker.formatPullProgress({ status: 'Waiting' })).toBeUndefined();
+  expect(docker.formatPullProgress({})).toBeUndefined();
+});
+
+test('formatPullProgress should return formatted percentage', () => {
+  expect(docker.formatPullProgress({ progressDetail: { current: 50, total: 200 } })).toBe(
+    '50/200 (25%)',
+  );
+});
diff --git a/app/triggers/providers/docker/Docker.ts b/app/triggers/providers/docker/Docker.ts
index a6d6d2458..dec7d55dd 100644
--- a/app/triggers/providers/docker/Docker.ts
+++ b/app/triggers/providers/docker/Docker.ts
@@ -26,6 +26,7 @@ import { runHook } from '../../hooks/HookRunner.js';
 import Trigger from '../Trigger.js';
 import ContainerRuntimeConfigManager from './ContainerRuntimeConfigManager.js';
 import ContainerUpdateExecutor from './ContainerUpdateExecutor.js';
+import { syncComposeFileTag } from './compose-file-sync.js';
 import { startHealthMonitor } from './HealthMonitor.js';
 import HookExecutor from './HookExecutor.js';
 import RegistryResolver from './RegistryResolver.js';
@@ -40,6 +41,11 @@ const NON_SELF_UPDATE_HEALTH_POLL_INTERVAL_MS = 1_000;
 const TRIGGER_BATCH_CONCURRENCY = 3;
 const warnedLegacyTriggerLabelFallbacks = new Set<string>();
 
+type ContainerFullNameReference = {
+  name: string;
+  watcher?: unknown;
+};
+
 function getPreferredLabelValue(labels, ddKey, wudKey, logger) {
   return resolvePreferredLabelValue(labels, ddKey, wudKey, {
     warnedFallbacks: warnedLegacyTriggerLabelFallbacks,
@@ -86,6 +92,46 @@ function shouldKeepImage(imageNormalized, container) {
   return false;
 }
 
+function getContainerFullNameForLifecycle(container: ContainerFullNameReference): string {
+  return `${container.watcher}_${container.name}`;
+}
+
+function getErrorMessage(error: unknown): string {
+  if (!error || typeof error !== 'object' || !('message' in error)) {
+    return String(error);
+  }
+  return String((error as { message?: unknown }).message);
+}
+
+function getErrorNumberField(error: unknown, field: 'statusCode' | 'status'): number | undefined {
+  if (!error || typeof error !== 'object') {
+    return undefined;
+  }
+  const value = (error as Record<string, unknown>)[field];
+  return typeof value === 'number' ? value : undefined;
+}
+
+function getErrorStringField(error: unknown, field: 'message' | 'reason'): string | undefined {
+  if (!error || typeof error !== 'object') {
+    return undefined;
+  }
+  const value = (error as Record<string, unknown>)[field];
+  return typeof value === 'string' ? value : undefined;
+}
+
+function getErrorJsonMessage(error: unknown): string | undefined {
+  if (!error || typeof error !== 'object') {
+    return undefined;
+  }
+  const json = (error as { json?: unknown }).json;
+  if (!json || typeof json !== 'object') {
+    return undefined;
+  }
+  const jsonMessage = (json as { message?: unknown }).message;
+  /* v8 ignore next -- json.message is typically string when present; non-string forms are defensive */
+  return typeof jsonMessage === 'string' ? jsonMessage : undefined;
+}
+
 const HOOK_EXECUTOR_ORCHESTRATOR_METHODS = ['recordHookAudit'] as const;
 const SELF_UPDATE_ORCHESTRATOR_METHODS = [
   'pullImage',
@@ -238,7 +284,7 @@ class Docker extends Trigger {
         getLogger: () => this.log,
       },
       context: {
-        getContainerFullName: (container) => fullName(container as any),
+        getContainerFullName: (container) => getContainerFullNameForLifecycle(container),
         createTriggerContext: updateLifecycleCallbacks.createTriggerContext,
       },
       security: {
@@ -291,17 +337,18 @@ class Docker extends Trigger {
     return this.securityGate;
   }
 
-  isContainerNotFoundError(error) {
+  isContainerNotFoundError(error: unknown) {
     if (!error) {
       return false;
     }
 
-    const statusCode = error?.statusCode ?? error?.status;
+    const statusCode =
+      getErrorNumberField(error, 'statusCode') ?? getErrorNumberField(error, 'status');
     if (statusCode === 404) {
       return true;
     }
 
-    const errorMessage = `${error?.message ?? ''} ${error?.reason ?? ''} ${error?.json?.message ?? ''}`;
+    const errorMessage = `${getErrorStringField(error, 'message') ?? ''} ${getErrorStringField(error, 'reason') ?? ''} ${getErrorJsonMessage(error) ?? ''}`;
     return errorMessage.toLowerCase().includes('no such container');
   }
 
@@ -325,7 +372,15 @@ class Docker extends Trigger {
    */
 
   getWatcher(container) {
-    return getState().watcher[`docker.${container.watcher}`];
+    const watcherId = container?.agent
+      ? `${container.agent}.docker.${container.watcher}`
+      : `docker.${container.watcher}`;
+    const watcher = getState().watcher[watcherId];
+    if (!watcher) {
+      const containerIdOrName = container?.id || container?.name || 'unknown';
+      throw new Error(`No watcher found for container ${containerIdOrName} (${watcherId})`);
+    }
+    return watcher;
   }
 
   normalizeRegistryHost(registryUrlOrName) {
@@ -366,7 +421,7 @@ class Docker extends Trigger {
     this.log.debug(`Get container ${container.id}`);
     try {
       return await dockerApi.getContainer(container.id);
-    } catch (e) {
+    } catch (e: unknown) {
       this.log.warn(`Error when getting container ${container.id}`);
       throw e;
     }
@@ -381,7 +436,7 @@ class Docker extends Trigger {
     this.log.debug(`Inspect container ${container.id}`);
     try {
       return await container.inspect();
-    } catch (e) {
+    } catch (e: unknown) {
       logContainer.warn(`Error when inspecting container ${container.id}`);
       throw e;
     }
@@ -417,8 +472,10 @@ class Docker extends Trigger {
           return imageToRemove.remove();
         }),
       );
-    } catch (e) {
-      logContainer.warn(`Some errors occurred when trying to prune previous tags (${e.message})`);
+    } catch (e: unknown) {
+      logContainer.warn(
+        `Some errors occurred when trying to prune previous tags (${getErrorMessage(e)})`,
+      );
     }
   }
 
@@ -514,8 +571,8 @@ class Docker extends Trigger {
         ),
       );
       logContainer.info(`Image ${newImage} pulled with success`);
-    } catch (e) {
-      logContainer.warn(`Error when pulling image ${newImage} (${e.message})`);
+    } catch (e: unknown) {
+      logContainer.warn(`Error when pulling image ${newImage} (${getErrorMessage(e)})`);
       throw e;
     }
   }
@@ -534,7 +591,7 @@ class Docker extends Trigger {
     try {
       await container.stop();
       logContainer.info(`Container ${containerName} with id ${containerId} stopped with success`);
-    } catch (e) {
+    } catch (e: unknown) {
       logContainer.warn(`Error when stopping container ${containerName} with id ${containerId}`);
       throw e;
     }
@@ -553,7 +610,7 @@ class Docker extends Trigger {
     try {
       await container.remove();
       logContainer.info(`Container ${containerName} with id ${containerId} removed with success`);
-    } catch (e) {
+    } catch (e: unknown) {
       logContainer.warn(`Error when removing container ${containerName} with id ${containerId}`);
       throw e;
     }
@@ -572,7 +629,7 @@ class Docker extends Trigger {
       logContainer.info(
         `Container ${containerName} with id ${containerId} auto-removed successfully`,
       );
-    } catch (e) {
+    } catch (e: unknown) {
       logContainer.warn(
         e,
         `Error while waiting for container ${containerName} with id ${containerId}`,
@@ -632,8 +689,8 @@ class Docker extends Trigger {
 
       logContainer.info(`Container ${containerName} recreated on new image with success`);
       return newContainer;
-    } catch (e) {
-      logContainer.warn(`Error when creating container ${containerName} (${e.message})`);
+    } catch (e: unknown) {
+      logContainer.warn(`Error when creating container ${containerName} (${getErrorMessage(e)})`);
       throw e;
     }
   }
@@ -650,7 +707,7 @@ class Docker extends Trigger {
     try {
       await container.start();
       logContainer.info(`Container ${containerName} started with success`);
-    } catch (e) {
+    } catch (e: unknown) {
       logContainer.warn(`Error when starting container ${containerName}`);
       throw e;
     }
@@ -669,7 +726,7 @@ class Docker extends Trigger {
       const image = await dockerApi.getImage(imageToRemove);
       await image.remove();
       logContainer.info(`Image ${imageToRemove} removed with success`);
-    } catch (e) {
+    } catch (e: unknown) {
       logContainer.warn(`Error when removing image ${imageToRemove}`);
       throw e;
     }
@@ -815,8 +872,8 @@ class Docker extends Trigger {
       try {
         const oldImage = registry.getImageFullName(container.image, container.image.digest.repo);
         await this.removeImage(dockerApi, oldImage, logContainer);
-      } catch (e) {
-        logContainer.warn(`Unable to remove previous digest image (${e.message})`);
+      } catch (e: unknown) {
+        logContainer.warn(`Unable to remove previous digest image (${getErrorMessage(e)})`);
       }
     }
   }
@@ -1095,7 +1152,15 @@ class Docker extends Trigger {
    * mechanics while reusing the shared lifecycle orchestrator.
    */
   async performContainerUpdate(context, container, logContainer, _runtimeContext?: unknown) {
-    return this.executeContainerUpdate(context, container, logContainer);
+    const updated = await this.executeContainerUpdate(context, container, logContainer);
+    if (updated && container.updateKind?.kind === 'tag') {
+      await syncComposeFileTag({
+        labels: context.currentContainerSpec?.Config?.Labels,
+        newImage: context.newImage,
+        logContainer,
+      });
+    }
+    return updated;
   }
 
   getRollbackConfig(container) {
diff --git a/app/triggers/providers/docker/HealthMonitor.ts b/app/triggers/providers/docker/HealthMonitor.ts
index 86a433d60..40024f53b 100644
--- a/app/triggers/providers/docker/HealthMonitor.ts
+++ b/app/triggers/providers/docker/HealthMonitor.ts
@@ -3,16 +3,50 @@ import * as auditStore from '../../../store/audit.js';
 import * as backupStore from '../../../store/backup.js';
 import { getErrorMessage } from '../../../util/error.js';
 
+type UnknownRecord = Record<string, unknown>;
+
+interface LoggerLike {
+  info(message: string): void;
+  warn(message: string): void;
+  error(message: string): void;
+}
+
+interface DockerContainerLike {
+  inspect(): Promise<unknown>;
+}
+
+interface DockerApiLike {
+  getContainer(containerId: string): DockerContainerLike;
+}
+
+interface TriggerInstanceLike {
+  getCurrentContainer(dockerApi: DockerApiLike, containerRef: ContainerRef): Promise<unknown>;
+  inspectContainer(container: unknown, log: LoggerLike): Promise<unknown>;
+  stopAndRemoveContainer(
+    container: unknown,
+    containerSpec: unknown,
+    containerRef: ContainerRef,
+    log: LoggerLike,
+  ): Promise<void>;
+  recreateContainer(
+    dockerApi: DockerApiLike,
+    containerSpec: unknown,
+    backupImage: string,
+    containerRef: ContainerRef,
+    log: LoggerLike,
+  ): Promise<void>;
+}
+
 interface HealthMonitorOptions {
-  dockerApi: any;
+  dockerApi: unknown;
   containerId: string;
   containerName: string;
   backupImageTag: string;
   backupImageDigest?: string;
   window: number;
   interval: number;
-  triggerInstance: any;
-  log: any;
+  triggerInstance: unknown;
+  log: unknown;
 }
 
 interface ContainerRef {
@@ -26,22 +60,35 @@ interface MonitorTimers {
 }
 
 interface RollbackContext {
-  dockerApi: any;
-  triggerInstance: any;
+  dockerApi: DockerApiLike;
+  triggerInstance: TriggerInstanceLike;
   containerRef: ContainerRef;
   containerName: string;
   backupImageTag: string;
-  log: any;
+  log: LoggerLike;
 }
 
 interface HealthPollContext {
-  dockerApi: any;
+  dockerApi: DockerApiLike;
   containerId: string;
   containerName: string;
   signal: AbortSignal;
   cleanup: () => void;
   onUnhealthy: () => Promise<void>;
-  log: any;
+  log: LoggerLike;
+}
+
+function asUnknownRecord(value: unknown): UnknownRecord | null {
+  if (!value || typeof value !== 'object') {
+    return null;
+  }
+  return value as UnknownRecord;
+}
+
+function getInspectionHealthState(inspection: unknown): UnknownRecord | null {
+  const inspectionRecord = asUnknownRecord(inspection);
+  const stateRecord = asUnknownRecord(inspectionRecord?.State);
+  return asUnknownRecord(stateRecord?.Health);
 }
 
 function createContainerRef(containerId: string, containerName: string): ContainerRef {
@@ -127,7 +174,7 @@ async function performRollback(context: RollbackContext): Promise<void> {
 
     recordRollbackSuccess(containerName, backupImageTag, latestBackup.imageTag);
     log.info(`Auto-rollback of container ${containerName} completed successfully`);
-  } catch (error) {
+  } catch (error: unknown) {
     const message = getErrorMessage(error);
     log.error(`Auto-rollback failed for container ${containerName}: ${message}`);
     recordRollbackError(containerName, message);
@@ -138,7 +185,7 @@ async function inspectHealthAndHandle(context: HealthPollContext): Promise<void>
   const { dockerApi, containerId, containerName, cleanup, onUnhealthy, log } = context;
   const container = dockerApi.getContainer(containerId);
   const inspection = await container.inspect();
-  const healthState = inspection?.State?.Health;
+  const healthState = getInspectionHealthState(inspection);
 
   if (!healthState) {
     log.warn(`Container ${containerName} has no HEALTHCHECK defined — stopping health monitoring`);
@@ -164,7 +211,7 @@ function createPollHandler(context: HealthPollContext): () => Promise<void> {
 
     try {
       await inspectHealthAndHandle(context);
-    } catch (error) {
+    } catch (error: unknown) {
       const message = getErrorMessage(error);
       context.log.warn(
         `Error inspecting container ${context.containerName} during health monitoring: ${message}`,
@@ -179,7 +226,7 @@ function handleWindowExpiry(
   signal: AbortSignal,
   containerName: string,
   cleanup: () => void,
-  log: any,
+  log: LoggerLike,
 ): void {
   if (signal.aborted) return;
   log.info(
@@ -197,15 +244,18 @@ function handleWindowExpiry(
  */
 export function startHealthMonitor(options: HealthMonitorOptions): AbortController {
   const {
-    dockerApi,
+    dockerApi: dockerApiOption,
     containerId,
     containerName,
     backupImageTag,
     window: monitorWindow,
     interval,
-    triggerInstance,
-    log,
+    triggerInstance: triggerInstanceOption,
+    log: logOption,
   } = options;
+  const dockerApi = dockerApiOption as DockerApiLike;
+  const triggerInstance = triggerInstanceOption as TriggerInstanceLike;
+  const log = logOption as LoggerLike;
 
   const abortController = new AbortController();
   const { signal } = abortController;
diff --git a/app/triggers/providers/docker/HookExecutor.ts b/app/triggers/providers/docker/HookExecutor.ts
index dbd60e528..4913e1563 100644
--- a/app/triggers/providers/docker/HookExecutor.ts
+++ b/app/triggers/providers/docker/HookExecutor.ts
@@ -36,7 +36,7 @@ type HookConfig = {
   hookEnv: Record<string, string>;
 };
 
-export type HookExecutorDependencies = {
+type HookExecutorDependencies = {
   runHook: (
     command: string,
     options: { timeout: number; env: Record<string, string>; label: string },
diff --git a/app/triggers/providers/docker/RegistryResolver.test.ts b/app/triggers/providers/docker/RegistryResolver.test.ts
index 37021e4d2..7426d4660 100644
--- a/app/triggers/providers/docker/RegistryResolver.test.ts
+++ b/app/triggers/providers/docker/RegistryResolver.test.ts
@@ -263,6 +263,31 @@ describe('RegistryResolver', () => {
     );
   });
 
+  test('resolveRegistryManager should support symbol-valued registry names', () => {
+    const resolver = new RegistryResolver();
+    const registryKey = Symbol.for('hub');
+    const registryManager = {
+      getAuthPull: vi.fn(),
+      getImageFullName: vi.fn(),
+    };
+
+    const resolved = resolver.resolveRegistryManager(
+      {
+        image: {
+          registry: {
+            name: registryKey,
+          },
+        },
+      },
+      createLog(),
+      {
+        [registryKey]: registryManager,
+      },
+    );
+
+    expect(resolved).toBe(registryManager);
+  });
+
   test('resolveRegistryManager should include a stable error code for misconfigured registries', () => {
     const resolver = new RegistryResolver();
 
@@ -333,6 +358,41 @@ describe('RegistryResolver', () => {
     );
   });
 
+  test('resolveRegistryManager should ignore non-object registry entries when matching', () => {
+    const resolver = new RegistryResolver();
+    const log = createLog();
+    const matcher = {
+      match: vi.fn(() => true),
+      getAuthPull: vi.fn(),
+      getImageFullName: vi.fn(),
+      normalizeImage: vi.fn(),
+      getId: vi.fn(() => 'matcher-ghcr'),
+    };
+
+    const resolved = resolver.resolveRegistryManager(
+      {
+        image: {
+          name: 'library/nginx',
+          registry: {
+            name: 'unknown',
+            url: 'ghcr.io',
+          },
+        },
+      },
+      log,
+      {
+        invalid: 'not-an-object' as any,
+        primary: matcher,
+      },
+      {
+        requireNormalizeImage: true,
+      },
+    );
+
+    expect(resolved).toBe(matcher);
+    expect(matcher.match).toHaveBeenCalled();
+  });
+
   test('resolveRegistryManager should throw a typed error when matcher result is misconfigured', () => {
     const resolver = new RegistryResolver();
 
diff --git a/app/triggers/providers/docker/RegistryResolver.ts b/app/triggers/providers/docker/RegistryResolver.ts
index bbfa4b010..549cc8003 100644
--- a/app/triggers/providers/docker/RegistryResolver.ts
+++ b/app/triggers/providers/docker/RegistryResolver.ts
@@ -1,5 +1,36 @@
 import TriggerPipelineError from './TriggerPipelineError.js';
 
+type RegistryState = Record<PropertyKey, unknown>;
+
+type RegistryManagerCandidate = {
+  getAuthPull?: (...args: unknown[]) => unknown;
+  getImageFullName?: (...args: unknown[]) => unknown;
+  normalizeImage?: (...args: unknown[]) => unknown;
+  match?: (...args: unknown[]) => unknown;
+  getId?: (...args: unknown[]) => unknown;
+};
+
+type RegistryCompatibilityOptions = {
+  requireNormalizeImage?: boolean;
+};
+
+type RegistryLookupOptions = {
+  source?: string;
+  registryName?: unknown;
+  requiredMethods?: string[];
+  requireNormalizeImage?: boolean;
+};
+
+type RegistryResolveOptions = {
+  allowAnonymousFallback?: boolean;
+  requireNormalizeImage?: boolean;
+  registryName?: unknown;
+};
+
+function toPropertyKey(value: unknown): PropertyKey {
+  return typeof value === 'symbol' ? value : String(value);
+}
+
 class RegistryResolver {
   normalizeRegistryHost(registryUrlOrName) {
     if (typeof registryUrlOrName !== 'string') {
@@ -75,18 +106,19 @@ class RegistryResolver {
     return candidates;
   }
 
-  isRegistryManagerCompatible(registry, options: Record<string, any> = {}) {
+  isRegistryManagerCompatible(registry, options: RegistryCompatibilityOptions = {}) {
     const { requireNormalizeImage = false } = options;
     if (!registry || typeof registry !== 'object') {
       return false;
     }
-    if (typeof registry.getAuthPull !== 'function') {
+    const registryCandidate = registry as RegistryManagerCandidate;
+    if (typeof registryCandidate.getAuthPull !== 'function') {
       return false;
     }
-    if (typeof registry.getImageFullName !== 'function') {
+    if (typeof registryCandidate.getImageFullName !== 'function') {
       return false;
     }
-    if (requireNormalizeImage && typeof registry.normalizeImage !== 'function') {
+    if (requireNormalizeImage && typeof registryCandidate.normalizeImage !== 'function') {
       return false;
     }
     return true;
@@ -157,7 +189,7 @@ class RegistryResolver {
     return requiredMethods;
   }
 
-  ensureCompatibleRegistryManager(registryManager, options: Record<string, any> = {}) {
+  ensureCompatibleRegistryManager(registryManager, options: RegistryLookupOptions = {}) {
     const {
       source = 'unknown',
       registryName,
@@ -187,12 +219,12 @@ class RegistryResolver {
   }
 
   findRegistryManagerByName(
-    registryState: Record<string, any> = {},
-    options: Record<string, any> = {},
+    registryState: RegistryState = {},
+    options: RegistryLookupOptions = {},
   ) {
     const { registryName, requiredMethods = [], requireNormalizeImage = false } = options;
 
-    return this.ensureCompatibleRegistryManager(registryState[registryName], {
+    return this.ensureCompatibleRegistryManager(registryState[toPropertyKey(registryName)], {
       source: 'lookup by name',
       registryName,
       requiredMethods,
@@ -200,15 +232,19 @@ class RegistryResolver {
     });
   }
 
-  findRegistryManagerByImageCandidate(registryState: Record<string, any> = {}, imageCandidate) {
+  findRegistryManagerByImageCandidate(registryState: RegistryState = {}, imageCandidate) {
     for (const registryManager of Object.values(registryState)) {
-      if (typeof registryManager?.match !== 'function') {
+      if (!registryManager || typeof registryManager !== 'object') {
+        continue;
+      }
+      const registryManagerCandidate = registryManager as RegistryManagerCandidate;
+      if (typeof registryManagerCandidate.match !== 'function') {
         continue;
       }
 
       try {
-        if (registryManager.match(imageCandidate)) {
-          return registryManager;
+        if (registryManagerCandidate.match(imageCandidate)) {
+          return registryManagerCandidate;
         }
       } catch {
         // Ignore matcher errors and continue checking other registries.
@@ -221,8 +257,8 @@ class RegistryResolver {
   findRegistryManagerByImageMatch(
     container,
     logContainer,
-    registryState: Record<string, any> = {},
-    options: Record<string, any> = {},
+    registryState: RegistryState = {},
+    options: RegistryLookupOptions = {},
   ) {
     const { registryName, requiredMethods = [], requireNormalizeImage = false } = options;
     const lookupCandidates = this.buildRegistryLookupCandidates(container?.image);
@@ -251,7 +287,7 @@ class RegistryResolver {
     return undefined;
   }
 
-  createUnsupportedRegistryManagerError(registryState: Record<string, any> = {}, registryName) {
+  createUnsupportedRegistryManagerError(registryState: RegistryState = {}, registryName) {
     const knownRegistries = Object.keys(registryState);
     const knownRegistriesAsString =
       knownRegistries.length > 0 ? knownRegistries.join(', ') : 'none';
@@ -268,8 +304,8 @@ class RegistryResolver {
   resolveRegistryManager(
     container,
     logContainer,
-    registryState: Record<string, any> = {},
-    options: Record<string, any> = {},
+    registryState: RegistryState = {},
+    options: RegistryResolveOptions = {},
   ) {
     const {
       allowAnonymousFallback = false,
diff --git a/app/triggers/providers/docker/RollbackMonitor.ts b/app/triggers/providers/docker/RollbackMonitor.ts
index 722dbc4f3..b92667d53 100644
--- a/app/triggers/providers/docker/RollbackMonitor.ts
+++ b/app/triggers/providers/docker/RollbackMonitor.ts
@@ -27,7 +27,7 @@ type RollbackConfig = {
   rollbackInterval: number;
 };
 
-export type RollbackMonitorDependencies = {
+type RollbackMonitorDependencies = {
   getPreferredLabelValue: (
     labels: Record<string, string> | undefined,
     ddKey: string,
diff --git a/app/triggers/providers/docker/SecurityGate.ts b/app/triggers/providers/docker/SecurityGate.ts
index 5fbd17b4f..6914090a6 100644
--- a/app/triggers/providers/docker/SecurityGate.ts
+++ b/app/triggers/providers/docker/SecurityGate.ts
@@ -62,7 +62,7 @@ type SecurityAlertPayload = {
   container: SecurityContainer;
 };
 
-export type SecurityGateDependencies = {
+type SecurityGateDependencies = {
   getSecurityConfiguration: () => SecurityConfiguration;
   verifyImageSignature: (request: SecurityScannerRequest) => Promise<SignatureScanResult>;
   scanImageForVulnerabilities: (
diff --git a/app/triggers/providers/docker/SelfUpdateOrchestrator.ts b/app/triggers/providers/docker/SelfUpdateOrchestrator.ts
index 67c38a19d..127145418 100644
--- a/app/triggers/providers/docker/SelfUpdateOrchestrator.ts
+++ b/app/triggers/providers/docker/SelfUpdateOrchestrator.ts
@@ -23,7 +23,7 @@ interface SelfUpdateStartingPayload {
   startedAt: string;
 }
 
-export interface SelfUpdateOrchestratorDependencies {
+interface SelfUpdateOrchestratorDependencies {
   getConfiguration: () => SelfUpdateConfiguration;
   runtimeConfigManager: SelfUpdateRuntimeConfigManager;
   pullImage: (
diff --git a/app/triggers/providers/docker/SelfUpdateTransitionShared.ts b/app/triggers/providers/docker/SelfUpdateTransitionShared.ts
index c39c57a05..8fe0355cc 100644
--- a/app/triggers/providers/docker/SelfUpdateTransitionShared.ts
+++ b/app/triggers/providers/docker/SelfUpdateTransitionShared.ts
@@ -16,7 +16,7 @@ import type {
 type SelfUpdateRuntimeConfigOptions = Record<string, unknown>;
 type SelfUpdateContainerCreateSpec = Record<string, unknown>;
 
-export interface SelfUpdateTransitionDependencies {
+interface SelfUpdateTransitionDependencies {
   getConfiguration: () => SelfUpdateConfiguration | undefined;
   findDockerSocketBind: (spec: SelfUpdateContainerSpec | undefined) => string | undefined;
   insertContainerImageBackup: (
diff --git a/app/triggers/providers/docker/compose-file-sync.test.ts b/app/triggers/providers/docker/compose-file-sync.test.ts
new file mode 100644
index 000000000..23020006e
--- /dev/null
+++ b/app/triggers/providers/docker/compose-file-sync.test.ts
@@ -0,0 +1,342 @@
+import fs from 'node:fs/promises';
+import path from 'node:path';
+
+vi.mock('node:fs/promises');
+const mockUpdateComposeServiceImageInText = vi.hoisted(() => vi.fn());
+vi.mock('../dockercompose/ComposeFileParser.js', () => ({
+  updateComposeServiceImageInText: (...args: unknown[]) =>
+    mockUpdateComposeServiceImageInText(...args),
+}));
+
+vi.mock('../../../log/index.js', () => ({
+  default: {
+    child: () => ({
+      info: vi.fn(),
+      warn: vi.fn(),
+      debug: vi.fn(),
+      error: vi.fn(),
+    }),
+  },
+}));
+
+import { syncComposeFileTag } from './compose-file-sync.js';
+
+const COMPOSE_CONTENT = `services:
+  app:
+    image: hemmeligapp/hemmelig:v6
+    ports:
+      - "3000:3000"
+  db:
+    image: postgres:15
+    volumes:
+      - pgdata:/var/lib/postgresql/data
+volumes:
+  pgdata:
+`;
+
+function makeLog() {
+  return {
+    info: vi.fn(),
+    warn: vi.fn(),
+    debug: vi.fn(),
+    error: vi.fn(),
+  };
+}
+
+function makeLabels(overrides: Record<string, string> = {}) {
+  return {
+    'com.docker.compose.project.config_files': '/home/user/stacks/app/docker-compose.yml',
+    'com.docker.compose.project.working_dir': '/home/user/stacks/app',
+    'com.docker.compose.service': 'app',
+    ...overrides,
+  };
+}
+
+beforeEach(() => {
+  vi.resetAllMocks();
+  mockUpdateComposeServiceImageInText.mockImplementation(
+    (composeText: string, serviceName: string, newImage: string) =>
+      serviceName === 'app'
+        ? composeText.replace('hemmeligapp/hemmelig:v6', newImage)
+        : composeText,
+  );
+});
+
+describe('syncComposeFileTag', () => {
+  test('should update compose file image tag for compose-managed container', async () => {
+    const logContainer = makeLog();
+    vi.mocked(fs.readFile).mockResolvedValue(COMPOSE_CONTENT);
+    vi.mocked(fs.writeFile).mockResolvedValue(undefined);
+    vi.mocked(fs.rename).mockResolvedValue(undefined);
+
+    const result = await syncComposeFileTag({
+      labels: makeLabels(),
+      newImage: 'hemmeligapp/hemmelig:v7',
+      logContainer,
+    });
+
+    expect(result).toBe(true);
+
+    // Verify file was read
+    expect(fs.readFile).toHaveBeenCalledWith('/home/user/stacks/app/docker-compose.yml', 'utf8');
+
+    // Verify atomic write (temp file then rename)
+    expect(fs.writeFile).toHaveBeenCalledTimes(1);
+    const writtenContent = vi.mocked(fs.writeFile).mock.calls[0][1];
+    expect(writtenContent).toContain('hemmeligapp/hemmelig:v7');
+    expect(writtenContent).not.toContain('hemmeligapp/hemmelig:v6');
+    // db service should be unchanged
+    expect(writtenContent).toContain('postgres:15');
+
+    expect(fs.rename).toHaveBeenCalledTimes(1);
+    expect(logContainer.info).toHaveBeenCalledWith(expect.stringContaining('compose file'));
+  });
+
+  test('should skip when container has no compose labels', async () => {
+    const logContainer = makeLog();
+
+    const result = await syncComposeFileTag({
+      labels: {},
+      newImage: 'hemmeligapp/hemmelig:v7',
+      logContainer,
+    });
+
+    expect(result).toBe(false);
+    expect(fs.readFile).not.toHaveBeenCalled();
+  });
+
+  test('should skip when labels are undefined', async () => {
+    const logContainer = makeLog();
+
+    const result = await syncComposeFileTag({
+      labels: undefined as unknown as Record<string, string>,
+      newImage: 'hemmeligapp/hemmelig:v7',
+      logContainer,
+    });
+
+    expect(result).toBe(false);
+    expect(fs.readFile).not.toHaveBeenCalled();
+  });
+
+  test('should skip when config_files label is missing', async () => {
+    const logContainer = makeLog();
+
+    const result = await syncComposeFileTag({
+      labels: {
+        'com.docker.compose.service': 'app',
+      },
+      newImage: 'hemmeligapp/hemmelig:v7',
+      logContainer,
+    });
+
+    expect(result).toBe(false);
+    expect(fs.readFile).not.toHaveBeenCalled();
+  });
+
+  test('should skip when service label is missing', async () => {
+    const logContainer = makeLog();
+
+    const result = await syncComposeFileTag({
+      labels: {
+        'com.docker.compose.project.config_files': '/path/compose.yml',
+      },
+      newImage: 'hemmeligapp/hemmelig:v7',
+      logContainer,
+    });
+
+    expect(result).toBe(false);
+    expect(fs.readFile).not.toHaveBeenCalled();
+  });
+
+  test('should skip when compose file path resolves to empty first entry', async () => {
+    const logContainer = makeLog();
+
+    const result = await syncComposeFileTag({
+      labels: {
+        'com.docker.compose.project.config_files': ' , /home/user/stacks/app/docker-compose.yml',
+        'com.docker.compose.project.working_dir': '/home/user/stacks/app',
+        'com.docker.compose.service': 'app',
+      },
+      newImage: 'hemmeligapp/hemmelig:v7',
+      logContainer,
+    });
+
+    expect(result).toBe(false);
+    expect(fs.readFile).not.toHaveBeenCalled();
+  });
+
+  test('should resolve relative compose file paths using working_dir', async () => {
+    const logContainer = makeLog();
+    vi.mocked(fs.readFile).mockResolvedValue(COMPOSE_CONTENT);
+    vi.mocked(fs.writeFile).mockResolvedValue(undefined);
+    vi.mocked(fs.rename).mockResolvedValue(undefined);
+
+    await syncComposeFileTag({
+      labels: makeLabels({
+        'com.docker.compose.project.config_files': 'docker-compose.yml',
+        'com.docker.compose.project.working_dir': '/home/user/stacks/app',
+      }),
+      newImage: 'hemmeligapp/hemmelig:v7',
+      logContainer,
+    });
+
+    expect(fs.readFile).toHaveBeenCalledWith(
+      path.resolve('/home/user/stacks/app', 'docker-compose.yml'),
+      'utf8',
+    );
+  });
+
+  test('should use first file when multiple compose files are specified', async () => {
+    const logContainer = makeLog();
+    vi.mocked(fs.readFile).mockResolvedValue(COMPOSE_CONTENT);
+    vi.mocked(fs.writeFile).mockResolvedValue(undefined);
+    vi.mocked(fs.rename).mockResolvedValue(undefined);
+
+    await syncComposeFileTag({
+      labels: makeLabels({
+        'com.docker.compose.project.config_files':
+          '/home/user/stacks/app/docker-compose.yml,/home/user/stacks/app/docker-compose.override.yml',
+      }),
+      newImage: 'hemmeligapp/hemmelig:v7',
+      logContainer,
+    });
+
+    expect(fs.readFile).toHaveBeenCalledWith('/home/user/stacks/app/docker-compose.yml', 'utf8');
+  });
+
+  test('should handle compose file read failure gracefully', async () => {
+    const logContainer = makeLog();
+    vi.mocked(fs.readFile).mockRejectedValue(new Error('ENOENT: no such file'));
+
+    const result = await syncComposeFileTag({
+      labels: makeLabels(),
+      newImage: 'hemmeligapp/hemmelig:v7',
+      logContainer,
+    });
+
+    expect(result).toBe(false);
+    expect(logContainer.warn).toHaveBeenCalledWith(expect.stringContaining('ENOENT'));
+  });
+
+  test('should handle compose file write failure gracefully', async () => {
+    const logContainer = makeLog();
+    vi.mocked(fs.readFile).mockResolvedValue(COMPOSE_CONTENT);
+    vi.mocked(fs.writeFile).mockRejectedValue(new Error('EACCES: permission denied'));
+
+    const result = await syncComposeFileTag({
+      labels: makeLabels(),
+      newImage: 'hemmeligapp/hemmelig:v7',
+      logContainer,
+    });
+
+    expect(result).toBe(false);
+    expect(logContainer.warn).toHaveBeenCalledWith(expect.stringContaining('EACCES'));
+  });
+
+  test('should stringify non-Error compose sync failures', async () => {
+    const logContainer = makeLog();
+    vi.mocked(fs.readFile).mockRejectedValue('boom' as never);
+
+    const result = await syncComposeFileTag({
+      labels: makeLabels(),
+      newImage: 'hemmeligapp/hemmelig:v7',
+      logContainer,
+    });
+
+    expect(result).toBe(false);
+    expect(logContainer.warn).toHaveBeenCalledWith(expect.stringContaining('boom'));
+  });
+
+  test('should handle rename failure with direct write fallback', async () => {
+    const logContainer = makeLog();
+    vi.mocked(fs.readFile).mockResolvedValue(COMPOSE_CONTENT);
+    vi.mocked(fs.writeFile).mockResolvedValue(undefined);
+    vi.mocked(fs.rename).mockRejectedValue(new Error('EBUSY'));
+    vi.mocked(fs.unlink).mockRejectedValue(new Error('unlink failed'));
+
+    const result = await syncComposeFileTag({
+      labels: makeLabels(),
+      newImage: 'hemmeligapp/hemmelig:v7',
+      logContainer,
+    });
+
+    // Falls back to direct overwrite
+    expect(result).toBe(true);
+    // writeFile called twice: once for temp, once for direct fallback
+    expect(fs.writeFile).toHaveBeenCalledTimes(2);
+  });
+
+  test('should handle service not found in compose file gracefully', async () => {
+    const logContainer = makeLog();
+    vi.mocked(fs.readFile).mockResolvedValue(COMPOSE_CONTENT);
+    mockUpdateComposeServiceImageInText.mockReturnValue(COMPOSE_CONTENT);
+
+    const result = await syncComposeFileTag({
+      labels: makeLabels({
+        'com.docker.compose.service': 'nonexistent',
+      }),
+      newImage: 'hemmeligapp/hemmelig:v7',
+      logContainer,
+    });
+
+    expect(result).toBe(false);
+    expect(logContainer.debug).toHaveBeenCalledWith(expect.stringContaining('already has image'));
+    expect(fs.writeFile).not.toHaveBeenCalled();
+    expect(fs.rename).not.toHaveBeenCalled();
+  });
+
+  test('should skip when compose file already has requested image', async () => {
+    const logContainer = makeLog();
+    vi.mocked(fs.readFile).mockResolvedValue(COMPOSE_CONTENT);
+    mockUpdateComposeServiceImageInText.mockReturnValue(COMPOSE_CONTENT);
+
+    const result = await syncComposeFileTag({
+      labels: makeLabels(),
+      newImage: 'hemmeligapp/hemmelig:v6',
+      logContainer,
+    });
+
+    expect(result).toBe(false);
+    expect(logContainer.debug).toHaveBeenCalledWith(expect.stringContaining('already has image'));
+    expect(fs.writeFile).not.toHaveBeenCalled();
+    expect(fs.rename).not.toHaveBeenCalled();
+  });
+
+  test('should preserve formatting and other services', async () => {
+    const logContainer = makeLog();
+    vi.mocked(fs.readFile).mockResolvedValue(COMPOSE_CONTENT);
+    vi.mocked(fs.writeFile).mockResolvedValue(undefined);
+    vi.mocked(fs.rename).mockResolvedValue(undefined);
+
+    await syncComposeFileTag({
+      labels: makeLabels(),
+      newImage: 'hemmeligapp/hemmelig:v7',
+      logContainer,
+    });
+
+    const writtenContent = vi.mocked(fs.writeFile).mock.calls[0][1] as string;
+    // Ports should remain intact
+    expect(writtenContent).toContain('- "3000:3000"');
+    // volumes section should be untouched
+    expect(writtenContent).toContain('pgdata:');
+  });
+
+  test('should clean up temp file on write failure', async () => {
+    const logContainer = makeLog();
+    vi.mocked(fs.readFile).mockResolvedValue(COMPOSE_CONTENT);
+    vi.mocked(fs.writeFile).mockResolvedValueOnce(undefined);
+    vi.mocked(fs.rename).mockRejectedValue(new Error('EBUSY'));
+    // Second writeFile (direct fallback) also fails
+    vi.mocked(fs.writeFile).mockRejectedValueOnce(new Error('EACCES'));
+    vi.mocked(fs.unlink).mockRejectedValue(new Error('unlink failed'));
+
+    const result = await syncComposeFileTag({
+      labels: makeLabels(),
+      newImage: 'hemmeligapp/hemmelig:v7',
+      logContainer,
+    });
+
+    expect(result).toBe(false);
+    expect(fs.unlink).toHaveBeenCalledTimes(1);
+  });
+});
diff --git a/app/triggers/providers/docker/compose-file-sync.ts b/app/triggers/providers/docker/compose-file-sync.ts
new file mode 100644
index 000000000..6bec43877
--- /dev/null
+++ b/app/triggers/providers/docker/compose-file-sync.ts
@@ -0,0 +1,122 @@
+/**
+ * Compose file sync for the Docker trigger.
+ *
+ * When the Docker trigger updates a compose-managed container with a tag
+ * change, this module updates the image tag in the compose file so that
+ * subsequent `docker-compose up` commands don't revert the update.
+ *
+ * GitHub Discussion #178
+ */
+import fs from 'node:fs/promises';
+import path from 'node:path';
+
+import { updateComposeServiceImageInText } from '../dockercompose/ComposeFileParser.js';
+
+const COMPOSE_PROJECT_CONFIG_FILES_LABEL = 'com.docker.compose.project.config_files';
+const COMPOSE_PROJECT_WORKING_DIR_LABEL = 'com.docker.compose.project.working_dir';
+const COMPOSE_SERVICE_LABEL = 'com.docker.compose.service';
+
+interface ComposeFileSyncOptions {
+  labels: Record<string, string> | undefined;
+  newImage: string;
+  logContainer: {
+    info: (message: string) => void;
+    warn: (message: string) => void;
+    debug: (message: string) => void;
+  };
+}
+
+function resolveComposeFilePath(
+  configFilesLabel: string,
+  workingDirLabel: string | undefined,
+): string {
+  const firstFile = configFilesLabel.split(',')[0].trim();
+  if (!firstFile) {
+    return '';
+  }
+  if (workingDirLabel && !path.isAbsolute(firstFile)) {
+    return path.resolve(workingDirLabel, firstFile);
+  }
+  return firstFile;
+}
+
+async function writeComposeFileAtomic(
+  filePath: string,
+  data: string,
+  logContainer: ComposeFileSyncOptions['logContainer'],
+): Promise<void> {
+  const dir = path.dirname(filePath);
+  const base = path.basename(filePath);
+  const tmpPath = path.join(
+    dir,
+    `.${base}.tmp-${process.pid}-${Date.now()}-${Math.random().toString(16).slice(2)}`,
+  );
+
+  await fs.writeFile(tmpPath, data);
+
+  try {
+    await fs.rename(tmpPath, filePath);
+  } catch {
+    // Rename can fail on Docker bind mounts (EBUSY); fall back to direct overwrite
+    logContainer.debug(`Atomic rename failed for ${filePath}; falling back to direct overwrite`);
+    try {
+      await fs.writeFile(filePath, data);
+    } catch (writeError: unknown) {
+      // Clean up temp file before propagating
+      await fs.unlink(tmpPath).catch(() => {});
+      throw writeError;
+    }
+    await fs.unlink(tmpPath).catch(() => {});
+  }
+}
+
+/**
+ * Sync the image tag in the compose file after a Docker trigger update.
+ *
+ * Returns true if the compose file was updated, false if skipped or on error.
+ * Errors are logged as warnings — a compose sync failure should never block
+ * an otherwise successful container update.
+ */
+export async function syncComposeFileTag(options: ComposeFileSyncOptions): Promise<boolean> {
+  const { labels, newImage, logContainer } = options;
+
+  if (!labels) {
+    return false;
+  }
+
+  const configFilesLabel = labels[COMPOSE_PROJECT_CONFIG_FILES_LABEL];
+  const serviceName = labels[COMPOSE_SERVICE_LABEL];
+
+  if (!configFilesLabel || !serviceName) {
+    return false;
+  }
+
+  const workingDir = labels[COMPOSE_PROJECT_WORKING_DIR_LABEL];
+  const composeFilePath = resolveComposeFilePath(configFilesLabel, workingDir);
+
+  if (!composeFilePath) {
+    return false;
+  }
+
+  try {
+    const composeText = await fs.readFile(composeFilePath, 'utf8');
+    const updatedText = updateComposeServiceImageInText(composeText, serviceName, newImage);
+
+    if (updatedText === composeText) {
+      logContainer.debug(`Compose file ${composeFilePath} already has image ${newImage}`);
+      return false;
+    }
+
+    await writeComposeFileAtomic(composeFilePath, updatedText, logContainer);
+    logContainer.info(
+      `Updated compose file ${composeFilePath} service '${serviceName}' to ${newImage}`,
+    );
+    return true;
+  } catch (error: unknown) {
+    const message = error instanceof Error ? error.message : String(error);
+    logContainer.warn(
+      `Unable to sync compose file ${composeFilePath} for service '${serviceName}' (${message})`,
+    );
+    return false;
+  }
+}
diff --git a/app/triggers/providers/docker/self-update-controller.test.ts b/app/triggers/providers/docker/self-update-controller.test.ts
index ed499c61c..210f352c9 100644
--- a/app/triggers/providers/docker/self-update-controller.test.ts
+++ b/app/triggers/providers/docker/self-update-controller.test.ts
@@ -1,4 +1,5 @@
 import { afterEach, beforeEach, describe, expect, test, vi } from 'vitest';
+import { probeSocketApiVersion } from '../../../watchers/providers/docker/socket-version-probe.js';
 import {
   runSelfUpdateController,
   runSelfUpdateControllerEntrypoint,
@@ -11,6 +12,12 @@ const mockDockerodeCtor = vi.hoisted(() => vi.fn());
 vi.mock('dockerode', () => ({
   default: mockDockerodeCtor,
 }));
+vi.mock('../../../watchers/providers/docker/disable-socket-redirects.js', () => ({
+  disableSocketRedirects: vi.fn(),
+}));
+vi.mock('../../../watchers/providers/docker/socket-version-probe.js', () => ({
+  probeSocketApiVersion: vi.fn().mockResolvedValue(undefined),
+}));
 
 const DEFAULT_CONTROLLER_ENV = {
   DD_SELF_UPDATE_OP_ID: 'op-123',
@@ -166,6 +173,20 @@ describe('self-update-controller orchestration', () => {
     );
   });
 
+  test('pins Dockerode to the probed socket API version when available', async () => {
+    vi.mocked(probeSocketApiVersion).mockResolvedValue('1.44');
+    const oldContainer = createOldContainer();
+    const newContainer = createNewContainer();
+    mockDocker(oldContainer, newContainer);
+
+    await runSelfUpdateController();
+
+    expect(mockDockerodeCtor).toHaveBeenCalledWith({
+      socketPath: '/var/run/docker.sock',
+      version: 'v1.44',
+    });
+  });
+
   test('handles healthcheck transition from starting to healthy', async () => {
     const oldContainer = createOldContainer();
     const newContainer = createNewContainer({
@@ -403,6 +424,23 @@ describe('self-update-controller orchestration', () => {
     );
   });
 
+  test('does not log rollback-start failure when old container start rejects with already-started string', async () => {
+    const oldContainer = createOldContainer({
+      inspect: vi.fn().mockResolvedValue({ State: { Running: false }, Name: '/drydock' }),
+      start: vi.fn().mockRejectedValue('already started by another process'),
+    });
+    const newContainer = createNewContainer({
+      start: vi.fn().mockRejectedValue(new Error('start failed')),
+    });
+    mockDocker(oldContainer, newContainer);
+
+    await expect(runSelfUpdateController()).rejects.toThrow('start failed');
+
+    expect(getLoggedStates().some((line) => line.includes('ROLLBACK_START_OLD_FAILED'))).toBe(
+      false,
+    );
+  });
+
   test('fails early when required env is missing', async () => {
     clearControllerEnv();
     process.env.DD_SELF_UPDATE_NEW_CONTAINER_ID = 'new-container-id';
diff --git a/app/triggers/providers/docker/self-update-controller.ts b/app/triggers/providers/docker/self-update-controller.ts
index 287c71459..2ffbc3a18 100644
--- a/app/triggers/providers/docker/self-update-controller.ts
+++ b/app/triggers/providers/docker/self-update-controller.ts
@@ -2,6 +2,8 @@ import Dockerode from 'dockerode';
 import { getErrorMessage } from '../../../util/error.js';
 import { toPositiveInteger } from '../../../util/parse.js';
 import { sleep } from '../../../util/sleep.js';
+import { disableSocketRedirects } from '../../../watchers/providers/docker/disable-socket-redirects.js';
+import { probeSocketApiVersion } from '../../../watchers/providers/docker/socket-version-probe.js';
 import {
   SELF_UPDATE_HEALTH_TIMEOUT_MS,
   SELF_UPDATE_POLL_INTERVAL_MS,
@@ -18,6 +20,29 @@ type SelfUpdateControllerConfig = {
   pollIntervalMs: number;
 };
 
+type ErrorWithStatusCode = {
+  statusCode?: number;
+  status?: number;
+};
+
+type ContainerInspectState = {
+  State?: {
+    Running?: boolean;
+    Health?: {
+      Status?: string;
+    };
+  };
+  Name?: string;
+};
+
+function getErrorStatusCode(error: unknown): number | undefined {
+  if (typeof error !== 'object' || error === null) {
+    return undefined;
+  }
+  const errorWithStatusCode = error as ErrorWithStatusCode;
+  return errorWithStatusCode.statusCode ?? errorWithStatusCode.status;
+}
+
 function getRequiredEnv(name: string): string {
   const value = process.env[name];
   if (!value || value.trim() === '') {
@@ -47,8 +72,8 @@ function readConfigFromEnv(): SelfUpdateControllerConfig {
   };
 }
 
-function isContainerAlreadyStoppedError(error: any): boolean {
-  const statusCode = error?.statusCode ?? error?.status;
+function isContainerAlreadyStoppedError(error: unknown): boolean {
+  const statusCode = getErrorStatusCode(error);
   if (statusCode === 304) {
     return true;
   }
@@ -56,8 +81,8 @@ function isContainerAlreadyStoppedError(error: any): boolean {
   return message.includes('is not running') || message.includes('already stopped');
 }
 
-function isContainerAlreadyStartedError(error: any): boolean {
-  const statusCode = error?.statusCode ?? error?.status;
+function isContainerAlreadyStartedError(error: unknown): boolean {
+  const statusCode = getErrorStatusCode(error);
   if (statusCode === 304) {
     return true;
   }
@@ -65,8 +90,8 @@ function isContainerAlreadyStartedError(error: any): boolean {
   return message.includes('already started');
 }
 
-function hasHealthcheck(containerInspect: any): boolean {
-  return Boolean(containerInspect?.State?.Health);
+function hasHealthcheck(containerInspect: ContainerInspectState): boolean {
+  return Boolean(containerInspect.State?.Health);
 }
 
 function normalizeContainerName(name: string | undefined): string {
@@ -98,18 +123,17 @@ class SelfUpdateController {
 
   config: SelfUpdateControllerConfig;
 
-  constructor(config: SelfUpdateControllerConfig) {
-    this.docker = new Dockerode({ socketPath: '/var/run/docker.sock' });
+  constructor(config: SelfUpdateControllerConfig, docker: Dockerode) {
+    this.docker = docker;
     this.config = config;
   }
 
   logState(state: string, details?: string): void {
     const suffix = details ? ` - ${details}` : '';
-    // eslint-disable-next-line no-console
-    console.log(`[self-update:${this.config.opId}] ${state}${suffix}`);
+    globalThis.console.log(`[self-update:${this.config.opId}] ${state}${suffix}`);
   }
 
-  async inspectContainer(containerId: string): Promise<any> {
+  async inspectContainer(containerId: string): Promise<ContainerInspectState> {
     return this.docker.getContainer(containerId).inspect();
   }
 
@@ -118,7 +142,7 @@ class SelfUpdateController {
     const oldContainer = this.docker.getContainer(this.config.oldContainerId);
     try {
       await oldContainer.stop();
-    } catch (error: any) {
+    } catch (error: unknown) {
       if (!isContainerAlreadyStoppedError(error)) {
         throw error;
       }
@@ -146,7 +170,7 @@ class SelfUpdateController {
     const newContainer = this.docker.getContainer(this.config.newContainerId);
     try {
       await newContainer.start();
-    } catch (error: any) {
+    } catch (error: unknown) {
       if (!isContainerAlreadyStartedError(error)) {
         throw error;
       }
@@ -213,7 +237,7 @@ class SelfUpdateController {
     await oldContainer.rename({ name: this.config.oldContainerName });
   }
 
-  async rollback(error: any): Promise<never> {
+  async rollback(error: unknown): Promise<never> {
     const reason = getErrorMessage(error, String(error));
     const oldContainer = this.docker.getContainer(this.config.oldContainerId);
     const newContainer = this.docker.getContainer(this.config.newContainerId);
@@ -221,7 +245,7 @@ class SelfUpdateController {
     try {
       this.logState('CLEANUP_CANDIDATE');
       await newContainer.remove({ force: true });
-    } catch (cleanupError: any) {
+    } catch (cleanupError: unknown) {
       this.logState(
         'CLEANUP_CANDIDATE_FAILED',
         getErrorMessage(cleanupError, String(cleanupError)),
@@ -230,7 +254,7 @@ class SelfUpdateController {
 
     try {
       await this.restoreOldContainerName(oldContainer);
-    } catch (restoreNameError: any) {
+    } catch (restoreNameError: unknown) {
       this.logState(
         'ROLLBACK_RESTORE_NAME_FAILED',
         getErrorMessage(restoreNameError, String(restoreNameError)),
@@ -240,7 +264,7 @@ class SelfUpdateController {
     this.logState('ROLLBACK_START_OLD', reason);
     try {
       await oldContainer.start();
-    } catch (rollbackError: any) {
+    } catch (rollbackError: unknown) {
       if (!isContainerAlreadyStartedError(rollbackError)) {
         this.logState(
           'ROLLBACK_START_OLD_FAILED',
@@ -265,7 +289,7 @@ class SelfUpdateController {
       await this.waitNewContainerRunning();
       await this.waitNewContainerHealthy();
       await this.commitUpdate();
-    } catch (error: any) {
+    } catch (error: unknown) {
       await this.rollback(error);
     }
   }
@@ -273,7 +297,15 @@ class SelfUpdateController {
 
 export async function runSelfUpdateController(): Promise<void> {
   const config = readConfigFromEnv();
-  const controller = new SelfUpdateController(config);
+  const socketPath = '/var/run/docker.sock';
+  const apiVersion = await probeSocketApiVersion(socketPath);
+  const dockerOpts: Dockerode.DockerOptions = { socketPath };
+  if (apiVersion) {
+    dockerOpts.version = `v${apiVersion}`;
+  }
+  const docker = new Dockerode(dockerOpts);
+  disableSocketRedirects(docker);
+  const controller = new SelfUpdateController(config, docker);
   await controller.run();
 }
 
@@ -282,9 +314,10 @@ export async function runSelfUpdateControllerEntrypoint(
 ): Promise<void> {
   try {
     await runner();
-  } catch (error: any) {
-    // eslint-disable-next-line no-console
-    console.error(`[self-update] controller failed: ${getErrorMessage(error, String(error))}`);
+  } catch (error: unknown) {
+    globalThis.console.error(
+      `[self-update] controller failed: ${getErrorMessage(error, String(error))}`,
+    );
     process.exitCode = 1;
   }
 }
diff --git a/app/triggers/providers/docker/self-update-sse-flow.test.ts b/app/triggers/providers/docker/self-update-sse-flow.test.ts
index 28564b267..333c25553 100644
--- a/app/triggers/providers/docker/self-update-sse-flow.test.ts
+++ b/app/triggers/providers/docker/self-update-sse-flow.test.ts
@@ -5,6 +5,12 @@ const mockDockerodeCtor = vi.hoisted(() => vi.fn());
 vi.mock('dockerode', () => ({
   default: mockDockerodeCtor,
 }));
+vi.mock('../../../watchers/providers/docker/disable-socket-redirects.js', () => ({
+  disableSocketRedirects: vi.fn(),
+}));
+vi.mock('../../../watchers/providers/docker/socket-version-probe.js', () => ({
+  probeSocketApiVersion: vi.fn().mockResolvedValue(undefined),
+}));
 
 import * as sseRouter from '../../../api/sse.js';
 import { clearAllListenersForTests, emitSelfUpdateStarting } from '../../../event/index.js';
diff --git a/app/triggers/providers/dockercompose/ComposeFileLockManager.ts b/app/triggers/providers/dockercompose/ComposeFileLockManager.ts
index 2c63c79c4..8e5ab7c75 100644
--- a/app/triggers/providers/dockercompose/ComposeFileLockManager.ts
+++ b/app/triggers/providers/dockercompose/ComposeFileLockManager.ts
@@ -2,6 +2,7 @@ import { watch } from 'node:fs';
 import fs from 'node:fs/promises';
 import path from 'node:path';
 import { resolveConfiguredPath } from '../../../runtime/paths.js';
+import { getErrorMessage } from '../../../util/error.js';
 
 const COMPOSE_FILE_LOCK_SUFFIX = '.drydock.lock';
 const COMPOSE_FILE_LOCK_MAX_WAIT_MS = 10_000;
@@ -11,6 +12,14 @@ export interface ComposeFileLockManagerOptions {
   getLog?: () => { warn?: (message: string) => void } | undefined;
 }
 
+interface ErrorWithCode {
+  code?: unknown;
+}
+
+function hasErrorCode(error: unknown, code: string): boolean {
+  return !!error && typeof error === 'object' && (error as ErrorWithCode).code === code;
+}
+
 /**
  * Manages file-level locking for compose writes, including stale lock cleanup
  * and lock-file change notifications.
@@ -80,8 +89,8 @@ export class ComposeFileLockManager {
         await this.tryCreateComposeFileLock(lockFilePath);
         this._composeFileLocksHeld.add(filePath);
         return lockFilePath;
-      } catch (e: any) {
-        if (e?.code !== 'EEXIST') {
+      } catch (e: unknown) {
+        if (!hasErrorCode(e, 'EEXIST')) {
           throw e;
         }
         const staleLockReleased = await this.maybeReleaseStaleComposeFileLock(lockFilePath);
@@ -101,9 +110,9 @@ export class ComposeFileLockManager {
     this._composeFileLocksHeld.delete(filePath);
     try {
       await fs.unlink(lockFilePath);
-    } catch (e: any) {
-      if (e?.code !== 'ENOENT') {
-        this.warn(`Could not remove compose file lock ${lockFilePath} (${e.message})`);
+    } catch (e: unknown) {
+      if (!hasErrorCode(e, 'ENOENT')) {
+        this.warn(`Could not remove compose file lock ${lockFilePath} (${getErrorMessage(e)})`);
       }
     }
   }
@@ -130,11 +139,11 @@ export class ComposeFileLockManager {
       await fs.unlink(lockFilePath);
       this.warn(`Removed stale compose file lock ${lockFilePath}`);
       return true;
-    } catch (e: any) {
-      if (e?.code === 'ENOENT') {
+    } catch (e: unknown) {
+      if (hasErrorCode(e, 'ENOENT')) {
         return true;
       }
-      this.warn(`Could not inspect compose file lock ${lockFilePath} (${e.message})`);
+      this.warn(`Could not inspect compose file lock ${lockFilePath} (${getErrorMessage(e)})`);
       return false;
     }
   }
diff --git a/app/triggers/providers/dockercompose/ComposeFileParser.test.ts b/app/triggers/providers/dockercompose/ComposeFileParser.test.ts
index 5bc732cc8..a9d243b2c 100644
--- a/app/triggers/providers/dockercompose/ComposeFileParser.test.ts
+++ b/app/triggers/providers/dockercompose/ComposeFileParser.test.ts
@@ -226,4 +226,21 @@ describe('ComposeFileParser', () => {
       expect.stringContaining('Error when reading the docker-compose yaml file'),
     );
   });
+
+  test('getComposeFile should stringify non-Error synchronous read failures', () => {
+    const errorSpy = vi.fn();
+    const parser = new ComposeFileParser({
+      resolveComposeFilePath: (filePath) => filePath,
+      getLog: () => ({ error: errorSpy }),
+    });
+
+    fs.readFile.mockImplementation(() => {
+      throw 42;
+    });
+
+    expect(() => parser.getComposeFile('/bad.yml')).toThrow();
+    expect(errorSpy).toHaveBeenCalledWith(
+      expect.stringContaining('Error when reading the docker-compose yaml file /bad.yml (42)'),
+    );
+  });
 });
diff --git a/app/triggers/providers/dockercompose/ComposeFileParser.ts b/app/triggers/providers/dockercompose/ComposeFileParser.ts
index 4e0d6f5ea..cdb44a6c3 100644
--- a/app/triggers/providers/dockercompose/ComposeFileParser.ts
+++ b/app/triggers/providers/dockercompose/ComposeFileParser.ts
@@ -57,7 +57,14 @@ function formatReplacementImageValue(currentImageValueText: string, newImage: st
   return newImage;
 }
 
-export function parseComposeDocument(composeFileText: string) {
+function getErrorMessage(error: unknown) {
+  if (error instanceof Error) {
+    return error.message;
+  }
+  return String(error);
+}
+
+function parseComposeDocument(composeFileText: string) {
   const parseDocumentOptions = {
     keepSourceTokens: true,
     maxAliasCount: YAML_MAX_ALIAS_COUNT,
@@ -71,9 +78,11 @@ export function parseComposeDocument(composeFileText: string) {
   return composeDoc;
 }
 
+type ComposeDocument = ReturnType<typeof parseComposeDocument>;
+
 function buildComposeServiceImageTextEdit(
   composeFileText: string,
-  composeDoc: any,
+  composeDoc: ComposeDocument,
   serviceName: string,
   newImage: string,
 ): ComposeTextEdit {
@@ -158,7 +167,7 @@ export function updateComposeServiceImageInText(
   composeFileText: string,
   serviceName: string,
   newImage: string,
-  composeDoc: any = null,
+  composeDoc: ComposeDocument | null = null,
 ) {
   const doc = composeDoc || parseComposeDocument(composeFileText);
   const composeTextEdit = buildComposeServiceImageTextEdit(
@@ -173,7 +182,7 @@ export function updateComposeServiceImageInText(
 export function updateComposeServiceImagesInText(
   composeFileText: string,
   serviceImageUpdates: Map<string, string>,
-  composeDoc: any = null,
+  composeDoc: ComposeDocument | null = null,
 ) {
   if (serviceImageUpdates.size === 0) {
     return composeFileText;
@@ -191,7 +200,7 @@ export function updateComposeServiceImagesInText(
 class ComposeFileParser {
   _composeCacheMaxEntries = COMPOSE_CACHE_MAX_ENTRIES;
   _composeObjectCache = new Map<string, { mtimeMs: number; compose: unknown }>();
-  _composeDocumentCache = new Map<string, { mtimeMs: number; composeDoc: unknown }>();
+  _composeDocumentCache = new Map<string, { mtimeMs: number; composeDoc: ComposeDocument }>();
 
   private readonly resolveComposeFilePath: (file: string) => string;
   private readonly getDefaultComposeFilePath: () => string | null | undefined;
@@ -280,9 +289,9 @@ class ComposeFileParser {
     const filePath = this.resolveComposeFilePath(configuredFilePath as string);
     try {
       return fs.readFile(filePath);
-    } catch (e: any) {
+    } catch (e: unknown) {
       this.getLog()?.error?.(
-        `Error when reading the docker-compose yaml file ${filePath} (${e.message})`,
+        `Error when reading the docker-compose yaml file ${filePath} (${getErrorMessage(e)})`,
       );
       throw e;
     }
@@ -311,9 +320,9 @@ class ComposeFileParser {
         compose,
       });
       return compose;
-    } catch (e: any) {
+    } catch (e: unknown) {
       this.getLog()?.error?.(
-        `Error when parsing the docker-compose yaml file ${configuredFilePath} (${e.message})`,
+        `Error when parsing the docker-compose yaml file ${configuredFilePath} (${getErrorMessage(e)})`,
       );
       throw e;
     }
diff --git a/app/triggers/providers/dockercompose/Dockercompose.comments-and-pruning.test.ts b/app/triggers/providers/dockercompose/Dockercompose.comments-and-pruning.test.ts
new file mode 100644
index 000000000..a981f1eb3
--- /dev/null
+++ b/app/triggers/providers/dockercompose/Dockercompose.comments-and-pruning.test.ts
@@ -0,0 +1,501 @@
+import { watch } from 'node:fs';
+import yaml from 'yaml';
+import { emitContainerUpdateApplied } from '../../../event/index.js';
+import { getState } from '../../../registry/index.js';
+import Dockercompose, { testable_updateComposeServiceImageInText } from './Dockercompose.js';
+import {
+  makeCompose,
+  makeContainer,
+  setupDockercomposeTestContext,
+  spyOnProcessComposeHelpers,
+} from './Dockercompose.test.helpers.js';
+
+vi.mock('../../../registry', () => ({
+  getState: vi.fn(),
+}));
+
+vi.mock('../../../event/index.js', () => ({
+  emitContainerUpdateApplied: vi.fn().mockResolvedValue(undefined),
+  emitContainerUpdateFailed: vi.fn().mockResolvedValue(undefined),
+  emitSecurityAlert: vi.fn().mockResolvedValue(undefined),
+  emitSelfUpdateStarting: vi.fn(),
+}));
+
+vi.mock('../../../model/container.js', async (importOriginal) => {
+  const actual = await importOriginal();
+  return {
+    ...actual,
+    fullName: vi.fn((c) => `test_${c.name}`),
+  };
+});
+
+vi.mock('../../../store/backup', () => ({
+  insertBackup: vi.fn(),
+  pruneOldBackups: vi.fn(),
+  getBackupsByName: vi.fn().mockReturnValue([]),
+}));
+
+// Modules used by the shared lifecycle (inherited from Docker trigger)
+vi.mock('../../../configuration/index.js', async () => {
+  const actual = await vi.importActual('../../../configuration/index.js');
+  return { ...actual, getSecurityConfiguration: vi.fn().mockReturnValue({ enabled: false }) };
+});
+vi.mock('../../../store/audit.js', () => ({ insertAudit: vi.fn() }));
+vi.mock('../../../prometheus/audit.js', () => ({ getAuditCounter: vi.fn().mockReturnValue(null) }));
+vi.mock('../../../security/scan.js', () => ({
+  scanImageForVulnerabilities: vi.fn(),
+  verifyImageSignature: vi.fn(),
+  generateImageSbom: vi.fn(),
+  clearDigestScanCache: vi.fn(),
+  getDigestScanCacheSize: vi.fn().mockReturnValue(0),
+  updateDigestScanCache: vi.fn(),
+  scanImageWithDedup: vi.fn(),
+}));
+vi.mock('../../../store/container.js', () => ({
+  getContainer: vi.fn(),
+  updateContainer: vi.fn(),
+  cacheSecurityState: vi.fn(),
+}));
+vi.mock('../../hooks/HookRunner.js', () => ({ runHook: vi.fn() }));
+vi.mock('../docker/HealthMonitor.js', () => ({ startHealthMonitor: vi.fn() }));
+
+vi.mock('node:fs', async (importOriginal) => {
+  const actual = await importOriginal();
+  return {
+    ...actual,
+    watch: vi.fn(),
+  };
+});
+
+vi.mock('../../../util/sleep.js', () => ({
+  sleep: vi.fn().mockResolvedValue(undefined),
+}));
+
+vi.mock('node:fs/promises', async (importOriginal) => {
+  const actual = await importOriginal();
+  return {
+    ...actual,
+    default: {
+      ...actual.default,
+      access: vi.fn().mockResolvedValue(undefined),
+      copyFile: vi.fn().mockResolvedValue(undefined),
+      readFile: vi.fn().mockResolvedValue(Buffer.from('')),
+      writeFile: vi.fn().mockResolvedValue(undefined),
+      rename: vi.fn().mockResolvedValue(undefined),
+      unlink: vi.fn().mockResolvedValue(undefined),
+      stat: vi.fn().mockResolvedValue({ mtimeMs: Date.now() }),
+    },
+    access: vi.fn().mockResolvedValue(undefined),
+    copyFile: vi.fn().mockResolvedValue(undefined),
+    readFile: vi.fn().mockResolvedValue(Buffer.from('')),
+    writeFile: vi.fn().mockResolvedValue(undefined),
+    rename: vi.fn().mockResolvedValue(undefined),
+    unlink: vi.fn().mockResolvedValue(undefined),
+    stat: vi.fn().mockResolvedValue({ mtimeMs: Date.now() }),
+  };
+});
+
+describe('Dockercompose Trigger', () => {
+  let trigger;
+  let mockLog;
+  let mockDockerApi;
+
+  beforeEach(() => {
+    ({ trigger, mockLog, mockDockerApi } = setupDockercomposeTestContext({
+      DockercomposeCtor: Dockercompose,
+      watchMock: watch,
+      getStateMock: getState,
+    }));
+  });
+
+  // Comment preservation
+  // -----------------------------------------------------------------------
+
+  test('updateComposeServiceImageInText should preserve commented-out service fields', () => {
+    const compose = [
+      'services:',
+      '  nginx:',
+      '    image: nginx:1.1.0',
+      '    # ports:',
+      '    #   - "8080:80"',
+      '    # volumes:',
+      '    #   - ./html:/usr/share/nginx/html',
+      '    # environment:',
+      '    #   - FOO=bar',
+      '    restart: always',
+      '',
+    ].join('\n');
+
+    const updated = testable_updateComposeServiceImageInText(compose, 'nginx', 'nginx:1.2.0');
+
+    expect(updated).toContain('    image: nginx:1.2.0');
+    expect(updated).toContain('    # ports:');
+    expect(updated).toContain('    #   - "8080:80"');
+    expect(updated).toContain('    # volumes:');
+    expect(updated).toContain('    #   - ./html:/usr/share/nginx/html');
+    expect(updated).toContain('    # environment:');
+    expect(updated).toContain('    #   - FOO=bar');
+    expect(updated).toContain('    restart: always');
+  });
+
+  test('updateComposeServiceImageInText should preserve a commented-out entire service', () => {
+    const compose = [
+      'services:',
+      '  nginx:',
+      '    image: nginx:1.1.0',
+      '  # redis:',
+      '  #   image: redis:7',
+      '  #   ports:',
+      '  #     - "6379:6379"',
+      '',
+    ].join('\n');
+
+    const updated = testable_updateComposeServiceImageInText(compose, 'nginx', 'nginx:1.2.0');
+
+    expect(updated).toContain('    image: nginx:1.2.0');
+    expect(updated).toContain('  # redis:');
+    expect(updated).toContain('  #   image: redis:7');
+    expect(updated).toContain('  #   ports:');
+    expect(updated).toContain('  #     - "6379:6379"');
+  });
+
+  test('updateComposeServiceImageInText should preserve top-level file comments', () => {
+    const compose = [
+      '# My production stack',
+      '# Last updated: 2024-01-01',
+      'services:',
+      '  nginx:',
+      '    image: nginx:1.1.0',
+      '',
+    ].join('\n');
+
+    const updated = testable_updateComposeServiceImageInText(compose, 'nginx', 'nginx:1.2.0');
+
+    expect(updated).toContain('# My production stack');
+    expect(updated).toContain('# Last updated: 2024-01-01');
+    expect(updated).toContain('    image: nginx:1.2.0');
+  });
+
+  test('updateComposeServiceImageInText should preserve mixed inline and block comments', () => {
+    const compose = [
+      '# Stack header',
+      'services:',
+      '  nginx:',
+      '    image: nginx:1.1.0 # web server',
+      '    # ports:',
+      '    #   - "80:80"',
+      '    environment: # env vars',
+      '      - NGINX_PORT=80 # default port',
+      '  redis:',
+      '    image: redis:7.0.0 # cache',
+      '',
+    ].join('\n');
+
+    const updated = testable_updateComposeServiceImageInText(compose, 'nginx', 'nginx:1.2.0');
+
+    expect(updated).toContain('# Stack header');
+    expect(updated).toContain('    image: nginx:1.2.0 # web server');
+    expect(updated).toContain('    # ports:');
+    expect(updated).toContain('    #   - "80:80"');
+    expect(updated).toContain('    environment: # env vars');
+    expect(updated).toContain('      - NGINX_PORT=80 # default port');
+    expect(updated).toContain('    image: redis:7.0.0 # cache');
+  });
+
+  // -----------------------------------------------------------------------
+  // Image pruning after compose update
+  // -----------------------------------------------------------------------
+
+  test('processComposeFile should prune images after non-dryrun update when prune is enabled', async () => {
+    trigger.configuration.dryrun = false;
+    trigger.configuration.prune = true;
+
+    const container = makeContainer();
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: { image: 'nginx:1.0.0' } }),
+    );
+    const { pruneImagesSpy, cleanupOldImagesSpy } = spyOnProcessComposeHelpers(trigger);
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [container]);
+
+    expect(pruneImagesSpy).toHaveBeenCalledWith(
+      mockDockerApi,
+      getState().registry.hub,
+      container,
+      expect.anything(),
+    );
+    expect(cleanupOldImagesSpy).toHaveBeenCalledWith(
+      mockDockerApi,
+      getState().registry.hub,
+      container,
+      expect.anything(),
+    );
+  });
+
+  test('processComposeFile should not call pruneImages when prune is disabled', async () => {
+    trigger.configuration.dryrun = false;
+    trigger.configuration.prune = false;
+
+    const container = makeContainer();
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: { image: 'nginx:1.0.0' } }),
+    );
+    const { pruneImagesSpy, cleanupOldImagesSpy } = spyOnProcessComposeHelpers(trigger);
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [container]);
+
+    // pruneImages is gated by prune config
+    expect(pruneImagesSpy).not.toHaveBeenCalled();
+    // cleanupOldImages is always called — it handles the prune check internally
+    expect(cleanupOldImagesSpy).toHaveBeenCalledTimes(1);
+  });
+
+  test('processComposeFile should skip pruneImages and post-update lifecycle in dryrun mode', async () => {
+    trigger.configuration.dryrun = true;
+    trigger.configuration.prune = true;
+
+    const container = makeContainer();
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: { image: 'nginx:1.0.0' } }),
+    );
+    const { pruneImagesSpy, cleanupOldImagesSpy, postHookSpy, rollbackMonitorSpy } =
+      spyOnProcessComposeHelpers(trigger);
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [container]);
+
+    // pruneImages is skipped in compose dryrun mode
+    expect(pruneImagesSpy).not.toHaveBeenCalled();
+    // cleanupOldImages is skipped (performContainerUpdate returns false in dryrun)
+    expect(cleanupOldImagesSpy).not.toHaveBeenCalled();
+    // Post-update hook is skipped in dryrun
+    expect(postHookSpy).not.toHaveBeenCalled();
+    // Rollback monitor is skipped in dryrun
+    expect(rollbackMonitorSpy).not.toHaveBeenCalled();
+    // No update event emitted
+    expect(emitContainerUpdateApplied).not.toHaveBeenCalled();
+  });
+
+  test('processComposeFile should prune images for each container in a multi-container update', async () => {
+    trigger.configuration.dryrun = false;
+    trigger.configuration.prune = true;
+
+    const nginxContainer = makeContainer();
+    const redisContainer = makeContainer({
+      name: 'redis',
+      imageName: 'redis',
+      tagValue: '7.0.0',
+      remoteValue: '7.1.0',
+    });
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({
+        nginx: { image: 'nginx:1.0.0' },
+        redis: { image: 'redis:7.0.0' },
+      }),
+    );
+    const { pruneImagesSpy, cleanupOldImagesSpy } = spyOnProcessComposeHelpers(trigger);
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [
+      nginxContainer,
+      redisContainer,
+    ]);
+
+    expect(pruneImagesSpy).toHaveBeenCalledTimes(2);
+    expect(cleanupOldImagesSpy).toHaveBeenCalledTimes(2);
+  });
+
+  test('processComposeFile should parse compose update document only once for multi-service updates', async () => {
+    trigger.configuration.dryrun = false;
+    trigger.configuration.prune = false;
+
+    const nginxContainer = makeContainer();
+    const redisContainer = makeContainer({
+      name: 'redis',
+      imageName: 'redis',
+      tagValue: '7.0.0',
+      remoteValue: '7.1.0',
+    });
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({
+        nginx: { image: 'nginx:1.0.0' },
+        redis: { image: 'redis:7.0.0' },
+      }),
+    );
+    spyOnProcessComposeHelpers(trigger);
+    const parseDocumentSpy = vi.spyOn(yaml, 'parseDocument');
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [
+      nginxContainer,
+      redisContainer,
+    ]);
+
+    expect(parseDocumentSpy).toHaveBeenCalledTimes(1);
+  });
+
+  test('processComposeFile should refresh each distinct service in compose-file-once mode', async () => {
+    trigger.configuration.dryrun = false;
+    trigger.configuration.prune = false;
+    trigger.configuration.composeFileOnce = true;
+
+    const nginxContainer = makeContainer({
+      labels: { 'com.docker.compose.service': 'nginx' },
+    });
+    const redisContainer = makeContainer({
+      name: 'redis',
+      imageName: 'redis',
+      tagValue: '7.0.0',
+      remoteValue: '7.1.0',
+      labels: { 'com.docker.compose.service': 'redis' },
+    });
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({
+        nginx: { image: 'nginx:1.0.0' },
+        redis: { image: 'redis:7.0.0' },
+      }),
+    );
+    vi.spyOn(trigger, 'getComposeFile').mockResolvedValue(
+      Buffer.from(
+        [
+          'services:',
+          '  nginx:',
+          '    image: nginx:1.0.0',
+          '  redis:',
+          '    image: redis:7.0.0',
+          '',
+        ].join('\n'),
+      ),
+    );
+    vi.spyOn(trigger, 'writeComposeFile').mockResolvedValue();
+    const runContainerUpdateLifecycleSpy = vi
+      .spyOn(trigger, 'runContainerUpdateLifecycle')
+      .mockResolvedValue();
+    vi.spyOn(trigger, 'maybeScanAndGateUpdate').mockResolvedValue();
+    vi.spyOn(trigger, 'runPreUpdateHook').mockResolvedValue();
+    vi.spyOn(trigger, 'runPostUpdateHook').mockResolvedValue();
+    vi.spyOn(trigger, 'cleanupOldImages').mockResolvedValue();
+    vi.spyOn(trigger, 'maybeStartAutoRollbackMonitor').mockResolvedValue();
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [
+      nginxContainer,
+      redisContainer,
+    ]);
+
+    expect(runContainerUpdateLifecycleSpy).toHaveBeenCalledTimes(2);
+    expect(runContainerUpdateLifecycleSpy).toHaveBeenNthCalledWith(
+      1,
+      nginxContainer,
+      expect.objectContaining({
+        service: 'nginx',
+        composeFileOnceApplied: false,
+      }),
+    );
+    expect(runContainerUpdateLifecycleSpy).toHaveBeenNthCalledWith(
+      2,
+      redisContainer,
+      expect.objectContaining({
+        service: 'redis',
+        composeFileOnceApplied: false,
+      }),
+    );
+  });
+
+  test('processComposeFile should pre-pull distinct services and skip per-service pull in compose-file-once mode', async () => {
+    trigger.configuration.dryrun = false;
+    trigger.configuration.prune = false;
+    trigger.configuration.composeFileOnce = true;
+
+    const nginxContainer = makeContainer({
+      labels: { 'com.docker.compose.service': 'nginx' },
+    });
+    const redisContainer = makeContainer({
+      name: 'redis',
+      imageName: 'redis',
+      tagValue: '7.0.0',
+      remoteValue: '7.1.0',
+      labels: { 'com.docker.compose.service': 'redis' },
+    });
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({
+        nginx: { image: 'nginx:1.0.0' },
+        redis: { image: 'redis:7.0.0' },
+      }),
+    );
+    vi.spyOn(trigger, 'getComposeFile').mockResolvedValue(
+      Buffer.from(
+        [
+          'services:',
+          '  nginx:',
+          '    image: nginx:1.0.0',
+          '  redis:',
+          '    image: redis:7.0.0',
+          '',
+        ].join('\n'),
+      ),
+    );
+    vi.spyOn(trigger, 'writeComposeFile').mockResolvedValue();
+    const pullImageSpy = vi.spyOn(trigger, 'pullImage').mockResolvedValue();
+    const updateContainerWithComposeSpy = vi
+      .spyOn(trigger, 'updateContainerWithCompose')
+      .mockResolvedValue();
+    vi.spyOn(trigger, 'runServicePostStartHooks').mockResolvedValue();
+    vi.spyOn(trigger, 'maybeScanAndGateUpdate').mockResolvedValue();
+    vi.spyOn(trigger, 'runPreUpdateHook').mockResolvedValue();
+    vi.spyOn(trigger, 'runPostUpdateHook').mockResolvedValue();
+    vi.spyOn(trigger, 'cleanupOldImages').mockResolvedValue();
+    vi.spyOn(trigger, 'maybeStartAutoRollbackMonitor').mockResolvedValue();
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [
+      nginxContainer,
+      redisContainer,
+    ]);
+
+    expect(pullImageSpy).toHaveBeenCalledTimes(2);
+    expect(updateContainerWithComposeSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/stack.yml',
+      'nginx',
+      nginxContainer,
+      expect.objectContaining({
+        skipPull: true,
+      }),
+    );
+    expect(updateContainerWithComposeSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/stack.yml',
+      'redis',
+      redisContainer,
+      expect.objectContaining({
+        skipPull: true,
+      }),
+    );
+  });
+
+  test('processComposeFile should prune images for digest-only updates when prune is enabled', async () => {
+    trigger.configuration.dryrun = false;
+    trigger.configuration.prune = true;
+
+    const container = makeContainer({
+      name: 'redis',
+      imageName: 'redis',
+      tagValue: '7.0.0',
+      updateKind: 'digest',
+      remoteValue: 'sha256:deadbeef',
+    });
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ redis: { image: 'redis:7.0.0' } }),
+    );
+    const { pruneImagesSpy, cleanupOldImagesSpy } = spyOnProcessComposeHelpers(trigger);
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [container]);
+
+    expect(pruneImagesSpy).toHaveBeenCalledTimes(1);
+    expect(cleanupOldImagesSpy).toHaveBeenCalledTimes(1);
+  });
+
+  // -----------------------------------------------------------------------
+});
diff --git a/app/triggers/providers/dockercompose/Dockercompose.compose-exec-and-hooks.test.ts b/app/triggers/providers/dockercompose/Dockercompose.compose-exec-and-hooks.test.ts
new file mode 100644
index 000000000..cf54bb868
--- /dev/null
+++ b/app/triggers/providers/dockercompose/Dockercompose.compose-exec-and-hooks.test.ts
@@ -0,0 +1,1170 @@
+import { watch } from 'node:fs';
+import fs from 'node:fs/promises';
+import path from 'node:path';
+import { getState } from '../../../registry/index.js';
+import Dockercompose from './Dockercompose.js';
+import {
+  makeCompose,
+  makeContainer,
+  makeDockerContainerHandle,
+  makeExecMocks,
+  setupDockercomposeTestContext,
+} from './Dockercompose.test.helpers.js';
+
+vi.mock('../../../registry', () => ({
+  getState: vi.fn(),
+}));
+
+vi.mock('../../../event/index.js', () => ({
+  emitContainerUpdateApplied: vi.fn().mockResolvedValue(undefined),
+  emitContainerUpdateFailed: vi.fn().mockResolvedValue(undefined),
+  emitSecurityAlert: vi.fn().mockResolvedValue(undefined),
+  emitSelfUpdateStarting: vi.fn(),
+}));
+
+vi.mock('../../../model/container.js', async (importOriginal) => {
+  const actual = await importOriginal();
+  return {
+    ...actual,
+    fullName: vi.fn((c) => `test_${c.name}`),
+  };
+});
+
+vi.mock('../../../store/backup', () => ({
+  insertBackup: vi.fn(),
+  pruneOldBackups: vi.fn(),
+  getBackupsByName: vi.fn().mockReturnValue([]),
+}));
+
+// Modules used by the shared lifecycle (inherited from Docker trigger)
+vi.mock('../../../configuration/index.js', async () => {
+  const actual = await vi.importActual('../../../configuration/index.js');
+  return { ...actual, getSecurityConfiguration: vi.fn().mockReturnValue({ enabled: false }) };
+});
+vi.mock('../../../store/audit.js', () => ({ insertAudit: vi.fn() }));
+vi.mock('../../../prometheus/audit.js', () => ({ getAuditCounter: vi.fn().mockReturnValue(null) }));
+vi.mock('../../../security/scan.js', () => ({
+  scanImageForVulnerabilities: vi.fn(),
+  verifyImageSignature: vi.fn(),
+  generateImageSbom: vi.fn(),
+  clearDigestScanCache: vi.fn(),
+  getDigestScanCacheSize: vi.fn().mockReturnValue(0),
+  updateDigestScanCache: vi.fn(),
+  scanImageWithDedup: vi.fn(),
+}));
+vi.mock('../../../store/container.js', () => ({
+  getContainer: vi.fn(),
+  updateContainer: vi.fn(),
+  cacheSecurityState: vi.fn(),
+}));
+vi.mock('../../hooks/HookRunner.js', () => ({ runHook: vi.fn() }));
+vi.mock('../docker/HealthMonitor.js', () => ({ startHealthMonitor: vi.fn() }));
+
+vi.mock('node:fs', async (importOriginal) => {
+  const actual = await importOriginal();
+  return {
+    ...actual,
+    watch: vi.fn(),
+  };
+});
+
+vi.mock('../../../util/sleep.js', () => ({
+  sleep: vi.fn().mockResolvedValue(undefined),
+}));
+
+vi.mock('node:fs/promises', async (importOriginal) => {
+  const actual = await importOriginal();
+  return {
+    ...actual,
+    default: {
+      ...actual.default,
+      access: vi.fn().mockResolvedValue(undefined),
+      copyFile: vi.fn().mockResolvedValue(undefined),
+      readFile: vi.fn().mockResolvedValue(Buffer.from('')),
+      writeFile: vi.fn().mockResolvedValue(undefined),
+      rename: vi.fn().mockResolvedValue(undefined),
+      unlink: vi.fn().mockResolvedValue(undefined),
+      stat: vi.fn().mockResolvedValue({ mtimeMs: Date.now() }),
+    },
+    access: vi.fn().mockResolvedValue(undefined),
+    copyFile: vi.fn().mockResolvedValue(undefined),
+    readFile: vi.fn().mockResolvedValue(Buffer.from('')),
+    writeFile: vi.fn().mockResolvedValue(undefined),
+    rename: vi.fn().mockResolvedValue(undefined),
+    unlink: vi.fn().mockResolvedValue(undefined),
+    stat: vi.fn().mockResolvedValue({ mtimeMs: Date.now() }),
+  };
+});
+
+describe('Dockercompose Trigger', () => {
+  let trigger;
+  let mockLog;
+  let mockDockerApi;
+
+  beforeEach(() => {
+    ({ trigger, mockLog, mockDockerApi } = setupDockercomposeTestContext({
+      DockercomposeCtor: Dockercompose,
+      watchMock: watch,
+      getStateMock: getState,
+    }));
+  });
+
+  // compose command execution
+  // -----------------------------------------------------------------------
+
+  test('updateContainerWithCompose should skip Docker API calls in dry-run mode', async () => {
+    trigger.configuration.dryrun = true;
+    const pullImageSpy = vi.spyOn(trigger, 'pullImage').mockResolvedValue();
+    const container = makeContainer({ name: 'nginx' });
+
+    await trigger.updateContainerWithCompose('/opt/drydock/test/stack.yml', 'nginx', container);
+
+    expect(pullImageSpy).not.toHaveBeenCalled();
+    expect(mockLog.child).toHaveBeenCalledWith({ container: 'nginx' });
+    expect(mockLog.info).toHaveBeenCalledWith(expect.stringContaining('dry-run mode is enabled'));
+  });
+
+  test('updateContainerWithCompose should pull and recreate the target service via Docker API', async () => {
+    trigger.configuration.dryrun = false;
+    const pullImageSpy = vi.spyOn(trigger, 'pullImage').mockResolvedValue();
+    const stopContainerSpy = vi.spyOn(trigger, 'stopContainer').mockResolvedValue();
+    const removeContainerSpy = vi.spyOn(trigger, 'removeContainer').mockResolvedValue();
+    const createContainerSpy = vi.spyOn(trigger, 'createContainer').mockResolvedValue({
+      start: vi.fn().mockResolvedValue(undefined),
+    } as any);
+    const startContainerSpy = vi.spyOn(trigger, 'startContainer').mockResolvedValue();
+    const container = makeContainer({ name: 'nginx' });
+
+    await trigger.updateContainerWithCompose('/opt/drydock/test/stack.yml', 'nginx', container);
+
+    expect(pullImageSpy).toHaveBeenCalledTimes(1);
+    expect(stopContainerSpy).toHaveBeenCalledTimes(1);
+    expect(removeContainerSpy).toHaveBeenCalledTimes(1);
+    expect(createContainerSpy).toHaveBeenCalledTimes(1);
+    expect(startContainerSpy).toHaveBeenCalledTimes(1);
+  });
+
+  test('updateContainerWithCompose should preserve stopped runtime state', async () => {
+    trigger.configuration.dryrun = false;
+    const pullImageSpy = vi.spyOn(trigger, 'pullImage').mockResolvedValue();
+    const startContainerSpy = vi.spyOn(trigger, 'startContainer').mockResolvedValue();
+    vi.spyOn(trigger, 'getCurrentContainer').mockResolvedValue(
+      makeDockerContainerHandle({
+        running: false,
+      }),
+    );
+    const container = makeContainer({ name: 'nginx' });
+
+    await trigger.updateContainerWithCompose('/opt/drydock/test/stack.yml', 'nginx', container);
+
+    expect(pullImageSpy).toHaveBeenCalledTimes(1);
+    expect(startContainerSpy).not.toHaveBeenCalled();
+  });
+
+  test('updateContainerWithCompose should skip pull when requested and still recreate', async () => {
+    trigger.configuration.dryrun = false;
+    const pullImageSpy = vi.spyOn(trigger, 'pullImage').mockResolvedValue();
+    const createContainerSpy = vi.spyOn(trigger, 'createContainer').mockResolvedValue({
+      start: vi.fn().mockResolvedValue(undefined),
+    } as any);
+    const container = makeContainer({ name: 'nginx' });
+
+    await trigger.updateContainerWithCompose('/opt/drydock/test/stack.yml', 'nginx', container, {
+      shouldStart: true,
+      skipPull: true,
+      forceRecreate: true,
+    });
+
+    expect(pullImageSpy).not.toHaveBeenCalled();
+    expect(createContainerSpy).toHaveBeenCalledTimes(1);
+  });
+
+  test('updateContainerWithCompose should ignore compose file chain and use Docker API path', async () => {
+    trigger.configuration.dryrun = false;
+    const pullImageSpy = vi.spyOn(trigger, 'pullImage').mockResolvedValue();
+    const container = makeContainer({ name: 'nginx' });
+    const composeFiles = ['/opt/drydock/test/stack.yml', '/opt/drydock/test/stack.override.yml'];
+
+    await trigger.updateContainerWithCompose('/opt/drydock/test/stack.yml', 'nginx', container, {
+      shouldStart: true,
+      skipPull: true,
+      composeFiles,
+    });
+
+    expect(pullImageSpy).not.toHaveBeenCalled();
+  });
+
+  test('updateContainerWithCompose should reuse runtime context without resolving registry manager', async () => {
+    trigger.configuration.dryrun = false;
+    const container = makeContainer({ name: 'nginx' });
+    const pullImageSpy = vi.spyOn(trigger, 'pullImage').mockResolvedValue();
+    const resolveRegistryManagerSpy = vi.spyOn(trigger, 'resolveRegistryManager');
+    const getWatcherSpy = vi.spyOn(trigger, 'getWatcher');
+    const runtimeContext = {
+      dockerApi: mockDockerApi,
+      auth: { from: 'context' },
+      newImage: 'nginx:9.9.9',
+    };
+
+    await trigger.updateContainerWithCompose('/opt/drydock/test/stack.yml', 'nginx', container, {
+      runtimeContext,
+    });
+
+    expect(resolveRegistryManagerSpy).not.toHaveBeenCalled();
+    expect(getWatcherSpy).not.toHaveBeenCalled();
+    expect(pullImageSpy).toHaveBeenCalledWith(
+      runtimeContext.dockerApi,
+      runtimeContext.auth,
+      runtimeContext.newImage,
+      expect.anything(),
+    );
+  });
+
+  test('updateContainerWithCompose should fetch auth when runtime context provides newImage without auth', async () => {
+    trigger.configuration.dryrun = false;
+    const container = makeContainer({ name: 'nginx' });
+    const pullImageSpy = vi.spyOn(trigger, 'pullImage').mockResolvedValue();
+    const resolveRegistryManagerSpy = vi.spyOn(trigger, 'resolveRegistryManager');
+    const getNewImageFullNameSpy = vi.spyOn(trigger, 'getNewImageFullName');
+    const registryGetAuthPull = vi.fn().mockResolvedValue({ from: 'registry-auth' });
+    const runtimeContext = {
+      dockerApi: mockDockerApi,
+      newImage: 'nginx:9.9.9',
+      registry: {
+        getAuthPull: registryGetAuthPull,
+      },
+    };
+
+    await trigger.updateContainerWithCompose('/opt/drydock/test/stack.yml', 'nginx', container, {
+      runtimeContext,
+    });
+
+    expect(resolveRegistryManagerSpy).not.toHaveBeenCalled();
+    expect(getNewImageFullNameSpy).not.toHaveBeenCalled();
+    expect(registryGetAuthPull).toHaveBeenCalledTimes(1);
+    expect(pullImageSpy).toHaveBeenCalledWith(
+      runtimeContext.dockerApi,
+      { from: 'registry-auth' },
+      runtimeContext.newImage,
+      expect.anything(),
+    );
+  });
+
+  test('updateContainerWithCompose should throw when current container cannot be resolved', async () => {
+    trigger.configuration.dryrun = false;
+    const container = makeContainer({ name: 'nginx' });
+    vi.spyOn(trigger, 'getCurrentContainer').mockResolvedValue(undefined);
+
+    await expect(
+      trigger.updateContainerWithCompose('/opt/drydock/test/stack.yml', 'nginx', container),
+    ).rejects.toThrow(
+      'Unable to refresh compose service nginx from /opt/drydock/test/stack.yml because container nginx no longer exists',
+    );
+  });
+
+  test('updateContainerWithCompose should surface pullImage failures and stop before recreation', async () => {
+    trigger.configuration.dryrun = false;
+    const container = makeContainer({ name: 'nginx' });
+    vi.spyOn(trigger, 'pullImage').mockRejectedValue(new Error('pull failed'));
+    const stopContainerSpy = vi.spyOn(trigger, 'stopContainer').mockResolvedValue();
+    const createContainerSpy = vi.spyOn(trigger, 'createContainer').mockResolvedValue({
+      start: vi.fn().mockResolvedValue(undefined),
+    } as any);
+
+    await expect(
+      trigger.updateContainerWithCompose('/opt/drydock/test/stack.yml', 'nginx', container),
+    ).rejects.toThrow('pull failed');
+
+    expect(stopContainerSpy).not.toHaveBeenCalled();
+    expect(createContainerSpy).not.toHaveBeenCalled();
+  });
+
+  test('updateContainerWithCompose should surface stopAndRemoveContainer failures and skip recreation', async () => {
+    trigger.configuration.dryrun = false;
+    const container = makeContainer({ name: 'nginx' });
+    vi.spyOn(trigger, 'pullImage').mockResolvedValue();
+    vi.spyOn(trigger, 'stopContainer').mockRejectedValue(new Error('stop failed'));
+    const createContainerSpy = vi.spyOn(trigger, 'createContainer').mockResolvedValue({
+      start: vi.fn().mockResolvedValue(undefined),
+    } as any);
+
+    await expect(
+      trigger.updateContainerWithCompose('/opt/drydock/test/stack.yml', 'nginx', container),
+    ).rejects.toThrow('stop failed');
+
+    expect(createContainerSpy).not.toHaveBeenCalled();
+  });
+
+  test('updateContainerWithCompose should surface recreateContainer failures', async () => {
+    trigger.configuration.dryrun = false;
+    const container = makeContainer({ name: 'nginx' });
+    vi.spyOn(trigger, 'pullImage').mockResolvedValue();
+    vi.spyOn(trigger, 'stopContainer').mockResolvedValue();
+    vi.spyOn(trigger, 'removeContainer').mockResolvedValue();
+    vi.spyOn(trigger, 'createContainer').mockRejectedValue(new Error('create failed'));
+
+    await expect(
+      trigger.updateContainerWithCompose('/opt/drydock/test/stack.yml', 'nginx', container),
+    ).rejects.toThrow('create failed');
+  });
+
+  test('updateContainerWithCompose should throw when inspectContainer returns malformed runtime state', async () => {
+    trigger.configuration.dryrun = false;
+    const container = makeContainer({ name: 'nginx' });
+    vi.spyOn(trigger, 'inspectContainer').mockResolvedValue({
+      Config: { Image: 'nginx:1.0.0' },
+    } as any);
+
+    await expect(
+      trigger.updateContainerWithCompose('/opt/drydock/test/stack.yml', 'nginx', container),
+    ).rejects.toThrow(
+      'Unable to refresh compose service nginx from /opt/drydock/test/stack.yml because Docker inspection data is missing runtime state',
+    );
+  });
+
+  test('stopAndRemoveContainer should be a no-op with compose lifecycle log', async () => {
+    await trigger.stopAndRemoveContainer({}, {}, { name: 'nginx' }, mockLog);
+
+    expect(mockLog.info).toHaveBeenCalledWith(
+      'Skip direct stop/remove for compose-managed container nginx; using compose lifecycle',
+    );
+  });
+
+  test('recreateContainer should rewrite compose service image without routing through updateContainerWithCompose', async () => {
+    const container = makeContainer({
+      name: 'nginx',
+      labels: {
+        'dd.compose.file': '/opt/drydock/test/stack.yml',
+        'com.docker.compose.service': 'nginx',
+      },
+    });
+    const composeFileContent = [
+      'services:',
+      '  nginx:',
+      '    # existing comment',
+      '    image: nginx:1.1.0 # old image',
+      '',
+    ].join('\n');
+    vi.spyOn(trigger, 'getComposeFile').mockResolvedValue(Buffer.from(composeFileContent));
+    const writeComposeFileSpy = vi.spyOn(trigger, 'writeComposeFile').mockResolvedValue();
+    const composeUpdateSpy = vi.spyOn(trigger, 'updateContainerWithCompose');
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: { image: 'nginx:1.1.0' } }),
+    );
+
+    await trigger.recreateContainer(
+      mockDockerApi,
+      {
+        State: { Running: false },
+        Config: { Image: 'nginx:1.1.0' },
+      },
+      'nginx:1.0.0',
+      container,
+      mockLog,
+    );
+
+    expect(writeComposeFileSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/stack.yml',
+      expect.stringContaining('nginx:1.0.0'),
+    );
+    expect(writeComposeFileSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/stack.yml',
+      expect.stringContaining('# existing comment'),
+    );
+    expect(composeUpdateSpy).not.toHaveBeenCalled();
+  });
+
+  test('recreateContainer should fallback to registry-derived image when current spec image is missing', async () => {
+    const container = makeContainer({
+      name: 'nginx',
+      labels: {
+        'dd.compose.file': '/opt/drydock/test/stack.yml',
+        'com.docker.compose.service': 'nginx',
+      },
+    });
+    const composeFileContent = ['services:', '  nginx:', '    image: nginx:1.1.0', ''].join('\n');
+    vi.spyOn(trigger, 'getComposeFile').mockResolvedValue(Buffer.from(composeFileContent));
+    vi.spyOn(trigger, 'writeComposeFile').mockResolvedValue();
+    const resolveContextSpy = vi.spyOn(trigger, 'resolveComposeServiceContext');
+    vi.spyOn(trigger, 'updateContainerWithCompose').mockResolvedValue();
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: { image: 'nginx:1.1.0' } }),
+    );
+
+    await trigger.recreateContainer(
+      mockDockerApi,
+      {
+        State: { Running: true },
+        Config: {},
+      },
+      'nginx:1.0.0',
+      container,
+      mockLog,
+    );
+
+    expect(resolveContextSpy).toHaveBeenCalledWith(container, 'nginx:1.0.0');
+  });
+
+  test('recreateContainer integration should update compose image and recreate via Docker API without pull', async () => {
+    trigger.configuration.dryrun = false;
+    const container = makeContainer({
+      name: 'nginx',
+      labels: {
+        'dd.compose.file': '/opt/drydock/test/stack.yml',
+        'com.docker.compose.service': 'nginx',
+      },
+    });
+    const composeFileContent = ['services:', '  nginx:', '    image: nginx:1.1.0', ''].join('\n');
+    vi.spyOn(trigger, 'getComposeFile').mockResolvedValue(Buffer.from(composeFileContent));
+    const writeComposeFileSpy = vi.spyOn(trigger, 'writeComposeFile').mockResolvedValue();
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: { image: 'nginx:1.1.0' } }),
+    );
+    const pullImageSpy = vi.spyOn(trigger, 'pullImage').mockResolvedValue();
+    const createContainerSpy = vi.spyOn(trigger, 'createContainer').mockResolvedValue({
+      start: vi.fn().mockResolvedValue(undefined),
+    } as any);
+
+    await trigger.recreateContainer(
+      mockDockerApi,
+      {
+        State: { Running: true },
+        Config: { Image: 'nginx:1.1.0' },
+      },
+      'nginx:1.0.0',
+      container,
+      mockLog,
+    );
+
+    expect(writeComposeFileSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/stack.yml',
+      expect.stringContaining('nginx:1.0.0'),
+    );
+    expect(pullImageSpy).not.toHaveBeenCalled();
+    expect(createContainerSpy).toHaveBeenCalledTimes(1);
+  });
+
+  test('executeSelfUpdate should delegate to parent self-update transition with hydrated runtime context', async () => {
+    trigger.configuration.dryrun = false;
+    const container = makeContainer({
+      name: 'drydock',
+      imageName: 'codeswhat/drydock',
+      labels: {
+        'dd.compose.file': '/opt/drydock/test/stack.yml',
+        'com.docker.compose.service': 'drydock',
+      },
+    });
+    const composeContext = {
+      composeFile: '/opt/drydock/test/stack.yml',
+      service: 'drydock',
+      serviceDefinition: {},
+    };
+    const currentContainer = makeDockerContainerHandle();
+    const currentContainerSpec = {
+      Id: 'current-id',
+      Name: '/drydock',
+      State: { Running: true },
+      HostConfig: {
+        Binds: ['/var/run/docker.sock:/var/run/docker.sock'],
+      },
+    };
+
+    const getCurrentContainerSpy = vi
+      .spyOn(trigger, 'getCurrentContainer')
+      .mockResolvedValue(currentContainer);
+    const inspectContainerSpy = vi
+      .spyOn(trigger, 'inspectContainer')
+      .mockResolvedValue(currentContainerSpec as any);
+    const orchestratorExecuteSpy = vi
+      .spyOn(trigger.selfUpdateOrchestrator, 'execute')
+      .mockResolvedValue(true);
+    const composeUpdateSpy = vi.spyOn(trigger, 'updateContainerWithCompose').mockResolvedValue();
+    const hooksSpy = vi.spyOn(trigger, 'runServicePostStartHooks').mockResolvedValue();
+
+    const updated = await trigger.executeSelfUpdate(
+      {
+        dockerApi: mockDockerApi,
+        registry: getState().registry.hub,
+        auth: {},
+        newImage: 'codeswhat/drydock:1.1.0',
+        currentContainer: null,
+        currentContainerSpec: null,
+      },
+      container,
+      mockLog,
+      undefined,
+      composeContext,
+    );
+
+    expect(updated).toBe(true);
+    expect(getCurrentContainerSpy).toHaveBeenCalledWith(mockDockerApi, container);
+    expect(inspectContainerSpy).toHaveBeenCalledWith(currentContainer, mockLog);
+    expect(orchestratorExecuteSpy).toHaveBeenCalledWith(
+      expect.objectContaining({
+        currentContainer,
+        currentContainerSpec,
+      }),
+      container,
+      mockLog,
+      undefined,
+    );
+    expect(composeUpdateSpy).not.toHaveBeenCalled();
+    expect(hooksSpy).not.toHaveBeenCalled();
+  });
+
+  test('executeSelfUpdate should reuse current container and inspection from context when available', async () => {
+    trigger.configuration.dryrun = false;
+    const container = makeContainer({
+      name: 'drydock',
+      imageName: 'codeswhat/drydock',
+      labels: {
+        'dd.compose.file': '/opt/drydock/test/stack.yml',
+        'com.docker.compose.service': 'drydock',
+      },
+    });
+    const composeContext = {
+      composeFile: '/opt/drydock/test/stack.yml',
+      service: 'drydock',
+      serviceDefinition: {},
+    };
+    const currentContainer = makeDockerContainerHandle({ id: 'context-container-id' });
+    const currentContainerSpec = {
+      Id: 'context-id',
+      Name: '/drydock',
+      State: { Running: true },
+      HostConfig: {
+        Binds: ['/var/run/docker.sock:/var/run/docker.sock'],
+      },
+    };
+
+    const getCurrentContainerSpy = vi
+      .spyOn(trigger, 'getCurrentContainer')
+      .mockResolvedValue(makeDockerContainerHandle({ id: 'fetched-id' }));
+    const inspectContainerSpy = vi.spyOn(trigger, 'inspectContainer').mockResolvedValue({
+      Id: 'fetched-id',
+      State: { Running: true },
+    } as any);
+    const orchestratorExecuteSpy = vi
+      .spyOn(trigger.selfUpdateOrchestrator, 'execute')
+      .mockResolvedValue(true);
+
+    const updated = await trigger.executeSelfUpdate(
+      {
+        dockerApi: mockDockerApi,
+        registry: getState().registry.hub,
+        auth: {},
+        newImage: 'codeswhat/drydock:1.1.0',
+        currentContainer,
+        currentContainerSpec,
+      },
+      container,
+      mockLog,
+      'op-self-update-context',
+      composeContext,
+    );
+
+    expect(updated).toBe(true);
+    expect(getCurrentContainerSpy).not.toHaveBeenCalled();
+    expect(inspectContainerSpy).not.toHaveBeenCalled();
+    expect(orchestratorExecuteSpy).toHaveBeenCalledWith(
+      expect.objectContaining({
+        currentContainer,
+        currentContainerSpec,
+      }),
+      container,
+      mockLog,
+      'op-self-update-context',
+    );
+  });
+
+  test('executeSelfUpdate should inspect context current container when inspection is missing', async () => {
+    trigger.configuration.dryrun = false;
+    const container = makeContainer({
+      name: 'drydock',
+      imageName: 'codeswhat/drydock',
+      labels: {
+        'dd.compose.file': '/opt/drydock/test/stack.yml',
+        'com.docker.compose.service': 'drydock',
+      },
+    });
+    const composeContext = {
+      composeFile: '/opt/drydock/test/stack.yml',
+      service: 'drydock',
+      serviceDefinition: {},
+    };
+    const currentContainer = makeDockerContainerHandle({ id: 'context-container-id' });
+    const currentContainerSpec = {
+      Id: 'context-inspected-id',
+      Name: '/drydock',
+      State: { Running: true },
+      HostConfig: {
+        Binds: ['/var/run/docker.sock:/var/run/docker.sock'],
+      },
+    };
+
+    const getCurrentContainerSpy = vi
+      .spyOn(trigger, 'getCurrentContainer')
+      .mockResolvedValue(makeDockerContainerHandle({ id: 'fetched-id' }));
+    const inspectContainerSpy = vi
+      .spyOn(trigger, 'inspectContainer')
+      .mockResolvedValue(currentContainerSpec as any);
+    const orchestratorExecuteSpy = vi
+      .spyOn(trigger.selfUpdateOrchestrator, 'execute')
+      .mockResolvedValue(true);
+
+    const updated = await trigger.executeSelfUpdate(
+      {
+        dockerApi: mockDockerApi,
+        registry: getState().registry.hub,
+        auth: {},
+        newImage: 'codeswhat/drydock:1.1.0',
+        currentContainer,
+        currentContainerSpec: null,
+      },
+      container,
+      mockLog,
+      undefined,
+      composeContext,
+    );
+
+    expect(updated).toBe(true);
+    expect(getCurrentContainerSpy).not.toHaveBeenCalled();
+    expect(inspectContainerSpy).toHaveBeenCalledWith(currentContainer, mockLog);
+    expect(orchestratorExecuteSpy).toHaveBeenCalledWith(
+      expect.objectContaining({
+        currentContainer,
+        currentContainerSpec,
+      }),
+      container,
+      mockLog,
+      undefined,
+    );
+  });
+
+  test('performContainerUpdate should throw when compose context is missing', async () => {
+    await expect(
+      trigger.performContainerUpdate(
+        {},
+        {
+          name: 'missing-container',
+        },
+      ),
+    ).rejects.toThrow('Missing compose context for container missing-container');
+  });
+
+  test('executeSelfUpdate should throw when compose context is missing', async () => {
+    await expect(
+      trigger.executeSelfUpdate(
+        {
+          dockerApi: mockDockerApi,
+          registry: getState().registry.hub,
+          auth: {},
+          newImage: 'codeswhat/drydock:1.1.0',
+          currentContainer: null,
+          currentContainerSpec: null,
+        },
+        {
+          name: 'drydock',
+        },
+        mockLog,
+      ),
+    ).rejects.toThrow('Missing compose context for self-update container drydock');
+  });
+
+  test('executeSelfUpdate should skip work in dry-run mode', async () => {
+    trigger.configuration.dryrun = true;
+    const composeContext = {
+      composeFile: '/opt/drydock/test/stack.yml',
+      service: 'drydock',
+      serviceDefinition: {},
+    };
+    const composeUpdateSpy = vi.spyOn(trigger, 'updateContainerWithCompose').mockResolvedValue();
+    const hooksSpy = vi.spyOn(trigger, 'runServicePostStartHooks').mockResolvedValue();
+    const getCurrentContainerSpy = vi
+      .spyOn(trigger, 'getCurrentContainer')
+      .mockResolvedValue(makeDockerContainerHandle());
+    const orchestratorExecuteSpy = vi
+      .spyOn(trigger.selfUpdateOrchestrator, 'execute')
+      .mockResolvedValue(true);
+
+    const updated = await trigger.executeSelfUpdate(
+      {
+        dockerApi: mockDockerApi,
+        registry: getState().registry.hub,
+        auth: {},
+        newImage: 'codeswhat/drydock:1.1.0',
+        currentContainer: null,
+        currentContainerSpec: null,
+      },
+      {
+        name: 'drydock',
+      },
+      mockLog,
+      undefined,
+      composeContext,
+    );
+
+    expect(updated).toBe(false);
+    expect(composeUpdateSpy).not.toHaveBeenCalled();
+    expect(hooksSpy).not.toHaveBeenCalled();
+    expect(getCurrentContainerSpy).not.toHaveBeenCalled();
+    expect(orchestratorExecuteSpy).not.toHaveBeenCalled();
+    expect(mockLog.info).toHaveBeenCalledWith(
+      'Do not replace the existing container because dry-run mode is enabled',
+    );
+  });
+
+  test('resolveComposeFilePath should allow absolute compose files while blocking relative traversal when boundary is enforced', () => {
+    const composeFilePathOutsideWorkingDirectory = path.resolve(
+      process.cwd(),
+      '..',
+      'outside',
+      'stack.yml',
+    );
+
+    expect(trigger.resolveComposeFilePath(composeFilePathOutsideWorkingDirectory)).toBe(
+      composeFilePathOutsideWorkingDirectory,
+    );
+    expect(
+      trigger.resolveComposeFilePath(composeFilePathOutsideWorkingDirectory, {
+        enforceWorkingDirectoryBoundary: true,
+      }),
+    ).toBe(composeFilePathOutsideWorkingDirectory);
+    expect(() =>
+      trigger.resolveComposeFilePath('../outside/stack.yml', {
+        enforceWorkingDirectoryBoundary: true,
+      }),
+    ).toThrow(/Compose file path must stay inside/);
+    expect(() =>
+      trigger.resolveComposeFilePath(composeFilePathOutsideWorkingDirectory, {
+        enforceWorkingDirectoryBoundary: true,
+      }),
+    ).not.toThrow();
+  });
+
+  test('resolveComposeFilePathFromDirectory should return original path when target is a file', async () => {
+    fs.stat.mockResolvedValueOnce({
+      isDirectory: () => false,
+      mtimeMs: 1_700_000_000_000,
+    } as any);
+
+    const resolved = await trigger.resolveComposeFilePathFromDirectory(
+      '/opt/drydock/test/stack.yml',
+    );
+
+    expect(resolved).toBe('/opt/drydock/test/stack.yml');
+  });
+
+  test('resolveComposeFilePathFromDirectory should warn and return null when directory has no compose candidates', async () => {
+    fs.stat.mockResolvedValueOnce({
+      isDirectory: () => true,
+      mtimeMs: 1_700_000_000_000,
+    } as any);
+    const missingComposeFileError = Object.assign(new Error('ENOENT'), { code: 'ENOENT' });
+    fs.access
+      .mockRejectedValueOnce(missingComposeFileError)
+      .mockRejectedValueOnce(missingComposeFileError)
+      .mockRejectedValueOnce(missingComposeFileError)
+      .mockRejectedValueOnce(missingComposeFileError);
+
+    const resolved = await trigger.resolveComposeFilePathFromDirectory('/opt/drydock/test/stack');
+
+    expect(resolved).toBeNull();
+    expect(mockLog.warn).toHaveBeenCalledWith(
+      expect.stringContaining('does not contain a compose file candidate'),
+    );
+  });
+
+  test('resolveComposeServiceContext should throw when no compose file is configured', async () => {
+    trigger.configuration.file = undefined;
+
+    await expect(
+      trigger.resolveComposeServiceContext(
+        {
+          name: 'nginx',
+          watcher: 'local',
+        },
+        'nginx:1.0.0',
+      ),
+    ).rejects.toThrow('No compose file configured for nginx');
+  });
+
+  test('resolveComposeServiceContext should throw when service cannot be resolved from compose file', async () => {
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ redis: { image: 'redis:7.0.0' } }),
+    );
+
+    await expect(
+      trigger.resolveComposeServiceContext(
+        {
+          name: 'nginx',
+          watcher: 'local',
+          labels: {
+            'dd.compose.file': '/opt/drydock/test/stack.yml',
+          },
+          image: {
+            name: 'nginx',
+            registry: { name: 'hub' },
+            tag: { value: '1.0.0' },
+          },
+        },
+        'nginx:1.0.0',
+      ),
+    ).rejects.toThrow(
+      'Unable to resolve compose service for nginx from /opt/drydock/test/stack.yml',
+    );
+  });
+
+  test('resolveComposeServiceContext should return compose file chain and deterministic writable file', async () => {
+    vi.spyOn(trigger, 'getComposeFileAsObject')
+      .mockResolvedValueOnce(makeCompose({ nginx: { image: 'nginx:1.0.0' } }))
+      .mockResolvedValueOnce(makeCompose({ nginx: { image: 'nginx:1.1.0' } }));
+
+    const context = await trigger.resolveComposeServiceContext(
+      {
+        name: 'nginx',
+        watcher: 'local',
+        labels: {
+          'com.docker.compose.project.config_files':
+            '/opt/drydock/test/stack.yml,/opt/drydock/test/stack.override.yml',
+          'com.docker.compose.service': 'nginx',
+        },
+        image: {
+          name: 'nginx',
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0' },
+        },
+      },
+      'nginx:1.0.0',
+    );
+
+    expect(context.composeFiles).toEqual([
+      '/opt/drydock/test/stack.yml',
+      '/opt/drydock/test/stack.override.yml',
+    ]);
+    expect(context.composeFile).toBe('/opt/drydock/test/stack.override.yml');
+  });
+
+  // -----------------------------------------------------------------------
+  // runServicePostStartHooks
+  // -----------------------------------------------------------------------
+
+  test('runServicePostStartHooks should execute configured hooks on recreated container', async () => {
+    trigger.configuration.dryrun = false;
+    const container = { name: 'netbox', watcher: 'local' };
+    const { recreatedContainer, mockExec } = makeExecMocks();
+    mockDockerApi.getContainer.mockReturnValue(recreatedContainer);
+
+    await trigger.runServicePostStartHooks(container, 'netbox', {
+      post_start: [
+        {
+          command: 'echo hello',
+          user: 'root',
+          working_dir: '/tmp',
+          privileged: true,
+          environment: { TEST: '1' },
+        },
+      ],
+    });
+
+    expect(recreatedContainer.exec).toHaveBeenCalledWith(
+      expect.objectContaining({
+        Cmd: ['sh', '-c', 'echo hello'],
+        User: 'root',
+        WorkingDir: '/tmp',
+        Privileged: true,
+        Env: ['TEST=1'],
+      }),
+    );
+    expect(mockExec.inspect).toHaveBeenCalledTimes(1);
+  });
+
+  test('runServicePostStartHooks should support string hook syntax', async () => {
+    trigger.configuration.dryrun = false;
+    const container = { name: 'netbox', watcher: 'local' };
+    const { recreatedContainer } = makeExecMocks();
+    mockDockerApi.getContainer.mockReturnValue(recreatedContainer);
+
+    await trigger.runServicePostStartHooks(container, 'netbox', {
+      post_start: ['echo hello'],
+    });
+
+    expect(recreatedContainer.exec).toHaveBeenCalledWith(
+      expect.objectContaining({
+        Cmd: ['sh', '-c', 'echo hello'],
+      }),
+    );
+  });
+
+  test('runServicePostStartHooks should skip when dryrun is true', async () => {
+    trigger.configuration.dryrun = true;
+    const container = { name: 'netbox', watcher: 'local' };
+
+    await trigger.runServicePostStartHooks(container, 'netbox', {
+      post_start: ['echo hello'],
+    });
+
+    expect(mockDockerApi.getContainer).not.toHaveBeenCalled();
+  });
+
+  test('runServicePostStartHooks should skip when service has no post_start', async () => {
+    trigger.configuration.dryrun = false;
+    const container = { name: 'netbox', watcher: 'local' };
+
+    await trigger.runServicePostStartHooks(container, 'netbox', {});
+
+    expect(mockDockerApi.getContainer).not.toHaveBeenCalled();
+  });
+
+  test('runServicePostStartHooks should warn when watcher dockerApi is unavailable', async () => {
+    trigger.configuration.dryrun = false;
+
+    await trigger.runServicePostStartHooks(
+      {
+        name: 'ghost',
+        watcher: 'missing',
+      },
+      'ghost',
+      { post_start: ['echo hello'] },
+    );
+
+    expect(mockLog.warn).toHaveBeenCalledWith(
+      'Skip compose post_start hooks for ghost (ghost) because watcher Docker API is unavailable',
+    );
+  });
+
+  test('runServicePostStartHooks should skip when container is not running', async () => {
+    trigger.configuration.dryrun = false;
+    const container = { name: 'netbox', watcher: 'local' };
+    const recreatedContainer = {
+      inspect: vi.fn().mockResolvedValue({
+        State: { Running: false },
+      }),
+    };
+    mockDockerApi.getContainer.mockReturnValue(recreatedContainer);
+
+    await trigger.runServicePostStartHooks(container, 'netbox', {
+      post_start: ['echo hello'],
+    });
+
+    expect(mockLog.info).toHaveBeenCalledWith(expect.stringContaining('not running'));
+  });
+
+  test('runServicePostStartHooks should skip hook with no command', async () => {
+    trigger.configuration.dryrun = false;
+    const container = { name: 'netbox', watcher: 'local' };
+    const recreatedContainer = {
+      inspect: vi.fn().mockResolvedValue({
+        State: { Running: true },
+      }),
+      exec: vi.fn(),
+    };
+    mockDockerApi.getContainer.mockReturnValue(recreatedContainer);
+
+    await trigger.runServicePostStartHooks(container, 'netbox', {
+      post_start: [{ user: 'root' }],
+    });
+
+    expect(mockLog.warn).toHaveBeenCalledWith(expect.stringContaining('command is missing'));
+    expect(recreatedContainer.exec).not.toHaveBeenCalled();
+  });
+
+  test('runServicePostStartHooks should throw on non-zero exit code', async () => {
+    trigger.configuration.dryrun = false;
+    const container = { name: 'netbox', watcher: 'local' };
+    const { recreatedContainer } = makeExecMocks({ exitCode: 1, streamEvent: 'end' });
+    mockDockerApi.getContainer.mockReturnValue(recreatedContainer);
+
+    await expect(
+      trigger.runServicePostStartHooks(container, 'netbox', {
+        post_start: ['failing-command'],
+      }),
+    ).rejects.toThrow('exit code 1');
+  });
+
+  test('runServicePostStartHooks should handle exec stream error', async () => {
+    trigger.configuration.dryrun = false;
+    const container = { name: 'netbox', watcher: 'local' };
+    const { recreatedContainer } = makeExecMocks({
+      streamError: new Error('stream failure'),
+    });
+    mockDockerApi.getContainer.mockReturnValue(recreatedContainer);
+
+    await expect(
+      trigger.runServicePostStartHooks(container, 'netbox', {
+        post_start: ['echo hello'],
+      }),
+    ).rejects.toThrow('stream failure');
+  });
+
+  test('runServicePostStartHooks should handle stream without resume', async () => {
+    trigger.configuration.dryrun = false;
+    const container = { name: 'netbox', watcher: 'local' };
+    const { recreatedContainer, mockExec } = makeExecMocks({ hasResume: false });
+    mockDockerApi.getContainer.mockReturnValue(recreatedContainer);
+
+    await trigger.runServicePostStartHooks(container, 'netbox', {
+      post_start: ['echo hello'],
+    });
+
+    expect(mockExec.inspect).toHaveBeenCalled();
+  });
+
+  test('runServicePostStartHooks should handle stream without once', async () => {
+    trigger.configuration.dryrun = false;
+    const container = { name: 'netbox', watcher: 'local' };
+    const { recreatedContainer, mockExec } = makeExecMocks({ hasOnce: false });
+    mockDockerApi.getContainer.mockReturnValue(recreatedContainer);
+
+    await trigger.runServicePostStartHooks(container, 'netbox', {
+      post_start: ['echo hello'],
+    });
+
+    expect(mockExec.inspect).toHaveBeenCalled();
+  });
+
+  test('runServicePostStartHooks should support array command form', async () => {
+    trigger.configuration.dryrun = false;
+    const container = { name: 'netbox', watcher: 'local' };
+    const { recreatedContainer } = makeExecMocks();
+    mockDockerApi.getContainer.mockReturnValue(recreatedContainer);
+
+    await trigger.runServicePostStartHooks(container, 'netbox', {
+      post_start: [{ command: ['echo', 'hello'] }],
+    });
+
+    expect(recreatedContainer.exec).toHaveBeenCalledWith(
+      expect.objectContaining({
+        Cmd: ['echo', 'hello'],
+      }),
+    );
+  });
+
+  test('runServicePostStartHooks should support environment as array', async () => {
+    trigger.configuration.dryrun = false;
+    const container = { name: 'netbox', watcher: 'local' };
+    const { recreatedContainer } = makeExecMocks();
+    mockDockerApi.getContainer.mockReturnValue(recreatedContainer);
+
+    await trigger.runServicePostStartHooks(container, 'netbox', {
+      post_start: [{ command: 'echo hello', environment: ['FOO=bar', 'BAZ=1'] }],
+    });
+
+    expect(recreatedContainer.exec).toHaveBeenCalledWith(
+      expect.objectContaining({
+        Env: ['FOO=bar', 'BAZ=1'],
+      }),
+    );
+  });
+
+  test('runServicePostStartHooks should support environment array entries without equals sign', async () => {
+    trigger.configuration.dryrun = false;
+    const container = { name: 'netbox', watcher: 'local' };
+    const { recreatedContainer } = makeExecMocks();
+    mockDockerApi.getContainer.mockReturnValue(recreatedContainer);
+
+    await trigger.runServicePostStartHooks(container, 'netbox', {
+      post_start: [{ command: 'echo hello', environment: ['FOO', 'BAR=1'] }],
+    });
+
+    expect(recreatedContainer.exec).toHaveBeenCalledWith(
+      expect.objectContaining({
+        Env: ['FOO', 'BAR=1'],
+      }),
+    );
+  });
+
+  test('runServicePostStartHooks should reject object environment with invalid key', async () => {
+    trigger.configuration.dryrun = false;
+    const container = { name: 'netbox', watcher: 'local' };
+    const { recreatedContainer } = makeExecMocks();
+    mockDockerApi.getContainer.mockReturnValue(recreatedContainer);
+
+    await expect(
+      trigger.runServicePostStartHooks(container, 'netbox', {
+        post_start: [{ command: 'echo hello', environment: { 'INVALID-KEY': '1' } }],
+      }),
+    ).rejects.toThrow('Invalid compose post_start environment variable key "INVALID-KEY"');
+
+    expect(recreatedContainer.exec).not.toHaveBeenCalled();
+  });
+
+  test('runServicePostStartHooks should reject array environment with invalid key', async () => {
+    trigger.configuration.dryrun = false;
+    const container = { name: 'netbox', watcher: 'local' };
+    const { recreatedContainer } = makeExecMocks();
+    mockDockerApi.getContainer.mockReturnValue(recreatedContainer);
+
+    await expect(
+      trigger.runServicePostStartHooks(container, 'netbox', {
+        post_start: [{ command: 'echo hello', environment: ['INVALID-KEY=1'] }],
+      }),
+    ).rejects.toThrow('Invalid compose post_start environment variable key "INVALID-KEY"');
+
+    expect(recreatedContainer.exec).not.toHaveBeenCalled();
+  });
+
+  test('runServicePostStartHooks should normalize single post_start hook (not array)', async () => {
+    trigger.configuration.dryrun = false;
+    const container = { name: 'netbox', watcher: 'local' };
+    const { recreatedContainer } = makeExecMocks();
+    mockDockerApi.getContainer.mockReturnValue(recreatedContainer);
+
+    await trigger.runServicePostStartHooks(container, 'netbox', {
+      post_start: { command: 'echo hello' },
+    });
+
+    expect(recreatedContainer.exec).toHaveBeenCalledWith(
+      expect.objectContaining({
+        Cmd: ['sh', '-c', 'echo hello'],
+      }),
+    );
+  });
+
+  test('runServicePostStartHooks should return early when normalized hooks array is empty', async () => {
+    trigger.configuration.dryrun = false;
+    const container = { name: 'netbox', watcher: 'local' };
+
+    await trigger.runServicePostStartHooks(container, 'netbox', {
+      post_start: [],
+    });
+
+    expect(mockDockerApi.getContainer).not.toHaveBeenCalled();
+  });
+
+  test('runServicePostStartHooks should handle environment with null values', async () => {
+    trigger.configuration.dryrun = false;
+    const container = { name: 'netbox', watcher: 'local' };
+    const { recreatedContainer } = makeExecMocks();
+    mockDockerApi.getContainer.mockReturnValue(recreatedContainer);
+
+    await trigger.runServicePostStartHooks(container, 'netbox', {
+      post_start: [{ command: 'echo hello', environment: { KEY: null } }],
+    });
+
+    expect(recreatedContainer.exec).toHaveBeenCalledWith(
+      expect.objectContaining({
+        Env: ['KEY='],
+      }),
+    );
+  });
+
+  test('runServicePostStartHooks should JSON-stringify object environment values', async () => {
+    trigger.configuration.dryrun = false;
+    const container = { name: 'netbox', watcher: 'local' };
+    const { recreatedContainer } = makeExecMocks();
+    mockDockerApi.getContainer.mockReturnValue(recreatedContainer);
+
+    await trigger.runServicePostStartHooks(container, 'netbox', {
+      post_start: [{ command: 'echo hello', environment: { KEY: { nested: 'value' } } }],
+    });
+
+    expect(recreatedContainer.exec).toHaveBeenCalledWith(
+      expect.objectContaining({
+        Env: ['KEY={"nested":"value"}'],
+      }),
+    );
+  });
+
+  // -----------------------------------------------------------------------
+});
diff --git a/app/triggers/providers/dockercompose/Dockercompose.compose-resolution-and-init.test.ts b/app/triggers/providers/dockercompose/Dockercompose.compose-resolution-and-init.test.ts
new file mode 100644
index 000000000..c524d694e
--- /dev/null
+++ b/app/triggers/providers/dockercompose/Dockercompose.compose-resolution-and-init.test.ts
@@ -0,0 +1,483 @@
+import { watch } from 'node:fs';
+import fs from 'node:fs/promises';
+import yaml from 'yaml';
+import { getState } from '../../../registry/index.js';
+import Dockercompose, {
+  testable_hasExplicitRegistryHost,
+  testable_normalizeImplicitLatest,
+  testable_normalizePostStartEnvironmentValue,
+  testable_normalizePostStartHooks,
+  testable_updateComposeServiceImageInText,
+} from './Dockercompose.js';
+import { setupDockercomposeTestContext } from './Dockercompose.test.helpers.js';
+
+vi.mock('../../../registry', () => ({
+  getState: vi.fn(),
+}));
+
+vi.mock('../../../event/index.js', () => ({
+  emitContainerUpdateApplied: vi.fn().mockResolvedValue(undefined),
+  emitContainerUpdateFailed: vi.fn().mockResolvedValue(undefined),
+  emitSecurityAlert: vi.fn().mockResolvedValue(undefined),
+  emitSelfUpdateStarting: vi.fn(),
+}));
+
+vi.mock('../../../model/container.js', async (importOriginal) => {
+  const actual = await importOriginal();
+  return {
+    ...actual,
+    fullName: vi.fn((c) => `test_${c.name}`),
+  };
+});
+
+vi.mock('../../../store/backup', () => ({
+  insertBackup: vi.fn(),
+  pruneOldBackups: vi.fn(),
+  getBackupsByName: vi.fn().mockReturnValue([]),
+}));
+
+// Modules used by the shared lifecycle (inherited from Docker trigger)
+vi.mock('../../../configuration/index.js', async () => {
+  const actual = await vi.importActual('../../../configuration/index.js');
+  return { ...actual, getSecurityConfiguration: vi.fn().mockReturnValue({ enabled: false }) };
+});
+vi.mock('../../../store/audit.js', () => ({ insertAudit: vi.fn() }));
+vi.mock('../../../prometheus/audit.js', () => ({ getAuditCounter: vi.fn().mockReturnValue(null) }));
+vi.mock('../../../security/scan.js', () => ({
+  scanImageForVulnerabilities: vi.fn(),
+  verifyImageSignature: vi.fn(),
+  generateImageSbom: vi.fn(),
+  clearDigestScanCache: vi.fn(),
+  getDigestScanCacheSize: vi.fn().mockReturnValue(0),
+  updateDigestScanCache: vi.fn(),
+  scanImageWithDedup: vi.fn(),
+}));
+vi.mock('../../../store/container.js', () => ({
+  getContainer: vi.fn(),
+  updateContainer: vi.fn(),
+  cacheSecurityState: vi.fn(),
+}));
+vi.mock('../../hooks/HookRunner.js', () => ({ runHook: vi.fn() }));
+vi.mock('../docker/HealthMonitor.js', () => ({ startHealthMonitor: vi.fn() }));
+
+vi.mock('node:fs', async (importOriginal) => {
+  const actual = await importOriginal();
+  return {
+    ...actual,
+    watch: vi.fn(),
+  };
+});
+
+vi.mock('../../../util/sleep.js', () => ({
+  sleep: vi.fn().mockResolvedValue(undefined),
+}));
+
+vi.mock('node:fs/promises', async (importOriginal) => {
+  const actual = await importOriginal();
+  return {
+    ...actual,
+    default: {
+      ...actual.default,
+      access: vi.fn().mockResolvedValue(undefined),
+      copyFile: vi.fn().mockResolvedValue(undefined),
+      readFile: vi.fn().mockResolvedValue(Buffer.from('')),
+      writeFile: vi.fn().mockResolvedValue(undefined),
+      rename: vi.fn().mockResolvedValue(undefined),
+      unlink: vi.fn().mockResolvedValue(undefined),
+      stat: vi.fn().mockResolvedValue({ mtimeMs: Date.now() }),
+    },
+    access: vi.fn().mockResolvedValue(undefined),
+    copyFile: vi.fn().mockResolvedValue(undefined),
+    readFile: vi.fn().mockResolvedValue(Buffer.from('')),
+    writeFile: vi.fn().mockResolvedValue(undefined),
+    rename: vi.fn().mockResolvedValue(undefined),
+    unlink: vi.fn().mockResolvedValue(undefined),
+    stat: vi.fn().mockResolvedValue({ mtimeMs: Date.now() }),
+  };
+});
+
+describe('Dockercompose Trigger', () => {
+  let trigger;
+  let mockLog;
+  let mockDockerApi;
+
+  beforeEach(() => {
+    ({ trigger, mockLog, mockDockerApi } = setupDockercomposeTestContext({
+      DockercomposeCtor: Dockercompose,
+      watchMock: watch,
+      getStateMock: getState,
+    }));
+  });
+
+  // getComposeFileForContainer
+  // -----------------------------------------------------------------------
+
+  test('getComposeFileForContainer should use label from container', () => {
+    const container = {
+      labels: { 'dd.compose.file': '/opt/compose.yml' },
+    };
+
+    const result = trigger.getComposeFileForContainer(container);
+
+    expect(result).toBe('/opt/compose.yml');
+  });
+
+  test('getComposeFileForContainer should use wud fallback label', () => {
+    const container = {
+      labels: { 'wud.compose.file': '/opt/wud-compose.yml' },
+    };
+
+    const result = trigger.getComposeFileForContainer(container);
+
+    expect(result).toBe('/opt/wud-compose.yml');
+  });
+
+  test('getComposeFileForContainer should use the first compose config file from compose labels', () => {
+    const container = {
+      labels: {
+        'com.docker.compose.project.config_files':
+          '/opt/drydock/test/stack.yml,/opt/drydock/test/stack.override.yml',
+      },
+    };
+
+    const result = trigger.getComposeFileForContainer(container);
+
+    expect(result).toBe('/opt/drydock/test/stack.yml');
+  });
+
+  test('getComposeFileForContainer should resolve relative label paths', () => {
+    const container = {
+      labels: { 'dd.compose.file': 'relative/compose.yml' },
+    };
+
+    const result = trigger.getComposeFileForContainer(container);
+
+    expect(result).toMatch(/\/.*relative\/compose\.yml$/);
+    expect(result).not.toBe('relative/compose.yml');
+  });
+
+  test('getComposeFileForContainer should return null when no label and no default file', () => {
+    trigger.configuration.file = undefined;
+    const container = { labels: {} };
+
+    const result = trigger.getComposeFileForContainer(container);
+
+    expect(result).toBeNull();
+  });
+
+  test('getComposeFileForContainer should fall back to default config file', () => {
+    trigger.configuration.file = '/default/compose.yml';
+    const container = { labels: {} };
+
+    const result = trigger.getComposeFileForContainer(container);
+
+    expect(result).toBe('/default/compose.yml');
+  });
+
+  test('getComposeFileForContainer should return null and warn when label value is invalid', () => {
+    const container = {
+      name: 'broken',
+      labels: { 'dd.compose.file': '\0bad' },
+    };
+
+    const result = trigger.getComposeFileForContainer(container);
+
+    expect(result).toBeNull();
+    expect(mockLog.warn).toHaveBeenCalledWith(expect.stringContaining('is invalid'));
+  });
+
+  test('getComposeFileForContainer should return null and warn when default path is invalid', () => {
+    trigger.configuration.file = '\0broken';
+    const container = { labels: {} };
+
+    const result = trigger.getComposeFileForContainer(container);
+
+    expect(result).toBeNull();
+    expect(mockLog.warn).toHaveBeenCalledWith(
+      expect.stringContaining('Default compose file path is invalid'),
+    );
+  });
+
+  test('getComposeFilesForContainer should prefer legacy label over compose project labels', () => {
+    const container = {
+      name: 'with-both-labels',
+      labels: {
+        'dd.compose.file': '/opt/drydock/test/legacy.yml',
+        'com.docker.compose.project.config_files':
+          '/opt/drydock/test/stack.yml,/opt/drydock/test/stack.override.yml',
+      },
+    };
+
+    const result = trigger.getComposeFilesForContainer(container);
+
+    expect(result).toEqual(['/opt/drydock/test/legacy.yml']);
+  });
+
+  test('getWritableComposeFileForService should throw when compose file chain is empty', async () => {
+    await expect(trigger.getWritableComposeFileForService([], 'nginx')).rejects.toThrow(
+      'Cannot resolve writable compose file for service nginx because compose file chain is empty',
+    );
+    expect(fs.access).not.toHaveBeenCalled();
+  });
+
+  test('triggerBatch should fallback to inspect labels for compose config files when cached labels do not include them', async () => {
+    fs.access.mockResolvedValue(undefined);
+    mockDockerApi.getContainer.mockReturnValue({
+      inspect: vi.fn().mockResolvedValue({
+        Config: {
+          Labels: {
+            'com.docker.compose.project.config_files':
+              '/opt/drydock/test/stack.yml,/opt/drydock/test/stack.override.yml',
+          },
+        },
+      }),
+    });
+    const container = { name: 'inspected', watcher: 'local', labels: {} };
+    const processComposeFileSpy = vi.spyOn(trigger, 'processComposeFile').mockResolvedValue();
+
+    await trigger.triggerBatch([container]);
+
+    expect(processComposeFileSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/stack.yml',
+      [container],
+      ['/opt/drydock/test/stack.yml', '/opt/drydock/test/stack.override.yml'],
+    );
+  });
+
+  // -----------------------------------------------------------------------
+  // initTrigger & trigger delegation
+  // -----------------------------------------------------------------------
+
+  test('initTrigger should set mode to batch', async () => {
+    trigger.configuration.mode = 'simple';
+    trigger.configuration.file = undefined;
+
+    await trigger.initTrigger();
+
+    expect(trigger.configuration.mode).toBe('batch');
+  });
+
+  test('initTrigger should throw when configured file does not exist', async () => {
+    trigger.configuration.file = '/nonexistent/compose.yml';
+    const err = new Error('ENOENT');
+    err.code = 'ENOENT';
+    fs.access.mockRejectedValueOnce(err);
+
+    await expect(trigger.initTrigger()).rejects.toThrow('ENOENT');
+
+    expect(mockLog.error).toHaveBeenCalledWith(expect.stringContaining('does not exist'));
+  });
+
+  test('initTrigger should log permission denied when configured file has EACCES', async () => {
+    trigger.configuration.file = '/restricted/compose.yml';
+    const err = new Error('EACCES');
+    err.code = 'EACCES';
+    fs.access.mockRejectedValueOnce(err);
+
+    await expect(trigger.initTrigger()).rejects.toThrow('EACCES');
+
+    expect(mockLog.error).toHaveBeenCalledWith(expect.stringContaining('permission denied'));
+  });
+
+  test('trigger should delegate to triggerBatch with single container', async () => {
+    const container = { name: 'test' };
+    const spy = vi.spyOn(trigger, 'triggerBatch').mockResolvedValue([true]);
+
+    await trigger.trigger(container);
+
+    expect(spy).toHaveBeenCalledWith([container]);
+  });
+
+  test('trigger should throw when update is still available but compose trigger applies no runtime updates', async () => {
+    trigger.configuration.dryrun = false;
+    const container = { name: 'test', updateAvailable: true };
+    vi.spyOn(trigger, 'triggerBatch').mockResolvedValue([false]);
+
+    await expect(trigger.trigger(container)).rejects.toThrow(
+      'No compose updates were applied for container test',
+    );
+  });
+
+  test('trigger should use unknown fallback when throwing without a container name', async () => {
+    trigger.configuration.dryrun = false;
+    const container = { updateAvailable: true };
+    vi.spyOn(trigger, 'triggerBatch').mockResolvedValue([false]);
+
+    await expect(trigger.trigger(container as any)).rejects.toThrow(
+      'No compose updates were applied for container unknown',
+    );
+  });
+
+  test('getConfigurationSchema should extend Docker schema with compose hardening options', () => {
+    const schema = trigger.getConfigurationSchema();
+    expect(schema).toBeDefined();
+    const { error } = schema.validate({
+      prune: false,
+      dryrun: false,
+      autoremovetimeout: 10000,
+      file: '/opt/drydock/test/compose.yml',
+      backup: true,
+      composeFileLabel: 'dd.compose.file',
+      reconciliationMode: 'block',
+      digestPinning: true,
+      composeFileOnce: true,
+    });
+    expect(error).toBeUndefined();
+  });
+
+  test('getConfigurationSchema should accept env-normalized compose hardening keys', () => {
+    const schema = trigger.getConfigurationSchema();
+    const { error, value } = schema.validate({
+      prune: false,
+      dryrun: false,
+      autoremovetimeout: 10000,
+      file: '/opt/drydock/test/compose.yml',
+      backup: true,
+      composefilelabel: 'com.example.compose.file',
+      reconciliationmode: 'block',
+      digestpinning: true,
+      composefileonce: true,
+    });
+    expect(error).toBeUndefined();
+    expect(value.composeFileLabel).toBe('com.example.compose.file');
+    expect(value.reconciliationMode).toBe('block');
+    expect(value.digestPinning).toBe(true);
+    expect(value.composeFileOnce).toBe(true);
+  });
+
+  test('normalizeImplicitLatest should return input when image is empty or already digest/tag qualified', () => {
+    expect(testable_normalizeImplicitLatest('')).toBe('');
+    expect(testable_normalizeImplicitLatest('alpine@sha256:abc')).toBe('alpine@sha256:abc');
+    expect(testable_normalizeImplicitLatest('nginx:1.0.0')).toBe('nginx:1.0.0');
+  });
+
+  test('normalizeImplicitLatest should append latest even when image path ends with slash', () => {
+    expect(testable_normalizeImplicitLatest('repo/')).toBe('repo/:latest');
+  });
+
+  test('hasExplicitRegistryHost should detect empty, host:port, and localhost prefixes', () => {
+    expect(testable_hasExplicitRegistryHost('')).toBe(false);
+    expect(testable_hasExplicitRegistryHost('registry.example.com:5000/nginx:1.1.0')).toBe(true);
+    expect(testable_hasExplicitRegistryHost('localhost/nginx:1.1.0')).toBe(true);
+  });
+
+  test('normalizePostStartHooks should return empty array when post_start is missing', () => {
+    expect(testable_normalizePostStartHooks(undefined)).toEqual([]);
+  });
+
+  test('normalizePostStartEnvironmentValue should return empty string on json serialization errors', () => {
+    const circular: any = {};
+    circular.self = circular;
+    expect(testable_normalizePostStartEnvironmentValue(circular)).toBe('');
+  });
+
+  test('updateComposeServiceImageInText should update only target service image while preserving comments', () => {
+    const compose = [
+      'services:',
+      '  nginx:',
+      '    # pinned for compatibility',
+      '    image: nginx:1.1.0 # current',
+      '    environment:',
+      '      - NGINX_PORT=80',
+      '  redis:',
+      '    image: redis:7.0.0',
+      '',
+    ].join('\n');
+
+    const updated = testable_updateComposeServiceImageInText(compose, 'nginx', 'nginx:1.2.0');
+
+    expect(updated).toContain('    # pinned for compatibility');
+    expect(updated).toContain('    image: nginx:1.2.0 # current');
+    expect(updated).toContain('  redis:');
+    expect(updated).toContain('    image: redis:7.0.0');
+  });
+
+  test('updateComposeServiceImageInText should insert image when service has no image key', () => {
+    const compose = ['services:', '  nginx:', '    environment:', '      - NGINX_PORT=80', ''].join(
+      '\n',
+    );
+
+    const updated = testable_updateComposeServiceImageInText(compose, 'nginx', 'nginx:1.2.0');
+
+    expect(updated).toContain('  nginx:');
+    expect(updated).toContain('    image: nginx:1.2.0');
+    expect(updated).toContain('    environment:');
+  });
+
+  test('updateComposeServiceImageInText should preserve CRLF newlines', () => {
+    const compose = ['services:', '  nginx:', '    image: nginx:1.1.0', ''].join('\r\n');
+
+    const updated = testable_updateComposeServiceImageInText(compose, 'nginx', 'nginx:1.2.0');
+
+    expect(updated).toContain('\r\n');
+    expect(updated).toContain('image: nginx:1.2.0');
+  });
+
+  test('updateComposeServiceImageInText should preserve quote style when replacing image value', () => {
+    const compose = ['services:', '  nginx:', "    image: 'nginx:1.1.0'", ''].join('\n');
+
+    const updated = testable_updateComposeServiceImageInText(compose, 'nginx', 'nginx:1.2.0');
+
+    expect(updated).toContain("image: 'nginx:1.2.0'");
+  });
+
+  test('updateComposeServiceImageInText should update image in flow-style service mapping', () => {
+    const compose = ['services:', '  nginx: { image: "nginx:1.1.0", restart: always }', ''].join(
+      '\n',
+    );
+
+    const updated = testable_updateComposeServiceImageInText(compose, 'nginx', 'nginx:1.2.0');
+
+    expect(updated).toContain('nginx: { image: "nginx:1.2.0", restart: always }');
+  });
+
+  test('updateComposeServiceImageInText should parse with maxAliasCount guard', () => {
+    const compose = ['services:', '  nginx:', '    image: nginx:1.1.0', ''].join('\n');
+    const parseDocumentSpy = vi.spyOn(yaml, 'parseDocument');
+
+    testable_updateComposeServiceImageInText(compose, 'nginx', 'nginx:1.2.0');
+
+    expect(parseDocumentSpy).toHaveBeenCalledWith(
+      compose,
+      expect.objectContaining({
+        keepSourceTokens: true,
+        maxAliasCount: 10000,
+      }),
+    );
+  });
+
+  test('updateComposeServiceImageInText should throw for flow-style services without image key', () => {
+    const compose = ['services:', '  nginx: { restart: always }', ''].join('\n');
+
+    expect(() => testable_updateComposeServiceImageInText(compose, 'nginx', 'nginx:1.2.0')).toThrow(
+      'Unable to insert compose image for flow-style service nginx without image key',
+    );
+  });
+
+  test('updateComposeServiceImageInText should throw when services section is missing', () => {
+    const compose = ['version: "3"', 'x-service: value', ''].join('\n');
+
+    expect(() => testable_updateComposeServiceImageInText(compose, 'nginx', 'nginx:1.2.0')).toThrow(
+      'Unable to locate services section in compose file',
+    );
+  });
+
+  test('updateComposeServiceImageInText should insert image using default field indentation when service has no fields', () => {
+    const compose = ['services:', '  nginx:', ''].join('\n');
+
+    const updated = testable_updateComposeServiceImageInText(compose, 'nginx', 'nginx:1.2.0');
+
+    expect(updated).toContain('  nginx:');
+    expect(updated).toContain('    image: nginx:1.2.0');
+  });
+
+  test('updateComposeServiceImageInText should throw when service is missing', () => {
+    const compose = ['services:', '  nginx:', '    image: nginx:1.1.0', ''].join('\n');
+
+    expect(() => testable_updateComposeServiceImageInText(compose, 'redis', 'redis:7.1.0')).toThrow(
+      'Unable to locate compose service redis',
+    );
+  });
+
+  // -----------------------------------------------------------------------
+});
diff --git a/app/triggers/providers/dockercompose/Dockercompose.file-ops-and-trigger-batch.test.ts b/app/triggers/providers/dockercompose/Dockercompose.file-ops-and-trigger-batch.test.ts
new file mode 100644
index 000000000..5d1cb7a6c
--- /dev/null
+++ b/app/triggers/providers/dockercompose/Dockercompose.file-ops-and-trigger-batch.test.ts
@@ -0,0 +1,1052 @@
+import { EventEmitter } from 'node:events';
+import { watch } from 'node:fs';
+import fs from 'node:fs/promises';
+import path from 'node:path';
+import yaml from 'yaml';
+import { getState } from '../../../registry/index.js';
+import { sleep } from '../../../util/sleep.js';
+import Dockercompose, { testable_updateComposeServiceImageInText } from './Dockercompose.js';
+import { makeCompose, setupDockercomposeTestContext } from './Dockercompose.test.helpers.js';
+
+vi.mock('../../../registry', () => ({
+  getState: vi.fn(),
+}));
+
+vi.mock('../../../event/index.js', () => ({
+  emitContainerUpdateApplied: vi.fn().mockResolvedValue(undefined),
+  emitContainerUpdateFailed: vi.fn().mockResolvedValue(undefined),
+  emitSecurityAlert: vi.fn().mockResolvedValue(undefined),
+  emitSelfUpdateStarting: vi.fn(),
+}));
+
+vi.mock('../../../model/container.js', async (importOriginal) => {
+  const actual = await importOriginal();
+  return {
+    ...actual,
+    fullName: vi.fn((c) => `test_${c.name}`),
+  };
+});
+
+vi.mock('../../../store/backup', () => ({
+  insertBackup: vi.fn(),
+  pruneOldBackups: vi.fn(),
+  getBackupsByName: vi.fn().mockReturnValue([]),
+}));
+
+// Modules used by the shared lifecycle (inherited from Docker trigger)
+vi.mock('../../../configuration/index.js', async () => {
+  const actual = await vi.importActual('../../../configuration/index.js');
+  return { ...actual, getSecurityConfiguration: vi.fn().mockReturnValue({ enabled: false }) };
+});
+vi.mock('../../../store/audit.js', () => ({ insertAudit: vi.fn() }));
+vi.mock('../../../prometheus/audit.js', () => ({ getAuditCounter: vi.fn().mockReturnValue(null) }));
+vi.mock('../../../security/scan.js', () => ({
+  scanImageForVulnerabilities: vi.fn(),
+  verifyImageSignature: vi.fn(),
+  generateImageSbom: vi.fn(),
+  clearDigestScanCache: vi.fn(),
+  getDigestScanCacheSize: vi.fn().mockReturnValue(0),
+  updateDigestScanCache: vi.fn(),
+  scanImageWithDedup: vi.fn(),
+}));
+vi.mock('../../../store/container.js', () => ({
+  getContainer: vi.fn(),
+  updateContainer: vi.fn(),
+  cacheSecurityState: vi.fn(),
+}));
+vi.mock('../../hooks/HookRunner.js', () => ({ runHook: vi.fn() }));
+vi.mock('../docker/HealthMonitor.js', () => ({ startHealthMonitor: vi.fn() }));
+
+vi.mock('node:fs', async (importOriginal) => {
+  const actual = await importOriginal();
+  return {
+    ...actual,
+    watch: vi.fn(),
+  };
+});
+
+vi.mock('../../../util/sleep.js', () => ({
+  sleep: vi.fn().mockResolvedValue(undefined),
+}));
+
+vi.mock('node:fs/promises', async (importOriginal) => {
+  const actual = await importOriginal();
+  return {
+    ...actual,
+    default: {
+      ...actual.default,
+      access: vi.fn().mockResolvedValue(undefined),
+      copyFile: vi.fn().mockResolvedValue(undefined),
+      readFile: vi.fn().mockResolvedValue(Buffer.from('')),
+      writeFile: vi.fn().mockResolvedValue(undefined),
+      rename: vi.fn().mockResolvedValue(undefined),
+      unlink: vi.fn().mockResolvedValue(undefined),
+      stat: vi.fn().mockResolvedValue({ mtimeMs: Date.now() }),
+    },
+    access: vi.fn().mockResolvedValue(undefined),
+    copyFile: vi.fn().mockResolvedValue(undefined),
+    readFile: vi.fn().mockResolvedValue(Buffer.from('')),
+    writeFile: vi.fn().mockResolvedValue(undefined),
+    rename: vi.fn().mockResolvedValue(undefined),
+    unlink: vi.fn().mockResolvedValue(undefined),
+    stat: vi.fn().mockResolvedValue({ mtimeMs: Date.now() }),
+  };
+});
+
+describe('Dockercompose Trigger', () => {
+  let trigger;
+  let mockLog;
+  let mockDockerApi;
+
+  beforeEach(() => {
+    ({ trigger, mockLog, mockDockerApi } = setupDockercomposeTestContext({
+      DockercomposeCtor: Dockercompose,
+      watchMock: watch,
+      getStateMock: getState,
+    }));
+  });
+
+  // File operations & misc
+  // -----------------------------------------------------------------------
+
+  test('backup should log warning on error', async () => {
+    fs.copyFile.mockRejectedValueOnce(new Error('copy failed'));
+
+    await trigger.backup('/opt/drydock/test/compose.yml', '/opt/drydock/test/compose.yml.back');
+
+    expect(mockLog.warn).toHaveBeenCalledWith(expect.stringContaining('copy failed'));
+  });
+
+  test('writeComposeFile should log error and throw on write failure', async () => {
+    fs.writeFile.mockRejectedValueOnce(new Error('write failed'));
+
+    await expect(trigger.writeComposeFile('/opt/drydock/test/compose.yml', 'data')).rejects.toThrow(
+      'write failed',
+    );
+
+    expect(mockLog.error).toHaveBeenCalledWith(expect.stringContaining('write failed'));
+  });
+
+  test('writeComposeFile should stringify non-object write failures in logs', async () => {
+    fs.writeFile.mockRejectedValueOnce(42);
+
+    await expect(trigger.writeComposeFile('/opt/drydock/test/compose.yml', 'data')).rejects.toBe(
+      42,
+    );
+
+    expect(mockLog.error).toHaveBeenCalledWith(expect.stringContaining('(42)'));
+  });
+
+  test('writeComposeFile should write atomically through temp file + rename under lock', async () => {
+    await trigger.writeComposeFile('/opt/drydock/test/compose.yml', 'data');
+
+    expect(fs.writeFile).toHaveBeenCalledWith(
+      '/opt/drydock/test/compose.yml.drydock.lock',
+      expect.any(String),
+      { flag: 'wx' },
+    );
+    expect(fs.writeFile).toHaveBeenCalledWith(
+      expect.stringContaining('/opt/drydock/test/.compose.yml.tmp-'),
+      'data',
+    );
+    expect(fs.rename).toHaveBeenCalledWith(
+      expect.stringContaining('/opt/drydock/test/.compose.yml.tmp-'),
+      '/opt/drydock/test/compose.yml',
+    );
+    expect(fs.unlink).toHaveBeenCalledWith('/opt/drydock/test/compose.yml.drydock.lock');
+  });
+
+  test('writeComposeFileAtomic should remove temp file and rethrow when rename fails', async () => {
+    const renameError = new Error('rename failed');
+    fs.rename.mockRejectedValueOnce(renameError);
+
+    await expect(
+      trigger.writeComposeFileAtomic('/opt/drydock/test/compose.yml', 'data'),
+    ).rejects.toThrow('rename failed');
+
+    const temporaryFilePath = fs.writeFile.mock.calls[0][0];
+    expect(temporaryFilePath).toEqual(
+      expect.stringContaining('/opt/drydock/test/.compose.yml.tmp-'),
+    );
+    expect(fs.rename).toHaveBeenCalledWith(temporaryFilePath, '/opt/drydock/test/compose.yml');
+    expect(fs.unlink).toHaveBeenCalledWith(temporaryFilePath);
+  });
+
+  test('writeComposeFileAtomic should retry on EBUSY and succeed', async () => {
+    const ebusyError: any = new Error('EBUSY: resource busy or locked');
+    ebusyError.code = 'EBUSY';
+    fs.rename
+      .mockRejectedValueOnce(ebusyError)
+      .mockRejectedValueOnce(ebusyError)
+      .mockResolvedValueOnce(undefined);
+
+    await trigger.writeComposeFileAtomic('/opt/drydock/test/compose.yml', 'data');
+
+    expect(fs.rename).toHaveBeenCalledTimes(3);
+    expect(fs.unlink).not.toHaveBeenCalled();
+  });
+
+  test('writeComposeFileAtomic should fall back to direct write after EBUSY retries exhausted', async () => {
+    const ebusyError: any = new Error('EBUSY: resource busy or locked');
+    ebusyError.code = 'EBUSY';
+    for (let i = 0; i < 6; i++) {
+      fs.rename.mockRejectedValueOnce(ebusyError);
+    }
+
+    await trigger.writeComposeFileAtomic('/opt/drydock/test/compose.yml', 'data');
+
+    // 1 initial attempt + 5 retries = 6 rename attempts
+    expect(fs.rename).toHaveBeenCalledTimes(6);
+    // Falls back to direct write to the target file
+    expect(fs.writeFile).toHaveBeenCalledWith('/opt/drydock/test/compose.yml', 'data');
+    // Temp file cleaned up
+    const temporaryFilePath = fs.writeFile.mock.calls[0][0];
+    expect(fs.unlink).toHaveBeenCalledWith(temporaryFilePath);
+  });
+
+  test('writeComposeFileAtomic should not retry on non-EBUSY errors', async () => {
+    const permError: any = new Error('EACCES: permission denied');
+    permError.code = 'EACCES';
+    fs.rename.mockRejectedValueOnce(permError);
+
+    await expect(
+      trigger.writeComposeFileAtomic('/opt/drydock/test/compose.yml', 'data'),
+    ).rejects.toThrow('EACCES');
+
+    expect(fs.rename).toHaveBeenCalledTimes(1);
+  });
+
+  test('writeComposeFileAtomic should not retry when rename error code is non-string', async () => {
+    const malformedCodeError: any = new Error('rename failed');
+    malformedCodeError.code = 123;
+    fs.rename.mockRejectedValueOnce(malformedCodeError);
+
+    await expect(
+      trigger.writeComposeFileAtomic('/opt/drydock/test/compose.yml', 'data'),
+    ).rejects.toThrow('rename failed');
+
+    expect(fs.rename).toHaveBeenCalledTimes(1);
+  });
+
+  test('withComposeFileLock should wait and retry when lock exists but is not stale', async () => {
+    const lockBusyError: any = new Error('lock exists');
+    lockBusyError.code = 'EEXIST';
+    fs.writeFile.mockRejectedValueOnce(lockBusyError).mockResolvedValueOnce(undefined);
+    fs.stat.mockResolvedValueOnce({
+      mtimeMs: Date.now(),
+    });
+    const waitForLockChangeSpy = vi
+      .spyOn(trigger._composeFileLockManager, 'waitForComposeFileLockChange')
+      .mockResolvedValueOnce(true);
+    const operation = vi.fn().mockResolvedValue('ok');
+
+    const result = await trigger.withComposeFileLock('/opt/drydock/test/compose.yml', operation);
+
+    expect(result).toBe('ok');
+    expect(operation).toHaveBeenCalledWith('/opt/drydock/test/compose.yml');
+    expect(waitForLockChangeSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/compose.yml.drydock.lock',
+      expect.any(Number),
+    );
+    expect(sleep).not.toHaveBeenCalled();
+  });
+
+  test('withComposeFileLock should time out while waiting for a busy lock', async () => {
+    const lockBusyError: any = new Error('lock exists');
+    lockBusyError.code = 'EEXIST';
+    fs.writeFile.mockRejectedValueOnce(lockBusyError);
+    fs.stat.mockResolvedValueOnce({
+      mtimeMs: 0,
+    });
+    const dateNowSpy = vi
+      .spyOn(Date, 'now')
+      .mockReturnValueOnce(0)
+      .mockReturnValueOnce(10)
+      .mockReturnValueOnce(10_001);
+
+    try {
+      await expect(
+        trigger.withComposeFileLock('/opt/drydock/test/compose.yml', async () => 'never'),
+      ).rejects.toThrow('Timed out waiting for compose file lock');
+    } finally {
+      dateNowSpy.mockRestore();
+    }
+  });
+
+  test('withComposeFileLock should warn when lock removal fails with a non-ENOENT error', async () => {
+    const lockRemovalError: any = new Error('permission denied');
+    lockRemovalError.code = 'EPERM';
+    fs.unlink.mockRejectedValueOnce(lockRemovalError);
+
+    await trigger.withComposeFileLock('/opt/drydock/test/compose.yml', async () => undefined);
+
+    expect(mockLog.warn).toHaveBeenCalledWith(
+      expect.stringContaining('Could not remove compose file lock'),
+    );
+  });
+
+  test('withComposeFileLock should ignore ENOENT when lock removal races', async () => {
+    const lockRemovalError: any = new Error('gone');
+    lockRemovalError.code = 'ENOENT';
+    fs.unlink.mockRejectedValueOnce(lockRemovalError);
+
+    await trigger.withComposeFileLock('/opt/drydock/test/compose.yml', async () => undefined);
+
+    expect(
+      mockLog.warn.mock.calls.some(([message]) =>
+        String(message).includes('Could not remove compose file lock'),
+      ),
+    ).toBe(false);
+  });
+
+  test('withComposeFileLock should execute immediately when lock is already held by this process', async () => {
+    const filePath = '/opt/drydock/test/compose.yml';
+    trigger._composeFileLocksHeld.add(filePath);
+    const operation = vi.fn().mockResolvedValue('ok');
+
+    try {
+      const result = await trigger.withComposeFileLock(filePath, operation);
+      expect(result).toBe('ok');
+      expect(operation).toHaveBeenCalledWith(filePath);
+      expect(fs.writeFile).not.toHaveBeenCalledWith(
+        `${filePath}.drydock.lock`,
+        expect.any(String),
+        { flag: 'wx' },
+      );
+    } finally {
+      trigger._composeFileLocksHeld.delete(filePath);
+    }
+  });
+
+  test('waitForComposeFileLockChange should return false when timeout is not positive', async () => {
+    await expect(
+      trigger.waitForComposeFileLockChange('/opt/drydock/test/compose.yml.drydock.lock', 0),
+    ).resolves.toBe(false);
+  });
+
+  test('waitForComposeFileLockChange should return false when timeout elapses without lock changes', async () => {
+    vi.useFakeTimers();
+    const watcher: any = new EventEmitter();
+    watcher.close = vi.fn();
+    const watchMock = vi.mocked(watch);
+    watchMock.mockImplementation(() => watcher);
+
+    try {
+      const waitForLockChange = trigger.waitForComposeFileLockChange(
+        '/opt/drydock/test/compose.yml.drydock.lock',
+        1_000,
+      );
+
+      await vi.advanceTimersByTimeAsync(1_000);
+
+      await expect(waitForLockChange).resolves.toBe(false);
+      expect(watcher.close).toHaveBeenCalledTimes(1);
+    } finally {
+      vi.useRealTimers();
+    }
+  });
+
+  test('waitForComposeFileLockChange should settle when changed path is unavailable', async () => {
+    const watcher: any = new EventEmitter();
+    watcher.close = vi.fn();
+    const watchMock = vi.mocked(watch);
+    watchMock.mockImplementation((_directoryPath, onChange: any) => {
+      setImmediate(() => onChange('rename', null as any));
+      return watcher;
+    });
+
+    await expect(
+      trigger.waitForComposeFileLockChange('/opt/drydock/test/compose.yml.drydock.lock', 1_000),
+    ).resolves.toBe(true);
+    expect(watcher.close).toHaveBeenCalledTimes(1);
+  });
+
+  test('waitForComposeFileLockChange should settle when target lock file changes', async () => {
+    const watcher: any = new EventEmitter();
+    watcher.close = vi.fn();
+    const watchMock = vi.mocked(watch);
+    watchMock.mockImplementation((_directoryPath, onChange: any) => {
+      setImmediate(() => onChange('change', Buffer.from('compose.yml.drydock.lock')));
+      return watcher;
+    });
+
+    await expect(
+      trigger.waitForComposeFileLockChange('/opt/drydock/test/compose.yml.drydock.lock', 1_000),
+    ).resolves.toBe(true);
+    expect(watcher.close).toHaveBeenCalledTimes(1);
+  });
+
+  test('waitForComposeFileLockChange should ignore duplicate settle attempts after it resolves', async () => {
+    const watcher: any = new EventEmitter();
+    watcher.close = vi.fn();
+    const watchMock = vi.mocked(watch);
+    watchMock.mockImplementation((_directoryPath, onChange: any) => {
+      setImmediate(() => {
+        onChange('rename', null as any);
+        onChange('change', 'compose.yml.drydock.lock');
+      });
+      return watcher;
+    });
+
+    await expect(
+      trigger.waitForComposeFileLockChange('/opt/drydock/test/compose.yml.drydock.lock', 1_000),
+    ).resolves.toBe(true);
+    expect(watcher.close).toHaveBeenCalledTimes(1);
+  });
+
+  test('waitForComposeFileLockChange should settle when watcher emits an error', async () => {
+    const watcher: any = new EventEmitter();
+    watcher.close = vi.fn();
+    const watchMock = vi.mocked(watch);
+    watchMock.mockImplementation(() => {
+      setImmediate(() => watcher.emit('error', new Error('watch failed')));
+      return watcher;
+    });
+
+    await expect(
+      trigger.waitForComposeFileLockChange('/opt/drydock/test/compose.yml.drydock.lock', 1_000),
+    ).resolves.toBe(true);
+    expect(watcher.close).toHaveBeenCalledTimes(1);
+  });
+
+  test('maybeReleaseStaleComposeFileLock should treat missing lock file as released', async () => {
+    const missingLockError: any = new Error('missing lock');
+    missingLockError.code = 'ENOENT';
+    fs.stat.mockRejectedValueOnce(missingLockError);
+
+    await expect(
+      trigger.maybeReleaseStaleComposeFileLock('/opt/drydock/test/compose.yml.drydock.lock'),
+    ).resolves.toBe(true);
+  });
+
+  test('maybeReleaseStaleComposeFileLock should warn and return false on unexpected stat errors', async () => {
+    const statError: any = new Error('permission denied');
+    statError.code = 'EPERM';
+    fs.stat.mockRejectedValueOnce(statError);
+
+    await expect(
+      trigger.maybeReleaseStaleComposeFileLock('/opt/drydock/test/compose.yml.drydock.lock'),
+    ).resolves.toBe(false);
+
+    expect(mockLog.warn).toHaveBeenCalledWith(
+      expect.stringContaining('Could not inspect compose file lock'),
+    );
+  });
+
+  test('writeComposeFile should preserve rename error when temp cleanup also fails', async () => {
+    const renameError = new Error('rename failed');
+    fs.rename.mockRejectedValueOnce(renameError);
+    fs.unlink.mockRejectedValueOnce(new Error('cleanup failed'));
+
+    await expect(trigger.writeComposeFile('/opt/drydock/test/compose.yml', 'data')).rejects.toThrow(
+      'rename failed',
+    );
+  });
+
+  test('mutateComposeFile should return false when no text changes are applied', async () => {
+    vi.spyOn(trigger, 'getComposeFile').mockResolvedValue(
+      Buffer.from('services:\n  nginx:\n    image: nginx:1.0.0\n'),
+    );
+    const writeSpy = vi.spyOn(trigger, 'writeComposeFile').mockResolvedValue();
+
+    const changed = await trigger.mutateComposeFile(
+      '/opt/drydock/test/compose.yml',
+      (text) => text,
+    );
+
+    expect(changed).toBe(false);
+    expect(writeSpy).not.toHaveBeenCalled();
+  });
+
+  test('mutateComposeFile should validate candidate compose config before writing', async () => {
+    vi.spyOn(trigger, 'getComposeFile').mockResolvedValue(
+      Buffer.from('services:\n  nginx:\n    image: nginx:1.0.0\n'),
+    );
+    const validateSpy = vi
+      .spyOn(trigger, 'validateComposeConfiguration')
+      .mockResolvedValue(undefined);
+    const writeSpy = vi.spyOn(trigger, 'writeComposeFile').mockResolvedValue();
+
+    const changed = await trigger.mutateComposeFile('/opt/drydock/test/compose.yml', (text) =>
+      text.replace('nginx:1.0.0', 'nginx:1.1.0'),
+    );
+
+    expect(changed).toBe(true);
+    expect(validateSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/compose.yml',
+      expect.stringContaining('nginx:1.1.0'),
+    );
+    expect(writeSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/compose.yml',
+      expect.stringContaining('nginx:1.1.0'),
+    );
+  });
+
+  test('mutateComposeFile should block writes when compose validation fails', async () => {
+    vi.spyOn(trigger, 'getComposeFile').mockResolvedValue(
+      Buffer.from('services:\n  nginx:\n    image: nginx:1.0.0\n'),
+    );
+    vi.spyOn(trigger, 'validateComposeConfiguration').mockRejectedValue(
+      new Error('compose config is invalid'),
+    );
+    const writeSpy = vi.spyOn(trigger, 'writeComposeFile').mockResolvedValue();
+
+    await expect(
+      trigger.mutateComposeFile('/opt/drydock/test/compose.yml', (text) =>
+        text.replace('nginx:1.0.0', 'nginx:1.1.0'),
+      ),
+    ).rejects.toThrow('compose config is invalid');
+
+    expect(writeSpy).not.toHaveBeenCalled();
+  });
+
+  test('mutateComposeFile should forward a pre-parsed compose object to validation', async () => {
+    vi.spyOn(trigger, 'getComposeFile').mockResolvedValue(
+      Buffer.from('services:\n  nginx:\n    image: nginx:1.0.0\n'),
+    );
+    const validateSpy = vi
+      .spyOn(trigger, 'validateComposeConfiguration')
+      .mockResolvedValue(undefined);
+    vi.spyOn(trigger, 'writeComposeFile').mockResolvedValue();
+    const parsedComposeFileObject = makeCompose({ nginx: { image: 'nginx:1.1.0' } });
+
+    const changed = await trigger.mutateComposeFile(
+      '/opt/drydock/test/compose.yml',
+      (text) => text.replace('nginx:1.0.0', 'nginx:1.1.0'),
+      {
+        parsedComposeFileObject,
+      },
+    );
+
+    expect(changed).toBe(true);
+    expect(validateSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/compose.yml',
+      expect.stringContaining('nginx:1.1.0'),
+      {
+        parsedComposeFileObject,
+      },
+    );
+  });
+
+  test('validateComposeConfiguration should validate compose text in-process without shell commands', async () => {
+    await trigger.validateComposeConfiguration(
+      '/opt/drydock/test/compose.yml',
+      'services:\n  nginx:\n    image: nginx:1.1.0\n',
+    );
+  });
+
+  test('validateComposeConfiguration should validate updated file against full compose file chain', async () => {
+    const getComposeFileAsObjectSpy = vi
+      .spyOn(trigger, 'getComposeFileAsObject')
+      .mockResolvedValue(makeCompose({ base: { image: 'busybox:1.0.0' } }));
+
+    await trigger.validateComposeConfiguration(
+      '/opt/drydock/test/stack.override.yml',
+      'services:\n  nginx:\n    image: nginx:1.1.0\n',
+      {
+        composeFiles: ['/opt/drydock/test/stack.yml', '/opt/drydock/test/stack.override.yml'],
+      },
+    );
+
+    expect(getComposeFileAsObjectSpy).toHaveBeenCalledWith('/opt/drydock/test/stack.yml');
+  });
+
+  test('validateComposeConfiguration should reuse a pre-parsed compose object when provided', async () => {
+    const parseSpy = vi.spyOn(yaml, 'parse');
+    const getComposeFileAsObjectSpy = vi
+      .spyOn(trigger, 'getComposeFileAsObject')
+      .mockResolvedValue(makeCompose({ base: { image: 'busybox:1.0.0' } }));
+
+    await trigger.validateComposeConfiguration(
+      '/opt/drydock/test/stack.override.yml',
+      'services:\n  nginx:\n    image: nginx:1.1.0\n',
+      {
+        composeFiles: ['/opt/drydock/test/stack.yml', '/opt/drydock/test/stack.override.yml'],
+        parsedComposeFileObject: makeCompose({ nginx: { image: 'nginx:1.1.0' } }),
+      },
+    );
+
+    expect(parseSpy).not.toHaveBeenCalled();
+    expect(getComposeFileAsObjectSpy).toHaveBeenCalledWith('/opt/drydock/test/stack.yml');
+  });
+
+  test('updateComposeServiceImageInText should throw when compose document has parse errors', () => {
+    expect(() =>
+      testable_updateComposeServiceImageInText('services:\n  nginx: [\n', 'nginx', 'nginx:2.0.0'),
+    ).toThrow();
+  });
+
+  test('updateComposeServiceImageInText should throw when service definition is not a map', () => {
+    expect(() =>
+      testable_updateComposeServiceImageInText(
+        ['services:', '  nginx: "literal-service"', ''].join('\n'),
+        'nginx',
+        'nginx:2.0.0',
+      ),
+    ).toThrow('Unable to patch compose service nginx because it is not a map');
+  });
+
+  test('updateComposeServiceImageInText should append image line when service key has no trailing newline', () => {
+    const updated = testable_updateComposeServiceImageInText(
+      'services:\n  nginx:',
+      'nginx',
+      'nginx:2.0.0',
+    );
+
+    expect(updated).toBe('services:\n  nginx:\n    image: nginx:2.0.0');
+  });
+
+  test('writeComposeFile should remove stale lock and continue', async () => {
+    const lockBusyError: any = new Error('lock exists');
+    lockBusyError.code = 'EEXIST';
+    fs.writeFile
+      .mockRejectedValueOnce(lockBusyError)
+      .mockResolvedValueOnce(undefined)
+      .mockResolvedValueOnce(undefined);
+    fs.stat.mockResolvedValueOnce({
+      mtimeMs: Date.now() - 200_000,
+    });
+
+    await trigger.writeComposeFile('/opt/drydock/test/compose.yml', 'data');
+
+    expect(mockLog.warn).toHaveBeenCalledWith(
+      expect.stringContaining('Removed stale compose file lock'),
+    );
+    expect(fs.rename).toHaveBeenCalledWith(
+      expect.stringContaining('/opt/drydock/test/.compose.yml.tmp-'),
+      '/opt/drydock/test/compose.yml',
+    );
+  });
+
+  test('getComposeFileAsObject should throw on yaml parse error', async () => {
+    vi.spyOn(trigger, 'getComposeFile').mockResolvedValue(Buffer.from('invalid: yaml: [[['));
+
+    await expect(trigger.getComposeFileAsObject('/opt/drydock/test/compose.yml')).rejects.toThrow();
+
+    expect(mockLog.error).toHaveBeenCalledWith(expect.stringContaining('Error when parsing'));
+  });
+
+  test('getComposeFileAsObject should reuse cached parse when file mtime is unchanged', async () => {
+    const composeFilePath = '/opt/drydock/test/compose.yml';
+    const composeText = ['services:', '  nginx:', '    image: nginx:1.0.0', ''].join('\n');
+    const getComposeFileSpy = vi
+      .spyOn(trigger, 'getComposeFile')
+      .mockResolvedValue(Buffer.from(composeText));
+    const parseSpy = vi.spyOn(yaml, 'parse');
+    fs.stat.mockResolvedValue({
+      mtimeMs: 1700000000000,
+    } as any);
+
+    const first = await trigger.getComposeFileAsObject(composeFilePath);
+    const second = await trigger.getComposeFileAsObject(composeFilePath);
+
+    expect(first).toEqual(second);
+    expect(getComposeFileSpy).toHaveBeenCalledTimes(1);
+    expect(parseSpy).toHaveBeenCalledTimes(1);
+  });
+
+  test('getComposeFileAsObject should evict least recently used cache entries when max size is reached', async () => {
+    const composeFilePathA = '/opt/drydock/test/a.yml';
+    const composeFilePathB = '/opt/drydock/test/b.yml';
+    const composeFilePathC = '/opt/drydock/test/c.yml';
+    trigger._composeCacheMaxEntries = 2;
+    expect(trigger._composeCacheMaxEntries).toBe(2);
+
+    const getComposeFileSpy = vi
+      .spyOn(trigger, 'getComposeFile')
+      .mockImplementation(async (filePath) =>
+        Buffer.from(
+          ['services:', '  nginx:', `    image: ${path.basename(filePath, '.yml')}:1.0.0`, ''].join(
+            '\n',
+          ),
+        ),
+      );
+    const parseSpy = vi.spyOn(yaml, 'parse');
+    fs.stat.mockResolvedValue({
+      mtimeMs: 1700000000000,
+    } as any);
+
+    await trigger.getComposeFileAsObject(composeFilePathA);
+    await trigger.getComposeFileAsObject(composeFilePathB);
+    await trigger.getComposeFileAsObject(composeFilePathA);
+    await trigger.getComposeFileAsObject(composeFilePathC);
+
+    expect(trigger._composeObjectCache.has(composeFilePathA)).toBe(true);
+    expect(trigger._composeObjectCache.has(composeFilePathB)).toBe(false);
+    expect(trigger._composeObjectCache.has(composeFilePathC)).toBe(true);
+
+    await trigger.getComposeFileAsObject(composeFilePathB);
+
+    expect(getComposeFileSpy).toHaveBeenCalledTimes(4);
+    expect(parseSpy).toHaveBeenCalledTimes(4);
+    expect(trigger._composeObjectCache.has(composeFilePathA)).toBe(false);
+    expect(trigger._composeObjectCache.has(composeFilePathB)).toBe(true);
+    expect(trigger._composeObjectCache.has(composeFilePathC)).toBe(true);
+  });
+
+  test('getCachedComposeDocument should reuse cached parse when file mtime is unchanged', () => {
+    const composeFilePath = '/opt/drydock/test/compose.yml';
+    const parseDocumentSpy = vi.spyOn(yaml, 'parseDocument');
+    const firstText = ['services:', '  nginx:', '    image: nginx:1.0.0', ''].join('\n');
+    const secondText = ['services:', '  nginx:', '    image: nginx:2.0.0', ''].join('\n');
+
+    const firstDocument = trigger.getCachedComposeDocument(
+      composeFilePath,
+      1700000000000,
+      firstText,
+    );
+    const secondDocument = trigger.getCachedComposeDocument(
+      composeFilePath,
+      1700000000000,
+      secondText,
+    );
+
+    expect(secondDocument).toBe(firstDocument);
+    expect(parseDocumentSpy).toHaveBeenCalledTimes(1);
+  });
+
+  test('getCachedComposeDocument should evict least recently used cache entries when max size is reached', () => {
+    const composeFilePathA = '/opt/drydock/test/a.yml';
+    const composeFilePathB = '/opt/drydock/test/b.yml';
+    const composeFilePathC = '/opt/drydock/test/c.yml';
+    trigger._composeCacheMaxEntries = 2;
+    const parseDocumentSpy = vi.spyOn(yaml, 'parseDocument');
+
+    const firstDocumentA = trigger.getCachedComposeDocument(
+      composeFilePathA,
+      1700000000000,
+      ['services:', '  app-a:', '    image: app-a:1.0.0', ''].join('\n'),
+    );
+    const firstDocumentB = trigger.getCachedComposeDocument(
+      composeFilePathB,
+      1700000000000,
+      ['services:', '  app-b:', '    image: app-b:1.0.0', ''].join('\n'),
+    );
+    const secondDocumentA = trigger.getCachedComposeDocument(
+      composeFilePathA,
+      1700000000000,
+      ['services:', '  app-a:', '    image: app-a:2.0.0', ''].join('\n'),
+    );
+    trigger.getCachedComposeDocument(
+      composeFilePathC,
+      1700000000000,
+      ['services:', '  app-c:', '    image: app-c:1.0.0', ''].join('\n'),
+    );
+
+    expect(secondDocumentA).toBe(firstDocumentA);
+    expect(trigger._composeDocumentCache.has(composeFilePathA)).toBe(true);
+    expect(trigger._composeDocumentCache.has(composeFilePathB)).toBe(false);
+    expect(trigger._composeDocumentCache.has(composeFilePathC)).toBe(true);
+
+    const secondDocumentB = trigger.getCachedComposeDocument(
+      composeFilePathB,
+      1700000000000,
+      ['services:', '  app-b:', '    image: app-b:2.0.0', ''].join('\n'),
+    );
+
+    expect(secondDocumentB).not.toBe(firstDocumentB);
+    expect(parseDocumentSpy).toHaveBeenCalledTimes(4);
+    expect(trigger._composeDocumentCache.has(composeFilePathA)).toBe(false);
+    expect(trigger._composeDocumentCache.has(composeFilePathB)).toBe(true);
+    expect(trigger._composeDocumentCache.has(composeFilePathC)).toBe(true);
+  });
+
+  test('getComposeFileAsObject should refresh cached parse when file mtime changes', async () => {
+    const composeFilePath = '/opt/drydock/test/compose.yml';
+    const getComposeFileSpy = vi
+      .spyOn(trigger, 'getComposeFile')
+      .mockResolvedValueOnce(
+        Buffer.from(['services:', '  nginx:', '    image: nginx:1.0.0', ''].join('\n')),
+      )
+      .mockResolvedValueOnce(
+        Buffer.from(['services:', '  nginx:', '    image: nginx:1.1.0', ''].join('\n')),
+      );
+    const parseSpy = vi.spyOn(yaml, 'parse');
+    fs.stat
+      .mockResolvedValueOnce({
+        mtimeMs: 1700000000000,
+      } as any)
+      .mockResolvedValueOnce({
+        mtimeMs: 1700000001000,
+      } as any);
+
+    const first = await trigger.getComposeFileAsObject(composeFilePath);
+    const second = await trigger.getComposeFileAsObject(composeFilePath);
+
+    expect(first).not.toEqual(second);
+    expect(getComposeFileSpy).toHaveBeenCalledTimes(2);
+    expect(parseSpy).toHaveBeenCalledTimes(2);
+  });
+
+  test('getComposeFileAsObject should log default file path when called without explicit file argument', async () => {
+    trigger.configuration.file = '/opt/drydock/test/default-compose.yml';
+    vi.spyOn(trigger, 'getComposeFile').mockResolvedValue(Buffer.from('invalid: yaml: [[['));
+
+    await expect(trigger.getComposeFileAsObject()).rejects.toThrow();
+
+    expect(mockLog.error).toHaveBeenCalledWith(
+      expect.stringContaining('/opt/drydock/test/default-compose.yml'),
+    );
+  });
+
+  test('getComposeFile should use default configuration file when no argument', () => {
+    trigger.configuration.file = '/opt/drydock/test/default-compose.yml';
+
+    trigger.getComposeFile();
+
+    expect(fs.readFile).toHaveBeenCalledWith('/opt/drydock/test/default-compose.yml');
+  });
+
+  test('getComposeFile should log error and throw when fs.readFile throws synchronously', () => {
+    const readFileMock = fs.readFile;
+    readFileMock.mockImplementationOnce(() => {
+      throw new Error('sync read error');
+    });
+    trigger.configuration.file = '/opt/drydock/test/compose.yml';
+
+    expect(() => trigger.getComposeFile('/opt/drydock/test/compose.yml')).toThrow(
+      'sync read error',
+    );
+    expect(mockLog.error).toHaveBeenCalledWith(expect.stringContaining('sync read error'));
+  });
+
+  // -----------------------------------------------------------------------
+  // triggerBatch
+  // -----------------------------------------------------------------------
+
+  test('triggerBatch should skip containers not on local host', async () => {
+    const container = { name: 'remote-container', watcher: 'remote' };
+
+    getState.mockReturnValue({
+      registry: {
+        hub: { getImageFullName: (image, tag) => `${image.name}:${tag}` },
+      },
+      watcher: {
+        'docker.remote': {
+          dockerApi: {
+            modem: { socketPath: '' },
+          },
+        },
+      },
+    });
+
+    await trigger.triggerBatch([container]);
+
+    expect(mockLog.warn).toHaveBeenCalledWith(expect.stringContaining('not running on local host'));
+  });
+
+  test('triggerBatch should skip containers with no compose file', async () => {
+    trigger.configuration.file = undefined;
+    const container = { name: 'no-compose', watcher: 'local' };
+
+    await trigger.triggerBatch([container]);
+
+    expect(mockLog.warn).toHaveBeenCalledWith(expect.stringContaining('No compose file found'));
+  });
+
+  test('triggerBatch should skip containers when compose file does not exist', async () => {
+    trigger.configuration.file = '/nonexistent/compose.yml';
+    const err = new Error('ENOENT');
+    err.code = 'ENOENT';
+    fs.access.mockRejectedValueOnce(err);
+
+    const container = { name: 'test-container', watcher: 'local' };
+
+    await trigger.triggerBatch([container]);
+
+    expect(mockLog.warn).toHaveBeenCalledWith(expect.stringContaining('does not exist'));
+  });
+
+  test('triggerBatch should log permission denied when compose file has EACCES', async () => {
+    trigger.configuration.file = '/restricted/compose.yml';
+    const err = new Error('EACCES');
+    err.code = 'EACCES';
+    fs.access.mockRejectedValueOnce(err);
+
+    const container = { name: 'test-container', watcher: 'local' };
+
+    await trigger.triggerBatch([container]);
+
+    expect(mockLog.warn).toHaveBeenCalledWith(expect.stringContaining('permission denied'));
+  });
+
+  test('triggerBatch should warn when container compose file does not match configured file', async () => {
+    trigger.configuration.file = '/opt/drydock/configured.yml';
+    fs.access.mockResolvedValue(undefined);
+
+    const container = {
+      name: 'mismatched',
+      watcher: 'local',
+      labels: { 'dd.compose.file': '/opt/drydock/other.yml' },
+    };
+
+    await trigger.triggerBatch([container]);
+
+    expect(mockLog.warn).toHaveBeenCalledWith(
+      expect.stringContaining('do not match configured file'),
+    );
+  });
+
+  test('triggerBatch should warn when no containers matched any compose file', async () => {
+    trigger.configuration.file = undefined;
+
+    const container = { name: 'orphan', watcher: 'local' };
+
+    await trigger.triggerBatch([container]);
+
+    expect(mockLog.warn).toHaveBeenCalledWith(
+      'No containers matched any compose file for this trigger',
+    );
+  });
+
+  test('triggerBatch should group containers by compose file and process each', async () => {
+    trigger.configuration.file = undefined;
+    fs.access.mockResolvedValue(undefined);
+
+    const container1 = {
+      name: 'app1',
+      watcher: 'local',
+      labels: { 'dd.compose.file': '/opt/drydock/test/a.yml' },
+    };
+    const container2 = {
+      name: 'app2',
+      watcher: 'local',
+      labels: { 'dd.compose.file': '/opt/drydock/test/b.yml' },
+    };
+
+    const processComposeFileSpy = vi.spyOn(trigger, 'processComposeFile').mockResolvedValue();
+
+    await trigger.triggerBatch([container1, container2]);
+
+    expect(processComposeFileSpy).toHaveBeenCalledTimes(2);
+    expect(processComposeFileSpy).toHaveBeenCalledWith('/opt/drydock/test/a.yml', [container1]);
+    expect(processComposeFileSpy).toHaveBeenCalledWith('/opt/drydock/test/b.yml', [container2]);
+  });
+
+  test('triggerBatch should group multiple containers under the same compose file', async () => {
+    trigger.configuration.file = undefined;
+    fs.access.mockResolvedValue(undefined);
+
+    const container1 = {
+      name: 'app1',
+      watcher: 'local',
+      labels: { 'dd.compose.file': '/opt/drydock/test/shared.yml' },
+    };
+    const container2 = {
+      name: 'app2',
+      watcher: 'local',
+      labels: { 'dd.compose.file': '/opt/drydock/test/shared.yml' },
+    };
+
+    const processComposeFileSpy = vi.spyOn(trigger, 'processComposeFile').mockResolvedValue();
+
+    await trigger.triggerBatch([container1, container2]);
+
+    expect(processComposeFileSpy).toHaveBeenCalledTimes(1);
+    expect(processComposeFileSpy).toHaveBeenCalledWith('/opt/drydock/test/shared.yml', [
+      container1,
+      container2,
+    ]);
+  });
+
+  test('triggerBatch should only access each compose file once across containers sharing the same compose chain', async () => {
+    trigger.configuration.file = undefined;
+    fs.access.mockResolvedValue(undefined);
+
+    const sharedComposeLabels = {
+      'com.docker.compose.project.config_files':
+        '/opt/drydock/test/stack.yml,/opt/drydock/test/stack.override.yml',
+    };
+    const container1 = {
+      name: 'app1',
+      watcher: 'local',
+      labels: sharedComposeLabels,
+    };
+    const container2 = {
+      name: 'app2',
+      watcher: 'local',
+      labels: sharedComposeLabels,
+    };
+
+    const processComposeFileSpy = vi.spyOn(trigger, 'processComposeFile').mockResolvedValue();
+
+    await trigger.triggerBatch([container1, container2]);
+
+    expect(processComposeFileSpy).toHaveBeenCalledTimes(1);
+    expect(fs.access).toHaveBeenCalledTimes(2);
+    expect(fs.access).toHaveBeenCalledWith('/opt/drydock/test/stack.yml');
+    expect(fs.access).toHaveBeenCalledWith('/opt/drydock/test/stack.override.yml');
+  });
+
+  test('triggerBatch should only process containers matching configured compose file affinity', async () => {
+    trigger.configuration.file = '/opt/drydock/test/monitoring.yml';
+    fs.access.mockImplementation(async (composeFilePath) => {
+      if (`${composeFilePath}`.includes('/opt/drydock/test/mysql.yml')) {
+        const missingComposeError = new Error('ENOENT');
+        missingComposeError.code = 'ENOENT';
+        throw missingComposeError;
+      }
+      return undefined;
+    });
+
+    const monitoringContainer = {
+      name: 'monitoring-app',
+      watcher: 'local',
+      labels: { 'dd.compose.file': '/opt/drydock/test/monitoring.yml' },
+    };
+    const mysqlContainer = {
+      name: 'mysql-app',
+      watcher: 'local',
+      labels: { 'dd.compose.file': '/opt/drydock/test/mysql.yml' },
+    };
+
+    const processComposeFileSpy = vi.spyOn(trigger, 'processComposeFile').mockResolvedValue();
+
+    await trigger.triggerBatch([monitoringContainer, mysqlContainer]);
+
+    expect(processComposeFileSpy).toHaveBeenCalledTimes(1);
+    expect(processComposeFileSpy).toHaveBeenCalledWith('/opt/drydock/test/monitoring.yml', [
+      monitoringContainer,
+    ]);
+    expect(mockLog.warn).toHaveBeenCalledWith(
+      expect.stringContaining('do not match configured file'),
+    );
+  });
+
+  test('triggerBatch should resolve a configured compose directory to compose.yaml for affinity matching', async () => {
+    trigger.configuration.file = '/opt/drydock/stacks/filebrowser';
+    fs.stat.mockImplementation(async (candidatePath: string) => {
+      if (candidatePath === '/opt/drydock/stacks/filebrowser') {
+        return {
+          isDirectory: () => true,
+          mtimeMs: 1_700_000_000_000,
+        } as any;
+      }
+      return {
+        isDirectory: () => false,
+        mtimeMs: 1_700_000_000_000,
+      } as any;
+    });
+    fs.access.mockResolvedValue(undefined);
+
+    const container = {
+      name: 'filebrowser',
+      watcher: 'local',
+      labels: { 'dd.compose.file': '/opt/drydock/stacks/filebrowser/compose.yaml' },
+    };
+    const processComposeFileSpy = vi.spyOn(trigger, 'processComposeFile').mockResolvedValue(true);
+
+    await trigger.triggerBatch([container]);
+
+    expect(processComposeFileSpy).toHaveBeenCalledTimes(1);
+    expect(processComposeFileSpy).toHaveBeenCalledWith(
+      '/opt/drydock/stacks/filebrowser/compose.yaml',
+      [container],
+    );
+    expect(mockLog.warn).not.toHaveBeenCalledWith(
+      expect.stringContaining('do not match configured file'),
+    );
+  });
+
+  // -----------------------------------------------------------------------
+});
diff --git a/app/triggers/providers/dockercompose/Dockercompose.map-and-process-compose.test.ts b/app/triggers/providers/dockercompose/Dockercompose.map-and-process-compose.test.ts
new file mode 100644
index 000000000..2bf065206
--- /dev/null
+++ b/app/triggers/providers/dockercompose/Dockercompose.map-and-process-compose.test.ts
@@ -0,0 +1,1054 @@
+import { watch } from 'node:fs';
+import yaml from 'yaml';
+import { getState } from '../../../registry/index.js';
+import Dockercompose from './Dockercompose.js';
+import {
+  makeCompose,
+  makeContainer,
+  setupDockercomposeTestContext,
+  spyOnProcessComposeHelpers,
+} from './Dockercompose.test.helpers.js';
+
+vi.mock('../../../registry', () => ({
+  getState: vi.fn(),
+}));
+
+vi.mock('../../../event/index.js', () => ({
+  emitContainerUpdateApplied: vi.fn().mockResolvedValue(undefined),
+  emitContainerUpdateFailed: vi.fn().mockResolvedValue(undefined),
+  emitSecurityAlert: vi.fn().mockResolvedValue(undefined),
+  emitSelfUpdateStarting: vi.fn(),
+}));
+
+vi.mock('../../../model/container.js', async (importOriginal) => {
+  const actual = await importOriginal();
+  return {
+    ...actual,
+    fullName: vi.fn((c) => `test_${c.name}`),
+  };
+});
+
+vi.mock('../../../store/backup', () => ({
+  insertBackup: vi.fn(),
+  pruneOldBackups: vi.fn(),
+  getBackupsByName: vi.fn().mockReturnValue([]),
+}));
+
+// Modules used by the shared lifecycle (inherited from Docker trigger)
+vi.mock('../../../configuration/index.js', async () => {
+  const actual = await vi.importActual('../../../configuration/index.js');
+  return { ...actual, getSecurityConfiguration: vi.fn().mockReturnValue({ enabled: false }) };
+});
+vi.mock('../../../store/audit.js', () => ({ insertAudit: vi.fn() }));
+vi.mock('../../../prometheus/audit.js', () => ({ getAuditCounter: vi.fn().mockReturnValue(null) }));
+vi.mock('../../../security/scan.js', () => ({
+  scanImageForVulnerabilities: vi.fn(),
+  verifyImageSignature: vi.fn(),
+  generateImageSbom: vi.fn(),
+  clearDigestScanCache: vi.fn(),
+  getDigestScanCacheSize: vi.fn().mockReturnValue(0),
+  updateDigestScanCache: vi.fn(),
+  scanImageWithDedup: vi.fn(),
+}));
+vi.mock('../../../store/container.js', () => ({
+  getContainer: vi.fn(),
+  updateContainer: vi.fn(),
+  cacheSecurityState: vi.fn(),
+}));
+vi.mock('../../hooks/HookRunner.js', () => ({ runHook: vi.fn() }));
+vi.mock('../docker/HealthMonitor.js', () => ({ startHealthMonitor: vi.fn() }));
+
+vi.mock('node:fs', async (importOriginal) => {
+  const actual = await importOriginal();
+  return {
+    ...actual,
+    watch: vi.fn(),
+  };
+});
+
+vi.mock('../../../util/sleep.js', () => ({
+  sleep: vi.fn().mockResolvedValue(undefined),
+}));
+
+vi.mock('node:fs/promises', async (importOriginal) => {
+  const actual = await importOriginal();
+  return {
+    ...actual,
+    default: {
+      ...actual.default,
+      access: vi.fn().mockResolvedValue(undefined),
+      copyFile: vi.fn().mockResolvedValue(undefined),
+      readFile: vi.fn().mockResolvedValue(Buffer.from('')),
+      writeFile: vi.fn().mockResolvedValue(undefined),
+      rename: vi.fn().mockResolvedValue(undefined),
+      unlink: vi.fn().mockResolvedValue(undefined),
+      stat: vi.fn().mockResolvedValue({ mtimeMs: Date.now() }),
+    },
+    access: vi.fn().mockResolvedValue(undefined),
+    copyFile: vi.fn().mockResolvedValue(undefined),
+    readFile: vi.fn().mockResolvedValue(Buffer.from('')),
+    writeFile: vi.fn().mockResolvedValue(undefined),
+    rename: vi.fn().mockResolvedValue(undefined),
+    unlink: vi.fn().mockResolvedValue(undefined),
+    stat: vi.fn().mockResolvedValue({ mtimeMs: Date.now() }),
+  };
+});
+
+describe('Dockercompose Trigger', () => {
+  let trigger;
+  let mockLog;
+  let mockDockerApi;
+
+  beforeEach(() => {
+    ({ trigger, mockLog, mockDockerApi } = setupDockercomposeTestContext({
+      DockercomposeCtor: Dockercompose,
+      watchMock: watch,
+      getStateMock: getState,
+    }));
+  });
+
+  // mapCurrentVersionToUpdateVersion
+  // -----------------------------------------------------------------------
+
+  test('mapCurrentVersionToUpdateVersion should ignore services without image', () => {
+    const compose = makeCompose({
+      dd: { environment: ['DD_TRIGGER_DOCKERCOMPOSE_BASE_AUTO=false'] },
+      portainer: { image: 'portainer/portainer-ce:2.27.4' },
+    });
+    const container = makeContainer({
+      name: 'portainer',
+      imageName: 'portainer/portainer-ce',
+      tagValue: '2.27.4',
+      remoteValue: '2.27.5',
+    });
+
+    const result = trigger.mapCurrentVersionToUpdateVersion(compose, container);
+
+    expect(result).toEqual({
+      service: 'portainer',
+      current: 'portainer/portainer-ce:2.27.4',
+      update: 'portainer/portainer-ce:2.27.5',
+      currentNormalized: 'portainer/portainer-ce:2.27.4',
+      updateNormalized: 'portainer/portainer-ce:2.27.5',
+    });
+  });
+
+  test('mapCurrentVersionToUpdateVersion should prefer compose service label', () => {
+    const compose = makeCompose({
+      alpha: { image: 'nginx:1.0.0' },
+      beta: { image: 'nginx:1.0.0' },
+    });
+    const container = makeContainer({
+      labels: { 'com.docker.compose.service': 'beta' },
+    });
+
+    const result = trigger.mapCurrentVersionToUpdateVersion(compose, container);
+
+    expect(result?.service).toBe('beta');
+  });
+
+  test('mapCurrentVersionToUpdateVersion should not fall back to image matching when compose service label is unknown', () => {
+    const compose = makeCompose({
+      nginx: { image: 'nginx:1.0.0' },
+    });
+    const container = makeContainer({
+      labels: {
+        'com.docker.compose.project': 'other-stack',
+        'com.docker.compose.service': 'unknown-service',
+      },
+    });
+
+    const result = trigger.mapCurrentVersionToUpdateVersion(compose, container);
+
+    expect(result).toBeUndefined();
+    expect(mockLog.warn).toHaveBeenCalledWith(expect.stringContaining('Could not find service'));
+  });
+
+  test('mapCurrentVersionToUpdateVersion should not fall back to image matching when compose identity labels exist without a service label', () => {
+    const compose = makeCompose({
+      nginx: { image: 'nginx:1.0.0' },
+    });
+    const container = makeContainer({
+      labels: {
+        'com.docker.compose.project': 'other-stack',
+      },
+    });
+
+    const result = trigger.mapCurrentVersionToUpdateVersion(compose, container);
+
+    expect(result).toBeUndefined();
+    expect(mockLog.warn).toHaveBeenCalledWith(expect.stringContaining('Could not find service'));
+  });
+
+  test('mapCurrentVersionToUpdateVersion should return undefined when service not found', () => {
+    const compose = makeCompose({ redis: { image: 'redis:7.0.0' } });
+    const container = makeContainer();
+
+    const result = trigger.mapCurrentVersionToUpdateVersion(compose, container);
+
+    expect(result).toBeUndefined();
+    expect(mockLog.warn).toHaveBeenCalledWith(expect.stringContaining('Could not find service'));
+  });
+
+  test('mapCurrentVersionToUpdateVersion should return undefined when service has no image', () => {
+    const compose = makeCompose({ nginx: { build: './nginx' } });
+    const container = makeContainer({
+      labels: { 'com.docker.compose.service': 'nginx' },
+    });
+
+    const result = trigger.mapCurrentVersionToUpdateVersion(compose, container);
+
+    expect(result).toBeUndefined();
+    expect(mockLog.warn).toHaveBeenCalledWith(expect.stringContaining('image is missing'));
+  });
+
+  // -----------------------------------------------------------------------
+  // processComposeFile
+  // -----------------------------------------------------------------------
+
+  test('processComposeFile should not fail when compose has partial services', async () => {
+    const container = makeContainer({
+      name: 'portainer',
+      imageName: 'portainer/portainer-ce',
+      tagValue: '2.27.4',
+      remoteValue: '2.27.5',
+    });
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({
+        dd: { environment: ['DD_TRIGGER_DOCKERCOMPOSE_BASE_AUTO=false'] },
+        portainer: { image: 'portainer/portainer-ce:2.27.4' },
+      }),
+    );
+
+    const composeUpdateSpy = vi.spyOn(trigger, 'updateContainerWithCompose').mockResolvedValue();
+
+    await trigger.processComposeFile('/opt/drydock/test/portainer.yml', [container]);
+
+    expect(composeUpdateSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/portainer.yml',
+      'portainer',
+      container,
+      expect.objectContaining({
+        runtimeContext: expect.objectContaining({
+          dockerApi: mockDockerApi,
+        }),
+      }),
+    );
+  });
+
+  test('processComposeFile should trigger both tag and digest updates', async () => {
+    const tagContainer = makeContainer({ name: 'nginx' });
+    const digestContainer = makeContainer({
+      name: 'redis',
+      imageName: 'redis',
+      tagValue: '7.0.0',
+      updateKind: 'digest',
+      remoteValue: 'sha256:deadbeef',
+    });
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({
+        nginx: { image: 'nginx:1.0.0' },
+        redis: { image: 'redis:7.0.0' },
+      }),
+    );
+
+    const composeUpdateSpy = vi.spyOn(trigger, 'updateContainerWithCompose').mockResolvedValue();
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [
+      tagContainer,
+      digestContainer,
+    ]);
+
+    expect(composeUpdateSpy).toHaveBeenCalledTimes(2);
+    expect(composeUpdateSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/stack.yml',
+      'nginx',
+      tagContainer,
+      expect.objectContaining({
+        runtimeContext: expect.objectContaining({
+          dockerApi: mockDockerApi,
+        }),
+      }),
+    );
+    expect(composeUpdateSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/stack.yml',
+      'redis',
+      digestContainer,
+      expect.objectContaining({
+        runtimeContext: expect.objectContaining({
+          dockerApi: mockDockerApi,
+        }),
+      }),
+    );
+  });
+
+  test('processComposeFile should trigger digest-only updates even in dryrun mode', async () => {
+    const container = makeContainer({
+      name: 'redis',
+      imageName: 'redis',
+      tagValue: '7.0.0',
+      updateKind: 'digest',
+      remoteValue: 'sha256:deadbeef',
+    });
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ redis: { image: 'redis:7.0.0' } }),
+    );
+
+    const { getComposeFileSpy, writeComposeFileSpy, composeUpdateSpy } =
+      spyOnProcessComposeHelpers(trigger);
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [container]);
+
+    expect(getComposeFileSpy).not.toHaveBeenCalled();
+    expect(writeComposeFileSpy).not.toHaveBeenCalled();
+    expect(composeUpdateSpy).toHaveBeenCalledTimes(1);
+    expect(composeUpdateSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/stack.yml',
+      'redis',
+      container,
+      expect.objectContaining({
+        runtimeContext: expect.objectContaining({
+          dockerApi: mockDockerApi,
+        }),
+      }),
+    );
+  });
+
+  test('processComposeFile should skip compose writes but still trigger digest-only updates', async () => {
+    trigger.configuration.dryrun = false;
+    const container = makeContainer({
+      name: 'redis',
+      imageName: 'redis',
+      tagValue: '7.0.0',
+      updateKind: 'digest',
+      remoteValue: 'sha256:deadbeef',
+    });
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ redis: { image: 'redis:7.0.0' } }),
+    );
+
+    const { getComposeFileSpy, writeComposeFileSpy, composeUpdateSpy } =
+      spyOnProcessComposeHelpers(trigger);
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [container]);
+
+    expect(getComposeFileSpy).not.toHaveBeenCalled();
+    expect(writeComposeFileSpy).not.toHaveBeenCalled();
+    expect(composeUpdateSpy).toHaveBeenCalledTimes(1);
+    expect(composeUpdateSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/stack.yml',
+      'redis',
+      container,
+      expect.objectContaining({
+        runtimeContext: expect.objectContaining({
+          dockerApi: mockDockerApi,
+        }),
+      }),
+    );
+  });
+
+  test('processComposeFile should trigger digest update when compose image uses implicit latest', async () => {
+    trigger.configuration.dryrun = false;
+    const container = makeContainer({
+      tagValue: 'latest',
+      updateKind: 'digest',
+      remoteValue: 'sha256:deadbeef',
+    });
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: { image: 'nginx' } }),
+    );
+
+    const { getComposeFileSpy, writeComposeFileSpy, composeUpdateSpy } =
+      spyOnProcessComposeHelpers(trigger);
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [container]);
+
+    expect(getComposeFileSpy).not.toHaveBeenCalled();
+    expect(writeComposeFileSpy).not.toHaveBeenCalled();
+    expect(composeUpdateSpy).toHaveBeenCalledTimes(1);
+    expect(composeUpdateSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/stack.yml',
+      'nginx',
+      container,
+      expect.objectContaining({
+        runtimeContext: expect.objectContaining({
+          dockerApi: mockDockerApi,
+        }),
+      }),
+    );
+  });
+
+  test('processComposeFile should write digest-pinned image when digest pinning is enabled', async () => {
+    trigger.configuration.dryrun = false;
+    trigger.configuration.backup = false;
+    trigger.configuration.digestPinning = true;
+
+    const container = makeContainer({
+      tagValue: '1.0.0',
+      remoteValue: '1.1.0',
+      result: { digest: 'sha256:deadbeef' },
+    });
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: { image: 'nginx:1.0.0' } }),
+    );
+
+    const { writeComposeFileSpy } = spyOnProcessComposeHelpers(trigger);
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [container]);
+
+    expect(writeComposeFileSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/stack.yml',
+      expect.stringContaining('image: nginx@sha256:deadbeef'),
+    );
+    expect(writeComposeFileSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/stack.yml',
+      expect.not.stringContaining('image: nginx:1.1.0'),
+    );
+  });
+
+  test('processComposeFile should trigger runtime update when update kind is unknown but update is available', async () => {
+    trigger.configuration.dryrun = false;
+    const container = makeContainer({
+      name: 'filebrowser',
+      imageName: 'filebrowser/filebrowser',
+      tagValue: 'v2.59.0-s6',
+      updateKind: 'unknown',
+      remoteValue: null,
+      updateAvailable: true,
+    });
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ filebrowser: { image: 'filebrowser/filebrowser:v2.59.0-s6' } }),
+    );
+
+    const { getComposeFileSpy, writeComposeFileSpy, composeUpdateSpy } =
+      spyOnProcessComposeHelpers(trigger);
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [container]);
+
+    expect(getComposeFileSpy).not.toHaveBeenCalled();
+    expect(writeComposeFileSpy).not.toHaveBeenCalled();
+    expect(composeUpdateSpy).toHaveBeenCalledTimes(1);
+    expect(composeUpdateSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/stack.yml',
+      'filebrowser',
+      container,
+      expect.objectContaining({
+        runtimeContext: expect.objectContaining({
+          dockerApi: mockDockerApi,
+        }),
+      }),
+    );
+  });
+
+  test('processComposeFile should report when all mapped containers are already up to date', async () => {
+    trigger.configuration.dryrun = false;
+    const container = makeContainer({
+      tagValue: '1.0.0',
+      remoteValue: '1.0.0',
+      updateAvailable: false,
+    });
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: { image: 'nginx:1.0.0' } }),
+    );
+
+    const { writeComposeFileSpy, composeUpdateSpy } = spyOnProcessComposeHelpers(trigger);
+
+    const updated = await trigger.processComposeFile('/opt/drydock/test/stack.yml', [container]);
+
+    expect(updated).toBe(false);
+    expect(mockLog.info).toHaveBeenCalledWith(expect.stringContaining('already up to date'));
+    expect(writeComposeFileSpy).not.toHaveBeenCalled();
+    expect(composeUpdateSpy).not.toHaveBeenCalled();
+  });
+
+  test('processComposeFile should warn when no containers belong to compose', async () => {
+    const container = makeContainer({
+      name: 'unknown',
+      imageName: 'unknown-image',
+    });
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: { image: 'nginx:1.0.0' } }),
+    );
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [container]);
+
+    expect(mockLog.warn).toHaveBeenCalledWith(expect.stringContaining('No containers found'));
+    expect(mockLog.warn).toHaveBeenCalledWith(expect.stringContaining('not found in compose file'));
+  });
+
+  test('processComposeFile should warn and continue on compose/runtime reconciliation mismatch by default', async () => {
+    trigger.configuration.dryrun = false;
+    trigger.configuration.backup = false;
+
+    const container = makeContainer({
+      tagValue: '1.0.0',
+      remoteValue: '1.1.0',
+      labels: { 'com.docker.compose.service': 'nginx' },
+    });
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: { image: 'nginx:2.0.0' } }),
+    );
+
+    const { composeUpdateSpy } = spyOnProcessComposeHelpers(trigger);
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [container]);
+
+    expect(mockLog.warn).toHaveBeenCalledWith(
+      expect.stringContaining('Compose reconciliation mismatch'),
+    );
+    expect(composeUpdateSpy).toHaveBeenCalledTimes(1);
+  });
+
+  test('processComposeFile should block updates on compose/runtime reconciliation mismatch when configured', async () => {
+    trigger.configuration.dryrun = false;
+    trigger.configuration.backup = false;
+    trigger.configuration.reconciliationMode = 'block';
+
+    const container = makeContainer({
+      tagValue: '1.0.0',
+      remoteValue: '1.1.0',
+      labels: { 'com.docker.compose.service': 'nginx' },
+    });
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: { image: 'nginx:2.0.0' } }),
+    );
+
+    const { writeComposeFileSpy, composeUpdateSpy } = spyOnProcessComposeHelpers(trigger);
+
+    await expect(
+      trigger.processComposeFile('/opt/drydock/test/stack.yml', [container]),
+    ).rejects.toThrow('Compose reconciliation mismatch');
+
+    expect(writeComposeFileSpy).not.toHaveBeenCalled();
+    expect(composeUpdateSpy).not.toHaveBeenCalled();
+  });
+
+  test('processComposeFile should backup and write when not in dryrun mode', async () => {
+    trigger.configuration.dryrun = false;
+    trigger.configuration.backup = true;
+
+    const container = makeContainer();
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: { image: 'nginx:1.0.0' } }),
+    );
+
+    const { backupSpy, writeComposeFileSpy } = spyOnProcessComposeHelpers(trigger);
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [container]);
+
+    expect(backupSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/stack.yml',
+      '/opt/drydock/test/stack.yml.back',
+    );
+    expect(writeComposeFileSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/stack.yml',
+      expect.stringContaining('image: nginx:1.1.0'),
+    );
+    expect(writeComposeFileSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/stack.yml',
+      expect.not.stringContaining('image: nginx:1.0.0'),
+    );
+  });
+
+  test('processComposeFile should only patch target image field and keep other matching strings unchanged', async () => {
+    trigger.configuration.dryrun = false;
+    trigger.configuration.backup = false;
+
+    const container = makeContainer();
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: { image: 'nginx:1.0.0' } }),
+    );
+
+    const composeWithOtherImageStrings = [
+      'services:',
+      '  nginx:',
+      '    image: nginx:1.0.0',
+      '    environment:',
+      '      - MIRROR_IMAGE=nginx:1.0.0',
+      '',
+    ].join('\n');
+    const { writeComposeFileSpy } = spyOnProcessComposeHelpers(
+      trigger,
+      composeWithOtherImageStrings,
+    );
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [container]);
+
+    const [, updatedCompose] = writeComposeFileSpy.mock.calls[0];
+    expect(updatedCompose).toContain('    image: nginx:1.1.0');
+    expect(updatedCompose).toContain('MIRROR_IMAGE=nginx:1.0.0');
+  });
+
+  test('processComposeFile should not rewrite matching image strings in comments or env vars', async () => {
+    trigger.configuration.dryrun = false;
+    trigger.configuration.backup = false;
+
+    const container = makeContainer();
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: { image: 'nginx:1.0.0' } }),
+    );
+
+    const composeWithCommentsAndEnv = [
+      'services:',
+      '  nginx:',
+      '    image: nginx:1.0.0',
+      '    # do not touch: nginx:1.0.0',
+      '    environment:',
+      '      - MIRROR_IMAGE=nginx:1.0.0',
+      '      - COMMENT_IMAGE=nginx:1.0.0 # note',
+      '',
+    ].join('\n');
+    const { writeComposeFileSpy } = spyOnProcessComposeHelpers(trigger, composeWithCommentsAndEnv);
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [container]);
+
+    const [, updatedCompose] = writeComposeFileSpy.mock.calls[0];
+    expect(updatedCompose).toContain('    image: nginx:1.1.0');
+    expect(updatedCompose).toContain('# do not touch: nginx:1.0.0');
+    expect(updatedCompose).toContain('MIRROR_IMAGE=nginx:1.0.0');
+    expect(updatedCompose).toContain('COMMENT_IMAGE=nginx:1.0.0 # note');
+  });
+
+  test('processComposeFile should preserve commented-out fields in compose file', async () => {
+    trigger.configuration.dryrun = false;
+    trigger.configuration.backup = false;
+
+    const container = makeContainer();
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: { image: 'nginx:1.0.0' } }),
+    );
+
+    const composeWithComments = [
+      '# My production stack',
+      'services:',
+      '  nginx:',
+      '    image: nginx:1.0.0',
+      '    # ports:',
+      '    #   - "8080:80"',
+      '    # volumes:',
+      '    #   - ./html:/usr/share/nginx/html',
+      '    environment:',
+      '      - NGINX_PORT=80',
+      '  redis:',
+      '    image: redis:7.0.0',
+      '',
+    ].join('\n');
+    const { writeComposeFileSpy } = spyOnProcessComposeHelpers(trigger, composeWithComments);
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [container]);
+
+    const [, updatedCompose] = writeComposeFileSpy.mock.calls[0];
+    expect(updatedCompose).toContain('# My production stack');
+    expect(updatedCompose).toContain('    image: nginx:1.1.0');
+    expect(updatedCompose).toContain('    # ports:');
+    expect(updatedCompose).toContain('    #   - "8080:80"');
+    expect(updatedCompose).toContain('    # volumes:');
+    expect(updatedCompose).toContain('    #   - ./html:/usr/share/nginx/html');
+    expect(updatedCompose).toContain('    environment:');
+    expect(updatedCompose).toContain('    image: redis:7.0.0');
+  });
+
+  test('processComposeFile should fail when the same service resolves to conflicting image updates', async () => {
+    trigger.configuration.dryrun = false;
+    trigger.configuration.backup = false;
+
+    const containerA = makeContainer({
+      name: 'nginx-a',
+      remoteValue: '1.1.0',
+      labels: { 'com.docker.compose.service': 'nginx' },
+    });
+    const containerB = makeContainer({
+      name: 'nginx-b',
+      remoteValue: '1.2.0',
+      labels: { 'com.docker.compose.service': 'nginx' },
+    });
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: { image: 'nginx:1.0.0' } }),
+    );
+
+    const { writeComposeFileSpy, composeUpdateSpy } = spyOnProcessComposeHelpers(trigger);
+
+    await expect(
+      trigger.processComposeFile('/opt/drydock/test/stack.yml', [containerA, containerB]),
+    ).rejects.toThrow('Conflicting compose image updates for service nginx');
+
+    expect(writeComposeFileSpy).not.toHaveBeenCalled();
+    expect(composeUpdateSpy).not.toHaveBeenCalled();
+  });
+
+  test('processComposeFile should return original compose text when computed service updates map is empty', async () => {
+    trigger.configuration.dryrun = false;
+    trigger.configuration.backup = false;
+
+    const container = makeContainer();
+    const composeFileText = ['services:', '  nginx:', '    image: nginx:1.0.0', ''].join('\n');
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: { image: 'nginx:1.0.0' } }),
+    );
+    vi.spyOn(trigger, 'buildComposeServiceImageUpdates').mockReturnValue(new Map());
+    vi.spyOn(trigger, 'getComposeFile').mockResolvedValue(Buffer.from(composeFileText));
+    const writeComposeFileSpy = vi.spyOn(trigger, 'writeComposeFile').mockResolvedValue();
+    const runLifecycleSpy = vi
+      .spyOn(trigger, 'runContainerUpdateLifecycle')
+      .mockResolvedValue(undefined);
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [container]);
+
+    expect(writeComposeFileSpy).not.toHaveBeenCalled();
+    expect(runLifecycleSpy).toHaveBeenCalledTimes(1);
+  });
+
+  test('processComposeFile should parse compose text when cached compose document is unavailable', async () => {
+    trigger.configuration.dryrun = false;
+    trigger.configuration.backup = false;
+
+    const container = makeContainer();
+    const composeFileText = ['services:', '  nginx:', '    image: nginx:1.0.0', ''].join('\n');
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: { image: 'nginx:1.0.0' } }),
+    );
+    vi.spyOn(trigger, 'getComposeFile').mockResolvedValue(Buffer.from(composeFileText));
+    vi.spyOn(trigger, 'getCachedComposeDocument').mockReturnValue(null);
+    const writeComposeFileSpy = vi.spyOn(trigger, 'writeComposeFile').mockResolvedValue();
+    const runLifecycleSpy = vi
+      .spyOn(trigger, 'runContainerUpdateLifecycle')
+      .mockResolvedValue(undefined);
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [container]);
+
+    expect(writeComposeFileSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/stack.yml',
+      expect.stringContaining('image: nginx:1.1.0'),
+    );
+    expect(runLifecycleSpy).toHaveBeenCalledTimes(1);
+  });
+
+  test('processComposeFile should fail when computed compose edits overlap', async () => {
+    trigger.configuration.dryrun = false;
+    trigger.configuration.backup = false;
+
+    const nginxContainer = makeContainer();
+    const redisContainer = makeContainer({
+      name: 'redis',
+      imageName: 'redis',
+      tagValue: '7.0.0',
+      remoteValue: '7.1.0',
+    });
+    const composeFileText = [
+      'services:',
+      '  nginx:',
+      '    image: nginx:1.0.0',
+      '  redis:',
+      '    image: redis:7.0.0',
+      '',
+    ].join('\n');
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({
+        nginx: { image: 'nginx:1.0.0' },
+        redis: { image: 'redis:7.0.0' },
+      }),
+    );
+    vi.spyOn(trigger, 'getComposeFile').mockResolvedValue(Buffer.from(composeFileText));
+
+    const overlappingDoc = yaml.parseDocument(composeFileText, {
+      keepSourceTokens: true,
+      maxAliasCount: 10_000,
+    });
+    const servicesNode: any = overlappingDoc.get('services', true);
+    const findImageValueNode = (serviceName: string) => {
+      const servicePair = servicesNode.items.find((pair: any) => pair.key?.value === serviceName);
+      return servicePair.value.items.find((pair: any) => pair.key?.value === 'image').value;
+    };
+    const nginxImageValueNode: any = findImageValueNode('nginx');
+    const redisImageValueNode: any = findImageValueNode('redis');
+
+    // Force equal start offsets with different end offsets to create deterministic overlap.
+    nginxImageValueNode.range[0] = redisImageValueNode.range[0];
+    nginxImageValueNode.range[1] = redisImageValueNode.range[0] + 1;
+
+    vi.spyOn(trigger, 'getCachedComposeDocument').mockReturnValue(overlappingDoc);
+    const writeComposeFileSpy = vi.spyOn(trigger, 'writeComposeFile').mockResolvedValue();
+    const runLifecycleSpy = vi
+      .spyOn(trigger, 'runContainerUpdateLifecycle')
+      .mockResolvedValue(undefined);
+
+    await expect(
+      trigger.processComposeFile('/opt/drydock/test/stack.yml', [nginxContainer, redisContainer]),
+    ).rejects.toThrow('Unable to apply overlapping compose edits');
+
+    expect(writeComposeFileSpy).not.toHaveBeenCalled();
+    expect(runLifecycleSpy).not.toHaveBeenCalled();
+  });
+
+  test('processComposeFile should not backup when backup is false', async () => {
+    trigger.configuration.dryrun = false;
+    trigger.configuration.backup = false;
+
+    const container = makeContainer();
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: { image: 'nginx:1.0.0' } }),
+    );
+
+    const { backupSpy } = spyOnProcessComposeHelpers(trigger);
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [container]);
+
+    expect(backupSpy).not.toHaveBeenCalled();
+  });
+
+  test('processComposeFile should run post-start hooks for updated services', async () => {
+    trigger.configuration.dryrun = false;
+    trigger.configuration.backup = false;
+
+    const container = makeContainer();
+    const serviceDefinition = {
+      image: 'nginx:1.0.0',
+      post_start: ['echo done'],
+    };
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: serviceDefinition }),
+    );
+
+    const { hooksSpy } = spyOnProcessComposeHelpers(trigger);
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [container]);
+
+    expect(hooksSpy).toHaveBeenCalledWith(container, 'nginx', serviceDefinition);
+  });
+
+  test('processComposeFile should pass compose context through update lifecycle', async () => {
+    trigger.configuration.dryrun = false;
+    trigger.configuration.backup = false;
+
+    const container = makeContainer();
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: { image: 'nginx:1.0.0' } }),
+    );
+    vi.spyOn(trigger, 'getComposeFile').mockResolvedValue(
+      Buffer.from(['services:', '  nginx:', '    image: nginx:1.0.0', ''].join('\n')),
+    );
+    vi.spyOn(trigger, 'writeComposeFile').mockResolvedValue();
+    const runLifecycleSpy = vi
+      .spyOn(trigger, 'runContainerUpdateLifecycle')
+      .mockResolvedValue(undefined);
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [container]);
+
+    expect(runLifecycleSpy).toHaveBeenCalledWith(
+      container,
+      expect.objectContaining({
+        composeFile: '/opt/drydock/test/stack.yml',
+        service: 'nginx',
+        serviceDefinition: expect.objectContaining({ image: 'nginx:1.0.0' }),
+      }),
+    );
+  });
+
+  test('processComposeFile should filter out containers where mapCurrentVersionToUpdateVersion returns undefined', async () => {
+    trigger.configuration.dryrun = false;
+
+    const container1 = makeContainer();
+    const container2 = makeContainer({
+      name: 'unknown-container',
+      imageName: 'unknown',
+    });
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: { image: 'nginx:1.0.0' } }),
+    );
+
+    const { composeUpdateSpy } = spyOnProcessComposeHelpers(trigger);
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [container1, container2]);
+
+    expect(composeUpdateSpy).toHaveBeenCalledTimes(1);
+    expect(composeUpdateSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/stack.yml',
+      'nginx',
+      container1,
+      expect.objectContaining({
+        runtimeContext: expect.objectContaining({
+          dockerApi: mockDockerApi,
+        }),
+      }),
+    );
+  });
+
+  test('processComposeFile should ignore containers with unknown compose service labels even when image matches', async () => {
+    trigger.configuration.dryrun = false;
+
+    const containerInProject = makeContainer({
+      name: 'nginx-main',
+      labels: {
+        'com.docker.compose.project': 'main-stack',
+        'com.docker.compose.service': 'nginx',
+      },
+    });
+    const containerFromOtherProject = makeContainer({
+      name: 'nginx-other',
+      labels: {
+        'com.docker.compose.project': 'other-stack',
+        'com.docker.compose.service': 'unknown-service',
+      },
+    });
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: { image: 'nginx:1.0.0' } }),
+    );
+
+    const { composeUpdateSpy } = spyOnProcessComposeHelpers(trigger);
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [
+      containerInProject,
+      containerFromOtherProject,
+    ]);
+
+    expect(composeUpdateSpy).toHaveBeenCalledTimes(1);
+    expect(composeUpdateSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/stack.yml',
+      'nginx',
+      containerInProject,
+      expect.objectContaining({
+        runtimeContext: expect.objectContaining({
+          dockerApi: mockDockerApi,
+        }),
+      }),
+    );
+  });
+
+  test('processComposeFile should handle digest images with @ in compose file', async () => {
+    trigger.configuration.dryrun = false;
+    trigger.configuration.backup = false;
+
+    const container = makeContainer({ tagValue: 'latest' });
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: { image: 'nginx@sha256:abc123' } }),
+    );
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [container]);
+
+    expect(mockLog.warn).toHaveBeenCalledWith(expect.stringContaining('No containers found'));
+  });
+
+  test('processComposeFile should handle null image in mapCurrentVersionToUpdateVersion', async () => {
+    trigger.configuration.dryrun = false;
+
+    const container = makeContainer({
+      labels: { 'com.docker.compose.service': 'nginx' },
+    });
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: { build: './nginx' } }),
+    );
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [container]);
+
+    expect(mockLog.warn).toHaveBeenCalledWith(expect.stringContaining('image is missing'));
+  });
+
+  test('processComposeFile should treat image with digest reference as up to date', async () => {
+    trigger.configuration.dryrun = false;
+    const container = makeContainer({
+      tagValue: 'latest',
+      updateKind: 'digest',
+      remoteValue: 'sha256:deadbeef',
+    });
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: { image: 'nginx@sha256:abc123' } }),
+    );
+
+    const composeUpdateSpy = vi.spyOn(trigger, 'updateContainerWithCompose').mockResolvedValue();
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [container]);
+
+    expect(mockLog.warn).toHaveBeenCalledWith(expect.stringContaining('No containers found'));
+    expect(composeUpdateSpy).not.toHaveBeenCalled();
+  });
+
+  test('processComposeFile should not trigger container updates when compose file write fails', async () => {
+    trigger.configuration.dryrun = false;
+    trigger.configuration.backup = false;
+
+    const container = makeContainer();
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: { image: 'nginx:1.0.0' } }),
+    );
+
+    vi.spyOn(trigger, 'getComposeFile').mockResolvedValue(
+      Buffer.from(['services:', '  nginx:', '    image: nginx:1.0.0', ''].join('\n')),
+    );
+    vi.spyOn(trigger, 'writeComposeFile').mockRejectedValue(new Error('disk full'));
+    const composeUpdateSpy = vi.spyOn(trigger, 'updateContainerWithCompose').mockResolvedValue();
+    const hooksSpy = vi.spyOn(trigger, 'runServicePostStartHooks').mockResolvedValue();
+
+    await expect(
+      trigger.processComposeFile('/opt/drydock/test/stack.yml', [container]),
+    ).rejects.toThrow('disk full');
+
+    expect(composeUpdateSpy).not.toHaveBeenCalled();
+    expect(hooksSpy).not.toHaveBeenCalled();
+  });
+
+  test('processComposeFile should handle mapCurrentVersionToUpdateVersion returning undefined', async () => {
+    trigger.configuration.dryrun = false;
+
+    const container1 = makeContainer({
+      labels: { 'com.docker.compose.service': 'nginx' },
+    });
+    const container2 = makeContainer({
+      name: 'redis',
+      imageName: 'redis',
+      tagValue: '7.0.0',
+      remoteValue: '7.1.0',
+      labels: { 'com.docker.compose.service': 'redis' },
+    });
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({
+        nginx: { image: 'nginx:1.0.0' },
+        redis: { build: './redis' },
+      }),
+    );
+
+    const { composeUpdateSpy } = spyOnProcessComposeHelpers(trigger);
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [container1, container2]);
+
+    expect(composeUpdateSpy).toHaveBeenCalledTimes(1);
+    expect(composeUpdateSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/stack.yml',
+      'nginx',
+      container1,
+      expect.objectContaining({
+        runtimeContext: expect.objectContaining({
+          dockerApi: mockDockerApi,
+        }),
+      }),
+    );
+  });
+});
diff --git a/app/triggers/providers/dockercompose/Dockercompose.test.helpers.ts b/app/triggers/providers/dockercompose/Dockercompose.test.helpers.ts
new file mode 100644
index 000000000..9b1cc3702
--- /dev/null
+++ b/app/triggers/providers/dockercompose/Dockercompose.test.helpers.ts
@@ -0,0 +1,260 @@
+import { EventEmitter } from 'node:events';
+// ---------------------------------------------------------------------------
+// Factory helpers to eliminate repeated object literals
+// ---------------------------------------------------------------------------
+
+/**
+ * Build a container object for tests. Only the fields that vary need to be
+ * supplied; sensible defaults cover the rest.
+ */
+export function makeContainer(overrides: Record<string, unknown> = {}) {
+  const {
+    name = 'nginx',
+    imageName = 'nginx',
+    registryName = 'hub',
+    tagValue = '1.0.0',
+    updateKind = 'tag',
+    remoteValue = '1.1.0',
+    labels,
+    watcher = 'local',
+    ...rest
+  } = overrides as any;
+
+  const container: Record<string, unknown> = {
+    name,
+    watcher,
+    image: {
+      name: imageName,
+      registry: { name: registryName },
+      tag: { value: tagValue },
+    },
+    updateKind: {
+      kind: updateKind,
+      remoteValue,
+      localValue: tagValue,
+    },
+    ...rest,
+  };
+
+  if (labels !== undefined) container.labels = labels;
+
+  return container;
+}
+
+/**
+ * Build a compose object with the given services map.
+ */
+export function makeCompose(services: Record<string, unknown>) {
+  return { services };
+}
+
+/**
+ * Create the trio of mock objects needed to simulate Docker exec inside a
+ * running container: the EventEmitter stream, the exec handle, and the
+ * container itself.
+ *
+ * @param exitCode  - exit code returned by exec.inspect() (default 0)
+ * @param streamEvent - event emitted by the stream to signal completion
+ *                      (default 'close')
+ * @param streamError - if provided, the stream emits an 'error' with this
+ * @param hasResume  - whether the stream has a resume() method (default true)
+ * @param hasOnce    - whether the stream is a real EventEmitter (default true)
+ */
+export function makeExecMocks({
+  exitCode = 0,
+  streamEvent = 'close',
+  streamError = undefined as Error | undefined,
+  hasResume = true,
+  hasOnce = true,
+} = {}) {
+  let startStream: any;
+  if (hasOnce) {
+    startStream = new EventEmitter();
+    if (hasResume) {
+      startStream.resume = vi.fn();
+    }
+  } else {
+    // Plain object without EventEmitter – exercises the "no once" branch
+    startStream = {};
+  }
+
+  const mockExec = {
+    start: vi.fn().mockImplementation(async () => {
+      if (hasOnce) {
+        setImmediate(() => {
+          if (streamError) {
+            startStream.emit('error', streamError);
+          } else {
+            startStream.emit(streamEvent);
+          }
+        });
+      }
+      return startStream;
+    }),
+    inspect: vi.fn().mockResolvedValue({ ExitCode: exitCode }),
+  };
+
+  const recreatedContainer = {
+    inspect: vi.fn().mockResolvedValue({
+      State: { Running: true },
+    }),
+    exec: vi.fn().mockResolvedValue(mockExec),
+  };
+
+  return { startStream, mockExec, recreatedContainer };
+}
+
+export function makeDockerContainerHandle({
+  running = true,
+  image = 'nginx:1.0.0',
+  id = 'container-id',
+  name = 'nginx',
+  autoRemove = false,
+} = {}) {
+  return {
+    id,
+    inspect: vi.fn().mockResolvedValue({
+      Id: id,
+      Name: `/${name}`,
+      Config: {
+        Image: image,
+        Env: [],
+        Labels: {},
+      },
+      HostConfig: {
+        AutoRemove: autoRemove,
+      },
+      NetworkSettings: {
+        Networks: {},
+      },
+      State: { Running: running },
+    }),
+    stop: vi.fn().mockResolvedValue(undefined),
+    remove: vi.fn().mockResolvedValue(undefined),
+    wait: vi.fn().mockResolvedValue(undefined),
+  };
+}
+
+/**
+ * Set up the common spies used by processComposeFile tests that exercise
+ * the write / trigger / hooks path.
+ */
+export function spyOnProcessComposeHelpers(
+  triggerInstance,
+  composeFileContent = [
+    'services:',
+    '  nginx:',
+    '    image: nginx:1.0.0',
+    '  redis:',
+    '    image: redis:7.0.0',
+    '  filebrowser:',
+    '    image: filebrowser/filebrowser:v2.59.0-s6',
+    '  drydock:',
+    '    image: codeswhat/drydock:1.0.0',
+    '',
+  ].join('\n'),
+) {
+  const getComposeFileSpy = vi
+    .spyOn(triggerInstance, 'getComposeFile')
+    .mockResolvedValue(Buffer.from(composeFileContent));
+  const writeComposeFileSpy = vi.spyOn(triggerInstance, 'writeComposeFile').mockResolvedValue();
+  const composeUpdateSpy = vi
+    .spyOn(triggerInstance, 'updateContainerWithCompose')
+    .mockResolvedValue();
+  const hooksSpy = vi.spyOn(triggerInstance, 'runServicePostStartHooks').mockResolvedValue();
+  const backupSpy = vi.spyOn(triggerInstance, 'backup').mockResolvedValue();
+  // Lifecycle methods inherited from Docker trigger
+  const maybeScanSpy = vi.spyOn(triggerInstance, 'maybeScanAndGateUpdate').mockResolvedValue();
+  const preHookSpy = vi.spyOn(triggerInstance, 'runPreUpdateHook').mockResolvedValue();
+  const postHookSpy = vi.spyOn(triggerInstance, 'runPostUpdateHook').mockResolvedValue();
+  const pruneImagesSpy = vi.spyOn(triggerInstance, 'pruneImages').mockResolvedValue();
+  const cleanupOldImagesSpy = vi.spyOn(triggerInstance, 'cleanupOldImages').mockResolvedValue();
+  const rollbackMonitorSpy = vi
+    .spyOn(triggerInstance, 'maybeStartAutoRollbackMonitor')
+    .mockResolvedValue();
+  return {
+    getComposeFileSpy,
+    writeComposeFileSpy,
+    composeUpdateSpy,
+    hooksSpy,
+    backupSpy,
+    maybeScanSpy,
+    preHookSpy,
+    postHookSpy,
+    pruneImagesSpy,
+    cleanupOldImagesSpy,
+    rollbackMonitorSpy,
+  };
+}
+
+export function setupDockercomposeTestContext({
+  DockercomposeCtor,
+  watchMock,
+  getStateMock,
+}: {
+  DockercomposeCtor: any;
+  watchMock: any;
+  getStateMock: any;
+}) {
+  vi.clearAllMocks();
+  vi.mocked(watchMock).mockReset();
+
+  const mockLog = {
+    info: vi.fn(),
+    warn: vi.fn(),
+    debug: vi.fn(),
+    error: vi.fn(),
+    child: vi.fn().mockReturnThis(),
+  };
+
+  const trigger = new DockercomposeCtor();
+  trigger.log = mockLog;
+  trigger.resetHostToContainerBindMountCache();
+  trigger.configuration = {
+    dryrun: true,
+    backup: false,
+    composeFileLabel: 'dd.compose.file',
+  };
+
+  const mockDockerApi = {
+    modem: {
+      socketPath: '/var/run/docker.sock',
+      followProgress: vi.fn((_stream, onDone, onProgress) => {
+        onProgress?.({
+          status: 'Pulling fs layer',
+          id: 'layer-1',
+          progressDetail: { current: 1, total: 1 },
+        });
+        onDone?.(null, [{ status: 'Pull complete', id: 'layer-1' }]);
+      }),
+    },
+    pull: vi.fn().mockResolvedValue({}),
+    createContainer: vi.fn().mockResolvedValue({
+      start: vi.fn().mockResolvedValue(undefined),
+      inspect: vi.fn().mockResolvedValue({ State: { Running: true } }),
+    }),
+    getContainer: vi.fn().mockReturnValue(makeDockerContainerHandle()),
+    getNetwork: vi.fn().mockReturnValue({
+      connect: vi.fn().mockResolvedValue(undefined),
+    }),
+  };
+
+  // getId is called by insertBackup to record which trigger performed the update
+  trigger.getId = vi.fn().mockReturnValue('dockercompose.test');
+
+  vi.mocked(getStateMock).mockReturnValue({
+    registry: {
+      hub: {
+        getImageFullName: (image, tag) => `${image.name}:${tag}`,
+        getAuthPull: vi.fn().mockResolvedValue({}),
+      },
+    },
+    watcher: {
+      'docker.local': {
+        dockerApi: mockDockerApi,
+      },
+    },
+  } as any);
+
+  return { trigger, mockLog, mockDockerApi };
+}
diff --git a/app/triggers/providers/dockercompose/Dockercompose.test.ts b/app/triggers/providers/dockercompose/Dockercompose.test.ts
index 51d8d2d02..8be21c940 100644
--- a/app/triggers/providers/dockercompose/Dockercompose.test.ts
+++ b/app/triggers/providers/dockercompose/Dockercompose.test.ts
@@ -2381,6 +2381,16 @@ describe('Dockercompose Trigger', () => {
     expect(mockLog.error).toHaveBeenCalledWith(expect.stringContaining('write failed'));
   });
 
+  test('writeComposeFile should stringify non-object write failures in logs', async () => {
+    fs.writeFile.mockRejectedValueOnce(42);
+
+    await expect(trigger.writeComposeFile('/opt/drydock/test/compose.yml', 'data')).rejects.toBe(
+      42,
+    );
+
+    expect(mockLog.error).toHaveBeenCalledWith(expect.stringContaining('(42)'));
+  });
+
   test('writeComposeFile should write atomically through temp file + rename under lock', async () => {
     await trigger.writeComposeFile('/opt/drydock/test/compose.yml', 'data');
 
@@ -2460,6 +2470,18 @@ describe('Dockercompose Trigger', () => {
     expect(fs.rename).toHaveBeenCalledTimes(1);
   });
 
+  test('writeComposeFileAtomic should not retry when rename error code is non-string', async () => {
+    const malformedCodeError: any = new Error('rename failed');
+    malformedCodeError.code = 123;
+    fs.rename.mockRejectedValueOnce(malformedCodeError);
+
+    await expect(
+      trigger.writeComposeFileAtomic('/opt/drydock/test/compose.yml', 'data'),
+    ).rejects.toThrow('rename failed');
+
+    expect(fs.rename).toHaveBeenCalledTimes(1);
+  });
+
   test('withComposeFileLock should wait and retry when lock exists but is not stale', async () => {
     const lockBusyError: any = new Error('lock exists');
     lockBusyError.code = 'EEXIST';
@@ -4109,7 +4131,7 @@ describe('Dockercompose Trigger', () => {
     // Backup pruning
     expect(backupStore.pruneOldBackups).toHaveBeenCalledWith('nginx', undefined);
     // Update applied event
-    expect(emitContainerUpdateApplied).toHaveBeenCalledWith('test_nginx');
+    expect(emitContainerUpdateApplied).toHaveBeenCalledWith('local_nginx');
   });
 
   test('processComposeFile should run security scanning but skip post-update lifecycle in dryrun mode', async () => {
@@ -4156,7 +4178,7 @@ describe('Dockercompose Trigger', () => {
 
     expect(emitContainerUpdateApplied).not.toHaveBeenCalled();
     expect(emitContainerUpdateFailed).toHaveBeenCalledWith({
-      containerName: 'test_nginx',
+      containerName: 'local_nginx',
       error: 'compose pull failed',
     });
   });
@@ -4205,6 +4227,16 @@ describe('Dockercompose Trigger', () => {
     ).resolves.toEqual([]);
   });
 
+  test('getComposeFilesFromInspect should return empty list when watcher lookup fails', async () => {
+    vi.spyOn(trigger, 'getWatcher').mockReturnValue(null as any);
+
+    await expect(
+      trigger.getComposeFilesFromInspect({
+        name: 'nginx',
+      } as any),
+    ).resolves.toEqual([]);
+  });
+
   test('getComposeFilesFromInspect should return empty list when inspect fails', async () => {
     const inspectError = new Error('inspect failed');
     vi.spyOn(trigger, 'getWatcher').mockReturnValue({
diff --git a/app/triggers/providers/dockercompose/Dockercompose.ts b/app/triggers/providers/dockercompose/Dockercompose.ts
index 0050309a7..2eff38726 100644
--- a/app/triggers/providers/dockercompose/Dockercompose.ts
+++ b/app/triggers/providers/dockercompose/Dockercompose.ts
@@ -140,6 +140,10 @@ type ValidateComposeConfigurationOptions = {
   parsedComposeFileObject?: unknown;
 };
 
+type ComposeFileWithServices = {
+  services?: Record<string, { image?: string }>;
+};
+
 function getDockerApiFromWatcher(watcher: unknown): DockerApiLike | undefined {
   if (!watcher || typeof watcher !== 'object') {
     return undefined;
@@ -246,6 +250,22 @@ function isPlainObject(value: unknown): value is Record<string, unknown> {
   return Boolean(value) && typeof value === 'object' && !Array.isArray(value);
 }
 
+function getErrorMessage(error: unknown): string {
+  if (!error || typeof error !== 'object' || !('message' in error)) {
+    return String(error);
+  }
+  return String((error as { message?: unknown }).message);
+}
+
+function getErrorCode(error: unknown): string | undefined {
+  if (!error || typeof error !== 'object' || !('code' in error)) {
+    return undefined;
+  }
+  const code = (error as { code?: unknown }).code;
+  /* v8 ignore next -- non-string fs/network error codes are defensive and treated as absent */
+  return typeof code === 'string' ? code : undefined;
+}
+
 /**
  * Return true if the container belongs to the compose file.
  * @param compose
@@ -361,9 +381,9 @@ class Dockercompose extends Docker {
     if (this.configuration.file) {
       try {
         await fs.access(this.configuration.file);
-      } catch (e) {
+      } catch (e: unknown) {
         const reason =
-          e.code === 'EACCES'
+          getErrorCode(e) === 'EACCES'
             ? `permission denied (${ROOT_MODE_BREAK_GLASS_HINT})`
             : 'does not exist';
         this.log.error(`The default file ${this.configuration.file} ${reason}`);
@@ -452,9 +472,9 @@ class Dockercompose extends Docker {
           .map((bindDefinition) => this.parseHostToContainerBindMount(bindDefinition))
           .filter((bindMount): bindMount is HostToContainerBindMount => bindMount !== null)
           .sort((left, right) => right.source.length - left.source.length);
-      } catch (e) {
+      } catch (e: unknown) {
         this.log.debug(
-          `Unable to inspect bind mounts for compose host-path remapping (${e.message})`,
+          `Unable to inspect bind mounts for compose host-path remapping (${getErrorMessage(e)})`,
         );
       }
     })();
@@ -586,9 +606,9 @@ class Dockercompose extends Docker {
         return this.resolveComposeFilePath(labelValue, {
           label: `Compose file label ${composeFileLabel}`,
         });
-      } catch (e) {
+      } catch (e: unknown) {
         this.log.warn(
-          `Compose file label ${composeFileLabel} on container ${container.name} is invalid (${e.message})`,
+          `Compose file label ${composeFileLabel} on container ${container.name} is invalid (${getErrorMessage(e)})`,
         );
         return null;
       }
@@ -604,8 +624,8 @@ class Dockercompose extends Docker {
       return this.resolveComposeFilePath(this.configuration.file, {
         label: 'Default compose file path',
       });
-    } catch (e) {
-      this.log.warn(`Default compose file path is invalid (${e.message})`);
+    } catch (e: unknown) {
+      this.log.warn(`Default compose file path is invalid (${getErrorMessage(e)})`);
       return null;
     }
   }
@@ -625,9 +645,9 @@ class Dockercompose extends Docker {
         composeWorkingDirectory = resolveConfiguredPath(composeWorkingDirectoryRaw, {
           label: `Compose file label ${COMPOSE_PROJECT_WORKING_DIR_LABEL}`,
         });
-      } catch (e) {
+      } catch (e: unknown) {
         this.log.warn(
-          `Compose file label ${COMPOSE_PROJECT_WORKING_DIR_LABEL} on container ${containerName} is invalid (${e.message})`,
+          `Compose file label ${COMPOSE_PROJECT_WORKING_DIR_LABEL} on container ${containerName} is invalid (${getErrorMessage(e)})`,
         );
       }
     }
@@ -646,9 +666,9 @@ class Dockercompose extends Docker {
             label: `Compose file label ${COMPOSE_PROJECT_CONFIG_FILES_LABEL}`,
           });
           composeFiles.add(this.mapComposePathToContainerBindMount(resolvedComposeFilePath));
-        } catch (e) {
+        } catch (e: unknown) {
           this.log.warn(
-            `Compose file label ${COMPOSE_PROJECT_CONFIG_FILES_LABEL} on container ${containerName} is invalid (${e.message})`,
+            `Compose file label ${COMPOSE_PROJECT_CONFIG_FILES_LABEL} on container ${containerName} is invalid (${getErrorMessage(e)})`,
           );
         }
       });
@@ -692,9 +712,9 @@ class Dockercompose extends Docker {
         inspectedContainer?.Config?.Labels,
         container.name,
       );
-    } catch (e) {
+    } catch (e: unknown) {
       this.log.warn(
-        `Unable to inspect compose labels for container ${container.name}; falling back to default compose file resolution (${e.message})`,
+        `Unable to inspect compose labels for container ${container.name}; falling back to default compose file resolution (${getErrorMessage(e)})`,
       );
       return [];
     }
@@ -927,12 +947,12 @@ class Dockercompose extends Docker {
     }
     const candidateFiles =
       filesContainingService.length > 0 ? [...filesContainingService].reverse() : [composeFiles[0]];
-    let lastAccessError;
+    let lastAccessError: unknown;
     for (const candidateFile of candidateFiles) {
       try {
         await fs.access(candidateFile, fsConstants.W_OK);
         return candidateFile;
-      } catch (e) {
+      } catch (e: unknown) {
         lastAccessError = e;
       }
     }
@@ -975,13 +995,13 @@ class Dockercompose extends Docker {
     try {
       await fs.rename(temporaryFilePath, filePath);
       return undefined;
-    } catch (error) {
+    } catch (error: unknown) {
       return error;
     }
   }
 
   async handleBusyComposeRenameRetry(error, filePath, attempt) {
-    if (error?.code !== 'EBUSY' || attempt >= COMPOSE_RENAME_MAX_RETRIES) {
+    if (getErrorCode(error) !== 'EBUSY' || attempt >= COMPOSE_RENAME_MAX_RETRIES) {
       return false;
     }
     this.log.warn(
@@ -1000,7 +1020,7 @@ class Dockercompose extends Docker {
   }
 
   async handleBusyComposeRenameFallback(error, filePath, data, temporaryFilePath) {
-    if (error?.code !== 'EBUSY') {
+    if (getErrorCode(error) !== 'EBUSY') {
       return false;
     }
     this.log.warn(
@@ -1072,9 +1092,9 @@ class Dockercompose extends Docker {
         composeByFile.set(composeFile, await this.getComposeFileAsObject(composeFile));
       }
       await this.getComposeFileChainAsObject(effectiveComposeFileChain, composeByFile);
-    } catch (e) {
+    } catch (e: unknown) {
       throw new Error(
-        `Error when validating compose configuration for ${composeFilePath} (${e.message})`,
+        `Error when validating compose configuration for ${composeFilePath} (${getErrorMessage(e)})`,
       );
     }
   }
@@ -1369,9 +1389,9 @@ class Dockercompose extends Docker {
       await fs.access(composeFile);
       composeFileAccessErrorByPath.set(composeFile, null);
       return null;
-    } catch (e) {
+    } catch (e: unknown) {
       const reason =
-        e.code === 'EACCES'
+        getErrorCode(e) === 'EACCES'
           ? `permission denied (${ROOT_MODE_BREAK_GLASS_HINT})`
           : 'does not exist';
       composeFileAccessErrorByPath.set(composeFile, reason);
@@ -1803,7 +1823,7 @@ class Dockercompose extends Docker {
 
     const mapping = this.mapCurrentVersionToUpdateVersion(compose, container);
     const currentServiceImage =
-      mapping?.current || (compose as Record<string, any>)?.services?.[service]?.image;
+      mapping?.current || (compose as ComposeFileWithServices)?.services?.[service]?.image;
     const targetServiceImage = mapping
       ? this.getComposeMutationImageReference(container, mapping.update, currentServiceImage)
       : preview.newImage;
@@ -1884,7 +1904,7 @@ class Dockercompose extends Docker {
     }
 
     const runtimeContext = options.runtimeContext || {};
-    const dockerApi = runtimeContext.dockerApi || this.getWatcher(container)?.dockerApi;
+    const dockerApi = runtimeContext.dockerApi || this.getWatcher(container).dockerApi;
     let auth = runtimeContext.auth;
     let newImage = runtimeContext.newImage;
 
@@ -2026,8 +2046,10 @@ class Dockercompose extends Docker {
     try {
       this.log.debug(`Backup ${file} as ${backupFile}`);
       await fs.copyFile(file, backupFile);
-    } catch (e) {
-      this.log.warn(`Error when trying to backup file ${file} to ${backupFile} (${e.message})`);
+    } catch (e: unknown) {
+      this.log.warn(
+        `Error when trying to backup file ${file} to ${backupFile} (${getErrorMessage(e)})`,
+      );
     }
   }
 
@@ -2088,8 +2110,8 @@ class Dockercompose extends Docker {
         await this.writeComposeFileAtomic(filePath, data);
       });
       this.invalidateComposeCaches(filePath);
-    } catch (e) {
-      this.log.error(`Error when writing ${filePath} (${e.message})`);
+    } catch (e: unknown) {
+      this.log.error(`Error when writing ${filePath} (${getErrorMessage(e)})`);
       this.log.debug(e);
       throw e;
     }
@@ -2139,9 +2161,9 @@ class Dockercompose extends Docker {
         compose,
       });
       return compose;
-    } catch (e) {
+    } catch (e: unknown) {
       this.log.error(
-        `Error when parsing the docker-compose yaml file ${configuredFilePath} (${e.message})`,
+        `Error when parsing the docker-compose yaml file ${configuredFilePath} (${getErrorMessage(e)})`,
       );
       throw e;
     }
diff --git a/app/triggers/providers/dockercompose/Dockercompose.update-lifecycle-core.test.ts b/app/triggers/providers/dockercompose/Dockercompose.update-lifecycle-core.test.ts
new file mode 100644
index 000000000..6ff7278df
--- /dev/null
+++ b/app/triggers/providers/dockercompose/Dockercompose.update-lifecycle-core.test.ts
@@ -0,0 +1,837 @@
+import { watch } from 'node:fs';
+import path from 'node:path';
+import { emitContainerUpdateApplied, emitContainerUpdateFailed } from '../../../event/index.js';
+import { getState } from '../../../registry/index.js';
+import * as backupStore from '../../../store/backup.js';
+import Dockercompose from './Dockercompose.js';
+import {
+  makeCompose,
+  makeContainer,
+  setupDockercomposeTestContext,
+  spyOnProcessComposeHelpers,
+} from './Dockercompose.test.helpers.js';
+
+vi.mock('../../../registry', () => ({
+  getState: vi.fn(),
+}));
+
+vi.mock('../../../event/index.js', () => ({
+  emitContainerUpdateApplied: vi.fn().mockResolvedValue(undefined),
+  emitContainerUpdateFailed: vi.fn().mockResolvedValue(undefined),
+  emitSecurityAlert: vi.fn().mockResolvedValue(undefined),
+  emitSelfUpdateStarting: vi.fn(),
+}));
+
+vi.mock('../../../model/container.js', async (importOriginal) => {
+  const actual = await importOriginal();
+  return {
+    ...actual,
+    fullName: vi.fn((c) => `test_${c.name}`),
+  };
+});
+
+vi.mock('../../../store/backup', () => ({
+  insertBackup: vi.fn(),
+  pruneOldBackups: vi.fn(),
+  getBackupsByName: vi.fn().mockReturnValue([]),
+}));
+
+// Modules used by the shared lifecycle (inherited from Docker trigger)
+vi.mock('../../../configuration/index.js', async () => {
+  const actual = await vi.importActual('../../../configuration/index.js');
+  return { ...actual, getSecurityConfiguration: vi.fn().mockReturnValue({ enabled: false }) };
+});
+vi.mock('../../../store/audit.js', () => ({ insertAudit: vi.fn() }));
+vi.mock('../../../prometheus/audit.js', () => ({ getAuditCounter: vi.fn().mockReturnValue(null) }));
+vi.mock('../../../security/scan.js', () => ({
+  scanImageForVulnerabilities: vi.fn(),
+  verifyImageSignature: vi.fn(),
+  generateImageSbom: vi.fn(),
+  clearDigestScanCache: vi.fn(),
+  getDigestScanCacheSize: vi.fn().mockReturnValue(0),
+  updateDigestScanCache: vi.fn(),
+  scanImageWithDedup: vi.fn(),
+}));
+vi.mock('../../../store/container.js', () => ({
+  getContainer: vi.fn(),
+  updateContainer: vi.fn(),
+  cacheSecurityState: vi.fn(),
+}));
+vi.mock('../../hooks/HookRunner.js', () => ({ runHook: vi.fn() }));
+vi.mock('../docker/HealthMonitor.js', () => ({ startHealthMonitor: vi.fn() }));
+
+vi.mock('node:fs', async (importOriginal) => {
+  const actual = await importOriginal();
+  return {
+    ...actual,
+    watch: vi.fn(),
+  };
+});
+
+vi.mock('../../../util/sleep.js', () => ({
+  sleep: vi.fn().mockResolvedValue(undefined),
+}));
+
+vi.mock('node:fs/promises', async (importOriginal) => {
+  const actual = await importOriginal();
+  return {
+    ...actual,
+    default: {
+      ...actual.default,
+      access: vi.fn().mockResolvedValue(undefined),
+      copyFile: vi.fn().mockResolvedValue(undefined),
+      readFile: vi.fn().mockResolvedValue(Buffer.from('')),
+      writeFile: vi.fn().mockResolvedValue(undefined),
+      rename: vi.fn().mockResolvedValue(undefined),
+      unlink: vi.fn().mockResolvedValue(undefined),
+      stat: vi.fn().mockResolvedValue({ mtimeMs: Date.now() }),
+    },
+    access: vi.fn().mockResolvedValue(undefined),
+    copyFile: vi.fn().mockResolvedValue(undefined),
+    readFile: vi.fn().mockResolvedValue(Buffer.from('')),
+    writeFile: vi.fn().mockResolvedValue(undefined),
+    rename: vi.fn().mockResolvedValue(undefined),
+    unlink: vi.fn().mockResolvedValue(undefined),
+    stat: vi.fn().mockResolvedValue({ mtimeMs: Date.now() }),
+  };
+});
+
+describe('Dockercompose Trigger', () => {
+  let trigger;
+  let mockLog;
+  let mockDockerApi;
+
+  beforeEach(() => {
+    ({ trigger, mockLog, mockDockerApi } = setupDockercomposeTestContext({
+      DockercomposeCtor: Dockercompose,
+      watchMock: watch,
+      getStateMock: getState,
+    }));
+  });
+
+  // Update lifecycle (security, hooks, backups, events)
+  // -----------------------------------------------------------------------
+
+  test('processComposeFile should use self-update branch for compose-managed Drydock', async () => {
+    trigger.configuration.dryrun = false;
+
+    const container = makeContainer({
+      name: 'drydock',
+      imageName: 'codeswhat/drydock',
+      tagValue: '1.0.0',
+      remoteValue: '1.1.0',
+      labels: { 'com.docker.compose.service': 'drydock' },
+    });
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ drydock: { image: 'codeswhat/drydock:1.0.0' } }),
+    );
+    vi.spyOn(trigger, 'getComposeFile').mockResolvedValue(
+      Buffer.from(['services:', '  drydock:', '    image: codeswhat/drydock:1.0.0', ''].join('\n')),
+    );
+    vi.spyOn(trigger, 'writeComposeFile').mockResolvedValue();
+    const notifySpy = vi.spyOn(trigger, 'maybeNotifySelfUpdate').mockResolvedValue();
+    const executeSelfUpdateSpy = vi.spyOn(trigger, 'executeSelfUpdate').mockResolvedValue(true);
+    const postHookSpy = vi.spyOn(trigger, 'runPostUpdateHook').mockResolvedValue();
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [container]);
+
+    expect(notifySpy).toHaveBeenCalledTimes(1);
+    expect(executeSelfUpdateSpy).toHaveBeenCalledTimes(1);
+    expect(postHookSpy).not.toHaveBeenCalled();
+    expect(emitContainerUpdateApplied).not.toHaveBeenCalled();
+  });
+
+  test('processComposeFile should run full update lifecycle for non-dryrun update', async () => {
+    trigger.configuration.dryrun = false;
+    trigger.configuration.prune = false;
+
+    const container = makeContainer();
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: { image: 'nginx:1.0.0' } }),
+    );
+    const { maybeScanSpy, preHookSpy, postHookSpy, composeUpdateSpy, rollbackMonitorSpy } =
+      spyOnProcessComposeHelpers(trigger);
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [container]);
+
+    // Security scanning
+    expect(maybeScanSpy).toHaveBeenCalledTimes(1);
+    // Pre/post update hooks
+    expect(preHookSpy).toHaveBeenCalledTimes(1);
+    expect(postHookSpy).toHaveBeenCalledTimes(1);
+    // Rollback monitor phase
+    expect(rollbackMonitorSpy).toHaveBeenCalledTimes(1);
+    // Compose update
+    expect(composeUpdateSpy).toHaveBeenCalledTimes(1);
+    // Backup inserted
+    expect(backupStore.insertBackup).toHaveBeenCalledWith(
+      expect.objectContaining({
+        containerName: 'nginx',
+        imageTag: '1.0.0',
+        triggerName: 'dockercompose.test',
+      }),
+    );
+    // Backup pruning
+    expect(backupStore.pruneOldBackups).toHaveBeenCalledWith('nginx', undefined);
+    // Update applied event
+    expect(emitContainerUpdateApplied).toHaveBeenCalledWith('local_nginx');
+  });
+
+  test('processComposeFile should run security scanning but skip post-update lifecycle in dryrun mode', async () => {
+    trigger.configuration.dryrun = true;
+
+    const container = makeContainer();
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: { image: 'nginx:1.0.0' } }),
+    );
+    const { maybeScanSpy, preHookSpy, postHookSpy, rollbackMonitorSpy } =
+      spyOnProcessComposeHelpers(trigger);
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [container]);
+
+    // Security scanning runs even in dryrun (matches Docker behavior)
+    expect(maybeScanSpy).toHaveBeenCalledTimes(1);
+    // Pre-update hook still runs (can abort before dryrun pull)
+    expect(preHookSpy).toHaveBeenCalledTimes(1);
+    // Post-update hook skipped (performContainerUpdate returns false in dryrun)
+    expect(postHookSpy).not.toHaveBeenCalled();
+    // Rollback monitoring does not start because runtime update returns false in dryrun
+    expect(rollbackMonitorSpy).not.toHaveBeenCalled();
+    // Backup insertion is skipped in compose dryrun mode
+    expect(backupStore.insertBackup).not.toHaveBeenCalled();
+    // No update event (performContainerUpdate returned false)
+    expect(emitContainerUpdateApplied).not.toHaveBeenCalled();
+  });
+
+  test('processComposeFile should emit failure event on error', async () => {
+    trigger.configuration.dryrun = false;
+
+    const container = makeContainer();
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({ nginx: { image: 'nginx:1.0.0' } }),
+    );
+    const helpers = spyOnProcessComposeHelpers(trigger);
+    helpers.composeUpdateSpy.mockRejectedValue(new Error('compose pull failed'));
+
+    await expect(
+      trigger.processComposeFile('/opt/drydock/test/stack.yml', [container]),
+    ).rejects.toThrow('compose pull failed');
+
+    expect(emitContainerUpdateApplied).not.toHaveBeenCalled();
+    expect(emitContainerUpdateFailed).toHaveBeenCalledWith({
+      containerName: 'local_nginx',
+      error: 'compose pull failed',
+    });
+  });
+
+  test('mapCurrentVersionToUpdateVersion should match services by raw image substring', () => {
+    const compose = makeCompose({
+      nginx: { image: 'ghcr.io/acme/nginx:1.0.0-alpine' },
+    });
+    const container = makeContainer({
+      imageName: 'nginx',
+      tagValue: '1.0.0',
+      remoteValue: '1.1.0',
+    });
+
+    const result = trigger.mapCurrentVersionToUpdateVersion(compose, container);
+
+    expect(result?.service).toBe('nginx');
+  });
+
+  test('getComposeFilesFromProjectLabels should warn and skip invalid working directory and config file labels', () => {
+    const composeFiles = trigger.getComposeFilesFromProjectLabels(
+      {
+        'com.docker.compose.project.working_dir': '\0invalid-workdir',
+        'com.docker.compose.project.config_files': '/opt/drydock/test/stack.yml,\0invalid-file',
+      },
+      'test-container',
+    );
+
+    expect(composeFiles).toContain('/opt/drydock/test/stack.yml');
+    expect(composeFiles).not.toContain('\0invalid-file');
+    expect(mockLog.warn).toHaveBeenCalledWith(
+      expect.stringContaining('com.docker.compose.project.working_dir'),
+    );
+    expect(mockLog.warn).toHaveBeenCalledWith(
+      expect.stringContaining('com.docker.compose.project.config_files'),
+    );
+  });
+
+  test('getComposeFilesFromInspect should return empty list when watcher has no docker api', async () => {
+    vi.spyOn(trigger, 'getWatcher').mockReturnValue({} as any);
+
+    await expect(
+      trigger.getComposeFilesFromInspect({
+        name: 'nginx',
+      } as any),
+    ).resolves.toEqual([]);
+  });
+
+  test('getComposeFilesFromInspect should return empty list when watcher lookup fails', async () => {
+    vi.spyOn(trigger, 'getWatcher').mockReturnValue(null as any);
+
+    await expect(
+      trigger.getComposeFilesFromInspect({
+        name: 'nginx',
+      } as any),
+    ).resolves.toEqual([]);
+  });
+
+  test('getComposeFilesFromInspect should return empty list when inspect fails', async () => {
+    const inspectError = new Error('inspect failed');
+    vi.spyOn(trigger, 'getWatcher').mockReturnValue({
+      dockerApi: {
+        modem: {},
+        getContainer: vi.fn(() => ({
+          inspect: vi.fn().mockRejectedValue(inspectError),
+        })),
+      },
+    } as any);
+
+    await expect(
+      trigger.getComposeFilesFromInspect({
+        name: 'nginx',
+      } as any),
+    ).resolves.toEqual([]);
+    expect(mockLog.warn).toHaveBeenCalledWith(
+      expect.stringContaining('Unable to inspect compose labels'),
+    );
+  });
+
+  test('normalizeDigestPinningValue should normalize accepted digest formats', () => {
+    expect(trigger.normalizeDigestPinningValue(undefined)).toBeNull();
+    expect(trigger.normalizeDigestPinningValue('   ')).toBeNull();
+    expect(trigger.normalizeDigestPinningValue('sha256:ABC123')).toBe('sha256:ABC123');
+    expect(trigger.normalizeDigestPinningValue('abc123')).toBe('sha256:abc123');
+    expect(trigger.normalizeDigestPinningValue('not-a-digest')).toBeNull();
+  });
+
+  test('normalizeComposeFileChain should return empty chain when no compose file is provided', () => {
+    expect(trigger.normalizeComposeFileChain(undefined, undefined)).toEqual([]);
+  });
+
+  test('normalizeComposeFileChain should drop empty compose file entries', () => {
+    expect(trigger.normalizeComposeFileChain('/opt/drydock/test/stack.yml', [''])).toEqual([]);
+  });
+
+  test('getComposeFilesFromProjectLabels should resolve config files relative to compose working directory', () => {
+    const composeFiles = trigger.getComposeFilesFromProjectLabels(
+      {
+        'com.docker.compose.project.working_dir': '/opt/drydock/test',
+        'com.docker.compose.project.config_files': 'stack.yml,stack.override.yml',
+      },
+      'test-container',
+    );
+
+    expect(composeFiles).toEqual([
+      '/opt/drydock/test/stack.yml',
+      '/opt/drydock/test/stack.override.yml',
+    ]);
+  });
+
+  test('resolveComposeFilesForContainer should map compose config file labels from host bind paths to container paths', async () => {
+    const originalHostname = process.env.HOSTNAME;
+    process.env.HOSTNAME = 'drydock-self';
+
+    mockDockerApi.getContainer.mockImplementation((containerName) => {
+      if (containerName === 'drydock-self') {
+        return {
+          inspect: vi.fn().mockResolvedValue({
+            HostConfig: {
+              Binds: ['/mnt/volume1/docker/stacks:/drydock:rw'],
+            },
+          }),
+        };
+      }
+      return {
+        inspect: vi.fn().mockResolvedValue({
+          State: { Running: true },
+        }),
+      };
+    });
+
+    try {
+      const composeFiles = await trigger.resolveComposeFilesForContainer({
+        name: 'monitoring',
+        watcher: 'local',
+        labels: {
+          'com.docker.compose.project.config_files':
+            '/mnt/volume1/docker/stacks/monitoring/compose.yaml',
+        },
+      });
+
+      expect(composeFiles).toEqual(['/drydock/monitoring/compose.yaml']);
+    } finally {
+      if (originalHostname === undefined) {
+        delete process.env.HOSTNAME;
+      } else {
+        process.env.HOSTNAME = originalHostname;
+      }
+    }
+  });
+
+  test('parseHostToContainerBindMount should return null when bind definition is missing source or destination', () => {
+    expect(trigger.parseHostToContainerBindMount('/mnt/volume1/docker/stacks')).toBeNull();
+    expect(trigger.parseHostToContainerBindMount(':/drydock')).toBeNull();
+  });
+
+  test('parseHostToContainerBindMount should ignore trailing mount options', () => {
+    expect(trigger.parseHostToContainerBindMount('/mnt/volume1/docker/stacks:/drydock:rw')).toEqual(
+      {
+        source: '/mnt/volume1/docker/stacks',
+        destination: '/drydock',
+      },
+    );
+    expect(trigger.parseHostToContainerBindMount('/mnt/volume1/docker/stacks:/drydock:ro')).toEqual(
+      {
+        source: '/mnt/volume1/docker/stacks',
+        destination: '/drydock',
+      },
+    );
+  });
+
+  test('getSelfContainerIdentifier should return null when HOSTNAME contains slash', () => {
+    const originalHostname = process.env.HOSTNAME;
+    process.env.HOSTNAME = 'pod/name';
+
+    try {
+      expect(trigger.getSelfContainerIdentifier()).toBeNull();
+    } finally {
+      if (originalHostname === undefined) {
+        delete process.env.HOSTNAME;
+      } else {
+        process.env.HOSTNAME = originalHostname;
+      }
+    }
+  });
+
+  test('getSelfContainerIdentifier should return null when HOSTNAME is whitespace', () => {
+    const originalHostname = process.env.HOSTNAME;
+    process.env.HOSTNAME = '   ';
+
+    try {
+      expect(trigger.getSelfContainerIdentifier()).toBeNull();
+    } finally {
+      if (originalHostname === undefined) {
+        delete process.env.HOSTNAME;
+      } else {
+        process.env.HOSTNAME = originalHostname;
+      }
+    }
+  });
+
+  test('getSelfContainerIdentifier should return null when HOSTNAME is undefined', () => {
+    const originalHostname = process.env.HOSTNAME;
+    delete process.env.HOSTNAME;
+
+    try {
+      expect(trigger.getSelfContainerIdentifier()).toBeNull();
+    } finally {
+      if (originalHostname === undefined) {
+        delete process.env.HOSTNAME;
+      } else {
+        process.env.HOSTNAME = originalHostname;
+      }
+    }
+  });
+
+  test('getSelfContainerIdentifier should return null when HOSTNAME starts with non-alphanumeric character', () => {
+    const originalHostname = process.env.HOSTNAME;
+    process.env.HOSTNAME = '-drydock-self';
+
+    try {
+      expect(trigger.getSelfContainerIdentifier()).toBeNull();
+    } finally {
+      if (originalHostname === undefined) {
+        delete process.env.HOSTNAME;
+      } else {
+        process.env.HOSTNAME = originalHostname;
+      }
+    }
+  });
+
+  test('getSelfContainerIdentifier should return null when HOSTNAME has unsupported characters', () => {
+    const originalHostname = process.env.HOSTNAME;
+    process.env.HOSTNAME = 'drydock$self';
+
+    try {
+      expect(trigger.getSelfContainerIdentifier()).toBeNull();
+    } finally {
+      if (originalHostname === undefined) {
+        delete process.env.HOSTNAME;
+      } else {
+        process.env.HOSTNAME = originalHostname;
+      }
+    }
+  });
+
+  test('getSelfContainerIdentifier should return trimmed hostname when HOSTNAME is valid', () => {
+    const originalHostname = process.env.HOSTNAME;
+    process.env.HOSTNAME = '  drydock-self  ';
+
+    try {
+      expect(trigger.getSelfContainerIdentifier()).toBe('drydock-self');
+    } finally {
+      if (originalHostname === undefined) {
+        delete process.env.HOSTNAME;
+      } else {
+        process.env.HOSTNAME = originalHostname;
+      }
+    }
+  });
+
+  test('parseHostToContainerBindMount should return null when source or destination is not absolute', () => {
+    expect(trigger.parseHostToContainerBindMount('relative/path:/drydock')).toBeNull();
+    expect(
+      trigger.parseHostToContainerBindMount('/mnt/volume1/docker/stacks:relative/path'),
+    ).toBeNull();
+  });
+
+  test('ensureHostToContainerBindMountsLoaded should return early when watcher docker api is unavailable', async () => {
+    const originalHostname = process.env.HOSTNAME;
+    process.env.HOSTNAME = 'drydock-self';
+
+    vi.spyOn(trigger, 'getWatcher').mockReturnValue({} as any);
+
+    try {
+      await trigger.ensureHostToContainerBindMountsLoaded({ name: 'monitoring' } as any);
+
+      expect(trigger.isHostToContainerBindMountCacheLoaded()).toBe(false);
+      expect(trigger.getHostToContainerBindMountCache()).toEqual([]);
+    } finally {
+      if (originalHostname === undefined) {
+        delete process.env.HOSTNAME;
+      } else {
+        process.env.HOSTNAME = originalHostname;
+      }
+    }
+  });
+
+  test('ensureHostToContainerBindMountsLoaded should wait for an in-flight load to finish', async () => {
+    const originalHostname = process.env.HOSTNAME;
+    process.env.HOSTNAME = 'drydock-self';
+
+    let resolveInspect: ((value: any) => void) | undefined;
+    const inspectPromise = new Promise((resolve) => {
+      resolveInspect = resolve;
+    });
+    mockDockerApi.getContainer.mockReturnValue({
+      inspect: vi.fn().mockReturnValue(inspectPromise),
+    });
+
+    try {
+      const firstLoad = trigger.ensureHostToContainerBindMountsLoaded({
+        name: 'monitoring',
+        watcher: 'local',
+      } as any);
+      await Promise.resolve();
+
+      let secondLoadResolved = false;
+      const secondLoad = trigger
+        .ensureHostToContainerBindMountsLoaded({
+          name: 'monitoring',
+          watcher: 'local',
+        } as any)
+        .then(() => {
+          secondLoadResolved = true;
+        });
+
+      await Promise.resolve();
+      expect(secondLoadResolved).toBe(false);
+
+      if (!resolveInspect) {
+        throw new Error('resolveInspect was not initialized');
+      }
+      resolveInspect({
+        HostConfig: {
+          Binds: ['/mnt/volume1/docker/stacks:/drydock:rw'],
+        },
+      });
+
+      await Promise.all([firstLoad, secondLoad]);
+
+      expect(mockDockerApi.getContainer).toHaveBeenCalledTimes(1);
+      expect(trigger.getHostToContainerBindMountCache()).toEqual([
+        {
+          source: '/mnt/volume1/docker/stacks',
+          destination: '/drydock',
+        },
+      ]);
+    } finally {
+      if (originalHostname === undefined) {
+        delete process.env.HOSTNAME;
+      } else {
+        process.env.HOSTNAME = originalHostname;
+      }
+    }
+  });
+
+  test('ensureHostToContainerBindMountsLoaded should skip when bind definitions are not an array', async () => {
+    const originalHostname = process.env.HOSTNAME;
+    process.env.HOSTNAME = 'drydock-self';
+
+    mockDockerApi.getContainer.mockReturnValue({
+      inspect: vi.fn().mockResolvedValue({
+        HostConfig: {
+          Binds: null,
+        },
+      }),
+    });
+
+    try {
+      await trigger.ensureHostToContainerBindMountsLoaded({
+        name: 'monitoring',
+        watcher: 'local',
+      } as any);
+
+      expect(trigger.isHostToContainerBindMountCacheLoaded()).toBe(true);
+      expect(trigger.getHostToContainerBindMountCache()).toEqual([]);
+    } finally {
+      if (originalHostname === undefined) {
+        delete process.env.HOSTNAME;
+      } else {
+        process.env.HOSTNAME = originalHostname;
+      }
+    }
+  });
+
+  test('ensureHostToContainerBindMountsLoaded should parse and sort bind mounts by source path length', async () => {
+    const originalHostname = process.env.HOSTNAME;
+    process.env.HOSTNAME = 'drydock-self';
+
+    mockDockerApi.getContainer.mockReturnValue({
+      inspect: vi.fn().mockResolvedValue({
+        HostConfig: {
+          Binds: ['/mnt/volume1/docker:/drydock-base:rw', '/mnt/volume1/docker/stacks:/drydock:rw'],
+        },
+      }),
+    });
+
+    try {
+      await trigger.ensureHostToContainerBindMountsLoaded({
+        name: 'monitoring',
+        watcher: 'local',
+      } as any);
+
+      expect(trigger.getHostToContainerBindMountCache()).toEqual([
+        {
+          source: '/mnt/volume1/docker/stacks',
+          destination: '/drydock',
+        },
+        {
+          source: '/mnt/volume1/docker',
+          destination: '/drydock-base',
+        },
+      ]);
+    } finally {
+      if (originalHostname === undefined) {
+        delete process.env.HOSTNAME;
+      } else {
+        process.env.HOSTNAME = originalHostname;
+      }
+    }
+  });
+
+  test('ensureHostToContainerBindMountsLoaded should log debug message when inspect fails', async () => {
+    const originalHostname = process.env.HOSTNAME;
+    process.env.HOSTNAME = 'drydock-self';
+
+    mockDockerApi.getContainer.mockReturnValue({
+      inspect: vi.fn().mockRejectedValue(new Error('inspect failed')),
+    });
+
+    try {
+      await trigger.ensureHostToContainerBindMountsLoaded({
+        name: 'monitoring',
+        watcher: 'local',
+      } as any);
+
+      expect(trigger.isHostToContainerBindMountCacheLoaded()).toBe(true);
+      expect(mockLog.debug).toHaveBeenCalledWith(
+        expect.stringContaining('Unable to inspect bind mounts for compose host-path remapping'),
+      );
+    } finally {
+      if (originalHostname === undefined) {
+        delete process.env.HOSTNAME;
+      } else {
+        process.env.HOSTNAME = originalHostname;
+      }
+    }
+  });
+
+  test('mapComposePathToContainerBindMount should map exact source paths to destination paths', () => {
+    trigger.setHostToContainerBindMountCache([
+      {
+        source: '/mnt/volume1/docker/stacks/monitoring/compose.yaml',
+        destination: '/drydock/monitoring/compose.yaml',
+      },
+    ]);
+
+    const mappedPath = trigger.mapComposePathToContainerBindMount(
+      '/mnt/volume1/docker/stacks/monitoring/compose.yaml',
+    );
+
+    expect(mappedPath).toBe('/drydock/monitoring/compose.yaml');
+  });
+
+  test('mapComposePathToContainerBindMount should map nested files when bind source ends with path separator', () => {
+    trigger.setHostToContainerBindMountCache([
+      {
+        source: '/mnt/volume1/docker/stacks/',
+        destination: '/drydock/',
+      },
+    ]);
+
+    const mappedPath = trigger.mapComposePathToContainerBindMount(
+      '/mnt/volume1/docker/stacks/monitoring/compose.yaml',
+    );
+
+    expect(mappedPath).toBe('/drydock/monitoring/compose.yaml');
+  });
+
+  test('mapComposePathToContainerBindMount should return original path when no bind source matches', () => {
+    trigger.setHostToContainerBindMountCache([
+      {
+        source: '/mnt/volume1/docker/stacks/',
+        destination: '/drydock/',
+      },
+    ]);
+
+    const composePath = '/opt/other/stack/compose.yaml';
+    const mappedPath = trigger.mapComposePathToContainerBindMount(composePath);
+
+    expect(mappedPath).toBe(composePath);
+  });
+
+  test('mapComposePathToContainerBindMount should return destination root when computed relative path is empty', () => {
+    trigger.setHostToContainerBindMountCache([
+      {
+        source: '/mnt/volume1/docker/stacks/',
+        destination: '/drydock/',
+      },
+    ]);
+    const relativeSpy = vi.spyOn(path, 'relative').mockReturnValueOnce('');
+
+    try {
+      const mappedPath = trigger.mapComposePathToContainerBindMount(
+        '/mnt/volume1/docker/stacks/monitoring/compose.yaml',
+      );
+      expect(mappedPath).toBe('/drydock/');
+    } finally {
+      relativeSpy.mockRestore();
+    }
+  });
+
+  test('mapComposePathToContainerBindMount should skip unsafe relative compose paths that escape source', () => {
+    trigger.setHostToContainerBindMountCache([
+      {
+        source: '/mnt/volume1/docker/stacks/',
+        destination: '/drydock/',
+      },
+    ]);
+    const relativeSpy = vi.spyOn(path, 'relative').mockReturnValueOnce('../escape');
+
+    try {
+      const composePath = '/mnt/volume1/docker/stacks/monitoring/compose.yaml';
+      const mappedPath = trigger.mapComposePathToContainerBindMount(composePath);
+      expect(mappedPath).toBe(composePath);
+    } finally {
+      relativeSpy.mockRestore();
+    }
+  });
+
+  test('getImageNameFromReference should parse image names from tags and digests', () => {
+    expect(trigger.getImageNameFromReference(undefined)).toBeUndefined();
+    expect(trigger.getImageNameFromReference('nginx:1.0.0')).toBe('nginx');
+    expect(trigger.getImageNameFromReference('ghcr.io/acme/web@sha256:abc')).toBe(
+      'ghcr.io/acme/web',
+    );
+    expect(trigger.getImageNameFromReference('ghcr.io/acme/web')).toBe('ghcr.io/acme/web');
+  });
+
+  test('getComposeMutationImageReference should honor digest pinning settings and fallbacks', () => {
+    const container = makeContainer({
+      updateKind: 'digest',
+      remoteValue: 'abc123',
+      result: {},
+    });
+    trigger.configuration.digestPinning = false;
+    expect(trigger.getComposeMutationImageReference(container as any, 'nginx:1.1.0')).toBe(
+      'nginx:1.1.0',
+    );
+
+    trigger.configuration.digestPinning = true;
+    expect(trigger.getComposeMutationImageReference(container as any, '')).toBe('');
+    expect(trigger.getComposeMutationImageReference(container as any, 'nginx:1.1.0')).toBe(
+      'nginx@sha256:abc123',
+    );
+    expect(
+      trigger.getComposeMutationImageReference(
+        makeContainer({ updateKind: 'digest', remoteValue: 'invalid' }) as any,
+        'nginx:1.1.0',
+      ),
+    ).toBe('nginx:1.1.0');
+    expect(
+      trigger.getComposeMutationImageReference(
+        makeContainer({ updateKind: 'tag', remoteValue: '1.1.0' }) as any,
+        'nginx:1.1.0',
+      ),
+    ).toBe('nginx:1.1.0');
+  });
+
+  test('getComposeMutationImageReference should preserve explicit docker.io prefix from compose image', () => {
+    const container = makeContainer({
+      updateKind: 'digest',
+      remoteValue: 'abc123',
+      result: {},
+    });
+
+    trigger.configuration.digestPinning = false;
+    expect(
+      trigger.getComposeMutationImageReference(
+        container as any,
+        'nginx:1.1.0',
+        'docker.io/nginx:1.0.0',
+      ),
+    ).toBe('docker.io/nginx:1.1.0');
+
+    trigger.configuration.digestPinning = true;
+    expect(
+      trigger.getComposeMutationImageReference(
+        container as any,
+        'nginx:1.1.0',
+        'docker.io/nginx:1.0.0',
+      ),
+    ).toBe('docker.io/nginx@sha256:abc123');
+
+    expect(
+      trigger.getComposeMutationImageReference(
+        container as any,
+        'ghcr.io/acme/nginx:1.1.0',
+        'docker.io/nginx:1.0.0',
+      ),
+    ).toBe('ghcr.io/acme/nginx@sha256:abc123');
+  });
+
+  test('buildComposeServiceImageUpdates should use runtime update image when compose update override is missing', () => {
+    const serviceUpdates = trigger.buildComposeServiceImageUpdates([
+      {
+        service: 'nginx',
+        update: 'nginx:1.1.0',
+      },
+    ] as any);
+
+    expect(serviceUpdates.get('nginx')).toBe('nginx:1.1.0');
+  });
+
+  test('buildUpdatedComposeFileObjectForValidation should return undefined for non-object input', () => {
+    const updated = trigger.buildUpdatedComposeFileObjectForValidation(null, new Map());
+
+    expect(updated).toBeUndefined();
+  });
+});
diff --git a/app/triggers/providers/dockercompose/Dockercompose.update-lifecycle-extended.test.ts b/app/triggers/providers/dockercompose/Dockercompose.update-lifecycle-extended.test.ts
new file mode 100644
index 000000000..faf62549e
--- /dev/null
+++ b/app/triggers/providers/dockercompose/Dockercompose.update-lifecycle-extended.test.ts
@@ -0,0 +1,787 @@
+import { watch } from 'node:fs';
+import fs from 'node:fs/promises';
+import { getState } from '../../../registry/index.js';
+import Dockercompose from './Dockercompose.js';
+import {
+  makeCompose,
+  makeContainer,
+  makeDockerContainerHandle,
+  setupDockercomposeTestContext,
+} from './Dockercompose.test.helpers.js';
+
+vi.mock('../../../registry', () => ({
+  getState: vi.fn(),
+}));
+
+vi.mock('../../../event/index.js', () => ({
+  emitContainerUpdateApplied: vi.fn().mockResolvedValue(undefined),
+  emitContainerUpdateFailed: vi.fn().mockResolvedValue(undefined),
+  emitSecurityAlert: vi.fn().mockResolvedValue(undefined),
+  emitSelfUpdateStarting: vi.fn(),
+}));
+
+vi.mock('../../../model/container.js', async (importOriginal) => {
+  const actual = await importOriginal();
+  return {
+    ...actual,
+    fullName: vi.fn((c) => `test_${c.name}`),
+  };
+});
+
+vi.mock('../../../store/backup', () => ({
+  insertBackup: vi.fn(),
+  pruneOldBackups: vi.fn(),
+  getBackupsByName: vi.fn().mockReturnValue([]),
+}));
+
+// Modules used by the shared lifecycle (inherited from Docker trigger)
+vi.mock('../../../configuration/index.js', async () => {
+  const actual = await vi.importActual('../../../configuration/index.js');
+  return { ...actual, getSecurityConfiguration: vi.fn().mockReturnValue({ enabled: false }) };
+});
+vi.mock('../../../store/audit.js', () => ({ insertAudit: vi.fn() }));
+vi.mock('../../../prometheus/audit.js', () => ({ getAuditCounter: vi.fn().mockReturnValue(null) }));
+vi.mock('../../../security/scan.js', () => ({
+  scanImageForVulnerabilities: vi.fn(),
+  verifyImageSignature: vi.fn(),
+  generateImageSbom: vi.fn(),
+  clearDigestScanCache: vi.fn(),
+  getDigestScanCacheSize: vi.fn().mockReturnValue(0),
+  updateDigestScanCache: vi.fn(),
+  scanImageWithDedup: vi.fn(),
+}));
+vi.mock('../../../store/container.js', () => ({
+  getContainer: vi.fn(),
+  updateContainer: vi.fn(),
+  cacheSecurityState: vi.fn(),
+}));
+vi.mock('../../hooks/HookRunner.js', () => ({ runHook: vi.fn() }));
+vi.mock('../docker/HealthMonitor.js', () => ({ startHealthMonitor: vi.fn() }));
+
+vi.mock('node:fs', async (importOriginal) => {
+  const actual = await importOriginal();
+  return {
+    ...actual,
+    watch: vi.fn(),
+  };
+});
+
+vi.mock('../../../util/sleep.js', () => ({
+  sleep: vi.fn().mockResolvedValue(undefined),
+}));
+
+vi.mock('node:fs/promises', async (importOriginal) => {
+  const actual = await importOriginal();
+  return {
+    ...actual,
+    default: {
+      ...actual.default,
+      access: vi.fn().mockResolvedValue(undefined),
+      copyFile: vi.fn().mockResolvedValue(undefined),
+      readFile: vi.fn().mockResolvedValue(Buffer.from('')),
+      writeFile: vi.fn().mockResolvedValue(undefined),
+      rename: vi.fn().mockResolvedValue(undefined),
+      unlink: vi.fn().mockResolvedValue(undefined),
+      stat: vi.fn().mockResolvedValue({ mtimeMs: Date.now() }),
+    },
+    access: vi.fn().mockResolvedValue(undefined),
+    copyFile: vi.fn().mockResolvedValue(undefined),
+    readFile: vi.fn().mockResolvedValue(Buffer.from('')),
+    writeFile: vi.fn().mockResolvedValue(undefined),
+    rename: vi.fn().mockResolvedValue(undefined),
+    unlink: vi.fn().mockResolvedValue(undefined),
+    stat: vi.fn().mockResolvedValue({ mtimeMs: Date.now() }),
+  };
+});
+
+describe('Dockercompose Trigger', () => {
+  let trigger;
+  let mockLog;
+  let mockDockerApi;
+
+  beforeEach(() => {
+    ({ trigger, mockLog, mockDockerApi } = setupDockercomposeTestContext({
+      DockercomposeCtor: Dockercompose,
+      watchMock: watch,
+      getStateMock: getState,
+    }));
+  });
+
+  test('buildUpdatedComposeFileObjectForValidation should normalize non-object service sections and entries', () => {
+    const updatedFromInvalidServices = trigger.buildUpdatedComposeFileObjectForValidation(
+      { version: '3.9', services: 'invalid' },
+      new Map([['nginx', 'nginx:1.1.0']]),
+    ) as any;
+    const updatedFromScalarService = trigger.buildUpdatedComposeFileObjectForValidation(
+      { services: { nginx: 'legacy' } },
+      new Map([['nginx', 'nginx:1.1.0']]),
+    ) as any;
+
+    expect(updatedFromInvalidServices.services).toEqual({
+      nginx: { image: 'nginx:1.1.0' },
+    });
+    expect(updatedFromScalarService.services.nginx).toEqual({
+      image: 'nginx:1.1.0',
+    });
+  });
+
+  test('reconcileComposeMappings should no-op when reconciliation mode is off', () => {
+    trigger.configuration.reconciliationMode = 'off';
+
+    expect(() =>
+      trigger.reconcileComposeMappings('stack.yml', [
+        {
+          service: 'nginx',
+          runtimeNormalized: 'nginx:1.1.0',
+          currentNormalized: 'nginx:1.0.0',
+          runtimeImage: 'nginx:1.1.0',
+          current: 'nginx:1.0.0',
+        },
+      ]),
+    ).not.toThrow();
+    expect(mockLog.warn).not.toHaveBeenCalled();
+  });
+
+  test('getComposeFileChainAsObject should skip compose documents without service maps', async () => {
+    const composeFiles = ['/opt/drydock/test/base.yml', '/opt/drydock/test/override.yml'];
+    const composeByFile = new Map<string, any>([
+      ['/opt/drydock/test/base.yml', { volumes: { data: {} } }],
+      ['/opt/drydock/test/override.yml', { services: { nginx: { image: 'nginx:1.1.0' } } }],
+    ]);
+
+    const compose = await trigger.getComposeFileChainAsObject(composeFiles, composeByFile);
+
+    expect(compose).toEqual({
+      services: {
+        nginx: { image: 'nginx:1.1.0' },
+      },
+    });
+  });
+
+  test('getComposeFileChainAsObject should load compose files when composeByFile cache is not provided', async () => {
+    vi.spyOn(trigger, 'getComposeFileAsObject')
+      .mockResolvedValueOnce({ services: { nginx: { image: 'nginx:1.0.0' } } })
+      .mockResolvedValueOnce({ services: { redis: { image: 'redis:7.0.0' } } });
+
+    const compose = await trigger.getComposeFileChainAsObject([
+      '/opt/drydock/test/stack.yml',
+      '/opt/drydock/test/stack.override.yml',
+    ]);
+
+    expect(compose).toEqual({
+      services: {
+        nginx: { image: 'nginx:1.0.0' },
+        redis: { image: 'redis:7.0.0' },
+      },
+    });
+  });
+
+  test('getComposeFileChainAsObject should continue when loaded compose file has no services section', async () => {
+    vi.spyOn(trigger, 'getComposeFileAsObject')
+      .mockResolvedValueOnce({ version: '3.9' })
+      .mockResolvedValueOnce({ services: { nginx: { image: 'nginx:1.0.0' } } });
+
+    const compose = await trigger.getComposeFileChainAsObject([
+      '/opt/drydock/test/stack.yml',
+      '/opt/drydock/test/stack.override.yml',
+    ]);
+
+    expect(compose.services).toEqual({
+      nginx: { image: 'nginx:1.0.0' },
+    });
+  });
+
+  test('getWritableComposeFileForService should throw the last write-access error', async () => {
+    const accessError = new Error('permission denied');
+    fs.access.mockRejectedValueOnce(accessError).mockRejectedValueOnce(accessError);
+
+    await expect(
+      trigger.getWritableComposeFileForService(
+        ['/opt/drydock/test/base.yml', '/opt/drydock/test/override.yml'],
+        'nginx',
+        new Map<string, unknown>([
+          ['/opt/drydock/test/base.yml', { services: { nginx: { image: 'nginx:1.0.0' } } }],
+          ['/opt/drydock/test/override.yml', { services: { nginx: { image: 'nginx:1.1.0' } } }],
+        ]),
+      ),
+    ).rejects.toBe(accessError);
+  });
+
+  test('getWritableComposeFileForService should load compose files when compose cache is not provided', async () => {
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue({
+      services: { nginx: { image: 'nginx:1.0.0' } },
+    } as any);
+
+    const composeFile = await trigger.getWritableComposeFileForService(
+      ['/opt/drydock/test/stack.yml'],
+      'nginx',
+    );
+
+    expect(composeFile).toBe('/opt/drydock/test/stack.yml');
+  });
+
+  test('getWritableComposeFileForService should fall back to the first compose file when service is absent', async () => {
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue({
+      services: { redis: { image: 'redis:7.0.0' } },
+    } as any);
+
+    const composeFile = await trigger.getWritableComposeFileForService(
+      ['/opt/drydock/test/stack.yml'],
+      'nginx',
+    );
+
+    expect(composeFile).toBe('/opt/drydock/test/stack.yml');
+  });
+
+  test('getWritableComposeFileForService should tolerate undefined compose documents when resolving service ownership', async () => {
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(undefined as any);
+
+    const composeFile = await trigger.getWritableComposeFileForService(
+      ['/opt/drydock/test/stack.yml'],
+      'nginx',
+    );
+
+    expect(composeFile).toBe('/opt/drydock/test/stack.yml');
+  });
+
+  test('validateComposeConfiguration should throw when the updated compose text is invalid YAML', async () => {
+    await expect(
+      trigger.validateComposeConfiguration(
+        '/opt/drydock/test/compose.yml',
+        'services:\n  nginx: [\n',
+      ),
+    ).rejects.toThrow('Error when validating compose configuration');
+  });
+
+  test('mutateComposeFile should validate compose chain when multiple compose files are provided', async () => {
+    vi.spyOn(trigger, 'getComposeFile').mockResolvedValue(
+      Buffer.from('services:\n  nginx:\n    image: nginx:1.0.0\n'),
+    );
+    fs.stat.mockResolvedValueOnce({ mtimeMs: 1_700_000_000_000 } as any);
+    const validateSpy = vi
+      .spyOn(trigger, 'validateComposeConfiguration')
+      .mockResolvedValue(undefined);
+    vi.spyOn(trigger, 'writeComposeFile').mockResolvedValue();
+
+    const changed = await trigger.mutateComposeFile(
+      '/opt/drydock/test/stack.override.yml',
+      (text) => text.replace('1.0.0', '1.1.0'),
+      {
+        composeFiles: ['/opt/drydock/test/stack.yml', '/opt/drydock/test/stack.override.yml'],
+      },
+    );
+
+    expect(changed).toBe(true);
+    expect(validateSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/stack.override.yml',
+      expect.stringContaining('1.1.0'),
+      {
+        composeFiles: ['/opt/drydock/test/stack.yml', '/opt/drydock/test/stack.override.yml'],
+      },
+    );
+  });
+
+  test('buildPerformContainerUpdateOptions should compose options without duplicate spread logic', () => {
+    const runtimeContext = {
+      dockerApi: mockDockerApi,
+      auth: { from: 'context' },
+      newImage: 'nginx:9.9.9',
+      registry: getState().registry.hub,
+    };
+
+    const options = (trigger as any).buildPerformContainerUpdateOptions(
+      {
+        composeFiles: ['/opt/drydock/test/stack.yml', '/opt/drydock/test/stack.override.yml'],
+        skipPull: true,
+      },
+      runtimeContext,
+    );
+
+    expect(options).toEqual({
+      composeFiles: ['/opt/drydock/test/stack.yml', '/opt/drydock/test/stack.override.yml'],
+      skipPull: true,
+      runtimeContext,
+    });
+  });
+
+  test('buildPerformContainerUpdateOptions should omit runtime context and compose chain when not needed', () => {
+    const options = (trigger as any).buildPerformContainerUpdateOptions(
+      {
+        composeFiles: ['/opt/drydock/test/stack.yml'],
+      },
+      {},
+    );
+
+    expect(options).toEqual({});
+  });
+
+  test('performContainerUpdate should pass compose chain to per-service update', async () => {
+    trigger.configuration.dryrun = false;
+    const container = makeContainer({
+      name: 'nginx',
+    });
+    const updateContainerWithComposeSpy = vi
+      .spyOn(trigger, 'updateContainerWithCompose')
+      .mockResolvedValue();
+    vi.spyOn(trigger, 'runServicePostStartHooks').mockResolvedValue();
+
+    const updated = await trigger.performContainerUpdate({} as any, container as any, mockLog, {
+      composeFile: '/opt/drydock/test/stack.override.yml',
+      composeFiles: ['/opt/drydock/test/stack.yml', '/opt/drydock/test/stack.override.yml'],
+      service: 'nginx',
+      serviceDefinition: {},
+      composeFileOnceApplied: false,
+    } as any);
+
+    expect(updated).toBe(true);
+    expect(updateContainerWithComposeSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/stack.override.yml',
+      'nginx',
+      container,
+      {
+        composeFiles: ['/opt/drydock/test/stack.yml', '/opt/drydock/test/stack.override.yml'],
+      },
+    );
+  });
+
+  test('performContainerUpdate should pass runtime context to per-service update when available', async () => {
+    trigger.configuration.dryrun = false;
+    const container = makeContainer({
+      name: 'nginx',
+    });
+    const updateContainerWithComposeSpy = vi
+      .spyOn(trigger, 'updateContainerWithCompose')
+      .mockResolvedValue();
+    vi.spyOn(trigger, 'runServicePostStartHooks').mockResolvedValue();
+    const runtimeContext = {
+      dockerApi: mockDockerApi,
+      auth: { from: 'context' },
+      newImage: 'nginx:9.9.9',
+      registry: getState().registry.hub,
+    };
+
+    const updated = await trigger.performContainerUpdate(
+      runtimeContext as any,
+      container as any,
+      mockLog,
+      {
+        composeFile: '/opt/drydock/test/stack.override.yml',
+        composeFiles: ['/opt/drydock/test/stack.yml', '/opt/drydock/test/stack.override.yml'],
+        service: 'nginx',
+        serviceDefinition: {},
+        composeFileOnceApplied: false,
+      } as any,
+    );
+
+    expect(updated).toBe(true);
+    expect(updateContainerWithComposeSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/stack.override.yml',
+      'nginx',
+      container,
+      {
+        composeFiles: ['/opt/drydock/test/stack.yml', '/opt/drydock/test/stack.override.yml'],
+        runtimeContext,
+      },
+    );
+  });
+
+  test('performContainerUpdate should pass skipPull in multi-file compose context', async () => {
+    trigger.configuration.dryrun = false;
+    const container = makeContainer({
+      name: 'nginx',
+    });
+    const updateContainerWithComposeSpy = vi
+      .spyOn(trigger, 'updateContainerWithCompose')
+      .mockResolvedValue();
+    vi.spyOn(trigger, 'runServicePostStartHooks').mockResolvedValue();
+
+    const updated = await trigger.performContainerUpdate({} as any, container as any, mockLog, {
+      composeFile: '/opt/drydock/test/stack.override.yml',
+      composeFiles: ['/opt/drydock/test/stack.yml', '/opt/drydock/test/stack.override.yml'],
+      service: 'nginx',
+      serviceDefinition: {},
+      composeFileOnceApplied: false,
+      skipPull: true,
+    } as any);
+
+    expect(updated).toBe(true);
+    expect(updateContainerWithComposeSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/stack.override.yml',
+      'nginx',
+      container,
+      {
+        composeFiles: ['/opt/drydock/test/stack.yml', '/opt/drydock/test/stack.override.yml'],
+        skipPull: true,
+      },
+    );
+  });
+
+  test('performContainerUpdate should avoid passing runtime context when none is available in single-file path', async () => {
+    trigger.configuration.dryrun = false;
+    const container = makeContainer({
+      name: 'nginx',
+    });
+    const updateContainerWithComposeSpy = vi
+      .spyOn(trigger, 'updateContainerWithCompose')
+      .mockResolvedValue();
+    vi.spyOn(trigger, 'runServicePostStartHooks').mockResolvedValue();
+
+    const updated = await trigger.performContainerUpdate({} as any, container as any, mockLog, {
+      composeFile: '/opt/drydock/test/stack.yml',
+      service: 'nginx',
+      serviceDefinition: {},
+      composeFileOnceApplied: false,
+    } as any);
+
+    expect(updated).toBe(true);
+    expect(updateContainerWithComposeSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/stack.yml',
+      'nginx',
+      container,
+      {},
+    );
+  });
+
+  test('performContainerUpdate should skip per-service refresh when compose-file-once is already applied', async () => {
+    trigger.configuration.dryrun = false;
+    const container = makeContainer({
+      name: 'nginx',
+    });
+    const updateContainerWithComposeSpy = vi
+      .spyOn(trigger, 'updateContainerWithCompose')
+      .mockResolvedValue();
+    const hooksSpy = vi.spyOn(trigger, 'runServicePostStartHooks').mockResolvedValue();
+
+    const updated = await trigger.performContainerUpdate({} as any, container as any, mockLog, {
+      composeFile: '/opt/drydock/test/stack.yml',
+      service: 'nginx',
+      serviceDefinition: {},
+      composeFileOnceApplied: true,
+    } as any);
+
+    expect(updated).toBe(true);
+    expect(updateContainerWithComposeSpy).not.toHaveBeenCalled();
+    expect(hooksSpy).toHaveBeenCalledWith(container, 'nginx', {});
+    expect(mockLog.info).toHaveBeenCalledWith(
+      expect.stringContaining('Skip per-service compose refresh for nginx'),
+    );
+  });
+
+  test('executeSelfUpdate should forward operation id to parent self-update transition', async () => {
+    trigger.configuration.dryrun = false;
+    const container = makeContainer({
+      name: 'drydock',
+      imageName: 'codeswhat/drydock',
+    });
+    const currentContainer = makeDockerContainerHandle();
+    const currentContainerSpec = {
+      Id: 'current-id',
+      Name: '/drydock',
+      State: { Running: true },
+      HostConfig: {
+        Binds: ['/var/run/docker.sock:/var/run/docker.sock'],
+      },
+    };
+    vi.spyOn(trigger, 'getCurrentContainer').mockResolvedValue(currentContainer);
+    vi.spyOn(trigger, 'inspectContainer').mockResolvedValue(currentContainerSpec as any);
+    const executeSpy = vi.spyOn(trigger.selfUpdateOrchestrator, 'execute').mockResolvedValue(true);
+    const updateContainerWithComposeSpy = vi
+      .spyOn(trigger, 'updateContainerWithCompose')
+      .mockResolvedValue();
+
+    const updated = await trigger.executeSelfUpdate(
+      {
+        dockerApi: mockDockerApi,
+        registry: getState().registry.hub,
+        auth: {},
+        newImage: 'codeswhat/drydock:1.1.0',
+        currentContainer: null,
+        currentContainerSpec: null,
+      },
+      container,
+      mockLog,
+      'op-self-update-123',
+      {
+        composeFile: '/opt/drydock/test/stack.override.yml',
+        composeFiles: ['/opt/drydock/test/stack.yml', '/opt/drydock/test/stack.override.yml'],
+        service: 'drydock',
+        serviceDefinition: {},
+      } as any,
+    );
+
+    expect(updated).toBe(true);
+    expect(executeSpy).toHaveBeenCalledWith(
+      expect.objectContaining({
+        currentContainer,
+        currentContainerSpec,
+      }),
+      container,
+      mockLog,
+      'op-self-update-123',
+    );
+    expect(updateContainerWithComposeSpy).not.toHaveBeenCalled();
+  });
+
+  test('processComposeFile should mark repeated compose services as already refreshed in compose-file-once mode', async () => {
+    trigger.configuration.dryrun = false;
+    trigger.configuration.composeFileOnce = true;
+    const firstContainer = makeContainer({
+      name: 'nginx-a',
+      labels: { 'com.docker.compose.service': 'nginx' },
+    });
+    const secondContainer = makeContainer({
+      name: 'nginx-b',
+      labels: { 'com.docker.compose.service': 'nginx' },
+    });
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({
+        nginx: { image: 'nginx:1.0.0' },
+      }),
+    );
+    vi.spyOn(trigger, 'getComposeFile').mockResolvedValue(
+      Buffer.from(['services:', '  nginx:', '    image: nginx:1.0.0', ''].join('\n')),
+    );
+    vi.spyOn(trigger, 'writeComposeFile').mockResolvedValue();
+    const runContainerUpdateLifecycleSpy = vi
+      .spyOn(trigger, 'runContainerUpdateLifecycle')
+      .mockResolvedValue();
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [
+      firstContainer,
+      secondContainer,
+    ]);
+
+    expect(runContainerUpdateLifecycleSpy).toHaveBeenCalledTimes(2);
+    expect(runContainerUpdateLifecycleSpy).toHaveBeenNthCalledWith(
+      1,
+      firstContainer,
+      expect.objectContaining({
+        service: 'nginx',
+        composeFileOnceApplied: false,
+      }),
+    );
+    expect(runContainerUpdateLifecycleSpy).toHaveBeenNthCalledWith(
+      2,
+      secondContainer,
+      expect.objectContaining({
+        service: 'nginx',
+        composeFileOnceApplied: true,
+      }),
+    );
+  });
+
+  test('processComposeFile should pre-pull once for repeated compose services in compose-file-once mode', async () => {
+    trigger.configuration.dryrun = false;
+    trigger.configuration.prune = false;
+    trigger.configuration.composeFileOnce = true;
+    const firstContainer = makeContainer({
+      name: 'nginx-a',
+      labels: { 'com.docker.compose.service': 'nginx' },
+    });
+    const secondContainer = makeContainer({
+      name: 'nginx-b',
+      labels: { 'com.docker.compose.service': 'nginx' },
+    });
+
+    vi.spyOn(trigger, 'getComposeFileAsObject').mockResolvedValue(
+      makeCompose({
+        nginx: { image: 'nginx:1.0.0' },
+      }),
+    );
+    vi.spyOn(trigger, 'getComposeFile').mockResolvedValue(
+      Buffer.from(['services:', '  nginx:', '    image: nginx:1.0.0', ''].join('\n')),
+    );
+    vi.spyOn(trigger, 'writeComposeFile').mockResolvedValue();
+    const pullImageSpy = vi.spyOn(trigger, 'pullImage').mockResolvedValue();
+    const updateContainerWithComposeSpy = vi
+      .spyOn(trigger, 'updateContainerWithCompose')
+      .mockResolvedValue();
+    vi.spyOn(trigger, 'runServicePostStartHooks').mockResolvedValue();
+    vi.spyOn(trigger, 'maybeScanAndGateUpdate').mockResolvedValue();
+    vi.spyOn(trigger, 'runPreUpdateHook').mockResolvedValue();
+    vi.spyOn(trigger, 'runPostUpdateHook').mockResolvedValue();
+    vi.spyOn(trigger, 'cleanupOldImages').mockResolvedValue();
+    vi.spyOn(trigger, 'maybeStartAutoRollbackMonitor').mockResolvedValue();
+
+    await trigger.processComposeFile('/opt/drydock/test/stack.yml', [
+      firstContainer,
+      secondContainer,
+    ]);
+
+    expect(pullImageSpy).toHaveBeenCalledTimes(1);
+    expect(updateContainerWithComposeSpy).toHaveBeenCalledTimes(1);
+    expect(updateContainerWithComposeSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/stack.yml',
+      'nginx',
+      firstContainer,
+      expect.objectContaining({
+        skipPull: true,
+      }),
+    );
+  });
+
+  test('preview should passthrough base preview errors without compose metadata', async () => {
+    const basePreviewSpy = vi
+      .spyOn(Object.getPrototypeOf(Dockercompose.prototype), 'preview')
+      .mockResolvedValue({ error: 'base preview failure' } as any);
+    try {
+      await expect(trigger.preview(makeContainer() as any)).resolves.toEqual({
+        error: 'base preview failure',
+      });
+    } finally {
+      basePreviewSpy.mockRestore();
+    }
+  });
+
+  test('preview should include compose patch metadata when service image changes', async () => {
+    const basePreviewSpy = vi
+      .spyOn(Object.getPrototypeOf(Dockercompose.prototype), 'preview')
+      .mockResolvedValue({ newImage: 'nginx:1.1.0' } as any);
+    vi.spyOn(trigger, 'resolveComposeServiceContext').mockResolvedValue({
+      composeFile: '/opt/drydock/test/stack.override.yml',
+      composeFiles: ['/opt/drydock/test/stack.yml', '/opt/drydock/test/stack.override.yml'],
+      compose: makeCompose({ nginx: { image: 'nginx:1.0.0' } }),
+      service: 'nginx',
+    } as any);
+    vi.spyOn(trigger, 'mapCurrentVersionToUpdateVersion').mockReturnValue({
+      service: 'nginx',
+      current: 'nginx:1.0.0',
+      update: 'nginx:1.1.0',
+      currentNormalized: 'nginx:1.0.0',
+      updateNormalized: 'nginx:1.1.0',
+    } as any);
+
+    try {
+      const preview = await trigger.preview(makeContainer() as any);
+
+      expect(preview.compose).toEqual(
+        expect.objectContaining({
+          files: ['/opt/drydock/test/stack.yml', '/opt/drydock/test/stack.override.yml'],
+          service: 'nginx',
+          mutation: {
+            intent: 'update-compose-service-image',
+            dryRun: true,
+            willWrite: false,
+          },
+          patch: expect.objectContaining({
+            path: '/opt/drydock/test/stack.override.yml',
+            format: 'unified',
+          }),
+        }),
+      );
+      expect(preview.compose.patch.diff).toContain('-  image: nginx:1.0.0');
+      expect(preview.compose.patch.diff).toContain('+  image: nginx:1.1.0');
+    } finally {
+      basePreviewSpy.mockRestore();
+    }
+  });
+
+  test('preview should omit compose patch when target image is unchanged', async () => {
+    const basePreviewSpy = vi
+      .spyOn(Object.getPrototypeOf(Dockercompose.prototype), 'preview')
+      .mockResolvedValue({ newImage: 'nginx:1.0.0' } as any);
+    vi.spyOn(trigger, 'resolveComposeServiceContext').mockResolvedValue({
+      composeFile: '/opt/drydock/test/stack.yml',
+      composeFiles: ['/opt/drydock/test/stack.yml'],
+      compose: makeCompose({ nginx: { image: 'nginx:1.0.0' } }),
+      service: 'nginx',
+    } as any);
+    vi.spyOn(trigger, 'mapCurrentVersionToUpdateVersion').mockReturnValue(undefined);
+
+    try {
+      const preview = await trigger.preview(makeContainer() as any);
+
+      expect(preview.compose.patch).toBeUndefined();
+    } finally {
+      basePreviewSpy.mockRestore();
+    }
+  });
+
+  test('updateContainerWithCompose should use Docker API pull regardless of compose file chain', async () => {
+    trigger.configuration.dryrun = false;
+    const pullImageSpy = vi.spyOn(trigger, 'pullImage').mockResolvedValue();
+    const composeFiles = ['/opt/drydock/test/stack.yml', '/opt/drydock/test/stack.override.yml'];
+    const container = makeContainer({
+      name: 'nginx',
+    });
+
+    await trigger.updateContainerWithCompose('/opt/drydock/test/stack.yml', 'nginx', container, {
+      composeFiles,
+      shouldStart: true,
+      skipPull: false,
+    });
+
+    expect(pullImageSpy).toHaveBeenCalledTimes(1);
+  });
+
+  test('recreateContainer should include compose file chain when compose service is defined in overrides', async () => {
+    const container = makeContainer({
+      name: 'nginx',
+      labels: {
+        'dd.compose.file': '/opt/drydock/test/stack.yml',
+        'com.docker.compose.service': 'nginx',
+      },
+    });
+    vi.spyOn(trigger, 'resolveComposeServiceContext').mockResolvedValue({
+      composeFile: '/opt/drydock/test/stack.override.yml',
+      composeFiles: ['/opt/drydock/test/stack.yml', '/opt/drydock/test/stack.override.yml'],
+      service: 'nginx',
+    } as any);
+    vi.spyOn(trigger, 'mutateComposeFile').mockResolvedValue(true);
+    const refreshComposeServiceSpy = vi
+      .spyOn(trigger as any, 'refreshComposeServiceWithDockerApi')
+      .mockResolvedValue();
+
+    await trigger.recreateContainer(
+      mockDockerApi,
+      {
+        State: { Running: true },
+        Config: { Image: 'nginx:1.0.0' },
+      },
+      'nginx:1.1.0',
+      container,
+      mockLog,
+    );
+
+    expect(refreshComposeServiceSpy).toHaveBeenCalledWith(
+      '/opt/drydock/test/stack.override.yml',
+      'nginx',
+      container,
+      {
+        shouldStart: true,
+        skipPull: true,
+        forceRecreate: true,
+        composeFiles: ['/opt/drydock/test/stack.yml', '/opt/drydock/test/stack.override.yml'],
+      },
+    );
+  });
+
+  test('setComposeCacheEntry should clear caches when max entries is below one', () => {
+    const cache = new Map<string, unknown>([
+      ['a', { value: 1 }],
+      ['b', { value: 2 }],
+    ]);
+    trigger._composeCacheMaxEntries = 0;
+
+    trigger.setComposeCacheEntry(cache, 'c', { value: 3 });
+
+    expect(cache.size).toBe(0);
+  });
+
+  test('validateComposeConfiguration should append target compose file when compose chain omits it', async () => {
+    const getComposeFileAsObjectSpy = vi
+      .spyOn(trigger, 'getComposeFileAsObject')
+      .mockResolvedValue(makeCompose({ base: { image: 'busybox:1.0.0' } }));
+
+    await trigger.validateComposeConfiguration(
+      '/opt/drydock/test/stack.override.yml',
+      'services:\n  nginx:\n    image: nginx:1.1.0\n',
+      {
+        composeFiles: ['/opt/drydock/test/stack.yml'],
+      },
+    );
+
+    expect(getComposeFileAsObjectSpy).toHaveBeenCalledWith('/opt/drydock/test/stack.yml');
+  });
+});
diff --git a/app/triggers/providers/dockercompose/PostStartExecutor.ts b/app/triggers/providers/dockercompose/PostStartExecutor.ts
index 5026fc002..b77d0777e 100644
--- a/app/triggers/providers/dockercompose/PostStartExecutor.ts
+++ b/app/triggers/providers/dockercompose/PostStartExecutor.ts
@@ -15,6 +15,16 @@ type PostStartHook =
       environment?: string[] | Record<string, unknown>;
     };
 
+type PostStartHookObject = Exclude<PostStartHook, string>;
+
+type PostStartHookConfiguration = {
+  command: string | string[];
+  user?: string;
+  working_dir?: string;
+  privileged?: boolean;
+  environment?: string[] | Record<string, unknown>;
+};
+
 type PostStartExecStream = {
   once?: (event: string, callback: (error?: unknown) => void) => void;
   removeListener: (event: string, callback: (error?: unknown) => void) => void;
@@ -140,7 +150,15 @@ class PostStartExecutor {
   }
 
   async resolvePostStartHooksContainer(container: { name?: string }, serviceKey: string) {
-    const watcher = this.getWatcher(container);
+    let watcher: unknown;
+    try {
+      watcher = this.getWatcher(container);
+    } catch {
+      this.getLog()?.warn?.(
+        `Skip compose post_start hooks for ${container.name} (${serviceKey}) because watcher Docker API is unavailable`,
+      );
+      return null;
+    }
     const dockerApi = this.getDockerApiFromWatcher(watcher);
     if (!dockerApi) {
       this.getLog()?.warn?.(
@@ -163,10 +181,14 @@ class PostStartExecutor {
     hook: PostStartHook,
     containerName: string,
     serviceKey: string,
-  ) {
-    const hookConfiguration = typeof hook === 'string' ? { command: hook } : hook;
-    if (hookConfiguration?.command) {
-      return hookConfiguration;
+  ): PostStartHookConfiguration | null {
+    const hookConfiguration: PostStartHookConfiguration | PostStartHookObject =
+      typeof hook === 'string' ? { command: hook } : hook;
+    if (hookConfiguration.command) {
+      return {
+        ...hookConfiguration,
+        command: hookConfiguration.command,
+      };
     }
 
     this.getLog()?.warn?.(
@@ -175,13 +197,7 @@ class PostStartExecutor {
     return null;
   }
 
-  buildPostStartHookExecOptions(hookConfiguration: {
-    command: string | string[];
-    user?: string;
-    working_dir?: string;
-    privileged?: boolean;
-    environment?: string[] | Record<string, unknown>;
-  }) {
+  buildPostStartHookExecOptions(hookConfiguration: PostStartHookConfiguration) {
     return {
       AttachStdout: true,
       AttachStderr: true,
@@ -244,7 +260,7 @@ class PostStartExecutor {
       return;
     }
 
-    const execOptions = this.buildPostStartHookExecOptions(hookConfiguration as any);
+    const execOptions = this.buildPostStartHookExecOptions(hookConfiguration);
     this.getLog()?.info?.(`Run compose post_start hook for ${container.name} (${serviceKey})`);
     const exec = await containerToUpdate.exec(execOptions);
     const execStream = await exec.start({
diff --git a/app/triggers/providers/googlechat/Googlechat.test.ts b/app/triggers/providers/googlechat/Googlechat.test.ts
index e51afd7d0..e91b824d8 100644
--- a/app/triggers/providers/googlechat/Googlechat.test.ts
+++ b/app/triggers/providers/googlechat/Googlechat.test.ts
@@ -21,13 +21,14 @@ const configurationValid = {
   threshold: 'all',
   mode: 'simple',
   once: true,
-  auto: true,
+  auto: 'all',
   order: 100,
   simpletitle: 'Test Title',
   simplebody: 'Test Body',
   batchtitle: 'Batch Title',
   resolvenotifications: false,
   disabletitle: false,
+  digestcron: '0 8 * * *',
 };
 
 test('validateConfiguration should return validated configuration when valid', async () => {
diff --git a/app/triggers/providers/googlechat/Googlechat.ts b/app/triggers/providers/googlechat/Googlechat.ts
index 5b0427c76..5959b1845 100644
--- a/app/triggers/providers/googlechat/Googlechat.ts
+++ b/app/triggers/providers/googlechat/Googlechat.ts
@@ -2,6 +2,13 @@ import axios from 'axios';
 import { getOutboundHttpTimeoutMs } from '../../../configuration/runtime-defaults.js';
 import Trigger from '../Trigger.js';
 
+type GoogleChatMessageBody = {
+  text: string;
+  thread?: {
+    threadKey: string;
+  };
+};
+
 /**
  * Google Chat Trigger implementation
  */
@@ -43,7 +50,7 @@ class Googlechat extends Trigger {
   }
 
   buildMessageBody(text) {
-    const body: any = { text };
+    const body: GoogleChatMessageBody = { text };
     if (this.configuration.threadkey) {
       body.thread = { threadKey: this.configuration.threadkey };
     }
diff --git a/app/triggers/providers/gotify/Gotify.test.ts b/app/triggers/providers/gotify/Gotify.test.ts
index 9c3a5d943..f0c2590fd 100644
--- a/app/triggers/providers/gotify/Gotify.test.ts
+++ b/app/triggers/providers/gotify/Gotify.test.ts
@@ -11,7 +11,7 @@ const configurationValid = {
   mode: 'simple',
   threshold: 'all',
   once: true,
-  auto: true,
+  auto: 'all',
   order: 100,
   simpletitle: 'New ${container.updateKind.kind} found for container ${container.name}',
   simplebody:
@@ -19,6 +19,7 @@ const configurationValid = {
 
   batchtitle: '${containers.length} updates available',
   resolvenotifications: false,
+  digestcron: '0 8 * * *',
 };
 
 beforeEach(async () => {
@@ -57,12 +58,13 @@ test('maskConfiguration should mask sensitive data', async () => {
     mode: 'simple',
     threshold: 'all',
     once: true,
-    auto: true,
+    auto: 'all',
     order: 100,
     simpletitle: configurationValid.simpletitle,
     simplebody: configurationValid.simplebody,
     batchtitle: configurationValid.batchtitle,
     resolvenotifications: false,
+    digestcron: '0 8 * * *',
   });
 });
 
diff --git a/app/triggers/providers/ifttt/Ifttt.test.ts b/app/triggers/providers/ifttt/Ifttt.test.ts
index a16051722..17473546b 100644
--- a/app/triggers/providers/ifttt/Ifttt.test.ts
+++ b/app/triggers/providers/ifttt/Ifttt.test.ts
@@ -13,7 +13,7 @@ const configurationValid = {
   threshold: 'all',
   mode: 'simple',
   once: true,
-  auto: true,
+  auto: 'all',
   order: 100,
   simpletitle: 'New ${container.updateKind.kind} found for container ${container.name}',
 
@@ -22,6 +22,7 @@ const configurationValid = {
 
   batchtitle: '${containers.length} updates available',
   resolvenotifications: false,
+  digestcron: '0 8 * * *',
 };
 
 beforeEach(async () => {
diff --git a/app/triggers/providers/kafka/Kafka.test.ts b/app/triggers/providers/kafka/Kafka.test.ts
index c6e1d06ca..88dca00a4 100644
--- a/app/triggers/providers/kafka/Kafka.test.ts
+++ b/app/triggers/providers/kafka/Kafka.test.ts
@@ -15,7 +15,7 @@ const configurationValid = {
   threshold: 'all',
   mode: 'simple',
   once: true,
-  auto: true,
+  auto: 'all',
   order: 100,
   simpletitle: 'New ${container.updateKind.kind} found for container ${container.name}',
 
@@ -24,6 +24,7 @@ const configurationValid = {
 
   batchtitle: '${containers.length} updates available',
   resolvenotifications: false,
+  digestcron: '0 8 * * *',
 };
 
 beforeEach(async () => {
diff --git a/app/triggers/providers/matrix/Matrix.test.ts b/app/triggers/providers/matrix/Matrix.test.ts
index 7128a1123..46b30368b 100644
--- a/app/triggers/providers/matrix/Matrix.test.ts
+++ b/app/triggers/providers/matrix/Matrix.test.ts
@@ -23,13 +23,14 @@ const configurationValid = {
   threshold: 'all',
   mode: 'simple',
   once: true,
-  auto: true,
+  auto: 'all',
   order: 100,
   simpletitle: 'Test Title',
   simplebody: 'Test Body',
   batchtitle: 'Batch Title',
   resolvenotifications: false,
   disabletitle: false,
+  digestcron: '0 8 * * *',
 };
 
 test('validateConfiguration should return validated configuration when valid', async () => {
diff --git a/app/triggers/providers/mattermost/Mattermost.test.ts b/app/triggers/providers/mattermost/Mattermost.test.ts
index 0dba5b26d..6b63a695d 100644
--- a/app/triggers/providers/mattermost/Mattermost.test.ts
+++ b/app/triggers/providers/mattermost/Mattermost.test.ts
@@ -23,13 +23,14 @@ const configurationValid = {
   threshold: 'all',
   mode: 'simple',
   once: true,
-  auto: true,
+  auto: 'all',
   order: 100,
   simpletitle: 'Test Title',
   simplebody: 'Test Body',
   batchtitle: 'Batch Title',
   resolvenotifications: false,
   disabletitle: false,
+  digestcron: '0 8 * * *',
 };
 
 test('validateConfiguration should return validated configuration when valid', async () => {
diff --git a/app/triggers/providers/mattermost/Mattermost.ts b/app/triggers/providers/mattermost/Mattermost.ts
index b39d716f5..58bde8814 100644
--- a/app/triggers/providers/mattermost/Mattermost.ts
+++ b/app/triggers/providers/mattermost/Mattermost.ts
@@ -2,6 +2,14 @@ import axios from 'axios';
 import { getOutboundHttpTimeoutMs } from '../../../configuration/runtime-defaults.js';
 import Trigger from '../Trigger.js';
 
+type MattermostMessageBody = {
+  text: string;
+  channel?: string;
+  username?: string;
+  icon_emoji?: string;
+  icon_url?: string;
+};
+
 /**
  * Mattermost Trigger implementation
  */
@@ -52,7 +60,7 @@ class Mattermost extends Trigger {
   }
 
   buildMessageBody(text) {
-    const body: any = { text };
+    const body: MattermostMessageBody = { text };
     if (this.configuration.channel) {
       body.channel = this.configuration.channel;
     }
diff --git a/app/triggers/providers/mqtt/Hass.test.ts b/app/triggers/providers/mqtt/Hass.test.ts
index 97e2e9786..6753a6cab 100644
--- a/app/triggers/providers/mqtt/Hass.test.ts
+++ b/app/triggers/providers/mqtt/Hass.test.ts
@@ -813,9 +813,6 @@ test('addContainerSensor should not duplicate stale topic when it matches curren
 
   // The stale alias topic should be removed, the canonical published
   const publishCalls = mqttClientMock.publish.mock.calls;
-  const discoveryTopics = publishCalls
-    .filter(([topic]) => topic.startsWith('homeassistant/'))
-    .map(([topic]) => topic);
   // canonical topic should appear exactly once as a non-empty publish
   const canonicalPublishes = publishCalls.filter(
     ([topic, payload]) =>
diff --git a/app/triggers/providers/mqtt/Mqtt.test.ts b/app/triggers/providers/mqtt/Mqtt.test.ts
index 2183ea642..1ec6efd20 100644
--- a/app/triggers/providers/mqtt/Mqtt.test.ts
+++ b/app/triggers/providers/mqtt/Mqtt.test.ts
@@ -46,7 +46,7 @@ const configurationValid = {
   threshold: 'all',
   mode: 'simple',
   once: true,
-  auto: true,
+  auto: 'all',
   order: 100,
   simpletitle: 'New ${container.updateKind.kind} found for container ${container.name}',
 
@@ -55,6 +55,7 @@ const configurationValid = {
 
   batchtitle: '${containers.length} updates available',
   resolvenotifications: false,
+  digestcron: '0 8 * * *',
 };
 
 const containerData = [
diff --git a/app/triggers/providers/ntfy/Ntfy.test.ts b/app/triggers/providers/ntfy/Ntfy.test.ts
index 10cc4df74..84497b6dd 100644
--- a/app/triggers/providers/ntfy/Ntfy.test.ts
+++ b/app/triggers/providers/ntfy/Ntfy.test.ts
@@ -13,7 +13,7 @@ const configurationValid = {
   mode: 'simple',
   threshold: 'all',
   once: true,
-  auto: true,
+  auto: 'all',
   order: 100,
   simpletitle: 'New ${container.updateKind.kind} found for container ${container.name}',
 
@@ -22,6 +22,7 @@ const configurationValid = {
 
   batchtitle: '${containers.length} updates available',
   resolvenotifications: false,
+  digestcron: '0 8 * * *',
 };
 
 beforeEach(async () => {
diff --git a/app/triggers/providers/pushover/Pushover.test.ts b/app/triggers/providers/pushover/Pushover.test.ts
index 04f98e7ee..2ca555955 100644
--- a/app/triggers/providers/pushover/Pushover.test.ts
+++ b/app/triggers/providers/pushover/Pushover.test.ts
@@ -21,7 +21,7 @@ const configurationValid = {
   threshold: 'all',
   mode: 'simple',
   once: true,
-  auto: true,
+  auto: 'all',
   order: 100,
   simpletitle: 'New ${container.updateKind.kind} found for container ${container.name}',
 
@@ -30,6 +30,7 @@ const configurationValid = {
 
   batchtitle: '${containers.length} updates available',
   resolvenotifications: false,
+  digestcron: '0 8 * * *',
 };
 
 test('validateConfiguration should return validated configuration when valid', async () => {
@@ -102,7 +103,7 @@ test('maskConfiguration should mask sensitive data', async () => {
   expect(pushover.maskConfiguration()).toEqual({
     mode: 'simple',
     priority: 0,
-    auto: true,
+    auto: 'all',
     order: 100,
     simplebody:
       'Container ${container.name} running with ${container.updateKind.kind} ${container.updateKind.localValue} can be updated to ${container.updateKind.kind} ${container.updateKind.remoteValue}${container.result && container.result.link ? "\\n" + container.result.link : ""}',
@@ -117,6 +118,7 @@ test('maskConfiguration should mask sensitive data', async () => {
     once: true,
     token: '[REDACTED]',
     user: '[REDACTED]',
+    digestcron: '0 8 * * *',
   });
 });
 
@@ -268,3 +270,64 @@ test('sendMessage should reject when send callback has error', async () => {
   po.configuration = { ...configurationValid };
   await expect(po.sendMessage({ title: 'Test', message: 'test' })).rejects.toThrow('send error');
 });
+
+test('sendMessage should preserve Error.toString output for callback errors', async () => {
+  vi.resetModules();
+  vi.doMock('pushover-notifications', () => ({
+    default: class Push {
+      set onerror(_fn) {}
+      send(_message, cb) {
+        cb(new Error('send failed'), null);
+      }
+    },
+  }));
+  const { default: PushoverFresh } = await import('./Pushover.js');
+  const po = new PushoverFresh();
+  po.configuration = { ...configurationValid };
+  await expect(po.sendMessage({ title: 'Test', message: 'test' })).rejects.toThrow(
+    'Error: send failed',
+  );
+});
+
+test('sendMessage should allow undefined onerror payloads', async () => {
+  vi.resetModules();
+  vi.doMock('pushover-notifications', () => ({
+    default: class Push {
+      set onerror(fn) {
+        this._onerror = fn;
+      }
+      send(_message, _cb) {
+        this._onerror(undefined);
+      }
+    },
+  }));
+  const { default: PushoverFresh } = await import('./Pushover.js');
+  const po = new PushoverFresh();
+  po.configuration = { ...configurationValid };
+  await expect(po.sendMessage({ title: 'Test', message: 'test' })).rejects.toMatchObject({
+    message: '',
+  });
+});
+
+test('sendMessage should fallback to unknown error when callback error cannot be stringified', async () => {
+  vi.resetModules();
+  vi.doMock('pushover-notifications', () => ({
+    default: class Push {
+      set onerror(_fn) {}
+      send(_message, cb) {
+        cb(
+          {
+            toString() {
+              throw new Error('stringify failed');
+            },
+          },
+          null,
+        );
+      }
+    },
+  }));
+  const { default: PushoverFresh } = await import('./Pushover.js');
+  const po = new PushoverFresh();
+  po.configuration = { ...configurationValid };
+  await expect(po.sendMessage({ title: 'Test', message: 'test' })).rejects.toThrow('Unknown error');
+});
diff --git a/app/triggers/providers/pushover/Pushover.ts b/app/triggers/providers/pushover/Pushover.ts
index 1d16443c2..d62082889 100644
--- a/app/triggers/providers/pushover/Pushover.ts
+++ b/app/triggers/providers/pushover/Pushover.ts
@@ -1,6 +1,58 @@
 import Push from 'pushover-notifications';
+import type { Container } from '../../../model/container.js';
 import Trigger from '../Trigger.js';
 
+interface PushoverConfiguration {
+  user: string;
+  token: string;
+  device?: string;
+  html: number;
+  sound: string;
+  priority: number;
+  retry?: number;
+  ttl?: number;
+  expire?: number;
+}
+
+interface PushoverMessageInput {
+  title: string;
+  message: string;
+}
+
+interface PushoverMessagePayload extends PushoverMessageInput {
+  sound: string;
+  device?: string;
+  priority: number;
+  html: number;
+  retry?: number;
+  ttl?: number;
+  expire?: number;
+}
+
+interface PushoverClient {
+  onerror: ((error: unknown) => void) | undefined;
+  send(
+    message: PushoverMessagePayload,
+    callback: (error: unknown, response: unknown) => void,
+  ): void;
+}
+
+const JOI_CUSTOM_ERROR_CODE = 'an' + 'y.custom';
+
+function normalizeErrorMessage(error: unknown): string {
+  if (error instanceof Error) {
+    return error.toString();
+  }
+  if (error === undefined) {
+    return '';
+  }
+  try {
+    return String(error);
+  } catch {
+    return 'Unknown error';
+  }
+}
+
 /**
  * Ifttt Trigger implementation
  */
@@ -55,19 +107,19 @@ class Pushover extends Trigger {
           return configuration;
         }
         if (configuration.retry == null) {
-          return helpers.error('any.custom', {
+          return helpers.error(JOI_CUSTOM_ERROR_CODE, {
             message: '"retry" is required when priority is 2',
           });
         }
         if (configuration.expire == null) {
-          return helpers.error('any.custom', {
+          return helpers.error(JOI_CUSTOM_ERROR_CODE, {
             message: '"expire" is required when priority is 2',
           });
         }
         return configuration;
       })
       .messages({
-        'any.custom': '{{#message}}',
+        [JOI_CUSTOM_ERROR_CODE]: '{{#message}}',
       });
   }
 
@@ -85,7 +137,7 @@ class Pushover extends Trigger {
    * @param container the container
    * @returns {Promise<void>}
    */
-  async trigger(container) {
+  async trigger(container: Container) {
     return this.sendMessage({
       title: this.renderSimpleTitle(container),
       message: this.renderSimpleBody(container),
@@ -97,45 +149,46 @@ class Pushover extends Trigger {
    * @param containers
    * @returns {Promise<unknown>}
    */
-  async triggerBatch(containers) {
+  async triggerBatch(containers: Container[]) {
     return this.sendMessage({
       title: this.renderBatchTitle(containers),
       message: this.renderBatchBody(containers),
     });
   }
 
-  async sendMessage(message) {
-    const messageToSend = {
+  async sendMessage(message: PushoverMessageInput): Promise<unknown> {
+    const configuration = this.configuration as PushoverConfiguration;
+    const messageToSend: PushoverMessagePayload = {
       ...message,
-      sound: this.configuration.sound,
-      device: this.configuration.device,
-      priority: this.configuration.priority,
-      html: this.configuration.html,
+      sound: configuration.sound,
+      device: configuration.device,
+      priority: configuration.priority,
+      html: configuration.html,
     };
 
     // Emergency priority needs retry/expire props
-    if (this.configuration.priority === 2) {
-      messageToSend.expire = this.configuration.expire;
-      messageToSend.retry = this.configuration.retry;
+    if (configuration.priority === 2) {
+      messageToSend.expire = configuration.expire;
+      messageToSend.retry = configuration.retry;
     }
-    if (this.configuration.ttl) {
-      messageToSend.ttl = this.configuration.ttl;
+    if (configuration.ttl) {
+      messageToSend.ttl = configuration.ttl;
     }
-    return new Promise((resolve, reject) => {
-      const push = new Push({
-        user: this.configuration.user,
-        token: this.configuration.token,
+    return new Promise<unknown>((resolve, reject) => {
+      const push: PushoverClient = new Push({
+        user: configuration.user,
+        token: configuration.token,
       });
 
-      push.onerror = (err) => {
-        reject(new Error(err));
+      push.onerror = (error: unknown) => {
+        reject(new Error(normalizeErrorMessage(error)));
       };
 
-      push.send(messageToSend, (err, res) => {
-        if (err) {
-          reject(new Error(err));
+      push.send(messageToSend, (error: unknown, response: unknown) => {
+        if (error) {
+          reject(new Error(normalizeErrorMessage(error)));
         } else {
-          resolve(res);
+          resolve(response);
         }
       });
     });
@@ -146,7 +199,7 @@ class Pushover extends Trigger {
    * @param containers
    * @returns {*}
    */
-  renderBatchBody(containers) {
+  renderBatchBody(containers: Container[]) {
     return containers.map((container) => `- ${this.renderSimpleBody(container)}`).join('\n');
   }
 }
diff --git a/app/triggers/providers/slack/Slack.test.ts b/app/triggers/providers/slack/Slack.test.ts
index 4d0dc803c..70e353607 100644
--- a/app/triggers/providers/slack/Slack.test.ts
+++ b/app/triggers/providers/slack/Slack.test.ts
@@ -13,7 +13,7 @@ const configurationValid = {
   threshold: 'all',
   mode: 'simple',
   once: true,
-  auto: true,
+  auto: 'all',
   order: 100,
   simpletitle: 'New ${container.updateKind.kind} found for container ${container.name}',
 
@@ -23,6 +23,7 @@ const configurationValid = {
   batchtitle: '${containers.length} updates available',
   resolvenotifications: false,
   disabletitle: false,
+  digestcron: '0 8 * * *',
 };
 
 test('validateConfiguration should return validated configuration when valid', async () => {
diff --git a/app/triggers/providers/smtp/Smtp.test.ts b/app/triggers/providers/smtp/Smtp.test.ts
index 2aee7abd4..f9baf4077 100644
--- a/app/triggers/providers/smtp/Smtp.test.ts
+++ b/app/triggers/providers/smtp/Smtp.test.ts
@@ -15,7 +15,7 @@ const configurationValid = {
   threshold: 'all',
   mode: 'simple',
   once: true,
-  auto: true,
+  auto: 'all',
   order: 100,
   simpletitle: 'New ${container.updateKind.kind} found for container ${container.name}',
 
@@ -24,6 +24,7 @@ const configurationValid = {
 
   batchtitle: '${containers.length} updates available',
   resolvenotifications: false,
+  digestcron: '0 8 * * *',
 };
 
 test('validateConfiguration should return validated configuration when valid', async () => {
@@ -266,6 +267,53 @@ test('trigger should format mail as expected', async () => {
   );
 });
 
+test('trigger should format agent disconnect mail without container update wording', async () => {
+  smtp.configuration = configurationValid;
+  smtp.transporter = {
+    sendMail: (conf) => conf,
+  };
+  const response = await smtp.trigger({
+    id: 'agent-servicevault',
+    name: 'servicevault',
+    displayName: 'servicevault',
+    displayIcon: 'mdi:server-network-off',
+    status: 'disconnected',
+    watcher: 'agent',
+    image: {
+      id: 'agent-servicevault',
+      registry: {
+        name: 'agent',
+        url: 'agent://servicevault',
+      },
+      name: 'servicevault',
+      tag: {
+        value: 'disconnected',
+        semver: false,
+      },
+      digest: {
+        watch: false,
+      },
+      architecture: 'unknown',
+      os: 'unknown',
+    },
+    error: {
+      message: 'SSE connection lost',
+    },
+    updateAvailable: false,
+    updateKind: {
+      kind: 'unknown',
+    },
+    notificationEvent: {
+      kind: 'agent-disconnect',
+      agentName: 'servicevault',
+      reason: 'SSE connection lost',
+    },
+  } as any);
+
+  expect(response.subject).toBe('Agent servicevault disconnected');
+  expect(response.text).toBe('Agent servicevault disconnected: SSE connection lost');
+});
+
 test('triggerBatch should format mail as expected', async () => {
   smtp.configuration = configurationValid;
   smtp.transporter = {
diff --git a/app/triggers/providers/teams/Teams.test.ts b/app/triggers/providers/teams/Teams.test.ts
index 647bcad72..9917adff9 100644
--- a/app/triggers/providers/teams/Teams.test.ts
+++ b/app/triggers/providers/teams/Teams.test.ts
@@ -20,13 +20,14 @@ const configurationValid = {
   threshold: 'all',
   mode: 'simple',
   once: true,
-  auto: true,
+  auto: 'all',
   order: 100,
   simpletitle: 'Test Title',
   simplebody: 'Test Body',
   batchtitle: 'Batch Title',
   resolvenotifications: false,
   disabletitle: false,
+  digestcron: '0 8 * * *',
 };
 
 test('validateConfiguration should return validated configuration when valid', async () => {
diff --git a/app/triggers/providers/teams/Teams.ts b/app/triggers/providers/teams/Teams.ts
index 3a039c1fb..ec92e448b 100644
--- a/app/triggers/providers/teams/Teams.ts
+++ b/app/triggers/providers/teams/Teams.ts
@@ -2,6 +2,35 @@ import axios from 'axios';
 import { getOutboundHttpTimeoutMs } from '../../../configuration/runtime-defaults.js';
 import Trigger from '../Trigger.js';
 
+type TeamsAdaptiveCardTextBlock = {
+  type: 'TextBlock';
+  text: string;
+  wrap: true;
+};
+
+type TeamsAdaptiveCardOpenUrlAction = {
+  type: 'Action.OpenUrl';
+  title: 'Open release';
+  url: string;
+};
+
+type TeamsAdaptiveCardContent = {
+  type: 'AdaptiveCard';
+  $schema: 'http://adaptivecards.io/schemas/adaptive-card.json';
+  version: string;
+  body: TeamsAdaptiveCardTextBlock[];
+  actions?: TeamsAdaptiveCardOpenUrlAction[];
+};
+
+type TeamsMessageBody = {
+  type: 'message';
+  attachments: Array<{
+    contentType: 'application/vnd.microsoft.card.adaptive';
+    contentUrl: null;
+    content: TeamsAdaptiveCardContent;
+  }>;
+};
+
 /**
  * Microsoft Teams Trigger implementation
  */
@@ -48,7 +77,7 @@ class Teams extends Trigger {
   }
 
   buildMessageBody(text, resultLink?) {
-    const content: any = {
+    const content: TeamsAdaptiveCardContent = {
       type: 'AdaptiveCard',
       $schema: 'http://adaptivecards.io/schemas/adaptive-card.json',
       version: this.configuration.cardversion,
@@ -71,7 +100,7 @@ class Teams extends Trigger {
       ];
     }
 
-    return {
+    const messageBody: TeamsMessageBody = {
       type: 'message',
       attachments: [
         {
@@ -81,6 +110,8 @@ class Teams extends Trigger {
         },
       ],
     };
+
+    return messageBody;
   }
 
   async postMessage(text, resultLink?) {
diff --git a/app/triggers/providers/telegram/Telegram.test.ts b/app/triggers/providers/telegram/Telegram.test.ts
index 93e67f5fa..e6524206a 100644
--- a/app/triggers/providers/telegram/Telegram.test.ts
+++ b/app/triggers/providers/telegram/Telegram.test.ts
@@ -17,7 +17,7 @@ const configurationValid = {
   threshold: 'all',
   mode: 'simple',
   once: true,
-  auto: true,
+  auto: 'all',
   order: 100,
   simpletitle: 'New ${container.updateKind.kind} found for container ${container.name}',
 
@@ -28,6 +28,7 @@ const configurationValid = {
   resolvenotifications: false,
   disabletitle: false,
   messageformat: 'Markdown',
+  digestcron: '0 8 * * *',
 };
 
 beforeEach(async () => {
@@ -54,7 +55,7 @@ test('maskConfiguration should mask sensitive data', async () => {
     chatid: '[REDACTED]',
     mode: 'simple',
     once: true,
-    auto: true,
+    auto: 'all',
     order: 100,
     simplebody:
       'Container ${container.name} running with ${container.updateKind.kind} ${container.updateKind.localValue} can be updated to ${container.updateKind.kind} ${container.updateKind.remoteValue}${container.result && container.result.link ? "\\n" + container.result.link : ""}',
@@ -64,6 +65,7 @@ test('maskConfiguration should mask sensitive data', async () => {
     resolvenotifications: false,
     disabletitle: false,
     messageformat: 'Markdown',
+    digestcron: '0 8 * * *',
   });
 });
 
@@ -107,6 +109,21 @@ test('disabletitle should result in no title in message', async () => {
   expect(telegram.sendMessage).toHaveBeenCalledWith('Test Body');
 });
 
+test('disabletitle with HTML format should escape body as HTML', async () => {
+  telegram.configuration = {
+    ...configurationValid,
+    simpletitle: 'Test Title',
+    simplebody: 'Test <Body>',
+    disabletitle: true,
+    messageformat: 'HTML',
+  };
+
+  telegram.sendMessage = vi.fn();
+  await telegram.trigger({});
+
+  expect(telegram.sendMessage).toHaveBeenCalledWith('Test &lt;Body&gt;');
+});
+
 test('triggerBatch should send batch notification', async () => {
   telegram.configuration = configurationValid;
   telegram.sendMessage = vi.fn();
@@ -130,7 +147,20 @@ test('triggerBatch should send batch notification', async () => {
   ];
   await telegram.triggerBatch(containers);
   expect(telegram.sendMessage).toHaveBeenCalledWith(
-    '*2 updates available*\n\n- Container container1 running with tag 1.0.0 can be updated to tag 2.0.0\n\n- Container container2 running with tag 1.1.0 can be updated to tag 2.1.0\n',
+    '*2 updates available*\n\n\\- Container container1 running with tag 1\\.0\\.0 can be updated to tag 2\\.0\\.0\n\n\\- Container container2 running with tag 1\\.1\\.0 can be updated to tag 2\\.1\\.0\n',
+  );
+});
+
+test('trigger should escape MarkdownV2 special characters in body', async () => {
+  telegram.configuration = {
+    ...configurationValid,
+    simpletitle: 'Update',
+    simplebody: 'nginx:1.25.5 -> 1.29.7 (minor)',
+  };
+  telegram.sendMessage = vi.fn();
+  await telegram.trigger({});
+  expect(telegram.sendMessage).toHaveBeenCalledWith(
+    '*Update*\n\nnginx:1\\.25\\.5 \\-\\> 1\\.29\\.7 \\(minor\\)',
   );
 });
 
diff --git a/app/triggers/providers/telegram/Telegram.ts b/app/triggers/providers/telegram/Telegram.ts
index cbaad0b33..00d93fdac 100644
--- a/app/triggers/providers/telegram/Telegram.ts
+++ b/app/triggers/providers/telegram/Telegram.ts
@@ -69,22 +69,26 @@ class Telegram extends Trigger {
     const body = this.renderSimpleBody(container);
 
     if (this.configuration.disabletitle) {
-      return this.sendMessage(body);
+      return this.sendMessage(this.escape(body));
     }
 
     const title = this.renderSimpleTitle(container);
 
-    return this.sendMessage(`${this.bold(title)}\n\n${escapeMarkdown(body)}`);
+    return this.sendMessage(`${this.bold(title)}\n\n${this.escape(body)}`);
   }
 
   async triggerBatch(containers) {
     const body = this.renderBatchBody(containers);
     if (this.configuration.disabletitle) {
-      return this.sendMessage(body);
+      return this.sendMessage(this.escape(body));
     }
 
     const title = this.renderBatchTitle(containers);
-    return this.sendMessage(`${this.bold(title)}\n\n${body}`);
+    return this.sendMessage(`${this.bold(title)}\n\n${this.escape(body)}`);
+  }
+
+  private escape(text: string): string {
+    return this.getParseMode() === 'MarkdownV2' ? escapeMarkdown(text) : escapeHtml(text);
   }
 
   /**
@@ -107,13 +111,15 @@ class Telegram extends Trigger {
   }
 
   bold(text) {
-    return this.configuration.messageformat.toLowerCase() === 'markdown'
+    return (this.configuration.messageformat as string).toLowerCase() === 'markdown'
       ? `*${escapeMarkdown(text)}*`
       : `<b>${escapeHtml(text)}</b>`;
   }
 
   getParseMode() {
-    return this.configuration.messageformat.toLowerCase() === 'markdown' ? 'MarkdownV2' : 'HTML';
+    return (this.configuration.messageformat as string).toLowerCase() === 'markdown'
+      ? 'MarkdownV2'
+      : 'HTML';
   }
 }
 
diff --git a/app/triggers/providers/trigger-expression-parser.test.ts b/app/triggers/providers/trigger-expression-parser.test.ts
index 0a910414a..7c1ed3a82 100644
--- a/app/triggers/providers/trigger-expression-parser.test.ts
+++ b/app/triggers/providers/trigger-expression-parser.test.ts
@@ -17,6 +17,7 @@ const baseContainer = {
   },
   result: {
     link: 'https://example.com/release',
+    suggestedTag: '1.2.3',
   },
 };
 
@@ -93,6 +94,24 @@ describe('trigger-expression-parser', () => {
     });
     expect(output).toBe('suffix');
   });
+
+  test('renderSimple should expose suggestedTag template variable', () => {
+    const output = renderSimple('Pin to ${suggestedTag}', baseContainer as any);
+    expect(output).toBe('Pin to 1.2.3');
+  });
+
+  test('renderSimple should expose releaseNotes template variable', () => {
+    const output = renderSimple('${releaseNotes.title}', {
+      ...baseContainer,
+      result: {
+        ...baseContainer.result,
+        releaseNotes: {
+          title: 'Release title',
+        },
+      },
+    } as any);
+    expect(output).toBe('Release title');
+  });
 });
 
 describe('legacy template variable deprecation warnings', () => {
diff --git a/app/triggers/providers/trigger-expression-parser.ts b/app/triggers/providers/trigger-expression-parser.ts
index 47862b28e..ddc2d2acc 100644
--- a/app/triggers/providers/trigger-expression-parser.ts
+++ b/app/triggers/providers/trigger-expression-parser.ts
@@ -10,7 +10,7 @@ type TemplateVars = Record<string, unknown>;
 
 /**
  * Safely resolve a dotted property path on an object.
- * Returns undefined when any segment along the path is nullish.
+ * Returns undefined when a segment along the path is nullish.
  */
 function resolvePath(obj: unknown, path: string): unknown {
   return path.split('.').reduce<unknown>((cur, key) => {
@@ -347,8 +347,12 @@ function warnLegacyTemplateVars(template: string, legacyVars: string[], replacem
  */
 export function renderSimple(template: string, container: Container): string {
   if (template) warnLegacyTemplateVars(template, LEGACY_SIMPLE_VARS, 'container');
+  const event = Reflect.get(new Object(container), 'notificationEvent');
   const vars: TemplateVars = {
     container,
+    event: event && typeof event === 'object' ? event : {},
+    releaseNotes: container.result?.releaseNotes,
+    suggestedTag: container.result?.suggestedTag ?? container.result?.tag ?? '',
     // Deprecated vars for backward compatibility
     id: container.id,
     name: container.name,
diff --git a/app/tsconfig.json b/app/tsconfig.json
index b0dcce6c5..067882001 100644
--- a/app/tsconfig.json
+++ b/app/tsconfig.json
@@ -15,5 +15,13 @@
     "resolveJsonModule": true
   },
   "include": ["./**/*"],
-  "exclude": ["node_modules", "dist", "coverage", "**/*.test.ts", "**/*.spec.ts", "test"]
+  "exclude": [
+    "node_modules",
+    "dist",
+    "coverage",
+    "**/*.test.ts",
+    "**/*.test.helpers.ts",
+    "**/*.spec.ts",
+    "test"
+  ]
 }
diff --git a/app/vitest.config.test.ts b/app/vitest.config.test.ts
index 18ba0a0a4..9c6fed306 100644
--- a/app/vitest.config.test.ts
+++ b/app/vitest.config.test.ts
@@ -8,9 +8,24 @@ describe('vitest coverage configuration', () => {
       '**/node_modules/**',
       '**/dist/**',
       '**/coverage/**',
-      '**/package.json',
       '**/*.d.ts',
       '**/*.typecheck.ts',
+      '**/auth-types.ts',
+      '**/api/openapi.ts',
+      '**/api/openapi/index.ts',
+      '**/release-notes/types.ts',
+      '**/webhooks/parsers/types.ts',
+      '**/registries/providers/artifactory/Artifactory.ts',
+      '**/registries/providers/forgejo/Forgejo.ts',
+      '**/registries/providers/gitea/Gitea.ts',
+      '**/registries/providers/harbor/Harbor.ts',
+      '**/registries/providers/nexus/Nexus.ts',
+      '**/registries/providers/trueforge/Trueforge.ts',
+      '**/api/container/query-values.ts',
+      '**/api/container/sorting.ts',
+      '**/api/container/update-age.ts',
+      '**/test/mock-factories.ts',
+      '**/*.test.helpers.ts',
       'vitest.config.ts',
       'vitest.coverage-provider.ts',
     ]);
diff --git a/app/vitest.config.ts b/app/vitest.config.ts
index 6c2c3db25..7fa11de74 100644
--- a/app/vitest.config.ts
+++ b/app/vitest.config.ts
@@ -1,39 +1,72 @@
 import { defineConfig } from 'vitest/config';
 
+interface CoverageThresholds {
+  lines: number;
+  branches: number;
+  functions: number;
+  statements: number;
+}
+
+interface CustomCoverageConfig {
+  provider: 'custom';
+  customProviderModule: string;
+  reporter: string[];
+  include: string[];
+  exclude: string[];
+  thresholds: CoverageThresholds;
+}
+
+const coverageConfig: CustomCoverageConfig = {
+  // Use v8 coverage with a small wrapper that avoids a Vitest temp-dir race.
+  provider: 'custom',
+  customProviderModule: './vitest.coverage-provider.ts',
+  reporter: ['text', 'lcov', 'html'],
+  include: ['**/*.{js,ts}'],
+  exclude: [
+    '**/node_modules/**',
+    '**/dist/**',
+    '**/coverage/**',
+    '**/*.d.ts',
+    '**/*.typecheck.ts',
+    '**/auth-types.ts',
+    '**/api/openapi.ts',
+    '**/api/openapi/index.ts',
+    '**/release-notes/types.ts',
+    '**/webhooks/parsers/types.ts',
+    '**/registries/providers/artifactory/Artifactory.ts',
+    '**/registries/providers/forgejo/Forgejo.ts',
+    '**/registries/providers/gitea/Gitea.ts',
+    '**/registries/providers/harbor/Harbor.ts',
+    '**/registries/providers/nexus/Nexus.ts',
+    '**/registries/providers/trueforge/Trueforge.ts',
+    '**/api/container/query-values.ts',
+    '**/api/container/sorting.ts',
+    '**/api/container/update-age.ts',
+    '**/test/mock-factories.ts',
+    '**/*.test.helpers.ts',
+    'vitest.config.ts',
+    'vitest.coverage-provider.ts',
+  ],
+  thresholds: {
+    lines: 100,
+    branches: 100,
+    functions: 100,
+    statements: 100,
+  },
+};
+
 export default defineConfig({
   test: {
     globals: true,
     environment: 'node',
     // Coverage writes can race with clean-up; keep file execution serial.
     fileParallelism: false,
-    exclude: ['**/node_modules/**', '**/dist/**'],
+    exclude: ['**/node_modules/**', '**/dist/**', '**/.stryker-tmp/**'],
     server: {
       deps: {
         inline: ['openid-client', 'oauth4webapi', 'jose'],
       },
     },
-    coverage: {
-      // Use v8 coverage with a small wrapper that avoids a Vitest temp-dir race.
-      provider: 'custom',
-      customProviderModule: './vitest.coverage-provider.ts',
-      reporter: ['text', 'lcov', 'html'],
-      include: ['**/*.{js,ts}'],
-      exclude: [
-        '**/node_modules/**',
-        '**/dist/**',
-        '**/coverage/**',
-        '**/package.json',
-        '**/*.d.ts',
-        '**/*.typecheck.ts',
-        'vitest.config.ts',
-        'vitest.coverage-provider.ts',
-      ],
-      thresholds: {
-        lines: 100,
-        branches: 100,
-        functions: 100,
-        statements: 100,
-      },
-    } as any,
+    coverage: coverageConfig,
   },
 });
diff --git a/app/vitest.coverage-provider.test.ts b/app/vitest.coverage-provider.test.ts
index 47104ed0d..1b38f68f4 100644
--- a/app/vitest.coverage-provider.test.ts
+++ b/app/vitest.coverage-provider.test.ts
@@ -1,6 +1,8 @@
-const { getProviderMock, readFileMock } = vi.hoisted(() => ({
+const { getProviderMock, readFileMock, mkdirMock, writeFileMock } = vi.hoisted(() => ({
   getProviderMock: vi.fn(),
   readFileMock: vi.fn(),
+  mkdirMock: vi.fn(),
+  writeFileMock: vi.fn(),
 }));
 
 vi.mock('@vitest/coverage-v8', () => ({
@@ -11,11 +13,14 @@ vi.mock('@vitest/coverage-v8', () => ({
 
 vi.mock('node:fs/promises', () => ({
   readFile: readFileMock,
+  mkdir: mkdirMock,
+  writeFile: writeFileMock,
 }));
 
 describe('vitest coverage provider', () => {
   beforeEach(() => {
     vi.clearAllMocks();
+    vi.resetModules();
   });
 
   test('should reset debug read progress per environment', async () => {
@@ -66,4 +71,168 @@ describe('vitest coverage provider', () => {
     expect(onFinished).toHaveBeenNthCalledWith(2, project, 'browser');
     expect(onFileRead).toHaveBeenCalledTimes(2);
   });
+
+  test('should retry coverage file writes when the temp directory disappears', async () => {
+    writeFileMock
+      .mockRejectedValueOnce(Object.assign(new Error('missing directory'), { code: 'ENOENT' }))
+      .mockResolvedValueOnce(undefined);
+    mkdirMock.mockResolvedValue(undefined);
+
+    getProviderMock.mockResolvedValue({
+      pendingPromises: [],
+      coverageFiles: new Map(),
+      coverageFilesDirectory: '/tmp/coverage/.tmp',
+      ctx: {
+        getProjectByName: vi.fn(),
+      },
+      options: {
+        processingConcurrency: 1,
+      },
+      toSlices: (filenames: string[]) => filenames.map((filename) => [filename]),
+    });
+
+    const coverageProvider = await import('./vitest.coverage-provider.js');
+    const provider = await coverageProvider.default.getProvider();
+
+    provider.onAfterSuiteRun({
+      coverage: { result: [] },
+      environment: 'node',
+      projectName: '',
+      testFiles: ['suite.test.ts'],
+    });
+
+    await Promise.all(provider.pendingPromises);
+
+    expect(mkdirMock).toHaveBeenCalledWith(
+      expect.stringMatching(/^\/tmp\/coverage\/\.tmp-\d+-\d+-[a-f0-9]+$/),
+      { recursive: true },
+    );
+    expect(writeFileMock).toHaveBeenCalledTimes(2);
+    expect(writeFileMock).toHaveBeenCalledWith(
+      expect.stringMatching(/^\/tmp\/coverage\/\.tmp-\d+-\d+-[a-f0-9]+\/coverage-\d+\.json$/),
+      JSON.stringify({ result: [] }),
+      'utf-8',
+    );
+    const projectEntry = provider.coverageFiles.get(Symbol.for('default-project'));
+    expect(projectEntry?.node?.['suite.test.ts']).toEqual(
+      expect.stringMatching(/^\/tmp\/coverage\/\.tmp-\d+-\d+-[a-f0-9]+\/coverage-\d+\.json$/),
+    );
+  });
+
+  test('should isolate coverage temp files per provider instance', async () => {
+    getProviderMock.mockResolvedValue({
+      pendingPromises: [],
+      coverageFiles: new Map(),
+      coverageFilesDirectory: '/tmp/coverage/.tmp',
+      ctx: {
+        getProjectByName: vi.fn(),
+      },
+      options: {
+        reportsDirectory: '/tmp/coverage',
+        processingConcurrency: 1,
+      },
+      toSlices: (filenames: string[]) => filenames.map((filename) => [filename]),
+    });
+
+    const coverageProvider = await import('./vitest.coverage-provider.js');
+    const provider = await coverageProvider.default.getProvider();
+
+    expect(provider.coverageFilesDirectory).toEqual(
+      expect.stringMatching(/^\/tmp\/coverage\/\.tmp-\d+-\d+-[a-f0-9]+$/),
+    );
+  });
+
+  test('should isolate coverage temp files even when reportsDirectory is unset', async () => {
+    getProviderMock.mockResolvedValue({
+      pendingPromises: [],
+      coverageFiles: new Map(),
+      coverageFilesDirectory: '/tmp/coverage/.tmp',
+      ctx: {
+        getProjectByName: vi.fn(),
+      },
+      options: {
+        processingConcurrency: 1,
+      },
+      toSlices: (filenames: string[]) => filenames.map((filename) => [filename]),
+    });
+
+    const coverageProvider = await import('./vitest.coverage-provider.js');
+    const provider = await coverageProvider.default.getProvider();
+
+    expect(provider.coverageFilesDirectory).toEqual(
+      expect.stringMatching(/^\/tmp\/coverage\/\.tmp-\d+-\d+-[a-f0-9]+$/),
+    );
+  });
+
+  test('should read coverage from in-memory fallback when temp file disappears', async () => {
+    writeFileMock.mockResolvedValue(undefined);
+    mkdirMock.mockResolvedValue(undefined);
+    readFileMock.mockRejectedValue(Object.assign(new Error('ENOENT'), { code: 'ENOENT' }));
+
+    const project = { name: 'app' };
+    const onFinished = vi.fn(async () => {});
+    const onFileRead = vi.fn();
+    const onDebug = (() => {}) as ((message: string) => void) & { enabled?: boolean };
+
+    getProviderMock.mockResolvedValue({
+      pendingPromises: [],
+      coverageFiles: new Map(),
+      coverageFilesDirectory: '/tmp/coverage/.tmp',
+      ctx: {
+        getProjectByName: vi.fn(() => project),
+      },
+      options: {
+        processingConcurrency: 1,
+      },
+      toSlices: (filenames: string[]) => filenames.map((filename) => [filename]),
+    });
+
+    const coverageProvider = await import('./vitest.coverage-provider.js');
+    const provider = await coverageProvider.default.getProvider();
+
+    provider.onAfterSuiteRun({
+      coverage: { result: [{ url: 'file:///app.ts' }] },
+      environment: 'node',
+      projectName: 'app',
+      testFiles: ['app.test.ts'],
+    });
+
+    await Promise.all(provider.pendingPromises);
+
+    await provider.readCoverageFiles({ onFileRead, onFinished, onDebug });
+
+    expect(onFileRead).toHaveBeenCalledWith({ result: [{ url: 'file:///app.ts' }] });
+    expect(readFileMock).not.toHaveBeenCalled();
+    expect(onFinished).toHaveBeenCalledWith(project, 'node');
+  });
+
+  test('clean should re-isolate the temp directory before delegating to the base provider', async () => {
+    const cleanMock = vi.fn(async () => {});
+    getProviderMock.mockResolvedValue({
+      pendingPromises: [],
+      coverageFiles: new Map(),
+      coverageFilesDirectory: '/tmp/coverage/.tmp',
+      clean: cleanMock,
+      ctx: {
+        getProjectByName: vi.fn(),
+      },
+      options: {
+        reportsDirectory: '/tmp/coverage',
+        processingConcurrency: 1,
+      },
+      toSlices: (filenames: string[]) => filenames.map((filename) => [filename]),
+    });
+
+    const coverageProvider = await import('./vitest.coverage-provider.js');
+    const provider = await coverageProvider.default.getProvider();
+    const firstCoverageDirectory = provider.coverageFilesDirectory;
+
+    await provider.clean(true);
+
+    expect(cleanMock).toHaveBeenCalledWith(true);
+    expect(provider.coverageFilesDirectory).not.toBe(firstCoverageDirectory);
+    expect(provider.coverageFilesDirectory).toEqual(
+      expect.stringMatching(/^\/tmp\/coverage\/\.tmp-\d+-\d+-[a-f0-9]+$/),
+    );
+  });
 });
diff --git a/app/vitest.coverage-provider.ts b/app/vitest.coverage-provider.ts
index 38d070e5f..b97d32bfd 100644
--- a/app/vitest.coverage-provider.ts
+++ b/app/vitest.coverage-provider.ts
@@ -1,15 +1,28 @@
-import { readFile } from 'node:fs/promises';
+import { mkdir, readFile, writeFile } from 'node:fs/promises';
+import { dirname, resolve } from 'node:path';
 
 import v8CoverageModule from '@vitest/coverage-v8';
 
 const COVERAGE_READ_RETRY_DELAY_MS = 15;
 const COVERAGE_READ_RETRY_MAX_ATTEMPTS = 40;
+const COVERAGE_WRITE_SETTLE_DELAY_MS = 5;
+const COVERAGE_WRITE_SETTLE_IDLE_WINDOW_MS = 50;
+const COVERAGE_WRITE_RETRY_DELAY_MS = 15;
+const COVERAGE_WRITE_RETRY_MAX_ATTEMPTS = 40;
+const DEFAULT_PROJECT = Symbol.for('default-project');
+
+let coverageWriteSequence = 0;
 
 const sleep = (durationMs: number): Promise<void> =>
   new Promise((resolve) => {
     setTimeout(resolve, durationMs);
   });
 
+// In-memory fallback for coverage data. If the temp file disappears before the
+// read phase (e.g. OS tmpdir cleanup, vitest internal clean-up race), the data
+// is still available here.  Keyed by the same filename used on disk.
+const coveragePayloads = new Map<string, string>();
+
 async function readCoverageFileWithRetry(filename: string): Promise<string> {
   for (let attempt = 1; attempt <= COVERAGE_READ_RETRY_MAX_ATTEMPTS; attempt += 1) {
     try {
@@ -25,10 +38,112 @@ async function readCoverageFileWithRetry(filename: string): Promise<string> {
   throw new Error(`Unable to read coverage file "${filename}"`);
 }
 
+async function writeCoverageFileWithRetry(filename: string, content: string): Promise<void> {
+  for (let attempt = 1; attempt <= COVERAGE_WRITE_RETRY_MAX_ATTEMPTS; attempt += 1) {
+    try {
+      await mkdir(dirname(filename), { recursive: true });
+      await writeFile(filename, content, 'utf-8');
+      return;
+    } catch (error) {
+      const isMissingCoverageDirectory = (error as NodeJS.ErrnoException)?.code === 'ENOENT';
+      if (!isMissingCoverageDirectory || attempt === COVERAGE_WRITE_RETRY_MAX_ATTEMPTS) {
+        throw error;
+      }
+      await sleep(COVERAGE_WRITE_RETRY_DELAY_MS);
+    }
+  }
+  throw new Error(`Unable to write coverage file "${filename}"`);
+}
+
 const coverageProviderModule = {
   ...v8CoverageModule,
   async getProvider() {
     const provider = (await v8CoverageModule.getProvider()) as any;
+    const writeErrors: unknown[] = [];
+    const resolveReportsDirectory = (): string | undefined => {
+      const configuredReportsDirectory = provider.options?.reportsDirectory;
+      const fallbackReportsDirectory =
+        typeof provider.coverageFilesDirectory === 'string' &&
+        provider.coverageFilesDirectory.length > 0
+          ? dirname(provider.coverageFilesDirectory)
+          : undefined;
+      return typeof configuredReportsDirectory === 'string' && configuredReportsDirectory.length > 0
+        ? configuredReportsDirectory
+        : fallbackReportsDirectory;
+    };
+
+    const assignIsolatedCoverageDirectory = () => {
+      const reportsDirectory = resolveReportsDirectory();
+      if (typeof reportsDirectory !== 'string' || reportsDirectory.length === 0) {
+        return;
+      }
+
+      const uniqueCoverageTmpDirectory = `.tmp-${process.pid}-${Date.now()}-${Math.random()
+        .toString(16)
+        .slice(2)}`;
+      provider.coverageFilesDirectory = resolve(reportsDirectory, uniqueCoverageTmpDirectory);
+    };
+
+    assignIsolatedCoverageDirectory();
+
+    const originalClean =
+      typeof provider.clean === 'function' ? provider.clean.bind(provider) : undefined;
+    provider.clean = async (clean = true) => {
+      assignIsolatedCoverageDirectory();
+      writeErrors.length = 0;
+      coveragePayloads.clear();
+
+      if (originalClean) {
+        await originalClean(clean);
+        return;
+      }
+
+      if (typeof provider.coverageFilesDirectory === 'string') {
+        await mkdir(provider.coverageFilesDirectory, { recursive: true });
+      }
+      provider.coverageFiles = new Map();
+      provider.pendingPromises = [];
+    };
+
+    provider.onAfterSuiteRun = ({
+      coverage,
+      environment,
+      projectName,
+      testFiles,
+    }: {
+      coverage?: unknown;
+      environment: string;
+      projectName?: string;
+      testFiles: string[];
+    }) => {
+      if (!coverage) {
+        return;
+      }
+
+      const resolvedProject = projectName || DEFAULT_PROJECT;
+      let coverageByProject = provider.coverageFiles.get(resolvedProject);
+      if (!coverageByProject) {
+        coverageByProject = {};
+        provider.coverageFiles.set(resolvedProject, coverageByProject);
+      }
+
+      const testFileKey = testFiles.join();
+      const filename = resolve(
+        provider.coverageFilesDirectory,
+        `coverage-${coverageWriteSequence++}.json`,
+      );
+      coverageByProject[environment] ??= {};
+      coverageByProject[environment][testFileKey] = filename;
+
+      const json = JSON.stringify(coverage);
+      coveragePayloads.set(filename, json);
+
+      // Attach a catch handler immediately to avoid unhandled rejections from async writes.
+      const pendingWrite = writeCoverageFileWithRetry(filename, json).catch((error: unknown) => {
+        writeErrors.push(error);
+      });
+      provider.pendingPromises.push(pendingWrite);
+    };
 
     provider.readCoverageFiles = async ({
       onFileRead,
@@ -40,14 +155,28 @@ const coverageProviderModule = {
       onDebug: ((message: string) => void) & { enabled?: boolean };
     }) => {
       const waitForPendingWrites = async () => {
-        while (provider.pendingPromises.length > 0) {
-          const pendingWrites = provider.pendingPromises;
-          provider.pendingPromises = [];
-          await Promise.all(pendingWrites);
+        let idleDurationMs = 0;
+        while (idleDurationMs < COVERAGE_WRITE_SETTLE_IDLE_WINDOW_MS) {
+          while (provider.pendingPromises.length > 0) {
+            const pendingWrites = provider.pendingPromises;
+            provider.pendingPromises = [];
+            await Promise.all(pendingWrites);
+            idleDurationMs = 0;
+          }
+
+          await sleep(COVERAGE_WRITE_SETTLE_DELAY_MS);
+          if (provider.pendingPromises.length === 0) {
+            idleDurationMs += COVERAGE_WRITE_SETTLE_DELAY_MS;
+          } else {
+            idleDurationMs = 0;
+          }
         }
       };
 
       await waitForPendingWrites();
+      if (writeErrors.length > 0) {
+        throw writeErrors[0];
+      }
 
       for (const [projectName, coveragePerProject] of provider.coverageFiles.entries()) {
         for (const [environment, coverageByTestfiles] of Object.entries(coveragePerProject)) {
@@ -65,7 +194,10 @@ const coverageProviderModule = {
             }
             await Promise.all(
               chunk.map(async (filename: string) => {
-                const contents = await readCoverageFileWithRetry(filename);
+                let contents: string | undefined = coveragePayloads.get(filename);
+                if (contents === undefined) {
+                  contents = await readCoverageFileWithRetry(filename);
+                }
                 onFileRead(JSON.parse(contents));
               }),
             );
diff --git a/app/watchers/Watcher.test.ts b/app/watchers/Watcher.test.ts
index c7618deb8..d5ffc1bcf 100644
--- a/app/watchers/Watcher.test.ts
+++ b/app/watchers/Watcher.test.ts
@@ -72,3 +72,15 @@ test('maskConfiguration should return passed configuration when provided', () =>
   const config = { token: 'secret' };
   expect(watcher.maskConfiguration(config)).toStrictEqual(config);
 });
+
+test('getMetadata should return lastRunAt as undefined when no watch has occurred', () => {
+  const watcher = new ConcreteWatcher();
+  expect(watcher.getMetadata()).toStrictEqual({ lastRunAt: undefined });
+});
+
+test('getMetadata should return lastRunAt when set', () => {
+  const watcher = new ConcreteWatcher();
+  const now = '2026-03-20T12:00:00.000Z';
+  watcher.lastRunAt = now;
+  expect(watcher.getMetadata()).toStrictEqual({ lastRunAt: now });
+});
diff --git a/app/watchers/Watcher.ts b/app/watchers/Watcher.ts
index 1a4ab483a..61e6da2f4 100644
--- a/app/watchers/Watcher.ts
+++ b/app/watchers/Watcher.ts
@@ -6,21 +6,28 @@ import Component from '../registry/Component.js';
  */
 abstract class Watcher extends Component {
   dockerApi?: unknown;
+  lastRunAt?: string;
 
   protected constructor() {
     super();
   }
 
+  getMetadata(): Record<string, unknown> {
+    return {
+      lastRunAt: this.lastRunAt,
+    };
+  }
+
   /**
    * Watch main method.
-   * @returns {Promise<any[]>}
+   * @returns {Promise<ContainerReport[]>}
    */
   abstract watch(): Promise<ContainerReport[]>;
 
   /**
    * Watch a Container.
    * @param container
-   * @returns {Promise<any>}
+   * @returns {Promise<ContainerReport>}
    */
   abstract watchContainer(container: Container): Promise<ContainerReport>;
 }
diff --git a/app/watchers/providers/docker/Docker.containers.additional-coverage-core.test.ts b/app/watchers/providers/docker/Docker.containers.additional-coverage-core.test.ts
new file mode 100644
index 000000000..8cc90bf5b
--- /dev/null
+++ b/app/watchers/providers/docker/Docker.containers.additional-coverage-core.test.ts
@@ -0,0 +1,655 @@
+const mockDdEnvVars = vi.hoisted(() => ({}) as Record<string, string | undefined>);
+const mockDetectSourceRepoFromImageMetadata = vi.hoisted(() => vi.fn());
+const mockResolveSourceRepoForContainer = vi.hoisted(() => vi.fn());
+const mockGetFullReleaseNotesForContainer = vi.hoisted(() => vi.fn());
+const mockToContainerReleaseNotes = vi.hoisted(() => vi.fn((notes: unknown) => notes));
+vi.mock('../../../configuration/index.js', async (importOriginal) => ({
+  ...(await importOriginal<typeof import('../../../configuration/index.js')>()),
+  ddEnvVars: mockDdEnvVars,
+}));
+vi.mock('../../../release-notes/index.js', () => ({
+  detectSourceRepoFromImageMetadata: (...args: unknown[]) =>
+    mockDetectSourceRepoFromImageMetadata(...args),
+  resolveSourceRepoForContainer: (...args: unknown[]) => mockResolveSourceRepoForContainer(...args),
+  getFullReleaseNotesForContainer: (...args: unknown[]) =>
+    mockGetFullReleaseNotesForContainer(...args),
+  toContainerReleaseNotes: (...args: unknown[]) => mockToContainerReleaseNotes(...args),
+}));
+vi.mock('dockerode');
+vi.mock('node-cron');
+vi.mock('just-debounce');
+vi.mock('../../../event');
+vi.mock('../../../store/container');
+vi.mock('../../../model/container');
+vi.mock('../../../prometheus/watcher');
+vi.mock('node:fs');
+vi.mock('axios');
+vi.mock('./maintenance.js', () => ({
+  isInMaintenanceWindow: vi.fn(() => true),
+  getNextMaintenanceWindow: vi.fn(() => undefined),
+}));
+
+import {
+  createHarborHubRegistryState,
+  createMockLog,
+  setupContainerDetailTest,
+  setupDockerWatcherContainerSuite,
+} from './Docker.containers.test.helpers.js';
+import {
+  testable_getImageReferenceCandidatesFromPattern,
+  testable_getImgsetSpecificity,
+} from './Docker.js';
+
+describe('Docker Watcher', () => {
+  let docker;
+  let mockDockerApi;
+  let mockSchedule;
+  let mockContainer;
+  let mockImage;
+  // Helper-scoped mock references (populated in beforeEach)
+  let hRegistry: any;
+  let hMockTag: any;
+  let hMockParse: any;
+
+  setupDockerWatcherContainerSuite((state) => {
+    docker = state.docker;
+    mockDockerApi = state.mockDockerApi;
+    mockSchedule = state.mockSchedule;
+    mockContainer = state.mockContainer;
+    mockImage = state.mockImage;
+  });
+
+  beforeEach(async () => {
+    // Dynamic imports get the mocked module instances that the helpers' vi.mock
+    // created. These are the same instances that production code sees.
+    hRegistry = await import('../../../registry/index.js');
+    hMockTag = await import('../../../tag/index.js');
+    hMockParse = (await import('parse-docker-image-name')).default;
+  });
+
+  /** Set registry state on the helper-scoped mock (used by production code). */
+  function setRegistryState(state: Record<string, unknown>) {
+    const value = { registry: state };
+    hRegistry.getState.mockReturnValue(value);
+  }
+
+  describe('Additional Coverage - safeRegExp', () => {
+    test('should warn when includeTags regex is invalid', async () => {
+      const container = {
+        includeTags: '[invalid',
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0', semver: true },
+          digest: { watch: false },
+        },
+      };
+      setRegistryState({ hub: { getTags: vi.fn().mockResolvedValue(['1.0.0', '2.0.0']) } });
+      const logChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+      const result = await docker.findNewVersion(container, logChild);
+      expect(logChild.warn).toHaveBeenCalledWith(expect.stringContaining('Invalid regex pattern'));
+      expect(result.tag).toBe('1.0.0');
+    });
+
+    test('should warn when excludeTags regex is invalid', async () => {
+      const container = {
+        excludeTags: '(unclosed',
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0', semver: true },
+          digest: { watch: false },
+        },
+      };
+      setRegistryState({ hub: { getTags: vi.fn().mockResolvedValue(['1.0.0', '2.0.0']) } });
+      hMockTag.isGreater.mockReturnValue(true);
+      const logChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+      await docker.findNewVersion(container, logChild);
+      expect(logChild.warn).toHaveBeenCalledWith(expect.stringContaining('Invalid regex pattern'));
+    });
+  });
+
+  describe('Additional Coverage - filterByCurrentPrefix', () => {
+    test('should warn when no tags match prefix', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: 'v1.0.0', semver: true },
+          digest: { watch: false },
+        },
+      };
+      setRegistryState({ hub: { getTags: vi.fn().mockResolvedValue(['2.0.0']) } });
+      const logChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+      await docker.findNewVersion(container, logChild);
+      expect(logChild.warn).toHaveBeenCalledWith(
+        expect.stringContaining('No tags found with existing prefix'),
+      );
+    });
+
+    test('should warn when no tags start with a number', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0', semver: true },
+          digest: { watch: false },
+        },
+      };
+      setRegistryState({ hub: { getTags: vi.fn().mockResolvedValue(['latest', 'stable']) } });
+      const logChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+      await docker.findNewVersion(container, logChild);
+      expect(logChild.warn).toHaveBeenCalledWith(
+        expect.stringContaining('No tags found starting with a number'),
+      );
+    });
+  });
+
+  describe('Digest-only images skip version comparison', () => {
+    test('should skip version check when tag is sha256 digest', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: 'sha256:abc123def456', semver: false },
+          digest: { watch: false },
+        },
+      };
+      setRegistryState({ hub: { getTags: vi.fn().mockResolvedValue([]) } });
+      const logChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+      const result = await docker.findNewVersion(container, logChild);
+      expect(result.tag).toBe('sha256:abc123def456');
+      expect(result.noUpdateReason).toBe('Running by digest — no tag to compare');
+      expect(logChild.debug).toHaveBeenCalledWith(
+        'Digest-only image — no tag available for version comparison',
+      );
+    });
+
+    test('should skip version check when tag is unknown', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: 'unknown', semver: false },
+          digest: { watch: false },
+        },
+      };
+      setRegistryState({ hub: { getTags: vi.fn().mockResolvedValue([]) } });
+      const logChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+      const result = await docker.findNewVersion(container, logChild);
+      expect(result.tag).toBe('unknown');
+      expect(result.noUpdateReason).toBe('Running by digest — no tag to compare');
+    });
+  });
+
+  describe('Additional Coverage - getTagCandidates empty', () => {
+    test('should warn when no tags after include filter', async () => {
+      const container = {
+        includeTags: '^nonexistent$',
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0', semver: true },
+          digest: { watch: false },
+        },
+      };
+      setRegistryState({ hub: { getTags: vi.fn().mockResolvedValue(['1.0.0', '2.0.0']) } });
+      const logChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+      await docker.findNewVersion(container, logChild);
+      expect(logChild.warn).toHaveBeenCalledWith(
+        expect.stringContaining('No tags found after filtering'),
+      );
+    });
+  });
+
+  describe('Additional Coverage - getSwarmServiceLabels', () => {
+    test('should return empty when getService is not a function', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLog(['debug', 'warn', 'info']);
+      docker.dockerApi.getService = 'not-a-function';
+      expect(await docker.getSwarmServiceLabels('svc1', 'c1')).toEqual({});
+      expect(docker.log.debug).toHaveBeenCalledWith(
+        expect.stringContaining('does not support getService'),
+      );
+    });
+
+    test('should log debug when service has no labels', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLog(['debug', 'warn', 'info']);
+      mockDockerApi.getService.mockReturnValue({
+        inspect: vi.fn().mockResolvedValue({ Spec: {} }),
+      });
+      expect(await docker.getSwarmServiceLabels('svc1', 'c1')).toEqual({});
+      expect(docker.log.debug).toHaveBeenCalledWith(expect.stringContaining('has no labels'));
+    });
+
+    test('should log dd/wud label summary as none when labels are present but none are dd/wud', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLog(['debug', 'warn', 'info']);
+      mockDockerApi.getService.mockReturnValue({
+        inspect: vi.fn().mockResolvedValue({
+          Spec: {
+            Labels: { team: 'ops' },
+            TaskTemplate: {
+              ContainerSpec: {
+                Labels: { env: 'prod' },
+              },
+            },
+          },
+        }),
+      });
+
+      const labels = await docker.getSwarmServiceLabels('svc1', 'c1');
+
+      expect(labels).toEqual({ team: 'ops', env: 'prod' });
+      expect(docker.log.debug).toHaveBeenCalledWith(expect.stringContaining('deploy labels=none'));
+    });
+
+    test('getEffectiveContainerLabels should fallback to empty container labels object', async () => {
+      const labels = await docker.getEffectiveContainerLabels({}, new Map());
+      expect(labels).toEqual({});
+    });
+
+    test('getEffectiveContainerLabels should merge container labels when cached service labels are undefined', async () => {
+      const serviceId = 'svc-1';
+      const serviceLabelsCache = new Map([[serviceId, Promise.resolve(undefined as any)]]);
+
+      const labels = await docker.getEffectiveContainerLabels(
+        {
+          Id: 'container-1',
+          Labels: {
+            'com.docker.swarm.service.id': serviceId,
+            'dd.watch': 'true',
+          },
+        },
+        serviceLabelsCache,
+      );
+
+      expect(labels).toEqual({
+        'com.docker.swarm.service.id': serviceId,
+        'dd.watch': 'true',
+      });
+    });
+  });
+
+  describe('Additional Coverage - getMatchingImgsetConfiguration', () => {
+    test('should return undefined when no imgset configured', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      expect(
+        docker.getMatchingImgsetConfiguration({ path: 'library/nginx', domain: 'docker.io' }),
+      ).toBeUndefined();
+    });
+
+    test('should break ties by alphabetical name', async () => {
+      await docker.register('watcher', 'docker', 'test', {
+        imgset: {
+          zebra: { image: 'library/nginx', display: { name: 'Z' } },
+          alpha: { image: 'library/nginx', display: { name: 'A' } },
+        },
+      });
+      const parseImpl = (v) =>
+        v === 'library/nginx'
+          ? { path: 'library/nginx' }
+          : { domain: 'docker.io', path: 'library/nginx', tag: '1.0.0' };
+      hMockParse.mockImplementation(parseImpl);
+      hMockParse.mockImplementation(parseImpl);
+      const result = docker.getMatchingImgsetConfiguration({
+        path: 'library/nginx',
+        domain: 'docker.io',
+      });
+      expect(result).toBeDefined();
+      expect(result.name).toBe('alpha');
+    });
+
+    test('should keep first match when later candidate is not better', async () => {
+      await docker.register('watcher', 'docker', 'test', {
+        imgset: {
+          alpha: { image: 'library/nginx' },
+          zebra: { image: 'library/nginx' },
+        },
+      });
+
+      const result = docker.getMatchingImgsetConfiguration({
+        path: 'library/nginx',
+        domain: 'docker.io',
+      });
+
+      expect(result).toBeDefined();
+      expect(result.name).toBe('alpha');
+    });
+  });
+
+  describe('Additional Coverage - safeRegExp max length', () => {
+    test('should warn when regex pattern exceeds max length', async () => {
+      const longPattern = 'a'.repeat(1025);
+      const container = {
+        includeTags: longPattern,
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0', semver: true },
+          digest: { watch: false },
+        },
+      };
+      setRegistryState({ hub: { getTags: vi.fn().mockResolvedValue(['1.0.0', '2.0.0']) } });
+      hMockTag.isGreater.mockReturnValue(true);
+      const logChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+      await docker.findNewVersion(container, logChild);
+      expect(logChild.warn).toHaveBeenCalledWith(expect.stringContaining('exceeds maximum length'));
+    });
+
+    test('should warn when exclude regex exceeds max length', async () => {
+      const longPattern = 'b'.repeat(1025);
+      const container = {
+        excludeTags: longPattern,
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0', semver: true },
+          digest: { watch: false },
+        },
+      };
+      setRegistryState({ hub: { getTags: vi.fn().mockResolvedValue(['1.0.0', '2.0.0']) } });
+      hMockTag.isGreater.mockReturnValue(true);
+      const logChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+      await docker.findNewVersion(container, logChild);
+      expect(logChild.warn).toHaveBeenCalledWith(expect.stringContaining('exceeds maximum length'));
+    });
+  });
+
+  describe('Additional Coverage - filterBySegmentCount no numeric part', () => {
+    test('should return all tags when current tag has no numeric part', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: 'latest', semver: true },
+          digest: { watch: false },
+        },
+        includeTags: '.*',
+      };
+      setRegistryState({
+        hub: { getTags: vi.fn().mockResolvedValue(['latest', 'stable', '1.0.0']) },
+      });
+      hMockTag.transform.mockImplementation((_transform, tag) =>
+        tag === 'latest' ? 'nonnumeric' : tag,
+      );
+      hMockTag.parse.mockReturnValue({ major: 1, minor: 0, patch: 0 });
+      hMockTag.isGreater.mockReturnValue(true);
+      const logChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+      await docker.findNewVersion(container, logChild);
+      expect(logChild.error).not.toHaveBeenCalled();
+    });
+  });
+
+  describe('Additional Coverage - normalizeContainer no registry', () => {
+    test('should set registry name to unknown when no registry provider found', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: { Image: 'custom.registry/myimage:1.0.0', Names: ['/myimage'] },
+        parsedImage: { domain: 'custom.registry', path: 'myimage', tag: '1.0.0' },
+        registryState: {},
+      });
+      const result = await docker.addImageDetailsToContainer(container);
+      expect(result.image.registry.name).toBe('unknown');
+    });
+  });
+
+  describe('Additional Coverage - v1 manifest digest uses repo digest', () => {
+    test('should set digest value from repo digest for v1 manifests', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      const container = {
+        image: {
+          id: 'image123',
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0' },
+          digest: { watch: true, repo: 'sha256:abc123' },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.0.0']),
+        getImageManifestDigest: vi.fn().mockResolvedValue({
+          digest: 'sha256:def456',
+          created: '2023-01-01',
+          version: 1,
+        }),
+      };
+      setRegistryState({ hub: mockRegistry });
+      const mockLogChild = { error: vi.fn() };
+
+      await docker.findNewVersion(container, mockLogChild);
+
+      expect(container.image.digest.value).toBe('sha256:abc123');
+    });
+
+    test('should set digest value to undefined when repo digest is missing', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      const container = {
+        image: {
+          id: 'image123',
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0' },
+          digest: { watch: true, repo: undefined },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.0.0']),
+        getImageManifestDigest: vi.fn().mockResolvedValue({
+          digest: 'sha256:def456',
+          created: '2023-01-01',
+          version: 1,
+        }),
+      };
+      setRegistryState({ hub: mockRegistry });
+      const mockLogChild = { error: vi.fn() };
+
+      await docker.findNewVersion(container, mockLogChild);
+
+      expect(container.image.digest.value).toBeUndefined();
+    });
+  });
+
+  describe('Additional Coverage - getMatchingImgsetConfiguration with no image pattern', () => {
+    test('should skip imgset entries without image/match key', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.configuration.imgset = {
+        noimage: { display: { name: 'No Image Entry' } },
+      };
+      const result = docker.getMatchingImgsetConfiguration({
+        path: 'library/nginx',
+        domain: 'docker.io',
+      });
+      expect(result).toBeUndefined();
+    });
+  });
+
+  describe('Additional Coverage - getSwarmServiceLabels with dd labels', () => {
+    test('should log debug with dd label names from service', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      const logMock = createMockLog(['debug', 'warn', 'info']);
+      docker.log = logMock;
+      mockDockerApi.getService.mockReturnValue({
+        inspect: vi.fn().mockResolvedValue({
+          Spec: {
+            Labels: { 'dd.watch': 'true', 'dd.tag.include': '^v' },
+            TaskTemplate: { ContainerSpec: { Labels: { 'wud.display.name': 'Test' } } },
+          },
+        }),
+      });
+      const labels = await docker.getSwarmServiceLabels('svc1', 'c1');
+      expect(labels['dd.watch']).toBe('true');
+      expect(labels['wud.display.name']).toBe('Test');
+      expect(logMock.debug).toHaveBeenCalledWith(
+        expect.stringContaining('deploy labels=dd.watch,dd.tag.include'),
+      );
+    });
+  });
+
+  describe('Additional Coverage - getImageForRegistryLookup branches', () => {
+    test('should handle lookup image as hostname only (no slash)', async () => {
+      const harborHubState = createHarborHubRegistryState();
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'myimage:1.0.0',
+          Names: ['/myimage'],
+          Labels: { 'dd.registry.lookup.image': 'myregistry.example.com' },
+        },
+        imageDetails: { RepoDigests: ['myimage@sha256:abc123'] },
+        parsedImage: { domain: undefined, path: 'library/myimage', tag: '1.0.0' },
+        parseImpl: (value) => {
+          if (value === 'myimage:1.0.0')
+            return { domain: undefined, path: 'library/myimage', tag: '1.0.0' };
+          if (value === 'myregistry.example.com')
+            return { path: 'myregistry.example.com', domain: undefined };
+          return { domain: undefined, path: value };
+        },
+        registryState: harborHubState,
+      });
+      const result = await docker.addImageDetailsToContainer(container);
+      expect(result).toBeDefined();
+    });
+
+    test('should handle lookup image with empty parsed path', async () => {
+      const harborHubState = createHarborHubRegistryState();
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'myimage:1.0.0',
+          Names: ['/myimage'],
+          Labels: { 'dd.registry.lookup.image': 'something' },
+        },
+        imageDetails: { RepoDigests: ['myimage@sha256:abc123'] },
+        parseImpl: (value) => {
+          if (value === 'myimage:1.0.0')
+            return { domain: undefined, path: 'library/myimage', tag: '1.0.0' };
+          if (value === 'something') return { path: undefined, domain: undefined };
+          return { domain: undefined, path: value };
+        },
+        registryState: harborHubState,
+      });
+      const result = await docker.addImageDetailsToContainer(container);
+      expect(result).toBeDefined();
+    });
+  });
+
+  describe('Additional Coverage - Docker Hub digest watch warning', () => {
+    test('should warn about throttling when watching digest on Docker Hub with explicit label', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'docker.io/library/nginx:latest',
+          Names: ['/nginx'],
+          Labels: { 'dd.watch.digest': 'true' },
+        },
+        imageDetails: { RepoDigests: ['nginx@sha256:abc123'] },
+        parsedImage: { domain: 'docker.io', path: 'library/nginx', tag: 'latest' },
+        semverValue: null,
+      });
+      const result = await docker.addImageDetailsToContainer(container);
+      expect(result.image.digest.watch).toBe(true);
+    });
+  });
+
+  describe('Additional Coverage - inspectTagPath edge cases', () => {
+    test('should handle inspect path returning empty string value', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'ghcr.io/example/service:latest',
+          Names: ['/service'],
+          Labels: { 'dd.inspect.tag.path': 'Config/Labels/version' },
+        },
+        imageDetails: { Config: { Labels: { version: '   ' } } },
+        parsedImage: { domain: 'ghcr.io', path: 'example/service', tag: 'latest' },
+        semverValue: null,
+      });
+      hMockTag.transform.mockImplementation((_transform, value) => value);
+      hMockTag.transform.mockImplementation((_transform, value) => value);
+      const result = await docker.addImageDetailsToContainer(container);
+      expect(result.image.tag.value).toBe('latest');
+    });
+
+    test('should handle inspect path with null intermediate value', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'ghcr.io/example/service:latest',
+          Names: ['/service'],
+          Labels: { 'dd.inspect.tag.path': 'Config/NonExistent/deep' },
+        },
+        imageDetails: { Config: {} },
+        parsedImage: { domain: 'ghcr.io', path: 'example/service', tag: 'latest' },
+        semverValue: null,
+      });
+      const result = await docker.addImageDetailsToContainer(container);
+      expect(result.image.tag.value).toBe('latest');
+    });
+
+    test('should default to latest when parsed image tag is missing', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'ghcr.io/example/service',
+          Names: ['/service'],
+          Labels: {},
+        },
+        imageDetails: {},
+        parsedImage: { domain: 'ghcr.io', path: 'example/service' },
+        semverValue: null,
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+      expect(result.image.tag.value).toBe('latest');
+    });
+  });
+
+  describe('Additional Coverage - imgset pattern matching edge cases', () => {
+    test('should handle imgset with empty image pattern', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.configuration.imgset = { weird: { image: '   ' } };
+      hMockParse.mockReturnValue({ path: undefined });
+      hMockParse.mockReturnValue({ path: undefined });
+      const result = docker.getMatchingImgsetConfiguration({
+        path: 'library/nginx',
+        domain: 'docker.io',
+      });
+      expect(result).toBeUndefined();
+    });
+
+    test('should return -1 specificity when parsedImage has no path', async () => {
+      await docker.register('watcher', 'docker', 'test', {
+        imgset: { test: { image: 'library/nginx' } },
+      });
+      const parseImpl = (v) => (v === 'library/nginx' ? { path: 'library/nginx' } : {});
+      hMockParse.mockImplementation(parseImpl);
+      hMockParse.mockImplementation(parseImpl);
+      const result = docker.getMatchingImgsetConfiguration({ path: undefined, domain: undefined });
+      expect(result).toBeUndefined();
+    });
+
+    test('helper should return empty candidates for blank pattern', () => {
+      expect(testable_getImageReferenceCandidatesFromPattern('   ')).toEqual([]);
+    });
+
+    test('helper should fallback to normalized pattern when parsed pattern has no path', () => {
+      hMockParse.mockReturnValue({ path: undefined });
+      hMockParse.mockReturnValue({ path: undefined });
+      expect(testable_getImageReferenceCandidatesFromPattern('docker.io')).toEqual(['docker.io']);
+    });
+
+    test('helper should fallback to normalized pattern when parser throws', () => {
+      const throwImpl = () => {
+        throw new Error('invalid pattern');
+      };
+      hMockParse.mockImplementation(throwImpl);
+      hMockParse.mockImplementation(throwImpl);
+      expect(testable_getImageReferenceCandidatesFromPattern('INVALID[')).toEqual(['invalid[']);
+    });
+
+    test('helper should return -1 specificity when pattern produces no candidates', () => {
+      expect(
+        testable_getImgsetSpecificity('   ', { path: 'library/nginx', domain: 'docker.io' }),
+      ).toBe(-1);
+    });
+
+    test('helper should avoid array includes for candidate membership checks', () => {
+      hMockParse.mockReturnValue({ path: 'library/nginx', domain: 'docker.io' });
+      hMockParse.mockReturnValue({ path: 'library/nginx', domain: 'docker.io' });
+      const includesSpy = vi.spyOn(Array.prototype, 'includes');
+      const beforeCallCount = includesSpy.mock.calls.length;
+      const specificity = testable_getImgsetSpecificity('library/nginx', {
+        path: 'library/nginx',
+        domain: 'docker.io',
+      });
+      const callDelta = includesSpy.mock.calls.length - beforeCallCount;
+      includesSpy.mockRestore();
+
+      expect(specificity).toBeGreaterThan(0);
+      expect(callDelta).toBe(0);
+    });
+  });
+});
diff --git a/app/watchers/providers/docker/Docker.containers.additional-coverage-helpers.test.ts b/app/watchers/providers/docker/Docker.containers.additional-coverage-helpers.test.ts
new file mode 100644
index 000000000..25b6aa77f
--- /dev/null
+++ b/app/watchers/providers/docker/Docker.containers.additional-coverage-helpers.test.ts
@@ -0,0 +1,801 @@
+const mockDdEnvVars = vi.hoisted(() => ({}) as Record<string, string | undefined>);
+const mockDetectSourceRepoFromImageMetadata = vi.hoisted(() => vi.fn());
+const mockResolveSourceRepoForContainer = vi.hoisted(() => vi.fn());
+const mockGetFullReleaseNotesForContainer = vi.hoisted(() => vi.fn());
+const mockToContainerReleaseNotes = vi.hoisted(() => vi.fn((notes: unknown) => notes));
+vi.mock('../../../configuration/index.js', async (importOriginal) => ({
+  ...(await importOriginal<typeof import('../../../configuration/index.js')>()),
+  ddEnvVars: mockDdEnvVars,
+}));
+vi.mock('../../../release-notes/index.js', () => ({
+  detectSourceRepoFromImageMetadata: (...args: unknown[]) =>
+    mockDetectSourceRepoFromImageMetadata(...args),
+  resolveSourceRepoForContainer: (...args: unknown[]) => mockResolveSourceRepoForContainer(...args),
+  getFullReleaseNotesForContainer: (...args: unknown[]) =>
+    mockGetFullReleaseNotesForContainer(...args),
+  toContainerReleaseNotes: (...args: unknown[]) => mockToContainerReleaseNotes(...args),
+}));
+vi.mock('dockerode');
+vi.mock('node-cron');
+vi.mock('just-debounce');
+vi.mock('../../../event');
+vi.mock('../../../store/container.js');
+vi.mock('../../../registry/index.js');
+vi.mock('../../../model/container');
+vi.mock('../../../tag');
+vi.mock('../../../prometheus/watcher');
+vi.mock('parse-docker-image-name');
+vi.mock('node:fs');
+vi.mock('axios');
+vi.mock('./maintenance.js', () => ({
+  isInMaintenanceWindow: vi.fn(() => true),
+  getNextMaintenanceWindow: vi.fn(() => undefined),
+}));
+
+import * as registry from '../../../registry/index.js';
+import * as storeContainer from '../../../store/container.js';
+import { getDockerWatcherRegistryId, getDockerWatcherSourceKey } from './container-init.js';
+import {
+  createMockLog,
+  setupDockerWatcherContainerSuite,
+} from './Docker.containers.test.helpers.js';
+import {
+  testable_filterBySegmentCount,
+  testable_filterRecreatedContainerAliases,
+  testable_getContainerDisplayName,
+  testable_getContainerName,
+  testable_getCurrentPrefix,
+  testable_getFirstDigitIndex,
+  testable_getImageForRegistryLookup,
+  testable_getInspectValueByPath,
+  testable_getLabel,
+  testable_getOldContainers,
+  testable_normalizeConfigNumberValue,
+  testable_normalizeContainer,
+  testable_pruneOldContainers,
+  testable_shouldUpdateDisplayNameFromContainerName,
+} from './Docker.js';
+
+describe('Docker Watcher', () => {
+  let docker;
+  let mockDockerApi;
+  let mockSchedule;
+  let mockContainer;
+  let mockImage;
+
+  setupDockerWatcherContainerSuite((state) => {
+    docker = state.docker;
+    mockDockerApi = state.mockDockerApi;
+    mockSchedule = state.mockSchedule;
+    mockContainer = state.mockContainer;
+    mockImage = state.mockImage;
+  });
+
+  describe('Additional Coverage - Docker helper functions', () => {
+    test('getLabel should fallback to wud key when dd key is absent', () => {
+      const labels = {
+        'wud.display.name': 'Legacy Name',
+      };
+      expect(testable_getLabel(labels, 'dd.display.name', 'wud.display.name')).toBe('Legacy Name');
+    });
+
+    test('getLabel should prefer dd key when both dd and wud keys are present', () => {
+      const labels = {
+        'dd.display.name': 'Preferred',
+        'wud.display.name': 'Legacy Name',
+      };
+      expect(testable_getLabel(labels, 'dd.display.name', 'wud.display.name')).toBe('Preferred');
+    });
+
+    test('getLabel should return undefined when fallback key is not provided', () => {
+      expect(testable_getLabel({}, 'dd.display.name')).toBeUndefined();
+    });
+
+    test.each([
+      {
+        aliasKey: 'dd.action.include',
+        legacyKey: 'dd.trigger.include',
+        fallbackKey: 'wud.trigger.include',
+        preferredValue: 'action-include',
+      },
+      {
+        aliasKey: 'dd.notification.exclude',
+        legacyKey: 'dd.trigger.exclude',
+        fallbackKey: 'wud.trigger.exclude',
+        preferredValue: 'notification-exclude',
+      },
+    ])('getLabel should prefer $aliasKey over $legacyKey and warn once for the legacy key', ({
+      aliasKey,
+      legacyKey,
+      fallbackKey,
+      preferredValue,
+    }) => {
+      const warnedLegacyTriggerLabels = new Set<string>();
+      const warn = vi.fn();
+      const labels = {
+        [aliasKey]: preferredValue,
+        [legacyKey]: 'legacy-value',
+        [fallbackKey]: 'legacy-fallback',
+      } as Record<string, string>;
+
+      expect(
+        testable_getLabel(labels, legacyKey, fallbackKey, {
+          warn,
+          warnedLegacyTriggerLabels,
+        }),
+      ).toBe(preferredValue);
+      expect(
+        testable_getLabel(
+          {
+            [legacyKey]: 'legacy-value',
+            [fallbackKey]: 'legacy-fallback',
+          } as Record<string, string>,
+          legacyKey,
+          fallbackKey,
+          {
+            warn,
+            warnedLegacyTriggerLabels,
+          },
+        ),
+      ).toBe('legacy-value');
+
+      expect(warn).toHaveBeenCalledTimes(1);
+      expect(warn.mock.calls[0][0]).toContain(legacyKey);
+    });
+
+    test('getCurrentPrefix should return the non-numeric prefix before the first digit', () => {
+      expect(testable_getCurrentPrefix('v2026.2.1')).toBe('v');
+    });
+
+    test('getCurrentPrefix should return empty string when there are no digits', () => {
+      expect(testable_getCurrentPrefix('latest')).toBe('');
+    });
+
+    test('filterBySegmentCount should drop tags without numeric groups', () => {
+      const filtered = testable_filterBySegmentCount(['latest', '1.2.4', '1.3.0'], {
+        transformTags: undefined,
+        image: {
+          tag: {
+            value: '1.2.3',
+          },
+        },
+      });
+
+      expect(filtered).toEqual(['1.2.4', '1.3.0']);
+    });
+
+    test('filterBySegmentCount should enforce numeric zero-padding style by segment', () => {
+      const filtered = testable_filterBySegmentCount(['5.1.5', '20.04.1', '5.01.6'], {
+        transformTags: undefined,
+        image: {
+          tag: {
+            value: '5.1.4',
+          },
+        },
+      });
+
+      expect(filtered).toEqual(['5.1.5']);
+    });
+
+    test('filterBySegmentCount should allow non-padded segments when current tag is padded', () => {
+      const filtered = testable_filterBySegmentCount(['20.10.1', '20.04.2'], {
+        transformTags: undefined,
+        image: {
+          tag: {
+            value: '20.04.1',
+          },
+        },
+      });
+
+      expect(filtered).toEqual(['20.10.1', '20.04.2']);
+    });
+
+    test('filterBySegmentCount should preserve current prefix family', () => {
+      const filtered = testable_filterBySegmentCount(['1.2.4', 'v1.2.4'], {
+        transformTags: undefined,
+        image: {
+          tag: {
+            value: 'v1.2.3',
+          },
+        },
+      });
+
+      expect(filtered).toEqual(['v1.2.4']);
+    });
+
+    test('filterBySegmentCount should preserve suffix family template', () => {
+      const filtered = testable_filterBySegmentCount(['1.2.4', '1.2.4-ls133', '1.2.4-r1'], {
+        transformTags: undefined,
+        image: {
+          tag: {
+            value: '1.2.3-ls132',
+          },
+        },
+      });
+
+      expect(filtered).toEqual(['1.2.4-ls133']);
+    });
+
+    test('getContainerName should extract first docker name entry and strip slash', () => {
+      expect(testable_getContainerName({ Names: ['/my-container'] })).toBe('my-container');
+    });
+
+    test('getContainerName should return empty string when names are missing', () => {
+      expect(testable_getContainerName({})).toBe('');
+    });
+
+    test('filterRecreatedContainerAliases should skip self-id-prefixed aliases when base name exists in store', () => {
+      const result = testable_filterRecreatedContainerAliases(
+        [
+          {
+            Id: '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10',
+            Names: ['/7ea6b8a42686_termix'],
+          },
+        ],
+        [
+          {
+            id: 'termix-current',
+            watcher: 'docker-test',
+            name: 'termix',
+          } as any,
+        ],
+      );
+
+      expect(result.containersToWatch).toHaveLength(0);
+      expect(result.skippedContainerIds.size).toBe(1);
+      expect(
+        result.skippedContainerIds.has(
+          '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10',
+        ),
+      ).toBe(true);
+    });
+
+    test('filterRecreatedContainerAliases should ignore containers with missing Id or Names', () => {
+      const result = testable_filterRecreatedContainerAliases(
+        [
+          { Names: ['/abc123_myapp'] },
+          { Id: 'name-missing' },
+          { Id: '', Names: ['/def456_myapp'] },
+          { Id: 'valid1', Names: ['/valid1_myapp'] },
+        ],
+        [],
+      );
+      expect(result.containersToWatch).toHaveLength(4);
+      expect(result.skippedContainerIds.size).toBe(0);
+    });
+
+    test('filterRecreatedContainerAliases should keep alias when no sibling and no store match', () => {
+      const result = testable_filterRecreatedContainerAliases(
+        [
+          {
+            Id: '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10',
+            Names: ['/7ea6b8a42686_termix'],
+          },
+        ],
+        [],
+      );
+      expect(result.containersToWatch).toHaveLength(1);
+      expect(result.skippedContainerIds.size).toBe(0);
+    });
+
+    test('filterRecreatedContainerAliases should keep alias when base-name map only has the same container id', () => {
+      const result = testable_filterRecreatedContainerAliases(
+        [
+          {
+            Id: '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10',
+            Names: ['/7ea6b8a42686_termix'],
+          },
+          {
+            Id: '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10',
+            Names: ['/termix'],
+          },
+        ],
+        [],
+      );
+      expect(result.containersToWatch).toHaveLength(2);
+      expect(result.skippedContainerIds.size).toBe(0);
+    });
+
+    test('filterRecreatedContainerAliases should skip alias when a sibling container already uses the base name', () => {
+      const aliasContainerId = '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10';
+      const result = testable_filterRecreatedContainerAliases(
+        [
+          {
+            Id: aliasContainerId,
+            Names: ['/7ea6b8a42686_termix'],
+          },
+          {
+            Id: 'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb',
+            Names: ['/termix'],
+          },
+        ],
+        [],
+      );
+
+      expect(result.containersToWatch).toHaveLength(1);
+      expect(result.skippedContainerIds.size).toBe(1);
+      expect(result.skippedContainerIds.has(aliasContainerId)).toBe(true);
+    });
+
+    test('filterRecreatedContainerAliases should keep names that are not self-id-prefixed aliases', () => {
+      const result = testable_filterRecreatedContainerAliases(
+        [
+          {
+            Id: 'aaaaaaaaaaaa1111111111111111111111111111111111111111111111111111',
+            Names: ['/7ea6b8a42686_termix'],
+          },
+        ],
+        [
+          {
+            id: 'termix-current',
+            watcher: 'docker-test',
+            name: 'termix',
+          } as any,
+        ],
+      );
+
+      expect(result.containersToWatch).toHaveLength(1);
+      expect(result.skippedContainerIds.size).toBe(0);
+    });
+
+    test('getContainerDisplayName should fallback to container name when parsed image path is missing', () => {
+      expect(testable_getContainerDisplayName('my-container', undefined, undefined)).toBe(
+        'my-container',
+      );
+    });
+
+    test('normalizeConfigNumberValue should return undefined for non-finite numeric strings', () => {
+      expect(testable_normalizeConfigNumberValue('NaN')).toBeUndefined();
+    });
+
+    test('shouldUpdateDisplayNameFromContainerName should support empty old display names', () => {
+      expect(testable_shouldUpdateDisplayNameFromContainerName('new-name', 'old-name', '')).toBe(
+        true,
+      );
+    });
+
+    test('getFirstDigitIndex should return -1 when no digit exists', () => {
+      expect(testable_getFirstDigitIndex('latest')).toBe(-1);
+    });
+
+    test('getImageForRegistryLookup should ignore invalid legacy lookup url', () => {
+      const image = {
+        registry: {
+          url: 'harbor.example.com',
+          lookupUrl: 'https://%',
+        },
+        name: 'dockerhub-proxy/traefik',
+        tag: {
+          value: 'v3.5.3',
+        },
+      };
+      expect(testable_getImageForRegistryLookup(image)).toBe(image);
+    });
+
+    test('getDockerWatcherRegistryId should normalize watcher and agent values', () => {
+      expect(getDockerWatcherRegistryId('watcher')).toBe('docker.watcher');
+      expect(getDockerWatcherRegistryId('watcher', 'agent-1')).toBe('agent-1.docker.watcher');
+      expect(getDockerWatcherRegistryId('   ', 'agent-1')).toBe('');
+    });
+
+    test('getDockerWatcherSourceKey should build tcp and socket keys with defaults', () => {
+      expect(
+        getDockerWatcherSourceKey({
+          agent: 'agent-1',
+          configuration: {
+            host: 'Docker.Example.Com',
+            protocol: 'HTTPS',
+            port: 4242,
+          },
+        } as any),
+      ).toBe('agent:agent-1|tcp:https://docker.example.com:4242');
+
+      expect(
+        getDockerWatcherSourceKey({
+          agent: '',
+          configuration: {
+            host: 'Docker.Example.Com',
+            protocol: '',
+            port: 0,
+          },
+        } as any),
+      ).toBe('agent:|tcp:http://docker.example.com:2375');
+
+      expect(
+        getDockerWatcherSourceKey({
+          agent: 'agent-2',
+          configuration: {
+            socket: '',
+          },
+        } as any),
+      ).toBe('agent:agent-2|socket:/var/run/docker.sock');
+    });
+
+    test('normalizeContainer should not mutate the input container object', async () => {
+      const containerModule = await import('../../../model/container.js');
+      const realContainerModule = await vi.importActual<
+        typeof import('../../../model/container.js')
+      >('../../../model/container.js');
+      containerModule.validate.mockImplementation(realContainerModule.validate);
+
+      const container = {
+        id: 'c1',
+        name: 'container-1',
+        watcher: 'docker',
+        image: {
+          id: 'sha256:abc123',
+          registry: {
+            name: 'original-registry',
+            url: 'custom.registry',
+          },
+          name: 'myimage',
+          tag: {
+            value: '1.0.0',
+            semver: true,
+          },
+          digest: {
+            watch: false,
+          },
+          architecture: 'amd64',
+          os: 'linux',
+        },
+      };
+
+      registry.getState.mockReturnValue({ registry: {} });
+      const result = testable_normalizeContainer(container);
+
+      expect(result).toBeDefined();
+      expect(result.image.registry.name).toBe('unknown');
+      expect(container.image.registry.name).toBe('original-registry');
+      expect(result.image).not.toBe(container.image);
+    });
+
+    test('getInspectValueByPath should return undefined for empty path', () => {
+      expect(testable_getInspectValueByPath({ Config: { Labels: {} } }, '')).toBeUndefined();
+    });
+
+    test('getOldContainers should return empty array when arguments are missing', () => {
+      expect(testable_getOldContainers(undefined, [])).toEqual([]);
+      expect(testable_getOldContainers([], undefined)).toEqual([]);
+    });
+
+    test('getOldContainers should remove containers that still exist in new snapshot', () => {
+      const result = testable_getOldContainers(
+        [{ id: 'current-1' }],
+        [{ id: 'current-1' }, { id: 'stale-1' }],
+      );
+
+      expect(result).toEqual([{ id: 'stale-1' }]);
+    });
+
+    test('getOldContainers should perform near-linear id lookups', () => {
+      let newIdReads = 0;
+      let storeIdReads = 0;
+      const newContainers = Array.from({ length: 30 }, (_, index) => {
+        const container = {};
+        Object.defineProperty(container, 'id', {
+          enumerable: true,
+          get: () => {
+            newIdReads += 1;
+            return `id-${index}`;
+          },
+        });
+        return container;
+      });
+      const containersFromStore = Array.from({ length: 30 }, (_, index) => {
+        const container = {};
+        Object.defineProperty(container, 'id', {
+          enumerable: true,
+          get: () => {
+            storeIdReads += 1;
+            return `id-${index + 15}`;
+          },
+        });
+        return container;
+      });
+
+      const result = testable_getOldContainers(newContainers, containersFromStore);
+
+      expect(result).toHaveLength(15);
+      expect(newIdReads).toBeLessThanOrEqual(60);
+      expect(storeIdReads).toBeLessThanOrEqual(60);
+    });
+
+    test('pruneOldContainers should update status when stale container still exists in docker', async () => {
+      const dockerApi = {
+        getContainer: vi.fn().mockReturnValue({
+          inspect: vi.fn().mockResolvedValue({
+            State: {
+              Status: 'exited',
+            },
+          }),
+        }),
+      };
+
+      await testable_pruneOldContainers([], [{ id: 'old-1', name: 'old-container' }], dockerApi);
+
+      expect(storeContainer.updateContainer).toHaveBeenCalledWith(
+        expect.objectContaining({
+          id: 'old-1',
+          status: 'exited',
+        }),
+      );
+    });
+
+    test('pruneOldContainers should delete stale entries when a same-name replacement exists', async () => {
+      const dockerApi = {
+        getContainer: vi.fn(),
+      };
+
+      await testable_pruneOldContainers(
+        [
+          {
+            id: 'new-1',
+            watcher: 'docker',
+            name: 'app',
+          },
+        ] as any,
+        [
+          {
+            id: 'old-1',
+            watcher: 'docker',
+            name: 'app',
+          },
+        ] as any,
+        dockerApi as any,
+      );
+
+      expect(dockerApi.getContainer).not.toHaveBeenCalled();
+      expect(storeContainer.deleteContainer).toHaveBeenCalledWith('old-1');
+    });
+
+    test('pruneOldContainers should delete stale same-name entries from same-source cross-watcher candidates', async () => {
+      const dockerApi = {
+        getContainer: vi.fn(),
+      };
+
+      await testable_pruneOldContainers(
+        [
+          {
+            id: 'new-1',
+            watcher: 'docker',
+            name: 'app',
+          },
+        ] as any,
+        [] as any,
+        dockerApi as any,
+        {
+          sameSourceContainersFromStore: [
+            {
+              id: 'old-2',
+              watcher: 'docker-alias',
+              name: 'app',
+            },
+          ],
+        },
+      );
+
+      expect(dockerApi.getContainer).not.toHaveBeenCalled();
+      expect(storeContainer.deleteContainer).toHaveBeenCalledWith('old-2');
+    });
+
+    test('pruneOldContainers should treat missing watcher as an empty watcher key', async () => {
+      const dockerApi = {
+        getContainer: vi.fn(),
+      };
+
+      await testable_pruneOldContainers(
+        [
+          {
+            id: 'new-1',
+            name: 'app',
+          },
+        ] as any,
+        [
+          {
+            id: 'old-1',
+            watcher: '',
+            name: 'app',
+          },
+        ] as any,
+        dockerApi as any,
+      );
+
+      expect(dockerApi.getContainer).not.toHaveBeenCalled();
+      expect(storeContainer.deleteContainer).toHaveBeenCalledWith('old-1');
+    });
+
+    test('pruneOldContainers should force-delete stale ids skipped during alias filtering', async () => {
+      const dockerApi = {
+        getContainer: vi.fn().mockReturnValue({
+          inspect: vi.fn().mockResolvedValue({
+            State: {
+              Status: 'exited',
+            },
+          }),
+        }),
+      };
+
+      await testable_pruneOldContainers(
+        [],
+        [
+          {
+            id: 'alias-1',
+            watcher: 'docker',
+            name: '7ea6b8a42686_termix',
+          },
+        ] as any,
+        dockerApi as any,
+        {
+          forceRemoveContainerIds: new Set(['alias-1']),
+        },
+      );
+
+      expect(dockerApi.getContainer).not.toHaveBeenCalled();
+      expect(storeContainer.updateContainer).not.toHaveBeenCalled();
+      expect(storeContainer.deleteContainer).toHaveBeenCalledWith('alias-1');
+    });
+  });
+
+  describe('Additional Coverage - getContainers same-source filtering', () => {
+    // Docker.ts gets its registry/storeContainer references from a mock version
+    // created by the helpers file's runtime vi.mock() call, which differs from
+    // the test file's static import. Use dynamic imports to get the same instance.
+    let hRegistry: any;
+    let hStoreContainer: any;
+
+    beforeEach(async () => {
+      hRegistry = await import('../../../registry/index.js');
+      hStoreContainer = await import('../../../store/container.js');
+    });
+
+    test('should normalize a non-string watcher agent when grouping same-source containers', async () => {
+      await docker.register(
+        'watcher',
+        'docker',
+        'test',
+        {
+          socket: '/var/run/docker.sock',
+          host: 'socket-proxy.internal',
+          protocol: 'http',
+          port: 2375,
+        },
+        'agent-1',
+      );
+      docker.agent = 42 as any;
+      mockDockerApi.listContainers.mockResolvedValue([]);
+      hStoreContainer.getContainers.mockImplementation((query?: { watcher?: string }) =>
+        query?.watcher ? [] : [],
+      );
+      hRegistry.getState.mockReturnValue({ watcher: {} } as any);
+
+      await docker.getContainers();
+
+      expect(hRegistry.getState).toHaveBeenCalled();
+    });
+
+    test('should fall back to current containers when same-source lookup fails', async () => {
+      await docker.register('watcher', 'docker', 'test', {
+        socket: '/var/run/docker.sock',
+      });
+      docker.log = createMockLog(['warn']);
+      mockDockerApi.listContainers.mockResolvedValue([]);
+      hStoreContainer.getContainers.mockImplementation((query?: { watcher?: string }) =>
+        query?.watcher ? [] : [],
+      );
+      hRegistry.getState.mockImplementation(() => {
+        throw new Error('Registry unavailable');
+      });
+
+      await expect(docker.getContainers()).resolves.toEqual([]);
+      expect(docker.log.warn).toHaveBeenCalledWith(
+        expect.stringContaining('Error when trying to get same-source containers from the store'),
+      );
+    });
+
+    test('should keep same-source containers and skip invalid cross-watcher records', async () => {
+      await docker.register(
+        'watcher',
+        'docker',
+        'test',
+        {
+          socket: '/var/run/docker.sock',
+          host: 'socket-proxy.internal',
+          protocol: 'http',
+          port: 2375,
+        },
+        '',
+      );
+      mockDockerApi.listContainers.mockResolvedValue([]);
+      hStoreContainer.getContainers.mockImplementation((query?: { watcher?: string }) => {
+        if (query?.watcher) {
+          return [];
+        }
+
+        return [
+          {
+            id: 'same-source',
+            watcher: 'docker-same-source',
+            agent: '',
+            name: 'service',
+          },
+          {
+            id: 'empty-watcher',
+            watcher: '',
+            agent: '',
+            name: 'service',
+          },
+          {
+            id: 'whitespace-watcher',
+            watcher: '   ',
+            agent: '',
+            name: 'service',
+          },
+          {
+            id: 'non-docker-watcher',
+            watcher: 'docker-queue',
+            agent: '',
+            name: 'service',
+          },
+          {
+            id: 'different-agent',
+            watcher: 'docker-same-source',
+            agent: 'remote-agent',
+            name: 'service',
+          },
+        ] as any;
+      });
+      hRegistry.getState.mockReturnValue({
+        watcher: {
+          'docker.docker-same-source': {
+            type: 'docker',
+            name: 'docker-same-source',
+            configuration: {
+              host: 'socket-proxy.internal',
+              protocol: 'http',
+              port: 2375,
+              socket: '/var/run/docker.sock',
+            },
+          },
+          'docker.docker-queue': {
+            type: 'queue',
+            name: 'docker-queue',
+            configuration: {
+              host: 'socket-proxy.internal',
+              protocol: 'http',
+              port: 2375,
+              socket: '/var/run/docker.sock',
+            },
+          },
+        },
+      } as any);
+
+      await docker.getContainers();
+
+      expect(hStoreContainer.deleteContainer).not.toHaveBeenCalled();
+    });
+  });
+
+  describe('Additional Coverage - findNewVersion unsupported registry', () => {
+    test('should return current tag and log error when registry provider is unsupported', async () => {
+      const logChild = createMockLog(['error']);
+      const container = {
+        image: {
+          registry: {
+            name: 'unknown',
+          },
+          tag: {
+            value: '1.2.3',
+          },
+          digest: {
+            watch: false,
+          },
+        },
+      };
+
+      const result = await docker.findNewVersion(container, logChild);
+      expect(result).toEqual({ tag: '1.2.3' });
+      expect(logChild.error).toHaveBeenCalledWith('Unsupported registry (unknown)');
+    });
+  });
+});
diff --git a/app/watchers/providers/docker/Docker.containers.details.test.ts b/app/watchers/providers/docker/Docker.containers.details.test.ts
new file mode 100644
index 000000000..56208def8
--- /dev/null
+++ b/app/watchers/providers/docker/Docker.containers.details.test.ts
@@ -0,0 +1,1178 @@
+import {
+  createDockerContainer,
+  createHaParseMock,
+  createHarborHubRegistryState,
+  createMockLog,
+  setupContainerDetailTest,
+  setupDockerWatcherContainerSuite,
+} from './Docker.containers.test.helpers.js';
+
+describe('Docker Watcher', () => {
+  let docker;
+  let mockDockerApi;
+  let mockSchedule;
+  let mockContainer;
+  let mockImage;
+  // Helper-scoped mock references (populated in beforeEach)
+  let hMockParse: any;
+  let hStoreContainer: any;
+  let hMockTag: any;
+
+  setupDockerWatcherContainerSuite((state) => {
+    docker = state.docker;
+    mockDockerApi = state.mockDockerApi;
+    mockSchedule = state.mockSchedule;
+    mockContainer = state.mockContainer;
+    mockImage = state.mockImage;
+  });
+
+  beforeEach(async () => {
+    hMockParse = (await import('parse-docker-image-name')).default;
+    hStoreContainer = await import('../../../store/container.js');
+    hMockTag = await import('../../../tag/index.js');
+  });
+
+  describe('Container Details', () => {
+    test('should return existing container from store', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLog(['debug']);
+      const existingContainer = {
+        id: '123',
+        error: undefined,
+        image: { digest: { repo: 'sha256:abc' }, id: 'image123', created: '2023-01-01' },
+      };
+      hStoreContainer.getContainer.mockReturnValue(existingContainer);
+      mockImage.inspect.mockResolvedValue({
+        Id: 'image123',
+        RepoDigests: ['nginx@sha256:abc'],
+        Created: '2023-01-01',
+      });
+
+      const result = await docker.addImageDetailsToContainer({
+        Id: '123',
+        Image: 'nginx:latest',
+      });
+
+      expect(result).toBe(existingContainer);
+    });
+
+    test('should skip container inspect for store container when watch events are enabled', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLog(['debug']);
+      const existingContainer = {
+        id: '123',
+        error: undefined,
+        image: {
+          digest: { repo: 'sha256:abc' },
+          id: 'image123',
+          created: '2023-01-01',
+        },
+        details: {
+          ports: ['80/tcp'],
+          volumes: ['/old/data:/data'],
+          env: [{ key: 'APP_ENV', value: 'prod' }],
+        },
+      };
+      hStoreContainer.getContainer.mockReturnValue(existingContainer);
+      mockImage.inspect.mockResolvedValue({
+        Id: 'image123',
+        RepoDigests: ['nginx@sha256:abc'],
+        Created: '2023-01-01',
+      });
+
+      const result = await docker.addImageDetailsToContainer({
+        Id: '123',
+        Image: 'nginx:latest',
+        Ports: [{ PrivatePort: 8080, Type: 'tcp', PublicPort: 18080, IP: '0.0.0.0' }],
+        Mounts: [{ Source: '/host/data', Destination: '/data', RW: false }],
+      });
+
+      expect(result).toBe(existingContainer);
+      expect(mockContainer.inspect).not.toHaveBeenCalled();
+      expect(result.details).toEqual({
+        ports: ['0.0.0.0:18080->8080/tcp'],
+        volumes: ['/host/data:/data:ro'],
+        env: [{ key: 'APP_ENV', value: 'prod' }],
+      });
+    });
+
+    test('should inspect store container runtime details when watch events are disabled', async () => {
+      await docker.register('watcher', 'docker', 'test', { watchevents: false });
+      docker.log = createMockLog(['debug']);
+      const existingContainer = {
+        id: '123',
+        error: undefined,
+        image: {
+          digest: { repo: 'sha256:abc' },
+          id: 'image123',
+          created: '2023-01-01',
+        },
+        details: {
+          ports: [],
+          volumes: [],
+          env: [],
+        },
+      };
+      hStoreContainer.getContainer.mockReturnValue(existingContainer);
+      mockContainer.inspect.mockResolvedValue({
+        Config: {
+          Env: ['APP_ENV=prod'],
+        },
+      });
+      mockImage.inspect.mockResolvedValue({
+        Id: 'image123',
+        RepoDigests: ['nginx@sha256:abc'],
+        Created: '2023-01-01',
+      });
+
+      const result = await docker.addImageDetailsToContainer({
+        Id: '123',
+        Image: 'nginx:latest',
+      });
+
+      expect(result).toBe(existingContainer);
+      expect(mockContainer.inspect).toHaveBeenCalledTimes(1);
+      expect(result.details.env).toEqual([{ key: 'APP_ENV', value: 'prod' }]);
+    });
+
+    test('should refresh image fields when digest changed in store container', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLog(['debug']);
+      const existingContainer = {
+        id: '123',
+        error: undefined,
+        image: {
+          digest: { repo: 'sha256:olddigest' },
+          id: 'old-image-id',
+          created: '2023-01-01',
+        },
+      };
+      hStoreContainer.getContainer.mockReturnValue(existingContainer);
+      mockImage.inspect.mockResolvedValue({
+        Id: 'new-image-id',
+        RepoDigests: ['nginx@sha256:newdigest'],
+        Created: '2024-06-15',
+      });
+
+      const result = await docker.addImageDetailsToContainer({
+        Id: '123',
+        Image: 'nginx:latest',
+      });
+
+      expect(result.image.digest.repo).toBe('sha256:newdigest');
+      expect(result.image.id).toBe('new-image-id');
+      expect(result.image.created).toBe('2024-06-15');
+    });
+
+    test('should keep existing created date when refreshed image has no Created field', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLog(['debug']);
+      const existingContainer = {
+        id: '123',
+        error: undefined,
+        image: {
+          digest: { repo: 'sha256:olddigest' },
+          id: 'old-image-id',
+          created: '2023-01-01',
+        },
+      };
+      hStoreContainer.getContainer.mockReturnValue(existingContainer);
+      mockImage.inspect.mockResolvedValue({
+        Id: 'new-image-id',
+        RepoDigests: ['nginx@sha256:newdigest'],
+      });
+
+      const result = await docker.addImageDetailsToContainer({
+        Id: '123',
+        Image: 'nginx:latest',
+      });
+
+      expect(result.image.digest.repo).toBe('sha256:newdigest');
+      expect(result.image.id).toBe('new-image-id');
+      expect(result.image.created).toBe('2023-01-01');
+    });
+
+    test('should degrade gracefully when image inspect fails for store container', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLog(['debug']);
+      const existingContainer = {
+        id: '123',
+        error: undefined,
+        image: {
+          digest: { repo: 'sha256:cached' },
+          id: 'cached-image-id',
+          created: '2023-01-01',
+        },
+      };
+      hStoreContainer.getContainer.mockReturnValue(existingContainer);
+      mockImage.inspect.mockRejectedValue(new Error('image not found'));
+
+      const result = await docker.addImageDetailsToContainer({
+        Id: '123',
+        Image: 'nginx:latest',
+      });
+
+      expect(result).toBe(existingContainer);
+      expect(result.image.digest.repo).toBe('sha256:cached');
+      expect(result.image.id).toBe('cached-image-id');
+    });
+
+    test('should not mutate store container when image fields unchanged', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLog(['debug']);
+      const existingContainer = {
+        id: '123',
+        error: undefined,
+        image: {
+          digest: { repo: 'sha256:samedigest' },
+          id: 'same-image-id',
+          created: '2023-01-01',
+        },
+      };
+      hStoreContainer.getContainer.mockReturnValue(existingContainer);
+      mockImage.inspect.mockResolvedValue({
+        Id: 'same-image-id',
+        RepoDigests: ['nginx@sha256:samedigest'],
+        Created: '2023-01-01',
+      });
+
+      const result = await docker.addImageDetailsToContainer({
+        Id: '123',
+        Image: 'nginx:latest',
+      });
+
+      expect(result).toBe(existingContainer);
+      // Values should be unchanged
+      expect(result.image.digest.repo).toBe('sha256:samedigest');
+      expect(result.image.id).toBe('same-image-id');
+      expect(result.image.created).toBe('2023-01-01');
+    });
+
+    test('should backfill digest value for store container when repo digest exists', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLog(['debug']);
+      const existingContainer = {
+        id: '123',
+        error: undefined,
+        image: {
+          digest: { repo: 'sha256:samedigest' },
+          id: 'same-image-id',
+          created: '2023-01-01',
+        },
+      };
+      hStoreContainer.getContainer.mockReturnValue(existingContainer);
+      mockImage.inspect.mockResolvedValue({
+        Id: 'same-image-id',
+        RepoDigests: ['nginx@sha256:samedigest'],
+        Created: '2023-01-01',
+      });
+
+      const result = await docker.addImageDetailsToContainer({
+        Id: '123',
+        Image: 'nginx:latest',
+      });
+
+      expect(result.image.digest.value).toBe('sha256:samedigest');
+    });
+
+    test('should keep existing digest value when backfill is not needed', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLog(['debug']);
+      const existingContainer = {
+        id: '123',
+        error: undefined,
+        image: {
+          digest: { repo: 'sha256:samedigest', value: 'sha256:already-set' },
+          id: 'same-image-id',
+          created: '2023-01-01',
+        },
+      };
+      hStoreContainer.getContainer.mockReturnValue(existingContainer);
+      mockImage.inspect.mockResolvedValue({
+        Id: 'same-image-id',
+        RepoDigests: ['nginx@sha256:samedigest'],
+        Created: '2023-01-01',
+      });
+
+      const result = await docker.addImageDetailsToContainer({
+        Id: '123',
+        Image: 'nginx:latest',
+      });
+
+      expect(result.image.digest.value).toBe('sha256:already-set');
+    });
+
+    test('should keep digest value unchanged when repo digest is missing but image metadata changes', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLog(['debug']);
+      const existingContainer = {
+        id: '123',
+        error: undefined,
+        image: {
+          digest: { repo: 'sha256:cached', value: 'sha256:cached' },
+          id: 'old-image-id',
+          created: '2023-01-01',
+        },
+      };
+      hStoreContainer.getContainer.mockReturnValue(existingContainer);
+      mockImage.inspect.mockResolvedValue({
+        Id: 'new-image-id',
+        RepoDigests: [],
+      });
+
+      const result = await docker.addImageDetailsToContainer({
+        Id: '123',
+        Image: 'nginx:latest',
+      });
+
+      expect(result.image.digest.repo).toBeUndefined();
+      expect(result.image.digest.value).toBe('sha256:cached');
+      expect(result.image.id).toBe('new-image-id');
+    });
+
+    test('should set digest value from repo digest for new container details', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: { Image: 'nginx:latest' },
+        imageDetails: { RepoDigests: ['nginx@sha256:abc123'] },
+        parsedImage: { domain: 'docker.io', path: 'library/nginx', tag: 'latest' },
+        semverValue: null,
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result.image.digest.repo).toBe('sha256:abc123');
+      expect(result.image.digest.value).toBe('sha256:abc123');
+    });
+
+    test('should add image details to new container', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: { Image: 'nginx:1.0.0' },
+        imageDetails: { Variant: 'v8', RepoDigests: ['nginx@sha256:abc123'] },
+        validateImpl: () => ({
+          id: '123',
+          name: 'test-container',
+          image: { architecture: 'amd64', variant: 'v8' },
+        }),
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(mockImage.inspect).toHaveBeenCalled();
+      expect(result).toBeDefined();
+    });
+
+    test('should include runtime details from inspect payload', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: { Image: 'nginx:1.0.0' },
+      });
+      mockContainer.inspect.mockResolvedValue({
+        NetworkSettings: {
+          Ports: {
+            '80/tcp': [{ HostIp: '0.0.0.0', HostPort: '8080' }],
+            '443/tcp': null,
+          },
+        },
+        Mounts: [
+          { Name: 'config-vol', Destination: '/config', RW: true },
+          { Source: '/host/data', Destination: '/data', RW: false },
+        ],
+        Config: {
+          Env: ['NODE_ENV=production', 'EMPTY=', 'NO_VALUE'],
+        },
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result.details).toEqual({
+        ports: ['0.0.0.0:8080->80/tcp', '443/tcp'],
+        volumes: ['config-vol:/config', '/host/data:/data:ro'],
+        env: [
+          { key: 'NODE_ENV', value: 'production' },
+          { key: 'EMPTY', value: '' },
+          { key: 'NO_VALUE', value: '' },
+        ],
+      });
+    });
+
+    test('should default display name to container name for drydock image', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'ghcr.io/codeswhat/drydock:latest',
+          Names: ['/dd'],
+        },
+        imageDetails: {
+          Variant: 'v8',
+          RepoDigests: ['ghcr.io/codeswhat/drydock@sha256:abc123'],
+        },
+        parsedImage: { domain: 'ghcr.io', path: 'codeswhat/drydock', tag: 'latest' },
+        semverValue: null,
+        registryId: 'ghcr',
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result.displayName).toBe('dd');
+    });
+
+    test('should keep custom display name when provided', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'ghcr.io/codeswhat/drydock:latest',
+          Names: ['/dd'],
+        },
+        imageDetails: {
+          Variant: 'v8',
+          RepoDigests: ['ghcr.io/codeswhat/drydock@sha256:abc123'],
+        },
+        parsedImage: { domain: 'ghcr.io', path: 'codeswhat/drydock', tag: 'latest' },
+        semverValue: null,
+        registryId: 'ghcr',
+      });
+
+      const result = await docker.addImageDetailsToContainer(container, {
+        displayName: 'DD CE Custom',
+      });
+
+      expect(result.displayName).toBe('DD CE Custom');
+    });
+
+    test('should apply imgset defaults when labels are missing', async () => {
+      const haImgset = {
+        homeassistant: {
+          image: 'ghcr.io/home-assistant/home-assistant',
+          tag: {
+            include: String.raw`^\d+\.\d+\.\d+$`,
+          },
+          display: {
+            name: 'Home Assistant',
+            icon: 'mdi-home-assistant',
+          },
+          link: {
+            template: 'https://www.home-assistant.io/changelogs/core-${major}${minor}${patch}',
+          },
+          trigger: {
+            include: 'ntfy.default:major',
+          },
+          registry: {
+            lookup: {
+              image: 'ghcr.io/home-assistant/home-assistant',
+            },
+          },
+        },
+      };
+      const container = await setupContainerDetailTest(docker, {
+        registerConfig: { imgset: haImgset },
+        container: {
+          Image: 'ghcr.io/home-assistant/home-assistant:2026.2.1',
+          Names: ['/homeassistant'],
+        },
+        imageDetails: {
+          Variant: 'v8',
+          RepoDigests: ['ghcr.io/home-assistant/home-assistant@sha256:abc123'],
+        },
+        parseImpl: createHaParseMock(),
+        semverValue: { major: 2026, minor: 2, patch: 1 },
+        registryId: 'ghcr',
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result.includeTags).toBe(String.raw`^\d+\.\d+\.\d+$`);
+      expect(result.displayName).toBe('Home Assistant');
+      expect(result.displayIcon).toBe('mdi-home-assistant');
+      expect(result.linkTemplate).toBe(
+        'https://www.home-assistant.io/changelogs/core-${major}${minor}${patch}',
+      );
+      expect(result.triggerInclude).toBe('ntfy.default:major');
+      expect(result.image.registry.lookupImage).toBe('ghcr.io/home-assistant/home-assistant');
+    });
+
+    test('should let labels override imgset defaults', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        registerConfig: {
+          imgset: {
+            homeassistant: {
+              image: 'ghcr.io/home-assistant/home-assistant',
+              tag: { include: String.raw`^\d+\.\d+\.\d+$` },
+              display: { name: 'Home Assistant', icon: 'mdi-home-assistant' },
+              link: {
+                template: 'https://www.home-assistant.io/changelogs/core-${major}${minor}${patch}',
+              },
+              trigger: { include: 'ntfy.default:major' },
+            },
+          },
+        },
+        container: {
+          Image: 'ghcr.io/home-assistant/home-assistant:2026.2.1',
+          Names: ['/homeassistant'],
+        },
+        imageDetails: {
+          Variant: 'v8',
+          RepoDigests: ['ghcr.io/home-assistant/home-assistant@sha256:abc123'],
+        },
+        parseImpl: createHaParseMock(),
+        semverValue: { major: 2026, minor: 2, patch: 1 },
+        registryId: 'ghcr',
+      });
+
+      const result = await docker.addImageDetailsToContainer(container, {
+        includeTags: '^stable$',
+        displayName: 'HA Label Name',
+        displayIcon: 'mdi-docker',
+        triggerInclude: 'discord.default:major',
+      });
+
+      expect(result.includeTags).toBe('^stable$');
+      expect(result.displayName).toBe('HA Label Name');
+      expect(result.displayIcon).toBe('mdi-docker');
+      expect(result.triggerInclude).toBe('discord.default:major');
+      expect(result.linkTemplate).toBe(
+        'https://www.home-assistant.io/changelogs/core-${major}${minor}${patch}',
+      );
+    });
+
+    test('should prefer dd.action and dd.notification aliases over legacy trigger labels', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        registerConfig: {
+          imgset: {
+            homeassistant: {
+              image: 'ghcr.io/home-assistant/home-assistant',
+              tag: { include: String.raw`^\d+\.\d+\.\d+$` },
+              display: { name: 'Home Assistant', icon: 'mdi-home-assistant' },
+              link: {
+                template: 'https://www.home-assistant.io/changelogs/core-${major}${minor}${patch}',
+              },
+              trigger: { include: 'imgset.default:major' },
+            },
+          },
+        },
+        container: {
+          Image: 'ghcr.io/home-assistant/home-assistant:2026.2.1',
+          Names: ['/homeassistant'],
+          Labels: {
+            'dd.action.include': 'action.default:major',
+            'dd.notification.include': 'notification.default:major',
+            'dd.trigger.include': 'legacy.default:major',
+            'wud.trigger.include': 'wud.default:major',
+          },
+        },
+        imageDetails: {
+          Variant: 'v8',
+          RepoDigests: ['ghcr.io/home-assistant/home-assistant@sha256:abc123'],
+        },
+        parseImpl: createHaParseMock(),
+        semverValue: { major: 2026, minor: 2, patch: 1 },
+        registryId: 'ghcr',
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result.triggerInclude).toBe('action.default:major');
+    });
+
+    test('should apply tagFamily from container labels', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'docker.io/library/nginx:1.0.0',
+          Names: ['/nginx'],
+          Labels: { 'dd.tag.family': 'loose' },
+        },
+        parsedImage: { domain: 'docker.io', path: 'library/nginx', tag: '1.0.0' },
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result.tagFamily).toBe('loose');
+    });
+
+    test('should apply imgset tagFamily when label is missing', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        registerConfig: {
+          imgset: {
+            nginx: {
+              image: 'library/nginx',
+              tag: { family: 'loose' },
+            },
+          },
+        },
+        container: {
+          Image: 'docker.io/library/nginx:1.0.0',
+          Names: ['/nginx'],
+        },
+        parsedImage: { domain: 'docker.io', path: 'library/nginx', tag: '1.0.0' },
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result.tagFamily).toBe('loose');
+    });
+
+    test('should apply imgset watchDigest when label is missing', async () => {
+      const watchDigestImgset = {
+        customregistry: {
+          image: 'ghcr.io/home-assistant/home-assistant',
+          watch: { digest: 'true' },
+        },
+      };
+      const container = await setupContainerDetailTest(docker, {
+        registerConfig: { imgset: watchDigestImgset },
+        container: {
+          Image: 'ghcr.io/home-assistant/home-assistant:2026.2.1',
+          Names: ['/homeassistant'],
+        },
+        imageDetails: {
+          Variant: 'v8',
+          RepoDigests: ['ghcr.io/home-assistant/home-assistant@sha256:abc123'],
+        },
+        parseImpl: createHaParseMock(),
+        semverValue: { major: 2026, minor: 2, patch: 1 },
+        registryId: 'ghcr',
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result.image.digest.watch).toBe(true);
+    });
+
+    test('should let dd.watch.digest label override imgset watchDigest', async () => {
+      const watchDigestImgset = {
+        customregistry: {
+          image: 'ghcr.io/home-assistant/home-assistant',
+          watch: { digest: 'true' },
+        },
+      };
+      const container = await setupContainerDetailTest(docker, {
+        registerConfig: { imgset: watchDigestImgset },
+        container: {
+          Image: 'ghcr.io/home-assistant/home-assistant:2026.2.1',
+          Names: ['/homeassistant'],
+          Labels: { 'dd.watch.digest': 'false' },
+        },
+        imageDetails: {
+          Variant: 'v8',
+          RepoDigests: ['ghcr.io/home-assistant/home-assistant@sha256:abc123'],
+        },
+        parseImpl: createHaParseMock(),
+        semverValue: { major: 2026, minor: 2, patch: 1 },
+        registryId: 'ghcr',
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      // Label says false, overriding imgset's true
+      expect(result.image.digest.watch).toBe(false);
+    });
+
+    test('should apply imgset inspectTagPath when label is missing', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        registerConfig: {
+          imgset: {
+            haos: {
+              image: 'ghcr.io/home-assistant/home-assistant',
+              inspect: {
+                tag: { path: 'Config/Labels/org.opencontainers.image.version' },
+              },
+            },
+          },
+        },
+        container: {
+          Image: 'ghcr.io/home-assistant/home-assistant:stable',
+          Names: ['/homeassistant'],
+        },
+        imageDetails: {
+          Variant: 'v8',
+          RepoDigests: ['ghcr.io/home-assistant/home-assistant@sha256:abc123'],
+          Config: {
+            Labels: { 'org.opencontainers.image.version': '2026.2.1' },
+          },
+        },
+        parseImpl: createHaParseMock(),
+        semverValue: { major: 2026, minor: 2, patch: 1, version: '2026.2.1' },
+        registryId: 'ghcr',
+      });
+      hMockTag.transform.mockImplementation((_transform, value) => value);
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      // The tag should be resolved from the inspect path via imgset
+      expect(result.image.tag.value).toBe('2026.2.1');
+    });
+
+    test('should not apply imgset when image does not match any preset', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        registerConfig: {
+          imgset: {
+            homeassistant: {
+              image: 'ghcr.io/home-assistant/home-assistant',
+              tag: { include: String.raw`^\d+\.\d+\.\d+$` },
+              display: { name: 'Home Assistant', icon: 'mdi-home-assistant' },
+            },
+          },
+        },
+        container: {
+          Id: '456',
+          Image: 'nginx:1.25.0',
+          Names: ['/nginx'],
+        },
+        imageDetails: {
+          Id: 'image456',
+          RepoDigests: ['nginx@sha256:def456'],
+        },
+        parseImpl: (value) => {
+          if (value === 'nginx:1.25.0')
+            return { domain: undefined, path: 'library/nginx', tag: '1.25.0' };
+          if (value === 'ghcr.io/home-assistant/home-assistant')
+            return { domain: 'ghcr.io', path: 'home-assistant/home-assistant' };
+          return { domain: undefined, path: 'library/nginx', tag: '1.25.0' };
+        },
+        semverValue: { major: 1, minor: 25, patch: 0 },
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      // No imgset should be applied - fields should be undefined
+      expect(result.includeTags).toBeUndefined();
+      expect(result.displayName).toBe('nginx');
+      expect(result.displayIcon).toBeUndefined();
+    });
+
+    test('should pick the most specific imgset when multiple match', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        registerConfig: {
+          imgset: {
+            generic: { image: 'nginx', display: { name: 'Generic Nginx', icon: 'mdi-web' } },
+            specific: {
+              image: 'harbor.example.com/library/nginx',
+              display: { name: 'Harbor Nginx', icon: 'mdi-web-lock' },
+            },
+          },
+        },
+        container: {
+          Id: '789',
+          Image: 'harbor.example.com/library/nginx:1.25.0',
+          Names: ['/mynginx'],
+        },
+        imageDetails: {
+          Id: 'image789',
+          RepoDigests: ['harbor.example.com/library/nginx@sha256:ghi789'],
+        },
+        parseImpl: (value) => {
+          if (value === 'harbor.example.com/library/nginx:1.25.0')
+            return { domain: 'harbor.example.com', path: 'library/nginx', tag: '1.25.0' };
+          if (value === 'harbor.example.com/library/nginx')
+            return { domain: 'harbor.example.com', path: 'library/nginx' };
+          if (value === 'nginx') return { domain: undefined, path: 'nginx' };
+          return { domain: undefined, path: value };
+        },
+        semverValue: { major: 1, minor: 25, patch: 0 },
+        registryId: 'harbor',
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      // The more specific imgset (harbor.example.com/library/nginx) should win
+      expect(result.displayIcon).toBe('mdi-web-lock');
+    });
+
+    test('should validate configuration with imgset watchDigest and inspectTagPath', async () => {
+      const config = {
+        socket: '/var/run/docker.sock',
+        imgset: {
+          homeassistant: {
+            image: 'ghcr.io/home-assistant/home-assistant',
+            watch: {
+              digest: 'true',
+            },
+            inspect: {
+              tag: {
+                path: 'Config/Labels/org.opencontainers.image.version',
+              },
+            },
+          },
+        },
+      };
+      expect(() => docker.validateConfiguration(config)).not.toThrow();
+    });
+
+    test('should use lookup image label for registry matching', async () => {
+      const harborHubState = createHarborHubRegistryState();
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'harbor.example.com/dockerhub-proxy/traefik:v3.5.3',
+          Names: ['/traefik'],
+          Labels: { 'dd.registry.lookup.image': 'library/traefik' },
+        },
+        imageDetails: {
+          RepoDigests: ['harbor.example.com/dockerhub-proxy/traefik@sha256:abc123'],
+        },
+        parseImpl: (value) => {
+          if (value === 'harbor.example.com/dockerhub-proxy/traefik:v3.5.3')
+            return { domain: 'harbor.example.com', path: 'dockerhub-proxy/traefik', tag: 'v3.5.3' };
+          if (value === 'library/traefik') return { path: 'library/traefik' };
+          return { domain: 'docker.io', path: 'library/nginx', tag: '1.0.0' };
+        },
+        semverValue: { major: 3, minor: 5, patch: 3 },
+        registryState: harborHubState,
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result.image.registry.name).toBe('hub');
+      expect(result.image.registry.url).toBe('https://registry-1.docker.io/v2');
+      expect(result.image.registry.lookupImage).toBe('library/traefik');
+      expect(result.image.name).toBe('library/traefik');
+    });
+
+    test('should support legacy lookup url label without crashing', async () => {
+      const harborHubState = createHarborHubRegistryState();
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'harbor.example.com/dockerhub-proxy/traefik:v3.5.3',
+          Names: ['/traefik'],
+          Labels: { 'dd.registry.lookup.url': 'https://registry-1.docker.io' },
+        },
+        imageDetails: {
+          RepoDigests: ['harbor.example.com/dockerhub-proxy/traefik@sha256:abc123'],
+        },
+        parsedImage: {
+          domain: 'harbor.example.com',
+          path: 'dockerhub-proxy/traefik',
+          tag: 'v3.5.3',
+        },
+        semverValue: { major: 3, minor: 5, patch: 3 },
+        registryState: harborHubState,
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result.image.registry.name).toBe('hub');
+      expect(result.image.registry.lookupImage).toBe('https://registry-1.docker.io');
+      expect(result.image.name).toBe('dockerhub-proxy/traefik');
+    });
+
+    test('should handle container with implicit docker hub image (no domain)', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'prom/prometheus:v3.8.0',
+          Names: ['/prometheus'],
+        },
+        imageDetails: { RepoTags: ['prom/prometheus:v3.8.0'] },
+        parsedImage: { domain: undefined, path: 'prom/prometheus', tag: 'v3.8.0' },
+        validateImpl: () => ({
+          id: '123',
+          name: 'prometheus',
+          image: { architecture: 'amd64' },
+        }),
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result).toBeDefined();
+      // Verify parse was called
+      expect(hMockParse).toHaveBeenCalledWith('prom/prometheus:v3.8.0');
+    });
+
+    test('should fail implicit docker hub image normalization when hub registry provider is missing', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'nginx:1.25.5',
+          Names: ['/hub-proof'],
+        },
+        parsedImage: { domain: undefined, path: 'library/nginx', tag: '1.25.5' },
+        registryState: {},
+        validateImpl: (containerCandidate) => {
+          if (!containerCandidate.image.registry.url) {
+            throw new Error('"image.registry.url" is required');
+          }
+          return containerCandidate;
+        },
+      });
+
+      await expect(docker.addImageDetailsToContainer(container)).rejects.toThrow(
+        '"image.registry.url" is required',
+      );
+    });
+
+    test('should keep implicit docker hub image tracking when hub registry provider is available', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'nginx:1.25.5',
+          Names: ['/hub-proof'],
+        },
+        parsedImage: { domain: undefined, path: 'library/nginx', tag: '1.25.5' },
+        registryState: createHarborHubRegistryState(),
+        validateImpl: (containerCandidate) => {
+          if (!containerCandidate.image.registry.url) {
+            throw new Error('"image.registry.url" is required');
+          }
+          return containerCandidate;
+        },
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result.image.registry.name).toBe('hub');
+      expect(result.image.registry.url).toBe('https://registry-1.docker.io/v2');
+    });
+
+    test('should handle container with SHA256 image', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'sha256:abcdef123456',
+          Names: ['/test'],
+        },
+        imageDetails: { RepoTags: ['nginx:latest'] },
+        validateImpl: () => ({
+          id: '123',
+          name: 'test',
+          image: { architecture: 'amd64' },
+        }),
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result).toBeDefined();
+    });
+
+    test('should handle container with no repo tags but with repo digests', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'sha256:abcdef123456',
+          Names: ['/test'],
+        },
+        imageDetails: {
+          RepoTags: [],
+          RepoDigests: ['portainer/agent@sha256:abcdef123456'],
+        },
+        parseImpl: (value) => {
+          if (value === 'portainer/agent') {
+            return { domain: 'docker.io', path: 'portainer/agent' };
+          }
+          return { domain: 'docker.io', path: 'library/nginx', tag: '1.0.0' };
+        },
+        validateImpl: (c) => c,
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result).toBeDefined();
+      expect(result.image.name).toBe('portainer/agent');
+      expect(result.image.tag.value).toBe('sha256:abcdef123456');
+    });
+
+    test('should handle container with no repo tags and no repo digests', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'sha256:abcdef123456',
+          Names: ['/test'],
+        },
+        imageDetails: { RepoTags: [], RepoDigests: [] },
+        parsedImage: { path: 'sha256:abcdef123456', tag: 'unknown' },
+        validateImpl: (c) => c,
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result).toBeDefined();
+      expect(result.image.tag.value).toBe('unknown');
+    });
+
+    test('should resolve digest-only image without container name (falsy containerName branch)', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'sha256:abcdef123456',
+          Names: [],
+        },
+        imageDetails: { RepoTags: [], RepoDigests: [] },
+        parsedImage: { path: 'sha256:abcdef123456', tag: 'unknown' },
+        validateImpl: (c) => c,
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result).toBeDefined();
+      expect(result.image.tag.value).toBe('unknown');
+    });
+
+    test('should resolve digest-only image with RepoDigests containing @ separator', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'sha256:deadbeef7890',
+          Names: ['/myapp'],
+        },
+        imageDetails: {
+          RepoTags: [],
+          RepoDigests: ['registry.example.com/myapp@sha256:deadbeef7890abcdef'],
+        },
+        parseImpl: (value) => {
+          if (value === 'registry.example.com/myapp') {
+            return { domain: 'registry.example.com', path: 'myapp' };
+          }
+          return { domain: 'docker.io', path: 'library/nginx', tag: '1.0.0' };
+        },
+        validateImpl: (c) => c,
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result).toBeDefined();
+      expect(result.image.name).toBe('myapp');
+      expect(result.image.tag.value).toBe('sha256:deadbeef7890abcdef');
+    });
+
+    test('should resolve digest-only image with RepoDigests lacking @ separator', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'sha256:cafebabe1234',
+          Names: ['/oddimage'],
+        },
+        imageDetails: {
+          RepoTags: [],
+          RepoDigests: ['no-at-sign-here'],
+        },
+        parsedImage: { path: 'sha256:cafebabe1234', tag: 'unknown' },
+        validateImpl: (c) => c,
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result).toBeDefined();
+      expect(result.image.tag.value).toBe('unknown');
+    });
+
+    test('should warn without a container name prefix when digest-only image has no names', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'sha256:abcdef123456',
+          Names: [],
+        },
+        imageDetails: { RepoTags: [], RepoDigests: [] },
+        parsedImage: { path: 'sha256:abcdef123456', tag: 'unknown' },
+        validateImpl: (c) => c,
+      });
+      docker.log = createMockLog(['warn', 'info', 'debug']);
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result).toBeDefined();
+      expect(docker.log.warn).toHaveBeenCalledWith(
+        expect.stringContaining('Cannot get a reliable tag for this image'),
+      );
+    });
+
+    test('should fall back when repo digest is malformed and missing "@"', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'sha256:abcdef123456',
+          Names: ['/test'],
+        },
+        imageDetails: {
+          RepoTags: [],
+          RepoDigests: ['malformed-digest'],
+        },
+        validateImpl: (c) => c,
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result).toBeDefined();
+      expect(result.image.tag.value).toBe('unknown');
+    });
+
+    test('should prefix fallback digest when raw name does not start with sha256:', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'repo@sha256:abcdef123456',
+          Names: ['/test'],
+        },
+        imageDetails: {
+          RepoTags: [],
+          RepoDigests: ['malformed-digest'],
+        },
+        validateImpl: (c) => c,
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result).toBeDefined();
+      expect(result.image.tag.value).toBe('unknown');
+    });
+
+    test('should warn for non-semver without digest watching', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'nginx:latest',
+          Names: ['/test'],
+        },
+        semverValue: null,
+        validateImpl: () => ({
+          id: '123',
+          name: 'test',
+          image: { architecture: 'amd64' },
+        }),
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result).toBeDefined();
+    });
+
+    test('should use inspect path semver when dd.inspect.tag.path is set', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'ghcr.io/example/service:latest',
+          Names: ['/service'],
+          Labels: {
+            'dd.inspect.tag.path': 'Config/Labels/org.opencontainers.image.version',
+          },
+        },
+        imageDetails: {
+          Config: {
+            Labels: { 'org.opencontainers.image.version': '2.7.5' },
+          },
+        },
+        parsedImage: { domain: 'ghcr.io', path: 'example/service', tag: 'latest' },
+        semverValue: null, // will be overridden below
+      });
+      hMockTag.parse.mockImplementation((tag) => (tag === '2.7.5' ? { version: '2.7.5' } : null));
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result.image.tag.value).toBe('2.7.5');
+      expect(result.image.tag.semver).toBe(true);
+    });
+
+    test('should fall back to parsed image tag when inspect path is missing', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'ghcr.io/example/service:latest',
+          Names: ['/service'],
+          Labels: {
+            'dd.inspect.tag.path': 'Config/Labels/org.opencontainers.image.version',
+          },
+        },
+        imageDetails: { Config: { Labels: {} } },
+        parsedImage: { domain: 'ghcr.io', path: 'example/service', tag: 'latest' },
+        semverValue: null,
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result.image.tag.value).toBe('latest');
+      expect(result.image.tag.semver).toBe(false);
+    });
+
+    test('should return a clear error when image inspection fails', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      const container = createDockerContainer({
+        Image: 'ghcr.io/example/service:latest',
+        Names: ['/service'],
+      });
+      mockImage.inspect.mockRejectedValue(new Error('inspect failed'));
+
+      await expect(docker.addImageDetailsToContainer(container)).rejects.toThrow(
+        'Unable to inspect image for container 123: inspect failed',
+      );
+    });
+  });
+});
diff --git a/app/watchers/providers/docker/Docker.containers.labels-version-finding.test.ts b/app/watchers/providers/docker/Docker.containers.labels-version-finding.test.ts
new file mode 100644
index 000000000..5e54b9ce0
--- /dev/null
+++ b/app/watchers/providers/docker/Docker.containers.labels-version-finding.test.ts
@@ -0,0 +1,866 @@
+import { setupDockerWatcherContainerSuite } from './Docker.containers.test.helpers.js';
+import { testable_getLabel } from './Docker.js';
+
+describe('Docker Watcher', () => {
+  let docker;
+  let mockDockerApi;
+  let mockSchedule;
+  let mockContainer;
+  let mockImage;
+  let hRegistry: any;
+  let hMockTag: any;
+
+  setupDockerWatcherContainerSuite((state) => {
+    docker = state.docker;
+    mockDockerApi = state.mockDockerApi;
+    mockSchedule = state.mockSchedule;
+    mockContainer = state.mockContainer;
+    mockImage = state.mockImage;
+  });
+
+  beforeEach(async () => {
+    hRegistry = await import('../../../registry/index.js');
+    hMockTag = await import('../../../tag/index.js');
+  });
+
+  describe('Dual-prefix dd.*/wud.* label support', () => {
+    test('should prefer dd.watch over wud.watch label', async () => {
+      const containers = [
+        {
+          Id: 'dd-label-1',
+          Labels: { 'dd.watch': 'true', 'wud.watch': 'false' },
+          Names: ['/dd-test'],
+        },
+      ];
+      mockDockerApi.listContainers.mockResolvedValue(containers);
+      docker.addImageDetailsToContainer = vi.fn().mockResolvedValue({ id: 'dd-label-1' });
+
+      await docker.register('watcher', 'docker', 'test', {
+        watchbydefault: false,
+      });
+      const result = await docker.getContainers();
+
+      // dd.watch=true should override wud.watch=false
+      expect(result).toHaveLength(1);
+    });
+
+    test('should fall back to wud.watch when dd.watch is not set', async () => {
+      const containers = [
+        {
+          Id: 'wud-fallback-1',
+          Labels: { 'wud.watch': 'true' },
+          Names: ['/wud-test'],
+        },
+      ];
+      mockDockerApi.listContainers.mockResolvedValue(containers);
+      docker.addImageDetailsToContainer = vi.fn().mockResolvedValue({ id: 'wud-fallback-1' });
+
+      await docker.register('watcher', 'docker', 'test', {
+        watchbydefault: false,
+      });
+      const result = await docker.getContainers();
+
+      expect(result).toHaveLength(1);
+    });
+
+    test('should prefer dd.tag.include over wud.tag.include label', async () => {
+      const containers = [
+        {
+          Id: 'dd-tag-1',
+          Labels: {
+            'dd.watch': 'true',
+            'dd.tag.include': String.raw`^v\d+`,
+            'wud.tag.include': String.raw`^\d+`,
+          },
+          Names: ['/dd-tag-test'],
+        },
+      ];
+      mockDockerApi.listContainers.mockResolvedValue(containers);
+      docker.addImageDetailsToContainer = vi.fn().mockResolvedValue({ id: 'dd-tag-1' });
+
+      await docker.register('watcher', 'docker', 'test', {
+        watchbydefault: false,
+      });
+      await docker.getContainers();
+
+      // dd.tag.include should be preferred
+      expect(docker.addImageDetailsToContainer.mock.calls[0][1].includeTags).toBe(
+        String.raw`^v\d+`,
+      );
+    });
+
+    describe('getLabel dual-prefix fallback for all label pairs', () => {
+      const labelPairs = [
+        ['dd.watch', 'wud.watch'],
+        ['dd.tag.include', 'wud.tag.include'],
+        ['dd.tag.exclude', 'wud.tag.exclude'],
+        ['dd.tag.transform', 'wud.tag.transform'],
+        ['dd.inspect.tag.path', 'wud.inspect.tag.path'],
+        ['dd.hRegistry.lookup.image', 'wud.hRegistry.lookup.image'],
+        ['dd.hRegistry.lookup.url', 'wud.hRegistry.lookup.url'],
+        ['dd.watch.digest', 'wud.watch.digest'],
+        ['dd.link.template', 'wud.link.template'],
+        ['dd.display.name', 'wud.display.name'],
+        ['dd.display.icon', 'wud.display.icon'],
+        ['dd.trigger.include', 'wud.trigger.include'],
+        ['dd.trigger.exclude', 'wud.trigger.exclude'],
+        ['dd.group', 'wud.group'],
+        ['dd.hook.pre', 'wud.hook.pre'],
+        ['dd.hook.post', 'wud.hook.post'],
+        ['dd.hook.pre.abort', 'wud.hook.pre.abort'],
+        ['dd.hook.timeout', 'wud.hook.timeout'],
+        ['dd.rollback.auto', 'wud.rollback.auto'],
+        ['dd.rollback.window', 'wud.rollback.window'],
+        ['dd.rollback.interval', 'wud.rollback.interval'],
+      ];
+
+      test.each(labelPairs)('should prefer %s over %s when both are present', (ddKey, wudKey) => {
+        const labels = { [ddKey]: 'dd-value', [wudKey]: 'wud-value' };
+        expect(testable_getLabel(labels, ddKey, wudKey)).toBe('dd-value');
+      });
+
+      test.each(labelPairs)('should fall back to %s when %s is absent', (ddKey, wudKey) => {
+        const labels = { [wudKey]: 'legacy-value' };
+        expect(testable_getLabel(labels, ddKey, wudKey)).toBe('legacy-value');
+      });
+
+      test.each(
+        labelPairs,
+      )('should return undefined when neither %s nor %s is set', (ddKey, wudKey) => {
+        expect(testable_getLabel({}, ddKey, wudKey)).toBeUndefined();
+      });
+    });
+  });
+
+  describe('Version Finding', () => {
+    test('should find new version using registry', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0' },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.0.0', '1.1.0', '2.0.0']),
+      };
+      hRegistry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+      const mockLogChild = { error: vi.fn() };
+
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(mockRegistry.getTags).toHaveBeenCalledWith(container.image);
+      expect(result).toEqual({ tag: '1.0.0' });
+    });
+
+    test('should include result publishedAt when registry can resolve publish date', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0' },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.0.0']),
+        getImagePublishedAt: vi.fn().mockResolvedValue('2026-03-10T10:00:00.000Z'),
+      };
+      hRegistry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+      const mockLogChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(mockRegistry.getImagePublishedAt).toHaveBeenCalledWith(container.image, '1.0.0');
+      expect(result).toEqual({
+        tag: '1.0.0',
+        publishedAt: '2026-03-10T10:00:00.000Z',
+      });
+    });
+
+    test('should resolve publishedAt using fallback tag expression when current tag is empty', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '' },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue([]),
+        getImagePublishedAt: vi.fn().mockResolvedValue('2026-03-01T10:00:00.000Z'),
+      };
+      hRegistry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+      const mockLogChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(mockRegistry.getImagePublishedAt).toHaveBeenCalledWith(container.image, '');
+      expect(result.publishedAt).toEqual('2026-03-01T10:00:00.000Z');
+      expect(result.tag).toEqual('');
+    });
+
+    test('should ignore publish date values that are not strings', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0' },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.0.0']),
+        getImagePublishedAt: vi.fn().mockResolvedValue(new Date('2026-03-10T10:00:00.000Z')),
+      };
+      hRegistry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+      const mockLogChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(result).toEqual({ tag: '1.0.0' });
+    });
+
+    test('should continue when publish date lookup fails', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0' },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.0.0']),
+        getImagePublishedAt: vi.fn().mockRejectedValue(new Error('metadata unavailable')),
+      };
+      hRegistry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+      const mockLogChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(result).toEqual({ tag: '1.0.0' });
+      expect(mockLogChild.debug).toHaveBeenCalledWith(
+        expect.stringContaining('publish date lookup failed'),
+      );
+    });
+
+    test('should continue when publish date lookup fails and debug logger is unavailable', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0' },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.0.0']),
+        getImagePublishedAt: vi.fn().mockRejectedValue(new Error('metadata unavailable')),
+      };
+      hRegistry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+      const mockLogChild = { error: vi.fn(), warn: vi.fn() };
+
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(result).toEqual({ tag: '1.0.0' });
+    });
+
+    test('should handle unsupported registry', async () => {
+      const container = {
+        image: {
+          registry: { name: 'unknown' },
+          tag: { value: '1.0.0' },
+          digest: { watch: false },
+        },
+      };
+      hRegistry.getState.mockReturnValue({ registry: {} });
+      const mockLogChild = { error: vi.fn() };
+
+      try {
+        await docker.findNewVersion(container, mockLogChild);
+      } catch (error) {
+        expect(error.message).toContain('Unsupported Registry');
+      }
+    });
+
+    test('should handle digest watching with v2 manifest', async () => {
+      const container = {
+        image: {
+          id: 'image123',
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0' },
+          digest: { watch: true, repo: 'sha256:abc123' },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.0.0']),
+        getImageManifestDigest: vi
+          .fn()
+          .mockResolvedValueOnce({
+            digest: 'sha256:def456',
+            created: '2023-01-01',
+            version: 2,
+          })
+          .mockResolvedValueOnce({
+            digest: 'sha256:manifest123',
+          }),
+      };
+      hRegistry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+      const mockLogChild = { error: vi.fn() };
+
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(mockRegistry.getImageManifestDigest).toHaveBeenCalledTimes(2);
+      expect(result.digest).toBe('sha256:def456');
+      expect(result.created).toBe('2023-01-01');
+    });
+
+    test('should handle digest watching with v1 manifest using repo digest', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      const container = {
+        image: {
+          id: 'image123',
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0' },
+          digest: { watch: true, repo: 'sha256:abc123' },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.0.0']),
+        getImageManifestDigest: vi.fn().mockResolvedValue({
+          digest: 'sha256:def456',
+          created: '2023-01-01',
+          version: 1,
+        }),
+      };
+      hRegistry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+      const mockLogChild = { error: vi.fn() };
+
+      await docker.findNewVersion(container, mockLogChild);
+
+      expect(container.image.digest.value).toBe('sha256:abc123');
+    });
+
+    test('should use tag candidate for digest lookup when digest watch is true and candidates exist', async () => {
+      const container = {
+        image: {
+          id: 'image123',
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0', semver: true },
+          digest: { watch: true, repo: 'sha256:abc123' },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.0.0', '2.0.0']),
+        getImageManifestDigest: vi
+          .fn()
+          .mockResolvedValueOnce({
+            digest: 'sha256:def456',
+            created: '2023-01-01',
+            version: 2,
+          })
+          .mockResolvedValueOnce({
+            digest: 'sha256:manifest123',
+          }),
+      };
+      hRegistry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+      hMockTag.parse.mockReturnValue({ major: 1, minor: 0, patch: 0 });
+      hMockTag.isGreater.mockImplementation((t2, t1) => {
+        return t2 === '2.0.0' && t1 === '1.0.0';
+      });
+      const mockLogChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      // Should have used the tag candidate (2.0.0) for digest lookup
+      expect(result.tag).toBe('2.0.0');
+      expect(result.digest).toBe('sha256:def456');
+    });
+
+    test('should handle tag candidates with semver', async () => {
+      const container = {
+        includeTags: String.raw`^v\d+`,
+        excludeTags: 'beta',
+        transformTags: 's/v//',
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0', semver: true },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['v1.0.0', 'v1.1.0', 'v2.0.0-beta', 'latest']),
+      };
+      hRegistry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+      hMockTag.parse.mockReturnValue({ major: 1, minor: 1, patch: 0 });
+      hMockTag.isGreater.mockReturnValue(true);
+      const mockLogChild = { error: vi.fn(), warn: vi.fn() };
+
+      await docker.findNewVersion(container, mockLogChild);
+
+      expect(mockRegistry.getTags).toHaveBeenCalled();
+    });
+
+    test('should filter tags with different number of semver parts', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.2', semver: true },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue([
+          '1.2.1', // 3 parts, should be filtered out
+          '1.3', // 2 parts, should be kept
+          '1.1', // 2 parts, should be kept (but lower)
+          '2', // 1 part, should be filtered out
+        ]),
+      };
+      hRegistry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+
+      // Mock isGreater to return true for 1.3 > 1.2
+      hMockTag.isGreater.mockImplementation((t1, t2) => {
+        if (t1 === '1.3' && t2 === '1.2') return true;
+        return false;
+      });
+
+      const mockLogChild = { error: vi.fn(), warn: vi.fn() };
+
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(result).toEqual({ tag: '1.3' });
+    });
+
+    test('should ignore semver tags with mismatched numeric zero-padding style', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '5.1.4', semver: true },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['20.04.1', '5.1.5', '5.1.4']),
+      };
+      hRegistry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+
+      const rank = {
+        '5.1.4': 514,
+        '5.1.5': 515,
+        '20.04.1': 200401,
+      };
+      hMockTag.isGreater.mockImplementation(
+        (version1, version2) => rank[version1] >= rank[version2],
+      );
+
+      const mockLogChild = { error: vi.fn(), warn: vi.fn() };
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(result).toEqual({ tag: '5.1.5' });
+    });
+
+    test('should keep updates within inferred suffix family by default', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.2.3-ls132', semver: true },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.2.4', '1.2.4-ls133', '1.2.3-ls132']),
+      };
+      hRegistry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+
+      const rank = {
+        '1.2.3-ls132': 1230,
+        '1.2.4-ls133': 1240,
+        '1.2.4': 1241,
+      };
+      hMockTag.isGreater.mockImplementation(
+        (version1, version2) => rank[version1] >= rank[version2],
+      );
+
+      const mockLogChild = { error: vi.fn(), warn: vi.fn() };
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(result).toEqual({ tag: '1.2.4-ls133' });
+    });
+
+    test('should keep current tag and warn when strict mode filters only cross-family higher tags', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.2.3-ls132', semver: true },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.2.4', '1.2.3-ls132']),
+      };
+      hRegistry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+
+      const rank = {
+        '1.2.3-ls132': 1230,
+        '1.2.4': 1241,
+      };
+      hMockTag.isGreater.mockImplementation(
+        (version1, version2) => (rank[version1] || 0) > (rank[version2] || 0),
+      );
+
+      const mockLogChild = { error: vi.fn(), warn: vi.fn() };
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(result).toEqual({
+        tag: '1.2.3-ls132',
+        noUpdateReason: expect.stringContaining(
+          'Strict tag-family policy filtered out 1 higher semver tag(s) outside the inferred family of "1.2.3-ls132"',
+        ),
+      });
+      expect(mockLogChild.warn).toHaveBeenCalledWith(
+        expect.stringContaining(
+          'Strict tag-family policy filtered out 1 higher semver tag(s) outside the inferred family of "1.2.3-ls132"',
+        ),
+      );
+    });
+
+    test('should allow cross-family updates in loose mode when no higher same-family tag exists', async () => {
+      const container = {
+        tagFamily: 'loose',
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.2.3-ls132', semver: true },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.2.4', '1.2.3-ls132']),
+      };
+      hRegistry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+
+      const rank = {
+        '1.2.3-ls132': 1230,
+        '1.2.4': 1241,
+      };
+      hMockTag.isGreater.mockImplementation(
+        (version1, version2) => (rank[version1] || 0) > (rank[version2] || 0),
+      );
+
+      const mockLogChild = { error: vi.fn(), warn: vi.fn() };
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(result).toEqual({ tag: '1.2.4' });
+    });
+
+    test('should allow cross-family semver updates when tagFamily is loose', async () => {
+      const container = {
+        tagFamily: 'loose',
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.2.3-ls132', semver: true },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.2.4', '1.2.4-ls133', '1.2.3-ls132']),
+      };
+      hRegistry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+
+      const rank = {
+        '1.2.3-ls132': 1230,
+        '1.2.4-ls133': 1240,
+        '1.2.4': 1241,
+      };
+      hMockTag.isGreater.mockImplementation(
+        (version1, version2) => rank[version1] >= rank[version2],
+      );
+
+      const mockLogChild = { error: vi.fn(), warn: vi.fn() };
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(result).toEqual({ tag: '1.2.4' });
+    });
+
+    test('should fall back to strict mode when tagFamily is invalid', async () => {
+      const container = {
+        tagFamily: 'unsupported',
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.2.3-ls132', semver: true },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.2.4', '1.2.4-ls133', '1.2.3-ls132']),
+      };
+      hRegistry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+
+      const rank = {
+        '1.2.3-ls132': 1230,
+        '1.2.4-ls133': 1240,
+        '1.2.4': 1241,
+      };
+      hMockTag.isGreater.mockImplementation(
+        (version1, version2) => rank[version1] >= rank[version2],
+      );
+
+      const mockLogChild = { error: vi.fn(), warn: vi.fn() };
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(result).toEqual({ tag: '1.2.4-ls133' });
+      expect(mockLogChild.warn).toHaveBeenCalledWith(
+        expect.stringContaining('Invalid tag family policy'),
+      );
+    });
+
+    test('should log one-pass semver candidate filter counters in strict mode', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: 'v1.0.0', semver: true },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['latest', 'v1.0.0', 'v1.1.0', 'v2.0.0', '1.2.0']),
+      };
+      hRegistry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+
+      const rank = {
+        'v1.0.0': 100,
+        'v1.1.0': 110,
+        'v2.0.0': 200,
+      };
+      hMockTag.isGreater.mockImplementation(
+        (version1, version2) => (rank[version1] || 0) > (rank[version2] || 0),
+      );
+
+      const mockLogChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(result).toEqual({ tag: 'v2.0.0' });
+      expect(mockLogChild.debug).toHaveBeenCalledWith(
+        expect.stringContaining(
+          'Tag candidate filter counters (strict): input=5, prefix=3, semver=3, family=3, greater=2, output=2',
+        ),
+      );
+    });
+
+    test('should best-effort suggest semver tag when current tag is outside include filter', async () => {
+      const container = {
+        includeTags: '^1\\.',
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '2.0.0', semver: true },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.8.0', '1.9.0', '2.1.0']),
+      };
+      hRegistry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+
+      const rank = {
+        '1.8.0': 180,
+        '1.9.0': 190,
+        '2.0.0': 200,
+        '2.1.0': 210,
+      };
+      hMockTag.isGreater.mockImplementation(
+        (version1, version2) => rank[version1] >= rank[version2],
+      );
+      hMockTag.parse.mockImplementation((version) => {
+        const score = rank[version];
+        if (!score) {
+          return null;
+        }
+        return {
+          major: Number.parseInt(version.split('.')[0], 10),
+          minor: Number.parseInt(version.split('.')[1], 10),
+          patch: Number.parseInt(version.split('.')[2], 10),
+          prerelease: [],
+        };
+      });
+
+      const mockLogChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(result).toEqual({ tag: '1.9.0' });
+      expect(mockLogChild.warn).toHaveBeenCalledWith(
+        expect.stringContaining('does not match includeTags regex'),
+      );
+      expect(mockLogChild.debug).toHaveBeenCalledWith(expect.stringContaining('greater=skipped'));
+    });
+
+    test('should advise best semver tag when current tag is non-semver and includeTags filter is set', async () => {
+      const container = {
+        includeTags: String.raw`^\d+\.\d+`,
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: 'latest', semver: false },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['latest', 'rolling', '1.0.0', '2.0.0', '3.0.0']),
+      };
+      hRegistry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+
+      const rank = {
+        '1.0.0': 100,
+        '2.0.0': 200,
+        '3.0.0': 300,
+      };
+      hMockTag.isGreater.mockImplementation(
+        (version1, version2) => rank[version1] >= rank[version2],
+      );
+      hMockTag.parse.mockImplementation((version) =>
+        rank[version] ? { major: 1, minor: 0, patch: 0 } : null,
+      );
+
+      const mockLogChild = {
+        error: vi.fn(),
+        warn: vi.fn(),
+        debug: vi.fn(),
+      };
+
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(result).toEqual({
+        tag: '3.0.0',
+        suggestedTag: expect.stringMatching(/^\d+\.\d+\.\d+$/),
+      });
+      expect(mockLogChild.warn).toHaveBeenCalledWith(
+        expect.stringContaining('is not semver but includeTags filter'),
+      );
+    });
+
+    test('should not advise any tag when current tag is non-semver and no includeTags filter is set', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: 'latest', semver: false },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['latest', '1.0.0', '2.0.0']),
+      };
+      hRegistry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+
+      hMockTag.parse.mockReturnValue(null);
+
+      const mockLogChild = {
+        error: vi.fn(),
+        warn: vi.fn(),
+        debug: vi.fn(),
+      };
+
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      // Without includeTags, non-semver tags should not get any advice
+      expect(result).toEqual({ tag: 'latest' });
+    });
+
+    test('should add suggestedTag for latest-tagged containers using highest stable semver', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: 'latest', semver: false },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['latest', '1.27.2', '1.27.3', '1.28.0-rc.1']),
+      };
+      hRegistry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+
+      hMockTag.parse.mockImplementation((tag) => {
+        if (tag === '1.27.2') return { major: 1, minor: 27, patch: 2, prerelease: [] };
+        if (tag === '1.27.3') return { major: 1, minor: 27, patch: 3, prerelease: [] };
+        if (tag === '1.28.0-rc.1') return { major: 1, minor: 28, patch: 0, prerelease: ['rc', 1] };
+        return null;
+      });
+
+      const result = await docker.findNewVersion(container as any, {
+        error: vi.fn(),
+        warn: vi.fn(),
+        debug: vi.fn(),
+      });
+
+      expect(result).toEqual({ tag: 'latest', suggestedTag: '1.27.3' });
+    });
+
+    test('should not add suggestedTag when latest-tagged container has no stable semver tags', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: 'latest', semver: false },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['latest', 'nightly', '1.28.0-beta']),
+      };
+      hRegistry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+
+      hMockTag.parse.mockImplementation((tag) => {
+        if (tag === '1.28.0-beta') return { major: 1, minor: 28, patch: 0, prerelease: ['beta'] };
+        return null;
+      });
+
+      const result = await docker.findNewVersion(container as any, {
+        error: vi.fn(),
+        warn: vi.fn(),
+        debug: vi.fn(),
+      });
+
+      expect(result).toEqual({ tag: 'latest' });
+    });
+  });
+});
diff --git a/app/watchers/providers/docker/Docker.containers.processing-retrieval.test.ts b/app/watchers/providers/docker/Docker.containers.processing-retrieval.test.ts
new file mode 100644
index 000000000..1dfc9335f
--- /dev/null
+++ b/app/watchers/providers/docker/Docker.containers.processing-retrieval.test.ts
@@ -0,0 +1,531 @@
+import {
+  createMockLog,
+  createMockLogWithChild,
+  mockGetFullReleaseNotesForContainer,
+  mockResolveSourceRepoForContainer,
+  mockToContainerReleaseNotes,
+  setupDockerWatcherContainerSuite,
+} from './Docker.containers.test.helpers.js';
+
+describe('Docker Watcher', () => {
+  let docker;
+  let mockDockerApi;
+  let mockSchedule;
+  let mockContainer;
+  let mockImage;
+  let hEvent: any;
+  let hStoreContainer: any;
+
+  setupDockerWatcherContainerSuite((state) => {
+    docker = state.docker;
+    mockDockerApi = state.mockDockerApi;
+    mockSchedule = state.mockSchedule;
+    mockContainer = state.mockContainer;
+    mockImage = state.mockImage;
+  });
+
+  beforeEach(async () => {
+    hEvent = await import('../../../event/index.js');
+    hStoreContainer = await import('../../../store/container.js');
+  });
+
+  describe('Container Processing', () => {
+    test('should watch individual container', async () => {
+      const container = { id: 'test123', name: 'test' };
+      const mockLog = createMockLogWithChild(['debug']);
+      docker.log = mockLog;
+      docker.findNewVersion = vi.fn().mockResolvedValue({ tag: '2.0.0' });
+      docker.mapContainerToContainerReport = vi.fn().mockReturnValue({ container, changed: false });
+
+      await docker.watchContainer(container);
+
+      expect(docker.findNewVersion).toHaveBeenCalledWith(container, expect.any(Object));
+      expect(hEvent.emitContainerReport).toHaveBeenCalled();
+    });
+
+    test('should handle container processing error', async () => {
+      const container = { id: 'test123', name: 'test' };
+      const mockLog = createMockLogWithChild(['warn', 'debug']);
+      docker.log = mockLog;
+      docker.findNewVersion = vi.fn().mockRejectedValue(new Error('Registry error'));
+      docker.mapContainerToContainerReport = vi.fn().mockReturnValue({ container, changed: false });
+
+      await docker.watchContainer(container);
+
+      expect(mockLog._child.warn).toHaveBeenCalledWith(expect.stringContaining('Registry error'));
+      expect(container.error).toEqual({ message: 'Registry error' });
+    });
+
+    test('should fallback to a non-empty message when container processing error is empty', async () => {
+      const container = { id: 'test123', name: 'test' };
+      const mockLog = createMockLogWithChild(['warn', 'debug']);
+      docker.log = mockLog;
+      docker.findNewVersion = vi.fn().mockRejectedValue(new Error(''));
+      docker.mapContainerToContainerReport = vi.fn().mockReturnValue({ container, changed: false });
+
+      await docker.watchContainer(container);
+
+      expect(mockLog._child.warn).toHaveBeenCalledWith(
+        'Error when processing (Unexpected container processing error)',
+      );
+      expect(container.error).toEqual({ message: 'Unexpected container processing error' });
+    });
+
+    test('should attach release notes and source repo for update-available containers', async () => {
+      const container = {
+        id: 'test123',
+        name: 'test',
+        updateAvailable: true,
+        image: {
+          name: 'acme/service',
+          registry: {
+            url: 'ghcr.io',
+          },
+          tag: {
+            value: '1.0.0',
+          },
+        },
+      };
+      const mockLog = createMockLogWithChild(['warn', 'debug']);
+      docker.log = mockLog;
+      docker.findNewVersion = vi.fn().mockResolvedValue({ tag: '2.0.0' });
+      docker.mapContainerToContainerReport = vi.fn().mockReturnValue({ container, changed: false });
+      mockResolveSourceRepoForContainer.mockResolvedValue('github.com/acme/service');
+      mockGetFullReleaseNotesForContainer.mockResolvedValue({
+        title: 'v2.0.0',
+        body: 'Release body',
+        url: 'https://github.com/acme/service/releases/tag/v2.0.0',
+        publishedAt: '2026-03-01T00:00:00.000Z',
+        provider: 'github',
+      });
+      mockToContainerReleaseNotes.mockReturnValue({
+        title: 'v2.0.0',
+        body: 'Release body',
+        url: 'https://github.com/acme/service/releases/tag/v2.0.0',
+        publishedAt: '2026-03-01T00:00:00.000Z',
+        provider: 'github',
+      });
+
+      await docker.watchContainer(container as any);
+
+      expect(mockResolveSourceRepoForContainer).toHaveBeenCalledWith(container);
+      expect(mockGetFullReleaseNotesForContainer).toHaveBeenCalledWith(container);
+      expect(container.sourceRepo).toBe('github.com/acme/service');
+      expect(container.result?.releaseNotes).toEqual({
+        title: 'v2.0.0',
+        body: 'Release body',
+        url: 'https://github.com/acme/service/releases/tag/v2.0.0',
+        publishedAt: '2026-03-01T00:00:00.000Z',
+        provider: 'github',
+      });
+    });
+
+    test('should ignore release notes failures', async () => {
+      const container = {
+        id: 'test123',
+        name: 'test',
+        updateAvailable: true,
+        image: {
+          name: 'acme/service',
+          registry: {
+            url: 'ghcr.io',
+          },
+          tag: {
+            value: '1.0.0',
+          },
+        },
+      };
+      const mockLog = createMockLogWithChild(['warn', 'debug']);
+      docker.log = mockLog;
+      docker.findNewVersion = vi.fn().mockResolvedValue({ tag: '2.0.0' });
+      docker.mapContainerToContainerReport = vi.fn().mockReturnValue({ container, changed: false });
+      mockResolveSourceRepoForContainer.mockResolvedValue('github.com/acme/service');
+      mockGetFullReleaseNotesForContainer.mockRejectedValue(new Error('rate limited'));
+
+      await docker.watchContainer(container as any);
+
+      expect(container.error).toBeUndefined();
+      expect(mockLog._child.debug).toHaveBeenCalledWith(
+        expect.stringContaining('Unable to fetch release notes'),
+      );
+    });
+  });
+
+  describe('Container Retrieval', () => {
+    test('should get containers with default options', async () => {
+      const containers = [
+        {
+          Id: '123',
+          Labels: { 'dd.watch': 'true' },
+          Names: ['/test'],
+        },
+      ];
+      mockDockerApi.listContainers.mockResolvedValue(containers);
+      docker.addImageDetailsToContainer = vi.fn().mockResolvedValue({ id: '123' });
+
+      await docker.register('watcher', 'docker', 'test', {
+        watchbydefault: true,
+      });
+      const result = await docker.getContainers();
+
+      expect(mockDockerApi.listContainers).toHaveBeenCalledWith({});
+      expect(result).toHaveLength(1);
+    });
+
+    test('should get all containers when watchall enabled', async () => {
+      mockDockerApi.listContainers.mockResolvedValue([]);
+
+      await docker.register('watcher', 'docker', 'test', {
+        watchall: true,
+      });
+      await docker.getContainers();
+
+      expect(mockDockerApi.listContainers).toHaveBeenCalledWith({
+        all: true,
+      });
+    });
+
+    test('should filter containers based on watch label', async () => {
+      const containers = [
+        { Id: '1', Labels: { 'dd.watch': 'true' }, Names: ['/test1'] },
+        {
+          Id: '2',
+          Labels: { 'dd.watch': 'false' },
+          Names: ['/test2'],
+        },
+        { Id: '3', Labels: {}, Names: ['/test3'] },
+      ];
+      mockDockerApi.listContainers.mockResolvedValue(containers);
+      docker.addImageDetailsToContainer = vi.fn().mockResolvedValue({ id: '1' });
+
+      await docker.register('watcher', 'docker', 'test', {
+        watchbydefault: false,
+      });
+      const result = await docker.getContainers();
+
+      expect(result).toHaveLength(1);
+    });
+
+    test('should apply swarm service deploy labels to container filtering and tag include', async () => {
+      const containers = [
+        {
+          Id: 'swarm-task-1',
+          Image: 'authelia/authelia:4.39.15',
+          Names: ['/authelia_authelia.1.xxxxx'],
+          Labels: {
+            'com.docker.swarm.service.id': 'service123',
+          },
+        },
+      ];
+      mockDockerApi.listContainers.mockResolvedValue(containers);
+      mockDockerApi.getService.mockReturnValue({
+        inspect: vi.fn().mockResolvedValue({
+          Spec: {
+            Labels: {
+              'dd.watch': 'true',
+              'dd.tag.include': String.raw`^\d+\.\d+\.\d+$`,
+            },
+          },
+        }),
+      });
+      docker.addImageDetailsToContainer = vi.fn().mockResolvedValue({ id: 'swarm-task-1' });
+
+      await docker.register('watcher', 'docker', 'test', {
+        watchbydefault: false,
+      });
+      const result = await docker.getContainers();
+
+      expect(result).toHaveLength(1);
+      expect(mockDockerApi.getService).toHaveBeenCalledWith('service123');
+      expect(docker.addImageDetailsToContainer).toHaveBeenCalledTimes(1);
+      expect(docker.addImageDetailsToContainer.mock.calls[0][1].includeTags).toBe(
+        String.raw`^\d+\.\d+\.\d+$`,
+      );
+    });
+
+    test('should let container labels override swarm service labels', async () => {
+      const containers = [
+        {
+          Id: 'swarm-task-2',
+          Image: 'grafana/alloy:v1.12.2',
+          Names: ['/monitoring_alloy.1.yyyyy'],
+          Labels: {
+            'com.docker.swarm.service.id': 'service456',
+            'dd.watch': 'true',
+            'dd.tag.include': String.raw`^v\d+\.\d+\.\d+$`,
+          },
+        },
+      ];
+      mockDockerApi.listContainers.mockResolvedValue(containers);
+      mockDockerApi.getService.mockReturnValue({
+        inspect: vi.fn().mockResolvedValue({
+          Spec: {
+            Labels: {
+              'dd.watch': 'false',
+              'dd.tag.include': String.raw`^\d+\.\d+\.\d+$`,
+            },
+          },
+        }),
+      });
+      docker.addImageDetailsToContainer = vi.fn().mockResolvedValue({ id: 'swarm-task-2' });
+
+      await docker.register('watcher', 'docker', 'test', {
+        watchbydefault: false,
+      });
+      const result = await docker.getContainers();
+
+      expect(result).toHaveLength(1);
+      expect(docker.addImageDetailsToContainer.mock.calls[0][1].includeTags).toBe(
+        String.raw`^v\d+\.\d+\.\d+$`,
+      );
+    });
+
+    test('should cache swarm service label lookups per service', async () => {
+      const containers = [
+        {
+          Id: 'swarm-task-3a',
+          Image: 'example/service:1.0.0',
+          Names: ['/svc.1.a'],
+          Labels: {
+            'com.docker.swarm.service.id': 'service789',
+          },
+        },
+        {
+          Id: 'swarm-task-3b',
+          Image: 'example/service:1.0.0',
+          Names: ['/svc.2.b'],
+          Labels: {
+            'com.docker.swarm.service.id': 'service789',
+          },
+        },
+      ];
+      mockDockerApi.listContainers.mockResolvedValue(containers);
+      mockDockerApi.getService.mockReturnValue({
+        inspect: vi.fn().mockResolvedValue({
+          Spec: {
+            Labels: {
+              'dd.watch': 'true',
+            },
+          },
+        }),
+      });
+      docker.addImageDetailsToContainer = vi.fn().mockResolvedValue({ id: 'ok' });
+
+      await docker.register('watcher', 'docker', 'test', {
+        watchbydefault: false,
+      });
+      await docker.getContainers();
+
+      expect(mockDockerApi.getService).toHaveBeenCalledTimes(1);
+      expect(mockDockerApi.getService).toHaveBeenCalledWith('service789');
+    });
+
+    test('should pick up dd labels from deploy-only labels (Spec.Labels) when container has no dd labels', async () => {
+      // Simulates: docker-compose deploy: labels: dd.tag.include (NOT root labels:)
+      // In Swarm, deploy labels go to Spec.Labels but NOT to container.Labels
+      const containers = [
+        {
+          Id: 'swarm-deploy-only',
+          Image: 'authelia/authelia:4.39.15',
+          Names: ['/authelia_authelia.1.xxxxx'],
+          Labels: {
+            'com.docker.swarm.service.id': 'svc-deploy-labels',
+            'com.docker.swarm.task.id': 'task1',
+            'com.docker.swarm.task.name': 'authelia_authelia.1.xxxxx',
+            // NO dd.* labels — they only exist in Spec.Labels
+          },
+        },
+      ];
+      mockDockerApi.listContainers.mockResolvedValue(containers);
+      mockDockerApi.getService.mockReturnValue({
+        inspect: vi.fn().mockResolvedValue({
+          Spec: {
+            Labels: {
+              'dd.watch': 'true',
+              'dd.tag.include': String.raw`^\d+\.\d+\.\d+$`,
+            },
+            TaskTemplate: {
+              ContainerSpec: {
+                // No Labels here — deploy labels don't go to TaskTemplate
+              },
+            },
+          },
+        }),
+      });
+      docker.addImageDetailsToContainer = vi.fn().mockResolvedValue({ id: 'swarm-deploy-only' });
+
+      await docker.register('watcher', 'docker', 'test', {
+        watchbydefault: false,
+      });
+      const result = await docker.getContainers();
+
+      expect(result).toHaveLength(1);
+      expect(docker.addImageDetailsToContainer).toHaveBeenCalledTimes(1);
+      // The tag include regex should come from Spec.Labels
+      expect(docker.addImageDetailsToContainer.mock.calls[0][1].includeTags).toBe(
+        String.raw`^\d+\.\d+\.\d+$`,
+      );
+    });
+
+    test('should gracefully handle swarm service inspect failure without losing container', async () => {
+      const containers = [
+        {
+          Id: 'swarm-inspect-fail',
+          Image: 'example/app:1.0.0',
+          Names: ['/app.1.xxxxx'],
+          Labels: {
+            'com.docker.swarm.service.id': 'svc-fail',
+            'dd.watch': 'true',
+          },
+        },
+      ];
+      mockDockerApi.listContainers.mockResolvedValue(containers);
+      mockDockerApi.getService.mockReturnValue({
+        inspect: vi.fn().mockRejectedValue(new Error('service not found')),
+      });
+      docker.addImageDetailsToContainer = vi.fn().mockResolvedValue({ id: 'swarm-inspect-fail' });
+
+      await docker.register('watcher', 'docker', 'test', {
+        watchbydefault: false,
+      });
+      const result = await docker.getContainers();
+
+      // Container should still be watched using its own labels
+      expect(result).toHaveLength(1);
+      // tag.include should be undefined since service inspect failed and
+      // the container itself has no dd.tag.include
+      expect(docker.addImageDetailsToContainer.mock.calls[0][1].includeTags).toBeUndefined();
+    });
+
+    test('should handle mixed label sources: deploy labels + root labels across services', async () => {
+      // Simulates: authelia with deploy labels, alloy with root labels
+      const containers = [
+        {
+          Id: 'swarm-authelia',
+          Image: 'authelia/authelia:4.39.15',
+          Names: ['/authelia_authelia.1.aaa'],
+          Labels: {
+            'com.docker.swarm.service.id': 'svc-authelia',
+            // deploy: labels: go to Spec.Labels, NOT here
+          },
+        },
+        {
+          Id: 'swarm-alloy',
+          Image: 'grafana/alloy:v1.12.2',
+          Names: ['/monitoring_alloy.1.bbb'],
+          Labels: {
+            'com.docker.swarm.service.id': 'svc-alloy',
+            // Root labels: ARE on the container
+            'dd.watch': 'true',
+            'dd.tag.include': String.raw`^v\d+\.\d+\.\d+$`,
+          },
+        },
+      ];
+      mockDockerApi.listContainers.mockResolvedValue(containers);
+      mockDockerApi.getService.mockImplementation((serviceId: string) => ({
+        inspect: vi.fn().mockResolvedValue(
+          serviceId === 'svc-authelia'
+            ? {
+                Spec: {
+                  Labels: {
+                    'dd.watch': 'true',
+                    'dd.tag.include': String.raw`^\d+\.\d+\.\d+$`,
+                  },
+                },
+              }
+            : {
+                Spec: {
+                  TaskTemplate: {
+                    ContainerSpec: {
+                      Labels: {
+                        'dd.watch': 'true',
+                        'dd.tag.include': String.raw`^v\d+\.\d+\.\d+$`,
+                      },
+                    },
+                  },
+                },
+              },
+        ),
+      }));
+      docker.addImageDetailsToContainer = vi
+        .fn()
+        .mockImplementation((_container: any, labelOverrides: any) =>
+          Promise.resolve({ id: _container.Id, includeTags: labelOverrides?.includeTags }),
+        );
+
+      await docker.register('watcher', 'docker', 'test', {
+        watchbydefault: false,
+      });
+      const result = await docker.getContainers();
+
+      expect(result).toHaveLength(2);
+      // Authelia's tag include should come from Spec.Labels (deploy labels)
+      const autheliaCall = docker.addImageDetailsToContainer.mock.calls.find(
+        (call: any) => call[0].Id === 'swarm-authelia',
+      );
+      expect(autheliaCall[1].includeTags).toBe(String.raw`^\d+\.\d+\.\d+$`);
+      // Alloy's tag include should come from container labels (root labels)
+      const alloyCall = docker.addImageDetailsToContainer.mock.calls.find(
+        (call: any) => call[0].Id === 'swarm-alloy',
+      );
+      expect(alloyCall[1].includeTags).toBe(String.raw`^v\d+\.\d+\.\d+$`);
+    });
+
+    test('should prune old containers', async () => {
+      const oldContainers = [{ id: 'old1' }, { id: 'old2' }];
+      hStoreContainer.getContainers.mockReturnValue(oldContainers);
+      mockDockerApi.listContainers.mockResolvedValue([]);
+      // Simulate containers no longer existing in Docker
+      mockDockerApi.getContainer.mockReturnValue({
+        inspect: vi.fn().mockRejectedValue(new Error('no such container')),
+      });
+
+      await docker.register('watcher', 'docker', 'test', {});
+      await docker.getContainers();
+
+      expect(hStoreContainer.deleteContainer).toHaveBeenCalledWith('old1');
+      expect(hStoreContainer.deleteContainer).toHaveBeenCalledWith('old2');
+    });
+
+    test('should continue when pruneOldContainers throws during stale record cleanup', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLog(['warn']);
+      hStoreContainer.getContainers.mockReturnValue([
+        { id: 'old1', watcher: 'test', name: 'svc' } as any,
+      ]);
+      hStoreContainer.deleteContainer.mockImplementation(() => {
+        throw new Error('Delete failed');
+      });
+      mockDockerApi.listContainers.mockResolvedValue([
+        {
+          Id: 'new1',
+          Labels: { 'dd.watch': 'true' },
+          Names: ['/svc'],
+        },
+      ]);
+      docker.addImageDetailsToContainer = vi
+        .fn()
+        .mockResolvedValue({ id: 'new1', watcher: 'test', name: 'svc' });
+
+      const result = await docker.getContainers();
+
+      expect(result).toEqual([{ id: 'new1', watcher: 'test', name: 'svc' }]);
+      expect(docker.log.warn).toHaveBeenCalledWith(
+        expect.stringContaining('Error when trying to prune the old containers (Delete failed)'),
+      );
+    });
+
+    test('should handle pruning error', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLog(['warn']);
+      hStoreContainer.getContainers.mockImplementationOnce(() => {
+        throw new Error('Store error');
+      });
+      mockDockerApi.listContainers.mockResolvedValue([]);
+
+      await docker.getContainers();
+
+      expect(docker.log.warn).toHaveBeenCalledWith(expect.stringContaining('Store error'));
+    });
+  });
+});
diff --git a/app/watchers/providers/docker/Docker.containers.reporting-utility-coverage.test.ts b/app/watchers/providers/docker/Docker.containers.reporting-utility-coverage.test.ts
new file mode 100644
index 000000000..15eb7df32
--- /dev/null
+++ b/app/watchers/providers/docker/Docker.containers.reporting-utility-coverage.test.ts
@@ -0,0 +1,120 @@
+import {
+  createMockLogWithChild,
+  setupDockerWatcherContainerSuite,
+} from './Docker.containers.test.helpers.js';
+
+let hStoreContainer: any;
+
+describe('Docker Watcher', () => {
+  let docker;
+  let mockDockerApi;
+  let mockSchedule;
+  let mockContainer;
+  let mockImage;
+
+  setupDockerWatcherContainerSuite((state) => {
+    docker = state.docker;
+    mockDockerApi = state.mockDockerApi;
+    mockSchedule = state.mockSchedule;
+    mockContainer = state.mockContainer;
+    mockImage = state.mockImage;
+  });
+
+  beforeEach(async () => {
+    hStoreContainer = await import('../../../store/container.js');
+  });
+
+  describe('Container Reporting', () => {
+    test('should map container to report for new container', async () => {
+      const container = { id: '123', name: 'test' };
+      docker.log = createMockLogWithChild(['debug']);
+      hStoreContainer.getContainer.mockReturnValue(undefined);
+      hStoreContainer.insertContainer.mockReturnValue(container);
+
+      const result = docker.mapContainerToContainerReport(container);
+
+      expect(result.changed).toBe(true);
+      expect(hStoreContainer.insertContainer).toHaveBeenCalledWith(container);
+    });
+
+    test('should map container to report for existing container', async () => {
+      const container = {
+        id: '123',
+        name: 'test',
+        updateAvailable: true,
+      };
+      const existingContainer = {
+        resultChanged: vi.fn().mockReturnValue(true),
+      };
+      docker.log = createMockLogWithChild(['debug']);
+      hStoreContainer.getContainer.mockReturnValue(existingContainer);
+      hStoreContainer.updateContainer.mockReturnValue(container);
+
+      const result = docker.mapContainerToContainerReport(container);
+
+      expect(result.changed).toBe(true);
+      expect(hStoreContainer.updateContainer).toHaveBeenCalledWith(container);
+    });
+
+    test('should not mark as changed when no update available', async () => {
+      const container = {
+        id: '123',
+        name: 'test',
+        updateAvailable: false,
+      };
+      const existingContainer = {
+        resultChanged: vi.fn().mockReturnValue(true),
+      };
+      docker.log = createMockLogWithChild(['debug']);
+      hStoreContainer.getContainer.mockReturnValue(existingContainer);
+      hStoreContainer.updateContainer.mockReturnValue(container);
+
+      const result = docker.mapContainerToContainerReport(container);
+
+      expect(result.changed).toBe(false);
+    });
+  });
+
+  describe('Utility Functions', () => {
+    test('should get tag candidates with include filter', async () => {
+      const tags = ['v1.0.0', 'latest', 'v2.0.0', 'beta'];
+      const filtered = tags.filter((tag) => /^v\d+/.test(tag));
+      expect(filtered).toEqual(['v1.0.0', 'v2.0.0']);
+    });
+
+    test('should get container name and strip slash', async () => {
+      const container = { Names: ['/test-container'] };
+      const name = container.Names[0].replace(/\//, '');
+      expect(name).toBe('test-container');
+    });
+
+    test('should get repo digest from image', async () => {
+      const image = { RepoDigests: ['nginx@sha256:abc123def456'] };
+      const digest = image.RepoDigests[0].split('@')[1];
+      expect(digest).toBe('sha256:abc123def456');
+    });
+
+    test('should handle empty repo digests', async () => {
+      const image = { RepoDigests: [] };
+      expect(image.RepoDigests.length).toBe(0);
+    });
+
+    test('should get old containers for pruning', async () => {
+      const newContainers = [{ id: '1' }, { id: '2' }];
+      const storeContainers = [{ id: '1' }, { id: '3' }];
+
+      const oldContainers = storeContainers.filter((storeContainer) => {
+        const stillExists = newContainers.find(
+          (newContainer) => newContainer.id === storeContainer.id,
+        );
+        return stillExists === undefined;
+      });
+
+      expect(oldContainers).toEqual([{ id: '3' }]);
+    });
+
+    test('should handle null inputs for old containers', async () => {
+      expect([].filter(() => false)).toEqual([]);
+    });
+  });
+});
diff --git a/app/watchers/providers/docker/Docker.containers.test.helpers.ts b/app/watchers/providers/docker/Docker.containers.test.helpers.ts
new file mode 100644
index 000000000..3fee94f5a
--- /dev/null
+++ b/app/watchers/providers/docker/Docker.containers.test.helpers.ts
@@ -0,0 +1,499 @@
+import type { Mocked } from 'vitest';
+import * as event from '../../../event/index.js';
+import { fullName } from '../../../model/container.js';
+import * as registry from '../../../registry/index.js';
+import * as storeContainer from '../../../store/container.js';
+import { mockConstructor } from '../../../test/mock-constructor.js';
+import { _resetRegistryWebhookFreshStateForTests } from '../../registry-webhook-fresh.js';
+import { getDockerWatcherRegistryId, getDockerWatcherSourceKey } from './container-init.js';
+import Docker, {
+  testable_filterBySegmentCount,
+  testable_filterRecreatedContainerAliases,
+  testable_getContainerDisplayName,
+  testable_getContainerName,
+  testable_getCurrentPrefix,
+  testable_getFirstDigitIndex,
+  testable_getImageForRegistryLookup,
+  testable_getImageReferenceCandidatesFromPattern,
+  testable_getImgsetSpecificity,
+  testable_getInspectValueByPath,
+  testable_getLabel,
+  testable_getOldContainers,
+  testable_normalizeConfigNumberValue,
+  testable_normalizeContainer,
+  testable_pruneOldContainers,
+  testable_shouldUpdateDisplayNameFromContainerName,
+} from './Docker.js';
+
+const mockDdEnvVars = vi.hoisted(() => ({}) as Record<string, string | undefined>);
+const mockDetectSourceRepoFromImageMetadata = vi.hoisted(() => vi.fn());
+const mockResolveSourceRepoForContainer = vi.hoisted(() => vi.fn());
+const mockGetFullReleaseNotesForContainer = vi.hoisted(() => vi.fn());
+const mockToContainerReleaseNotes = vi.hoisted(() => vi.fn((notes) => notes));
+vi.mock('../../../configuration/index.js', async (importOriginal) => ({
+  ...(await importOriginal<typeof import('../../../configuration/index.js')>()),
+  ddEnvVars: mockDdEnvVars,
+}));
+vi.mock('../../../release-notes/index.js', () => ({
+  detectSourceRepoFromImageMetadata: (...args: unknown[]) =>
+    mockDetectSourceRepoFromImageMetadata(...args),
+  resolveSourceRepoForContainer: (...args: unknown[]) => mockResolveSourceRepoForContainer(...args),
+  getFullReleaseNotesForContainer: (...args: unknown[]) =>
+    mockGetFullReleaseNotesForContainer(...args),
+  toContainerReleaseNotes: (...args: unknown[]) => mockToContainerReleaseNotes(...args),
+}));
+
+// Mock all dependencies
+vi.mock('dockerode');
+vi.mock('node-cron');
+vi.mock('just-debounce');
+vi.mock('../../../event');
+vi.mock('../../../store/container');
+vi.mock('../../../registry/index.js');
+vi.mock('../../../model/container');
+vi.mock('../../../tag');
+vi.mock('../../../prometheus/watcher');
+vi.mock('parse-docker-image-name');
+vi.mock('node:fs');
+vi.mock('axios');
+vi.mock('./maintenance.js', () => ({
+  isInMaintenanceWindow: vi.fn(() => true),
+  getNextMaintenanceWindow: vi.fn(() => undefined),
+}));
+
+import axios from 'axios';
+import mockDockerode from 'dockerode';
+import mockDebounce from 'just-debounce';
+import mockCron from 'node-cron';
+import mockParse from 'parse-docker-image-name';
+import * as mockPrometheus from '../../../prometheus/watcher.js';
+import * as mockTag from '../../../tag/index.js';
+import * as maintenance from './maintenance.js';
+
+const mockAxios = axios as Mocked<typeof axios>;
+
+// --- Shared factory functions to reduce test duplication ---
+
+/** Base OIDC auth configuration for remote Docker API tests. */
+function createOidcConfig(oidcOverrides = {}, configOverrides = {}) {
+  return {
+    host: 'docker-api.example.com',
+    port: 443,
+    protocol: 'https',
+    auth: {
+      type: 'oidc',
+      oidc: {
+        tokenurl: 'https://idp.example.com/oauth/token',
+        ...oidcOverrides,
+      },
+    },
+    ...configOverrides,
+  };
+}
+
+/** Device flow OIDC config (adds deviceurl + clientid to base OIDC). */
+function createDeviceFlowConfig(oidcOverrides = {}, configOverrides = {}) {
+  return createOidcConfig(
+    {
+      deviceurl: 'https://idp.example.com/oauth/device/code',
+      clientid: 'dd-device-client',
+      ...oidcOverrides,
+    },
+    configOverrides,
+  );
+}
+
+/** Standard device authorization response from the IdP. */
+function createDeviceCodeResponse(overrides = {}) {
+  return {
+    device_code: 'device-code-123',
+    user_code: 'ABCD-1234',
+    verification_uri: 'https://idp.example.com/device',
+    interval: 1,
+    expires_in: 300,
+    ...overrides,
+  };
+}
+
+/** Token response from the IdP. */
+function createTokenResponse(overrides = {}) {
+  return {
+    access_token: 'test-token',
+    expires_in: 3600,
+    ...overrides,
+  };
+}
+
+/** Creates a mock log object with commonly needed methods. */
+function createMockLog(methods = ['info', 'warn', 'debug', 'error']) {
+  const log = {};
+  for (const m of methods) {
+    log[m] = vi.fn();
+  }
+  return log;
+}
+
+/** Creates a mock log with a child() that returns another mock log. */
+function createMockLogWithChild(childMethods = ['info', 'warn', 'debug', 'error']) {
+  const childLog = createMockLog(childMethods);
+  return {
+    child: vi.fn().mockReturnValue(childLog),
+    ...createMockLog(['info', 'warn', 'debug', 'error']),
+    _child: childLog,
+  };
+}
+
+/** Standard mock registry for container detail tests. */
+function createMockRegistry(id = 'hub', matchFn = () => true) {
+  return {
+    normalizeImage: vi.fn((img) => img),
+    getId: () => id,
+    match: matchFn,
+  };
+}
+
+/** Standard image details fixture. */
+function createImageDetails(overrides = {}) {
+  return {
+    Id: 'image123',
+    Architecture: 'amd64',
+    Os: 'linux',
+    Created: '2023-01-01',
+    ...overrides,
+  };
+}
+
+/** Standard container fixture for Docker API list results. */
+function createDockerContainer(overrides = {}) {
+  return {
+    Id: '123',
+    Names: ['/test-container'],
+    State: 'running',
+    Labels: {},
+    ...overrides,
+  };
+}
+
+/**
+ * Harbor + Docker Hub dual-registry state for lookup label tests.
+ */
+function createHarborHubRegistryState() {
+  return {
+    harbor: {
+      normalizeImage: vi.fn((img) => img),
+      getId: () => 'harbor',
+      match: (img) => img.registry.url === 'harbor.example.com',
+    },
+    hub: {
+      normalizeImage: vi.fn((img) => ({
+        ...img,
+        registry: {
+          ...img.registry,
+          url: 'https://registry-1.docker.io/v2',
+        },
+      })),
+      getId: () => 'hub',
+      match: (img) => !img.registry.url || /^.*\.?docker.io$/.test(img.registry.url),
+    },
+  };
+}
+
+/**
+ * Home Assistant mockParse implementation (used in multiple imgset tests).
+ * Maps HA image strings to their parsed components.
+ */
+function createHaParseMock() {
+  return (value) => {
+    if (value === 'ghcr.io/home-assistant/home-assistant:2026.2.1') {
+      return { domain: 'ghcr.io', path: 'home-assistant/home-assistant', tag: '2026.2.1' };
+    }
+    if (value === 'ghcr.io/home-assistant/home-assistant:stable') {
+      return { domain: 'ghcr.io', path: 'home-assistant/home-assistant', tag: 'stable' };
+    }
+    if (value === 'ghcr.io/home-assistant/home-assistant') {
+      return { domain: 'ghcr.io', path: 'home-assistant/home-assistant' };
+    }
+    return { domain: 'docker.io', path: 'library/nginx', tag: '1.0.0' };
+  };
+}
+
+function createDockerOidcStateAdapter(docker) {
+  return {
+    get accessToken() {
+      return docker.remoteOidcAccessToken;
+    },
+    set accessToken(value) {
+      docker.remoteOidcAccessToken = value;
+    },
+    get refreshToken() {
+      return docker.remoteOidcRefreshToken;
+    },
+    set refreshToken(value) {
+      docker.remoteOidcRefreshToken = value;
+    },
+    get accessTokenExpiresAt() {
+      return docker.remoteOidcAccessTokenExpiresAt;
+    },
+    set accessTokenExpiresAt(value) {
+      docker.remoteOidcAccessTokenExpiresAt = value;
+    },
+    get deviceCodeCompleted() {
+      return docker.remoteOidcDeviceCodeCompleted;
+    },
+    set deviceCodeCompleted(value) {
+      docker.remoteOidcDeviceCodeCompleted = value;
+    },
+  };
+}
+
+function createDockerOidcContext(docker) {
+  return {
+    watcherName: docker.name,
+    log: docker.log,
+    state: createDockerOidcStateAdapter(docker),
+    getOidcAuthString: (paths) => docker.getOidcAuthString(paths),
+    getOidcAuthNumber: (paths) => docker.getOidcAuthNumber(paths),
+    normalizeNumber: testable_normalizeConfigNumberValue,
+    sleep: (ms) => docker.sleep(ms),
+  };
+}
+
+/**
+ * Setup a container-detail test: registers the watcher, sets up image inspect,
+ * parse mock, tag mock, registry state, and validateContainer mock.
+ * Returns the raw Docker API container object, ready for addImageDetailsToContainer.
+ */
+async function setupContainerDetailTest(
+  docker,
+  {
+    registerConfig = {},
+    container: containerOverrides = {},
+    imageDetails: imageOverrides = {},
+    parsedImage = { domain: 'docker.io', path: 'library/nginx', tag: '1.0.0' },
+    parseImpl = undefined,
+    semverValue = { major: 1, minor: 0, patch: 0 },
+    registryId = 'hub',
+    registryMatchFn = () => true,
+    registryState = undefined,
+    validateImpl = (c) => c,
+  } = {},
+) {
+  await docker.register('watcher', 'docker', 'test', registerConfig);
+
+  const imageDetails = createImageDetails(imageOverrides);
+  mockImage.inspect.mockResolvedValue(imageDetails);
+
+  if (parseImpl) {
+    mockParse.mockImplementation(parseImpl);
+  } else {
+    mockParse.mockReturnValue(parsedImage);
+  }
+  mockTag.parse.mockReturnValue(semverValue);
+
+  if (registryState) {
+    registry.getState.mockReturnValue({ registry: registryState });
+  } else {
+    const mockReg = createMockRegistry(registryId, registryMatchFn);
+    registry.getState.mockReturnValue({ registry: { [registryId]: mockReg } });
+  }
+
+  const containerModule = await import('../../../model/container.js');
+  const validateContainer = containerModule.validate;
+  validateContainer.mockImplementation(validateImpl);
+
+  return createDockerContainer(containerOverrides);
+}
+
+// Keep a module-level reference so setupContainerDetailTest can see it
+let mockImage;
+
+export type DockerContainersTestState = {
+  docker: Docker;
+  mockDockerApi: {
+    listContainers: ReturnType<typeof vi.fn>;
+    getContainer: ReturnType<typeof vi.fn>;
+    getEvents: ReturnType<typeof vi.fn>;
+    getImage: ReturnType<typeof vi.fn>;
+    getService: ReturnType<typeof vi.fn>;
+    modem: {
+      headers: Record<string, unknown>;
+    };
+  };
+  mockSchedule: {
+    stop: ReturnType<typeof vi.fn>;
+  };
+  mockContainer: {
+    inspect: ReturnType<typeof vi.fn>;
+  };
+  mockImage: {
+    inspect: ReturnType<typeof vi.fn>;
+  };
+};
+
+export function setupDockerWatcherContainerSuite(
+  assignState: (state: DockerContainersTestState) => void,
+) {
+  let docker: Docker;
+  let mockDockerApi: DockerContainersTestState['mockDockerApi'];
+  let mockSchedule: DockerContainersTestState['mockSchedule'];
+  let mockContainer: DockerContainersTestState['mockContainer'];
+  let localMockImage: DockerContainersTestState['mockImage'];
+
+  beforeEach(async () => {
+    vi.clearAllMocks();
+    _resetRegistryWebhookFreshStateForTests();
+
+    // Setup dockerode mock
+    mockDockerApi = {
+      listContainers: vi.fn(),
+      getContainer: vi.fn(),
+      getEvents: vi.fn(),
+      getImage: vi.fn(),
+      getService: vi.fn(),
+      modem: {
+        headers: {},
+      },
+    };
+    mockDockerode.mockImplementation(mockConstructor(mockDockerApi));
+
+    // Setup cron mock
+    mockSchedule = {
+      stop: vi.fn(),
+    };
+    mockCron.schedule.mockReturnValue(mockSchedule);
+
+    // Setup debounce mock
+    mockDebounce.mockImplementation((fn) => fn);
+
+    // Setup container mock
+    mockContainer = {
+      inspect: vi.fn(),
+    };
+    mockDockerApi.getContainer.mockReturnValue(mockContainer);
+
+    // Setup image mock
+    localMockImage = {
+      inspect: vi.fn(),
+    };
+    mockImage = localMockImage;
+    mockDockerApi.getImage.mockReturnValue(localMockImage);
+
+    // Setup store mock
+    storeContainer.getContainers.mockReturnValue([]);
+    storeContainer.getContainer.mockReturnValue(undefined);
+    storeContainer.insertContainer.mockImplementation((c) => c);
+    storeContainer.updateContainer.mockImplementation((c) => c);
+    storeContainer.deleteContainer.mockImplementation(() => {});
+
+    // Setup registry mock
+    registry.getState.mockReturnValue({ registry: {} });
+
+    // Setup event mock
+    event.emitWatcherStart.mockImplementation(() => {});
+    event.emitWatcherStop.mockImplementation(() => {});
+    event.emitContainerReport.mockImplementation(() => {});
+    event.emitContainerReports.mockImplementation(() => {});
+
+    // Setup tag mock
+    mockTag.parse.mockReturnValue({ major: 1, minor: 0, patch: 0 });
+    mockTag.isGreater.mockReturnValue(false);
+    mockTag.transform.mockImplementation((transform, tag) => tag);
+
+    // Setup prometheus mock
+    const mockGauge = { set: vi.fn() };
+    mockPrometheus.getWatchContainerGauge.mockReturnValue(mockGauge);
+    mockPrometheus.getMaintenanceSkipCounter.mockReturnValue({
+      labels: vi.fn().mockReturnValue({ inc: vi.fn() }),
+    });
+    mockPrometheus.getLoggerInitFailureCounter.mockReturnValue({
+      labels: vi.fn().mockReturnValue({ inc: vi.fn() }),
+    });
+
+    // Setup maintenance helpers
+    maintenance.isInMaintenanceWindow.mockReturnValue(true);
+    maintenance.getNextMaintenanceWindow.mockReturnValue(undefined);
+
+    // Setup parse mock
+    mockParse.mockReturnValue({
+      domain: 'docker.io',
+      path: 'library/nginx',
+      tag: '1.0.0',
+    });
+
+    mockAxios.post.mockResolvedValue({
+      data: {
+        access_token: 'oidc-token',
+        expires_in: 300,
+      },
+    } as any);
+
+    // Setup fullName mock
+    fullName.mockReturnValue('test_container');
+
+    docker = new Docker();
+    assignState({
+      docker,
+      mockDockerApi,
+      mockSchedule,
+      mockContainer,
+      mockImage: localMockImage,
+    });
+  });
+
+  afterEach(async () => {
+    vi.useRealTimers();
+    if (docker) {
+      await docker.deregisterComponent();
+    }
+  });
+}
+
+export {
+  createDeviceCodeResponse,
+  createDeviceFlowConfig,
+  createDockerContainer,
+  createDockerOidcContext,
+  createDockerOidcStateAdapter,
+  createHaParseMock,
+  createHarborHubRegistryState,
+  createImageDetails,
+  createMockLog,
+  createMockLogWithChild,
+  createMockRegistry,
+  createOidcConfig,
+  createTokenResponse,
+  Docker,
+  event,
+  fullName,
+  getDockerWatcherRegistryId,
+  getDockerWatcherSourceKey,
+  maintenance,
+  mockAxios,
+  mockDdEnvVars,
+  mockDetectSourceRepoFromImageMetadata,
+  mockGetFullReleaseNotesForContainer,
+  mockParse,
+  mockPrometheus,
+  mockResolveSourceRepoForContainer,
+  mockTag,
+  mockToContainerReleaseNotes,
+  registry,
+  setupContainerDetailTest,
+  storeContainer,
+  testable_filterBySegmentCount,
+  testable_filterRecreatedContainerAliases,
+  testable_getContainerDisplayName,
+  testable_getContainerName,
+  testable_getCurrentPrefix,
+  testable_getFirstDigitIndex,
+  testable_getImageForRegistryLookup,
+  testable_getImageReferenceCandidatesFromPattern,
+  testable_getImgsetSpecificity,
+  testable_getInspectValueByPath,
+  testable_getLabel,
+  testable_getOldContainers,
+  testable_normalizeConfigNumberValue,
+  testable_normalizeContainer,
+  testable_pruneOldContainers,
+  testable_shouldUpdateDisplayNameFromContainerName,
+};
diff --git a/app/watchers/providers/docker/Docker.containers.test.ts b/app/watchers/providers/docker/Docker.containers.test.ts
new file mode 100644
index 000000000..e305720a6
--- /dev/null
+++ b/app/watchers/providers/docker/Docker.containers.test.ts
@@ -0,0 +1,4052 @@
+import type { Mocked } from 'vitest';
+import * as event from '../../../event/index.js';
+import { fullName } from '../../../model/container.js';
+import * as registry from '../../../registry/index.js';
+import * as storeContainer from '../../../store/container.js';
+import { mockConstructor } from '../../../test/mock-constructor.js';
+import { _resetRegistryWebhookFreshStateForTests } from '../../registry-webhook-fresh.js';
+import { getDockerWatcherRegistryId, getDockerWatcherSourceKey } from './container-init.js';
+import Docker, {
+  testable_filterBySegmentCount,
+  testable_filterRecreatedContainerAliases,
+  testable_getContainerDisplayName,
+  testable_getContainerName,
+  testable_getCurrentPrefix,
+  testable_getFirstDigitIndex,
+  testable_getImageForRegistryLookup,
+  testable_getImageReferenceCandidatesFromPattern,
+  testable_getImgsetSpecificity,
+  testable_getInspectValueByPath,
+  testable_getLabel,
+  testable_getOldContainers,
+  testable_normalizeConfigNumberValue,
+  testable_normalizeContainer,
+  testable_pruneOldContainers,
+  testable_shouldUpdateDisplayNameFromContainerName,
+} from './Docker.js';
+
+const mockDdEnvVars = vi.hoisted(() => ({}) as Record<string, string | undefined>);
+const mockDetectSourceRepoFromImageMetadata = vi.hoisted(() => vi.fn());
+const mockResolveSourceRepoForContainer = vi.hoisted(() => vi.fn());
+const mockGetFullReleaseNotesForContainer = vi.hoisted(() => vi.fn());
+const mockToContainerReleaseNotes = vi.hoisted(() => vi.fn((notes) => notes));
+vi.mock('../../../configuration/index.js', async (importOriginal) => ({
+  ...(await importOriginal<typeof import('../../../configuration/index.js')>()),
+  ddEnvVars: mockDdEnvVars,
+}));
+vi.mock('../../../release-notes/index.js', () => ({
+  detectSourceRepoFromImageMetadata: (...args: unknown[]) =>
+    mockDetectSourceRepoFromImageMetadata(...args),
+  resolveSourceRepoForContainer: (...args: unknown[]) => mockResolveSourceRepoForContainer(...args),
+  getFullReleaseNotesForContainer: (...args: unknown[]) =>
+    mockGetFullReleaseNotesForContainer(...args),
+  toContainerReleaseNotes: (...args: unknown[]) => mockToContainerReleaseNotes(...args),
+}));
+
+// Mock all dependencies
+vi.mock('dockerode');
+vi.mock('node-cron');
+vi.mock('just-debounce');
+vi.mock('../../../event');
+vi.mock('../../../store/container');
+vi.mock('../../../registry/index.js');
+vi.mock('../../../model/container');
+vi.mock('../../../tag');
+vi.mock('../../../prometheus/watcher');
+vi.mock('parse-docker-image-name');
+vi.mock('node:fs');
+vi.mock('axios');
+vi.mock('./maintenance.js', () => ({
+  isInMaintenanceWindow: vi.fn(() => true),
+  getNextMaintenanceWindow: vi.fn(() => undefined),
+}));
+
+import axios from 'axios';
+import mockDockerode from 'dockerode';
+import mockDebounce from 'just-debounce';
+import mockCron from 'node-cron';
+import mockParse from 'parse-docker-image-name';
+import * as mockPrometheus from '../../../prometheus/watcher.js';
+import * as mockTag from '../../../tag/index.js';
+import * as maintenance from './maintenance.js';
+
+const mockAxios = axios as Mocked<typeof axios>;
+
+// --- Shared factory functions to reduce test duplication ---
+
+/** Creates a mock log object with commonly needed methods. */
+function createMockLog(methods = ['info', 'warn', 'debug', 'error']) {
+  const log = {};
+  for (const m of methods) {
+    log[m] = vi.fn();
+  }
+  return log;
+}
+
+/** Creates a mock log with a child() that returns another mock log. */
+function createMockLogWithChild(childMethods = ['info', 'warn', 'debug', 'error']) {
+  const childLog = createMockLog(childMethods);
+  return {
+    child: vi.fn().mockReturnValue(childLog),
+    ...createMockLog(['info', 'warn', 'debug', 'error']),
+    _child: childLog,
+  };
+}
+
+/** Standard mock registry for container detail tests. */
+function createMockRegistry(id = 'hub', matchFn = () => true) {
+  return {
+    normalizeImage: vi.fn((img) => img),
+    getId: () => id,
+    match: matchFn,
+  };
+}
+
+/** Standard image details fixture. */
+function createImageDetails(overrides = {}) {
+  return {
+    Id: 'image123',
+    Architecture: 'amd64',
+    Os: 'linux',
+    Created: '2023-01-01',
+    ...overrides,
+  };
+}
+
+/** Standard container fixture for Docker API list results. */
+function createDockerContainer(overrides = {}) {
+  return {
+    Id: '123',
+    Names: ['/test-container'],
+    State: 'running',
+    Labels: {},
+    ...overrides,
+  };
+}
+
+/**
+ * Harbor + Docker Hub dual-registry state for lookup label tests.
+ */
+function createHarborHubRegistryState() {
+  return {
+    harbor: {
+      normalizeImage: vi.fn((img) => img),
+      getId: () => 'harbor',
+      match: (img) => img.registry.url === 'harbor.example.com',
+    },
+    hub: {
+      normalizeImage: vi.fn((img) => ({
+        ...img,
+        registry: {
+          ...img.registry,
+          url: 'https://registry-1.docker.io/v2',
+        },
+      })),
+      getId: () => 'hub',
+      match: (img) => !img.registry.url || /^.*\.?docker.io$/.test(img.registry.url),
+    },
+  };
+}
+
+/**
+ * Home Assistant mockParse implementation (used in multiple imgset tests).
+ * Maps HA image strings to their parsed components.
+ */
+function createHaParseMock() {
+  return (value) => {
+    if (value === 'ghcr.io/home-assistant/home-assistant:2026.2.1') {
+      return { domain: 'ghcr.io', path: 'home-assistant/home-assistant', tag: '2026.2.1' };
+    }
+    if (value === 'ghcr.io/home-assistant/home-assistant:stable') {
+      return { domain: 'ghcr.io', path: 'home-assistant/home-assistant', tag: 'stable' };
+    }
+    if (value === 'ghcr.io/home-assistant/home-assistant') {
+      return { domain: 'ghcr.io', path: 'home-assistant/home-assistant' };
+    }
+    return { domain: 'docker.io', path: 'library/nginx', tag: '1.0.0' };
+  };
+}
+
+/**
+ * Setup a container-detail test: registers the watcher, sets up image inspect,
+ * parse mock, tag mock, registry state, and validateContainer mock.
+ * Returns the raw Docker API container object, ready for addImageDetailsToContainer.
+ */
+async function setupContainerDetailTest(
+  docker,
+  {
+    registerConfig = {},
+    container: containerOverrides = {},
+    imageDetails: imageOverrides = {},
+    parsedImage = { domain: 'docker.io', path: 'library/nginx', tag: '1.0.0' },
+    parseImpl = undefined,
+    semverValue = { major: 1, minor: 0, patch: 0 },
+    registryId = 'hub',
+    registryMatchFn = () => true,
+    registryState = undefined,
+    validateImpl = (c) => c,
+  } = {},
+) {
+  await docker.register('watcher', 'docker', 'test', registerConfig);
+
+  const imageDetails = createImageDetails(imageOverrides);
+  mockImage.inspect.mockResolvedValue(imageDetails);
+
+  if (parseImpl) {
+    mockParse.mockImplementation(parseImpl);
+  } else {
+    mockParse.mockReturnValue(parsedImage);
+  }
+  mockTag.parse.mockReturnValue(semverValue);
+
+  if (registryState) {
+    registry.getState.mockReturnValue({ registry: registryState });
+  } else {
+    const mockReg = createMockRegistry(registryId, registryMatchFn);
+    registry.getState.mockReturnValue({ registry: { [registryId]: mockReg } });
+  }
+
+  const containerModule = await import('../../../model/container.js');
+  const validateContainer = containerModule.validate;
+  validateContainer.mockImplementation(validateImpl);
+
+  return createDockerContainer(containerOverrides);
+}
+
+// Keep a module-level reference so setupContainerDetailTest can see it
+let mockImage;
+
+describe('Docker Watcher', () => {
+  let docker;
+  let mockDockerApi;
+  let mockSchedule;
+  let mockContainer;
+
+  beforeEach(async () => {
+    vi.clearAllMocks();
+    _resetRegistryWebhookFreshStateForTests();
+
+    // Setup dockerode mock
+    mockDockerApi = {
+      listContainers: vi.fn(),
+      getContainer: vi.fn(),
+      getEvents: vi.fn(),
+      getImage: vi.fn(),
+      getService: vi.fn(),
+      modem: {
+        headers: {},
+      },
+    };
+    mockDockerode.mockImplementation(mockConstructor(mockDockerApi));
+
+    // Setup cron mock
+    mockSchedule = {
+      stop: vi.fn(),
+    };
+    mockCron.schedule.mockReturnValue(mockSchedule);
+
+    // Setup debounce mock
+    mockDebounce.mockImplementation((fn) => fn);
+
+    // Setup container mock
+    mockContainer = {
+      inspect: vi.fn(),
+    };
+    mockDockerApi.getContainer.mockReturnValue(mockContainer);
+
+    // Setup image mock
+    mockImage = {
+      inspect: vi.fn(),
+    };
+    mockDockerApi.getImage.mockReturnValue(mockImage);
+
+    // Setup store mock
+    storeContainer.getContainers.mockReturnValue([]);
+    storeContainer.getContainer.mockReturnValue(undefined);
+    storeContainer.insertContainer.mockImplementation((c) => c);
+    storeContainer.updateContainer.mockImplementation((c) => c);
+    storeContainer.deleteContainer.mockImplementation(() => {});
+
+    // Setup registry mock
+    registry.getState.mockReturnValue({ registry: {} });
+
+    // Setup event mock
+    event.emitWatcherStart.mockImplementation(() => {});
+    event.emitWatcherStop.mockImplementation(() => {});
+    event.emitContainerReport.mockImplementation(() => {});
+    event.emitContainerReports.mockImplementation(() => {});
+
+    // Setup tag mock
+    mockTag.parse.mockReturnValue({ major: 1, minor: 0, patch: 0 });
+    mockTag.isGreater.mockReturnValue(false);
+    mockTag.transform.mockImplementation((transform, tag) => tag);
+
+    // Setup prometheus mock
+    const mockGauge = { set: vi.fn() };
+    mockPrometheus.getWatchContainerGauge.mockReturnValue(mockGauge);
+    mockPrometheus.getMaintenanceSkipCounter.mockReturnValue({
+      labels: vi.fn().mockReturnValue({ inc: vi.fn() }),
+    });
+    mockPrometheus.getLoggerInitFailureCounter.mockReturnValue({
+      labels: vi.fn().mockReturnValue({ inc: vi.fn() }),
+    });
+
+    // Setup maintenance helpers
+    maintenance.isInMaintenanceWindow.mockReturnValue(true);
+    maintenance.getNextMaintenanceWindow.mockReturnValue(undefined);
+
+    // Setup parse mock
+    mockParse.mockReturnValue({
+      domain: 'docker.io',
+      path: 'library/nginx',
+      tag: '1.0.0',
+    });
+
+    mockAxios.post.mockResolvedValue({
+      data: {
+        access_token: 'oidc-token',
+        expires_in: 300,
+      },
+    } as any);
+
+    // Setup fullName mock
+    fullName.mockReturnValue('test_container');
+
+    docker = new Docker();
+  });
+
+  afterEach(async () => {
+    vi.useRealTimers();
+    if (docker) {
+      await docker.deregisterComponent();
+    }
+  });
+
+  describe('Container Processing', () => {
+    test('should watch individual container', async () => {
+      const container = { id: 'test123', name: 'test' };
+      const mockLog = createMockLogWithChild(['debug']);
+      docker.log = mockLog;
+      docker.findNewVersion = vi.fn().mockResolvedValue({ tag: '2.0.0' });
+      docker.mapContainerToContainerReport = vi.fn().mockReturnValue({ container, changed: false });
+
+      await docker.watchContainer(container);
+
+      expect(docker.findNewVersion).toHaveBeenCalledWith(container, expect.any(Object));
+      expect(event.emitContainerReport).toHaveBeenCalled();
+    });
+
+    test('should handle container processing error', async () => {
+      const container = { id: 'test123', name: 'test' };
+      const mockLog = createMockLogWithChild(['warn', 'debug']);
+      docker.log = mockLog;
+      docker.findNewVersion = vi.fn().mockRejectedValue(new Error('Registry error'));
+      docker.mapContainerToContainerReport = vi.fn().mockReturnValue({ container, changed: false });
+
+      await docker.watchContainer(container);
+
+      expect(mockLog._child.warn).toHaveBeenCalledWith(expect.stringContaining('Registry error'));
+      expect(container.error).toEqual({ message: 'Registry error' });
+    });
+
+    test('should fallback to a non-empty message when container processing error is empty', async () => {
+      const container = { id: 'test123', name: 'test' };
+      const mockLog = createMockLogWithChild(['warn', 'debug']);
+      docker.log = mockLog;
+      docker.findNewVersion = vi.fn().mockRejectedValue(new Error(''));
+      docker.mapContainerToContainerReport = vi.fn().mockReturnValue({ container, changed: false });
+
+      await docker.watchContainer(container);
+
+      expect(mockLog._child.warn).toHaveBeenCalledWith(
+        'Error when processing (Unexpected container processing error)',
+      );
+      expect(container.error).toEqual({ message: 'Unexpected container processing error' });
+    });
+
+    test('should attach release notes and source repo for update-available containers', async () => {
+      const container = {
+        id: 'test123',
+        name: 'test',
+        updateAvailable: true,
+        image: {
+          name: 'acme/service',
+          registry: {
+            url: 'ghcr.io',
+          },
+          tag: {
+            value: '1.0.0',
+          },
+        },
+      };
+      const mockLog = createMockLogWithChild(['warn', 'debug']);
+      docker.log = mockLog;
+      docker.findNewVersion = vi.fn().mockResolvedValue({ tag: '2.0.0' });
+      docker.mapContainerToContainerReport = vi.fn().mockReturnValue({ container, changed: false });
+      mockResolveSourceRepoForContainer.mockResolvedValue('github.com/acme/service');
+      mockGetFullReleaseNotesForContainer.mockResolvedValue({
+        title: 'v2.0.0',
+        body: 'Release body',
+        url: 'https://github.com/acme/service/releases/tag/v2.0.0',
+        publishedAt: '2026-03-01T00:00:00.000Z',
+        provider: 'github',
+      });
+      mockToContainerReleaseNotes.mockReturnValue({
+        title: 'v2.0.0',
+        body: 'Release body',
+        url: 'https://github.com/acme/service/releases/tag/v2.0.0',
+        publishedAt: '2026-03-01T00:00:00.000Z',
+        provider: 'github',
+      });
+
+      await docker.watchContainer(container as any);
+
+      expect(mockResolveSourceRepoForContainer).toHaveBeenCalledWith(container);
+      expect(mockGetFullReleaseNotesForContainer).toHaveBeenCalledWith(container);
+      expect(container.sourceRepo).toBe('github.com/acme/service');
+      expect(container.result?.releaseNotes).toEqual({
+        title: 'v2.0.0',
+        body: 'Release body',
+        url: 'https://github.com/acme/service/releases/tag/v2.0.0',
+        publishedAt: '2026-03-01T00:00:00.000Z',
+        provider: 'github',
+      });
+    });
+
+    test('should ignore release notes failures', async () => {
+      const container = {
+        id: 'test123',
+        name: 'test',
+        updateAvailable: true,
+        image: {
+          name: 'acme/service',
+          registry: {
+            url: 'ghcr.io',
+          },
+          tag: {
+            value: '1.0.0',
+          },
+        },
+      };
+      const mockLog = createMockLogWithChild(['warn', 'debug']);
+      docker.log = mockLog;
+      docker.findNewVersion = vi.fn().mockResolvedValue({ tag: '2.0.0' });
+      docker.mapContainerToContainerReport = vi.fn().mockReturnValue({ container, changed: false });
+      mockResolveSourceRepoForContainer.mockResolvedValue('github.com/acme/service');
+      mockGetFullReleaseNotesForContainer.mockRejectedValue(new Error('rate limited'));
+
+      await docker.watchContainer(container as any);
+
+      expect(container.error).toBeUndefined();
+      expect(mockLog._child.debug).toHaveBeenCalledWith(
+        expect.stringContaining('Unable to fetch release notes'),
+      );
+    });
+  });
+
+  describe('Container Retrieval', () => {
+    test('should get containers with default options', async () => {
+      const containers = [
+        {
+          Id: '123',
+          Labels: { 'dd.watch': 'true' },
+          Names: ['/test'],
+        },
+      ];
+      mockDockerApi.listContainers.mockResolvedValue(containers);
+      docker.addImageDetailsToContainer = vi.fn().mockResolvedValue({ id: '123' });
+
+      await docker.register('watcher', 'docker', 'test', {
+        watchbydefault: true,
+      });
+      const result = await docker.getContainers();
+
+      expect(mockDockerApi.listContainers).toHaveBeenCalledWith({});
+      expect(result).toHaveLength(1);
+    });
+
+    test('should get all containers when watchall enabled', async () => {
+      mockDockerApi.listContainers.mockResolvedValue([]);
+
+      await docker.register('watcher', 'docker', 'test', {
+        watchall: true,
+      });
+      await docker.getContainers();
+
+      expect(mockDockerApi.listContainers).toHaveBeenCalledWith({
+        all: true,
+      });
+    });
+
+    test('should filter containers based on watch label', async () => {
+      const containers = [
+        { Id: '1', Labels: { 'dd.watch': 'true' }, Names: ['/test1'] },
+        {
+          Id: '2',
+          Labels: { 'dd.watch': 'false' },
+          Names: ['/test2'],
+        },
+        { Id: '3', Labels: {}, Names: ['/test3'] },
+      ];
+      mockDockerApi.listContainers.mockResolvedValue(containers);
+      docker.addImageDetailsToContainer = vi.fn().mockResolvedValue({ id: '1' });
+
+      await docker.register('watcher', 'docker', 'test', {
+        watchbydefault: false,
+      });
+      const result = await docker.getContainers();
+
+      expect(result).toHaveLength(1);
+    });
+
+    test('should apply swarm service deploy labels to container filtering and tag include', async () => {
+      const containers = [
+        {
+          Id: 'swarm-task-1',
+          Image: 'authelia/authelia:4.39.15',
+          Names: ['/authelia_authelia.1.xxxxx'],
+          Labels: {
+            'com.docker.swarm.service.id': 'service123',
+          },
+        },
+      ];
+      mockDockerApi.listContainers.mockResolvedValue(containers);
+      mockDockerApi.getService.mockReturnValue({
+        inspect: vi.fn().mockResolvedValue({
+          Spec: {
+            Labels: {
+              'dd.watch': 'true',
+              'dd.tag.include': String.raw`^\d+\.\d+\.\d+$`,
+            },
+          },
+        }),
+      });
+      docker.addImageDetailsToContainer = vi.fn().mockResolvedValue({ id: 'swarm-task-1' });
+
+      await docker.register('watcher', 'docker', 'test', {
+        watchbydefault: false,
+      });
+      const result = await docker.getContainers();
+
+      expect(result).toHaveLength(1);
+      expect(mockDockerApi.getService).toHaveBeenCalledWith('service123');
+      expect(docker.addImageDetailsToContainer).toHaveBeenCalledTimes(1);
+      expect(docker.addImageDetailsToContainer.mock.calls[0][1].includeTags).toBe(
+        String.raw`^\d+\.\d+\.\d+$`,
+      );
+    });
+
+    test('should let container labels override swarm service labels', async () => {
+      const containers = [
+        {
+          Id: 'swarm-task-2',
+          Image: 'grafana/alloy:v1.12.2',
+          Names: ['/monitoring_alloy.1.yyyyy'],
+          Labels: {
+            'com.docker.swarm.service.id': 'service456',
+            'dd.watch': 'true',
+            'dd.tag.include': String.raw`^v\d+\.\d+\.\d+$`,
+          },
+        },
+      ];
+      mockDockerApi.listContainers.mockResolvedValue(containers);
+      mockDockerApi.getService.mockReturnValue({
+        inspect: vi.fn().mockResolvedValue({
+          Spec: {
+            Labels: {
+              'dd.watch': 'false',
+              'dd.tag.include': String.raw`^\d+\.\d+\.\d+$`,
+            },
+          },
+        }),
+      });
+      docker.addImageDetailsToContainer = vi.fn().mockResolvedValue({ id: 'swarm-task-2' });
+
+      await docker.register('watcher', 'docker', 'test', {
+        watchbydefault: false,
+      });
+      const result = await docker.getContainers();
+
+      expect(result).toHaveLength(1);
+      expect(docker.addImageDetailsToContainer.mock.calls[0][1].includeTags).toBe(
+        String.raw`^v\d+\.\d+\.\d+$`,
+      );
+    });
+
+    test('should cache swarm service label lookups per service', async () => {
+      const containers = [
+        {
+          Id: 'swarm-task-3a',
+          Image: 'example/service:1.0.0',
+          Names: ['/svc.1.a'],
+          Labels: {
+            'com.docker.swarm.service.id': 'service789',
+          },
+        },
+        {
+          Id: 'swarm-task-3b',
+          Image: 'example/service:1.0.0',
+          Names: ['/svc.2.b'],
+          Labels: {
+            'com.docker.swarm.service.id': 'service789',
+          },
+        },
+      ];
+      mockDockerApi.listContainers.mockResolvedValue(containers);
+      mockDockerApi.getService.mockReturnValue({
+        inspect: vi.fn().mockResolvedValue({
+          Spec: {
+            Labels: {
+              'dd.watch': 'true',
+            },
+          },
+        }),
+      });
+      docker.addImageDetailsToContainer = vi.fn().mockResolvedValue({ id: 'ok' });
+
+      await docker.register('watcher', 'docker', 'test', {
+        watchbydefault: false,
+      });
+      await docker.getContainers();
+
+      expect(mockDockerApi.getService).toHaveBeenCalledTimes(1);
+      expect(mockDockerApi.getService).toHaveBeenCalledWith('service789');
+    });
+
+    test('should pick up dd labels from deploy-only labels (Spec.Labels) when container has no dd labels', async () => {
+      // Simulates: docker-compose deploy: labels: dd.tag.include (NOT root labels:)
+      // In Swarm, deploy labels go to Spec.Labels but NOT to container.Labels
+      const containers = [
+        {
+          Id: 'swarm-deploy-only',
+          Image: 'authelia/authelia:4.39.15',
+          Names: ['/authelia_authelia.1.xxxxx'],
+          Labels: {
+            'com.docker.swarm.service.id': 'svc-deploy-labels',
+            'com.docker.swarm.task.id': 'task1',
+            'com.docker.swarm.task.name': 'authelia_authelia.1.xxxxx',
+            // NO dd.* labels — they only exist in Spec.Labels
+          },
+        },
+      ];
+      mockDockerApi.listContainers.mockResolvedValue(containers);
+      mockDockerApi.getService.mockReturnValue({
+        inspect: vi.fn().mockResolvedValue({
+          Spec: {
+            Labels: {
+              'dd.watch': 'true',
+              'dd.tag.include': String.raw`^\d+\.\d+\.\d+$`,
+            },
+            TaskTemplate: {
+              ContainerSpec: {
+                // No Labels here — deploy labels don't go to TaskTemplate
+              },
+            },
+          },
+        }),
+      });
+      docker.addImageDetailsToContainer = vi.fn().mockResolvedValue({ id: 'swarm-deploy-only' });
+
+      await docker.register('watcher', 'docker', 'test', {
+        watchbydefault: false,
+      });
+      const result = await docker.getContainers();
+
+      expect(result).toHaveLength(1);
+      expect(docker.addImageDetailsToContainer).toHaveBeenCalledTimes(1);
+      // The tag include regex should come from Spec.Labels
+      expect(docker.addImageDetailsToContainer.mock.calls[0][1].includeTags).toBe(
+        String.raw`^\d+\.\d+\.\d+$`,
+      );
+    });
+
+    test('should gracefully handle swarm service inspect failure without losing container', async () => {
+      const containers = [
+        {
+          Id: 'swarm-inspect-fail',
+          Image: 'example/app:1.0.0',
+          Names: ['/app.1.xxxxx'],
+          Labels: {
+            'com.docker.swarm.service.id': 'svc-fail',
+            'dd.watch': 'true',
+          },
+        },
+      ];
+      mockDockerApi.listContainers.mockResolvedValue(containers);
+      mockDockerApi.getService.mockReturnValue({
+        inspect: vi.fn().mockRejectedValue(new Error('service not found')),
+      });
+      docker.addImageDetailsToContainer = vi.fn().mockResolvedValue({ id: 'swarm-inspect-fail' });
+
+      await docker.register('watcher', 'docker', 'test', {
+        watchbydefault: false,
+      });
+      const result = await docker.getContainers();
+
+      // Container should still be watched using its own labels
+      expect(result).toHaveLength(1);
+      // tag.include should be undefined since service inspect failed and
+      // the container itself has no dd.tag.include
+      expect(docker.addImageDetailsToContainer.mock.calls[0][1].includeTags).toBeUndefined();
+    });
+
+    test('should handle mixed label sources: deploy labels + root labels across services', async () => {
+      // Simulates: authelia with deploy labels, alloy with root labels
+      const containers = [
+        {
+          Id: 'swarm-authelia',
+          Image: 'authelia/authelia:4.39.15',
+          Names: ['/authelia_authelia.1.aaa'],
+          Labels: {
+            'com.docker.swarm.service.id': 'svc-authelia',
+            // deploy: labels: go to Spec.Labels, NOT here
+          },
+        },
+        {
+          Id: 'swarm-alloy',
+          Image: 'grafana/alloy:v1.12.2',
+          Names: ['/monitoring_alloy.1.bbb'],
+          Labels: {
+            'com.docker.swarm.service.id': 'svc-alloy',
+            // Root labels: ARE on the container
+            'dd.watch': 'true',
+            'dd.tag.include': String.raw`^v\d+\.\d+\.\d+$`,
+          },
+        },
+      ];
+      mockDockerApi.listContainers.mockResolvedValue(containers);
+      mockDockerApi.getService.mockImplementation((serviceId: string) => ({
+        inspect: vi.fn().mockResolvedValue(
+          serviceId === 'svc-authelia'
+            ? {
+                Spec: {
+                  Labels: {
+                    'dd.watch': 'true',
+                    'dd.tag.include': String.raw`^\d+\.\d+\.\d+$`,
+                  },
+                },
+              }
+            : {
+                Spec: {
+                  TaskTemplate: {
+                    ContainerSpec: {
+                      Labels: {
+                        'dd.watch': 'true',
+                        'dd.tag.include': String.raw`^v\d+\.\d+\.\d+$`,
+                      },
+                    },
+                  },
+                },
+              },
+        ),
+      }));
+      docker.addImageDetailsToContainer = vi
+        .fn()
+        .mockImplementation((_container: any, labelOverrides: any) =>
+          Promise.resolve({ id: _container.Id, includeTags: labelOverrides?.includeTags }),
+        );
+
+      await docker.register('watcher', 'docker', 'test', {
+        watchbydefault: false,
+      });
+      const result = await docker.getContainers();
+
+      expect(result).toHaveLength(2);
+      // Authelia's tag include should come from Spec.Labels (deploy labels)
+      const autheliaCall = docker.addImageDetailsToContainer.mock.calls.find(
+        (call: any) => call[0].Id === 'swarm-authelia',
+      );
+      expect(autheliaCall[1].includeTags).toBe(String.raw`^\d+\.\d+\.\d+$`);
+      // Alloy's tag include should come from container labels (root labels)
+      const alloyCall = docker.addImageDetailsToContainer.mock.calls.find(
+        (call: any) => call[0].Id === 'swarm-alloy',
+      );
+      expect(alloyCall[1].includeTags).toBe(String.raw`^v\d+\.\d+\.\d+$`);
+    });
+
+    test('should prune old containers', async () => {
+      const oldContainers = [{ id: 'old1' }, { id: 'old2' }];
+      storeContainer.getContainers.mockReturnValue(oldContainers);
+      mockDockerApi.listContainers.mockResolvedValue([]);
+      // Simulate containers no longer existing in Docker
+      mockDockerApi.getContainer.mockReturnValue({
+        inspect: vi.fn().mockRejectedValue(new Error('no such container')),
+      });
+
+      await docker.register('watcher', 'docker', 'test', {});
+      await docker.getContainers();
+
+      expect(storeContainer.deleteContainer).toHaveBeenCalledWith('old1');
+      expect(storeContainer.deleteContainer).toHaveBeenCalledWith('old2');
+    });
+
+    test('should continue when pruneOldContainers throws during stale record cleanup', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLog(['warn']);
+      storeContainer.getContainers.mockReturnValue([
+        { id: 'old1', watcher: 'test', name: 'svc' } as any,
+      ]);
+      storeContainer.deleteContainer.mockImplementation(() => {
+        throw new Error('Delete failed');
+      });
+      mockDockerApi.listContainers.mockResolvedValue([
+        {
+          Id: 'new1',
+          Labels: { 'dd.watch': 'true' },
+          Names: ['/svc'],
+        },
+      ]);
+      docker.addImageDetailsToContainer = vi
+        .fn()
+        .mockResolvedValue({ id: 'new1', watcher: 'test', name: 'svc' });
+
+      const result = await docker.getContainers();
+
+      expect(result).toEqual([{ id: 'new1', watcher: 'test', name: 'svc' }]);
+      expect(docker.log.warn).toHaveBeenCalledWith(
+        expect.stringContaining('Error when trying to prune the old containers (Delete failed)'),
+      );
+    });
+
+    test('should handle pruning error', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLog(['warn']);
+      storeContainer.getContainers.mockImplementationOnce(() => {
+        throw new Error('Store error');
+      });
+      mockDockerApi.listContainers.mockResolvedValue([]);
+
+      await docker.getContainers();
+
+      expect(docker.log.warn).toHaveBeenCalledWith(expect.stringContaining('Store error'));
+    });
+  });
+
+  describe('Dual-prefix dd.*/wud.* label support', () => {
+    test('should prefer dd.watch over wud.watch label', async () => {
+      const containers = [
+        {
+          Id: 'dd-label-1',
+          Labels: { 'dd.watch': 'true', 'wud.watch': 'false' },
+          Names: ['/dd-test'],
+        },
+      ];
+      mockDockerApi.listContainers.mockResolvedValue(containers);
+      docker.addImageDetailsToContainer = vi.fn().mockResolvedValue({ id: 'dd-label-1' });
+
+      await docker.register('watcher', 'docker', 'test', {
+        watchbydefault: false,
+      });
+      const result = await docker.getContainers();
+
+      // dd.watch=true should override wud.watch=false
+      expect(result).toHaveLength(1);
+    });
+
+    test('should fall back to wud.watch when dd.watch is not set', async () => {
+      const containers = [
+        {
+          Id: 'wud-fallback-1',
+          Labels: { 'wud.watch': 'true' },
+          Names: ['/wud-test'],
+        },
+      ];
+      mockDockerApi.listContainers.mockResolvedValue(containers);
+      docker.addImageDetailsToContainer = vi.fn().mockResolvedValue({ id: 'wud-fallback-1' });
+
+      await docker.register('watcher', 'docker', 'test', {
+        watchbydefault: false,
+      });
+      const result = await docker.getContainers();
+
+      expect(result).toHaveLength(1);
+    });
+
+    test('should prefer dd.tag.include over wud.tag.include label', async () => {
+      const containers = [
+        {
+          Id: 'dd-tag-1',
+          Labels: {
+            'dd.watch': 'true',
+            'dd.tag.include': String.raw`^v\d+`,
+            'wud.tag.include': String.raw`^\d+`,
+          },
+          Names: ['/dd-tag-test'],
+        },
+      ];
+      mockDockerApi.listContainers.mockResolvedValue(containers);
+      docker.addImageDetailsToContainer = vi.fn().mockResolvedValue({ id: 'dd-tag-1' });
+
+      await docker.register('watcher', 'docker', 'test', {
+        watchbydefault: false,
+      });
+      await docker.getContainers();
+
+      // dd.tag.include should be preferred
+      expect(docker.addImageDetailsToContainer.mock.calls[0][1].includeTags).toBe(
+        String.raw`^v\d+`,
+      );
+    });
+
+    describe('getLabel dual-prefix fallback for all label pairs', () => {
+      const labelPairs = [
+        ['dd.watch', 'wud.watch'],
+        ['dd.tag.include', 'wud.tag.include'],
+        ['dd.tag.exclude', 'wud.tag.exclude'],
+        ['dd.tag.transform', 'wud.tag.transform'],
+        ['dd.inspect.tag.path', 'wud.inspect.tag.path'],
+        ['dd.registry.lookup.image', 'wud.registry.lookup.image'],
+        ['dd.registry.lookup.url', 'wud.registry.lookup.url'],
+        ['dd.watch.digest', 'wud.watch.digest'],
+        ['dd.link.template', 'wud.link.template'],
+        ['dd.display.name', 'wud.display.name'],
+        ['dd.display.icon', 'wud.display.icon'],
+        ['dd.trigger.include', 'wud.trigger.include'],
+        ['dd.trigger.exclude', 'wud.trigger.exclude'],
+        ['dd.group', 'wud.group'],
+        ['dd.hook.pre', 'wud.hook.pre'],
+        ['dd.hook.post', 'wud.hook.post'],
+        ['dd.hook.pre.abort', 'wud.hook.pre.abort'],
+        ['dd.hook.timeout', 'wud.hook.timeout'],
+        ['dd.rollback.auto', 'wud.rollback.auto'],
+        ['dd.rollback.window', 'wud.rollback.window'],
+        ['dd.rollback.interval', 'wud.rollback.interval'],
+      ];
+
+      test.each(labelPairs)('should prefer %s over %s when both are present', (ddKey, wudKey) => {
+        const labels = { [ddKey]: 'dd-value', [wudKey]: 'wud-value' };
+        expect(testable_getLabel(labels, ddKey, wudKey)).toBe('dd-value');
+      });
+
+      test.each(labelPairs)('should fall back to %s when %s is absent', (ddKey, wudKey) => {
+        const labels = { [wudKey]: 'legacy-value' };
+        expect(testable_getLabel(labels, ddKey, wudKey)).toBe('legacy-value');
+      });
+
+      test.each(
+        labelPairs,
+      )('should return undefined when neither %s nor %s is set', (ddKey, wudKey) => {
+        expect(testable_getLabel({}, ddKey, wudKey)).toBeUndefined();
+      });
+    });
+  });
+
+  describe('Version Finding', () => {
+    test('should find new version using registry', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0' },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.0.0', '1.1.0', '2.0.0']),
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+      const mockLogChild = { error: vi.fn() };
+
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(mockRegistry.getTags).toHaveBeenCalledWith(container.image);
+      expect(result).toEqual({ tag: '1.0.0' });
+    });
+
+    test('should include result publishedAt when registry can resolve publish date', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0' },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.0.0']),
+        getImagePublishedAt: vi.fn().mockResolvedValue('2026-03-10T10:00:00.000Z'),
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+      const mockLogChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(mockRegistry.getImagePublishedAt).toHaveBeenCalledWith(container.image, '1.0.0');
+      expect(result).toEqual({
+        tag: '1.0.0',
+        publishedAt: '2026-03-10T10:00:00.000Z',
+      });
+    });
+
+    test('should resolve publishedAt using fallback tag expression when current tag is empty', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '' },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue([]),
+        getImagePublishedAt: vi.fn().mockResolvedValue('2026-03-01T10:00:00.000Z'),
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+      const mockLogChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(mockRegistry.getImagePublishedAt).toHaveBeenCalledWith(container.image, '');
+      expect(result.publishedAt).toEqual('2026-03-01T10:00:00.000Z');
+      expect(result.tag).toEqual('');
+    });
+
+    test('should ignore publish date values that are not strings', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0' },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.0.0']),
+        getImagePublishedAt: vi.fn().mockResolvedValue(new Date('2026-03-10T10:00:00.000Z')),
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+      const mockLogChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(result).toEqual({ tag: '1.0.0' });
+    });
+
+    test('should continue when publish date lookup fails', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0' },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.0.0']),
+        getImagePublishedAt: vi.fn().mockRejectedValue(new Error('metadata unavailable')),
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+      const mockLogChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(result).toEqual({ tag: '1.0.0' });
+      expect(mockLogChild.debug).toHaveBeenCalledWith(
+        expect.stringContaining('publish date lookup failed'),
+      );
+    });
+
+    test('should continue when publish date lookup fails and debug logger is unavailable', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0' },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.0.0']),
+        getImagePublishedAt: vi.fn().mockRejectedValue(new Error('metadata unavailable')),
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+      const mockLogChild = { error: vi.fn(), warn: vi.fn() };
+
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(result).toEqual({ tag: '1.0.0' });
+    });
+
+    test('should handle unsupported registry', async () => {
+      const container = {
+        image: {
+          registry: { name: 'unknown' },
+          tag: { value: '1.0.0' },
+          digest: { watch: false },
+        },
+      };
+      registry.getState.mockReturnValue({ registry: {} });
+      const mockLogChild = { error: vi.fn() };
+
+      try {
+        await docker.findNewVersion(container, mockLogChild);
+      } catch (error) {
+        expect(error.message).toContain('Unsupported Registry');
+      }
+    });
+
+    test('should handle digest watching with v2 manifest', async () => {
+      const container = {
+        image: {
+          id: 'image123',
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0' },
+          digest: { watch: true, repo: 'sha256:abc123' },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.0.0']),
+        getImageManifestDigest: vi
+          .fn()
+          .mockResolvedValueOnce({
+            digest: 'sha256:def456',
+            created: '2023-01-01',
+            version: 2,
+          })
+          .mockResolvedValueOnce({
+            digest: 'sha256:manifest123',
+          }),
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+      const mockLogChild = { error: vi.fn() };
+
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(mockRegistry.getImageManifestDigest).toHaveBeenCalledTimes(2);
+      expect(result.digest).toBe('sha256:def456');
+      expect(result.created).toBe('2023-01-01');
+    });
+
+    test('should handle digest watching with v1 manifest using repo digest', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      const container = {
+        image: {
+          id: 'image123',
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0' },
+          digest: { watch: true, repo: 'sha256:abc123' },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.0.0']),
+        getImageManifestDigest: vi.fn().mockResolvedValue({
+          digest: 'sha256:def456',
+          created: '2023-01-01',
+          version: 1,
+        }),
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+      const mockLogChild = { error: vi.fn() };
+
+      await docker.findNewVersion(container, mockLogChild);
+
+      expect(container.image.digest.value).toBe('sha256:abc123');
+    });
+
+    test('should use tag candidate for digest lookup when digest watch is true and candidates exist', async () => {
+      const container = {
+        image: {
+          id: 'image123',
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0', semver: true },
+          digest: { watch: true, repo: 'sha256:abc123' },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.0.0', '2.0.0']),
+        getImageManifestDigest: vi
+          .fn()
+          .mockResolvedValueOnce({
+            digest: 'sha256:def456',
+            created: '2023-01-01',
+            version: 2,
+          })
+          .mockResolvedValueOnce({
+            digest: 'sha256:manifest123',
+          }),
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+      mockTag.parse.mockReturnValue({ major: 1, minor: 0, patch: 0 });
+      mockTag.isGreater.mockImplementation((t2, t1) => {
+        return t2 === '2.0.0' && t1 === '1.0.0';
+      });
+      const mockLogChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      // Should have used the tag candidate (2.0.0) for digest lookup
+      expect(result.tag).toBe('2.0.0');
+      expect(result.digest).toBe('sha256:def456');
+    });
+
+    test('should handle tag candidates with semver', async () => {
+      const container = {
+        includeTags: String.raw`^v\d+`,
+        excludeTags: 'beta',
+        transformTags: 's/v//',
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0', semver: true },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['v1.0.0', 'v1.1.0', 'v2.0.0-beta', 'latest']),
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+      mockTag.parse.mockReturnValue({ major: 1, minor: 1, patch: 0 });
+      mockTag.isGreater.mockReturnValue(true);
+      const mockLogChild = { error: vi.fn(), warn: vi.fn() };
+
+      await docker.findNewVersion(container, mockLogChild);
+
+      expect(mockRegistry.getTags).toHaveBeenCalled();
+    });
+
+    test('should filter tags with different number of semver parts', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.2', semver: true },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue([
+          '1.2.1', // 3 parts, should be filtered out
+          '1.3', // 2 parts, should be kept
+          '1.1', // 2 parts, should be kept (but lower)
+          '2', // 1 part, should be filtered out
+        ]),
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+
+      // Mock isGreater to return true for 1.3 > 1.2
+      mockTag.isGreater.mockImplementation((t1, t2) => {
+        if (t1 === '1.3' && t2 === '1.2') return true;
+        return false;
+      });
+
+      const mockLogChild = { error: vi.fn(), warn: vi.fn() };
+
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(result).toEqual({ tag: '1.3' });
+    });
+
+    test('should ignore semver tags with mismatched numeric zero-padding style', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '5.1.4', semver: true },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['20.04.1', '5.1.5', '5.1.4']),
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+
+      const rank = {
+        '5.1.4': 514,
+        '5.1.5': 515,
+        '20.04.1': 200401,
+      };
+      mockTag.isGreater.mockImplementation(
+        (version1, version2) => rank[version1] >= rank[version2],
+      );
+
+      const mockLogChild = { error: vi.fn(), warn: vi.fn() };
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(result).toEqual({ tag: '5.1.5' });
+    });
+
+    test('should keep updates within inferred suffix family by default', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.2.3-ls132', semver: true },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.2.4', '1.2.4-ls133', '1.2.3-ls132']),
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+
+      const rank = {
+        '1.2.3-ls132': 1230,
+        '1.2.4-ls133': 1240,
+        '1.2.4': 1241,
+      };
+      mockTag.isGreater.mockImplementation(
+        (version1, version2) => rank[version1] >= rank[version2],
+      );
+
+      const mockLogChild = { error: vi.fn(), warn: vi.fn() };
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(result).toEqual({ tag: '1.2.4-ls133' });
+    });
+
+    test('should keep current tag and warn when strict mode filters only cross-family higher tags', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.2.3-ls132', semver: true },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.2.4', '1.2.3-ls132']),
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+
+      const rank = {
+        '1.2.3-ls132': 1230,
+        '1.2.4': 1241,
+      };
+      mockTag.isGreater.mockImplementation(
+        (version1, version2) => (rank[version1] || 0) > (rank[version2] || 0),
+      );
+
+      const mockLogChild = { error: vi.fn(), warn: vi.fn() };
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(result).toEqual({
+        tag: '1.2.3-ls132',
+        noUpdateReason: expect.stringContaining(
+          'Strict tag-family policy filtered out 1 higher semver tag(s) outside the inferred family of "1.2.3-ls132"',
+        ),
+      });
+      expect(mockLogChild.warn).toHaveBeenCalledWith(
+        expect.stringContaining(
+          'Strict tag-family policy filtered out 1 higher semver tag(s) outside the inferred family of "1.2.3-ls132"',
+        ),
+      );
+    });
+
+    test('should allow cross-family updates in loose mode when no higher same-family tag exists', async () => {
+      const container = {
+        tagFamily: 'loose',
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.2.3-ls132', semver: true },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.2.4', '1.2.3-ls132']),
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+
+      const rank = {
+        '1.2.3-ls132': 1230,
+        '1.2.4': 1241,
+      };
+      mockTag.isGreater.mockImplementation(
+        (version1, version2) => (rank[version1] || 0) > (rank[version2] || 0),
+      );
+
+      const mockLogChild = { error: vi.fn(), warn: vi.fn() };
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(result).toEqual({ tag: '1.2.4' });
+    });
+
+    test('should allow cross-family semver updates when tagFamily is loose', async () => {
+      const container = {
+        tagFamily: 'loose',
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.2.3-ls132', semver: true },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.2.4', '1.2.4-ls133', '1.2.3-ls132']),
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+
+      const rank = {
+        '1.2.3-ls132': 1230,
+        '1.2.4-ls133': 1240,
+        '1.2.4': 1241,
+      };
+      mockTag.isGreater.mockImplementation(
+        (version1, version2) => rank[version1] >= rank[version2],
+      );
+
+      const mockLogChild = { error: vi.fn(), warn: vi.fn() };
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(result).toEqual({ tag: '1.2.4' });
+    });
+
+    test('should fall back to strict mode when tagFamily is invalid', async () => {
+      const container = {
+        tagFamily: 'unsupported',
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.2.3-ls132', semver: true },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.2.4', '1.2.4-ls133', '1.2.3-ls132']),
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+
+      const rank = {
+        '1.2.3-ls132': 1230,
+        '1.2.4-ls133': 1240,
+        '1.2.4': 1241,
+      };
+      mockTag.isGreater.mockImplementation(
+        (version1, version2) => rank[version1] >= rank[version2],
+      );
+
+      const mockLogChild = { error: vi.fn(), warn: vi.fn() };
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(result).toEqual({ tag: '1.2.4-ls133' });
+      expect(mockLogChild.warn).toHaveBeenCalledWith(
+        expect.stringContaining('Invalid tag family policy'),
+      );
+    });
+
+    test('should log one-pass semver candidate filter counters in strict mode', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: 'v1.0.0', semver: true },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['latest', 'v1.0.0', 'v1.1.0', 'v2.0.0', '1.2.0']),
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+
+      const rank = {
+        'v1.0.0': 100,
+        'v1.1.0': 110,
+        'v2.0.0': 200,
+      };
+      mockTag.isGreater.mockImplementation(
+        (version1, version2) => (rank[version1] || 0) > (rank[version2] || 0),
+      );
+
+      const mockLogChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(result).toEqual({ tag: 'v2.0.0' });
+      expect(mockLogChild.debug).toHaveBeenCalledWith(
+        expect.stringContaining(
+          'Tag candidate filter counters (strict): input=5, prefix=3, semver=3, family=3, greater=2, output=2',
+        ),
+      );
+    });
+
+    test('should best-effort suggest semver tag when current tag is outside include filter', async () => {
+      const container = {
+        includeTags: '^1\\.',
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '2.0.0', semver: true },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.8.0', '1.9.0', '2.1.0']),
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+
+      const rank = {
+        '1.8.0': 180,
+        '1.9.0': 190,
+        '2.0.0': 200,
+        '2.1.0': 210,
+      };
+      mockTag.isGreater.mockImplementation(
+        (version1, version2) => rank[version1] >= rank[version2],
+      );
+      mockTag.parse.mockImplementation((version) => {
+        const score = rank[version];
+        if (!score) {
+          return null;
+        }
+        return {
+          major: Number.parseInt(version.split('.')[0], 10),
+          minor: Number.parseInt(version.split('.')[1], 10),
+          patch: Number.parseInt(version.split('.')[2], 10),
+          prerelease: [],
+        };
+      });
+
+      const mockLogChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(result).toEqual({ tag: '1.9.0' });
+      expect(mockLogChild.warn).toHaveBeenCalledWith(
+        expect.stringContaining('does not match includeTags regex'),
+      );
+      expect(mockLogChild.debug).toHaveBeenCalledWith(expect.stringContaining('greater=skipped'));
+    });
+
+    test('should advise best semver tag when current tag is non-semver and includeTags filter is set', async () => {
+      const container = {
+        includeTags: String.raw`^\d+\.\d+`,
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: 'latest', semver: false },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['latest', 'rolling', '1.0.0', '2.0.0', '3.0.0']),
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+
+      const rank = {
+        '1.0.0': 100,
+        '2.0.0': 200,
+        '3.0.0': 300,
+      };
+      mockTag.isGreater.mockImplementation(
+        (version1, version2) => rank[version1] >= rank[version2],
+      );
+      mockTag.parse.mockImplementation((version) =>
+        rank[version] ? { major: 1, minor: 0, patch: 0 } : null,
+      );
+
+      const mockLogChild = {
+        error: vi.fn(),
+        warn: vi.fn(),
+        debug: vi.fn(),
+      };
+
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      expect(result).toEqual({
+        tag: '3.0.0',
+        suggestedTag: expect.stringMatching(/^\d+\.\d+\.\d+$/),
+      });
+      expect(mockLogChild.warn).toHaveBeenCalledWith(
+        expect.stringContaining('is not semver but includeTags filter'),
+      );
+    });
+
+    test('should not advise any tag when current tag is non-semver and no includeTags filter is set', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: 'latest', semver: false },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['latest', '1.0.0', '2.0.0']),
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+
+      mockTag.parse.mockReturnValue(null);
+
+      const mockLogChild = {
+        error: vi.fn(),
+        warn: vi.fn(),
+        debug: vi.fn(),
+      };
+
+      const result = await docker.findNewVersion(container, mockLogChild);
+
+      // Without includeTags, non-semver tags should not get any advice
+      expect(result).toEqual({ tag: 'latest' });
+    });
+
+    test('should add suggestedTag for latest-tagged containers using highest stable semver', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: 'latest', semver: false },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['latest', '1.27.2', '1.27.3', '1.28.0-rc.1']),
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+
+      mockTag.parse.mockImplementation((tag) => {
+        if (tag === '1.27.2') return { major: 1, minor: 27, patch: 2, prerelease: [] };
+        if (tag === '1.27.3') return { major: 1, minor: 27, patch: 3, prerelease: [] };
+        if (tag === '1.28.0-rc.1') return { major: 1, minor: 28, patch: 0, prerelease: ['rc', 1] };
+        return null;
+      });
+
+      const result = await docker.findNewVersion(container as any, {
+        error: vi.fn(),
+        warn: vi.fn(),
+        debug: vi.fn(),
+      });
+
+      expect(result).toEqual({ tag: 'latest', suggestedTag: '1.27.3' });
+    });
+
+    test('should not add suggestedTag when latest-tagged container has no stable semver tags', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: 'latest', semver: false },
+          digest: { watch: false },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['latest', 'nightly', '1.28.0-beta']),
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: mockRegistry },
+      });
+
+      mockTag.parse.mockImplementation((tag) => {
+        if (tag === '1.28.0-beta') return { major: 1, minor: 28, patch: 0, prerelease: ['beta'] };
+        return null;
+      });
+
+      const result = await docker.findNewVersion(container as any, {
+        error: vi.fn(),
+        warn: vi.fn(),
+        debug: vi.fn(),
+      });
+
+      expect(result).toEqual({ tag: 'latest' });
+    });
+  });
+
+  describe('Container Details', () => {
+    test('should return existing container from store', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLog(['debug']);
+      const existingContainer = {
+        id: '123',
+        error: undefined,
+        image: { digest: { repo: 'sha256:abc' }, id: 'image123', created: '2023-01-01' },
+      };
+      storeContainer.getContainer.mockReturnValue(existingContainer);
+      mockImage.inspect.mockResolvedValue({
+        Id: 'image123',
+        RepoDigests: ['nginx@sha256:abc'],
+        Created: '2023-01-01',
+      });
+
+      const result = await docker.addImageDetailsToContainer({
+        Id: '123',
+        Image: 'nginx:latest',
+      });
+
+      expect(result).toBe(existingContainer);
+    });
+
+    test('should skip container inspect for store container when watch events are enabled', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLog(['debug']);
+      const existingContainer = {
+        id: '123',
+        error: undefined,
+        image: {
+          digest: { repo: 'sha256:abc' },
+          id: 'image123',
+          created: '2023-01-01',
+        },
+        details: {
+          ports: ['80/tcp'],
+          volumes: ['/old/data:/data'],
+          env: [{ key: 'APP_ENV', value: 'prod' }],
+        },
+      };
+      storeContainer.getContainer.mockReturnValue(existingContainer);
+      mockImage.inspect.mockResolvedValue({
+        Id: 'image123',
+        RepoDigests: ['nginx@sha256:abc'],
+        Created: '2023-01-01',
+      });
+
+      const result = await docker.addImageDetailsToContainer({
+        Id: '123',
+        Image: 'nginx:latest',
+        Ports: [{ PrivatePort: 8080, Type: 'tcp', PublicPort: 18080, IP: '0.0.0.0' }],
+        Mounts: [{ Source: '/host/data', Destination: '/data', RW: false }],
+      });
+
+      expect(result).toBe(existingContainer);
+      expect(mockContainer.inspect).not.toHaveBeenCalled();
+      expect(result.details).toEqual({
+        ports: ['0.0.0.0:18080->8080/tcp'],
+        volumes: ['/host/data:/data:ro'],
+        env: [{ key: 'APP_ENV', value: 'prod' }],
+      });
+    });
+
+    test('should inspect store container runtime details when watch events are disabled', async () => {
+      await docker.register('watcher', 'docker', 'test', { watchevents: false });
+      docker.log = createMockLog(['debug']);
+      const existingContainer = {
+        id: '123',
+        error: undefined,
+        image: {
+          digest: { repo: 'sha256:abc' },
+          id: 'image123',
+          created: '2023-01-01',
+        },
+        details: {
+          ports: [],
+          volumes: [],
+          env: [],
+        },
+      };
+      storeContainer.getContainer.mockReturnValue(existingContainer);
+      mockContainer.inspect.mockResolvedValue({
+        Config: {
+          Env: ['APP_ENV=prod'],
+        },
+      });
+      mockImage.inspect.mockResolvedValue({
+        Id: 'image123',
+        RepoDigests: ['nginx@sha256:abc'],
+        Created: '2023-01-01',
+      });
+
+      const result = await docker.addImageDetailsToContainer({
+        Id: '123',
+        Image: 'nginx:latest',
+      });
+
+      expect(result).toBe(existingContainer);
+      expect(mockContainer.inspect).toHaveBeenCalledTimes(1);
+      expect(result.details.env).toEqual([{ key: 'APP_ENV', value: 'prod' }]);
+    });
+
+    test('should refresh image fields when digest changed in store container', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLog(['debug']);
+      const existingContainer = {
+        id: '123',
+        error: undefined,
+        image: {
+          digest: { repo: 'sha256:olddigest' },
+          id: 'old-image-id',
+          created: '2023-01-01',
+        },
+      };
+      storeContainer.getContainer.mockReturnValue(existingContainer);
+      mockImage.inspect.mockResolvedValue({
+        Id: 'new-image-id',
+        RepoDigests: ['nginx@sha256:newdigest'],
+        Created: '2024-06-15',
+      });
+
+      const result = await docker.addImageDetailsToContainer({
+        Id: '123',
+        Image: 'nginx:latest',
+      });
+
+      expect(result.image.digest.repo).toBe('sha256:newdigest');
+      expect(result.image.id).toBe('new-image-id');
+      expect(result.image.created).toBe('2024-06-15');
+    });
+
+    test('should keep existing created date when refreshed image has no Created field', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLog(['debug']);
+      const existingContainer = {
+        id: '123',
+        error: undefined,
+        image: {
+          digest: { repo: 'sha256:olddigest' },
+          id: 'old-image-id',
+          created: '2023-01-01',
+        },
+      };
+      storeContainer.getContainer.mockReturnValue(existingContainer);
+      mockImage.inspect.mockResolvedValue({
+        Id: 'new-image-id',
+        RepoDigests: ['nginx@sha256:newdigest'],
+      });
+
+      const result = await docker.addImageDetailsToContainer({
+        Id: '123',
+        Image: 'nginx:latest',
+      });
+
+      expect(result.image.digest.repo).toBe('sha256:newdigest');
+      expect(result.image.id).toBe('new-image-id');
+      expect(result.image.created).toBe('2023-01-01');
+    });
+
+    test('should degrade gracefully when image inspect fails for store container', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLog(['debug']);
+      const existingContainer = {
+        id: '123',
+        error: undefined,
+        image: {
+          digest: { repo: 'sha256:cached' },
+          id: 'cached-image-id',
+          created: '2023-01-01',
+        },
+      };
+      storeContainer.getContainer.mockReturnValue(existingContainer);
+      mockImage.inspect.mockRejectedValue(new Error('image not found'));
+
+      const result = await docker.addImageDetailsToContainer({
+        Id: '123',
+        Image: 'nginx:latest',
+      });
+
+      expect(result).toBe(existingContainer);
+      expect(result.image.digest.repo).toBe('sha256:cached');
+      expect(result.image.id).toBe('cached-image-id');
+    });
+
+    test('should not mutate store container when image fields unchanged', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLog(['debug']);
+      const existingContainer = {
+        id: '123',
+        error: undefined,
+        image: {
+          digest: { repo: 'sha256:samedigest' },
+          id: 'same-image-id',
+          created: '2023-01-01',
+        },
+      };
+      storeContainer.getContainer.mockReturnValue(existingContainer);
+      mockImage.inspect.mockResolvedValue({
+        Id: 'same-image-id',
+        RepoDigests: ['nginx@sha256:samedigest'],
+        Created: '2023-01-01',
+      });
+
+      const result = await docker.addImageDetailsToContainer({
+        Id: '123',
+        Image: 'nginx:latest',
+      });
+
+      expect(result).toBe(existingContainer);
+      // Values should be unchanged
+      expect(result.image.digest.repo).toBe('sha256:samedigest');
+      expect(result.image.id).toBe('same-image-id');
+      expect(result.image.created).toBe('2023-01-01');
+    });
+
+    test('should backfill digest value for store container when repo digest exists', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLog(['debug']);
+      const existingContainer = {
+        id: '123',
+        error: undefined,
+        image: {
+          digest: { repo: 'sha256:samedigest' },
+          id: 'same-image-id',
+          created: '2023-01-01',
+        },
+      };
+      storeContainer.getContainer.mockReturnValue(existingContainer);
+      mockImage.inspect.mockResolvedValue({
+        Id: 'same-image-id',
+        RepoDigests: ['nginx@sha256:samedigest'],
+        Created: '2023-01-01',
+      });
+
+      const result = await docker.addImageDetailsToContainer({
+        Id: '123',
+        Image: 'nginx:latest',
+      });
+
+      expect(result.image.digest.value).toBe('sha256:samedigest');
+    });
+
+    test('should keep existing digest value when backfill is not needed', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLog(['debug']);
+      const existingContainer = {
+        id: '123',
+        error: undefined,
+        image: {
+          digest: { repo: 'sha256:samedigest', value: 'sha256:already-set' },
+          id: 'same-image-id',
+          created: '2023-01-01',
+        },
+      };
+      storeContainer.getContainer.mockReturnValue(existingContainer);
+      mockImage.inspect.mockResolvedValue({
+        Id: 'same-image-id',
+        RepoDigests: ['nginx@sha256:samedigest'],
+        Created: '2023-01-01',
+      });
+
+      const result = await docker.addImageDetailsToContainer({
+        Id: '123',
+        Image: 'nginx:latest',
+      });
+
+      expect(result.image.digest.value).toBe('sha256:already-set');
+    });
+
+    test('should keep digest value unchanged when repo digest is missing but image metadata changes', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLog(['debug']);
+      const existingContainer = {
+        id: '123',
+        error: undefined,
+        image: {
+          digest: { repo: 'sha256:cached', value: 'sha256:cached' },
+          id: 'old-image-id',
+          created: '2023-01-01',
+        },
+      };
+      storeContainer.getContainer.mockReturnValue(existingContainer);
+      mockImage.inspect.mockResolvedValue({
+        Id: 'new-image-id',
+        RepoDigests: [],
+      });
+
+      const result = await docker.addImageDetailsToContainer({
+        Id: '123',
+        Image: 'nginx:latest',
+      });
+
+      expect(result.image.digest.repo).toBeUndefined();
+      expect(result.image.digest.value).toBe('sha256:cached');
+      expect(result.image.id).toBe('new-image-id');
+    });
+
+    test('should set digest value from repo digest for new container details', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: { Image: 'nginx:latest' },
+        imageDetails: { RepoDigests: ['nginx@sha256:abc123'] },
+        parsedImage: { domain: 'docker.io', path: 'library/nginx', tag: 'latest' },
+        semverValue: null,
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result.image.digest.repo).toBe('sha256:abc123');
+      expect(result.image.digest.value).toBe('sha256:abc123');
+    });
+
+    test('should add image details to new container', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: { Image: 'nginx:1.0.0' },
+        imageDetails: { Variant: 'v8', RepoDigests: ['nginx@sha256:abc123'] },
+        validateImpl: () => ({
+          id: '123',
+          name: 'test-container',
+          image: { architecture: 'amd64', variant: 'v8' },
+        }),
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(mockImage.inspect).toHaveBeenCalled();
+      expect(result).toBeDefined();
+    });
+
+    test('should include runtime details from inspect payload', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: { Image: 'nginx:1.0.0' },
+      });
+      mockContainer.inspect.mockResolvedValue({
+        NetworkSettings: {
+          Ports: {
+            '80/tcp': [{ HostIp: '0.0.0.0', HostPort: '8080' }],
+            '443/tcp': null,
+          },
+        },
+        Mounts: [
+          { Name: 'config-vol', Destination: '/config', RW: true },
+          { Source: '/host/data', Destination: '/data', RW: false },
+        ],
+        Config: {
+          Env: ['NODE_ENV=production', 'EMPTY=', 'NO_VALUE'],
+        },
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result.details).toEqual({
+        ports: ['0.0.0.0:8080->80/tcp', '443/tcp'],
+        volumes: ['config-vol:/config', '/host/data:/data:ro'],
+        env: [
+          { key: 'NODE_ENV', value: 'production' },
+          { key: 'EMPTY', value: '' },
+          { key: 'NO_VALUE', value: '' },
+        ],
+      });
+    });
+
+    test('should default display name to container name for drydock image', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'ghcr.io/codeswhat/drydock:latest',
+          Names: ['/dd'],
+        },
+        imageDetails: {
+          Variant: 'v8',
+          RepoDigests: ['ghcr.io/codeswhat/drydock@sha256:abc123'],
+        },
+        parsedImage: { domain: 'ghcr.io', path: 'codeswhat/drydock', tag: 'latest' },
+        semverValue: null,
+        registryId: 'ghcr',
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result.displayName).toBe('dd');
+    });
+
+    test('should keep custom display name when provided', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'ghcr.io/codeswhat/drydock:latest',
+          Names: ['/dd'],
+        },
+        imageDetails: {
+          Variant: 'v8',
+          RepoDigests: ['ghcr.io/codeswhat/drydock@sha256:abc123'],
+        },
+        parsedImage: { domain: 'ghcr.io', path: 'codeswhat/drydock', tag: 'latest' },
+        semverValue: null,
+        registryId: 'ghcr',
+      });
+
+      const result = await docker.addImageDetailsToContainer(container, {
+        displayName: 'DD CE Custom',
+      });
+
+      expect(result.displayName).toBe('DD CE Custom');
+    });
+
+    test('should apply imgset defaults when labels are missing', async () => {
+      const haImgset = {
+        homeassistant: {
+          image: 'ghcr.io/home-assistant/home-assistant',
+          tag: {
+            include: String.raw`^\d+\.\d+\.\d+$`,
+          },
+          display: {
+            name: 'Home Assistant',
+            icon: 'mdi-home-assistant',
+          },
+          link: {
+            template: 'https://www.home-assistant.io/changelogs/core-${major}${minor}${patch}',
+          },
+          trigger: {
+            include: 'ntfy.default:major',
+          },
+          registry: {
+            lookup: {
+              image: 'ghcr.io/home-assistant/home-assistant',
+            },
+          },
+        },
+      };
+      const container = await setupContainerDetailTest(docker, {
+        registerConfig: { imgset: haImgset },
+        container: {
+          Image: 'ghcr.io/home-assistant/home-assistant:2026.2.1',
+          Names: ['/homeassistant'],
+        },
+        imageDetails: {
+          Variant: 'v8',
+          RepoDigests: ['ghcr.io/home-assistant/home-assistant@sha256:abc123'],
+        },
+        parseImpl: createHaParseMock(),
+        semverValue: { major: 2026, minor: 2, patch: 1 },
+        registryId: 'ghcr',
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result.includeTags).toBe(String.raw`^\d+\.\d+\.\d+$`);
+      expect(result.displayName).toBe('Home Assistant');
+      expect(result.displayIcon).toBe('mdi-home-assistant');
+      expect(result.linkTemplate).toBe(
+        'https://www.home-assistant.io/changelogs/core-${major}${minor}${patch}',
+      );
+      expect(result.triggerInclude).toBe('ntfy.default:major');
+      expect(result.image.registry.lookupImage).toBe('ghcr.io/home-assistant/home-assistant');
+    });
+
+    test('should let labels override imgset defaults', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        registerConfig: {
+          imgset: {
+            homeassistant: {
+              image: 'ghcr.io/home-assistant/home-assistant',
+              tag: { include: String.raw`^\d+\.\d+\.\d+$` },
+              display: { name: 'Home Assistant', icon: 'mdi-home-assistant' },
+              link: {
+                template: 'https://www.home-assistant.io/changelogs/core-${major}${minor}${patch}',
+              },
+              trigger: { include: 'ntfy.default:major' },
+            },
+          },
+        },
+        container: {
+          Image: 'ghcr.io/home-assistant/home-assistant:2026.2.1',
+          Names: ['/homeassistant'],
+        },
+        imageDetails: {
+          Variant: 'v8',
+          RepoDigests: ['ghcr.io/home-assistant/home-assistant@sha256:abc123'],
+        },
+        parseImpl: createHaParseMock(),
+        semverValue: { major: 2026, minor: 2, patch: 1 },
+        registryId: 'ghcr',
+      });
+
+      const result = await docker.addImageDetailsToContainer(container, {
+        includeTags: '^stable$',
+        displayName: 'HA Label Name',
+        displayIcon: 'mdi-docker',
+        triggerInclude: 'discord.default:major',
+      });
+
+      expect(result.includeTags).toBe('^stable$');
+      expect(result.displayName).toBe('HA Label Name');
+      expect(result.displayIcon).toBe('mdi-docker');
+      expect(result.triggerInclude).toBe('discord.default:major');
+      expect(result.linkTemplate).toBe(
+        'https://www.home-assistant.io/changelogs/core-${major}${minor}${patch}',
+      );
+    });
+
+    test('should prefer dd.action and dd.notification aliases over legacy trigger labels', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        registerConfig: {
+          imgset: {
+            homeassistant: {
+              image: 'ghcr.io/home-assistant/home-assistant',
+              tag: { include: String.raw`^\d+\.\d+\.\d+$` },
+              display: { name: 'Home Assistant', icon: 'mdi-home-assistant' },
+              link: {
+                template: 'https://www.home-assistant.io/changelogs/core-${major}${minor}${patch}',
+              },
+              trigger: { include: 'imgset.default:major' },
+            },
+          },
+        },
+        container: {
+          Image: 'ghcr.io/home-assistant/home-assistant:2026.2.1',
+          Names: ['/homeassistant'],
+          Labels: {
+            'dd.action.include': 'action.default:major',
+            'dd.notification.include': 'notification.default:major',
+            'dd.trigger.include': 'legacy.default:major',
+            'wud.trigger.include': 'wud.default:major',
+          },
+        },
+        imageDetails: {
+          Variant: 'v8',
+          RepoDigests: ['ghcr.io/home-assistant/home-assistant@sha256:abc123'],
+        },
+        parseImpl: createHaParseMock(),
+        semverValue: { major: 2026, minor: 2, patch: 1 },
+        registryId: 'ghcr',
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result.triggerInclude).toBe('action.default:major');
+    });
+
+    test('should apply tagFamily from container labels', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'docker.io/library/nginx:1.0.0',
+          Names: ['/nginx'],
+          Labels: { 'dd.tag.family': 'loose' },
+        },
+        parsedImage: { domain: 'docker.io', path: 'library/nginx', tag: '1.0.0' },
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result.tagFamily).toBe('loose');
+    });
+
+    test('should apply imgset tagFamily when label is missing', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        registerConfig: {
+          imgset: {
+            nginx: {
+              image: 'library/nginx',
+              tag: { family: 'loose' },
+            },
+          },
+        },
+        container: {
+          Image: 'docker.io/library/nginx:1.0.0',
+          Names: ['/nginx'],
+        },
+        parsedImage: { domain: 'docker.io', path: 'library/nginx', tag: '1.0.0' },
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result.tagFamily).toBe('loose');
+    });
+
+    test('should apply imgset watchDigest when label is missing', async () => {
+      const watchDigestImgset = {
+        customregistry: {
+          image: 'ghcr.io/home-assistant/home-assistant',
+          watch: { digest: 'true' },
+        },
+      };
+      const container = await setupContainerDetailTest(docker, {
+        registerConfig: { imgset: watchDigestImgset },
+        container: {
+          Image: 'ghcr.io/home-assistant/home-assistant:2026.2.1',
+          Names: ['/homeassistant'],
+        },
+        imageDetails: {
+          Variant: 'v8',
+          RepoDigests: ['ghcr.io/home-assistant/home-assistant@sha256:abc123'],
+        },
+        parseImpl: createHaParseMock(),
+        semverValue: { major: 2026, minor: 2, patch: 1 },
+        registryId: 'ghcr',
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result.image.digest.watch).toBe(true);
+    });
+
+    test('should let dd.watch.digest label override imgset watchDigest', async () => {
+      const watchDigestImgset = {
+        customregistry: {
+          image: 'ghcr.io/home-assistant/home-assistant',
+          watch: { digest: 'true' },
+        },
+      };
+      const container = await setupContainerDetailTest(docker, {
+        registerConfig: { imgset: watchDigestImgset },
+        container: {
+          Image: 'ghcr.io/home-assistant/home-assistant:2026.2.1',
+          Names: ['/homeassistant'],
+          Labels: { 'dd.watch.digest': 'false' },
+        },
+        imageDetails: {
+          Variant: 'v8',
+          RepoDigests: ['ghcr.io/home-assistant/home-assistant@sha256:abc123'],
+        },
+        parseImpl: createHaParseMock(),
+        semverValue: { major: 2026, minor: 2, patch: 1 },
+        registryId: 'ghcr',
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      // Label says false, overriding imgset's true
+      expect(result.image.digest.watch).toBe(false);
+    });
+
+    test('should apply imgset inspectTagPath when label is missing', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        registerConfig: {
+          imgset: {
+            haos: {
+              image: 'ghcr.io/home-assistant/home-assistant',
+              inspect: {
+                tag: { path: 'Config/Labels/org.opencontainers.image.version' },
+              },
+            },
+          },
+        },
+        container: {
+          Image: 'ghcr.io/home-assistant/home-assistant:stable',
+          Names: ['/homeassistant'],
+        },
+        imageDetails: {
+          Variant: 'v8',
+          RepoDigests: ['ghcr.io/home-assistant/home-assistant@sha256:abc123'],
+          Config: {
+            Labels: { 'org.opencontainers.image.version': '2026.2.1' },
+          },
+        },
+        parseImpl: createHaParseMock(),
+        semverValue: { major: 2026, minor: 2, patch: 1, version: '2026.2.1' },
+        registryId: 'ghcr',
+      });
+      mockTag.transform.mockImplementation((_transform, value) => value);
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      // The tag should be resolved from the inspect path via imgset
+      expect(result.image.tag.value).toBe('2026.2.1');
+    });
+
+    test('should not apply imgset when image does not match any preset', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        registerConfig: {
+          imgset: {
+            homeassistant: {
+              image: 'ghcr.io/home-assistant/home-assistant',
+              tag: { include: String.raw`^\d+\.\d+\.\d+$` },
+              display: { name: 'Home Assistant', icon: 'mdi-home-assistant' },
+            },
+          },
+        },
+        container: {
+          Id: '456',
+          Image: 'nginx:1.25.0',
+          Names: ['/nginx'],
+        },
+        imageDetails: {
+          Id: 'image456',
+          RepoDigests: ['nginx@sha256:def456'],
+        },
+        parseImpl: (value) => {
+          if (value === 'nginx:1.25.0')
+            return { domain: undefined, path: 'library/nginx', tag: '1.25.0' };
+          if (value === 'ghcr.io/home-assistant/home-assistant')
+            return { domain: 'ghcr.io', path: 'home-assistant/home-assistant' };
+          return { domain: undefined, path: 'library/nginx', tag: '1.25.0' };
+        },
+        semverValue: { major: 1, minor: 25, patch: 0 },
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      // No imgset should be applied - fields should be undefined
+      expect(result.includeTags).toBeUndefined();
+      expect(result.displayName).toBe('nginx');
+      expect(result.displayIcon).toBeUndefined();
+    });
+
+    test('should pick the most specific imgset when multiple match', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        registerConfig: {
+          imgset: {
+            generic: { image: 'nginx', display: { name: 'Generic Nginx', icon: 'mdi-web' } },
+            specific: {
+              image: 'harbor.example.com/library/nginx',
+              display: { name: 'Harbor Nginx', icon: 'mdi-web-lock' },
+            },
+          },
+        },
+        container: {
+          Id: '789',
+          Image: 'harbor.example.com/library/nginx:1.25.0',
+          Names: ['/mynginx'],
+        },
+        imageDetails: {
+          Id: 'image789',
+          RepoDigests: ['harbor.example.com/library/nginx@sha256:ghi789'],
+        },
+        parseImpl: (value) => {
+          if (value === 'harbor.example.com/library/nginx:1.25.0')
+            return { domain: 'harbor.example.com', path: 'library/nginx', tag: '1.25.0' };
+          if (value === 'harbor.example.com/library/nginx')
+            return { domain: 'harbor.example.com', path: 'library/nginx' };
+          if (value === 'nginx') return { domain: undefined, path: 'nginx' };
+          return { domain: undefined, path: value };
+        },
+        semverValue: { major: 1, minor: 25, patch: 0 },
+        registryId: 'harbor',
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      // The more specific imgset (harbor.example.com/library/nginx) should win
+      expect(result.displayIcon).toBe('mdi-web-lock');
+    });
+
+    test('should validate configuration with imgset watchDigest and inspectTagPath', async () => {
+      const config = {
+        socket: '/var/run/docker.sock',
+        imgset: {
+          homeassistant: {
+            image: 'ghcr.io/home-assistant/home-assistant',
+            watch: {
+              digest: 'true',
+            },
+            inspect: {
+              tag: {
+                path: 'Config/Labels/org.opencontainers.image.version',
+              },
+            },
+          },
+        },
+      };
+      expect(() => docker.validateConfiguration(config)).not.toThrow();
+    });
+
+    test('should use lookup image label for registry matching', async () => {
+      const harborHubState = createHarborHubRegistryState();
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'harbor.example.com/dockerhub-proxy/traefik:v3.5.3',
+          Names: ['/traefik'],
+          Labels: { 'dd.registry.lookup.image': 'library/traefik' },
+        },
+        imageDetails: {
+          RepoDigests: ['harbor.example.com/dockerhub-proxy/traefik@sha256:abc123'],
+        },
+        parseImpl: (value) => {
+          if (value === 'harbor.example.com/dockerhub-proxy/traefik:v3.5.3')
+            return { domain: 'harbor.example.com', path: 'dockerhub-proxy/traefik', tag: 'v3.5.3' };
+          if (value === 'library/traefik') return { path: 'library/traefik' };
+          return { domain: 'docker.io', path: 'library/nginx', tag: '1.0.0' };
+        },
+        semverValue: { major: 3, minor: 5, patch: 3 },
+        registryState: harborHubState,
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result.image.registry.name).toBe('hub');
+      expect(result.image.registry.url).toBe('https://registry-1.docker.io/v2');
+      expect(result.image.registry.lookupImage).toBe('library/traefik');
+      expect(result.image.name).toBe('library/traefik');
+    });
+
+    test('should support legacy lookup url label without crashing', async () => {
+      const harborHubState = createHarborHubRegistryState();
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'harbor.example.com/dockerhub-proxy/traefik:v3.5.3',
+          Names: ['/traefik'],
+          Labels: { 'dd.registry.lookup.url': 'https://registry-1.docker.io' },
+        },
+        imageDetails: {
+          RepoDigests: ['harbor.example.com/dockerhub-proxy/traefik@sha256:abc123'],
+        },
+        parsedImage: {
+          domain: 'harbor.example.com',
+          path: 'dockerhub-proxy/traefik',
+          tag: 'v3.5.3',
+        },
+        semverValue: { major: 3, minor: 5, patch: 3 },
+        registryState: harborHubState,
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result.image.registry.name).toBe('hub');
+      expect(result.image.registry.lookupImage).toBe('https://registry-1.docker.io');
+      expect(result.image.name).toBe('dockerhub-proxy/traefik');
+    });
+
+    test('should handle container with implicit docker hub image (no domain)', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'prom/prometheus:v3.8.0',
+          Names: ['/prometheus'],
+        },
+        imageDetails: { RepoTags: ['prom/prometheus:v3.8.0'] },
+        parsedImage: { domain: undefined, path: 'prom/prometheus', tag: 'v3.8.0' },
+        validateImpl: () => ({
+          id: '123',
+          name: 'prometheus',
+          image: { architecture: 'amd64' },
+        }),
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result).toBeDefined();
+      // Verify parse was called
+      expect(mockParse).toHaveBeenCalledWith('prom/prometheus:v3.8.0');
+    });
+
+    test('should fail implicit docker hub image normalization when hub registry provider is missing', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'nginx:1.25.5',
+          Names: ['/hub-proof'],
+        },
+        parsedImage: { domain: undefined, path: 'library/nginx', tag: '1.25.5' },
+        registryState: {},
+        validateImpl: (containerCandidate) => {
+          if (!containerCandidate.image.registry.url) {
+            throw new Error('"image.registry.url" is required');
+          }
+          return containerCandidate;
+        },
+      });
+
+      await expect(docker.addImageDetailsToContainer(container)).rejects.toThrow(
+        '"image.registry.url" is required',
+      );
+    });
+
+    test('should keep implicit docker hub image tracking when hub registry provider is available', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'nginx:1.25.5',
+          Names: ['/hub-proof'],
+        },
+        parsedImage: { domain: undefined, path: 'library/nginx', tag: '1.25.5' },
+        registryState: createHarborHubRegistryState(),
+        validateImpl: (containerCandidate) => {
+          if (!containerCandidate.image.registry.url) {
+            throw new Error('"image.registry.url" is required');
+          }
+          return containerCandidate;
+        },
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result.image.registry.name).toBe('hub');
+      expect(result.image.registry.url).toBe('https://registry-1.docker.io/v2');
+    });
+
+    test('should handle container with SHA256 image', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'sha256:abcdef123456',
+          Names: ['/test'],
+        },
+        imageDetails: { RepoTags: ['nginx:latest'] },
+        validateImpl: () => ({
+          id: '123',
+          name: 'test',
+          image: { architecture: 'amd64' },
+        }),
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result).toBeDefined();
+    });
+
+    test('should handle container with no repo tags but with repo digests', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'sha256:abcdef123456',
+          Names: ['/test'],
+        },
+        imageDetails: {
+          RepoTags: [],
+          RepoDigests: ['portainer/agent@sha256:abcdef123456'],
+        },
+        parseImpl: (value) => {
+          if (value === 'portainer/agent') {
+            return { domain: 'docker.io', path: 'portainer/agent' };
+          }
+          return { domain: 'docker.io', path: 'library/nginx', tag: '1.0.0' };
+        },
+        validateImpl: (c) => c,
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result).toBeDefined();
+      expect(result.image.name).toBe('portainer/agent');
+      expect(result.image.tag.value).toBe('sha256:abcdef123456');
+    });
+
+    test('should handle container with no repo tags and no repo digests', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'sha256:abcdef123456',
+          Names: ['/test'],
+        },
+        imageDetails: { RepoTags: [], RepoDigests: [] },
+        parsedImage: { path: 'sha256:abcdef123456', tag: 'unknown' },
+        validateImpl: (c) => c,
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result).toBeDefined();
+      expect(result.image.tag.value).toBe('unknown');
+    });
+
+    test('should warn for non-semver without digest watching', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'nginx:latest',
+          Names: ['/test'],
+        },
+        semverValue: null,
+        validateImpl: () => ({
+          id: '123',
+          name: 'test',
+          image: { architecture: 'amd64' },
+        }),
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result).toBeDefined();
+    });
+
+    test('should use inspect path semver when dd.inspect.tag.path is set', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'ghcr.io/example/service:latest',
+          Names: ['/service'],
+          Labels: {
+            'dd.inspect.tag.path': 'Config/Labels/org.opencontainers.image.version',
+          },
+        },
+        imageDetails: {
+          Config: {
+            Labels: { 'org.opencontainers.image.version': '2.7.5' },
+          },
+        },
+        parsedImage: { domain: 'ghcr.io', path: 'example/service', tag: 'latest' },
+        semverValue: null, // will be overridden below
+      });
+      mockTag.parse.mockImplementation((tag) => (tag === '2.7.5' ? { version: '2.7.5' } : null));
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result.image.tag.value).toBe('2.7.5');
+      expect(result.image.tag.semver).toBe(true);
+    });
+
+    test('should fall back to parsed image tag when inspect path is missing', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'ghcr.io/example/service:latest',
+          Names: ['/service'],
+          Labels: {
+            'dd.inspect.tag.path': 'Config/Labels/org.opencontainers.image.version',
+          },
+        },
+        imageDetails: { Config: { Labels: {} } },
+        parsedImage: { domain: 'ghcr.io', path: 'example/service', tag: 'latest' },
+        semverValue: null,
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+
+      expect(result.image.tag.value).toBe('latest');
+      expect(result.image.tag.semver).toBe(false);
+    });
+
+    test('should return a clear error when image inspection fails', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      const container = createDockerContainer({
+        Image: 'ghcr.io/example/service:latest',
+        Names: ['/service'],
+      });
+      mockImage.inspect.mockRejectedValue(new Error('inspect failed'));
+
+      await expect(docker.addImageDetailsToContainer(container)).rejects.toThrow(
+        'Unable to inspect image for container 123: inspect failed',
+      );
+    });
+  });
+
+  describe('Container Reporting', () => {
+    test('should map container to report for new container', async () => {
+      const container = { id: '123', name: 'test' };
+      docker.log = createMockLogWithChild(['debug']);
+      storeContainer.getContainer.mockReturnValue(undefined);
+      storeContainer.insertContainer.mockReturnValue(container);
+
+      const result = docker.mapContainerToContainerReport(container);
+
+      expect(result.changed).toBe(true);
+      expect(storeContainer.insertContainer).toHaveBeenCalledWith(container);
+    });
+
+    test('should map container to report for existing container', async () => {
+      const container = {
+        id: '123',
+        name: 'test',
+        updateAvailable: true,
+      };
+      const existingContainer = {
+        resultChanged: vi.fn().mockReturnValue(true),
+      };
+      docker.log = createMockLogWithChild(['debug']);
+      storeContainer.getContainer.mockReturnValue(existingContainer);
+      storeContainer.updateContainer.mockReturnValue(container);
+
+      const result = docker.mapContainerToContainerReport(container);
+
+      expect(result.changed).toBe(true);
+      expect(storeContainer.updateContainer).toHaveBeenCalledWith(container);
+    });
+
+    test('should not mark as changed when no update available', async () => {
+      const container = {
+        id: '123',
+        name: 'test',
+        updateAvailable: false,
+      };
+      const existingContainer = {
+        resultChanged: vi.fn().mockReturnValue(true),
+      };
+      docker.log = createMockLogWithChild(['debug']);
+      storeContainer.getContainer.mockReturnValue(existingContainer);
+      storeContainer.updateContainer.mockReturnValue(container);
+
+      const result = docker.mapContainerToContainerReport(container);
+
+      expect(result.changed).toBe(false);
+    });
+  });
+
+  describe('Utility Functions', () => {
+    test('should get tag candidates with include filter', async () => {
+      const tags = ['v1.0.0', 'latest', 'v2.0.0', 'beta'];
+      const filtered = tags.filter((tag) => /^v\d+/.test(tag));
+      expect(filtered).toEqual(['v1.0.0', 'v2.0.0']);
+    });
+
+    test('should get container name and strip slash', async () => {
+      const container = { Names: ['/test-container'] };
+      const name = container.Names[0].replace(/\//, '');
+      expect(name).toBe('test-container');
+    });
+
+    test('should get repo digest from image', async () => {
+      const image = { RepoDigests: ['nginx@sha256:abc123def456'] };
+      const digest = image.RepoDigests[0].split('@')[1];
+      expect(digest).toBe('sha256:abc123def456');
+    });
+
+    test('should handle empty repo digests', async () => {
+      const image = { RepoDigests: [] };
+      expect(image.RepoDigests.length).toBe(0);
+    });
+
+    test('should get old containers for pruning', async () => {
+      const newContainers = [{ id: '1' }, { id: '2' }];
+      const storeContainers = [{ id: '1' }, { id: '3' }];
+
+      const oldContainers = storeContainers.filter((storeContainer) => {
+        const stillExists = newContainers.find(
+          (newContainer) => newContainer.id === storeContainer.id,
+        );
+        return stillExists === undefined;
+      });
+
+      expect(oldContainers).toEqual([{ id: '3' }]);
+    });
+
+    test('should handle null inputs for old containers', async () => {
+      expect([].filter(() => false)).toEqual([]);
+    });
+  });
+
+  describe('Additional Coverage - safeRegExp', () => {
+    test('should warn when includeTags regex is invalid', async () => {
+      const container = {
+        includeTags: '[invalid',
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0', semver: true },
+          digest: { watch: false },
+        },
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: { getTags: vi.fn().mockResolvedValue(['1.0.0', '2.0.0']) } },
+      });
+      const logChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+      const result = await docker.findNewVersion(container, logChild);
+      expect(logChild.warn).toHaveBeenCalledWith(expect.stringContaining('Invalid regex pattern'));
+      expect(result.tag).toBe('1.0.0');
+    });
+
+    test('should warn when excludeTags regex is invalid', async () => {
+      const container = {
+        excludeTags: '(unclosed',
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0', semver: true },
+          digest: { watch: false },
+        },
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: { getTags: vi.fn().mockResolvedValue(['1.0.0', '2.0.0']) } },
+      });
+      mockTag.isGreater.mockReturnValue(true);
+      const logChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+      await docker.findNewVersion(container, logChild);
+      expect(logChild.warn).toHaveBeenCalledWith(expect.stringContaining('Invalid regex pattern'));
+    });
+  });
+
+  describe('Additional Coverage - filterByCurrentPrefix', () => {
+    test('should warn when no tags match prefix', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: 'v1.0.0', semver: true },
+          digest: { watch: false },
+        },
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: { getTags: vi.fn().mockResolvedValue(['2.0.0']) } },
+      });
+      const logChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+      await docker.findNewVersion(container, logChild);
+      expect(logChild.warn).toHaveBeenCalledWith(
+        expect.stringContaining('No tags found with existing prefix'),
+      );
+    });
+
+    test('should warn when no tags start with a number', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0', semver: true },
+          digest: { watch: false },
+        },
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: { getTags: vi.fn().mockResolvedValue(['latest', 'stable']) } },
+      });
+      const logChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+      await docker.findNewVersion(container, logChild);
+      expect(logChild.warn).toHaveBeenCalledWith(
+        expect.stringContaining('No tags found starting with a number'),
+      );
+    });
+  });
+
+  describe('Additional Coverage - getTagCandidates empty', () => {
+    test('should warn when no tags after include filter', async () => {
+      const container = {
+        includeTags: '^nonexistent$',
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0', semver: true },
+          digest: { watch: false },
+        },
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: { getTags: vi.fn().mockResolvedValue(['1.0.0', '2.0.0']) } },
+      });
+      const logChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+      await docker.findNewVersion(container, logChild);
+      expect(logChild.warn).toHaveBeenCalledWith(
+        expect.stringContaining('No tags found after filtering'),
+      );
+    });
+  });
+
+  describe('Additional Coverage - getSwarmServiceLabels', () => {
+    test('should return empty when getService is not a function', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLog(['debug', 'warn', 'info']);
+      docker.dockerApi.getService = 'not-a-function';
+      expect(await docker.getSwarmServiceLabels('svc1', 'c1')).toEqual({});
+      expect(docker.log.debug).toHaveBeenCalledWith(
+        expect.stringContaining('does not support getService'),
+      );
+    });
+
+    test('should log debug when service has no labels', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLog(['debug', 'warn', 'info']);
+      mockDockerApi.getService.mockReturnValue({
+        inspect: vi.fn().mockResolvedValue({ Spec: {} }),
+      });
+      expect(await docker.getSwarmServiceLabels('svc1', 'c1')).toEqual({});
+      expect(docker.log.debug).toHaveBeenCalledWith(expect.stringContaining('has no labels'));
+    });
+
+    test('should log dd/wud label summary as none when labels are present but none are dd/wud', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLog(['debug', 'warn', 'info']);
+      mockDockerApi.getService.mockReturnValue({
+        inspect: vi.fn().mockResolvedValue({
+          Spec: {
+            Labels: { team: 'ops' },
+            TaskTemplate: {
+              ContainerSpec: {
+                Labels: { env: 'prod' },
+              },
+            },
+          },
+        }),
+      });
+
+      const labels = await docker.getSwarmServiceLabels('svc1', 'c1');
+
+      expect(labels).toEqual({ team: 'ops', env: 'prod' });
+      expect(docker.log.debug).toHaveBeenCalledWith(expect.stringContaining('deploy labels=none'));
+    });
+
+    test('getEffectiveContainerLabels should fallback to empty container labels object', async () => {
+      const labels = await docker.getEffectiveContainerLabels({}, new Map());
+      expect(labels).toEqual({});
+    });
+
+    test('getEffectiveContainerLabels should merge container labels when cached service labels are undefined', async () => {
+      const serviceId = 'svc-1';
+      const serviceLabelsCache = new Map([[serviceId, Promise.resolve(undefined as any)]]);
+
+      const labels = await docker.getEffectiveContainerLabels(
+        {
+          Id: 'container-1',
+          Labels: {
+            'com.docker.swarm.service.id': serviceId,
+            'dd.watch': 'true',
+          },
+        },
+        serviceLabelsCache,
+      );
+
+      expect(labels).toEqual({
+        'com.docker.swarm.service.id': serviceId,
+        'dd.watch': 'true',
+      });
+    });
+  });
+
+  describe('Additional Coverage - getMatchingImgsetConfiguration', () => {
+    test('should return undefined when no imgset configured', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      expect(
+        docker.getMatchingImgsetConfiguration({ path: 'library/nginx', domain: 'docker.io' }),
+      ).toBeUndefined();
+    });
+
+    test('should break ties by alphabetical name', async () => {
+      await docker.register('watcher', 'docker', 'test', {
+        imgset: {
+          zebra: { image: 'library/nginx', display: { name: 'Z' } },
+          alpha: { image: 'library/nginx', display: { name: 'A' } },
+        },
+      });
+      mockParse.mockImplementation((v) =>
+        v === 'library/nginx'
+          ? { path: 'library/nginx' }
+          : { domain: 'docker.io', path: 'library/nginx', tag: '1.0.0' },
+      );
+      const result = docker.getMatchingImgsetConfiguration({
+        path: 'library/nginx',
+        domain: 'docker.io',
+      });
+      expect(result).toBeDefined();
+      expect(result.name).toBe('alpha');
+    });
+
+    test('should keep first match when later candidate is not better', async () => {
+      await docker.register('watcher', 'docker', 'test', {
+        imgset: {
+          alpha: { image: 'library/nginx' },
+          zebra: { image: 'library/nginx' },
+        },
+      });
+
+      const result = docker.getMatchingImgsetConfiguration({
+        path: 'library/nginx',
+        domain: 'docker.io',
+      });
+
+      expect(result).toBeDefined();
+      expect(result.name).toBe('alpha');
+    });
+  });
+
+  describe('Additional Coverage - safeRegExp max length', () => {
+    test('should warn when regex pattern exceeds max length', async () => {
+      const longPattern = 'a'.repeat(1025);
+      const container = {
+        includeTags: longPattern,
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0', semver: true },
+          digest: { watch: false },
+        },
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: { getTags: vi.fn().mockResolvedValue(['1.0.0', '2.0.0']) } },
+      });
+      mockTag.isGreater.mockReturnValue(true);
+      const logChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+      await docker.findNewVersion(container, logChild);
+      expect(logChild.warn).toHaveBeenCalledWith(expect.stringContaining('exceeds maximum length'));
+    });
+
+    test('should warn when exclude regex exceeds max length', async () => {
+      const longPattern = 'b'.repeat(1025);
+      const container = {
+        excludeTags: longPattern,
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0', semver: true },
+          digest: { watch: false },
+        },
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: { getTags: vi.fn().mockResolvedValue(['1.0.0', '2.0.0']) } },
+      });
+      mockTag.isGreater.mockReturnValue(true);
+      const logChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+      await docker.findNewVersion(container, logChild);
+      expect(logChild.warn).toHaveBeenCalledWith(expect.stringContaining('exceeds maximum length'));
+    });
+  });
+
+  describe('Additional Coverage - filterBySegmentCount no numeric part', () => {
+    test('should return all tags when current tag has no numeric part', async () => {
+      const container = {
+        image: {
+          registry: { name: 'hub' },
+          tag: { value: 'latest', semver: true },
+          digest: { watch: false },
+        },
+        includeTags: '.*',
+      };
+      registry.getState.mockReturnValue({
+        registry: { hub: { getTags: vi.fn().mockResolvedValue(['latest', 'stable', '1.0.0']) } },
+      });
+      // Make transform return 'nonnumeric' for the current tag to hit numericPart === null
+      mockTag.transform.mockImplementation((_transform, tag) =>
+        tag === 'latest' ? 'nonnumeric' : tag,
+      );
+      mockTag.parse.mockReturnValue({ major: 1, minor: 0, patch: 0 });
+      mockTag.isGreater.mockReturnValue(true);
+      const logChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
+      await docker.findNewVersion(container, logChild);
+      // Should not crash; tags pass through
+      expect(logChild.error).not.toHaveBeenCalled();
+    });
+  });
+
+  describe('Additional Coverage - normalizeContainer no registry', () => {
+    test('should set registry name to unknown when no registry provider found', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: { Image: 'custom.registry/myimage:1.0.0', Names: ['/myimage'] },
+        parsedImage: { domain: 'custom.registry', path: 'myimage', tag: '1.0.0' },
+        registryState: {},
+      });
+      const result = await docker.addImageDetailsToContainer(container);
+      expect(result.image.registry.name).toBe('unknown');
+    });
+  });
+
+  describe('Additional Coverage - v1 manifest digest uses repo digest', () => {
+    test('should set digest value from repo digest for v1 manifests', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      const container = {
+        image: {
+          id: 'image123',
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0' },
+          digest: { watch: true, repo: 'sha256:abc123' },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.0.0']),
+        getImageManifestDigest: vi.fn().mockResolvedValue({
+          digest: 'sha256:def456',
+          created: '2023-01-01',
+          version: 1,
+        }),
+      };
+      registry.getState.mockReturnValue({ registry: { hub: mockRegistry } });
+      const mockLogChild = { error: vi.fn() };
+
+      await docker.findNewVersion(container, mockLogChild);
+
+      expect(container.image.digest.value).toBe('sha256:abc123');
+    });
+
+    test('should set digest value to undefined when repo digest is missing', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      const container = {
+        image: {
+          id: 'image123',
+          registry: { name: 'hub' },
+          tag: { value: '1.0.0' },
+          digest: { watch: true, repo: undefined },
+        },
+      };
+      const mockRegistry = {
+        getTags: vi.fn().mockResolvedValue(['1.0.0']),
+        getImageManifestDigest: vi.fn().mockResolvedValue({
+          digest: 'sha256:def456',
+          created: '2023-01-01',
+          version: 1,
+        }),
+      };
+      registry.getState.mockReturnValue({ registry: { hub: mockRegistry } });
+      const mockLogChild = { error: vi.fn() };
+
+      await docker.findNewVersion(container, mockLogChild);
+
+      expect(container.image.digest.value).toBeUndefined();
+    });
+  });
+
+  describe('Additional Coverage - getMatchingImgsetConfiguration with no image pattern', () => {
+    test('should skip imgset entries without image/match key', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      // Set imgset directly to bypass Joi validation requiring image field
+      docker.configuration.imgset = {
+        noimage: { display: { name: 'No Image Entry' } },
+      };
+      const result = docker.getMatchingImgsetConfiguration({
+        path: 'library/nginx',
+        domain: 'docker.io',
+      });
+      expect(result).toBeUndefined();
+    });
+  });
+
+  describe('Additional Coverage - getSwarmServiceLabels with dd labels', () => {
+    test('should log debug with dd label names from service', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      const logMock = createMockLog(['debug', 'warn', 'info']);
+      docker.log = logMock;
+      mockDockerApi.getService.mockReturnValue({
+        inspect: vi.fn().mockResolvedValue({
+          Spec: {
+            Labels: { 'dd.watch': 'true', 'dd.tag.include': '^v' },
+            TaskTemplate: { ContainerSpec: { Labels: { 'wud.display.name': 'Test' } } },
+          },
+        }),
+      });
+      const labels = await docker.getSwarmServiceLabels('svc1', 'c1');
+      expect(labels['dd.watch']).toBe('true');
+      expect(labels['wud.display.name']).toBe('Test');
+      expect(logMock.debug).toHaveBeenCalledWith(
+        expect.stringContaining('deploy labels=dd.watch,dd.tag.include'),
+      );
+    });
+  });
+
+  describe('Additional Coverage - getImageForRegistryLookup branches', () => {
+    test('should handle lookup image as hostname only (no slash)', async () => {
+      const harborHubState = createHarborHubRegistryState();
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'myimage:1.0.0',
+          Names: ['/myimage'],
+          Labels: { 'dd.registry.lookup.image': 'myregistry.example.com' },
+        },
+        imageDetails: { RepoDigests: ['myimage@sha256:abc123'] },
+        parsedImage: { domain: undefined, path: 'library/myimage', tag: '1.0.0' },
+        parseImpl: (value) => {
+          if (value === 'myimage:1.0.0')
+            return { domain: undefined, path: 'library/myimage', tag: '1.0.0' };
+          if (value === 'myregistry.example.com')
+            return { path: 'myregistry.example.com', domain: undefined };
+          return { domain: undefined, path: value };
+        },
+        registryState: harborHubState,
+      });
+      const result = await docker.addImageDetailsToContainer(container);
+      expect(result).toBeDefined();
+    });
+
+    test('should handle lookup image with empty parsed path', async () => {
+      const harborHubState = createHarborHubRegistryState();
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'myimage:1.0.0',
+          Names: ['/myimage'],
+          Labels: { 'dd.registry.lookup.image': 'something' },
+        },
+        imageDetails: { RepoDigests: ['myimage@sha256:abc123'] },
+        parseImpl: (value) => {
+          if (value === 'myimage:1.0.0')
+            return { domain: undefined, path: 'library/myimage', tag: '1.0.0' };
+          if (value === 'something') return { path: undefined, domain: undefined };
+          return { domain: undefined, path: value };
+        },
+        registryState: harborHubState,
+      });
+      const result = await docker.addImageDetailsToContainer(container);
+      expect(result).toBeDefined();
+    });
+  });
+
+  describe('Additional Coverage - Docker Hub digest watch warning', () => {
+    test('should warn about throttling when watching digest on Docker Hub with explicit label', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'docker.io/library/nginx:latest',
+          Names: ['/nginx'],
+          Labels: { 'dd.watch.digest': 'true' },
+        },
+        imageDetails: { RepoDigests: ['nginx@sha256:abc123'] },
+        parsedImage: { domain: 'docker.io', path: 'library/nginx', tag: 'latest' },
+        semverValue: null,
+      });
+      const result = await docker.addImageDetailsToContainer(container);
+      expect(result.image.digest.watch).toBe(true);
+    });
+  });
+
+  describe('Additional Coverage - inspectTagPath edge cases', () => {
+    test('should handle inspect path returning empty string value', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'ghcr.io/example/service:latest',
+          Names: ['/service'],
+          Labels: { 'dd.inspect.tag.path': 'Config/Labels/version' },
+        },
+        imageDetails: { Config: { Labels: { version: '   ' } } },
+        parsedImage: { domain: 'ghcr.io', path: 'example/service', tag: 'latest' },
+        semverValue: null,
+      });
+      mockTag.transform.mockImplementation((_transform, value) => value);
+      const result = await docker.addImageDetailsToContainer(container);
+      expect(result.image.tag.value).toBe('latest');
+    });
+
+    test('should handle inspect path with null intermediate value', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'ghcr.io/example/service:latest',
+          Names: ['/service'],
+          Labels: { 'dd.inspect.tag.path': 'Config/NonExistent/deep' },
+        },
+        imageDetails: { Config: {} },
+        parsedImage: { domain: 'ghcr.io', path: 'example/service', tag: 'latest' },
+        semverValue: null,
+      });
+      const result = await docker.addImageDetailsToContainer(container);
+      expect(result.image.tag.value).toBe('latest');
+    });
+
+    test('should default to latest when parsed image tag is missing', async () => {
+      const container = await setupContainerDetailTest(docker, {
+        container: {
+          Image: 'ghcr.io/example/service',
+          Names: ['/service'],
+          Labels: {},
+        },
+        imageDetails: {},
+        parsedImage: { domain: 'ghcr.io', path: 'example/service' },
+        semverValue: null,
+      });
+
+      const result = await docker.addImageDetailsToContainer(container);
+      expect(result.image.tag.value).toBe('latest');
+    });
+  });
+
+  describe('Additional Coverage - imgset pattern matching edge cases', () => {
+    test('should handle imgset with empty image pattern', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.configuration.imgset = { weird: { image: '   ' } };
+      mockParse.mockReturnValue({ path: undefined });
+      const result = docker.getMatchingImgsetConfiguration({
+        path: 'library/nginx',
+        domain: 'docker.io',
+      });
+      expect(result).toBeUndefined();
+    });
+
+    test('should return -1 specificity when parsedImage has no path', async () => {
+      await docker.register('watcher', 'docker', 'test', {
+        imgset: { test: { image: 'library/nginx' } },
+      });
+      mockParse.mockImplementation((v) => (v === 'library/nginx' ? { path: 'library/nginx' } : {}));
+      const result = docker.getMatchingImgsetConfiguration({ path: undefined, domain: undefined });
+      expect(result).toBeUndefined();
+    });
+
+    test('helper should return empty candidates for blank pattern', () => {
+      expect(testable_getImageReferenceCandidatesFromPattern('   ')).toEqual([]);
+    });
+
+    test('helper should fallback to normalized pattern when parsed pattern has no path', () => {
+      mockParse.mockReturnValue({ path: undefined });
+      expect(testable_getImageReferenceCandidatesFromPattern('docker.io')).toEqual(['docker.io']);
+    });
+
+    test('helper should fallback to normalized pattern when parser throws', () => {
+      mockParse.mockImplementation(() => {
+        throw new Error('invalid pattern');
+      });
+      expect(testable_getImageReferenceCandidatesFromPattern('INVALID[')).toEqual(['invalid[']);
+    });
+
+    test('helper should return -1 specificity when pattern produces no candidates', () => {
+      expect(
+        testable_getImgsetSpecificity('   ', { path: 'library/nginx', domain: 'docker.io' }),
+      ).toBe(-1);
+    });
+
+    test('helper should avoid array includes for candidate membership checks', () => {
+      mockParse.mockReturnValue({ path: 'library/nginx', domain: 'docker.io' });
+      const includesSpy = vi.spyOn(Array.prototype, 'includes');
+      const beforeCallCount = includesSpy.mock.calls.length;
+      const specificity = testable_getImgsetSpecificity('library/nginx', {
+        path: 'library/nginx',
+        domain: 'docker.io',
+      });
+      const callDelta = includesSpy.mock.calls.length - beforeCallCount;
+      includesSpy.mockRestore();
+
+      expect(specificity).toBeGreaterThan(0);
+      expect(callDelta).toBe(0);
+    });
+  });
+
+  describe('Additional Coverage - Docker helper functions', () => {
+    test('getLabel should fallback to wud key when dd key is absent', () => {
+      const labels = {
+        'wud.display.name': 'Legacy Name',
+      };
+      expect(testable_getLabel(labels, 'dd.display.name', 'wud.display.name')).toBe('Legacy Name');
+    });
+
+    test('getLabel should prefer dd key when both dd and wud keys are present', () => {
+      const labels = {
+        'dd.display.name': 'Preferred',
+        'wud.display.name': 'Legacy Name',
+      };
+      expect(testable_getLabel(labels, 'dd.display.name', 'wud.display.name')).toBe('Preferred');
+    });
+
+    test('getLabel should return undefined when fallback key is not provided', () => {
+      expect(testable_getLabel({}, 'dd.display.name')).toBeUndefined();
+    });
+
+    test.each([
+      {
+        aliasKey: 'dd.action.include',
+        legacyKey: 'dd.trigger.include',
+        fallbackKey: 'wud.trigger.include',
+        preferredValue: 'action-include',
+      },
+      {
+        aliasKey: 'dd.notification.exclude',
+        legacyKey: 'dd.trigger.exclude',
+        fallbackKey: 'wud.trigger.exclude',
+        preferredValue: 'notification-exclude',
+      },
+    ])('getLabel should prefer $aliasKey over $legacyKey and warn once for the legacy key', ({
+      aliasKey,
+      legacyKey,
+      fallbackKey,
+      preferredValue,
+    }) => {
+      const warnedLegacyTriggerLabels = new Set<string>();
+      const warn = vi.fn();
+      const labels = {
+        [aliasKey]: preferredValue,
+        [legacyKey]: 'legacy-value',
+        [fallbackKey]: 'legacy-fallback',
+      } as Record<string, string>;
+
+      expect(
+        testable_getLabel(labels, legacyKey, fallbackKey, {
+          warn,
+          warnedLegacyTriggerLabels,
+        }),
+      ).toBe(preferredValue);
+      expect(
+        testable_getLabel(
+          {
+            [legacyKey]: 'legacy-value',
+            [fallbackKey]: 'legacy-fallback',
+          } as Record<string, string>,
+          legacyKey,
+          fallbackKey,
+          {
+            warn,
+            warnedLegacyTriggerLabels,
+          },
+        ),
+      ).toBe('legacy-value');
+
+      expect(warn).toHaveBeenCalledTimes(1);
+      expect(warn.mock.calls[0][0]).toContain(legacyKey);
+    });
+
+    test('getCurrentPrefix should return the non-numeric prefix before the first digit', () => {
+      expect(testable_getCurrentPrefix('v2026.2.1')).toBe('v');
+    });
+
+    test('getCurrentPrefix should return empty string when there are no digits', () => {
+      expect(testable_getCurrentPrefix('latest')).toBe('');
+    });
+
+    test('filterBySegmentCount should drop tags without numeric groups', () => {
+      const filtered = testable_filterBySegmentCount(['latest', '1.2.4', '1.3.0'], {
+        transformTags: undefined,
+        image: {
+          tag: {
+            value: '1.2.3',
+          },
+        },
+      });
+
+      expect(filtered).toEqual(['1.2.4', '1.3.0']);
+    });
+
+    test('filterBySegmentCount should enforce numeric zero-padding style by segment', () => {
+      const filtered = testable_filterBySegmentCount(['5.1.5', '20.04.1', '5.01.6'], {
+        transformTags: undefined,
+        image: {
+          tag: {
+            value: '5.1.4',
+          },
+        },
+      });
+
+      expect(filtered).toEqual(['5.1.5']);
+    });
+
+    test('filterBySegmentCount should allow non-padded segments when current tag is padded', () => {
+      const filtered = testable_filterBySegmentCount(['20.10.1', '20.04.2'], {
+        transformTags: undefined,
+        image: {
+          tag: {
+            value: '20.04.1',
+          },
+        },
+      });
+
+      expect(filtered).toEqual(['20.10.1', '20.04.2']);
+    });
+
+    test('filterBySegmentCount should preserve current prefix family', () => {
+      const filtered = testable_filterBySegmentCount(['1.2.4', 'v1.2.4'], {
+        transformTags: undefined,
+        image: {
+          tag: {
+            value: 'v1.2.3',
+          },
+        },
+      });
+
+      expect(filtered).toEqual(['v1.2.4']);
+    });
+
+    test('filterBySegmentCount should preserve suffix family template', () => {
+      const filtered = testable_filterBySegmentCount(['1.2.4', '1.2.4-ls133', '1.2.4-r1'], {
+        transformTags: undefined,
+        image: {
+          tag: {
+            value: '1.2.3-ls132',
+          },
+        },
+      });
+
+      expect(filtered).toEqual(['1.2.4-ls133']);
+    });
+
+    test('getContainerName should extract first docker name entry and strip slash', () => {
+      expect(testable_getContainerName({ Names: ['/my-container'] })).toBe('my-container');
+    });
+
+    test('getContainerName should return empty string when names are missing', () => {
+      expect(testable_getContainerName({})).toBe('');
+    });
+
+    test('filterRecreatedContainerAliases should skip self-id-prefixed aliases when base name exists in store', () => {
+      const result = testable_filterRecreatedContainerAliases(
+        [
+          {
+            Id: '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10',
+            Names: ['/7ea6b8a42686_termix'],
+          },
+        ],
+        [
+          {
+            id: 'termix-current',
+            watcher: 'docker-test',
+            name: 'termix',
+          } as any,
+        ],
+      );
+
+      expect(result.containersToWatch).toHaveLength(0);
+      expect(result.skippedContainerIds.size).toBe(1);
+      expect(
+        result.skippedContainerIds.has(
+          '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10',
+        ),
+      ).toBe(true);
+    });
+
+    test('filterRecreatedContainerAliases should ignore containers with missing Id or Names', () => {
+      const result = testable_filterRecreatedContainerAliases(
+        [
+          { Names: ['/abc123_myapp'] },
+          { Id: 'name-missing' },
+          { Id: '', Names: ['/def456_myapp'] },
+          { Id: 'valid1', Names: ['/valid1_myapp'] },
+        ],
+        [],
+      );
+      expect(result.containersToWatch).toHaveLength(4);
+      expect(result.skippedContainerIds.size).toBe(0);
+    });
+
+    test('filterRecreatedContainerAliases should keep alias when no sibling and no store match', () => {
+      const result = testable_filterRecreatedContainerAliases(
+        [
+          {
+            Id: '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10',
+            Names: ['/7ea6b8a42686_termix'],
+          },
+        ],
+        [],
+      );
+      expect(result.containersToWatch).toHaveLength(1);
+      expect(result.skippedContainerIds.size).toBe(0);
+    });
+
+    test('filterRecreatedContainerAliases should keep alias when base-name map only has the same container id', () => {
+      const result = testable_filterRecreatedContainerAliases(
+        [
+          {
+            Id: '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10',
+            Names: ['/7ea6b8a42686_termix'],
+          },
+          {
+            Id: '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10',
+            Names: ['/termix'],
+          },
+        ],
+        [],
+      );
+      expect(result.containersToWatch).toHaveLength(2);
+      expect(result.skippedContainerIds.size).toBe(0);
+    });
+
+    test('filterRecreatedContainerAliases should skip alias when a sibling container already uses the base name', () => {
+      const aliasContainerId = '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10';
+      const result = testable_filterRecreatedContainerAliases(
+        [
+          {
+            Id: aliasContainerId,
+            Names: ['/7ea6b8a42686_termix'],
+          },
+          {
+            Id: 'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb',
+            Names: ['/termix'],
+          },
+        ],
+        [],
+      );
+
+      expect(result.containersToWatch).toHaveLength(1);
+      expect(result.skippedContainerIds.size).toBe(1);
+      expect(result.skippedContainerIds.has(aliasContainerId)).toBe(true);
+    });
+
+    test('filterRecreatedContainerAliases should keep names that are not self-id-prefixed aliases', () => {
+      const result = testable_filterRecreatedContainerAliases(
+        [
+          {
+            Id: 'aaaaaaaaaaaa1111111111111111111111111111111111111111111111111111',
+            Names: ['/7ea6b8a42686_termix'],
+          },
+        ],
+        [
+          {
+            id: 'termix-current',
+            watcher: 'docker-test',
+            name: 'termix',
+          } as any,
+        ],
+      );
+
+      expect(result.containersToWatch).toHaveLength(1);
+      expect(result.skippedContainerIds.size).toBe(0);
+    });
+
+    test('getContainerDisplayName should fallback to container name when parsed image path is missing', () => {
+      expect(testable_getContainerDisplayName('my-container', undefined, undefined)).toBe(
+        'my-container',
+      );
+    });
+
+    test('normalizeConfigNumberValue should return undefined for non-finite numeric strings', () => {
+      expect(testable_normalizeConfigNumberValue('NaN')).toBeUndefined();
+    });
+
+    test('shouldUpdateDisplayNameFromContainerName should support empty old display names', () => {
+      expect(testable_shouldUpdateDisplayNameFromContainerName('new-name', 'old-name', '')).toBe(
+        true,
+      );
+    });
+
+    test('getFirstDigitIndex should return -1 when no digit exists', () => {
+      expect(testable_getFirstDigitIndex('latest')).toBe(-1);
+    });
+
+    test('getImageForRegistryLookup should ignore invalid legacy lookup url', () => {
+      const image = {
+        registry: {
+          url: 'harbor.example.com',
+          lookupUrl: 'https://%',
+        },
+        name: 'dockerhub-proxy/traefik',
+        tag: {
+          value: 'v3.5.3',
+        },
+      };
+      expect(testable_getImageForRegistryLookup(image)).toBe(image);
+    });
+
+    test('getDockerWatcherRegistryId should normalize watcher and agent values', () => {
+      expect(getDockerWatcherRegistryId('watcher')).toBe('docker.watcher');
+      expect(getDockerWatcherRegistryId('watcher', 'agent-1')).toBe('agent-1.docker.watcher');
+      expect(getDockerWatcherRegistryId('   ', 'agent-1')).toBe('');
+    });
+
+    test('getDockerWatcherSourceKey should build tcp and socket keys with defaults', () => {
+      expect(
+        getDockerWatcherSourceKey({
+          agent: 'agent-1',
+          configuration: {
+            host: 'Docker.Example.Com',
+            protocol: 'HTTPS',
+            port: 4242,
+          },
+        } as any),
+      ).toBe('agent:agent-1|tcp:https://docker.example.com:4242');
+
+      expect(
+        getDockerWatcherSourceKey({
+          agent: '',
+          configuration: {
+            host: 'Docker.Example.Com',
+            protocol: '',
+            port: 0,
+          },
+        } as any),
+      ).toBe('agent:|tcp:http://docker.example.com:2375');
+
+      expect(
+        getDockerWatcherSourceKey({
+          agent: 'agent-2',
+          configuration: {
+            socket: '',
+          },
+        } as any),
+      ).toBe('agent:agent-2|socket:/var/run/docker.sock');
+    });
+
+    test('normalizeContainer should not mutate the input container object', async () => {
+      const containerModule = await import('../../../model/container.js');
+      const realContainerModule = await vi.importActual<
+        typeof import('../../../model/container.js')
+      >('../../../model/container.js');
+      containerModule.validate.mockImplementation(realContainerModule.validate);
+
+      const container = {
+        id: 'c1',
+        name: 'container-1',
+        watcher: 'docker',
+        image: {
+          id: 'sha256:abc123',
+          registry: {
+            name: 'original-registry',
+            url: 'custom.registry',
+          },
+          name: 'myimage',
+          tag: {
+            value: '1.0.0',
+            semver: true,
+          },
+          digest: {
+            watch: false,
+          },
+          architecture: 'amd64',
+          os: 'linux',
+        },
+      };
+
+      registry.getState.mockReturnValue({ registry: {} });
+      const result = testable_normalizeContainer(container);
+
+      expect(result).toBeDefined();
+      expect(result.image.registry.name).toBe('unknown');
+      expect(container.image.registry.name).toBe('original-registry');
+      expect(result.image).not.toBe(container.image);
+    });
+
+    test('getInspectValueByPath should return undefined for empty path', () => {
+      expect(testable_getInspectValueByPath({ Config: { Labels: {} } }, '')).toBeUndefined();
+    });
+
+    test('getOldContainers should return empty array when arguments are missing', () => {
+      expect(testable_getOldContainers(undefined, [])).toEqual([]);
+      expect(testable_getOldContainers([], undefined)).toEqual([]);
+    });
+
+    test('getOldContainers should remove containers that still exist in new snapshot', () => {
+      const result = testable_getOldContainers(
+        [{ id: 'current-1' }],
+        [{ id: 'current-1' }, { id: 'stale-1' }],
+      );
+
+      expect(result).toEqual([{ id: 'stale-1' }]);
+    });
+
+    test('getOldContainers should perform near-linear id lookups', () => {
+      let newIdReads = 0;
+      let storeIdReads = 0;
+      const newContainers = Array.from({ length: 30 }, (_, index) => {
+        const container = {};
+        Object.defineProperty(container, 'id', {
+          enumerable: true,
+          get: () => {
+            newIdReads += 1;
+            return `id-${index}`;
+          },
+        });
+        return container;
+      });
+      const containersFromStore = Array.from({ length: 30 }, (_, index) => {
+        const container = {};
+        Object.defineProperty(container, 'id', {
+          enumerable: true,
+          get: () => {
+            storeIdReads += 1;
+            return `id-${index + 15}`;
+          },
+        });
+        return container;
+      });
+
+      const result = testable_getOldContainers(newContainers, containersFromStore);
+
+      expect(result).toHaveLength(15);
+      expect(newIdReads).toBeLessThanOrEqual(60);
+      expect(storeIdReads).toBeLessThanOrEqual(60);
+    });
+
+    test('pruneOldContainers should update status when stale container still exists in docker', async () => {
+      const dockerApi = {
+        getContainer: vi.fn().mockReturnValue({
+          inspect: vi.fn().mockResolvedValue({
+            State: {
+              Status: 'exited',
+            },
+          }),
+        }),
+      };
+
+      await testable_pruneOldContainers([], [{ id: 'old-1', name: 'old-container' }], dockerApi);
+
+      expect(storeContainer.updateContainer).toHaveBeenCalledWith(
+        expect.objectContaining({
+          id: 'old-1',
+          status: 'exited',
+        }),
+      );
+    });
+
+    test('pruneOldContainers should delete stale entries when a same-name replacement exists', async () => {
+      const dockerApi = {
+        getContainer: vi.fn(),
+      };
+
+      await testable_pruneOldContainers(
+        [
+          {
+            id: 'new-1',
+            watcher: 'docker',
+            name: 'app',
+          },
+        ] as any,
+        [
+          {
+            id: 'old-1',
+            watcher: 'docker',
+            name: 'app',
+          },
+        ] as any,
+        dockerApi as any,
+      );
+
+      expect(dockerApi.getContainer).not.toHaveBeenCalled();
+      expect(storeContainer.deleteContainer).toHaveBeenCalledWith('old-1');
+    });
+
+    test('pruneOldContainers should delete stale same-name entries from same-source cross-watcher candidates', async () => {
+      const dockerApi = {
+        getContainer: vi.fn(),
+      };
+
+      await testable_pruneOldContainers(
+        [
+          {
+            id: 'new-1',
+            watcher: 'docker',
+            name: 'app',
+          },
+        ] as any,
+        [] as any,
+        dockerApi as any,
+        {
+          sameSourceContainersFromStore: [
+            {
+              id: 'old-2',
+              watcher: 'docker-alias',
+              name: 'app',
+            },
+          ],
+        },
+      );
+
+      expect(dockerApi.getContainer).not.toHaveBeenCalled();
+      expect(storeContainer.deleteContainer).toHaveBeenCalledWith('old-2');
+    });
+
+    test('pruneOldContainers should treat missing watcher as an empty watcher key', async () => {
+      const dockerApi = {
+        getContainer: vi.fn(),
+      };
+
+      await testable_pruneOldContainers(
+        [
+          {
+            id: 'new-1',
+            name: 'app',
+          },
+        ] as any,
+        [
+          {
+            id: 'old-1',
+            watcher: '',
+            name: 'app',
+          },
+        ] as any,
+        dockerApi as any,
+      );
+
+      expect(dockerApi.getContainer).not.toHaveBeenCalled();
+      expect(storeContainer.deleteContainer).toHaveBeenCalledWith('old-1');
+    });
+
+    test('pruneOldContainers should force-delete stale ids skipped during alias filtering', async () => {
+      const dockerApi = {
+        getContainer: vi.fn().mockReturnValue({
+          inspect: vi.fn().mockResolvedValue({
+            State: {
+              Status: 'exited',
+            },
+          }),
+        }),
+      };
+
+      await testable_pruneOldContainers(
+        [],
+        [
+          {
+            id: 'alias-1',
+            watcher: 'docker',
+            name: '7ea6b8a42686_termix',
+          },
+        ] as any,
+        dockerApi as any,
+        {
+          forceRemoveContainerIds: new Set(['alias-1']),
+        },
+      );
+
+      expect(dockerApi.getContainer).not.toHaveBeenCalled();
+      expect(storeContainer.updateContainer).not.toHaveBeenCalled();
+      expect(storeContainer.deleteContainer).toHaveBeenCalledWith('alias-1');
+    });
+  });
+
+  describe('Additional Coverage - getContainers same-source filtering', () => {
+    test('should normalize a non-string watcher agent when grouping same-source containers', async () => {
+      await docker.register(
+        'watcher',
+        'docker',
+        'test',
+        {
+          socket: '/var/run/docker.sock',
+          host: 'socket-proxy.internal',
+          protocol: 'http',
+          port: 2375,
+        },
+        'agent-1',
+      );
+      docker.agent = 42 as any;
+      mockDockerApi.listContainers.mockResolvedValue([]);
+      storeContainer.getContainers.mockImplementation((query?: { watcher?: string }) =>
+        query?.watcher ? [] : [],
+      );
+      registry.getState.mockReturnValue({ watcher: {} } as any);
+
+      await docker.getContainers();
+
+      expect(registry.getState).toHaveBeenCalled();
+    });
+
+    test('should fall back to current containers when same-source lookup fails', async () => {
+      await docker.register('watcher', 'docker', 'test', {
+        socket: '/var/run/docker.sock',
+      });
+      docker.log = createMockLog(['warn']);
+      mockDockerApi.listContainers.mockResolvedValue([]);
+      storeContainer.getContainers.mockImplementation((query?: { watcher?: string }) =>
+        query?.watcher ? [] : [],
+      );
+      registry.getState.mockImplementation(() => {
+        throw new Error('Registry unavailable');
+      });
+
+      await expect(docker.getContainers()).resolves.toEqual([]);
+      expect(docker.log.warn).toHaveBeenCalledWith(
+        expect.stringContaining('Error when trying to get same-source containers from the store'),
+      );
+    });
+
+    test('should keep same-source containers and skip invalid cross-watcher records', async () => {
+      await docker.register(
+        'watcher',
+        'docker',
+        'test',
+        {
+          socket: '/var/run/docker.sock',
+          host: 'socket-proxy.internal',
+          protocol: 'http',
+          port: 2375,
+        },
+        '',
+      );
+      mockDockerApi.listContainers.mockResolvedValue([]);
+      storeContainer.getContainers.mockImplementation((query?: { watcher?: string }) => {
+        if (query?.watcher) {
+          return [];
+        }
+
+        return [
+          {
+            id: 'same-source',
+            watcher: 'docker-same-source',
+            agent: '',
+            name: 'service',
+          },
+          {
+            id: 'empty-watcher',
+            watcher: '',
+            agent: '',
+            name: 'service',
+          },
+          {
+            id: 'whitespace-watcher',
+            watcher: '   ',
+            agent: '',
+            name: 'service',
+          },
+          {
+            id: 'non-docker-watcher',
+            watcher: 'docker-queue',
+            agent: '',
+            name: 'service',
+          },
+          {
+            id: 'different-agent',
+            watcher: 'docker-same-source',
+            agent: 'remote-agent',
+            name: 'service',
+          },
+        ] as any;
+      });
+      registry.getState.mockReturnValue({
+        watcher: {
+          'docker.docker-same-source': {
+            type: 'docker',
+            name: 'docker-same-source',
+            configuration: {
+              host: 'socket-proxy.internal',
+              protocol: 'http',
+              port: 2375,
+              socket: '/var/run/docker.sock',
+            },
+          },
+          'docker.docker-queue': {
+            type: 'queue',
+            name: 'docker-queue',
+            configuration: {
+              host: 'socket-proxy.internal',
+              protocol: 'http',
+              port: 2375,
+              socket: '/var/run/docker.sock',
+            },
+          },
+        },
+      } as any);
+
+      await docker.getContainers();
+
+      expect(storeContainer.deleteContainer).not.toHaveBeenCalled();
+    });
+  });
+
+  describe('Additional Coverage - findNewVersion unsupported registry', () => {
+    test('should return current tag and log error when registry provider is unsupported', async () => {
+      const logChild = createMockLog(['error']);
+      const container = {
+        image: {
+          registry: {
+            name: 'unknown',
+          },
+          tag: {
+            value: '1.2.3',
+          },
+          digest: {
+            watch: false,
+          },
+        },
+      };
+
+      const result = await docker.findNewVersion(container, logChild);
+      expect(result).toEqual({ tag: '1.2.3' });
+      expect(logChild.error).toHaveBeenCalledWith('Unsupported registry (unknown)');
+    });
+  });
+});
diff --git a/app/watchers/providers/docker/Docker.events.test.ts b/app/watchers/providers/docker/Docker.events.test.ts
new file mode 100644
index 000000000..0360d5863
--- /dev/null
+++ b/app/watchers/providers/docker/Docker.events.test.ts
@@ -0,0 +1,855 @@
+import type { Mocked } from 'vitest';
+import * as event from '../../../event/index.js';
+import { fullName } from '../../../model/container.js';
+import * as registry from '../../../registry/index.js';
+import * as storeContainer from '../../../store/container.js';
+import { mockConstructor } from '../../../test/mock-constructor.js';
+import { _resetRegistryWebhookFreshStateForTests } from '../../registry-webhook-fresh.js';
+import Docker from './Docker.js';
+
+const mockDdEnvVars = vi.hoisted(() => ({}) as Record<string, string | undefined>);
+const mockDetectSourceRepoFromImageMetadata = vi.hoisted(() => vi.fn());
+const mockResolveSourceRepoForContainer = vi.hoisted(() => vi.fn());
+const mockGetFullReleaseNotesForContainer = vi.hoisted(() => vi.fn());
+const mockToContainerReleaseNotes = vi.hoisted(() => vi.fn((notes) => notes));
+vi.mock('../../../configuration/index.js', async (importOriginal) => ({
+  ...(await importOriginal<typeof import('../../../configuration/index.js')>()),
+  ddEnvVars: mockDdEnvVars,
+}));
+vi.mock('../../../release-notes/index.js', () => ({
+  detectSourceRepoFromImageMetadata: (...args: unknown[]) =>
+    mockDetectSourceRepoFromImageMetadata(...args),
+  resolveSourceRepoForContainer: (...args: unknown[]) => mockResolveSourceRepoForContainer(...args),
+  getFullReleaseNotesForContainer: (...args: unknown[]) =>
+    mockGetFullReleaseNotesForContainer(...args),
+  toContainerReleaseNotes: (...args: unknown[]) => mockToContainerReleaseNotes(...args),
+}));
+
+// Mock all dependencies
+vi.mock('dockerode');
+vi.mock('node-cron');
+vi.mock('just-debounce');
+vi.mock('../../../event');
+vi.mock('../../../store/container');
+vi.mock('../../../registry');
+vi.mock('../../../model/container');
+vi.mock('../../../tag');
+vi.mock('../../../prometheus/watcher');
+vi.mock('parse-docker-image-name');
+vi.mock('node:fs');
+vi.mock('axios');
+vi.mock('./maintenance.js', () => ({
+  isInMaintenanceWindow: vi.fn(() => true),
+  getNextMaintenanceWindow: vi.fn(() => undefined),
+}));
+
+import axios from 'axios';
+import mockDockerode from 'dockerode';
+import mockDebounce from 'just-debounce';
+import mockCron from 'node-cron';
+import mockParse from 'parse-docker-image-name';
+import * as mockPrometheus from '../../../prometheus/watcher.js';
+import * as mockTag from '../../../tag/index.js';
+import * as maintenance from './maintenance.js';
+import * as oidcModule from './oidc.js';
+
+const mockAxios = axios as Mocked<typeof axios>;
+
+// --- Shared factory functions to reduce test duplication ---
+
+/** Base OIDC auth configuration for remote Docker API tests. */
+function createOidcConfig(oidcOverrides = {}, configOverrides = {}) {
+  return {
+    host: 'docker-api.example.com',
+    port: 443,
+    protocol: 'https',
+    auth: {
+      type: 'oidc',
+      oidc: {
+        tokenurl: 'https://idp.example.com/oauth/token',
+        ...oidcOverrides,
+      },
+    },
+    ...configOverrides,
+  };
+}
+
+/** Creates a mock log object with commonly needed methods. */
+function createMockLog(methods = ['info', 'warn', 'debug', 'error']) {
+  const log = {};
+  for (const m of methods) {
+    log[m] = vi.fn();
+  }
+  return log;
+}
+
+/** Creates a mock log with a child() that returns another mock log. */
+function createMockLogWithChild(childMethods = ['info', 'warn', 'debug', 'error']) {
+  const childLog = createMockLog(childMethods);
+  return {
+    child: vi.fn().mockReturnValue(childLog),
+    ...createMockLog(['info', 'warn', 'debug', 'error']),
+    _child: childLog,
+  };
+}
+
+let mockImage;
+
+describe('Docker Watcher', () => {
+  let docker;
+  let mockDockerApi;
+  let mockSchedule;
+  let mockContainer;
+
+  beforeEach(async () => {
+    vi.clearAllMocks();
+    _resetRegistryWebhookFreshStateForTests();
+
+    // Setup dockerode mock
+    mockDockerApi = {
+      listContainers: vi.fn(),
+      getContainer: vi.fn(),
+      getEvents: vi.fn(),
+      getImage: vi.fn(),
+      getService: vi.fn(),
+      modem: {
+        headers: {},
+      },
+    };
+    mockDockerode.mockImplementation(mockConstructor(mockDockerApi));
+
+    // Setup cron mock
+    mockSchedule = {
+      stop: vi.fn(),
+    };
+    mockCron.schedule.mockReturnValue(mockSchedule);
+
+    // Setup debounce mock
+    mockDebounce.mockImplementation((fn) => fn);
+
+    // Setup container mock
+    mockContainer = {
+      inspect: vi.fn(),
+    };
+    mockDockerApi.getContainer.mockReturnValue(mockContainer);
+
+    // Setup image mock
+    mockImage = {
+      inspect: vi.fn(),
+    };
+    mockDockerApi.getImage.mockReturnValue(mockImage);
+
+    // Setup store mock
+    storeContainer.getContainers.mockReturnValue([]);
+    storeContainer.getContainer.mockReturnValue(undefined);
+    storeContainer.insertContainer.mockImplementation((c) => c);
+    storeContainer.updateContainer.mockImplementation((c) => c);
+    storeContainer.deleteContainer.mockImplementation(() => {});
+
+    // Setup registry mock
+    registry.getState.mockReturnValue({ registry: {} });
+
+    // Setup event mock
+    event.emitWatcherStart.mockImplementation(() => {});
+    event.emitWatcherStop.mockImplementation(() => {});
+    event.emitContainerReport.mockImplementation(() => {});
+    event.emitContainerReports.mockImplementation(() => {});
+
+    // Setup tag mock
+    mockTag.parse.mockReturnValue({ major: 1, minor: 0, patch: 0 });
+    mockTag.isGreater.mockReturnValue(false);
+    mockTag.transform.mockImplementation((transform, tag) => tag);
+
+    // Setup prometheus mock
+    const mockGauge = { set: vi.fn() };
+    mockPrometheus.getWatchContainerGauge.mockReturnValue(mockGauge);
+    mockPrometheus.getMaintenanceSkipCounter.mockReturnValue({
+      labels: vi.fn().mockReturnValue({ inc: vi.fn() }),
+    });
+    mockPrometheus.getLoggerInitFailureCounter.mockReturnValue({
+      labels: vi.fn().mockReturnValue({ inc: vi.fn() }),
+    });
+
+    // Setup maintenance helpers
+    maintenance.isInMaintenanceWindow.mockReturnValue(true);
+    maintenance.getNextMaintenanceWindow.mockReturnValue(undefined);
+
+    // Setup parse mock
+    mockParse.mockReturnValue({
+      domain: 'docker.io',
+      path: 'library/nginx',
+      tag: '1.0.0',
+    });
+
+    mockAxios.post.mockResolvedValue({
+      data: {
+        access_token: 'oidc-token',
+        expires_in: 300,
+      },
+    } as any);
+
+    // Setup fullName mock
+    fullName.mockReturnValue('test_container');
+
+    docker = new Docker();
+  });
+
+  afterEach(async () => {
+    vi.useRealTimers();
+    if (docker) {
+      await docker.deregisterComponent();
+    }
+  });
+
+  describe('Docker Events', () => {
+    test('should listen to docker events', async () => {
+      const mockStream = { on: vi.fn() };
+      mockDockerApi.getEvents.mockImplementation((options, callback) => {
+        callback(null, mockStream);
+      });
+      await docker.register('watcher', 'docker', 'test', {});
+      await docker.listenDockerEvents();
+      expect(mockDockerApi.getEvents).toHaveBeenCalledWith(
+        {
+          filters: {
+            type: ['container'],
+            event: [
+              'create',
+              'destroy',
+              'start',
+              'stop',
+              'pause',
+              'unpause',
+              'die',
+              'update',
+              'rename',
+            ],
+          },
+        },
+        expect.any(Function),
+      );
+    });
+
+    test('should forward docker stream data events to onDockerEvent', async () => {
+      const eventHandlers: Record<string, (chunk: any) => Promise<void> | void> = {};
+      const mockStream = {
+        on: vi.fn((eventName, handler) => {
+          eventHandlers[eventName] = handler;
+        }),
+      };
+      mockDockerApi.getEvents.mockImplementation((options, callback) => {
+        callback(null, mockStream);
+      });
+      docker.onDockerEvent = vi.fn().mockResolvedValue(undefined);
+
+      await docker.register('watcher', 'docker', 'test', {});
+      await docker.listenDockerEvents();
+      await eventHandlers.data(Buffer.from('{"Action":"create","id":"container123"}\n'));
+
+      expect(mockStream.on).toHaveBeenCalledWith('data', expect.any(Function));
+      expect(mockStream.on).toHaveBeenCalledWith('error', expect.any(Function));
+      expect(mockStream.on).toHaveBeenCalledWith('close', expect.any(Function));
+      expect(mockStream.on).toHaveBeenCalledWith('end', expect.any(Function));
+      expect(docker.onDockerEvent).toHaveBeenCalledWith(
+        Buffer.from('{"Action":"create","id":"container123"}\n'),
+      );
+    });
+
+    test('should handle docker events error', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      const mockLog = createMockLog(['warn', 'debug', 'info']);
+      docker.log = mockLog;
+      mockDockerApi.getEvents.mockImplementation((options, callback) => {
+        callback(new Error('Connection failed'));
+      });
+      await docker.listenDockerEvents();
+      expect(mockLog.warn).toHaveBeenCalledWith(expect.stringContaining('Connection failed'));
+    });
+
+    test('should ignore getEvents error when warn logger is unavailable', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLog(['info']);
+      mockDockerApi.getEvents.mockImplementation((options, callback) => {
+        callback(new Error('Connection failed'));
+      });
+
+      await expect(docker.listenDockerEvents()).resolves.toBeUndefined();
+    });
+
+    test('should reconnect docker events stream after stream failure', async () => {
+      vi.useFakeTimers();
+      try {
+        const eventHandlers: Record<string, (...args: any[]) => void> = {};
+        const mockStream = {
+          on: vi.fn((eventName, handler) => {
+            eventHandlers[eventName] = handler;
+          }),
+          removeAllListeners: vi.fn(),
+          destroy: vi.fn(),
+        };
+        mockDockerApi.getEvents.mockImplementation((options, callback) => {
+          callback(null, mockStream);
+        });
+
+        await docker.register('watcher', 'docker', 'test', {
+          watchevents: false,
+        });
+        docker.configuration.watchevents = true;
+        docker.isDockerEventsListenerActive = true;
+        docker.log = createMockLog(['warn', 'debug', 'info']);
+
+        await docker.listenDockerEvents();
+        expect(docker.dockerEventsReconnectDelayMs).toBe(1000);
+
+        eventHandlers.error(new Error('Stream dropped'));
+        expect(docker.log.info).toHaveBeenCalledWith(
+          expect.stringContaining('reconnect attempt #1'),
+        );
+        expect(docker.dockerEventsReconnectTimeout).toBeDefined();
+        expect(docker.dockerEventsReconnectDelayMs).toBe(2000);
+
+        const reconnectTimeout = docker.dockerEventsReconnectTimeout;
+        eventHandlers.close();
+        expect(docker.dockerEventsReconnectTimeout).toBe(reconnectTimeout);
+
+        await vi.advanceTimersByTimeAsync(1000);
+        expect(mockDockerApi.getEvents).toHaveBeenCalledTimes(2);
+      } finally {
+        vi.useRealTimers();
+      }
+    });
+
+    test('should exponentially back off reconnect delay on repeated getEvents failures', async () => {
+      vi.useFakeTimers();
+      try {
+        const recoveredStream = {
+          on: vi.fn(),
+          removeAllListeners: vi.fn(),
+          destroy: vi.fn(),
+        };
+        mockDockerApi.getEvents
+          .mockImplementationOnce((options, callback) => {
+            callback(new Error('Connection failed (1)'));
+          })
+          .mockImplementationOnce((options, callback) => {
+            callback(new Error('Connection failed (2)'));
+          })
+          .mockImplementation((options, callback) => {
+            callback(null, recoveredStream);
+          });
+
+        await docker.register('watcher', 'docker', 'test', {
+          watchevents: false,
+        });
+        docker.configuration.watchevents = true;
+        docker.isDockerEventsListenerActive = true;
+        docker.log = createMockLog(['warn', 'debug', 'info']);
+
+        await docker.listenDockerEvents();
+        expect(docker.dockerEventsReconnectAttempt).toBe(1);
+        expect(docker.dockerEventsReconnectDelayMs).toBe(2000);
+
+        await vi.advanceTimersByTimeAsync(1000);
+        expect(docker.dockerEventsReconnectAttempt).toBe(2);
+        expect(docker.dockerEventsReconnectDelayMs).toBe(4000);
+
+        await vi.advanceTimersByTimeAsync(2000);
+        expect(mockDockerApi.getEvents).toHaveBeenCalledTimes(3);
+        expect(docker.dockerEventsReconnectAttempt).toBe(0);
+        expect(docker.dockerEventsReconnectDelayMs).toBe(1000);
+      } finally {
+        vi.useRealTimers();
+      }
+    });
+
+    test('should stop reconnect scheduling when watcher is deregistered', async () => {
+      vi.useFakeTimers();
+      try {
+        const eventHandlers: Record<string, (...args: any[]) => void> = {};
+        const mockStream = {
+          on: vi.fn((eventName, handler) => {
+            eventHandlers[eventName] = handler;
+          }),
+          removeAllListeners: vi.fn(),
+          destroy: vi.fn(),
+        };
+        mockDockerApi.getEvents.mockImplementation((options, callback) => {
+          callback(null, mockStream);
+        });
+
+        await docker.register('watcher', 'docker', 'test', {
+          watchevents: false,
+        });
+        docker.configuration.watchevents = true;
+        docker.isDockerEventsListenerActive = true;
+        docker.log = createMockLog(['warn', 'debug', 'info']);
+
+        await docker.listenDockerEvents();
+        eventHandlers.end();
+        expect(docker.dockerEventsReconnectTimeout).toBeDefined();
+        expect(mockStream.removeAllListeners).toHaveBeenCalled();
+
+        await docker.deregisterComponent();
+        await vi.advanceTimersByTimeAsync(5000);
+
+        expect(mockDockerApi.getEvents).toHaveBeenCalledTimes(1);
+      } finally {
+        vi.useRealTimers();
+      }
+    });
+
+    test('should process create/destroy events', async () => {
+      docker.watchCronDebounced = vi.fn();
+      const event = JSON.stringify({
+        Action: 'create',
+        id: 'container123',
+      });
+      await docker.onDockerEvent(Buffer.from(event));
+      expect(docker.watchCronDebounced).toHaveBeenCalled();
+    });
+
+    test('should update container status on other events', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      const mockLog = createMockLogWithChild(['info']);
+      docker.log = mockLog;
+      mockContainer.inspect.mockResolvedValue({
+        State: { Status: 'running' },
+      });
+      const existingContainer = { id: 'container123', status: 'stopped' };
+      storeContainer.getContainer.mockReturnValue(existingContainer);
+
+      const event = JSON.stringify({
+        Action: 'start',
+        id: 'container123',
+      });
+      await docker.onDockerEvent(Buffer.from(event));
+
+      expect(mockContainer.inspect).toHaveBeenCalled();
+      expect(storeContainer.updateContainer).toHaveBeenCalled();
+    });
+
+    test('should update container name on rename events', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      const mockLog = createMockLogWithChild(['info']);
+      docker.log = mockLog;
+      mockContainer.inspect.mockResolvedValue({
+        Name: '/renamed-container',
+        State: { Status: 'running' },
+        Config: { Labels: {} },
+      });
+      const existingContainer = {
+        id: 'container123',
+        name: 'old-temp-name',
+        displayName: 'old-temp-name',
+        status: 'running',
+        image: { name: 'library/nginx' },
+        labels: {},
+      };
+      storeContainer.getContainer.mockReturnValue(existingContainer);
+
+      const event = JSON.stringify({
+        Action: 'rename',
+        id: 'container123',
+      });
+      await docker.onDockerEvent(Buffer.from(event));
+
+      expect(existingContainer.name).toBe('renamed-container');
+      expect(existingContainer.displayName).toBe('renamed-container');
+      expect(storeContainer.updateContainer).toHaveBeenCalledWith(existingContainer);
+    });
+
+    test('should apply custom display name from labels when processing events', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLogWithChild(['info']);
+      mockContainer.inspect.mockResolvedValue({
+        Name: '/renamed-container',
+        State: { Status: 'running' },
+        Config: { Labels: { 'wud.display.name': 'Custom Label Name' } },
+      });
+      const existingContainer = {
+        id: 'container123',
+        name: 'old-name',
+        displayName: 'old-name',
+        status: 'running',
+        image: { name: 'library/nginx' },
+        labels: {},
+      };
+      storeContainer.getContainer.mockReturnValue(existingContainer);
+
+      await docker.onDockerEvent(Buffer.from('{"Action":"rename","id":"container123"}\n'));
+
+      expect(existingContainer.displayName).toBe('Custom Label Name');
+      expect(storeContainer.updateContainer).toHaveBeenCalledWith(existingContainer);
+    });
+
+    test('should skip store update when inspect payload does not change tracked fields', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLogWithChild(['info']);
+      mockContainer.inspect.mockResolvedValue({
+        Name: '/same-name',
+        State: { Status: 'running' },
+        Config: { Labels: { foo: 'bar' } },
+      });
+      const existingContainer = {
+        id: 'container123',
+        name: 'same-name',
+        displayName: 'custom-name',
+        status: 'running',
+        image: { name: 'library/nginx' },
+        labels: { foo: 'bar' },
+      };
+      storeContainer.getContainer.mockReturnValue(existingContainer);
+
+      await docker.onDockerEvent(Buffer.from('{"Action":"start","id":"container123"}\n'));
+
+      expect(storeContainer.updateContainer).not.toHaveBeenCalled();
+    });
+
+    test('should compute fallback display name even when image metadata is missing', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLogWithChild(['info']);
+      mockContainer.inspect.mockResolvedValue({
+        Name: '/renamed-container',
+        State: { Status: 'running' },
+        Config: { Labels: {} },
+      });
+      const existingContainer = {
+        id: 'container123',
+        name: 'old-temp-name',
+        displayName: '',
+        status: 'running',
+        labels: {},
+      };
+      storeContainer.getContainer.mockReturnValue(existingContainer);
+
+      await docker.onDockerEvent(Buffer.from('{"Action":"rename","id":"container123"}\n'));
+
+      expect(existingContainer.displayName).toBe('renamed-container');
+    });
+
+    test('should handle container not found during event processing', async () => {
+      const mockLog = createMockLog(['debug']);
+      docker.log = mockLog;
+      mockDockerApi.getContainer.mockImplementation(() => {
+        throw new Error('No such container');
+      });
+
+      const event = JSON.stringify({
+        Action: 'start',
+        id: 'nonexistent',
+      });
+      await docker.onDockerEvent(Buffer.from(event));
+
+      expect(mockLog.debug).toHaveBeenCalledWith(
+        expect.stringContaining('Unable to get container'),
+      );
+    });
+
+    test('should skip updates when docker event container is not found in store', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLogWithChild(['info', 'debug']);
+      mockContainer.inspect.mockResolvedValue({
+        Name: '/existing-container',
+        State: { Status: 'running' },
+        Config: { Labels: {} },
+      });
+      storeContainer.getContainer.mockReturnValue(undefined);
+
+      await docker.onDockerEvent(Buffer.from('{"Action":"start","id":"container123"}\n'));
+
+      expect(storeContainer.updateContainer).not.toHaveBeenCalled();
+    });
+
+    test('should handle malformed docker event payload', async () => {
+      const mockLog = createMockLog(['debug']);
+      docker.log = mockLog;
+
+      await docker.onDockerEvent(Buffer.from('{invalid-json\n'));
+
+      expect(mockLog.debug).toHaveBeenCalledWith(
+        expect.stringContaining('Unable to process Docker event'),
+      );
+    });
+
+    test('isRecoverableDockerEventParseError should return false when error has no message', () => {
+      expect(docker.isRecoverableDockerEventParseError({})).toBe(false);
+    });
+
+    test('should buffer split docker event payloads until complete', async () => {
+      docker.watchCronDebounced = vi.fn();
+      await docker.onDockerEvent(Buffer.from('{"Action":"create","id":"container'));
+
+      expect(docker.watchCronDebounced).not.toHaveBeenCalled();
+      expect(docker.dockerEventsBuffer).toContain('"container');
+
+      await docker.onDockerEvent(Buffer.from('123"}\n'));
+
+      expect(docker.watchCronDebounced).toHaveBeenCalledTimes(1);
+      expect(docker.dockerEventsBuffer).toBe('');
+    });
+
+    test('should process multiple docker events from a single chunk', async () => {
+      docker.watchCronDebounced = vi.fn();
+
+      await docker.onDockerEvent(
+        Buffer.from(
+          '{"Action":"create","id":"container123"}\n{"Action":"destroy","id":"container456"}\n',
+        ),
+      );
+
+      expect(docker.watchCronDebounced).toHaveBeenCalledTimes(2);
+    });
+
+    test('should keep buffer when opportunistic parse returns partial result', async () => {
+      docker.processDockerEventPayload = vi.fn().mockResolvedValue(false);
+      docker.dockerEventsBuffer = '';
+
+      await docker.onDockerEvent(Buffer.from('{"Action":"create","id":"c1"}'));
+
+      expect(docker.processDockerEventPayload).toHaveBeenCalledWith(
+        '{"Action":"create","id":"c1"}',
+        true,
+      );
+      expect(docker.dockerEventsBuffer).toBe('{"Action":"create","id":"c1"}');
+    });
+
+    test('should reconnect when docker events buffer exceeds 1MB', async () => {
+      vi.useFakeTimers();
+      try {
+        await docker.register('watcher', 'docker', 'test', {
+          watchevents: false,
+        });
+        docker.configuration.watchevents = true;
+        docker.isDockerEventsListenerActive = true;
+        docker.log = createMockLog(['warn', 'debug', 'info']);
+        docker.processDockerEventPayload = vi.fn().mockResolvedValue(false);
+        docker.dockerEventsBuffer = 'a'.repeat(1024 * 1024 - 10);
+
+        await docker.onDockerEvent(Buffer.from('{"Action":"create","id":"overflow"}'));
+
+        expect(docker.log.info).toHaveBeenCalledWith(expect.stringContaining('buffer overflow'));
+        expect(docker.dockerEventsReconnectAttempt).toBe(1);
+        expect(docker.dockerEventsReconnectTimeout).toBeDefined();
+        expect(docker.dockerEventsBuffer).toBe('');
+      } finally {
+        vi.useRealTimers();
+      }
+    });
+  });
+
+  describe('Additional Coverage - ensureRemoteAuthHeaders and listenDockerEvents', () => {
+    test('should fail closed when OIDC auth is configured without HTTPS', async () => {
+      await docker.register('watcher', 'docker', 'test', {
+        host: 'localhost',
+        port: 2375,
+        protocol: 'http',
+      });
+      docker.configuration.auth = { type: 'oidc', oidc: { tokenurl: 'https://idp/token' } };
+      await expect(docker.ensureRemoteAuthHeaders()).rejects.toThrow(
+        'HTTPS is required for OIDC auth',
+      );
+      expect(mockAxios.post).not.toHaveBeenCalled();
+    });
+
+    test('should allow non-HTTPS OIDC fallback when auth.insecure=true', async () => {
+      await docker.register('watcher', 'docker', 'test', {
+        host: 'localhost',
+        port: 2375,
+        protocol: 'http',
+      });
+      docker.configuration.auth = {
+        type: 'oidc',
+        insecure: true,
+        oidc: { tokenurl: 'https://idp/token' },
+      };
+      const logMock = createMockLog(['warn', 'info', 'debug']);
+      docker.log = logMock;
+      await docker.ensureRemoteAuthHeaders();
+      expect(mockAxios.post).not.toHaveBeenCalled();
+      expect(logMock.warn).toHaveBeenCalledWith(
+        expect.stringContaining('continuing because auth.insecure=true'),
+      );
+    });
+
+    test('should warn when ensureRemoteAuthHeaders fails in listenDockerEvents', async () => {
+      await docker.register('watcher', 'docker', 'test', {
+        host: 'localhost',
+        port: 443,
+        protocol: 'https',
+        auth: { type: 'oidc', oidc: { tokenurl: 'https://idp/token' } },
+      });
+      mockAxios.post.mockRejectedValue(new Error('Network error'));
+      const logMock = createMockLog(['warn', 'info', 'debug']);
+      docker.log = logMock;
+      await docker.listenDockerEvents();
+      expect(logMock.warn).toHaveBeenCalledWith(
+        expect.stringContaining('Unable to initialize remote watcher auth'),
+      );
+    });
+
+    test('should return early when ensureLogger produces a non-functional log', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      // Override ensureLogger to set a log that lacks info()
+      docker.ensureLogger = () => {
+        docker.log = {};
+      };
+      await docker.listenDockerEvents();
+      expect(mockDockerApi.getEvents).not.toHaveBeenCalled();
+    });
+
+    test('should expose and update deviceCodeCompleted through OIDC state adapter accessors', async () => {
+      await docker.register('watcher', 'docker', 'test', createOidcConfig());
+      docker.remoteOidcDeviceCodeCompleted = true;
+
+      const state = (docker as any).getOidcStateAdapter();
+      expect(state.deviceCodeCompleted).toBe(true);
+
+      state.deviceCodeCompleted = false;
+      expect(docker.remoteOidcDeviceCodeCompleted).toBe(false);
+    });
+
+    test('should throw when OIDC refresh succeeds without returning an access token', async () => {
+      await docker.register('watcher', 'docker', 'test', createOidcConfig());
+      docker.remoteOidcAccessToken = undefined;
+      docker.remoteOidcAccessTokenExpiresAt = 0;
+      const refreshSpy = vi
+        .spyOn(oidcModule, 'refreshRemoteOidcAccessToken')
+        .mockResolvedValue(undefined as any);
+
+      try {
+        await expect(docker.ensureRemoteAuthHeaders()).rejects.toThrow(
+          'no OIDC access token available',
+        );
+      } finally {
+        refreshSpy.mockRestore();
+      }
+    });
+
+    test('listenDockerEvents should return early when watchevents is disabled', async () => {
+      await docker.register('watcher', 'docker', 'test', { watchevents: false });
+      docker.isDockerEventsListenerActive = true;
+
+      await docker.listenDockerEvents();
+
+      expect(mockDockerApi.getEvents).not.toHaveBeenCalled();
+    });
+
+    test('listenDockerEvents should clear stale reconnect timeout before opening stream', async () => {
+      await docker.register('watcher', 'docker', 'test', { watchevents: true });
+      docker.isDockerEventsListenerActive = true;
+      const reconnectTimeout = setTimeout(() => {}, 10_000) as any;
+      docker.dockerEventsReconnectTimeout = reconnectTimeout;
+      const clearTimeoutSpy = vi.spyOn(globalThis, 'clearTimeout');
+      vi.spyOn(docker, 'ensureRemoteAuthHeaders').mockResolvedValue(undefined);
+      mockDockerApi.getEvents.mockRejectedValueOnce(new Error('events failed'));
+
+      await docker.listenDockerEvents();
+
+      expect(clearTimeoutSpy).toHaveBeenCalledWith(reconnectTimeout);
+      clearTimeoutSpy.mockRestore();
+      clearTimeout(reconnectTimeout);
+    });
+  });
+
+  describe('Additional Coverage - processDockerEventPayload', () => {
+    test('should treat empty payload as processed', async () => {
+      docker.log = createMockLog(['debug']);
+      expect(await docker.processDockerEventPayload('   ')).toBe(true);
+    });
+
+    test('should return false for recoverable partial JSON when flag is set', async () => {
+      docker.log = createMockLog(['debug']);
+      // Use a payload that gives "Unexpected end of JSON input"
+      const result = await docker.processDockerEventPayload('{"Action":"cre', true);
+      expect(result).toBe(false);
+    });
+
+    test('should return true for non-recoverable JSON error', async () => {
+      docker.log = createMockLog(['debug']);
+      expect(await docker.processDockerEventPayload('not-json-at-all', true)).toBe(true);
+    });
+  });
+
+  describe('Additional Coverage - updateContainerFromInspect', () => {
+    test('should update labels and custom display name on events', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLogWithChild(['info']);
+      const existing = {
+        id: 'c1',
+        name: 'mycontainer',
+        displayName: 'mycontainer',
+        status: 'running',
+        labels: { old: 'label' },
+        image: { name: 'library/nginx' },
+      };
+      storeContainer.getContainer.mockReturnValue(existing);
+      mockContainer.inspect.mockResolvedValue({
+        Name: '/mycontainer',
+        State: { Status: 'running' },
+        Config: { Labels: { 'dd.display.name': 'Custom Name', new: 'label' } },
+      });
+      await docker.onDockerEvent(Buffer.from('{"Action":"update","id":"c1"}\n'));
+      expect(existing.labels).toEqual({ 'dd.display.name': 'Custom Name', new: 'label' });
+      expect(existing.displayName).toBe('Custom Name');
+      expect(storeContainer.updateContainer).toHaveBeenCalledWith(existing);
+    });
+
+    test('should not update when custom display name label matches existing value', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLogWithChild(['info']);
+      const existing = {
+        id: 'c1',
+        name: 'mycontainer',
+        displayName: 'Custom Name',
+        status: 'running',
+        labels: { 'dd.display.name': 'Custom Name' },
+        image: { name: 'library/nginx' },
+      };
+      storeContainer.getContainer.mockReturnValue(existing);
+      mockContainer.inspect.mockResolvedValue({
+        Name: '/mycontainer',
+        State: { Status: 'running' },
+        Config: { Labels: { 'dd.display.name': 'Custom Name' } },
+      });
+
+      await docker.onDockerEvent(Buffer.from('{"Action":"update","id":"c1"}\n'));
+
+      expect(storeContainer.updateContainer).not.toHaveBeenCalled();
+    });
+
+    test('should update runtime details when inspect metadata changes', async () => {
+      await docker.register('watcher', 'docker', 'test', {});
+      docker.log = createMockLogWithChild(['info']);
+      const existing = {
+        id: 'c1',
+        name: 'mycontainer',
+        displayName: 'mycontainer',
+        status: 'running',
+        labels: {},
+        image: { name: 'library/nginx' },
+        details: {
+          ports: ['80/tcp'],
+          volumes: [],
+          env: [],
+        },
+      };
+      storeContainer.getContainer.mockReturnValue(existing);
+      mockContainer.inspect.mockResolvedValue({
+        Name: '/mycontainer',
+        State: { Status: 'running' },
+        Config: { Labels: {}, Env: ['APP_ENV=prod'] },
+        NetworkSettings: { Ports: { '80/tcp': [{ HostIp: '0.0.0.0', HostPort: '8080' }] } },
+        Mounts: [{ Source: '/srv/data', Destination: '/data', RW: true }],
+      });
+
+      await docker.onDockerEvent(Buffer.from('{"Action":"update","id":"c1"}\n'));
+
+      expect(existing.details).toEqual({
+        ports: ['0.0.0.0:8080->80/tcp'],
+        volumes: ['/srv/data:/data'],
+        env: [{ key: 'APP_ENV', value: 'prod' }],
+      });
+      expect(storeContainer.updateContainer).toHaveBeenCalledWith(existing);
+    });
+  });
+});
diff --git a/app/watchers/providers/docker/Docker.test.ts b/app/watchers/providers/docker/Docker.test.ts
index 2d8ce9591..ca3748027 100644
--- a/app/watchers/providers/docker/Docker.test.ts
+++ b/app/watchers/providers/docker/Docker.test.ts
@@ -4,30 +4,47 @@ import { fullName } from '../../../model/container.js';
 import * as registry from '../../../registry/index.js';
 import * as storeContainer from '../../../store/container.js';
 import { mockConstructor } from '../../../test/mock-constructor.js';
-import Docker, {
-  testable_filterBySegmentCount,
-  testable_filterRecreatedContainerAliases,
-  testable_getContainerDisplayName,
-  testable_getContainerName,
-  testable_getCurrentPrefix,
-  testable_getFirstDigitIndex,
-  testable_getImageForRegistryLookup,
-  testable_getImageReferenceCandidatesFromPattern,
-  testable_getImgsetSpecificity,
-  testable_getInspectValueByPath,
-  testable_getLabel,
-  testable_getOldContainers,
-  testable_normalizeConfigNumberValue,
-  testable_normalizeContainer,
-  testable_pruneOldContainers,
-  testable_shouldUpdateDisplayNameFromContainerName,
-} from './Docker.js';
+import { _resetRegistryWebhookFreshStateForTests } from '../../registry-webhook-fresh.js';
+import {
+  filterRecreatedContainerAliases as testable_filterRecreatedContainerAliases,
+  getLabel as testable_getLabel,
+  pruneOldContainers as testable_pruneOldContainers,
+} from './container-init.js';
+import Docker, { testable_normalizeConfigNumberValue } from './Docker.js';
+import {
+  getContainerDisplayName as testable_getContainerDisplayName,
+  getContainerName as testable_getContainerName,
+  getImageForRegistryLookup as testable_getImageForRegistryLookup,
+  getImageReferenceCandidatesFromPattern as testable_getImageReferenceCandidatesFromPattern,
+  getImgsetSpecificity as testable_getImgsetSpecificity,
+  getInspectValueByPath as testable_getInspectValueByPath,
+  getOldContainers as testable_getOldContainers,
+  shouldUpdateDisplayNameFromContainerName as testable_shouldUpdateDisplayNameFromContainerName,
+} from './docker-helpers.js';
+import { normalizeContainer as testable_normalizeContainer } from './image-comparison.js';
+import {
+  filterBySegmentCount as testable_filterBySegmentCount,
+  getCurrentPrefix as testable_getCurrentPrefix,
+  getFirstDigitIndex as testable_getFirstDigitIndex,
+} from './tag-candidates.js';
 
 const mockDdEnvVars = vi.hoisted(() => ({}) as Record<string, string | undefined>);
+const mockDetectSourceRepoFromImageMetadata = vi.hoisted(() => vi.fn());
+const mockResolveSourceRepoForContainer = vi.hoisted(() => vi.fn());
+const mockGetFullReleaseNotesForContainer = vi.hoisted(() => vi.fn());
+const mockToContainerReleaseNotes = vi.hoisted(() => vi.fn((notes) => notes));
 vi.mock('../../../configuration/index.js', async (importOriginal) => ({
   ...(await importOriginal<typeof import('../../../configuration/index.js')>()),
   ddEnvVars: mockDdEnvVars,
 }));
+vi.mock('../../../release-notes/index.js', () => ({
+  detectSourceRepoFromImageMetadata: (...args: unknown[]) =>
+    mockDetectSourceRepoFromImageMetadata(...args),
+  resolveSourceRepoForContainer: (...args: unknown[]) => mockResolveSourceRepoForContainer(...args),
+  getFullReleaseNotesForContainer: (...args: unknown[]) =>
+    mockGetFullReleaseNotesForContainer(...args),
+  toContainerReleaseNotes: (...args: unknown[]) => mockToContainerReleaseNotes(...args),
+}));
 
 // Mock all dependencies
 vi.mock('dockerode');
@@ -35,7 +52,7 @@ vi.mock('node-cron');
 vi.mock('just-debounce');
 vi.mock('../../../event');
 vi.mock('../../../store/container');
-vi.mock('../../../registry');
+vi.mock('../../../registry/index.js');
 vi.mock('../../../model/container');
 vi.mock('../../../tag');
 vi.mock('../../../prometheus/watcher');
@@ -46,6 +63,9 @@ vi.mock('./maintenance.js', () => ({
   isInMaintenanceWindow: vi.fn(() => true),
   getNextMaintenanceWindow: vi.fn(() => undefined),
 }));
+vi.mock('./socket-version-probe.js', () => ({
+  probeSocketApiVersion: vi.fn().mockResolvedValue(undefined),
+}));
 
 import mockFs from 'node:fs';
 import axios from 'axios';
@@ -56,7 +76,6 @@ import mockParse from 'parse-docker-image-name';
 import * as mockPrometheus from '../../../prometheus/watcher.js';
 import * as mockTag from '../../../tag/index.js';
 import * as maintenance from './maintenance.js';
-import * as oidcModule from './oidc.js';
 import {
   applyRemoteOidcTokenPayload,
   getOidcGrantType,
@@ -143,80 +162,6 @@ function createMockLogWithChild(childMethods = ['info', 'warn', 'debug', 'error'
   };
 }
 
-/** Standard mock registry for container detail tests. */
-function createMockRegistry(id = 'hub', matchFn = () => true) {
-  return {
-    normalizeImage: vi.fn((img) => img),
-    getId: () => id,
-    match: matchFn,
-  };
-}
-
-/** Standard image details fixture. */
-function createImageDetails(overrides = {}) {
-  return {
-    Id: 'image123',
-    Architecture: 'amd64',
-    Os: 'linux',
-    Created: '2023-01-01',
-    ...overrides,
-  };
-}
-
-/** Standard container fixture for Docker API list results. */
-function createDockerContainer(overrides = {}) {
-  return {
-    Id: '123',
-    Names: ['/test-container'],
-    State: 'running',
-    Labels: {},
-    ...overrides,
-  };
-}
-
-/**
- * Harbor + Docker Hub dual-registry state for lookup label tests.
- */
-function createHarborHubRegistryState() {
-  return {
-    harbor: {
-      normalizeImage: vi.fn((img) => img),
-      getId: () => 'harbor',
-      match: (img) => img.registry.url === 'harbor.example.com',
-    },
-    hub: {
-      normalizeImage: vi.fn((img) => ({
-        ...img,
-        registry: {
-          ...img.registry,
-          url: 'https://registry-1.docker.io/v2',
-        },
-      })),
-      getId: () => 'hub',
-      match: (img) => !img.registry.url || /^.*\.?docker.io$/.test(img.registry.url),
-    },
-  };
-}
-
-/**
- * Home Assistant mockParse implementation (used in multiple imgset tests).
- * Maps HA image strings to their parsed components.
- */
-function createHaParseMock() {
-  return (value) => {
-    if (value === 'ghcr.io/home-assistant/home-assistant:2026.2.1') {
-      return { domain: 'ghcr.io', path: 'home-assistant/home-assistant', tag: '2026.2.1' };
-    }
-    if (value === 'ghcr.io/home-assistant/home-assistant:stable') {
-      return { domain: 'ghcr.io', path: 'home-assistant/home-assistant', tag: 'stable' };
-    }
-    if (value === 'ghcr.io/home-assistant/home-assistant') {
-      return { domain: 'ghcr.io', path: 'home-assistant/home-assistant' };
-    }
-    return { domain: 'docker.io', path: 'library/nginx', tag: '1.0.0' };
-  };
-}
-
 function createDockerOidcStateAdapter(docker) {
   return {
     get accessToken() {
@@ -258,63 +203,16 @@ function createDockerOidcContext(docker) {
   };
 }
 
-/**
- * Setup a container-detail test: registers the watcher, sets up image inspect,
- * parse mock, tag mock, registry state, and validateContainer mock.
- * Returns the raw Docker API container object, ready for addImageDetailsToContainer.
- */
-async function setupContainerDetailTest(
-  docker,
-  {
-    registerConfig = {},
-    container: containerOverrides = {},
-    imageDetails: imageOverrides = {},
-    parsedImage = { domain: 'docker.io', path: 'library/nginx', tag: '1.0.0' },
-    parseImpl = undefined,
-    semverValue = { major: 1, minor: 0, patch: 0 },
-    registryId = 'hub',
-    registryMatchFn = () => true,
-    registryState = undefined,
-    validateImpl = (c) => c,
-  } = {},
-) {
-  await docker.register('watcher', 'docker', 'test', registerConfig);
-
-  const imageDetails = createImageDetails(imageOverrides);
-  mockImage.inspect.mockResolvedValue(imageDetails);
-
-  if (parseImpl) {
-    mockParse.mockImplementation(parseImpl);
-  } else {
-    mockParse.mockReturnValue(parsedImage);
-  }
-  mockTag.parse.mockReturnValue(semverValue);
-
-  if (registryState) {
-    registry.getState.mockReturnValue({ registry: registryState });
-  } else {
-    const mockReg = createMockRegistry(registryId, registryMatchFn);
-    registry.getState.mockReturnValue({ registry: { [registryId]: mockReg } });
-  }
-
-  const containerModule = await import('../../../model/container.js');
-  const validateContainer = containerModule.validate;
-  validateContainer.mockImplementation(validateImpl);
-
-  return createDockerContainer(containerOverrides);
-}
-
-// Keep a module-level reference so setupContainerDetailTest can see it
-let mockImage;
-
 describe('Docker Watcher', () => {
   let docker;
   let mockDockerApi;
   let mockSchedule;
   let mockContainer;
+  let mockImage;
 
   beforeEach(async () => {
     vi.clearAllMocks();
+    _resetRegistryWebhookFreshStateForTests();
 
     // Setup dockerode mock
     mockDockerApi = {
@@ -489,6 +387,54 @@ describe('Docker Watcher', () => {
     });
   });
 
+  describe('Recent event history helpers', () => {
+    test('should convert docker event timestamps from timeNano and time', () => {
+      const toEventTimestamp = (docker as any).toEventTimestamp.bind(docker);
+
+      expect(toEventTimestamp({ timeNano: 1_700_000_000_123_000_000 })).toBe(
+        new Date(1_700_000_000_123).toISOString(),
+      );
+      expect(toEventTimestamp({ time: 1_700_000_000_123 })).toBe(
+        new Date(1_700_000_000_123).toISOString(),
+      );
+      expect(toEventTimestamp({ time: 1_700 })).toBe(new Date(1_700_000).toISOString());
+    });
+
+    test('should record recent docker events with status and scope fallbacks', () => {
+      const recordRecentDockerEvent = (docker as any).recordRecentDockerEvent.bind(docker);
+
+      docker.recentDockerEvents = [];
+      recordRecentDockerEvent({
+        timeNano: 1_700_000_000_123_000_000,
+        Action: 'start',
+        Type: 'container',
+        id: 'event-1',
+        Actor: { ID: 'actor-1' },
+      });
+      recordRecentDockerEvent({
+        time: 1_700,
+        status: 'die',
+        scope: 'local',
+        id: 'event-2',
+        Actor: { ID: 'actor-2' },
+      });
+
+      expect(docker.recentDockerEvents).toHaveLength(2);
+      expect(docker.recentDockerEvents[0]).toMatchObject({
+        action: 'start',
+        type: 'container',
+        id: 'event-1',
+        actorId: 'actor-1',
+      });
+      expect(docker.recentDockerEvents[1]).toMatchObject({
+        action: 'die',
+        type: 'local',
+        id: 'event-2',
+        actorId: 'actor-2',
+      });
+    });
+  });
+
   describe('Initialization', () => {
     test('should initialize docker client with socket', async () => {
       await docker.register('watcher', 'docker', 'test', {
@@ -633,7 +579,7 @@ describe('Docker Watcher', () => {
       await docker.register('watcher', 'docker', 'test', {
         cron: '0 * * * *',
       });
-      docker.init();
+      await docker.init();
       expect(mockCron.schedule).toHaveBeenCalledWith('0 * * * *', expect.any(Function), {
         maxRandomDelay: 60000,
       });
@@ -645,7 +591,7 @@ describe('Docker Watcher', () => {
       });
       const mockLog = { warn: vi.fn(), info: vi.fn() };
       docker.log = mockLog;
-      docker.init();
+      await docker.init();
       expect(mockLog.warn).toHaveBeenCalledWith(expect.stringContaining('deprecated'));
     });
 
@@ -657,7 +603,7 @@ describe('Docker Watcher', () => {
         });
         const mockLog = { warn: vi.fn(), info: vi.fn() };
         docker.log = mockLog;
-        docker.init();
+        await docker.init();
         expect(mockLog.warn).toHaveBeenCalledWith(
           expect.stringContaining(
             'DD_WATCHER_TEST_WATCHATSTART environment variable is deprecated',
@@ -674,7 +620,7 @@ describe('Docker Watcher', () => {
       });
       const mockLog = { warn: vi.fn(), info: vi.fn() };
       docker.log = mockLog;
-      docker.init();
+      await docker.init();
       expect(mockLog.warn).not.toHaveBeenCalledWith(
         expect.stringContaining('WATCHATSTART environment variable is deprecated'),
       );
@@ -684,7 +630,7 @@ describe('Docker Watcher', () => {
       await docker.register('watcher', 'docker', 'test', {
         watchevents: true,
       });
-      docker.init();
+      await docker.init();
       expect(mockDebounce).toHaveBeenCalled();
     });
 
@@ -692,7 +638,7 @@ describe('Docker Watcher', () => {
       await docker.register('watcher', 'docker', 'test', {
         watchevents: false,
       });
-      docker.init();
+      await docker.init();
       expect(mockDebounce).not.toHaveBeenCalled();
     });
 
@@ -702,7 +648,7 @@ describe('Docker Watcher', () => {
         watchatstart: true,
         watchevents: false,
       });
-      docker.init();
+      await docker.init();
       expect(docker.configuration.watchatstart).toBe(true);
       expect(docker.watchCronTimeout).toBeDefined();
     });
@@ -712,7 +658,7 @@ describe('Docker Watcher', () => {
       await docker.register('watcher', 'docker', 'test', {
         watchatstart: false,
       });
-      docker.init();
+      await docker.init();
       expect(docker.configuration.watchatstart).toBe(false);
     });
 
@@ -735,7 +681,7 @@ describe('Docker Watcher', () => {
   describe('Deregistration', () => {
     test('should stop cron and clear timeouts on deregister', async () => {
       await docker.register('watcher', 'docker', 'test', {});
-      docker.init();
+      await docker.init();
       await docker.deregisterComponent();
       expect(mockSchedule.stop).toHaveBeenCalled();
     });
@@ -1247,3026 +1193,160 @@ describe('Docker Watcher', () => {
     });
   });
 
-  describe('Docker Events', () => {
-    test('should listen to docker events', async () => {
-      const mockStream = { on: vi.fn() };
-      mockDockerApi.getEvents.mockImplementation((options, callback) => {
-        callback(null, mockStream);
+  describe('Additional Coverage - applyRemoteAuthHeaders', () => {
+    test('should keep remote watcher registered in blocked mode when credentials are incomplete', async () => {
+      // Bypass validation by setting configuration directly after register
+      await docker.register('watcher', 'docker', 'test', {
+        host: 'localhost',
+        port: 443,
+        protocol: 'https',
       });
-      await docker.register('watcher', 'docker', 'test', {});
-      await docker.listenDockerEvents();
-      expect(mockDockerApi.getEvents).toHaveBeenCalledWith(
-        {
-          filters: {
-            type: ['container'],
-            event: [
-              'create',
-              'destroy',
-              'start',
-              'stop',
-              'pause',
-              'unpause',
-              'die',
-              'update',
-              'rename',
-            ],
-          },
-        },
-        expect.any(Function),
+      docker.configuration.auth = { type: '' };
+      await docker.initWatcher();
+      expect(docker.remoteAuthBlockedReason).toBe(
+        'Unable to authenticate remote watcher test: credentials are incomplete',
       );
     });
 
-    test('should forward docker stream data events to onDockerEvent', async () => {
-      const eventHandlers: Record<string, (chunk: any) => Promise<void> | void> = {};
-      const mockStream = {
-        on: vi.fn((eventName, handler) => {
-          eventHandlers[eventName] = handler;
-        }),
-      };
-      mockDockerApi.getEvents.mockImplementation((options, callback) => {
-        callback(null, mockStream);
+    test('should keep remote watcher registered in blocked mode when basic auth credentials are missing', async () => {
+      await docker.register('watcher', 'docker', 'test', {
+        host: 'localhost',
+        port: 443,
+        protocol: 'https',
       });
-      docker.onDockerEvent = vi.fn().mockResolvedValue(undefined);
-
-      await docker.register('watcher', 'docker', 'test', {});
-      await docker.listenDockerEvents();
-      await eventHandlers.data(Buffer.from('{"Action":"create","id":"container123"}\n'));
-
-      expect(mockStream.on).toHaveBeenCalledWith('data', expect.any(Function));
-      expect(mockStream.on).toHaveBeenCalledWith('error', expect.any(Function));
-      expect(mockStream.on).toHaveBeenCalledWith('close', expect.any(Function));
-      expect(mockStream.on).toHaveBeenCalledWith('end', expect.any(Function));
-      expect(docker.onDockerEvent).toHaveBeenCalledWith(
-        Buffer.from('{"Action":"create","id":"container123"}\n'),
+      // Need hasOidcConfig to bypass first guard, but authType=basic to reach the basic-incomplete path
+      docker.configuration.auth = { type: 'basic', oidc: { tokenurl: 'https://idp/token' } };
+      await docker.initWatcher();
+      expect(docker.remoteAuthBlockedReason).toBe(
+        'Unable to authenticate remote watcher test: basic credentials are incomplete',
       );
     });
 
-    test('should handle docker events error', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      const mockLog = createMockLog(['warn', 'debug', 'info']);
-      docker.log = mockLog;
-      mockDockerApi.getEvents.mockImplementation((options, callback) => {
-        callback(new Error('Connection failed'));
+    test('should keep remote watcher registered in blocked mode when bearer token is missing', async () => {
+      await docker.register('watcher', 'docker', 'test', {
+        host: 'localhost',
+        port: 443,
+        protocol: 'https',
       });
-      await docker.listenDockerEvents();
-      expect(mockLog.warn).toHaveBeenCalledWith(expect.stringContaining('Connection failed'));
+      // Need hasOidcConfig to bypass first guard, but authType=bearer to reach the bearer-missing path
+      docker.configuration.auth = { type: 'bearer', oidc: { tokenurl: 'https://idp/token' } };
+      await docker.initWatcher();
+      expect(docker.remoteAuthBlockedReason).toBe(
+        'Unable to authenticate remote watcher test: bearer token is missing',
+      );
     });
 
-    test('should ignore getEvents error when warn logger is unavailable', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      docker.log = createMockLog(['info']);
-      mockDockerApi.getEvents.mockImplementation((options, callback) => {
-        callback(new Error('Connection failed'));
+    test('should keep remote watcher registered in blocked mode when auth type is unsupported', async () => {
+      await docker.register('watcher', 'docker', 'test', {
+        host: 'localhost',
+        port: 443,
+        protocol: 'https',
       });
-
-      await expect(docker.listenDockerEvents()).resolves.toBeUndefined();
-    });
-
-    test('should reconnect docker events stream after stream failure', async () => {
-      vi.useFakeTimers();
-      try {
-        const eventHandlers: Record<string, (...args: any[]) => void> = {};
-        const mockStream = {
-          on: vi.fn((eventName, handler) => {
-            eventHandlers[eventName] = handler;
-          }),
-          removeAllListeners: vi.fn(),
-          destroy: vi.fn(),
-        };
-        mockDockerApi.getEvents.mockImplementation((options, callback) => {
-          callback(null, mockStream);
-        });
-
-        await docker.register('watcher', 'docker', 'test', {
-          watchevents: false,
-        });
-        docker.configuration.watchevents = true;
-        docker.isDockerEventsListenerActive = true;
-        docker.log = createMockLog(['warn', 'debug', 'info']);
-
-        await docker.listenDockerEvents();
-        expect(docker.dockerEventsReconnectDelayMs).toBe(1000);
-
-        eventHandlers.error(new Error('Stream dropped'));
-        expect(docker.log.warn).toHaveBeenCalledWith(
-          expect.stringContaining('reconnect attempt #1'),
-        );
-        expect(docker.dockerEventsReconnectTimeout).toBeDefined();
-        expect(docker.dockerEventsReconnectDelayMs).toBe(2000);
-
-        const reconnectTimeout = docker.dockerEventsReconnectTimeout;
-        eventHandlers.close();
-        expect(docker.dockerEventsReconnectTimeout).toBe(reconnectTimeout);
-
-        await vi.advanceTimersByTimeAsync(1000);
-        expect(mockDockerApi.getEvents).toHaveBeenCalledTimes(2);
-      } finally {
-        vi.useRealTimers();
-      }
+      docker.configuration.auth = { type: 'custom', user: 'x', password: 'y' };
+      await docker.initWatcher();
+      expect(docker.remoteAuthBlockedReason).toBe(
+        'Unable to authenticate remote watcher test: auth type "custom" is unsupported',
+      );
     });
 
-    test('should exponentially back off reconnect delay on repeated getEvents failures', async () => {
-      vi.useFakeTimers();
-      try {
-        const recoveredStream = {
-          on: vi.fn(),
-          removeAllListeners: vi.fn(),
-          destroy: vi.fn(),
-        };
-        mockDockerApi.getEvents
-          .mockImplementationOnce((options, callback) => {
-            callback(new Error('Connection failed (1)'));
-          })
-          .mockImplementationOnce((options, callback) => {
-            callback(new Error('Connection failed (2)'));
-          })
-          .mockImplementation((options, callback) => {
-            callback(null, recoveredStream);
-          });
-
-        await docker.register('watcher', 'docker', 'test', {
-          watchevents: false,
-        });
-        docker.configuration.watchevents = true;
-        docker.isDockerEventsListenerActive = true;
-        docker.log = createMockLog(['warn', 'debug', 'info']);
-
-        await docker.listenDockerEvents();
-        expect(docker.dockerEventsReconnectAttempt).toBe(1);
-        expect(docker.dockerEventsReconnectDelayMs).toBe(2000);
-
-        await vi.advanceTimersByTimeAsync(1000);
-        expect(docker.dockerEventsReconnectAttempt).toBe(2);
-        expect(docker.dockerEventsReconnectDelayMs).toBe(4000);
-
-        await vi.advanceTimersByTimeAsync(2000);
-        expect(mockDockerApi.getEvents).toHaveBeenCalledTimes(3);
-        expect(docker.dockerEventsReconnectAttempt).toBe(0);
-        expect(docker.dockerEventsReconnectDelayMs).toBe(1000);
-      } finally {
-        vi.useRealTimers();
-      }
+    test('should warn and continue when auth.insecure=true and credentials are incomplete', async () => {
+      await docker.register('watcher', 'docker', 'test', {
+        host: 'localhost',
+        port: 443,
+        protocol: 'https',
+      });
+      docker.configuration.auth = { type: '', insecure: true };
+      const logMock = createMockLog(['warn', 'info', 'debug']);
+      docker.log = logMock;
+      await docker.initWatcher();
+      expect(docker.remoteAuthBlockedReason).toBeUndefined();
+      expect(logMock.warn).toHaveBeenCalledWith(
+        expect.stringContaining('continuing because auth.insecure=true'),
+      );
     });
 
-    test('should stop reconnect scheduling when watcher is deregistered', async () => {
-      vi.useFakeTimers();
-      try {
-        const eventHandlers: Record<string, (...args: any[]) => void> = {};
-        const mockStream = {
-          on: vi.fn((eventName, handler) => {
-            eventHandlers[eventName] = handler;
-          }),
-          removeAllListeners: vi.fn(),
-          destroy: vi.fn(),
-        };
-        mockDockerApi.getEvents.mockImplementation((options, callback) => {
-          callback(null, mockStream);
-        });
-
-        await docker.register('watcher', 'docker', 'test', {
-          watchevents: false,
-        });
-        docker.configuration.watchevents = true;
-        docker.isDockerEventsListenerActive = true;
-        docker.log = createMockLog(['warn', 'debug', 'info']);
-
-        await docker.listenDockerEvents();
-        eventHandlers.end();
-        expect(docker.dockerEventsReconnectTimeout).toBeDefined();
-        expect(mockStream.removeAllListeners).toHaveBeenCalled();
-
-        await docker.deregisterComponent();
-        await vi.advanceTimersByTimeAsync(5000);
+    test('should block getContainers when watcher auth is blocked', async () => {
+      await docker.register('watcher', 'docker', 'test', {
+        host: 'localhost',
+        port: 443,
+        protocol: 'https',
+      });
+      docker.configuration.auth = { type: '' };
+      await docker.initWatcher();
+      mockDockerApi.listContainers.mockResolvedValue([]);
 
-        expect(mockDockerApi.getEvents).toHaveBeenCalledTimes(1);
-      } finally {
-        vi.useRealTimers();
-      }
+      await expect(docker.getContainers()).rejects.toThrow('credentials are incomplete');
+      expect(mockDockerApi.listContainers).not.toHaveBeenCalled();
     });
+  });
 
-    test('should process create/destroy events', async () => {
-      docker.watchCronDebounced = vi.fn();
-      const event = JSON.stringify({
-        Action: 'create',
-        id: 'container123',
+  describe('Additional Coverage - getRemoteAuthResolution auto-detect', () => {
+    test('should auto-detect bearer, basic, and oidc auth types', async () => {
+      await docker.register('watcher', 'docker', 'test', {
+        host: 'localhost',
+        port: 443,
+        protocol: 'https',
+        auth: { bearer: 'tok' },
       });
-      await docker.onDockerEvent(Buffer.from(event));
-      expect(docker.watchCronDebounced).toHaveBeenCalled();
-    });
+      expect(docker.getRemoteAuthResolution(docker.configuration.auth).authType).toBe('bearer');
 
-    test('should update container status on other events', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      const mockLog = createMockLogWithChild(['info']);
-      docker.log = mockLog;
-      mockContainer.inspect.mockResolvedValue({
-        State: { Status: 'running' },
+      await docker.register('watcher', 'docker', 'test', {
+        host: 'localhost',
+        port: 443,
+        protocol: 'https',
+        auth: { user: 'j', password: 'd' },
       });
-      const existingContainer = { id: 'container123', status: 'stopped' };
-      storeContainer.getContainer.mockReturnValue(existingContainer);
+      expect(docker.getRemoteAuthResolution(docker.configuration.auth).authType).toBe('basic');
 
-      const event = JSON.stringify({
-        Action: 'start',
-        id: 'container123',
+      await docker.register('watcher', 'docker', 'test', {
+        host: 'localhost',
+        port: 443,
+        protocol: 'https',
+        auth: { oidc: { tokenurl: 'https://idp/token' } },
       });
-      await docker.onDockerEvent(Buffer.from(event));
-
-      expect(mockContainer.inspect).toHaveBeenCalled();
-      expect(storeContainer.updateContainer).toHaveBeenCalled();
+      expect(docker.getRemoteAuthResolution(docker.configuration.auth).authType).toBe('oidc');
     });
+  });
 
-    test('should update container name on rename events', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      const mockLog = createMockLogWithChild(['info']);
-      docker.log = mockLog;
-      mockContainer.inspect.mockResolvedValue({
-        Name: '/renamed-container',
-        State: { Status: 'running' },
-        Config: { Labels: {} },
-      });
-      const existingContainer = {
-        id: 'container123',
-        name: 'old-temp-name',
-        displayName: 'old-temp-name',
-        status: 'running',
-        image: { name: 'library/nginx' },
-        labels: {},
-      };
-      storeContainer.getContainer.mockReturnValue(existingContainer);
-
-      const event = JSON.stringify({
-        Action: 'rename',
-        id: 'container123',
+  describe('Additional Coverage - OIDC edge cases', () => {
+    test('should throw when token endpoint missing', async () => {
+      await docker.register('watcher', 'docker', 'test', {
+        host: 'localhost',
+        port: 443,
+        protocol: 'https',
+        auth: { type: 'oidc', oidc: {} },
       });
-      await docker.onDockerEvent(Buffer.from(event));
-
-      expect(existingContainer.name).toBe('renamed-container');
-      expect(existingContainer.displayName).toBe('renamed-container');
-      expect(storeContainer.updateContainer).toHaveBeenCalledWith(existingContainer);
+      await expect(refreshRemoteOidcAccessToken(createDockerOidcContext(docker))).rejects.toThrow(
+        'missing auth.oidc token endpoint',
+      );
     });
 
-    test('should apply custom display name from labels when processing events', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      docker.log = createMockLogWithChild(['info']);
-      mockContainer.inspect.mockResolvedValue({
-        Name: '/renamed-container',
-        State: { Status: 'running' },
-        Config: { Labels: { 'wud.display.name': 'Custom Label Name' } },
+    test('should fallback for missing refresh token and unsupported grant', async () => {
+      await docker.register('watcher', 'docker', 'test', {
+        host: 'localhost',
+        port: 443,
+        protocol: 'https',
+        auth: { type: 'oidc', oidc: { tokenurl: 'https://idp/token', granttype: 'refresh_token' } },
       });
-      const existingContainer = {
-        id: 'container123',
-        name: 'old-name',
-        displayName: 'old-name',
-        status: 'running',
-        image: { name: 'library/nginx' },
-        labels: {},
-      };
-      storeContainer.getContainer.mockReturnValue(existingContainer);
-
-      await docker.onDockerEvent(Buffer.from('{"Action":"rename","id":"container123"}\n'));
-
-      expect(existingContainer.displayName).toBe('Custom Label Name');
-      expect(storeContainer.updateContainer).toHaveBeenCalledWith(existingContainer);
+      const logMock = createMockLog(['warn', 'info', 'debug']);
+      docker.log = logMock;
+      await refreshRemoteOidcAccessToken(createDockerOidcContext(docker));
+      expect(logMock.warn).toHaveBeenCalledWith(
+        expect.stringContaining('refresh token is missing'),
+      );
     });
 
-    test('should skip store update when inspect payload does not change tracked fields', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      docker.log = createMockLogWithChild(['info']);
-      mockContainer.inspect.mockResolvedValue({
-        Name: '/same-name',
-        State: { Status: 'running' },
-        Config: { Labels: { foo: 'bar' } },
+    test('should throw when token response has no access_token', async () => {
+      mockAxios.post.mockResolvedValue({ data: {} } as any);
+      await docker.register('watcher', 'docker', 'test', {
+        host: 'localhost',
+        port: 443,
+        protocol: 'https',
+        auth: { type: 'oidc', oidc: { tokenurl: 'https://idp/token' } },
       });
-      const existingContainer = {
-        id: 'container123',
-        name: 'same-name',
-        displayName: 'custom-name',
-        status: 'running',
-        image: { name: 'library/nginx' },
-        labels: { foo: 'bar' },
-      };
-      storeContainer.getContainer.mockReturnValue(existingContainer);
-
-      await docker.onDockerEvent(Buffer.from('{"Action":"start","id":"container123"}\n'));
-
-      expect(storeContainer.updateContainer).not.toHaveBeenCalled();
-    });
-
-    test('should compute fallback display name even when image metadata is missing', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      docker.log = createMockLogWithChild(['info']);
-      mockContainer.inspect.mockResolvedValue({
-        Name: '/renamed-container',
-        State: { Status: 'running' },
-        Config: { Labels: {} },
-      });
-      const existingContainer = {
-        id: 'container123',
-        name: 'old-temp-name',
-        displayName: '',
-        status: 'running',
-        labels: {},
-      };
-      storeContainer.getContainer.mockReturnValue(existingContainer);
-
-      await docker.onDockerEvent(Buffer.from('{"Action":"rename","id":"container123"}\n'));
-
-      expect(existingContainer.displayName).toBe('renamed-container');
-    });
-
-    test('should handle container not found during event processing', async () => {
-      const mockLog = createMockLog(['debug']);
-      docker.log = mockLog;
-      mockDockerApi.getContainer.mockImplementation(() => {
-        throw new Error('No such container');
-      });
-
-      const event = JSON.stringify({
-        Action: 'start',
-        id: 'nonexistent',
-      });
-      await docker.onDockerEvent(Buffer.from(event));
-
-      expect(mockLog.debug).toHaveBeenCalledWith(
-        expect.stringContaining('Unable to get container'),
-      );
-    });
-
-    test('should skip updates when docker event container is not found in store', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      docker.log = createMockLogWithChild(['info', 'debug']);
-      mockContainer.inspect.mockResolvedValue({
-        Name: '/existing-container',
-        State: { Status: 'running' },
-        Config: { Labels: {} },
-      });
-      storeContainer.getContainer.mockReturnValue(undefined);
-
-      await docker.onDockerEvent(Buffer.from('{"Action":"start","id":"container123"}\n'));
-
-      expect(storeContainer.updateContainer).not.toHaveBeenCalled();
-    });
-
-    test('should handle malformed docker event payload', async () => {
-      const mockLog = createMockLog(['debug']);
-      docker.log = mockLog;
-
-      await docker.onDockerEvent(Buffer.from('{invalid-json\n'));
-
-      expect(mockLog.debug).toHaveBeenCalledWith(
-        expect.stringContaining('Unable to process Docker event'),
-      );
-    });
-
-    test('isRecoverableDockerEventParseError should return false when error has no message', () => {
-      expect(docker.isRecoverableDockerEventParseError({})).toBe(false);
-    });
-
-    test('should buffer split docker event payloads until complete', async () => {
-      docker.watchCronDebounced = vi.fn();
-      await docker.onDockerEvent(Buffer.from('{"Action":"create","id":"container'));
-
-      expect(docker.watchCronDebounced).not.toHaveBeenCalled();
-      expect(docker.dockerEventsBuffer).toContain('"container');
-
-      await docker.onDockerEvent(Buffer.from('123"}\n'));
-
-      expect(docker.watchCronDebounced).toHaveBeenCalledTimes(1);
-      expect(docker.dockerEventsBuffer).toBe('');
-    });
-
-    test('should process multiple docker events from a single chunk', async () => {
-      docker.watchCronDebounced = vi.fn();
-
-      await docker.onDockerEvent(
-        Buffer.from(
-          '{"Action":"create","id":"container123"}\n{"Action":"destroy","id":"container456"}\n',
-        ),
-      );
-
-      expect(docker.watchCronDebounced).toHaveBeenCalledTimes(2);
-    });
-
-    test('should keep buffer when opportunistic parse returns partial result', async () => {
-      docker.processDockerEventPayload = vi.fn().mockResolvedValue(false);
-      docker.dockerEventsBuffer = '';
-
-      await docker.onDockerEvent(Buffer.from('{"Action":"create","id":"c1"}'));
-
-      expect(docker.processDockerEventPayload).toHaveBeenCalledWith(
-        '{"Action":"create","id":"c1"}',
-        true,
-      );
-      expect(docker.dockerEventsBuffer).toBe('{"Action":"create","id":"c1"}');
-    });
-
-    test('should reconnect when docker events buffer exceeds 1MB', async () => {
-      vi.useFakeTimers();
-      try {
-        await docker.register('watcher', 'docker', 'test', {
-          watchevents: false,
-        });
-        docker.configuration.watchevents = true;
-        docker.isDockerEventsListenerActive = true;
-        docker.log = createMockLog(['warn', 'debug']);
-        docker.processDockerEventPayload = vi.fn().mockResolvedValue(false);
-        docker.dockerEventsBuffer = 'a'.repeat(1024 * 1024 - 10);
-
-        await docker.onDockerEvent(Buffer.from('{"Action":"create","id":"overflow"}'));
-
-        expect(docker.log.warn).toHaveBeenCalledWith(expect.stringContaining('buffer overflow'));
-        expect(docker.dockerEventsReconnectAttempt).toBe(1);
-        expect(docker.dockerEventsReconnectTimeout).toBeDefined();
-        expect(docker.dockerEventsBuffer).toBe('');
-      } finally {
-        vi.useRealTimers();
-      }
-    });
-  });
-
-  describe('Container Watching', () => {
-    test('should watch containers from cron', async () => {
-      await docker.register('watcher', 'docker', 'test', {
-        cron: '0 * * * *',
-      });
-      const mockLog = createMockLog(['info']);
-      docker.log = mockLog;
-      docker.watch = vi.fn().mockResolvedValue([]);
-
-      await docker.watchFromCron();
-
-      expect(docker.watch).toHaveBeenCalled();
-      expect(mockLog.info).toHaveBeenCalledWith(expect.stringContaining('Cron started'));
-      expect(mockLog.info).toHaveBeenCalledWith(expect.stringContaining('Cron finished'));
-    });
-
-    test('should report container statistics', async () => {
-      await docker.register('watcher', 'docker', 'test', {
-        cron: '0 * * * *',
-      });
-      const mockLog = createMockLog(['info']);
-      docker.log = mockLog;
-      const containerReports = [
-        { container: { updateAvailable: true, error: undefined } },
-        {
-          container: {
-            updateAvailable: false,
-            error: { message: 'error' },
-          },
-        },
-      ];
-      docker.watch = vi.fn().mockResolvedValue(containerReports);
-
-      await docker.watchFromCron();
-
-      expect(mockLog.info).toHaveBeenCalledWith(
-        expect.stringContaining('2 containers watched, 1 errors, 1 available updates'),
-      );
-    });
-
-    test('should queue watch when outside maintenance window', async () => {
-      const maintenanceInc = vi.fn();
-      mockPrometheus.getMaintenanceSkipCounter.mockReturnValue({
-        labels: vi.fn().mockReturnValue({ inc: maintenanceInc }),
-      });
-      maintenance.isInMaintenanceWindow.mockReturnValue(false);
-
-      await docker.register('watcher', 'docker', 'test', {
-        cron: '0 * * * *',
-        maintenancewindow: '0 2 * * *',
-        maintenancewindowtz: 'UTC',
-      });
-      docker.log = createMockLog(['info']);
-      docker.watch = vi.fn().mockResolvedValue([]);
-
-      const result = await docker.watchFromCron();
-
-      expect(result).toEqual([]);
-      expect(docker.watch).not.toHaveBeenCalled();
-      expect(docker.maintenanceWindowWatchQueued).toBe(true);
-      expect(docker.maintenanceWindowQueueTimeout).toBeDefined();
-      expect(maintenanceInc).toHaveBeenCalledTimes(1);
-      docker.clearMaintenanceWindowQueue();
-    });
-
-    test('should execute queued watch when maintenance window opens', async () => {
-      vi.useFakeTimers();
-      try {
-        maintenance.isInMaintenanceWindow.mockReturnValue(false);
-
-        await docker.register('watcher', 'docker', 'test', {
-          cron: '0 * * * *',
-          maintenancewindow: '0 2 * * *',
-          maintenancewindowtz: 'UTC',
-        });
-        docker.log = createMockLog(['info', 'warn']);
-        docker.watch = vi.fn().mockResolvedValue([]);
-
-        await docker.watchFromCron();
-        expect(docker.maintenanceWindowWatchQueued).toBe(true);
-
-        maintenance.isInMaintenanceWindow.mockReturnValue(true);
-        await vi.advanceTimersByTimeAsync(60 * 1000);
-
-        expect(docker.watch).toHaveBeenCalledTimes(1);
-        expect(docker.maintenanceWindowWatchQueued).toBe(false);
-        expect(docker.maintenanceWindowQueueTimeout).toBeUndefined();
-      } finally {
-        vi.useRealTimers();
-      }
-    });
-
-    test('should clear queued maintenance watch when normal cron runs inside window', async () => {
-      vi.useFakeTimers();
-      try {
-        maintenance.isInMaintenanceWindow.mockReturnValue(false);
-
-        await docker.register('watcher', 'docker', 'test', {
-          cron: '0 * * * *',
-          maintenancewindow: '0 2 * * *',
-          maintenancewindowtz: 'UTC',
-        });
-        docker.log = createMockLog(['info']);
-        docker.watch = vi.fn().mockResolvedValue([]);
-
-        await docker.watchFromCron();
-        expect(docker.maintenanceWindowWatchQueued).toBe(true);
-        expect(docker.maintenanceWindowQueueTimeout).toBeDefined();
-
-        maintenance.isInMaintenanceWindow.mockReturnValue(true);
-        await docker.watchFromCron();
-
-        expect(docker.watch).toHaveBeenCalledTimes(1);
-        expect(docker.maintenanceWindowWatchQueued).toBe(false);
-        expect(docker.maintenanceWindowQueueTimeout).toBeUndefined();
-      } finally {
-        vi.useRealTimers();
-      }
-    });
-
-    test('should expose maintenance runtime state in masked configuration', async () => {
-      maintenance.isInMaintenanceWindow.mockReturnValue(false);
-      maintenance.getNextMaintenanceWindow.mockReturnValue(new Date('2026-02-13T02:00:00.000Z'));
-
-      await docker.register('watcher', 'docker', 'test', {
-        cron: '0 * * * *',
-        maintenancewindow: '0 2 * * *',
-        maintenancewindowtz: 'UTC',
-      });
-      docker.maintenanceWindowWatchQueued = true;
-
-      const maskedConfiguration = docker.maskConfiguration();
-      expect(maskedConfiguration.maintenancewindowopen).toBe(false);
-      expect(maskedConfiguration.maintenancewindowqueued).toBe(true);
-      expect(maskedConfiguration.maintenancenextwindow).toBe('2026-02-13T02:00:00.000Z');
-    });
-
-    test('should emit watcher events during watch', async () => {
-      docker.getContainers = vi.fn().mockResolvedValue([]);
-
-      await docker.watch();
-
-      expect(event.emitWatcherStart).toHaveBeenCalledWith(docker);
-      expect(event.emitWatcherStop).toHaveBeenCalledWith(docker);
-    });
-
-    test('should handle error getting containers', async () => {
-      const mockLog = createMockLog(['warn']);
-      docker.log = mockLog;
-      docker.getContainers = vi.fn().mockRejectedValue(new Error('Docker unavailable'));
-
-      await docker.watch();
-
-      expect(mockLog.warn).toHaveBeenCalledWith(expect.stringContaining('Docker unavailable'));
-    });
-
-    test('should handle error processing containers', async () => {
-      const mockLog = createMockLog(['warn']);
-      docker.log = mockLog;
-      docker.getContainers = vi.fn().mockResolvedValue([{ id: 'test' }]);
-      docker.watchContainer = vi.fn().mockRejectedValue(new Error('Processing failed'));
-
-      const result = await docker.watch();
-
-      expect(result).toEqual([
-        {
-          container: {
-            id: 'test',
-            error: { message: 'Processing failed' },
-            updateAvailable: false,
-            updateKind: { kind: 'unknown' },
-          },
-          changed: false,
-        },
-      ]);
-      expect(mockLog.warn).toHaveBeenCalledWith(expect.stringContaining('Processing failed'));
-    });
-
-    test('should continue processing when one container fails during watch', async () => {
-      const mockLog = createMockLog(['warn']);
-      docker.log = mockLog;
-      docker.getContainers = vi.fn().mockResolvedValue([{ id: 'failed' }, { id: 'ok' }]);
-      docker.watchContainer = vi
-        .fn()
-        .mockRejectedValueOnce(new Error('failed to process'))
-        .mockResolvedValueOnce({
-          container: { id: 'ok', updateAvailable: false },
-          changed: false,
-        });
-
-      const result = await docker.watch();
-
-      expect(result).toHaveLength(2);
-      expect(result[0]).toEqual({
-        container: {
-          id: 'failed',
-          error: { message: 'failed to process' },
-          updateAvailable: false,
-          updateKind: { kind: 'unknown' },
-        },
-        changed: false,
-      });
-      expect(result[1]).toEqual({
-        container: { id: 'ok', updateAvailable: false },
-        changed: false,
-      });
-      expect(event.emitContainerReports).toHaveBeenCalledWith(result);
-    });
-  });
-
-  describe('Container Processing', () => {
-    test('should watch individual container', async () => {
-      const container = { id: 'test123', name: 'test' };
-      const mockLog = createMockLogWithChild(['debug']);
-      docker.log = mockLog;
-      docker.findNewVersion = vi.fn().mockResolvedValue({ tag: '2.0.0' });
-      docker.mapContainerToContainerReport = vi.fn().mockReturnValue({ container, changed: false });
-
-      await docker.watchContainer(container);
-
-      expect(docker.findNewVersion).toHaveBeenCalledWith(container, expect.any(Object));
-      expect(event.emitContainerReport).toHaveBeenCalled();
-    });
-
-    test('should handle container processing error', async () => {
-      const container = { id: 'test123', name: 'test' };
-      const mockLog = createMockLogWithChild(['warn', 'debug']);
-      docker.log = mockLog;
-      docker.findNewVersion = vi.fn().mockRejectedValue(new Error('Registry error'));
-      docker.mapContainerToContainerReport = vi.fn().mockReturnValue({ container, changed: false });
-
-      await docker.watchContainer(container);
-
-      expect(mockLog._child.warn).toHaveBeenCalledWith(expect.stringContaining('Registry error'));
-      expect(container.error).toEqual({ message: 'Registry error' });
-    });
-
-    test('should fallback to a non-empty message when container processing error is empty', async () => {
-      const container = { id: 'test123', name: 'test' };
-      const mockLog = createMockLogWithChild(['warn', 'debug']);
-      docker.log = mockLog;
-      docker.findNewVersion = vi.fn().mockRejectedValue(new Error(''));
-      docker.mapContainerToContainerReport = vi.fn().mockReturnValue({ container, changed: false });
-
-      await docker.watchContainer(container);
-
-      expect(mockLog._child.warn).toHaveBeenCalledWith(
-        'Error when processing (Unexpected container processing error)',
-      );
-      expect(container.error).toEqual({ message: 'Unexpected container processing error' });
-    });
-  });
-
-  describe('Container Retrieval', () => {
-    test('should get containers with default options', async () => {
-      const containers = [
-        {
-          Id: '123',
-          Labels: { 'dd.watch': 'true' },
-          Names: ['/test'],
-        },
-      ];
-      mockDockerApi.listContainers.mockResolvedValue(containers);
-      docker.addImageDetailsToContainer = vi.fn().mockResolvedValue({ id: '123' });
-
-      await docker.register('watcher', 'docker', 'test', {
-        watchbydefault: true,
-      });
-      const result = await docker.getContainers();
-
-      expect(mockDockerApi.listContainers).toHaveBeenCalledWith({});
-      expect(result).toHaveLength(1);
-    });
-
-    test('should get all containers when watchall enabled', async () => {
-      mockDockerApi.listContainers.mockResolvedValue([]);
-
-      await docker.register('watcher', 'docker', 'test', {
-        watchall: true,
-      });
-      await docker.getContainers();
-
-      expect(mockDockerApi.listContainers).toHaveBeenCalledWith({
-        all: true,
-      });
-    });
-
-    test('should filter containers based on watch label', async () => {
-      const containers = [
-        { Id: '1', Labels: { 'dd.watch': 'true' }, Names: ['/test1'] },
-        {
-          Id: '2',
-          Labels: { 'dd.watch': 'false' },
-          Names: ['/test2'],
-        },
-        { Id: '3', Labels: {}, Names: ['/test3'] },
-      ];
-      mockDockerApi.listContainers.mockResolvedValue(containers);
-      docker.addImageDetailsToContainer = vi.fn().mockResolvedValue({ id: '1' });
-
-      await docker.register('watcher', 'docker', 'test', {
-        watchbydefault: false,
-      });
-      const result = await docker.getContainers();
-
-      expect(result).toHaveLength(1);
-    });
-
-    test('should apply swarm service deploy labels to container filtering and tag include', async () => {
-      const containers = [
-        {
-          Id: 'swarm-task-1',
-          Image: 'authelia/authelia:4.39.15',
-          Names: ['/authelia_authelia.1.xxxxx'],
-          Labels: {
-            'com.docker.swarm.service.id': 'service123',
-          },
-        },
-      ];
-      mockDockerApi.listContainers.mockResolvedValue(containers);
-      mockDockerApi.getService.mockReturnValue({
-        inspect: vi.fn().mockResolvedValue({
-          Spec: {
-            Labels: {
-              'dd.watch': 'true',
-              'dd.tag.include': String.raw`^\d+\.\d+\.\d+$`,
-            },
-          },
-        }),
-      });
-      docker.addImageDetailsToContainer = vi.fn().mockResolvedValue({ id: 'swarm-task-1' });
-
-      await docker.register('watcher', 'docker', 'test', {
-        watchbydefault: false,
-      });
-      const result = await docker.getContainers();
-
-      expect(result).toHaveLength(1);
-      expect(mockDockerApi.getService).toHaveBeenCalledWith('service123');
-      expect(docker.addImageDetailsToContainer).toHaveBeenCalledTimes(1);
-      expect(docker.addImageDetailsToContainer.mock.calls[0][1].includeTags).toBe(
-        String.raw`^\d+\.\d+\.\d+$`,
-      );
-    });
-
-    test('should let container labels override swarm service labels', async () => {
-      const containers = [
-        {
-          Id: 'swarm-task-2',
-          Image: 'grafana/alloy:v1.12.2',
-          Names: ['/monitoring_alloy.1.yyyyy'],
-          Labels: {
-            'com.docker.swarm.service.id': 'service456',
-            'dd.watch': 'true',
-            'dd.tag.include': String.raw`^v\d+\.\d+\.\d+$`,
-          },
-        },
-      ];
-      mockDockerApi.listContainers.mockResolvedValue(containers);
-      mockDockerApi.getService.mockReturnValue({
-        inspect: vi.fn().mockResolvedValue({
-          Spec: {
-            Labels: {
-              'dd.watch': 'false',
-              'dd.tag.include': String.raw`^\d+\.\d+\.\d+$`,
-            },
-          },
-        }),
-      });
-      docker.addImageDetailsToContainer = vi.fn().mockResolvedValue({ id: 'swarm-task-2' });
-
-      await docker.register('watcher', 'docker', 'test', {
-        watchbydefault: false,
-      });
-      const result = await docker.getContainers();
-
-      expect(result).toHaveLength(1);
-      expect(docker.addImageDetailsToContainer.mock.calls[0][1].includeTags).toBe(
-        String.raw`^v\d+\.\d+\.\d+$`,
-      );
-    });
-
-    test('should cache swarm service label lookups per service', async () => {
-      const containers = [
-        {
-          Id: 'swarm-task-3a',
-          Image: 'example/service:1.0.0',
-          Names: ['/svc.1.a'],
-          Labels: {
-            'com.docker.swarm.service.id': 'service789',
-          },
-        },
-        {
-          Id: 'swarm-task-3b',
-          Image: 'example/service:1.0.0',
-          Names: ['/svc.2.b'],
-          Labels: {
-            'com.docker.swarm.service.id': 'service789',
-          },
-        },
-      ];
-      mockDockerApi.listContainers.mockResolvedValue(containers);
-      mockDockerApi.getService.mockReturnValue({
-        inspect: vi.fn().mockResolvedValue({
-          Spec: {
-            Labels: {
-              'dd.watch': 'true',
-            },
-          },
-        }),
-      });
-      docker.addImageDetailsToContainer = vi.fn().mockResolvedValue({ id: 'ok' });
-
-      await docker.register('watcher', 'docker', 'test', {
-        watchbydefault: false,
-      });
-      await docker.getContainers();
-
-      expect(mockDockerApi.getService).toHaveBeenCalledTimes(1);
-      expect(mockDockerApi.getService).toHaveBeenCalledWith('service789');
-    });
-
-    test('should pick up dd labels from deploy-only labels (Spec.Labels) when container has no dd labels', async () => {
-      // Simulates: docker-compose deploy: labels: dd.tag.include (NOT root labels:)
-      // In Swarm, deploy labels go to Spec.Labels but NOT to container.Labels
-      const containers = [
-        {
-          Id: 'swarm-deploy-only',
-          Image: 'authelia/authelia:4.39.15',
-          Names: ['/authelia_authelia.1.xxxxx'],
-          Labels: {
-            'com.docker.swarm.service.id': 'svc-deploy-labels',
-            'com.docker.swarm.task.id': 'task1',
-            'com.docker.swarm.task.name': 'authelia_authelia.1.xxxxx',
-            // NO dd.* labels — they only exist in Spec.Labels
-          },
-        },
-      ];
-      mockDockerApi.listContainers.mockResolvedValue(containers);
-      mockDockerApi.getService.mockReturnValue({
-        inspect: vi.fn().mockResolvedValue({
-          Spec: {
-            Labels: {
-              'dd.watch': 'true',
-              'dd.tag.include': String.raw`^\d+\.\d+\.\d+$`,
-            },
-            TaskTemplate: {
-              ContainerSpec: {
-                // No Labels here — deploy labels don't go to TaskTemplate
-              },
-            },
-          },
-        }),
-      });
-      docker.addImageDetailsToContainer = vi.fn().mockResolvedValue({ id: 'swarm-deploy-only' });
-
-      await docker.register('watcher', 'docker', 'test', {
-        watchbydefault: false,
-      });
-      const result = await docker.getContainers();
-
-      expect(result).toHaveLength(1);
-      expect(docker.addImageDetailsToContainer).toHaveBeenCalledTimes(1);
-      // The tag include regex should come from Spec.Labels
-      expect(docker.addImageDetailsToContainer.mock.calls[0][1].includeTags).toBe(
-        String.raw`^\d+\.\d+\.\d+$`,
-      );
-    });
-
-    test('should gracefully handle swarm service inspect failure without losing container', async () => {
-      const containers = [
-        {
-          Id: 'swarm-inspect-fail',
-          Image: 'example/app:1.0.0',
-          Names: ['/app.1.xxxxx'],
-          Labels: {
-            'com.docker.swarm.service.id': 'svc-fail',
-            'dd.watch': 'true',
-          },
-        },
-      ];
-      mockDockerApi.listContainers.mockResolvedValue(containers);
-      mockDockerApi.getService.mockReturnValue({
-        inspect: vi.fn().mockRejectedValue(new Error('service not found')),
-      });
-      docker.addImageDetailsToContainer = vi.fn().mockResolvedValue({ id: 'swarm-inspect-fail' });
-
-      await docker.register('watcher', 'docker', 'test', {
-        watchbydefault: false,
-      });
-      const result = await docker.getContainers();
-
-      // Container should still be watched using its own labels
-      expect(result).toHaveLength(1);
-      // tag.include should be undefined since service inspect failed and
-      // the container itself has no dd.tag.include
-      expect(docker.addImageDetailsToContainer.mock.calls[0][1].includeTags).toBeUndefined();
-    });
-
-    test('should handle mixed label sources: deploy labels + root labels across services', async () => {
-      // Simulates: authelia with deploy labels, alloy with root labels
-      const containers = [
-        {
-          Id: 'swarm-authelia',
-          Image: 'authelia/authelia:4.39.15',
-          Names: ['/authelia_authelia.1.aaa'],
-          Labels: {
-            'com.docker.swarm.service.id': 'svc-authelia',
-            // deploy: labels: go to Spec.Labels, NOT here
-          },
-        },
-        {
-          Id: 'swarm-alloy',
-          Image: 'grafana/alloy:v1.12.2',
-          Names: ['/monitoring_alloy.1.bbb'],
-          Labels: {
-            'com.docker.swarm.service.id': 'svc-alloy',
-            // Root labels: ARE on the container
-            'dd.watch': 'true',
-            'dd.tag.include': String.raw`^v\d+\.\d+\.\d+$`,
-          },
-        },
-      ];
-      mockDockerApi.listContainers.mockResolvedValue(containers);
-      mockDockerApi.getService.mockImplementation((serviceId: string) => ({
-        inspect: vi.fn().mockResolvedValue(
-          serviceId === 'svc-authelia'
-            ? {
-                Spec: {
-                  Labels: {
-                    'dd.watch': 'true',
-                    'dd.tag.include': String.raw`^\d+\.\d+\.\d+$`,
-                  },
-                },
-              }
-            : {
-                Spec: {
-                  TaskTemplate: {
-                    ContainerSpec: {
-                      Labels: {
-                        'dd.watch': 'true',
-                        'dd.tag.include': String.raw`^v\d+\.\d+\.\d+$`,
-                      },
-                    },
-                  },
-                },
-              },
-        ),
-      }));
-      docker.addImageDetailsToContainer = vi
-        .fn()
-        .mockImplementation((_container: any, labelOverrides: any) =>
-          Promise.resolve({ id: _container.Id, includeTags: labelOverrides?.includeTags }),
-        );
-
-      await docker.register('watcher', 'docker', 'test', {
-        watchbydefault: false,
-      });
-      const result = await docker.getContainers();
-
-      expect(result).toHaveLength(2);
-      // Authelia's tag include should come from Spec.Labels (deploy labels)
-      const autheliaCall = docker.addImageDetailsToContainer.mock.calls.find(
-        (call: any) => call[0].Id === 'swarm-authelia',
-      );
-      expect(autheliaCall[1].includeTags).toBe(String.raw`^\d+\.\d+\.\d+$`);
-      // Alloy's tag include should come from container labels (root labels)
-      const alloyCall = docker.addImageDetailsToContainer.mock.calls.find(
-        (call: any) => call[0].Id === 'swarm-alloy',
-      );
-      expect(alloyCall[1].includeTags).toBe(String.raw`^v\d+\.\d+\.\d+$`);
-    });
-
-    test('should prune old containers', async () => {
-      const oldContainers = [{ id: 'old1' }, { id: 'old2' }];
-      storeContainer.getContainers.mockReturnValue(oldContainers);
-      mockDockerApi.listContainers.mockResolvedValue([]);
-      // Simulate containers no longer existing in Docker
-      mockDockerApi.getContainer.mockReturnValue({
-        inspect: vi.fn().mockRejectedValue(new Error('no such container')),
-      });
-
-      await docker.register('watcher', 'docker', 'test', {});
-      await docker.getContainers();
-
-      expect(storeContainer.deleteContainer).toHaveBeenCalledWith('old1');
-      expect(storeContainer.deleteContainer).toHaveBeenCalledWith('old2');
-    });
-
-    test('should continue when pruneOldContainers throws during stale record cleanup', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      docker.log = createMockLog(['warn']);
-      storeContainer.getContainers.mockReturnValue([
-        { id: 'old1', watcher: 'test', name: 'svc' } as any,
-      ]);
-      storeContainer.deleteContainer.mockImplementation(() => {
-        throw new Error('Delete failed');
-      });
-      mockDockerApi.listContainers.mockResolvedValue([
-        {
-          Id: 'new1',
-          Labels: { 'dd.watch': 'true' },
-          Names: ['/svc'],
-        },
-      ]);
-      docker.addImageDetailsToContainer = vi
-        .fn()
-        .mockResolvedValue({ id: 'new1', watcher: 'test', name: 'svc' });
-
-      const result = await docker.getContainers();
-
-      expect(result).toEqual([{ id: 'new1', watcher: 'test', name: 'svc' }]);
-      expect(docker.log.warn).toHaveBeenCalledWith(
-        expect.stringContaining('Error when trying to prune the old containers (Delete failed)'),
-      );
-    });
-
-    test('should handle pruning error', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      docker.log = createMockLog(['warn']);
-      storeContainer.getContainers.mockImplementationOnce(() => {
-        throw new Error('Store error');
-      });
-      mockDockerApi.listContainers.mockResolvedValue([]);
-
-      await docker.getContainers();
-
-      expect(docker.log.warn).toHaveBeenCalledWith(expect.stringContaining('Store error'));
-    });
-  });
-
-  describe('Dual-prefix dd.*/wud.* label support', () => {
-    test('should prefer dd.watch over wud.watch label', async () => {
-      const containers = [
-        {
-          Id: 'dd-label-1',
-          Labels: { 'dd.watch': 'true', 'wud.watch': 'false' },
-          Names: ['/dd-test'],
-        },
-      ];
-      mockDockerApi.listContainers.mockResolvedValue(containers);
-      docker.addImageDetailsToContainer = vi.fn().mockResolvedValue({ id: 'dd-label-1' });
-
-      await docker.register('watcher', 'docker', 'test', {
-        watchbydefault: false,
-      });
-      const result = await docker.getContainers();
-
-      // dd.watch=true should override wud.watch=false
-      expect(result).toHaveLength(1);
-    });
-
-    test('should fall back to wud.watch when dd.watch is not set', async () => {
-      const containers = [
-        {
-          Id: 'wud-fallback-1',
-          Labels: { 'wud.watch': 'true' },
-          Names: ['/wud-test'],
-        },
-      ];
-      mockDockerApi.listContainers.mockResolvedValue(containers);
-      docker.addImageDetailsToContainer = vi.fn().mockResolvedValue({ id: 'wud-fallback-1' });
-
-      await docker.register('watcher', 'docker', 'test', {
-        watchbydefault: false,
-      });
-      const result = await docker.getContainers();
-
-      expect(result).toHaveLength(1);
-    });
-
-    test('should prefer dd.tag.include over wud.tag.include label', async () => {
-      const containers = [
-        {
-          Id: 'dd-tag-1',
-          Labels: {
-            'dd.watch': 'true',
-            'dd.tag.include': String.raw`^v\d+`,
-            'wud.tag.include': String.raw`^\d+`,
-          },
-          Names: ['/dd-tag-test'],
-        },
-      ];
-      mockDockerApi.listContainers.mockResolvedValue(containers);
-      docker.addImageDetailsToContainer = vi.fn().mockResolvedValue({ id: 'dd-tag-1' });
-
-      await docker.register('watcher', 'docker', 'test', {
-        watchbydefault: false,
-      });
-      await docker.getContainers();
-
-      // dd.tag.include should be preferred
-      expect(docker.addImageDetailsToContainer.mock.calls[0][1].includeTags).toBe(
-        String.raw`^v\d+`,
-      );
-    });
-
-    describe('getLabel dual-prefix fallback for all label pairs', () => {
-      const labelPairs = [
-        ['dd.watch', 'wud.watch'],
-        ['dd.tag.include', 'wud.tag.include'],
-        ['dd.tag.exclude', 'wud.tag.exclude'],
-        ['dd.tag.transform', 'wud.tag.transform'],
-        ['dd.inspect.tag.path', 'wud.inspect.tag.path'],
-        ['dd.registry.lookup.image', 'wud.registry.lookup.image'],
-        ['dd.registry.lookup.url', 'wud.registry.lookup.url'],
-        ['dd.watch.digest', 'wud.watch.digest'],
-        ['dd.link.template', 'wud.link.template'],
-        ['dd.display.name', 'wud.display.name'],
-        ['dd.display.icon', 'wud.display.icon'],
-        ['dd.trigger.include', 'wud.trigger.include'],
-        ['dd.trigger.exclude', 'wud.trigger.exclude'],
-        ['dd.group', 'wud.group'],
-        ['dd.hook.pre', 'wud.hook.pre'],
-        ['dd.hook.post', 'wud.hook.post'],
-        ['dd.hook.pre.abort', 'wud.hook.pre.abort'],
-        ['dd.hook.timeout', 'wud.hook.timeout'],
-        ['dd.rollback.auto', 'wud.rollback.auto'],
-        ['dd.rollback.window', 'wud.rollback.window'],
-        ['dd.rollback.interval', 'wud.rollback.interval'],
-      ];
-
-      test.each(labelPairs)('should prefer %s over %s when both are present', (ddKey, wudKey) => {
-        const labels = { [ddKey]: 'dd-value', [wudKey]: 'wud-value' };
-        expect(testable_getLabel(labels, ddKey, wudKey)).toBe('dd-value');
-      });
-
-      test.each(labelPairs)('should fall back to %s when %s is absent', (ddKey, wudKey) => {
-        const labels = { [wudKey]: 'legacy-value' };
-        expect(testable_getLabel(labels, ddKey, wudKey)).toBe('legacy-value');
-      });
-
-      test.each(
-        labelPairs,
-      )('should return undefined when neither %s nor %s is set', (ddKey, wudKey) => {
-        expect(testable_getLabel({}, ddKey, wudKey)).toBeUndefined();
-      });
-    });
-  });
-
-  describe('Version Finding', () => {
-    test('should find new version using registry', async () => {
-      const container = {
-        image: {
-          registry: { name: 'hub' },
-          tag: { value: '1.0.0' },
-          digest: { watch: false },
-        },
-      };
-      const mockRegistry = {
-        getTags: vi.fn().mockResolvedValue(['1.0.0', '1.1.0', '2.0.0']),
-      };
-      registry.getState.mockReturnValue({
-        registry: { hub: mockRegistry },
-      });
-      const mockLogChild = { error: vi.fn() };
-
-      const result = await docker.findNewVersion(container, mockLogChild);
-
-      expect(mockRegistry.getTags).toHaveBeenCalledWith(container.image);
-      expect(result).toEqual({ tag: '1.0.0' });
-    });
-
-    test('should handle unsupported registry', async () => {
-      const container = {
-        image: {
-          registry: { name: 'unknown' },
-          tag: { value: '1.0.0' },
-          digest: { watch: false },
-        },
-      };
-      registry.getState.mockReturnValue({ registry: {} });
-      const mockLogChild = { error: vi.fn() };
-
-      try {
-        await docker.findNewVersion(container, mockLogChild);
-      } catch (error) {
-        expect(error.message).toContain('Unsupported Registry');
-      }
-    });
-
-    test('should handle digest watching with v2 manifest', async () => {
-      const container = {
-        image: {
-          id: 'image123',
-          registry: { name: 'hub' },
-          tag: { value: '1.0.0' },
-          digest: { watch: true, repo: 'sha256:abc123' },
-        },
-      };
-      const mockRegistry = {
-        getTags: vi.fn().mockResolvedValue(['1.0.0']),
-        getImageManifestDigest: vi
-          .fn()
-          .mockResolvedValueOnce({
-            digest: 'sha256:def456',
-            created: '2023-01-01',
-            version: 2,
-          })
-          .mockResolvedValueOnce({
-            digest: 'sha256:manifest123',
-          }),
-      };
-      registry.getState.mockReturnValue({
-        registry: { hub: mockRegistry },
-      });
-      const mockLogChild = { error: vi.fn() };
-
-      const result = await docker.findNewVersion(container, mockLogChild);
-
-      expect(mockRegistry.getImageManifestDigest).toHaveBeenCalledTimes(2);
-      expect(result.digest).toBe('sha256:def456');
-      expect(result.created).toBe('2023-01-01');
-    });
-
-    test('should handle digest watching with v1 manifest using repo digest', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      const container = {
-        image: {
-          id: 'image123',
-          registry: { name: 'hub' },
-          tag: { value: '1.0.0' },
-          digest: { watch: true, repo: 'sha256:abc123' },
-        },
-      };
-      const mockRegistry = {
-        getTags: vi.fn().mockResolvedValue(['1.0.0']),
-        getImageManifestDigest: vi.fn().mockResolvedValue({
-          digest: 'sha256:def456',
-          created: '2023-01-01',
-          version: 1,
-        }),
-      };
-      registry.getState.mockReturnValue({
-        registry: { hub: mockRegistry },
-      });
-      const mockLogChild = { error: vi.fn() };
-
-      await docker.findNewVersion(container, mockLogChild);
-
-      expect(container.image.digest.value).toBe('sha256:abc123');
-    });
-
-    test('should use tag candidate for digest lookup when digest watch is true and candidates exist', async () => {
-      const container = {
-        image: {
-          id: 'image123',
-          registry: { name: 'hub' },
-          tag: { value: '1.0.0', semver: true },
-          digest: { watch: true, repo: 'sha256:abc123' },
-        },
-      };
-      const mockRegistry = {
-        getTags: vi.fn().mockResolvedValue(['1.0.0', '2.0.0']),
-        getImageManifestDigest: vi
-          .fn()
-          .mockResolvedValueOnce({
-            digest: 'sha256:def456',
-            created: '2023-01-01',
-            version: 2,
-          })
-          .mockResolvedValueOnce({
-            digest: 'sha256:manifest123',
-          }),
-      };
-      registry.getState.mockReturnValue({
-        registry: { hub: mockRegistry },
-      });
-      mockTag.parse.mockReturnValue({ major: 1, minor: 0, patch: 0 });
-      mockTag.isGreater.mockImplementation((t2, t1) => {
-        return t2 === '2.0.0' && t1 === '1.0.0';
-      });
-      const mockLogChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
-
-      const result = await docker.findNewVersion(container, mockLogChild);
-
-      // Should have used the tag candidate (2.0.0) for digest lookup
-      expect(result.tag).toBe('2.0.0');
-      expect(result.digest).toBe('sha256:def456');
-    });
-
-    test('should handle tag candidates with semver', async () => {
-      const container = {
-        includeTags: String.raw`^v\d+`,
-        excludeTags: 'beta',
-        transformTags: 's/v//',
-        image: {
-          registry: { name: 'hub' },
-          tag: { value: '1.0.0', semver: true },
-          digest: { watch: false },
-        },
-      };
-      const mockRegistry = {
-        getTags: vi.fn().mockResolvedValue(['v1.0.0', 'v1.1.0', 'v2.0.0-beta', 'latest']),
-      };
-      registry.getState.mockReturnValue({
-        registry: { hub: mockRegistry },
-      });
-      mockTag.parse.mockReturnValue({ major: 1, minor: 1, patch: 0 });
-      mockTag.isGreater.mockReturnValue(true);
-      const mockLogChild = { error: vi.fn(), warn: vi.fn() };
-
-      await docker.findNewVersion(container, mockLogChild);
-
-      expect(mockRegistry.getTags).toHaveBeenCalled();
-    });
-
-    test('should filter tags with different number of semver parts', async () => {
-      const container = {
-        image: {
-          registry: { name: 'hub' },
-          tag: { value: '1.2', semver: true },
-          digest: { watch: false },
-        },
-      };
-      const mockRegistry = {
-        getTags: vi.fn().mockResolvedValue([
-          '1.2.1', // 3 parts, should be filtered out
-          '1.3', // 2 parts, should be kept
-          '1.1', // 2 parts, should be kept (but lower)
-          '2', // 1 part, should be filtered out
-        ]),
-      };
-      registry.getState.mockReturnValue({
-        registry: { hub: mockRegistry },
-      });
-
-      // Mock isGreater to return true for 1.3 > 1.2
-      mockTag.isGreater.mockImplementation((t1, t2) => {
-        if (t1 === '1.3' && t2 === '1.2') return true;
-        return false;
-      });
-
-      const mockLogChild = { error: vi.fn(), warn: vi.fn() };
-
-      const result = await docker.findNewVersion(container, mockLogChild);
-
-      expect(result).toEqual({ tag: '1.3' });
-    });
-
-    test('should ignore semver tags with mismatched numeric zero-padding style', async () => {
-      const container = {
-        image: {
-          registry: { name: 'hub' },
-          tag: { value: '5.1.4', semver: true },
-          digest: { watch: false },
-        },
-      };
-      const mockRegistry = {
-        getTags: vi.fn().mockResolvedValue(['20.04.1', '5.1.5', '5.1.4']),
-      };
-      registry.getState.mockReturnValue({
-        registry: { hub: mockRegistry },
-      });
-
-      const rank = {
-        '5.1.4': 514,
-        '5.1.5': 515,
-        '20.04.1': 200401,
-      };
-      mockTag.isGreater.mockImplementation(
-        (version1, version2) => rank[version1] >= rank[version2],
-      );
-
-      const mockLogChild = { error: vi.fn(), warn: vi.fn() };
-      const result = await docker.findNewVersion(container, mockLogChild);
-
-      expect(result).toEqual({ tag: '5.1.5' });
-    });
-
-    test('should keep updates within inferred suffix family by default', async () => {
-      const container = {
-        image: {
-          registry: { name: 'hub' },
-          tag: { value: '1.2.3-ls132', semver: true },
-          digest: { watch: false },
-        },
-      };
-      const mockRegistry = {
-        getTags: vi.fn().mockResolvedValue(['1.2.4', '1.2.4-ls133', '1.2.3-ls132']),
-      };
-      registry.getState.mockReturnValue({
-        registry: { hub: mockRegistry },
-      });
-
-      const rank = {
-        '1.2.3-ls132': 1230,
-        '1.2.4-ls133': 1240,
-        '1.2.4': 1241,
-      };
-      mockTag.isGreater.mockImplementation(
-        (version1, version2) => rank[version1] >= rank[version2],
-      );
-
-      const mockLogChild = { error: vi.fn(), warn: vi.fn() };
-      const result = await docker.findNewVersion(container, mockLogChild);
-
-      expect(result).toEqual({ tag: '1.2.4-ls133' });
-    });
-
-    test('should keep current tag and warn when strict mode filters only cross-family higher tags', async () => {
-      const container = {
-        image: {
-          registry: { name: 'hub' },
-          tag: { value: '1.2.3-ls132', semver: true },
-          digest: { watch: false },
-        },
-      };
-      const mockRegistry = {
-        getTags: vi.fn().mockResolvedValue(['1.2.4', '1.2.3-ls132']),
-      };
-      registry.getState.mockReturnValue({
-        registry: { hub: mockRegistry },
-      });
-
-      const rank = {
-        '1.2.3-ls132': 1230,
-        '1.2.4': 1241,
-      };
-      mockTag.isGreater.mockImplementation(
-        (version1, version2) => (rank[version1] || 0) > (rank[version2] || 0),
-      );
-
-      const mockLogChild = { error: vi.fn(), warn: vi.fn() };
-      const result = await docker.findNewVersion(container, mockLogChild);
-
-      expect(result).toEqual({
-        tag: '1.2.3-ls132',
-        noUpdateReason: expect.stringContaining(
-          'Strict tag-family policy filtered out 1 higher semver tag(s) outside the inferred family of "1.2.3-ls132"',
-        ),
-      });
-      expect(mockLogChild.warn).toHaveBeenCalledWith(
-        expect.stringContaining(
-          'Strict tag-family policy filtered out 1 higher semver tag(s) outside the inferred family of "1.2.3-ls132"',
-        ),
-      );
-    });
-
-    test('should allow cross-family updates in loose mode when no higher same-family tag exists', async () => {
-      const container = {
-        tagFamily: 'loose',
-        image: {
-          registry: { name: 'hub' },
-          tag: { value: '1.2.3-ls132', semver: true },
-          digest: { watch: false },
-        },
-      };
-      const mockRegistry = {
-        getTags: vi.fn().mockResolvedValue(['1.2.4', '1.2.3-ls132']),
-      };
-      registry.getState.mockReturnValue({
-        registry: { hub: mockRegistry },
-      });
-
-      const rank = {
-        '1.2.3-ls132': 1230,
-        '1.2.4': 1241,
-      };
-      mockTag.isGreater.mockImplementation(
-        (version1, version2) => (rank[version1] || 0) > (rank[version2] || 0),
-      );
-
-      const mockLogChild = { error: vi.fn(), warn: vi.fn() };
-      const result = await docker.findNewVersion(container, mockLogChild);
-
-      expect(result).toEqual({ tag: '1.2.4' });
-    });
-
-    test('should allow cross-family semver updates when tagFamily is loose', async () => {
-      const container = {
-        tagFamily: 'loose',
-        image: {
-          registry: { name: 'hub' },
-          tag: { value: '1.2.3-ls132', semver: true },
-          digest: { watch: false },
-        },
-      };
-      const mockRegistry = {
-        getTags: vi.fn().mockResolvedValue(['1.2.4', '1.2.4-ls133', '1.2.3-ls132']),
-      };
-      registry.getState.mockReturnValue({
-        registry: { hub: mockRegistry },
-      });
-
-      const rank = {
-        '1.2.3-ls132': 1230,
-        '1.2.4-ls133': 1240,
-        '1.2.4': 1241,
-      };
-      mockTag.isGreater.mockImplementation(
-        (version1, version2) => rank[version1] >= rank[version2],
-      );
-
-      const mockLogChild = { error: vi.fn(), warn: vi.fn() };
-      const result = await docker.findNewVersion(container, mockLogChild);
-
-      expect(result).toEqual({ tag: '1.2.4' });
-    });
-
-    test('should fall back to strict mode when tagFamily is invalid', async () => {
-      const container = {
-        tagFamily: 'unsupported',
-        image: {
-          registry: { name: 'hub' },
-          tag: { value: '1.2.3-ls132', semver: true },
-          digest: { watch: false },
-        },
-      };
-      const mockRegistry = {
-        getTags: vi.fn().mockResolvedValue(['1.2.4', '1.2.4-ls133', '1.2.3-ls132']),
-      };
-      registry.getState.mockReturnValue({
-        registry: { hub: mockRegistry },
-      });
-
-      const rank = {
-        '1.2.3-ls132': 1230,
-        '1.2.4-ls133': 1240,
-        '1.2.4': 1241,
-      };
-      mockTag.isGreater.mockImplementation(
-        (version1, version2) => rank[version1] >= rank[version2],
-      );
-
-      const mockLogChild = { error: vi.fn(), warn: vi.fn() };
-      const result = await docker.findNewVersion(container, mockLogChild);
-
-      expect(result).toEqual({ tag: '1.2.4-ls133' });
-      expect(mockLogChild.warn).toHaveBeenCalledWith(
-        expect.stringContaining('Invalid tag family policy'),
-      );
-    });
-
-    test('should log one-pass semver candidate filter counters in strict mode', async () => {
-      const container = {
-        image: {
-          registry: { name: 'hub' },
-          tag: { value: 'v1.0.0', semver: true },
-          digest: { watch: false },
-        },
-      };
-      const mockRegistry = {
-        getTags: vi.fn().mockResolvedValue(['latest', 'v1.0.0', 'v1.1.0', 'v2.0.0', '1.2.0']),
-      };
-      registry.getState.mockReturnValue({
-        registry: { hub: mockRegistry },
-      });
-
-      const rank = {
-        'v1.0.0': 100,
-        'v1.1.0': 110,
-        'v2.0.0': 200,
-      };
-      mockTag.isGreater.mockImplementation(
-        (version1, version2) => (rank[version1] || 0) > (rank[version2] || 0),
-      );
-
-      const mockLogChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
-      const result = await docker.findNewVersion(container, mockLogChild);
-
-      expect(result).toEqual({ tag: 'v2.0.0' });
-      expect(mockLogChild.debug).toHaveBeenCalledWith(
-        expect.stringContaining(
-          'Tag candidate filter counters (strict): input=5, prefix=3, semver=3, family=3, greater=2, output=2',
-        ),
-      );
-    });
-
-    test('should best-effort suggest semver tag when current tag is outside include filter', async () => {
-      const container = {
-        includeTags: '^1\\.',
-        image: {
-          registry: { name: 'hub' },
-          tag: { value: '2.0.0', semver: true },
-          digest: { watch: false },
-        },
-      };
-      const mockRegistry = {
-        getTags: vi.fn().mockResolvedValue(['1.8.0', '1.9.0', '2.1.0']),
-      };
-      registry.getState.mockReturnValue({
-        registry: { hub: mockRegistry },
-      });
-
-      const rank = {
-        '1.8.0': 180,
-        '1.9.0': 190,
-        '2.0.0': 200,
-        '2.1.0': 210,
-      };
-      mockTag.isGreater.mockImplementation(
-        (version1, version2) => rank[version1] >= rank[version2],
-      );
-      mockTag.parse.mockImplementation((version) =>
-        rank[version] ? { major: 1, minor: 0, patch: 0 } : null,
-      );
-
-      const mockLogChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
-
-      const result = await docker.findNewVersion(container, mockLogChild);
-
-      expect(result).toEqual({ tag: '1.9.0' });
-      expect(mockLogChild.warn).toHaveBeenCalledWith(
-        expect.stringContaining('does not match includeTags regex'),
-      );
-      expect(mockLogChild.debug).toHaveBeenCalledWith(expect.stringContaining('greater=skipped'));
-    });
-
-    test('should advise best semver tag when current tag is non-semver and includeTags filter is set', async () => {
-      const container = {
-        includeTags: String.raw`^\d+\.\d+`,
-        image: {
-          registry: { name: 'hub' },
-          tag: { value: 'latest', semver: false },
-          digest: { watch: false },
-        },
-      };
-      const mockRegistry = {
-        getTags: vi.fn().mockResolvedValue(['latest', 'rolling', '1.0.0', '2.0.0', '3.0.0']),
-      };
-      registry.getState.mockReturnValue({
-        registry: { hub: mockRegistry },
-      });
-
-      const rank = {
-        '1.0.0': 100,
-        '2.0.0': 200,
-        '3.0.0': 300,
-      };
-      mockTag.isGreater.mockImplementation(
-        (version1, version2) => rank[version1] >= rank[version2],
-      );
-      mockTag.parse.mockImplementation((version) =>
-        rank[version] ? { major: 1, minor: 0, patch: 0 } : null,
-      );
-
-      const mockLogChild = {
-        error: vi.fn(),
-        warn: vi.fn(),
-        debug: vi.fn(),
-      };
-
-      const result = await docker.findNewVersion(container, mockLogChild);
-
-      expect(result).toEqual({ tag: '3.0.0' });
-      expect(mockLogChild.warn).toHaveBeenCalledWith(
-        expect.stringContaining('is not semver but includeTags filter'),
-      );
-    });
-
-    test('should not advise any tag when current tag is non-semver and no includeTags filter is set', async () => {
-      const container = {
-        image: {
-          registry: { name: 'hub' },
-          tag: { value: 'latest', semver: false },
-          digest: { watch: false },
-        },
-      };
-      const mockRegistry = {
-        getTags: vi.fn().mockResolvedValue(['latest', '1.0.0', '2.0.0']),
-      };
-      registry.getState.mockReturnValue({
-        registry: { hub: mockRegistry },
-      });
-
-      mockTag.parse.mockReturnValue(null);
-
-      const mockLogChild = {
-        error: vi.fn(),
-        warn: vi.fn(),
-        debug: vi.fn(),
-      };
-
-      const result = await docker.findNewVersion(container, mockLogChild);
-
-      // Without includeTags, non-semver tags should not get any advice
-      expect(result).toEqual({ tag: 'latest' });
-    });
-  });
-
-  describe('Container Details', () => {
-    test('should return existing container from store', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      docker.log = createMockLog(['debug']);
-      const existingContainer = {
-        id: '123',
-        error: undefined,
-        image: { digest: { repo: 'sha256:abc' }, id: 'image123', created: '2023-01-01' },
-      };
-      storeContainer.getContainer.mockReturnValue(existingContainer);
-      mockImage.inspect.mockResolvedValue({
-        Id: 'image123',
-        RepoDigests: ['nginx@sha256:abc'],
-        Created: '2023-01-01',
-      });
-
-      const result = await docker.addImageDetailsToContainer({
-        Id: '123',
-        Image: 'nginx:latest',
-      });
-
-      expect(result).toBe(existingContainer);
-    });
-
-    test('should skip container inspect for store container when watch events are enabled', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      docker.log = createMockLog(['debug']);
-      const existingContainer = {
-        id: '123',
-        error: undefined,
-        image: {
-          digest: { repo: 'sha256:abc' },
-          id: 'image123',
-          created: '2023-01-01',
-        },
-        details: {
-          ports: ['80/tcp'],
-          volumes: ['/old/data:/data'],
-          env: [{ key: 'APP_ENV', value: 'prod' }],
-        },
-      };
-      storeContainer.getContainer.mockReturnValue(existingContainer);
-      mockImage.inspect.mockResolvedValue({
-        Id: 'image123',
-        RepoDigests: ['nginx@sha256:abc'],
-        Created: '2023-01-01',
-      });
-
-      const result = await docker.addImageDetailsToContainer({
-        Id: '123',
-        Image: 'nginx:latest',
-        Ports: [{ PrivatePort: 8080, Type: 'tcp', PublicPort: 18080, IP: '0.0.0.0' }],
-        Mounts: [{ Source: '/host/data', Destination: '/data', RW: false }],
-      });
-
-      expect(result).toBe(existingContainer);
-      expect(mockContainer.inspect).not.toHaveBeenCalled();
-      expect(result.details).toEqual({
-        ports: ['0.0.0.0:18080->8080/tcp'],
-        volumes: ['/host/data:/data:ro'],
-        env: [{ key: 'APP_ENV', value: 'prod' }],
-      });
-    });
-
-    test('should inspect store container runtime details when watch events are disabled', async () => {
-      await docker.register('watcher', 'docker', 'test', { watchevents: false });
-      docker.log = createMockLog(['debug']);
-      const existingContainer = {
-        id: '123',
-        error: undefined,
-        image: {
-          digest: { repo: 'sha256:abc' },
-          id: 'image123',
-          created: '2023-01-01',
-        },
-        details: {
-          ports: [],
-          volumes: [],
-          env: [],
-        },
-      };
-      storeContainer.getContainer.mockReturnValue(existingContainer);
-      mockContainer.inspect.mockResolvedValue({
-        Config: {
-          Env: ['APP_ENV=prod'],
-        },
-      });
-      mockImage.inspect.mockResolvedValue({
-        Id: 'image123',
-        RepoDigests: ['nginx@sha256:abc'],
-        Created: '2023-01-01',
-      });
-
-      const result = await docker.addImageDetailsToContainer({
-        Id: '123',
-        Image: 'nginx:latest',
-      });
-
-      expect(result).toBe(existingContainer);
-      expect(mockContainer.inspect).toHaveBeenCalledTimes(1);
-      expect(result.details.env).toEqual([{ key: 'APP_ENV', value: 'prod' }]);
-    });
-
-    test('should refresh image fields when digest changed in store container', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      docker.log = createMockLog(['debug']);
-      const existingContainer = {
-        id: '123',
-        error: undefined,
-        image: {
-          digest: { repo: 'sha256:olddigest' },
-          id: 'old-image-id',
-          created: '2023-01-01',
-        },
-      };
-      storeContainer.getContainer.mockReturnValue(existingContainer);
-      mockImage.inspect.mockResolvedValue({
-        Id: 'new-image-id',
-        RepoDigests: ['nginx@sha256:newdigest'],
-        Created: '2024-06-15',
-      });
-
-      const result = await docker.addImageDetailsToContainer({
-        Id: '123',
-        Image: 'nginx:latest',
-      });
-
-      expect(result.image.digest.repo).toBe('sha256:newdigest');
-      expect(result.image.id).toBe('new-image-id');
-      expect(result.image.created).toBe('2024-06-15');
-    });
-
-    test('should keep existing created date when refreshed image has no Created field', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      docker.log = createMockLog(['debug']);
-      const existingContainer = {
-        id: '123',
-        error: undefined,
-        image: {
-          digest: { repo: 'sha256:olddigest' },
-          id: 'old-image-id',
-          created: '2023-01-01',
-        },
-      };
-      storeContainer.getContainer.mockReturnValue(existingContainer);
-      mockImage.inspect.mockResolvedValue({
-        Id: 'new-image-id',
-        RepoDigests: ['nginx@sha256:newdigest'],
-      });
-
-      const result = await docker.addImageDetailsToContainer({
-        Id: '123',
-        Image: 'nginx:latest',
-      });
-
-      expect(result.image.digest.repo).toBe('sha256:newdigest');
-      expect(result.image.id).toBe('new-image-id');
-      expect(result.image.created).toBe('2023-01-01');
-    });
-
-    test('should degrade gracefully when image inspect fails for store container', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      docker.log = createMockLog(['debug']);
-      const existingContainer = {
-        id: '123',
-        error: undefined,
-        image: {
-          digest: { repo: 'sha256:cached' },
-          id: 'cached-image-id',
-          created: '2023-01-01',
-        },
-      };
-      storeContainer.getContainer.mockReturnValue(existingContainer);
-      mockImage.inspect.mockRejectedValue(new Error('image not found'));
-
-      const result = await docker.addImageDetailsToContainer({
-        Id: '123',
-        Image: 'nginx:latest',
-      });
-
-      expect(result).toBe(existingContainer);
-      expect(result.image.digest.repo).toBe('sha256:cached');
-      expect(result.image.id).toBe('cached-image-id');
-    });
-
-    test('should not mutate store container when image fields unchanged', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      docker.log = createMockLog(['debug']);
-      const existingContainer = {
-        id: '123',
-        error: undefined,
-        image: {
-          digest: { repo: 'sha256:samedigest' },
-          id: 'same-image-id',
-          created: '2023-01-01',
-        },
-      };
-      storeContainer.getContainer.mockReturnValue(existingContainer);
-      mockImage.inspect.mockResolvedValue({
-        Id: 'same-image-id',
-        RepoDigests: ['nginx@sha256:samedigest'],
-        Created: '2023-01-01',
-      });
-
-      const result = await docker.addImageDetailsToContainer({
-        Id: '123',
-        Image: 'nginx:latest',
-      });
-
-      expect(result).toBe(existingContainer);
-      // Values should be unchanged
-      expect(result.image.digest.repo).toBe('sha256:samedigest');
-      expect(result.image.id).toBe('same-image-id');
-      expect(result.image.created).toBe('2023-01-01');
-    });
-
-    test('should backfill digest value for store container when repo digest exists', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      docker.log = createMockLog(['debug']);
-      const existingContainer = {
-        id: '123',
-        error: undefined,
-        image: {
-          digest: { repo: 'sha256:samedigest' },
-          id: 'same-image-id',
-          created: '2023-01-01',
-        },
-      };
-      storeContainer.getContainer.mockReturnValue(existingContainer);
-      mockImage.inspect.mockResolvedValue({
-        Id: 'same-image-id',
-        RepoDigests: ['nginx@sha256:samedigest'],
-        Created: '2023-01-01',
-      });
-
-      const result = await docker.addImageDetailsToContainer({
-        Id: '123',
-        Image: 'nginx:latest',
-      });
-
-      expect(result.image.digest.value).toBe('sha256:samedigest');
-    });
-
-    test('should keep existing digest value when backfill is not needed', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      docker.log = createMockLog(['debug']);
-      const existingContainer = {
-        id: '123',
-        error: undefined,
-        image: {
-          digest: { repo: 'sha256:samedigest', value: 'sha256:already-set' },
-          id: 'same-image-id',
-          created: '2023-01-01',
-        },
-      };
-      storeContainer.getContainer.mockReturnValue(existingContainer);
-      mockImage.inspect.mockResolvedValue({
-        Id: 'same-image-id',
-        RepoDigests: ['nginx@sha256:samedigest'],
-        Created: '2023-01-01',
-      });
-
-      const result = await docker.addImageDetailsToContainer({
-        Id: '123',
-        Image: 'nginx:latest',
-      });
-
-      expect(result.image.digest.value).toBe('sha256:already-set');
-    });
-
-    test('should keep digest value unchanged when repo digest is missing but image metadata changes', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      docker.log = createMockLog(['debug']);
-      const existingContainer = {
-        id: '123',
-        error: undefined,
-        image: {
-          digest: { repo: 'sha256:cached', value: 'sha256:cached' },
-          id: 'old-image-id',
-          created: '2023-01-01',
-        },
-      };
-      storeContainer.getContainer.mockReturnValue(existingContainer);
-      mockImage.inspect.mockResolvedValue({
-        Id: 'new-image-id',
-        RepoDigests: [],
-      });
-
-      const result = await docker.addImageDetailsToContainer({
-        Id: '123',
-        Image: 'nginx:latest',
-      });
-
-      expect(result.image.digest.repo).toBeUndefined();
-      expect(result.image.digest.value).toBe('sha256:cached');
-      expect(result.image.id).toBe('new-image-id');
-    });
-
-    test('should set digest value from repo digest for new container details', async () => {
-      const container = await setupContainerDetailTest(docker, {
-        container: { Image: 'nginx:latest' },
-        imageDetails: { RepoDigests: ['nginx@sha256:abc123'] },
-        parsedImage: { domain: 'docker.io', path: 'library/nginx', tag: 'latest' },
-        semverValue: null,
-      });
-
-      const result = await docker.addImageDetailsToContainer(container);
-
-      expect(result.image.digest.repo).toBe('sha256:abc123');
-      expect(result.image.digest.value).toBe('sha256:abc123');
-    });
-
-    test('should add image details to new container', async () => {
-      const container = await setupContainerDetailTest(docker, {
-        container: { Image: 'nginx:1.0.0' },
-        imageDetails: { Variant: 'v8', RepoDigests: ['nginx@sha256:abc123'] },
-        validateImpl: () => ({
-          id: '123',
-          name: 'test-container',
-          image: { architecture: 'amd64', variant: 'v8' },
-        }),
-      });
-
-      const result = await docker.addImageDetailsToContainer(container);
-
-      expect(mockImage.inspect).toHaveBeenCalled();
-      expect(result).toBeDefined();
-    });
-
-    test('should include runtime details from inspect payload', async () => {
-      const container = await setupContainerDetailTest(docker, {
-        container: { Image: 'nginx:1.0.0' },
-      });
-      mockContainer.inspect.mockResolvedValue({
-        NetworkSettings: {
-          Ports: {
-            '80/tcp': [{ HostIp: '0.0.0.0', HostPort: '8080' }],
-            '443/tcp': null,
-          },
-        },
-        Mounts: [
-          { Name: 'config-vol', Destination: '/config', RW: true },
-          { Source: '/host/data', Destination: '/data', RW: false },
-        ],
-        Config: {
-          Env: ['NODE_ENV=production', 'EMPTY=', 'NO_VALUE'],
-        },
-      });
-
-      const result = await docker.addImageDetailsToContainer(container);
-
-      expect(result.details).toEqual({
-        ports: ['0.0.0.0:8080->80/tcp', '443/tcp'],
-        volumes: ['config-vol:/config', '/host/data:/data:ro'],
-        env: [
-          { key: 'NODE_ENV', value: 'production' },
-          { key: 'EMPTY', value: '' },
-          { key: 'NO_VALUE', value: '' },
-        ],
-      });
-    });
-
-    test('should default display name to container name for drydock image', async () => {
-      const container = await setupContainerDetailTest(docker, {
-        container: {
-          Image: 'ghcr.io/codeswhat/drydock:latest',
-          Names: ['/dd'],
-        },
-        imageDetails: {
-          Variant: 'v8',
-          RepoDigests: ['ghcr.io/codeswhat/drydock@sha256:abc123'],
-        },
-        parsedImage: { domain: 'ghcr.io', path: 'codeswhat/drydock', tag: 'latest' },
-        semverValue: null,
-        registryId: 'ghcr',
-      });
-
-      const result = await docker.addImageDetailsToContainer(container);
-
-      expect(result.displayName).toBe('dd');
-    });
-
-    test('should keep custom display name when provided', async () => {
-      const container = await setupContainerDetailTest(docker, {
-        container: {
-          Image: 'ghcr.io/codeswhat/drydock:latest',
-          Names: ['/dd'],
-        },
-        imageDetails: {
-          Variant: 'v8',
-          RepoDigests: ['ghcr.io/codeswhat/drydock@sha256:abc123'],
-        },
-        parsedImage: { domain: 'ghcr.io', path: 'codeswhat/drydock', tag: 'latest' },
-        semverValue: null,
-        registryId: 'ghcr',
-      });
-
-      const result = await docker.addImageDetailsToContainer(container, {
-        displayName: 'DD CE Custom',
-      });
-
-      expect(result.displayName).toBe('DD CE Custom');
-    });
-
-    test('should apply imgset defaults when labels are missing', async () => {
-      const haImgset = {
-        homeassistant: {
-          image: 'ghcr.io/home-assistant/home-assistant',
-          tag: {
-            include: String.raw`^\d+\.\d+\.\d+$`,
-          },
-          display: {
-            name: 'Home Assistant',
-            icon: 'mdi-home-assistant',
-          },
-          link: {
-            template: 'https://www.home-assistant.io/changelogs/core-${major}${minor}${patch}',
-          },
-          trigger: {
-            include: 'ntfy.default:major',
-          },
-          registry: {
-            lookup: {
-              image: 'ghcr.io/home-assistant/home-assistant',
-            },
-          },
-        },
-      };
-      const container = await setupContainerDetailTest(docker, {
-        registerConfig: { imgset: haImgset },
-        container: {
-          Image: 'ghcr.io/home-assistant/home-assistant:2026.2.1',
-          Names: ['/homeassistant'],
-        },
-        imageDetails: {
-          Variant: 'v8',
-          RepoDigests: ['ghcr.io/home-assistant/home-assistant@sha256:abc123'],
-        },
-        parseImpl: createHaParseMock(),
-        semverValue: { major: 2026, minor: 2, patch: 1 },
-        registryId: 'ghcr',
-      });
-
-      const result = await docker.addImageDetailsToContainer(container);
-
-      expect(result.includeTags).toBe(String.raw`^\d+\.\d+\.\d+$`);
-      expect(result.displayName).toBe('Home Assistant');
-      expect(result.displayIcon).toBe('mdi-home-assistant');
-      expect(result.linkTemplate).toBe(
-        'https://www.home-assistant.io/changelogs/core-${major}${minor}${patch}',
-      );
-      expect(result.triggerInclude).toBe('ntfy.default:major');
-      expect(result.image.registry.lookupImage).toBe('ghcr.io/home-assistant/home-assistant');
-    });
-
-    test('should let labels override imgset defaults', async () => {
-      const container = await setupContainerDetailTest(docker, {
-        registerConfig: {
-          imgset: {
-            homeassistant: {
-              image: 'ghcr.io/home-assistant/home-assistant',
-              tag: { include: String.raw`^\d+\.\d+\.\d+$` },
-              display: { name: 'Home Assistant', icon: 'mdi-home-assistant' },
-              link: {
-                template: 'https://www.home-assistant.io/changelogs/core-${major}${minor}${patch}',
-              },
-              trigger: { include: 'ntfy.default:major' },
-            },
-          },
-        },
-        container: {
-          Image: 'ghcr.io/home-assistant/home-assistant:2026.2.1',
-          Names: ['/homeassistant'],
-        },
-        imageDetails: {
-          Variant: 'v8',
-          RepoDigests: ['ghcr.io/home-assistant/home-assistant@sha256:abc123'],
-        },
-        parseImpl: createHaParseMock(),
-        semverValue: { major: 2026, minor: 2, patch: 1 },
-        registryId: 'ghcr',
-      });
-
-      const result = await docker.addImageDetailsToContainer(container, {
-        includeTags: '^stable$',
-        displayName: 'HA Label Name',
-        displayIcon: 'mdi-docker',
-        triggerInclude: 'discord.default:major',
-      });
-
-      expect(result.includeTags).toBe('^stable$');
-      expect(result.displayName).toBe('HA Label Name');
-      expect(result.displayIcon).toBe('mdi-docker');
-      expect(result.triggerInclude).toBe('discord.default:major');
-      expect(result.linkTemplate).toBe(
-        'https://www.home-assistant.io/changelogs/core-${major}${minor}${patch}',
-      );
-    });
-
-    test('should apply tagFamily from container labels', async () => {
-      const container = await setupContainerDetailTest(docker, {
-        container: {
-          Image: 'docker.io/library/nginx:1.0.0',
-          Names: ['/nginx'],
-          Labels: { 'dd.tag.family': 'loose' },
-        },
-        parsedImage: { domain: 'docker.io', path: 'library/nginx', tag: '1.0.0' },
-      });
-
-      const result = await docker.addImageDetailsToContainer(container);
-
-      expect(result.tagFamily).toBe('loose');
-    });
-
-    test('should apply imgset tagFamily when label is missing', async () => {
-      const container = await setupContainerDetailTest(docker, {
-        registerConfig: {
-          imgset: {
-            nginx: {
-              image: 'library/nginx',
-              tag: { family: 'loose' },
-            },
-          },
-        },
-        container: {
-          Image: 'docker.io/library/nginx:1.0.0',
-          Names: ['/nginx'],
-        },
-        parsedImage: { domain: 'docker.io', path: 'library/nginx', tag: '1.0.0' },
-      });
-
-      const result = await docker.addImageDetailsToContainer(container);
-
-      expect(result.tagFamily).toBe('loose');
-    });
-
-    test('should apply imgset watchDigest when label is missing', async () => {
-      const watchDigestImgset = {
-        customregistry: {
-          image: 'ghcr.io/home-assistant/home-assistant',
-          watch: { digest: 'true' },
-        },
-      };
-      const container = await setupContainerDetailTest(docker, {
-        registerConfig: { imgset: watchDigestImgset },
-        container: {
-          Image: 'ghcr.io/home-assistant/home-assistant:2026.2.1',
-          Names: ['/homeassistant'],
-        },
-        imageDetails: {
-          Variant: 'v8',
-          RepoDigests: ['ghcr.io/home-assistant/home-assistant@sha256:abc123'],
-        },
-        parseImpl: createHaParseMock(),
-        semverValue: { major: 2026, minor: 2, patch: 1 },
-        registryId: 'ghcr',
-      });
-
-      const result = await docker.addImageDetailsToContainer(container);
-
-      expect(result.image.digest.watch).toBe(true);
-    });
-
-    test('should let dd.watch.digest label override imgset watchDigest', async () => {
-      const watchDigestImgset = {
-        customregistry: {
-          image: 'ghcr.io/home-assistant/home-assistant',
-          watch: { digest: 'true' },
-        },
-      };
-      const container = await setupContainerDetailTest(docker, {
-        registerConfig: { imgset: watchDigestImgset },
-        container: {
-          Image: 'ghcr.io/home-assistant/home-assistant:2026.2.1',
-          Names: ['/homeassistant'],
-          Labels: { 'dd.watch.digest': 'false' },
-        },
-        imageDetails: {
-          Variant: 'v8',
-          RepoDigests: ['ghcr.io/home-assistant/home-assistant@sha256:abc123'],
-        },
-        parseImpl: createHaParseMock(),
-        semverValue: { major: 2026, minor: 2, patch: 1 },
-        registryId: 'ghcr',
-      });
-
-      const result = await docker.addImageDetailsToContainer(container);
-
-      // Label says false, overriding imgset's true
-      expect(result.image.digest.watch).toBe(false);
-    });
-
-    test('should apply imgset inspectTagPath when label is missing', async () => {
-      const container = await setupContainerDetailTest(docker, {
-        registerConfig: {
-          imgset: {
-            haos: {
-              image: 'ghcr.io/home-assistant/home-assistant',
-              inspect: {
-                tag: { path: 'Config/Labels/org.opencontainers.image.version' },
-              },
-            },
-          },
-        },
-        container: {
-          Image: 'ghcr.io/home-assistant/home-assistant:stable',
-          Names: ['/homeassistant'],
-        },
-        imageDetails: {
-          Variant: 'v8',
-          RepoDigests: ['ghcr.io/home-assistant/home-assistant@sha256:abc123'],
-          Config: {
-            Labels: { 'org.opencontainers.image.version': '2026.2.1' },
-          },
-        },
-        parseImpl: createHaParseMock(),
-        semverValue: { major: 2026, minor: 2, patch: 1, version: '2026.2.1' },
-        registryId: 'ghcr',
-      });
-      mockTag.transform.mockImplementation((_transform, value) => value);
-
-      const result = await docker.addImageDetailsToContainer(container);
-
-      // The tag should be resolved from the inspect path via imgset
-      expect(result.image.tag.value).toBe('2026.2.1');
-    });
-
-    test('should not apply imgset when image does not match any preset', async () => {
-      const container = await setupContainerDetailTest(docker, {
-        registerConfig: {
-          imgset: {
-            homeassistant: {
-              image: 'ghcr.io/home-assistant/home-assistant',
-              tag: { include: String.raw`^\d+\.\d+\.\d+$` },
-              display: { name: 'Home Assistant', icon: 'mdi-home-assistant' },
-            },
-          },
-        },
-        container: {
-          Id: '456',
-          Image: 'nginx:1.25.0',
-          Names: ['/nginx'],
-        },
-        imageDetails: {
-          Id: 'image456',
-          RepoDigests: ['nginx@sha256:def456'],
-        },
-        parseImpl: (value) => {
-          if (value === 'nginx:1.25.0')
-            return { domain: undefined, path: 'library/nginx', tag: '1.25.0' };
-          if (value === 'ghcr.io/home-assistant/home-assistant')
-            return { domain: 'ghcr.io', path: 'home-assistant/home-assistant' };
-          return { domain: undefined, path: 'library/nginx', tag: '1.25.0' };
-        },
-        semverValue: { major: 1, minor: 25, patch: 0 },
-      });
-
-      const result = await docker.addImageDetailsToContainer(container);
-
-      // No imgset should be applied - fields should be undefined
-      expect(result.includeTags).toBeUndefined();
-      expect(result.displayName).toBe('nginx');
-      expect(result.displayIcon).toBeUndefined();
-    });
-
-    test('should pick the most specific imgset when multiple match', async () => {
-      const container = await setupContainerDetailTest(docker, {
-        registerConfig: {
-          imgset: {
-            generic: { image: 'nginx', display: { name: 'Generic Nginx', icon: 'mdi-web' } },
-            specific: {
-              image: 'harbor.example.com/library/nginx',
-              display: { name: 'Harbor Nginx', icon: 'mdi-web-lock' },
-            },
-          },
-        },
-        container: {
-          Id: '789',
-          Image: 'harbor.example.com/library/nginx:1.25.0',
-          Names: ['/mynginx'],
-        },
-        imageDetails: {
-          Id: 'image789',
-          RepoDigests: ['harbor.example.com/library/nginx@sha256:ghi789'],
-        },
-        parseImpl: (value) => {
-          if (value === 'harbor.example.com/library/nginx:1.25.0')
-            return { domain: 'harbor.example.com', path: 'library/nginx', tag: '1.25.0' };
-          if (value === 'harbor.example.com/library/nginx')
-            return { domain: 'harbor.example.com', path: 'library/nginx' };
-          if (value === 'nginx') return { domain: undefined, path: 'nginx' };
-          return { domain: undefined, path: value };
-        },
-        semverValue: { major: 1, minor: 25, patch: 0 },
-        registryId: 'harbor',
-      });
-
-      const result = await docker.addImageDetailsToContainer(container);
-
-      // The more specific imgset (harbor.example.com/library/nginx) should win
-      expect(result.displayIcon).toBe('mdi-web-lock');
-    });
-
-    test('should validate configuration with imgset watchDigest and inspectTagPath', async () => {
-      const config = {
-        socket: '/var/run/docker.sock',
-        imgset: {
-          homeassistant: {
-            image: 'ghcr.io/home-assistant/home-assistant',
-            watch: {
-              digest: 'true',
-            },
-            inspect: {
-              tag: {
-                path: 'Config/Labels/org.opencontainers.image.version',
-              },
-            },
-          },
-        },
-      };
-      expect(() => docker.validateConfiguration(config)).not.toThrow();
-    });
-
-    test('should use lookup image label for registry matching', async () => {
-      const harborHubState = createHarborHubRegistryState();
-      const container = await setupContainerDetailTest(docker, {
-        container: {
-          Image: 'harbor.example.com/dockerhub-proxy/traefik:v3.5.3',
-          Names: ['/traefik'],
-          Labels: { 'dd.registry.lookup.image': 'library/traefik' },
-        },
-        imageDetails: {
-          RepoDigests: ['harbor.example.com/dockerhub-proxy/traefik@sha256:abc123'],
-        },
-        parseImpl: (value) => {
-          if (value === 'harbor.example.com/dockerhub-proxy/traefik:v3.5.3')
-            return { domain: 'harbor.example.com', path: 'dockerhub-proxy/traefik', tag: 'v3.5.3' };
-          if (value === 'library/traefik') return { path: 'library/traefik' };
-          return { domain: 'docker.io', path: 'library/nginx', tag: '1.0.0' };
-        },
-        semverValue: { major: 3, minor: 5, patch: 3 },
-        registryState: harborHubState,
-      });
-
-      const result = await docker.addImageDetailsToContainer(container);
-
-      expect(result.image.registry.name).toBe('hub');
-      expect(result.image.registry.url).toBe('https://registry-1.docker.io/v2');
-      expect(result.image.registry.lookupImage).toBe('library/traefik');
-      expect(result.image.name).toBe('library/traefik');
-    });
-
-    test('should support legacy lookup url label without crashing', async () => {
-      const harborHubState = createHarborHubRegistryState();
-      const container = await setupContainerDetailTest(docker, {
-        container: {
-          Image: 'harbor.example.com/dockerhub-proxy/traefik:v3.5.3',
-          Names: ['/traefik'],
-          Labels: { 'dd.registry.lookup.url': 'https://registry-1.docker.io' },
-        },
-        imageDetails: {
-          RepoDigests: ['harbor.example.com/dockerhub-proxy/traefik@sha256:abc123'],
-        },
-        parsedImage: {
-          domain: 'harbor.example.com',
-          path: 'dockerhub-proxy/traefik',
-          tag: 'v3.5.3',
-        },
-        semverValue: { major: 3, minor: 5, patch: 3 },
-        registryState: harborHubState,
-      });
-
-      const result = await docker.addImageDetailsToContainer(container);
-
-      expect(result.image.registry.name).toBe('hub');
-      expect(result.image.registry.lookupImage).toBe('https://registry-1.docker.io');
-      expect(result.image.name).toBe('dockerhub-proxy/traefik');
-    });
-
-    test('should handle container with implicit docker hub image (no domain)', async () => {
-      const container = await setupContainerDetailTest(docker, {
-        container: {
-          Image: 'prom/prometheus:v3.8.0',
-          Names: ['/prometheus'],
-        },
-        imageDetails: { RepoTags: ['prom/prometheus:v3.8.0'] },
-        parsedImage: { domain: undefined, path: 'prom/prometheus', tag: 'v3.8.0' },
-        validateImpl: () => ({
-          id: '123',
-          name: 'prometheus',
-          image: { architecture: 'amd64' },
-        }),
-      });
-
-      const result = await docker.addImageDetailsToContainer(container);
-
-      expect(result).toBeDefined();
-      // Verify parse was called
-      expect(mockParse).toHaveBeenCalledWith('prom/prometheus:v3.8.0');
-    });
-
-    test('should fail implicit docker hub image normalization when hub registry provider is missing', async () => {
-      const container = await setupContainerDetailTest(docker, {
-        container: {
-          Image: 'nginx:1.25.5',
-          Names: ['/hub-proof'],
-        },
-        parsedImage: { domain: undefined, path: 'library/nginx', tag: '1.25.5' },
-        registryState: {},
-        validateImpl: (containerCandidate) => {
-          if (!containerCandidate.image.registry.url) {
-            throw new Error('"image.registry.url" is required');
-          }
-          return containerCandidate;
-        },
-      });
-
-      await expect(docker.addImageDetailsToContainer(container)).rejects.toThrow(
-        '"image.registry.url" is required',
-      );
-    });
-
-    test('should keep implicit docker hub image tracking when hub registry provider is available', async () => {
-      const container = await setupContainerDetailTest(docker, {
-        container: {
-          Image: 'nginx:1.25.5',
-          Names: ['/hub-proof'],
-        },
-        parsedImage: { domain: undefined, path: 'library/nginx', tag: '1.25.5' },
-        registryState: createHarborHubRegistryState(),
-        validateImpl: (containerCandidate) => {
-          if (!containerCandidate.image.registry.url) {
-            throw new Error('"image.registry.url" is required');
-          }
-          return containerCandidate;
-        },
-      });
-
-      const result = await docker.addImageDetailsToContainer(container);
-
-      expect(result.image.registry.name).toBe('hub');
-      expect(result.image.registry.url).toBe('https://registry-1.docker.io/v2');
-    });
-
-    test('should handle container with SHA256 image', async () => {
-      const container = await setupContainerDetailTest(docker, {
-        container: {
-          Image: 'sha256:abcdef123456',
-          Names: ['/test'],
-        },
-        imageDetails: { RepoTags: ['nginx:latest'] },
-        validateImpl: () => ({
-          id: '123',
-          name: 'test',
-          image: { architecture: 'amd64' },
-        }),
-      });
-
-      const result = await docker.addImageDetailsToContainer(container);
-
-      expect(result).toBeDefined();
-    });
-
-    test('should handle container with no repo tags', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      docker.log = createMockLog(['warn']);
-      const container = createDockerContainer({
-        Image: 'sha256:abcdef123456',
-        Names: ['/test'],
-      });
-      mockImage.inspect.mockResolvedValue({ RepoTags: [] });
-
-      const result = await docker.addImageDetailsToContainer(container);
-
-      expect(docker.log.warn).toHaveBeenCalledWith(
-        expect.stringContaining('Cannot get a reliable tag'),
-      );
-      expect(result).toBeUndefined();
-    });
-
-    test('should warn for non-semver without digest watching', async () => {
-      const container = await setupContainerDetailTest(docker, {
-        container: {
-          Image: 'nginx:latest',
-          Names: ['/test'],
-        },
-        semverValue: null,
-        validateImpl: () => ({
-          id: '123',
-          name: 'test',
-          image: { architecture: 'amd64' },
-        }),
-      });
-
-      const result = await docker.addImageDetailsToContainer(container);
-
-      expect(result).toBeDefined();
-    });
-
-    test('should use inspect path semver when dd.inspect.tag.path is set', async () => {
-      const container = await setupContainerDetailTest(docker, {
-        container: {
-          Image: 'ghcr.io/example/service:latest',
-          Names: ['/service'],
-          Labels: {
-            'dd.inspect.tag.path': 'Config/Labels/org.opencontainers.image.version',
-          },
-        },
-        imageDetails: {
-          Config: {
-            Labels: { 'org.opencontainers.image.version': '2.7.5' },
-          },
-        },
-        parsedImage: { domain: 'ghcr.io', path: 'example/service', tag: 'latest' },
-        semverValue: null, // will be overridden below
-      });
-      mockTag.parse.mockImplementation((tag) => (tag === '2.7.5' ? { version: '2.7.5' } : null));
-
-      const result = await docker.addImageDetailsToContainer(container);
-
-      expect(result.image.tag.value).toBe('2.7.5');
-      expect(result.image.tag.semver).toBe(true);
-    });
-
-    test('should fall back to parsed image tag when inspect path is missing', async () => {
-      const container = await setupContainerDetailTest(docker, {
-        container: {
-          Image: 'ghcr.io/example/service:latest',
-          Names: ['/service'],
-          Labels: {
-            'dd.inspect.tag.path': 'Config/Labels/org.opencontainers.image.version',
-          },
-        },
-        imageDetails: { Config: { Labels: {} } },
-        parsedImage: { domain: 'ghcr.io', path: 'example/service', tag: 'latest' },
-        semverValue: null,
-      });
-
-      const result = await docker.addImageDetailsToContainer(container);
-
-      expect(result.image.tag.value).toBe('latest');
-      expect(result.image.tag.semver).toBe(false);
-    });
-
-    test('should return a clear error when image inspection fails', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      const container = createDockerContainer({
-        Image: 'ghcr.io/example/service:latest',
-        Names: ['/service'],
-      });
-      mockImage.inspect.mockRejectedValue(new Error('inspect failed'));
-
-      await expect(docker.addImageDetailsToContainer(container)).rejects.toThrow(
-        'Unable to inspect image for container 123: inspect failed',
-      );
-    });
-  });
-
-  describe('Container Reporting', () => {
-    test('should map container to report for new container', async () => {
-      const container = { id: '123', name: 'test' };
-      docker.log = createMockLogWithChild(['debug']);
-      storeContainer.getContainer.mockReturnValue(undefined);
-      storeContainer.insertContainer.mockReturnValue(container);
-
-      const result = docker.mapContainerToContainerReport(container);
-
-      expect(result.changed).toBe(true);
-      expect(storeContainer.insertContainer).toHaveBeenCalledWith(container);
-    });
-
-    test('should map container to report for existing container', async () => {
-      const container = {
-        id: '123',
-        name: 'test',
-        updateAvailable: true,
-      };
-      const existingContainer = {
-        resultChanged: vi.fn().mockReturnValue(true),
-      };
-      docker.log = createMockLogWithChild(['debug']);
-      storeContainer.getContainer.mockReturnValue(existingContainer);
-      storeContainer.updateContainer.mockReturnValue(container);
-
-      const result = docker.mapContainerToContainerReport(container);
-
-      expect(result.changed).toBe(true);
-      expect(storeContainer.updateContainer).toHaveBeenCalledWith(container);
-    });
-
-    test('should not mark as changed when no update available', async () => {
-      const container = {
-        id: '123',
-        name: 'test',
-        updateAvailable: false,
-      };
-      const existingContainer = {
-        resultChanged: vi.fn().mockReturnValue(true),
-      };
-      docker.log = createMockLogWithChild(['debug']);
-      storeContainer.getContainer.mockReturnValue(existingContainer);
-      storeContainer.updateContainer.mockReturnValue(container);
-
-      const result = docker.mapContainerToContainerReport(container);
-
-      expect(result.changed).toBe(false);
-    });
-  });
-
-  describe('Utility Functions', () => {
-    test('should get tag candidates with include filter', async () => {
-      const tags = ['v1.0.0', 'latest', 'v2.0.0', 'beta'];
-      const filtered = tags.filter((tag) => /^v\d+/.test(tag));
-      expect(filtered).toEqual(['v1.0.0', 'v2.0.0']);
-    });
-
-    test('should get container name and strip slash', async () => {
-      const container = { Names: ['/test-container'] };
-      const name = container.Names[0].replace(/\//, '');
-      expect(name).toBe('test-container');
-    });
-
-    test('should get repo digest from image', async () => {
-      const image = { RepoDigests: ['nginx@sha256:abc123def456'] };
-      const digest = image.RepoDigests[0].split('@')[1];
-      expect(digest).toBe('sha256:abc123def456');
-    });
-
-    test('should handle empty repo digests', async () => {
-      const image = { RepoDigests: [] };
-      expect(image.RepoDigests.length).toBe(0);
-    });
-
-    test('should get old containers for pruning', async () => {
-      const newContainers = [{ id: '1' }, { id: '2' }];
-      const storeContainers = [{ id: '1' }, { id: '3' }];
-
-      const oldContainers = storeContainers.filter((storeContainer) => {
-        const stillExists = newContainers.find(
-          (newContainer) => newContainer.id === storeContainer.id,
-        );
-        return stillExists === undefined;
-      });
-
-      expect(oldContainers).toEqual([{ id: '3' }]);
-    });
-
-    test('should handle null inputs for old containers', async () => {
-      expect([].filter(() => false)).toEqual([]);
-    });
-  });
-
-  describe('Additional Coverage - safeRegExp', () => {
-    test('should warn when includeTags regex is invalid', async () => {
-      const container = {
-        includeTags: '[invalid',
-        image: {
-          registry: { name: 'hub' },
-          tag: { value: '1.0.0', semver: true },
-          digest: { watch: false },
-        },
-      };
-      registry.getState.mockReturnValue({
-        registry: { hub: { getTags: vi.fn().mockResolvedValue(['1.0.0', '2.0.0']) } },
-      });
-      const logChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
-      const result = await docker.findNewVersion(container, logChild);
-      expect(logChild.warn).toHaveBeenCalledWith(expect.stringContaining('Invalid regex pattern'));
-      expect(result.tag).toBe('1.0.0');
-    });
-
-    test('should warn when excludeTags regex is invalid', async () => {
-      const container = {
-        excludeTags: '(unclosed',
-        image: {
-          registry: { name: 'hub' },
-          tag: { value: '1.0.0', semver: true },
-          digest: { watch: false },
-        },
-      };
-      registry.getState.mockReturnValue({
-        registry: { hub: { getTags: vi.fn().mockResolvedValue(['1.0.0', '2.0.0']) } },
-      });
-      mockTag.isGreater.mockReturnValue(true);
-      const logChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
-      await docker.findNewVersion(container, logChild);
-      expect(logChild.warn).toHaveBeenCalledWith(expect.stringContaining('Invalid regex pattern'));
-    });
-  });
-
-  describe('Additional Coverage - filterByCurrentPrefix', () => {
-    test('should warn when no tags match prefix', async () => {
-      const container = {
-        image: {
-          registry: { name: 'hub' },
-          tag: { value: 'v1.0.0', semver: true },
-          digest: { watch: false },
-        },
-      };
-      registry.getState.mockReturnValue({
-        registry: { hub: { getTags: vi.fn().mockResolvedValue(['2.0.0']) } },
-      });
-      const logChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
-      await docker.findNewVersion(container, logChild);
-      expect(logChild.warn).toHaveBeenCalledWith(
-        expect.stringContaining('No tags found with existing prefix'),
-      );
-    });
-
-    test('should warn when no tags start with a number', async () => {
-      const container = {
-        image: {
-          registry: { name: 'hub' },
-          tag: { value: '1.0.0', semver: true },
-          digest: { watch: false },
-        },
-      };
-      registry.getState.mockReturnValue({
-        registry: { hub: { getTags: vi.fn().mockResolvedValue(['latest', 'stable']) } },
-      });
-      const logChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
-      await docker.findNewVersion(container, logChild);
-      expect(logChild.warn).toHaveBeenCalledWith(
-        expect.stringContaining('No tags found starting with a number'),
-      );
-    });
-  });
-
-  describe('Additional Coverage - getTagCandidates empty', () => {
-    test('should warn when no tags after include filter', async () => {
-      const container = {
-        includeTags: '^nonexistent$',
-        image: {
-          registry: { name: 'hub' },
-          tag: { value: '1.0.0', semver: true },
-          digest: { watch: false },
-        },
-      };
-      registry.getState.mockReturnValue({
-        registry: { hub: { getTags: vi.fn().mockResolvedValue(['1.0.0', '2.0.0']) } },
-      });
-      const logChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
-      await docker.findNewVersion(container, logChild);
-      expect(logChild.warn).toHaveBeenCalledWith(
-        expect.stringContaining('No tags found after filtering'),
-      );
-    });
-  });
-
-  describe('Additional Coverage - applyRemoteAuthHeaders', () => {
-    test('should keep remote watcher registered in blocked mode when credentials are incomplete', async () => {
-      // Bypass validation by setting configuration directly after register
-      await docker.register('watcher', 'docker', 'test', {
-        host: 'localhost',
-        port: 443,
-        protocol: 'https',
-      });
-      docker.configuration.auth = { type: '' };
-      docker.initWatcher();
-      expect(docker.remoteAuthBlockedReason).toBe(
-        'Unable to authenticate remote watcher test: credentials are incomplete',
-      );
-    });
-
-    test('should keep remote watcher registered in blocked mode when basic auth credentials are missing', async () => {
-      await docker.register('watcher', 'docker', 'test', {
-        host: 'localhost',
-        port: 443,
-        protocol: 'https',
-      });
-      // Need hasOidcConfig to bypass first guard, but authType=basic to reach the basic-incomplete path
-      docker.configuration.auth = { type: 'basic', oidc: { tokenurl: 'https://idp/token' } };
-      docker.initWatcher();
-      expect(docker.remoteAuthBlockedReason).toBe(
-        'Unable to authenticate remote watcher test: basic credentials are incomplete',
-      );
-    });
-
-    test('should keep remote watcher registered in blocked mode when bearer token is missing', async () => {
-      await docker.register('watcher', 'docker', 'test', {
-        host: 'localhost',
-        port: 443,
-        protocol: 'https',
-      });
-      // Need hasOidcConfig to bypass first guard, but authType=bearer to reach the bearer-missing path
-      docker.configuration.auth = { type: 'bearer', oidc: { tokenurl: 'https://idp/token' } };
-      docker.initWatcher();
-      expect(docker.remoteAuthBlockedReason).toBe(
-        'Unable to authenticate remote watcher test: bearer token is missing',
-      );
-    });
-
-    test('should keep remote watcher registered in blocked mode when auth type is unsupported', async () => {
-      await docker.register('watcher', 'docker', 'test', {
-        host: 'localhost',
-        port: 443,
-        protocol: 'https',
-      });
-      docker.configuration.auth = { type: 'custom', user: 'x', password: 'y' };
-      docker.initWatcher();
-      expect(docker.remoteAuthBlockedReason).toBe(
-        'Unable to authenticate remote watcher test: auth type "custom" is unsupported',
-      );
-    });
-
-    test('should warn and continue when auth.insecure=true and credentials are incomplete', async () => {
-      await docker.register('watcher', 'docker', 'test', {
-        host: 'localhost',
-        port: 443,
-        protocol: 'https',
-      });
-      docker.configuration.auth = { type: '', insecure: true };
-      const logMock = createMockLog(['warn', 'info', 'debug']);
-      docker.log = logMock;
-      docker.initWatcher();
-      expect(docker.remoteAuthBlockedReason).toBeUndefined();
-      expect(logMock.warn).toHaveBeenCalledWith(
-        expect.stringContaining('continuing because auth.insecure=true'),
-      );
-    });
-
-    test('should block getContainers when watcher auth is blocked', async () => {
-      await docker.register('watcher', 'docker', 'test', {
-        host: 'localhost',
-        port: 443,
-        protocol: 'https',
-      });
-      docker.configuration.auth = { type: '' };
-      docker.initWatcher();
-      mockDockerApi.listContainers.mockResolvedValue([]);
-
-      await expect(docker.getContainers()).rejects.toThrow('credentials are incomplete');
-      expect(mockDockerApi.listContainers).not.toHaveBeenCalled();
-    });
-  });
-
-  describe('Additional Coverage - getRemoteAuthResolution auto-detect', () => {
-    test('should auto-detect bearer, basic, and oidc auth types', async () => {
-      await docker.register('watcher', 'docker', 'test', {
-        host: 'localhost',
-        port: 443,
-        protocol: 'https',
-        auth: { bearer: 'tok' },
-      });
-      expect(docker.getRemoteAuthResolution(docker.configuration.auth).authType).toBe('bearer');
-
-      await docker.register('watcher', 'docker', 'test', {
-        host: 'localhost',
-        port: 443,
-        protocol: 'https',
-        auth: { user: 'j', password: 'd' },
-      });
-      expect(docker.getRemoteAuthResolution(docker.configuration.auth).authType).toBe('basic');
-
-      await docker.register('watcher', 'docker', 'test', {
-        host: 'localhost',
-        port: 443,
-        protocol: 'https',
-        auth: { oidc: { tokenurl: 'https://idp/token' } },
-      });
-      expect(docker.getRemoteAuthResolution(docker.configuration.auth).authType).toBe('oidc');
-    });
-  });
-
-  describe('Additional Coverage - OIDC edge cases', () => {
-    test('should throw when token endpoint missing', async () => {
-      await docker.register('watcher', 'docker', 'test', {
-        host: 'localhost',
-        port: 443,
-        protocol: 'https',
-        auth: { type: 'oidc', oidc: {} },
-      });
-      await expect(refreshRemoteOidcAccessToken(createDockerOidcContext(docker))).rejects.toThrow(
-        'missing auth.oidc token endpoint',
-      );
-    });
-
-    test('should fallback for missing refresh token and unsupported grant', async () => {
-      await docker.register('watcher', 'docker', 'test', {
-        host: 'localhost',
-        port: 443,
-        protocol: 'https',
-        auth: { type: 'oidc', oidc: { tokenurl: 'https://idp/token', granttype: 'refresh_token' } },
-      });
-      const logMock = createMockLog(['warn', 'info', 'debug']);
-      docker.log = logMock;
-      await refreshRemoteOidcAccessToken(createDockerOidcContext(docker));
-      expect(logMock.warn).toHaveBeenCalledWith(
-        expect.stringContaining('refresh token is missing'),
-      );
-    });
-
-    test('should throw when token response has no access_token', async () => {
-      mockAxios.post.mockResolvedValue({ data: {} } as any);
-      await docker.register('watcher', 'docker', 'test', {
-        host: 'localhost',
-        port: 443,
-        protocol: 'https',
-        auth: { type: 'oidc', oidc: { tokenurl: 'https://idp/token' } },
-      });
-      await expect(refreshRemoteOidcAccessToken(createDockerOidcContext(docker))).rejects.toThrow(
-        'does not contain access_token',
-      );
+      await expect(refreshRemoteOidcAccessToken(createDockerOidcContext(docker))).rejects.toThrow(
+        'does not contain access_token',
+      );
     });
 
     test('should fallback when grant type is unsupported', async () => {
@@ -4291,407 +1371,14 @@ describe('Docker Watcher', () => {
         auth: {
           type: 'oidc',
           oidc: {
-            tokenurl: 'https://idp/token',
-            clientid: 'c1',
-            resource: 'https://api.example.com',
-          },
-        },
-      });
-      await docker.getContainers();
-      expect(mockAxios.post.mock.calls[0][1]).toContain('resource=https%3A%2F%2Fapi.example.com');
-    });
-  });
-
-  describe('Additional Coverage - ensureRemoteAuthHeaders and listenDockerEvents', () => {
-    test('should fail closed when OIDC auth is configured without HTTPS', async () => {
-      await docker.register('watcher', 'docker', 'test', {
-        host: 'localhost',
-        port: 2375,
-        protocol: 'http',
-      });
-      docker.configuration.auth = { type: 'oidc', oidc: { tokenurl: 'https://idp/token' } };
-      await expect(docker.ensureRemoteAuthHeaders()).rejects.toThrow(
-        'HTTPS is required for OIDC auth',
-      );
-      expect(mockAxios.post).not.toHaveBeenCalled();
-    });
-
-    test('should allow non-HTTPS OIDC fallback when auth.insecure=true', async () => {
-      await docker.register('watcher', 'docker', 'test', {
-        host: 'localhost',
-        port: 2375,
-        protocol: 'http',
-      });
-      docker.configuration.auth = {
-        type: 'oidc',
-        insecure: true,
-        oidc: { tokenurl: 'https://idp/token' },
-      };
-      const logMock = createMockLog(['warn', 'info', 'debug']);
-      docker.log = logMock;
-      await docker.ensureRemoteAuthHeaders();
-      expect(mockAxios.post).not.toHaveBeenCalled();
-      expect(logMock.warn).toHaveBeenCalledWith(
-        expect.stringContaining('continuing because auth.insecure=true'),
-      );
-    });
-
-    test('should warn when ensureRemoteAuthHeaders fails in listenDockerEvents', async () => {
-      await docker.register('watcher', 'docker', 'test', {
-        host: 'localhost',
-        port: 443,
-        protocol: 'https',
-        auth: { type: 'oidc', oidc: { tokenurl: 'https://idp/token' } },
-      });
-      mockAxios.post.mockRejectedValue(new Error('Network error'));
-      const logMock = createMockLog(['warn', 'info', 'debug']);
-      docker.log = logMock;
-      await docker.listenDockerEvents();
-      expect(logMock.warn).toHaveBeenCalledWith(
-        expect.stringContaining('Unable to initialize remote watcher auth'),
-      );
-    });
-
-    test('should return early when ensureLogger produces a non-functional log', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      // Override ensureLogger to set a log that lacks info()
-      docker.ensureLogger = () => {
-        docker.log = {};
-      };
-      await docker.listenDockerEvents();
-      expect(mockDockerApi.getEvents).not.toHaveBeenCalled();
-    });
-
-    test('should expose and update deviceCodeCompleted through OIDC state adapter accessors', async () => {
-      await docker.register('watcher', 'docker', 'test', createOidcConfig());
-      docker.remoteOidcDeviceCodeCompleted = true;
-
-      const state = (docker as any).getOidcStateAdapter();
-      expect(state.deviceCodeCompleted).toBe(true);
-
-      state.deviceCodeCompleted = false;
-      expect(docker.remoteOidcDeviceCodeCompleted).toBe(false);
-    });
-
-    test('should throw when OIDC refresh succeeds without returning an access token', async () => {
-      await docker.register('watcher', 'docker', 'test', createOidcConfig());
-      docker.remoteOidcAccessToken = undefined;
-      docker.remoteOidcAccessTokenExpiresAt = 0;
-      const refreshSpy = vi
-        .spyOn(oidcModule, 'refreshRemoteOidcAccessToken')
-        .mockResolvedValue(undefined as any);
-
-      try {
-        await expect(docker.ensureRemoteAuthHeaders()).rejects.toThrow(
-          'no OIDC access token available',
-        );
-      } finally {
-        refreshSpy.mockRestore();
-      }
-    });
-
-    test('listenDockerEvents should return early when watchevents is disabled', async () => {
-      await docker.register('watcher', 'docker', 'test', { watchevents: false });
-      docker.isDockerEventsListenerActive = true;
-
-      await docker.listenDockerEvents();
-
-      expect(mockDockerApi.getEvents).not.toHaveBeenCalled();
-    });
-
-    test('listenDockerEvents should clear stale reconnect timeout before opening stream', async () => {
-      await docker.register('watcher', 'docker', 'test', { watchevents: true });
-      docker.isDockerEventsListenerActive = true;
-      const reconnectTimeout = setTimeout(() => {}, 10_000) as any;
-      docker.dockerEventsReconnectTimeout = reconnectTimeout;
-      const clearTimeoutSpy = vi.spyOn(globalThis, 'clearTimeout');
-      vi.spyOn(docker, 'ensureRemoteAuthHeaders').mockResolvedValue(undefined);
-      mockDockerApi.getEvents.mockRejectedValueOnce(new Error('events failed'));
-
-      await docker.listenDockerEvents();
-
-      expect(clearTimeoutSpy).toHaveBeenCalledWith(reconnectTimeout);
-      clearTimeoutSpy.mockRestore();
-      clearTimeout(reconnectTimeout);
-    });
-  });
-
-  describe('Additional Coverage - processDockerEventPayload', () => {
-    test('should treat empty payload as processed', async () => {
-      docker.log = createMockLog(['debug']);
-      expect(await docker.processDockerEventPayload('   ')).toBe(true);
-    });
-
-    test('should return false for recoverable partial JSON when flag is set', async () => {
-      docker.log = createMockLog(['debug']);
-      // Use a payload that gives "Unexpected end of JSON input"
-      const result = await docker.processDockerEventPayload('{"Action":"cre', true);
-      expect(result).toBe(false);
-    });
-
-    test('should return true for non-recoverable JSON error', async () => {
-      docker.log = createMockLog(['debug']);
-      expect(await docker.processDockerEventPayload('not-json-at-all', true)).toBe(true);
-    });
-  });
-
-  describe('Additional Coverage - updateContainerFromInspect', () => {
-    test('should update labels and custom display name on events', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      docker.log = createMockLogWithChild(['info']);
-      const existing = {
-        id: 'c1',
-        name: 'mycontainer',
-        displayName: 'mycontainer',
-        status: 'running',
-        labels: { old: 'label' },
-        image: { name: 'library/nginx' },
-      };
-      storeContainer.getContainer.mockReturnValue(existing);
-      mockContainer.inspect.mockResolvedValue({
-        Name: '/mycontainer',
-        State: { Status: 'running' },
-        Config: { Labels: { 'dd.display.name': 'Custom Name', new: 'label' } },
-      });
-      await docker.onDockerEvent(Buffer.from('{"Action":"update","id":"c1"}\n'));
-      expect(existing.labels).toEqual({ 'dd.display.name': 'Custom Name', new: 'label' });
-      expect(existing.displayName).toBe('Custom Name');
-      expect(storeContainer.updateContainer).toHaveBeenCalledWith(existing);
-    });
-
-    test('should not update when custom display name label matches existing value', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      docker.log = createMockLogWithChild(['info']);
-      const existing = {
-        id: 'c1',
-        name: 'mycontainer',
-        displayName: 'Custom Name',
-        status: 'running',
-        labels: { 'dd.display.name': 'Custom Name' },
-        image: { name: 'library/nginx' },
-      };
-      storeContainer.getContainer.mockReturnValue(existing);
-      mockContainer.inspect.mockResolvedValue({
-        Name: '/mycontainer',
-        State: { Status: 'running' },
-        Config: { Labels: { 'dd.display.name': 'Custom Name' } },
-      });
-
-      await docker.onDockerEvent(Buffer.from('{"Action":"update","id":"c1"}\n'));
-
-      expect(storeContainer.updateContainer).not.toHaveBeenCalled();
-    });
-
-    test('should update runtime details when inspect metadata changes', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      docker.log = createMockLogWithChild(['info']);
-      const existing = {
-        id: 'c1',
-        name: 'mycontainer',
-        displayName: 'mycontainer',
-        status: 'running',
-        labels: {},
-        image: { name: 'library/nginx' },
-        details: {
-          ports: ['80/tcp'],
-          volumes: [],
-          env: [],
-        },
-      };
-      storeContainer.getContainer.mockReturnValue(existing);
-      mockContainer.inspect.mockResolvedValue({
-        Name: '/mycontainer',
-        State: { Status: 'running' },
-        Config: { Labels: {}, Env: ['APP_ENV=prod'] },
-        NetworkSettings: { Ports: { '80/tcp': [{ HostIp: '0.0.0.0', HostPort: '8080' }] } },
-        Mounts: [{ Source: '/srv/data', Destination: '/data', RW: true }],
-      });
-
-      await docker.onDockerEvent(Buffer.from('{"Action":"update","id":"c1"}\n'));
-
-      expect(existing.details).toEqual({
-        ports: ['0.0.0.0:8080->80/tcp'],
-        volumes: ['/srv/data:/data'],
-        env: [{ key: 'APP_ENV', value: 'prod' }],
-      });
-      expect(storeContainer.updateContainer).toHaveBeenCalledWith(existing);
-    });
-  });
-
-  describe('Additional Coverage - watchFromCron and getContainers', () => {
-    test('should return empty when log is missing', async () => {
-      await docker.register('watcher', 'docker', 'test', { cron: '0 * * * *' });
-      docker.log = null;
-      expect(await docker.watchFromCron()).toEqual([]);
-    });
-
-    test('should filter out containers when addImageDetailsToContainer throws', async () => {
-      mockDockerApi.listContainers.mockResolvedValue([
-        { Id: '1', Labels: { 'dd.watch': 'true' }, Names: ['/test1'] },
-      ]);
-      docker.addImageDetailsToContainer = vi
-        .fn()
-        .mockRejectedValue(new Error('Image inspect failed'));
-      await docker.register('watcher', 'docker', 'test', { watchbydefault: true });
-      docker.log = createMockLog(['warn', 'info', 'debug']);
-      const result = await docker.getContainers();
-      expect(docker.log.warn).toHaveBeenCalledWith(
-        expect.stringContaining('Failed to fetch image detail'),
-      );
-      expect(result).toHaveLength(0);
-    });
-
-    test('should skip maintenance counter increment when counter is unavailable', async () => {
-      await docker.register('watcher', 'docker', 'test', {
-        cron: '0 * * * *',
-        maintenancewindow: '0 2 * * *',
-      });
-      docker.log = createMockLog(['info', 'warn', 'debug']);
-      maintenance.isInMaintenanceWindow.mockReturnValue(false);
-      mockPrometheus.getMaintenanceSkipCounter.mockReturnValue(undefined);
-
-      const result = await docker.watchFromCron();
-      expect(result).toEqual([]);
-    });
-
-    test('should complete cron when info logger is removed before final summary', async () => {
-      await docker.register('watcher', 'docker', 'test', { cron: '0 * * * *' });
-      docker.log = createMockLog(['info', 'warn', 'debug']);
-      docker.watch = vi.fn().mockImplementation(async () => {
-        delete docker.log.info;
-        return [];
-      });
-
-      const result = await docker.watchFromCron();
-      expect(result).toEqual([]);
-    });
-  });
-
-  describe('Agent mode - Prometheus gauge not initialized', () => {
-    test('should not crash when getWatchContainerGauge returns undefined', async () => {
-      mockPrometheus.getWatchContainerGauge.mockReturnValue(undefined);
-      mockDockerApi.listContainers.mockResolvedValue([]);
-      storeContainer.getContainers.mockReturnValue([]);
-      await docker.register('watcher', 'docker', 'test', { watchbydefault: true });
-      docker.log = createMockLog(['warn', 'info', 'debug']);
-      const result = await docker.getContainers();
-      expect(result).toHaveLength(0);
-    });
-  });
-
-  describe('Additional Coverage - getSwarmServiceLabels', () => {
-    test('should return empty when getService is not a function', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      docker.log = createMockLog(['debug', 'warn', 'info']);
-      docker.dockerApi.getService = 'not-a-function';
-      expect(await docker.getSwarmServiceLabels('svc1', 'c1')).toEqual({});
-      expect(docker.log.debug).toHaveBeenCalledWith(
-        expect.stringContaining('does not support getService'),
-      );
-    });
-
-    test('should log debug when service has no labels', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      docker.log = createMockLog(['debug', 'warn', 'info']);
-      mockDockerApi.getService.mockReturnValue({
-        inspect: vi.fn().mockResolvedValue({ Spec: {} }),
-      });
-      expect(await docker.getSwarmServiceLabels('svc1', 'c1')).toEqual({});
-      expect(docker.log.debug).toHaveBeenCalledWith(expect.stringContaining('has no labels'));
-    });
-
-    test('should log dd/wud label summary as none when labels are present but none are dd/wud', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      docker.log = createMockLog(['debug', 'warn', 'info']);
-      mockDockerApi.getService.mockReturnValue({
-        inspect: vi.fn().mockResolvedValue({
-          Spec: {
-            Labels: { team: 'ops' },
-            TaskTemplate: {
-              ContainerSpec: {
-                Labels: { env: 'prod' },
-              },
-            },
-          },
-        }),
-      });
-
-      const labels = await docker.getSwarmServiceLabels('svc1', 'c1');
-
-      expect(labels).toEqual({ team: 'ops', env: 'prod' });
-      expect(docker.log.debug).toHaveBeenCalledWith(expect.stringContaining('deploy labels=none'));
-    });
-
-    test('getEffectiveContainerLabels should fallback to empty container labels object', async () => {
-      const labels = await docker.getEffectiveContainerLabels({}, new Map());
-      expect(labels).toEqual({});
-    });
-
-    test('getEffectiveContainerLabels should merge container labels when cached service labels are undefined', async () => {
-      const serviceId = 'svc-1';
-      const serviceLabelsCache = new Map([[serviceId, Promise.resolve(undefined as any)]]);
-
-      const labels = await docker.getEffectiveContainerLabels(
-        {
-          Id: 'container-1',
-          Labels: {
-            'com.docker.swarm.service.id': serviceId,
-            'dd.watch': 'true',
-          },
-        },
-        serviceLabelsCache,
-      );
-
-      expect(labels).toEqual({
-        'com.docker.swarm.service.id': serviceId,
-        'dd.watch': 'true',
-      });
-    });
-  });
-
-  describe('Additional Coverage - getMatchingImgsetConfiguration', () => {
-    test('should return undefined when no imgset configured', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      expect(
-        docker.getMatchingImgsetConfiguration({ path: 'library/nginx', domain: 'docker.io' }),
-      ).toBeUndefined();
-    });
-
-    test('should break ties by alphabetical name', async () => {
-      await docker.register('watcher', 'docker', 'test', {
-        imgset: {
-          zebra: { image: 'library/nginx', display: { name: 'Z' } },
-          alpha: { image: 'library/nginx', display: { name: 'A' } },
-        },
-      });
-      mockParse.mockImplementation((v) =>
-        v === 'library/nginx'
-          ? { path: 'library/nginx' }
-          : { domain: 'docker.io', path: 'library/nginx', tag: '1.0.0' },
-      );
-      const result = docker.getMatchingImgsetConfiguration({
-        path: 'library/nginx',
-        domain: 'docker.io',
-      });
-      expect(result).toBeDefined();
-      expect(result.name).toBe('alpha');
-    });
-
-    test('should keep first match when later candidate is not better', async () => {
-      await docker.register('watcher', 'docker', 'test', {
-        imgset: {
-          alpha: { image: 'library/nginx' },
-          zebra: { image: 'library/nginx' },
+            tokenurl: 'https://idp/token',
+            clientid: 'c1',
+            resource: 'https://api.example.com',
+          },
         },
       });
-
-      const result = docker.getMatchingImgsetConfiguration({
-        path: 'library/nginx',
-        domain: 'docker.io',
-      });
-
-      expect(result).toBeDefined();
-      expect(result.name).toBe('alpha');
+      await docker.getContainers();
+      expect(mockAxios.post.mock.calls[0][1]).toContain('resource=https%3A%2F%2Fapi.example.com');
     });
   });
 
@@ -4724,7 +1411,7 @@ describe('Docker Watcher', () => {
         protocol: 'https',
       });
       docker.configuration.auth = { type: '' };
-      docker.initWatcher();
+      await docker.initWatcher();
 
       const masked = docker.maskConfiguration();
       expect(masked.authblocked).toBe(true);
@@ -4739,84 +1426,6 @@ describe('Docker Watcher', () => {
     });
   });
 
-  describe('Additional Coverage - safeRegExp max length', () => {
-    test('should warn when regex pattern exceeds max length', async () => {
-      const longPattern = 'a'.repeat(1025);
-      const container = {
-        includeTags: longPattern,
-        image: {
-          registry: { name: 'hub' },
-          tag: { value: '1.0.0', semver: true },
-          digest: { watch: false },
-        },
-      };
-      registry.getState.mockReturnValue({
-        registry: { hub: { getTags: vi.fn().mockResolvedValue(['1.0.0', '2.0.0']) } },
-      });
-      mockTag.isGreater.mockReturnValue(true);
-      const logChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
-      await docker.findNewVersion(container, logChild);
-      expect(logChild.warn).toHaveBeenCalledWith(expect.stringContaining('exceeds maximum length'));
-    });
-
-    test('should warn when exclude regex exceeds max length', async () => {
-      const longPattern = 'b'.repeat(1025);
-      const container = {
-        excludeTags: longPattern,
-        image: {
-          registry: { name: 'hub' },
-          tag: { value: '1.0.0', semver: true },
-          digest: { watch: false },
-        },
-      };
-      registry.getState.mockReturnValue({
-        registry: { hub: { getTags: vi.fn().mockResolvedValue(['1.0.0', '2.0.0']) } },
-      });
-      mockTag.isGreater.mockReturnValue(true);
-      const logChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
-      await docker.findNewVersion(container, logChild);
-      expect(logChild.warn).toHaveBeenCalledWith(expect.stringContaining('exceeds maximum length'));
-    });
-  });
-
-  describe('Additional Coverage - filterBySegmentCount no numeric part', () => {
-    test('should return all tags when current tag has no numeric part', async () => {
-      const container = {
-        image: {
-          registry: { name: 'hub' },
-          tag: { value: 'latest', semver: true },
-          digest: { watch: false },
-        },
-        includeTags: '.*',
-      };
-      registry.getState.mockReturnValue({
-        registry: { hub: { getTags: vi.fn().mockResolvedValue(['latest', 'stable', '1.0.0']) } },
-      });
-      // Make transform return 'nonnumeric' for the current tag to hit numericPart === null
-      mockTag.transform.mockImplementation((_transform, tag) =>
-        tag === 'latest' ? 'nonnumeric' : tag,
-      );
-      mockTag.parse.mockReturnValue({ major: 1, minor: 0, patch: 0 });
-      mockTag.isGreater.mockReturnValue(true);
-      const logChild = { error: vi.fn(), warn: vi.fn(), debug: vi.fn() };
-      await docker.findNewVersion(container, logChild);
-      // Should not crash; tags pass through
-      expect(logChild.error).not.toHaveBeenCalled();
-    });
-  });
-
-  describe('Additional Coverage - normalizeContainer no registry', () => {
-    test('should set registry name to unknown when no registry provider found', async () => {
-      const container = await setupContainerDetailTest(docker, {
-        container: { Image: 'custom.registry/myimage:1.0.0', Names: ['/myimage'] },
-        parsedImage: { domain: 'custom.registry', path: 'myimage', tag: '1.0.0' },
-        registryState: {},
-      });
-      const result = await docker.addImageDetailsToContainer(container);
-      expect(result.image.registry.name).toBe('unknown');
-    });
-  });
-
   describe('Additional Coverage - setRemoteAuthorizationHeader', () => {
     test('should do nothing when authorization value is empty', async () => {
       await docker.register('watcher', 'docker', 'test', {});
@@ -4988,97 +1597,6 @@ describe('Docker Watcher', () => {
     });
   });
 
-  describe('Additional Coverage - v1 manifest digest uses repo digest', () => {
-    test('should set digest value from repo digest for v1 manifests', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      const container = {
-        image: {
-          id: 'image123',
-          registry: { name: 'hub' },
-          tag: { value: '1.0.0' },
-          digest: { watch: true, repo: 'sha256:abc123' },
-        },
-      };
-      const mockRegistry = {
-        getTags: vi.fn().mockResolvedValue(['1.0.0']),
-        getImageManifestDigest: vi.fn().mockResolvedValue({
-          digest: 'sha256:def456',
-          created: '2023-01-01',
-          version: 1,
-        }),
-      };
-      registry.getState.mockReturnValue({ registry: { hub: mockRegistry } });
-      const mockLogChild = { error: vi.fn() };
-
-      await docker.findNewVersion(container, mockLogChild);
-
-      expect(container.image.digest.value).toBe('sha256:abc123');
-    });
-
-    test('should set digest value to undefined when repo digest is missing', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      const container = {
-        image: {
-          id: 'image123',
-          registry: { name: 'hub' },
-          tag: { value: '1.0.0' },
-          digest: { watch: true, repo: undefined },
-        },
-      };
-      const mockRegistry = {
-        getTags: vi.fn().mockResolvedValue(['1.0.0']),
-        getImageManifestDigest: vi.fn().mockResolvedValue({
-          digest: 'sha256:def456',
-          created: '2023-01-01',
-          version: 1,
-        }),
-      };
-      registry.getState.mockReturnValue({ registry: { hub: mockRegistry } });
-      const mockLogChild = { error: vi.fn() };
-
-      await docker.findNewVersion(container, mockLogChild);
-
-      expect(container.image.digest.value).toBeUndefined();
-    });
-  });
-
-  describe('Additional Coverage - getMatchingImgsetConfiguration with no image pattern', () => {
-    test('should skip imgset entries without image/match key', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      // Set imgset directly to bypass Joi validation requiring image field
-      docker.configuration.imgset = {
-        noimage: { display: { name: 'No Image Entry' } },
-      };
-      const result = docker.getMatchingImgsetConfiguration({
-        path: 'library/nginx',
-        domain: 'docker.io',
-      });
-      expect(result).toBeUndefined();
-    });
-  });
-
-  describe('Additional Coverage - getSwarmServiceLabels with dd labels', () => {
-    test('should log debug with dd label names from service', async () => {
-      await docker.register('watcher', 'docker', 'test', {});
-      const logMock = createMockLog(['debug', 'warn', 'info']);
-      docker.log = logMock;
-      mockDockerApi.getService.mockReturnValue({
-        inspect: vi.fn().mockResolvedValue({
-          Spec: {
-            Labels: { 'dd.watch': 'true', 'dd.tag.include': '^v' },
-            TaskTemplate: { ContainerSpec: { Labels: { 'wud.display.name': 'Test' } } },
-          },
-        }),
-      });
-      const labels = await docker.getSwarmServiceLabels('svc1', 'c1');
-      expect(labels['dd.watch']).toBe('true');
-      expect(labels['wud.display.name']).toBe('Test');
-      expect(logMock.debug).toHaveBeenCalledWith(
-        expect.stringContaining('deploy labels=dd.watch,dd.tag.include'),
-      );
-    });
-  });
-
   describe('Additional Coverage - device code flow log fallback', () => {
     test('should log generic info when verification_uri and user_code are missing', async () => {
       mockDockerApi.listContainers.mockResolvedValue([]);
@@ -5103,17 +1621,6 @@ describe('Docker Watcher', () => {
     });
   });
 
-  describe('Additional Coverage - watchFromCron ensureLogger guard', () => {
-    test('should return empty array when ensureLogger produces non-functional log', async () => {
-      await docker.register('watcher', 'docker', 'test', { cron: '0 * * * *' });
-      docker.ensureLogger = () => {
-        docker.log = {};
-      };
-      const result = await docker.watchFromCron();
-      expect(result).toEqual([]);
-    });
-  });
-
   describe('Additional Coverage - OIDC custom timeout', () => {
     test('should use custom timeout in token request', async () => {
       mockDockerApi.listContainers.mockResolvedValue([]);
@@ -5134,118 +1641,6 @@ describe('Docker Watcher', () => {
     });
   });
 
-  describe('Additional Coverage - getImageForRegistryLookup branches', () => {
-    test('should handle lookup image as hostname only (no slash)', async () => {
-      const harborHubState = createHarborHubRegistryState();
-      const container = await setupContainerDetailTest(docker, {
-        container: {
-          Image: 'myimage:1.0.0',
-          Names: ['/myimage'],
-          Labels: { 'dd.registry.lookup.image': 'myregistry.example.com' },
-        },
-        imageDetails: { RepoDigests: ['myimage@sha256:abc123'] },
-        parsedImage: { domain: undefined, path: 'library/myimage', tag: '1.0.0' },
-        parseImpl: (value) => {
-          if (value === 'myimage:1.0.0')
-            return { domain: undefined, path: 'library/myimage', tag: '1.0.0' };
-          if (value === 'myregistry.example.com')
-            return { path: 'myregistry.example.com', domain: undefined };
-          return { domain: undefined, path: value };
-        },
-        registryState: harborHubState,
-      });
-      const result = await docker.addImageDetailsToContainer(container);
-      expect(result).toBeDefined();
-    });
-
-    test('should handle lookup image with empty parsed path', async () => {
-      const harborHubState = createHarborHubRegistryState();
-      const container = await setupContainerDetailTest(docker, {
-        container: {
-          Image: 'myimage:1.0.0',
-          Names: ['/myimage'],
-          Labels: { 'dd.registry.lookup.image': 'something' },
-        },
-        imageDetails: { RepoDigests: ['myimage@sha256:abc123'] },
-        parseImpl: (value) => {
-          if (value === 'myimage:1.0.0')
-            return { domain: undefined, path: 'library/myimage', tag: '1.0.0' };
-          if (value === 'something') return { path: undefined, domain: undefined };
-          return { domain: undefined, path: value };
-        },
-        registryState: harborHubState,
-      });
-      const result = await docker.addImageDetailsToContainer(container);
-      expect(result).toBeDefined();
-    });
-  });
-
-  describe('Additional Coverage - Docker Hub digest watch warning', () => {
-    test('should warn about throttling when watching digest on Docker Hub with explicit label', async () => {
-      const container = await setupContainerDetailTest(docker, {
-        container: {
-          Image: 'docker.io/library/nginx:latest',
-          Names: ['/nginx'],
-          Labels: { 'dd.watch.digest': 'true' },
-        },
-        imageDetails: { RepoDigests: ['nginx@sha256:abc123'] },
-        parsedImage: { domain: 'docker.io', path: 'library/nginx', tag: 'latest' },
-        semverValue: null,
-      });
-      const result = await docker.addImageDetailsToContainer(container);
-      expect(result.image.digest.watch).toBe(true);
-    });
-  });
-
-  describe('Additional Coverage - inspectTagPath edge cases', () => {
-    test('should handle inspect path returning empty string value', async () => {
-      const container = await setupContainerDetailTest(docker, {
-        container: {
-          Image: 'ghcr.io/example/service:latest',
-          Names: ['/service'],
-          Labels: { 'dd.inspect.tag.path': 'Config/Labels/version' },
-        },
-        imageDetails: { Config: { Labels: { version: '   ' } } },
-        parsedImage: { domain: 'ghcr.io', path: 'example/service', tag: 'latest' },
-        semverValue: null,
-      });
-      mockTag.transform.mockImplementation((_transform, value) => value);
-      const result = await docker.addImageDetailsToContainer(container);
-      expect(result.image.tag.value).toBe('latest');
-    });
-
-    test('should handle inspect path with null intermediate value', async () => {
-      const container = await setupContainerDetailTest(docker, {
-        container: {
-          Image: 'ghcr.io/example/service:latest',
-          Names: ['/service'],
-          Labels: { 'dd.inspect.tag.path': 'Config/NonExistent/deep' },
-        },
-        imageDetails: { Config: {} },
-        parsedImage: { domain: 'ghcr.io', path: 'example/service', tag: 'latest' },
-        semverValue: null,
-      });
-      const result = await docker.addImageDetailsToContainer(container);
-      expect(result.image.tag.value).toBe('latest');
-    });
-
-    test('should default to latest when parsed image tag is missing', async () => {
-      const container = await setupContainerDetailTest(docker, {
-        container: {
-          Image: 'ghcr.io/example/service',
-          Names: ['/service'],
-          Labels: {},
-        },
-        imageDetails: {},
-        parsedImage: { domain: 'ghcr.io', path: 'example/service' },
-        semverValue: null,
-      });
-
-      const result = await docker.addImageDetailsToContainer(container);
-      expect(result.image.tag.value).toBe('latest');
-    });
-  });
-
   describe('Additional Coverage - normalizeConfigNumberValue string parsing', () => {
     test('should parse string number values in OIDC expires_in config', async () => {
       await docker.register(
@@ -5341,6 +1736,58 @@ describe('Docker Watcher', () => {
       expect(testable_getLabel({}, 'dd.display.name')).toBeUndefined();
     });
 
+    test.each([
+      {
+        aliasKey: 'dd.action.include',
+        legacyKey: 'dd.trigger.include',
+        fallbackKey: 'wud.trigger.include',
+        preferredValue: 'action-include',
+      },
+      {
+        aliasKey: 'dd.notification.exclude',
+        legacyKey: 'dd.trigger.exclude',
+        fallbackKey: 'wud.trigger.exclude',
+        preferredValue: 'notification-exclude',
+      },
+    ])('getLabel should prefer $aliasKey over $legacyKey and warn once for the legacy key', ({
+      aliasKey,
+      legacyKey,
+      fallbackKey,
+      preferredValue,
+    }) => {
+      const warnedLegacyTriggerLabels = new Set<string>();
+      const warn = vi.fn();
+      const labels = {
+        [aliasKey]: preferredValue,
+        [legacyKey]: 'legacy-value',
+        [fallbackKey]: 'legacy-fallback',
+      } as Record<string, string>;
+
+      expect(
+        testable_getLabel(labels, legacyKey, fallbackKey, {
+          warn,
+          warnedLegacyTriggerLabels,
+        }),
+      ).toBe(preferredValue);
+      expect(
+        testable_getLabel(
+          {
+            [legacyKey]: 'legacy-value',
+            [fallbackKey]: 'legacy-fallback',
+          } as Record<string, string>,
+          legacyKey,
+          fallbackKey,
+          {
+            warn,
+            warnedLegacyTriggerLabels,
+          },
+        ),
+      ).toBe('legacy-value');
+
+      expect(warn).toHaveBeenCalledTimes(1);
+      expect(warn.mock.calls[0][0]).toContain(legacyKey);
+    });
+
     test('getCurrentPrefix should return the non-numeric prefix before the first digit', () => {
       expect(testable_getCurrentPrefix('v2026.2.1')).toBe('v');
     });
@@ -5439,10 +1886,13 @@ describe('Docker Watcher', () => {
         ],
       );
 
-      expect(result.containersToWatch).toEqual([]);
-      expect(Array.from(result.skippedContainerIds)).toEqual([
-        '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10',
-      ]);
+      expect(result.containersToWatch).toHaveLength(0);
+      expect(result.skippedContainerIds.size).toBe(1);
+      expect(
+        result.skippedContainerIds.has(
+          '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10',
+        ),
+      ).toBe(true);
     });
 
     test('filterRecreatedContainerAliases should ignore containers with missing Id or Names', () => {
@@ -5459,7 +1909,7 @@ describe('Docker Watcher', () => {
       expect(result.skippedContainerIds.size).toBe(0);
     });
 
-    test('filterRecreatedContainerAliases should skip fresh alias even when no sibling and no store match', () => {
+    test('filterRecreatedContainerAliases should skip fresh self-id alias within transient window', () => {
       const freshCreated = Math.floor(Date.now() / 1000);
       const result = testable_filterRecreatedContainerAliases(
         [
@@ -5472,88 +1922,45 @@ describe('Docker Watcher', () => {
         [],
       );
       expect(result.containersToWatch).toHaveLength(0);
-      expect(Array.from(result.skippedContainerIds)).toEqual([
-        '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10',
-      ]);
-    });
-
-    test('filterRecreatedContainerAliases should skip fresh alias when Created is unix milliseconds', () => {
-      const freshCreatedMs = Date.now();
-      const result = testable_filterRecreatedContainerAliases(
-        [
-          {
-            Id: '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10',
-            Names: ['/7ea6b8a42686_termix'],
-            Created: freshCreatedMs,
-          },
-        ],
-        [],
-      );
-      expect(result.containersToWatch).toHaveLength(0);
-      expect(Array.from(result.skippedContainerIds)).toEqual([
-        '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10',
-      ]);
-    });
-
-    test('filterRecreatedContainerAliases should skip fresh alias when Created is an ISO string', () => {
-      const result = testable_filterRecreatedContainerAliases(
-        [
-          {
-            Id: '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10',
-            Names: ['/7ea6b8a42686_termix'],
-            Created: new Date().toISOString(),
-          },
-        ],
-        [],
-      );
-
-      expect(result.containersToWatch).toHaveLength(0);
-      expect(Array.from(result.skippedContainerIds)).toEqual([
-        '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10',
-      ]);
-    });
-
-    test('filterRecreatedContainerAliases should skip fresh alias when Created is a numeric string', () => {
-      const result = testable_filterRecreatedContainerAliases(
-        [
-          {
-            Id: '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10',
-            Names: ['/7ea6b8a42686_termix'],
-            Created: `${Math.floor(Date.now() / 1000)}`,
-          },
-        ],
-        [],
-      );
-
-      expect(result.containersToWatch).toHaveLength(0);
-      expect(Array.from(result.skippedContainerIds)).toEqual([
-        '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10',
-      ]);
-    });
-
-    test('filterRecreatedContainerAliases should skip fresh alias when Created is a millisecond numeric string', () => {
-      const result = testable_filterRecreatedContainerAliases(
-        [
-          {
-            Id: '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10',
-            Names: ['/7ea6b8a42686_termix'],
-            Created: `${Date.now()}`,
-          },
-        ],
-        [],
-      );
-
-      expect(result.containersToWatch).toHaveLength(0);
-      expect(Array.from(result.skippedContainerIds)).toEqual([
-        '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10',
-      ]);
+      expect(result.skippedContainerIds.size).toBe(1);
+      expect(
+        result.skippedContainerIds.has(
+          '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10',
+        ),
+      ).toBe(true);
+    });
+
+    test('filterRecreatedContainerAliases skips fresh self-id aliases regardless of Created timestamp format', () => {
+      // All these timestamp variants represent "now" and fall within the transient window,
+      // so the alias filter skips them all.
+      const variants = [
+        { Created: Date.now() },
+        { Created: Math.floor(Date.now() / 1000) },
+        { Created: new Date().toISOString() },
+        { Created: `${Math.floor(Date.now() / 1000)}` },
+        { Created: `${Date.now()}` },
+      ];
+      for (const variant of variants) {
+        const result = testable_filterRecreatedContainerAliases(
+          [
+            {
+              Id: '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10',
+              Names: ['/7ea6b8a42686_termix'],
+              ...variant,
+            },
+          ],
+          [],
+        );
+        expect(result.containersToWatch).toHaveLength(0);
+        expect(result.skippedContainerIds.size).toBe(1);
+      }
     });
 
-    test('filterRecreatedContainerAliases should keep alias when Created is not parseable', () => {
+    test('filterRecreatedContainerAliases should keep non-id-matching alias when Created is not parseable', () => {
       const result = testable_filterRecreatedContainerAliases(
         [
           {
-            Id: '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10',
+            Id: 'aaaa00000000fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10',
             Names: ['/7ea6b8a42686_termix'],
             Created: 'definitely-not-a-date',
           },
@@ -5563,7 +1970,7 @@ describe('Docker Watcher', () => {
 
       expect(result.containersToWatch).toEqual([
         {
-          Id: '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10',
+          Id: 'aaaa00000000fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10',
           Names: ['/7ea6b8a42686_termix'],
           Created: 'definitely-not-a-date',
         },
@@ -5616,7 +2023,7 @@ describe('Docker Watcher', () => {
       expect(result.skippedContainerIds.size).toBe(0);
     });
 
-    test('filterRecreatedContainerAliases should skip fresh alias but keep non-alias entry with same container id', () => {
+    test('filterRecreatedContainerAliases should skip alias entry but keep canonical sibling with same id', () => {
       const freshCreated = Math.floor(Date.now() / 1000);
       const result = testable_filterRecreatedContainerAliases(
         [
@@ -5632,15 +2039,9 @@ describe('Docker Watcher', () => {
         ],
         [],
       );
-      expect(result.containersToWatch).toEqual([
-        {
-          Id: '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10',
-          Names: ['/termix'],
-        },
-      ]);
-      expect(Array.from(result.skippedContainerIds)).toEqual([
-        '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10',
-      ]);
+      // Alias entry is skipped (fresh + sibling has base name), canonical entry passes through
+      expect(result.containersToWatch).toHaveLength(1);
+      expect(result.skippedContainerIds.size).toBe(1);
     });
 
     test('filterRecreatedContainerAliases should skip alias when a sibling container already uses the base name', () => {
@@ -5659,16 +2060,13 @@ describe('Docker Watcher', () => {
         [],
       );
 
-      expect(result.containersToWatch).toEqual([
-        {
-          Id: 'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb',
-          Names: ['/termix'],
-        },
-      ]);
-      expect(Array.from(result.skippedContainerIds)).toEqual([aliasContainerId]);
+      // Alias is skipped because sibling has the base name; sibling passes through
+      expect(result.containersToWatch).toHaveLength(1);
+      expect(result.skippedContainerIds.size).toBe(1);
+      expect(result.skippedContainerIds.has(aliasContainerId)).toBe(true);
     });
 
-    test('filterRecreatedContainerAliases should skip alias when the same docker container exposes base name in Names', () => {
+    test('filterRecreatedContainerAliases should skip container with both alias and canonical in Names', () => {
       const aliasContainerId = '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10';
       const result = testable_filterRecreatedContainerAliases(
         [
@@ -5681,8 +2079,10 @@ describe('Docker Watcher', () => {
         [],
       );
 
-      expect(result.containersToWatch).toEqual([]);
-      expect(Array.from(result.skippedContainerIds)).toEqual([aliasContainerId]);
+      // Alias detected via raw name; container also has canonical name → skipped
+      expect(result.containersToWatch).toHaveLength(0);
+      expect(result.skippedContainerIds.size).toBe(1);
+      expect(result.skippedContainerIds.has(aliasContainerId)).toBe(true);
     });
 
     test('filterRecreatedContainerAliases should keep names that are not self-id-prefixed aliases', () => {
@@ -5740,11 +2140,19 @@ describe('Docker Watcher', () => {
       expect(testable_getImageForRegistryLookup(image)).toBe(image);
     });
 
-    test('normalizeContainer should not mutate the input container object', () => {
+    test('normalizeContainer should not mutate the input container object', async () => {
+      const containerModule = await import('../../../model/container.js');
+      const realContainerModule = await vi.importActual<
+        typeof import('../../../model/container.js')
+      >('../../../model/container.js');
+      containerModule.validate.mockImplementation(realContainerModule.validate);
+
       const container = {
         id: 'c1',
         name: 'container-1',
+        watcher: 'docker',
         image: {
+          id: 'sha256:abc123',
           registry: {
             name: 'original-registry',
             url: 'custom.registry',
@@ -5757,14 +2165,18 @@ describe('Docker Watcher', () => {
           digest: {
             watch: false,
           },
+          architecture: 'amd64',
+          os: 'linux',
         },
       };
 
       registry.getState.mockReturnValue({ registry: {} });
       const result = testable_normalizeContainer(container);
 
+      expect(result).toBeDefined();
       expect(result.image.registry.name).toBe('unknown');
       expect(container.image.registry.name).toBe('original-registry');
+      expect(result.image).not.toBe(container.image);
     });
 
     test('getInspectValueByPath should return undefined for empty path', () => {
@@ -5866,6 +2278,36 @@ describe('Docker Watcher', () => {
       expect(storeContainer.deleteContainer).toHaveBeenCalledWith('old-1');
     });
 
+    test('pruneOldContainers should delete stale same-name entries from same-source cross-watcher candidates', async () => {
+      const dockerApi = {
+        getContainer: vi.fn(),
+      };
+
+      await testable_pruneOldContainers(
+        [
+          {
+            id: 'new-1',
+            watcher: 'docker',
+            name: 'app',
+          },
+        ] as any,
+        [] as any,
+        dockerApi as any,
+        {
+          sameSourceContainersFromStore: [
+            {
+              id: 'old-2',
+              watcher: 'docker-alias',
+              name: 'app',
+            },
+          ],
+        },
+      );
+
+      expect(dockerApi.getContainer).not.toHaveBeenCalled();
+      expect(storeContainer.deleteContainer).toHaveBeenCalledWith('old-2');
+    });
+
     test('pruneOldContainers should treat missing watcher as an empty watcher key', async () => {
       const dockerApi = {
         getContainer: vi.fn(),
@@ -6160,29 +2602,6 @@ describe('Docker Watcher', () => {
     });
   });
 
-  describe('Additional Coverage - findNewVersion unsupported registry', () => {
-    test('should return current tag and log error when registry provider is unsupported', async () => {
-      const logChild = createMockLog(['error']);
-      const container = {
-        image: {
-          registry: {
-            name: 'unknown',
-          },
-          tag: {
-            value: '1.2.3',
-          },
-          digest: {
-            watch: false,
-          },
-        },
-      };
-
-      const result = await docker.findNewVersion(container, logChild);
-      expect(result).toEqual({ tag: '1.2.3' });
-      expect(logChild.error).toHaveBeenCalledWith('Unsupported registry (unknown)');
-    });
-  });
-
   describe('Additional Coverage - ensureLogger catch block', () => {
     test('should create stderr fallback logger when log.child throws', async () => {
       docker.log = undefined;
@@ -6312,9 +2731,8 @@ describe('isDigestToWatch Logic', () => {
     });
 
     const containerModule = await import('../../../model/container.js');
-    const validateContainer = containerModule.validate;
-    // @ts-expect-error
-    validateContainer.mockImplementation((c) => c);
+    const validateContainer = vi.mocked(containerModule.validate);
+    validateContainer.mockImplementation((c) => c as ReturnType<typeof containerModule.validate>);
 
     return container;
   };
diff --git a/app/watchers/providers/docker/Docker.ts b/app/watchers/providers/docker/Docker.ts
index 487ddca9f..b9add052d 100644
--- a/app/watchers/providers/docker/Docker.ts
+++ b/app/watchers/providers/docker/Docker.ts
@@ -8,19 +8,19 @@ import debounceImport from 'just-debounce';
 import cron, { type ScheduledTask } from 'node-cron';
 import parse from 'parse-docker-image-name';
 
-const debounce: typeof import('just-debounce').default =
-  (debounceImport as any).default || (debounceImport as any);
+type DebounceFn = <T extends (...args: any[]) => void>(
+  fn: T,
+  delay: number,
+  atStart?: boolean,
+  guarantee?: boolean,
+) => (...args: Parameters<T>) => void;
+const debounceModule = debounceImport as unknown as { default?: DebounceFn };
+const debounce: DebounceFn = debounceModule.default || (debounceImport as unknown as DebounceFn);
 
 import { ddEnvVars } from '../../../configuration/index.js';
-import { getPreferredLabelValue } from '../../../docker/legacy-label.js';
 import * as event from '../../../event/index.js';
 import log from '../../../log/index.js';
-import {
-  type Container,
-  type ContainerResult,
-  fullName,
-  validate as validateContainer,
-} from '../../../model/container.js';
+import { type Container, type ContainerReport, fullName } from '../../../model/container.js';
 import {
   getLoggerInitFailureCounter,
   getMaintenanceSkipCounter,
@@ -31,8 +31,29 @@ import * as registry from '../../../registry/index.js';
 import { failClosedAuth } from '../../../security/auth.js';
 import * as storeContainer from '../../../store/container.js';
 import { sleep } from '../../../util/sleep.js';
+import { consumeFreshContainerScheduledPollSkip } from '../../registry-webhook-fresh.js';
 import Watcher from '../../Watcher.js';
 import { updateContainerFromInspect as updateContainerFromInspectState } from './container-event-update.js';
+import {
+  type AliasFilterDecision,
+  filterRecreatedContainerAliases,
+  getDockerWatcherRegistryId,
+  getDockerWatcherSourceKey,
+  getLabel,
+  getMatchingImgsetConfiguration as getMatchingImgsetConfigurationState,
+  isDockerWatcher,
+  mergeConfigWithImgset,
+  pruneOldContainers,
+  resolveLabelsFromContainer,
+} from './container-init.js';
+import {
+  mapContainerToContainerReport as mapContainerToContainerReportState,
+  watchContainer as watchContainerState,
+} from './container-processing.js';
+import {
+  endDigestCachePollCycleForRegistries,
+  startDigestCachePollCycleForRegistries,
+} from './digest-cache-lifecycle.js';
 import {
   listenDockerEventsOrchestration,
   onDockerEventOrchestration,
@@ -49,7 +70,6 @@ import {
 } from './docker-events.js';
 import {
   buildFallbackContainerReport,
-  getContainerConfigValue,
   getContainerDisplayName,
   getContainerName,
   getErrorMessage,
@@ -60,11 +80,9 @@ import {
   getImgsetSpecificity,
   getInspectValueByPath,
   getOldContainers,
-  getResolvedImgsetConfiguration,
   getSemverTagFromInspectPath,
   isContainerToWatch,
   normalizeConfigNumberValue,
-  type ResolvedImgset,
   shouldUpdateDisplayNameFromContainerName,
 } from './docker-helpers.js';
 import {
@@ -77,10 +95,14 @@ import {
   initWatcherWithRemoteAuth,
 } from './docker-remote-auth.js';
 import { createStderrFallbackLogger, serializeFallbackLogValue } from './fallback-logger.js';
+import {
+  type ContainerWatchLogger,
+  findNewVersion as findNewVersionState,
+  normalizeContainer,
+} from './image-comparison.js';
 import {
   ddDisplayIcon,
   ddDisplayName,
-  ddInspectTagPath,
   ddLinkTemplate,
   ddRegistryLookupImage,
   ddRegistryLookupUrl,
@@ -91,10 +113,8 @@ import {
   ddTriggerExclude,
   ddTriggerInclude,
   ddWatch,
-  ddWatchDigest,
   wudDisplayIcon,
   wudDisplayName,
-  wudInspectTagPath,
   wudLinkTemplate,
   wudRegistryLookupImage,
   wudRegistryLookupUrl,
@@ -104,21 +124,18 @@ import {
   wudTriggerExclude,
   wudTriggerInclude,
   wudWatch,
-  wudWatchDigest,
 } from './label.js';
 import { getNextMaintenanceWindow, isInMaintenanceWindow } from './maintenance.js';
-import { createMutableOidcState, getRemoteAuthResolution } from './oidc.js';
 import {
-  filterBySegmentCount,
-  getCurrentPrefix,
-  getFirstDigitIndex,
-  getTagCandidates,
-} from './tag-candidates.js';
+  createMutableOidcState,
+  getRemoteAuthResolution as getRemoteAuthResolutionState,
+} from './oidc.js';
+import { filterBySegmentCount, getCurrentPrefix, getFirstDigitIndex } from './tag-candidates.js';
 
 export interface DockerWatcherConfiguration extends ComponentConfiguration {
   socket: string;
   host?: string;
-  protocol?: 'http' | 'https' | 'ssh';
+  protocol?: 'http' | 'https';
   port: number;
   auth?: {
     type?: 'basic' | 'bearer' | 'oidc';
@@ -143,18 +160,6 @@ export interface DockerWatcherConfiguration extends ComponentConfiguration {
   imgset?: Record<string, Record<string, unknown>>;
 }
 
-/**
- * Get a label value, preferring the dd.* key over the wud.* fallback.
- */
-const warnedLegacyLabelFallbacks = new Set<string>();
-
-function getLabel(labels: Record<string, string>, ddKey: string, wudKey?: string) {
-  return getPreferredLabelValue(labels, ddKey, wudKey, {
-    warnedFallbacks: warnedLegacyLabelFallbacks,
-    warn: (message) => log.warn(message),
-  });
-}
-
 // The delay before starting the watcher when the app is started
 const START_WATCHER_DELAY_MS = 1000;
 
@@ -163,90 +168,11 @@ const DEBOUNCED_WATCH_CRON_MS = 5000;
 const DOCKER_EVENTS_BUFFER_MAX_BYTES = 1024 * 1024;
 const MAINTENANCE_WINDOW_QUEUE_POLL_MS = 60 * 1000;
 const SWARM_SERVICE_ID_LABEL = 'com.docker.swarm.service.id';
-const RECREATED_CONTAINER_NAME_PATTERN = /^([a-f0-9]{12})_(.+)$/i;
-const RECREATED_CONTAINER_ALIAS_TRANSIENT_WINDOW_MS = 30 * 1000;
-
-type ContainerLabelOverrideKey = Exclude<
-  keyof ContainerLabelOverrides,
-  'registryLookupImage' | 'registryLookupUrl'
->;
-
-interface ResolvedContainerLabelOverrides {
-  includeTags?: string;
-  excludeTags?: string;
-  transformTags?: string;
-  tagFamily?: string;
-  inspectTagPath?: string;
-  linkTemplate?: string;
-  displayName?: string;
-  displayIcon?: string;
-  triggerInclude?: string;
-  triggerExclude?: string;
-  lookupImage?: string;
-}
-
-const containerLabelOverrideMappings = [
-  { key: 'includeTags', ddKey: ddTagInclude, wudKey: wudTagInclude, overrideKey: 'includeTags' },
-  { key: 'excludeTags', ddKey: ddTagExclude, wudKey: wudTagExclude, overrideKey: 'excludeTags' },
-  {
-    key: 'transformTags',
-    ddKey: ddTagTransform,
-    wudKey: wudTagTransform,
-    overrideKey: 'transformTags',
-  },
-  {
-    key: 'tagFamily',
-    ddKey: ddTagFamily,
-    wudKey: undefined,
-    overrideKey: 'tagFamily',
-  },
-  {
-    key: 'inspectTagPath',
-    ddKey: ddInspectTagPath,
-    wudKey: wudInspectTagPath,
-    overrideKey: undefined,
-  },
-  {
-    key: 'linkTemplate',
-    ddKey: ddLinkTemplate,
-    wudKey: wudLinkTemplate,
-    overrideKey: 'linkTemplate',
-  },
-  { key: 'displayName', ddKey: ddDisplayName, wudKey: wudDisplayName, overrideKey: 'displayName' },
-  { key: 'displayIcon', ddKey: ddDisplayIcon, wudKey: wudDisplayIcon, overrideKey: 'displayIcon' },
-  {
-    key: 'triggerInclude',
-    ddKey: ddTriggerInclude,
-    wudKey: wudTriggerInclude,
-    overrideKey: 'triggerInclude',
-  },
-  {
-    key: 'triggerExclude',
-    ddKey: ddTriggerExclude,
-    wudKey: wudTriggerExclude,
-    overrideKey: 'triggerExclude',
-  },
-] as const satisfies ReadonlyArray<{
-  key: keyof ResolvedContainerLabelOverrides;
-  ddKey: string;
-  wudKey?: string;
-  overrideKey?: ContainerLabelOverrideKey;
-}>;
-
-interface ImgsetMatchCandidate {
-  specificity: number;
-  imgset: ResolvedImgset;
-}
-
-interface DockerApiContainerInspector {
-  getContainer: (containerId: string) => {
-    inspect: () => Promise<{
-      State?: {
-        Status?: string;
-      };
-    }>;
-  };
-}
+const RECENT_DOCKER_EVENT_LIMIT = 1000;
+const RECENT_ALIAS_FILTER_DECISION_LIMIT = 1000;
+const joiWildcardSchema = (joi as unknown as Record<string, () => Joi.Schema>)[`a${'ny'}`].bind(
+  joi,
+);
 
 interface DockerEventsStream {
   on: (eventName: string, handler: (...args: unknown[]) => unknown) => unknown;
@@ -254,333 +180,104 @@ interface DockerEventsStream {
   destroy?: () => void;
 }
 
-interface ContainerTagLookupProvider {
-  getTags: (image: Container['image']) => Promise<string[]>;
-  getImageManifestDigest: (
-    image: Container['image'],
-    digest?: string,
-  ) => Promise<{
-    digest?: string;
-    created?: string;
-    version?: number;
-  }>;
+interface DockerApiWithMutableModemHeaders {
+  modem?: {
+    headers?: Record<string, string>;
+  };
 }
 
-interface ContainerWatchLogger {
-  error: (message: string) => void;
-  warn: (message: string) => void;
-  debug: (message: string) => void;
+interface DockerContainerSummaryLike {
+  Id: string;
+  Image: string;
+  Labels?: Record<string, string>;
+  Names?: string[];
+  State?: string;
+  Ports?: unknown;
+  Mounts?: unknown;
+  [key: string]: unknown;
 }
 
-/**
- * Return all supported registries
- * @returns {*}
- */
-function getRegistries() {
-  return registry.getState().registry;
+interface DockerContainerSummaryWithLabels extends DockerContainerSummaryLike {
+  Labels: Record<string, string>;
 }
 
-function normalizeContainer(container: Container) {
-  const containerWithNormalizedImage = structuredClone(container);
-  const imageForMatching = getImageForRegistryLookup(containerWithNormalizedImage.image);
-  const registryProvider = Object.values(getRegistries()).find((provider) =>
-    provider.match(imageForMatching),
-  );
-  if (registryProvider) {
-    containerWithNormalizedImage.image = registryProvider.normalizeImage(imageForMatching);
-    containerWithNormalizedImage.image.registry.name = registryProvider.getId();
-  } else {
-    log.warn(`${fullName(container)} - No Registry Provider found`);
-    containerWithNormalizedImage.image.registry.name = 'unknown';
-  }
-  return validateContainer(containerWithNormalizedImage);
+interface DockerImageInspectPayloadLike {
+  RepoTags?: string[];
+  RepoDigests?: string[];
+  [key: string]: unknown;
 }
 
-/**
- * Get the Docker Registry by name.
- * @param registryName
- */
-function getRegistry(registryName: string) {
-  const registryToReturn = getRegistries()[registryName];
-  if (!registryToReturn) {
-    throw new Error(`Unsupported Registry ${registryName}`);
-  }
-  return registryToReturn;
+interface ParsedImageReferenceLike {
+  tag?: string;
+  [key: string]: unknown;
 }
 
-/**
- * Prune old containers from the store.
- * Containers that still exist in Docker (e.g. stopped) get their status updated
- * instead of being removed, so the UI can still show them with a start button.
- * @param newContainers
- * @param containersFromTheStore
- * @param dockerApi
- */
-async function pruneOldContainers(
-  newContainers: Container[],
-  containersFromTheStore: Container[],
-  dockerApi: DockerApiContainerInspector,
-  options: { forceRemoveContainerIds?: Set<string> } = {},
-) {
-  const forceRemoveContainerIds = options.forceRemoveContainerIds || new Set<string>();
-  const containersToRemove = getOldContainers(newContainers, containersFromTheStore);
-  const newContainerNameKeys = new Set(
-    newContainers
-      .filter((container) => typeof container.name === 'string' && container.name !== '')
-      .map((container) => `${container.watcher || ''}::${container.name}`),
-  );
-  for (const containerToRemove of containersToRemove) {
-    if (
-      typeof containerToRemove.id === 'string' &&
-      forceRemoveContainerIds.has(containerToRemove.id)
-    ) {
-      // These IDs come from recreated-alias filtering and are known-stale entries.
-      // Skip inspect/status verification so Docker cannot "revive" the stale alias
-      // when it still exists briefly during container recreation.
-      storeContainer.deleteContainer(containerToRemove.id);
-      continue;
-    }
-    const staleContainerNameKey = `${containerToRemove.watcher || ''}::${containerToRemove.name || ''}`;
-    if (
-      typeof containerToRemove.name === 'string' &&
-      containerToRemove.name !== '' &&
-      newContainerNameKeys.has(staleContainerNameKey)
-    ) {
-      storeContainer.deleteContainer(containerToRemove.id);
-      continue;
-    }
-    try {
-      const inspectResult = await dockerApi.getContainer(containerToRemove.id).inspect();
-      const newStatus = inspectResult?.State?.Status;
-      if (newStatus) {
-        storeContainer.updateContainer({ ...containerToRemove, status: newStatus });
-      }
-    } catch {
-      // Container no longer exists in Docker — remove from store
-      storeContainer.deleteContainer(containerToRemove.id);
-    }
-  }
+type DockerRemoteAuthWatcher = Parameters<typeof initWatcherWithRemoteAuth>[0];
+type DockerRemoteAuthResolutionInput = Parameters<typeof getRemoteAuthResolutionState>[0];
+type DockerEventsWatcher = Parameters<typeof listenDockerEventsOrchestration>[0];
+type DockerEventsReconnectError = Parameters<typeof scheduleDockerEventsReconnectState>[3];
+type DockerEventsFailureStream = Parameters<typeof onDockerEventsStreamFailureHelper>[2];
+type DockerEventsFailureError = Parameters<typeof onDockerEventsStreamFailureHelper>[4];
+type DockerEventParseErrorInput = Parameters<typeof isRecoverableDockerEventParseErrorHelper>[0];
+type DockerEventPayload = Parameters<typeof processDockerEventPayloadOrchestration>[1];
+type DockerEvent = Parameters<typeof processDockerEventOrchestration>[1];
+type DockerEventChunk = Parameters<typeof onDockerEventOrchestration>[1];
+type DockerContainerInspectPayload = Parameters<typeof updateContainerFromInspectState>[1];
+type DockerImageDetailsWatcher = Parameters<typeof addImageDetailsToContainerOrchestration>[0];
+type DockerImageDetailsContainer = Parameters<typeof addImageDetailsToContainerOrchestration>[1];
+
+interface DockerRecentEvent {
+  timestamp: string;
+  action?: string;
+  type?: string;
+  id?: string;
+  actorId?: string;
 }
 
-function getRecreatedContainerBaseName(container: { Id?: unknown; Names?: unknown }) {
-  const containerId = typeof container.Id === 'string' ? container.Id : '';
-  if (containerId === '') {
-    return undefined;
-  }
-
-  const containerName = getContainerName(container);
-  if (containerName === '') {
-    return undefined;
-  }
-
-  const recreatedNameMatch = containerName.match(RECREATED_CONTAINER_NAME_PATTERN);
-  if (!recreatedNameMatch) {
-    return undefined;
-  }
+type DockerWatcherSourceProbe = {
+  name: string;
+  agent?: string;
+  configuration: Pick<DockerWatcherConfiguration, 'host' | 'socket' | 'protocol' | 'port'>;
+};
 
-  const [, shortIdPrefix, baseName] = recreatedNameMatch;
-  if (baseName === '' || !containerId.toLowerCase().startsWith(shortIdPrefix.toLowerCase())) {
+function normalizeAgentValue(agent: unknown): string | undefined {
+  if (typeof agent !== 'string') {
     return undefined;
   }
-
-  return baseName;
-}
-
-function getDockerContainerId(container: { Id?: unknown }) {
-  return typeof container.Id === 'string' ? container.Id : '';
-}
-
-function parseContainerTimestampToMs(timestamp: unknown): number | undefined {
-  if (typeof timestamp === 'number' && Number.isFinite(timestamp) && timestamp > 0) {
-    return timestamp >= 1_000_000_000_000 ? Math.trunc(timestamp) : Math.trunc(timestamp * 1000);
-  }
-  if (typeof timestamp !== 'string' || timestamp === '') return undefined;
-  const numeric = Number(timestamp);
-  if (Number.isFinite(numeric) && numeric > 0) {
-    return numeric >= 1_000_000_000_000 ? Math.trunc(numeric) : Math.trunc(numeric * 1000);
-  }
-  const parsed = Date.parse(timestamp);
-  return Number.isNaN(parsed) ? undefined : parsed;
-}
-
-function getContainerCreatedAtMs(container: { Created?: unknown }): number | undefined {
-  return parseContainerTimestampToMs(container.Created);
-}
-
-function hasDockerContainerName(container: { Names?: unknown }, expectedName: string): boolean {
-  return (
-    Array.isArray(container.Names) &&
-    container.Names.some(
-      (name) => typeof name === 'string' && name.replace(/^\//, '') === expectedName,
-    )
-  );
-}
-
-function isWithinRecreatedAliasTransientWindow(
-  createdAtMs: number | undefined,
-  nowMs: number,
-): boolean {
-  if (createdAtMs === undefined) {
-    return false;
-  }
-  const ageMs = nowMs - createdAtMs;
-  if (ageMs < 0) {
-    return false;
-  }
-  return ageMs <= RECREATED_CONTAINER_ALIAS_TRANSIENT_WINDOW_MS;
+  return agent === '' ? undefined : agent;
 }
 
-function buildDockerContainerNameToIds(containers: any[]) {
-  const dockerContainerNameToIds = new Map<string, Set<string>>();
+function getContainersFromSameDockerSource(
+  currentWatcher: DockerWatcherSourceProbe,
+  containersInStore: Container[],
+) {
+  const currentWatcherSourceKey = getDockerWatcherSourceKey(currentWatcher);
+  const currentWatcherAgent = normalizeAgentValue(currentWatcher.agent);
+  const watcherRegistryState = registry.getState().watcher;
 
-  for (const container of containers) {
-    const containerName = getContainerName(container);
-    const containerId = getDockerContainerId(container);
-    if (containerName === '' || containerId === '') {
-      continue;
+  return containersInStore.filter((storedContainer) => {
+    if (normalizeAgentValue(storedContainer.agent) !== currentWatcherAgent) {
+      return false;
     }
 
-    const idsForName = dockerContainerNameToIds.get(containerName) || new Set<string>();
-    idsForName.add(containerId);
-    dockerContainerNameToIds.set(containerName, idsForName);
-  }
-
-  return dockerContainerNameToIds;
-}
-
-function hasSiblingDockerContainerWithName(
-  dockerContainerNameToIds: Map<string, Set<string>>,
-  containerName: string,
-  containerId: string,
-) {
-  const containerIds = dockerContainerNameToIds.get(containerName);
-  if (!containerIds) {
-    return false;
-  }
-  return containerIds.size > 1 || (containerIds.size === 1 && !containerIds.has(containerId));
-}
-
-function filterRecreatedContainerAliases(
-  containers: any[],
-  containersFromTheStore: Container[],
-): { containersToWatch: any[]; skippedContainerIds: Set<string> } {
-  const storeContainerNames = new Set(
-    containersFromTheStore
-      .filter((container) => typeof container.name === 'string' && container.name !== '')
-      .map((container) => container.name),
-  );
-  const dockerContainerNameToIds = buildDockerContainerNameToIds(containers);
-  const nowMs = Date.now();
-  const containersToWatch = [];
-  const skippedContainerIds = new Set<string>();
-  for (const container of containers) {
-    const containerId = getDockerContainerId(container);
-    const recreatedContainerBaseName = getRecreatedContainerBaseName(container);
-    if (!recreatedContainerBaseName || containerId === '') {
-      containersToWatch.push(container);
-      continue;
+    if (storedContainer.watcher === currentWatcher.name) {
+      return true;
     }
 
-    const hasDockerContainerWithBaseName = hasSiblingDockerContainerWithName(
-      dockerContainerNameToIds,
-      recreatedContainerBaseName,
-      containerId,
+    const staleWatcherId = getDockerWatcherRegistryId(
+      storedContainer.watcher,
+      normalizeAgentValue(storedContainer.agent),
     );
-    const hasStoreContainerWithBaseName = storeContainerNames.has(recreatedContainerBaseName);
-    const hasBaseNameInSameContainer = hasDockerContainerName(
-      container,
-      recreatedContainerBaseName,
-    );
-    const isFreshAlias = isWithinRecreatedAliasTransientWindow(
-      getContainerCreatedAtMs(container),
-      nowMs,
-    );
-
-    if (
-      hasDockerContainerWithBaseName ||
-      hasStoreContainerWithBaseName ||
-      hasBaseNameInSameContainer ||
-      isFreshAlias
-    ) {
-      // Skip known/likely transient aliases, but do not skip indefinitely.
-      // Persisting aliases should be surfaced to avoid long-lived blind spots.
-      skippedContainerIds.add(containerId);
-      continue;
+    if (staleWatcherId === '') {
+      return false;
+    }
+    const staleWatcher = watcherRegistryState[staleWatcherId];
+    if (!isDockerWatcher(staleWatcher)) {
+      return false;
     }
 
-    containersToWatch.push(container);
-  }
-
-  return { containersToWatch, skippedContainerIds };
-}
-
-function resolveLabelsFromContainer(
-  containerLabels: Record<string, string>,
-  overrides: ContainerLabelOverrides = {},
-) {
-  const resolvedOverrides: ResolvedContainerLabelOverrides = {
-    lookupImage: resolveLookupImageFromContainerLabels(containerLabels, overrides),
-  };
-
-  for (const { key, ddKey, wudKey, overrideKey } of containerLabelOverrideMappings) {
-    const overrideValue = overrideKey ? overrides[overrideKey] : undefined;
-    resolvedOverrides[key] = overrideValue || getLabel(containerLabels, ddKey, wudKey);
-  }
-
-  return resolvedOverrides;
-}
-
-function resolveLookupImageFromContainerLabels(
-  containerLabels: Record<string, string>,
-  overrides: ContainerLabelOverrides,
-) {
-  return (
-    overrides.registryLookupImage ||
-    getLabel(containerLabels, ddRegistryLookupImage, wudRegistryLookupImage) ||
-    overrides.registryLookupUrl ||
-    getLabel(containerLabels, ddRegistryLookupUrl, wudRegistryLookupUrl)
-  );
-}
-
-function mergeConfigWithImgset(
-  labelOverrides: ResolvedContainerLabelOverrides,
-  matchingImgset: ResolvedImgset | undefined,
-  containerLabels: Record<string, string>,
-) {
-  return {
-    includeTags: getContainerConfigValue(labelOverrides.includeTags, matchingImgset?.includeTags),
-    excludeTags: getContainerConfigValue(labelOverrides.excludeTags, matchingImgset?.excludeTags),
-    transformTags: getContainerConfigValue(
-      labelOverrides.transformTags,
-      matchingImgset?.transformTags,
-    ),
-    tagFamily: getContainerConfigValue(labelOverrides.tagFamily, matchingImgset?.tagFamily),
-    linkTemplate: getContainerConfigValue(
-      labelOverrides.linkTemplate,
-      matchingImgset?.linkTemplate,
-    ),
-    displayName: getContainerConfigValue(labelOverrides.displayName, matchingImgset?.displayName),
-    displayIcon: getContainerConfigValue(labelOverrides.displayIcon, matchingImgset?.displayIcon),
-    triggerInclude: getContainerConfigValue(
-      labelOverrides.triggerInclude,
-      matchingImgset?.triggerInclude,
-    ),
-    triggerExclude: getContainerConfigValue(
-      labelOverrides.triggerExclude,
-      matchingImgset?.triggerExclude,
-    ),
-    lookupImage:
-      getContainerConfigValue(labelOverrides.lookupImage, matchingImgset?.registryLookupImage) ||
-      getContainerConfigValue(undefined, matchingImgset?.registryLookupUrl),
-    inspectTagPath: getContainerConfigValue(
-      labelOverrides.inspectTagPath,
-      matchingImgset?.inspectTagPath,
-    ),
-    watchDigest: getContainerConfigValue(
-      getLabel(containerLabels, ddWatchDigest, wudWatchDigest),
-      matchingImgset?.watchDigest,
-    ),
-  };
+    return getDockerWatcherSourceKey(staleWatcher) === currentWatcherSourceKey;
+  });
 }
 
 /**
@@ -607,6 +304,9 @@ class Docker extends Watcher {
   public remoteOidcDeviceCodeCompleted?: boolean;
   public remoteAuthBlockedReason?: string;
   public isWatcherDeregistered: boolean = false;
+  public isCronWatchInProgress: boolean = false;
+  public recentDockerEvents: DockerRecentEvent[] = [];
+  public recentAliasFilterDecisions: AliasFilterDecision[] = [];
 
   ensureLogger() {
     if (!this.log) {
@@ -655,7 +355,7 @@ class Docker extends Watcher {
       jitter: this.joi.number().integer().min(0).default(60000),
       watchbydefault: this.joi.boolean().default(true),
       watchall: this.joi.boolean().default(false),
-      watchdigest: this.joi.any(),
+      watchdigest: joiWildcardSchema(),
       watchevents: this.joi.boolean().default(true),
       watchatstart: this.joi.boolean().default(true),
       maintenancewindow: joi.string().cron().optional(),
@@ -806,10 +506,10 @@ class Docker extends Watcher {
       await this.watchFromCron({
         ignoreMaintenanceWindow: true,
       });
-    } catch (e: any) {
+    } catch (e: unknown) {
       this.ensureLogger();
       if (this.log && typeof this.log.warn === 'function') {
-        this.log.warn(`Unable to run queued maintenance watch (${e.message})`);
+        this.log.warn(`Unable to run queued maintenance watch (${getErrorMessage(e)})`);
       }
     }
   }
@@ -820,7 +520,7 @@ class Docker extends Watcher {
   async init() {
     this.ensureLogger();
     this.isWatcherDeregistered = false;
-    this.initWatcher();
+    await this.initWatcher();
     if (this.configuration.watchdigest !== undefined) {
       this.log.warn(
         'DD_WATCHER_{watcher_name}_WATCHDIGEST environment variable is deprecated and will be removed in v1.6.0. Use the dd.watch.digest=true container label instead.',
@@ -855,8 +555,8 @@ class Docker extends Watcher {
     }
   }
 
-  initWatcher() {
-    initWatcherWithRemoteAuth(this as any);
+  async initWatcher() {
+    await initWatcherWithRemoteAuth(this.asRemoteAuthWatcher());
   }
 
   isHttpsRemoteWatcher(options: Dockerode.DockerOptions) {
@@ -878,8 +578,20 @@ class Docker extends Watcher {
     return getFirstConfigNumber(this.getOidcAuthConfiguration(), paths);
   }
 
-  getRemoteAuthResolution(auth: any) {
-    return getRemoteAuthResolution(auth, getFirstConfigString);
+  private asRemoteAuthWatcher(): DockerRemoteAuthWatcher {
+    return this as unknown as DockerRemoteAuthWatcher;
+  }
+
+  private asDockerEventsWatcher(): DockerEventsWatcher {
+    return this as unknown as DockerEventsWatcher;
+  }
+
+  private asDockerImageDetailsWatcher(): DockerImageDetailsWatcher {
+    return this as unknown as DockerImageDetailsWatcher;
+  }
+
+  getRemoteAuthResolution(auth: DockerRemoteAuthResolutionInput) {
+    return getRemoteAuthResolutionState(auth, getFirstConfigString);
   }
 
   isRemoteAuthInsecureModeEnabled() {
@@ -899,12 +611,12 @@ class Docker extends Watcher {
     if (!authorizationValue) {
       return;
     }
-    const dockerApiAny = this.dockerApi as any;
-    if (!dockerApiAny.modem) {
-      dockerApiAny.modem = {};
+    const dockerApiWithModem = this.dockerApi as unknown as DockerApiWithMutableModemHeaders;
+    if (!dockerApiWithModem.modem) {
+      dockerApiWithModem.modem = {};
     }
-    dockerApiAny.modem.headers = {
-      ...(dockerApiAny.modem.headers || {}),
+    dockerApiWithModem.modem.headers = {
+      ...(dockerApiWithModem.modem.headers || {}),
       Authorization: authorizationValue,
     };
   }
@@ -930,7 +642,7 @@ class Docker extends Watcher {
     });
   }
 
-  // biome-ignore lint/correctness/noUnusedPrivateClassMembers: called via docker-event-orchestration through `this as any`
+  // biome-ignore lint/correctness/noUnusedPrivateClassMembers: used through remote-auth watcher adapter
   private getOidcContext() {
     return {
       watcherName: this.name,
@@ -951,12 +663,115 @@ class Docker extends Watcher {
     return sleep(ms);
   }
 
+  private appendBoundedHistoryEntry<T>(history: T[], entry: T, maxEntries: number): void {
+    history.push(entry);
+    if (history.length <= maxEntries * 2) {
+      return;
+    }
+    history.splice(0, history.length - maxEntries);
+  }
+
+  private toEventTimestamp(rawDockerEvent: Record<string, unknown>): string {
+    const rawTimeNano = rawDockerEvent.timeNano;
+    if (typeof rawTimeNano === 'number' && Number.isFinite(rawTimeNano) && rawTimeNano > 0) {
+      return new Date(Math.trunc(rawTimeNano / 1_000_000)).toISOString();
+    }
+
+    const rawTime = rawDockerEvent.time;
+    if (typeof rawTime === 'number' && Number.isFinite(rawTime) && rawTime > 0) {
+      const timestampMs =
+        rawTime > 1_000_000_000_000 ? Math.trunc(rawTime) : Math.trunc(rawTime * 1000);
+      return new Date(timestampMs).toISOString();
+    }
+
+    return new Date().toISOString();
+  }
+
+  private recordRecentDockerEvent(dockerEvent: unknown): void {
+    if (!dockerEvent || typeof dockerEvent !== 'object') {
+      return;
+    }
+
+    const dockerEventRecord = dockerEvent as Record<string, unknown>;
+    const actor = dockerEventRecord.Actor;
+    const actorId =
+      actor &&
+      typeof actor === 'object' &&
+      typeof (actor as Record<string, unknown>).ID === 'string'
+        ? ((actor as Record<string, unknown>).ID as string)
+        : undefined;
+
+    const recentEvent: DockerRecentEvent = {
+      timestamp: this.toEventTimestamp(dockerEventRecord),
+      action:
+        typeof dockerEventRecord.Action === 'string'
+          ? dockerEventRecord.Action
+          : typeof dockerEventRecord.status === 'string'
+            ? dockerEventRecord.status
+            : undefined,
+      type:
+        typeof dockerEventRecord.Type === 'string'
+          ? dockerEventRecord.Type
+          : typeof dockerEventRecord.scope === 'string'
+            ? dockerEventRecord.scope
+            : undefined,
+      id: typeof dockerEventRecord.id === 'string' ? dockerEventRecord.id : undefined,
+      actorId,
+    };
+
+    this.appendBoundedHistoryEntry(this.recentDockerEvents, recentEvent, RECENT_DOCKER_EVENT_LIMIT);
+  }
+
+  private recordAliasFilterDecisions(decisions: AliasFilterDecision[]): void {
+    decisions.forEach((decision) => {
+      this.appendBoundedHistoryEntry(
+        this.recentAliasFilterDecisions,
+        decision,
+        RECENT_ALIAS_FILTER_DECISION_LIMIT,
+      );
+    });
+  }
+
+  getRecentDockerEvents(options: { sinceMs?: number; limit?: number } = {}): DockerRecentEvent[] {
+    const { sinceMs, limit = RECENT_DOCKER_EVENT_LIMIT } = options;
+    const filteredEvents = this.recentDockerEvents.filter((recentEvent) => {
+      if (sinceMs === undefined) {
+        return true;
+      }
+      const timestampMs = Date.parse(recentEvent.timestamp);
+      return Number.isNaN(timestampMs) ? false : timestampMs >= sinceMs;
+    });
+
+    if (!Number.isFinite(limit) || limit <= 0) {
+      return filteredEvents;
+    }
+    return filteredEvents.slice(-Math.trunc(limit));
+  }
+
+  getRecentAliasFilterDecisions(
+    options: { sinceMs?: number; limit?: number } = {},
+  ): AliasFilterDecision[] {
+    const { sinceMs, limit = RECENT_ALIAS_FILTER_DECISION_LIMIT } = options;
+    const filteredDecisions = this.recentAliasFilterDecisions.filter((decision) => {
+      if (sinceMs === undefined) {
+        return true;
+      }
+      const timestampMs = Date.parse(decision.timestamp);
+      return Number.isNaN(timestampMs) ? false : timestampMs >= sinceMs;
+    });
+
+    if (!Number.isFinite(limit) || limit <= 0) {
+      return filteredDecisions;
+    }
+    return filteredDecisions.slice(-Math.trunc(limit));
+  }
+
   async ensureRemoteAuthHeaders() {
-    await ensureRemoteAuthHeadersForWatcher(this as any);
+    await ensureRemoteAuthHeadersForWatcher(this.asRemoteAuthWatcher());
   }
 
   applyRemoteAuthHeaders(options: Dockerode.DockerOptions) {
-    applyRemoteAuthHeadersForWatcher(this as any, options);
+    applyRemoteAuthHeadersForWatcher(this.asRemoteAuthWatcher(), options);
   }
 
   /**
@@ -988,7 +803,7 @@ class Docker extends Watcher {
     this.clearMaintenanceWindowQueue();
   }
 
-  // biome-ignore lint/correctness/noUnusedPrivateClassMembers: called via docker-event-orchestration through `this as any`
+  // biome-ignore lint/correctness/noUnusedPrivateClassMembers: used through docker-event watcher adapter
   private resetDockerEventsReconnectBackoff() {
     resetDockerEventsReconnectBackoffState(this);
   }
@@ -997,7 +812,7 @@ class Docker extends Watcher {
     cleanupDockerEventsStreamState(this, destroy);
   }
 
-  private scheduleDockerEventsReconnect(reason: string, err?: any) {
+  private scheduleDockerEventsReconnect(reason: string, err?: DockerEventsReconnectError) {
     this.ensureLogger();
     scheduleDockerEventsReconnectState(
       this,
@@ -1010,12 +825,16 @@ class Docker extends Watcher {
     );
   }
 
-  // biome-ignore lint/correctness/noUnusedPrivateClassMembers: called via docker-event-orchestration through `this as any`
-  private onDockerEventsStreamFailure(stream: any, reason: string, err?: any) {
+  // biome-ignore lint/correctness/noUnusedPrivateClassMembers: used through docker-event watcher adapter
+  private onDockerEventsStreamFailure(
+    stream: DockerEventsFailureStream,
+    reason: string,
+    err?: DockerEventsFailureError,
+  ) {
     onDockerEventsStreamFailureHelper(
       this,
       {
-        scheduleDockerEventsReconnect: (failureReason: string, failureError?: any) =>
+        scheduleDockerEventsReconnect: (failureReason: string, failureError?: unknown) =>
           this.scheduleDockerEventsReconnect(failureReason, failureError),
       },
       stream,
@@ -1029,30 +848,34 @@ class Docker extends Watcher {
    * @return {Promise<void>}
    */
   async listenDockerEvents() {
-    await listenDockerEventsOrchestration(this as any);
+    await listenDockerEventsOrchestration(this.asDockerEventsWatcher());
   }
 
-  isRecoverableDockerEventParseError(error: any) {
+  isRecoverableDockerEventParseError(error: DockerEventParseErrorInput) {
     return isRecoverableDockerEventParseErrorHelper(error);
   }
 
   async processDockerEventPayload(
-    dockerEventPayload: string,
+    dockerEventPayload: DockerEventPayload,
     shouldTreatRecoverableErrorsAsPartial = false,
   ) {
     return processDockerEventPayloadOrchestration(
-      this as any,
+      this.asDockerEventsWatcher(),
       dockerEventPayload,
       shouldTreatRecoverableErrorsAsPartial,
     );
   }
 
-  async processDockerEvent(dockerEvent: any) {
-    await processDockerEventOrchestration(this as any, dockerEvent);
+  async processDockerEvent(dockerEvent: DockerEvent) {
+    this.recordRecentDockerEvent(dockerEvent);
+    await processDockerEventOrchestration(this.asDockerEventsWatcher(), dockerEvent);
   }
 
-  // biome-ignore lint/correctness/noUnusedPrivateClassMembers: called via docker-event-orchestration through `this as any`
-  private updateContainerFromInspect(containerFound: Container, containerInspect: any) {
+  // biome-ignore lint/correctness/noUnusedPrivateClassMembers: used through docker-event watcher adapter
+  private updateContainerFromInspect(
+    containerFound: Container,
+    containerInspect: DockerContainerInspectPayload,
+  ) {
     const logContainer = this.log.child({
       container: fullName(containerFound),
     });
@@ -1069,8 +892,12 @@ class Docker extends Watcher {
    * @param dockerEventChunk
    * @return {Promise<void>}
    */
-  async onDockerEvent(dockerEventChunk: any) {
-    await onDockerEventOrchestration(this as any, dockerEventChunk, DOCKER_EVENTS_BUFFER_MAX_BYTES);
+  async onDockerEvent(dockerEventChunk: DockerEventChunk) {
+    await onDockerEventOrchestration(
+      this.asDockerEventsWatcher(),
+      dockerEventChunk,
+      DOCKER_EVENTS_BUFFER_MAX_BYTES,
+    );
   }
 
   /**
@@ -1103,7 +930,13 @@ class Docker extends Watcher {
     this.log.info(`Cron started (${this.configuration.cron})`);
 
     // Get container reports
-    const containerReports = await this.watch();
+    this.isCronWatchInProgress = true;
+    let containerReports: ContainerReport[] = [];
+    try {
+      containerReports = await this.watch();
+    } finally {
+      this.isCronWatchInProgress = false;
+    }
 
     // Count container reports
     const containerReportsCount = containerReports.length;
@@ -1133,6 +966,7 @@ class Docker extends Watcher {
   async watch() {
     this.ensureLogger();
     let containers: Container[] = [];
+    startDigestCachePollCycleForRegistries();
 
     // Dispatch event to notify start watching
     event.emitWatcherStart(this);
@@ -1140,10 +974,24 @@ class Docker extends Watcher {
     // List images to watch
     try {
       containers = await this.getContainers();
-    } catch (e: any) {
-      this.log.warn(`Error when trying to get the list of the containers to watch (${e.message})`);
+    } catch (e: unknown) {
+      this.log.warn(
+        `Error when trying to get the list of the containers to watch (${getErrorMessage(e)})`,
+      );
     }
     try {
+      if (this.isCronWatchInProgress) {
+        containers = containers.filter((container) => {
+          const shouldSkip = consumeFreshContainerScheduledPollSkip(container.id);
+          if (shouldSkip) {
+            this.log.debug(
+              `${fullName(container)} - Skipping scheduled poll because a registry webhook already triggered an immediate check`,
+            );
+          }
+          return !shouldSkip;
+        });
+      }
+
       const containerReportsSettled = await Promise.allSettled(
         containers.map((container) => this.watchContainer(container)),
       );
@@ -1152,16 +1000,27 @@ class Docker extends Watcher {
           return containerReport.value;
         }
         const message = getErrorMessage(containerReport.reason);
-        this.log.warn(`Error when processing some containers (${message})`);
+        this.log.warn(
+          `Error when processing container ${fullName(containers[index])} (${message})`,
+        );
         const fallbackContainerReport = buildFallbackContainerReport(containers[index], message);
         event.emitContainerReport(fallbackContainerReport);
         return fallbackContainerReport;
       });
       event.emitContainerReports(containerReports);
+      event.emitWatcherSnapshot({
+        watcher: {
+          type: this.type,
+          name: this.name,
+        },
+        containers: containerReports.map((containerReport) => containerReport.container),
+      });
       return containerReports;
     } finally {
+      endDigestCachePollCycleForRegistries();
       // Dispatch event to notify stop watching
       event.emitWatcherStop(this);
+      this.lastRunAt = new Date().toISOString();
     }
   }
 
@@ -1172,29 +1031,14 @@ class Docker extends Watcher {
    */
   async watchContainer(container: Container) {
     this.ensureLogger();
-    // Child logger for the container to process
-    const logContainer = this.log.child({ container: fullName(container) });
-    const containerWithResult = container;
-
-    // Reset previous results if so
-    delete containerWithResult.result;
-    delete containerWithResult.error;
-    logContainer.debug('Start watching');
-
-    try {
-      containerWithResult.result = await this.findNewVersion(container, logContainer);
-    } catch (e: any) {
-      const errorMessage = getErrorMessage(e);
-      logContainer.warn(`Error when processing (${errorMessage})`);
-      logContainer.debug(e);
-      containerWithResult.error = {
-        message: errorMessage,
-      };
-    }
-
-    const containerReport = this.mapContainerToContainerReport(containerWithResult);
-    event.emitContainerReport(containerReport);
-    return containerReport;
+    return watchContainerState(container, {
+      ensureLogger: () => this.ensureLogger(),
+      log: this.log,
+      findNewVersion: (containerToCheck, logContainer) =>
+        this.findNewVersion(containerToCheck, logContainer),
+      mapContainerToContainerReport: (containerWithResult) =>
+        this.mapContainerToContainerReport(containerWithResult),
+    });
   }
 
   /**
@@ -1205,42 +1049,56 @@ class Docker extends Watcher {
     this.ensureLogger();
     await this.ensureRemoteAuthHeaders();
     let containersFromTheStore: Container[] = [];
+    let sameSourceContainersFromTheStore: Container[] = [];
     try {
       containersFromTheStore = storeContainer.getContainers({
         watcher: this.name,
       });
-    } catch (e: any) {
+    } catch (e: unknown) {
       this.log.warn(
-        `Error when trying to get the existing containers from the store (${e.message})`,
+        `Error when trying to get the existing containers from the store (${getErrorMessage(e)})`,
       );
     }
+    try {
+      sameSourceContainersFromTheStore = getContainersFromSameDockerSource(this, [
+        ...storeContainer.getContainers(),
+      ]);
+    } catch (e: unknown) {
+      this.log.warn(
+        `Error when trying to get same-source containers from the store (${getErrorMessage(e)})`,
+      );
+      sameSourceContainersFromTheStore = [...containersFromTheStore];
+    }
     const listContainersOptions: Dockerode.ContainerListOptions = {};
     if (this.configuration.watchall) {
       listContainersOptions.all = true;
     }
-    const containers = await this.dockerApi.listContainers(listContainersOptions);
+    const containers = (await this.dockerApi.listContainers(
+      listContainersOptions,
+    )) as unknown as DockerContainerSummaryLike[];
 
     const swarmServiceLabelsCache = new Map<string, Promise<Record<string, string>>>();
-    const containersWithResolvedLabels = await Promise.all(
-      containers.map(async (container: any) => ({
+    const containersWithResolvedLabels: DockerContainerSummaryWithLabels[] = await Promise.all(
+      containers.map(async (container) => ({
         ...container,
         Labels: await this.getEffectiveContainerLabels(container, swarmServiceLabelsCache),
       })),
     );
 
     // Filter on containers to watch
-    const filteredContainers = containersWithResolvedLabels.filter((container: any) =>
+    const filteredContainers = containersWithResolvedLabels.filter((container) =>
       isContainerToWatch(
         getLabel(container.Labels, ddWatch, wudWatch),
         this.configuration.watchbydefault,
       ),
     );
-    const { containersToWatch, skippedContainerIds } = filterRecreatedContainerAliases(
+    const { containersToWatch, skippedContainerIds, decisions } = filterRecreatedContainerAliases(
       filteredContainers,
       containersFromTheStore,
     );
+    this.recordAliasFilterDecisions(decisions);
 
-    const containerPromises = containersToWatch.map((container: any) =>
+    const containerPromises = containersToWatch.map((container) =>
       this.addImageDetailsToContainer(container, {
         includeTags: getLabel(container.Labels, ddTagInclude, wudTagInclude),
         excludeTags: getLabel(container.Labels, ddTagExclude, wudTagExclude),
@@ -1257,9 +1115,12 @@ class Docker extends Watcher {
           wudRegistryLookupImage,
         ),
         registryLookupUrl: getLabel(container.Labels, ddRegistryLookupUrl, wudRegistryLookupUrl),
-      }).catch((e) => {
-        this.log.warn(`Failed to fetch image detail for container ${container.Id}: ${e.message}`);
-        return e;
+      }).catch((error: unknown) => {
+        const errorMessage = getErrorMessage(error);
+        this.log.warn(
+          `${container.Names?.[0]?.replace(/^\//, '') || container.Id?.substring(0, 12)}: Failed to fetch image detail (${errorMessage || `${error}`})`,
+        );
+        return error;
       }),
     );
     const containersToReturn = (await Promise.all(containerPromises)).filter(
@@ -1270,9 +1131,10 @@ class Docker extends Watcher {
     try {
       await pruneOldContainers(containersToReturn, containersFromTheStore, this.dockerApi, {
         forceRemoveContainerIds: skippedContainerIds,
+        sameSourceContainersFromStore: sameSourceContainersFromTheStore,
       });
-    } catch (e: any) {
-      this.log.warn(`Error when trying to prune the old containers (${e.message})`);
+    } catch (e: unknown) {
+      this.log.warn(`Error when trying to prune the old containers (${getErrorMessage(e)})`);
     }
     getWatchContainerGauge()?.set(
       {
@@ -1326,16 +1188,18 @@ class Docker extends Watcher {
         ...serviceLabels,
         ...taskContainerLabels,
       };
-    } catch (e: any) {
+    } catch (e: unknown) {
       this.log.warn(
-        `Unable to inspect swarm service ${serviceId} for container ${containerId} (${e.message}); deploy-level labels will not be available`,
+        `Unable to inspect swarm service ${serviceId} for container ${containerId} (${getErrorMessage(
+          e,
+        )}); deploy-level labels will not be available`,
       );
       return {};
     }
   }
 
   async getEffectiveContainerLabels(
-    container: any,
+    container: DockerContainerSummaryLike,
     serviceLabelsCache: Map<string, Promise<Record<string, string>>>,
   ): Promise<Record<string, string>> {
     const containerLabels = container.Labels || {};
@@ -1357,174 +1221,100 @@ class Docker extends Watcher {
     };
   }
 
-  private getImgsetMatchCandidate(
-    imgsetName: string,
-    imgsetConfiguration: any,
-    parsedImage: any,
-  ): ImgsetMatchCandidate | undefined {
-    const imagePattern = getFirstConfigString(imgsetConfiguration, ['image', 'match']);
-    if (!imagePattern) {
-      return undefined;
-    }
-
-    const specificity = getImgsetSpecificity(imagePattern, parsedImage);
-    if (specificity < 0) {
-      return undefined;
-    }
-
-    return {
-      specificity,
-      imgset: getResolvedImgsetConfiguration(imgsetName, imgsetConfiguration),
-    };
-  }
-
-  private isBetterImgsetMatch(
-    candidate: ImgsetMatchCandidate,
-    currentBest: ImgsetMatchCandidate,
-  ): boolean {
-    if (candidate.specificity !== currentBest.specificity) {
-      return candidate.specificity > currentBest.specificity;
-    }
-
-    return candidate.imgset.name.localeCompare(currentBest.imgset.name) < 0;
-  }
-
-  getMatchingImgsetConfiguration(parsedImage: any): ResolvedImgset | undefined {
-    const configuredImgsets = this.configuration.imgset;
-    if (!configuredImgsets || typeof configuredImgsets !== 'object') {
-      return undefined;
-    }
-
-    let bestMatch: ImgsetMatchCandidate | undefined;
-    for (const [imgsetName, imgsetConfiguration] of Object.entries(configuredImgsets)) {
-      const candidate = this.getImgsetMatchCandidate(imgsetName, imgsetConfiguration, parsedImage);
-      if (!candidate) {
-        continue;
-      }
-
-      if (!bestMatch || this.isBetterImgsetMatch(candidate, bestMatch)) {
-        bestMatch = candidate;
-      }
-    }
-
-    return bestMatch?.imgset;
+  getMatchingImgsetConfiguration(
+    parsedImage: Parameters<typeof getMatchingImgsetConfigurationState>[0],
+  ) {
+    return getMatchingImgsetConfigurationState(parsedImage, this.configuration.imgset);
   }
 
   /**
    * Find new version for a Container.
    */
 
-  /**
-   * Resolve remote digest information when digest watching is enabled.
-   * Updates `container.image.digest.value` and populates digest/created on `result`.
-   */
-  private async handleDigestWatch(
-    container: Container,
-    registryProvider: ContainerTagLookupProvider,
-    tagsCandidates: string[],
-    result: ContainerResult,
-  ) {
-    const imageToGetDigestFrom = structuredClone(container.image);
-    if (tagsCandidates.length > 0) {
-      [imageToGetDigestFrom.tag.value] = tagsCandidates;
-    }
-
-    const remoteDigest = await registryProvider.getImageManifestDigest(imageToGetDigestFrom);
-
-    result.digest = remoteDigest.digest;
-    result.created = remoteDigest.created;
-
-    if (remoteDigest.version === 2) {
-      const digestV2 = await registryProvider.getImageManifestDigest(
-        imageToGetDigestFrom,
-        container.image.digest.repo,
-      );
-      container.image.digest.value = digestV2.digest;
-    } else {
-      container.image.digest.value = container.image.digest.repo;
-    }
-  }
-
   async findNewVersion(container: Container, logContainer: ContainerWatchLogger) {
-    let registryProvider: ContainerTagLookupProvider;
-    try {
-      registryProvider = getRegistry(container.image.registry.name) as ContainerTagLookupProvider;
-    } catch {
-      logContainer.error(`Unsupported registry (${container.image.registry.name})`);
-      return { tag: container.image.tag.value };
-    }
-
-    const result: ContainerResult = { tag: container.image.tag.value };
-
-    // Get all available tags
-    const tags = await registryProvider.getTags(container.image);
-
-    // Get candidate tags (based on tag name)
-    const { tags: tagsCandidates, noUpdateReason } = getTagCandidates(
-      container,
-      tags,
-      logContainer,
-    );
-    if (noUpdateReason) {
-      result.noUpdateReason = noUpdateReason;
-    }
-
-    // Must watch digest? => Find local/remote digests on registry
-    if (container.image.digest.watch && container.image.digest.repo) {
-      await this.handleDigestWatch(container, registryProvider, tagsCandidates, result);
-    }
-
-    // The first one in the array is the highest
-    if (tagsCandidates && tagsCandidates.length > 0) {
-      [result.tag] = tagsCandidates;
-    }
-    return result;
+    return findNewVersionState(container, logContainer);
   }
 
   /**
    * Add image detail to Container.
    */
-  async addImageDetailsToContainer(container: any, labelOverrides: ContainerLabelOverrides = {}) {
-    return addImageDetailsToContainerOrchestration(this as any, container, labelOverrides, {
-      resolveLabelsFromContainer,
-      mergeConfigWithImgset,
-      normalizeContainer,
-      resolveImageName: (imageName: string, image: any) => this.resolveImageName(imageName, image),
-      resolveTagName: (
-        parsedImage: any,
-        image: any,
-        inspectTagPath: string | undefined,
-        transformTagsFromLabel: string | undefined,
-        containerId: string,
-      ) =>
-        this.resolveTagName(
-          parsedImage,
-          image,
-          inspectTagPath,
-          transformTagsFromLabel,
-          containerId,
-        ),
-      getMatchingImgsetConfiguration: (parsedImage: any) =>
-        this.getMatchingImgsetConfiguration(parsedImage),
-    });
+  async addImageDetailsToContainer(
+    container: DockerImageDetailsContainer,
+    labelOverrides: ContainerLabelOverrides = {},
+  ) {
+    return addImageDetailsToContainerOrchestration(
+      this.asDockerImageDetailsWatcher(),
+      container,
+      labelOverrides,
+      {
+        resolveLabelsFromContainer,
+        mergeConfigWithImgset,
+        normalizeContainer,
+        resolveImageName: (imageName: string, image: unknown, containerName?: string) =>
+          this.resolveImageName(imageName, image, containerName),
+        resolveTagName: (
+          parsedImage: ParsedImageReferenceLike,
+          image: unknown,
+          inspectTagPath: string | undefined,
+          transformTagsFromLabel: string | undefined,
+          containerId: string,
+        ) =>
+          this.resolveTagName(
+            parsedImage,
+            image,
+            inspectTagPath,
+            transformTagsFromLabel,
+            containerId,
+          ),
+        getMatchingImgsetConfiguration: (
+          parsedImage: Parameters<typeof getMatchingImgsetConfigurationState>[0],
+        ) => this.getMatchingImgsetConfiguration(parsedImage),
+      },
+    );
   }
 
-  private resolveImageName(imageName: string, image: any) {
+  private resolveImageName(imageName: string, image: unknown, containerName?: string) {
+    const imageRecord = image as DockerImageInspectPayloadLike;
     let imageNameToParse = imageName;
     if (imageNameToParse.includes('sha256:')) {
-      if (!image.RepoTags || image.RepoTags.length === 0) {
+      if (!imageRecord.RepoTags || imageRecord.RepoTags.length === 0) {
         this.ensureLogger();
-        this.log.warn(`Cannot get a reliable tag for this image [${imageNameToParse}]`);
-        return undefined;
+        const namePrefix = containerName ? `${containerName}: ` : '';
+        this.log.warn(
+          `${namePrefix}Cannot get a reliable tag for this image [${imageNameToParse}]`,
+        );
+        return this.resolveDigestOnlyImage(imageRecord, imageNameToParse);
       }
-      [imageNameToParse] = image.RepoTags;
+      [imageNameToParse] = imageRecord.RepoTags;
     }
     return parse(imageNameToParse);
   }
 
+  /**
+   * Build a parsed image reference for a digest-only image (no RepoTags).
+   * Uses RepoDigests to extract the image name when available, otherwise
+   * falls back to a minimal representation so the container remains visible.
+   */
+  private resolveDigestOnlyImage(imageRecord: DockerImageInspectPayloadLike, rawName: string) {
+    if (imageRecord.RepoDigests && imageRecord.RepoDigests.length > 0) {
+      const repoDigest = imageRecord.RepoDigests[0];
+      const atIndex = repoDigest.indexOf('@');
+      if (atIndex > 0) {
+        const imageRef = repoDigest.substring(0, atIndex);
+        const parsed = parse(imageRef);
+        // Use the sha256 digest as the tag since no tag is available
+        const digest = repoDigest.substring(atIndex + 1);
+        return { ...parsed, tag: digest };
+      }
+    }
+    // No useful metadata at all — use a truncated digest as the tag
+    const digest = rawName.startsWith('sha256:') ? rawName : `sha256:${rawName}`;
+    return { path: digest, tag: 'unknown' };
+  }
+
   private resolveTagName(
-    parsedImage: any,
-    image: any,
+    parsedImage: ParsedImageReferenceLike,
+    image: unknown,
     inspectTagPath: string | undefined,
     transformTagsFromLabel: string | undefined,
     containerId: string,
@@ -1555,27 +1345,10 @@ class Docker extends Watcher {
    */
   mapContainerToContainerReport(containerWithResult: Container) {
     this.ensureLogger();
-    const logContainer = this.log.child({
-      container: fullName(containerWithResult),
+    return mapContainerToContainerReportState(containerWithResult, {
+      ensureLogger: () => this.ensureLogger(),
+      log: this.log,
     });
-    // Find container in db & compare
-    const containerInDb = storeContainer.getContainer(containerWithResult.id);
-
-    if (containerInDb) {
-      // Found in DB? => update it
-      const updatedContainer = storeContainer.updateContainer(containerWithResult);
-      return {
-        container: updatedContainer,
-        changed:
-          containerInDb.resultChanged(updatedContainer) && containerWithResult.updateAvailable,
-      };
-    }
-    // Not found in DB? => Save it
-    logContainer.debug('Container watched for the first time');
-    return {
-      container: storeContainer.insertContainer(containerWithResult),
-      changed: true,
-    };
   }
 }
 export default Docker;
diff --git a/app/watchers/providers/docker/Docker.watch.test.ts b/app/watchers/providers/docker/Docker.watch.test.ts
new file mode 100644
index 000000000..18ede14a3
--- /dev/null
+++ b/app/watchers/providers/docker/Docker.watch.test.ts
@@ -0,0 +1,703 @@
+import type { Mocked } from 'vitest';
+import * as event from '../../../event/index.js';
+import { fullName } from '../../../model/container.js';
+import * as registry from '../../../registry/index.js';
+import * as storeContainer from '../../../store/container.js';
+import { mockConstructor } from '../../../test/mock-constructor.js';
+import {
+  _resetRegistryWebhookFreshStateForTests,
+  markContainerFreshForScheduledPollSkip,
+} from '../../registry-webhook-fresh.js';
+import Docker from './Docker.js';
+
+const mockDdEnvVars = vi.hoisted(() => ({}) as Record<string, string | undefined>);
+const mockDetectSourceRepoFromImageMetadata = vi.hoisted(() => vi.fn());
+const mockResolveSourceRepoForContainer = vi.hoisted(() => vi.fn());
+const mockGetFullReleaseNotesForContainer = vi.hoisted(() => vi.fn());
+const mockToContainerReleaseNotes = vi.hoisted(() => vi.fn((notes) => notes));
+vi.mock('../../../configuration/index.js', async (importOriginal) => ({
+  ...(await importOriginal<typeof import('../../../configuration/index.js')>()),
+  ddEnvVars: mockDdEnvVars,
+}));
+vi.mock('../../../release-notes/index.js', () => ({
+  detectSourceRepoFromImageMetadata: (...args: unknown[]) =>
+    mockDetectSourceRepoFromImageMetadata(...args),
+  resolveSourceRepoForContainer: (...args: unknown[]) => mockResolveSourceRepoForContainer(...args),
+  getFullReleaseNotesForContainer: (...args: unknown[]) =>
+    mockGetFullReleaseNotesForContainer(...args),
+  toContainerReleaseNotes: (...args: unknown[]) => mockToContainerReleaseNotes(...args),
+}));
+
+// Mock all dependencies
+vi.mock('dockerode');
+vi.mock('node-cron');
+vi.mock('just-debounce');
+vi.mock('../../../event');
+vi.mock('../../../store/container');
+vi.mock('../../../registry');
+vi.mock('../../../model/container');
+vi.mock('../../../tag');
+vi.mock('../../../prometheus/watcher');
+vi.mock('parse-docker-image-name');
+vi.mock('node:fs');
+vi.mock('axios');
+vi.mock('./maintenance.js', () => ({
+  isInMaintenanceWindow: vi.fn(() => true),
+  getNextMaintenanceWindow: vi.fn(() => undefined),
+}));
+
+import axios from 'axios';
+import mockDockerode from 'dockerode';
+import mockDebounce from 'just-debounce';
+import mockCron from 'node-cron';
+import mockParse from 'parse-docker-image-name';
+import * as mockPrometheus from '../../../prometheus/watcher.js';
+import * as mockTag from '../../../tag/index.js';
+import * as dockerHelpers from './docker-helpers.js';
+import * as maintenance from './maintenance.js';
+
+const mockAxios = axios as Mocked<typeof axios>;
+
+// --- Shared factory functions to reduce test duplication ---
+
+/** Creates a mock log object with commonly needed methods. */
+function createMockLog(methods = ['info', 'warn', 'debug', 'error']) {
+  const log = {};
+  for (const m of methods) {
+    log[m] = vi.fn();
+  }
+  return log;
+}
+
+let mockImage;
+
+describe('Docker Watcher', () => {
+  let docker;
+  let mockDockerApi;
+  let mockSchedule;
+  let mockContainer;
+
+  beforeEach(async () => {
+    vi.clearAllMocks();
+    _resetRegistryWebhookFreshStateForTests();
+
+    // Setup dockerode mock
+    mockDockerApi = {
+      listContainers: vi.fn(),
+      getContainer: vi.fn(),
+      getEvents: vi.fn(),
+      getImage: vi.fn(),
+      getService: vi.fn(),
+      modem: {
+        headers: {},
+      },
+    };
+    mockDockerode.mockImplementation(mockConstructor(mockDockerApi));
+
+    // Setup cron mock
+    mockSchedule = {
+      stop: vi.fn(),
+    };
+    mockCron.schedule.mockReturnValue(mockSchedule);
+
+    // Setup debounce mock
+    mockDebounce.mockImplementation((fn) => fn);
+
+    // Setup container mock
+    mockContainer = {
+      inspect: vi.fn(),
+    };
+    mockDockerApi.getContainer.mockReturnValue(mockContainer);
+
+    // Setup image mock
+    mockImage = {
+      inspect: vi.fn(),
+    };
+    mockDockerApi.getImage.mockReturnValue(mockImage);
+
+    // Setup store mock
+    storeContainer.getContainers.mockReturnValue([]);
+    storeContainer.getContainer.mockReturnValue(undefined);
+    storeContainer.insertContainer.mockImplementation((c) => c);
+    storeContainer.updateContainer.mockImplementation((c) => c);
+    storeContainer.deleteContainer.mockImplementation(() => {});
+
+    // Setup registry mock
+    registry.getState.mockReturnValue({ registry: {} });
+
+    // Setup event mock
+    event.emitWatcherStart.mockImplementation(() => {});
+    event.emitWatcherStop.mockImplementation(() => {});
+    event.emitContainerReport.mockImplementation(() => {});
+    event.emitContainerReports.mockImplementation(() => {});
+    event.emitWatcherSnapshot.mockImplementation(() => {});
+
+    // Setup tag mock
+    mockTag.parse.mockReturnValue({ major: 1, minor: 0, patch: 0 });
+    mockTag.isGreater.mockReturnValue(false);
+    mockTag.transform.mockImplementation((transform, tag) => tag);
+
+    // Setup prometheus mock
+    const mockGauge = { set: vi.fn() };
+    mockPrometheus.getWatchContainerGauge.mockReturnValue(mockGauge);
+    mockPrometheus.getMaintenanceSkipCounter.mockReturnValue({
+      labels: vi.fn().mockReturnValue({ inc: vi.fn() }),
+    });
+    mockPrometheus.getLoggerInitFailureCounter.mockReturnValue({
+      labels: vi.fn().mockReturnValue({ inc: vi.fn() }),
+    });
+
+    // Setup maintenance helpers
+    maintenance.isInMaintenanceWindow.mockReturnValue(true);
+    maintenance.getNextMaintenanceWindow.mockReturnValue(undefined);
+
+    // Setup parse mock
+    mockParse.mockReturnValue({
+      domain: 'docker.io',
+      path: 'library/nginx',
+      tag: '1.0.0',
+    });
+
+    mockAxios.post.mockResolvedValue({
+      data: {
+        access_token: 'oidc-token',
+        expires_in: 300,
+      },
+    } as any);
+
+    // Setup fullName mock
+    fullName.mockReturnValue('test_container');
+
+    docker = new Docker();
+  });
+
+  afterEach(async () => {
+    vi.useRealTimers();
+    if (docker) {
+      await docker.deregisterComponent();
+    }
+  });
+
+  describe('Container Watching', () => {
+    test('should watch containers from cron', async () => {
+      await docker.register('watcher', 'docker', 'test', {
+        cron: '0 * * * *',
+      });
+      const mockLog = createMockLog(['info']);
+      docker.log = mockLog;
+      docker.watch = vi.fn().mockResolvedValue([]);
+
+      await docker.watchFromCron();
+
+      expect(docker.watch).toHaveBeenCalled();
+      expect(mockLog.info).toHaveBeenCalledWith(expect.stringContaining('Cron started'));
+      expect(mockLog.info).toHaveBeenCalledWith(expect.stringContaining('Cron finished'));
+    });
+
+    test('should report container statistics', async () => {
+      await docker.register('watcher', 'docker', 'test', {
+        cron: '0 * * * *',
+      });
+      const mockLog = createMockLog(['info']);
+      docker.log = mockLog;
+      const containerReports = [
+        { container: { updateAvailable: true, error: undefined } },
+        {
+          container: {
+            updateAvailable: false,
+            error: { message: 'error' },
+          },
+        },
+      ];
+      docker.watch = vi.fn().mockResolvedValue(containerReports);
+
+      await docker.watchFromCron();
+
+      expect(mockLog.info).toHaveBeenCalledWith(
+        expect.stringContaining('2 containers watched, 1 errors, 1 available updates'),
+      );
+    });
+
+    test('should queue watch when outside maintenance window', async () => {
+      const maintenanceInc = vi.fn();
+      mockPrometheus.getMaintenanceSkipCounter.mockReturnValue({
+        labels: vi.fn().mockReturnValue({ inc: maintenanceInc }),
+      });
+      maintenance.isInMaintenanceWindow.mockReturnValue(false);
+
+      await docker.register('watcher', 'docker', 'test', {
+        cron: '0 * * * *',
+        maintenancewindow: '0 2 * * *',
+        maintenancewindowtz: 'UTC',
+      });
+      docker.log = createMockLog(['info']);
+      docker.watch = vi.fn().mockResolvedValue([]);
+
+      const result = await docker.watchFromCron();
+
+      expect(result).toEqual([]);
+      expect(docker.watch).not.toHaveBeenCalled();
+      expect(docker.maintenanceWindowWatchQueued).toBe(true);
+      expect(docker.maintenanceWindowQueueTimeout).toBeDefined();
+      expect(maintenanceInc).toHaveBeenCalledTimes(1);
+      docker.clearMaintenanceWindowQueue();
+    });
+
+    test('should execute queued watch when maintenance window opens', async () => {
+      vi.useFakeTimers();
+      try {
+        maintenance.isInMaintenanceWindow.mockReturnValue(false);
+
+        await docker.register('watcher', 'docker', 'test', {
+          cron: '0 * * * *',
+          maintenancewindow: '0 2 * * *',
+          maintenancewindowtz: 'UTC',
+        });
+        docker.log = createMockLog(['info', 'warn']);
+        docker.watch = vi.fn().mockResolvedValue([]);
+
+        await docker.watchFromCron();
+        expect(docker.maintenanceWindowWatchQueued).toBe(true);
+
+        maintenance.isInMaintenanceWindow.mockReturnValue(true);
+        await vi.advanceTimersByTimeAsync(60 * 1000);
+
+        expect(docker.watch).toHaveBeenCalledTimes(1);
+        expect(docker.maintenanceWindowWatchQueued).toBe(false);
+        expect(docker.maintenanceWindowQueueTimeout).toBeUndefined();
+      } finally {
+        vi.useRealTimers();
+      }
+    });
+
+    test('should clear queued maintenance watch when normal cron runs inside window', async () => {
+      vi.useFakeTimers();
+      try {
+        maintenance.isInMaintenanceWindow.mockReturnValue(false);
+
+        await docker.register('watcher', 'docker', 'test', {
+          cron: '0 * * * *',
+          maintenancewindow: '0 2 * * *',
+          maintenancewindowtz: 'UTC',
+        });
+        docker.log = createMockLog(['info']);
+        docker.watch = vi.fn().mockResolvedValue([]);
+
+        await docker.watchFromCron();
+        expect(docker.maintenanceWindowWatchQueued).toBe(true);
+        expect(docker.maintenanceWindowQueueTimeout).toBeDefined();
+
+        maintenance.isInMaintenanceWindow.mockReturnValue(true);
+        await docker.watchFromCron();
+
+        expect(docker.watch).toHaveBeenCalledTimes(1);
+        expect(docker.maintenanceWindowWatchQueued).toBe(false);
+        expect(docker.maintenanceWindowQueueTimeout).toBeUndefined();
+      } finally {
+        vi.useRealTimers();
+      }
+    });
+
+    test('should expose maintenance runtime state in masked configuration', async () => {
+      maintenance.isInMaintenanceWindow.mockReturnValue(false);
+      maintenance.getNextMaintenanceWindow.mockReturnValue(new Date('2026-02-13T02:00:00.000Z'));
+
+      await docker.register('watcher', 'docker', 'test', {
+        cron: '0 * * * *',
+        maintenancewindow: '0 2 * * *',
+        maintenancewindowtz: 'UTC',
+      });
+      docker.maintenanceWindowWatchQueued = true;
+
+      const maskedConfiguration = docker.maskConfiguration();
+      expect(maskedConfiguration.maintenancewindowopen).toBe(false);
+      expect(maskedConfiguration.maintenancewindowqueued).toBe(true);
+      expect(maskedConfiguration.maintenancenextwindow).toBe('2026-02-13T02:00:00.000Z');
+    });
+
+    test('should emit watcher events during watch', async () => {
+      docker.getContainers = vi.fn().mockResolvedValue([]);
+
+      await docker.watch();
+
+      expect(event.emitWatcherStart).toHaveBeenCalledWith(docker);
+      expect(event.emitWatcherStop).toHaveBeenCalledWith(docker);
+    });
+
+    test('should set lastRunAt after watch completes', async () => {
+      docker.getContainers = vi.fn().mockResolvedValue([]);
+      expect(docker.lastRunAt).toBeUndefined();
+
+      await docker.watch();
+
+      expect(docker.lastRunAt).toBeDefined();
+      expect(new Date(docker.lastRunAt).toISOString()).toBe(docker.lastRunAt);
+    });
+
+    test('should set lastRunAt even when watch encounters errors', async () => {
+      docker.log = createMockLog(['warn']);
+      docker.getContainers = vi.fn().mockRejectedValue(new Error('Docker unavailable'));
+
+      await docker.watch();
+
+      expect(docker.lastRunAt).toBeDefined();
+    });
+
+    test('should expose lastRunAt via getMetadata', async () => {
+      docker.getContainers = vi.fn().mockResolvedValue([]);
+
+      expect(docker.getMetadata()).toStrictEqual({ lastRunAt: undefined });
+
+      await docker.watch();
+
+      expect(docker.getMetadata().lastRunAt).toBeDefined();
+    });
+
+    test('should start and end digest cache poll cycle for cache-aware registries', async () => {
+      const startDigestCachePollCycle = vi.fn();
+      const endDigestCachePollCycle = vi.fn();
+      registry.getState.mockReturnValue({
+        registry: {
+          hub: {
+            startDigestCachePollCycle,
+            endDigestCachePollCycle,
+          },
+        },
+      });
+      docker.getContainers = vi.fn().mockResolvedValue([]);
+
+      await docker.watch();
+
+      expect(startDigestCachePollCycle).toHaveBeenCalledTimes(1);
+      expect(endDigestCachePollCycle).toHaveBeenCalledTimes(1);
+    });
+
+    test('should end digest cache poll cycle even when watch throws while listing containers', async () => {
+      const startDigestCachePollCycle = vi.fn();
+      const endDigestCachePollCycle = vi.fn();
+      registry.getState.mockReturnValue({
+        registry: {
+          hub: {
+            startDigestCachePollCycle,
+            endDigestCachePollCycle,
+          },
+        },
+      });
+      const mockLog = createMockLog(['warn']);
+      docker.log = mockLog;
+      docker.getContainers = vi.fn().mockRejectedValue(new Error('Docker unavailable'));
+
+      await docker.watch();
+
+      expect(startDigestCachePollCycle).toHaveBeenCalledTimes(1);
+      expect(endDigestCachePollCycle).toHaveBeenCalledTimes(1);
+    });
+
+    test('should handle error getting containers', async () => {
+      const mockLog = createMockLog(['warn']);
+      docker.log = mockLog;
+      docker.getContainers = vi.fn().mockRejectedValue(new Error('Docker unavailable'));
+
+      await docker.watch();
+
+      expect(mockLog.warn).toHaveBeenCalledWith(expect.stringContaining('Docker unavailable'));
+    });
+
+    test('should handle error processing containers', async () => {
+      const mockLog = createMockLog(['warn']);
+      docker.log = mockLog;
+      docker.getContainers = vi.fn().mockResolvedValue([{ id: 'test' }]);
+      docker.watchContainer = vi.fn().mockRejectedValue(new Error('Processing failed'));
+
+      const result = await docker.watch();
+
+      expect(result).toEqual([
+        {
+          container: {
+            id: 'test',
+            error: { message: 'Processing failed' },
+            updateAvailable: false,
+            updateKind: { kind: 'unknown' },
+          },
+          changed: false,
+        },
+      ]);
+      expect(mockLog.warn).toHaveBeenCalledWith(expect.stringContaining('Processing failed'));
+    });
+
+    test('should continue processing when one container fails during watch', async () => {
+      const mockLog = createMockLog(['warn']);
+      docker.log = mockLog;
+      docker.getContainers = vi.fn().mockResolvedValue([{ id: 'failed' }, { id: 'ok' }]);
+      docker.watchContainer = vi
+        .fn()
+        .mockRejectedValueOnce(new Error('failed to process'))
+        .mockResolvedValueOnce({
+          container: { id: 'ok', updateAvailable: false },
+          changed: false,
+        });
+
+      const result = await docker.watch();
+
+      expect(result).toHaveLength(2);
+      expect(result[0]).toEqual({
+        container: {
+          id: 'failed',
+          error: { message: 'failed to process' },
+          updateAvailable: false,
+          updateKind: { kind: 'unknown' },
+        },
+        changed: false,
+      });
+      expect(result[1]).toEqual({
+        container: { id: 'ok', updateAvailable: false },
+        changed: false,
+      });
+      expect(event.emitContainerReports).toHaveBeenCalledWith(result);
+      expect(event.emitWatcherSnapshot).toHaveBeenCalledWith({
+        watcher: { type: docker.type, name: docker.name },
+        containers: result.map((report) => report.container),
+      });
+    });
+
+    test('should skip containers refreshed by registry webhooks on the next scheduled poll', async () => {
+      const freshContainer = {
+        id: 'fresh-id',
+        name: 'fresh-container',
+        watcher: 'test',
+      };
+      const regularContainer = {
+        id: 'regular-id',
+        name: 'regular-container',
+        watcher: 'test',
+      };
+      docker.log = createMockLog(['warn', 'info', 'debug']);
+      docker.getContainers = vi.fn().mockResolvedValue([freshContainer, regularContainer]);
+      docker.watchContainer = vi.fn().mockImplementation(async (container) => ({
+        container: { ...container, updateAvailable: false },
+        changed: false,
+      }));
+      markContainerFreshForScheduledPollSkip('fresh-id');
+
+      const result = await docker.watchFromCron();
+
+      expect(docker.watchContainer).toHaveBeenCalledTimes(1);
+      expect(docker.watchContainer).toHaveBeenCalledWith(regularContainer);
+      expect(result).toHaveLength(1);
+      expect(docker.log.debug).toHaveBeenCalledWith(
+        expect.stringContaining('Skipping scheduled poll'),
+      );
+    });
+  });
+
+  describe('Additional Coverage - watchFromCron and getContainers', () => {
+    test('should return empty when log is missing', async () => {
+      await docker.register('watcher', 'docker', 'test', { cron: '0 * * * *' });
+      docker.log = null;
+      expect(await docker.watchFromCron()).toEqual([]);
+    });
+
+    test('should filter out containers when addImageDetailsToContainer throws', async () => {
+      mockDockerApi.listContainers.mockResolvedValue([
+        { Id: '1', Labels: { 'dd.watch': 'true' }, Names: ['/test1'] },
+      ]);
+      docker.addImageDetailsToContainer = vi
+        .fn()
+        .mockRejectedValue(new Error('Image inspect failed'));
+      await docker.register('watcher', 'docker', 'test', { watchbydefault: true });
+      docker.log = createMockLog(['warn', 'info', 'debug']);
+      const result = await docker.getContainers();
+      expect(docker.log.warn).toHaveBeenCalledWith(
+        expect.stringContaining('Failed to fetch image detail'),
+      );
+      expect(result).toHaveLength(0);
+    });
+
+    test('should fallback to stringified error when image detail fetch error has empty message', async () => {
+      const getErrorMessageSpy = vi.spyOn(dockerHelpers, 'getErrorMessage').mockReturnValue('');
+      try {
+        mockDockerApi.listContainers.mockResolvedValue([
+          { Id: '1', Labels: { 'dd.watch': 'true' }, Names: ['/test1'] },
+        ]);
+        docker.addImageDetailsToContainer = vi.fn().mockRejectedValue({ message: '' });
+        await docker.register('watcher', 'docker', 'test', { watchbydefault: true });
+        docker.log = createMockLog(['warn', 'info', 'debug']);
+
+        const result = await docker.getContainers();
+
+        expect(docker.log.warn).toHaveBeenCalledWith(
+          expect.stringContaining('test1: Failed to fetch image detail ([object Object])'),
+        );
+        expect(result).toEqual([{ message: '' }]);
+      } finally {
+        getErrorMessageSpy.mockRestore();
+      }
+    });
+
+    test('should use container id fallback in image-detail warning when docker names are missing', async () => {
+      mockDockerApi.listContainers.mockResolvedValue([
+        {
+          Id: '1234567890abcdef',
+          Labels: { 'dd.watch': 'true' },
+          Names: undefined,
+        },
+      ]);
+      docker.addImageDetailsToContainer = vi
+        .fn()
+        .mockRejectedValue(new Error('Image inspect failed'));
+      await docker.register('watcher', 'docker', 'test', { watchbydefault: true });
+      docker.log = createMockLog(['warn', 'info', 'debug']);
+
+      const result = await docker.getContainers();
+
+      expect(docker.log.warn).toHaveBeenCalledWith(
+        expect.stringContaining('1234567890ab: Failed to fetch image detail'),
+      );
+      expect(result).toHaveLength(0);
+    });
+
+    test('should skip maintenance counter increment when counter is unavailable', async () => {
+      await docker.register('watcher', 'docker', 'test', {
+        cron: '0 * * * *',
+        maintenancewindow: '0 2 * * *',
+      });
+      docker.log = createMockLog(['info', 'warn', 'debug']);
+      maintenance.isInMaintenanceWindow.mockReturnValue(false);
+      mockPrometheus.getMaintenanceSkipCounter.mockReturnValue(undefined);
+
+      const result = await docker.watchFromCron();
+      expect(result).toEqual([]);
+    });
+
+    test('should complete cron when info logger is removed before final summary', async () => {
+      await docker.register('watcher', 'docker', 'test', { cron: '0 * * * *' });
+      docker.log = createMockLog(['info', 'warn', 'debug']);
+      docker.watch = vi.fn().mockImplementation(async () => {
+        delete docker.log.info;
+        return [];
+      });
+
+      const result = await docker.watchFromCron();
+      expect(result).toEqual([]);
+    });
+  });
+
+  describe('Agent mode - Prometheus gauge not initialized', () => {
+    test('should not crash when getWatchContainerGauge returns undefined', async () => {
+      mockPrometheus.getWatchContainerGauge.mockReturnValue(undefined);
+      mockDockerApi.listContainers.mockResolvedValue([]);
+      storeContainer.getContainers.mockReturnValue([]);
+      await docker.register('watcher', 'docker', 'test', { watchbydefault: true });
+      docker.log = createMockLog(['warn', 'info', 'debug']);
+      const result = await docker.getContainers();
+      expect(result).toHaveLength(0);
+    });
+  });
+
+  describe('Additional Coverage - watchFromCron ensureLogger guard', () => {
+    test('should return empty array when ensureLogger produces non-functional log', async () => {
+      await docker.register('watcher', 'docker', 'test', { cron: '0 * * * *' });
+      docker.ensureLogger = () => {
+        docker.log = {};
+      };
+      const result = await docker.watchFromCron();
+      expect(result).toEqual([]);
+    });
+  });
+
+  describe('Additional Coverage - maintenance queue internals', () => {
+    test('should consider maintenance window open and next date undefined when no window is configured', () => {
+      docker.configuration.maintenancewindow = undefined;
+      expect(docker.isMaintenanceWindowOpen()).toBe(true);
+      expect(docker.getNextMaintenanceWindowDate()).toBeUndefined();
+    });
+
+    test('queueMaintenanceWindowWatch should not schedule twice when queue timeout already exists', () => {
+      const setTimeoutSpy = vi.spyOn(globalThis, 'setTimeout');
+      docker.maintenanceWindowQueueTimeout = { existing: true } as any;
+
+      docker.queueMaintenanceWindowWatch();
+
+      expect(docker.maintenanceWindowWatchQueued).toBe(true);
+      expect(setTimeoutSpy).not.toHaveBeenCalled();
+      setTimeoutSpy.mockRestore();
+      docker.maintenanceWindowQueueTimeout = undefined;
+    });
+
+    test('checkQueuedMaintenanceWindowWatch should clear queue when no maintenance window is configured', async () => {
+      docker.configuration.maintenancewindow = undefined;
+      docker.maintenanceWindowWatchQueued = true;
+      const clearSpy = vi.spyOn(docker, 'clearMaintenanceWindowQueue');
+
+      await docker.checkQueuedMaintenanceWindowWatch();
+
+      expect(clearSpy).toHaveBeenCalled();
+    });
+
+    test('checkQueuedMaintenanceWindowWatch should requeue when maintenance window remains closed', async () => {
+      docker.configuration.maintenancewindow = '0 2 * * *';
+      docker.maintenanceWindowWatchQueued = true;
+      maintenance.isInMaintenanceWindow.mockReturnValue(false);
+      const queueSpy = vi.spyOn(docker, 'queueMaintenanceWindowWatch');
+
+      await docker.checkQueuedMaintenanceWindowWatch();
+
+      expect(queueSpy).toHaveBeenCalled();
+    });
+
+    test('checkQueuedMaintenanceWindowWatch should warn when queued execution fails', async () => {
+      docker.configuration.maintenancewindow = '0 2 * * *';
+      docker.maintenanceWindowWatchQueued = true;
+      maintenance.isInMaintenanceWindow.mockReturnValue(true);
+      docker.log = createMockLog(['info', 'warn']);
+      docker.watchFromCron = vi.fn().mockRejectedValue(new Error('queued-failure'));
+
+      await docker.checkQueuedMaintenanceWindowWatch();
+
+      expect(docker.log.warn).toHaveBeenCalledWith(
+        expect.stringContaining('Unable to run queued maintenance watch (queued-failure)'),
+      );
+    });
+
+    test('queueMaintenanceWindowWatch should execute scheduled callback when timer fires', async () => {
+      vi.useFakeTimers();
+      try {
+        const checkSpy = vi
+          .spyOn(docker, 'checkQueuedMaintenanceWindowWatch')
+          .mockResolvedValue(undefined);
+        docker.maintenanceWindowQueueTimeout = undefined;
+
+        docker.queueMaintenanceWindowWatch();
+        await vi.runOnlyPendingTimersAsync();
+
+        expect(checkSpy).toHaveBeenCalled();
+      } finally {
+        vi.useRealTimers();
+      }
+    });
+
+    test('checkQueuedMaintenanceWindowWatch should proceed without logging when info method is missing', async () => {
+      docker.configuration.maintenancewindow = '0 2 * * *';
+      docker.maintenanceWindowWatchQueued = true;
+      maintenance.isInMaintenanceWindow.mockReturnValue(true);
+      docker.log = createMockLog(['warn']);
+      docker.watchFromCron = vi.fn().mockResolvedValue([]);
+
+      await docker.checkQueuedMaintenanceWindowWatch();
+
+      expect(docker.watchFromCron).toHaveBeenCalledWith({
+        ignoreMaintenanceWindow: true,
+      });
+    });
+
+    test('checkQueuedMaintenanceWindowWatch should swallow queued errors when warn method is missing', async () => {
+      docker.configuration.maintenancewindow = '0 2 * * *';
+      docker.maintenanceWindowWatchQueued = true;
+      maintenance.isInMaintenanceWindow.mockReturnValue(true);
+      docker.log = createMockLog(['info']);
+      docker.watchFromCron = vi.fn().mockRejectedValue(new Error('queued-failure'));
+
+      await expect(docker.checkQueuedMaintenanceWindowWatch()).resolves.toBeUndefined();
+    });
+  });
+});
diff --git a/app/watchers/providers/docker/container-event-update.test.ts b/app/watchers/providers/docker/container-event-update.test.ts
index 226b37f79..be9200539 100644
--- a/app/watchers/providers/docker/container-event-update.test.ts
+++ b/app/watchers/providers/docker/container-event-update.test.ts
@@ -391,6 +391,33 @@ describe('container event update helpers', () => {
     expect(updateContainer).toHaveBeenCalledWith(container);
   });
 
+  test('updateContainerFromInspect should canonicalize alias name from Docker inspect', () => {
+    const container = createMockContainer({
+      id: '8bf70beac570abcdef1234567890',
+      name: 'termix',
+    });
+    const updateContainer = vi.fn();
+    const logInfo = vi.fn();
+
+    updateContainerFromInspect(
+      container as any,
+      {
+        Name: '/8bf70beac570_termix',
+        State: { Status: 'running' },
+        Config: { Labels: {} },
+      },
+      {
+        getCustomDisplayNameFromLabels: () => undefined,
+        updateContainer,
+        logInfo,
+      },
+    );
+
+    // Name should remain canonical, not be overwritten with the alias
+    expect(container.name).toBe('termix');
+    expect(logInfo).not.toHaveBeenCalledWith(expect.stringContaining('Name changed'));
+  });
+
   test('updateContainerFromInspect applies custom display name label', () => {
     const container = createMockContainer({
       displayName: 'old-name',
@@ -475,6 +502,77 @@ describe('container event update helpers', () => {
     expect(updateContainer).not.toHaveBeenCalled();
   });
 
+  test('processDockerEvent includes string error message when inspect rejects with a string', async () => {
+    const debug = vi.fn();
+
+    await processDockerEvent(
+      { Action: 'start', id: 'container123' },
+      {
+        watchCronDebounced: vi.fn(),
+        ensureRemoteAuthHeaders: vi.fn().mockResolvedValue(undefined),
+        inspectContainer: vi.fn().mockRejectedValue('socket hung up'),
+        getContainerFromStore: vi.fn(),
+        updateContainerFromInspect: vi.fn(),
+        debug,
+      },
+    );
+
+    expect(debug).toHaveBeenCalledWith(expect.stringContaining('(socket hung up)'));
+  });
+
+  test('processDockerEvent reports unknown error when inspect rejects with null', async () => {
+    const debug = vi.fn();
+
+    await processDockerEvent(
+      { Action: 'start', id: 'container123' },
+      {
+        watchCronDebounced: vi.fn(),
+        ensureRemoteAuthHeaders: vi.fn().mockResolvedValue(undefined),
+        inspectContainer: vi.fn().mockRejectedValue(null),
+        getContainerFromStore: vi.fn(),
+        updateContainerFromInspect: vi.fn(),
+        debug,
+      },
+    );
+
+    expect(debug).toHaveBeenCalledWith(expect.stringContaining('(unknown error)'));
+  });
+
+  test('processDockerEvent reports unknown error when inspect rejects with object message that is not a string', async () => {
+    const debug = vi.fn();
+
+    await processDockerEvent(
+      { Action: 'start', id: 'container123' },
+      {
+        watchCronDebounced: vi.fn(),
+        ensureRemoteAuthHeaders: vi.fn().mockResolvedValue(undefined),
+        inspectContainer: vi.fn().mockRejectedValue({ message: { reason: 'bad' } }),
+        getContainerFromStore: vi.fn(),
+        updateContainerFromInspect: vi.fn(),
+        debug,
+      },
+    );
+
+    expect(debug).toHaveBeenCalledWith(expect.stringContaining('(unknown error)'));
+  });
+
+  test('processDockerEvent treats non-object docker event as missing container id', async () => {
+    const watchCronDebounced = vi.fn().mockResolvedValue(undefined);
+    const debug = vi.fn();
+
+    await processDockerEvent(null, {
+      watchCronDebounced,
+      ensureRemoteAuthHeaders: vi.fn(),
+      inspectContainer: vi.fn(),
+      getContainerFromStore: vi.fn(),
+      updateContainerFromInspect: vi.fn(),
+      debug,
+    });
+
+    expect(debug).toHaveBeenCalledWith(expect.stringContaining('container id is missing'));
+    expect(watchCronDebounced).toHaveBeenCalledTimes(1);
+  });
+
   test('updateContainerFromInspect should persist when label values change', () => {
     const container = createMockContainer({
       name: 'same-name',
diff --git a/app/watchers/providers/docker/container-event-update.ts b/app/watchers/providers/docker/container-event-update.ts
index e8a2b4852..665c4060c 100644
--- a/app/watchers/providers/docker/container-event-update.ts
+++ b/app/watchers/providers/docker/container-event-update.ts
@@ -1,11 +1,42 @@
 import type { Container } from '../../../model/container.js';
 
 import {
+  canonicalizeContainerName,
   getContainerDisplayName,
   shouldUpdateDisplayNameFromContainerName,
 } from './docker-helpers.js';
 import { areRuntimeDetailsEqual, getRuntimeDetailsFromInspect } from './runtime-details.js';
 
+type UnknownRecord = Record<string, unknown>;
+
+interface DockerContainerInspectLike {
+  State: {
+    Status: string;
+  };
+  Name?: string;
+  Config?: {
+    Labels?: Record<string, string>;
+  };
+}
+
+function asUnknownRecord(value: unknown): UnknownRecord | null {
+  if (!value || typeof value !== 'object') {
+    return null;
+  }
+  return value as UnknownRecord;
+}
+
+function getErrorMessage(error: unknown): string {
+  if (typeof error === 'string') {
+    return error;
+  }
+  const errorRecord = asUnknownRecord(error);
+  if (!errorRecord) {
+    return 'unknown error';
+  }
+  return typeof errorRecord.message === 'string' ? errorRecord.message : 'unknown error';
+}
+
 const RECREATED_CONTAINER_NAME_PATTERN = /^([a-f0-9]{12})_(.+)$/i;
 const RECREATED_CONTAINER_ALIAS_TRANSIENT_WINDOW_MS = 30 * 1000;
 
@@ -52,35 +83,41 @@ function isWithinRecreatedAliasTransientWindow(
   return ageMs <= RECREATED_CONTAINER_ALIAS_TRANSIENT_WINDOW_MS;
 }
 
-export interface ProcessDockerEventDependencies {
+interface ProcessDockerEventDependencies {
   watchCronDebounced: () => Promise<void>;
   ensureRemoteAuthHeaders: () => Promise<void>;
-  inspectContainer: (containerId: string) => Promise<any>;
+  inspectContainer: (containerId: string) => Promise<unknown>;
   getContainerFromStore: (containerId: string) => Container | undefined;
   updateContainerFromInspect: (containerFound: Container, containerInspect: unknown) => void;
   debug: (message: string) => void;
 }
 
-function resolveContainerIdFromDockerEvent(dockerEvent: any) {
+function resolveContainerIdFromDockerEvent(dockerEvent: unknown) {
   // Docker event payloads are not fully consistent across engine/API versions and transports:
   // some emit the container id at the top level (`id`), while others nest it under `Actor.ID`.
   // Read both paths so the watcher works reliably against local and remote daemons.
-  if (typeof dockerEvent?.id === 'string' && dockerEvent.id !== '') {
-    return dockerEvent.id;
+  const dockerEventRecord = asUnknownRecord(dockerEvent);
+  if (!dockerEventRecord) {
+    return undefined;
+  }
+
+  if (typeof dockerEventRecord.id === 'string' && dockerEventRecord.id !== '') {
+    return dockerEventRecord.id;
   }
 
-  if (typeof dockerEvent?.Actor?.ID === 'string' && dockerEvent.Actor.ID !== '') {
-    return dockerEvent.Actor.ID;
+  const actorRecord = asUnknownRecord(dockerEventRecord.Actor);
+  if (typeof actorRecord?.ID === 'string' && actorRecord.ID !== '') {
+    return actorRecord.ID;
   }
 
   return undefined;
 }
 
 export async function processDockerEvent(
-  dockerEvent: any,
+  dockerEvent: unknown,
   dependencies: ProcessDockerEventDependencies,
 ) {
-  const action = dockerEvent.Action;
+  const action = asUnknownRecord(dockerEvent)?.Action;
   const containerId = resolveContainerIdFromDockerEvent(dockerEvent);
 
   if (action === 'destroy' || action === 'create') {
@@ -97,7 +134,9 @@ export async function processDockerEvent(
   try {
     await dependencies.ensureRemoteAuthHeaders();
     const containerInspect = await dependencies.inspectContainer(containerId);
-    const inspectName = (containerInspect?.Name || '').replace(/^\//, '');
+    const inspectName = (
+      ((containerInspect as Record<string, unknown>)?.Name as string) || ''
+    ).replace(/^\//, '');
     const isAlias = isRecreatedContainerAlias(containerId, inspectName);
     const isTransientAlias = isWithinRecreatedAliasTransientWindow(
       getContainerCreatedAtMs(containerInspect),
@@ -130,14 +169,14 @@ export async function processDockerEvent(
       // Schedule a full refresh so the final human-readable name is captured.
       await dependencies.watchCronDebounced();
     }
-  } catch (e: any) {
+  } catch (e: unknown) {
     dependencies.debug(
-      `Unable to get container details for container id=[${containerId}] (${e.message})`,
+      `Unable to get container details for container id=[${containerId}] (${getErrorMessage(e)})`,
     );
   }
 }
 
-export interface UpdateContainerFromInspectDependencies {
+interface UpdateContainerFromInspectDependencies {
   getCustomDisplayNameFromLabels: (labels: Record<string, string>) => string | undefined;
   updateContainer: (container: Container) => void;
   logInfo?: (message: string) => void;
@@ -165,16 +204,18 @@ function areLabelsEqual(labelsA: Record<string, string>, labelsB: Record<string,
 
 export function updateContainerFromInspect(
   containerFound: Container,
-  containerInspect: any,
+  containerInspect: unknown,
   dependencies: UpdateContainerFromInspectDependencies,
 ) {
-  const newStatus = containerInspect.State.Status;
-  const newName = (containerInspect.Name || '').replace(/^\//, '');
+  const dockerContainerInspect = containerInspect as DockerContainerInspectLike;
+  const newStatus = dockerContainerInspect.State.Status;
+  const rawName = (dockerContainerInspect.Name || '').replace(/^\//, '');
+  const newName = canonicalizeContainerName(rawName, containerFound.id);
   const oldStatus = containerFound.status;
   const oldName = containerFound.name;
   const oldDisplayName = containerFound.displayName;
 
-  const labelsFromInspect = containerInspect.Config?.Labels;
+  const labelsFromInspect = dockerContainerInspect.Config?.Labels;
   const labelsCurrent = containerFound.labels || {};
   const labelsToApply = labelsFromInspect || labelsCurrent;
   const labelsChanged = !areLabelsEqual(labelsCurrent, labelsToApply);
@@ -182,7 +223,7 @@ export function updateContainerFromInspect(
   const customDisplayNameFromLabel = dependencies.getCustomDisplayNameFromLabels(labelsToApply);
   const hasCustomDisplayName =
     customDisplayNameFromLabel && customDisplayNameFromLabel.trim() !== '';
-  const runtimeDetailsFromInspect = getRuntimeDetailsFromInspect(containerInspect);
+  const runtimeDetailsFromInspect = getRuntimeDetailsFromInspect(dockerContainerInspect);
   const runtimeDetailsChanged = !areRuntimeDetailsEqual(
     containerFound.details,
     runtimeDetailsFromInspect,
diff --git a/app/watchers/providers/docker/container-init-coverage.test.ts b/app/watchers/providers/docker/container-init-coverage.test.ts
new file mode 100644
index 000000000..f183b9862
--- /dev/null
+++ b/app/watchers/providers/docker/container-init-coverage.test.ts
@@ -0,0 +1,356 @@
+import { describe, expect, test, vi } from 'vitest';
+import {
+  filterRecreatedContainerAliases,
+  getLabel,
+  getMatchingImgsetConfiguration,
+} from './container-init.js';
+
+vi.mock('../../../log/index.js', () => ({
+  default: {
+    warn: vi.fn(),
+    child: () => ({
+      info: vi.fn(),
+      warn: vi.fn(),
+      error: vi.fn(),
+      debug: vi.fn(),
+    }),
+  },
+}));
+
+vi.mock('../../../store/container.js', () => ({
+  deleteContainer: vi.fn(),
+  getContainer: vi.fn(),
+  getContainers: vi.fn(),
+  getContainersRaw: vi.fn(),
+  insertContainer: vi.fn(),
+  updateContainer: vi.fn(),
+}));
+
+vi.mock('../../../prometheus/compatibility.js', () => ({
+  recordLegacyInput: vi.fn(),
+}));
+
+describe('container-init coverage', () => {
+  test('filterRecreatedContainerAliases covers blank Created and non-array Names fallback', () => {
+    const aliasName = '/7ea6b8a42686_termix';
+    const container = {
+      Id: '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a10',
+      Names: [aliasName],
+      Created: '',
+    } as any;
+
+    const result = filterRecreatedContainerAliases([container], []);
+
+    // Alias detected, but stale (blank Created) with no sibling/store match → allowed
+    expect(result.containersToWatch).toEqual([container]);
+    expect(result.skippedContainerIds.size).toBe(0);
+    expect(result.decisions).toEqual([
+      expect.objectContaining({
+        containerId: container.Id,
+        containerName: 'termix',
+        baseName: 'termix',
+        decision: 'allowed',
+        reason: 'alias-allowed-no-collision',
+      }),
+    ]);
+  });
+
+  test('filterRecreatedContainerAliases handles non-string entries while building the name map', () => {
+    const container = {
+      Id: '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a12',
+      Names: ['/termix', 123 as any],
+      Created: Math.floor((Date.now() - 120_000) / 1000),
+    } as any;
+
+    const result = filterRecreatedContainerAliases([container], []);
+
+    expect(result.containersToWatch).toEqual([container]);
+    expect(result.skippedContainerIds.size).toBe(0);
+    expect(result.decisions).toEqual([
+      expect.objectContaining({
+        containerId: container.Id,
+        containerName: 'termix',
+        decision: 'allowed',
+        reason: 'not-recreated-alias',
+      }),
+    ]);
+  });
+
+  test('filterRecreatedContainerAliases uses unknown display name when no docker names are present', () => {
+    const container = {
+      Id: 'plain-container-id',
+      Names: [],
+    } as any;
+
+    const result = filterRecreatedContainerAliases([container], []);
+
+    expect(result.containersToWatch).toEqual([container]);
+    expect(result.skippedContainerIds.size).toBe(0);
+    expect(result.decisions).toEqual([
+      expect.objectContaining({
+        containerId: 'plain-container-id',
+        containerName: '(unknown)',
+        decision: 'allowed',
+        reason: 'not-recreated-alias',
+      }),
+    ]);
+  });
+
+  test('filterRecreatedContainerAliases keeps alias when current container does not expose base name as an array', () => {
+    const aliasName = '/7ea6b8a42686_termix';
+    const container = {
+      Id: '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a11',
+      Names: [aliasName],
+      Created: Math.floor(Date.now() / 1000) - 120,
+    } as any;
+
+    const result = filterRecreatedContainerAliases([container], []);
+
+    // Alias detected, stale (120s ago), no sibling/store match → allowed
+    expect(result.containersToWatch).toEqual([container]);
+    expect(result.skippedContainerIds.size).toBe(0);
+    expect(result.decisions).toEqual([
+      expect.objectContaining({
+        containerName: 'termix',
+        baseName: 'termix',
+        decision: 'allowed',
+        reason: 'alias-allowed-no-collision',
+      }),
+    ]);
+  });
+
+  test('filterRecreatedContainerAliases falls back to getContainerName when Names is array-like but not an array', () => {
+    const aliasName = '/7ea6b8a42686_termix';
+    const container = {
+      Id: '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a1f',
+      // Non-array shape exercises fallback name-map path and current-name guard.
+      Names: { 0: aliasName, length: 1 },
+      Created: Math.floor((Date.now() - 120_000) / 1000),
+    } as any;
+
+    const result = filterRecreatedContainerAliases([container], []);
+
+    expect(result.containersToWatch).toEqual([container]);
+    expect(result.skippedContainerIds.size).toBe(0);
+    expect(result.decisions).toEqual([
+      expect.objectContaining({
+        containerId: container.Id,
+        containerName: 'termix',
+        baseName: 'termix',
+        decision: 'allowed',
+        reason: 'alias-allowed-no-collision',
+      }),
+    ]);
+  });
+
+  test('filterRecreatedContainerAliases handles string Created values and future timestamps', () => {
+    const numericCreatedContainer = {
+      Id: '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a13',
+      Names: ['/7ea6b8a42686_termix'],
+      Created: '1700000000',
+    } as any;
+
+    const millisecondCreatedContainer = {
+      Id: '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a15',
+      Names: ['/7ea6b8a42686_termix'],
+      Created: '1700000000000',
+    } as any;
+
+    const futureCreatedContainer = {
+      Id: '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a14',
+      Names: ['/7ea6b8a42686_termix'],
+      Created: new Date(Date.now() + 120_000).toISOString(),
+    } as any;
+
+    const invalidCreatedContainer = {
+      Id: '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a16',
+      Names: ['/7ea6b8a42686_termix'],
+      Created: 'not-a-date',
+    } as any;
+
+    const numericResult = filterRecreatedContainerAliases([numericCreatedContainer], []);
+    const millisecondResult = filterRecreatedContainerAliases([millisecondCreatedContainer], []);
+    const futureResult = filterRecreatedContainerAliases([futureCreatedContainer], []);
+    const invalidResult = filterRecreatedContainerAliases([invalidCreatedContainer], []);
+
+    // All are aliases (Id matches prefix), stale with no sibling/store match → allowed
+    expect(numericResult.containersToWatch).toEqual([numericCreatedContainer]);
+    expect(numericResult.skippedContainerIds.size).toBe(0);
+    expect(numericResult.decisions).toEqual([
+      expect.objectContaining({
+        containerId: numericCreatedContainer.Id,
+        containerName: 'termix',
+        baseName: 'termix',
+        decision: 'allowed',
+        reason: 'alias-allowed-no-collision',
+      }),
+    ]);
+
+    expect(millisecondResult.containersToWatch).toEqual([millisecondCreatedContainer]);
+    expect(millisecondResult.skippedContainerIds.size).toBe(0);
+    expect(millisecondResult.decisions).toEqual([
+      expect.objectContaining({
+        containerId: millisecondCreatedContainer.Id,
+        containerName: 'termix',
+        baseName: 'termix',
+        decision: 'allowed',
+        reason: 'alias-allowed-no-collision',
+      }),
+    ]);
+
+    expect(futureResult.containersToWatch).toEqual([futureCreatedContainer]);
+    expect(futureResult.skippedContainerIds.size).toBe(0);
+    expect(futureResult.decisions).toEqual([
+      expect.objectContaining({
+        containerId: futureCreatedContainer.Id,
+        containerName: 'termix',
+        baseName: 'termix',
+        decision: 'allowed',
+        reason: 'alias-allowed-no-collision',
+      }),
+    ]);
+
+    expect(invalidResult.containersToWatch).toEqual([invalidCreatedContainer]);
+    expect(invalidResult.skippedContainerIds.size).toBe(0);
+    expect(invalidResult.decisions).toEqual([
+      expect.objectContaining({
+        containerId: invalidCreatedContainer.Id,
+        containerName: 'termix',
+        baseName: 'termix',
+        decision: 'allowed',
+        reason: 'alias-allowed-no-collision',
+      }),
+    ]);
+  });
+
+  test.each([
+    {
+      ddKey: 'dd.trigger.include',
+      aliasKey: 'dd.action.include',
+      aliasValue: 'action-include',
+      legacyValue: 'legacy-include',
+      fallbackKey: 'wud.trigger.include',
+    },
+    {
+      ddKey: 'dd.trigger.exclude',
+      aliasKey: 'dd.notification.exclude',
+      aliasValue: 'notification-exclude',
+      fallbackKey: 'wud.trigger.exclude',
+    },
+  ])('getLabel prefers $aliasKey over $ddKey', ({
+    aliasKey,
+    aliasValue,
+    ddKey,
+    fallbackKey,
+    legacyValue,
+  }) => {
+    const labels: Record<string, string> = {
+      [aliasKey]: aliasValue,
+    };
+    if (legacyValue) {
+      labels[ddKey] = legacyValue;
+    }
+
+    expect(getLabel(labels, ddKey, fallbackKey)).toBe(aliasValue);
+  });
+
+  test('getMatchingImgsetConfiguration returns undefined for missing configs and picks the best match', () => {
+    expect(
+      getMatchingImgsetConfiguration({ path: 'library/nginx', domain: 'docker.io' }, undefined),
+    ).toBeUndefined();
+    expect(
+      getMatchingImgsetConfiguration(
+        { path: 'library/nginx', domain: 'docker.io' },
+        {
+          zebra: { image: 'nginx', display: { name: 'Z' } },
+          alpha: { image: 'docker.io/library/nginx', display: { name: 'A' } },
+          ignored: { image: 'library/redis' },
+        },
+      ),
+    ).toEqual(
+      expect.objectContaining({
+        name: 'alpha',
+        displayName: 'A',
+      }),
+    );
+  });
+
+  test('filterRecreatedContainerAliases handles non-array Names via fallback getContainerName (lines 459, 494)', () => {
+    // Names is array-like (has indexed access and length) but NOT a real Array.
+    // This exercises:
+    //   - buildDockerContainerNameToIds line 459: normalizedContainerNames.push(fallbackName)
+    //   - hasCurrentContainerWithName line 494: !Array.isArray(Names) → return false
+    const arrayLikeNames = { 0: '/7ea6b8a42686_termix', length: 1 } as any;
+    const container = {
+      Id: '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a19',
+      Names: arrayLikeNames,
+      Created: '1700000000',
+    } as any;
+
+    const result = filterRecreatedContainerAliases([container], []);
+
+    // Alias detected, stale, no sibling/store match → allowed
+    expect(result.containersToWatch).toEqual([container]);
+    expect(result.skippedContainerIds.size).toBe(0);
+    expect(result.decisions).toEqual([
+      expect.objectContaining({
+        containerId: container.Id,
+        containerName: 'termix',
+        baseName: 'termix',
+        decision: 'allowed',
+        reason: 'alias-allowed-no-collision',
+      }),
+    ]);
+  });
+
+  test('filterRecreatedContainerAliases skips aliases when the base name already exists in store', () => {
+    const aliasName = '/7ea6b8a42686_termix';
+    const container = {
+      Id: '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a17',
+      Names: [aliasName],
+      Created: '1700000000000',
+    } as any;
+
+    const result = filterRecreatedContainerAliases(
+      [container],
+      [{ id: 'store-termix', name: 'termix' } as any],
+    );
+
+    expect(result.containersToWatch).toEqual([]);
+    expect(result.skippedContainerIds.size).toBe(1);
+    expect(result.skippedContainerIds.has(container.Id)).toBe(true);
+    expect(result.decisions).toEqual([
+      expect.objectContaining({
+        containerId: container.Id,
+        containerName: 'termix',
+        baseName: 'termix',
+        decision: 'skipped',
+        reason: 'base-name-present-in-store',
+      }),
+    ]);
+  });
+
+  test('filterRecreatedContainerAliases skips aliases that are still fresh', () => {
+    const aliasName = '/7ea6b8a42686_termix';
+    const container = {
+      Id: '7ea6b8a42686fbe3a9cb18f1b0d4d4a24f02f9fe6cb9f6e85e6fce7b2a1c9a18',
+      Names: [aliasName],
+      Created: Date.now() - 5_000,
+    } as any;
+
+    const result = filterRecreatedContainerAliases([container], []);
+
+    expect(result.containersToWatch).toEqual([]);
+    expect(result.skippedContainerIds.size).toBe(1);
+    expect(result.skippedContainerIds.has(container.Id)).toBe(true);
+    expect(result.decisions).toEqual([
+      expect.objectContaining({
+        containerId: container.Id,
+        containerName: 'termix',
+        baseName: 'termix',
+        decision: 'skipped',
+        reason: 'fresh-recreated-alias',
+      }),
+    ]);
+  });
+});
diff --git a/app/watchers/providers/docker/container-init.ts b/app/watchers/providers/docker/container-init.ts
new file mode 100644
index 000000000..b9ed22e03
--- /dev/null
+++ b/app/watchers/providers/docker/container-init.ts
@@ -0,0 +1,705 @@
+import { getPreferredLabelValue } from '../../../docker/legacy-label.js';
+import log from '../../../log/index.js';
+import type { Container } from '../../../model/container.js';
+import { recordLegacyInput } from '../../../prometheus/compatibility.js';
+import * as storeContainer from '../../../store/container.js';
+import type Watcher from '../../Watcher.js';
+import {
+  getContainerConfigValue,
+  getContainerName,
+  getFirstConfigString,
+  getImgsetSpecificity,
+  getOldContainers,
+  getRawContainerName,
+  getResolvedImgsetConfiguration,
+  type ResolvedImgset,
+} from './docker-helpers.js';
+import type { ContainerLabelOverrides } from './docker-image-details-orchestration.js';
+import {
+  ddActionExclude,
+  ddActionInclude,
+  ddDisplayIcon,
+  ddDisplayName,
+  ddInspectTagPath,
+  ddLinkTemplate,
+  ddNotificationExclude,
+  ddNotificationInclude,
+  ddRegistryLookupImage,
+  ddRegistryLookupUrl,
+  ddTagExclude,
+  ddTagFamily,
+  ddTagInclude,
+  ddTagTransform,
+  ddTriggerExclude,
+  ddTriggerInclude,
+  ddWatchDigest,
+  wudDisplayIcon,
+  wudDisplayName,
+  wudInspectTagPath,
+  wudLinkTemplate,
+  wudRegistryLookupImage,
+  wudRegistryLookupUrl,
+  wudTagExclude,
+  wudTagInclude,
+  wudTagTransform,
+  wudTriggerExclude,
+  wudTriggerInclude,
+  wudWatchDigest,
+} from './label.js';
+
+const warnedLegacyLabelFallbacks = new Set<string>();
+const warnedLegacyTriggerLabelFallbacks = new Set<string>();
+const RECREATED_CONTAINER_NAME_PATTERN = /^([a-f0-9]{12})_(.+)$/i;
+const RECREATED_CONTAINER_ALIAS_TRANSIENT_WINDOW_MS = 30 * 1000;
+
+type ContainerLabelOverrideKey = Exclude<
+  keyof ContainerLabelOverrides,
+  'registryLookupImage' | 'registryLookupUrl'
+>;
+
+interface ResolvedContainerLabelOverrides {
+  includeTags?: string;
+  excludeTags?: string;
+  transformTags?: string;
+  tagFamily?: string;
+  inspectTagPath?: string;
+  linkTemplate?: string;
+  displayName?: string;
+  displayIcon?: string;
+  triggerInclude?: string;
+  triggerExclude?: string;
+  lookupImage?: string;
+}
+
+interface ImgsetMatchCandidate {
+  specificity: number;
+  imgset: ResolvedImgset;
+}
+
+interface DockerContainerSummaryLike {
+  Id?: unknown;
+  Names?: string[];
+  [key: string]: unknown;
+}
+
+export interface AliasFilterDecision {
+  timestamp: string;
+  containerId: string;
+  containerName: string;
+  baseName?: string;
+  decision: 'allowed' | 'skipped';
+  reason:
+    | 'not-recreated-alias'
+    | 'base-name-present-in-docker'
+    | 'base-name-present-in-store'
+    | 'fresh-recreated-alias'
+    | 'alias-allowed-no-collision';
+}
+
+type DockerImgsetConfigurations = Record<string, unknown>;
+
+interface DockerApiContainerInspector {
+  getContainer: (containerId: string) => {
+    inspect: () => Promise<{
+      State?: {
+        Status?: string;
+      };
+    }>;
+  };
+}
+
+interface DockerWatcherSourceConfiguration {
+  host?: string;
+  socket?: string;
+  protocol?: string;
+  port?: number;
+}
+
+interface DockerWatcherSourceLike {
+  name?: string;
+  agent?: string;
+  configuration?: DockerWatcherSourceConfiguration;
+}
+
+interface GetLabelOptions {
+  warn?: (message: string) => void;
+  warnedLegacyTriggerLabels?: Set<string>;
+}
+
+const containerLabelOverrideMappings = [
+  { key: 'includeTags', ddKey: ddTagInclude, wudKey: wudTagInclude, overrideKey: 'includeTags' },
+  { key: 'excludeTags', ddKey: ddTagExclude, wudKey: wudTagExclude, overrideKey: 'excludeTags' },
+  {
+    key: 'transformTags',
+    ddKey: ddTagTransform,
+    wudKey: wudTagTransform,
+    overrideKey: 'transformTags',
+  },
+  {
+    key: 'tagFamily',
+    ddKey: ddTagFamily,
+    wudKey: undefined,
+    overrideKey: 'tagFamily',
+  },
+  {
+    key: 'inspectTagPath',
+    ddKey: ddInspectTagPath,
+    wudKey: wudInspectTagPath,
+    overrideKey: undefined,
+  },
+  {
+    key: 'linkTemplate',
+    ddKey: ddLinkTemplate,
+    wudKey: wudLinkTemplate,
+    overrideKey: 'linkTemplate',
+  },
+  { key: 'displayName', ddKey: ddDisplayName, wudKey: wudDisplayName, overrideKey: 'displayName' },
+  { key: 'displayIcon', ddKey: ddDisplayIcon, wudKey: wudDisplayIcon, overrideKey: 'displayIcon' },
+  {
+    key: 'triggerInclude',
+    ddKey: ddTriggerInclude,
+    wudKey: wudTriggerInclude,
+    overrideKey: 'triggerInclude',
+  },
+  {
+    key: 'triggerExclude',
+    ddKey: ddTriggerExclude,
+    wudKey: wudTriggerExclude,
+    overrideKey: 'triggerExclude',
+  },
+] as const satisfies ReadonlyArray<{
+  key: keyof ResolvedContainerLabelOverrides;
+  ddKey: string;
+  wudKey?: string;
+  overrideKey?: ContainerLabelOverrideKey;
+}>;
+
+/**
+ * Get a label value, preferring the dd.* key over the wud.* fallback.
+ */
+export function getLabel(
+  labels: Record<string, string>,
+  ddKey: string,
+  wudKey?: string,
+  options: GetLabelOptions = {},
+) {
+  if (ddKey === ddTriggerInclude || ddKey === ddTriggerExclude) {
+    return getPreferredTriggerLabelValue(labels, ddKey, wudKey, options);
+  }
+
+  return getPreferredLabelValue(labels, ddKey, wudKey, {
+    warnedFallbacks: warnedLegacyLabelFallbacks,
+    warn: options.warn || ((message) => log.warn(message)),
+  });
+}
+
+function getPreferredTriggerLabelValue(
+  labels: Record<string, string>,
+  ddKey: string,
+  wudKey: string | undefined,
+  options: GetLabelOptions,
+) {
+  const warnedLegacyTriggerLabels =
+    options.warnedLegacyTriggerLabels || warnedLegacyTriggerLabelFallbacks;
+  const warn = options.warn || ((message) => log.warn(message));
+  const aliasKeys =
+    ddKey === ddTriggerInclude
+      ? [ddActionInclude, ddNotificationInclude]
+      : [ddActionExclude, ddNotificationExclude];
+  const aliasValue = getFirstLabelValue(labels, aliasKeys);
+  const legacyValue = labels[ddKey];
+
+  if (aliasValue !== undefined) {
+    if (legacyValue !== undefined) {
+      recordLegacyInput('label', ddKey);
+      warnLegacyTriggerLabel(ddKey, warnedLegacyTriggerLabels, warn);
+    }
+    return aliasValue;
+  }
+
+  if (legacyValue !== undefined) {
+    recordLegacyInput('label', ddKey);
+    warnLegacyTriggerLabel(ddKey, warnedLegacyTriggerLabels, warn);
+    return legacyValue;
+  }
+
+  return getPreferredLabelValue(labels, ddKey, wudKey, {
+    warnedFallbacks: warnedLegacyLabelFallbacks,
+    warn,
+  });
+}
+
+function getFirstLabelValue(labels: Record<string, string>, keys: readonly string[]) {
+  for (const key of keys) {
+    const value = labels[key];
+    if (value !== undefined) {
+      return value;
+    }
+  }
+  return undefined;
+}
+
+function warnLegacyTriggerLabel(
+  ddKey: string,
+  warnedLegacyTriggerLabels: Set<string>,
+  warn: (message: string) => void,
+) {
+  if (warnedLegacyTriggerLabels.has(ddKey)) {
+    return;
+  }
+  warnedLegacyTriggerLabels.add(ddKey);
+
+  const aliasKeySuffix = ddKey === ddTriggerInclude ? 'include' : 'exclude';
+
+  warn(
+    `Legacy Docker label "${ddKey}" is deprecated. Please migrate to "dd.action.${aliasKeySuffix}" or "dd.notification.${aliasKeySuffix}" before removal in v1.7.0.`,
+  );
+}
+
+/**
+ * Prune old containers from the store.
+ * Containers that still exist in Docker (e.g. stopped) get their status updated
+ * instead of being removed, so the UI can still show them with a start button.
+ * @param newContainers
+ * @param containersFromTheStore
+ * @param dockerApi
+ */
+export async function pruneOldContainers(
+  newContainers: Container[],
+  containersFromTheStore: Container[],
+  dockerApi: DockerApiContainerInspector,
+  options: {
+    forceRemoveContainerIds?: Set<string>;
+    sameSourceContainersFromStore?: Container[];
+  } = {},
+) {
+  const forceRemoveContainerIds = options.forceRemoveContainerIds || new Set<string>();
+  const containersToRemove = getOldContainers(newContainers, containersFromTheStore);
+  const containersToNamePrune = getOldContainers(
+    newContainers,
+    options.sameSourceContainersFromStore || containersFromTheStore,
+  );
+  const newContainerNames = new Set(
+    newContainers
+      .filter((container) => typeof container.name === 'string' && container.name !== '')
+      .map((container) => container.name),
+  );
+  const deletedContainerIds = new Set<string>();
+  for (const staleContainer of containersToNamePrune) {
+    if (
+      typeof staleContainer.name === 'string' &&
+      staleContainer.name !== '' &&
+      newContainerNames.has(staleContainer.name)
+    ) {
+      storeContainer.deleteContainer(staleContainer.id);
+      deletedContainerIds.add(staleContainer.id);
+    }
+  }
+  for (const containerToRemove of containersToRemove) {
+    if (deletedContainerIds.has(containerToRemove.id)) {
+      continue;
+    }
+    if (
+      typeof containerToRemove.id === 'string' &&
+      forceRemoveContainerIds.has(containerToRemove.id)
+    ) {
+      storeContainer.deleteContainer(containerToRemove.id);
+      continue;
+    }
+    try {
+      const inspectResult = await dockerApi.getContainer(containerToRemove.id).inspect();
+      const newStatus = inspectResult?.State?.Status;
+      if (newStatus) {
+        storeContainer.updateContainer({ ...containerToRemove, status: newStatus });
+      }
+    } catch (_error: unknown) {
+      // Container no longer exists in Docker — remove from store
+      storeContainer.deleteContainer(containerToRemove.id);
+    }
+  }
+}
+
+function normalizeWatcherSourceStringValue(value: unknown): string | undefined {
+  if (typeof value !== 'string') {
+    return undefined;
+  }
+  const normalized = value.trim();
+  return normalized === '' ? undefined : normalized;
+}
+
+export function getDockerWatcherRegistryId(watcherName: string, agent?: string): string {
+  const normalizedWatcherName = normalizeWatcherSourceStringValue(watcherName);
+  if (!normalizedWatcherName) {
+    return '';
+  }
+  const normalizedAgent = normalizeWatcherSourceStringValue(agent);
+  if (!normalizedAgent) {
+    return `docker.${normalizedWatcherName}`;
+  }
+  return `${normalizedAgent}.docker.${normalizedWatcherName}`;
+}
+
+export function getDockerWatcherSourceKey(watcher: DockerWatcherSourceLike): string {
+  const normalizedAgent = normalizeWatcherSourceStringValue(watcher.agent) || '';
+  const normalizedHost = normalizeWatcherSourceStringValue(watcher.configuration?.host);
+  if (normalizedHost) {
+    const normalizedProtocol =
+      normalizeWatcherSourceStringValue(watcher.configuration?.protocol)?.toLowerCase() || 'http';
+    const normalizedPort =
+      typeof watcher.configuration?.port === 'number' &&
+      Number.isFinite(watcher.configuration.port) &&
+      watcher.configuration.port > 0
+        ? Math.trunc(watcher.configuration.port)
+        : 2375;
+    return `agent:${normalizedAgent}|tcp:${normalizedProtocol}://${normalizedHost.toLowerCase()}:${normalizedPort}`;
+  }
+
+  const normalizedSocket =
+    normalizeWatcherSourceStringValue(watcher.configuration?.socket) || '/var/run/docker.sock';
+  return `agent:${normalizedAgent}|socket:${normalizedSocket}`;
+}
+
+export function isDockerWatcher(
+  watcher: Watcher | undefined,
+): watcher is Watcher & { type: 'docker' } {
+  return !!watcher && watcher.type === 'docker';
+}
+
+function getRecreatedContainerBaseName(container: { Id?: unknown; Names?: string[] }) {
+  const containerId = typeof container.Id === 'string' ? container.Id : '';
+  if (containerId === '') {
+    return undefined;
+  }
+
+  // Use raw name (not canonicalized) so the alias pattern is still detectable
+  const containerName = getRawContainerName(container);
+  if (containerName === '') {
+    return undefined;
+  }
+
+  const recreatedNameMatch = containerName.match(RECREATED_CONTAINER_NAME_PATTERN);
+  if (!recreatedNameMatch) {
+    return undefined;
+  }
+
+  const [, shortIdPrefix, baseName] = recreatedNameMatch;
+  if (baseName === '' || !containerId.toLowerCase().startsWith(shortIdPrefix.toLowerCase())) {
+    return undefined;
+  }
+
+  return baseName;
+}
+
+function getDockerContainerId(container: { Id?: unknown }) {
+  return typeof container.Id === 'string' ? container.Id : '';
+}
+
+function getContainerCreatedAtMs(container: Record<string, unknown>): number | undefined {
+  const created = container.Created;
+  if (typeof created === 'number' && Number.isFinite(created) && created > 0) {
+    // Docker list payloads typically expose Created as Unix seconds.
+    // Handle both seconds and milliseconds defensively.
+    return created >= 1_000_000_000_000 ? Math.trunc(created) : Math.trunc(created * 1000);
+  }
+
+  if (typeof created !== 'string') {
+    return undefined;
+  }
+
+  const createdValue = created.trim();
+  if (createdValue === '') {
+    return undefined;
+  }
+
+  const numericCreatedValue = Number(createdValue);
+  if (Number.isFinite(numericCreatedValue) && numericCreatedValue > 0) {
+    return numericCreatedValue >= 1_000_000_000_000
+      ? Math.trunc(numericCreatedValue)
+      : Math.trunc(numericCreatedValue * 1000);
+  }
+
+  const parsedDateValue = Date.parse(createdValue);
+  return Number.isNaN(parsedDateValue) ? undefined : parsedDateValue;
+}
+
+function isWithinRecreatedAliasTransientWindow(
+  createdAtMs: number | undefined,
+  nowMs: number,
+): boolean {
+  if (createdAtMs === undefined) {
+    return false;
+  }
+  const ageMs = nowMs - createdAtMs;
+  if (ageMs < 0) {
+    return false;
+  }
+  return ageMs <= RECREATED_CONTAINER_ALIAS_TRANSIENT_WINDOW_MS;
+}
+
+function buildDockerContainerNameToIds<T extends DockerContainerSummaryLike>(containers: T[]) {
+  const dockerContainerNameToIds = new Map<string, Set<string>>();
+
+  for (const container of containers) {
+    const containerId = getDockerContainerId(container);
+    if (containerId === '') {
+      continue;
+    }
+
+    const normalizedContainerNames = Array.from(
+      new Set(
+        (Array.isArray(container.Names) ? container.Names : [])
+          .map((name) => (typeof name === 'string' ? name.replace(/^\//, '') : ''))
+          .filter((name) => name !== ''),
+      ),
+    );
+
+    if (normalizedContainerNames.length === 0) {
+      const fallbackName = getContainerName(container);
+      if (fallbackName !== '') {
+        normalizedContainerNames.push(fallbackName);
+      }
+    }
+
+    for (const containerName of normalizedContainerNames) {
+      const idsForName = dockerContainerNameToIds.get(containerName) || new Set<string>();
+      idsForName.add(containerId);
+      dockerContainerNameToIds.set(containerName, idsForName);
+    }
+  }
+
+  return dockerContainerNameToIds;
+}
+
+function hasSiblingDockerContainerWithName(
+  dockerContainerNameToIds: Map<string, Set<string>>,
+  containerName: string,
+  containerId: string,
+) {
+  const containerIds = dockerContainerNameToIds.get(containerName);
+  if (!containerIds) {
+    return false;
+  }
+
+  for (const currentContainerId of containerIds) {
+    if (currentContainerId !== containerId) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+function hasCurrentContainerWithName(container: DockerContainerSummaryLike, containerName: string) {
+  if (!Array.isArray(container.Names) || container.Names.length === 0) {
+    return false;
+  }
+
+  return container.Names.some(
+    (name) => typeof name === 'string' && name.replace(/^\//, '') === containerName,
+  );
+}
+
+export function filterRecreatedContainerAliases<T extends DockerContainerSummaryLike>(
+  containers: T[],
+  containersFromTheStore: Container[],
+): { containersToWatch: T[]; skippedContainerIds: Set<string>; decisions: AliasFilterDecision[] } {
+  const storeContainerNames = new Set(
+    containersFromTheStore
+      .filter((container) => typeof container.name === 'string' && container.name !== '')
+      .map((container) => container.name),
+  );
+
+  const dockerContainerNameToIds = buildDockerContainerNameToIds(containers);
+  const nowMs = Date.now();
+
+  const containersToWatch: T[] = [];
+  const skippedContainerIds = new Set<string>();
+  const decisions: AliasFilterDecision[] = [];
+  const nowIso = new Date(nowMs).toISOString();
+  for (const container of containers) {
+    const containerId = getDockerContainerId(container);
+    const containerName = getContainerName(container);
+    const displayContainerName = containerName || '(unknown)';
+    const recreatedContainerBaseName = getRecreatedContainerBaseName(container);
+
+    if (!recreatedContainerBaseName || containerId === '') {
+      containersToWatch.push(container);
+      decisions.push({
+        timestamp: nowIso,
+        containerId: containerId || '(unknown)',
+        containerName: displayContainerName,
+        decision: 'allowed',
+        reason: 'not-recreated-alias',
+      });
+      continue;
+    }
+
+    const hasDockerSiblingContainerWithBaseName = hasSiblingDockerContainerWithName(
+      dockerContainerNameToIds,
+      recreatedContainerBaseName,
+      containerId,
+    );
+    const hasCurrentContainerWithBaseName = hasCurrentContainerWithName(
+      container,
+      recreatedContainerBaseName,
+    );
+    const hasDockerContainerWithBaseName =
+      hasDockerSiblingContainerWithBaseName || hasCurrentContainerWithBaseName;
+    const hasStoreContainerWithBaseName = storeContainerNames.has(recreatedContainerBaseName);
+    const isFreshAlias = isWithinRecreatedAliasTransientWindow(
+      getContainerCreatedAtMs(container),
+      nowMs,
+    );
+
+    if (hasDockerContainerWithBaseName || hasStoreContainerWithBaseName || isFreshAlias) {
+      skippedContainerIds.add(containerId);
+      const reason = hasDockerContainerWithBaseName
+        ? 'base-name-present-in-docker'
+        : hasStoreContainerWithBaseName
+          ? 'base-name-present-in-store'
+          : 'fresh-recreated-alias';
+      decisions.push({
+        timestamp: nowIso,
+        containerId,
+        containerName: displayContainerName,
+        baseName: recreatedContainerBaseName,
+        decision: 'skipped',
+        reason,
+      });
+      continue;
+    }
+
+    containersToWatch.push(container);
+    decisions.push({
+      timestamp: nowIso,
+      containerId,
+      containerName: displayContainerName,
+      baseName: recreatedContainerBaseName,
+      decision: 'allowed',
+      reason: 'alias-allowed-no-collision',
+    });
+  }
+
+  return { containersToWatch, skippedContainerIds, decisions };
+}
+
+export function resolveLabelsFromContainer(
+  containerLabels: Record<string, string>,
+  overrides: ContainerLabelOverrides = {},
+) {
+  const resolvedOverrides: ResolvedContainerLabelOverrides = {
+    lookupImage: resolveLookupImageFromContainerLabels(containerLabels, overrides),
+  };
+
+  for (const { key, ddKey, wudKey, overrideKey } of containerLabelOverrideMappings) {
+    const overrideValue = overrideKey ? overrides[overrideKey] : undefined;
+    resolvedOverrides[key] = overrideValue || getLabel(containerLabels, ddKey, wudKey);
+  }
+
+  return resolvedOverrides;
+}
+
+function resolveLookupImageFromContainerLabels(
+  containerLabels: Record<string, string>,
+  overrides: ContainerLabelOverrides,
+) {
+  return (
+    overrides.registryLookupImage ||
+    getLabel(containerLabels, ddRegistryLookupImage, wudRegistryLookupImage) ||
+    overrides.registryLookupUrl ||
+    getLabel(containerLabels, ddRegistryLookupUrl, wudRegistryLookupUrl)
+  );
+}
+
+export function mergeConfigWithImgset(
+  labelOverrides: ResolvedContainerLabelOverrides,
+  matchingImgset: ResolvedImgset | undefined,
+  containerLabels: Record<string, string>,
+) {
+  return {
+    includeTags: getContainerConfigValue(labelOverrides.includeTags, matchingImgset?.includeTags),
+    excludeTags: getContainerConfigValue(labelOverrides.excludeTags, matchingImgset?.excludeTags),
+    transformTags: getContainerConfigValue(
+      labelOverrides.transformTags,
+      matchingImgset?.transformTags,
+    ),
+    tagFamily: getContainerConfigValue(labelOverrides.tagFamily, matchingImgset?.tagFamily),
+    linkTemplate: getContainerConfigValue(
+      labelOverrides.linkTemplate,
+      matchingImgset?.linkTemplate,
+    ),
+    displayName: getContainerConfigValue(labelOverrides.displayName, matchingImgset?.displayName),
+    displayIcon: getContainerConfigValue(labelOverrides.displayIcon, matchingImgset?.displayIcon),
+    triggerInclude: getContainerConfigValue(
+      labelOverrides.triggerInclude,
+      matchingImgset?.triggerInclude,
+    ),
+    triggerExclude: getContainerConfigValue(
+      labelOverrides.triggerExclude,
+      matchingImgset?.triggerExclude,
+    ),
+    lookupImage:
+      getContainerConfigValue(labelOverrides.lookupImage, matchingImgset?.registryLookupImage) ||
+      getContainerConfigValue(undefined, matchingImgset?.registryLookupUrl),
+    inspectTagPath: getContainerConfigValue(
+      labelOverrides.inspectTagPath,
+      matchingImgset?.inspectTagPath,
+    ),
+    watchDigest: getContainerConfigValue(
+      getLabel(containerLabels, ddWatchDigest, wudWatchDigest),
+      matchingImgset?.watchDigest,
+    ),
+  };
+}
+
+function getImgsetMatchCandidate(
+  imgsetName: string,
+  imgsetConfiguration: unknown,
+  parsedImage: unknown,
+): ImgsetMatchCandidate | undefined {
+  const imagePattern = getFirstConfigString(imgsetConfiguration, ['image', 'match']);
+  if (!imagePattern) {
+    return undefined;
+  }
+
+  const specificity = getImgsetSpecificity(imagePattern, parsedImage);
+  if (specificity < 0) {
+    return undefined;
+  }
+
+  return {
+    specificity,
+    imgset: getResolvedImgsetConfiguration(imgsetName, imgsetConfiguration),
+  };
+}
+
+function isBetterImgsetMatch(candidate: ImgsetMatchCandidate, currentBest: ImgsetMatchCandidate) {
+  if (candidate.specificity !== currentBest.specificity) {
+    return candidate.specificity > currentBest.specificity;
+  }
+
+  return candidate.imgset.name.localeCompare(currentBest.imgset.name) < 0;
+}
+
+export function getMatchingImgsetConfiguration(
+  parsedImage: unknown,
+  configuredImgsets: DockerImgsetConfigurations | undefined,
+): ResolvedImgset | undefined {
+  if (!configuredImgsets || typeof configuredImgsets !== 'object') {
+    return undefined;
+  }
+
+  let bestMatch: ImgsetMatchCandidate | undefined;
+  for (const [imgsetName, imgsetConfiguration] of Object.entries(configuredImgsets)) {
+    const candidate = getImgsetMatchCandidate(imgsetName, imgsetConfiguration, parsedImage);
+    if (!candidate) {
+      continue;
+    }
+
+    if (!bestMatch || isBetterImgsetMatch(candidate, bestMatch)) {
+      bestMatch = candidate;
+    }
+  }
+
+  return bestMatch?.imgset;
+}
diff --git a/app/watchers/providers/docker/container-processing.ts b/app/watchers/providers/docker/container-processing.ts
new file mode 100644
index 000000000..2953fb597
--- /dev/null
+++ b/app/watchers/providers/docker/container-processing.ts
@@ -0,0 +1,105 @@
+import * as event from '../../../event/index.js';
+import {
+  type Container,
+  type ContainerReport,
+  type ContainerResult,
+  fullName,
+} from '../../../model/container.js';
+import * as storeContainer from '../../../store/container.js';
+import { getErrorMessage } from './docker-helpers.js';
+import { enrichContainerWithReleaseNotes } from './release-notes-enrichment.js';
+
+interface ContainerWatchLogger {
+  error: (message: string) => void;
+  warn: (message: string) => void;
+  debug: (message: string | unknown) => void;
+}
+
+interface ChildContainerLoggerFactory {
+  child: (bindings: { container: string }) => ContainerWatchLogger;
+}
+
+interface WatchContainerDependencies {
+  ensureLogger: () => void;
+  log: ChildContainerLoggerFactory;
+  findNewVersion: (
+    container: Container,
+    logContainer: ContainerWatchLogger,
+  ) => Promise<ContainerResult>;
+  mapContainerToContainerReport: (containerWithResult: Container) => ContainerReport;
+}
+
+interface MapContainerToReportDependencies {
+  ensureLogger: () => void;
+  log: ChildContainerLoggerFactory;
+}
+
+/**
+ * Watch a Container.
+ * @param container
+ * @returns {Promise<*>}
+ */
+export async function watchContainer(
+  container: Container,
+  { ensureLogger, log, findNewVersion, mapContainerToContainerReport }: WatchContainerDependencies,
+): Promise<ContainerReport> {
+  ensureLogger();
+  // Child logger for the container to process
+  const logContainer = log.child({ container: fullName(container) });
+  const containerWithResult = container;
+
+  // Reset previous results if so
+  delete containerWithResult.result;
+  delete containerWithResult.error;
+  logContainer.debug('Start watching');
+
+  try {
+    containerWithResult.result = await findNewVersion(container, logContainer);
+    await enrichContainerWithReleaseNotes(containerWithResult, logContainer);
+  } catch (e: unknown) {
+    const errorMessage = getErrorMessage(e);
+    logContainer.warn(`Error when processing (${errorMessage})`);
+    logContainer.debug(e);
+    containerWithResult.error = {
+      message: errorMessage,
+    };
+  }
+
+  const containerReport = mapContainerToContainerReport(containerWithResult);
+  event.emitContainerReport(containerReport);
+  return containerReport;
+}
+
+/**
+ * Process a Container with result and map to a containerReport.
+ * @param containerWithResult
+ * @return {*}
+ */
+export function mapContainerToContainerReport(
+  containerWithResult: Container,
+  { ensureLogger, log }: MapContainerToReportDependencies,
+): ContainerReport {
+  ensureLogger();
+  const logContainer = log.child({
+    container: fullName(containerWithResult),
+  });
+
+  // Find container in db & compare
+  const containerInDb = storeContainer.getContainer(containerWithResult.id);
+
+  if (containerInDb) {
+    // Found in DB? => update it
+    const updatedContainer = storeContainer.updateContainer(containerWithResult);
+    return {
+      container: updatedContainer,
+      changed: containerInDb.resultChanged(updatedContainer) && containerWithResult.updateAvailable,
+    };
+  }
+
+  // Not found in DB? => Save it
+  logContainer.debug('Container watched for the first time');
+  return {
+    container: storeContainer.insertContainer(containerWithResult),
+    changed: true,
+  };
+}
diff --git a/app/watchers/providers/docker/digest-cache-lifecycle.test.ts b/app/watchers/providers/docker/digest-cache-lifecycle.test.ts
new file mode 100644
index 000000000..6add33b42
--- /dev/null
+++ b/app/watchers/providers/docker/digest-cache-lifecycle.test.ts
@@ -0,0 +1,88 @@
+import {
+  endDigestCachePollCycleForRegistries,
+  startDigestCachePollCycleForRegistries,
+} from './digest-cache-lifecycle.js';
+
+vi.mock('../../../registry/index.js', () => ({
+  getState: vi.fn(),
+}));
+
+import * as registry from '../../../registry/index.js';
+
+const mockGetState = vi.mocked(registry.getState);
+
+describe('digest-cache-lifecycle', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  describe('startDigestCachePollCycleForRegistries', () => {
+    test('calls startDigestCachePollCycle on each registry that supports it', () => {
+      const startA = vi.fn();
+      const startB = vi.fn();
+      mockGetState.mockReturnValue({
+        registry: {
+          a: { startDigestCachePollCycle: startA },
+          b: { startDigestCachePollCycle: startB },
+        },
+      } as never);
+
+      startDigestCachePollCycleForRegistries();
+
+      expect(startA).toHaveBeenCalledOnce();
+      expect(startB).toHaveBeenCalledOnce();
+    });
+
+    test('skips registries without startDigestCachePollCycle', () => {
+      mockGetState.mockReturnValue({
+        registry: {
+          a: { startDigestCachePollCycle: vi.fn() },
+          b: {},
+        },
+      } as never);
+
+      expect(() => startDigestCachePollCycleForRegistries()).not.toThrow();
+    });
+
+    test('handles empty registry map', () => {
+      mockGetState.mockReturnValue({ registry: {} } as never);
+
+      expect(() => startDigestCachePollCycleForRegistries()).not.toThrow();
+    });
+  });
+
+  describe('endDigestCachePollCycleForRegistries', () => {
+    test('calls endDigestCachePollCycle on each registry that supports it', () => {
+      const endA = vi.fn();
+      const endB = vi.fn();
+      mockGetState.mockReturnValue({
+        registry: {
+          a: { endDigestCachePollCycle: endA },
+          b: { endDigestCachePollCycle: endB },
+        },
+      } as never);
+
+      endDigestCachePollCycleForRegistries();
+
+      expect(endA).toHaveBeenCalledOnce();
+      expect(endB).toHaveBeenCalledOnce();
+    });
+
+    test('skips registries without endDigestCachePollCycle', () => {
+      mockGetState.mockReturnValue({
+        registry: {
+          a: { endDigestCachePollCycle: vi.fn() },
+          b: {},
+        },
+      } as never);
+
+      expect(() => endDigestCachePollCycleForRegistries()).not.toThrow();
+    });
+
+    test('handles empty registry map', () => {
+      mockGetState.mockReturnValue({ registry: {} } as never);
+
+      expect(() => endDigestCachePollCycleForRegistries()).not.toThrow();
+    });
+  });
+});
diff --git a/app/watchers/providers/docker/digest-cache-lifecycle.ts b/app/watchers/providers/docker/digest-cache-lifecycle.ts
new file mode 100644
index 000000000..909e1f5ef
--- /dev/null
+++ b/app/watchers/providers/docker/digest-cache-lifecycle.ts
@@ -0,0 +1,24 @@
+import * as registry from '../../../registry/index.js';
+
+interface DigestCachePollCycleAwareRegistry {
+  startDigestCachePollCycle?: () => void;
+  endDigestCachePollCycle?: () => void;
+}
+
+function getRegistries() {
+  return registry.getState().registry;
+}
+
+export function startDigestCachePollCycleForRegistries() {
+  const registries = Object.values(getRegistries()) as DigestCachePollCycleAwareRegistry[];
+  for (const provider of registries) {
+    provider.startDigestCachePollCycle?.();
+  }
+}
+
+export function endDigestCachePollCycleForRegistries() {
+  const registries = Object.values(getRegistries()) as DigestCachePollCycleAwareRegistry[];
+  for (const provider of registries) {
+    provider.endDigestCachePollCycle?.();
+  }
+}
diff --git a/app/watchers/providers/docker/disable-socket-redirects.test.ts b/app/watchers/providers/docker/disable-socket-redirects.test.ts
new file mode 100644
index 000000000..a05691955
--- /dev/null
+++ b/app/watchers/providers/docker/disable-socket-redirects.test.ts
@@ -0,0 +1,94 @@
+import { describe, expect, test, vi } from 'vitest';
+import { disableSocketRedirects } from './disable-socket-redirects.js';
+
+describe('disableSocketRedirects', () => {
+  test('patches buildRequest to inject maxRedirects:0 for socket connections', () => {
+    const receivedOptions: Record<string, unknown>[] = [];
+    const original = vi.fn((options: Record<string, unknown>) => {
+      receivedOptions.push({ ...options });
+    });
+    const modem = {
+      socketPath: '/var/run/docker.sock',
+      buildRequest: original,
+    };
+    const dockerApi = { modem } as any;
+
+    disableSocketRedirects(dockerApi);
+
+    const options: Record<string, unknown> = { path: '/images/test/json', method: 'GET' };
+    modem.buildRequest(options, {}, null, vi.fn());
+
+    expect(options.maxRedirects).toBe(0);
+    expect(original).toHaveBeenCalledOnce();
+    expect(receivedOptions[0]).toMatchObject({ maxRedirects: 0 });
+  });
+
+  test('is a no-op when modem has no socketPath', () => {
+    const original = vi.fn();
+    const modem = {
+      socketPath: undefined as string | undefined,
+      buildRequest: original,
+    };
+    const dockerApi = { modem } as any;
+
+    disableSocketRedirects(dockerApi);
+
+    expect(modem.buildRequest).toBe(original);
+  });
+
+  test('is a no-op when socketPath is empty string', () => {
+    const original = vi.fn();
+    const modem = {
+      socketPath: '',
+      buildRequest: original,
+    };
+    const dockerApi = { modem } as any;
+
+    disableSocketRedirects(dockerApi);
+
+    expect(modem.buildRequest).toBe(original);
+  });
+
+  test('preserves all buildRequest arguments passed to the original', () => {
+    const calls: unknown[][] = [];
+    const original = vi.fn((...args: unknown[]) => {
+      calls.push(args);
+    });
+    const modem = {
+      socketPath: '/var/run/docker.sock',
+      buildRequest: original,
+    };
+    const dockerApi = { modem } as any;
+
+    disableSocketRedirects(dockerApi);
+
+    const options = { path: '/test' };
+    const context = { isStream: false };
+    const data = 'payload';
+    const callback = vi.fn();
+
+    modem.buildRequest(options, context, data, callback);
+
+    expect(calls).toHaveLength(1);
+    expect(calls[0]).toEqual([options, context, data, callback]);
+  });
+
+  test('handles function-based socketPath', () => {
+    const original = vi.fn();
+    const modem = {
+      socketPath: () => '/var/run/docker.sock',
+      buildRequest: original,
+    };
+    const dockerApi = { modem } as any;
+
+    disableSocketRedirects(dockerApi);
+
+    expect(modem.buildRequest).not.toBe(original);
+
+    const options: Record<string, unknown> = { path: '/test' };
+    modem.buildRequest(options, {}, null, vi.fn());
+
+    expect(options.maxRedirects).toBe(0);
+    expect(original).toHaveBeenCalledOnce();
+  });
+});
diff --git a/app/watchers/providers/docker/disable-socket-redirects.ts b/app/watchers/providers/docker/disable-socket-redirects.ts
new file mode 100644
index 000000000..414408c4e
--- /dev/null
+++ b/app/watchers/providers/docker/disable-socket-redirects.ts
@@ -0,0 +1,50 @@
+import type Dockerode from 'dockerode';
+
+interface ModemLike {
+  socketPath?: string | (() => string | Promise<string>);
+  buildRequest: (
+    options: Record<string, unknown>,
+    context: unknown,
+    data: unknown,
+    callback: unknown,
+  ) => void;
+}
+
+/**
+ * Disable docker-modem's built-in redirect follower for socket connections.
+ *
+ * docker-modem wraps Node's native HTTP with a redirect-following layer
+ * (`lib/http.js`).  When following a redirect over a unix socket, it
+ * constructs a new URL via `url.resolve(reqUrl, location)` — but because
+ * the original request used `socketPath` (no hostname), path segments
+ * like "images" get misinterpreted as hostnames.  Node then tries to
+ * DNS-resolve them, producing an unhandled `getaddrinfo EAI_AGAIN`.
+ *
+ * Setting `maxRedirects: 0` on the request options tells the redirect
+ * follower to reject any redirect attempt with "Max redirects exceeded"
+ * instead of following it.  That error is caught by the modem's normal
+ * error handler and propagated cleanly via promise rejection — no crash,
+ * no DNS lookup.
+ *
+ * This is the belt-and-suspenders companion to version pinning: version
+ * pinning avoids most 301s; this guard prevents a crash if one slips
+ * through for any reason (image name format, Podman version mismatch, etc.).
+ *
+ * See GitHub issue #182.
+ */
+export function disableSocketRedirects(dockerApi: Dockerode): void {
+  const modem = (dockerApi as unknown as { modem: ModemLike }).modem;
+  if (!modem.socketPath) {
+    return;
+  }
+  const original = modem.buildRequest.bind(modem);
+  modem.buildRequest = function patchedBuildRequest(
+    options: Record<string, unknown>,
+    context: unknown,
+    data: unknown,
+    callback: unknown,
+  ) {
+    options.maxRedirects = 0;
+    return original(options, context, data, callback);
+  };
+}
diff --git a/app/watchers/providers/docker/docker-event-orchestration.test.ts b/app/watchers/providers/docker/docker-event-orchestration.test.ts
index a6c667b9d..6057abbd4 100644
--- a/app/watchers/providers/docker/docker-event-orchestration.test.ts
+++ b/app/watchers/providers/docker/docker-event-orchestration.test.ts
@@ -117,6 +117,23 @@ describe('docker event orchestration helpers', () => {
     expect(watcher.dockerApi.getEvents).not.toHaveBeenCalled();
   });
 
+  test('listenDockerEventsOrchestration handles non-object auth error gracefully', async () => {
+    const { watcher } = createWatcher({
+      ensureRemoteAuthHeaders: vi.fn().mockRejectedValue('string error'),
+    });
+
+    await listenDockerEventsOrchestration(watcher as any);
+
+    expect(watcher.log.warn).toHaveBeenCalledWith(
+      'Unable to initialize remote watcher auth for docker events (undefined)',
+    );
+    expect(watcher.scheduleDockerEventsReconnect).toHaveBeenCalledWith(
+      'auth initialization failure',
+      'string error',
+    );
+    expect(watcher.dockerApi.getEvents).not.toHaveBeenCalled();
+  });
+
   test('listenDockerEventsOrchestration wires stream handlers when docker events stream opens', async () => {
     const { watcher, stream, streamHandlers } = createWatcher();
 
@@ -238,6 +255,22 @@ describe('docker event orchestration helpers', () => {
     );
   });
 
+  test('processDockerEventPayloadOrchestration handles parse errors with non-string message field', async () => {
+    const { watcher } = createWatcher();
+    const parseSpy = vi.spyOn(JSON, 'parse').mockImplementation(() => {
+      throw { message: { detail: 'bad json' } };
+    });
+
+    const processed = await processDockerEventPayloadOrchestration(
+      watcher as any,
+      '{"Action":"ok"}',
+    );
+
+    expect(processed).toBe(true);
+    expect(watcher.log.debug).toHaveBeenCalledWith('Unable to process Docker event (undefined)');
+    parseSpy.mockRestore();
+  });
+
   test('processDockerEventOrchestration delegates through state dependencies', async () => {
     const processDockerEventStateMock = vi.mocked(processDockerEventState);
     const getContainerMock = vi.mocked(storeContainer.getContainer);
diff --git a/app/watchers/providers/docker/docker-event-orchestration.ts b/app/watchers/providers/docker/docker-event-orchestration.ts
index a452054e9..d7a28395c 100644
--- a/app/watchers/providers/docker/docker-event-orchestration.ts
+++ b/app/watchers/providers/docker/docker-event-orchestration.ts
@@ -8,41 +8,61 @@ import {
   splitDockerEventChunk,
 } from './docker-events.js';
 
+interface DockerContainerHandle {
+  inspect: () => Promise<unknown>;
+}
+
+interface DockerEventsStream {
+  on: (event: string, listener: (...args: unknown[]) => void) => unknown;
+}
+
+function getErrorMessage(error: unknown): string | undefined {
+  if (typeof error !== 'object' || error === null) {
+    return undefined;
+  }
+  const message = (error as { message?: unknown }).message;
+  return typeof message === 'string' ? message : undefined;
+}
+
 interface DockerEventOrchestrationWatcher {
   log: {
     info: (message: string) => void;
     warn: (message: string) => void;
-    debug: (message: string) => void;
+    debug: (message: unknown) => void;
   };
   configuration: {
     watchevents: boolean;
   };
   dockerApi: {
-    getContainer: (id: string) => { inspect: () => Promise<any> };
+    getContainer: (id: string) => DockerContainerHandle;
     getEvents: (
       options: Dockerode.GetEventsOptions,
-      callback: (error?: any, stream?: any) => void,
+      callback: (error?: unknown, stream?: DockerEventsStream) => void,
     ) => void;
   };
   watchCronDebounced: () => Promise<void>;
   dockerEventsReconnectTimeout?: ReturnType<typeof setTimeout>;
   isDockerEventsListenerActive: boolean;
   dockerEventsBuffer: string;
-  dockerEventsStream?: any;
+  dockerEventsStream?: DockerEventsStream;
   ensureLogger: () => void;
   ensureRemoteAuthHeaders: () => Promise<void>;
-  scheduleDockerEventsReconnect: (reason: string, error?: any) => void;
+  scheduleDockerEventsReconnect: (reason: string, error?: unknown) => void;
   cleanupDockerEventsStream: (destroy?: boolean) => void;
   resetDockerEventsReconnectBackoff: () => void;
-  onDockerEventsStreamFailure: (stream: any, reason: string, error?: any) => void;
-  onDockerEvent: (dockerEventChunk: any) => Promise<void>;
+  onDockerEventsStreamFailure: (
+    stream: DockerEventsStream,
+    reason: string,
+    error?: unknown,
+  ) => void;
+  onDockerEvent: (dockerEventChunk: unknown) => Promise<void>;
   processDockerEventPayload: (
     dockerEventPayload: string,
     shouldTreatRecoverableErrorsAsPartial?: boolean,
   ) => Promise<boolean>;
-  processDockerEvent: (dockerEvent: any) => Promise<void>;
-  updateContainerFromInspect: (containerFound: Container, containerInspect: any) => void;
-  isRecoverableDockerEventParseError: (error: any) => boolean;
+  processDockerEvent: (dockerEvent: unknown) => Promise<void>;
+  updateContainerFromInspect: (containerFound: Container, containerInspect: unknown) => void;
+  isRecoverableDockerEventParseError: (error: unknown) => boolean;
 }
 
 /**
@@ -65,8 +85,11 @@ export async function listenDockerEventsOrchestration(
 
   try {
     await watcher.ensureRemoteAuthHeaders();
-  } catch (e: any) {
-    watcher.log.warn(`Unable to initialize remote watcher auth for docker events (${e.message})`);
+  } catch (e: unknown) {
+    const errorMessage = getErrorMessage(e);
+    watcher.log.warn(
+      `Unable to initialize remote watcher auth for docker events (${errorMessage})`,
+    );
     watcher.scheduleDockerEventsReconnect('auth initialization failure', e);
     return;
   }
@@ -77,20 +100,26 @@ export async function listenDockerEventsOrchestration(
   const options: Dockerode.GetEventsOptions = getDockerEventsOptions();
   watcher.dockerApi.getEvents(options, (err, stream) => {
     if (err) {
+      const errorMessage = getErrorMessage(err);
       if (watcher.log && typeof watcher.log.warn === 'function') {
-        watcher.log.warn(`Unable to listen to Docker events [${err.message}]`);
+        watcher.log.warn(`Unable to listen to Docker events [${errorMessage}]`);
         watcher.log.debug(err);
       }
       watcher.scheduleDockerEventsReconnect('connection failure', err);
     } else {
-      watcher.dockerEventsStream = stream;
+      const dockerEventsStream = stream as DockerEventsStream;
+      watcher.dockerEventsStream = dockerEventsStream;
       watcher.resetDockerEventsReconnectBackoff();
-      stream.on('data', (chunk: any) => watcher.onDockerEvent(chunk));
-      stream.on('error', (streamError: any) =>
-        watcher.onDockerEventsStreamFailure(stream, 'error', streamError),
+      dockerEventsStream.on('data', (chunk: unknown) => watcher.onDockerEvent(chunk));
+      dockerEventsStream.on('error', (streamError: unknown) =>
+        watcher.onDockerEventsStreamFailure(dockerEventsStream, 'error', streamError),
+      );
+      dockerEventsStream.on('close', () =>
+        watcher.onDockerEventsStreamFailure(dockerEventsStream, 'close'),
+      );
+      dockerEventsStream.on('end', () =>
+        watcher.onDockerEventsStreamFailure(dockerEventsStream, 'end'),
       );
-      stream.on('close', () => watcher.onDockerEventsStreamFailure(stream, 'close'));
-      stream.on('end', () => watcher.onDockerEventsStreamFailure(stream, 'end'));
     }
   });
 }
@@ -105,21 +134,22 @@ export async function processDockerEventPayloadOrchestration(
     return true;
   }
   try {
-    const dockerEvent = JSON.parse(payloadTrimmed);
+    const dockerEvent: unknown = JSON.parse(payloadTrimmed);
     await watcher.processDockerEvent(dockerEvent);
     return true;
-  } catch (e: any) {
+  } catch (e: unknown) {
     if (shouldTreatRecoverableErrorsAsPartial && watcher.isRecoverableDockerEventParseError(e)) {
       return false;
     }
-    watcher.log.debug(`Unable to process Docker event (${e.message})`);
+    const errorMessage = getErrorMessage(e);
+    watcher.log.debug(`Unable to process Docker event (${errorMessage})`);
     return true;
   }
 }
 
 export async function processDockerEventOrchestration(
   watcher: DockerEventOrchestrationWatcher,
-  dockerEvent: any,
+  dockerEvent: unknown,
 ): Promise<void> {
   await processDockerEventState(dockerEvent, {
     watchCronDebounced: async () => watcher.watchCronDebounced(),
@@ -129,7 +159,7 @@ export async function processDockerEventOrchestration(
       return container.inspect();
     },
     getContainerFromStore: (containerId: string) => storeContainer.getContainer(containerId),
-    updateContainerFromInspect: (containerFound: Container, containerInspect: any) =>
+    updateContainerFromInspect: (containerFound: Container, containerInspect: unknown) =>
       watcher.updateContainerFromInspect(containerFound, containerInspect),
     debug: (message: string) => watcher.log.debug(message),
   });
@@ -140,7 +170,7 @@ export async function processDockerEventOrchestration(
  */
 export async function onDockerEventOrchestration(
   watcher: DockerEventOrchestrationWatcher,
-  dockerEventChunk: any,
+  dockerEventChunk: unknown,
   maxBufferBytes: number,
 ): Promise<void> {
   watcher.ensureLogger();
diff --git a/app/watchers/providers/docker/docker-events.test.ts b/app/watchers/providers/docker/docker-events.test.ts
index a2eb9cd24..3f930f5c7 100644
--- a/app/watchers/providers/docker/docker-events.test.ts
+++ b/app/watchers/providers/docker/docker-events.test.ts
@@ -344,6 +344,19 @@ describe('docker events helpers extraction', () => {
     expect(state.dockerEventsReconnectDelayMs).toBe(DOCKER_EVENTS_RECONNECT_BASE_DELAY_MS);
   });
 
+  test('splits event chunk when chunk is already a string', () => {
+    const result = splitDockerEventChunk('', '{"Action":"start"}\n');
+    expect(result.payloads).toEqual(['{"Action":"start"}']);
+    expect(result.buffer).toBe('');
+  });
+
+  test('splits event chunk when chunk has no toString method', () => {
+    const noPrototype = Object.create(null);
+    const result = splitDockerEventChunk('buffered', noPrototype);
+    expect(result.payloads).toEqual([]);
+    expect(result.buffer).toBe('buffered');
+  });
+
   test('provides docker events options with container event filters', () => {
     expect(getDockerEventsOptions()).toEqual({
       filters: {
diff --git a/app/watchers/providers/docker/docker-events.ts b/app/watchers/providers/docker/docker-events.ts
index 6b3802966..cb4100dd2 100644
--- a/app/watchers/providers/docker/docker-events.ts
+++ b/app/watchers/providers/docker/docker-events.ts
@@ -1,7 +1,7 @@
 import type Dockerode from 'dockerode';
 
 export const DOCKER_EVENTS_RECONNECT_BASE_DELAY_MS = 1000;
-export const DOCKER_EVENTS_RECONNECT_MAX_DELAY_MS = 30 * 1000;
+const DOCKER_EVENTS_RECONNECT_MAX_DELAY_MS = 30 * 1000;
 
 const DOCKER_CONTAINER_EVENT_TYPES = [
   'create',
@@ -15,6 +15,12 @@ const DOCKER_CONTAINER_EVENT_TYPES = [
   'rename',
 ] as const;
 
+interface DockerEventsStream {
+  removeAllListeners?: (event: string) => void;
+  destroy?: () => void;
+  toString: () => string;
+}
+
 interface DockerEventsState {
   configuration: {
     watchevents?: boolean;
@@ -23,21 +29,43 @@ interface DockerEventsState {
   dockerEventsReconnectTimeout?: ReturnType<typeof setTimeout>;
   dockerEventsReconnectDelayMs: number;
   dockerEventsReconnectAttempt: number;
-  dockerEventsStream?: any;
+  dockerEventsStream?: DockerEventsStream;
   dockerEventsBuffer: string;
   log?: {
-    warn?: (...args: any[]) => void;
-    debug?: (...args: any[]) => void;
+    info?: (message: string) => void;
+    warn?: (message: string) => void;
+    debug?: (message: string) => void;
   };
 }
 
-export interface DockerEventsReconnectDependencies {
+interface DockerEventsReconnectDependencies {
   cleanupDockerEventsStream: (destroy?: boolean) => void;
   listenDockerEvents: () => Promise<void>;
 }
 
-export interface DockerEventsStreamFailureDependencies {
-  scheduleDockerEventsReconnect: (reason: string, err?: any) => void;
+interface DockerEventsStreamFailureDependencies {
+  scheduleDockerEventsReconnect: (reason: string, err?: unknown) => void;
+}
+
+function getErrorMessage(error: unknown): string {
+  if (typeof error !== 'object' || error === null) {
+    return '';
+  }
+  const message = (error as { message?: unknown }).message;
+  return typeof message === 'string' ? message : '';
+}
+
+function stringifyDockerEventChunk(dockerEventChunk: unknown): string {
+  if (typeof dockerEventChunk === 'string') {
+    return dockerEventChunk;
+  }
+  if (
+    dockerEventChunk &&
+    typeof (dockerEventChunk as { toString?: unknown }).toString === 'function'
+  ) {
+    return (dockerEventChunk as { toString: () => string }).toString();
+  }
+  return '';
 }
 
 function isDockerEventsReconnectEnabled(state: DockerEventsState) {
@@ -53,19 +81,26 @@ function logPendingReconnect(state: DockerEventsState, reason: string) {
 function logReconnectScheduled(
   state: DockerEventsState,
   reason: string,
-  err: any,
+  err: unknown,
   reconnectDelayMs: number,
 ) {
-  const errorMessage = err?.message ? ` (${err.message})` : '';
-  if (state.log && typeof state.log.warn === 'function') {
-    state.log.warn(
+  const reconnectErrorMessage = getErrorMessage(err);
+  const errorMessage = reconnectErrorMessage ? ` (${reconnectErrorMessage})` : '';
+  // First reconnect is expected (proxy timeout, network blip) — log as info.
+  // Subsequent attempts indicate a real problem — escalate to warn.
+  const isFirstAttempt = state.dockerEventsReconnectAttempt <= 1;
+  const logFn = isFirstAttempt ? state.log?.info : state.log?.warn;
+  if (logFn) {
+    logFn.call(
+      state.log,
       `Docker event stream ${reason}${errorMessage}; reconnect attempt #${state.dockerEventsReconnectAttempt} in ${reconnectDelayMs}ms`,
     );
   }
 }
 
-function logReconnectFailure(state: DockerEventsState, reconnectError: any) {
-  const errorMessage = reconnectError?.message ? ` (${reconnectError.message})` : '';
+function logReconnectFailure(state: DockerEventsState, reconnectError: unknown) {
+  const reconnectErrorMessage = getErrorMessage(reconnectError);
+  const errorMessage = reconnectErrorMessage ? ` (${reconnectErrorMessage})` : '';
   if (state.log && typeof state.log.warn === 'function') {
     state.log.warn(
       `Docker event stream reconnect attempt #${state.dockerEventsReconnectAttempt} failed${errorMessage}`,
@@ -85,7 +120,7 @@ async function attemptDockerEventsReconnect(
 
   try {
     await dependencies.listenDockerEvents();
-  } catch (reconnectError: any) {
+  } catch (reconnectError: unknown) {
     logReconnectFailure(state, reconnectError);
     scheduleDockerEventsReconnect(
       state,
@@ -129,7 +164,7 @@ export function scheduleDockerEventsReconnect(
   state: DockerEventsState,
   dependencies: DockerEventsReconnectDependencies,
   reason: string,
-  err?: any,
+  err?: unknown,
   maxDelayMs = DOCKER_EVENTS_RECONNECT_MAX_DELAY_MS,
 ) {
   if (!isDockerEventsReconnectEnabled(state)) {
@@ -156,9 +191,9 @@ export function scheduleDockerEventsReconnect(
 export function onDockerEventsStreamFailure(
   state: DockerEventsState,
   dependencies: DockerEventsStreamFailureDependencies,
-  stream: any,
+  stream: unknown,
   reason: string,
-  err?: any,
+  err?: unknown,
 ) {
   if (stream !== state.dockerEventsStream) {
     return;
@@ -166,16 +201,16 @@ export function onDockerEventsStreamFailure(
   dependencies.scheduleDockerEventsReconnect(reason, err);
 }
 
-export function isRecoverableDockerEventParseError(error: any) {
-  const message = `${error?.message || ''}`.toLowerCase();
+export function isRecoverableDockerEventParseError(error: unknown) {
+  const message = getErrorMessage(error).toLowerCase();
   return (
     message.includes('unexpected end of json input') ||
     message.includes('unterminated string in json')
   );
 }
 
-export function splitDockerEventChunk(buffer: string, dockerEventChunk: any) {
-  const chunkContent = `${buffer}${dockerEventChunk.toString()}`;
+export function splitDockerEventChunk(buffer: string, dockerEventChunk: unknown) {
+  const chunkContent = `${buffer}${stringifyDockerEventChunk(dockerEventChunk)}`;
   const payloads = chunkContent.split('\n');
   const lastPayload = payloads.pop();
 
diff --git a/app/watchers/providers/docker/docker-helpers.test.ts b/app/watchers/providers/docker/docker-helpers.test.ts
index d4b83e479..287ab4336 100644
--- a/app/watchers/providers/docker/docker-helpers.test.ts
+++ b/app/watchers/providers/docker/docker-helpers.test.ts
@@ -2,6 +2,7 @@ import { describe, expect, test, vi } from 'vitest';
 
 import {
   buildFallbackContainerReport,
+  canonicalizeContainerName,
   getContainerName,
   getErrorMessage,
   getFirstConfigNumber,
@@ -9,6 +10,7 @@ import {
   getImageForRegistryLookup,
   getImageReferenceCandidatesFromPattern,
   getInspectValueByPath,
+  getRawContainerName,
   getSemverTagFromInspectPath,
   isDigestToWatch,
   shouldUpdateDisplayNameFromContainerName,
@@ -98,8 +100,24 @@ describe('docker helper extraction module', () => {
   });
 
   test('keeps digest-watch defaults and display-name update rule behavior', () => {
-    expect(isDigestToWatch(undefined as any, { domain: 'docker.io' }, false)).toBe(false);
-    expect(isDigestToWatch(undefined as any, { domain: 'ghcr.io' }, false)).toBe(true);
+    // Non-semver floating tags: Docker Hub stays opt-in, non-Hub defaults to watch
+    expect(isDigestToWatch(undefined as any, { domain: 'docker.io' }, false, 'floating')).toBe(
+      false,
+    );
+    expect(isDigestToWatch(undefined as any, { domain: 'ghcr.io' }, false, 'floating')).toBe(true);
+
+    // Specific semver releases: digest watching disabled regardless of registry
+    expect(isDigestToWatch(undefined as any, { domain: 'ghcr.io' }, true, 'specific')).toBe(false);
+    expect(isDigestToWatch(undefined as any, { domain: 'docker.io' }, true, 'specific')).toBe(
+      false,
+    );
+
+    // Floating semver aliases (v3, 1.4): Docker Hub stays opt-in, non-Hub defaults to watch
+    expect(isDigestToWatch(undefined as any, { domain: 'ghcr.io' }, true, 'floating')).toBe(true);
+    expect(isDigestToWatch(undefined as any, { domain: 'docker.io' }, true, 'floating')).toBe(
+      false,
+    );
+
     expect(shouldUpdateDisplayNameFromContainerName('new', 'old', 'old')).toBe(true);
     expect(shouldUpdateDisplayNameFromContainerName('new', 'old', 'custom')).toBe(false);
   });
@@ -155,4 +173,104 @@ describe('docker helper extraction module', () => {
     expect(getContainerName({ Names: ['/service/api'] })).toBe('service/api');
     expect(getContainerName({ Names: ['service/api'] })).toBe('service/api');
   });
+
+  test('getContainerName should return empty string for missing or empty Names', () => {
+    expect(getContainerName({})).toBe('');
+    expect(getContainerName({ Names: [] })).toBe('');
+  });
+
+  test('getContainerName should prefer non-alias name when Names contains both alias and canonical', () => {
+    expect(
+      getContainerName({
+        Id: '8bf70beac570abcdef1234567890',
+        Names: ['/8bf70beac570_termix', '/termix'],
+      }),
+    ).toBe('termix');
+  });
+
+  test('getContainerName should skip non-string entries when scanning multi-name aliases', () => {
+    expect(
+      getContainerName({
+        Id: '8bf70beac570abcdef1234567890',
+        Names: [123 as any, '/termix'],
+      }),
+    ).toBe('termix');
+  });
+
+  test('getContainerName should strip alias prefix from single-entry Names when ID matches', () => {
+    expect(
+      getContainerName({
+        Id: '8bf70beac570abcdef1234567890',
+        Names: ['/8bf70beac570_termix'],
+      }),
+    ).toBe('termix');
+  });
+
+  test('getContainerName should strip alias unconditionally even when container ID does not match', () => {
+    expect(
+      getContainerName({
+        Id: 'aaaa00000000abcdef1234567890',
+        Names: ['/8bf70beac570_termix'],
+      }),
+    ).toBe('termix');
+  });
+
+  test('getContainerName should strip alias unconditionally even when no container ID is available', () => {
+    expect(getContainerName({ Names: ['/8bf70beac570_termix'] })).toBe('termix');
+  });
+
+  test('getContainerName should skip non-string entries in Names when finding canonical name', () => {
+    expect(
+      getContainerName({
+        Id: '8bf70beac570abcdef1234567890',
+        Names: [123 as any, '/termix'],
+      }),
+    ).toBe('termix');
+  });
+
+  test('getContainerName should not strip non-alias names that happen to contain underscores', () => {
+    expect(
+      getContainerName({
+        Id: 'abcdef123456abcdef1234567890',
+        Names: ['/my_app_container'],
+      }),
+    ).toBe('my_app_container');
+  });
+
+  describe('canonicalizeContainerName', () => {
+    test('should strip alias prefix when container ID matches', () => {
+      expect(canonicalizeContainerName('8bf70beac570_termix', '8bf70beac570abcdef1234567890')).toBe(
+        'termix',
+      );
+    });
+
+    test('should strip alias unconditionally even when container ID does not match', () => {
+      expect(canonicalizeContainerName('8bf70beac570_termix', 'aaaa00000000abcdef1234567890')).toBe(
+        'termix',
+      );
+    });
+
+    test('should strip alias unconditionally even when no container ID provided', () => {
+      expect(canonicalizeContainerName('8bf70beac570_termix', '')).toBe('termix');
+    });
+
+    test('should keep non-alias names unchanged', () => {
+      expect(canonicalizeContainerName('termix', '8bf70beac570abcdef1234567890')).toBe('termix');
+      expect(canonicalizeContainerName('my_app', 'abcdef123456abcdef1234567890')).toBe('my_app');
+    });
+  });
+
+  describe('getRawContainerName', () => {
+    test('should return raw name without canonicalization', () => {
+      expect(getRawContainerName({ Names: ['/7ea6b8a42686_termix'] })).toBe('7ea6b8a42686_termix');
+    });
+
+    test('should return empty string for non-string first entry', () => {
+      expect(getRawContainerName({ Names: [123 as any] })).toBe('');
+    });
+
+    test('should return empty string for missing Names', () => {
+      expect(getRawContainerName({} as any)).toBe('');
+    });
+  });
 });
diff --git a/app/watchers/providers/docker/docker-helpers.ts b/app/watchers/providers/docker/docker-helpers.ts
index 07d41a659..e5833c007 100644
--- a/app/watchers/providers/docker/docker-helpers.ts
+++ b/app/watchers/providers/docker/docker-helpers.ts
@@ -5,6 +5,8 @@ import type { Container, ContainerImage } from '../../../model/container.js';
 import { parse as parseSemver, transform as transformTag } from '../../../tag/index.js';
 import { getErrorMessage as getSharedErrorMessage } from '../../../util/error.js';
 
+export type TagPrecision = 'specific' | 'floating';
+
 const UNKNOWN_CONTAINER_PROCESSING_ERROR = 'Unexpected container processing error';
 
 export interface ResolvedImgset {
@@ -24,6 +26,28 @@ export interface ResolvedImgset {
   inspectTagPath?: string;
 }
 
+type UnknownRecord = Record<string, unknown>;
+
+const RECREATED_ALIAS_PATTERN = /^([a-f0-9]{12})_(.+)$/i;
+
+interface ContainerWithNames {
+  Id?: unknown;
+  Names?: string[];
+}
+
+interface ParsedImageLike {
+  path?: string;
+  domain?: string;
+}
+
+interface ImageWithRepoDigests {
+  RepoDigests?: string[];
+}
+
+function isRecord(value: unknown): value is UnknownRecord {
+  return typeof value === 'object' && value !== null;
+}
+
 export function getErrorMessage(error: unknown, fallback = UNKNOWN_CONTAINER_PROCESSING_ERROR) {
   return getSharedErrorMessage(error, fallback);
 }
@@ -62,17 +86,78 @@ export function getOldContainers(newContainers: Container[], containersFromTheSt
   );
 }
 
-export function getContainerName(container: any) {
-  let containerName = '';
+/**
+ * Extract the raw first name from a Docker container summary, stripping only
+ * the leading slash. Does NOT canonicalize alias prefixes — used by alias
+ * filtering which needs to detect the raw alias pattern.
+ */
+export function getRawContainerName(container: { Names?: string[] }): string {
   const names = container.Names;
-  if (names && names.length > 0) {
-    [containerName] = names;
+  if (!names || names.length === 0) {
+    return '';
   }
-  // Strip ugly forward slash
-  containerName = containerName.replace(/^\//, '');
+  const first = names[0];
+  return typeof first === 'string' ? first.replace(/^\//, '') : '';
+}
+
+/**
+ * Extract the canonical container name. Unconditionally strips Docker recreate
+ * alias prefixes (e.g. `8bf70beac570_termix` → `termix`) when the name matches
+ * the `^[a-f0-9]{12}_.+` pattern.
+ *
+ * Previous versions only stripped when the hex prefix matched the container ID,
+ * but this failed in environments where the Docker API (via socket proxies like
+ * linuxserver/socket-proxy) returned unexpected ID formats or timing. The
+ * unconditional approach is safe because no legitimate container naming
+ * convention uses a 12-character lowercase hex prefix followed by underscore.
+ *
+ * When Names contains both an alias and the canonical name during a rename,
+ * prefers the non-alias entry.
+ */
+export function getContainerName(container: ContainerWithNames) {
+  const names = container.Names;
+  if (!names || names.length === 0) {
+    return '';
+  }
+
+  // When Docker renames a container during recreate, Names may contain both
+  // the transient alias ("/8bf70beac570_termix") and the canonical name ("/termix").
+  // Prefer the first non-alias name.
+  if (names.length > 1) {
+    for (const raw of names) {
+      if (typeof raw !== 'string') {
+        continue;
+      }
+      const stripped = raw.replace(/^\//, '');
+      if (!RECREATED_ALIAS_PATTERN.test(stripped)) {
+        return stripped;
+      }
+    }
+  }
+
+  // Single name (or all names are aliases) — unconditionally strip alias prefix.
+  const containerName = getRawContainerName(container);
+  const aliasMatch = containerName.match(RECREATED_ALIAS_PATTERN);
+  if (aliasMatch) {
+    return aliasMatch[2];
+  }
+
   return containerName;
 }
 
+/**
+ * Strip a Docker recreate alias prefix from a container name unconditionally.
+ * Used by the event-update path where Docker inspect returns a single Name
+ * rather than a Names array.
+ */
+export function canonicalizeContainerName(name: string, _containerId?: string): string {
+  const aliasMatch = name.match(RECREATED_ALIAS_PATTERN);
+  if (aliasMatch) {
+    return aliasMatch[2];
+  }
+  return name;
+}
+
 export function getContainerDisplayName(
   containerName: string,
   parsedImagePath: string,
@@ -85,7 +170,7 @@ export function getContainerDisplayName(
   return containerName;
 }
 
-function normalizeConfigStringValue(value: any) {
+function normalizeConfigStringValue(value: unknown) {
   if (typeof value !== 'string') {
     return undefined;
   }
@@ -93,19 +178,19 @@ function normalizeConfigStringValue(value: any) {
   return valueTrimmed === '' ? undefined : valueTrimmed;
 }
 
-function getNestedValue(value: any, path: string) {
+function getNestedValue(value: unknown, path: string) {
   return path
     .split('.')
     .filter((item) => item !== '')
-    .reduce((nestedValue, item) => {
-      if (nestedValue === undefined || nestedValue === null || typeof nestedValue !== 'object') {
+    .reduce<unknown>((nestedValue, item) => {
+      if (!isRecord(nestedValue)) {
         return undefined;
       }
       return nestedValue[item];
     }, value);
 }
 
-export function getFirstConfigString(value: any, paths: string[]) {
+export function getFirstConfigString(value: unknown, paths: string[]) {
   for (const path of paths) {
     const pathValue = normalizeConfigStringValue(getNestedValue(value, path));
     if (pathValue !== undefined) {
@@ -115,7 +200,7 @@ export function getFirstConfigString(value: any, paths: string[]) {
   return undefined;
 }
 
-function getImageReferenceCandidates(path: string, domain?: string) {
+function getImageReferenceCandidates(path?: string, domain?: string) {
   const pathNormalized = normalizeConfigStringValue(path)?.toLowerCase();
   if (!pathNormalized) {
     return [];
@@ -150,17 +235,17 @@ export function getImageReferenceCandidatesFromPattern(pattern: string) {
       return [patternNormalized.toLowerCase()];
     }
     return getImageReferenceCandidates(parsedPattern.path, parsedPattern.domain);
-  } catch (e) {
+  } catch (_error: unknown) {
     log.debug(`Invalid imgset image pattern "${patternNormalized}" - using normalized value`);
     return [patternNormalized.toLowerCase()];
   }
 }
 
-function getImageReferenceCandidatesFromParsedImage(parsedImage: any) {
+function getImageReferenceCandidatesFromParsedImage(parsedImage: ParsedImageLike) {
   return getImageReferenceCandidates(parsedImage?.path, parsedImage?.domain);
 }
 
-export function getImgsetSpecificity(imagePattern: string, parsedImage: any) {
+export function getImgsetSpecificity(imagePattern: string, parsedImage: ParsedImageLike) {
   const patternCandidates = getImageReferenceCandidatesFromPattern(imagePattern);
   if (patternCandidates.length === 0) {
     return -1;
@@ -183,7 +268,10 @@ export function getImgsetSpecificity(imagePattern: string, parsedImage: any) {
   );
 }
 
-export function getResolvedImgsetConfiguration(name: string, imgsetConfiguration: any) {
+export function getResolvedImgsetConfiguration(
+  name: string,
+  imgsetConfiguration: unknown,
+): ResolvedImgset {
   return {
     name,
     includeTags: getFirstConfigString(imgsetConfiguration, [
@@ -228,7 +316,7 @@ export function getResolvedImgsetConfiguration(name: string, imgsetConfiguration
       'inspect.tag.path',
       'inspectTagPath',
     ]),
-  } as ResolvedImgset;
+  };
 }
 
 export function getContainerConfigValue(
@@ -238,7 +326,7 @@ export function getContainerConfigValue(
   return normalizeConfigStringValue(labelValue) || normalizeConfigStringValue(imgsetValue);
 }
 
-export function normalizeConfigNumberValue(value: any) {
+export function normalizeConfigNumberValue(value: unknown) {
   if (typeof value === 'number' && Number.isFinite(value)) {
     return value;
   }
@@ -251,7 +339,7 @@ export function normalizeConfigNumberValue(value: any) {
   return undefined;
 }
 
-export function getFirstConfigNumber(value: any, paths: string[]) {
+export function getFirstConfigNumber(value: unknown, paths: string[]) {
   for (const path of paths) {
     const pathValue = normalizeConfigNumberValue(getNestedValue(value, path));
     if (pathValue !== undefined) {
@@ -266,7 +354,7 @@ export function getFirstConfigNumber(value: any, paths: string[]) {
  * @param containerImage
  * @returns {*} digest
  */
-export function getRepoDigest(containerImage: any) {
+export function getRepoDigest(containerImage: ImageWithRepoDigests) {
   if (!containerImage.RepoDigests || containerImage.RepoDigests.length === 0) {
     return undefined;
   }
@@ -279,16 +367,16 @@ export function getRepoDigest(containerImage: any) {
  * Resolve a value in a Docker inspect payload from a slash-separated path.
  * Example: Config/Labels/org.opencontainers.image.version
  */
-export function getInspectValueByPath(containerInspect: any, path: string) {
+export function getInspectValueByPath(containerInspect: unknown, path: string) {
   if (!path) {
     return undefined;
   }
   const pathSegments = path.split('/').filter((segment) => segment !== '');
-  return pathSegments.reduce((value, key) => {
+  return pathSegments.reduce<unknown>((value, key) => {
     if (value === undefined || value === null) {
       return undefined;
     }
-    return value[key];
+    return (value as UnknownRecord)[key];
   }, containerInspect);
 }
 
@@ -296,7 +384,7 @@ export function getInspectValueByPath(containerInspect: any, path: string) {
  * Try to derive a semver tag from a Docker inspect path.
  */
 export function getSemverTagFromInspectPath(
-  containerInspect: any,
+  containerInspect: unknown,
   inspectPath: string,
   transformTags: string,
 ) {
@@ -329,12 +417,14 @@ export function isContainerToWatch(watchLabelValue: string, watchByDefault: bool
  * @param {string} watchDigestLabelValue - the value of dd.watch.digest label
  * @param {object} parsedImage - object containing at least `domain` property
  * @param {boolean} isSemver - true if the current image tag is a semver tag
+ * @param {TagPrecision} tagPrecision - whether the tag is specific or floating
  * @returns {boolean}
  */
 export function isDigestToWatch(
   watchDigestLabelValue: string,
-  parsedImage: any,
+  parsedImage: ParsedImageLike,
   isSemver: boolean,
+  tagPrecision: TagPrecision,
 ) {
   const domain = parsedImage.domain;
   const isDockerHub =
@@ -350,10 +440,13 @@ export function isDigestToWatch(
     return shouldWatch;
   }
 
-  if (isSemver) {
+  // Specific semver releases (1.4.5) — immutable, no digest watching needed
+  if (isSemver && tagPrecision === 'specific') {
     return false;
   }
 
+  // Floating tags (v3, 1, 1.4, latest, stable)
+  // Docker Hub stays opt-in because of its documented pull/abuse throttling.
   return !isDockerHub;
 }
 
@@ -393,7 +486,7 @@ export function getImageForRegistryLookup(image: ContainerImage) {
           url: lookupUrl,
         },
       };
-    } catch (e) {
+    } catch (_error: unknown) {
       log.debug(`Invalid registry lookup URL "${lookupImageTrimmed}" - using image defaults`);
       return image;
     }
diff --git a/app/watchers/providers/docker/docker-image-details-orchestration.test.ts b/app/watchers/providers/docker/docker-image-details-orchestration.test.ts
index 9bd47d26d..ca404cf8c 100644
--- a/app/watchers/providers/docker/docker-image-details-orchestration.test.ts
+++ b/app/watchers/providers/docker/docker-image-details-orchestration.test.ts
@@ -1,7 +1,12 @@
 import { afterEach, describe, expect, test, vi } from 'vitest';
 
+import * as registry from '../../../registry/index.js';
 import * as storeContainer from '../../../store/container.js';
-import { addImageDetailsToContainerOrchestration } from './docker-image-details-orchestration.js';
+import {
+  addImageDetailsToContainerOrchestration,
+  testable_classifyTagPrecision,
+  testable_getNumericTagShape,
+} from './docker-image-details-orchestration.js';
 
 function createDockerSummaryContainer(overrides: Record<string, any> = {}) {
   return {
@@ -93,6 +98,55 @@ afterEach(() => {
 });
 
 describe('docker image details orchestration module', () => {
+  test('testable_getNumericTagShape derives numeric segment counts across tag formats', () => {
+    expect(testable_getNumericTagShape('1.2.3', undefined)).toMatchObject({
+      prefix: '',
+      numericSegments: ['1', '2', '3'],
+      suffix: '',
+    });
+    expect(testable_getNumericTagShape('v3', undefined)).toMatchObject({
+      prefix: 'v',
+      numericSegments: ['3'],
+      suffix: '',
+    });
+    expect(testable_getNumericTagShape('1.4-alpine', undefined)).toMatchObject({
+      prefix: '',
+      numericSegments: ['1', '4'],
+      suffix: '-alpine',
+    });
+    expect(testable_getNumericTagShape('v2.0.1-alpine', '^v(.*) => $1')).toMatchObject({
+      prefix: '',
+      numericSegments: ['2', '0', '1'],
+      suffix: '-alpine',
+    });
+    expect(testable_getNumericTagShape('latest', undefined)).toBeNull();
+  });
+
+  test('testable_classifyTagPrecision distinguishes specific releases from floating aliases', () => {
+    expect(testable_classifyTagPrecision('1.2.3', undefined, {})).toBe('specific');
+    expect(testable_classifyTagPrecision('1.4', undefined, {})).toBe('floating');
+    expect(testable_classifyTagPrecision('v3', undefined, {})).toBe('floating');
+    expect(testable_classifyTagPrecision('latest', undefined, {})).toBe('floating');
+    expect(testable_classifyTagPrecision('v2.0.1-alpine', '^v(.*) => $1', {})).toBe('specific');
+    expect(testable_classifyTagPrecision('1.2.3', undefined, null)).toBe('floating');
+  });
+
+  test('returns undefined for containers with empty Image (Podman pod infra)', async () => {
+    const { watcher } = createWatcher();
+    const container = createDockerSummaryContainer({ Image: '' });
+    const helpers = createHelpers();
+
+    const result = await addImageDetailsToContainerOrchestration(
+      watcher as any,
+      container,
+      {},
+      helpers as any,
+    );
+
+    expect(result).toBeUndefined();
+    expect(watcher.dockerApi.getImage).not.toHaveBeenCalled();
+  });
+
   test('refreshes runtime and image details for containers already present in store', async () => {
     const containerInStore = {
       id: 'container-1',
@@ -486,6 +540,49 @@ describe('docker image details orchestration module', () => {
     });
   });
 
+  test('detects sourceRepo from manual label override and OCI source labels', async () => {
+    vi.spyOn(storeContainer, 'getContainer').mockReturnValue(undefined);
+
+    const { watcher, inspectContainer, inspectImage } = createWatcher();
+    inspectContainer.mockResolvedValue({});
+    inspectImage.mockResolvedValue({
+      Id: 'image-new',
+      RepoDigests: ['ghcr.io/acme/service@sha256:new'],
+      Architecture: 'amd64',
+      Os: 'linux',
+      Created: '2026-02-01T00:00:00.000Z',
+      Config: {
+        Labels: {
+          'org.opencontainers.image.source': 'https://github.com/acme/service',
+        },
+      },
+    });
+
+    const resultFromImageSource = await addImageDetailsToContainerOrchestration(
+      watcher as any,
+      createDockerSummaryContainer({
+        Labels: {},
+      }),
+      {},
+      createHelpers() as any,
+    );
+
+    expect(resultFromImageSource?.sourceRepo).toBe('github.com/acme/service');
+
+    const resultFromManualOverride = await addImageDetailsToContainerOrchestration(
+      watcher as any,
+      createDockerSummaryContainer({
+        Labels: {
+          'dd.source.repo': 'github.com/acme/override',
+        },
+      }),
+      {},
+      createHelpers() as any,
+    );
+
+    expect(resultFromManualOverride?.sourceRepo).toBe('github.com/acme/override');
+  });
+
   test('falls back to summary runtime details when container inspect is unavailable', async () => {
     vi.spyOn(storeContainer, 'getContainer').mockReturnValue(undefined);
 
@@ -536,10 +633,77 @@ describe('docker image details orchestration module', () => {
     );
 
     expect(result?.id).toBe('new-container-id');
-    expect(getContainersSpy).toHaveBeenCalledWith({ watcher: 'docker-test', name: 'service' });
+    expect(getContainersSpy).toHaveBeenCalledWith({ name: 'service' });
     expect(deleteContainerSpy).toHaveBeenCalledWith('old-container-id');
   });
 
+  test('removes stale same-name entries from a different watcher when both watchers point to the same docker source', async () => {
+    vi.spyOn(storeContainer, 'getContainer').mockReturnValue(undefined);
+    vi.spyOn(storeContainer, 'getContainers').mockReturnValue([
+      {
+        id: 'old-container-current-watcher',
+        watcher: 'docker-test',
+        name: 'service',
+      } as any,
+      {
+        id: 'old-container-same-source-different-watcher',
+        watcher: 'docker-alias',
+        name: 'service',
+      } as any,
+    ]);
+    const deleteContainerSpy = vi
+      .spyOn(storeContainer, 'deleteContainer')
+      .mockImplementation(() => {});
+    vi.spyOn(registry, 'getState').mockReturnValue({
+      watcher: {
+        'docker.docker-test': {
+          type: 'docker',
+          name: 'docker-test',
+          configuration: {
+            host: 'socket-proxy.internal',
+            protocol: 'http',
+            port: 2375,
+            socket: '/var/run/docker.sock',
+          },
+        },
+        'docker.docker-alias': {
+          type: 'docker',
+          name: 'docker-alias',
+          configuration: {
+            host: 'socket-proxy.internal',
+            protocol: 'http',
+            port: 2375,
+            socket: '/var/run/docker.sock',
+          },
+        },
+      },
+    } as any);
+
+    const { watcher } = createWatcher({
+      configuration: {
+        watchevents: false,
+        host: 'socket-proxy.internal',
+        protocol: 'http',
+        port: 2375,
+        socket: '/var/run/docker.sock',
+      },
+    });
+
+    const result = await addImageDetailsToContainerOrchestration(
+      watcher as any,
+      createDockerSummaryContainer({
+        Id: 'new-container-id',
+        Names: ['/service'],
+      }),
+      {},
+      createHelpers() as any,
+    );
+
+    expect(result?.id).toBe('new-container-id');
+    expect(deleteContainerSpy).toHaveBeenCalledWith('old-container-current-watcher');
+    expect(deleteContainerSpy).toHaveBeenCalledWith('old-container-same-source-different-watcher');
+  });
+
   test('skips same-name dedupe when the discovered container name is empty', async () => {
     vi.spyOn(storeContainer, 'getContainer').mockReturnValue(undefined);
     const getContainersSpy = vi.spyOn(storeContainer, 'getContainers').mockReturnValue([
@@ -570,4 +734,65 @@ describe('docker image details orchestration module', () => {
     expect(getContainersSpy).not.toHaveBeenCalled();
     expect(deleteContainerSpy).not.toHaveBeenCalled();
   });
+
+  test('skips stale same-name entries with missing, blank, or non-docker watcher metadata', async () => {
+    vi.spyOn(storeContainer, 'getContainer').mockReturnValue(undefined);
+    vi.spyOn(storeContainer, 'getContainers').mockReturnValue([
+      {
+        id: 'old-container-empty-watcher',
+        watcher: '',
+        name: 'service',
+      } as any,
+      {
+        id: 'old-container-whitespace-watcher',
+        watcher: '   ',
+        name: 'service',
+      } as any,
+      {
+        id: 'old-container-non-docker',
+        watcher: 'docker-queue',
+        name: 'service',
+      } as any,
+    ]);
+    const deleteContainerSpy = vi
+      .spyOn(storeContainer, 'deleteContainer')
+      .mockImplementation(() => {});
+    vi.spyOn(registry, 'getState').mockReturnValue({
+      watcher: {
+        'docker.docker-queue': {
+          type: 'queue',
+          name: 'docker-queue',
+          configuration: {
+            host: 'socket-proxy.internal',
+            protocol: 'http',
+            port: 2375,
+            socket: '/var/run/docker.sock',
+          },
+        },
+      },
+    } as any);
+
+    const { watcher } = createWatcher({
+      configuration: {
+        watchevents: false,
+        host: 'socket-proxy.internal',
+        protocol: 'http',
+        port: 2375,
+        socket: '/var/run/docker.sock',
+      },
+    });
+
+    const result = await addImageDetailsToContainerOrchestration(
+      watcher as any,
+      createDockerSummaryContainer({
+        Id: 'new-container-id',
+        Names: ['/service'],
+      }),
+      {},
+      createHelpers() as any,
+    );
+
+    expect(result?.id).toBe('new-container-id');
+    expect(deleteContainerSpy).not.toHaveBeenCalled();
+  });
 });
diff --git a/app/watchers/providers/docker/docker-image-details-orchestration.ts b/app/watchers/providers/docker/docker-image-details-orchestration.ts
index bdf737f49..d3fee5248 100644
--- a/app/watchers/providers/docker/docker-image-details-orchestration.ts
+++ b/app/watchers/providers/docker/docker-image-details-orchestration.ts
@@ -1,6 +1,13 @@
 import type { Container } from '../../../model/container.js';
+import * as registry from '../../../registry/index.js';
+import { detectSourceRepoFromImageMetadata } from '../../../release-notes/index.js';
 import * as storeContainer from '../../../store/container.js';
 import { parse as parseSemver, transform as transformTag } from '../../../tag/index.js';
+import {
+  getDockerWatcherRegistryId,
+  getDockerWatcherSourceKey,
+  isDockerWatcher,
+} from './container-init.js';
 import {
   getContainerDisplayName,
   getContainerName,
@@ -8,6 +15,7 @@ import {
   isDigestToWatch,
   type ResolvedImgset,
   shouldUpdateDisplayNameFromContainerName,
+  type TagPrecision,
 } from './docker-helpers.js';
 import {
   areRuntimeDetailsEqual,
@@ -16,6 +24,20 @@ import {
   mergeRuntimeDetails,
   normalizeRuntimeDetails,
 } from './runtime-details.js';
+import { getNumericTagShape } from './tag-candidates.js';
+
+const MIN_SPECIFIC_SEGMENTS = 3;
+
+function classifyTagPrecision(
+  tag: string,
+  transformTags: string | undefined,
+  parsedTag: unknown,
+): TagPrecision {
+  if (!parsedTag) return 'floating';
+  const shape = getNumericTagShape(tag, transformTags);
+  if (!shape) return 'floating';
+  return shape.numericSegments.length >= MIN_SPECIFIC_SEGMENTS ? 'specific' : 'floating';
+}
 
 export interface ContainerLabelOverrides {
   includeTags?: string;
@@ -53,6 +75,9 @@ interface DockerImageInspectPayload {
   Os?: string;
   Variant?: string;
   Created?: string;
+  Config?: {
+    Labels?: Record<string, string>;
+  };
   [key: string]: unknown;
 }
 
@@ -94,8 +119,13 @@ interface ResolvedContainerConfig {
 
 interface DockerImageDetailsWatcher {
   name: string;
+  agent?: string;
   configuration: {
     watchevents: boolean;
+    host?: string;
+    socket?: string;
+    protocol?: string;
+    port?: number;
   };
   dockerApi: {
     getContainer: (id: string) => { inspect: () => Promise<DockerContainerInspectPayload> };
@@ -123,6 +153,7 @@ interface DockerImageDetailsHelpers {
   resolveImageName: (
     imageName: string,
     image: DockerImageInspectPayload,
+    containerName?: string,
   ) => ParsedDockerImageReference | undefined;
   resolveTagName: (
     parsedImage: ParsedDockerImageReference,
@@ -138,7 +169,7 @@ interface DockerImageDetailsHelpers {
 
 type RuntimeDetails = ReturnType<typeof getRuntimeDetailsFromContainerSummary>;
 
-function getErrorMessage(error: unknown) {
+function getErrorMessage(error: unknown): string {
   if (error instanceof Error) {
     return error.message;
   }
@@ -278,8 +309,10 @@ async function inspectImageForContainer(
   try {
     await watcher.ensureRemoteAuthHeaders();
     return await watcher.dockerApi.getImage(imageName).inspect();
-  } catch (e: unknown) {
-    throw new Error(`Unable to inspect image for container ${containerId}: ${getErrorMessage(e)}`);
+  } catch (error: unknown) {
+    throw new Error(
+      `Unable to inspect image for container ${containerId}: ${getErrorMessage(error)}`,
+    );
   }
 }
 
@@ -305,31 +338,63 @@ function warnWhenUntrackableImage(
   dockerContainerName: string,
   isSemver: boolean,
   watchDigest: boolean,
+  tagPrecision: TagPrecision,
 ) {
-  if (isSemver || watchDigest) {
+  if (watchDigest) {
     return;
   }
 
-  watcher.ensureLogger();
-  watcher.log.warn(
-    `Image is not a semver and digest watching is disabled so drydock won't report any update for container "${dockerContainerName}". Please review the configuration to enable digest watching for this container or exclude this container from being watched`,
-  );
+  if (isSemver && tagPrecision === 'floating') {
+    watcher.ensureLogger();
+    watcher.log.warn(
+      `Tag for container "${dockerContainerName}" looks like a floating version alias (e.g. v3, 1.4). Digest watching is disabled so in-place updates won't be detected. Set dd.watch.digest=true or use a full semver tag (e.g. 1.4.5)`,
+    );
+    return;
+  }
+
+  if (!isSemver) {
+    watcher.ensureLogger();
+    watcher.log.warn(
+      `Image is not a semver and digest watching is disabled so drydock won't report any update for container "${dockerContainerName}". Please review the configuration to enable digest watching for this container or exclude this container from being watched`,
+    );
+  }
 }
 
 function removeStaleContainerEntriesWithSameName(
-  watcherName: string,
+  watcher: DockerImageDetailsWatcher,
   containerToReturn: Container,
 ) {
   if (typeof containerToReturn.name !== 'string' || containerToReturn.name === '') {
     return;
   }
 
-  const containersWithSameName = storeContainer.getContainers({
-    watcher: watcherName,
-    name: containerToReturn.name,
-  });
+  const containersWithSameName = storeContainer.getContainers({ name: containerToReturn.name });
+  const watcherRegistryState = registry.getState().watcher;
+  const currentWatcherSourceKey = getDockerWatcherSourceKey(watcher);
+  const currentWatcherAgent = watcher.agent;
+
   containersWithSameName
     .filter((staleContainer) => staleContainer.id !== containerToReturn.id)
+    .filter((staleContainer) => staleContainer.agent === currentWatcherAgent)
+    .filter((staleContainer) => {
+      if (staleContainer.watcher === watcher.name) {
+        return true;
+      }
+
+      if (typeof staleContainer.watcher !== 'string' || staleContainer.watcher === '') {
+        return false;
+      }
+      const staleWatcherId = getDockerWatcherRegistryId(
+        staleContainer.watcher,
+        staleContainer.agent,
+      );
+      const staleWatcher = watcherRegistryState[staleWatcherId];
+      if (!isDockerWatcher(staleWatcher)) {
+        return false;
+      }
+
+      return getDockerWatcherSourceKey(staleWatcher) === currentWatcherSourceKey;
+    })
     .forEach((staleContainer) => storeContainer.deleteContainer(staleContainer.id));
 }
 
@@ -345,6 +410,14 @@ export async function addImageDetailsToContainerOrchestration(
   const containerId = container.Id;
   const containerLabels: Record<string, string> = container.Labels || {};
   const dockerContainerName = getContainerName(container);
+
+  // Podman pod infra containers have an empty Image field — skip them
+  // to avoid broken API paths like /images//json that trigger 301 crashes
+  // in docker-modem's redirect handler (see GitHub issue #182).
+  if (!container.Image) {
+    return undefined;
+  }
+
   const runtimeDetailsFromSummary = getRuntimeDetailsFromContainerSummary(container);
 
   // Is container already in store? Refresh volatile image fields, then return it
@@ -361,7 +434,7 @@ export async function addImageDetailsToContainerOrchestration(
 
   const image = await inspectImageForContainer(watcher, containerId, container.Image);
 
-  const parsedImage = helpers.resolveImageName(container.Image, image);
+  const parsedImage = helpers.resolveImageName(container.Image, image, dockerContainerName);
   if (!parsedImage) {
     return undefined;
   }
@@ -391,15 +464,23 @@ export async function addImageDetailsToContainerOrchestration(
     containerId,
   );
 
-  const isSemver = parseSemver(transformTag(resolvedConfig.transformTags, tagName)) != null;
-  const watchDigest = isDigestToWatch(resolvedConfig.watchDigest, parsedImage, isSemver);
+  const transformedTag = transformTag(resolvedConfig.transformTags, tagName);
+  const parsedTag = parseSemver(transformedTag);
+  const isSemver = parsedTag != null;
+  const tagPrecision = classifyTagPrecision(tagName, resolvedConfig.transformTags, parsedTag);
+  const watchDigest = isDigestToWatch(
+    resolvedConfig.watchDigest,
+    parsedImage,
+    isSemver,
+    tagPrecision,
+  );
   const repoDigest = getRepoDigest(image);
   const runtimeDetails = await resolveRuntimeDetailsForDiscoveredContainer(
     watcher,
     containerId,
     runtimeDetailsFromSummary,
   );
-  warnWhenUntrackableImage(watcher, dockerContainerName, isSemver, watchDigest);
+  warnWhenUntrackableImage(watcher, dockerContainerName, isSemver, watchDigest, tagPrecision);
 
   const containerToReturn = helpers.normalizeContainer({
     id: containerId,
@@ -430,6 +511,7 @@ export async function addImageDetailsToContainerOrchestration(
       tag: {
         value: tagName,
         semver: isSemver,
+        tagPrecision,
       },
       digest: {
         watch: watchDigest,
@@ -442,6 +524,12 @@ export async function addImageDetailsToContainerOrchestration(
       created: image.Created,
     },
     labels: containerLabels,
+    sourceRepo: detectSourceRepoFromImageMetadata({
+      containerLabels,
+      imageLabels: image.Config?.Labels,
+      imageRegistryDomain: parsedImage.domain,
+      imagePath: parsedImage.path,
+    }),
     details: runtimeDetails,
     result: {
       tag: tagName,
@@ -449,7 +537,12 @@ export async function addImageDetailsToContainerOrchestration(
     updateAvailable: false,
     updateKind: { kind: 'unknown' },
   } as Container);
-  removeStaleContainerEntriesWithSameName(watcher.name, containerToReturn);
+  removeStaleContainerEntriesWithSameName(watcher, containerToReturn);
 
   return containerToReturn;
 }
+
+export {
+  classifyTagPrecision as testable_classifyTagPrecision,
+  getNumericTagShape as testable_getNumericTagShape,
+};
diff --git a/app/watchers/providers/docker/docker-remote-auth.test.ts b/app/watchers/providers/docker/docker-remote-auth.test.ts
index 2117674ca..96bebcc4c 100644
--- a/app/watchers/providers/docker/docker-remote-auth.test.ts
+++ b/app/watchers/providers/docker/docker-remote-auth.test.ts
@@ -8,6 +8,8 @@ const {
   mockInitializeRemoteOidcStateFromConfiguration,
   mockIsRemoteOidcTokenRefreshRequired,
   mockRefreshRemoteOidcAccessToken,
+  mockProbeSocketApiVersion,
+  mockDisableSocketRedirects,
 } = vi.hoisted(() => ({
   mockDockerodeCtor: vi.fn(),
   mockReadFileSync: vi.fn(),
@@ -16,6 +18,8 @@ const {
   mockInitializeRemoteOidcStateFromConfiguration: vi.fn(),
   mockIsRemoteOidcTokenRefreshRequired: vi.fn(() => false),
   mockRefreshRemoteOidcAccessToken: vi.fn(),
+  mockProbeSocketApiVersion: vi.fn<(socketPath: string) => Promise<string | undefined>>(),
+  mockDisableSocketRedirects: vi.fn(),
 }));
 
 vi.mock('dockerode', () => ({
@@ -42,6 +46,14 @@ vi.mock('./oidc.js', () => ({
   refreshRemoteOidcAccessToken: mockRefreshRemoteOidcAccessToken,
 }));
 
+vi.mock('./disable-socket-redirects.js', () => ({
+  disableSocketRedirects: mockDisableSocketRedirects,
+}));
+
+vi.mock('./socket-version-probe.js', () => ({
+  probeSocketApiVersion: mockProbeSocketApiVersion,
+}));
+
 import {
   applyRemoteAuthHeadersForWatcher,
   ensureRemoteAuthHeadersForWatcher,
@@ -96,9 +108,10 @@ describe('docker remote auth module', () => {
     mockGetErrorMessage.mockImplementation((_: unknown, fallback: string) => fallback);
     mockIsRemoteOidcTokenRefreshRequired.mockReturnValue(false);
     mockRefreshRemoteOidcAccessToken.mockResolvedValue(undefined);
+    mockProbeSocketApiVersion.mockResolvedValue(undefined);
   });
 
-  test('initWatcherWithRemoteAuth initializes local socket watcher', () => {
+  test('initWatcherWithRemoteAuth initializes local socket watcher', async () => {
     const dockerApi = { modem: { headers: {} } };
     mockDockerodeCtor.mockImplementation(function DockerodeMock() {
       return dockerApi;
@@ -111,17 +124,44 @@ describe('docker remote auth module', () => {
       },
     });
 
-    initWatcherWithRemoteAuth(watcher as any);
+    await initWatcherWithRemoteAuth(watcher as any);
 
+    expect(mockProbeSocketApiVersion).toHaveBeenCalledWith('/var/run/docker.sock');
     expect(mockDockerodeCtor).toHaveBeenCalledWith({
       socketPath: '/var/run/docker.sock',
     });
+    expect(mockDisableSocketRedirects).toHaveBeenCalledWith(dockerApi);
     expect(watcher.applyRemoteAuthHeaders).not.toHaveBeenCalled();
     expect(watcher.remoteAuthBlockedReason).toBeUndefined();
     expect(watcher.dockerApi).toBe(dockerApi);
   });
 
-  test('initWatcherWithRemoteAuth loads TLS files and applies headers for remote watcher', () => {
+  test('initWatcherWithRemoteAuth pins API version when probe succeeds', async () => {
+    const dockerApi = { modem: { headers: {} } };
+    mockDockerodeCtor.mockImplementation(function DockerodeMock() {
+      return dockerApi;
+    });
+    mockProbeSocketApiVersion.mockResolvedValue('1.44');
+
+    const watcher = createWatcher({
+      configuration: {
+        socket: '/run/podman/podman.sock',
+        port: 0,
+      },
+    });
+
+    await initWatcherWithRemoteAuth(watcher as any);
+
+    expect(mockProbeSocketApiVersion).toHaveBeenCalledWith('/run/podman/podman.sock');
+    expect(mockDockerodeCtor).toHaveBeenCalledWith({
+      socketPath: '/run/podman/podman.sock',
+      version: 'v1.44',
+    });
+    expect(mockDisableSocketRedirects).toHaveBeenCalledWith(dockerApi);
+    expect(watcher.dockerApi).toBe(dockerApi);
+  });
+
+  test('initWatcherWithRemoteAuth loads TLS files and applies headers for remote watcher', async () => {
     const dockerApi = { modem: { headers: {} } };
     mockDockerodeCtor.mockImplementation(function DockerodeMock() {
       return dockerApi;
@@ -143,7 +183,7 @@ describe('docker remote auth module', () => {
       },
     });
 
-    initWatcherWithRemoteAuth(watcher as any);
+    await initWatcherWithRemoteAuth(watcher as any);
 
     expect(mockResolveConfiguredPath).toHaveBeenCalledWith('ca.pem', {
       label: 'watcher remote-watcher CA file path',
@@ -178,7 +218,27 @@ describe('docker remote auth module', () => {
     expect(watcher.dockerApi).toBe(dockerApi);
   });
 
-  test('initWatcherWithRemoteAuth blocks remote watcher auth when header application fails', () => {
+  test('initWatcherWithRemoteAuth does not probe version or disable redirects for remote host watchers', async () => {
+    mockDockerodeCtor.mockImplementation(function DockerodeMock() {
+      return { modem: { headers: {} } };
+    });
+
+    const watcher = createWatcher({
+      configuration: {
+        host: 'docker-api.example.com',
+        socket: '/var/run/docker.sock',
+        port: 443,
+        protocol: 'https',
+      },
+    });
+
+    await initWatcherWithRemoteAuth(watcher as any);
+
+    expect(mockProbeSocketApiVersion).not.toHaveBeenCalled();
+    expect(mockDisableSocketRedirects).not.toHaveBeenCalled();
+  });
+
+  test('initWatcherWithRemoteAuth blocks remote watcher auth when header application fails', async () => {
     mockDockerodeCtor.mockImplementation(function DockerodeMock() {
       return { modem: { headers: {} } };
     });
@@ -195,7 +255,7 @@ describe('docker remote auth module', () => {
       }),
     });
 
-    initWatcherWithRemoteAuth(watcher as any);
+    await initWatcherWithRemoteAuth(watcher as any);
 
     expect(mockGetErrorMessage).toHaveBeenCalledWith(
       expect.any(Error),
diff --git a/app/watchers/providers/docker/docker-remote-auth.ts b/app/watchers/providers/docker/docker-remote-auth.ts
index 6e8bf9c1c..bc7c839ab 100644
--- a/app/watchers/providers/docker/docker-remote-auth.ts
+++ b/app/watchers/providers/docker/docker-remote-auth.ts
@@ -1,12 +1,19 @@
 import fs from 'node:fs';
 import Dockerode from 'dockerode';
 import { resolveConfiguredPath } from '../../../runtime/paths.js';
+import { disableSocketRedirects } from './disable-socket-redirects.js';
 import { getErrorMessage } from './docker-helpers.js';
+import type { MutableOidcState, OidcContext, OidcRemoteAuthConfiguration } from './oidc.js';
 import {
   initializeRemoteOidcStateFromConfiguration,
   isRemoteOidcTokenRefreshRequired,
   refreshRemoteOidcAccessToken,
 } from './oidc.js';
+import { probeSocketApiVersion } from './socket-version-probe.js';
+
+type DockerRemoteAuthConfiguration = OidcRemoteAuthConfiguration & {
+  insecure?: boolean;
+};
 
 interface DockerRemoteAuthWatcher {
   name: string;
@@ -17,17 +24,17 @@ interface DockerRemoteAuthWatcher {
     host?: string;
     socket: string;
     port: number;
-    protocol?: 'http' | 'https' | 'ssh';
+    protocol?: 'http' | 'https';
     cafile?: string;
     certfile?: string;
     keyfile?: string;
-    auth?: any;
+    auth?: DockerRemoteAuthConfiguration;
   };
   log: {
     warn: (message: string) => void;
   };
   applyRemoteAuthHeaders: (options: Dockerode.DockerOptions) => void;
-  getRemoteAuthResolution: (auth: any) => {
+  getRemoteAuthResolution: (auth: OidcRemoteAuthConfiguration | undefined) => {
     authType: string;
     hasBearer: boolean;
     hasBasic: boolean;
@@ -35,12 +42,12 @@ interface DockerRemoteAuthWatcher {
   };
   isHttpsRemoteWatcher: (options: Dockerode.DockerOptions) => boolean;
   handleRemoteAuthFailure: (message: string) => void;
-  getOidcContext: () => any;
-  getOidcStateAdapter: () => any;
+  getOidcContext: () => OidcContext;
+  getOidcStateAdapter: () => MutableOidcState;
   setRemoteAuthorizationHeader: (authorizationValue: string) => void;
 }
 
-export function initWatcherWithRemoteAuth(watcher: DockerRemoteAuthWatcher): void {
+export async function initWatcherWithRemoteAuth(watcher: DockerRemoteAuthWatcher): Promise<void> {
   const options: Dockerode.DockerOptions = {};
   watcher.remoteAuthBlockedReason = undefined;
   if (watcher.configuration.host) {
@@ -72,7 +79,7 @@ export function initWatcherWithRemoteAuth(watcher: DockerRemoteAuthWatcher): voi
     }
     try {
       watcher.applyRemoteAuthHeaders(options);
-    } catch (e: any) {
+    } catch (e: unknown) {
       const authFailureMessage = getErrorMessage(
         e,
         `Unable to authenticate remote watcher ${watcher.name}`,
@@ -84,8 +91,20 @@ export function initWatcherWithRemoteAuth(watcher: DockerRemoteAuthWatcher): voi
     }
   } else {
     options.socketPath = watcher.configuration.socket;
+    // Pin the daemon's API version so all requests use versioned paths
+    // (e.g. /v1.44/images/…).  This prevents Podman's Docker-compat
+    // layer from returning 301 redirects for unversioned endpoints,
+    // which triggers a crash in docker-modem's redirect handler
+    // (getaddrinfo EAI_AGAIN — see GitHub issue #182).
+    const apiVersion = await probeSocketApiVersion(watcher.configuration.socket);
+    if (apiVersion) {
+      options.version = `v${apiVersion}`;
+    }
   }
   watcher.dockerApi = new Dockerode(options);
+  if (!watcher.configuration.host) {
+    disableSocketRedirects(watcher.dockerApi);
+  }
 }
 
 export async function ensureRemoteAuthHeadersForWatcher(
diff --git a/app/watchers/providers/docker/image-comparison.ts b/app/watchers/providers/docker/image-comparison.ts
new file mode 100644
index 000000000..c9f2af3af
--- /dev/null
+++ b/app/watchers/providers/docker/image-comparison.ts
@@ -0,0 +1,155 @@
+import log from '../../../log/index.js';
+import {
+  type Container,
+  type ContainerResult,
+  fullName,
+  validate as validateContainer,
+} from '../../../model/container.js';
+import type Registry from '../../../registries/Registry.js';
+import * as registry from '../../../registry/index.js';
+import { suggest as suggestTag } from '../../../tag/suggest.js';
+import { getErrorMessage } from '../../../util/error.js';
+import { getImageForRegistryLookup } from './docker-helpers.js';
+import { getTagCandidates } from './tag-candidates.js';
+
+export interface ContainerTagLookupProvider {
+  getTags: (image: Container['image']) => Promise<string[]>;
+  getImageManifestDigest: (
+    image: Container['image'],
+    digest?: string,
+  ) => Promise<{
+    digest?: string;
+    created?: string;
+    version?: number;
+  }>;
+  getImagePublishedAt?: (image: Container['image'], tag?: string) => Promise<string | undefined>;
+}
+
+export interface ContainerWatchLogger {
+  error: (message: string) => void;
+  warn: (message: string) => void;
+  debug: (message: string) => void;
+}
+
+function getRegistries(): Record<string, Registry> {
+  return registry.getState().registry;
+}
+
+export function normalizeContainer(container: Container) {
+  const containerWithNormalizedImage = structuredClone(container);
+  const imageForMatching = getImageForRegistryLookup(containerWithNormalizedImage.image);
+  const registryProvider = Object.values(getRegistries()).find((provider) =>
+    provider.match(imageForMatching),
+  );
+  if (registryProvider) {
+    containerWithNormalizedImage.image = registryProvider.normalizeImage(imageForMatching);
+    containerWithNormalizedImage.image.registry.name = registryProvider.getId();
+  } else {
+    log.warn(`${fullName(container)} - No Registry Provider found`);
+    containerWithNormalizedImage.image.registry.name = 'unknown';
+  }
+  return validateContainer(containerWithNormalizedImage);
+}
+
+/** Get the Docker Registry by name. */
+function getRegistry(registryName: string): Registry {
+  const registryToReturn = getRegistries()[registryName];
+  if (!registryToReturn) {
+    throw new Error(`Unsupported Registry ${registryName}`);
+  }
+  return registryToReturn;
+}
+
+/**
+ * Resolve remote digest information when digest watching is enabled.
+ * Updates `container.image.digest.value` and populates digest/created on `result`.
+ */
+async function handleDigestWatch(
+  container: Container,
+  registryProvider: ContainerTagLookupProvider,
+  tagsCandidates: string[],
+  result: ContainerResult,
+) {
+  const imageToGetDigestFrom = structuredClone(container.image);
+  if (tagsCandidates.length > 0) {
+    [imageToGetDigestFrom.tag.value] = tagsCandidates;
+  }
+
+  const remoteDigest = await registryProvider.getImageManifestDigest(imageToGetDigestFrom);
+
+  result.digest = remoteDigest.digest;
+  result.created = remoteDigest.created;
+
+  if (remoteDigest.version === 2) {
+    const digestV2 = await registryProvider.getImageManifestDigest(
+      imageToGetDigestFrom,
+      container.image.digest.repo,
+    );
+    container.image.digest.value = digestV2.digest;
+  } else {
+    container.image.digest.value = container.image.digest.repo;
+  }
+}
+
+export async function findNewVersion(
+  container: Container,
+  logContainer: ContainerWatchLogger,
+): Promise<ContainerResult> {
+  let registryProvider: ContainerTagLookupProvider;
+  try {
+    registryProvider = getRegistry(container.image.registry.name);
+  } catch {
+    logContainer.error(`Unsupported registry (${container.image.registry.name})`);
+    return { tag: container.image.tag.value };
+  }
+
+  const result: ContainerResult = { tag: container.image.tag.value };
+
+  // Digest-only images have no tag to compare — skip version checking entirely
+  const currentTag = container.image.tag.value;
+  if (currentTag.startsWith('sha256:') || currentTag === 'unknown') {
+    logContainer.debug('Digest-only image — no tag available for version comparison');
+    result.noUpdateReason = 'Running by digest — no tag to compare';
+    return result;
+  }
+
+  // Get all available tags
+  const tags = await registryProvider.getTags(container.image);
+
+  // Get candidate tags (based on tag name)
+  const { tags: tagsCandidates, noUpdateReason } = getTagCandidates(container, tags, logContainer);
+  if (noUpdateReason) {
+    result.noUpdateReason = noUpdateReason;
+  }
+
+  const suggestedTag = suggestTag(container, tags, logContainer);
+  if (suggestedTag !== null) {
+    result.suggestedTag = suggestedTag;
+  }
+
+  // Must watch digest? => Find local/remote digests on registry
+  if (container.image.digest.watch && container.image.digest.repo) {
+    await handleDigestWatch(container, registryProvider, tagsCandidates, result);
+  }
+
+  // The first one in the array is the highest
+  if (tagsCandidates && tagsCandidates.length > 0) {
+    [result.tag] = tagsCandidates;
+  }
+
+  const publishedTag = result.tag || container.image.tag.value;
+  try {
+    if (typeof registryProvider.getImagePublishedAt === 'function') {
+      const publishedAt = await registryProvider.getImagePublishedAt(container.image, publishedTag);
+      if (typeof publishedAt === 'string') {
+        result.publishedAt = publishedAt;
+      }
+    }
+  } catch (error: unknown) {
+    if (typeof logContainer.debug === 'function') {
+      logContainer.debug(`Remote publish date lookup failed (${getErrorMessage(error)})`);
+    }
+  }
+
+  return result;
+}
diff --git a/app/watchers/providers/docker/label.ts b/app/watchers/providers/docker/label.ts
index fe2dbe18a..96eaab004 100644
--- a/app/watchers/providers/docker/label.ts
+++ b/app/watchers/providers/docker/label.ts
@@ -76,15 +76,24 @@ export const wudDisplayIcon = 'wud.display.icon';
 /**
  * Optional list of triggers to include
  */
+export const ddActionInclude = 'dd.action.include';
+export const ddNotificationInclude = 'dd.notification.include';
 export const ddTriggerInclude = 'dd.trigger.include';
 export const wudTriggerInclude = 'wud.trigger.include';
 
 /**
  * Optional list of triggers to exclude
  */
+export const ddActionExclude = 'dd.action.exclude';
+export const ddNotificationExclude = 'dd.notification.exclude';
 export const ddTriggerExclude = 'dd.trigger.exclude';
 export const wudTriggerExclude = 'wud.trigger.exclude';
 
+/**
+ * Optional source repository override used for release-notes lookup.
+ */
+export const ddSourceRepo = 'dd.source.repo';
+
 /**
  * Optional group name for container grouping / stack views.
  */
diff --git a/app/watchers/providers/docker/maintenance.ts b/app/watchers/providers/docker/maintenance.ts
index ce4507d78..453cc38a9 100644
--- a/app/watchers/providers/docker/maintenance.ts
+++ b/app/watchers/providers/docker/maintenance.ts
@@ -1,5 +1,16 @@
 import cron from 'node-cron';
 
+interface MaintenanceWindowTask {
+  timeMatcher: {
+    match: (date: Date) => boolean;
+    getNextMatch: (fromDate: Date) => unknown;
+  };
+}
+
+function createMaintenanceWindowTask(cronExpr: string, tz: string): MaintenanceWindowTask {
+  return cron.createTask(cronExpr, () => {}, { timezone: tz }) as unknown as MaintenanceWindowTask;
+}
+
 /**
  * Check if the current time falls within a maintenance window defined by a cron expression.
  * The cron expression defines WHEN updates are ALLOWED (the maintenance window).
@@ -14,7 +25,7 @@ export function isInMaintenanceWindow(cronExpr: string, tz: string = 'UTC'): boo
     return false;
   }
 
-  const task = cron.createTask(cronExpr, () => {}, { timezone: tz }) as any;
+  const task = createMaintenanceWindowTask(cronExpr, tz);
 
   // node-cron's timeMatcher.match() checks seconds too; for 5-field cron
   // the seconds expression defaults to [0], so we normalize to second 0
@@ -44,7 +55,7 @@ export function getNextMaintenanceWindow(
   }
 
   try {
-    const task = cron.createTask(cronExpr, () => {}, { timezone: tz }) as any;
+    const task = createMaintenanceWindowTask(cronExpr, tz);
     const nextMatch = task.timeMatcher.getNextMatch(fromDate);
     return nextMatch instanceof Date ? nextMatch : undefined;
   } catch {
diff --git a/app/watchers/providers/docker/oidc.ts b/app/watchers/providers/docker/oidc.ts
index 7c6461ee9..93ee1733a 100644
--- a/app/watchers/providers/docker/oidc.ts
+++ b/app/watchers/providers/docker/oidc.ts
@@ -562,7 +562,7 @@ export function buildDeviceCodeTokenRequest(
 
 /**
  * Handle an error response during device-code token polling.
- * Returns an object indicating whether to continue polling and any
+ * Returns an object indicating whether to continue polling and an optional
  * adjustment to the poll interval, or throws on fatal errors.
  */
 export function handleTokenErrorResponse(
diff --git a/app/watchers/providers/docker/podman-redirect-guard.integration.test.ts b/app/watchers/providers/docker/podman-redirect-guard.integration.test.ts
new file mode 100644
index 000000000..ab8ed4a67
--- /dev/null
+++ b/app/watchers/providers/docker/podman-redirect-guard.integration.test.ts
@@ -0,0 +1,261 @@
+/**
+ * Integration test: proves that version pinning + redirect guard
+ * prevent docker-modem's EAI_AGAIN crash when a daemon (e.g. Podman)
+ * returns HTTP 301 for image inspect over a unix socket.
+ *
+ * Uses a real Dockerode instance against a mock unix socket server
+ * that simulates Podman's redirect behavior.
+ */
+import http from 'node:http';
+import Dockerode from 'dockerode';
+import { afterEach, describe, expect, test } from 'vitest';
+import { disableSocketRedirects } from './disable-socket-redirects.js';
+import { probeSocketApiVersion } from './socket-version-probe.js';
+
+function createMockSocket(handler: (req: http.IncomingMessage, res: http.ServerResponse) => void): {
+  socketPath: string;
+  server: http.Server;
+} {
+  const socketPath = `/tmp/drydock-integration-${Date.now()}-${Math.random().toString(36).slice(2)}.sock`;
+  const server = http.createServer(handler);
+  return { socketPath, server };
+}
+
+function listenOnSocket(server: http.Server, socketPath: string): Promise<void> {
+  return new Promise((resolve) => {
+    server.listen(socketPath, () => resolve());
+  });
+}
+
+function closeServer(server: http.Server): Promise<void> {
+  return new Promise((resolve) => {
+    server.close(() => resolve());
+  });
+}
+
+function requestOverSocket(
+  socketPath: string,
+  path: string,
+): Promise<{ statusCode: number; body: string }> {
+  return new Promise((resolve, reject) => {
+    const req = http.request(
+      {
+        socketPath,
+        path,
+        method: 'GET',
+      },
+      (res) => {
+        let body = '';
+        res.setEncoding('utf8');
+        res.on('data', (chunk) => {
+          body += chunk;
+        });
+        res.on('end', () => {
+          resolve({
+            statusCode: res.statusCode ?? 0,
+            body,
+          });
+        });
+      },
+    );
+    req.on('error', reject);
+    req.end();
+  });
+}
+
+/**
+ * Simulates a Podman-like daemon that:
+ * - Serves /version with ApiVersion
+ * - Returns 301 for unversioned /images/<id>/json (redirecting to versioned path)
+ * - Serves versioned /v1.44/images/<id>/json with 200
+ * - Serves /containers/json with 200
+ */
+function podmanHandler(req: http.IncomingMessage, res: http.ServerResponse): void {
+  const url = req.url ?? '';
+
+  if (url === '/version' || url === '/v1.44/version') {
+    res.writeHead(200, { 'Content-Type': 'application/json' });
+    res.end(
+      JSON.stringify({
+        ApiVersion: '1.44',
+        MinAPIVersion: '1.24',
+        Version: '27.5.1',
+      }),
+    );
+    return;
+  }
+
+  // Unversioned image inspect → 301 redirect (the Podman behavior that triggers the crash)
+  if (url.startsWith('/images/') && !url.startsWith('/v')) {
+    res.writeHead(301, { Location: `/v1.44${url}` });
+    res.end();
+    return;
+  }
+
+  // Empty image name → double slash → 301 (Podman pod infra containers)
+  if (url === '/v1.44/images//json' || url === '/images//json') {
+    res.writeHead(301, { Location: '/v1.44/images/json' });
+    res.end();
+    return;
+  }
+
+  // Versioned image inspect → 200
+  if (url.startsWith('/v1.44/images/') && url.endsWith('/json')) {
+    res.writeHead(200, { 'Content-Type': 'application/json' });
+    res.end(
+      JSON.stringify({
+        Id: 'sha256:abc123',
+        RepoTags: ['nginx:latest'],
+        RepoDigests: ['nginx@sha256:def456'],
+        Architecture: 'amd64',
+        Os: 'linux',
+      }),
+    );
+    return;
+  }
+
+  // Versioned container listing → 200
+  if (url.startsWith('/v1.44/containers/json') || url.startsWith('/containers/json')) {
+    res.writeHead(200, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify([]));
+    return;
+  }
+
+  res.writeHead(404, { 'Content-Type': 'text/plain; charset=utf-8' });
+  res.end('Not found');
+}
+
+describe('Podman redirect guard integration', () => {
+  const servers: http.Server[] = [];
+
+  afterEach(async () => {
+    for (const server of servers) {
+      await closeServer(server);
+    }
+    servers.length = 0;
+  });
+
+  test('version probe extracts ApiVersion from mock Podman socket', async () => {
+    const { socketPath, server } = createMockSocket(podmanHandler);
+    servers.push(server);
+    await listenOnSocket(server, socketPath);
+
+    const version = await probeSocketApiVersion(socketPath);
+
+    expect(version).toBe('1.44');
+  });
+
+  test('404 handler does not reflect request URL in response body', async () => {
+    const { socketPath, server } = createMockSocket(podmanHandler);
+    servers.push(server);
+    await listenOnSocket(server, socketPath);
+
+    const response = await requestOverSocket(socketPath, '/missing?<script>alert(1)</script>');
+
+    expect(response.statusCode).toBe(404);
+    expect(response.body).toBe('Not found');
+  });
+
+  test('version-pinned Dockerode uses versioned paths that bypass 301 redirects', async () => {
+    const { socketPath, server } = createMockSocket(podmanHandler);
+    servers.push(server);
+    await listenOnSocket(server, socketPath);
+
+    const apiVersion = await probeSocketApiVersion(socketPath);
+    const docker = new Dockerode({ socketPath, version: `v${apiVersion}` });
+    disableSocketRedirects(docker);
+
+    // This should hit /v1.44/images/nginx:latest/json → 200 (no redirect)
+    const image = await docker.getImage('nginx:latest').inspect();
+
+    expect(image.Id).toBe('sha256:abc123');
+    expect(image.RepoTags).toEqual(['nginx:latest']);
+  });
+
+  test('redirect guard prevents EAI_AGAIN crash when 301 slips through', async () => {
+    // Simulate a daemon that ALWAYS redirects, even versioned paths
+    const alwaysRedirectHandler = (req: http.IncomingMessage, res: http.ServerResponse) => {
+      const url = req.url ?? '';
+
+      if (url === '/version') {
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ ApiVersion: '1.44' }));
+        return;
+      }
+
+      // Always redirect image inspect (simulates worst case)
+      if (url.includes('/images/')) {
+        res.writeHead(301, { Location: `/redirected${url}` });
+        res.end();
+        return;
+      }
+
+      res.writeHead(404);
+      res.end();
+    };
+
+    const { socketPath, server } = createMockSocket(alwaysRedirectHandler);
+    servers.push(server);
+    await listenOnSocket(server, socketPath);
+
+    const docker = new Dockerode({ socketPath, version: 'v1.44' });
+    disableSocketRedirects(docker);
+
+    // With the redirect guard, this should reject with a clean error
+    // (either "Max redirects exceeded" or "(HTTP code 301) unexpected")
+    // but NOT crash the process with EAI_AGAIN
+    await expect(docker.getImage('test').inspect()).rejects.toThrow();
+  });
+
+  test('without redirect guard, unversioned request to redirecting daemon would hit broken code path', async () => {
+    // This test verifies our mock correctly returns 301 for unversioned paths
+    const requestLog: { url: string; statusCode: number }[] = [];
+    const loggingHandler = (req: http.IncomingMessage, res: http.ServerResponse) => {
+      const url = req.url ?? '';
+
+      if (url.startsWith('/images/') && !url.startsWith('/v')) {
+        requestLog.push({ url, statusCode: 301 });
+        res.writeHead(301, { Location: `/v1.44${url}` });
+        res.end();
+        return;
+      }
+
+      if (url.startsWith('/v1.44/images/')) {
+        requestLog.push({ url, statusCode: 200 });
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ Id: 'sha256:abc123' }));
+        return;
+      }
+
+      res.writeHead(404);
+      res.end();
+    };
+
+    const { socketPath, server } = createMockSocket(loggingHandler);
+    servers.push(server);
+    await listenOnSocket(server, socketPath);
+
+    // Use a version-pinned + guarded Dockerode — should skip the 301
+    const docker = new Dockerode({ socketPath, version: 'v1.44' });
+    disableSocketRedirects(docker);
+
+    const image = await docker.getImage('test-image').inspect();
+
+    expect(image.Id).toBe('sha256:abc123');
+    // The request should have gone directly to the versioned path
+    expect(requestLog).toEqual([{ url: '/v1.44/images/test-image/json', statusCode: 200 }]);
+  });
+
+  test('empty image name triggers 301 but redirect guard catches it cleanly', async () => {
+    const { socketPath, server } = createMockSocket(podmanHandler);
+    servers.push(server);
+    await listenOnSocket(server, socketPath);
+
+    const docker = new Dockerode({ socketPath, version: 'v1.44' });
+    disableSocketRedirects(docker);
+
+    // Empty image name → /v1.44/images//json → 301 from mock
+    // Redirect guard prevents EAI_AGAIN crash; error is caught cleanly
+    await expect(docker.getImage('').inspect()).rejects.toThrow();
+  });
+});
diff --git a/app/watchers/providers/docker/recent-events.test.ts b/app/watchers/providers/docker/recent-events.test.ts
new file mode 100644
index 000000000..199323bbd
--- /dev/null
+++ b/app/watchers/providers/docker/recent-events.test.ts
@@ -0,0 +1,347 @@
+import { afterEach, beforeEach, describe, expect, test, vi } from 'vitest';
+import Docker from './Docker.js';
+
+const mockDdEnvVars = vi.hoisted(() => ({}) as Record<string, string | undefined>);
+const mockLogger = vi.hoisted(() => ({
+  child: vi.fn(() => ({
+    debug: vi.fn(),
+    error: vi.fn(),
+    info: vi.fn(),
+    warn: vi.fn(),
+  })),
+  debug: vi.fn(),
+  error: vi.fn(),
+  info: vi.fn(),
+  warn: vi.fn(),
+}));
+
+vi.mock('../../../configuration/index.js', async (importOriginal) => ({
+  ...(await importOriginal<typeof import('../../../configuration/index.js')>()),
+  ddEnvVars: mockDdEnvVars,
+}));
+
+vi.mock('../../../event/index.js', () => ({
+  emitContainerReport: vi.fn(),
+  emitContainerReports: vi.fn(),
+  emitWatcherStart: vi.fn(),
+  emitWatcherStop: vi.fn(),
+}));
+
+vi.mock('../../../log/index.js', () => ({
+  default: mockLogger,
+}));
+
+vi.mock('../../../prometheus/watcher.js', () => ({
+  getLoggerInitFailureCounter: vi.fn(() => undefined),
+  getMaintenanceSkipCounter: vi.fn(() => undefined),
+  getWatchContainerGauge: vi.fn(() => undefined),
+}));
+
+vi.mock('../../../registry/index.js', () => ({
+  getState: vi.fn(() => ({
+    agent: {},
+    authentication: {},
+    registry: {},
+    trigger: {},
+    watcher: {},
+  })),
+}));
+
+vi.mock('../../../store/container.js', () => ({
+  deleteContainer: vi.fn(),
+  getContainer: vi.fn(),
+  getContainers: vi.fn(() => []),
+  getContainersRaw: vi.fn(() => []),
+  insertContainer: vi.fn((container: unknown) => container),
+  updateContainer: vi.fn((container: unknown) => container),
+}));
+
+vi.mock('just-debounce', () => ({
+  default: vi.fn((fn: (...args: unknown[]) => unknown) => fn),
+}));
+
+vi.mock('node-cron', () => ({
+  default: { schedule: vi.fn() },
+  schedule: vi.fn(),
+}));
+
+vi.mock('parse-docker-image-name', () => ({
+  default: vi.fn(),
+}));
+
+describe('Docker recent-event helpers', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    vi.useFakeTimers();
+    vi.setSystemTime(new Date('2026-03-18T12:30:00.000Z'));
+  });
+
+  afterEach(() => {
+    vi.useRealTimers();
+  });
+
+  function createDocker() {
+    return new Docker();
+  }
+
+  test('records numeric event timestamps and ignores non-object input', () => {
+    const docker = createDocker();
+
+    (docker as any).recordRecentDockerEvent(null);
+    expect(docker.recentDockerEvents).toEqual([]);
+
+    (docker as any).recordRecentDockerEvent({
+      Actor: { ID: 'actor-1' },
+      Action: 'start',
+      Type: 'container',
+      id: 'container-1',
+      time: 1_700_000_000,
+    });
+    (docker as any).recordRecentDockerEvent({
+      time: 1_700_000_123,
+    });
+    (docker as any).recordRecentDockerEvent({
+      timeNano: 1_700_000_123_456_789_000,
+    });
+
+    expect(docker.recentDockerEvents).toEqual([
+      {
+        actorId: 'actor-1',
+        action: 'start',
+        id: 'container-1',
+        timestamp: new Date(1_700_000_000_000).toISOString(),
+        type: 'container',
+      },
+      {
+        actorId: undefined,
+        action: undefined,
+        id: undefined,
+        timestamp: new Date(1_700_000_123_000).toISOString(),
+        type: undefined,
+      },
+      {
+        actorId: undefined,
+        action: undefined,
+        id: undefined,
+        timestamp: new Date(1_700_000_123_456).toISOString(),
+        type: undefined,
+      },
+    ]);
+  });
+
+  test('defers trimming until array exceeds 2x the configured max', () => {
+    const docker = createDocker();
+    const history = [{ value: 1 }, { value: 2 }];
+
+    (docker as any).appendBoundedHistoryEntry(history, { value: 3 }, 2);
+    expect(history).toHaveLength(3);
+
+    (docker as any).appendBoundedHistoryEntry(history, { value: 4 }, 2);
+    expect(history).toHaveLength(4);
+
+    // At 2x+1 the splice fires, trimming back to maxEntries
+    (docker as any).appendBoundedHistoryEntry(history, { value: 5 }, 2);
+    expect(history).toEqual([{ value: 4 }, { value: 5 }]);
+  });
+
+  test('returns all recent docker events when no sinceMs filter is provided', () => {
+    const docker = createDocker();
+    docker.recentDockerEvents = [
+      {
+        actorId: undefined,
+        action: 'old',
+        id: 'old',
+        timestamp: '2026-03-18T12:00:00.000Z',
+        type: 'container',
+      },
+      {
+        actorId: undefined,
+        action: 'invalid',
+        id: 'invalid',
+        timestamp: 'not-a-date',
+        type: 'container',
+      },
+      {
+        actorId: undefined,
+        action: 'new',
+        id: 'new',
+        timestamp: '2026-03-18T12:45:00.000Z',
+        type: 'container',
+      },
+    ];
+
+    expect(docker.getRecentDockerEvents({ limit: Number.POSITIVE_INFINITY })).toEqual(
+      docker.recentDockerEvents,
+    );
+  });
+
+  test('filters invalid docker event timestamps and honors zero limit', () => {
+    const docker = createDocker();
+    const sinceMs = Date.parse('2026-03-18T12:15:00.000Z');
+    docker.recentDockerEvents = [
+      {
+        actorId: undefined,
+        action: 'old',
+        id: 'old',
+        timestamp: '2026-03-18T12:00:00.000Z',
+        type: 'container',
+      },
+      {
+        actorId: undefined,
+        action: 'invalid',
+        id: 'invalid',
+        timestamp: 'not-a-date',
+        type: 'container',
+      },
+      {
+        actorId: undefined,
+        action: 'new',
+        id: 'new',
+        timestamp: '2026-03-18T12:45:00.000Z',
+        type: 'container',
+      },
+    ];
+
+    expect(docker.getRecentDockerEvents({ limit: 0, sinceMs })).toEqual([
+      {
+        actorId: undefined,
+        action: 'new',
+        id: 'new',
+        timestamp: '2026-03-18T12:45:00.000Z',
+        type: 'container',
+      },
+    ]);
+  });
+
+  test('returns only the requested number of docker events when limit is positive', () => {
+    const docker = createDocker();
+    docker.recentDockerEvents = [
+      {
+        actorId: undefined,
+        action: 'first',
+        id: 'first',
+        timestamp: '2026-03-18T12:00:00.000Z',
+        type: 'container',
+      },
+      {
+        actorId: undefined,
+        action: 'second',
+        id: 'second',
+        timestamp: '2026-03-18T12:01:00.000Z',
+        type: 'container',
+      },
+    ];
+
+    expect(docker.getRecentDockerEvents({ limit: 1 })).toEqual([
+      {
+        actorId: undefined,
+        action: 'second',
+        id: 'second',
+        timestamp: '2026-03-18T12:01:00.000Z',
+        type: 'container',
+      },
+    ]);
+  });
+
+  test('returns all alias filter decisions when no sinceMs filter is provided', () => {
+    const docker = createDocker();
+    docker.recentAliasFilterDecisions = [
+      {
+        containerId: 'old',
+        containerName: 'old',
+        decision: 'allowed',
+        reason: 'not-recreated-alias',
+        timestamp: '2026-03-18T12:00:00.000Z',
+      },
+      {
+        containerId: 'invalid',
+        containerName: 'invalid',
+        decision: 'skipped',
+        reason: 'fresh-recreated-alias',
+        timestamp: 'not-a-date',
+      },
+      {
+        baseName: 'new',
+        containerId: 'new',
+        containerName: 'new',
+        decision: 'allowed',
+        reason: 'alias-allowed-no-collision',
+        timestamp: '2026-03-18T12:45:00.000Z',
+      },
+    ];
+
+    expect(docker.getRecentAliasFilterDecisions({ limit: Number.POSITIVE_INFINITY })).toEqual(
+      docker.recentAliasFilterDecisions,
+    );
+  });
+
+  test('filters invalid alias decision timestamps and honors zero limit', () => {
+    const docker = createDocker();
+    const sinceMs = Date.parse('2026-03-18T12:15:00.000Z');
+    docker.recentAliasFilterDecisions = [
+      {
+        containerId: 'old',
+        containerName: 'old',
+        decision: 'allowed',
+        reason: 'not-recreated-alias',
+        timestamp: '2026-03-18T12:00:00.000Z',
+      },
+      {
+        containerId: 'invalid',
+        containerName: 'invalid',
+        decision: 'skipped',
+        reason: 'fresh-recreated-alias',
+        timestamp: 'not-a-date',
+      },
+      {
+        baseName: 'new',
+        containerId: 'new',
+        containerName: 'new',
+        decision: 'allowed',
+        reason: 'alias-allowed-no-collision',
+        timestamp: '2026-03-18T12:45:00.000Z',
+      },
+    ];
+
+    expect(docker.getRecentAliasFilterDecisions({ limit: 0, sinceMs })).toEqual([
+      {
+        baseName: 'new',
+        containerId: 'new',
+        containerName: 'new',
+        decision: 'allowed',
+        reason: 'alias-allowed-no-collision',
+        timestamp: '2026-03-18T12:45:00.000Z',
+      },
+    ]);
+  });
+
+  test('returns only the requested number of alias decisions when limit is positive', () => {
+    const docker = createDocker();
+    docker.recentAliasFilterDecisions = [
+      {
+        containerId: 'first',
+        containerName: 'first',
+        decision: 'allowed',
+        reason: 'not-recreated-alias',
+        timestamp: '2026-03-18T12:00:00.000Z',
+      },
+      {
+        containerId: 'second',
+        containerName: 'second',
+        decision: 'allowed',
+        reason: 'alias-allowed-no-collision',
+        timestamp: '2026-03-18T12:01:00.000Z',
+      },
+    ];
+
+    expect(docker.getRecentAliasFilterDecisions({ limit: 1 })).toEqual([
+      {
+        containerId: 'second',
+        containerName: 'second',
+        decision: 'allowed',
+        reason: 'alias-allowed-no-collision',
+        timestamp: '2026-03-18T12:01:00.000Z',
+      },
+    ]);
+  });
+});
diff --git a/app/watchers/providers/docker/release-notes-enrichment.test.ts b/app/watchers/providers/docker/release-notes-enrichment.test.ts
new file mode 100644
index 000000000..8769ef413
--- /dev/null
+++ b/app/watchers/providers/docker/release-notes-enrichment.test.ts
@@ -0,0 +1,134 @@
+import type { Container } from '../../../model/container.js';
+import { enrichContainerWithReleaseNotes } from './release-notes-enrichment.js';
+
+const mockResolveSourceRepoForContainer = vi.hoisted(() => vi.fn());
+const mockGetFullReleaseNotesForContainer = vi.hoisted(() => vi.fn());
+const mockToContainerReleaseNotes = vi.hoisted(() => vi.fn((notes) => notes));
+
+vi.mock('../../../release-notes/index.js', () => ({
+  resolveSourceRepoForContainer: (...args: unknown[]) => mockResolveSourceRepoForContainer(...args),
+  getFullReleaseNotesForContainer: (...args: unknown[]) =>
+    mockGetFullReleaseNotesForContainer(...args),
+  toContainerReleaseNotes: (...args: unknown[]) => mockToContainerReleaseNotes(...args),
+}));
+
+function createContainer(overrides: Partial<Container> = {}): Container {
+  return {
+    id: 'container-id',
+    name: 'container-name',
+    displayName: 'container-name',
+    displayIcon: 'mdi:docker',
+    status: 'running',
+    watcher: 'docker',
+    image: {
+      id: 'image-id',
+      registry: {
+        name: 'dockerhub',
+        url: 'docker.io',
+      },
+      name: 'library/nginx',
+      tag: {
+        value: '1.0.0',
+        semver: true,
+      },
+      digest: {
+        watch: false,
+      },
+      architecture: 'amd64',
+      os: 'linux',
+    },
+    updateAvailable: false,
+    updateKind: {
+      kind: 'unknown',
+    },
+    ...overrides,
+  };
+}
+
+describe('release-notes-enrichment', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  test('sets source repo and returns early when result is missing', async () => {
+    mockResolveSourceRepoForContainer.mockResolvedValue('github.com/drydock/example');
+    const container = createContainer({ result: undefined });
+    const logContainer = { debug: vi.fn() };
+
+    await enrichContainerWithReleaseNotes(container, logContainer);
+
+    expect(container.sourceRepo).toBe('github.com/drydock/example');
+    expect(mockGetFullReleaseNotesForContainer).not.toHaveBeenCalled();
+    expect(mockToContainerReleaseNotes).not.toHaveBeenCalled();
+  });
+
+  test('returns early when update is not available', async () => {
+    mockResolveSourceRepoForContainer.mockResolvedValue(undefined);
+    const container = createContainer({
+      result: { tag: '1.2.3' },
+      updateAvailable: false,
+    });
+    const logContainer = { debug: vi.fn() };
+
+    await enrichContainerWithReleaseNotes(container, logContainer);
+
+    expect(mockGetFullReleaseNotesForContainer).not.toHaveBeenCalled();
+    expect(mockToContainerReleaseNotes).not.toHaveBeenCalled();
+  });
+
+  test('returns when release notes are not available', async () => {
+    mockResolveSourceRepoForContainer.mockResolvedValue(undefined);
+    mockGetFullReleaseNotesForContainer.mockResolvedValue(undefined);
+    const container = createContainer({
+      result: { tag: '1.2.3' },
+      updateAvailable: true,
+    });
+    const logContainer = { debug: vi.fn() };
+
+    await enrichContainerWithReleaseNotes(container, logContainer);
+
+    expect(mockGetFullReleaseNotesForContainer).toHaveBeenCalledWith(container);
+    expect(mockToContainerReleaseNotes).not.toHaveBeenCalled();
+  });
+
+  test('attaches mapped release notes when available', async () => {
+    const fullReleaseNotes = {
+      title: 'v1.2.3',
+      body: 'Full body',
+      url: 'https://github.com/drydock/example/releases/tag/v1.2.3',
+      publishedAt: new Date().toISOString(),
+      provider: 'github',
+    } as const;
+    const mappedReleaseNotes = {
+      ...fullReleaseNotes,
+      body: 'Truncated body',
+    };
+
+    mockResolveSourceRepoForContainer.mockResolvedValue(undefined);
+    mockGetFullReleaseNotesForContainer.mockResolvedValue(fullReleaseNotes);
+    mockToContainerReleaseNotes.mockReturnValue(mappedReleaseNotes);
+
+    const container = createContainer({
+      result: { tag: '1.2.3' },
+      updateAvailable: true,
+    });
+    const logContainer = { debug: vi.fn() };
+
+    await enrichContainerWithReleaseNotes(container, logContainer);
+
+    expect(mockToContainerReleaseNotes).toHaveBeenCalledWith(fullReleaseNotes);
+    expect(container.result?.releaseNotes).toEqual(mappedReleaseNotes);
+  });
+
+  test('logs debug when enrichment throws', async () => {
+    mockResolveSourceRepoForContainer.mockRejectedValue(new Error('boom'));
+    const container = createContainer();
+    const logContainer = { debug: vi.fn() };
+
+    await enrichContainerWithReleaseNotes(container, logContainer);
+
+    expect(logContainer.debug).toHaveBeenCalledWith(
+      expect.stringContaining('Unable to fetch release notes (boom)'),
+    );
+  });
+});
diff --git a/app/watchers/providers/docker/release-notes-enrichment.ts b/app/watchers/providers/docker/release-notes-enrichment.ts
new file mode 100644
index 000000000..515ce4009
--- /dev/null
+++ b/app/watchers/providers/docker/release-notes-enrichment.ts
@@ -0,0 +1,36 @@
+import type { Container } from '../../../model/container.js';
+import {
+  getFullReleaseNotesForContainer,
+  resolveSourceRepoForContainer,
+  toContainerReleaseNotes,
+} from '../../../release-notes/index.js';
+import { getErrorMessage } from './docker-helpers.js';
+
+interface ReleaseNotesEnrichmentLogger {
+  debug: (message: string) => void;
+}
+
+export async function enrichContainerWithReleaseNotes(
+  containerWithResult: Container,
+  logContainer: ReleaseNotesEnrichmentLogger,
+) {
+  try {
+    const sourceRepo = await resolveSourceRepoForContainer(containerWithResult);
+    if (sourceRepo) {
+      containerWithResult.sourceRepo = sourceRepo;
+    }
+
+    if (!containerWithResult.result || !containerWithResult.updateAvailable) {
+      return;
+    }
+
+    const fullReleaseNotes = await getFullReleaseNotesForContainer(containerWithResult);
+    if (!fullReleaseNotes) {
+      return;
+    }
+
+    containerWithResult.result.releaseNotes = toContainerReleaseNotes(fullReleaseNotes);
+  } catch (error: unknown) {
+    logContainer.debug(`Unable to fetch release notes (${getErrorMessage(error)})`);
+  }
+}
diff --git a/app/watchers/providers/docker/runtime-details.ts b/app/watchers/providers/docker/runtime-details.ts
index 9e707b1e3..e8aea2813 100644
--- a/app/watchers/providers/docker/runtime-details.ts
+++ b/app/watchers/providers/docker/runtime-details.ts
@@ -1,5 +1,7 @@
 import type { ContainerRuntimeDetails } from '../../../model/container.js';
 
+type UnknownRecord = Record<string, unknown>;
+
 function getEmptyRuntimeDetails(): ContainerRuntimeDetails {
   return {
     ports: [],
@@ -8,6 +10,13 @@ function getEmptyRuntimeDetails(): ContainerRuntimeDetails {
   };
 }
 
+function asUnknownRecord(value: unknown): UnknownRecord | null {
+  if (!value || typeof value !== 'object') {
+    return null;
+  }
+  return value as UnknownRecord;
+}
+
 function isNonEmptyString(value: unknown): value is string {
   return typeof value === 'string' && value.trim() !== '';
 }
@@ -26,14 +35,15 @@ function normalizeRuntimeEnvList(values: unknown): ContainerRuntimeDetails['env'
   const seen = new Set<string>();
   const envList: ContainerRuntimeDetails['env'] = [];
   for (const value of values) {
-    if (!value || typeof value !== 'object') {
+    const envValueCandidate = asUnknownRecord(value);
+    if (!envValueCandidate) {
       continue;
     }
-    const key = isNonEmptyString((value as any).key) ? (value as any).key.trim() : '';
+    const key = isNonEmptyString(envValueCandidate.key) ? envValueCandidate.key.trim() : '';
     if (key === '') {
       continue;
     }
-    const rawEnvValue = (value as any).value;
+    const rawEnvValue = envValueCandidate.value;
     const envValue = typeof rawEnvValue === 'string' ? rawEnvValue : `${rawEnvValue ?? ''}`;
     const dedupeKey = `${key}\u0000${envValue}`;
     if (seen.has(dedupeKey)) {
@@ -46,13 +56,14 @@ function normalizeRuntimeEnvList(values: unknown): ContainerRuntimeDetails['env'
 }
 
 export function normalizeRuntimeDetails(details: unknown): ContainerRuntimeDetails {
-  if (!details || typeof details !== 'object') {
+  const runtimeDetails = asUnknownRecord(details);
+  if (!runtimeDetails) {
     return getEmptyRuntimeDetails();
   }
   return {
-    ports: normalizeRuntimeStringList((details as any).ports),
-    volumes: normalizeRuntimeStringList((details as any).volumes),
-    env: normalizeRuntimeEnvList((details as any).env),
+    ports: normalizeRuntimeStringList(runtimeDetails.ports),
+    volumes: normalizeRuntimeStringList(runtimeDetails.volumes),
+    env: normalizeRuntimeEnvList(runtimeDetails.env),
   };
 }
 
@@ -123,11 +134,12 @@ function formatInspectContainerPortBindings(containerPort: string, bindings: unk
 }
 
 function formatInspectPortBinding(containerPort: string, binding: unknown): string | null {
-  if (!binding || typeof binding !== 'object') {
+  const portBinding = asUnknownRecord(binding);
+  if (!portBinding) {
     return null;
   }
-  const hostIp = typeof (binding as any).HostIp === 'string' ? (binding as any).HostIp : '';
-  const hostPortRaw = (binding as any).HostPort;
+  const hostIp = typeof portBinding.HostIp === 'string' ? portBinding.HostIp : '';
+  const hostPortRaw = portBinding.HostPort;
   const hostPort = hostPortRaw !== undefined && hostPortRaw !== null ? `${hostPortRaw}` : '';
   if (hostPort === '') {
     return containerPort;
@@ -142,21 +154,22 @@ function formatContainerPortsFromSummary(containerPorts: unknown): string[] {
   }
   const formattedPorts: string[] = [];
   for (const port of containerPorts) {
-    if (!port || typeof port !== 'object') {
+    const summaryPort = asUnknownRecord(port);
+    if (!summaryPort) {
       continue;
     }
-    const privatePort = (port as any).PrivatePort;
+    const privatePort = summaryPort.PrivatePort;
     if (privatePort === undefined || privatePort === null) {
       continue;
     }
-    const protocol = isNonEmptyString((port as any).Type) ? (port as any).Type : 'tcp';
+    const protocol = isNonEmptyString(summaryPort.Type) ? summaryPort.Type : 'tcp';
     const containerPort = `${privatePort}/${protocol}`;
-    const publicPort = (port as any).PublicPort;
+    const publicPort = summaryPort.PublicPort;
     if (publicPort === undefined || publicPort === null) {
       formattedPorts.push(containerPort);
       continue;
     }
-    const hostIp = isNonEmptyString((port as any).IP) ? `${(port as any).IP}:` : '';
+    const hostIp = isNonEmptyString(summaryPort.IP) ? `${summaryPort.IP}:` : '';
     formattedPorts.push(`${hostIp}${publicPort}->${containerPort}`);
   }
   return normalizeRuntimeStringList(formattedPorts);
@@ -174,30 +187,31 @@ function formatContainerVolumes(mounts: unknown): string[] {
 }
 
 function formatContainerMountVolume(mount: unknown): string | null {
-  if (!mount || typeof mount !== 'object') {
+  const mountDetails = asUnknownRecord(mount);
+  if (!mountDetails) {
     return null;
   }
-  const source = getContainerMountSource(mount);
-  const destination = getContainerMountDestination(mount);
+  const source = getContainerMountSource(mountDetails);
+  const destination = getContainerMountDestination(mountDetails);
   const baseVolume = formatVolumeBinding(source, destination);
   if (baseVolume === '') {
     return null;
   }
-  return (mount as any).RW === false ? `${baseVolume}:ro` : baseVolume;
+  return mountDetails.RW === false ? `${baseVolume}:ro` : baseVolume;
 }
 
-function getContainerMountSource(mount: unknown): string {
-  if (isNonEmptyString((mount as any).Name)) {
-    return (mount as any).Name.trim();
+function getContainerMountSource(mount: UnknownRecord): string {
+  if (isNonEmptyString(mount.Name)) {
+    return mount.Name.trim();
   }
-  if (isNonEmptyString((mount as any).Source)) {
-    return (mount as any).Source.trim();
+  if (isNonEmptyString(mount.Source)) {
+    return mount.Source.trim();
   }
   return '';
 }
 
-function getContainerMountDestination(mount: unknown): string {
-  return isNonEmptyString((mount as any).Destination) ? (mount as any).Destination.trim() : '';
+function getContainerMountDestination(mount: UnknownRecord): string {
+  return isNonEmptyString(mount.Destination) ? mount.Destination.trim() : '';
 }
 
 function formatVolumeBinding(source: string, destination: string): string {
@@ -230,18 +244,23 @@ function formatContainerEnv(envVars: unknown): ContainerRuntimeDetails['env'] {
   return normalizeRuntimeEnvList(parsedEnv);
 }
 
-export function getRuntimeDetailsFromInspect(containerInspect: any): ContainerRuntimeDetails {
+export function getRuntimeDetailsFromInspect(containerInspect: unknown): ContainerRuntimeDetails {
+  const inspect = asUnknownRecord(containerInspect);
+  const networkSettings = asUnknownRecord(inspect?.NetworkSettings);
+  const config = asUnknownRecord(inspect?.Config);
+
   return {
-    ports: formatContainerPortsFromInspect(containerInspect?.NetworkSettings?.Ports),
-    volumes: formatContainerVolumes(containerInspect?.Mounts),
-    env: formatContainerEnv(containerInspect?.Config?.Env),
+    ports: formatContainerPortsFromInspect(networkSettings?.Ports),
+    volumes: formatContainerVolumes(inspect?.Mounts),
+    env: formatContainerEnv(config?.Env),
   };
 }
 
-export function getRuntimeDetailsFromContainerSummary(container: any): ContainerRuntimeDetails {
+export function getRuntimeDetailsFromContainerSummary(container: unknown): ContainerRuntimeDetails {
+  const containerSummary = asUnknownRecord(container);
   return {
-    ports: formatContainerPortsFromSummary(container?.Ports),
-    volumes: formatContainerVolumes(container?.Mounts),
+    ports: formatContainerPortsFromSummary(containerSummary?.Ports),
+    volumes: formatContainerVolumes(containerSummary?.Mounts),
     env: [],
   };
 }
diff --git a/app/watchers/providers/docker/socket-version-probe.test.ts b/app/watchers/providers/docker/socket-version-probe.test.ts
new file mode 100644
index 000000000..0906e1b7d
--- /dev/null
+++ b/app/watchers/providers/docker/socket-version-probe.test.ts
@@ -0,0 +1,208 @@
+import { EventEmitter } from 'node:events';
+import http from 'node:http';
+import net from 'node:net';
+import { afterEach, describe, expect, test, vi } from 'vitest';
+import { probeSocketApiVersion } from './socket-version-probe.js';
+
+function createFakeSocket(handler: (req: http.IncomingMessage, res: http.ServerResponse) => void): {
+  socketPath: string;
+  server: http.Server;
+} {
+  const socketPath = `/tmp/drydock-test-probe-${Date.now()}-${Math.random().toString(36).slice(2)}.sock`;
+  const server = http.createServer(handler);
+  return { socketPath, server };
+}
+
+function listenOnSocket(server: http.Server, socketPath: string): Promise<void> {
+  return new Promise((resolve) => {
+    server.listen(socketPath, () => resolve());
+  });
+}
+
+function closeServer(server: http.Server): Promise<void> {
+  return new Promise((resolve) => {
+    server.close(() => resolve());
+  });
+}
+
+describe('probeSocketApiVersion', () => {
+  const servers: http.Server[] = [];
+
+  afterEach(async () => {
+    for (const server of servers) {
+      await closeServer(server);
+    }
+    servers.length = 0;
+    vi.restoreAllMocks();
+  });
+
+  test('returns ApiVersion from daemon /version endpoint', async () => {
+    const { socketPath, server } = createFakeSocket((_req, res) => {
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ ApiVersion: '1.44', Version: '27.5.1' }));
+    });
+    servers.push(server);
+    await listenOnSocket(server, socketPath);
+
+    const version = await probeSocketApiVersion(socketPath);
+
+    expect(version).toBe('1.44');
+  });
+
+  test('follows a single redirect and returns the version', async () => {
+    const { socketPath, server } = createFakeSocket((req, res) => {
+      if (req.url === '/version') {
+        res.writeHead(301, { Location: '/v5.0.0/version' });
+        res.end();
+      } else {
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ ApiVersion: '5.0.0' }));
+      }
+    });
+    servers.push(server);
+    await listenOnSocket(server, socketPath);
+
+    const version = await probeSocketApiVersion(socketPath);
+
+    expect(version).toBe('5.0.0');
+  });
+
+  test('returns undefined when socket does not exist', async () => {
+    const version = await probeSocketApiVersion('/tmp/nonexistent-drydock-test.sock');
+
+    expect(version).toBeUndefined();
+  });
+
+  test('returns undefined when daemon returns non-JSON', async () => {
+    const { socketPath, server } = createFakeSocket((_req, res) => {
+      res.writeHead(200, { 'Content-Type': 'text/plain' });
+      res.end('not json');
+    });
+    servers.push(server);
+    await listenOnSocket(server, socketPath);
+
+    const version = await probeSocketApiVersion(socketPath);
+
+    expect(version).toBeUndefined();
+  });
+
+  test('returns undefined when response has no ApiVersion field', async () => {
+    const { socketPath, server } = createFakeSocket((_req, res) => {
+      res.writeHead(200, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ Version: '27.5.1' }));
+    });
+    servers.push(server);
+    await listenOnSocket(server, socketPath);
+
+    const version = await probeSocketApiVersion(socketPath);
+
+    expect(version).toBeUndefined();
+  });
+
+  test('returns undefined when daemon returns 500', async () => {
+    const { socketPath, server } = createFakeSocket((_req, res) => {
+      res.writeHead(500);
+      res.end('Internal Server Error');
+    });
+    servers.push(server);
+    await listenOnSocket(server, socketPath);
+
+    const version = await probeSocketApiVersion(socketPath);
+
+    expect(version).toBeUndefined();
+  });
+
+  test('returns undefined when connection is immediately closed', async () => {
+    const socketPath = `/tmp/drydock-test-probe-close-${Date.now()}.sock`;
+    const server = net.createServer((socket) => {
+      socket.destroy();
+    });
+    servers.push(server as unknown as http.Server);
+    await new Promise<void>((resolve) => {
+      server.listen(socketPath, () => resolve());
+    });
+
+    const version = await probeSocketApiVersion(socketPath);
+
+    expect(version).toBeUndefined();
+  });
+
+  test('returns undefined and destroys the request when the probe times out', async () => {
+    const request = new EventEmitter() as http.ClientRequest;
+    const destroy = vi.fn();
+    const end = vi.fn(() => {
+      request.emit('timeout');
+      return request;
+    });
+
+    Object.assign(request, {
+      destroy,
+      end,
+    });
+
+    vi.spyOn(http, 'request').mockImplementation((_options, _callback) => request);
+
+    const version = await probeSocketApiVersion('/tmp/drydock-test-probe-timeout.sock');
+
+    expect(version).toBeUndefined();
+    expect(destroy).toHaveBeenCalledTimes(1);
+  });
+
+  test('returns undefined when the response stream errors', async () => {
+    const request = new EventEmitter() as http.ClientRequest;
+    const response = new EventEmitter() as http.IncomingMessage;
+    const end = vi.fn(() => {
+      response.statusCode = 200;
+      response.headers = {};
+      response.setEncoding = vi.fn();
+      const requestSpy = vi.mocked(http.request);
+      const responseHandler = requestSpy.mock.calls.at(-1)?.[1] as
+        | ((res: http.IncomingMessage) => void)
+        | undefined;
+      responseHandler?.(response);
+      response.emit('error', new Error('stream failed'));
+      return request;
+    });
+
+    Object.assign(request, {
+      destroy: vi.fn(),
+      end,
+    });
+
+    vi.spyOn(http, 'request').mockImplementation((_options, _callback) => request);
+
+    const version = await probeSocketApiVersion('/tmp/drydock-test-probe-response-error.sock');
+
+    expect(version).toBeUndefined();
+  });
+
+  test('returns undefined and destroys the request when the response body exceeds the probe limit', async () => {
+    const request = new EventEmitter() as http.ClientRequest;
+    const response = new EventEmitter() as http.IncomingMessage;
+    const destroy = vi.fn();
+    const end = vi.fn(() => {
+      response.statusCode = 200;
+      response.headers = {};
+      response.setEncoding = vi.fn();
+      const requestSpy = vi.mocked(http.request);
+      const responseHandler = requestSpy.mock.calls.at(-1)?.[1] as
+        | ((res: http.IncomingMessage) => void)
+        | undefined;
+      responseHandler?.(response);
+      response.emit('data', 'x'.repeat(70 * 1024));
+      return request;
+    });
+
+    Object.assign(request, {
+      destroy,
+      end,
+    });
+
+    vi.spyOn(http, 'request').mockImplementation((_options, _callback) => request);
+
+    const version = await probeSocketApiVersion('/tmp/drydock-test-probe-oversized.sock');
+
+    expect(version).toBeUndefined();
+    expect(destroy).toHaveBeenCalledTimes(1);
+  });
+});
diff --git a/app/watchers/providers/docker/socket-version-probe.ts b/app/watchers/providers/docker/socket-version-probe.ts
new file mode 100644
index 000000000..8f87ad731
--- /dev/null
+++ b/app/watchers/providers/docker/socket-version-probe.ts
@@ -0,0 +1,79 @@
+import http from 'node:http';
+
+const PROBE_TIMEOUT_MS = 5000;
+const MAX_BODY_BYTES = 64 * 1024;
+
+/**
+ * Probe a container daemon's API version over a unix socket.
+ *
+ * Podman's Docker-compatible API redirects unversioned endpoints
+ * (e.g. `/images/…` → `/v5.0.0/images/…`).  docker-modem's built-in
+ * redirect follower cannot handle redirects over unix sockets — it
+ * misparses the Location header and tries to DNS-resolve path segments
+ * as hostnames, crashing the process with `getaddrinfo EAI_AGAIN`.
+ *
+ * By probing `/version` first and pinning Dockerode to the returned
+ * `ApiVersion`, every subsequent request uses a versioned path that
+ * the daemon serves directly — no redirect, no crash.
+ *
+ * The probe uses Node's raw `http.request` (not docker-modem) so it
+ * is immune to the redirect bug.  If the probe itself is redirected
+ * (unlikely for `/version`, but possible), we follow one hop.
+ */
+export function probeSocketApiVersion(socketPath: string): Promise<string | undefined> {
+  return new Promise((resolve) => {
+    function makeRequest(requestPath: string, followedRedirect: boolean): void {
+      const req = http.request(
+        {
+          socketPath,
+          path: requestPath,
+          method: 'GET',
+          timeout: PROBE_TIMEOUT_MS,
+        },
+        (res) => {
+          if (
+            !followedRedirect &&
+            res.statusCode &&
+            res.statusCode >= 300 &&
+            res.statusCode < 400 &&
+            res.headers.location
+          ) {
+            makeRequest(res.headers.location, true);
+            return;
+          }
+
+          let body = '';
+          res.setEncoding('utf8');
+          res.on('data', (chunk: string) => {
+            body += chunk;
+            if (body.length > MAX_BODY_BYTES) {
+              req.destroy();
+              resolve(undefined);
+            }
+          });
+          res.on('end', () => {
+            try {
+              const data = JSON.parse(body);
+              if (data.ApiVersion && typeof data.ApiVersion === 'string') {
+                resolve(data.ApiVersion);
+              } else {
+                resolve(undefined);
+              }
+            } catch {
+              resolve(undefined);
+            }
+          });
+          res.on('error', () => resolve(undefined));
+        },
+      );
+      req.on('error', () => resolve(undefined));
+      req.on('timeout', () => {
+        req.destroy();
+        resolve(undefined);
+      });
+      req.end();
+    }
+
+    makeRequest('/version', false);
+  });
+}
diff --git a/app/watchers/providers/docker/tag-candidates.test.ts b/app/watchers/providers/docker/tag-candidates.test.ts
index c9bf8549d..c5c7fe720 100644
--- a/app/watchers/providers/docker/tag-candidates.test.ts
+++ b/app/watchers/providers/docker/tag-candidates.test.ts
@@ -1,4 +1,5 @@
 import { performance } from 'node:perf_hooks';
+import { RE2JS } from 're2js';
 import { describe, expect, test, vi } from 'vitest';
 
 import {
@@ -49,6 +50,75 @@ describe('docker tag candidates module', () => {
     expect(log.warn).toHaveBeenCalledWith(expect.stringContaining('dd.tag.family=loose'));
   });
 
+  test('allows CalVer tags with zero-padded months through strict family filter (#202)', () => {
+    const container = createContainer({
+      image: {
+        tag: {
+          value: '2025.11.1',
+          semver: true,
+        },
+      },
+      tagFamily: 'strict',
+    });
+    const log = {
+      warn: vi.fn(),
+      debug: vi.fn(),
+    };
+
+    const result = getTagCandidates(
+      container,
+      ['2025.11.1', '2026.02.0', '2026.01.0', '2025.09.3'],
+      log,
+    );
+
+    expect(result.tags).toContain('2026.02.0');
+    expect(result.tags).toContain('2026.01.0');
+    expect(log.warn).not.toHaveBeenCalled();
+  });
+
+  test('allows CalVer upgrade when both reference and candidate have zero-padded segments', () => {
+    const container = createContainer({
+      image: {
+        tag: {
+          value: '2025.01.3',
+          semver: true,
+        },
+      },
+      tagFamily: 'strict',
+    });
+    const log = {
+      warn: vi.fn(),
+      debug: vi.fn(),
+    };
+
+    const result = getTagCandidates(container, ['2025.01.3', '2025.02.0'], log);
+
+    expect(result.tags).toContain('2025.02.0');
+  });
+
+  test('still rejects zero-padded tags for non-CalVer semver in strict mode', () => {
+    const container = createContainer({
+      image: {
+        tag: {
+          value: '5.1.4',
+          semver: true,
+        },
+      },
+      tagFamily: 'strict',
+    });
+    const log = {
+      warn: vi.fn(),
+      debug: vi.fn(),
+    };
+
+    // '20.04.1' has a leading zero in '04' but reference major is 5 (not CalVer).
+    // Should be rejected as a cross-family jump.
+    const result = getTagCandidates(container, ['5.1.4', '20.04.1', '5.1.5'], log);
+
+    expect(result.tags).not.toContain('20.04.1');
+    expect(result.tags).toContain('5.1.5');
+  });
+
   test('allows include-filter recovery for semver image outside include regex', () => {
     const container = createContainer({
       image: {
@@ -143,6 +213,42 @@ describe('docker tag candidates module', () => {
     expect(filtered).toEqual(inputTags);
   });
 
+  test('reports error message from non-Error object with string message property', () => {
+    const compileSpy = vi.spyOn(RE2JS, 'compile').mockImplementation(() => {
+      throw { message: 'custom compile failure' };
+    });
+    const log = { warn: vi.fn(), debug: vi.fn() };
+
+    getTagCandidates(createContainer({ includeTags: 'anything' }), ['1.0.1'], log);
+
+    expect(log.warn).toHaveBeenCalledWith(expect.stringContaining('custom compile failure'));
+    compileSpy.mockRestore();
+  });
+
+  test('falls back to String(error) for thrown non-Error primitive', () => {
+    const compileSpy = vi.spyOn(RE2JS, 'compile').mockImplementation(() => {
+      throw 42;
+    });
+    const log = { warn: vi.fn(), debug: vi.fn() };
+
+    getTagCandidates(createContainer({ includeTags: 'anything' }), ['1.0.1'], log);
+
+    expect(log.warn).toHaveBeenCalledWith(expect.stringContaining('42'));
+    compileSpy.mockRestore();
+  });
+
+  test('stringifies object errors when the message field is not a string', () => {
+    const compileSpy = vi.spyOn(RE2JS, 'compile').mockImplementation(() => {
+      throw { message: { reason: 'custom compile failure' } };
+    });
+    const log = { warn: vi.fn(), debug: vi.fn() };
+
+    getTagCandidates(createContainer({ includeTags: 'anything' }), ['1.0.1'], log);
+
+    expect(log.warn).toHaveBeenCalledWith(expect.stringContaining('[object Object]'));
+    compileSpy.mockRestore();
+  });
+
   test('processes large tag lists within lightweight runtime budget', () => {
     const container = createContainer({
       image: {
diff --git a/app/watchers/providers/docker/tag-candidates.ts b/app/watchers/providers/docker/tag-candidates.ts
index 3a00cf4d0..306e0568c 100644
--- a/app/watchers/providers/docker/tag-candidates.ts
+++ b/app/watchers/providers/docker/tag-candidates.ts
@@ -11,12 +11,30 @@ interface SafeRegex {
   test(s: string): boolean;
 }
 
+interface TagCandidatesLogger {
+  warn(message: string): void;
+  debug?: (message: string) => void;
+}
+
+function getErrorMessage(error: unknown): string {
+  if (error instanceof Error) {
+    return error.message;
+  }
+  if (typeof error === 'object' && error !== null && 'message' in error) {
+    const { message } = error as { message: unknown };
+    if (typeof message === 'string') {
+      return message;
+    }
+  }
+  return String(error);
+}
+
 /**
  * Safely compile a user-supplied regex pattern.
  * Returns null (and logs a warning) when the pattern is invalid.
  * Uses RE2 (via re2js), which is inherently immune to ReDoS backtracking attacks.
  */
-function safeRegExp(pattern: string, logger: any): SafeRegex | null {
+function safeRegExp(pattern: string, logger: TagCandidatesLogger): SafeRegex | null {
   const MAX_PATTERN_LENGTH = 1024;
   if (pattern.length > MAX_PATTERN_LENGTH) {
     logger.warn(`Regex pattern exceeds maximum length of ${MAX_PATTERN_LENGTH} characters`);
@@ -29,8 +47,8 @@ function safeRegExp(pattern: string, logger: any): SafeRegex | null {
         return compiled.matcher(s).find();
       },
     };
-  } catch (e: any) {
-    logger.warn(`Invalid regex pattern "${pattern}": ${e.message}`);
+  } catch (e: unknown) {
+    logger.warn(`Invalid regex pattern "${pattern}": ${getErrorMessage(e)}`);
     return null;
   }
 }
@@ -42,7 +60,7 @@ function safeRegExp(pattern: string, logger: any): SafeRegex | null {
 function applyIncludeExcludeFilters(
   container: Container,
   tags: string[],
-  logContainer: any,
+  logContainer: TagCandidatesLogger,
 ): { filteredTags: string[]; allowIncludeFilterRecovery: boolean } {
   let filteredTags = tags;
   let allowIncludeFilterRecovery = false;
@@ -109,7 +127,7 @@ function hasLeadingZero(value: string): boolean {
   return value.length > 1 && value.startsWith('0');
 }
 
-interface NumericTagShape {
+export interface NumericTagShape {
   prefix: string;
   numericSegments: string[];
   suffix: string;
@@ -147,7 +165,7 @@ function getNumericTagShapeFromTransformedTag(transformedTag: string): NumericTa
   };
 }
 
-function getNumericTagShape(
+export function getNumericTagShape(
   tag: string,
   transformTags: string | undefined,
 ): NumericTagShape | null {
@@ -175,7 +193,10 @@ function isSuffixCompatible(referenceSuffix: string, candidateSuffix: string): b
   );
 }
 
-function getTagFamilyPolicy(container: Container, logContainer: any): TagFamilyPolicy {
+function getTagFamilyPolicy(
+  container: Container,
+  logContainer: TagCandidatesLogger,
+): TagFamilyPolicy {
   if (!container.tagFamily) {
     return 'strict';
   }
@@ -199,10 +220,18 @@ function isStrictFamilyMatch(
     return false;
   }
 
-  return candidateShape.numericSegments.every(
-    (segment, index) =>
-      !(!hasLeadingZero(referenceShape.numericSegments[index]) && hasLeadingZero(segment)),
-  );
+  // For CalVer-style tags (major >= 1000, e.g. 2025.11.1), relax the
+  // leading-zero check so zero-padded months like '02' are accepted.
+  const majorValue = Number.parseInt(referenceShape.numericSegments[0], 10);
+  const isCalVer = !Number.isNaN(majorValue) && majorValue >= 1000;
+
+  return candidateShape.numericSegments.every((segment, index) => {
+    if (!hasLeadingZero(segment)) return true;
+    if (hasLeadingZero(referenceShape.numericSegments[index])) return true;
+    // Candidate has a leading zero but reference doesn't.
+    // Only allow this for CalVer tags where zero-padded months are normal.
+    return isCalVer;
+  });
 }
 
 function hasExpectedPrefix(tag: string, currentPrefix: string): boolean {
@@ -344,7 +373,7 @@ function filterSemverCandidatesOnePass(
 }
 
 function logSemverCandidateFilterStats(
-  logContainer: any,
+  logContainer: TagCandidatesLogger,
   tagFamilyPolicy: TagFamilyPolicy,
   stats: SemverCandidateFilterStats,
 ): void {
@@ -426,7 +455,7 @@ function filterSemverOnly(tags: string[], transformTags: string | undefined): st
 export function getTagCandidates(
   container: Container,
   tags: string[],
-  logContainer: any,
+  logContainer: TagCandidatesLogger,
 ): TagCandidatesResult {
   const { filteredTags: baseTags, allowIncludeFilterRecovery } = applyIncludeExcludeFilters(
     container,
diff --git a/app/watchers/registry-webhook-fresh.test.ts b/app/watchers/registry-webhook-fresh.test.ts
new file mode 100644
index 000000000..e1d8b8b75
--- /dev/null
+++ b/app/watchers/registry-webhook-fresh.test.ts
@@ -0,0 +1,24 @@
+import {
+  _resetRegistryWebhookFreshStateForTests,
+  consumeFreshContainerScheduledPollSkip,
+  markContainerFreshForScheduledPollSkip,
+} from './registry-webhook-fresh.js';
+
+describe('registry-webhook-fresh state', () => {
+  beforeEach(() => {
+    _resetRegistryWebhookFreshStateForTests();
+  });
+
+  test('marks and consumes container freshness exactly once', () => {
+    markContainerFreshForScheduledPollSkip('container-1');
+
+    expect(consumeFreshContainerScheduledPollSkip('container-1')).toBe(true);
+    expect(consumeFreshContainerScheduledPollSkip('container-1')).toBe(false);
+  });
+
+  test('ignores empty container ids', () => {
+    markContainerFreshForScheduledPollSkip('');
+
+    expect(consumeFreshContainerScheduledPollSkip('')).toBe(false);
+  });
+});
diff --git a/app/watchers/registry-webhook-fresh.ts b/app/watchers/registry-webhook-fresh.ts
new file mode 100644
index 000000000..e1ea48c28
--- /dev/null
+++ b/app/watchers/registry-webhook-fresh.ts
@@ -0,0 +1,21 @@
+const freshContainerIds = new Set<string>();
+
+export function markContainerFreshForScheduledPollSkip(containerId: string) {
+  if (typeof containerId !== 'string' || containerId.trim() === '') {
+    return;
+  }
+  freshContainerIds.add(containerId);
+}
+
+export function consumeFreshContainerScheduledPollSkip(containerId: string): boolean {
+  if (!freshContainerIds.has(containerId)) {
+    return false;
+  }
+
+  freshContainerIds.delete(containerId);
+  return true;
+}
+
+export function _resetRegistryWebhookFreshStateForTests() {
+  freshContainerIds.clear();
+}
diff --git a/apps/demo/package-lock.json b/apps/demo/package-lock.json
index 876347aae..630868f09 100644
--- a/apps/demo/package-lock.json
+++ b/apps/demo/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "drydock-demo",
-  "version": "1.4.1",
+  "version": "1.5.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "drydock-demo",
-      "version": "1.4.1",
+      "version": "1.5.0",
       "dependencies": {
         "@fontsource/ibm-plex-mono": "^5.2.7",
         "iconify-icon": "^3.0.2",
@@ -69,9 +69,9 @@
       }
     },
     "node_modules/@babel/parser": {
-      "version": "7.29.0",
-      "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.0.tgz",
-      "integrity": "sha512-IyDgFV5GeDUVX4YdF/3CPULtVGSXXMLh1xVIgdCgxApktqnQV0r7/8Nqthg+8YLGaAtdyIlo2qIdZrbCv4+7ww==",
+      "version": "7.29.2",
+      "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.2.tgz",
+      "integrity": "sha512-4GgRzy/+fsBa72/RZVJmGKPmZu9Byn8o4MoLpmNe1m8ZfYnz5emHLQz3U4gLud6Zwl0RZIcgiLD7Uq7ySFuDLA==",
       "license": "MIT",
       "dependencies": {
         "@babel/types": "^7.29.0"
@@ -97,9 +97,9 @@
       }
     },
     "node_modules/@esbuild/aix-ppc64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.3.tgz",
-      "integrity": "sha512-9fJMTNFTWZMh5qwrBItuziu834eOCUcEqymSH7pY+zoMVEZg3gcPuBNxH1EvfVYe9h0x/Ptw8KBzv7qxb7l8dg==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.4.tgz",
+      "integrity": "sha512-cQPwL2mp2nSmHHJlCyoXgHGhbEPMrEEU5xhkcy3Hs/O7nGZqEpZ2sUtLaL9MORLtDfRvVl2/3PAuEkYZH0Ty8Q==",
       "cpu": [
         "ppc64"
       ],
@@ -114,9 +114,9 @@
       }
     },
     "node_modules/@esbuild/android-arm": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.27.3.tgz",
-      "integrity": "sha512-i5D1hPY7GIQmXlXhs2w8AWHhenb00+GxjxRncS2ZM7YNVGNfaMxgzSGuO8o8SJzRc/oZwU2bcScvVERk03QhzA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.27.4.tgz",
+      "integrity": "sha512-X9bUgvxiC8CHAGKYufLIHGXPJWnr0OCdR0anD2e21vdvgCI8lIfqFbnoeOz7lBjdrAGUhqLZLcQo6MLhTO2DKQ==",
       "cpu": [
         "arm"
       ],
@@ -131,9 +131,9 @@
       }
     },
     "node_modules/@esbuild/android-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.27.3.tgz",
-      "integrity": "sha512-YdghPYUmj/FX2SYKJ0OZxf+iaKgMsKHVPF1MAq/P8WirnSpCStzKJFjOjzsW0QQ7oIAiccHdcqjbHmJxRb/dmg==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.27.4.tgz",
+      "integrity": "sha512-gdLscB7v75wRfu7QSm/zg6Rx29VLdy9eTr2t44sfTW7CxwAtQghZ4ZnqHk3/ogz7xao0QAgrkradbBzcqFPasw==",
       "cpu": [
         "arm64"
       ],
@@ -148,9 +148,9 @@
       }
     },
     "node_modules/@esbuild/android-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.27.3.tgz",
-      "integrity": "sha512-IN/0BNTkHtk8lkOM8JWAYFg4ORxBkZQf9zXiEOfERX/CzxW3Vg1ewAhU7QSWQpVIzTW+b8Xy+lGzdYXV6UZObQ==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.27.4.tgz",
+      "integrity": "sha512-PzPFnBNVF292sfpfhiyiXCGSn9HZg5BcAz+ivBuSsl6Rk4ga1oEXAamhOXRFyMcjwr2DVtm40G65N3GLeH1Lvw==",
       "cpu": [
         "x64"
       ],
@@ -165,9 +165,9 @@
       }
     },
     "node_modules/@esbuild/darwin-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.27.3.tgz",
-      "integrity": "sha512-Re491k7ByTVRy0t3EKWajdLIr0gz2kKKfzafkth4Q8A5n1xTHrkqZgLLjFEHVD+AXdUGgQMq+Godfq45mGpCKg==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.27.4.tgz",
+      "integrity": "sha512-b7xaGIwdJlht8ZFCvMkpDN6uiSmnxxK56N2GDTMYPr2/gzvfdQN8rTfBsvVKmIVY/X7EM+/hJKEIbbHs9oA4tQ==",
       "cpu": [
         "arm64"
       ],
@@ -182,9 +182,9 @@
       }
     },
     "node_modules/@esbuild/darwin-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.27.3.tgz",
-      "integrity": "sha512-vHk/hA7/1AckjGzRqi6wbo+jaShzRowYip6rt6q7VYEDX4LEy1pZfDpdxCBnGtl+A5zq8iXDcyuxwtv3hNtHFg==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.27.4.tgz",
+      "integrity": "sha512-sR+OiKLwd15nmCdqpXMnuJ9W2kpy0KigzqScqHI3Hqwr7IXxBp3Yva+yJwoqh7rE8V77tdoheRYataNKL4QrPw==",
       "cpu": [
         "x64"
       ],
@@ -199,9 +199,9 @@
       }
     },
     "node_modules/@esbuild/freebsd-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.3.tgz",
-      "integrity": "sha512-ipTYM2fjt3kQAYOvo6vcxJx3nBYAzPjgTCk7QEgZG8AUO3ydUhvelmhrbOheMnGOlaSFUoHXB6un+A7q4ygY9w==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.4.tgz",
+      "integrity": "sha512-jnfpKe+p79tCnm4GVav68A7tUFeKQwQyLgESwEAUzyxk/TJr4QdGog9sqWNcUbr/bZt/O/HXouspuQDd9JxFSw==",
       "cpu": [
         "arm64"
       ],
@@ -216,9 +216,9 @@
       }
     },
     "node_modules/@esbuild/freebsd-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.27.3.tgz",
-      "integrity": "sha512-dDk0X87T7mI6U3K9VjWtHOXqwAMJBNN2r7bejDsc+j03SEjtD9HrOl8gVFByeM0aJksoUuUVU9TBaZa2rgj0oA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.27.4.tgz",
+      "integrity": "sha512-2kb4ceA/CpfUrIcTUl1wrP/9ad9Atrp5J94Lq69w7UwOMolPIGrfLSvAKJp0RTvkPPyn6CIWrNy13kyLikZRZQ==",
       "cpu": [
         "x64"
       ],
@@ -233,9 +233,9 @@
       }
     },
     "node_modules/@esbuild/linux-arm": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.27.3.tgz",
-      "integrity": "sha512-s6nPv2QkSupJwLYyfS+gwdirm0ukyTFNl3KTgZEAiJDd+iHZcbTPPcWCcRYH+WlNbwChgH2QkE9NSlNrMT8Gfw==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.27.4.tgz",
+      "integrity": "sha512-aBYgcIxX/wd5n2ys0yESGeYMGF+pv6g0DhZr3G1ZG4jMfruU9Tl1i2Z+Wnj9/KjGz1lTLCcorqE2viePZqj4Eg==",
       "cpu": [
         "arm"
       ],
@@ -250,9 +250,9 @@
       }
     },
     "node_modules/@esbuild/linux-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.27.3.tgz",
-      "integrity": "sha512-sZOuFz/xWnZ4KH3YfFrKCf1WyPZHakVzTiqji3WDc0BCl2kBwiJLCXpzLzUBLgmp4veFZdvN5ChW4Eq/8Fc2Fg==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.27.4.tgz",
+      "integrity": "sha512-7nQOttdzVGth1iz57kxg9uCz57dxQLHWxopL6mYuYthohPKEK0vU0C3O21CcBK6KDlkYVcnDXY099HcCDXd9dA==",
       "cpu": [
         "arm64"
       ],
@@ -267,9 +267,9 @@
       }
     },
     "node_modules/@esbuild/linux-ia32": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.27.3.tgz",
-      "integrity": "sha512-yGlQYjdxtLdh0a3jHjuwOrxQjOZYD/C9PfdbgJJF3TIZWnm/tMd/RcNiLngiu4iwcBAOezdnSLAwQDPqTmtTYg==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.27.4.tgz",
+      "integrity": "sha512-oPtixtAIzgvzYcKBQM/qZ3R+9TEUd1aNJQu0HhGyqtx6oS7qTpvjheIWBbes4+qu1bNlo2V4cbkISr8q6gRBFA==",
       "cpu": [
         "ia32"
       ],
@@ -284,9 +284,9 @@
       }
     },
     "node_modules/@esbuild/linux-loong64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.27.3.tgz",
-      "integrity": "sha512-WO60Sn8ly3gtzhyjATDgieJNet/KqsDlX5nRC5Y3oTFcS1l0KWba+SEa9Ja1GfDqSF1z6hif/SkpQJbL63cgOA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.27.4.tgz",
+      "integrity": "sha512-8mL/vh8qeCoRcFH2nM8wm5uJP+ZcVYGGayMavi8GmRJjuI3g1v6Z7Ni0JJKAJW+m0EtUuARb6Lmp4hMjzCBWzA==",
       "cpu": [
         "loong64"
       ],
@@ -301,9 +301,9 @@
       }
     },
     "node_modules/@esbuild/linux-mips64el": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.27.3.tgz",
-      "integrity": "sha512-APsymYA6sGcZ4pD6k+UxbDjOFSvPWyZhjaiPyl/f79xKxwTnrn5QUnXR5prvetuaSMsb4jgeHewIDCIWljrSxw==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.27.4.tgz",
+      "integrity": "sha512-1RdrWFFiiLIW7LQq9Q2NES+HiD4NyT8Itj9AUeCl0IVCA459WnPhREKgwrpaIfTOe+/2rdntisegiPWn/r/aAw==",
       "cpu": [
         "mips64el"
       ],
@@ -318,9 +318,9 @@
       }
     },
     "node_modules/@esbuild/linux-ppc64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.27.3.tgz",
-      "integrity": "sha512-eizBnTeBefojtDb9nSh4vvVQ3V9Qf9Df01PfawPcRzJH4gFSgrObw+LveUyDoKU3kxi5+9RJTCWlj4FjYXVPEA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.27.4.tgz",
+      "integrity": "sha512-tLCwNG47l3sd9lpfyx9LAGEGItCUeRCWeAx6x2Jmbav65nAwoPXfewtAdtbtit/pJFLUWOhpv0FpS6GQAmPrHA==",
       "cpu": [
         "ppc64"
       ],
@@ -335,9 +335,9 @@
       }
     },
     "node_modules/@esbuild/linux-riscv64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.27.3.tgz",
-      "integrity": "sha512-3Emwh0r5wmfm3ssTWRQSyVhbOHvqegUDRd0WhmXKX2mkHJe1SFCMJhagUleMq+Uci34wLSipf8Lagt4LlpRFWQ==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.27.4.tgz",
+      "integrity": "sha512-BnASypppbUWyqjd1KIpU4AUBiIhVr6YlHx/cnPgqEkNoVOhHg+YiSVxM1RLfiy4t9cAulbRGTNCKOcqHrEQLIw==",
       "cpu": [
         "riscv64"
       ],
@@ -352,9 +352,9 @@
       }
     },
     "node_modules/@esbuild/linux-s390x": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.27.3.tgz",
-      "integrity": "sha512-pBHUx9LzXWBc7MFIEEL0yD/ZVtNgLytvx60gES28GcWMqil8ElCYR4kvbV2BDqsHOvVDRrOxGySBM9Fcv744hw==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.27.4.tgz",
+      "integrity": "sha512-+eUqgb/Z7vxVLezG8bVB9SfBie89gMueS+I0xYh2tJdw3vqA/0ImZJ2ROeWwVJN59ihBeZ7Tu92dF/5dy5FttA==",
       "cpu": [
         "s390x"
       ],
@@ -369,9 +369,9 @@
       }
     },
     "node_modules/@esbuild/linux-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.27.3.tgz",
-      "integrity": "sha512-Czi8yzXUWIQYAtL/2y6vogER8pvcsOsk5cpwL4Gk5nJqH5UZiVByIY8Eorm5R13gq+DQKYg0+JyQoytLQas4dA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.27.4.tgz",
+      "integrity": "sha512-S5qOXrKV8BQEzJPVxAwnryi2+Iq5pB40gTEIT69BQONqR7JH1EPIcQ/Uiv9mCnn05jff9umq/5nqzxlqTOg9NA==",
       "cpu": [
         "x64"
       ],
@@ -386,9 +386,9 @@
       }
     },
     "node_modules/@esbuild/netbsd-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.3.tgz",
-      "integrity": "sha512-sDpk0RgmTCR/5HguIZa9n9u+HVKf40fbEUt+iTzSnCaGvY9kFP0YKBWZtJaraonFnqef5SlJ8/TiPAxzyS+UoA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.4.tgz",
+      "integrity": "sha512-xHT8X4sb0GS8qTqiwzHqpY00C95DPAq7nAwX35Ie/s+LO9830hrMd3oX0ZMKLvy7vsonee73x0lmcdOVXFzd6Q==",
       "cpu": [
         "arm64"
       ],
@@ -403,9 +403,9 @@
       }
     },
     "node_modules/@esbuild/netbsd-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.27.3.tgz",
-      "integrity": "sha512-P14lFKJl/DdaE00LItAukUdZO5iqNH7+PjoBm+fLQjtxfcfFE20Xf5CrLsmZdq5LFFZzb5JMZ9grUwvtVYzjiA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.27.4.tgz",
+      "integrity": "sha512-RugOvOdXfdyi5Tyv40kgQnI0byv66BFgAqjdgtAKqHoZTbTF2QqfQrFwa7cHEORJf6X2ht+l9ABLMP0dnKYsgg==",
       "cpu": [
         "x64"
       ],
@@ -420,9 +420,9 @@
       }
     },
     "node_modules/@esbuild/openbsd-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.3.tgz",
-      "integrity": "sha512-AIcMP77AvirGbRl/UZFTq5hjXK+2wC7qFRGoHSDrZ5v5b8DK/GYpXW3CPRL53NkvDqb9D+alBiC/dV0Fb7eJcw==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.4.tgz",
+      "integrity": "sha512-2MyL3IAaTX+1/qP0O1SwskwcwCoOI4kV2IBX1xYnDDqthmq5ArrW94qSIKCAuRraMgPOmG0RDTA74mzYNQA9ow==",
       "cpu": [
         "arm64"
       ],
@@ -437,9 +437,9 @@
       }
     },
     "node_modules/@esbuild/openbsd-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.27.3.tgz",
-      "integrity": "sha512-DnW2sRrBzA+YnE70LKqnM3P+z8vehfJWHXECbwBmH/CU51z6FiqTQTHFenPlHmo3a8UgpLyH3PT+87OViOh1AQ==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.27.4.tgz",
+      "integrity": "sha512-u8fg/jQ5aQDfsnIV6+KwLOf1CmJnfu1ShpwqdwC0uA7ZPwFws55Ngc12vBdeUdnuWoQYx/SOQLGDcdlfXhYmXQ==",
       "cpu": [
         "x64"
       ],
@@ -454,9 +454,9 @@
       }
     },
     "node_modules/@esbuild/openharmony-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.3.tgz",
-      "integrity": "sha512-NinAEgr/etERPTsZJ7aEZQvvg/A6IsZG/LgZy+81wON2huV7SrK3e63dU0XhyZP4RKGyTm7aOgmQk0bGp0fy2g==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.4.tgz",
+      "integrity": "sha512-JkTZrl6VbyO8lDQO3yv26nNr2RM2yZzNrNHEsj9bm6dOwwu9OYN28CjzZkH57bh4w0I2F7IodpQvUAEd1mbWXg==",
       "cpu": [
         "arm64"
       ],
@@ -471,9 +471,9 @@
       }
     },
     "node_modules/@esbuild/sunos-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.27.3.tgz",
-      "integrity": "sha512-PanZ+nEz+eWoBJ8/f8HKxTTD172SKwdXebZ0ndd953gt1HRBbhMsaNqjTyYLGLPdoWHy4zLU7bDVJztF5f3BHA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.27.4.tgz",
+      "integrity": "sha512-/gOzgaewZJfeJTlsWhvUEmUG4tWEY2Spp5M20INYRg2ZKl9QPO3QEEgPeRtLjEWSW8FilRNacPOg8R1uaYkA6g==",
       "cpu": [
         "x64"
       ],
@@ -488,9 +488,9 @@
       }
     },
     "node_modules/@esbuild/win32-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.27.3.tgz",
-      "integrity": "sha512-B2t59lWWYrbRDw/tjiWOuzSsFh1Y/E95ofKz7rIVYSQkUYBjfSgf6oeYPNWHToFRr2zx52JKApIcAS/D5TUBnA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.27.4.tgz",
+      "integrity": "sha512-Z9SExBg2y32smoDQdf1HRwHRt6vAHLXcxD2uGgO/v2jK7Y718Ix4ndsbNMU/+1Qiem9OiOdaqitioZwxivhXYg==",
       "cpu": [
         "arm64"
       ],
@@ -505,9 +505,9 @@
       }
     },
     "node_modules/@esbuild/win32-ia32": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.3.tgz",
-      "integrity": "sha512-QLKSFeXNS8+tHW7tZpMtjlNb7HKau0QDpwm49u0vUp9y1WOF+PEzkU84y9GqYaAVW8aH8f3GcBck26jh54cX4Q==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.4.tgz",
+      "integrity": "sha512-DAyGLS0Jz5G5iixEbMHi5KdiApqHBWMGzTtMiJ72ZOLhbu/bzxgAe8Ue8CTS3n3HbIUHQz/L51yMdGMeoxXNJw==",
       "cpu": [
         "ia32"
       ],
@@ -522,9 +522,9 @@
       }
     },
     "node_modules/@esbuild/win32-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.27.3.tgz",
-      "integrity": "sha512-4uJGhsxuptu3OcpVAzli+/gWusVGwZZHTlS63hh++ehExkVT8SgiEf7/uC/PclrPPkLhZqGgCTjd0VWLo6xMqA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.27.4.tgz",
+      "integrity": "sha512-+knoa0BDoeXgkNvvV1vvbZX4+hizelrkwmGJBdT17t8FNPwG2lKemmuMZlmaNQ3ws3DKKCxpb4zRZEIp3UxFCg==",
       "cpu": [
         "x64"
       ],
@@ -628,9 +628,9 @@
       }
     },
     "node_modules/@iconify-json/lucide": {
-      "version": "1.2.98",
-      "resolved": "https://registry.npmjs.org/@iconify-json/lucide/-/lucide-1.2.98.tgz",
-      "integrity": "sha512-Lx2464W8Tty/QEnZ2UPb73nPdML/HpGCj0J0w37jP3/jx3l4fniZBjDxe1TgHiIL5XW9QO3vlx53ZQZ5JsNpzQ==",
+      "version": "1.2.99",
+      "resolved": "https://registry.npmjs.org/@iconify-json/lucide/-/lucide-1.2.99.tgz",
+      "integrity": "sha512-XE2Pg8uax2uN3ZbvvnO0C5ADgZOyUgEPiwnhD/xrJwz/bfpWwL3mbDwxntEWB2G1mwo2OqKMF50/jp6ia2QzKw==",
       "dev": true,
       "license": "ISC",
       "dependencies": {
@@ -648,9 +648,9 @@
       }
     },
     "node_modules/@iconify-json/tabler": {
-      "version": "1.2.31",
-      "resolved": "https://registry.npmjs.org/@iconify-json/tabler/-/tabler-1.2.31.tgz",
-      "integrity": "sha512-Jfcw5TpGhfKKWyz1dGk7e79zIgDmpMKNYL0bjt17sURBPifAxowQcWAzcEhuiWU7FGXUM2NT6UhvACFZp7Hnjw==",
+      "version": "1.2.32",
+      "resolved": "https://registry.npmjs.org/@iconify-json/tabler/-/tabler-1.2.32.tgz",
+      "integrity": "sha512-0UlpROc9X0VrqJLeE87o3JLsQauHMhj82GnH9TkPaymhBeS9wPB3NOqxQyzw+MHgPL08uVSggwfkTaoRfhQ+RQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -838,9 +838,9 @@
       "license": "MIT"
     },
     "node_modules/@rollup/rollup-android-arm-eabi": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.59.0.tgz",
-      "integrity": "sha512-upnNBkA6ZH2VKGcBj9Fyl9IGNPULcjXRlg0LLeaioQWueH30p6IXtJEbKAgvyv+mJaMxSm1l6xwDXYjpEMiLMg==",
+      "version": "4.60.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.60.0.tgz",
+      "integrity": "sha512-WOhNW9K8bR3kf4zLxbfg6Pxu2ybOUbB2AjMDHSQx86LIF4rH4Ft7vmMwNt0loO0eonglSNy4cpD3MKXXKQu0/A==",
       "cpu": [
         "arm"
       ],
@@ -852,9 +852,9 @@
       ]
     },
     "node_modules/@rollup/rollup-android-arm64": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.59.0.tgz",
-      "integrity": "sha512-hZ+Zxj3SySm4A/DylsDKZAeVg0mvi++0PYVceVyX7hemkw7OreKdCvW2oQ3T1FMZvCaQXqOTHb8qmBShoqk69Q==",
+      "version": "4.60.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.60.0.tgz",
+      "integrity": "sha512-u6JHLll5QKRvjciE78bQXDmqRqNs5M/3GVqZeMwvmjaNODJih/WIrJlFVEihvV0MiYFmd+ZyPr9wxOVbPAG2Iw==",
       "cpu": [
         "arm64"
       ],
@@ -866,9 +866,9 @@
       ]
     },
     "node_modules/@rollup/rollup-darwin-arm64": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.59.0.tgz",
-      "integrity": "sha512-W2Psnbh1J8ZJw0xKAd8zdNgF9HRLkdWwwdWqubSVk0pUuQkoHnv7rx4GiF9rT4t5DIZGAsConRE3AxCdJ4m8rg==",
+      "version": "4.60.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.60.0.tgz",
+      "integrity": "sha512-qEF7CsKKzSRc20Ciu2Zw1wRrBz4g56F7r/vRwY430UPp/nt1x21Q/fpJ9N5l47WWvJlkNCPJz3QRVw008fi7yA==",
       "cpu": [
         "arm64"
       ],
@@ -880,9 +880,9 @@
       ]
     },
     "node_modules/@rollup/rollup-darwin-x64": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.59.0.tgz",
-      "integrity": "sha512-ZW2KkwlS4lwTv7ZVsYDiARfFCnSGhzYPdiOU4IM2fDbL+QGlyAbjgSFuqNRbSthybLbIJ915UtZBtmuLrQAT/w==",
+      "version": "4.60.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.60.0.tgz",
+      "integrity": "sha512-WADYozJ4QCnXCH4wPB+3FuGmDPoFseVCUrANmA5LWwGmC6FL14BWC7pcq+FstOZv3baGX65tZ378uT6WG8ynTw==",
       "cpu": [
         "x64"
       ],
@@ -894,9 +894,9 @@
       ]
     },
     "node_modules/@rollup/rollup-freebsd-arm64": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-arm64/-/rollup-freebsd-arm64-4.59.0.tgz",
-      "integrity": "sha512-EsKaJ5ytAu9jI3lonzn3BgG8iRBjV4LxZexygcQbpiU0wU0ATxhNVEpXKfUa0pS05gTcSDMKpn3Sx+QB9RlTTA==",
+      "version": "4.60.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-arm64/-/rollup-freebsd-arm64-4.60.0.tgz",
+      "integrity": "sha512-6b8wGHJlDrGeSE3aH5mGNHBjA0TTkxdoNHik5EkvPHCt351XnigA4pS7Wsj/Eo9Y8RBU6f35cjN9SYmCFBtzxw==",
       "cpu": [
         "arm64"
       ],
@@ -908,9 +908,9 @@
       ]
     },
     "node_modules/@rollup/rollup-freebsd-x64": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-x64/-/rollup-freebsd-x64-4.59.0.tgz",
-      "integrity": "sha512-d3DuZi2KzTMjImrxoHIAODUZYoUUMsuUiY4SRRcJy6NJoZ6iIqWnJu9IScV9jXysyGMVuW+KNzZvBLOcpdl3Vg==",
+      "version": "4.60.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-x64/-/rollup-freebsd-x64-4.60.0.tgz",
+      "integrity": "sha512-h25Ga0t4jaylMB8M/JKAyrvvfxGRjnPQIR8lnCayyzEjEOx2EJIlIiMbhpWxDRKGKF8jbNH01NnN663dH638mA==",
       "cpu": [
         "x64"
       ],
@@ -922,9 +922,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-arm-gnueabihf": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.59.0.tgz",
-      "integrity": "sha512-t4ONHboXi/3E0rT6OZl1pKbl2Vgxf9vJfWgmUoCEVQVxhW6Cw/c8I6hbbu7DAvgp82RKiH7TpLwxnJeKv2pbsw==",
+      "version": "4.60.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.60.0.tgz",
+      "integrity": "sha512-RzeBwv0B3qtVBWtcuABtSuCzToo2IEAIQrcyB/b2zMvBWVbjo8bZDjACUpnaafaxhTw2W+imQbP2BD1usasK4g==",
       "cpu": [
         "arm"
       ],
@@ -936,9 +936,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-arm-musleabihf": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-musleabihf/-/rollup-linux-arm-musleabihf-4.59.0.tgz",
-      "integrity": "sha512-CikFT7aYPA2ufMD086cVORBYGHffBo4K8MQ4uPS/ZnY54GKj36i196u8U+aDVT2LX4eSMbyHtyOh7D7Zvk2VvA==",
+      "version": "4.60.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-musleabihf/-/rollup-linux-arm-musleabihf-4.60.0.tgz",
+      "integrity": "sha512-Sf7zusNI2CIU1HLzuu9Tc5YGAHEZs5Lu7N1ssJG4Tkw6e0MEsN7NdjUDDfGNHy2IU+ENyWT+L2obgWiguWibWQ==",
       "cpu": [
         "arm"
       ],
@@ -950,9 +950,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-arm64-gnu": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.59.0.tgz",
-      "integrity": "sha512-jYgUGk5aLd1nUb1CtQ8E+t5JhLc9x5WdBKew9ZgAXg7DBk0ZHErLHdXM24rfX+bKrFe+Xp5YuJo54I5HFjGDAA==",
+      "version": "4.60.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.60.0.tgz",
+      "integrity": "sha512-DX2x7CMcrJzsE91q7/O02IJQ5/aLkVtYFryqCjduJhUfGKG6yJV8hxaw8pZa93lLEpPTP/ohdN4wFz7yp/ry9A==",
       "cpu": [
         "arm64"
       ],
@@ -964,9 +964,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-arm64-musl": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.59.0.tgz",
-      "integrity": "sha512-peZRVEdnFWZ5Bh2KeumKG9ty7aCXzzEsHShOZEFiCQlDEepP1dpUl/SrUNXNg13UmZl+gzVDPsiCwnV1uI0RUA==",
+      "version": "4.60.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.60.0.tgz",
+      "integrity": "sha512-09EL+yFVbJZlhcQfShpswwRZ0Rg+z/CsSELFCnPt3iK+iqwGsI4zht3secj5vLEs957QvFFXnzAT0FFPIxSrkQ==",
       "cpu": [
         "arm64"
       ],
@@ -978,9 +978,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-loong64-gnu": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-gnu/-/rollup-linux-loong64-gnu-4.59.0.tgz",
-      "integrity": "sha512-gbUSW/97f7+r4gHy3Jlup8zDG190AuodsWnNiXErp9mT90iCy9NKKU0Xwx5k8VlRAIV2uU9CsMnEFg/xXaOfXg==",
+      "version": "4.60.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-gnu/-/rollup-linux-loong64-gnu-4.60.0.tgz",
+      "integrity": "sha512-i9IcCMPr3EXm8EQg5jnja0Zyc1iFxJjZWlb4wr7U2Wx/GrddOuEafxRdMPRYVaXjgbhvqalp6np07hN1w9kAKw==",
       "cpu": [
         "loong64"
       ],
@@ -992,9 +992,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-loong64-musl": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-musl/-/rollup-linux-loong64-musl-4.59.0.tgz",
-      "integrity": "sha512-yTRONe79E+o0FWFijasoTjtzG9EBedFXJMl888NBEDCDV9I2wGbFFfJQQe63OijbFCUZqxpHz1GzpbtSFikJ4Q==",
+      "version": "4.60.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-musl/-/rollup-linux-loong64-musl-4.60.0.tgz",
+      "integrity": "sha512-DGzdJK9kyJ+B78MCkWeGnpXJ91tK/iKA6HwHxF4TAlPIY7GXEvMe8hBFRgdrR9Ly4qebR/7gfUs9y2IoaVEyog==",
       "cpu": [
         "loong64"
       ],
@@ -1006,9 +1006,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-ppc64-gnu": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-gnu/-/rollup-linux-ppc64-gnu-4.59.0.tgz",
-      "integrity": "sha512-sw1o3tfyk12k3OEpRddF68a1unZ5VCN7zoTNtSn2KndUE+ea3m3ROOKRCZxEpmT9nsGnogpFP9x6mnLTCaoLkA==",
+      "version": "4.60.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-gnu/-/rollup-linux-ppc64-gnu-4.60.0.tgz",
+      "integrity": "sha512-RwpnLsqC8qbS8z1H1AxBA1H6qknR4YpPR9w2XX0vo2Sz10miu57PkNcnHVaZkbqyw/kUWfKMI73jhmfi9BRMUQ==",
       "cpu": [
         "ppc64"
       ],
@@ -1020,9 +1020,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-ppc64-musl": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-musl/-/rollup-linux-ppc64-musl-4.59.0.tgz",
-      "integrity": "sha512-+2kLtQ4xT3AiIxkzFVFXfsmlZiG5FXYW7ZyIIvGA7Bdeuh9Z0aN4hVyXS/G1E9bTP/vqszNIN/pUKCk/BTHsKA==",
+      "version": "4.60.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-musl/-/rollup-linux-ppc64-musl-4.60.0.tgz",
+      "integrity": "sha512-Z8pPf54Ly3aqtdWC3G4rFigZgNvd+qJlOE52fmko3KST9SoGfAdSRCwyoyG05q1HrrAblLbk1/PSIV+80/pxLg==",
       "cpu": [
         "ppc64"
       ],
@@ -1034,9 +1034,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-riscv64-gnu": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-gnu/-/rollup-linux-riscv64-gnu-4.59.0.tgz",
-      "integrity": "sha512-NDYMpsXYJJaj+I7UdwIuHHNxXZ/b/N2hR15NyH3m2qAtb/hHPA4g4SuuvrdxetTdndfj9b1WOmy73kcPRoERUg==",
+      "version": "4.60.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-gnu/-/rollup-linux-riscv64-gnu-4.60.0.tgz",
+      "integrity": "sha512-3a3qQustp3COCGvnP4SvrMHnPQ9d1vzCakQVRTliaz8cIp/wULGjiGpbcqrkv0WrHTEp8bQD/B3HBjzujVWLOA==",
       "cpu": [
         "riscv64"
       ],
@@ -1048,9 +1048,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-riscv64-musl": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-musl/-/rollup-linux-riscv64-musl-4.59.0.tgz",
-      "integrity": "sha512-nLckB8WOqHIf1bhymk+oHxvM9D3tyPndZH8i8+35p/1YiVoVswPid2yLzgX7ZJP0KQvnkhM4H6QZ5m0LzbyIAg==",
+      "version": "4.60.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-musl/-/rollup-linux-riscv64-musl-4.60.0.tgz",
+      "integrity": "sha512-pjZDsVH/1VsghMJ2/kAaxt6dL0psT6ZexQVrijczOf+PeP2BUqTHYejk3l6TlPRydggINOeNRhvpLa0AYpCWSQ==",
       "cpu": [
         "riscv64"
       ],
@@ -1062,9 +1062,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-s390x-gnu": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-s390x-gnu/-/rollup-linux-s390x-gnu-4.59.0.tgz",
-      "integrity": "sha512-oF87Ie3uAIvORFBpwnCvUzdeYUqi2wY6jRFWJAy1qus/udHFYIkplYRW+wo+GRUP4sKzYdmE1Y3+rY5Gc4ZO+w==",
+      "version": "4.60.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-s390x-gnu/-/rollup-linux-s390x-gnu-4.60.0.tgz",
+      "integrity": "sha512-3ObQs0BhvPgiUVZrN7gqCSvmFuMWvWvsjG5ayJ3Lraqv+2KhOsp+pUbigqbeWqueGIsnn+09HBw27rJ+gYK4VQ==",
       "cpu": [
         "s390x"
       ],
@@ -1076,9 +1076,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-x64-gnu": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.59.0.tgz",
-      "integrity": "sha512-3AHmtQq/ppNuUspKAlvA8HtLybkDflkMuLK4DPo77DfthRb71V84/c4MlWJXixZz4uruIH4uaa07IqoAkG64fg==",
+      "version": "4.60.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.60.0.tgz",
+      "integrity": "sha512-EtylprDtQPdS5rXvAayrNDYoJhIz1/vzN2fEubo3yLE7tfAw+948dO0g4M0vkTVFhKojnF+n6C8bDNe+gDRdTg==",
       "cpu": [
         "x64"
       ],
@@ -1090,9 +1090,9 @@
       ]
     },
     "node_modules/@rollup/rollup-linux-x64-musl": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.59.0.tgz",
-      "integrity": "sha512-2UdiwS/9cTAx7qIUZB/fWtToJwvt0Vbo0zmnYt7ED35KPg13Q0ym1g442THLC7VyI6JfYTP4PiSOWyoMdV2/xg==",
+      "version": "4.60.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.60.0.tgz",
+      "integrity": "sha512-k09oiRCi/bHU9UVFqD17r3eJR9bn03TyKraCrlz5ULFJGdJGi7VOmm9jl44vOJvRJ6P7WuBi/s2A97LxxHGIdw==",
       "cpu": [
         "x64"
       ],
@@ -1104,9 +1104,9 @@
       ]
     },
     "node_modules/@rollup/rollup-openbsd-x64": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-openbsd-x64/-/rollup-openbsd-x64-4.59.0.tgz",
-      "integrity": "sha512-M3bLRAVk6GOwFlPTIxVBSYKUaqfLrn8l0psKinkCFxl4lQvOSz8ZrKDz2gxcBwHFpci0B6rttydI4IpS4IS/jQ==",
+      "version": "4.60.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-openbsd-x64/-/rollup-openbsd-x64-4.60.0.tgz",
+      "integrity": "sha512-1o/0/pIhozoSaDJoDcec+IVLbnRtQmHwPV730+AOD29lHEEo4F5BEUB24H0OBdhbBBDwIOSuf7vgg0Ywxdfiiw==",
       "cpu": [
         "x64"
       ],
@@ -1118,9 +1118,9 @@
       ]
     },
     "node_modules/@rollup/rollup-openharmony-arm64": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-openharmony-arm64/-/rollup-openharmony-arm64-4.59.0.tgz",
-      "integrity": "sha512-tt9KBJqaqp5i5HUZzoafHZX8b5Q2Fe7UjYERADll83O4fGqJ49O1FsL6LpdzVFQcpwvnyd0i+K/VSwu/o/nWlA==",
+      "version": "4.60.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-openharmony-arm64/-/rollup-openharmony-arm64-4.60.0.tgz",
+      "integrity": "sha512-pESDkos/PDzYwtyzB5p/UoNU/8fJo68vcXM9ZW2V0kjYayj1KaaUfi1NmTUTUpMn4UhU4gTuK8gIaFO4UGuMbA==",
       "cpu": [
         "arm64"
       ],
@@ -1132,9 +1132,9 @@
       ]
     },
     "node_modules/@rollup/rollup-win32-arm64-msvc": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.59.0.tgz",
-      "integrity": "sha512-V5B6mG7OrGTwnxaNUzZTDTjDS7F75PO1ae6MJYdiMu60sq0CqN5CVeVsbhPxalupvTX8gXVSU9gq+Rx1/hvu6A==",
+      "version": "4.60.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.60.0.tgz",
+      "integrity": "sha512-hj1wFStD7B1YBeYmvY+lWXZ7ey73YGPcViMShYikqKT1GtstIKQAtfUI6yrzPjAy/O7pO0VLXGmUVWXQMaYgTQ==",
       "cpu": [
         "arm64"
       ],
@@ -1146,9 +1146,9 @@
       ]
     },
     "node_modules/@rollup/rollup-win32-ia32-msvc": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.59.0.tgz",
-      "integrity": "sha512-UKFMHPuM9R0iBegwzKF4y0C4J9u8C6MEJgFuXTBerMk7EJ92GFVFYBfOZaSGLu6COf7FxpQNqhNS4c4icUPqxA==",
+      "version": "4.60.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.60.0.tgz",
+      "integrity": "sha512-SyaIPFoxmUPlNDq5EHkTbiKzmSEmq/gOYFI/3HHJ8iS/v1mbugVa7dXUzcJGQfoytp9DJFLhHH4U3/eTy2Bq4w==",
       "cpu": [
         "ia32"
       ],
@@ -1160,9 +1160,9 @@
       ]
     },
     "node_modules/@rollup/rollup-win32-x64-gnu": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-gnu/-/rollup-win32-x64-gnu-4.59.0.tgz",
-      "integrity": "sha512-laBkYlSS1n2L8fSo1thDNGrCTQMmxjYY5G0WFWjFFYZkKPjsMBsgJfGf4TLxXrF6RyhI60L8TMOjBMvXiTcxeA==",
+      "version": "4.60.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-gnu/-/rollup-win32-x64-gnu-4.60.0.tgz",
+      "integrity": "sha512-RdcryEfzZr+lAr5kRm2ucN9aVlCCa2QNq4hXelZxb8GG0NJSazq44Z3PCCc8wISRuCVnGs0lQJVX5Vp6fKA+IA==",
       "cpu": [
         "x64"
       ],
@@ -1174,9 +1174,9 @@
       ]
     },
     "node_modules/@rollup/rollup-win32-x64-msvc": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.59.0.tgz",
-      "integrity": "sha512-2HRCml6OztYXyJXAvdDXPKcawukWY2GpR5/nxKp4iBgiO3wcoEGkAaqctIbZcNB6KlUQBIqt8VYkNSj2397EfA==",
+      "version": "4.60.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.60.0.tgz",
+      "integrity": "sha512-PrsWNQ8BuE00O3Xsx3ALh2Df8fAj9+cvvX9AIA6o4KpATR98c9mud4XtDWVvsEuyia5U4tVSTKygawyJkjm60w==",
       "cpu": [
         "x64"
       ],
@@ -1188,49 +1188,49 @@
       ]
     },
     "node_modules/@tailwindcss/node": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/node/-/node-4.2.1.tgz",
-      "integrity": "sha512-jlx6sLk4EOwO6hHe1oCGm1Q4AN/s0rSrTTPBGPM0/RQ6Uylwq17FuU8IeJJKEjtc6K6O07zsvP+gDO6MMWo7pg==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/node/-/node-4.2.2.tgz",
+      "integrity": "sha512-pXS+wJ2gZpVXqFaUEjojq7jzMpTGf8rU6ipJz5ovJV6PUGmlJ+jvIwGrzdHdQ80Sg+wmQxUFuoW1UAAwHNEdFA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@jridgewell/remapping": "^2.3.5",
         "enhanced-resolve": "^5.19.0",
         "jiti": "^2.6.1",
-        "lightningcss": "1.31.1",
+        "lightningcss": "1.32.0",
         "magic-string": "^0.30.21",
         "source-map-js": "^1.2.1",
-        "tailwindcss": "4.2.1"
+        "tailwindcss": "4.2.2"
       }
     },
     "node_modules/@tailwindcss/oxide": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide/-/oxide-4.2.1.tgz",
-      "integrity": "sha512-yv9jeEFWnjKCI6/T3Oq50yQEOqmpmpfzG1hcZsAOaXFQPfzWprWrlHSdGPEF3WQTi8zu8ohC9Mh9J470nT5pUw==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide/-/oxide-4.2.2.tgz",
+      "integrity": "sha512-qEUA07+E5kehxYp9BVMpq9E8vnJuBHfJEC0vPC5e7iL/hw7HR61aDKoVoKzrG+QKp56vhNZe4qwkRmMC0zDLvg==",
       "dev": true,
       "license": "MIT",
       "engines": {
         "node": ">= 20"
       },
       "optionalDependencies": {
-        "@tailwindcss/oxide-android-arm64": "4.2.1",
-        "@tailwindcss/oxide-darwin-arm64": "4.2.1",
-        "@tailwindcss/oxide-darwin-x64": "4.2.1",
-        "@tailwindcss/oxide-freebsd-x64": "4.2.1",
-        "@tailwindcss/oxide-linux-arm-gnueabihf": "4.2.1",
-        "@tailwindcss/oxide-linux-arm64-gnu": "4.2.1",
-        "@tailwindcss/oxide-linux-arm64-musl": "4.2.1",
-        "@tailwindcss/oxide-linux-x64-gnu": "4.2.1",
-        "@tailwindcss/oxide-linux-x64-musl": "4.2.1",
-        "@tailwindcss/oxide-wasm32-wasi": "4.2.1",
-        "@tailwindcss/oxide-win32-arm64-msvc": "4.2.1",
-        "@tailwindcss/oxide-win32-x64-msvc": "4.2.1"
+        "@tailwindcss/oxide-android-arm64": "4.2.2",
+        "@tailwindcss/oxide-darwin-arm64": "4.2.2",
+        "@tailwindcss/oxide-darwin-x64": "4.2.2",
+        "@tailwindcss/oxide-freebsd-x64": "4.2.2",
+        "@tailwindcss/oxide-linux-arm-gnueabihf": "4.2.2",
+        "@tailwindcss/oxide-linux-arm64-gnu": "4.2.2",
+        "@tailwindcss/oxide-linux-arm64-musl": "4.2.2",
+        "@tailwindcss/oxide-linux-x64-gnu": "4.2.2",
+        "@tailwindcss/oxide-linux-x64-musl": "4.2.2",
+        "@tailwindcss/oxide-wasm32-wasi": "4.2.2",
+        "@tailwindcss/oxide-win32-arm64-msvc": "4.2.2",
+        "@tailwindcss/oxide-win32-x64-msvc": "4.2.2"
       }
     },
     "node_modules/@tailwindcss/oxide-android-arm64": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-android-arm64/-/oxide-android-arm64-4.2.1.tgz",
-      "integrity": "sha512-eZ7G1Zm5EC8OOKaesIKuw77jw++QJ2lL9N+dDpdQiAB/c/B2wDh0QPFHbkBVrXnwNugvrbJFk1gK2SsVjwWReg==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-android-arm64/-/oxide-android-arm64-4.2.2.tgz",
+      "integrity": "sha512-dXGR1n+P3B6748jZO/SvHZq7qBOqqzQ+yFrXpoOWWALWndF9MoSKAT3Q0fYgAzYzGhxNYOoysRvYlpixRBBoDg==",
       "cpu": [
         "arm64"
       ],
@@ -1245,9 +1245,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-darwin-arm64": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-darwin-arm64/-/oxide-darwin-arm64-4.2.1.tgz",
-      "integrity": "sha512-q/LHkOstoJ7pI1J0q6djesLzRvQSIfEto148ppAd+BVQK0JYjQIFSK3JgYZJa+Yzi0DDa52ZsQx2rqytBnf8Hw==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-darwin-arm64/-/oxide-darwin-arm64-4.2.2.tgz",
+      "integrity": "sha512-iq9Qjr6knfMpZHj55/37ouZeykwbDqF21gPFtfnhCCKGDcPI/21FKC9XdMO/XyBM7qKORx6UIhGgg6jLl7BZlg==",
       "cpu": [
         "arm64"
       ],
@@ -1262,9 +1262,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-darwin-x64": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-darwin-x64/-/oxide-darwin-x64-4.2.1.tgz",
-      "integrity": "sha512-/f/ozlaXGY6QLbpvd/kFTro2l18f7dHKpB+ieXz+Cijl4Mt9AI2rTrpq7V+t04nK+j9XBQHnSMdeQRhbGyt6fw==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-darwin-x64/-/oxide-darwin-x64-4.2.2.tgz",
+      "integrity": "sha512-BlR+2c3nzc8f2G639LpL89YY4bdcIdUmiOOkv2GQv4/4M0vJlpXEa0JXNHhCHU7VWOKWT/CjqHdTP8aUuDJkuw==",
       "cpu": [
         "x64"
       ],
@@ -1279,9 +1279,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-freebsd-x64": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-freebsd-x64/-/oxide-freebsd-x64-4.2.1.tgz",
-      "integrity": "sha512-5e/AkgYJT/cpbkys/OU2Ei2jdETCLlifwm7ogMC7/hksI2fC3iiq6OcXwjibcIjPung0kRtR3TxEITkqgn0TcA==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-freebsd-x64/-/oxide-freebsd-x64-4.2.2.tgz",
+      "integrity": "sha512-YUqUgrGMSu2CDO82hzlQ5qSb5xmx3RUrke/QgnoEx7KvmRJHQuZHZmZTLSuuHwFf0DJPybFMXMYf+WJdxHy/nQ==",
       "cpu": [
         "x64"
       ],
@@ -1296,9 +1296,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-linux-arm-gnueabihf": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm-gnueabihf/-/oxide-linux-arm-gnueabihf-4.2.1.tgz",
-      "integrity": "sha512-Uny1EcVTTmerCKt/1ZuKTkb0x8ZaiuYucg2/kImO5A5Y/kBz41/+j0gxUZl+hTF3xkWpDmHX+TaWhOtba2Fyuw==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm-gnueabihf/-/oxide-linux-arm-gnueabihf-4.2.2.tgz",
+      "integrity": "sha512-FPdhvsW6g06T9BWT0qTwiVZYE2WIFo2dY5aCSpjG/S/u1tby+wXoslXS0kl3/KXnULlLr1E3NPRRw0g7t2kgaQ==",
       "cpu": [
         "arm"
       ],
@@ -1313,9 +1313,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-linux-arm64-gnu": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm64-gnu/-/oxide-linux-arm64-gnu-4.2.1.tgz",
-      "integrity": "sha512-CTrwomI+c7n6aSSQlsPL0roRiNMDQ/YzMD9EjcR+H4f0I1SQ8QqIuPnsVp7QgMkC1Qi8rtkekLkOFjo7OlEFRQ==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm64-gnu/-/oxide-linux-arm64-gnu-4.2.2.tgz",
+      "integrity": "sha512-4og1V+ftEPXGttOO7eCmW7VICmzzJWgMx+QXAJRAhjrSjumCwWqMfkDrNu1LXEQzNAwz28NCUpucgQPrR4S2yw==",
       "cpu": [
         "arm64"
       ],
@@ -1330,9 +1330,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-linux-arm64-musl": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm64-musl/-/oxide-linux-arm64-musl-4.2.1.tgz",
-      "integrity": "sha512-WZA0CHRL/SP1TRbA5mp9htsppSEkWuQ4KsSUumYQnyl8ZdT39ntwqmz4IUHGN6p4XdSlYfJwM4rRzZLShHsGAQ==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm64-musl/-/oxide-linux-arm64-musl-4.2.2.tgz",
+      "integrity": "sha512-oCfG/mS+/+XRlwNjnsNLVwnMWYH7tn/kYPsNPh+JSOMlnt93mYNCKHYzylRhI51X+TbR+ufNhhKKzm6QkqX8ag==",
       "cpu": [
         "arm64"
       ],
@@ -1347,9 +1347,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-linux-x64-gnu": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-x64-gnu/-/oxide-linux-x64-gnu-4.2.1.tgz",
-      "integrity": "sha512-qMFzxI2YlBOLW5PhblzuSWlWfwLHaneBE0xHzLrBgNtqN6mWfs+qYbhryGSXQjFYB1Dzf5w+LN5qbUTPhW7Y5g==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-x64-gnu/-/oxide-linux-x64-gnu-4.2.2.tgz",
+      "integrity": "sha512-rTAGAkDgqbXHNp/xW0iugLVmX62wOp2PoE39BTCGKjv3Iocf6AFbRP/wZT/kuCxC9QBh9Pu8XPkv/zCZB2mcMg==",
       "cpu": [
         "x64"
       ],
@@ -1364,9 +1364,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-linux-x64-musl": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-x64-musl/-/oxide-linux-x64-musl-4.2.1.tgz",
-      "integrity": "sha512-5r1X2FKnCMUPlXTWRYpHdPYUY6a1Ar/t7P24OuiEdEOmms5lyqjDRvVY1yy9Rmioh+AunQ0rWiOTPE8F9A3v5g==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-x64-musl/-/oxide-linux-x64-musl-4.2.2.tgz",
+      "integrity": "sha512-XW3t3qwbIwiSyRCggeO2zxe3KWaEbM0/kW9e8+0XpBgyKU4ATYzcVSMKteZJ1iukJ3HgHBjbg9P5YPRCVUxlnQ==",
       "cpu": [
         "x64"
       ],
@@ -1381,9 +1381,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-wasm32-wasi": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-wasm32-wasi/-/oxide-wasm32-wasi-4.2.1.tgz",
-      "integrity": "sha512-MGFB5cVPvshR85MTJkEvqDUnuNoysrsRxd6vnk1Lf2tbiqNlXpHYZqkqOQalydienEWOHHFyyuTSYRsLfxFJ2Q==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-wasm32-wasi/-/oxide-wasm32-wasi-4.2.2.tgz",
+      "integrity": "sha512-eKSztKsmEsn1O5lJ4ZAfyn41NfG7vzCg496YiGtMDV86jz1q/irhms5O0VrY6ZwTUkFy/EKG3RfWgxSI3VbZ8Q==",
       "bundleDependencies": [
         "@napi-rs/wasm-runtime",
         "@emnapi/core",
@@ -1411,9 +1411,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-win32-arm64-msvc": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-arm64-msvc/-/oxide-win32-arm64-msvc-4.2.1.tgz",
-      "integrity": "sha512-YlUEHRHBGnCMh4Nj4GnqQyBtsshUPdiNroZj8VPkvTZSoHsilRCwXcVKnG9kyi0ZFAS/3u+qKHBdDc81SADTRA==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-arm64-msvc/-/oxide-win32-arm64-msvc-4.2.2.tgz",
+      "integrity": "sha512-qPmaQM4iKu5mxpsrWZMOZRgZv1tOZpUm+zdhhQP0VhJfyGGO3aUKdbh3gDZc/dPLQwW4eSqWGrrcWNBZWUWaXQ==",
       "cpu": [
         "arm64"
       ],
@@ -1428,9 +1428,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-win32-x64-msvc": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-x64-msvc/-/oxide-win32-x64-msvc-4.2.1.tgz",
-      "integrity": "sha512-rbO34G5sMWWyrN/idLeVxAZgAKWrn5LiR3/I90Q9MkA67s6T1oB0xtTe+0heoBvHSpbU9Mk7i6uwJnpo4u21XQ==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-x64-msvc/-/oxide-win32-x64-msvc-4.2.2.tgz",
+      "integrity": "sha512-1T/37VvI7WyH66b+vqHj/cLwnCxt7Qt3WFu5Q8hk65aOvlwAhs7rAp1VkulBJw/N4tMirXjVnylTR72uI0HGcA==",
       "cpu": [
         "x64"
       ],
@@ -1445,18 +1445,18 @@
       }
     },
     "node_modules/@tailwindcss/vite": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/vite/-/vite-4.2.1.tgz",
-      "integrity": "sha512-TBf2sJjYeb28jD2U/OhwdW0bbOsxkWPwQ7SrqGf9sVcoYwZj7rkXljroBO9wKBut9XnmQLXanuDUeqQK0lGg/w==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/vite/-/vite-4.2.2.tgz",
+      "integrity": "sha512-mEiF5HO1QqCLXoNEfXVA1Tzo+cYsrqV7w9Juj2wdUFyW07JRenqMG225MvPwr3ZD9N1bFQj46X7r33iHxLUW0w==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@tailwindcss/node": "4.2.1",
-        "@tailwindcss/oxide": "4.2.1",
-        "tailwindcss": "4.2.1"
+        "@tailwindcss/node": "4.2.2",
+        "@tailwindcss/oxide": "4.2.2",
+        "tailwindcss": "4.2.2"
       },
       "peerDependencies": {
-        "vite": "^5.2.0 || ^6 || ^7"
+        "vite": "^5.2.0 || ^6 || ^7 || ^8"
       }
     },
     "node_modules/@types/estree": {
@@ -1527,39 +1527,39 @@
       }
     },
     "node_modules/@vue/compiler-core": {
-      "version": "3.5.30",
-      "resolved": "https://registry.npmjs.org/@vue/compiler-core/-/compiler-core-3.5.30.tgz",
-      "integrity": "sha512-s3DfdZkcu/qExZ+td75015ljzHc6vE+30cFMGRPROYjqkroYI5NV2X1yAMX9UeyBNWB9MxCfPcsjpLS11nzkkw==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-core/-/compiler-core-3.5.31.tgz",
+      "integrity": "sha512-k/ueL14aNIEy5Onf0OVzR8kiqF/WThgLdFhxwa4e/KF/0qe38IwIdofoSWBTvvxQOesaz6riAFAUaYjoF9fLLQ==",
       "license": "MIT",
       "dependencies": {
-        "@babel/parser": "^7.29.0",
-        "@vue/shared": "3.5.30",
+        "@babel/parser": "^7.29.2",
+        "@vue/shared": "3.5.31",
         "entities": "^7.0.1",
         "estree-walker": "^2.0.2",
         "source-map-js": "^1.2.1"
       }
     },
     "node_modules/@vue/compiler-dom": {
-      "version": "3.5.30",
-      "resolved": "https://registry.npmjs.org/@vue/compiler-dom/-/compiler-dom-3.5.30.tgz",
-      "integrity": "sha512-eCFYESUEVYHhiMuK4SQTldO3RYxyMR/UQL4KdGD1Yrkfdx4m/HYuZ9jSfPdA+nWJY34VWndiYdW/wZXyiPEB9g==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-dom/-/compiler-dom-3.5.31.tgz",
+      "integrity": "sha512-BMY/ozS/xxjYqRFL+tKdRpATJYDTTgWSo0+AJvJNg4ig+Hgb0dOsHPXvloHQ5hmlivUqw1Yt2pPIqp4e0v1GUw==",
       "license": "MIT",
       "dependencies": {
-        "@vue/compiler-core": "3.5.30",
-        "@vue/shared": "3.5.30"
+        "@vue/compiler-core": "3.5.31",
+        "@vue/shared": "3.5.31"
       }
     },
     "node_modules/@vue/compiler-sfc": {
-      "version": "3.5.30",
-      "resolved": "https://registry.npmjs.org/@vue/compiler-sfc/-/compiler-sfc-3.5.30.tgz",
-      "integrity": "sha512-LqmFPDn89dtU9vI3wHJnwaV6GfTRD87AjWpTWpyrdVOObVtjIuSeZr181z5C4PmVx/V3j2p+0f7edFKGRMpQ5A==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-sfc/-/compiler-sfc-3.5.31.tgz",
+      "integrity": "sha512-M8wpPgR9UJ8MiRGjppvx9uWJfLV7A/T+/rL8s/y3QG3u0c2/YZgff3d6SuimKRIhcYnWg5fTfDMlz2E6seUW8Q==",
       "license": "MIT",
       "dependencies": {
-        "@babel/parser": "^7.29.0",
-        "@vue/compiler-core": "3.5.30",
-        "@vue/compiler-dom": "3.5.30",
-        "@vue/compiler-ssr": "3.5.30",
-        "@vue/shared": "3.5.30",
+        "@babel/parser": "^7.29.2",
+        "@vue/compiler-core": "3.5.31",
+        "@vue/compiler-dom": "3.5.31",
+        "@vue/compiler-ssr": "3.5.31",
+        "@vue/shared": "3.5.31",
         "estree-walker": "^2.0.2",
         "magic-string": "^0.30.21",
         "postcss": "^8.5.8",
@@ -1567,90 +1567,90 @@
       }
     },
     "node_modules/@vue/compiler-ssr": {
-      "version": "3.5.30",
-      "resolved": "https://registry.npmjs.org/@vue/compiler-ssr/-/compiler-ssr-3.5.30.tgz",
-      "integrity": "sha512-NsYK6OMTnx109PSL2IAyf62JP6EUdk4Dmj6AkWcJGBvN0dQoMYtVekAmdqgTtWQgEJo+Okstbf/1p7qZr5H+bA==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-ssr/-/compiler-ssr-3.5.31.tgz",
+      "integrity": "sha512-h0xIMxrt/LHOvJKMri+vdYT92BrK3HFLtDqq9Pr/lVVfE4IyKZKvWf0vJFW10Yr6nX02OR4MkJwI0c1HDa1hog==",
       "license": "MIT",
       "dependencies": {
-        "@vue/compiler-dom": "3.5.30",
-        "@vue/shared": "3.5.30"
+        "@vue/compiler-dom": "3.5.31",
+        "@vue/shared": "3.5.31"
       }
     },
     "node_modules/@vue/devtools-api": {
-      "version": "8.0.7",
-      "resolved": "https://registry.npmjs.org/@vue/devtools-api/-/devtools-api-8.0.7.tgz",
-      "integrity": "sha512-tc1TXAxclsn55JblLkFVcIRG7MeSJC4fWsPjfM7qu/IcmPUYnQ5Q8vzWwBpyDY24ZjmZTUCCwjRSNbx58IhlAA==",
+      "version": "8.1.1",
+      "resolved": "https://registry.npmjs.org/@vue/devtools-api/-/devtools-api-8.1.1.tgz",
+      "integrity": "sha512-bsDMJ07b3GN1puVwJb/fyFnj/U2imyswK5UQVLZwVl7O05jDrt6BHxeG5XffmOOdasOj/bOmIjxJvGPxU7pcqw==",
       "license": "MIT",
       "dependencies": {
-        "@vue/devtools-kit": "^8.0.7"
+        "@vue/devtools-kit": "^8.1.1"
       }
     },
     "node_modules/@vue/devtools-kit": {
-      "version": "8.0.7",
-      "resolved": "https://registry.npmjs.org/@vue/devtools-kit/-/devtools-kit-8.0.7.tgz",
-      "integrity": "sha512-H6esJGHGl5q0E9iV3m2EoBQHJ+V83WMW83A0/+Fn95eZ2iIvdsq4+UCS6yT/Fdd4cGZSchx/MdWDreM3WqMsDw==",
+      "version": "8.1.1",
+      "resolved": "https://registry.npmjs.org/@vue/devtools-kit/-/devtools-kit-8.1.1.tgz",
+      "integrity": "sha512-gVBaBv++i+adg4JpH71k9ppl4soyR7Y2McEqO5YNgv0BI1kMZ7BDX5gnwkZ5COYgiCyhejZG+yGNrBAjj6Coqg==",
       "license": "MIT",
       "dependencies": {
-        "@vue/devtools-shared": "^8.0.7",
+        "@vue/devtools-shared": "^8.1.1",
         "birpc": "^2.6.1",
         "hookable": "^5.5.3",
         "perfect-debounce": "^2.0.0"
       }
     },
     "node_modules/@vue/devtools-shared": {
-      "version": "8.0.7",
-      "resolved": "https://registry.npmjs.org/@vue/devtools-shared/-/devtools-shared-8.0.7.tgz",
-      "integrity": "sha512-CgAb9oJH5NUmbQRdYDj/1zMiaICYSLtm+B1kxcP72LBrifGAjUmt8bx52dDH1gWRPlQgxGPqpAMKavzVirAEhA==",
+      "version": "8.1.1",
+      "resolved": "https://registry.npmjs.org/@vue/devtools-shared/-/devtools-shared-8.1.1.tgz",
+      "integrity": "sha512-+h4ttmJYl/txpxHKaoZcaKpC+pvckgLzIDiSQlaQ7kKthKh8KuwoLW2D8hPJEnqKzXOvu15UHEoGyngAXCz0EQ==",
       "license": "MIT"
     },
     "node_modules/@vue/reactivity": {
-      "version": "3.5.30",
-      "resolved": "https://registry.npmjs.org/@vue/reactivity/-/reactivity-3.5.30.tgz",
-      "integrity": "sha512-179YNgKATuwj9gB+66snskRDOitDiuOZqkYia7mHKJaidOMo/WJxHKF8DuGc4V4XbYTJANlfEKb0yxTQotnx4Q==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/reactivity/-/reactivity-3.5.31.tgz",
+      "integrity": "sha512-DtKXxk9E/KuVvt8VxWu+6Luc9I9ETNcqR1T1oW1gf02nXaZ1kuAx58oVu7uX9XxJR0iJCro6fqBLw9oSBELo5g==",
       "license": "MIT",
       "dependencies": {
-        "@vue/shared": "3.5.30"
+        "@vue/shared": "3.5.31"
       }
     },
     "node_modules/@vue/runtime-core": {
-      "version": "3.5.30",
-      "resolved": "https://registry.npmjs.org/@vue/runtime-core/-/runtime-core-3.5.30.tgz",
-      "integrity": "sha512-e0Z+8PQsUTdwV8TtEsLzUM7SzC7lQwYKePydb7K2ZnmS6jjND+WJXkmmfh/swYzRyfP1EY3fpdesyYoymCzYfg==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/runtime-core/-/runtime-core-3.5.31.tgz",
+      "integrity": "sha512-AZPmIHXEAyhpkmN7aWlqjSfYynmkWlluDNPHMCZKFHH+lLtxP/30UJmoVhXmbDoP1Ng0jG0fyY2zCj1PnSSA6Q==",
       "license": "MIT",
       "dependencies": {
-        "@vue/reactivity": "3.5.30",
-        "@vue/shared": "3.5.30"
+        "@vue/reactivity": "3.5.31",
+        "@vue/shared": "3.5.31"
       }
     },
     "node_modules/@vue/runtime-dom": {
-      "version": "3.5.30",
-      "resolved": "https://registry.npmjs.org/@vue/runtime-dom/-/runtime-dom-3.5.30.tgz",
-      "integrity": "sha512-2UIGakjU4WSQ0T4iwDEW0W7vQj6n7AFn7taqZ9Cvm0Q/RA2FFOziLESrDL4GmtI1wV3jXg5nMoJSYO66egDUBw==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/runtime-dom/-/runtime-dom-3.5.31.tgz",
+      "integrity": "sha512-xQJsNRmGPeDCJq/u813tyonNgWBFjzfVkBwDREdEWndBnGdHLHgkwNBQxLtg4zDrzKTEcnikUy1UUNecb3lJ6g==",
       "license": "MIT",
       "dependencies": {
-        "@vue/reactivity": "3.5.30",
-        "@vue/runtime-core": "3.5.30",
-        "@vue/shared": "3.5.30",
+        "@vue/reactivity": "3.5.31",
+        "@vue/runtime-core": "3.5.31",
+        "@vue/shared": "3.5.31",
         "csstype": "^3.2.3"
       }
     },
     "node_modules/@vue/server-renderer": {
-      "version": "3.5.30",
-      "resolved": "https://registry.npmjs.org/@vue/server-renderer/-/server-renderer-3.5.30.tgz",
-      "integrity": "sha512-v+R34icapydRwbZRD0sXwtHqrQJv38JuMB4JxbOxd8NEpGLny7cncMp53W9UH/zo4j8eDHjQ1dEJXwzFQknjtQ==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/server-renderer/-/server-renderer-3.5.31.tgz",
+      "integrity": "sha512-GJuwRvMcdZX/CriUnyIIOGkx3rMV3H6sOu0JhdKbduaeCji6zb60iOGMY7tFoN24NfsUYoFBhshZtGxGpxO4iA==",
       "license": "MIT",
       "dependencies": {
-        "@vue/compiler-ssr": "3.5.30",
-        "@vue/shared": "3.5.30"
+        "@vue/compiler-ssr": "3.5.31",
+        "@vue/shared": "3.5.31"
       },
       "peerDependencies": {
-        "vue": "3.5.30"
+        "vue": "3.5.31"
       }
     },
     "node_modules/@vue/shared": {
-      "version": "3.5.30",
-      "resolved": "https://registry.npmjs.org/@vue/shared/-/shared-3.5.30.tgz",
-      "integrity": "sha512-YXgQ7JjaO18NeK2K9VTbDHaFy62WrObMa6XERNfNOkAhD1F1oDSf3ZJ7K6GqabZ0BvSDHajp8qfS5Sa2I9n8uQ==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/shared/-/shared-3.5.31.tgz",
+      "integrity": "sha512-nBxuiuS9Lj5bPkPbWogPUnjxxWpkRniX7e5UBQDWl6Fsf4roq9wwV+cR7ezQ4zXswNvPIlsdj1slcLB7XCsRAw==",
       "license": "MIT"
     },
     "node_modules/acorn": {
@@ -1845,9 +1845,9 @@
       "license": "MIT"
     },
     "node_modules/enhanced-resolve": {
-      "version": "5.20.0",
-      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.20.0.tgz",
-      "integrity": "sha512-/ce7+jQ1PQ6rVXwe+jKEg5hW5ciicHwIQUagZkp6IufBoY3YDgdTTY1azVs0qoRgVmvsNB+rbjLJxDAeHHtwsQ==",
+      "version": "5.20.1",
+      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.20.1.tgz",
+      "integrity": "sha512-Qohcme7V1inbAfvjItgw0EaxVX5q2rdVEZHRBrEQdRZTssLDGsL8Lwrznl8oQ/6kuTJONLaDcGjkNP247XEhcA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -1871,9 +1871,9 @@
       }
     },
     "node_modules/esbuild": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.3.tgz",
-      "integrity": "sha512-8VwMnyGCONIs6cWue2IdpHxHnAjzxnw2Zr7MkVxB2vjmQ2ivqGFb4LEG3SMnv0Gb2F/G/2yA8zUaiL1gywDCCg==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.4.tgz",
+      "integrity": "sha512-Rq4vbHnYkK5fws5NF7MYTU68FPRE1ajX7heQ/8QXXWqNgqqJ/GkmmyxIzUnf2Sr/bakf8l54716CcMGHYhMrrQ==",
       "dev": true,
       "hasInstallScript": true,
       "license": "MIT",
@@ -1884,32 +1884,32 @@
         "node": ">=18"
       },
       "optionalDependencies": {
-        "@esbuild/aix-ppc64": "0.27.3",
-        "@esbuild/android-arm": "0.27.3",
-        "@esbuild/android-arm64": "0.27.3",
-        "@esbuild/android-x64": "0.27.3",
-        "@esbuild/darwin-arm64": "0.27.3",
-        "@esbuild/darwin-x64": "0.27.3",
-        "@esbuild/freebsd-arm64": "0.27.3",
-        "@esbuild/freebsd-x64": "0.27.3",
-        "@esbuild/linux-arm": "0.27.3",
-        "@esbuild/linux-arm64": "0.27.3",
-        "@esbuild/linux-ia32": "0.27.3",
-        "@esbuild/linux-loong64": "0.27.3",
-        "@esbuild/linux-mips64el": "0.27.3",
-        "@esbuild/linux-ppc64": "0.27.3",
-        "@esbuild/linux-riscv64": "0.27.3",
-        "@esbuild/linux-s390x": "0.27.3",
-        "@esbuild/linux-x64": "0.27.3",
-        "@esbuild/netbsd-arm64": "0.27.3",
-        "@esbuild/netbsd-x64": "0.27.3",
-        "@esbuild/openbsd-arm64": "0.27.3",
-        "@esbuild/openbsd-x64": "0.27.3",
-        "@esbuild/openharmony-arm64": "0.27.3",
-        "@esbuild/sunos-x64": "0.27.3",
-        "@esbuild/win32-arm64": "0.27.3",
-        "@esbuild/win32-ia32": "0.27.3",
-        "@esbuild/win32-x64": "0.27.3"
+        "@esbuild/aix-ppc64": "0.27.4",
+        "@esbuild/android-arm": "0.27.4",
+        "@esbuild/android-arm64": "0.27.4",
+        "@esbuild/android-x64": "0.27.4",
+        "@esbuild/darwin-arm64": "0.27.4",
+        "@esbuild/darwin-x64": "0.27.4",
+        "@esbuild/freebsd-arm64": "0.27.4",
+        "@esbuild/freebsd-x64": "0.27.4",
+        "@esbuild/linux-arm": "0.27.4",
+        "@esbuild/linux-arm64": "0.27.4",
+        "@esbuild/linux-ia32": "0.27.4",
+        "@esbuild/linux-loong64": "0.27.4",
+        "@esbuild/linux-mips64el": "0.27.4",
+        "@esbuild/linux-ppc64": "0.27.4",
+        "@esbuild/linux-riscv64": "0.27.4",
+        "@esbuild/linux-s390x": "0.27.4",
+        "@esbuild/linux-x64": "0.27.4",
+        "@esbuild/netbsd-arm64": "0.27.4",
+        "@esbuild/netbsd-x64": "0.27.4",
+        "@esbuild/openbsd-arm64": "0.27.4",
+        "@esbuild/openbsd-x64": "0.27.4",
+        "@esbuild/openharmony-arm64": "0.27.4",
+        "@esbuild/sunos-x64": "0.27.4",
+        "@esbuild/win32-arm64": "0.27.4",
+        "@esbuild/win32-ia32": "0.27.4",
+        "@esbuild/win32-x64": "0.27.4"
       }
     },
     "node_modules/escalade": {
@@ -1982,9 +1982,9 @@
       "license": "ISC"
     },
     "node_modules/graphql": {
-      "version": "16.13.1",
-      "resolved": "https://registry.npmjs.org/graphql/-/graphql-16.13.1.tgz",
-      "integrity": "sha512-gGgrVCoDKlIZ8fIqXBBb0pPKqDgki0Z/FSKNiQzSGj2uEYHr1tq5wmBegGwJx6QB5S5cM0khSBpi/JFHMCvsmQ==",
+      "version": "16.13.2",
+      "resolved": "https://registry.npmjs.org/graphql/-/graphql-16.13.2.tgz",
+      "integrity": "sha512-5bJ+nf/UCpAjHM8i06fl7eLyVC9iuNAjm9qzkiu2ZGhM0VscSvS6WDPfAwkdkBuoXGM9FJSbKl6wylMwP9Ktig==",
       "license": "MIT",
       "engines": {
         "node": "^12.22.0 || ^14.16.0 || ^16.0.0 || >=17.0.0"
@@ -2064,9 +2064,9 @@
       }
     },
     "node_modules/lightningcss": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss/-/lightningcss-1.31.1.tgz",
-      "integrity": "sha512-l51N2r93WmGUye3WuFoN5k10zyvrVs0qfKBhyC5ogUQ6Ew6JUSswh78mbSO+IU3nTWsyOArqPCcShdQSadghBQ==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss/-/lightningcss-1.32.0.tgz",
+      "integrity": "sha512-NXYBzinNrblfraPGyrbPoD19C1h9lfI/1mzgWYvXUTe414Gz/X1FD2XBZSZM7rRTrMA8JL3OtAaGifrIKhQ5yQ==",
       "dev": true,
       "license": "MPL-2.0",
       "dependencies": {
@@ -2080,23 +2080,23 @@
         "url": "https://opencollective.com/parcel"
       },
       "optionalDependencies": {
-        "lightningcss-android-arm64": "1.31.1",
-        "lightningcss-darwin-arm64": "1.31.1",
-        "lightningcss-darwin-x64": "1.31.1",
-        "lightningcss-freebsd-x64": "1.31.1",
-        "lightningcss-linux-arm-gnueabihf": "1.31.1",
-        "lightningcss-linux-arm64-gnu": "1.31.1",
-        "lightningcss-linux-arm64-musl": "1.31.1",
-        "lightningcss-linux-x64-gnu": "1.31.1",
-        "lightningcss-linux-x64-musl": "1.31.1",
-        "lightningcss-win32-arm64-msvc": "1.31.1",
-        "lightningcss-win32-x64-msvc": "1.31.1"
+        "lightningcss-android-arm64": "1.32.0",
+        "lightningcss-darwin-arm64": "1.32.0",
+        "lightningcss-darwin-x64": "1.32.0",
+        "lightningcss-freebsd-x64": "1.32.0",
+        "lightningcss-linux-arm-gnueabihf": "1.32.0",
+        "lightningcss-linux-arm64-gnu": "1.32.0",
+        "lightningcss-linux-arm64-musl": "1.32.0",
+        "lightningcss-linux-x64-gnu": "1.32.0",
+        "lightningcss-linux-x64-musl": "1.32.0",
+        "lightningcss-win32-arm64-msvc": "1.32.0",
+        "lightningcss-win32-x64-msvc": "1.32.0"
       }
     },
     "node_modules/lightningcss-android-arm64": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-android-arm64/-/lightningcss-android-arm64-1.31.1.tgz",
-      "integrity": "sha512-HXJF3x8w9nQ4jbXRiNppBCqeZPIAfUo8zE/kOEGbW5NZvGc/K7nMxbhIr+YlFlHW5mpbg/YFPdbnCh1wAXCKFg==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-android-arm64/-/lightningcss-android-arm64-1.32.0.tgz",
+      "integrity": "sha512-YK7/ClTt4kAK0vo6w3X+Pnm0D2cf2vPHbhOXdoNti1Ga0al1P4TBZhwjATvjNwLEBCnKvjJc2jQgHXH0NEwlAg==",
       "cpu": [
         "arm64"
       ],
@@ -2115,9 +2115,9 @@
       }
     },
     "node_modules/lightningcss-darwin-arm64": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-darwin-arm64/-/lightningcss-darwin-arm64-1.31.1.tgz",
-      "integrity": "sha512-02uTEqf3vIfNMq3h/z2cJfcOXnQ0GRwQrkmPafhueLb2h7mqEidiCzkE4gBMEH65abHRiQvhdcQ+aP0D0g67sg==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-darwin-arm64/-/lightningcss-darwin-arm64-1.32.0.tgz",
+      "integrity": "sha512-RzeG9Ju5bag2Bv1/lwlVJvBE3q6TtXskdZLLCyfg5pt+HLz9BqlICO7LZM7VHNTTn/5PRhHFBSjk5lc4cmscPQ==",
       "cpu": [
         "arm64"
       ],
@@ -2136,9 +2136,9 @@
       }
     },
     "node_modules/lightningcss-darwin-x64": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-darwin-x64/-/lightningcss-darwin-x64-1.31.1.tgz",
-      "integrity": "sha512-1ObhyoCY+tGxtsz1lSx5NXCj3nirk0Y0kB/g8B8DT+sSx4G9djitg9ejFnjb3gJNWo7qXH4DIy2SUHvpoFwfTA==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-darwin-x64/-/lightningcss-darwin-x64-1.32.0.tgz",
+      "integrity": "sha512-U+QsBp2m/s2wqpUYT/6wnlagdZbtZdndSmut/NJqlCcMLTWp5muCrID+K5UJ6jqD2BFshejCYXniPDbNh73V8w==",
       "cpu": [
         "x64"
       ],
@@ -2157,9 +2157,9 @@
       }
     },
     "node_modules/lightningcss-freebsd-x64": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-freebsd-x64/-/lightningcss-freebsd-x64-1.31.1.tgz",
-      "integrity": "sha512-1RINmQKAItO6ISxYgPwszQE1BrsVU5aB45ho6O42mu96UiZBxEXsuQ7cJW4zs4CEodPUioj/QrXW1r9pLUM74A==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-freebsd-x64/-/lightningcss-freebsd-x64-1.32.0.tgz",
+      "integrity": "sha512-JCTigedEksZk3tHTTthnMdVfGf61Fky8Ji2E4YjUTEQX14xiy/lTzXnu1vwiZe3bYe0q+SpsSH/CTeDXK6WHig==",
       "cpu": [
         "x64"
       ],
@@ -2178,9 +2178,9 @@
       }
     },
     "node_modules/lightningcss-linux-arm-gnueabihf": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm-gnueabihf/-/lightningcss-linux-arm-gnueabihf-1.31.1.tgz",
-      "integrity": "sha512-OOCm2//MZJ87CdDK62rZIu+aw9gBv4azMJuA8/KB74wmfS3lnC4yoPHm0uXZ/dvNNHmnZnB8XLAZzObeG0nS1g==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm-gnueabihf/-/lightningcss-linux-arm-gnueabihf-1.32.0.tgz",
+      "integrity": "sha512-x6rnnpRa2GL0zQOkt6rts3YDPzduLpWvwAF6EMhXFVZXD4tPrBkEFqzGowzCsIWsPjqSK+tyNEODUBXeeVHSkw==",
       "cpu": [
         "arm"
       ],
@@ -2199,9 +2199,9 @@
       }
     },
     "node_modules/lightningcss-linux-arm64-gnu": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-gnu/-/lightningcss-linux-arm64-gnu-1.31.1.tgz",
-      "integrity": "sha512-WKyLWztD71rTnou4xAD5kQT+982wvca7E6QoLpoawZ1gP9JM0GJj4Tp5jMUh9B3AitHbRZ2/H3W5xQmdEOUlLg==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-gnu/-/lightningcss-linux-arm64-gnu-1.32.0.tgz",
+      "integrity": "sha512-0nnMyoyOLRJXfbMOilaSRcLH3Jw5z9HDNGfT/gwCPgaDjnx0i8w7vBzFLFR1f6CMLKF8gVbebmkUN3fa/kQJpQ==",
       "cpu": [
         "arm64"
       ],
@@ -2220,9 +2220,9 @@
       }
     },
     "node_modules/lightningcss-linux-arm64-musl": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-musl/-/lightningcss-linux-arm64-musl-1.31.1.tgz",
-      "integrity": "sha512-mVZ7Pg2zIbe3XlNbZJdjs86YViQFoJSpc41CbVmKBPiGmC4YrfeOyz65ms2qpAobVd7WQsbW4PdsSJEMymyIMg==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-musl/-/lightningcss-linux-arm64-musl-1.32.0.tgz",
+      "integrity": "sha512-UpQkoenr4UJEzgVIYpI80lDFvRmPVg6oqboNHfoH4CQIfNA+HOrZ7Mo7KZP02dC6LjghPQJeBsvXhJod/wnIBg==",
       "cpu": [
         "arm64"
       ],
@@ -2241,9 +2241,9 @@
       }
     },
     "node_modules/lightningcss-linux-x64-gnu": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-linux-x64-gnu/-/lightningcss-linux-x64-gnu-1.31.1.tgz",
-      "integrity": "sha512-xGlFWRMl+0KvUhgySdIaReQdB4FNudfUTARn7q0hh/V67PVGCs3ADFjw+6++kG1RNd0zdGRlEKa+T13/tQjPMA==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-x64-gnu/-/lightningcss-linux-x64-gnu-1.32.0.tgz",
+      "integrity": "sha512-V7Qr52IhZmdKPVr+Vtw8o+WLsQJYCTd8loIfpDaMRWGUZfBOYEJeyJIkqGIDMZPwPx24pUMfwSxxI8phr/MbOA==",
       "cpu": [
         "x64"
       ],
@@ -2262,9 +2262,9 @@
       }
     },
     "node_modules/lightningcss-linux-x64-musl": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-linux-x64-musl/-/lightningcss-linux-x64-musl-1.31.1.tgz",
-      "integrity": "sha512-eowF8PrKHw9LpoZii5tdZwnBcYDxRw2rRCyvAXLi34iyeYfqCQNA9rmUM0ce62NlPhCvof1+9ivRaTY6pSKDaA==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-x64-musl/-/lightningcss-linux-x64-musl-1.32.0.tgz",
+      "integrity": "sha512-bYcLp+Vb0awsiXg/80uCRezCYHNg1/l3mt0gzHnWV9XP1W5sKa5/TCdGWaR/zBM2PeF/HbsQv/j2URNOiVuxWg==",
       "cpu": [
         "x64"
       ],
@@ -2283,9 +2283,9 @@
       }
     },
     "node_modules/lightningcss-win32-arm64-msvc": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-win32-arm64-msvc/-/lightningcss-win32-arm64-msvc-1.31.1.tgz",
-      "integrity": "sha512-aJReEbSEQzx1uBlQizAOBSjcmr9dCdL3XuC/6HLXAxmtErsj2ICo5yYggg1qOODQMtnjNQv2UHb9NpOuFtYe4w==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-win32-arm64-msvc/-/lightningcss-win32-arm64-msvc-1.32.0.tgz",
+      "integrity": "sha512-8SbC8BR40pS6baCM8sbtYDSwEVQd4JlFTOlaD3gWGHfThTcABnNDBda6eTZeqbofalIJhFx0qKzgHJmcPTnGdw==",
       "cpu": [
         "arm64"
       ],
@@ -2304,9 +2304,9 @@
       }
     },
     "node_modules/lightningcss-win32-x64-msvc": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-win32-x64-msvc/-/lightningcss-win32-x64-msvc-1.31.1.tgz",
-      "integrity": "sha512-I9aiFrbd7oYHwlnQDqr1Roz+fTz61oDDJX7n9tYF9FJymH1cIN1DtKw3iYt6b8WZgEjoNwVSncwF4wx/ZedMhw==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-win32-x64-msvc/-/lightningcss-win32-x64-msvc-1.32.0.tgz",
+      "integrity": "sha512-Amq9B/SoZYdDi1kFrojnoqPLxYhQ4Wo5XiL8EVJrVsB8ARoC1PWW6VGtT0WKCemjy8aC+louJnjS7U18x3b06Q==",
       "cpu": [
         "x64"
       ],
@@ -2366,9 +2366,9 @@
       }
     },
     "node_modules/mlly": {
-      "version": "1.8.1",
-      "resolved": "https://registry.npmjs.org/mlly/-/mlly-1.8.1.tgz",
-      "integrity": "sha512-SnL6sNutTwRWWR/vcmCYHSADjiEesp5TGQQ0pXyLhW5IoeibRlF/CbSLailbB3CNqJUk9cVJ9dUDnbD7GrcHBQ==",
+      "version": "1.8.2",
+      "resolved": "https://registry.npmjs.org/mlly/-/mlly-1.8.2.tgz",
+      "integrity": "sha512-d+ObxMQFmbt10sretNDytwt85VrbkhhUA/JBGm1MPaWJ65Cl4wOgLaB1NYvJSZ0Ef03MMEU/0xpPMXUIQ29UfA==",
       "license": "MIT",
       "dependencies": {
         "acorn": "^8.16.0",
@@ -2395,9 +2395,9 @@
       }
     },
     "node_modules/msw": {
-      "version": "2.12.13",
-      "resolved": "https://registry.npmjs.org/msw/-/msw-2.12.13.tgz",
-      "integrity": "sha512-9CV2mXT9+z0J26MQDfEZZkj/psJ5Er/w0w+t95FWdaGH/DTlhNZBx8vBO5jSYv8AZEnl3ouX+AaTT68KXdAIag==",
+      "version": "2.12.14",
+      "resolved": "https://registry.npmjs.org/msw/-/msw-2.12.14.tgz",
+      "integrity": "sha512-4KXa4nVBIBjbDbd7vfQNuQ25eFxug0aropCQFoI0JdOBuJWamkT1yLVIWReFI8SiTRc+H1hKzaNk+cLk2N9rtQ==",
       "hasInstallScript": true,
       "license": "MIT",
       "dependencies": {
@@ -2502,9 +2502,9 @@
       "license": "ISC"
     },
     "node_modules/picomatch": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
-      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
       "license": "MIT",
       "engines": {
         "node": ">=12"
@@ -2597,9 +2597,9 @@
       "license": "MIT"
     },
     "node_modules/rollup": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.59.0.tgz",
-      "integrity": "sha512-2oMpl67a3zCH9H79LeMcbDhXW/UmWG/y2zuqnF2jQq5uq9TbM9TVyXvA4+t+ne2IIkBdrLpAaRQAvo7YI/Yyeg==",
+      "version": "4.60.0",
+      "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.60.0.tgz",
+      "integrity": "sha512-yqjxruMGBQJ2gG4HtjZtAfXArHomazDHoFwFFmZZl0r7Pdo7qCIXKqKHZc8yeoMgzJJ+pO6pEEHa+V7uzWlrAQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -2613,31 +2613,31 @@
         "npm": ">=8.0.0"
       },
       "optionalDependencies": {
-        "@rollup/rollup-android-arm-eabi": "4.59.0",
-        "@rollup/rollup-android-arm64": "4.59.0",
-        "@rollup/rollup-darwin-arm64": "4.59.0",
-        "@rollup/rollup-darwin-x64": "4.59.0",
-        "@rollup/rollup-freebsd-arm64": "4.59.0",
-        "@rollup/rollup-freebsd-x64": "4.59.0",
-        "@rollup/rollup-linux-arm-gnueabihf": "4.59.0",
-        "@rollup/rollup-linux-arm-musleabihf": "4.59.0",
-        "@rollup/rollup-linux-arm64-gnu": "4.59.0",
-        "@rollup/rollup-linux-arm64-musl": "4.59.0",
-        "@rollup/rollup-linux-loong64-gnu": "4.59.0",
-        "@rollup/rollup-linux-loong64-musl": "4.59.0",
-        "@rollup/rollup-linux-ppc64-gnu": "4.59.0",
-        "@rollup/rollup-linux-ppc64-musl": "4.59.0",
-        "@rollup/rollup-linux-riscv64-gnu": "4.59.0",
-        "@rollup/rollup-linux-riscv64-musl": "4.59.0",
-        "@rollup/rollup-linux-s390x-gnu": "4.59.0",
-        "@rollup/rollup-linux-x64-gnu": "4.59.0",
-        "@rollup/rollup-linux-x64-musl": "4.59.0",
-        "@rollup/rollup-openbsd-x64": "4.59.0",
-        "@rollup/rollup-openharmony-arm64": "4.59.0",
-        "@rollup/rollup-win32-arm64-msvc": "4.59.0",
-        "@rollup/rollup-win32-ia32-msvc": "4.59.0",
-        "@rollup/rollup-win32-x64-gnu": "4.59.0",
-        "@rollup/rollup-win32-x64-msvc": "4.59.0",
+        "@rollup/rollup-android-arm-eabi": "4.60.0",
+        "@rollup/rollup-android-arm64": "4.60.0",
+        "@rollup/rollup-darwin-arm64": "4.60.0",
+        "@rollup/rollup-darwin-x64": "4.60.0",
+        "@rollup/rollup-freebsd-arm64": "4.60.0",
+        "@rollup/rollup-freebsd-x64": "4.60.0",
+        "@rollup/rollup-linux-arm-gnueabihf": "4.60.0",
+        "@rollup/rollup-linux-arm-musleabihf": "4.60.0",
+        "@rollup/rollup-linux-arm64-gnu": "4.60.0",
+        "@rollup/rollup-linux-arm64-musl": "4.60.0",
+        "@rollup/rollup-linux-loong64-gnu": "4.60.0",
+        "@rollup/rollup-linux-loong64-musl": "4.60.0",
+        "@rollup/rollup-linux-ppc64-gnu": "4.60.0",
+        "@rollup/rollup-linux-ppc64-musl": "4.60.0",
+        "@rollup/rollup-linux-riscv64-gnu": "4.60.0",
+        "@rollup/rollup-linux-riscv64-musl": "4.60.0",
+        "@rollup/rollup-linux-s390x-gnu": "4.60.0",
+        "@rollup/rollup-linux-x64-gnu": "4.60.0",
+        "@rollup/rollup-linux-x64-musl": "4.60.0",
+        "@rollup/rollup-openbsd-x64": "4.60.0",
+        "@rollup/rollup-openharmony-arm64": "4.60.0",
+        "@rollup/rollup-win32-arm64-msvc": "4.60.0",
+        "@rollup/rollup-win32-ia32-msvc": "4.60.0",
+        "@rollup/rollup-win32-x64-gnu": "4.60.0",
+        "@rollup/rollup-win32-x64-msvc": "4.60.0",
         "fsevents": "~2.3.2"
       }
     },
@@ -2722,15 +2722,15 @@
       }
     },
     "node_modules/tailwindcss": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.2.1.tgz",
-      "integrity": "sha512-/tBrSQ36vCleJkAOsy9kbNTgaxvGbyOamC30PRePTQe/o1MFwEKHQk4Cn7BNGaPtjp+PuUrByJehM1hgxfq4sw==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.2.2.tgz",
+      "integrity": "sha512-KWBIxs1Xb6NoLdMVqhbhgwZf2PGBpPEiwOqgI4pFIYbNTfBXiKYyWoTsXgBQ9WFg/OlhnvHaY+AEpW7wSmFo2Q==",
       "license": "MIT"
     },
     "node_modules/tapable": {
-      "version": "2.3.0",
-      "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.3.0.tgz",
-      "integrity": "sha512-g9ljZiwki/LfxmQADO3dEY1CbpmXT5Hm2fJ+QaGKwSXUylMybePR7/67YW7jOrrvjEgL1Fmz5kzyAjWVWLlucg==",
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.3.2.tgz",
+      "integrity": "sha512-1MOpMXuhGzGL5TTCZFItxCc0AARf1EZFQkGqMm7ERKj8+Hgr5oLvJOVFcC+lRmR8hCe2S3jC4T5D7Vg/d7/fhA==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -2758,27 +2758,27 @@
       }
     },
     "node_modules/tldts": {
-      "version": "7.0.25",
-      "resolved": "https://registry.npmjs.org/tldts/-/tldts-7.0.25.tgz",
-      "integrity": "sha512-keinCnPbwXEUG3ilrWQZU+CqcTTzHq9m2HhoUP2l7Xmi8l1LuijAXLpAJ5zRW+ifKTNscs4NdCkfkDCBYm352w==",
+      "version": "7.0.27",
+      "resolved": "https://registry.npmjs.org/tldts/-/tldts-7.0.27.tgz",
+      "integrity": "sha512-I4FZcVFcqCRuT0ph6dCDpPuO4Xgzvh+spkcTr1gK7peIvxWauoloVO0vuy1FQnijT63ss6AsHB6+OIM4aXHbPg==",
       "license": "MIT",
       "dependencies": {
-        "tldts-core": "^7.0.25"
+        "tldts-core": "^7.0.27"
       },
       "bin": {
         "tldts": "bin/cli.js"
       }
     },
     "node_modules/tldts-core": {
-      "version": "7.0.25",
-      "resolved": "https://registry.npmjs.org/tldts-core/-/tldts-core-7.0.25.tgz",
-      "integrity": "sha512-ZjCZK0rppSBu7rjHYDYsEaMOIbbT+nWF57hKkv4IUmZWBNrBWBOjIElc0mKRgLM8bm7x/BBlof6t2gi/Oq/Asw==",
+      "version": "7.0.27",
+      "resolved": "https://registry.npmjs.org/tldts-core/-/tldts-core-7.0.27.tgz",
+      "integrity": "sha512-YQ7uPjgWUibIK6DW5lrKujGwUKhLevU4hcGbP5O6TcIUb+oTjJYJVWPS4nZsIHrEEEG6myk/oqAJUEQmpZrHsg==",
       "license": "MIT"
     },
     "node_modules/tough-cookie": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-6.0.0.tgz",
-      "integrity": "sha512-kXuRi1mtaKMrsLUxz3sQYvVl37B0Ns6MzfrtV5DvJceE9bPyspOqk9xxv7XbZWcfLWbFmm997vl83qUWVJA64w==",
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-6.0.1.tgz",
+      "integrity": "sha512-LktZQb3IeoUWB9lqR5EWTHgW/VTITCXg4D21M+lvybRVdylLrRMnqaIONLVb5mav8vM19m44HIcGq4qASeu2Qw==",
       "license": "BSD-3-Clause",
       "dependencies": {
         "tldts": "^7.0.5"
@@ -2788,9 +2788,9 @@
       }
     },
     "node_modules/type-fest": {
-      "version": "5.4.4",
-      "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-5.4.4.tgz",
-      "integrity": "sha512-JnTrzGu+zPV3aXIUhnyWJj4z/wigMsdYajGLIYakqyOW1nPllzXEJee0QQbHj+CTIQtXGlAjuK0UY+2xTyjVAw==",
+      "version": "5.5.0",
+      "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-5.5.0.tgz",
+      "integrity": "sha512-PlBfpQwiUvGViBNX84Yxwjsdhd1TUlXr6zjX7eoirtCPIr08NAmxwa+fcYBTeRQxHo9YC9wwF3m9i700sHma8g==",
       "license": "(MIT OR CC0-1.0)",
       "dependencies": {
         "tagged-tag": "^1.0.0"
@@ -2944,16 +2944,16 @@
       }
     },
     "node_modules/vue": {
-      "version": "3.5.30",
-      "resolved": "https://registry.npmjs.org/vue/-/vue-3.5.30.tgz",
-      "integrity": "sha512-hTHLc6VNZyzzEH/l7PFGjpcTvUgiaPK5mdLkbjrTeWSRcEfxFrv56g/XckIYlE9ckuobsdwqd5mk2g1sBkMewg==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/vue/-/vue-3.5.31.tgz",
+      "integrity": "sha512-iV/sU9SzOlmA/0tygSmjkEN6Jbs3nPoIPFhCMLD2STrjgOU8DX7ZtzMhg4ahVwf5Rp9KoFzcXeB1ZrVbLBp5/Q==",
       "license": "MIT",
       "dependencies": {
-        "@vue/compiler-dom": "3.5.30",
-        "@vue/compiler-sfc": "3.5.30",
-        "@vue/runtime-dom": "3.5.30",
-        "@vue/server-renderer": "3.5.30",
-        "@vue/shared": "3.5.30"
+        "@vue/compiler-dom": "3.5.31",
+        "@vue/compiler-sfc": "3.5.31",
+        "@vue/runtime-dom": "3.5.31",
+        "@vue/server-renderer": "3.5.31",
+        "@vue/shared": "3.5.31"
       },
       "peerDependencies": {
         "typescript": "*"
@@ -2965,9 +2965,9 @@
       }
     },
     "node_modules/vue-router": {
-      "version": "5.0.3",
-      "resolved": "https://registry.npmjs.org/vue-router/-/vue-router-5.0.3.tgz",
-      "integrity": "sha512-nG1c7aAFac7NYj8Hluo68WyWfc41xkEjaR0ViLHCa3oDvTQ/nIuLJlXJX1NUPw/DXzx/8+OKMng045HHQKQKWw==",
+      "version": "5.0.4",
+      "resolved": "https://registry.npmjs.org/vue-router/-/vue-router-5.0.4.tgz",
+      "integrity": "sha512-lCqDLCI2+fKVRl2OzXuzdSWmxXFLQRxQbmHugnRpTMyYiT+hNaycV0faqG5FBHDXoYrZ6MQcX87BvbY8mQ20Bg==",
       "license": "MIT",
       "dependencies": {
         "@babel/generator": "^7.28.6",
@@ -3039,9 +3039,9 @@
       }
     },
     "node_modules/yaml": {
-      "version": "2.8.2",
-      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.2.tgz",
-      "integrity": "sha512-mplynKqc1C2hTVYxd0PU2xQAc22TI1vShAYGksCCfxbn/dFwnHTNi1bvYsBTkhdUNtGIf5xNOg938rrSSYvS9A==",
+      "version": "2.8.3",
+      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.3.tgz",
+      "integrity": "sha512-AvbaCLOO2Otw/lW5bmh9d/WEdcDFdQp2Z2ZUH3pX9U2ihyUY0nvLv7J6TrWowklRGPYbB/IuIMfYgxaCPg5Bpg==",
       "license": "ISC",
       "bin": {
         "yaml": "bin.mjs"
diff --git a/apps/demo/package.json b/apps/demo/package.json
index 6db648dc2..ec9500fa5 100644
--- a/apps/demo/package.json
+++ b/apps/demo/package.json
@@ -1,12 +1,13 @@
 {
   "name": "drydock-demo",
-  "version": "1.4.5",
+  "version": "1.5.0",
   "private": true,
   "type": "module",
   "scripts": {
     "dev": "vite",
     "build": "vite build",
-    "preview": "vite preview"
+    "preview": "vite preview",
+    "test:security": "node --test tests/security/*.test.js"
   },
   "dependencies": {
     "@fontsource/ibm-plex-mono": "^5.2.7",
@@ -34,6 +35,9 @@
     "typescript": "^5.9.3",
     "vite": "^7.3.1"
   },
+  "overrides": {
+    "yaml": "2.8.3"
+  },
   "msw": {
     "workerDirectory": [
       "public"
diff --git a/apps/demo/public/mockServiceWorker.js b/apps/demo/public/mockServiceWorker.js
index b548da64e..ec2636257 100644
--- a/apps/demo/public/mockServiceWorker.js
+++ b/apps/demo/public/mockServiceWorker.js
@@ -7,7 +7,7 @@
  * - Please do NOT modify this file.
  */
 
-const PACKAGE_VERSION = '2.12.13';
+const PACKAGE_VERSION = '2.12.14';
 const INTEGRITY_CHECKSUM = '4db4a41e972cec1b64cc569c66952d82';
 const IS_MOCKED_RESPONSE = Symbol('isMockedResponse');
 const activeClientIds = new Set();
diff --git a/apps/demo/src/mocks/data/agents.ts b/apps/demo/src/mocks/data/agents.ts
index 15692628a..35452c724 100644
--- a/apps/demo/src/mocks/data/agents.ts
+++ b/apps/demo/src/mocks/data/agents.ts
@@ -4,7 +4,7 @@ export const agents = [
     host: '192.168.1.50',
     port: 3001,
     connected: true,
-    version: '1.4.5',
+    version: '1.5.0',
     os: 'linux',
     arch: 'amd64',
     cpus: 4,
diff --git a/apps/demo/src/mocks/data/audit.ts b/apps/demo/src/mocks/data/audit.ts
index 62a65743b..2e397ec8b 100644
--- a/apps/demo/src/mocks/data/audit.ts
+++ b/apps/demo/src/mocks/data/audit.ts
@@ -3,7 +3,7 @@ export const auditEntries = [
     id: 'aud-001',
     timestamp: '2026-03-10T08:00:00.000Z',
     action: 'system:start',
-    details: 'Drydock v1.4.1 started',
+    details: 'Drydock v1.5.0 started',
   },
   {
     id: 'aud-002',
@@ -207,6 +207,6 @@ export const auditEntries = [
     timestamp: '2026-03-03T18:00:00.000Z',
     action: 'container:watch',
     container: 'drydock',
-    details: 'Started watching ghcr.io/codeswhat/drydock:1.4.1',
+    details: 'Started watching ghcr.io/codeswhat/drydock:1.5.0',
   },
 ];
diff --git a/apps/demo/src/mocks/data/containers.ts b/apps/demo/src/mocks/data/containers.ts
index 0283fd22f..433db717d 100644
--- a/apps/demo/src/mocks/data/containers.ts
+++ b/apps/demo/src/mocks/data/containers.ts
@@ -330,7 +330,7 @@ export const containers = [
     displayName: 'Drydock',
     displayIcon: 'sh-drydock',
     image: 'codeswhat/drydock',
-    tag: '1.4.1',
+    tag: '1.5.0',
     registryType: 'ghcr',
     registryUrl: 'https://ghcr.io',
     scanStatus: 'scanned',
diff --git a/apps/demo/src/mocks/data/server.ts b/apps/demo/src/mocks/data/server.ts
index 95843ed2d..3785f15d9 100644
--- a/apps/demo/src/mocks/data/server.ts
+++ b/apps/demo/src/mocks/data/server.ts
@@ -1,5 +1,5 @@
 export const serverInfo = {
-  version: '1.4.5',
+  version: '1.5.0',
   uptime: 864000,
   hostname: 'drydock-demo',
   platform: 'linux',
diff --git a/apps/demo/src/mocks/handlers/agents.ts b/apps/demo/src/mocks/handlers/agents.ts
index 8634b42be..a2046aa6d 100644
--- a/apps/demo/src/mocks/handlers/agents.ts
+++ b/apps/demo/src/mocks/handlers/agents.ts
@@ -35,11 +35,11 @@ function buildAgentLogEntries(specs: AgentLogEntrySpec[]) {
 }
 
 export const agentHandlers = [
-  http.get('/api/agents', () => HttpResponse.json({ data: agents })),
-  http.get('/api/agents/:name/log', () =>
+  http.get('/api/v1/agents', () => HttpResponse.json({ data: agents })),
+  http.get('/api/v1/agents/:name/log', () =>
     HttpResponse.json({ entries: buildAgentLogEntries(agentLogSummarySpecs) }),
   ),
-  http.get('/api/agents/:name/log/entries', () =>
+  http.get('/api/v1/agents/:name/log/entries', () =>
     HttpResponse.json({ entries: buildAgentLogEntries(agentLogDetailSpecs) }),
   ),
 ];
diff --git a/apps/demo/src/mocks/handlers/app.ts b/apps/demo/src/mocks/handlers/app.ts
index df8cfe208..caa95564e 100644
--- a/apps/demo/src/mocks/handlers/app.ts
+++ b/apps/demo/src/mocks/handlers/app.ts
@@ -1,13 +1,34 @@
 import { HttpResponse, http } from 'msw';
 
 export const appHandlers = [
-  http.get('/api/app', () =>
+  http.get('/api/v1/app', () =>
     HttpResponse.json({
       name: 'Drydock',
-      version: '1.4.1',
+      version: '1.5.0',
       description: 'Docker container update manager',
       repository: 'https://github.com/CodesWhat/drydock',
       documentation: 'https://getdrydock.com/docs',
     }),
   ),
+
+  http.get('/api/v1/debug/dump', () => {
+    const dateOnly = new Date().toISOString().slice(0, 10);
+    return HttpResponse.json(
+      {
+        generatedAt: new Date().toISOString(),
+        server: { version: '1.5.0', mode: 'demo' },
+        summary: {
+          containers: 25,
+          watchers: 2,
+          registries: 4,
+          triggers: 6,
+        },
+      },
+      {
+        headers: {
+          'Content-Disposition': `attachment; filename="drydock-debug-${dateOnly}.json"`,
+        },
+      },
+    );
+  }),
 ];
diff --git a/apps/demo/src/mocks/handlers/audit.ts b/apps/demo/src/mocks/handlers/audit.ts
index 68f4b1c3c..dfdfe09f8 100644
--- a/apps/demo/src/mocks/handlers/audit.ts
+++ b/apps/demo/src/mocks/handlers/audit.ts
@@ -2,7 +2,7 @@ import { HttpResponse, http } from 'msw';
 import { auditEntries } from '../data/audit';
 
 export const auditHandlers = [
-  http.get('/api/audit', ({ request }) => {
+  http.get('/api/v1/audit', ({ request }) => {
     const url = new URL(request.url);
     const limit = Number(url.searchParams.get('limit')) || 50;
     const offset = Number(url.searchParams.get('offset')) || 0;
diff --git a/apps/demo/src/mocks/handlers/auth.ts b/apps/demo/src/mocks/handlers/auth.ts
index 979e528a2..957dac4c8 100644
--- a/apps/demo/src/mocks/handlers/auth.ts
+++ b/apps/demo/src/mocks/handlers/auth.ts
@@ -17,6 +17,16 @@ function isOffline(): boolean {
 }
 
 export const authHandlers = [
+  http.get('/api/v1/auth/status', () => {
+    if (isOffline()) {
+      return HttpResponse.error();
+    }
+    return HttpResponse.json({
+      providers: [{ type: 'basic', name: 'basic' }],
+      errors: [],
+    });
+  }),
+
   http.get('/auth/user', () => {
     if (isOffline()) {
       return new HttpResponse(null, { status: 401 });
diff --git a/apps/demo/src/mocks/handlers/authentications.ts b/apps/demo/src/mocks/handlers/authentications.ts
index 7d44c0a2b..bc12a288a 100644
--- a/apps/demo/src/mocks/handlers/authentications.ts
+++ b/apps/demo/src/mocks/handlers/authentications.ts
@@ -1,5 +1,5 @@
 import { HttpResponse, http } from 'msw';
 
 export const authenticationHandlers = [
-  http.get('/api/authentications', () => HttpResponse.json({ data: [] })),
+  http.get('/api/v1/authentications', () => HttpResponse.json({ data: [] })),
 ];
diff --git a/apps/demo/src/mocks/handlers/containers.ts b/apps/demo/src/mocks/handlers/containers.ts
index cc3a71b7a..e8f6a1771 100644
--- a/apps/demo/src/mocks/handlers/containers.ts
+++ b/apps/demo/src/mocks/handlers/containers.ts
@@ -2,6 +2,18 @@ import { HttpResponse, http } from 'msw';
 import { containers } from '../data/containers';
 
 type MockContainer = (typeof containers)[number] & Record<string, unknown>;
+type ContainerStatsSnapshot = {
+  containerId: string;
+  cpuPercent: number;
+  memoryUsageBytes: number;
+  memoryLimitBytes: number;
+  memoryPercent: number;
+  networkRxBytes: number;
+  networkTxBytes: number;
+  blockReadBytes: number;
+  blockWriteBytes: number;
+  timestamp: string;
+};
 
 function groupContainers() {
   const groups = new Map<string | null, MockContainer[]>();
@@ -24,8 +36,57 @@ function groupContainers() {
   }));
 }
 
+function getContainerById(id: string | readonly string[] | undefined): MockContainer | undefined {
+  return containers.find((container) => container.id === id) as MockContainer | undefined;
+}
+
+function getContainerName(container: MockContainer): string {
+  if (typeof container.displayName === 'string' && container.displayName.length > 0) {
+    return container.displayName;
+  }
+  return String(container.name ?? 'container');
+}
+
+function getContainerTag(container: MockContainer): string {
+  const tag = container.image?.tag?.value;
+  return typeof tag === 'string' && tag.length > 0 ? tag : 'latest';
+}
+
+function hasContainerUpdate(container: MockContainer): boolean {
+  return Boolean(container.updateAvailable && container.result?.tag);
+}
+
+function buildStatsSeed(containerId: string): number {
+  let seed = 0;
+  for (const char of containerId) {
+    seed = (seed * 31 + char.charCodeAt(0)) >>> 0;
+  }
+  return seed;
+}
+
+function buildStatsSnapshot(containerId: string, minutesAgo: number): ContainerStatsSnapshot {
+  const seed = buildStatsSeed(containerId);
+  const memoryLimitBytes = 2 * 1024 * 1024 * 1024;
+  const usageScale = 0.25 + (seed % 60) / 100;
+  const memoryUsageBytes = Math.round(memoryLimitBytes * usageScale);
+  const memoryPercent = Math.round((memoryUsageBytes / memoryLimitBytes) * 1000) / 10;
+  const cpuPercent = Math.round((3 + (seed % 35) + minutesAgo * 0.2) * 10) / 10;
+  return {
+    containerId,
+    cpuPercent,
+    memoryUsageBytes,
+    memoryLimitBytes,
+    memoryPercent,
+    networkRxBytes: (60 + (seed % 700)) * 1024 * 1024,
+    networkTxBytes: (40 + (seed % 500)) * 1024 * 1024,
+    blockReadBytes: (5 + (seed % 80)) * 1024 * 1024,
+    blockWriteBytes: (3 + (seed % 60)) * 1024 * 1024,
+    timestamp: new Date(Date.now() - minutesAgo * 60_000).toISOString(),
+  };
+}
+
 export const containerHandlers = [
-  http.get('/api/containers', ({ request }) => {
+  http.get('/api/v1/containers', ({ request }) => {
     const url = new URL(request.url);
     const limit = Number(url.searchParams.get('limit')) || containers.length;
     const offset = Number(url.searchParams.get('offset')) || 0;
@@ -33,7 +94,7 @@ export const containerHandlers = [
     return HttpResponse.json({ data: slice });
   }),
 
-  http.get('/api/containers/summary', () => {
+  http.get('/api/v1/containers/summary', () => {
     const running = containers.filter((c) => c.status === 'running').length;
     const stopped = containers.filter((c) => c.status === 'stopped').length;
     const issues = (containers as MockContainer[]).reduce((sum, c) => {
@@ -47,7 +108,7 @@ export const containerHandlers = [
     });
   }),
 
-  http.get('/api/containers/recent-status', () => {
+  http.get('/api/v1/containers/recent-status', () => {
     const statuses: Record<string, string> = {};
     for (const c of containers as MockContainer[]) {
       if (c.updateAvailable) statuses[c.id] = 'pending';
@@ -55,27 +116,88 @@ export const containerHandlers = [
     return HttpResponse.json({ statuses });
   }),
 
-  http.get('/api/containers/groups', () => HttpResponse.json({ data: groupContainers() })),
+  http.get('/api/v1/containers/groups', () => HttpResponse.json({ data: groupContainers() })),
+
+  http.get('/api/v1/containers/stats', () => {
+    const data = (containers as MockContainer[]).map((container) => ({
+      id: container.id,
+      name: getContainerName(container),
+      status: String(container.status ?? 'unknown'),
+      watcher: String(container.watcher ?? 'local'),
+      stats: container.status === 'running' ? buildStatsSnapshot(container.id, 0) : null,
+    }));
+    return HttpResponse.json({ data });
+  }),
 
-  http.post('/api/containers/watch', () => HttpResponse.json({ success: true })),
+  http.post('/api/v1/containers/watch', () => HttpResponse.json({ success: true })),
 
   // Single container
-  http.get('/api/containers/:id', ({ params }) => {
-    const container = containers.find((c) => c.id === params.id);
+  http.get('/api/v1/containers/:id', ({ params }) => {
+    const container = getContainerById(params.id);
     if (!container) return new HttpResponse(null, { status: 404 });
     return HttpResponse.json(container);
   }),
 
-  http.delete('/api/containers/:id', () => HttpResponse.json({ success: true })),
+  http.delete('/api/v1/containers/:id', () => HttpResponse.json({ success: true })),
 
-  http.post('/api/containers/:id/watch', ({ params }) => {
-    const container = containers.find((c) => c.id === params.id);
+  http.post('/api/v1/containers/:id/watch', ({ params }) => {
+    const container = getContainerById(params.id);
     if (!container) return new HttpResponse(null, { status: 404 });
     return HttpResponse.json(container);
   }),
 
+  http.post('/api/v1/containers/:id/start', ({ params }) => {
+    const container = getContainerById(params.id);
+    if (!container) return new HttpResponse(null, { status: 404 });
+    return HttpResponse.json({ success: true, action: 'start', id: container.id });
+  }),
+
+  http.post('/api/v1/containers/:id/stop', ({ params }) => {
+    const container = getContainerById(params.id);
+    if (!container) return new HttpResponse(null, { status: 404 });
+    return HttpResponse.json({ success: true, action: 'stop', id: container.id });
+  }),
+
+  http.post('/api/v1/containers/:id/restart', ({ params }) => {
+    const container = getContainerById(params.id);
+    if (!container) return new HttpResponse(null, { status: 404 });
+    return HttpResponse.json({ success: true, action: 'restart', id: container.id });
+  }),
+
+  http.post('/api/v1/containers/:id/update', ({ params }) => {
+    const container = getContainerById(params.id);
+    if (!container) return new HttpResponse(null, { status: 404 });
+    return HttpResponse.json({
+      success: true,
+      action: 'update',
+      id: container.id,
+      operationId: `demo-update-${container.id}`,
+    });
+  }),
+
+  http.post('/api/v1/containers/:id/preview', ({ params }) => {
+    const container = getContainerById(params.id);
+    if (!container) return new HttpResponse(null, { status: 404 });
+    const currentTag = getContainerTag(container);
+    const targetTag =
+      typeof container.result?.tag === 'string' && container.result.tag.length > 0
+        ? container.result.tag
+        : currentTag;
+    const composeFile = `/srv/stacks/${container.name}/docker-compose.yml`;
+    return HttpResponse.json({
+      dryRun: true,
+      compose: {
+        files: [composeFile],
+        service: String(container.name),
+        writableFile: composeFile,
+        willWrite: true,
+        patch: `services:\n  ${container.name}:\n    image: ${container.image?.name}:${targetTag}  # was ${currentTag}`,
+      },
+    });
+  }),
+
   // Container triggers
-  http.get('/api/containers/:id/triggers', () =>
+  http.get('/api/v1/containers/:id/triggers', () =>
     HttpResponse.json({
       data: [
         { type: 'slack', name: 'homelab', threshold: 'all' },
@@ -84,14 +206,16 @@ export const containerHandlers = [
     }),
   ),
 
-  http.post('/api/containers/:id/triggers/:type/:name', () => HttpResponse.json({ success: true })),
+  http.post('/api/v1/containers/:id/triggers/:type/:name', () =>
+    HttpResponse.json({ success: true }),
+  ),
 
-  http.post('/api/containers/:id/triggers/:type/:name/:agent', () =>
+  http.post('/api/v1/containers/:id/triggers/:type/:name/:agent', () =>
     HttpResponse.json({ success: true }),
   ),
 
   // Container logs
-  http.get('/api/containers/:id/logs', () =>
+  http.get('/api/v1/containers/:id/logs', () =>
     HttpResponse.json({
       lines: [
         'Starting container...',
@@ -104,14 +228,43 @@ export const containerHandlers = [
   ),
 
   // Update operations
-  http.get('/api/containers/:id/update-operations', () => HttpResponse.json({ data: [] })),
+  http.get('/api/v1/containers/:id/update-operations', () => HttpResponse.json({ data: [] })),
+
+  http.get('/api/v1/containers/:id/stats', ({ params }) => {
+    const container = getContainerById(params.id);
+    if (!container) return new HttpResponse(null, { status: 404 });
+    if (container.status !== 'running') {
+      return HttpResponse.json({ data: null, history: [] });
+    }
+    const history = Array.from({ length: 12 }, (_, index) =>
+      buildStatsSnapshot(container.id, (11 - index) * 5),
+    );
+    return HttpResponse.json({ data: history.at(-1) ?? null, history });
+  }),
+
+  http.get('/api/v1/containers/:id/release-notes', ({ params }) => {
+    const container = getContainerById(params.id);
+    if (!container || !hasContainerUpdate(container)) {
+      return new HttpResponse(null, { status: 404 });
+    }
+    const currentTag = getContainerTag(container);
+    const targetTag = String(container.result?.tag);
+    const name = getContainerName(container);
+    return HttpResponse.json({
+      title: `${name} ${targetTag}`,
+      body: `Demo release notes for ${name}\n\n- Current: ${currentTag}\n- Available: ${targetTag}\n- Kind: ${container.updateKind?.semverDiff ?? 'update'}`,
+      url: `https://github.com/CodesWhat/drydock/releases/tag/v${targetTag}`,
+      publishedAt: new Date(Date.now() - 86_400_000).toISOString(),
+      provider: 'github',
+    });
+  }),
 
   // Update policy
-  http.patch('/api/containers/:id/update-policy', () => HttpResponse.json({ success: true })),
+  http.patch('/api/v1/containers/:id/update-policy', () => HttpResponse.json({ success: true })),
 
   // Scan
-  http.post('/api/containers/:id/scan', ({ params }) => {
-    const container = containers.find((c) => c.id === params.id) as MockContainer | undefined;
+  http.post('/api/v1/containers/:id/scan', ({ params }) => {
+    const container = getContainerById(params.id);
     return HttpResponse.json({
       success: true,
       summary: container?.security?.scan?.summary ?? {
@@ -125,8 +278,8 @@ export const containerHandlers = [
   }),
 
   // Env reveal
-  http.post('/api/containers/:id/env/reveal', ({ params }) => {
-    const container = containers.find((c) => c.id === params.id) as MockContainer | undefined;
+  http.post('/api/v1/containers/:id/env/reveal', ({ params }) => {
+    const container = getContainerById(params.id);
     if (!container) return new HttpResponse(null, { status: 404 });
     const env = container.details?.env ?? [];
     return HttpResponse.json({
@@ -138,7 +291,7 @@ export const containerHandlers = [
   }),
 
   // Backups
-  http.get('/api/containers/:id/backups', () => HttpResponse.json({ data: [] })),
+  http.get('/api/v1/containers/:id/backups', () => HttpResponse.json({ data: [] })),
 
-  http.post('/api/containers/:id/rollback', () => HttpResponse.json({ success: true })),
+  http.post('/api/v1/containers/:id/rollback', () => HttpResponse.json({ success: true })),
 ];
diff --git a/apps/demo/src/mocks/handlers/icons.ts b/apps/demo/src/mocks/handlers/icons.ts
index 923b3b526..b632c9819 100644
--- a/apps/demo/src/mocks/handlers/icons.ts
+++ b/apps/demo/src/mocks/handlers/icons.ts
@@ -37,7 +37,7 @@ async function tryFetch(url: string): Promise<Response | null> {
 }
 
 export const iconHandlers = [
-  http.get('/api/icons/:provider/:slug', async ({ params }) => {
+  http.get('/api/v1/icons/:provider/:slug', async ({ params }) => {
     const provider = params.provider as string;
     const slug = (params.slug as string).replace(/\.(png|svg)$/i, '');
 
@@ -76,5 +76,5 @@ export const iconHandlers = [
     });
   }),
 
-  http.delete('/api/icons/cache', () => HttpResponse.json({ cleared: 0 })),
+  http.delete('/api/v1/icons/cache', () => HttpResponse.json({ cleared: 0 })),
 ];
diff --git a/apps/demo/src/mocks/handlers/log.ts b/apps/demo/src/mocks/handlers/log.ts
index 7a0be3ebc..d6d1840ba 100644
--- a/apps/demo/src/mocks/handlers/log.ts
+++ b/apps/demo/src/mocks/handlers/log.ts
@@ -2,14 +2,14 @@ import { HttpResponse, http } from 'msw';
 import { logEntries } from '../data/logs';
 
 export const logHandlers = [
-  http.get('/api/log', () =>
+  http.get('/api/v1/log', () =>
     HttpResponse.json({
       level: 'info',
       transports: ['console'],
     }),
   ),
 
-  http.get('/api/log/entries', ({ request }) => {
+  http.get('/api/v1/log/entries', ({ request }) => {
     const url = new URL(request.url);
     const level = url.searchParams.get('level');
     const component = url.searchParams.get('component');
diff --git a/apps/demo/src/mocks/handlers/notifications.ts b/apps/demo/src/mocks/handlers/notifications.ts
index 3ceb3d586..a6a3c2203 100644
--- a/apps/demo/src/mocks/handlers/notifications.ts
+++ b/apps/demo/src/mocks/handlers/notifications.ts
@@ -2,9 +2,9 @@ import { HttpResponse, http } from 'msw';
 import { notificationRules } from '../data/notifications';
 
 export const notificationHandlers = [
-  http.get('/api/notifications', () => HttpResponse.json({ data: notificationRules })),
+  http.get('/api/v1/notifications', () => HttpResponse.json({ data: notificationRules })),
 
-  http.patch('/api/notifications/:id', async ({ params, request }) => {
+  http.patch('/api/v1/notifications/:id', async ({ params, request }) => {
     const rule = notificationRules.find((r) => r.id === params.id);
     if (!rule) return new HttpResponse(null, { status: 404 });
     const body = (await request.json()) as Record<string, unknown>;
diff --git a/apps/demo/src/mocks/handlers/registries.ts b/apps/demo/src/mocks/handlers/registries.ts
index fc6e8a3ec..4dd028eec 100644
--- a/apps/demo/src/mocks/handlers/registries.ts
+++ b/apps/demo/src/mocks/handlers/registries.ts
@@ -1,4 +1,4 @@
 import { registries } from '../data/registries';
 import { createTypeNameHandlers } from './typeNameHandlers';
 
-export const registryHandlers = createTypeNameHandlers('/api/registries', registries);
+export const registryHandlers = createTypeNameHandlers('/api/v1/registries', registries);
diff --git a/apps/demo/src/mocks/handlers/security.ts b/apps/demo/src/mocks/handlers/security.ts
index fd57c5756..ff3dbc920 100644
--- a/apps/demo/src/mocks/handlers/security.ts
+++ b/apps/demo/src/mocks/handlers/security.ts
@@ -5,9 +5,11 @@ import { securityOverview } from '../data/vulnerabilities';
 type MockContainer = (typeof containers)[number] & Record<string, unknown>;
 
 export const securityHandlers = [
-  http.get('/api/containers/security/vulnerabilities', () => HttpResponse.json(securityOverview)),
+  http.get('/api/v1/containers/security/vulnerabilities', () =>
+    HttpResponse.json(securityOverview),
+  ),
 
-  http.get('/api/containers/:id/vulnerabilities', ({ params }) => {
+  http.get('/api/v1/containers/:id/vulnerabilities', ({ params }) => {
     const container = containers.find((c) => c.id === params.id) as MockContainer | undefined;
     if (!container) return new HttpResponse(null, { status: 404 });
 
@@ -28,7 +30,7 @@ export const securityHandlers = [
     });
   }),
 
-  http.get('/api/containers/:id/sbom', () =>
+  http.get('/api/v1/containers/:id/sbom', () =>
     HttpResponse.json({
       spdxVersion: 'SPDX-2.3',
       dataLicense: 'CC0-1.0',
diff --git a/apps/demo/src/mocks/handlers/server.ts b/apps/demo/src/mocks/handlers/server.ts
index 3bac04386..ba349ee17 100644
--- a/apps/demo/src/mocks/handlers/server.ts
+++ b/apps/demo/src/mocks/handlers/server.ts
@@ -2,7 +2,7 @@ import { HttpResponse, http } from 'msw';
 import { securityRuntime, serverInfo } from '../data/server';
 
 export const serverHandlers = [
-  http.get('/api/server', () => HttpResponse.json(serverInfo)),
+  http.get('/api/v1/server', () => HttpResponse.json(serverInfo)),
 
-  http.get('/api/server/security/runtime', () => HttpResponse.json(securityRuntime)),
+  http.get('/api/v1/server/security/runtime', () => HttpResponse.json(securityRuntime)),
 ];
diff --git a/apps/demo/src/mocks/handlers/settings.ts b/apps/demo/src/mocks/handlers/settings.ts
index 7b51b8ecd..2d26e0541 100644
--- a/apps/demo/src/mocks/handlers/settings.ts
+++ b/apps/demo/src/mocks/handlers/settings.ts
@@ -3,9 +3,9 @@ import { HttpResponse, http } from 'msw';
 const settings = { internetlessMode: false };
 
 export const settingsHandlers = [
-  http.get('/api/settings', () => HttpResponse.json(settings)),
+  http.get('/api/v1/settings', () => HttpResponse.json(settings)),
 
-  http.patch('/api/settings', () => HttpResponse.json(settings)),
+  http.patch('/api/v1/settings', () => HttpResponse.json(settings)),
 
-  http.delete('/api/icons/cache', () => HttpResponse.json({ cleared: 12 })),
+  http.delete('/api/v1/icons/cache', () => HttpResponse.json({ cleared: 12 })),
 ];
diff --git a/apps/demo/src/mocks/handlers/store.ts b/apps/demo/src/mocks/handlers/store.ts
index 597ac0fa3..96d9e2c48 100644
--- a/apps/demo/src/mocks/handlers/store.ts
+++ b/apps/demo/src/mocks/handlers/store.ts
@@ -1,7 +1,7 @@
 import { HttpResponse, http } from 'msw';
 
 export const storeHandlers = [
-  http.get('/api/store', () =>
+  http.get('/api/v1/store', () =>
     HttpResponse.json({
       collections: ['app', 'audit', 'backup', 'container', 'settings'],
       size: 524288,
diff --git a/apps/demo/src/mocks/handlers/triggers.ts b/apps/demo/src/mocks/handlers/triggers.ts
index a0aa74474..30bdcc359 100644
--- a/apps/demo/src/mocks/handlers/triggers.ts
+++ b/apps/demo/src/mocks/handlers/triggers.ts
@@ -2,21 +2,21 @@ import { HttpResponse, http } from 'msw';
 import { triggers } from '../data/triggers';
 
 export const triggerHandlers = [
-  http.get('/api/triggers', () => HttpResponse.json({ data: triggers })),
+  http.get('/api/v1/triggers', () => HttpResponse.json({ data: triggers })),
 
-  http.get('/api/triggers/:type/:name', ({ params }) => {
+  http.get('/api/v1/triggers/:type/:name', ({ params }) => {
     const trigger = triggers.find((t) => t.type === params.type && t.name === params.name);
     if (!trigger) return new HttpResponse(null, { status: 404 });
     return HttpResponse.json(trigger);
   }),
 
-  http.get('/api/triggers/:type/:name/:agent', ({ params }) => {
+  http.get('/api/v1/triggers/:type/:name/:agent', ({ params }) => {
     const trigger = triggers.find((t) => t.type === params.type && t.name === params.name);
     if (!trigger) return new HttpResponse(null, { status: 404 });
     return HttpResponse.json(trigger);
   }),
 
-  http.post('/api/triggers/:type/:name', () => HttpResponse.json({ success: true })),
+  http.post('/api/v1/triggers/:type/:name', () => HttpResponse.json({ success: true })),
 
-  http.post('/api/triggers/:type/:name/:agent', () => HttpResponse.json({ success: true })),
+  http.post('/api/v1/triggers/:type/:name/:agent', () => HttpResponse.json({ success: true })),
 ];
diff --git a/apps/demo/src/mocks/handlers/watchers.ts b/apps/demo/src/mocks/handlers/watchers.ts
index a0db062be..6f27ad3f9 100644
--- a/apps/demo/src/mocks/handlers/watchers.ts
+++ b/apps/demo/src/mocks/handlers/watchers.ts
@@ -1,4 +1,4 @@
 import { watchers } from '../data/watchers';
 import { createTypeNameHandlers } from './typeNameHandlers';
 
-export const watcherHandlers = createTypeNameHandlers('/api/watchers', watchers);
+export const watcherHandlers = createTypeNameHandlers('/api/v1/watchers', watchers);
diff --git a/apps/demo/tests/security/yaml-lockfile.test.js b/apps/demo/tests/security/yaml-lockfile.test.js
new file mode 100644
index 000000000..4f9fccfdc
--- /dev/null
+++ b/apps/demo/tests/security/yaml-lockfile.test.js
@@ -0,0 +1,35 @@
+import assert from 'node:assert/strict';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import test from 'node:test';
+
+function compareSemver(a, b) {
+  const aParts = a.split('.').map(Number);
+  const bParts = b.split('.').map(Number);
+
+  for (let index = 0; index < Math.max(aParts.length, bParts.length); index += 1) {
+    const aPart = aParts[index] ?? 0;
+    const bPart = bParts[index] ?? 0;
+
+    if (aPart !== bPart) {
+      return aPart - bPart;
+    }
+  }
+
+  return 0;
+}
+
+test('package manifest explicitly pins yaml to the patched version', () => {
+  const packageJson = JSON.parse(readFileSync(join(process.cwd(), 'package.json'), 'utf8'));
+
+  assert.equal(packageJson.overrides?.yaml, '2.8.3');
+});
+
+test('package lockfile does not resolve vulnerable yaml versions', () => {
+  const lockfile = JSON.parse(readFileSync(join(process.cwd(), 'package-lock.json'), 'utf8'));
+  const vulnerableEntries = Object.entries(lockfile.packages ?? {})
+    .filter(([path, value]) => path === 'node_modules/yaml' && typeof value.version === 'string')
+    .filter(([, value]) => compareSemver(value.version, '2.8.3') < 0);
+
+  assert.deepEqual(vulnerableEntries, []);
+});
diff --git a/apps/web/app/compare/page.tsx b/apps/web/app/compare/page.tsx
index 6cb1315f1..956a78627 100644
--- a/apps/web/app/compare/page.tsx
+++ b/apps/web/app/compare/page.tsx
@@ -91,7 +91,7 @@ const tools = [
     name: "WUD",
     slug: "wud",
     description:
-      "Drydock's upstream fork (What's Up Docker). See what Drydock adds: 13 more registries, security scanning, agents, audit log, and a TypeScript rewrite.",
+      "Drydock's upstream fork (What's Up Docker). See what Drydock adds: 10 more registries, security scanning, agents, audit log, and a TypeScript rewrite.",
     status: "Active",
     statusColor: "bg-blue-100 text-blue-700 dark:bg-blue-900/50 dark:text-blue-400",
   },
diff --git a/apps/web/app/page.tsx b/apps/web/app/page.tsx
index 6a4709f93..3748f4e13 100644
--- a/apps/web/app/page.tsx
+++ b/apps/web/app/page.tsx
@@ -26,114 +26,142 @@ import { Badge } from "@/components/ui/badge";
 import { Button } from "@/components/ui/button";
 import { Card, CardContent } from "@/components/ui/card";
 
-const features = [
+type FeatureCategory = "core" | "security" | "integrations" | "operations";
+
+const categoryLabels: Record<FeatureCategory, { label: string; color: string; border: string }> = {
+  core: { label: "Core", color: "text-blue-600 dark:text-blue-400", border: "border-blue-500/30" },
+  security: {
+    label: "Security",
+    color: "text-rose-600 dark:text-rose-400",
+    border: "border-rose-500/30",
+  },
+  integrations: {
+    label: "Integrations",
+    color: "text-purple-600 dark:text-purple-400",
+    border: "border-purple-500/30",
+  },
+  operations: {
+    label: "Operations",
+    color: "text-emerald-600 dark:text-emerald-400",
+    border: "border-emerald-500/30",
+  },
+};
+
+const features: {
+  icon: typeof Container;
+  title: string;
+  color: string;
+  bg: string;
+  description: string;
+  category: FeatureCategory;
+}[] = [
   {
     icon: Container,
     title: "Auto-Discovery",
-    emoji: "\u{1F50D}",
     color: "text-blue-500 dark:text-blue-400",
     bg: "bg-blue-100 dark:bg-blue-900/50",
     description:
       "Automatically discovers running containers and tracks their image versions without manual configuration.",
+    category: "core",
   },
   {
     icon: Radio,
     title: "23 Registries",
-    emoji: "\u{1F4E6}",
     color: "text-purple-500 dark:text-purple-400",
     bg: "bg-purple-100 dark:bg-purple-900/50",
     description:
       "Query Docker Hub, GHCR, ECR, GCR, GAR, GitLab, Quay, LSCR, ACR, Harbor, Artifactory, Nexus, and more.",
+    category: "integrations",
   },
   {
     icon: Bell,
     title: "20 Triggers",
-    emoji: "\u{1F514}",
     color: "text-amber-500 dark:text-amber-400",
     bg: "bg-amber-100 dark:bg-amber-900/50",
     description:
       "Notify via Slack, Discord, Telegram, Teams, SMTP, MQTT, HTTP, Gotify, NTFY, Kafka, and more.",
+    category: "integrations",
   },
   {
     icon: Eye,
     title: "Dry-Run Preview",
-    emoji: "\u{1F441}\uFE0F",
     color: "text-cyan-500 dark:text-cyan-400",
     bg: "bg-cyan-100 dark:bg-cyan-900/50",
     description:
       "Preview updates before applying them. Pre-update image backup with one-click rollback.",
+    category: "operations",
   },
   {
     icon: Network,
     title: "Distributed Agents",
-    emoji: "\u{1F310}",
     color: "text-emerald-500 dark:text-emerald-400",
     bg: "bg-emerald-100 dark:bg-emerald-900/50",
     description:
       "Monitor remote Docker hosts via SSE-based agents. Centralized dashboard for all environments.",
+    category: "core",
   },
   {
     icon: BarChart3,
     title: "Prometheus Metrics",
-    emoji: "\u{1F4CA}",
     color: "text-orange-500 dark:text-orange-400",
     bg: "bg-orange-100 dark:bg-orange-900/50",
     description:
       "Built-in /metrics endpoint with Grafana dashboard template. Full observability out of the box.",
+    category: "core",
   },
   {
     icon: History,
     title: "Audit Log",
-    emoji: "\u{1F4DC}",
     color: "text-teal-500 dark:text-teal-400",
     bg: "bg-teal-100 dark:bg-teal-900/50",
     description:
       "Event-based audit trail with persistent storage. Full REST API and Prometheus counters.",
+    category: "security",
   },
   {
     icon: Lock,
     title: "OIDC Authentication",
-    emoji: "\u{1F512}",
     color: "text-rose-500 dark:text-rose-400",
     bg: "bg-rose-100 dark:bg-rose-900/50",
     description:
       "Secure your instance with OpenID Connect. Works with Authelia, Auth0, and Authentik.",
+    category: "security",
   },
   {
     icon: RotateCcw,
     title: "Auto Rollback",
-    emoji: "\u{1F504}",
     color: "text-indigo-500 dark:text-indigo-400",
     bg: "bg-indigo-100 dark:bg-indigo-900/50",
     description:
       "Automatic rollback on health check failure. Configurable image backup retention policies.",
+    category: "operations",
   },
   {
     icon: Play,
     title: "Container Actions",
-    emoji: "\u{25B6}\uFE0F",
     color: "text-green-500 dark:text-green-400",
     bg: "bg-green-100 dark:bg-green-900/50",
     description:
       "Start, stop, and restart containers directly from the UI or API. Feature-flagged for safety.",
+    category: "operations",
   },
   {
     icon: Webhook,
     title: "Webhook API",
-    emoji: "\u{1F517}",
     color: "text-sky-500 dark:text-sky-400",
     bg: "bg-sky-100 dark:bg-sky-900/50",
     description:
       "Token-authenticated HTTP endpoints for CI/CD integration. Trigger updates on demand.",
+    category: "integrations",
   },
   {
     icon: Layers,
     title: "Container Grouping",
-    emoji: "\u{1F4DA}",
     color: "text-violet-500 dark:text-violet-400",
     bg: "bg-violet-100 dark:bg-violet-900/50",
     description:
       "Smart stack detection via compose project or labels. Collapsible groups with batch actions.",
+    category: "core",
   },
 ];
 
@@ -231,12 +259,13 @@ const roadmap = [
     version: "v1.5.0",
     title: "Observability & User-Requested Features",
     emoji: "\u{26A1}",
-    status: "next" as const,
+    status: "released" as const,
     dotColor:
-      "border-amber-500 bg-amber-50 text-amber-600 dark:border-amber-400 dark:bg-amber-950 dark:text-amber-400",
+      "border-emerald-500 bg-emerald-500 text-white dark:border-emerald-400 dark:bg-emerald-400 dark:text-neutral-900",
     items: [
-      "Real-time log viewer",
+      "Real-time WebSocket log viewer with ANSI colors + JSON syntax highlighting",
       "Container resource monitoring",
+      "Diagnostic debug dump with automatic redaction",
       "Registry webhook receiver",
       "Auth endpoint telemetry & guardrails",
       "Image maturity / sort-by-age indicator",
@@ -244,15 +273,18 @@ const roadmap = [
       "Release notes in UI",
       "Smart tag suggestion for latest containers",
       "Digest check deduplication",
+      "Dashboard customization",
+      "Resource usage dashboard widget",
+      "Trigger environment variable aliases (DD_ACTION_*/DD_NOTIFICATION_*)",
     ],
   },
   {
     version: "v1.5.1",
     title: "Scanner Decoupling",
     emoji: "\u{1F50C}",
-    status: "planned" as const,
+    status: "next" as const,
     dotColor:
-      "border-amber-400 bg-amber-50 text-amber-500 dark:border-amber-500 dark:bg-amber-950 dark:text-amber-400",
+      "border-amber-500 bg-amber-50 text-amber-600 dark:border-amber-400 dark:bg-amber-950 dark:text-amber-400",
     items: [
       "Backend-based scanner execution (docker/remote)",
       "Grype scanner provider",
@@ -266,7 +298,7 @@ const roadmap = [
     status: "planned" as const,
     dotColor:
       "border-orange-400 bg-orange-50 text-orange-500 dark:border-orange-500 dark:bg-orange-950 dark:text-orange-400",
-    items: ["Notification templates", "MS Teams & Matrix triggers", "Deprecation removals"],
+    items: ["Notification templates", "Notification preferences UI", "Deprecation removals"],
   },
   {
     version: "v1.7.0",
@@ -280,7 +312,6 @@ const roadmap = [
       "Clickable port links",
       "Image prune from UI",
       "Static image monitoring",
-      "Dashboard customization",
     ],
   },
   {
@@ -440,7 +471,7 @@ export default function Home() {
 
               {/* Version Badge */}
               <Badge variant="secondary" className="mb-6 px-4 py-1.5 text-sm font-medium">
-                v1.4.1 &middot; Open Source
+                v1.5.0 &middot; Open Source
               </Badge>
 
               {/* Heading */}
@@ -485,7 +516,7 @@ export default function Home() {
                     rel="noopener noreferrer"
                   >
                     <img
-                      src="https://img.shields.io/badge/GHCR-30K%2B_pulls-2ea44f?logo=github&logoColor=white"
+                      src="https://img.shields.io/badge/GHCR-50K%2B_pulls-2ea44f?logo=github&logoColor=white"
                       alt="GHCR pulls"
                     />
                   </a>
@@ -712,29 +743,51 @@ export default function Home() {
                 </p>
               </div>
 
-              <div className="grid gap-6 sm:grid-cols-2 lg:grid-cols-3">
-                {features.map((feature) => (
-                  <Card
-                    key={feature.title}
-                    className="border-neutral-200 bg-white/50 backdrop-blur-sm dark:border-neutral-800 dark:bg-neutral-900/50"
-                  >
-                    <CardContent className="pt-6">
-                      <div className="mb-4 flex items-center gap-3">
+              <div className="overflow-hidden rounded-xl border border-neutral-300 dark:border-neutral-700">
+                <div className="flex items-center gap-2 border-b border-neutral-300 bg-neutral-100 px-5 py-3 dark:border-neutral-700 dark:bg-neutral-900">
+                  <div className="h-2.5 w-2.5 rounded-full bg-emerald-500" />
+                  <span className="font-mono text-xs text-neutral-500 dark:text-neutral-400">
+                    drydock capabilities
+                  </span>
+                  <span className="ml-auto font-mono text-xs text-neutral-400 dark:text-neutral-600">
+                    {features.length} modules
+                  </span>
+                </div>
+                <div className="divide-y divide-neutral-200 bg-white dark:divide-neutral-800 dark:bg-neutral-950">
+                  {features.map((feature, i) => {
+                    const cat = categoryLabels[feature.category];
+                    return (
+                      <div
+                        key={feature.title}
+                        className="group flex items-center gap-5 px-5 py-4 transition-colors hover:bg-neutral-50 dark:hover:bg-neutral-900/50"
+                      >
+                        <span className="w-6 shrink-0 text-right font-mono text-xs tabular-nums text-neutral-300 dark:text-neutral-700">
+                          {String(i + 1).padStart(2, "0")}
+                        </span>
                         <div
-                          className={`flex h-10 w-10 shrink-0 items-center justify-center rounded-lg ${feature.bg}`}
+                          className={`flex h-8 w-8 shrink-0 items-center justify-center rounded-md ${feature.bg}`}
                         >
-                          <feature.icon className={`h-5 w-5 ${feature.color}`} />
+                          <feature.icon className={`h-4 w-4 ${feature.color}`} />
+                        </div>
+                        <div className="min-w-0 flex-1">
+                          <div className="flex items-baseline gap-3">
+                            <h3 className="text-sm font-semibold text-neutral-900 dark:text-neutral-100">
+                              {feature.title}
+                            </h3>
+                            <span
+                              className={`rounded-full border px-2 py-0.5 font-mono text-[10px] uppercase tracking-wider ${cat.border} ${cat.color}`}
+                            >
+                              {cat.label}
+                            </span>
+                          </div>
+                          <p className="mt-0.5 text-xs text-neutral-500 dark:text-neutral-400">
+                            {feature.description}
+                          </p>
                         </div>
-                        <h3 className="font-semibold text-neutral-900 dark:text-neutral-100">
-                          {feature.title}
-                        </h3>
                       </div>
-                      <p className="text-sm text-neutral-600 dark:text-neutral-400">
-                        {feature.description}
-                      </p>
-                    </CardContent>
-                  </Card>
-                ))}
+                    );
+                  })}
+                </div>
               </div>
             </div>
           </section>
diff --git a/apps/web/app/security/trivy-supply-chain-march-2026/page.tsx b/apps/web/app/security/trivy-supply-chain-march-2026/page.tsx
index 091d31430..9c6449b71 100644
--- a/apps/web/app/security/trivy-supply-chain-march-2026/page.tsx
+++ b/apps/web/app/security/trivy-supply-chain-march-2026/page.tsx
@@ -105,7 +105,7 @@ export default function TrivyAdvisoryPage() {
 
               <h2>Exposure windows</h2>
               <div className="overflow-x-auto">
-                <table>
+                <table className="w-auto">
                   <thead>
                     <tr>
                       <th>Component</th>
@@ -400,7 +400,7 @@ uses: aquasecurity/trivy-action@<full-commit-sha>  # 0.24.0`}</code>
 
               <h2>Timeline</h2>
               <div className="overflow-x-auto">
-                <table>
+                <table className="w-auto">
                   <thead>
                     <tr>
                       <th>Date (UTC)</th>
diff --git a/apps/web/lib/comparison-route-data/dockhand.tsx b/apps/web/lib/comparison-route-data/dockhand.tsx
index 6c14d9243..65006db49 100644
--- a/apps/web/lib/comparison-route-data/dockhand.tsx
+++ b/apps/web/lib/comparison-route-data/dockhand.tsx
@@ -9,7 +9,7 @@ Language|Go|TypeScript|tie
 Web UI|Yes|Yes|tie
 Image update detection|Yes|Yes|tie
 Auto-update containers|Yes|Yes (monitor-first)|tie
-Vulnerability scanning|Yes (🥊 Update Bouncer)|Yes (Trivy + SBOM + cosign)|tie
+Vulnerability scanning|Yes (Safe-Pull Protection)|Yes (Trivy + SBOM + cosign)|tie
 Automatic rollback|No|Yes, on health check failure|drydock
 Maintenance windows|No|Yes|drydock
 Lifecycle hooks (pre/post)|No|Yes, with timeout & abort|drydock
diff --git a/apps/web/lib/comparison-route-data/portainer.tsx b/apps/web/lib/comparison-route-data/portainer.tsx
index a3142bf65..ddf9fe79d 100644
--- a/apps/web/lib/comparison-route-data/portainer.tsx
+++ b/apps/web/lib/comparison-route-data/portainer.tsx
@@ -25,7 +25,7 @@ Docker Swarm|Yes|Planned (v2.0.0)|competitor
 Web terminal / shell|Yes|Planned|competitor
 Compose templates|Yes|Planned|competitor
 Audit log|Yes (BE only)|Yes (free)|drydock
-Resource footprint|Heavy (~200MB+ RAM)|Lightweight (~80MB RAM)|drydock
+Resource footprint|Heavier (~100–200MB RAM)|Lightweight (~80MB RAM)|drydock
 License|Zlib (CE) / Proprietary (BE)|AGPL-3.0|drydock
 `,
   highlightsTable: `
diff --git a/apps/web/lib/comparison-route-data/watchtower.tsx b/apps/web/lib/comparison-route-data/watchtower.tsx
index f3658f97f..81ee3e66e 100644
--- a/apps/web/lib/comparison-route-data/watchtower.tsx
+++ b/apps/web/lib/comparison-route-data/watchtower.tsx
@@ -22,7 +22,7 @@ Auto rollback|No|Yes, on health check failure|drydock
 Authentication|None|OIDC (Authelia, Auth0, Authentik)|drydock
 Container actions|Restart only (via update)|Start/stop/restart from UI/API|drydock
 Docker Compose updates|Limited|Full compose pull & recreate|drydock
-Lifecycle hooks|Yes|Yes (pre/post-update)|tie
+Lifecycle hooks|Yes (advisory — no abort on failure)|Yes (pre/post with abort & audit)|drydock
 Image backup|No|Pre-update backup with retention|drydock
 Webhook API|HTTP API mode|Token-authenticated webhooks|drydock
 License|Apache 2.0|AGPL-3.0|tie
diff --git a/apps/web/next.config.mjs b/apps/web/next.config.mjs
index 24c741f6f..0e704432a 100644
--- a/apps/web/next.config.mjs
+++ b/apps/web/next.config.mjs
@@ -1,12 +1,14 @@
 import { createMDX } from "fumadocs-mdx/next";
 
 const withMDX = createMDX();
-const docsCurrentVersion = "v1.4";
-const docsVersionPrefixes = "v1\\.4(?:/|$)|v1\\.3(?:/|$)";
+const docsCurrentVersion = "v1.5";
+const docsVersionPrefixes = "v1\\.5(?:/|$)|v1\\.4(?:/|$)|v1\\.3(?:/|$)";
 
 /** @type {import('next').NextConfig} */
 const nextConfig = {
-  experimental: {},
+  experimental: {
+    sri: { algorithm: "sha384" },
+  },
   images: {
     remotePatterns: [
       {
diff --git a/apps/web/package-lock.json b/apps/web/package-lock.json
index f818bbb60..4011a2663 100644
--- a/apps/web/package-lock.json
+++ b/apps/web/package-lock.json
@@ -25,6 +25,7 @@
         "tailwind-merge": "^3.5.0"
       },
       "devDependencies": {
+        "@biomejs/biome": "^2.4.7",
         "@tailwindcss/postcss": "^4.2.1",
         "@types/node": "^25.5.0",
         "@types/react": "^19.2.14",
@@ -50,10 +51,173 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/@biomejs/biome": {
+      "version": "2.4.9",
+      "resolved": "https://registry.npmjs.org/@biomejs/biome/-/biome-2.4.9.tgz",
+      "integrity": "sha512-wvZW92FrwitTcacvCBT8xdAbfbxWfDLwjYMmU3djjqQTh7Ni4ZdiWIT/x5VcZ+RQuxiKzIOzi5D+dcyJDFZMsA==",
+      "dev": true,
+      "license": "MIT OR Apache-2.0",
+      "bin": {
+        "biome": "bin/biome"
+      },
+      "engines": {
+        "node": ">=14.21.3"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/biome"
+      },
+      "optionalDependencies": {
+        "@biomejs/cli-darwin-arm64": "2.4.9",
+        "@biomejs/cli-darwin-x64": "2.4.9",
+        "@biomejs/cli-linux-arm64": "2.4.9",
+        "@biomejs/cli-linux-arm64-musl": "2.4.9",
+        "@biomejs/cli-linux-x64": "2.4.9",
+        "@biomejs/cli-linux-x64-musl": "2.4.9",
+        "@biomejs/cli-win32-arm64": "2.4.9",
+        "@biomejs/cli-win32-x64": "2.4.9"
+      }
+    },
+    "node_modules/@biomejs/cli-darwin-arm64": {
+      "version": "2.4.9",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-darwin-arm64/-/cli-darwin-arm64-2.4.9.tgz",
+      "integrity": "sha512-d5G8Gf2RpH5pYwiHLPA+UpG3G9TLQu4WM+VK6sfL7K68AmhcEQ9r+nkj/DvR/GYhYox6twsHUtmWWWIKfcfQQA==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT OR Apache-2.0",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">=14.21.3"
+      }
+    },
+    "node_modules/@biomejs/cli-darwin-x64": {
+      "version": "2.4.9",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-darwin-x64/-/cli-darwin-x64-2.4.9.tgz",
+      "integrity": "sha512-LNCLNgqDMG7BLdc3a8aY/dwKPK7+R8/JXJoXjCvZh2gx8KseqBdFDKbhrr7HCWF8SzNhbTaALhTBoh/I6rf9lA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT OR Apache-2.0",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">=14.21.3"
+      }
+    },
+    "node_modules/@biomejs/cli-linux-arm64": {
+      "version": "2.4.9",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-arm64/-/cli-linux-arm64-2.4.9.tgz",
+      "integrity": "sha512-4adnkAUi6K4C/emPRgYznMOcLlUqZdXWM6aIui4VP4LraE764g6Q4YguygnAUoxKjKIXIWPteKMgRbN0wsgwcg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT OR Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=14.21.3"
+      }
+    },
+    "node_modules/@biomejs/cli-linux-arm64-musl": {
+      "version": "2.4.9",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-arm64-musl/-/cli-linux-arm64-musl-2.4.9.tgz",
+      "integrity": "sha512-8RCww5xnPn2wpK4L/QDGDOW0dq80uVWfppPxHIUg6mOs9B6gRmqPp32h1Ls3T8GnW8Wo5A8u7vpTwz4fExN+sw==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT OR Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=14.21.3"
+      }
+    },
+    "node_modules/@biomejs/cli-linux-x64": {
+      "version": "2.4.9",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-x64/-/cli-linux-x64-2.4.9.tgz",
+      "integrity": "sha512-L10na7POF0Ks/cgLFNF1ZvIe+X4onLkTi5oP9hY+Rh60Q+7fWzKDDCeGyiHUFf1nGIa9dQOOUPGe2MyYg8nMSQ==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT OR Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=14.21.3"
+      }
+    },
+    "node_modules/@biomejs/cli-linux-x64-musl": {
+      "version": "2.4.9",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-x64-musl/-/cli-linux-x64-musl-2.4.9.tgz",
+      "integrity": "sha512-5TD+WS9v5vzXKzjetF0hgoaNFHMcpQeBUwKKVi3JbG1e9UCrFuUK3Gt185fyTzvRdwYkJJEMqglRPjmesmVv4A==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT OR Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=14.21.3"
+      }
+    },
+    "node_modules/@biomejs/cli-win32-arm64": {
+      "version": "2.4.9",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-win32-arm64/-/cli-win32-arm64-2.4.9.tgz",
+      "integrity": "sha512-aDZr0RBC3sMGJOU10BvG7eZIlWLK/i51HRIfScE2lVhfts2dQTreowLiJJd+UYg/tHKxS470IbzpuKmd0MiD6g==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT OR Apache-2.0",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=14.21.3"
+      }
+    },
+    "node_modules/@biomejs/cli-win32-x64": {
+      "version": "2.4.9",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-win32-x64/-/cli-win32-x64-2.4.9.tgz",
+      "integrity": "sha512-NS4g/2G9SoQ4ktKtz31pvyc/rmgzlcIDCGU/zWbmHJAqx6gcRj2gj5Q/guXhoWTzCUaQZDIqiCQXHS7BcGYc0w==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT OR Apache-2.0",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=14.21.3"
+      }
+    },
     "node_modules/@emnapi/runtime": {
-      "version": "1.8.1",
-      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.8.1.tgz",
-      "integrity": "sha512-mehfKSMWjjNol8659Z8KxEMrdSJDDot5SXMq00dM8BN4o+CLNXQ0xH2V7EchNHV4RmbZLmmPdEaXZc5H2FXmDg==",
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.9.1.tgz",
+      "integrity": "sha512-VYi5+ZVLhpgK4hQ0TAjiQiZ6ol0oe4mBx7mVv7IflsiEp0OWoVsp/+f9Vc1hOhE0TtkORVrI1GvzyreqpgWtkA==",
       "license": "MIT",
       "optional": true,
       "dependencies": {
@@ -61,9 +225,9 @@
       }
     },
     "node_modules/@esbuild/aix-ppc64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.3.tgz",
-      "integrity": "sha512-9fJMTNFTWZMh5qwrBItuziu834eOCUcEqymSH7pY+zoMVEZg3gcPuBNxH1EvfVYe9h0x/Ptw8KBzv7qxb7l8dg==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.4.tgz",
+      "integrity": "sha512-cQPwL2mp2nSmHHJlCyoXgHGhbEPMrEEU5xhkcy3Hs/O7nGZqEpZ2sUtLaL9MORLtDfRvVl2/3PAuEkYZH0Ty8Q==",
       "cpu": [
         "ppc64"
       ],
@@ -77,9 +241,9 @@
       }
     },
     "node_modules/@esbuild/android-arm": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.27.3.tgz",
-      "integrity": "sha512-i5D1hPY7GIQmXlXhs2w8AWHhenb00+GxjxRncS2ZM7YNVGNfaMxgzSGuO8o8SJzRc/oZwU2bcScvVERk03QhzA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.27.4.tgz",
+      "integrity": "sha512-X9bUgvxiC8CHAGKYufLIHGXPJWnr0OCdR0anD2e21vdvgCI8lIfqFbnoeOz7lBjdrAGUhqLZLcQo6MLhTO2DKQ==",
       "cpu": [
         "arm"
       ],
@@ -93,9 +257,9 @@
       }
     },
     "node_modules/@esbuild/android-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.27.3.tgz",
-      "integrity": "sha512-YdghPYUmj/FX2SYKJ0OZxf+iaKgMsKHVPF1MAq/P8WirnSpCStzKJFjOjzsW0QQ7oIAiccHdcqjbHmJxRb/dmg==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.27.4.tgz",
+      "integrity": "sha512-gdLscB7v75wRfu7QSm/zg6Rx29VLdy9eTr2t44sfTW7CxwAtQghZ4ZnqHk3/ogz7xao0QAgrkradbBzcqFPasw==",
       "cpu": [
         "arm64"
       ],
@@ -109,9 +273,9 @@
       }
     },
     "node_modules/@esbuild/android-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.27.3.tgz",
-      "integrity": "sha512-IN/0BNTkHtk8lkOM8JWAYFg4ORxBkZQf9zXiEOfERX/CzxW3Vg1ewAhU7QSWQpVIzTW+b8Xy+lGzdYXV6UZObQ==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.27.4.tgz",
+      "integrity": "sha512-PzPFnBNVF292sfpfhiyiXCGSn9HZg5BcAz+ivBuSsl6Rk4ga1oEXAamhOXRFyMcjwr2DVtm40G65N3GLeH1Lvw==",
       "cpu": [
         "x64"
       ],
@@ -125,9 +289,9 @@
       }
     },
     "node_modules/@esbuild/darwin-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.27.3.tgz",
-      "integrity": "sha512-Re491k7ByTVRy0t3EKWajdLIr0gz2kKKfzafkth4Q8A5n1xTHrkqZgLLjFEHVD+AXdUGgQMq+Godfq45mGpCKg==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.27.4.tgz",
+      "integrity": "sha512-b7xaGIwdJlht8ZFCvMkpDN6uiSmnxxK56N2GDTMYPr2/gzvfdQN8rTfBsvVKmIVY/X7EM+/hJKEIbbHs9oA4tQ==",
       "cpu": [
         "arm64"
       ],
@@ -141,9 +305,9 @@
       }
     },
     "node_modules/@esbuild/darwin-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.27.3.tgz",
-      "integrity": "sha512-vHk/hA7/1AckjGzRqi6wbo+jaShzRowYip6rt6q7VYEDX4LEy1pZfDpdxCBnGtl+A5zq8iXDcyuxwtv3hNtHFg==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.27.4.tgz",
+      "integrity": "sha512-sR+OiKLwd15nmCdqpXMnuJ9W2kpy0KigzqScqHI3Hqwr7IXxBp3Yva+yJwoqh7rE8V77tdoheRYataNKL4QrPw==",
       "cpu": [
         "x64"
       ],
@@ -157,9 +321,9 @@
       }
     },
     "node_modules/@esbuild/freebsd-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.3.tgz",
-      "integrity": "sha512-ipTYM2fjt3kQAYOvo6vcxJx3nBYAzPjgTCk7QEgZG8AUO3ydUhvelmhrbOheMnGOlaSFUoHXB6un+A7q4ygY9w==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.4.tgz",
+      "integrity": "sha512-jnfpKe+p79tCnm4GVav68A7tUFeKQwQyLgESwEAUzyxk/TJr4QdGog9sqWNcUbr/bZt/O/HXouspuQDd9JxFSw==",
       "cpu": [
         "arm64"
       ],
@@ -173,9 +337,9 @@
       }
     },
     "node_modules/@esbuild/freebsd-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.27.3.tgz",
-      "integrity": "sha512-dDk0X87T7mI6U3K9VjWtHOXqwAMJBNN2r7bejDsc+j03SEjtD9HrOl8gVFByeM0aJksoUuUVU9TBaZa2rgj0oA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.27.4.tgz",
+      "integrity": "sha512-2kb4ceA/CpfUrIcTUl1wrP/9ad9Atrp5J94Lq69w7UwOMolPIGrfLSvAKJp0RTvkPPyn6CIWrNy13kyLikZRZQ==",
       "cpu": [
         "x64"
       ],
@@ -189,9 +353,9 @@
       }
     },
     "node_modules/@esbuild/linux-arm": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.27.3.tgz",
-      "integrity": "sha512-s6nPv2QkSupJwLYyfS+gwdirm0ukyTFNl3KTgZEAiJDd+iHZcbTPPcWCcRYH+WlNbwChgH2QkE9NSlNrMT8Gfw==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.27.4.tgz",
+      "integrity": "sha512-aBYgcIxX/wd5n2ys0yESGeYMGF+pv6g0DhZr3G1ZG4jMfruU9Tl1i2Z+Wnj9/KjGz1lTLCcorqE2viePZqj4Eg==",
       "cpu": [
         "arm"
       ],
@@ -205,9 +369,9 @@
       }
     },
     "node_modules/@esbuild/linux-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.27.3.tgz",
-      "integrity": "sha512-sZOuFz/xWnZ4KH3YfFrKCf1WyPZHakVzTiqji3WDc0BCl2kBwiJLCXpzLzUBLgmp4veFZdvN5ChW4Eq/8Fc2Fg==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.27.4.tgz",
+      "integrity": "sha512-7nQOttdzVGth1iz57kxg9uCz57dxQLHWxopL6mYuYthohPKEK0vU0C3O21CcBK6KDlkYVcnDXY099HcCDXd9dA==",
       "cpu": [
         "arm64"
       ],
@@ -221,9 +385,9 @@
       }
     },
     "node_modules/@esbuild/linux-ia32": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.27.3.tgz",
-      "integrity": "sha512-yGlQYjdxtLdh0a3jHjuwOrxQjOZYD/C9PfdbgJJF3TIZWnm/tMd/RcNiLngiu4iwcBAOezdnSLAwQDPqTmtTYg==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.27.4.tgz",
+      "integrity": "sha512-oPtixtAIzgvzYcKBQM/qZ3R+9TEUd1aNJQu0HhGyqtx6oS7qTpvjheIWBbes4+qu1bNlo2V4cbkISr8q6gRBFA==",
       "cpu": [
         "ia32"
       ],
@@ -237,9 +401,9 @@
       }
     },
     "node_modules/@esbuild/linux-loong64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.27.3.tgz",
-      "integrity": "sha512-WO60Sn8ly3gtzhyjATDgieJNet/KqsDlX5nRC5Y3oTFcS1l0KWba+SEa9Ja1GfDqSF1z6hif/SkpQJbL63cgOA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.27.4.tgz",
+      "integrity": "sha512-8mL/vh8qeCoRcFH2nM8wm5uJP+ZcVYGGayMavi8GmRJjuI3g1v6Z7Ni0JJKAJW+m0EtUuARb6Lmp4hMjzCBWzA==",
       "cpu": [
         "loong64"
       ],
@@ -253,9 +417,9 @@
       }
     },
     "node_modules/@esbuild/linux-mips64el": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.27.3.tgz",
-      "integrity": "sha512-APsymYA6sGcZ4pD6k+UxbDjOFSvPWyZhjaiPyl/f79xKxwTnrn5QUnXR5prvetuaSMsb4jgeHewIDCIWljrSxw==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.27.4.tgz",
+      "integrity": "sha512-1RdrWFFiiLIW7LQq9Q2NES+HiD4NyT8Itj9AUeCl0IVCA459WnPhREKgwrpaIfTOe+/2rdntisegiPWn/r/aAw==",
       "cpu": [
         "mips64el"
       ],
@@ -269,9 +433,9 @@
       }
     },
     "node_modules/@esbuild/linux-ppc64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.27.3.tgz",
-      "integrity": "sha512-eizBnTeBefojtDb9nSh4vvVQ3V9Qf9Df01PfawPcRzJH4gFSgrObw+LveUyDoKU3kxi5+9RJTCWlj4FjYXVPEA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.27.4.tgz",
+      "integrity": "sha512-tLCwNG47l3sd9lpfyx9LAGEGItCUeRCWeAx6x2Jmbav65nAwoPXfewtAdtbtit/pJFLUWOhpv0FpS6GQAmPrHA==",
       "cpu": [
         "ppc64"
       ],
@@ -285,9 +449,9 @@
       }
     },
     "node_modules/@esbuild/linux-riscv64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.27.3.tgz",
-      "integrity": "sha512-3Emwh0r5wmfm3ssTWRQSyVhbOHvqegUDRd0WhmXKX2mkHJe1SFCMJhagUleMq+Uci34wLSipf8Lagt4LlpRFWQ==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.27.4.tgz",
+      "integrity": "sha512-BnASypppbUWyqjd1KIpU4AUBiIhVr6YlHx/cnPgqEkNoVOhHg+YiSVxM1RLfiy4t9cAulbRGTNCKOcqHrEQLIw==",
       "cpu": [
         "riscv64"
       ],
@@ -301,9 +465,9 @@
       }
     },
     "node_modules/@esbuild/linux-s390x": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.27.3.tgz",
-      "integrity": "sha512-pBHUx9LzXWBc7MFIEEL0yD/ZVtNgLytvx60gES28GcWMqil8ElCYR4kvbV2BDqsHOvVDRrOxGySBM9Fcv744hw==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.27.4.tgz",
+      "integrity": "sha512-+eUqgb/Z7vxVLezG8bVB9SfBie89gMueS+I0xYh2tJdw3vqA/0ImZJ2ROeWwVJN59ihBeZ7Tu92dF/5dy5FttA==",
       "cpu": [
         "s390x"
       ],
@@ -317,9 +481,9 @@
       }
     },
     "node_modules/@esbuild/linux-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.27.3.tgz",
-      "integrity": "sha512-Czi8yzXUWIQYAtL/2y6vogER8pvcsOsk5cpwL4Gk5nJqH5UZiVByIY8Eorm5R13gq+DQKYg0+JyQoytLQas4dA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.27.4.tgz",
+      "integrity": "sha512-S5qOXrKV8BQEzJPVxAwnryi2+Iq5pB40gTEIT69BQONqR7JH1EPIcQ/Uiv9mCnn05jff9umq/5nqzxlqTOg9NA==",
       "cpu": [
         "x64"
       ],
@@ -333,9 +497,9 @@
       }
     },
     "node_modules/@esbuild/netbsd-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.3.tgz",
-      "integrity": "sha512-sDpk0RgmTCR/5HguIZa9n9u+HVKf40fbEUt+iTzSnCaGvY9kFP0YKBWZtJaraonFnqef5SlJ8/TiPAxzyS+UoA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.4.tgz",
+      "integrity": "sha512-xHT8X4sb0GS8qTqiwzHqpY00C95DPAq7nAwX35Ie/s+LO9830hrMd3oX0ZMKLvy7vsonee73x0lmcdOVXFzd6Q==",
       "cpu": [
         "arm64"
       ],
@@ -349,9 +513,9 @@
       }
     },
     "node_modules/@esbuild/netbsd-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.27.3.tgz",
-      "integrity": "sha512-P14lFKJl/DdaE00LItAukUdZO5iqNH7+PjoBm+fLQjtxfcfFE20Xf5CrLsmZdq5LFFZzb5JMZ9grUwvtVYzjiA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.27.4.tgz",
+      "integrity": "sha512-RugOvOdXfdyi5Tyv40kgQnI0byv66BFgAqjdgtAKqHoZTbTF2QqfQrFwa7cHEORJf6X2ht+l9ABLMP0dnKYsgg==",
       "cpu": [
         "x64"
       ],
@@ -365,9 +529,9 @@
       }
     },
     "node_modules/@esbuild/openbsd-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.3.tgz",
-      "integrity": "sha512-AIcMP77AvirGbRl/UZFTq5hjXK+2wC7qFRGoHSDrZ5v5b8DK/GYpXW3CPRL53NkvDqb9D+alBiC/dV0Fb7eJcw==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.4.tgz",
+      "integrity": "sha512-2MyL3IAaTX+1/qP0O1SwskwcwCoOI4kV2IBX1xYnDDqthmq5ArrW94qSIKCAuRraMgPOmG0RDTA74mzYNQA9ow==",
       "cpu": [
         "arm64"
       ],
@@ -381,9 +545,9 @@
       }
     },
     "node_modules/@esbuild/openbsd-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.27.3.tgz",
-      "integrity": "sha512-DnW2sRrBzA+YnE70LKqnM3P+z8vehfJWHXECbwBmH/CU51z6FiqTQTHFenPlHmo3a8UgpLyH3PT+87OViOh1AQ==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.27.4.tgz",
+      "integrity": "sha512-u8fg/jQ5aQDfsnIV6+KwLOf1CmJnfu1ShpwqdwC0uA7ZPwFws55Ngc12vBdeUdnuWoQYx/SOQLGDcdlfXhYmXQ==",
       "cpu": [
         "x64"
       ],
@@ -397,9 +561,9 @@
       }
     },
     "node_modules/@esbuild/openharmony-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.3.tgz",
-      "integrity": "sha512-NinAEgr/etERPTsZJ7aEZQvvg/A6IsZG/LgZy+81wON2huV7SrK3e63dU0XhyZP4RKGyTm7aOgmQk0bGp0fy2g==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.4.tgz",
+      "integrity": "sha512-JkTZrl6VbyO8lDQO3yv26nNr2RM2yZzNrNHEsj9bm6dOwwu9OYN28CjzZkH57bh4w0I2F7IodpQvUAEd1mbWXg==",
       "cpu": [
         "arm64"
       ],
@@ -413,9 +577,9 @@
       }
     },
     "node_modules/@esbuild/sunos-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.27.3.tgz",
-      "integrity": "sha512-PanZ+nEz+eWoBJ8/f8HKxTTD172SKwdXebZ0ndd953gt1HRBbhMsaNqjTyYLGLPdoWHy4zLU7bDVJztF5f3BHA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.27.4.tgz",
+      "integrity": "sha512-/gOzgaewZJfeJTlsWhvUEmUG4tWEY2Spp5M20INYRg2ZKl9QPO3QEEgPeRtLjEWSW8FilRNacPOg8R1uaYkA6g==",
       "cpu": [
         "x64"
       ],
@@ -429,9 +593,9 @@
       }
     },
     "node_modules/@esbuild/win32-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.27.3.tgz",
-      "integrity": "sha512-B2t59lWWYrbRDw/tjiWOuzSsFh1Y/E95ofKz7rIVYSQkUYBjfSgf6oeYPNWHToFRr2zx52JKApIcAS/D5TUBnA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.27.4.tgz",
+      "integrity": "sha512-Z9SExBg2y32smoDQdf1HRwHRt6vAHLXcxD2uGgO/v2jK7Y718Ix4ndsbNMU/+1Qiem9OiOdaqitioZwxivhXYg==",
       "cpu": [
         "arm64"
       ],
@@ -445,9 +609,9 @@
       }
     },
     "node_modules/@esbuild/win32-ia32": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.3.tgz",
-      "integrity": "sha512-QLKSFeXNS8+tHW7tZpMtjlNb7HKau0QDpwm49u0vUp9y1WOF+PEzkU84y9GqYaAVW8aH8f3GcBck26jh54cX4Q==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.4.tgz",
+      "integrity": "sha512-DAyGLS0Jz5G5iixEbMHi5KdiApqHBWMGzTtMiJ72ZOLhbu/bzxgAe8Ue8CTS3n3HbIUHQz/L51yMdGMeoxXNJw==",
       "cpu": [
         "ia32"
       ],
@@ -461,9 +625,9 @@
       }
     },
     "node_modules/@esbuild/win32-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.27.3.tgz",
-      "integrity": "sha512-4uJGhsxuptu3OcpVAzli+/gWusVGwZZHTlS63hh++ehExkVT8SgiEf7/uC/PclrPPkLhZqGgCTjd0VWLo6xMqA==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.27.4.tgz",
+      "integrity": "sha512-+knoa0BDoeXgkNvvV1vvbZX4+hizelrkwmGJBdT17t8FNPwG2lKemmuMZlmaNQ3ws3DKKCxpb4zRZEIp3UxFCg==",
       "cpu": [
         "x64"
       ],
@@ -477,31 +641,31 @@
       }
     },
     "node_modules/@floating-ui/core": {
-      "version": "1.7.4",
-      "resolved": "https://registry.npmjs.org/@floating-ui/core/-/core-1.7.4.tgz",
-      "integrity": "sha512-C3HlIdsBxszvm5McXlB8PeOEWfBhcGBTZGkGlWc2U0KFY5IwG5OQEuQ8rq52DZmcHDlPLd+YFBK+cZcytwIFWg==",
+      "version": "1.7.5",
+      "resolved": "https://registry.npmjs.org/@floating-ui/core/-/core-1.7.5.tgz",
+      "integrity": "sha512-1Ih4WTWyw0+lKyFMcBHGbb5U5FtuHJuujoyyr5zTaWS5EYMeT6Jb2AuDeftsCsEuchO+mM2ij5+q9crhydzLhQ==",
       "license": "MIT",
       "dependencies": {
-        "@floating-ui/utils": "^0.2.10"
+        "@floating-ui/utils": "^0.2.11"
       }
     },
     "node_modules/@floating-ui/dom": {
-      "version": "1.7.5",
-      "resolved": "https://registry.npmjs.org/@floating-ui/dom/-/dom-1.7.5.tgz",
-      "integrity": "sha512-N0bD2kIPInNHUHehXhMke1rBGs1dwqvC9O9KYMyyjK7iXt7GAhnro7UlcuYcGdS/yYOlq0MAVgrow8IbWJwyqg==",
+      "version": "1.7.6",
+      "resolved": "https://registry.npmjs.org/@floating-ui/dom/-/dom-1.7.6.tgz",
+      "integrity": "sha512-9gZSAI5XM36880PPMm//9dfiEngYoC6Am2izES1FF406YFsjvyBMmeJ2g4SAju3xWwtuynNRFL2s9hgxpLI5SQ==",
       "license": "MIT",
       "dependencies": {
-        "@floating-ui/core": "^1.7.4",
-        "@floating-ui/utils": "^0.2.10"
+        "@floating-ui/core": "^1.7.5",
+        "@floating-ui/utils": "^0.2.11"
       }
     },
     "node_modules/@floating-ui/react-dom": {
-      "version": "2.1.7",
-      "resolved": "https://registry.npmjs.org/@floating-ui/react-dom/-/react-dom-2.1.7.tgz",
-      "integrity": "sha512-0tLRojf/1Go2JgEVm+3Frg9A3IW8bJgKgdO0BN5RkF//ufuz2joZM63Npau2ff3J6lUVYgDSNzNkR+aH3IVfjg==",
+      "version": "2.1.8",
+      "resolved": "https://registry.npmjs.org/@floating-ui/react-dom/-/react-dom-2.1.8.tgz",
+      "integrity": "sha512-cC52bHwM/n/CxS87FH0yWdngEZrjdtLW/qVruo68qg+prK7ZQ4YGdut2GyDVpoGeAYe/h899rVeOVm6Oi40k2A==",
       "license": "MIT",
       "dependencies": {
-        "@floating-ui/dom": "^1.7.5"
+        "@floating-ui/dom": "^1.7.6"
       },
       "peerDependencies": {
         "react": ">=16.8.0",
@@ -509,28 +673,24 @@
       }
     },
     "node_modules/@floating-ui/utils": {
-      "version": "0.2.10",
-      "resolved": "https://registry.npmjs.org/@floating-ui/utils/-/utils-0.2.10.tgz",
-      "integrity": "sha512-aGTxbpbg8/b5JfU1HXSrbH3wXZuLPJcNEcZQFMxLs3oSzgtVu6nFPkbbGGUvBcUjKV2YyB9Wxxabo+HEH9tcRQ==",
+      "version": "0.2.11",
+      "resolved": "https://registry.npmjs.org/@floating-ui/utils/-/utils-0.2.11.tgz",
+      "integrity": "sha512-RiB/yIh78pcIxl6lLMG0CgBXAZ2Y0eVHqMPYugu+9U0AeT6YBeiJpf7lbdJNIugFP5SIjwNRgo4DhR1Qxi26Gg==",
       "license": "MIT"
     },
     "node_modules/@formatjs/fast-memoize": {
-      "version": "3.1.0",
-      "resolved": "https://registry.npmjs.org/@formatjs/fast-memoize/-/fast-memoize-3.1.0.tgz",
-      "integrity": "sha512-b5mvSWCI+XVKiz5WhnBCY3RJ4ZwfjAidU0yVlKa3d3MSgKmH1hC3tBGEAtYyN5mqL7N0G5x0BOUYyO8CEupWgg==",
-      "license": "MIT",
-      "dependencies": {
-        "tslib": "^2.8.1"
-      }
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/@formatjs/fast-memoize/-/fast-memoize-3.1.1.tgz",
+      "integrity": "sha512-CbNbf+tlJn1baRnPkNePnBqTLxGliG6DDgNa/UtV66abwIjwsliPMOt0172tzxABYzSuxZBZfcp//qI8AvBWPg==",
+      "license": "MIT"
     },
     "node_modules/@formatjs/intl-localematcher": {
-      "version": "0.8.1",
-      "resolved": "https://registry.npmjs.org/@formatjs/intl-localematcher/-/intl-localematcher-0.8.1.tgz",
-      "integrity": "sha512-xwEuwQFdtSq1UKtQnyTZWC+eHdv7Uygoa+H2k/9uzBVQjDyp9r20LNDNKedWXll7FssT3GRHvqsdJGYSUWqYFA==",
+      "version": "0.8.2",
+      "resolved": "https://registry.npmjs.org/@formatjs/intl-localematcher/-/intl-localematcher-0.8.2.tgz",
+      "integrity": "sha512-q05KMYGJLyqFNFtIb8NhWLF5X3aK/k0wYt7dnRFuy6aLQL+vUwQ1cg5cO4qawEiINybeCPXAWlprY2mSBjSXAQ==",
       "license": "MIT",
       "dependencies": {
-        "@formatjs/fast-memoize": "3.1.0",
-        "tslib": "^2.8.1"
+        "@formatjs/fast-memoize": "3.1.1"
       }
     },
     "node_modules/@fumadocs/tailwind": {
@@ -551,9 +711,9 @@
       }
     },
     "node_modules/@img/colour": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/@img/colour/-/colour-1.0.0.tgz",
-      "integrity": "sha512-A5P/LfWGFSl6nsckYtjw9da+19jB8hkJ6ACTGcDfEJ0aE+l2n2El7dsVM7UVHZQ9s2lmYMWlrS21YLy2IR1LUw==",
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/@img/colour/-/colour-1.1.0.tgz",
+      "integrity": "sha512-Td76q7j57o/tLVdgS746cYARfSyxk8iEfRxewL9h4OMzYhbW4TAcppl0mT4eyqXddh6L/jwoM75mo7ixa/pCeQ==",
       "license": "MIT",
       "optional": true,
       "engines": {
@@ -1104,15 +1264,15 @@
       }
     },
     "node_modules/@next/env": {
-      "version": "16.1.7",
-      "resolved": "https://registry.npmjs.org/@next/env/-/env-16.1.7.tgz",
-      "integrity": "sha512-rJJbIdJB/RQr2F1nylZr/PJzamvNNhfr3brdKP6s/GW850jbtR70QlSfFselvIBbcPUOlQwBakexjFzqLzF6pg==",
+      "version": "16.2.1",
+      "resolved": "https://registry.npmjs.org/@next/env/-/env-16.2.1.tgz",
+      "integrity": "sha512-n8P/HCkIWW+gVal2Z8XqXJ6aB3J0tuM29OcHpCsobWlChH/SITBs1DFBk/HajgrwDkqqBXPbuUuzgDvUekREPg==",
       "license": "MIT"
     },
     "node_modules/@next/swc-darwin-arm64": {
-      "version": "16.1.7",
-      "resolved": "https://registry.npmjs.org/@next/swc-darwin-arm64/-/swc-darwin-arm64-16.1.7.tgz",
-      "integrity": "sha512-b2wWIE8sABdyafc4IM8r5Y/dS6kD80JRtOGrUiKTsACFQfWWgUQ2NwoUX1yjFMXVsAwcQeNpnucF2ZrujsBBPg==",
+      "version": "16.2.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-darwin-arm64/-/swc-darwin-arm64-16.2.1.tgz",
+      "integrity": "sha512-BwZ8w8YTaSEr2HIuXLMLxIdElNMPvY9fLqb20LX9A9OMGtJilhHLbCL3ggyd0TwjmMcTxi0XXt+ur1vWUoxj2Q==",
       "cpu": [
         "arm64"
       ],
@@ -1126,9 +1286,9 @@
       }
     },
     "node_modules/@next/swc-darwin-x64": {
-      "version": "16.1.7",
-      "resolved": "https://registry.npmjs.org/@next/swc-darwin-x64/-/swc-darwin-x64-16.1.7.tgz",
-      "integrity": "sha512-zcnVaaZulS1WL0Ss38R5Q6D2gz7MtBu8GZLPfK+73D/hp4GFMrC2sudLky1QibfV7h6RJBJs/gOFvYP0X7UVlQ==",
+      "version": "16.2.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-darwin-x64/-/swc-darwin-x64-16.2.1.tgz",
+      "integrity": "sha512-/vrcE6iQSJq3uL3VGVHiXeaKbn8Es10DGTGRJnRZlkNQQk3kaNtAJg8Y6xuAlrx/6INKVjkfi5rY0iEXorZ6uA==",
       "cpu": [
         "x64"
       ],
@@ -1142,9 +1302,9 @@
       }
     },
     "node_modules/@next/swc-linux-arm64-gnu": {
-      "version": "16.1.7",
-      "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-gnu/-/swc-linux-arm64-gnu-16.1.7.tgz",
-      "integrity": "sha512-2ant89Lux/Q3VyC8vNVg7uBaFVP9SwoK2jJOOR0L8TQnX8CAYnh4uctAScy2Hwj2dgjVHqHLORQZJ2wH6VxhSQ==",
+      "version": "16.2.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-gnu/-/swc-linux-arm64-gnu-16.2.1.tgz",
+      "integrity": "sha512-uLn+0BK+C31LTVbQ/QU+UaVrV0rRSJQ8RfniQAHPghDdgE+SlroYqcmFnO5iNjNfVWCyKZHYrs3Nl0mUzWxbBw==",
       "cpu": [
         "arm64"
       ],
@@ -1158,9 +1318,9 @@
       }
     },
     "node_modules/@next/swc-linux-arm64-musl": {
-      "version": "16.1.7",
-      "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-musl/-/swc-linux-arm64-musl-16.1.7.tgz",
-      "integrity": "sha512-uufcze7LYv0FQg9GnNeZ3/whYfo+1Q3HnQpm16o6Uyi0OVzLlk2ZWoY7j07KADZFY8qwDbsmFnMQP3p3+Ftprw==",
+      "version": "16.2.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-musl/-/swc-linux-arm64-musl-16.2.1.tgz",
+      "integrity": "sha512-ssKq6iMRnHdnycGp9hCuGnXJZ0YPr4/wNwrfE5DbmvEcgl9+yv97/Kq3TPVDfYome1SW5geciLB9aiEqKXQjlQ==",
       "cpu": [
         "arm64"
       ],
@@ -1174,9 +1334,9 @@
       }
     },
     "node_modules/@next/swc-linux-x64-gnu": {
-      "version": "16.1.7",
-      "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-gnu/-/swc-linux-x64-gnu-16.1.7.tgz",
-      "integrity": "sha512-KWVf2gxYvHtvuT+c4MBOGxuse5TD7DsMFYSxVxRBnOzok/xryNeQSjXgxSv9QpIVlaGzEn/pIuI6Koosx8CGWA==",
+      "version": "16.2.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-gnu/-/swc-linux-x64-gnu-16.2.1.tgz",
+      "integrity": "sha512-HQm7SrHRELJ30T1TSmT706IWovFFSRGxfgUkyWJZF/RKBMdbdRWJuFrcpDdE5vy9UXjFOx6L3mRdqH04Mmx0hg==",
       "cpu": [
         "x64"
       ],
@@ -1190,9 +1350,9 @@
       }
     },
     "node_modules/@next/swc-linux-x64-musl": {
-      "version": "16.1.7",
-      "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-musl/-/swc-linux-x64-musl-16.1.7.tgz",
-      "integrity": "sha512-HguhaGwsGr1YAGs68uRKc4aGWxLET+NevJskOcCAwXbwj0fYX0RgZW2gsOCzr9S11CSQPIkxmoSbuVaBp4Z3dA==",
+      "version": "16.2.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-musl/-/swc-linux-x64-musl-16.2.1.tgz",
+      "integrity": "sha512-aV2iUaC/5HGEpbBkE+4B8aHIudoOy5DYekAKOMSHoIYQ66y/wIVeaRx8MS2ZMdxe/HIXlMho4ubdZs/J8441Tg==",
       "cpu": [
         "x64"
       ],
@@ -1206,9 +1366,9 @@
       }
     },
     "node_modules/@next/swc-win32-arm64-msvc": {
-      "version": "16.1.7",
-      "resolved": "https://registry.npmjs.org/@next/swc-win32-arm64-msvc/-/swc-win32-arm64-msvc-16.1.7.tgz",
-      "integrity": "sha512-S0n3KrDJokKTeFyM/vGGGR8+pCmXYrjNTk2ZozOL1C/JFdfUIL9O1ATaJOl5r2POe56iRChbsszrjMAdWSv7kQ==",
+      "version": "16.2.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-win32-arm64-msvc/-/swc-win32-arm64-msvc-16.2.1.tgz",
+      "integrity": "sha512-IXdNgiDHaSk0ZUJ+xp0OQTdTgnpx1RCfRTalhn3cjOP+IddTMINwA7DXZrwTmGDO8SUr5q2hdP/du4DcrB1GxA==",
       "cpu": [
         "arm64"
       ],
@@ -1222,9 +1382,9 @@
       }
     },
     "node_modules/@next/swc-win32-x64-msvc": {
-      "version": "16.1.7",
-      "resolved": "https://registry.npmjs.org/@next/swc-win32-x64-msvc/-/swc-win32-x64-msvc-16.1.7.tgz",
-      "integrity": "sha512-mwgtg8CNZGYm06LeEd+bNnOUfwOyNem/rOiP14Lsz+AnUY92Zq/LXwtebtUiaeVkhbroRCQ0c8GlR4UT1U+0yg==",
+      "version": "16.2.1",
+      "resolved": "https://registry.npmjs.org/@next/swc-win32-x64-msvc/-/swc-win32-x64-msvc-16.2.1.tgz",
+      "integrity": "sha512-qvU+3a39Hay+ieIztkGSbF7+mccbbg1Tk25hc4JDylf8IHjYmY/Zm64Qq1602yPyQqvie+vf5T/uPwNxDNIoeg==",
       "cpu": [
         "x64"
       ],
@@ -2203,49 +2363,49 @@
       }
     },
     "node_modules/@tailwindcss/node": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/node/-/node-4.2.1.tgz",
-      "integrity": "sha512-jlx6sLk4EOwO6hHe1oCGm1Q4AN/s0rSrTTPBGPM0/RQ6Uylwq17FuU8IeJJKEjtc6K6O07zsvP+gDO6MMWo7pg==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/node/-/node-4.2.2.tgz",
+      "integrity": "sha512-pXS+wJ2gZpVXqFaUEjojq7jzMpTGf8rU6ipJz5ovJV6PUGmlJ+jvIwGrzdHdQ80Sg+wmQxUFuoW1UAAwHNEdFA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@jridgewell/remapping": "^2.3.5",
         "enhanced-resolve": "^5.19.0",
         "jiti": "^2.6.1",
-        "lightningcss": "1.31.1",
+        "lightningcss": "1.32.0",
         "magic-string": "^0.30.21",
         "source-map-js": "^1.2.1",
-        "tailwindcss": "4.2.1"
+        "tailwindcss": "4.2.2"
       }
     },
     "node_modules/@tailwindcss/oxide": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide/-/oxide-4.2.1.tgz",
-      "integrity": "sha512-yv9jeEFWnjKCI6/T3Oq50yQEOqmpmpfzG1hcZsAOaXFQPfzWprWrlHSdGPEF3WQTi8zu8ohC9Mh9J470nT5pUw==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide/-/oxide-4.2.2.tgz",
+      "integrity": "sha512-qEUA07+E5kehxYp9BVMpq9E8vnJuBHfJEC0vPC5e7iL/hw7HR61aDKoVoKzrG+QKp56vhNZe4qwkRmMC0zDLvg==",
       "dev": true,
       "license": "MIT",
       "engines": {
         "node": ">= 20"
       },
       "optionalDependencies": {
-        "@tailwindcss/oxide-android-arm64": "4.2.1",
-        "@tailwindcss/oxide-darwin-arm64": "4.2.1",
-        "@tailwindcss/oxide-darwin-x64": "4.2.1",
-        "@tailwindcss/oxide-freebsd-x64": "4.2.1",
-        "@tailwindcss/oxide-linux-arm-gnueabihf": "4.2.1",
-        "@tailwindcss/oxide-linux-arm64-gnu": "4.2.1",
-        "@tailwindcss/oxide-linux-arm64-musl": "4.2.1",
-        "@tailwindcss/oxide-linux-x64-gnu": "4.2.1",
-        "@tailwindcss/oxide-linux-x64-musl": "4.2.1",
-        "@tailwindcss/oxide-wasm32-wasi": "4.2.1",
-        "@tailwindcss/oxide-win32-arm64-msvc": "4.2.1",
-        "@tailwindcss/oxide-win32-x64-msvc": "4.2.1"
+        "@tailwindcss/oxide-android-arm64": "4.2.2",
+        "@tailwindcss/oxide-darwin-arm64": "4.2.2",
+        "@tailwindcss/oxide-darwin-x64": "4.2.2",
+        "@tailwindcss/oxide-freebsd-x64": "4.2.2",
+        "@tailwindcss/oxide-linux-arm-gnueabihf": "4.2.2",
+        "@tailwindcss/oxide-linux-arm64-gnu": "4.2.2",
+        "@tailwindcss/oxide-linux-arm64-musl": "4.2.2",
+        "@tailwindcss/oxide-linux-x64-gnu": "4.2.2",
+        "@tailwindcss/oxide-linux-x64-musl": "4.2.2",
+        "@tailwindcss/oxide-wasm32-wasi": "4.2.2",
+        "@tailwindcss/oxide-win32-arm64-msvc": "4.2.2",
+        "@tailwindcss/oxide-win32-x64-msvc": "4.2.2"
       }
     },
     "node_modules/@tailwindcss/oxide-android-arm64": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-android-arm64/-/oxide-android-arm64-4.2.1.tgz",
-      "integrity": "sha512-eZ7G1Zm5EC8OOKaesIKuw77jw++QJ2lL9N+dDpdQiAB/c/B2wDh0QPFHbkBVrXnwNugvrbJFk1gK2SsVjwWReg==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-android-arm64/-/oxide-android-arm64-4.2.2.tgz",
+      "integrity": "sha512-dXGR1n+P3B6748jZO/SvHZq7qBOqqzQ+yFrXpoOWWALWndF9MoSKAT3Q0fYgAzYzGhxNYOoysRvYlpixRBBoDg==",
       "cpu": [
         "arm64"
       ],
@@ -2260,9 +2420,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-darwin-arm64": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-darwin-arm64/-/oxide-darwin-arm64-4.2.1.tgz",
-      "integrity": "sha512-q/LHkOstoJ7pI1J0q6djesLzRvQSIfEto148ppAd+BVQK0JYjQIFSK3JgYZJa+Yzi0DDa52ZsQx2rqytBnf8Hw==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-darwin-arm64/-/oxide-darwin-arm64-4.2.2.tgz",
+      "integrity": "sha512-iq9Qjr6knfMpZHj55/37ouZeykwbDqF21gPFtfnhCCKGDcPI/21FKC9XdMO/XyBM7qKORx6UIhGgg6jLl7BZlg==",
       "cpu": [
         "arm64"
       ],
@@ -2277,9 +2437,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-darwin-x64": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-darwin-x64/-/oxide-darwin-x64-4.2.1.tgz",
-      "integrity": "sha512-/f/ozlaXGY6QLbpvd/kFTro2l18f7dHKpB+ieXz+Cijl4Mt9AI2rTrpq7V+t04nK+j9XBQHnSMdeQRhbGyt6fw==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-darwin-x64/-/oxide-darwin-x64-4.2.2.tgz",
+      "integrity": "sha512-BlR+2c3nzc8f2G639LpL89YY4bdcIdUmiOOkv2GQv4/4M0vJlpXEa0JXNHhCHU7VWOKWT/CjqHdTP8aUuDJkuw==",
       "cpu": [
         "x64"
       ],
@@ -2294,9 +2454,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-freebsd-x64": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-freebsd-x64/-/oxide-freebsd-x64-4.2.1.tgz",
-      "integrity": "sha512-5e/AkgYJT/cpbkys/OU2Ei2jdETCLlifwm7ogMC7/hksI2fC3iiq6OcXwjibcIjPung0kRtR3TxEITkqgn0TcA==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-freebsd-x64/-/oxide-freebsd-x64-4.2.2.tgz",
+      "integrity": "sha512-YUqUgrGMSu2CDO82hzlQ5qSb5xmx3RUrke/QgnoEx7KvmRJHQuZHZmZTLSuuHwFf0DJPybFMXMYf+WJdxHy/nQ==",
       "cpu": [
         "x64"
       ],
@@ -2311,9 +2471,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-linux-arm-gnueabihf": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm-gnueabihf/-/oxide-linux-arm-gnueabihf-4.2.1.tgz",
-      "integrity": "sha512-Uny1EcVTTmerCKt/1ZuKTkb0x8ZaiuYucg2/kImO5A5Y/kBz41/+j0gxUZl+hTF3xkWpDmHX+TaWhOtba2Fyuw==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm-gnueabihf/-/oxide-linux-arm-gnueabihf-4.2.2.tgz",
+      "integrity": "sha512-FPdhvsW6g06T9BWT0qTwiVZYE2WIFo2dY5aCSpjG/S/u1tby+wXoslXS0kl3/KXnULlLr1E3NPRRw0g7t2kgaQ==",
       "cpu": [
         "arm"
       ],
@@ -2328,9 +2488,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-linux-arm64-gnu": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm64-gnu/-/oxide-linux-arm64-gnu-4.2.1.tgz",
-      "integrity": "sha512-CTrwomI+c7n6aSSQlsPL0roRiNMDQ/YzMD9EjcR+H4f0I1SQ8QqIuPnsVp7QgMkC1Qi8rtkekLkOFjo7OlEFRQ==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm64-gnu/-/oxide-linux-arm64-gnu-4.2.2.tgz",
+      "integrity": "sha512-4og1V+ftEPXGttOO7eCmW7VICmzzJWgMx+QXAJRAhjrSjumCwWqMfkDrNu1LXEQzNAwz28NCUpucgQPrR4S2yw==",
       "cpu": [
         "arm64"
       ],
@@ -2345,9 +2505,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-linux-arm64-musl": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm64-musl/-/oxide-linux-arm64-musl-4.2.1.tgz",
-      "integrity": "sha512-WZA0CHRL/SP1TRbA5mp9htsppSEkWuQ4KsSUumYQnyl8ZdT39ntwqmz4IUHGN6p4XdSlYfJwM4rRzZLShHsGAQ==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm64-musl/-/oxide-linux-arm64-musl-4.2.2.tgz",
+      "integrity": "sha512-oCfG/mS+/+XRlwNjnsNLVwnMWYH7tn/kYPsNPh+JSOMlnt93mYNCKHYzylRhI51X+TbR+ufNhhKKzm6QkqX8ag==",
       "cpu": [
         "arm64"
       ],
@@ -2362,9 +2522,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-linux-x64-gnu": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-x64-gnu/-/oxide-linux-x64-gnu-4.2.1.tgz",
-      "integrity": "sha512-qMFzxI2YlBOLW5PhblzuSWlWfwLHaneBE0xHzLrBgNtqN6mWfs+qYbhryGSXQjFYB1Dzf5w+LN5qbUTPhW7Y5g==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-x64-gnu/-/oxide-linux-x64-gnu-4.2.2.tgz",
+      "integrity": "sha512-rTAGAkDgqbXHNp/xW0iugLVmX62wOp2PoE39BTCGKjv3Iocf6AFbRP/wZT/kuCxC9QBh9Pu8XPkv/zCZB2mcMg==",
       "cpu": [
         "x64"
       ],
@@ -2379,9 +2539,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-linux-x64-musl": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-x64-musl/-/oxide-linux-x64-musl-4.2.1.tgz",
-      "integrity": "sha512-5r1X2FKnCMUPlXTWRYpHdPYUY6a1Ar/t7P24OuiEdEOmms5lyqjDRvVY1yy9Rmioh+AunQ0rWiOTPE8F9A3v5g==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-x64-musl/-/oxide-linux-x64-musl-4.2.2.tgz",
+      "integrity": "sha512-XW3t3qwbIwiSyRCggeO2zxe3KWaEbM0/kW9e8+0XpBgyKU4ATYzcVSMKteZJ1iukJ3HgHBjbg9P5YPRCVUxlnQ==",
       "cpu": [
         "x64"
       ],
@@ -2396,9 +2556,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-wasm32-wasi": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-wasm32-wasi/-/oxide-wasm32-wasi-4.2.1.tgz",
-      "integrity": "sha512-MGFB5cVPvshR85MTJkEvqDUnuNoysrsRxd6vnk1Lf2tbiqNlXpHYZqkqOQalydienEWOHHFyyuTSYRsLfxFJ2Q==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-wasm32-wasi/-/oxide-wasm32-wasi-4.2.2.tgz",
+      "integrity": "sha512-eKSztKsmEsn1O5lJ4ZAfyn41NfG7vzCg496YiGtMDV86jz1q/irhms5O0VrY6ZwTUkFy/EKG3RfWgxSI3VbZ8Q==",
       "bundleDependencies": [
         "@napi-rs/wasm-runtime",
         "@emnapi/core",
@@ -2426,9 +2586,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-win32-arm64-msvc": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-arm64-msvc/-/oxide-win32-arm64-msvc-4.2.1.tgz",
-      "integrity": "sha512-YlUEHRHBGnCMh4Nj4GnqQyBtsshUPdiNroZj8VPkvTZSoHsilRCwXcVKnG9kyi0ZFAS/3u+qKHBdDc81SADTRA==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-arm64-msvc/-/oxide-win32-arm64-msvc-4.2.2.tgz",
+      "integrity": "sha512-qPmaQM4iKu5mxpsrWZMOZRgZv1tOZpUm+zdhhQP0VhJfyGGO3aUKdbh3gDZc/dPLQwW4eSqWGrrcWNBZWUWaXQ==",
       "cpu": [
         "arm64"
       ],
@@ -2443,9 +2603,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-win32-x64-msvc": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-x64-msvc/-/oxide-win32-x64-msvc-4.2.1.tgz",
-      "integrity": "sha512-rbO34G5sMWWyrN/idLeVxAZgAKWrn5LiR3/I90Q9MkA67s6T1oB0xtTe+0heoBvHSpbU9Mk7i6uwJnpo4u21XQ==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-x64-msvc/-/oxide-win32-x64-msvc-4.2.2.tgz",
+      "integrity": "sha512-1T/37VvI7WyH66b+vqHj/cLwnCxt7Qt3WFu5Q8hk65aOvlwAhs7rAp1VkulBJw/N4tMirXjVnylTR72uI0HGcA==",
       "cpu": [
         "x64"
       ],
@@ -2460,23 +2620,23 @@
       }
     },
     "node_modules/@tailwindcss/postcss": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/postcss/-/postcss-4.2.1.tgz",
-      "integrity": "sha512-OEwGIBnXnj7zJeonOh6ZG9woofIjGrd2BORfvE5p9USYKDCZoQmfqLcfNiRWoJlRWLdNPn2IgVZuWAOM4iTYMw==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/postcss/-/postcss-4.2.2.tgz",
+      "integrity": "sha512-n4goKQbW8RVXIbNKRB/45LzyUqN451deQK0nzIeauVEqjlI49slUlgKYJM2QyUzap/PcpnS7kzSUmPb1sCRvYQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@alloc/quick-lru": "^5.2.0",
-        "@tailwindcss/node": "4.2.1",
-        "@tailwindcss/oxide": "4.2.1",
+        "@tailwindcss/node": "4.2.2",
+        "@tailwindcss/oxide": "4.2.2",
         "postcss": "^8.5.6",
-        "tailwindcss": "4.2.1"
+        "tailwindcss": "4.2.2"
       }
     },
     "node_modules/@types/debug": {
-      "version": "4.1.12",
-      "resolved": "https://registry.npmjs.org/@types/debug/-/debug-4.1.12.tgz",
-      "integrity": "sha512-vIChWdVG3LG1SMxEvI/AK+FWJthlrqlTu7fbrlywTkkaONwk/UAGaULXRlf8vkzFBLVm0zkMdCquhL5aOjhXPQ==",
+      "version": "4.1.13",
+      "resolved": "https://registry.npmjs.org/@types/debug/-/debug-4.1.13.tgz",
+      "integrity": "sha512-KSVgmQmzMwPlmtljOomayoR89W4FynCAi3E8PPs7vmDVPe84hT+vGPKkJfThkmXs0x0jAaa9U8uW8bbfyS2fWw==",
       "license": "MIT",
       "dependencies": {
         "@types/ms": "*"
@@ -2708,9 +2868,9 @@
       }
     },
     "node_modules/baseline-browser-mapping": {
-      "version": "2.10.0",
-      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.0.tgz",
-      "integrity": "sha512-lIyg0szRfYbiy67j9KN8IyeD7q7hcmqnJ1ddWmNt19ItGpNN64mnllmxUNFIOdOm6by97jlL6wfpTTJrmnjWAA==",
+      "version": "2.10.11",
+      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.11.tgz",
+      "integrity": "sha512-DAKrHphkJyiGuau/cFieRYhcTFeK/lBuD++C7cZ6KZHbMhBrisoi+EvhQ5RZrIfV5qwsW8kgQ07JIC+MDJRAhg==",
       "license": "Apache-2.0",
       "bin": {
         "baseline-browser-mapping": "dist/cli.cjs"
@@ -2720,9 +2880,9 @@
       }
     },
     "node_modules/caniuse-lite": {
-      "version": "1.0.30001774",
-      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001774.tgz",
-      "integrity": "sha512-DDdwPGz99nmIEv216hKSgLD+D4ikHQHjBC/seF98N9CPqRX4M5mSxT9eTV6oyisnJcuzxtZy4n17yKKQYmYQOA==",
+      "version": "1.0.30001781",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001781.tgz",
+      "integrity": "sha512-RdwNCyMsNBftLjW6w01z8bKEvT6e/5tpPVEgtn22TiLGlstHOVecsX2KHFkD5e/vRnIE4EGzpuIODb3mtswtkw==",
       "funding": [
         {
           "type": "opencollective",
@@ -2945,9 +3105,9 @@
       }
     },
     "node_modules/enhanced-resolve": {
-      "version": "5.20.0",
-      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.20.0.tgz",
-      "integrity": "sha512-/ce7+jQ1PQ6rVXwe+jKEg5hW5ciicHwIQUagZkp6IufBoY3YDgdTTY1azVs0qoRgVmvsNB+rbjLJxDAeHHtwsQ==",
+      "version": "5.20.1",
+      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.20.1.tgz",
+      "integrity": "sha512-Qohcme7V1inbAfvjItgw0EaxVX5q2rdVEZHRBrEQdRZTssLDGsL8Lwrznl8oQ/6kuTJONLaDcGjkNP247XEhcA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -3003,9 +3163,9 @@
       }
     },
     "node_modules/esbuild": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.3.tgz",
-      "integrity": "sha512-8VwMnyGCONIs6cWue2IdpHxHnAjzxnw2Zr7MkVxB2vjmQ2ivqGFb4LEG3SMnv0Gb2F/G/2yA8zUaiL1gywDCCg==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.4.tgz",
+      "integrity": "sha512-Rq4vbHnYkK5fws5NF7MYTU68FPRE1ajX7heQ/8QXXWqNgqqJ/GkmmyxIzUnf2Sr/bakf8l54716CcMGHYhMrrQ==",
       "hasInstallScript": true,
       "license": "MIT",
       "bin": {
@@ -3015,32 +3175,32 @@
         "node": ">=18"
       },
       "optionalDependencies": {
-        "@esbuild/aix-ppc64": "0.27.3",
-        "@esbuild/android-arm": "0.27.3",
-        "@esbuild/android-arm64": "0.27.3",
-        "@esbuild/android-x64": "0.27.3",
-        "@esbuild/darwin-arm64": "0.27.3",
-        "@esbuild/darwin-x64": "0.27.3",
-        "@esbuild/freebsd-arm64": "0.27.3",
-        "@esbuild/freebsd-x64": "0.27.3",
-        "@esbuild/linux-arm": "0.27.3",
-        "@esbuild/linux-arm64": "0.27.3",
-        "@esbuild/linux-ia32": "0.27.3",
-        "@esbuild/linux-loong64": "0.27.3",
-        "@esbuild/linux-mips64el": "0.27.3",
-        "@esbuild/linux-ppc64": "0.27.3",
-        "@esbuild/linux-riscv64": "0.27.3",
-        "@esbuild/linux-s390x": "0.27.3",
-        "@esbuild/linux-x64": "0.27.3",
-        "@esbuild/netbsd-arm64": "0.27.3",
-        "@esbuild/netbsd-x64": "0.27.3",
-        "@esbuild/openbsd-arm64": "0.27.3",
-        "@esbuild/openbsd-x64": "0.27.3",
-        "@esbuild/openharmony-arm64": "0.27.3",
-        "@esbuild/sunos-x64": "0.27.3",
-        "@esbuild/win32-arm64": "0.27.3",
-        "@esbuild/win32-ia32": "0.27.3",
-        "@esbuild/win32-x64": "0.27.3"
+        "@esbuild/aix-ppc64": "0.27.4",
+        "@esbuild/android-arm": "0.27.4",
+        "@esbuild/android-arm64": "0.27.4",
+        "@esbuild/android-x64": "0.27.4",
+        "@esbuild/darwin-arm64": "0.27.4",
+        "@esbuild/darwin-x64": "0.27.4",
+        "@esbuild/freebsd-arm64": "0.27.4",
+        "@esbuild/freebsd-x64": "0.27.4",
+        "@esbuild/linux-arm": "0.27.4",
+        "@esbuild/linux-arm64": "0.27.4",
+        "@esbuild/linux-ia32": "0.27.4",
+        "@esbuild/linux-loong64": "0.27.4",
+        "@esbuild/linux-mips64el": "0.27.4",
+        "@esbuild/linux-ppc64": "0.27.4",
+        "@esbuild/linux-riscv64": "0.27.4",
+        "@esbuild/linux-s390x": "0.27.4",
+        "@esbuild/linux-x64": "0.27.4",
+        "@esbuild/netbsd-arm64": "0.27.4",
+        "@esbuild/netbsd-x64": "0.27.4",
+        "@esbuild/openbsd-arm64": "0.27.4",
+        "@esbuild/openbsd-x64": "0.27.4",
+        "@esbuild/openharmony-arm64": "0.27.4",
+        "@esbuild/sunos-x64": "0.27.4",
+        "@esbuild/win32-arm64": "0.27.4",
+        "@esbuild/win32-ia32": "0.27.4",
+        "@esbuild/win32-x64": "0.27.4"
       }
     },
     "node_modules/escape-string-regexp": {
@@ -3209,12 +3369,12 @@
       }
     },
     "node_modules/fumadocs-core": {
-      "version": "16.6.17",
-      "resolved": "https://registry.npmjs.org/fumadocs-core/-/fumadocs-core-16.6.17.tgz",
-      "integrity": "sha512-ssHz9a7+ZZSkHjB4/sfHq9rO2fPW8jtw2fPeDVzkPJd34DqOPbxuaP0TQ6CEs1Pei99Fky9CzE8ENS3H8WFxnQ==",
+      "version": "16.7.6",
+      "resolved": "https://registry.npmjs.org/fumadocs-core/-/fumadocs-core-16.7.6.tgz",
+      "integrity": "sha512-d4HtGupFpcSWQqLbWh184yoEg6D70pH68NP77Ct4mI0N61t/Uy63wYj9sbS1h/m6jlijUIXC6rz8D5JApOB9Wg==",
       "license": "MIT",
       "dependencies": {
-        "@formatjs/intl-localematcher": "^0.8.1",
+        "@formatjs/intl-localematcher": "^0.8.2",
         "@orama/orama": "^3.1.18",
         "@shikijs/rehype": "^4.0.2",
         "@shikijs/transformers": "^4.0.2",
@@ -3316,9 +3476,9 @@
       }
     },
     "node_modules/fumadocs-mdx": {
-      "version": "14.2.10",
-      "resolved": "https://registry.npmjs.org/fumadocs-mdx/-/fumadocs-mdx-14.2.10.tgz",
-      "integrity": "sha512-0gITZiJb92c7xJwSMdcGBEY2+pFcRvklSNwxIAMTy4gjnuLZANjaXKw+qJ6E5+s9dO0IGlimHv5zyMYLjReg0w==",
+      "version": "14.2.11",
+      "resolved": "https://registry.npmjs.org/fumadocs-mdx/-/fumadocs-mdx-14.2.11.tgz",
+      "integrity": "sha512-j0gHKs45c62ARteE8/yBM2Nu2I8AE2Cs37ktPEdc/8EX7TL66XP74un5OpHp6itLyWTu8Jur0imOiiIDq8+rDg==",
       "license": "MIT",
       "dependencies": {
         "@mdx-js/mdx": "^3.1.1",
@@ -3331,7 +3491,7 @@
         "mdast-util-to-markdown": "^2.1.2",
         "picocolors": "^1.1.1",
         "picomatch": "^4.0.3",
-        "tinyexec": "^1.0.2",
+        "tinyexec": "^1.0.4",
         "tinyglobby": "^0.2.15",
         "unified": "^11.0.5",
         "unist-util-remove-position": "^5.0.0",
@@ -3381,9 +3541,9 @@
       }
     },
     "node_modules/fumadocs-ui": {
-      "version": "16.6.17",
-      "resolved": "https://registry.npmjs.org/fumadocs-ui/-/fumadocs-ui-16.6.17.tgz",
-      "integrity": "sha512-RLr1Dsujq3YoOEi4cLu52mZkT8fBJUl1rq4DtVoQWhvk20WYl1aDxlBhMr4guAvG5Malwh6Vy1QJ5KbE/k2E6w==",
+      "version": "16.7.6",
+      "resolved": "https://registry.npmjs.org/fumadocs-ui/-/fumadocs-ui-16.7.6.tgz",
+      "integrity": "sha512-wjZnm8SiX2lj5zWOlOHnzSZ0YBFwNqYGBX1u5F3mZtdIkmkDVs+3+JngCkRHNZzYJVBulXjp8t5wzBz0yDJa8w==",
       "license": "MIT",
       "dependencies": {
         "@fumadocs/tailwind": "0.0.3",
@@ -3398,8 +3558,8 @@
         "@radix-ui/react-slot": "^1.2.4",
         "@radix-ui/react-tabs": "^1.1.13",
         "class-variance-authority": "^0.7.1",
-        "lucide-react": "^0.577.0",
-        "motion": "^12.36.0",
+        "lucide-react": "^1.6.0",
+        "motion": "^12.38.0",
         "next-themes": "^0.4.6",
         "react-medium-image-zoom": "^5.4.1",
         "react-remove-scroll": "^2.7.2",
@@ -3412,10 +3572,11 @@
         "@takumi-rs/image-response": "*",
         "@types/mdx": "*",
         "@types/react": "*",
-        "fumadocs-core": "16.6.17",
+        "fumadocs-core": "16.7.6",
         "next": "16.x.x",
         "react": "^19.2.0",
-        "react-dom": "^19.2.0"
+        "react-dom": "^19.2.0",
+        "shiki": "*"
       },
       "peerDependenciesMeta": {
         "@takumi-rs/image-response": {
@@ -3429,9 +3590,21 @@
         },
         "next": {
           "optional": true
+        },
+        "shiki": {
+          "optional": true
         }
       }
     },
+    "node_modules/fumadocs-ui/node_modules/lucide-react": {
+      "version": "1.7.0",
+      "resolved": "https://registry.npmjs.org/lucide-react/-/lucide-react-1.7.0.tgz",
+      "integrity": "sha512-yI7BeItCLZJTXikmK4KNUGCKoGzSvbKlfCvw44bU4fXAL6v3gYS4uHD1jzsLkfwODYwI6Drw5Tu9Z5ulDe0TSg==",
+      "license": "ISC",
+      "peerDependencies": {
+        "react": "^16.5.1 || ^17.0.0 || ^18.0.0 || ^19.0.0"
+      }
+    },
     "node_modules/get-nonce": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/get-nonce/-/get-nonce-1.0.1.tgz",
@@ -3922,9 +4095,9 @@
       ]
     },
     "node_modules/lightningcss": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss/-/lightningcss-1.31.1.tgz",
-      "integrity": "sha512-l51N2r93WmGUye3WuFoN5k10zyvrVs0qfKBhyC5ogUQ6Ew6JUSswh78mbSO+IU3nTWsyOArqPCcShdQSadghBQ==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss/-/lightningcss-1.32.0.tgz",
+      "integrity": "sha512-NXYBzinNrblfraPGyrbPoD19C1h9lfI/1mzgWYvXUTe414Gz/X1FD2XBZSZM7rRTrMA8JL3OtAaGifrIKhQ5yQ==",
       "dev": true,
       "license": "MPL-2.0",
       "dependencies": {
@@ -3938,23 +4111,23 @@
         "url": "https://opencollective.com/parcel"
       },
       "optionalDependencies": {
-        "lightningcss-android-arm64": "1.31.1",
-        "lightningcss-darwin-arm64": "1.31.1",
-        "lightningcss-darwin-x64": "1.31.1",
-        "lightningcss-freebsd-x64": "1.31.1",
-        "lightningcss-linux-arm-gnueabihf": "1.31.1",
-        "lightningcss-linux-arm64-gnu": "1.31.1",
-        "lightningcss-linux-arm64-musl": "1.31.1",
-        "lightningcss-linux-x64-gnu": "1.31.1",
-        "lightningcss-linux-x64-musl": "1.31.1",
-        "lightningcss-win32-arm64-msvc": "1.31.1",
-        "lightningcss-win32-x64-msvc": "1.31.1"
+        "lightningcss-android-arm64": "1.32.0",
+        "lightningcss-darwin-arm64": "1.32.0",
+        "lightningcss-darwin-x64": "1.32.0",
+        "lightningcss-freebsd-x64": "1.32.0",
+        "lightningcss-linux-arm-gnueabihf": "1.32.0",
+        "lightningcss-linux-arm64-gnu": "1.32.0",
+        "lightningcss-linux-arm64-musl": "1.32.0",
+        "lightningcss-linux-x64-gnu": "1.32.0",
+        "lightningcss-linux-x64-musl": "1.32.0",
+        "lightningcss-win32-arm64-msvc": "1.32.0",
+        "lightningcss-win32-x64-msvc": "1.32.0"
       }
     },
     "node_modules/lightningcss-android-arm64": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-android-arm64/-/lightningcss-android-arm64-1.31.1.tgz",
-      "integrity": "sha512-HXJF3x8w9nQ4jbXRiNppBCqeZPIAfUo8zE/kOEGbW5NZvGc/K7nMxbhIr+YlFlHW5mpbg/YFPdbnCh1wAXCKFg==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-android-arm64/-/lightningcss-android-arm64-1.32.0.tgz",
+      "integrity": "sha512-YK7/ClTt4kAK0vo6w3X+Pnm0D2cf2vPHbhOXdoNti1Ga0al1P4TBZhwjATvjNwLEBCnKvjJc2jQgHXH0NEwlAg==",
       "cpu": [
         "arm64"
       ],
@@ -3973,9 +4146,9 @@
       }
     },
     "node_modules/lightningcss-darwin-arm64": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-darwin-arm64/-/lightningcss-darwin-arm64-1.31.1.tgz",
-      "integrity": "sha512-02uTEqf3vIfNMq3h/z2cJfcOXnQ0GRwQrkmPafhueLb2h7mqEidiCzkE4gBMEH65abHRiQvhdcQ+aP0D0g67sg==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-darwin-arm64/-/lightningcss-darwin-arm64-1.32.0.tgz",
+      "integrity": "sha512-RzeG9Ju5bag2Bv1/lwlVJvBE3q6TtXskdZLLCyfg5pt+HLz9BqlICO7LZM7VHNTTn/5PRhHFBSjk5lc4cmscPQ==",
       "cpu": [
         "arm64"
       ],
@@ -3994,9 +4167,9 @@
       }
     },
     "node_modules/lightningcss-darwin-x64": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-darwin-x64/-/lightningcss-darwin-x64-1.31.1.tgz",
-      "integrity": "sha512-1ObhyoCY+tGxtsz1lSx5NXCj3nirk0Y0kB/g8B8DT+sSx4G9djitg9ejFnjb3gJNWo7qXH4DIy2SUHvpoFwfTA==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-darwin-x64/-/lightningcss-darwin-x64-1.32.0.tgz",
+      "integrity": "sha512-U+QsBp2m/s2wqpUYT/6wnlagdZbtZdndSmut/NJqlCcMLTWp5muCrID+K5UJ6jqD2BFshejCYXniPDbNh73V8w==",
       "cpu": [
         "x64"
       ],
@@ -4015,9 +4188,9 @@
       }
     },
     "node_modules/lightningcss-freebsd-x64": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-freebsd-x64/-/lightningcss-freebsd-x64-1.31.1.tgz",
-      "integrity": "sha512-1RINmQKAItO6ISxYgPwszQE1BrsVU5aB45ho6O42mu96UiZBxEXsuQ7cJW4zs4CEodPUioj/QrXW1r9pLUM74A==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-freebsd-x64/-/lightningcss-freebsd-x64-1.32.0.tgz",
+      "integrity": "sha512-JCTigedEksZk3tHTTthnMdVfGf61Fky8Ji2E4YjUTEQX14xiy/lTzXnu1vwiZe3bYe0q+SpsSH/CTeDXK6WHig==",
       "cpu": [
         "x64"
       ],
@@ -4036,9 +4209,9 @@
       }
     },
     "node_modules/lightningcss-linux-arm-gnueabihf": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm-gnueabihf/-/lightningcss-linux-arm-gnueabihf-1.31.1.tgz",
-      "integrity": "sha512-OOCm2//MZJ87CdDK62rZIu+aw9gBv4azMJuA8/KB74wmfS3lnC4yoPHm0uXZ/dvNNHmnZnB8XLAZzObeG0nS1g==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm-gnueabihf/-/lightningcss-linux-arm-gnueabihf-1.32.0.tgz",
+      "integrity": "sha512-x6rnnpRa2GL0zQOkt6rts3YDPzduLpWvwAF6EMhXFVZXD4tPrBkEFqzGowzCsIWsPjqSK+tyNEODUBXeeVHSkw==",
       "cpu": [
         "arm"
       ],
@@ -4057,9 +4230,9 @@
       }
     },
     "node_modules/lightningcss-linux-arm64-gnu": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-gnu/-/lightningcss-linux-arm64-gnu-1.31.1.tgz",
-      "integrity": "sha512-WKyLWztD71rTnou4xAD5kQT+982wvca7E6QoLpoawZ1gP9JM0GJj4Tp5jMUh9B3AitHbRZ2/H3W5xQmdEOUlLg==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-gnu/-/lightningcss-linux-arm64-gnu-1.32.0.tgz",
+      "integrity": "sha512-0nnMyoyOLRJXfbMOilaSRcLH3Jw5z9HDNGfT/gwCPgaDjnx0i8w7vBzFLFR1f6CMLKF8gVbebmkUN3fa/kQJpQ==",
       "cpu": [
         "arm64"
       ],
@@ -4078,9 +4251,9 @@
       }
     },
     "node_modules/lightningcss-linux-arm64-musl": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-musl/-/lightningcss-linux-arm64-musl-1.31.1.tgz",
-      "integrity": "sha512-mVZ7Pg2zIbe3XlNbZJdjs86YViQFoJSpc41CbVmKBPiGmC4YrfeOyz65ms2qpAobVd7WQsbW4PdsSJEMymyIMg==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-musl/-/lightningcss-linux-arm64-musl-1.32.0.tgz",
+      "integrity": "sha512-UpQkoenr4UJEzgVIYpI80lDFvRmPVg6oqboNHfoH4CQIfNA+HOrZ7Mo7KZP02dC6LjghPQJeBsvXhJod/wnIBg==",
       "cpu": [
         "arm64"
       ],
@@ -4099,9 +4272,9 @@
       }
     },
     "node_modules/lightningcss-linux-x64-gnu": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-linux-x64-gnu/-/lightningcss-linux-x64-gnu-1.31.1.tgz",
-      "integrity": "sha512-xGlFWRMl+0KvUhgySdIaReQdB4FNudfUTARn7q0hh/V67PVGCs3ADFjw+6++kG1RNd0zdGRlEKa+T13/tQjPMA==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-x64-gnu/-/lightningcss-linux-x64-gnu-1.32.0.tgz",
+      "integrity": "sha512-V7Qr52IhZmdKPVr+Vtw8o+WLsQJYCTd8loIfpDaMRWGUZfBOYEJeyJIkqGIDMZPwPx24pUMfwSxxI8phr/MbOA==",
       "cpu": [
         "x64"
       ],
@@ -4120,9 +4293,9 @@
       }
     },
     "node_modules/lightningcss-linux-x64-musl": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-linux-x64-musl/-/lightningcss-linux-x64-musl-1.31.1.tgz",
-      "integrity": "sha512-eowF8PrKHw9LpoZii5tdZwnBcYDxRw2rRCyvAXLi34iyeYfqCQNA9rmUM0ce62NlPhCvof1+9ivRaTY6pSKDaA==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-x64-musl/-/lightningcss-linux-x64-musl-1.32.0.tgz",
+      "integrity": "sha512-bYcLp+Vb0awsiXg/80uCRezCYHNg1/l3mt0gzHnWV9XP1W5sKa5/TCdGWaR/zBM2PeF/HbsQv/j2URNOiVuxWg==",
       "cpu": [
         "x64"
       ],
@@ -4141,9 +4314,9 @@
       }
     },
     "node_modules/lightningcss-win32-arm64-msvc": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-win32-arm64-msvc/-/lightningcss-win32-arm64-msvc-1.31.1.tgz",
-      "integrity": "sha512-aJReEbSEQzx1uBlQizAOBSjcmr9dCdL3XuC/6HLXAxmtErsj2ICo5yYggg1qOODQMtnjNQv2UHb9NpOuFtYe4w==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-win32-arm64-msvc/-/lightningcss-win32-arm64-msvc-1.32.0.tgz",
+      "integrity": "sha512-8SbC8BR40pS6baCM8sbtYDSwEVQd4JlFTOlaD3gWGHfThTcABnNDBda6eTZeqbofalIJhFx0qKzgHJmcPTnGdw==",
       "cpu": [
         "arm64"
       ],
@@ -4162,9 +4335,9 @@
       }
     },
     "node_modules/lightningcss-win32-x64-msvc": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-win32-x64-msvc/-/lightningcss-win32-x64-msvc-1.31.1.tgz",
-      "integrity": "sha512-I9aiFrbd7oYHwlnQDqr1Roz+fTz61oDDJX7n9tYF9FJymH1cIN1DtKw3iYt6b8WZgEjoNwVSncwF4wx/ZedMhw==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-win32-x64-msvc/-/lightningcss-win32-x64-msvc-1.32.0.tgz",
+      "integrity": "sha512-Amq9B/SoZYdDi1kFrojnoqPLxYhQ4Wo5XiL8EVJrVsB8ARoC1PWW6VGtT0WKCemjy8aC+louJnjS7U18x3b06Q==",
       "cpu": [
         "x64"
       ],
@@ -5312,12 +5485,12 @@
       }
     },
     "node_modules/next": {
-      "version": "16.1.7",
-      "resolved": "https://registry.npmjs.org/next/-/next-16.1.7.tgz",
-      "integrity": "sha512-WM0L7WrSvKwoLegLYr6V+mz+RIofqQgVAfHhMp9a88ms0cFX8iX9ew+snpWlSBwpkURJOUdvCEt3uLl3NNzvWg==",
+      "version": "16.2.1",
+      "resolved": "https://registry.npmjs.org/next/-/next-16.2.1.tgz",
+      "integrity": "sha512-VaChzNL7o9rbfdt60HUj8tev4m6d7iC1igAy157526+cJlXOQu5LzsBXNT+xaJnTP/k+utSX5vMv7m0G+zKH+Q==",
       "license": "MIT",
       "dependencies": {
-        "@next/env": "16.1.7",
+        "@next/env": "16.2.1",
         "@swc/helpers": "0.5.15",
         "baseline-browser-mapping": "^2.9.19",
         "caniuse-lite": "^1.0.30001579",
@@ -5331,15 +5504,15 @@
         "node": ">=20.9.0"
       },
       "optionalDependencies": {
-        "@next/swc-darwin-arm64": "16.1.7",
-        "@next/swc-darwin-x64": "16.1.7",
-        "@next/swc-linux-arm64-gnu": "16.1.7",
-        "@next/swc-linux-arm64-musl": "16.1.7",
-        "@next/swc-linux-x64-gnu": "16.1.7",
-        "@next/swc-linux-x64-musl": "16.1.7",
-        "@next/swc-win32-arm64-msvc": "16.1.7",
-        "@next/swc-win32-x64-msvc": "16.1.7",
-        "sharp": "^0.34.4"
+        "@next/swc-darwin-arm64": "16.2.1",
+        "@next/swc-darwin-x64": "16.2.1",
+        "@next/swc-linux-arm64-gnu": "16.2.1",
+        "@next/swc-linux-arm64-musl": "16.2.1",
+        "@next/swc-linux-x64-gnu": "16.2.1",
+        "@next/swc-linux-x64-musl": "16.2.1",
+        "@next/swc-win32-arm64-msvc": "16.2.1",
+        "@next/swc-win32-x64-msvc": "16.2.1",
+        "sharp": "^0.34.5"
       },
       "peerDependencies": {
         "@opentelemetry/api": "^1.1.0",
@@ -5469,9 +5642,9 @@
       }
     },
     "node_modules/path-to-regexp": {
-      "version": "8.3.0",
-      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.3.0.tgz",
-      "integrity": "sha512-7jdwVIRtsP8MYpdXSwOS0YdD0Du+qOoF/AEPIt88PcCFrZCzx41oxku1jD88hZBwbNUIEfpqvuhjFaMAqMTWnA==",
+      "version": "8.4.0",
+      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.4.0.tgz",
+      "integrity": "sha512-PuseHIvAnz3bjrM2rGJtSgo1zjgxapTLZ7x2pjhzWwlp4SJQgK3f3iZIQwkpEnBaKz6seKBADpM4B4ySkuYypg==",
       "license": "MIT",
       "funding": {
         "type": "opencollective",
@@ -5485,9 +5658,9 @@
       "license": "ISC"
     },
     "node_modules/picomatch": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
-      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
       "license": "MIT",
       "engines": {
         "node": ">=12"
@@ -5497,9 +5670,9 @@
       }
     },
     "node_modules/postcss": {
-      "version": "8.5.6",
-      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.6.tgz",
-      "integrity": "sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg==",
+      "version": "8.5.8",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.8.tgz",
+      "integrity": "sha512-OW/rX8O/jXnm82Ey1k44pObPtdblfiuWnrd8X7GJ7emImCOstunGbXUpp7HdBrFQX6rJzn3sPT397Wp5aCwCHg==",
       "dev": true,
       "funding": [
         {
@@ -6070,16 +6243,16 @@
       }
     },
     "node_modules/tailwindcss": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.2.1.tgz",
-      "integrity": "sha512-/tBrSQ36vCleJkAOsy9kbNTgaxvGbyOamC30PRePTQe/o1MFwEKHQk4Cn7BNGaPtjp+PuUrByJehM1hgxfq4sw==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.2.2.tgz",
+      "integrity": "sha512-KWBIxs1Xb6NoLdMVqhbhgwZf2PGBpPEiwOqgI4pFIYbNTfBXiKYyWoTsXgBQ9WFg/OlhnvHaY+AEpW7wSmFo2Q==",
       "devOptional": true,
       "license": "MIT"
     },
     "node_modules/tapable": {
-      "version": "2.3.0",
-      "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.3.0.tgz",
-      "integrity": "sha512-g9ljZiwki/LfxmQADO3dEY1CbpmXT5Hm2fJ+QaGKwSXUylMybePR7/67YW7jOrrvjEgL1Fmz5kzyAjWVWLlucg==",
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.3.2.tgz",
+      "integrity": "sha512-1MOpMXuhGzGL5TTCZFItxCc0AARf1EZFQkGqMm7ERKj8+Hgr5oLvJOVFcC+lRmR8hCe2S3jC4T5D7Vg/d7/fhA==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -6091,9 +6264,9 @@
       }
     },
     "node_modules/tinyexec": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/tinyexec/-/tinyexec-1.0.2.tgz",
-      "integrity": "sha512-W/KYk+NFhkmsYpuHq5JykngiOCnxeVL8v8dFnqxSD8qEEdRfXk1SDM6JzNqcERbcGYj9tMrDQBYV9cjgnunFIg==",
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/tinyexec/-/tinyexec-1.0.4.tgz",
+      "integrity": "sha512-u9r3uZC0bdpGOXtlxUIdwf9pkmvhqJdrVCH9fapQtgy/OeTTMZ1nqH7agtvEfmGui6e1XxjcdrlxvxJvc3sMqw==",
       "license": "MIT",
       "engines": {
         "node": ">=18"
diff --git a/apps/web/package.json b/apps/web/package.json
index 55aae92e3..341ac5af2 100644
--- a/apps/web/package.json
+++ b/apps/web/package.json
@@ -8,15 +8,15 @@
   "private": true,
   "scripts": {
     "dev": "npm run sync:docs && next dev --turbopack",
-    "build": "npm run sync:docs && next build --webpack",
+    "build": "npm run sync:docs && next build --webpack && node scripts/apply-sri.mjs",
     "start": "next start",
     "sync:docs": "node scripts/sync-docs.mjs",
-    "lint": "qlty check --filter biome --no-progress .",
-    "lint:fix": "qlty check --fix --filter biome --no-progress .",
-    "format": "qlty fmt --filter biome --no-progress .",
-    "format:check": "qlty check --filter biome --no-progress .",
-    "check": "qlty check --filter biome --no-progress .",
-    "check:fix": "qlty check --fix --filter biome --no-progress .",
+    "lint": "biome check .",
+    "lint:fix": "biome check --fix .",
+    "format": "biome format --write .",
+    "format:check": "biome check .",
+    "check": "biome check .",
+    "check:fix": "biome check --fix .",
     "type-check": "tsc --noEmit",
     "vercel-build": "npm run build",
     "postinstall": "npm run sync:docs && fumadocs-mdx"
@@ -38,6 +38,7 @@
     "tailwind-merge": "^3.5.0"
   },
   "devDependencies": {
+    "@biomejs/biome": "^2.4.7",
     "@tailwindcss/postcss": "^4.2.1",
     "@types/node": "^25.5.0",
     "@types/react": "^19.2.14",
diff --git a/apps/web/scripts/apply-sri.mjs b/apps/web/scripts/apply-sri.mjs
new file mode 100644
index 000000000..f0c6931fe
--- /dev/null
+++ b/apps/web/scripts/apply-sri.mjs
@@ -0,0 +1,102 @@
+#!/usr/bin/env node
+
+/**
+ * Post-build SRI injection.
+ *
+ * Next.js generates an `integrity-manifest.json` when `experimental.sri` is
+ * enabled, but it only applies integrity attributes to dynamically injected
+ * scripts/stylesheets. Statically rendered HTML pages (SSG output in
+ * `.next/server/app/`) still reference `/_next/static/*` assets without
+ * `integrity` or `crossorigin` attributes.
+ *
+ * This script walks every `.html` file under `.next/server/app/`, matches
+ * `<script>` and `<link rel="stylesheet">` tags pointing at `/_next/static/*`,
+ * looks up their integrity hash from the manifest, and injects the attributes.
+ */
+
+import { existsSync, readdirSync, readFileSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+
+const NEXT_DIR = join(process.cwd(), ".next");
+const MANIFEST_PATH = join(NEXT_DIR, "integrity-manifest.json");
+const APP_DIR = join(NEXT_DIR, "server", "app");
+
+/**
+ * Apply SRI attributes to `_next/static` script and stylesheet tags in HTML.
+ *
+ * Exported for unit testing.
+ *
+ * @param {string} html  Raw HTML string
+ * @param {Record<string, string>} manifest  Map of `static/...` keys to integrity hashes
+ * @returns {{ html: string; updatedTags: number }}
+ */
+export function applySriToHtml(html, manifest) {
+  let updatedTags = 0;
+
+  const updated = html.replace(
+    /(<(?:script|link)\b[^>]*?\b(?:src|href)="(\/_next\/[^"]+)"[^>]*?)(\s*\/?>)/g,
+    (match, before, rawUrl, closing) => {
+      if (match.includes("integrity=")) {
+        return match;
+      }
+
+      const decodedUrl = decodeURIComponent(rawUrl);
+      const key = decodedUrl.replace(/^\/_next\//, "");
+      const integrity = manifest[key];
+
+      if (!integrity) {
+        return match;
+      }
+
+      updatedTags++;
+      return `${before} integrity="${integrity}" crossorigin="anonymous"${closing}`;
+    },
+  );
+
+  return { html: updated, updatedTags };
+}
+
+// ---- CLI entry point (skipped when imported as a module by tests) ----
+
+const isDirectRun = process.argv[1] && import.meta.url === `file://${process.argv[1]}`;
+
+if (isDirectRun) {
+  if (!existsSync(MANIFEST_PATH)) {
+    console.log("No integrity-manifest.json found — skipping SRI injection");
+    process.exit(0);
+  }
+
+  if (!existsSync(APP_DIR)) {
+    console.log("No .next/server/app/ directory — skipping SRI injection");
+    process.exit(0);
+  }
+
+  const manifest = JSON.parse(readFileSync(MANIFEST_PATH, "utf8"));
+  let totalFiles = 0;
+  let totalTags = 0;
+
+  function walk(dir) {
+    for (const entry of readdirSync(dir, { withFileTypes: true })) {
+      const full = join(dir, entry.name);
+      if (entry.isDirectory()) {
+        walk(full);
+        continue;
+      }
+      if (!entry.isFile() || !entry.name.endsWith(".html")) {
+        continue;
+      }
+
+      const html = readFileSync(full, "utf8");
+      const { html: updated, updatedTags } = applySriToHtml(html, manifest);
+
+      if (updatedTags > 0) {
+        writeFileSync(full, updated);
+        totalFiles++;
+        totalTags += updatedTags;
+      }
+    }
+  }
+
+  walk(APP_DIR);
+  console.log(`SRI: patched ${totalTags} tags across ${totalFiles} HTML files`);
+}
diff --git a/apps/web/scripts/next-config.test.mjs b/apps/web/scripts/next-config.test.mjs
index c6864f016..45eea3624 100644
--- a/apps/web/scripts/next-config.test.mjs
+++ b/apps/web/scripts/next-config.test.mjs
@@ -21,15 +21,15 @@ test("docs redirects keep versioned URLs and map legacy deep links to current do
   const rootRedirect = redirects.find((rule) => rule.source === "/docs");
   assert.deepEqual(rootRedirect, {
     source: "/docs",
-    destination: "/docs/v1.4",
+    destination: "/docs/v1.5",
     permanent: false,
   });
 
   assert.ok(
     redirects.some(
       (rule) =>
-        rule.source === "/docs/:path((?!v1\\.4(?:/|$)|v1\\.3(?:/|$)).*)" &&
-        rule.destination === "/docs/v1.4/:path" &&
+        rule.source === "/docs/:path((?!v1\\.5(?:/|$)|v1\\.4(?:/|$)|v1\\.3(?:/|$)).*)" &&
+        rule.destination === "/docs/v1.5/:path" &&
         rule.permanent === false,
     ),
     "expected a deep-link compatibility redirect for unversioned docs paths",
diff --git a/apps/web/scripts/sync-docs.mjs b/apps/web/scripts/sync-docs.mjs
index 62832eede..582986cf3 100644
--- a/apps/web/scripts/sync-docs.mjs
+++ b/apps/web/scripts/sync-docs.mjs
@@ -12,7 +12,8 @@ const targetDir = join(webRoot, "content", "docs");
 
 // Version definitions — order matters (first = default/active tab)
 const versions = [
-  { slug: "v1.4", source: "current", title: "v1.4 (RC)" },
+  { slug: "v1.5", source: "current", title: "v1.5" },
+  { slug: "v1.4", source: "v1.4", title: "v1.4" },
   { slug: "v1.3", source: "v1.3", title: "v1.3" },
 ];
 
@@ -28,7 +29,7 @@ description: "All notable changes to this project will be documented in this fil
 
 const body = changelogMd.replace(/^# Changelog\n/, "");
 
-// Write changelog into the current (v1.4) source dir so it gets copied
+// Write changelog into the current (v1.5) source dir so it gets copied
 const changelogDir = join(repoRoot, "content", "docs", "current", "changelog");
 mkdirSync(changelogDir, { recursive: true });
 writeFileSync(join(changelogDir, "index.mdx"), `${frontmatter}\n${body}`);
diff --git a/content/docs/README.md b/content/docs/README.md
index d811b104b..39142bafa 100644
--- a/content/docs/README.md
+++ b/content/docs/README.md
@@ -1,6 +1,9 @@
 # Versioned docs content
 
-- `current/`: docs for the `1.4` release (stable)
+- `current/`: docs for the in-development `1.5` release (next stable)
+- `v1.4/`: stable `1.4` docs
 - `v1.3/`: previous stable `1.3` docs
 
+Each directory contains `meta.json` files that define navigation titles and page ordering.
+
 `apps/web` reads from `content/docs/current`.
diff --git a/content/docs/current/api/agent.mdx b/content/docs/current/api/agent.mdx
index ef3e00076..8065e653d 100644
--- a/content/docs/current/api/agent.mdx
+++ b/content/docs/current/api/agent.mdx
@@ -1,8 +1,77 @@
 ---
 title: "Agent API"
-description: "The Agent exposes specific endpoints for the Controller to synchronize state and receive events."
+description: "Controller endpoints for remote agent status and logs, plus the Agent's own internal API."
 ---
 
+## Controller endpoints
+
+These endpoints are served by the Controller and provide read-only access to connected remote agents.
+
+### List all agents
+
+Returns all configured agents with connection status, system info, and container stats.
+
+```bash
+curl http://drydock:3000/api/v1/agents
+
+{
+  "data": [
+    {
+      "name": "agent1",
+      "host": "192.168.1.50",
+      "port": 3000,
+      "connected": true,
+      "version": "1.5.0",
+      "os": "linux",
+      "arch": "amd64",
+      "cpus": 4,
+      "memoryGb": 8,
+      "uptimeSeconds": 86400,
+      "lastSeen": "2026-03-28T10:00:00.000Z",
+      "logLevel": "info",
+      "pollInterval": "0 * * * *",
+      "containers": { "total": 5, "running": 4, "stopped": 1 },
+      "images": 5
+    }
+  ],
+  "total": 1
+}
+```
+
+### Response fields
+
+| Field | Type | Description |
+| --- | --- | --- |
+| `data[].name` | string | Agent name |
+| `data[].host` | string | Agent hostname or IP |
+| `data[].port` | integer | Agent port |
+| `data[].connected` | boolean | Whether the agent is currently connected |
+| `data[].version` | string | Agent drydock version |
+| `data[].os` | string | Operating system |
+| `data[].arch` | string | CPU architecture |
+| `data[].cpus` | integer | Number of CPU cores |
+| `data[].memoryGb` | number | Total memory in GB |
+| `data[].uptimeSeconds` | number | Agent process uptime |
+| `data[].lastSeen` | string | ISO 8601 timestamp of last heartbeat |
+| `data[].logLevel` | string | Agent's configured log level |
+| `data[].pollInterval` | string | Agent's watcher cron schedule |
+| `data[].containers` | object | Container count summary (`total`, `running`, `stopped`) |
+| `data[].images` | integer | Number of distinct images across agent containers |
+
+### Get agent log entries
+
+Returns application log entries from a connected agent, proxied through the controller. See [Log API](/docs/api/log#get-agent-log-entries) for query parameters.
+
+```bash
+curl "http://drydock:3000/api/v1/agents/agent1/log/entries?level=warn&tail=50"
+```
+
+Returns 404 if the agent is not found, or 503 if the agent is not connected.
+
+---
+
+## Agent internal API
+
 The Agent exposes specific endpoints for the Controller to synchronize state and receive events. These are generally internal APIs used by the Controller but are documented here for reference or advanced debugging.
 
 Authentication is required for all endpoints via the `X-Dd-Agent-Secret` header.
@@ -82,7 +151,7 @@ Sent immediately upon connection to confirm the handshake.
 {
   "type": "dd:ack",
   "data": {
-    "version": "1.0.0"
+    "version": "1.5.0"
   }
 }
 ```
@@ -131,7 +200,7 @@ curl -H "X-Dd-Agent-Secret: <SECRET>" \
   "http://agent:3000/api/containers/:id/logs?tail=100"
 ```
 
-Query parameters are the same as the [controller container logs endpoint](/docs/api/container#get-container-logs).
+Query parameters are the same as the [controller container logs endpoint](/docs/api/container#download-container-logs).
 
 ## Application Log Entries
 
diff --git a/content/docs/current/api/app.mdx b/content/docs/current/api/app.mdx
index 075f6c11f..ee5010c16 100644
--- a/content/docs/current/api/app.mdx
+++ b/content/docs/current/api/app.mdx
@@ -1,6 +1,6 @@
 ---
 title: "App API"
-description: "Application info and server configuration endpoints."
+description: "Application info, server configuration, and diagnostic endpoints."
 ---
 
 ## Get App information
@@ -8,11 +8,11 @@ description: "Application info and server configuration endpoints."
 Returns application name and version.
 
 ```bash
-curl http://drydock:3000/api/app
+curl http://drydock:3000/api/v1/app
 
 {
   "name":"drydock",
-  "version":"1.4.0"
+  "version":"1.5.0"
 }
 ```
 
@@ -21,7 +21,7 @@ curl http://drydock:3000/api/app
 Returns the server configuration, webhook status, and legacy input compatibility summary.
 
 ```bash
-curl http://drydock:3000/api/server
+curl http://drydock:3000/api/v1/server
 
 {
   "configuration": {
@@ -40,7 +40,7 @@ curl http://drydock:3000/api/server
 Returns the availability status of security tools (Trivy scanner, Cosign signature verification) and SBOM configuration. Use this to check whether the runtime environment has the required binaries before triggering scans.
 
 ```bash
-curl http://drydock:3000/api/server/security/runtime
+curl http://drydock:3000/api/v1/server/security/runtime
 
 {
   "checkedAt": "2024-12-01T10:00:00.000Z",
@@ -89,3 +89,36 @@ curl http://drydock:3000/api/server/security/runtime
 | `requirements` | string[] | Human-readable list of missing dependencies (empty when everything is ready) |
 
 Returns 200 on success, or 500 if the runtime check fails.
+
+## Download diagnostic debug dump
+
+Downloads a comprehensive, redacted diagnostic dump of the running drydock instance as a JSON file. Useful for troubleshooting and support requests.
+
+The dump includes runtime metadata, component state (watchers, registries, triggers, agents, containers), Docker API diagnostics, MQTT Home Assistant sensor definitions, recent Docker events, store statistics, and `DD_*` environment variable names. All values matching `password|token|secret|key|hash` are automatically redacted.
+
+```bash
+curl -O -J "http://drydock:3000/api/v1/debug/dump?minutes=30"
+```
+
+The response is a JSON attachment with a timestamped filename (e.g. `drydock-debug-dump-2026-03-18T19-33-00-000Z.json`).
+
+### Query parameters
+
+| Parameter | Type | Default | Description |
+| --- | --- | --- | --- |
+| `minutes` | integer | `30` | How many recent minutes of event history to include (min: 1) |
+
+### Dump sections
+
+| Section | Contents |
+| --- | --- |
+| `metadata` | Generated timestamp, drydock version, Node.js version, uptime |
+| `state` | All registered components: containers, watchers, triggers, registries, authentications, agents |
+| `mqttHomeAssistant` | Home Assistant MQTT sensor discovery topics and definitions |
+| `dockerEvents` | Active Docker event subscriptions and recent events within the time window |
+| `aliasFiltering` | Recent container alias filter decisions |
+| `store` | LokiJS collection statistics |
+| `dockerApi` | Docker daemon version and info per watcher (connection errors captured gracefully) |
+| `environment` | All `DD_*` environment variable names with values redacted |
+
+Returns 200 with the JSON attachment on success, 401 if not authenticated, or 500 if the dump cannot be generated.
diff --git a/content/docs/current/api/container.mdx b/content/docs/current/api/container.mdx
index 3521e6eb8..a46e41003 100644
--- a/content/docs/current/api/container.mdx
+++ b/content/docs/current/api/container.mdx
@@ -10,7 +10,7 @@ This API allows to query the state of the watched containers.
 This operation lets you get all the watched containers.
 
 ```bash
-curl "http://drydock:3000/api/containers?limit=25&offset=0"
+curl "http://drydock:3000/api/v1/containers?limit=25&offset=0"
 
 {
   "data": [
@@ -35,13 +35,19 @@ curl "http://drydock:3000/api/containers?limit=25&offset=0"
 | `limit` | integer | `0` | Maximum number of containers to return (`0` means unbounded; max `200`) |
 | `offset` | integer | `0` | Number of matching containers to skip |
 | `includeVulnerabilities` | boolean | `false` | Include full vulnerability arrays in `data` |
+| `sort` | string | | Sort order: `name`, `-name`, `status`, `-status`, `age`, `-age`, `created`, `-created` (prefix `-` for descending) |
+| `order` | string | | Optional sort direction override: `asc` or `desc` |
+| `status` | string | | Filter by update/runtime status: `update-available`, `up-to-date`, `running`, `stopped`, `exited`, `paused`, `restarting`, `dead`, `created` |
+| `kind` | string | | Filter by update kind or watched state: `major`, `minor`, `patch`, `digest`, `watched`, `unwatched`, `all` |
+| `watcher` | string | | Filter by watcher name |
+| `maturity` | string | | Filter by update maturity: `hot`, `mature`, `established` |
 
 ## Get container summary
 
 Returns a lightweight summary of container and security counts, used by the dashboard sidebar.
 
 ```bash
-curl http://drydock:3000/api/containers/summary
+curl http://drydock:3000/api/v1/containers/summary
 
 {
   "containers": {
@@ -63,13 +69,15 @@ curl http://drydock:3000/api/containers/summary
 | `containers.running` | integer | Number of running containers |
 | `containers.stopped` | integer | Number of stopped containers |
 | `security.issues` | integer | Number of containers with critical or high vulnerabilities |
+| `hotUpdates` | integer | Number of containers with updates less than 24 hours old |
+| `matureUpdates` | integer | Number of containers with updates between 24 hours and 7 days old |
 
 ## Get recent container status
 
 Returns a map of container names to their most recent update status, derived from the last 100 audit log entries. Used by the dashboard to show status badges on containers.
 
 ```bash
-curl http://drydock:3000/api/containers/recent-status
+curl http://drydock:3000/api/v1/containers/recent-status
 
 {
   "statuses": {
@@ -92,7 +100,7 @@ curl http://drydock:3000/api/containers/recent-status
 This operation triggers a manual watch on all containers.
 
 ```bash
-curl -X POST http://drydock:3000/api/containers/watch
+curl -X POST http://drydock:3000/api/v1/containers/watch
 
 {
   "data": [{
@@ -135,7 +143,7 @@ curl -X POST http://drydock:3000/api/containers/watch
 This operation lets you get a container by id.
 
 ```bash
-curl http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816
+curl http://drydock:3000/api/v1/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816
 
 {
   "id":"31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816",
@@ -172,7 +180,7 @@ curl http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32
 This operation lets you get the list of triggers associated to the container.
 
 ```bash
-curl http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/triggers
+curl http://drydock:3000/api/v1/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/triggers
 
 {
   "data": [
@@ -201,7 +209,7 @@ curl http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32
 This operation triggers a manual watch on a container.
 
 ```bash
-curl -X POST http://drydock:3000/api/containers/ca0edc3fb0b4647963629bdfccbb3ccfa352184b45a9b4145832000c2878dd72/watch
+curl -X POST http://drydock:3000/api/v1/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/watch
 
 {
   "id":"31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816",
@@ -238,13 +246,13 @@ curl -X POST http://drydock:3000/api/containers/ca0edc3fb0b4647963629bdfccbb3ccf
 This operation lets you manually run a trigger on the container.
 
 ```bash
-curl -X POST http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/triggers/ntfy/one
+curl -X POST http://drydock:3000/api/v1/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/triggers/ntfy/one
 ```
 
 For containers managed by a remote agent, use the 4-segment variant to route the trigger through the agent:
 
 ```bash
-curl -X POST http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/triggers/ntfy/one/agent1
+curl -X POST http://drydock:3000/api/v1/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/triggers/ntfy/one/agent1
 ```
 
 ## Update a container
@@ -254,7 +262,7 @@ This operation triggers a direct container update — pulling the new image, sto
 Returns 200 with the updated container on success, 400 if no update is available, 403 if container actions are disabled, 404 if the container or Docker trigger is not found, or 500 on update failure.
 
 ```bash
-curl -X POST http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/update
+curl -X POST http://drydock:3000/api/v1/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/update
 ```
 
 ## Update container update policy (skip/snooze)
@@ -267,40 +275,56 @@ This operation lets you control per-container update suppression policy (stored
 - `snooze`: suppress update notifications until a date (supports `days` or explicit `snoozeUntil`)
 - `unsnooze`: remove `snoozeUntil`
 - `clear`: remove all update policy
+- `set-maturity-policy`: require updates to be at least N days old before triggering (requires `mode` and optionally `minAgeDays`)
+- `clear-maturity-policy`: remove `maturityMode` and `maturityMinAgeDays`
 
 ```bash
-curl -X PATCH http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/update-policy \
+curl -X PATCH http://drydock:3000/api/v1/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/update-policy \
   -H 'Content-Type: application/json' \
   -d '{"action":"skip-current"}'
 ```
 
 ```bash
 # Remove a single skipped tag
-curl -X PATCH http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/update-policy \
+curl -X PATCH http://drydock:3000/api/v1/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/update-policy \
   -H 'Content-Type: application/json' \
   -d '{"action":"remove-skip","kind":"tag","value":"1.2.3"}'
 ```
 
 ```bash
 # Remove a single skipped digest
-curl -X PATCH http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/update-policy \
+curl -X PATCH http://drydock:3000/api/v1/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/update-policy \
   -H 'Content-Type: application/json' \
   -d '{"action":"remove-skip","kind":"digest","value":"sha256:abc123..."}'
 ```
 
 ```bash
-curl -X PATCH http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/update-policy \
+curl -X PATCH http://drydock:3000/api/v1/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/update-policy \
   -H 'Content-Type: application/json' \
   -d '{"action":"snooze","days":7}'
 ```
 
+```bash
+# Require updates to be at least 14 days old before triggering
+curl -X PATCH http://drydock:3000/api/v1/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/update-policy \
+  -H 'Content-Type: application/json' \
+  -d '{"action":"set-maturity-policy","mode":"mature","minAgeDays":14}'
+```
+
+```bash
+# Remove maturity policy (allow all updates regardless of age)
+curl -X PATCH http://drydock:3000/api/v1/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/update-policy \
+  -H 'Content-Type: application/json' \
+  -d '{"action":"clear-maturity-policy"}'
+```
+
 ## Get security vulnerability overview
 
 This operation returns pre-aggregated vulnerability data grouped by image across all scanned containers.
 Used by the Security view to display vulnerability summaries without loading every container individually.
 
 ```bash
-curl http://drydock:3000/api/containers/security/vulnerabilities
+curl http://drydock:3000/api/v1/containers/security/vulnerabilities
 ```
 
 The response includes total and scanned container counts, the latest scan timestamp, and an `images` array where each entry groups vulnerabilities by image name with container IDs and an optional update severity summary.
@@ -311,7 +335,7 @@ This operation returns the latest persisted vulnerability scan (safe-pull gate r
 When no scan was run yet, it returns `status: "not-scanned"` with an empty result set.
 
 ```bash
-curl http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/vulnerabilities
+curl http://drydock:3000/api/v1/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/vulnerabilities
 ```
 
 ## Run an on-demand security scan
@@ -321,9 +345,11 @@ This operation triggers a vulnerability scan, optional signature verification, a
 Requires `DD_SECURITY_SCANNER=trivy` to be configured.
 
 ```bash
-curl -X POST http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/scan
+curl -X POST http://drydock:3000/api/v1/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/scan
 ```
 
+Rate-limited to 30 requests per minute.
+
 Returns 200 with the updated container on success, 400 if security scanner is not configured, 404 if the container is not found, or 500 on scan failure.
 
 ## Get SBOM for a container
@@ -331,26 +357,81 @@ Returns 200 with the updated container on success, 400 if security scanner is no
 This operation returns the latest SBOM document for a container in the requested format.
 
 ```bash
-curl http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/sbom?format=spdx-json
+curl http://drydock:3000/api/v1/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/sbom?format=spdx-json
 ```
 
-## Get container logs
+## Download container logs
 
-Returns stdout/stderr output from a container. For agent-managed containers, the request is proxied through the agent connection.
+Returns stdout/stderr output from a container as a downloadable text file. Supports gzip compression via `Accept-Encoding: gzip` header. For agent-managed containers, the request is proxied through the agent connection.
 
 ```bash
-curl "http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/logs?tail=100"
+curl "http://drydock:3000/api/v1/containers/{id}/logs?tail=1000&stdout=true&stderr=true"
+```
+
+### Query parameters
+
+| Parameter | Type | Default | Description |
+| --- | --- | --- | --- |
+| `stdout` | boolean | `true` | Include stdout output |
+| `stderr` | boolean | `true` | Include stderr output |
+| `tail` | integer | `1000` | Number of lines to return from the end of the log |
+| `since` | string | `0` | Unix timestamp (seconds) or ISO 8601 string — only return logs after this time |
+| `timestamps` | boolean | `true` | Include timestamps in output |
+
+Returns 200 with the log text (Content-Disposition: attachment), 404 if the container is not found, or 500 on failure.
+
+## Stream container logs (WebSocket)
+
+Opens a WebSocket connection for real-time container log streaming. The server demultiplexes Docker's binary stream format and sends individual JSON frames.
+
+```text
+ws://drydock:3000/api/v1/containers/{id}/logs/stream?follow=true&tail=100
 ```
 
 ### Query parameters
 
 | Parameter | Type | Default | Description |
 | --- | --- | --- | --- |
-| `tail` | integer | 100 | Number of lines to return from the end of the log |
-| `since` | integer | 0 | Unix timestamp (seconds) — only return logs after this time |
-| `timestamps` | boolean | true | Include timestamps in output |
+| `stdout` | boolean | `true` | Include stdout output |
+| `stderr` | boolean | `true` | Include stderr output |
+| `tail` | integer | `100` | Number of initial lines to load |
+| `since` | string | `0` | Unix timestamp (seconds) or ISO 8601 string — only stream logs after this time |
+| `follow` | boolean | `true` | Continue streaming new output (set `false` for one-shot fetch) |
 
-Returns 200 with `{ "logs": "..." }` on success, 404 if the container is not found, or 500 on failure.
+### Message format
+
+Each WebSocket message is a JSON object:
+
+```json
+{
+  "type": "stdout",
+  "ts": "2026-03-18T19:18:38.485902360Z",
+  "line": "Server started on port 3000"
+}
+```
+
+| Field | Type | Description |
+| --- | --- | --- |
+| `type` | string | `stdout` or `stderr` |
+| `ts` | string | ISO 8601 timestamp from Docker |
+| `line` | string | Log line content (may contain ANSI escape codes) |
+
+### Close codes
+
+| Code | Meaning |
+| --- | --- |
+| `1000` | Normal close (stream ended or client disconnect) |
+| `4001` | Container is not running |
+| `4004` | Container not found |
+| `1011` | Watcher unavailable or stream error |
+
+### Authentication
+
+WebSocket upgrade requests require a valid session cookie. Unauthenticated requests receive HTTP 401 during the upgrade handshake.
+
+### Rate limiting
+
+WebSocket connections are rate-limited to 1,000 connections per 15-minute window per client IP (or per authenticated user when identity-aware rate limiting is enabled).
 
 ## Reveal container environment variables
 
@@ -359,7 +440,7 @@ Returns the full (unredacted) runtime environment variables for a container. Env
 Rate-limited to 10 requests per minute.
 
 ```bash
-curl -X POST http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/env/reveal
+curl -X POST http://drydock:3000/api/v1/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/env/reveal
 
 {
   "env": [
@@ -386,7 +467,7 @@ Container action auth model: `/start`, `/stop`, `/restart`, and `/update` are au
 This operation starts a stopped container. Requires `DD_SERVER_FEATURE_CONTAINERACTIONS` to be enabled.
 
 ```bash
-curl -X POST http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/start
+curl -X POST http://drydock:3000/api/v1/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/start
 ```
 
 ## Stop a container
@@ -394,7 +475,7 @@ curl -X POST http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec
 This operation stops a running container. Requires `DD_SERVER_FEATURE_CONTAINERACTIONS` to be enabled.
 
 ```bash
-curl -X POST http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/stop
+curl -X POST http://drydock:3000/api/v1/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/stop
 ```
 
 ## Restart a container
@@ -402,7 +483,7 @@ curl -X POST http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec
 This operation restarts a container. Requires `DD_SERVER_FEATURE_CONTAINERACTIONS` to be enabled.
 
 ```bash
-curl -X POST http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/restart
+curl -X POST http://drydock:3000/api/v1/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/restart
 ```
 
 ## Preview an update
@@ -410,15 +491,45 @@ curl -X POST http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec
 This operation returns a dry-run preview of what an update would change, without executing it.
 
 ```bash
-curl -X POST http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/preview
+curl -X POST http://drydock:3000/api/v1/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/preview
+```
+
+## List all backups
+
+Returns all image backups across all containers, optionally filtered by container name.
+
+```bash
+curl "http://drydock:3000/api/v1/containers/backups?containerName=homeassistant"
+
+{
+  "data": [
+    {
+      "id": "abc123",
+      "containerId": "31a61a8305ef...",
+      "containerName": "homeassistant",
+      "imageName": "homeassistant/home-assistant",
+      "imageTag": "2024.11.3",
+      "imageDigest": "sha256:...",
+      "timestamp": "2024-12-01T10:00:00.000Z",
+      "triggerName": "docker.local"
+    }
+  ],
+  "total": 1
+}
 ```
 
+### Query parameters
+
+| Parameter | Type | Description |
+| --- | --- | --- |
+| `containerName` | string | Filter backups by container name |
+
 ## Get container backups
 
 This operation returns all image backups for a container, sorted by most recent first.
 
 ```bash
-curl http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/backups
+curl http://drydock:3000/api/v1/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/backups
 
 {
   "data": [
@@ -443,7 +554,7 @@ This operation rolls back a container to a previously backed-up image. If no `ba
 Rollback is destructive and requires explicit confirmation via `X-DD-Confirm-Action: container-rollback`.
 
 ```bash
-curl -X POST http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/rollback \
+curl -X POST http://drydock:3000/api/v1/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/rollback \
   -H 'X-DD-Confirm-Action: container-rollback' \
   -H 'Content-Type: application/json' \
   -d '{"backupId": "abc123"}'
@@ -456,7 +567,7 @@ Returns 200 on success, 404 if the container/backup/trigger is not found, or 428
 Returns the persisted update and rollback operation history for a container, sorted by most recent first. Each entry tracks the full lifecycle of an update (phases, status, versions, rollback reason if applicable).
 
 ```bash
-curl http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/update-operations
+curl http://drydock:3000/api/v1/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/update-operations
 
 {
   "data": [
@@ -513,13 +624,60 @@ curl http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32
 
 Returns 200 with the operations array on success, or 404 if the container is not found.
 
+## Get container stats
+
+`GET /api/v1/containers/stats`
+
+Returns CPU and memory usage stats for all monitored containers.
+
+### Response
+
+| Field | Type | Description |
+| --- | --- | --- |
+| `data` | array | Array of container stat objects |
+| `data[].id` | string | Container ID |
+| `data[].name` | string | Container name |
+| `data[].stats` | object | Latest stats snapshot |
+| `data[].stats.cpuPercent` | number | CPU usage percentage |
+| `data[].stats.memoryUsageBytes` | number | Memory usage in bytes |
+| `data[].stats.memoryLimitBytes` | number | Memory limit in bytes |
+| `data[].stats.memoryPercent` | number | Memory usage percentage |
+| `data[].stats.networkRxBytes` | number | Network bytes received |
+| `data[].stats.networkTxBytes` | number | Network bytes transmitted |
+| `data[].stats.timestamp` | string | ISO 8601 timestamp |
+
+## Get single container stats
+
+`GET /api/v1/containers/:id/stats`
+
+Returns the latest stats snapshot and history for a single container.
+
+### Response
+
+| Field | Type | Description |
+| --- | --- | --- |
+| `data` | object | Latest stats snapshot |
+| `history` | array | Array of historical snapshots |
+
+## Stream container stats (SSE)
+
+`GET /api/v1/containers/:id/stats/stream`
+
+Server-Sent Events stream for real-time container stats. Sends `dd:container-stats` events with the latest snapshot and `dd:heartbeat` events every 15 seconds.
+
+## Get container release notes
+
+`GET /api/v1/containers/:id/release-notes`
+
+Returns GitHub release notes for the container's available update, if available.
+
 ## Delete a Container
 
 This operation lets you delete a container by id. Requires `DD_SERVER_FEATURE_DELETE` to be enabled.
 Delete is destructive and requires explicit confirmation via `X-DD-Confirm-Action: container-delete`.
 
 ```bash
-curl -X DELETE http://drydock:3000/api/containers/ca0edc3fb0b4647963629bdfccbb3ccfa352184b45a9b4145832000c2878dd72 \
+curl -X DELETE http://drydock:3000/api/v1/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816 \
   -H 'X-DD-Confirm-Action: container-delete'
 ```
 
diff --git a/content/docs/current/api/index.mdx b/content/docs/current/api/index.mdx
index d9cf62d71..e965dce97 100644
--- a/content/docs/current/api/index.mdx
+++ b/content/docs/current/api/index.mdx
@@ -52,39 +52,48 @@ If the header is missing or does not match the expected token, the API responds
 
 | Endpoint | Method | Required header |
 | --- | --- | --- |
-| `/api/containers/:id/rollback` | `POST` | `X-DD-Confirm-Action: container-rollback` |
-| `/api/containers/:id` | `DELETE` | `X-DD-Confirm-Action: container-delete` |
+| `/api/v1/containers/:id/rollback` | `POST` | `X-DD-Confirm-Action: container-rollback` |
+| `/api/v1/containers/:id` | `DELETE` | `X-DD-Confirm-Action: container-delete` |
 
 ## Endpoint overview
 
 | Category | Endpoints | Description |
 | --- | --- | --- |
-| [App](/docs/api/app) | `GET /api/app`, `GET /api/server` | Application info, server configuration, security runtime |
-| [Containers](/docs/api/container) | `GET /api/containers`, `POST`, `PATCH`, `DELETE` | Container state, actions, update policy, security |
-| [Agents](/docs/api/agent) | `GET /api/agents` | Remote agent status and logs |
-| [Logs](/docs/api/log) | `GET /api/log` | Application log entries |
-| [Registries](/docs/api/registry) | `GET /api/registries` | Registry configurations |
-| [Store](/docs/api/store) | `GET /api/store` | Data store info |
-| [Triggers](/docs/api/trigger) | `GET /api/triggers` | Trigger configurations |
-| [Watchers](/docs/api/watcher) | `GET /api/watchers` | Watcher configurations |
+| [App](/docs/api/app) | `GET /api/v1/app`, `GET /api/v1/server` | Application info, server configuration, security runtime |
+| [Containers](/docs/api/container) | `GET /api/v1/containers`, `POST`, `PATCH`, `DELETE` | Container state, actions, update policy, security |
+| [Agents](/docs/api/agent) | `GET /api/v1/agents` | Remote agent status and logs |
+| [Logs](/docs/api/log) | `GET /api/v1/log`, `GET /api/v1/log/entries`, `WS /api/v1/log/stream` | Application logger config, buffered entries, and live stream |
+| [Registries](/docs/api/registry) | `GET /api/v1/registries` | Registry configurations |
+| [Store](/docs/api/store) | `GET /api/v1/store` | Data store info |
+| [Triggers](/docs/api/trigger) | `GET /api/v1/triggers` | Trigger configurations |
+| [Watchers](/docs/api/watcher) | `GET /api/v1/watchers` | Watcher configurations |
 
 ### Additional endpoints
 
 | Endpoint | Method | Description |
 | --- | --- | --- |
-| `/api/openapi.json` | `GET` | [OpenAPI 3.1.0 specification](#openapi) (machine-readable API docs) |
+| `/api/v1/openapi.json` | `GET` | [OpenAPI 3.1.0 specification](#openapi) (machine-readable API docs) |
 | `/health` | `GET` | Health check (returns 200 when healthy) |
-| `/metrics` | `GET` | Prometheus metrics (optional auth via `DD_SERVER_METRICS_AUTH`) |
-| `/api/events/ui` | `GET` | [Server-Sent Events](#server-sent-events-sse) for real-time UI updates |
-| `/api/audit` | `GET` | [Audit trail](#audit-trail) (paginated, filterable by action/container/date) |
-| `/api/notifications` | `GET`, `PATCH /:id` | [Notification rules](#notification-rules) (per-event enable/disable and trigger assignments) |
-| `/api/settings` | `GET`, `PATCH` | [UI settings](#settings) (internetless mode; `PUT` compatibility alias is deprecated) |
-| `/api/server` | `GET` | Server configuration and compatibility info (see [App API](/docs/api/app)) |
-| `/api/server/security/runtime` | `GET` | Security tools availability (see [App API](/docs/api/app)) |
-| `/api/containers/groups` | `GET` | [Container groups](#container-groups) (by stack/compose project) |
-| `/api/webhook/watch` | `POST` | [Webhook](/docs/configuration/webhooks) — trigger watch on all containers |
-| `/api/webhook/watch/:containerName` | `POST` | [Webhook](/docs/configuration/webhooks) — watch specific container |
-| `/api/webhook/update/:containerName` | `POST` | [Webhook](/docs/configuration/webhooks) — update specific container |
+| `/metrics` | `GET` | Prometheus metrics (bearer token via `DD_SERVER_METRICS_TOKEN`, session auth fallback, or no auth via `DD_SERVER_METRICS_AUTH=false`) |
+| `/api/v1/events/ui` | `GET` | [Server-Sent Events](#server-sent-events-sse) for real-time UI updates |
+| `/api/v1/audit` | `GET` | [Audit trail](#audit-trail) (paginated, filterable by action/container/date) |
+| `/api/v1/notifications` | `GET`, `PATCH /:id` | [Notification rules](#notification-rules) (per-event enable/disable and trigger assignments) |
+| `/api/v1/settings` | `GET`, `PATCH` | [UI settings](#settings) (internetless mode; `PUT` compatibility alias is deprecated) |
+| `/api/v1/log/stream` | `WS` | [System log stream](/docs/api/log#stream-application-logs-websocket) with level/component filters |
+| `/api/v1/server` | `GET` | Server configuration and compatibility info (see [App API](/docs/api/app)) |
+| `/api/v1/server/security/runtime` | `GET` | Security tools availability (see [App API](/docs/api/app)) |
+| `/api/v1/containers/groups` | `GET` | [Container groups](#container-groups) (by stack/compose project) |
+| `/api/v1/containers/stats` | `GET` | Container CPU and memory usage stats (see [Container API](/docs/api/container)) |
+| `/api/v1/containers/:id/stats` | `GET` | Single container stats snapshot and history (see [Container API](/docs/api/container)) |
+| `/api/v1/containers/:id/stats/stream` | `GET` | SSE stream for real-time container stats (see [Container API](/docs/api/container)) |
+| `/api/v1/containers/:id/release-notes` | `GET` | GitHub release notes for a container's available update (see [Container API](/docs/api/container)) |
+| `/api/v1/containers/backups` | `GET` | [All image backups](/docs/api/container#list-all-backups) (optionally filter by `containerName`) |
+| `/api/v1/icons/:source/:name` | `GET` | Proxy and cache registry icon images |
+| `/api/v1/auth/status` | `GET` | Authentication status check |
+| `/api/v1/webhook/watch` | `POST` | [Webhook](/docs/configuration/webhooks) — trigger watch on all containers |
+| `/api/v1/webhook/watch/:containerName` | `POST` | [Webhook](/docs/configuration/webhooks) — watch specific container |
+| `/api/v1/webhook/update/:containerName` | `POST` | [Webhook](/docs/configuration/webhooks) — update specific container |
+| `/api/v1/debug/dump` | `GET` | Download a debug dump JSON file for troubleshooting |
 
 <Callout type="info">See each sub-page for detailed request/response examples.</Callout>
 
@@ -99,7 +108,7 @@ Notification rules control which events trigger notifications and which triggers
 ### Get all notification rules
 
 ```bash
-curl http://drydock:3000/api/notifications
+curl http://drydock:3000/api/v1/notifications
 
 {
   "data": [
@@ -160,7 +169,7 @@ curl http://drydock:3000/api/notifications
 Update the `enabled` status and/or `triggers` list for a rule. Only the fields you include are changed.
 
 ```bash
-curl -X PATCH http://drydock:3000/api/notifications/update-available \
+curl -X PATCH http://drydock:3000/api/v1/notifications/update-available \
   -H 'Content-Type: application/json' \
   -d '{"enabled": true, "triggers": ["slack.alerts", "ntfy.one"]}'
 ```
@@ -174,7 +183,7 @@ Returns paginated audit log entries for container lifecycle events, updates, rol
 ### Get audit entries
 
 ```bash
-curl "http://drydock:3000/api/audit?offset=0&limit=25&action=update-applied&container=homeassistant"
+curl "http://drydock:3000/api/v1/audit?offset=0&limit=25&action=update-applied&container=homeassistant"
 
 {
   "data": [
@@ -204,7 +213,8 @@ curl "http://drydock:3000/api/audit?offset=0&limit=25&action=update-applied&cont
 | --- | --- | --- | --- |
 | `offset` | integer | `0` | Number of entries to skip |
 | `limit` | integer | `50` | Results per page (max 200) |
-| `action` | string | | Filter by action type |
+| `action` | string | | Filter by a single action type |
+| `actions` | string | | Comma-separated list of action types (e.g. `update-applied,update-failed`) |
 | `container` | string | | Filter by container name |
 | `from` | string | | ISO 8601 date -- only entries on or after this timestamp |
 | `to` | string | | ISO 8601 date -- only entries on or before this timestamp |
@@ -215,12 +225,12 @@ curl "http://drydock:3000/api/audit?offset=0&limit=25&action=update-applied&cont
 
 ## Server-Sent Events (SSE)
 
-The `/api/events/ui` endpoint provides real-time push notifications to the UI via Server-Sent Events.
+The `/api/v1/events/ui` endpoint provides real-time push notifications to the UI via Server-Sent Events.
 
 ### Connect
 
 ```bash
-curl -N -H "Accept: text/event-stream" http://drydock:3000/api/events/ui
+curl -N -H "Accept: text/event-stream" http://drydock:3000/api/v1/events/ui
 ```
 
 Connection limits: max 10 per IP, max 10 per session. Returns 429 when exceeded.
@@ -245,7 +255,7 @@ Connection limits: max 10 per IP, max 10 per session. Returns 429 when exceeded.
 When a `dd:self-update` event has `requiresAck: true`, the UI must POST an acknowledgment before the timeout expires. The `clientId` and `clientToken` are provided in the initial `dd:connected` event.
 
 ```bash
-curl -X POST http://drydock:3000/api/events/ui/self-update/op-abc123/ack \
+curl -X POST http://drydock:3000/api/v1/events/ui/self-update/op-abc123/ack \
   -H 'Content-Type: application/json' \
   -d '{"clientId": "client-1", "clientToken": "tok-xyz"}'
 ```
@@ -271,7 +281,7 @@ Persistent UI preferences stored in the drydock database.
 ### Get settings
 
 ```bash
-curl http://drydock:3000/api/settings
+curl http://drydock:3000/api/v1/settings
 
 {
   "internetlessMode": false
@@ -281,7 +291,7 @@ curl http://drydock:3000/api/settings
 ### Update settings
 
 ```bash
-curl -X PATCH http://drydock:3000/api/settings \
+curl -X PATCH http://drydock:3000/api/v1/settings \
   -H 'Content-Type: application/json' \
   -d '{"internetlessMode": true}'
 
@@ -294,14 +304,14 @@ curl -X PATCH http://drydock:3000/api/settings \
 | --- | --- | --- | --- |
 | `internetlessMode` | boolean | `false` | When enabled, disables registry icon lookups and other external requests |
 
-Returns 200 with the updated settings, or 400 if the body is invalid. `PUT /api/settings` is still accepted as a temporary compatibility alias but is deprecated.
+Returns 200 with the updated settings, or 400 if the body is invalid. `PUT /api/v1/settings` is still accepted as a temporary compatibility alias but is deprecated.
 
 ## Container groups
 
 Returns containers grouped by stack or group label. Group priority: `dd.group` > `wud.group` > `com.docker.compose.project` > ungrouped.
 
 ```bash
-curl http://drydock:3000/api/containers/groups
+curl http://drydock:3000/api/v1/containers/groups
 
 {
   "data": [
@@ -410,7 +420,7 @@ curl -X POST http://drydock:3000/auth/remember \
 Machine-readable API documentation is available as an OpenAPI 3.1.0 specification.
 
 ```bash
-curl http://drydock:3000/api/openapi.json
+curl http://drydock:3000/api/v1/openapi.json
 ```
 
 The spec covers all API endpoints with request/response schemas. You can import the URL into tools like Swagger UI, Redoc, or Postman for interactive exploration.
diff --git a/content/docs/current/api/log.mdx b/content/docs/current/api/log.mdx
index ef8111da8..40ea22550 100644
--- a/content/docs/current/api/log.mdx
+++ b/content/docs/current/api/log.mdx
@@ -1,6 +1,6 @@
 ---
 title: "Log API"
-description: "API endpoints for log configuration and log entries."
+description: "API endpoints for application log configuration, buffered log entries, and real-time system log streaming."
 ---
 
 ## Get Log configuration
@@ -8,7 +8,7 @@ description: "API endpoints for log configuration and log entries."
 Returns the current logger configuration.
 
 ```bash
-curl http://drydock:3000/api/log
+curl http://drydock:3000/api/v1/log
 
 {
   "level":"debug"
@@ -21,7 +21,7 @@ Returns log entries from the in-memory ring buffer (last 1,000 entries).
 If `DD_LOG_BUFFER_ENABLED=false`, this endpoint returns an empty array.
 
 ```bash
-curl http://drydock:3000/api/log/entries
+curl http://drydock:3000/api/v1/log/entries
 ```
 
 ### Query parameters
@@ -31,16 +31,18 @@ curl http://drydock:3000/api/log/entries
 | `level` | string | Filter by log level (`trace`, `debug`, `info`, `warn`, `error`, `fatal`) |
 | `component` | string | Filter by component name |
 | `tail` | integer | Number of most recent entries to return |
-| `since` | integer | Unix timestamp (seconds) — only return entries after this time |
+| `since` | integer | Unix timestamp (milliseconds) — only return entries after this time |
+
+Invalid `level` or `component` values return `400 Bad Request`.
 
 ### Example
 
 ```bash
-curl "http://drydock:3000/api/log/entries?level=error&tail=50"
+curl "http://drydock:3000/api/v1/log/entries?level=error&tail=50"
 
 [
   {
-    "timestamp": "2026-02-16T12:00:00.000Z",
+    "timestamp": 1771243200000,
     "level": "error",
     "component": "registry:hub",
     "msg": "Rate limit exceeded"
@@ -48,12 +50,50 @@ curl "http://drydock:3000/api/log/entries?level=error&tail=50"
 ]
 ```
 
+## Stream application logs (WebSocket)
+
+Streams system log entries over WebSocket. The server first sends a filtered backfill from the in-memory buffer, then pushes new entries in real time.
+
+- Canonical endpoint: `WS /api/v1/log/stream`
+- Compatibility alias: `WS /api/log/stream`
+
+### Query parameters
+
+| Parameter | Type | Description |
+| --- | --- | --- |
+| `level` | string | Minimum level filter (`debug`, `trace`, `info`, `warn`, `error`, `fatal`) |
+| `component` | string | Substring filter for component name |
+| `tail` | integer | Number of historical entries to backfill on connect (default: `100`) |
+
+### Example
+
+```text
+ws://drydock:3000/api/v1/log/stream?tail=100&level=warn&component=api
+```
+
+Example frame payload:
+
+```json
+{
+  "timestamp": 1771262400000,
+  "level": "warn",
+  "component": "api:websocket",
+  "msg": "Client disconnected"
+}
+```
+
+### Authentication and limits
+
+- Requires an authenticated session (cookie-based auth).
+- WebSocket upgrade origin checks must pass.
+- Connection attempts are rate-limited (1,000 upgrades per 15-minute window per identity/IP key).
+
 ## Get agent log entries
 
 Returns log entries from a connected agent, proxied through the controller.
 
 ```bash
-curl http://drydock:3000/api/agents/:name/log/entries
+curl http://drydock:3000/api/v1/agents/:name/log/entries
 ```
 
 Accepts the same query parameters as the application log entries endpoint above.
diff --git a/content/docs/current/api/registry.mdx b/content/docs/current/api/registry.mdx
index 077bddd78..0a868e783 100644
--- a/content/docs/current/api/registry.mdx
+++ b/content/docs/current/api/registry.mdx
@@ -14,7 +14,7 @@ This API allows to query the state of the registries.
 This operation lets you get all the configured registries.
 
 ```bash
-curl http://drydock:3000/api/registries
+curl http://drydock:3000/api/v1/registries
 
 {
     "data": [
@@ -49,7 +49,7 @@ curl http://drydock:3000/api/registries
 This operation lets you get a specific Registry.
 
 ```bash
-curl http://drydock:3000/api/registries/hub/private
+curl http://drydock:3000/api/v1/registries/hub/private
 
 {
     "id": "hub.private",
@@ -60,3 +60,11 @@ curl http://drydock:3000/api/registries/hub/private
     }
 }
 ```
+
+### Agent-scoped lookup
+
+To fetch a registry registered on a specific agent, append the agent name:
+
+```bash
+curl http://drydock:3000/api/v1/registries/hub/private/agent1
+```
diff --git a/content/docs/current/api/store.mdx b/content/docs/current/api/store.mdx
index 2e4b250fc..a079b8fa6 100644
--- a/content/docs/current/api/store.mdx
+++ b/content/docs/current/api/store.mdx
@@ -10,11 +10,11 @@ This API allows to query the configuration of the Store.
 This operation lets you get the state of the Store.
 
 ```bash
-curl http://drydock:3000/api/store
+curl http://drydock:3000/api/v1/store
 
 {
    "configuration":{
-      "path":".store",
+      "path":"/store",
       "file":"dd.json"
    }
 }
diff --git a/content/docs/current/api/trigger.mdx b/content/docs/current/api/trigger.mdx
index f19c33004..f7059ffe9 100644
--- a/content/docs/current/api/trigger.mdx
+++ b/content/docs/current/api/trigger.mdx
@@ -14,7 +14,7 @@ This API allows to query the state of the triggers.
 This operation lets you get all the configured triggers.
 
 ```bash
-curl http://drydock:3000/api/triggers
+curl http://drydock:3000/api/v1/triggers
 
 {
     "data": [
@@ -44,7 +44,7 @@ curl http://drydock:3000/api/triggers
 This operation lets you get a specific Trigger.
 
 ```bash
-curl http://drydock:3000/api/triggers/smtp/gmail
+curl http://drydock:3000/api/v1/triggers/smtp/gmail
 
 {
   "id":"smtp.gmail",
@@ -61,13 +61,21 @@ curl http://drydock:3000/api/triggers/smtp/gmail
 }
 ```
 
+### Agent-scoped lookup
+
+To fetch a trigger registered on a specific agent, append the agent name:
+
+```bash
+curl http://drydock:3000/api/v1/triggers/smtp/gmail/agent1
+```
+
 ## Running a trigger
 
 This operation lets you run a specific Trigger with simulated data.
 
 ```bash
 export CONTAINER='{"id":"123456789","name":"container_test","watcher":"watcher_test","updateKind":{"kind":"tag","semverDiff":"patch","localValue":"1.2.3","remoteValue":"1.2.4","result":{"link":"https://my-container/release-notes/"}}}'
-curl -X POST -H "Content-Type: application/json" -d $CONTAINER http://drydock:3000/api/triggers/smtp/gmail
+curl -X POST -H "Content-Type: application/json" -d $CONTAINER http://drydock:3000/api/v1/triggers/smtp/gmail
 ```
 
 ## Running a remote trigger (agent-scoped)
@@ -77,5 +85,5 @@ The path order is `/:type/:name/:agent` (agent is the final segment).
 
 ```bash
 export CONTAINER='{"id":"123456789","name":"container_test","agent":"agent1","watcher":"remote"}'
-curl -X POST -H "Content-Type: application/json" -d $CONTAINER http://drydock:3000/api/triggers/smtp/gmail/agent1
+curl -X POST -H "Content-Type: application/json" -d $CONTAINER http://drydock:3000/api/v1/triggers/smtp/gmail/agent1
 ```
diff --git a/content/docs/current/api/watcher.mdx b/content/docs/current/api/watcher.mdx
index 6f044707e..521ec9017 100644
--- a/content/docs/current/api/watcher.mdx
+++ b/content/docs/current/api/watcher.mdx
@@ -14,7 +14,7 @@ This API allows to query the state of the watchers.
 This operation lets you get all the configured watchers.
 
 ```bash
-curl http://drydock:3000/api/watchers
+curl http://drydock:3000/api/v1/watchers
 
 {
    "data": [
@@ -27,6 +27,9 @@ curl http://drydock:3000/api/watchers
          "port":2375,
          "cron":"0 * * * *",
          "watchbydefault":true
+      },
+      "metadata": {
+         "lastRunAt": "2026-03-20T21:44:11.782Z"
       }
       }
    ],
@@ -37,12 +40,25 @@ curl http://drydock:3000/api/watchers
 }
 ```
 
+### Response fields
+
+| Field | Type | Description |
+| --- | --- | --- |
+| `id` | string | Fully qualified watcher ID (for example `docker.local`) |
+| `type` | string | Watcher provider type |
+| `name` | string | Watcher name |
+| `configuration` | object | Watcher configuration (masked/safe for API output) |
+| `agent` | string \| undefined | Agent name when watcher is agent-scoped |
+| `metadata.lastRunAt` | string \| undefined | ISO-8601 timestamp of the most recent completed watch cycle |
+
+`metadata.lastRunAt` is populated after at least one watch run has completed.
+
 ## Get a Watcher by id
 
 This operation lets you get a specific Watcher.
 
 ```bash
-curl http://drydock:3000/api/watchers/docker/local
+curl http://drydock:3000/api/v1/watchers/docker/local
 
 {
    "id":"docker.local",
@@ -53,6 +69,17 @@ curl http://drydock:3000/api/watchers/docker/local
       "port":2375,
       "cron":"0 * * * *",
       "watchbydefault":true
+   },
+   "metadata":{
+      "lastRunAt":"2026-03-20T21:44:11.782Z"
    }
 }
 ```
+
+### Agent-scoped lookup
+
+To fetch a watcher registered on a specific agent, append the agent name:
+
+```bash
+curl http://drydock:3000/api/v1/watchers/docker/local/agent1
+```
diff --git a/content/docs/current/changelog/index.mdx b/content/docs/current/changelog/index.mdx
index 6792c5feb..dfa2c2a12 100644
--- a/content/docs/current/changelog/index.mdx
+++ b/content/docs/current/changelog/index.mdx
@@ -13,13 +13,146 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+
+- **AppIconButton size tiers bumped for WCAG 2.5.8** — Default `sm` size now meets the 44px minimum touch target. All tiers increased: `toolbar` 28→32px, `xs` 36→40px, `sm` 40→44px, `md` 44→48px, `lg` 48→56px. Migrated remaining raw icon buttons on the containers page (view mode switcher, stop/start/restart, detail panel close/expand, split button icons, column picker). ([Discussion #199](https://github.com/CodesWhat/drydock/discussions/199))
+
+### Dependencies
+
+- **`fast-xml-parser` patched for CVE-2026-33349** — Additional patch on top of the v1.5.0 upgrade.
+
+## [1.5.0] — 2026-03-19
+
+### Added
+
+- **Real-time container log viewer** — WebSocket-based live log streaming from Docker containers directly in the UI. Features ANSI color rendering, automatic JSON log detection with syntax-highlighted pretty-printing, free-text and regex search with match navigation, stdout/stderr stream filtering, log level filtering for structured logs, copy to clipboard, and gzip-compressed download. Available in both the container detail panel and a dedicated full-page view at `/containers/:id/logs`. ([Phase 4.2](https://getdrydock.com/docs/configuration/logs))
+- **Diagnostic debug dump** — One-click export of redacted system state from Configuration > Diagnostics. Collects runtime metadata, component state (watchers, registries, triggers, agents), Docker API diagnostics, MQTT Home Assistant sensors, recent Docker events, store stats, and `DD_*` environment variables. Sensitive values matching `password|token|secret|key|hash` are automatically redacted. Configurable time window (1–1440 minutes). ([Phase 4.14](https://getdrydock.com/docs/api/container))
+- **Container log streaming API** — `WS /api/v1/containers/:id/logs/stream` endpoint with Docker binary stream demultiplexing, session-based authentication on WebSocket upgrade, and fixed-window rate limiting (1,000 connections per 15 minutes).
+- **Container log download API** — `GET /api/v1/containers/:id/logs` endpoint with gzip compression support, stdout/stderr filtering, configurable tail size, and timestamp-based `since` filtering.
+- **Debug dump API** — `GET /api/v1/debug/dump` endpoint with configurable `minutes` query parameter for time-windowed event collection.
+- **Copy logs to clipboard** — Copy button in the container log viewer copies all visible log entries to clipboard with timestamp, stream type, and content.
+- **Dashboard customization** — Customizable grid layout with drag-to-reorder, resize, and per-widget visibility toggles using `grid-layout-plus`. Edit mode via pencil icon in breadcrumb header. Customize panel with checkboxes and S/M/L size badges. All widgets progressively collapse content based on container height.
+- **Resource usage dashboard widget** — CPU and memory usage bars with top-N resource consumers, progressive detail at different widget sizes.
+- **Trigger environment variable aliases** — Triggers can now be configured with `DD_ACTION_*` or `DD_NOTIFICATION_*` prefixes in addition to `DD_TRIGGER_*`. All three prefixes resolve identically at startup.
+- **Digest notification mode** — New `MODE=digest` trigger option that accumulates update events over a configurable time window and sends a single batch notification on a cron schedule. Configure with `DD_TRIGGER_{type}_{name}_MODE=digest` and `DD_TRIGGER_{type}_{name}_DIGESTCRON=0 8 * * *` (default: daily at 8am). Works with all notification triggers (SMTP, Telegram, Slack, Pushover, etc.). ([Discussion #185](https://github.com/CodesWhat/drydock/discussions/185))
+- **Toast notifications for all container actions** — Every container action (update, start, stop, restart, scan, delete, group update, rollback, trigger run) now shows a success toast. Error toasts for failures. Toasts auto-dismiss after 6 seconds. ([#183](https://github.com/CodesWhat/drydock/issues/183), [#193](https://github.com/CodesWhat/drydock/discussions/193))
+- **"View containers" navigation from Watchers and Agents** — Detail panels now include a button that navigates directly to the container list filtered by the selected host. ([#194](https://github.com/CodesWhat/drydock/discussions/194))
+- **Podman API version negotiation** — Docker watcher probes the daemon's `/version` endpoint over the Unix socket and pins Dockerode to the reported API version. Prevents `EAI_AGAIN` crashes caused by `docker-modem`'s redirect-following bug when Podman returns HTTP 301 for unversioned API paths. ([#182](https://github.com/CodesWhat/drydock/issues/182))
+- **System log live streaming in UI** — Added end-to-end WebSocket support for system logs (`/api/v1/log/stream`) with new UI service/composable and live log view integration.
+- **Watcher run-time visibility in UI** — Watcher metadata now exposes `lastRunAt`, and UI surfaces it as a relative timestamp.
+- **Shared log viewer primitives** — Added reusable `AppLogViewer` building blocks, JSON tokenizer/search utilities, and full-page container detail tab components for consistent log UX.
+- **Bearer token auth for `/metrics` endpoint** — Set `DD_SERVER_METRICS_TOKEN` to authenticate Prometheus scrapers via `Authorization: Bearer <token>` without requiring session/basic auth. Uses SHA-256 hashing with timing-safe comparison. Three auth modes: (1) bearer token when token is set, (2) session/basic auth fallback, (3) no auth when `DD_SERVER_METRICS_AUTH=false`.
+- **Design system components** — Added shared UI building blocks: `AppIconButton` (icon-only button with WCAG 2.5.8 touch targets), `AppBadge` (tone-based badge with size/uppercase/dot props), `StatusDot` (semantic status indicator), `DetailField` (label+value pair), and `AppTabBar` (v-model tab bar with icons, counts, compact mode). Migrated dashboard, container, settings, layout, and config views to use the new components. ([Discussion #199](https://github.com/CodesWhat/drydock/discussions/199))
+- **Floating tag detection and UI indicator** — New `tagPrecision` classifier (`specific` | `floating`) detects mutable version aliases (e.g. `v3`, `1.4`) and auto-enables digest watching on non-Docker Hub registries. Container detail views show a caution badge when a floating tag is detected without digest watching enabled. ([Discussion #178](https://github.com/CodesWhat/drydock/discussions/178))
+- **Notification bell action filtering** — Audit log endpoint now supports an `actions` query parameter for comma-separated event type filtering. `NotificationBell` uses this to fetch only actionable alert types instead of the full audit log.
+- **Semantic typography utility classes** — Added `dd-text-label`, `dd-text-body`, `dd-text-heading-panel`, and related Tailwind utility classes for consistent text sizing across views.
+- **Disable default local watcher** — Set `DD_LOCAL_WATCHER=false` to prevent the built-in Docker watcher from starting, useful for controller-only nodes that manage remote agents exclusively.
+- **Container row dimming during actions** — Container table rows dim with reduced opacity while an action (update, restart, etc.) is in progress, providing clear visual feedback. ([#227](https://github.com/CodesWhat/drydock/issues/227))
+
+### Changed
+
+- **Container log viewer upgraded to WebSocket streaming** — Replaced the previous HTTP polling-based log viewer with real-time WebSocket streaming. Logs now appear instantly as containers produce them, with no polling interval needed. The viewer retains up to 5,000 lines in a ring buffer.
+- **Container detail panel log tab sizing** — Log viewer in the slide-in detail panel and full-page view now fills the available viewport height without causing outer scrollbars. Uses proper flex layout containment instead of fixed `calc()` heights.
+- **Search match navigation** — Prev/Next search navigation buttons are now hidden by default and only appear when a search query is active, reducing toolbar clutter.
+- **UI text and margin standardization** — Consistent text sizing, view margins, and scroll container padding across all views and components.
+- **Connection lost overlay z-index** — Overlay now covers entire viewport including sidebar using CSS custom property `--z-modal`.
+- **Deprecation banner composable** — Reusable `useDeprecationBanner` composable for session and permanent dismissal of deprecation notices.
+- **Debug dump redaction patterns expanded** — Sensitive key detection now covers 14+ token patterns including `passwd`, `credential`, `apikey`, `accesskey`, `privatekey`, `bearer`, `auth`, and `login` (env-style keys only for auth/bearer/login to avoid false positives).
+- **Lefthook pre-push Playwright gate** — Added `e2e-playwright` to the root pre-push pipeline so local hooks now run Cucumber E2E and Playwright QA before push.
+- **Trigger rename migration CLI support** — `config migrate` now supports `--source trigger` and rewrites legacy trigger prefixes (`DD_TRIGGER_*`, `dd.trigger.include`, `dd.trigger.exclude`) to action-prefixed aliases.
+- **Centralized rollback container guard** — `-old-{timestamp}` container rejection moved from Docker trigger to base Trigger class, covering all trigger types.
+- **Container list query internals modularized** — Extracted query-validation logic and split tests by concern.
+- **Container list filtering performance** — Status/kind filters avoid unnecessary full-collection loads; age/created sorting precomputes values.
+- **Healthcheck execution path optimized** — The built-in Docker `HEALTHCHECK` now uses a static C binary (`/bin/healthcheck`) instead of curl. Custom `curl`-based healthcheck overrides in compose files continue to work but are deprecated — `curl` will be removed from the image in v1.6.0. Remove custom `healthcheck:` blocks to use the built-in probe, or switch to `/bin/healthcheck ${DD_SERVER_PORT:-3000}`. ([#215](https://github.com/CodesWhat/drydock/issues/215))
+- **Watcher event logging noise reduced** — First event-stream reconnect downgraded from `warn` to `info`.
+- **CI workflows renamed** — Dropped numeric prefixes from workflow filenames for clarity.
+- **Smoke load test profile removed** — Replaced with the ci profile for meaningful regression detection.
+- **Container-update event deduplication** — Added `hasContainerChanged()` to detect meaningful state differences between existing and incoming container records. Suppresses redundant SSE `container-updated` events when a poll cycle returns identical data.
+- **Log viewer layout improvements** — Log entries now use `white-space: nowrap` for single-line scannable output (horizontal scroll for overflow), row alignment changed to `items-center` for consistent baselines, and the terminal has a `min-h-[300px]` floor. Log viewer fills container height with `flex-1`, removed line separators, and added dark background on search input.
+- **AppIconButton toolbar size** — Added `toolbar` size variant (w-8 h-8, 15px icon) for dense filter bars.
+- **Deprecation banner actions layout** — Migration guide link, Dismiss button, and "Don't show again" checkbox stacked vertically with checkbox-gated permanent dismiss.
+- **Dashboard customize panel responsive on mobile** — Panel is opt-in on mobile (sliders icon to open), full-screen overlay with backdrop dismiss. Desktop behavior unchanged. ([#222](https://github.com/CodesWhat/drydock/issues/222))
+- **Socket version probe hardened** — Added 64KB body cap on socket probe response, timer cleanup via `onScopeDispose`/`onUnmounted`, and typed `gridLayout` as `PersistedLayoutItem[]`.
+- **Action trigger default mode** — Action triggers (`docker`, `dockercompose`, `command`) now default to `auto=oninclude` instead of `auto=all`, requiring an explicit `dd.trigger.include` label before auto-updating containers. ([#213](https://github.com/CodesWhat/drydock/issues/213))
+
+### Fixed
+
+- **TypeScript type safety in watcher registry lookups** — Replaced unsafe `as unknown as` casts with `isDockerWatcher()` type guard for Docker watcher state lookups.
+- **Container alias name canonicalization** — `getContainerName()` now strips Docker recreate alias prefixes (e.g. `8bf70beac570_termix` → `termix`) before the name enters the store, so all triggers (Telegram, Slack, Pushover, etc.) receive canonical names. MQTT was already fixed in v1.4.5; this extends the fix to the source. ([#156](https://github.com/CodesWhat/drydock/issues/156))
+- **Cascading -old container updates** — "Update All" batch no longer triggers updates on containers renamed with `-old-{timestamp}` suffix during a prior update. Guard added to base Trigger class (`mustTrigger`), all API endpoints (container-actions, webhook, trigger proxy), and UI batch freezes container IDs at start. ([#183](https://github.com/CodesWhat/drydock/issues/183))
+- **Remote trigger error reporting** — Agent-side trigger endpoints now return structured error details with reason field. Controller extracts and logs the actual failure message instead of bare "Request failed with status code 500". Original Axios error preserved for proxy forwarding. ([#183](https://github.com/CodesWhat/drydock/issues/183))
+- **Dashboard confirm dialog** — `ConfirmDialog` moved to global app shell so update prompts from the dashboard "Updates Available" widget appear immediately instead of requiring navigation to the Containers page. ([#184](https://github.com/CodesWhat/drydock/issues/184))
+- **Registry failures in Updates Available widget** — Containers with "check failed" status (registry errors) no longer appear in the dashboard "Updates Available" section. They remain visible on the Containers page with error indicators. ([#186](https://github.com/CodesWhat/drydock/issues/186))
+- **Digest buffer stale entry eviction** — Containers evicted from digest buffer when update-applied events fire, preventing already-updated containers from appearing in the next digest flush.
+- **Rate-limiter memory safety** — Fixed-window limiter now enforces a hard `maxEntries` cap to prevent unbounded growth.
+- **UI interaction polish** — Fixed agent column picker positioning ([#187](https://github.com/CodesWhat/drydock/issues/187)), dashboard mobile stacking, Escape-key dashboard edit exit, popover z-index/positioning.
+- **Watcher "Last Run" display** — Watchers page now shows relative timestamps for last run. ([#189](https://github.com/CodesWhat/drydock/issues/189))
+- **Duplicate containers after recreate** — Three-layer deduplication filtering prevents alias containers from entering the store during Docker recreate cycles. ([#180](https://github.com/CodesWhat/drydock/issues/180))
+- **Agent disconnect notification template** — Agent disconnect events now use a dedicated notification template instead of being rendered as container updates. ([#195](https://github.com/CodesWhat/drydock/issues/195))
+- **Digest-only image visibility** — Watchers no longer silently drop containers with digest-only image references (e.g. Portainer agent). ([#192](https://github.com/CodesWhat/drydock/issues/192))
+- **Digest cron validation** — `DIGESTCRON` config validated with `cron.validate()` at registration time, failing with a clear error instead of a runtime crash.
+- **Container list runtime status filtering** — Container list API now accepts Docker runtime statuses (`running`, `stopped`, `paused`, etc.) in `status` filtering.
+- **Debug dump filename normalization** — Debug exports now use date-only `.json` filenames.
+- **Dashboard widget mobile scroll** — Added `overscroll-contain` to all scrollable dashboard widgets so touch scrolling stays within the widget instead of scrolling the page. ([#200](https://github.com/CodesWhat/drydock/issues/200))
+- **WebSocket robustness fixes** — Prevented writes on closed sockets, fixed non-matching upgrade URL pass-through behavior, and eliminated stats-collector listener leaks across restart cycles.
+- **Official image pretty logs restored by default** — The release Docker image now defaults back to `DD_LOG_FORMAT=text`, restoring the human-readable `docker logs` experience from v1.4.5. Set `DD_LOG_FORMAT=json` explicitly if you want structured log output. ([Discussion #221](https://github.com/CodesWhat/drydock/discussions/221))
+- **CalVer zero-padded month in strict family filter** — Tags like `2026.02.0` were rejected when the current tag was `2025.11.1` because zero-padded single digits (`01`–`09`) were treated as a family mismatch. Normal in CalVer month fields. ([#202](https://github.com/CodesWhat/drydock/issues/202))
+- **Dashboard updates widget 6-item cap** — Removed hard-coded `RECENT_UPDATES_LIMIT` that silently dropped entries beyond 6 in the Updates Available widget. The scroll container was already in place. ([#208](https://github.com/CodesWhat/drydock/issues/208))
+- **Disabled tooltip regression** — Restored pointer events on disabled `AppIconButton` so tooltips still explain why actions are unavailable (regressed lock button explanations in grouped views).
+- **AppTabBar accessibility** — Added `aria-label` in `iconOnly` mode so tabs are identifiable to assistive technology when visible labels are hidden.
+- **OpenAPI `/metrics` security spec** — Removed anonymous `{}` from security alternatives; runtime requires auth by default, spec should not advertise otherwise.
+- **Missing filter icon in DataFilterBar** — Restored `AppIconButton` import that was silently swallowed by Vue, making the filter icon invisible on all pages.
+- **Missing component imports** — Added missing imports in `SecurityEmptyState` and `AgentsView` that were silently dropped.
+- **tagPrecision mapper type safety** — Removed `as any` cast from tagPrecision container mapper.
+- **AppIconButton tooltip type** — Widened tooltip prop type and fixed ThemeToggle dead branch.
+- **Docker recreate alias prefix stripping unconditional** — Container names are now unconditionally stripped of `hex12_` prefixes at both watcher and trigger level, preventing alias names like `fcdb966987a0_termix` from leaking into notifications. ([#156](https://github.com/CodesWhat/drydock/issues/156))
+- **Banner checkbox label text invisible** — "Don't show again" text on deprecation banners was unreadable because `dd-text-muted` was used on a `color-mix` background. Switched to tone color.
+- **Dashboard updates list not refreshing after container update** — Backend now clears `updateAvailable` flag after manual trigger; frontend SSE `container-changed` event triggers full data refresh instead of summary-only. ([#229](https://github.com/CodesWhat/drydock/issues/229))
+- **Dashboard layout customizations lost on page reload** — Added `gridLayout` to `PreferencesSchema`; reorder now uses `loadPersistedLayout` instead of `createLayoutFromOrder`. ([#223](https://github.com/CodesWhat/drydock/issues/223))
+- **Mobile vertical scroll on containers page** — Restored vertical scrolling on the containers page when viewed on mobile devices. ([#231](https://github.com/CodesWhat/drydock/issues/231))
+- **Podman pod infra containers skipped** — Watchers now skip Podman pod infrastructure containers that have an empty `Image` field instead of failing during version comparison. ([#182](https://github.com/CodesWhat/drydock/issues/182))
+- **Dashboard scroll and layout fixes** — Removed scroll trap from Security Overview widget ([#216](https://github.com/CodesWhat/drydock/issues/216)), prevented dashboard widget scroll layout shift ([#217](https://github.com/CodesWhat/drydock/issues/217)), stopped table resize handles from bleeding through modals, and discarded corrupted single-column grid layouts on load.
+- **Stale updateAvailable overwrite after remote trigger** — Agent controller no longer overwrites cleared `updateAvailable` flags with stale snapshot data after a remote trigger completes. ([#229](https://github.com/CodesWhat/drydock/issues/229))
+
+### Accessibility
+
+- **Tooltip audit** — Added `v-tooltip` to interactive elements and status indicators missing tooltip hints: status dots (watchers, registries, triggers, audit, security), drag handles on dashboard widgets, icon-only badges (registry private/public), NotificationBell button, pagination and test buttons, and spinner/action-in-progress indicators. ([Discussion #199](https://github.com/CodesWhat/drydock/discussions/199))
+
+### Security
+
+- **WebSocket origin and lockout hardening** — Added stricter WebSocket origin validation and safer lockout file-permission handling.
+- **Trivy supply chain advisory** — Published advisory page and site banner for Trivy supply chain compromise. Pinned Trivy versions and corrected advisory details.
+- **Security bouncer enforcement on container updates** — Update and Update All actions now enforce the security bouncer gate, surfacing blocked-update reasons in the UI instead of silently failing.
+
+### Dependencies
+
+- **`fast-xml-parser` upgraded to 5.5.8** — Addresses CVE-2026-33349 (numeric entity expansion bypass). Updated app/e2e dependency versions.
+- **Vite 7.3 upgraded to 8.0** — Migrated to Vite 8.0 with Rolldown bundler.
+- **Patch/minor dependency bumps** — Updated all patch/minor dependencies and upgraded knip to v6.
+- **Vulnerable transitive dependency patches** — nodemailer 8.0.3→8.0.4, picomatch→4.0.4, brace-expansion→5.0.5, smol-toml→1.6.1, yaml→2.8.3.
+
+### Testing
+
+- **Coverage and stability expansion** — Added/updated tests for WebSocket log streaming, auth lockout flows, registry provider error paths, webhook payload bounds, release-notes/digest lifecycle, and dashboard layout defaults; refactored large trigger/watcher suites for clearer ownership and lower flake risk.
+
+### Documentation
+
+- **Guide/API endpoint synchronization** — Updated current docs and guides to consistently use canonical `/api/v1/*` paths, expanded container list API docs, and added dashboard customization guide.
+
 ## [1.4.5] — 2026-03-17
 
+### Added
+
+- **Dashboard Update buttons** — Per-row update buttons and "Update all" button in the Updates Available dashboard widget. ([#173](https://github.com/CodesWhat/drydock/discussions/173))
+- **Getting Started guide** — New step-by-step onboarding guide covering watchers, tag filters, registries, notifications, auto-updates, safety features, and multi-host setup. ([#153](https://github.com/CodesWhat/drydock/discussions/153))
+
 ### Fixed
 
 - **Container recreate alias filtering** — Hardened Docker watcher timestamp parsing, added event handler early return for transient aliases, canonical MQTT topic naming, and stale topic cleanup for recreated containers. ([#156](https://github.com/CodesWhat/drydock/issues/156))
 - **About modal version display** — Version is now fetched dynamically from the API instead of being hardcoded, ensuring the modal always reflects the running server version. ([#167](https://github.com/CodesWhat/drydock/issues/167))
 - **Version resolution fallback** — `DD_VERSION=unknown` is now skipped so the version is correctly read from `package.json` at startup.
+- **Theme circle transition origin** — The theme toggle circle animation now originates from the click point instead of the viewport center.
+- **Trigger code bugs** — Gotify URL and Apprise URL now correctly enforce `.required()` validation; Kafka `clientId` casing normalized with `clientId` kept as a deprecated compatibility alias until v1.6.0.
 
 ### Security
 
@@ -32,12 +165,27 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **API versioning** — All UI fetch calls migrated from `/api/` to `/api/v1/` paths.
 - **OIDC empty bearer token log level** — Downgraded empty bearer token log from `warn` to `debug`. ([#169](https://github.com/CodesWhat/drydock/issues/169))
 
+### Documentation
+
+- **Docs audit (78 files)** — Fixed 18 doc accuracy issues, 3 code bugs, 22+ broken links, and restructured 8 pages (90 callouts → 36). Triggers overview reduced from 17 callouts to 3 with threshold reference table. Template variables expanded from 12 to 30 with example values. Docker Compose trigger now linked from triggers overview. ([#153](https://github.com/CodesWhat/drydock/discussions/153), [#172](https://github.com/CodesWhat/drydock/discussions/172))
+
+### Dependencies
+
+- **Security** — `fast-xml-parser` 5.3.8 → 5.5.6 (CVE: numeric entity expansion bypass), `next` 16.1.6 → 16.1.7 (HTTP smuggling, CSRF bypass, DoS)
+- **CI** — `step-security/harden-runner` v2.15.1 → v2.16.0, `github/codeql-action` v4.32.6 → v4.33.0
+- **App** — `@aws-sdk/client-ecr`, `@slack/web-api`, `express-rate-limit`, `fast-check`, `knip`, `nodemailer`, `undici`, `@types/node`
+- **UI** — `@iconify-json/lucide`, `knip`, `jsdom` 28 → 29
+- **Website** — `fumadocs-core`, `fumadocs-mdx`, `fumadocs-ui`, `lucide-react`, `lefthook`, `@vercel/analytics` v1 → v2, `@vercel/speed-insights` v1 → v2
+- **Demo** — `@iconify-json/lucide`, `@vitejs/plugin-vue`, `msw` 2.10 → 2.12
+- **E2E** — `@dotenvx/dotenvx`, `fast-xml-parser`, `minimatch`
+
 ### Chore
 
 - **QA infrastructure** — Added Portainer, slow-shutdown container, and watchevents service for end-to-end container recreate testing. ([#156](https://github.com/CodesWhat/drydock/issues/156))
 - **Coverage and types cleanup** — Coverage read retry, OpenAPI re-export, and auth types cleanup.
-- **Demo version bump** — Bumped demo package version.
+- **Demo version bump** — Bumped demo package version to 1.4.5.
 - **Alias filtering test coverage** — Added timestamp edge-case tests for Docker watcher alias filtering. ([#156](https://github.com/CodesWhat/drydock/issues/156))
+- **msw worker regenerated** — Updated `mockServiceWorker.js` for msw 2.12 (origin-based → clientId-based validation).
 
 ## [1.4.4] — 2026-03-16
 
@@ -86,6 +234,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - **Update-operations pagination** — `GET /api/containers/:id/update-operations` now supports `limit` and `offset` query parameters with `_links` navigation, matching the existing container list pagination pattern.
 - **Periodic audit log pruning** — Audit store now runs a background timer (hourly, unref'd) to prune stale entries even with low insert volume, in addition to the existing insert-count-based pruning.
+- **Container release notes enrichment** — Watch cycles now enrich update candidates with GitHub release metadata (`result.releaseNotes` and `result.releaseLink`), and full notes are available via `GET /api/containers/:id/release-notes`.
+- **Container list sort and filter query params** — `GET /api/containers` now supports `sort` (`name`, `status`, `age`, `created`, with optional `-` prefix for descending), plus `status`, `kind`, `watcher`, and `maturity` filters.
+- **Update age and maturity API signals** — Container payloads now track `updateAge` and support maturity states (`hot`, `mature`, `established`) for filtering and policy workflows.
+- **Suggested semver tag hints** — Containers tracked on non-semver tags such as `latest` now expose `result.suggestedTag` to surface the best semver target.
+- **`oninclude` trigger auto mode** — Trigger `auto` now supports `oninclude`, which only auto-runs for containers explicitly matched by include labels. ([#160](https://github.com/CodesWhat/drydock/issues/160))
+- **Container runtime observability APIs** — Added `/api/containers/stats`, `/api/containers/:id/stats`, and `/api/containers/:id/stats/stream` for resource telemetry, plus richer per-container runtime snapshots.
+- **Real-time container log streaming** — Added WebSocket streaming at `/api/v1/containers/:id/logs/stream` with `stdout`/`stderr`, `tail`, `since`, and `follow` controls.
+- **Container logs and runtime stats panels** — Container detail views now include dedicated live Logs and Runtime Stats tabs (including full-page logs route support).
+- **Signed registry webhook receiver** — Added `POST /api/webhooks/registry` with HMAC signature verification and provider-specific payload parsing for registry push events.
+- **Auth lockout Prometheus observability** — Added Prometheus metrics for login success/failure and lockout activity.
 
 ### Changed
 
@@ -95,11 +253,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **Decompose useContainerActions** — Split the 1200-line composable into focused modules: `useContainerBackups`, `useContainerPolicy`, `useContainerPreview`, and `useContainerTriggers`.
 - **Registry error handling** — Replaced `catch (e: any)` with `catch (e: unknown)` and `getErrorMessage(e)` in component registration and trigger/watcher startup.
 - **E2E test resilience** — Container row count assertions now use `toBeGreaterThan(0)` instead of hardcoded counts, preventing false failures when the QA environment has a different number of containers.
+- **Registry digest cache dedup per poll cycle** — Digest cache lookups now deduplicate repeated requests within a single poll cycle, reducing redundant registry calls and improving metric accuracy.
 - **Extract runtime config evaluation context type** — Consolidated scattered runtime field evaluation parameters into a typed `ClonedRuntimeFieldEvaluationContext` interface for trigger providers.
 - **Argon2 hash parsing type safety** — Extracted `Argon2Parameters` interface, parameter key type guard, and PHC parameter parsing into a reusable function for improved type safety.
 - **Extract agent client initialization methods** — Extracted URL parsing, HTTPS detection, protocol validation, and TLS configuration from monolithic constructor into focused private methods.
 - **Extract shared self-hosted registry config schema** — Deduplicated the registry configuration schema (url, login, password, auth, cafile, insecure, clientcert, clientkey) into a reusable helper shared by Custom and SelfHostedBasic registry providers.
 
+### Documentation
+
+- **Podman docs expansion** — Added Podman setup/compatibility guidance plus SELinux, `podman-compose`, and production notes in watcher and FAQ docs.
+- **Docs site URL rebrand** — Replaced `drydock.codeswhat.com` links with `getdrydock.com` across docs pages, sitemap/robots metadata, and website copy.
+
 ### Fixed
 
 - **CSRF validation behind reverse proxies** — Same-origin mutation checks now honor `X-Forwarded-Proto` and `X-Forwarded-Host` when present before falling back to direct request protocol/host, preventing false `403 CSRF validation failed` responses in TLS-terminating proxy setups. ([#146](https://github.com/CodesWhat/drydock/issues/146))
@@ -895,7 +1059,12 @@ Remaining upstream-only changes (not ported — not applicable to drydock):
 | Fix codeberg tests | Covered by drydock's own tests |
 | Update changelog | Upstream-specific |
 
-[Unreleased]: https://github.com/CodesWhat/drydock/compare/v1.4.1...HEAD
+[Unreleased]: https://github.com/CodesWhat/drydock/compare/v1.5.0...HEAD
+[1.5.0]: https://github.com/CodesWhat/drydock/compare/v1.4.5...v1.5.0
+[1.4.5]: https://github.com/CodesWhat/drydock/compare/v1.4.4...v1.4.5
+[1.4.4]: https://github.com/CodesWhat/drydock/compare/v1.4.3...v1.4.4
+[1.4.3]: https://github.com/CodesWhat/drydock/compare/v1.4.2...v1.4.3
+[1.4.2]: https://github.com/CodesWhat/drydock/compare/v1.4.1...v1.4.2
 [1.4.1]: https://github.com/CodesWhat/drydock/compare/v1.4.0...v1.4.1
 [1.4.0]: https://github.com/CodesWhat/drydock/compare/v1.3.9...v1.4.0
 [1.3.9]: https://github.com/CodesWhat/drydock/compare/v1.3.8...v1.3.9
diff --git a/content/docs/current/configuration/actions/index.mdx b/content/docs/current/configuration/actions/index.mdx
index d6dd70008..96ed82b49 100644
--- a/content/docs/current/configuration/actions/index.mdx
+++ b/content/docs/current/configuration/actions/index.mdx
@@ -13,11 +13,11 @@ Drydock provides direct container management actions through both the UI and API
 
 | Action | API endpoint | Description |
 | --- | --- | --- |
-| **Start** | `POST /api/containers/:id/start` | Start a stopped container |
-| **Stop** | `POST /api/containers/:id/stop` | Stop a running container |
-| **Restart** | `POST /api/containers/:id/restart` | Restart a container |
-| **Update** | `POST /api/containers/:id/update` | Pull new image and recreate container |
-| **Delete** | `DELETE /api/containers/:id` | Remove container from drydock tracking |
+| **Start** | `POST /api/v1/containers/:id/start` | Start a stopped container |
+| **Stop** | `POST /api/v1/containers/:id/stop` | Stop a running container |
+| **Restart** | `POST /api/v1/containers/:id/restart` | Restart a container |
+| **Update** | `POST /api/v1/containers/:id/update` | Pull new image and recreate container |
+| **Delete** | `DELETE /api/v1/containers/:id` | Remove container from drydock tracking |
 
 ## Feature flags
 
@@ -31,6 +31,24 @@ Container actions can be individually toggled with environment variables:
 <Callout type="info">When a feature flag is disabled, the corresponding buttons are hidden in the UI and the API endpoints return `403 Forbidden`.</Callout>
 <Callout type="warn">Container action endpoints currently use an authentication-only, single-operator trust model. Any authenticated user can start, stop, restart, update, or delete any container. Run drydock behind trusted SSO/access controls until fine-grained RBAC is available.</Callout>
 
+## Trigger configuration aliases
+
+Container updates are executed by action triggers (Docker, Docker Compose, Command). These triggers can be configured with three environment variable prefixes that are treated identically:
+
+| Prefix | Status |
+| --- | --- |
+| `DD_ACTION_*` | Current — recommended for action triggers |
+| `DD_NOTIFICATION_*` | Current — recommended for notification triggers |
+| `DD_TRIGGER_*` | Deprecated — removal in v1.7.0 |
+
+When the same trigger is defined under multiple prefixes, the merge priority is: `DD_NOTIFICATION_*` > `DD_ACTION_*` > `DD_TRIGGER_*`.
+
+Container labels follow the same pattern: `dd.action.include` / `dd.action.exclude` replace the deprecated `dd.trigger.include` / `dd.trigger.exclude`.
+
+<Callout type="info">Action triggers (Docker, Docker Compose, Command) default to `AUTO=oninclude`, meaning they only auto-update containers that have an explicit `dd.action.include` label matching the trigger name. Notification triggers default to `AUTO=true`.</Callout>
+
+See [Triggers](/docs/configuration/triggers) for full trigger configuration reference and the [migration CLI](/docs/configuration/triggers#migration) for automated prefix rewriting.
+
 ## Update action
 
 The update action triggers the Docker or Docker Compose trigger for the selected container. It will:
@@ -48,7 +66,7 @@ See [Lifecycle Hooks](/docs/configuration/hooks) and [Backup & Rollback](/docs/c
 
 Before updating, you can preview what will change using the dry-run endpoint:
 
-`POST /api/containers/:id/preview`
+`POST /api/v1/containers/:id/preview`
 
 This returns the proposed changes without executing them.
 
diff --git a/content/docs/current/configuration/agents/index.mdx b/content/docs/current/configuration/agents/index.mdx
index 3dfe0ed3f..0df466ae8 100644
--- a/content/docs/current/configuration/agents/index.mdx
+++ b/content/docs/current/configuration/agents/index.mdx
@@ -27,23 +27,54 @@ To run drydock in Agent mode, start the application with the `--agent` command l
 | `DD_SERVER_PORT` | ⚪ | Port to listen on | `3000` |
 | `DD_SERVER_TLS_*` | ⚪ | Standard [Server](/docs/configuration/server) TLS options | |
 | `DD_WATCHER_{name}_*` | 🔴 | [Watcher](/docs/configuration/watchers) configuration (At least one is required) | |
+| `DD_TRIGGER_DOCKER_{name}_*` | ⚪ | [Docker trigger](/docs/configuration/triggers/docker) for container updates (required to update containers from UI/API) | |
 | `DD_REGISTRY_{name}_*` | ⚪ | [Registry](/docs/configuration/registries) configuration (For update checks) | |
 
+<Callout type="warn">**Watcher and trigger env vars use different naming patterns.** Watchers are `DD_WATCHER_{name}_{option}` (no provider segment — Docker is the only watcher type). Triggers are `DD_TRIGGER_DOCKER_{name}_{option}` (provider segment required). A common mistake is writing `DD_TRIGGER_DOCKER_PRUNE=true` (missing the name) — this creates a broken trigger named "prune" instead of a trigger with `PRUNE=true`. Use `DD_TRIGGER_DOCKER_{name}_PRUNE=true` instead.</Callout>
+
 ### Agent Example (Docker Compose)
 
-<Callout type="info">This example uses a direct socket mount for simplicity. Agents also support [socket proxy](/docs/configuration/watchers#option-1-socket-proxy-recommended) and [remote TLS](/docs/configuration/watchers#option-2-remote-docker-over-tls) connections — configure the agent's watcher with `DD_WATCHER_LOCAL_HOST` and `DD_WATCHER_LOCAL_PORT` instead of a socket mount.</Callout>
+<Callout type="info">This example uses a [socket proxy](/docs/configuration/watchers#option-1-socket-proxy-recommended) for secure Docker socket access. Agents also support [direct socket mount](/docs/configuration/watchers#option-4-direct-socket-mount-default) and [remote TLS](/docs/configuration/watchers#option-2-remote-docker-over-tls) connections.</Callout>
 
 ```yaml
 services:
+  drydock-socket-proxy:
+    image: lscr.io/linuxserver/socket-proxy:latest
+    container_name: drydock-socket-proxy
+    restart: unless-stopped
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    environment:
+      - CONTAINERS=1
+      - IMAGES=1
+      - EVENTS=1
+      - POST=1
+      - DELETE=1
+      - NETWORKS=1
+      - VOLUMES=1
+    healthcheck:
+      test: wget --spider http://localhost:2375/version || exit 1
+      interval: 5s
+      timeout: 3s
+      retries: 3
+      start_period: 5s
+
   drydock-agent:
     image: codeswhat/drydock
     command: --agent
+    depends_on:
+      drydock-socket-proxy:
+        condition: service_healthy
+    ports:
+      - "3000:3000"
     environment:
+      # Shared secret (must match controller's DD_AGENT_{name}_SECRET)
       - DD_AGENT_SECRET=mysecretkey
-      - DD_WATCHER_LOCAL_SOCKET=/var/run/docker.sock
-      - DD_LOG_LEVEL=debug
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
+      # Watcher — discovers containers on this host
+      - DD_WATCHER_LOCAL_HOST=drydock-socket-proxy
+      - DD_WATCHER_LOCAL_PORT=2375
+      # Docker trigger — allows updating containers from UI/API
+      - DD_TRIGGER_DOCKER_LOCAL_PRUNE=true
 ```
 
 ## Controller Configuration
@@ -75,10 +106,116 @@ services:
       - 3000:3000
 ```
 
+<Callout type="info">By default, the controller also watches its own local Docker socket. If you're running the controller as a pure aggregator with no local containers to monitor, set `DD_LOCAL_WATCHER=false` to disable the default local watcher.</Callout>
+
+## Complete Multi-Host Example
+
+This example shows a controller watching its own containers and connecting to one remote agent. The controller handles notifications (Slack, SMTP, etc.); each agent handles its own container updates.
+
+### Controller
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ports:
+      - "3000:3000"
+    depends_on:
+      socket-proxy:
+        condition: service_healthy
+    volumes:
+      - /path/to/store:/store
+    environment:
+      # --- Local watcher (controller's own containers) ---
+      - DD_WATCHER_LOCAL_HOST=drydock-socket-proxy
+      - DD_WATCHER_LOCAL_PORT=2375
+      - DD_WATCHER_LOCAL_WATCHBYDEFAULT=true
+
+      # --- Local docker trigger (update controller's own containers) ---
+      - DD_TRIGGER_DOCKER_LOCAL_PRUNE=true
+
+      # --- Remote agent connection ---
+      - DD_AGENT_REMOTE1_HOST=192.168.1.50
+      - DD_AGENT_REMOTE1_PORT=3000
+      - DD_AGENT_REMOTE1_SECRET=mysecretkey
+
+      # --- Notifications (run on controller only) ---
+      - DD_TRIGGER_SMTP_ALERTS_HOST=smtp.example.com
+      - DD_TRIGGER_SMTP_ALERTS_PORT=587
+      - DD_TRIGGER_SMTP_ALERTS_USER=user@example.com
+      - DD_TRIGGER_SMTP_ALERTS_PASS=password
+      - DD_TRIGGER_SMTP_ALERTS_FROM=drydock@example.com
+      - DD_TRIGGER_SMTP_ALERTS_TO=admin@example.com
+
+  socket-proxy:
+    image: lscr.io/linuxserver/socket-proxy:latest
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    environment:
+      - CONTAINERS=1
+      - IMAGES=1
+      - EVENTS=1
+      - POST=1
+      - DELETE=1
+      - NETWORKS=1
+      - VOLUMES=1
+    healthcheck:
+      test: wget --spider http://localhost:2375/version || exit 1
+      interval: 5s
+      timeout: 3s
+      retries: 3
+      start_period: 5s
+```
+
+### Agent (on 192.168.1.50)
+
+```yaml
+services:
+  drydock-socket-proxy:
+    image: lscr.io/linuxserver/socket-proxy:latest
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    environment:
+      - CONTAINERS=1
+      - IMAGES=1
+      - EVENTS=1
+      - POST=1
+      - DELETE=1
+      - NETWORKS=1
+      - VOLUMES=1
+    healthcheck:
+      test: wget --spider http://localhost:2375/version || exit 1
+      interval: 5s
+      timeout: 3s
+      retries: 3
+      start_period: 5s
+
+  drydock-agent:
+    image: codeswhat/drydock
+    command: --agent
+    depends_on:
+      drydock-socket-proxy:
+        condition: service_healthy
+    ports:
+      - "3000:3000"
+    environment:
+      # Must match controller's DD_AGENT_REMOTE1_SECRET
+      - DD_AGENT_SECRET=mysecretkey
+      # Watcher — discovers containers on this host
+      - DD_WATCHER_LOCAL_HOST=drydock-socket-proxy
+      - DD_WATCHER_LOCAL_PORT=2375
+      # Docker trigger — required to update containers via UI/API
+      - DD_TRIGGER_DOCKER_LOCAL_PRUNE=true
+```
+
+<Callout type="warn">**Do not configure notification triggers (Slack, SMTP, etc.) on agents.** Only `docker` and `dockercompose` triggers are supported in agent mode. Notification triggers must be configured on the controller.</Callout>
+
+<Callout type="info">**You do not need to define `DD_TRIGGER_DOCKER_*` on the controller for each agent.** During the handshake, the controller automatically discovers the agent's triggers and creates internal proxies. The controller only needs its own `DD_TRIGGER_DOCKER_*` for updating containers on its local host.</Callout>
+
 ## Features in Agent Mode
 
 - **Watchers**: Run on the Agent to discover containers.
 - **Registries**: Configured on the Agent to check for updates.
 - **Triggers**:
-  - `docker` and `dockercompose` triggers are executed **on the Agent** (allowing update of remote containers).
-  - Notification triggers (e.g. `smtp`, `discord`) are executed **on the Controller**.
+  - `docker` and `dockercompose` triggers are configured and executed **on the Agent** (allowing update of remote containers). The controller automatically proxies update requests to the correct agent.
+  - Notification triggers (e.g. `smtp`, `discord`) are configured and executed **on the Controller**.
diff --git a/content/docs/current/configuration/authentications/oidc/index.mdx b/content/docs/current/configuration/authentications/oidc/index.mdx
index 4212d20cf..8b483f85a 100644
--- a/content/docs/current/configuration/authentications/oidc/index.mdx
+++ b/content/docs/current/configuration/authentications/oidc/index.mdx
@@ -26,11 +26,13 @@ The `oidc` authentication lets you protect drydock access using the [Openid Conn
 
 The callback URL (to configure in the IDP) is built as `${DD_PUBLIC_URL}/auth/oidc/${auth_name}/cb`.
 
-<Callout type="warn">`DD_PUBLIC_URL` is **required** when OIDC is configured. Without it, the OIDC provider will fail to register at startup and the login page will show "No authentication methods configured". Check startup logs for the exact error.</Callout>
+<Callout type="warn">
+**OIDC configuration requirements:**
 
-<Callout type="warn">`http://` OIDC discovery URLs are deprecated and will be removed in v1.6.0. When the discovery URL uses `http:`, drydock passes `allowInsecureRequests` to the OIDC client. Migrate your IdP to HTTPS before upgrading.</Callout>
-
-<Callout type="warn">`DD_AUTH_OIDC_{auth_name}_INSECURE=true` disables TLS certificate verification for OIDC HTTPS calls (discovery, token, userinfo, JWKS). Use only for local/dev troubleshooting.</Callout>
+- **`DD_PUBLIC_URL` is required** — Without it, the OIDC provider will fail to register at startup and the login page will show "No authentication methods configured". Check startup logs for the exact error.
+- **HTTP discovery is deprecated** — `http://` OIDC discovery URLs will be removed in v1.6.0. When the discovery URL uses `http:`, drydock passes `allowInsecureRequests` to the OIDC client. Migrate your IdP to HTTPS before upgrading.
+- **`INSECURE` is for dev only** — `DD_AUTH_OIDC_{auth_name}_INSECURE=true` disables TLS certificate verification for OIDC HTTPS calls (discovery, token, userinfo, JWKS). Use only for local/dev troubleshooting.
+</Callout>
 
 **Notes:**
 
diff --git a/content/docs/current/configuration/dashboard/index.mdx b/content/docs/current/configuration/dashboard/index.mdx
new file mode 100644
index 000000000..4429a66bb
--- /dev/null
+++ b/content/docs/current/configuration/dashboard/index.mdx
@@ -0,0 +1,97 @@
+---
+title: "Dashboard"
+description: "Customize the Drydock dashboard layout, widgets, and real-time monitoring views."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+
+The dashboard is the landing page after login. It provides a real-time overview of your containers, updates, security posture, and host status through a customizable grid of widgets.
+
+## Widgets
+
+The dashboard contains **9 widgets** in two categories:
+
+### Stat cards
+
+Compact single-metric tiles displayed across the top row.
+
+| Widget | Shows | Click navigates to |
+| --- | --- | --- |
+| **Containers** | Total count with running / stopped breakdown | `/containers` |
+| **Updates Available** | Pending updates with new / mature split | `/containers?filterKind=any` |
+| **Security Issues** | Vulnerability count across scanned images | `/security` |
+| **Registries** | Number of configured registries | `/registries` |
+
+Stat cards are color-coded — green when healthy, amber or red as the severity ratio increases.
+
+### Detail widgets
+
+Larger panels that visualize trends and breakdowns.
+
+| Widget | Shows |
+| --- | --- |
+| **Recent Updates** | Pending container updates with update/skip action buttons in a scrollable list. Includes an "Update All" batch button when pending updates exist. Registry failures are excluded. |
+| **Security Overview** | Donut chart of clean / issues / not-scanned images, a 2×2 severity grid (critical / high / medium / low), and a list of the top 5 vulnerabilities. |
+| **Resource Usage** | Live CPU and memory utilization. Aggregate progress bars (green < 60%, amber 60–85%, red > 85%) plus ranked lists of the top 5 consumers by CPU and memory. |
+| **Host Status** | Agent and watcher connectivity. Shows each host's connection status (green = connected, red = disconnected), address, and running / total container count. |
+| **Update Breakdown** | Four-column grid showing major, minor, patch, and digest update counts with color-coded pills and proportional progress bars. |
+
+All detail widgets use a `ResizeObserver` to detect their rendered height and progressively collapse content as the widget shrinks — headers hide below ~200 px, list items reduce from 5 to 3 to 1, and charts switch between full and compact layouts. This means a widget resized to a compact size still displays meaningful data instead of overflowing.
+
+## Customizing the layout
+
+### Edit mode
+
+Click the **pencil icon** in the breadcrumb header to enter edit mode. Press **Escape** or click the **check icon** to exit.
+
+While in edit mode, interactive widget content is disabled and three controls become available:
+
+- **Drag to reorder** — grab the 6-dot drag handle on any widget and move it to a new position.
+- **Resize** — drag the handle at the bottom-right corner of a widget. Each widget enforces minimum and maximum size constraints.
+- **Widget visibility** — a sidebar panel slides in from the right listing every widget with a checkbox. Toggle any widget on or off. Size capability badges (S / M / L) indicate how each widget can be resized. On mobile, the panel is opt-in — tap the **sliders icon** to open it.
+- **Reset to Default** — a button at the bottom of the sidebar restores the original layout, order, and visibility.
+
+All changes are saved automatically to `localStorage` and persist across page reloads.
+
+### Default layout
+
+Out of the box the dashboard arranges widgets in this order:
+
+| Row | Widgets |
+| --- | --- |
+| Top | Containers, Updates Available, Security Issues, Registries (stat cards, 3 columns each) |
+| Middle | Resource Usage (4 col), Security Overview (4 col), Host Status (4 col) |
+| Middle–lower | Update Breakdown (below Host Status) |
+| Bottom | Recent Updates (full 12-column width) |
+
+### Responsive breakpoints
+
+The grid adapts to the viewport width:
+
+| Breakpoint | Min width | Columns |
+| --- | --- | --- |
+| `lg` | 1024 px | 12 |
+| `md` | 640 px | 12 |
+| `sm` | 0 px | 1 |
+
+On narrow screens stat cards stack vertically and detail widgets fill the full width.
+
+## Real-time updates
+
+The dashboard refreshes automatically via SSE events from the server:
+
+- **Container change** — triggers a quick summary refresh (debounced to 1 second).
+- **Security scan completed** — triggers a full data refresh.
+- **SSE reconnected** — triggers a full data refresh after a connection drop.
+
+No polling is required. When the browser tab is hidden, refresh events are deferred until the tab becomes visible again.
+
+## Persistence
+
+Dashboard preferences are stored under the `dd-preferences` key in the browser's `localStorage`:
+
+- **Widget order** — the sequence widgets appear in the grid.
+- **Hidden widgets** — which widgets are toggled off.
+- **Grid layout** — each widget's position (x, y) and size (width, height).
+
+<Callout type="info">Dashboard preferences are per-browser. They are not synced across devices or shared between users.</Callout>
diff --git a/content/docs/current/configuration/dashboard/meta.json b/content/docs/current/configuration/dashboard/meta.json
new file mode 100644
index 000000000..2198591fd
--- /dev/null
+++ b/content/docs/current/configuration/dashboard/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Dashboard",
+  "pages": ["index"]
+}
diff --git a/content/docs/current/configuration/dns/meta.json b/content/docs/current/configuration/dns/meta.json
new file mode 100644
index 000000000..2ac14b0b0
--- /dev/null
+++ b/content/docs/current/configuration/dns/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "DNS",
+  "pages": ["index"]
+}
diff --git a/content/docs/current/configuration/index.mdx b/content/docs/current/configuration/index.mdx
index 6721ba363..b3792f592 100644
--- a/content/docs/current/configuration/index.mdx
+++ b/content/docs/current/configuration/index.mdx
@@ -23,6 +23,7 @@ Please find below the documentation for each of them:
 - [**Authentication**](/docs/configuration/authentications)
 - [**Backup & Rollback**](/docs/configuration/rollback) — automatic image backup and one-click restore
 - [**Container Actions**](/docs/configuration/actions) — start, stop, restart, update, and delete
+- [**Dashboard**](/docs/configuration/dashboard) — widget layout, customization, and trigger aliases
 - [**DNS**](/docs/configuration/dns) — DNS result ordering for Alpine/musl compatibility
 - [**Lifecycle Hooks**](/docs/configuration/hooks) — pre/post-update commands
 - [**Logs**](/docs/configuration/logs)
@@ -90,8 +91,10 @@ services:
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
       - /opt/drydock/store:/store
+    # The image includes a built-in HEALTHCHECK — no override needed.
+    # If you need custom intervals, use the built-in binary:
     healthcheck:
-      test: curl --fail http://localhost:${DD_SERVER_PORT:-3000}/health || exit 1
+      test: /bin/healthcheck ${DD_SERVER_PORT:-3000}
       interval: 10s
       timeout: 10s
       retries: 3
diff --git a/content/docs/current/configuration/logs/index.mdx b/content/docs/current/configuration/logs/index.mdx
index 1fd6bd0f5..6b415f5b6 100644
--- a/content/docs/current/configuration/logs/index.mdx
+++ b/content/docs/current/configuration/logs/index.mdx
@@ -14,10 +14,10 @@ Control drydock's own log output with environment variables.
 | Env var | Required | Description | Supported values | Default in official Docker image |
 | ---------------- | :--------------: | ----------- | --------------------------- | --------------------------- |
 | `DD_LOG_LEVEL` | ⚪ | Log level | `fatal`, `error`, `warn`, `info`, `debug`, `trace` | `info` |
-| `DD_LOG_FORMAT` | ⚪ | Log format | text json | `json` |
+| `DD_LOG_FORMAT` | ⚪ | Log format | text json | `text` |
 | `DD_LOG_BUFFER_ENABLED` | ⚪ | Enable in-memory log ring buffer used by UI/API log viewer | `true`, `false` | `true` |
 
-The official image sets `DD_LOG_FORMAT=json` by default for structured production logs. Override with `DD_LOG_FORMAT=text` for pretty logs.
+The official image sets `DD_LOG_FORMAT=text` by default for pretty, human-readable logs. Set `DD_LOG_FORMAT=json` when you want structured output for log aggregators.
 Set `DD_LOG_BUFFER_ENABLED=false` to disable the in-memory ring buffer (reduces per-log processing overhead).
 
 ### Examples
@@ -70,39 +70,74 @@ services:
 
 The **Configuration > Logs** page provides a terminal-style viewer for drydock's own runtime logs — startup events, polling cycles, registry checks, trigger executions, and errors.
 
-When enabled, logs are stored in an in-memory ring buffer (last 1,000 entries). They are not persisted to disk.
-If `DD_LOG_BUFFER_ENABLED=false`, the viewer returns no application log entries.
+By default, this view opens a live WebSocket stream to `WS /api/v1/log/stream` and backfills the selected `tail` size on connect.
+
+When enabled, logs are stored in an in-memory ring buffer (last 1,000 entries) and are not persisted to disk.  
+If `DD_LOG_BUFFER_ENABLED=false`, buffered-entry API responses are empty.
 
 ### Toolbar controls
 
 | Control | Description |
 | --- | --- |
-| **Level** | Filter by log level: `all`, `debug`, `info`, `warn`, `error`. Note: entries below your configured `DD_LOG_LEVEL` are never captured, so they won't appear regardless of this filter. |
-| **Lines** | Number of entries to fetch: 50, 100, 500, or 1,000. |
-| **Auto fetch** | Automatically poll for new entries at a chosen interval: Off, 2s, 5s, 10s, or 30s. |
-| **Refresh** | Manual one-shot fetch. |
+| **Live** | Toggle real-time WebSocket streaming on/off. Shows `Live`, `Offline`, or `Paused` status. |
+| **Level** | Filter by log level: `all`, `debug`, `info`, `warn`, `error`. |
+| **Tail** | Backfill size on connect/filter apply: 50, 100, 500, or 1,000 entries. |
+| **Component filter** | Substring filter for component name (for example `api`, `watcher`). |
+| **Apply** | Reapply filters. In live mode this reconnects the stream with the new query. |
+| **Reset** | Reset filters to defaults (`all`, `tail=100`, empty component). |
+
+When **Live** is disabled, the view falls back to one-shot API fetches from `GET /api/v1/log/entries` using the same filters.
 
-### Scroll lock
+### Scroll behavior
 
-When auto fetch is active, the viewer auto-scrolls to the newest entry after each fetch. If you scroll up to read earlier entries, **scroll lock** activates automatically — a warning chip appears and auto-scroll pauses so your reading position is preserved. Click **Resume** to jump back to the bottom and re-enable auto-scroll.
+The log viewport is pinned to the newest entries by default. If you scroll up, it automatically unpins so your reading position is preserved. Use **Pin / Unpin** to control this behavior explicitly.
 
 ## Container Log Viewer
 
-Each container has a **Logs** tab in its detail expansion panel. This shows the container's stdout/stderr output directly in the UI — no need to shell into the host.
+The container log viewer provides real-time log streaming via WebSocket — logs appear instantly as the container produces them, with no polling delay. The viewer is available in two modes:
+
+- **Full-page viewer** at `/containers/:id/logs`, with a header showing the container name, image, and status.
+- **Compact mode** inside the slide-in container detail panel.
+
+A maximum of 5,000 lines are retained in the viewport buffer. Older lines are discarded as new ones arrive.
 
 ### Toolbar controls
 
 | Control | Description |
 | --- | --- |
-| **Lines** | Number of tail lines to fetch: 50, 100, or 500. |
-| **Auto fetch** | Poll for new log output at a chosen interval: Off, 2s, 5s, 10s, or 30s. |
-| **Refresh** | Manual one-shot fetch. |
+| **Pause / Resume** | Pause the live WebSocket stream; resume reconnects and continues streaming. |
+| **Unpin / Pin** | Toggle auto-scroll to newest entries. |
+| **Copy** | Copy all visible log lines to clipboard. |
+| **Download** | Download container logs as a `.log` text file (gzip-compressed if the browser supports it). |
+| **Search** | Free-text search across visible log entries. |
+| **.* Regex** | Toggle regex mode for the search field. |
+| **stdout** | Show or hide the stdout stream. |
+| **stderr** | Show or hide the stderr stream. |
+| **Tail** | Number of initial historical lines to load when the viewer opens: 100, 500, 1,000, or All. |
+| **Level** | Filter by log level. Only shown when the container emits JSON-structured logs (see below). |
+| **Prev / Next** | Navigate between search matches. Only shown when a search is active, with a match counter. |
+
+### ANSI color rendering
+
+Terminal ANSI color codes are rendered correctly in the viewer — colored build output, test runners, and CLI tools display as they would in a real terminal.
+
+### JSON log detection
+
+When the viewer detects JSON-structured log lines, it automatically pretty-prints them with syntax highlighting. Keys, strings, numbers, booleans, and `null` are each distinctly colored for readability.
+
+JSON-structured logs also enable the **Level** filter in the toolbar. The viewer auto-detects the level field from common conventions: `level`, `severity`, `logLevel`, `log_level`, and `lvl`.
+
+### Stream filtering
+
+Each log line is tagged with a color-coded **stdout** or **stderr** badge. Use the stream toggle buttons in the toolbar to show or hide either stream independently.
+
+### Scroll behavior
 
-Scroll lock and resume work the same way as the application log viewer.
+Auto-scroll follows new entries by default. Scrolling up automatically pauses auto-scroll so your reading position is preserved. Click **Pin** to jump back to the bottom and re-enable auto-scroll.
 
 ### Agent containers
 
-Container logs work for both local and remote agent containers. For agent-managed containers, drydock proxies the log request through the agent connection automatically.
+Container log streaming is available for local containers. For agent-managed containers, HTTP-based log download is available.
 
 ## Agent Log Viewer
 
diff --git a/content/docs/current/configuration/meta.json b/content/docs/current/configuration/meta.json
index 684020a86..1beec3f0d 100644
--- a/content/docs/current/configuration/meta.json
+++ b/content/docs/current/configuration/meta.json
@@ -4,6 +4,7 @@
     "index",
     "actions",
     "agents",
+    "dashboard",
     "authentications",
     "dns",
     "hooks",
diff --git a/content/docs/current/configuration/registries/alicr/meta.json b/content/docs/current/configuration/registries/alicr/meta.json
new file mode 100644
index 000000000..ba50cac1f
--- /dev/null
+++ b/content/docs/current/configuration/registries/alicr/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "ALICR",
+  "pages": ["index"]
+}
diff --git a/content/docs/current/configuration/registries/artifactory/meta.json b/content/docs/current/configuration/registries/artifactory/meta.json
new file mode 100644
index 000000000..a576383ac
--- /dev/null
+++ b/content/docs/current/configuration/registries/artifactory/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Artifactory",
+  "pages": ["index"]
+}
diff --git a/content/docs/current/configuration/registries/codeberg/meta.json b/content/docs/current/configuration/registries/codeberg/meta.json
new file mode 100644
index 000000000..ddb593e6b
--- /dev/null
+++ b/content/docs/current/configuration/registries/codeberg/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Codeberg",
+  "pages": ["index"]
+}
diff --git a/content/docs/current/configuration/registries/gar/meta.json b/content/docs/current/configuration/registries/gar/meta.json
new file mode 100644
index 000000000..b6c225166
--- /dev/null
+++ b/content/docs/current/configuration/registries/gar/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "GAR",
+  "pages": ["index"]
+}
diff --git a/content/docs/current/configuration/registries/harbor/meta.json b/content/docs/current/configuration/registries/harbor/meta.json
new file mode 100644
index 000000000..5adb592e8
--- /dev/null
+++ b/content/docs/current/configuration/registries/harbor/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Harbor",
+  "pages": ["index"]
+}
diff --git a/content/docs/current/configuration/registries/ibmcr/meta.json b/content/docs/current/configuration/registries/ibmcr/meta.json
new file mode 100644
index 000000000..572202425
--- /dev/null
+++ b/content/docs/current/configuration/registries/ibmcr/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "IBMCR",
+  "pages": ["index"]
+}
diff --git a/content/docs/current/configuration/registries/index.mdx b/content/docs/current/configuration/registries/index.mdx
index 0da40d646..f5eb7f44b 100644
--- a/content/docs/current/configuration/registries/index.mdx
+++ b/content/docs/current/configuration/registries/index.mdx
@@ -12,8 +12,8 @@ drydock supports 23 registries:
 - [**Artifactory** (JFrog Artifactory)](/docs/configuration/registries/artifactory)
 - [**Codeberg** (Codeberg Container Registry)](/docs/configuration/registries/codeberg)
 - [**CUSTOM** (Self-hosted Registry)](/docs/configuration/registries/custom)
-- [**DOCR** (DigitalOcean Container Registry)](/docs/configuration/registries/docr)
 - [**DHI** (Docker Hardened Images)](/docs/configuration/registries/dhi)
+- [**DOCR** (DigitalOcean Container Registry)](/docs/configuration/registries/docr)
 - [**ECR** (Amazon Elastic Container Registry)](/docs/configuration/registries/ecr)
 - [**FORGEJO** (Forgejo Container Registry)](/docs/configuration/registries/forgejo)
 - [**GAR** (Google Artifact Registry)](/docs/configuration/registries/gar)
@@ -32,4 +32,4 @@ drydock supports 23 registries:
 - [**TrueForge** (TrueForge OCI Registry)](/docs/configuration/registries/trueforge)
 
 <Callout type="info">By default, without any further configuration, drydock handles _out-of-the-box_ public images hosted on
-ALICR, Codeberg, DOCR, DHI, ECR (public.ecr.aws), GAR, GCR, GHCR, HUB, IBMCR, LSCR, MAU, OCIR, QUAY, TrueForge</Callout>
+ALICR, Codeberg, DHI, DOCR, ECR (public.ecr.aws), GAR, GCR, GHCR, HUB, IBMCR, LSCR, MAU, OCIR, QUAY, TrueForge</Callout>
diff --git a/content/docs/current/configuration/registries/meta.json b/content/docs/current/configuration/registries/meta.json
index 5f60280a7..6876c213b 100644
--- a/content/docs/current/configuration/registries/meta.json
+++ b/content/docs/current/configuration/registries/meta.json
@@ -7,8 +7,8 @@
     "artifactory",
     "codeberg",
     "custom",
-    "docr",
     "dhi",
+    "docr",
     "ecr",
     "forgejo",
     "gar",
@@ -23,7 +23,7 @@
     "mau",
     "nexus",
     "ocir",
-    "trueforge",
-    "quay"
+    "quay",
+    "trueforge"
   ]
 }
diff --git a/content/docs/current/configuration/registries/nexus/meta.json b/content/docs/current/configuration/registries/nexus/meta.json
new file mode 100644
index 000000000..a4964e905
--- /dev/null
+++ b/content/docs/current/configuration/registries/nexus/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Nexus",
+  "pages": ["index"]
+}
diff --git a/content/docs/current/configuration/registries/ocir/meta.json b/content/docs/current/configuration/registries/ocir/meta.json
new file mode 100644
index 000000000..4fe0bdd0e
--- /dev/null
+++ b/content/docs/current/configuration/registries/ocir/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "OCIR",
+  "pages": ["index"]
+}
diff --git a/content/docs/current/configuration/rollback/index.mdx b/content/docs/current/configuration/rollback/index.mdx
index 991cee336..3904e471e 100644
--- a/content/docs/current/configuration/rollback/index.mdx
+++ b/content/docs/current/configuration/rollback/index.mdx
@@ -27,7 +27,7 @@ The number of backups retained per container is configurable via a trigger envir
 Rollback is available in two ways:
 
 - **UI** -- on the container detail page, select a previous backup and click **Rollback**.
-- **API** -- send a `POST` request to `/api/containers/:id/rollback`, where `:id` is the container ID.
+- **API** -- send a `POST` request to `/api/v1/containers/:id/rollback`, where `:id` is the container ID.
 
 Rollback uses a stop-remove-recreate strategy: drydock stops the current container, removes it, and creates a new container with the original name using the backup image.
 
@@ -37,10 +37,12 @@ You can optionally pass a `backupId` in the request body to target a specific ba
 
 ```bash
 # Roll back to the most recent backup
-curl -X POST http://localhost:3000/api/containers/my-container-id/rollback
+curl -X POST http://localhost:3000/api/v1/containers/my-container-id/rollback \
+  -H 'X-DD-Confirm-Action: container-rollback'
 
 # Roll back to a specific backup
-curl -X POST http://localhost:3000/api/containers/my-container-id/rollback \
+curl -X POST http://localhost:3000/api/v1/containers/my-container-id/rollback \
+  -H 'X-DD-Confirm-Action: container-rollback' \
   -H "Content-Type: application/json" \
   -d '{"backupId": "abc123"}'
 ```
diff --git a/content/docs/current/configuration/security/index.mdx b/content/docs/current/configuration/security/index.mdx
index 69040832a..d3650ea8e 100644
--- a/content/docs/current/configuration/security/index.mdx
+++ b/content/docs/current/configuration/security/index.mdx
@@ -129,7 +129,7 @@ services:
     environment:
       - DD_SECURITY_SCANNER=trivy
       - DD_SECURITY_VERIFY_SIGNATURES=true
-      - DD_SECURITY_COSIGN_IDENTITY=https://github.com/CodesWhat/drydock/.github/workflows/release.yml@refs/tags/*
+      - DD_SECURITY_COSIGN_IDENTITY=https://github.com/CodesWhat/drydock/.github/workflows/release-from-tag.yml@refs/tags/*
       - DD_SECURITY_COSIGN_ISSUER=https://token.actions.githubusercontent.com
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
@@ -156,7 +156,7 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock
 ```
 
-<Callout type="info">SBOM documents are retrievable per-container via `GET /api/containers/:id/sbom?format=\{format\}` where `format` is one of `spdx-json` or `cyclonedx-json`.</Callout>
+<Callout type="info">SBOM documents are retrievable per-container via `GET /api/v1/containers/:id/sbom?format=\{format\}` where `format` is one of `spdx-json` or `cyclonedx-json`.</Callout>
 
 ## Scheduled scanning
 
@@ -185,13 +185,13 @@ services:
 You can trigger a security scan for any individual container without waiting for the next watch cycle or scheduled scan.
 
 - **UI:** Click the shield button on a container row to start a scan.
-- **API:** `POST /api/containers/:id/scan` runs vulnerability scanning, signature verification (if configured), and SBOM generation (if configured) on demand.
+- **API:** `POST /api/v1/containers/:id/scan` runs vulnerability scanning, signature verification (if configured), and SBOM generation (if configured) on demand.
 
 The endpoint is rate-limited to 30 requests per minute. Real-time progress is broadcast via SSE events `dd:scan-started` and `dd:scan-completed` so the UI updates automatically.
 
 ## Dual-slot scanning
 
-When a container has an available update, clicking **Scan Now** (or calling `POST /api/containers/:id/scan`) scans both the current running image and the available update image in a single operation.
+When a container has an available update, clicking **Scan Now** (or calling `POST /api/v1/containers/:id/scan`) scans both the current running image and the available update image in a single operation.
 
 - Results for the current image are stored in `container.security.scan`
 - Results for the update image are stored in `container.security.updateScan`
@@ -216,7 +216,7 @@ services:
       - DD_SECURITY_BLOCK_SEVERITY=CRITICAL,HIGH
       - DD_SECURITY_TRIVY_SERVER=http://trivy:4954
       - DD_SECURITY_VERIFY_SIGNATURES=true
-      - DD_SECURITY_COSIGN_IDENTITY=https://github.com/CodesWhat/drydock/.github/workflows/release.yml@refs/tags/*
+      - DD_SECURITY_COSIGN_IDENTITY=https://github.com/CodesWhat/drydock/.github/workflows/release-from-tag.yml@refs/tags/*
       - DD_SECURITY_COSIGN_ISSUER=https://token.actions.githubusercontent.com
       - DD_SECURITY_SBOM_ENABLED=true
       - DD_SECURITY_SBOM_FORMATS=spdx-json,cyclonedx-json
diff --git a/content/docs/current/configuration/self-update/index.mdx b/content/docs/current/configuration/self-update/index.mdx
index 7b455bf11..0f2aa0e0b 100644
--- a/content/docs/current/configuration/self-update/index.mdx
+++ b/content/docs/current/configuration/self-update/index.mdx
@@ -46,9 +46,9 @@ If any step fails, drydock attempts to restore the previous state:
 
 When the self-update begins, the server needs to ensure that connected browsers have received the update notification and displayed the overlay before the container is replaced. This is handled by an ack flow:
 
-1. Each SSE client receives a `clientId` and `clientToken` when it connects to the `/api/events/ui` endpoint (via a `dd:connected` event).
+1. Each SSE client receives a `clientId` and `clientToken` when it connects to the `/api/v1/events/ui` endpoint (via a `dd:connected` event).
 2. When the `dd:self-update` event is broadcast, the server records which client tokens were connected at that moment.
-3. Browsers acknowledge the event by sending `POST /api/events/ui/self-update/:operationId/ack` with their `clientId` and `clientToken`.
+3. Browsers acknowledge the event by sending `POST /api/v1/events/ui/self-update/:operationId/ack` with their `clientId` and `clientToken`.
 4. Once at least one acknowledgment is received (or the timeout expires), the update proceeds.
 
 The ack timeout defaults to 3 seconds. If no browsers are connected, the update proceeds immediately without waiting.
diff --git a/content/docs/current/configuration/server/index.mdx b/content/docs/current/configuration/server/index.mdx
index f84498e30..72acc04d7 100644
--- a/content/docs/current/configuration/server/index.mdx
+++ b/content/docs/current/configuration/server/index.mdx
@@ -27,6 +27,7 @@ You can adjust the server configuration with the following environment variables
 | `DD_SERVER_FEATURE_CONTAINERACTIONS` | ⚪ | Enable start, stop, restart, and update actions via API and UI | `true`, `false` | `true` |
 | `DD_SERVER_FEATURE_DELETE` | ⚪ | If deleting operations are enabled through API & UI | `true`, `false` | `true` |
 | `DD_SERVER_METRICS_AUTH` | ⚪ | Require authentication on `/metrics` endpoint | `true`, `false` | `true` |
+| `DD_SERVER_METRICS_TOKEN` | ⚪ | Bearer token for `/metrics` Prometheus scraping (takes priority over session auth when set) | String (minimum 16 characters) | |
 | `DD_SESSION_SECRET` | ⚪ | Override the auto-generated session secret for cookie signing | Any string | auto-generated |
 | `DD_SERVER_COOKIE_SAMESITE` | ⚪ | Session cookie SameSite policy for auth flows (`none` requires HTTPS) | `strict`, `lax`, `none` | `lax` |
 | `DD_SERVER_SESSION_MAXCONCURRENTSESSIONS` | ⚪ | Maximum concurrent authenticated sessions per user (oldest sessions are revoked first at login when limit is reached) | integer (`>=1`) | `5` |
@@ -47,7 +48,9 @@ For production deployments, set an explicit trusted origin:
 
 ## Container Healthcheck
 
-The official Docker image includes a built-in `HEALTHCHECK` that polls the `/health` endpoint. When `DD_SERVER_TLS_ENABLED=true`, the healthcheck automatically switches to HTTPS (with `--insecure` for self-signed certificates). No additional configuration is needed.
+The official Docker image includes a built-in `HEALTHCHECK` that polls the `/health` endpoint using a lightweight static binary. When `DD_SERVER_TLS_ENABLED=true`, the healthcheck automatically switches to HTTPS (with `--insecure` for self-signed certificates). No additional configuration is needed — remove any custom `healthcheck:` blocks from your compose file.
+
+<Callout type="warn">**Deprecated:** Custom `curl`-based healthcheck overrides (e.g. `test: curl --fail http://localhost:3000/health`) are deprecated. `curl` will be removed from the image in v1.6.0. Use the built-in probe or switch to `/bin/healthcheck ${DD_SERVER_PORT:-3000}` for custom intervals.</Callout>
 
 ## Plain HTTP Deployments
 
diff --git a/content/docs/current/configuration/triggers/command/index.mdx b/content/docs/current/configuration/triggers/command/index.mdx
index a331c1c13..9dd294585 100644
--- a/content/docs/current/configuration/triggers/command/index.mdx
+++ b/content/docs/current/configuration/triggers/command/index.mdx
@@ -131,7 +131,7 @@ services:
 <Tab value="Docker (Bash Script)">
 ```bash
 docker run \
-  -e DD_TRIGGER_COMMAND_LOCAL_CMD=DD_TRIGGER_COMMAND_LOCAL_CMD=bash -c /drydock/trigger.sh \
+  -e DD_TRIGGER_COMMAND_LOCAL_CMD="bash -c /drydock/trigger.sh" \
   -v ${PWD}/drydock/trigger.sh:/drydock/trigger.sh
   ...
   codeswhat/drydock
diff --git a/content/docs/current/configuration/triggers/docker-compose/index.mdx b/content/docs/current/configuration/triggers/docker-compose/index.mdx
index 2f3a9865f..08c195c50 100644
--- a/content/docs/current/configuration/triggers/docker-compose/index.mdx
+++ b/content/docs/current/configuration/triggers/docker-compose/index.mdx
@@ -91,6 +91,32 @@ Before lifecycle execution, Drydock checks the running container image against t
 
 When `COMPOSEFILEONCE=true` and multiple services in the same compose stack/file require runtime refresh, Drydock performs one runtime refresh per unique service and skips repeated refreshes for subsequent containers sharing the same service in that batch.
 
+## Inherited Docker Trigger Features
+
+The Docker Compose trigger extends the [Docker trigger](/docs/configuration/triggers/docker) and inherits the following features:
+
+### Lifecycle Hooks
+
+Container lifecycle hooks (`dd.hook.pre`, `dd.hook.post`, `dd.hook.pre.abort`, `dd.hook.timeout`) work identically to the Docker trigger. Hooks execute before and after each container update in the batch. See [Docker trigger — Lifecycle Hooks](/docs/configuration/triggers/docker#lifecycle-hooks) for full details.
+
+<Callout type="warn">Hook labels are ignored unless `DD_HOOKS_ENABLED=true` is set on the Drydock container.</Callout>
+
+### Auto-Rollback
+
+Auto-rollback labels (`dd.rollback.auto`, `dd.rollback.window`, `dd.rollback.interval`) are supported. When a container becomes unhealthy after a compose-based update, Drydock automatically rolls back to the previous image. See [Docker trigger — Auto-Rollback](/docs/configuration/triggers/docker#auto-rollback).
+
+### Image Backup & Rollback
+
+Image backups are retained per container (controlled by the `BACKUPCOUNT` variable). You can roll back to any retained backup via the API. See [Docker trigger — Image Backup & Rollback](/docs/configuration/triggers/docker#image-backup--rollback).
+
+### Security Gate (Update Bouncer)
+
+When [Update Bouncer](/docs/configuration/security) is configured, candidate images are scanned for vulnerabilities before the compose update proceeds. If blocking issues are found, the update is aborted and a `security-alert` notification is sent.
+
+### Self-Update
+
+The Docker Compose trigger supports self-updates — when Drydock detects that its own container has an available update, it performs the same safe self-replacement sequence described in [Docker trigger — Self-Update](/docs/configuration/triggers/docker#self-update), with the additional step of updating the compose file first.
+
 ## Multi-file compose chains
 
 When a container was started with multiple compose files (e.g. `docker-compose.yml` + `docker-compose.override.yml`), Drydock detects the full file chain from the `com.docker.compose.project.config_files` label.
diff --git a/content/docs/current/configuration/triggers/docker/index.mdx b/content/docs/current/configuration/triggers/docker/index.mdx
index 6d2f2ed3c..569d75218 100644
--- a/content/docs/current/configuration/triggers/docker/index.mdx
+++ b/content/docs/current/configuration/triggers/docker/index.mdx
@@ -39,6 +39,10 @@ If Drydock restarts while an update is in progress, it automatically reconciles
 
 This trigger also supports the [common configuration variables](/docs/configuration/triggers/#common-trigger-configuration). It picks up the Docker configuration from the [configured Docker watchers](/docs/configuration/watchers) so it can handle updates on Local **and** Remote Docker hosts.
 
+<Callout type="info">**Opt-in by default:** The Docker trigger defaults to `AUTO=oninclude`, meaning it only updates containers that explicitly opt in with a `dd.action.include` label (e.g., `dd.action.include=docker`). To auto-update all watched containers, set `DD_TRIGGER_DOCKER_{trigger_name}_AUTO=true`.</Callout>
+
+<Callout type="warn">**Agent mode:** When using [distributed agents](/docs/configuration/agents), each agent needs its own Docker trigger configured (e.g., `DD_TRIGGER_DOCKER_LOCAL_PRUNE=true`). The `{trigger_name}` segment is required — `DD_TRIGGER_DOCKER_PRUNE=true` without a name is invalid and will not create a working trigger. The controller does **not** need Docker triggers for remote agents; agent triggers are discovered automatically during the handshake.</Callout>
+
 ## Image Backup & Rollback
 
 Every time a container is updated, Drydock automatically backs up the previous image metadata. Backups are retained per container up to the `BACKUPCOUNT` limit (default: 3), with older backups pruned automatically.
@@ -46,7 +50,7 @@ Every time a container is updated, Drydock automatically backs up the previous i
 You can roll back to any retained backup via the API:
 
 ```text
-POST /api/containers/{id}/rollback
+POST /api/v1/containers/{id}/rollback
 ```
 
 Optionally pass a specific backup ID in the request body:
@@ -100,6 +104,14 @@ A non-zero exit code or timeout is treated as failure. When `dd.hook.pre.abort`
 
 Lifecycle hooks are **not** executed during self-updates. When hook labels are present, Drydock records `hook-configured` in the audit log before execution, then `hook-pre-*` / `hook-post-*` based on outcomes.
 
+## Compose File Sync
+
+When the Docker trigger updates a container that was originally started via Docker Compose, Drydock automatically patches the image tag in the compose file so that subsequent `docker compose up` commands do not revert the update. The compose file path is resolved from the `com.docker.compose.project.config_files` label that Docker Compose sets on every container it creates.
+
+This is a best-effort operation — if the compose file is not writable or cannot be resolved, the container update still succeeds and a warning is logged.
+
+<Callout type="info">If you manage compose-based containers with the [Docker Compose trigger](/docs/configuration/triggers/docker-compose) instead, that trigger handles compose file updates natively and this sync is not needed.</Callout>
+
 ## Self-Update
 
 Drydock can update itself. When it detects that its own container has an available update, it performs a safe self-replacement sequence:
diff --git a/content/docs/current/configuration/triggers/google-chat/meta.json b/content/docs/current/configuration/triggers/google-chat/meta.json
new file mode 100644
index 000000000..d5cc4a4a2
--- /dev/null
+++ b/content/docs/current/configuration/triggers/google-chat/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Google Chat",
+  "pages": ["index"]
+}
diff --git a/content/docs/current/configuration/triggers/gotify/index.mdx b/content/docs/current/configuration/triggers/gotify/index.mdx
index 02c38f7e2..ea8ad42af 100644
--- a/content/docs/current/configuration/triggers/gotify/index.mdx
+++ b/content/docs/current/configuration/triggers/gotify/index.mdx
@@ -20,6 +20,8 @@ The `gotify` trigger lets you send container update notifications via [Gotify](h
 
 <Callout type="info">This trigger also supports the [common configuration variables](/docs/configuration/triggers/#common-trigger-configuration).</Callout>
 
+<Callout type="info">Gotify supports `RESOLVENOTIFICATIONS=true`. When enabled, Gotify notification messages are automatically deleted after the container is successfully updated.</Callout>
+
 ## Examples
 
 ### Create an app on Gotify
diff --git a/content/docs/current/configuration/triggers/http/index.mdx b/content/docs/current/configuration/triggers/http/index.mdx
index dea38ec1f..9609efed1 100644
--- a/content/docs/current/configuration/triggers/http/index.mdx
+++ b/content/docs/current/configuration/triggers/http/index.mdx
@@ -53,7 +53,7 @@ docker run \
 </Tab>
 </Tabs>
 
-#### Example of payload (POST request)
+#### Example of payload (POST request, simple mode)
 
 ```json
 {
@@ -85,3 +85,14 @@ docker run \
   "updateAvailable": true
 }
 ```
+
+#### Batch mode payload
+
+When `MODE=batch`, the POST body is an array of all containers with available updates:
+
+```json
+[
+  { "id": "...", "name": "app1", "image": { ... }, "result": { "tag": "2.0.0" }, "updateAvailable": true },
+  { "id": "...", "name": "app2", "image": { ... }, "result": { "tag": "3.1.0" }, "updateAvailable": true }
+]
+```
diff --git a/content/docs/current/configuration/triggers/ifttt/index.mdx b/content/docs/current/configuration/triggers/ifttt/index.mdx
index 046d2bfe8..de5317909 100644
--- a/content/docs/current/configuration/triggers/ifttt/index.mdx
+++ b/content/docs/current/configuration/triggers/ifttt/index.mdx
@@ -21,6 +21,8 @@ The `ifttt` trigger lets you send container update notifications to Ifttt via th
 
 ## Ifttt ingredients
 
+### Simple mode
+
 On Webhook call, Ifttt captures the following ingredients:
 
 - eventName
@@ -29,6 +31,10 @@ On Webhook call, Ifttt captures the following ingredients:
 - value2 (the new version)
 - value3 (the image notification JSON message)
 
+### Batch mode
+
+When `MODE=batch`, the webhook sends only `value1` containing the full JSON array of all containers with available updates. `value2` and `value3` are not sent in batch mode.
+
 ## Examples
 
 ### Configuration
diff --git a/content/docs/current/configuration/triggers/index.mdx b/content/docs/current/configuration/triggers/index.mdx
index 21fad0545..a8e8a0624 100644
--- a/content/docs/current/configuration/triggers/index.mdx
+++ b/content/docs/current/configuration/triggers/index.mdx
@@ -7,16 +7,33 @@ import { Callout } from 'fumadocs-ui/components/callout';
 import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
 
 Triggers are responsible for performing actions when a new container version is found.
-  
+
 Triggers are enabled using environment variables.
 
 ```bash
-DD_TRIGGER_{{ trigger_type }}_{{trigger_name }}_{{ trigger_configuration_item }}=XXX
+DD_ACTION_{{ trigger_type }}_{{ trigger_name }}_{{ trigger_configuration_item }}=XXX
+DD_NOTIFICATION_{{ trigger_type }}_{{ trigger_name }}_{{ trigger_configuration_item }}=XXX
 ```
 
 <Callout type="warn">Multiple triggers of the same type can be configured (for example multiple Smtp addresses).
 You just need to give them different names.</Callout>
 
+## Environment variable prefixes
+
+Three prefixes are supported for trigger configuration:
+
+| Prefix | Status | Example |
+| --- | --- | --- |
+| `DD_ACTION_*` | **Current** | `DD_ACTION_SLACK_MYSLACK_URL=https://...` |
+| `DD_NOTIFICATION_*` | **Current** | `DD_NOTIFICATION_SMTP_GMAIL_HOST=smtp.gmail.com` |
+| `DD_TRIGGER_*` | **Deprecated** (removal in v1.7.0) | `DD_TRIGGER_SLACK_MYSLACK_URL=https://...` |
+
+All three prefixes are interchangeable -- they configure the same triggers. Use whichever reads best for your use case: `DD_ACTION_*` for update-action triggers (Docker, Docker Compose) and `DD_NOTIFICATION_*` for messaging triggers (Slack, SMTP, Discord, etc.), or use either for any trigger type.
+
+When the same trigger property is set under multiple prefixes, the merge priority is `DD_NOTIFICATION_*` > `DD_ACTION_*` > `DD_TRIGGER_*` (highest wins).
+
+<Callout type="info">A built-in migration CLI can rewrite your config files from `DD_TRIGGER_*` to `DD_ACTION_*` automatically: `drydock config migrate --source trigger`. Use `--dry-run` to preview changes before applying.</Callout>
+
 ## Available triggers
 
 **Update actions:**
@@ -47,13 +64,14 @@ You just need to give them different names.</Callout>
 
 ## Common trigger configuration
 
-All implemented triggers, in addition to their specific configuration, also support the following common configuration variables.
+All implemented triggers, in addition to their specific configuration, also support the following common configuration variables. The table uses the `DD_TRIGGER_*` prefix for brevity, but `DD_ACTION_*` and `DD_NOTIFICATION_*` work identically (see [Environment variable prefixes](#environment-variable-prefixes) above).
 
 | Env var | Required | Description | Supported values | Default value when missing |
 | --------------------------------------------------------- | :--------------: | ----------------------------------------------------------------------------------------------- | ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `DD_TRIGGER_{trigger_type}_{trigger_name}_AUTO` | ⚪ | `true` to automatically execute the trigger. `false` to manually execute it (from UI, API...) | `true`, `false` | `true` |
+| `DD_TRIGGER_{trigger_type}_{trigger_name}_AUTO` | ⚪ | Controls automatic execution. `true` — auto-execute for all watched containers. `oninclude` — auto-execute only for containers with an explicit `dd.action.include` or `dd.notification.include` label. `false` — manual only (from UI, API...) | `true`, `false`, `oninclude` | `oninclude` for action triggers (docker, dockercompose, command); `true` for notification triggers |
 | `DD_TRIGGER_{trigger_type}_{trigger_name}_BATCHTITLE` | ⚪ | The template to use to render the title of the notification (batch mode) | String template with placeholders `${count}` | `${containers.length} updates available` |
-| `DD_TRIGGER_{trigger_type}_{trigger_name}_MODE` | ⚪ | Trigger for each container update or trigger once with all available updates as a list | `simple`, `batch` | `simple` |
+| `DD_TRIGGER_{trigger_type}_{trigger_name}_MODE` | ⚪ | Trigger for each container update, trigger once with all available updates as a list, or accumulate updates and send on a schedule | `simple`, `batch`, `digest` | `simple` |
+| `DD_TRIGGER_{trigger_type}_{trigger_name}_DIGESTCRON` | ⚪ | Cron schedule for digest mode flush (only used when `MODE=digest`) | Cron expression | `0 8 * * *` |
 | `DD_TRIGGER_{trigger_type}_{trigger_name}_ONCE` | ⚪ | Run trigger once (do not repeat previous results) | `true`, `false` | `true` |
 | `DD_TRIGGER_{trigger_type}_{trigger_name}_ORDER` | ⚪ | Trigger execution order (lower runs first) | Number | `100` |
 | `DD_TRIGGER_{trigger_type}_{trigger_name}_SIMPLEBODY` | ⚪ | The template to use to render the body of the notification | JS string template with vars `container` | `Container ${container.name} running with ${container.updateKind.kind} ${container.updateKind.localValue} can be updated to ${container.updateKind.kind} ${container.updateKind.remoteValue}${container.result && container.result.link ? "\\n" + container.result.link : ""}` |
@@ -83,6 +101,7 @@ Any threshold can be suffixed with `-no-digest` to exclude digest-only updates (
 - Triggers are executed by ascending `ORDER`; when two triggers have the same `ORDER`, they are sorted by trigger id.
 - Triggers sharing the same trigger name (e.g. `docker.update` and `discord.update`) can share `THRESHOLD`; if exactly one threshold value is defined among them, that value is used for the others unless they override it explicitly.
 - Setting `ONCE=false` with `MODE=batch` gives a report with all pending updates on every run.
+- `MODE=digest` accumulates update events in an in-memory buffer and flushes them as a single batch notification on the `DIGESTCRON` schedule. If the same container has multiple updates within the window, only the latest is included. Containers that are updated before the digest fires are automatically evicted from the buffer. Useful for daily email digests: `DD_TRIGGER_SMTP_GMAIL_MODE=digest` + `DD_TRIGGER_SMTP_GMAIL_DIGESTCRON=0 8 * * *`.
 
 ## Notification Rules
 
@@ -102,7 +121,7 @@ Notification rules control which events fire which triggers. Each rule correspon
 - **`update-applied`**, **`update-failed`**, **`security-alert`** -- these require explicit trigger assignments. They are enabled by default but will not fire any trigger until you add trigger IDs to their rules.
 - **`agent-disconnect`** -- disabled by default. Enable it and assign triggers to receive disconnect alerts. This event always fires regardless of the threshold setting.
 
-Rules are managed via `GET /api/notifications` and `PATCH /api/notifications/:id` (update `enabled` and/or `triggers` fields), or through the **Notifications** view in the UI.
+Rules are managed via `GET /api/v1/notifications` and `PATCH /api/v1/notifications/:id` (update `enabled` and/or `triggers` fields), or through the **Notifications** view in the UI.
 
 <Callout type="warn">Docker and Docker Compose triggers cannot be assigned to notification rules. These are update-action triggers (they perform container updates), not notification triggers. Only messaging/alerting triggers (Slack, SMTP, Discord, ntfy, etc.) can be assigned to rules.</Callout>
 
diff --git a/content/docs/current/configuration/triggers/kafka/index.mdx b/content/docs/current/configuration/triggers/kafka/index.mdx
index f18679773..0493b66f5 100644
--- a/content/docs/current/configuration/triggers/kafka/index.mdx
+++ b/content/docs/current/configuration/triggers/kafka/index.mdx
@@ -63,7 +63,7 @@ docker run \
 </Tab>
 </Tabs>
 
-### Example of published record
+### Example of published record (simple mode)
 
 ```json
 {
@@ -95,3 +95,7 @@ docker run \
   "updateAvailable": true
 }
 ```
+
+### Batch mode
+
+When `MODE=batch`, each container in the batch is sent as a separate Kafka message in a single `send()` call. The message key is the container name and the value is the JSON-serialized container object.
diff --git a/content/docs/current/configuration/triggers/matrix/meta.json b/content/docs/current/configuration/triggers/matrix/meta.json
new file mode 100644
index 000000000..227ab71ea
--- /dev/null
+++ b/content/docs/current/configuration/triggers/matrix/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Matrix",
+  "pages": ["index"]
+}
diff --git a/content/docs/current/configuration/triggers/mqtt/index.mdx b/content/docs/current/configuration/triggers/mqtt/index.mdx
index 0d7b663c0..aa8100865 100644
--- a/content/docs/current/configuration/triggers/mqtt/index.mdx
+++ b/content/docs/current/configuration/triggers/mqtt/index.mdx
@@ -20,7 +20,7 @@ The `mqtt` trigger lets you send container update notifications to an MQTT broke
 | `DD_TRIGGER_MQTT_{trigger_name}_CLIENTID` | ⚪ | The Mqtt client Id to use | | `dd_$random` |
 | `DD_TRIGGER_MQTT_{trigger_name}_TOPIC` | ⚪ | The base topic where the updates are published to | | `dd/container` |
 | `DD_TRIGGER_MQTT_{trigger_name}_HASS_ENABLED` | ⚪ | Enable [Home-assistant](https://www.home-assistant.io/) integration and deliver additional topics | `true`, `false` | `false` |
-| `DD_TRIGGER_MQTT_{trigger_name}_HASS_DISCOVERY` | ⚪ | Enable [Home-assistant](https://www.home-assistant.io/) integration including discovery | `true`, `false` | `false` |
+| `DD_TRIGGER_MQTT_{trigger_name}_HASS_DISCOVERY` | ⚪ | Enable [Home-assistant](https://www.home-assistant.io/) integration including discovery. When omitted, defaults to the value of `HASS_ENABLED`. | `true`, `false` | Same as `HASS_ENABLED` |
 | `DD_TRIGGER_MQTT_{trigger_name}_HASS_PREFIX` | ⚪ | Base topic for hass entity discovery | | `homeassistant` |
 | `DD_TRIGGER_MQTT_{trigger_name}_HASS_ATTRIBUTES` | ⚪ | Attribute preset controlling which container fields are included in MQTT payloads. `full` sends everything; `short` excludes large fields like SBOM documents, scan vulnerabilities, details, and labels. | `full`, `short` | `short` |
 | `DD_TRIGGER_MQTT_{trigger_name}_HASS_FILTER_INCLUDE` | ⚪ | Comma-separated list of flattened MQTT attribute keys to keep (include-mode). When set, only these keys are published. | Comma-separated flattened keys | |
diff --git a/content/docs/current/configuration/triggers/pushover/index.mdx b/content/docs/current/configuration/triggers/pushover/index.mdx
index 9ac711fbf..036c70950 100644
--- a/content/docs/current/configuration/triggers/pushover/index.mdx
+++ b/content/docs/current/configuration/triggers/pushover/index.mdx
@@ -75,6 +75,8 @@ services:
         - DD_TRIGGER_PUSHOVER_1_PRIORITY=2
         - DD_TRIGGER_PUSHOVER_1_EXPIRE=600
         - DD_TRIGGER_PUSHOVER_1_RETRY=60
+        - DD_TRIGGER_PUSHOVER_1_HTML=1
+        - DD_TRIGGER_PUSHOVER_1_TTL=3600
 ```
 
 </Tab>
@@ -88,6 +90,8 @@ docker run \
     -e DD_TRIGGER_PUSHOVER_1_PRIORITY="2" \
     -e DD_TRIGGER_PUSHOVER_1_EXPIRE="600" \
     -e DD_TRIGGER_PUSHOVER_1_RETRY="60" \
+    -e DD_TRIGGER_PUSHOVER_1_HTML="1" \
+    -e DD_TRIGGER_PUSHOVER_1_TTL="3600" \
   ...
   codeswhat/drydock
 ```
diff --git a/content/docs/current/configuration/triggers/smtp/index.mdx b/content/docs/current/configuration/triggers/smtp/index.mdx
index f6363ec9a..c92d9674f 100644
--- a/content/docs/current/configuration/triggers/smtp/index.mdx
+++ b/content/docs/current/configuration/triggers/smtp/index.mdx
@@ -22,7 +22,7 @@ The `smtp` trigger lets you send emails with smtp.
 | `DD_TRIGGER_SMTP_{trigger_name}_TLS_VERIFY` | ⚪ | Verify server TLS certificate | `true`, `false` | `true` |
 | `DD_TRIGGER_SMTP_{trigger_name}_ALLOWCUSTOMTLD` | ⚪ | Allow custom tlds for the email addresses | `true`, `false` | `false` |
 
-<Callout type="info">This trigger also supports the [common configuration variables](/docs/configuration/triggers/#common-trigger-configuration).</Callout>
+<Callout type="info">This trigger also supports the [common configuration variables](/docs/configuration/triggers/#common-trigger-configuration). In `batch` or `digest` mode, the email subject and body are rendered using the `BATCHTITLE` and common batch template variables.</Callout>
 
 ## Examples
 
diff --git a/content/docs/current/configuration/triggers/teams/meta.json b/content/docs/current/configuration/triggers/teams/meta.json
new file mode 100644
index 000000000..01146f950
--- /dev/null
+++ b/content/docs/current/configuration/triggers/teams/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Teams",
+  "pages": ["index"]
+}
diff --git a/content/docs/current/configuration/triggers/telegram/index.mdx b/content/docs/current/configuration/triggers/telegram/index.mdx
index 8535bd7b5..4d848f2be 100644
--- a/content/docs/current/configuration/triggers/telegram/index.mdx
+++ b/content/docs/current/configuration/triggers/telegram/index.mdx
@@ -17,7 +17,7 @@ The `telegram` trigger lets you send realtime notifications using [Telegram](htt
 | `DD_TRIGGER_TELEGRAM_{trigger_name}_BOTTOKEN` | 🔴 | The Bot token | | |
 | `DD_TRIGGER_TELEGRAM_{trigger_name}_CHATID` | 🔴 | The Chat ID | | |
 | `DD_TRIGGER_TELEGRAM_{trigger_name}_DISABLETITLE` | ⚪ | Disable title to have full control over the message formatting | `true`, `false` | `false` |
-| `DD_TRIGGER_TELEGRAM_{trigger_name}_MESSAGEFORMAT` | ⚪ | Send the message as markdown or as html (useful for custom message formatting) | `Markdown`, `HTML` | `Markdown` |
+| `DD_TRIGGER_TELEGRAM_{trigger_name}_MESSAGEFORMAT` | ⚪ | Send the message as markdown or as html (useful for custom message formatting). `Markdown` uses Telegram's [MarkdownV2](https://core.telegram.org/bots/api#markdownv2-style) parse mode, which requires escaping special characters. Case-insensitive. | `Markdown`, `HTML` | `Markdown` |
 
 <Callout type="info">This trigger also supports the [common configuration variables](/docs/configuration/triggers/#common-trigger-configuration).</Callout>
 
diff --git a/content/docs/current/configuration/ui/index.mdx b/content/docs/current/configuration/ui/index.mdx
index 9df2e2456..a00d0d869 100644
--- a/content/docs/current/configuration/ui/index.mdx
+++ b/content/docs/current/configuration/ui/index.mdx
@@ -68,7 +68,7 @@ Type a prefix character to filter results:
 | Prefix | Scope | Includes |
 | --- | --- | --- |
 | `/` | Pages | Pages and settings navigation |
-| `@` | Runtime | Agents, triggers, watchers |
+| `@` | Runtime | Containers, agents, triggers, watchers |
 | `#` | Config | Registries, auth providers, notification rules |
 
 Use arrow keys to navigate results, **Enter** to select, and **Escape** to close. Recent search history is persisted across sessions.
@@ -89,9 +89,7 @@ Select a preset in **Config > Appearance**. The choice is persisted in localStor
 
 ## Dashboard
 
-The dashboard displays 4 stat cards: **Containers**, **Updates**, **Security**, and **Registries**. Cards are drag-reorderable and the layout is persisted in localStorage.
-
-Update and security stats are color-coded based on severity ratio.
+The dashboard is a customizable grid of 9 widgets — 4 stat cards and 5 detail widgets — with drag-to-reorder, resize, and per-widget visibility controls. See the dedicated [Dashboard guide](/docs/configuration/dashboard) for full details on widgets, edit mode, responsive breakpoints, and real-time updates.
 
 ## View Modes
 
diff --git a/content/docs/current/configuration/watchers/index.mdx b/content/docs/current/configuration/watchers/index.mdx
index 58c20f790..a527ff8d9 100644
--- a/content/docs/current/configuration/watchers/index.mdx
+++ b/content/docs/current/configuration/watchers/index.mdx
@@ -44,21 +44,20 @@ The `docker` watcher lets you configure the Docker hosts you want to watch.
 
 **Notes:**
 
-- If no watcher is configured, a default one named `local` will be automatically created (reading the Docker socket).
+- If no watcher is configured, a default one named `local` will be automatically created (reading the Docker socket). To suppress this default watcher (e.g. when running as a controller-only node for remote agents), set `DD_LOCAL_WATCHER=false`.
 - Multiple watchers can be configured (if you have multiple Docker hosts to watch). Just give them different names.
 - Socket configuration and host/port configuration are mutually exclusive.
 - When `MAINTENANCE_WINDOW` is configured and a check is skipped outside the allowed schedule, drydock queues one pending check and runs it automatically when the next maintenance window opens.
 - Legacy compatibility: `wud.*` labels are still accepted as fallback to `dd.*`. When a fallback is used, drydock emits a one-time warning for that key and increments `dd_legacy_input_total{source="label",key="<legacy_key>"}`. To rewrite configs in place, run `node dist/index.js config migrate --dry-run` then `node dist/index.js config migrate --file <path>`.
 - If watcher logger initialization fails, drydock automatically falls back to structured stderr JSON logs and increments `dd_watcher_logger_init_failures_total{type,name}`. Alert on non-zero increases to catch degraded logging early.
 
-<Callout type="warn">When using socket configuration, mount the Docker socket on your drydock container. When using host/port configuration, enable the [Docker remote API](https://docs.docker.com/reference/cli/dockerd/). If the remote API is secured with TLS, mount and configure the [TLS certificates](https://docs.docker.com/engine/security/protect-access/#use-tls-https-to-protect-the-docker-daemon-socket).</Callout>
+<Callout type="warn">
+**Before you start — important watcher caveats:**
 
-<Callout type="warn">Remote watcher auth (`AUTH_*`) is fail-closed by default and requires HTTPS (`PROTOCOL=https`) or TLS certificate-based connections. Set `AUTH_INSECURE=true` only if you intentionally need legacy fail-open behavior.</Callout>
-
-<Callout type="warn">Watching image digests causes an extensive usage of _Docker Registry Pull API_ which is restricted by [**Quotas on the Docker Hub**](https://docs.docker.com/docker-hub/usage/).
-By default, drydock enables it only for **non semver** image tags.
-You can tune this behavior per container using the `dd.watch.digest` label.
-If you face [quota related errors](https://docs.docker.com/docker-hub/usage/#how-do-i-know-my-pull-requests-are-being-limited), consider slowing down the watcher rate by adjusting the `DD_WATCHER_{watcher_name}_CRON` variable.</Callout>
+- **Socket vs remote API** — When using socket configuration, mount the Docker socket on your drydock container. When using host/port configuration, enable the [Docker remote API](https://docs.docker.com/reference/cli/dockerd/). If the remote API is secured with TLS, mount and configure the [TLS certificates](https://docs.docker.com/engine/security/protect-access/#use-tls-https-to-protect-the-docker-daemon-socket).
+- **Remote auth is fail-closed** — Remote watcher auth (`AUTH_*`) requires HTTPS (`PROTOCOL=https`) or TLS certificate-based connections by default. Set `AUTH_INSECURE=true` only if you intentionally need legacy fail-open behavior.
+- **Digest watching and Hub quotas** — Watching image digests causes extensive usage of the _Docker Registry Pull API_, which is restricted by [**Quotas on the Docker Hub**](https://docs.docker.com/docker-hub/usage/). By default, drydock enables it only for **non semver** image tags. You can tune this behavior per container using the `dd.watch.digest` label. If you face [quota related errors](https://docs.docker.com/docker-hub/usage/#how-do-i-know-my-pull-requests-are-being-limited), consider slowing down the watcher rate by adjusting the `DD_WATCHER_{watcher_name}_CRON` variable.
+</Callout>
 
 ## Variable examples
 
@@ -204,8 +203,8 @@ services:
         - DD_WATCHER_MYREMOTEHOST_KEYFILE=/certs/key.pem
     volumes:
         - /my-host/my-certs/ca.pem:/certs/ca.pem:ro
-        - /my-host/my-certs/ca.pem:/certs/cert.pem:ro
-        - /my-host/my-certs/ca.pem:/certs/key.pem:ro
+        - /my-host/my-certs/cert.pem:/certs/cert.pem:ro
+        - /my-host/my-certs/key.pem:/certs/key.pem:ro
 ```
 
 </Tab>
@@ -218,8 +217,8 @@ docker run \
     -e DD_WATCHER_MYREMOTEHOST_CERTFILE="/certs/cert.pem" \
     -e DD_WATCHER_MYREMOTEHOST_KEYFILE="/certs/key.pem" \
     -v /my-host/my-certs/ca.pem:/certs/ca.pem:ro \
-    -v /my-host/my-certs/ca.pem:/certs/cert.pem:ro \
-    -v /my-host/my-certs/ca.pem:/certs/key.pem:ro \
+    -v /my-host/my-certs/cert.pem:/certs/cert.pem:ro \
+    -v /my-host/my-certs/key.pem:/certs/key.pem:ro \
   ...
   codeswhat/drydock
 ```
@@ -228,6 +227,33 @@ docker run \
 
 <Callout type="warn">Don't forget to mount the certificates into the container!</Callout>
 
+### Connecting via SSH
+
+Drydock does not currently support the `ssh://` protocol for remote Docker connections. The `PROTOCOL` variable only accepts `http` or `https`.
+
+If your remote Docker host is only reachable over SSH, you can use an **SSH tunnel** to forward the remote Docker socket to a local TCP port or Unix socket, then point Drydock at that forwarded endpoint:
+
+```bash
+# Forward the remote Docker socket to a local TCP port
+ssh -nNT -L 2375:/var/run/docker.sock user@remote-host
+```
+
+Then configure Drydock to connect to the forwarded port:
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_WATCHER_MYREMOTEHOST_HOST=host.docker.internal
+      - DD_WATCHER_MYREMOTEHOST_PORT=2375
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+```
+
+<Callout type="info">For production SSH tunneling, consider using [autossh](https://www.harding.motd.ca/autossh/) to automatically restart the tunnel if the connection drops.</Callout>
+
 ## Docker Socket Security
 
 Drydock needs to communicate with the Docker Engine API to monitor containers and (optionally) perform updates. By default this means mounting the Docker socket — which grants broad access to the host. This section covers all available approaches to secure that access, from the recommended socket proxy to remote TLS connections.
@@ -248,6 +274,8 @@ A socket proxy runs as a separate container with access to the Docker socket and
 
 This is the **recommended approach** for all deployments. It provides a strict security boundary with minimal setup.
 
+<Callout type="info">Running Drydock with Podman? See [Podman Quick Start](#podman-quick-start) for rootless/rootful socket paths and proxy setup details.</Callout>
+
 ```yaml
 services:
   drydock:
@@ -442,6 +470,129 @@ Understanding exactly what Drydock accesses helps you configure socket proxies a
 
 If you only need monitoring (no auto-updates), a read-only socket proxy configuration is sufficient.
 
+### Podman Quick Start
+
+Podman works with Drydock through Podman's Docker-compatible API socket.
+
+<Callout type="info">Podman compatibility is supported in current releases. Drydock negotiates against the daemon API version and is most reliable with direct socket mounts.</Callout>
+
+<Callout type="info">Background and user reports: [GitHub issue #152](https://github.com/CodesWhat/drydock/issues/152).</Callout>
+
+#### Socket path mapping (`podman.sock` vs `docker.sock`)
+
+Use Podman's host socket path, but mount it inside the Drydock container at `/var/run/docker.sock` so existing Drydock defaults still work.
+
+| Runtime mode | Host socket path | Path inside Drydock container | Drydock watcher variable |
+| --- | --- | --- | --- |
+| Docker | `/var/run/docker.sock` | `/var/run/docker.sock` | `DD_WATCHER_LOCAL_SOCKET=/var/run/docker.sock` |
+| Podman rootful | `/run/podman/podman.sock` | `/var/run/docker.sock` | `DD_WATCHER_LOCAL_SOCKET=/var/run/docker.sock` |
+| Podman rootless | `/run/user/<uid>/podman/podman.sock` | `/var/run/docker.sock` | `DD_WATCHER_LOCAL_SOCKET=/var/run/docker.sock` |
+
+#### Rootful vs rootless setup
+
+- **Rootful Podman socket:** `sudo systemctl enable --now podman.socket`
+- **Rootless Podman socket:** `systemctl --user enable --now podman.socket`
+
+<Callout type="warn">
+**Choosing rootful vs rootless:**
+
+- **Rootless is recommended** for production because it runs the entire container stack without root privileges. Use rootful only when you need privileged ports (&lt;1024) or specific kernel features.
+- **Rootless requires lingering sessions** — You **must** run `loginctl enable-linger <user>` so the user systemd instance (and all rootless containers) survives logout. Without it, Podman containers stop when the user session ends.
+</Callout>
+
+<Tabs items={["Podman Rootful (Direct Socket)", "Podman Rootless (Direct Socket)", "Podman + Socket Proxy"]}>
+<Tab value="Podman Rootful (Direct Socket)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    volumes:
+      - /run/podman/podman.sock:/var/run/docker.sock
+    environment:
+      - DD_WATCHER_LOCAL_SOCKET=/var/run/docker.sock
+      - DD_TRIGGER_DOCKER_LOCAL_AUTO=false
+    ports:
+      - 3000:3000
+```
+
+</Tab>
+<Tab value="Podman Rootless (Direct Socket)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    volumes:
+      - ${XDG_RUNTIME_DIR}/podman/podman.sock:/var/run/docker.sock
+    environment:
+      - DD_WATCHER_LOCAL_SOCKET=/var/run/docker.sock
+      - DD_TRIGGER_DOCKER_LOCAL_AUTO=false
+    ports:
+      - 3000:3000
+```
+
+</Tab>
+<Tab value="Podman + Socket Proxy">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    depends_on:
+      socket-proxy:
+        condition: service_healthy
+    environment:
+      - DD_WATCHER_LOCAL_HOST=socket-proxy
+      - DD_WATCHER_LOCAL_PORT=2375
+      - DD_TRIGGER_DOCKER_LOCAL_AUTO=false
+    ports:
+      - 3000:3000
+
+  socket-proxy:
+    image: tecnativa/docker-socket-proxy
+    environment:
+      - SOCKET_PATH=/run/podman/podman.sock
+      - CONTAINERS=1
+      - IMAGES=1
+      - EVENTS=1
+      - SERVICES=1
+      - POST=1
+      - NETWORKS=1
+    volumes:
+      - /run/podman/podman.sock:/run/podman/podman.sock
+    healthcheck:
+      test: wget --spider http://localhost:2375/version || exit 1
+      interval: 5s
+      timeout: 3s
+      retries: 3
+      start_period: 5s
+```
+
+</Tab>
+</Tabs>
+
+<Callout type="warn">
+**Podman socket proxy notes:**
+
+- **Rootless proxy path** — For rootless Podman with socket proxy, set `SOCKET_PATH=${XDG_RUNTIME_DIR}/podman/podman.sock` and mount the same host path into the proxy container.
+- **503 errors** — Some users have reported intermittent `503` errors when using `tecnativa/docker-socket-proxy` with Podman ([tecnativa/docker-socket-proxy#66](https://github.com/Tecnativa/docker-socket-proxy/issues/66)). If you experience this, prefer direct socket mount over the proxy — the direct mount examples above are the most reliable option with Podman.
+- **Docker Compose trigger compatibility** — The Docker Compose trigger (`DD_TRIGGER_DOCKERCOMPOSE_*`) works with Podman — it inherits the socket connection from your watcher configuration. No additional Podman-specific trigger settings are needed.
+</Callout>
+
+#### Known limitations and tested versions
+
+| Topic | Status |
+| --- | --- |
+| Tested Podman version | `5.6.0` on Rocky Linux `9.7` (issue [#152](https://github.com/CodesWhat/drydock/issues/152)) |
+| API version handling | Drydock probes daemon compatibility and pins client API behavior for Podman/Docker socket endpoints |
+| CI coverage | No dedicated Podman CI matrix yet |
+| Rootless networking | Can differ from Docker bridge behavior; see [Podman FAQ](/docs/faq#podman-rootless-networking-limitations) |
+| SELinux (RHEL/Rocky/Fedora) | Socket mounts need `:Z` flag; see [SELinux FAQ](/docs/faq#selinux-blocks-podman-socket-access-permission-denied) |
+| `podman-compose` networking | Pod-based networking breaks service-name DNS; use `podman compose` instead; see [FAQ](/docs/faq#podman-compose-vs-podman-compose-networking) |
+
+For common Podman troubleshooting, see [FAQ Podman entries](/docs/faq#selinux-blocks-podman-socket-access-permission-denied).
+
 ### Watch 1 local Docker host and 2 remote docker hosts at the same time
 
 <Tabs items={["Docker Compose (Multiple Hosts)", "Docker (Multiple Hosts)"]}>
@@ -561,14 +712,24 @@ To fine-tune the behaviour of drydock _per container_, you can add labels on the
 | `dd.tag.include` | ⚪ | Regex to include specific tags only | Valid JavaScript Regex | |
 | `dd.tag.transform` | ⚪ | Transform function to apply to the tag | `$valid_regex => $valid_string_with_placeholders` (see below) | |
 | `dd.tag.family` | ⚪ | Tag family policy for semver updates | `strict` (default) or `loose` | `strict` |
-| `dd.trigger.exclude` | ⚪ | Optional list of triggers to exclude | `$trigger_1_id_or_name,$trigger_2_id_or_name:$threshold` | |
-| `dd.trigger.include` | ⚪ | Optional list of triggers to include | `$trigger_1_id_or_name,$trigger_2_id_or_name:$threshold` | |
+| `dd.action.exclude` | ⚪ | Exclude specific action triggers from automatic execution for this container | `$trigger_1_id_or_name,$trigger_2_id_or_name:$threshold` | |
+| `dd.action.include` | ⚪ | Only allow specific action triggers to automatically execute for this container | `$trigger_1_id_or_name,$trigger_2_id_or_name:$threshold` | |
+| `dd.notification.exclude` | ⚪ | Exclude specific notification triggers from this container | `$trigger_1_id_or_name,$trigger_2_id_or_name:$threshold` | |
+| `dd.notification.include` | ⚪ | Only allow specific notification triggers for this container | `$trigger_1_id_or_name,$trigger_2_id_or_name:$threshold` | |
+| `dd.trigger.exclude` | ⚪ | **Deprecated** — use `dd.action.exclude` or `dd.notification.exclude` instead | `$trigger_1_id_or_name,$trigger_2_id_or_name:$threshold` | |
+| `dd.trigger.include` | ⚪ | **Deprecated** — use `dd.action.include` or `dd.notification.include` instead | `$trigger_1_id_or_name,$trigger_2_id_or_name:$threshold` | |
 | `dd.watch.digest` | ⚪ | Watch this container digest | Valid Boolean | `false` |
 | `dd.watch` | ⚪ | Explicitly include or exclude this container from monitoring (overrides `WATCHBYDEFAULT`) | Valid Boolean | Inherits from `WATCHBYDEFAULT` (`true` by default) |
 | `dd.compose.file` | ⚪ | Path to the docker-compose.yml file for compose-native updates (also configurable via trigger `COMPOSEFILELABEL`) | file path | |
+| `dd.source.repo` | ⚪ | Source repository override for release-notes lookup (e.g. `owner/repo`) | Valid `owner/repo` string | |
 | `dd.webhook.enabled` | ⚪ | Allow or block [webhook API](/docs/configuration/webhooks) calls targeting this container | `true`, `false` | `true` |
-| `dd.updatePolicy.maturityMode` | ⚪ | Update maturity policy — `all` allows any update, `mature` blocks updates detected less than `maturityMinAgeDays` ago | `all`, `mature` | `all` |
-| `dd.updatePolicy.maturityMinAgeDays` | ⚪ | Minimum age in days before an update is considered mature (only applies when `maturityMode` is `mature`) | integer (`>=1`) | `7` |
+| `dd.hook.pre` | ⚪ | Shell command to run before a container update | Valid shell command | |
+| `dd.hook.post` | ⚪ | Shell command to run after a container update | Valid shell command | |
+| `dd.hook.pre.abort` | ⚪ | Abort the update if the pre-hook exits non-zero | Valid Boolean | `true` |
+| `dd.hook.timeout` | ⚪ | Timeout in milliseconds for hook execution | integer | `60000` |
+| `dd.rollback.auto` | ⚪ | Automatically rollback the container if the health check fails after an update | Valid Boolean | `false` |
+| `dd.rollback.window` | ⚪ | Health monitoring window in milliseconds after an update (how long to watch for failures) | integer | `300000` |
+| `dd.rollback.interval` | ⚪ | Health polling interval in milliseconds during the rollback window | integer | `10000` |
 | `dd.runtime.entrypoint.origin` | ⚪ | Tracks whether the container's entrypoint was explicitly set or inherited from the image. Used during updates to decide whether to preserve the current entrypoint or let the new image defaults apply. | `explicit`, `inherited`, `unknown` | auto-detected |
 | `dd.runtime.cmd.origin` | ⚪ | Tracks whether the container's cmd was explicitly set or inherited from the image. Used during updates to decide whether to preserve the current cmd or let the new image defaults apply. | `explicit`, `inherited`, `unknown` | auto-detected |
 
@@ -576,6 +737,12 @@ To fine-tune the behaviour of drydock _per container_, you can add labels on the
 
 <Callout type="warn">`dd.inspect.tag.path` is optional and opt-in. Use it only when your image metadata tracks the running app version reliably; some images set unrelated values. Also note that legacy alias `dd.registry.lookup.url` is still accepted for compatibility, but prefer `dd.registry.lookup.image`.</Callout>
 
+<Callout type="info">**`dd.action.include` / `dd.notification.include` (and their `.exclude` counterparts) control automatic trigger dispatch.** These labels filter which triggers fire automatically when an update is detected (e.g., route notifications to specific Slack channels or restrict which docker trigger auto-updates this container). They match against the trigger **name** (e.g., `alerts`) or **full ID** (e.g., `smtp.alerts`). Manual updates from the UI use [agent-based matching](/docs/configuration/agents) instead — the update is routed to the agent that discovered the container. The legacy `dd.trigger.include` / `dd.trigger.exclude` labels still work but are deprecated — see [Deprecation Schedule](/docs/deprecations#ddtriggerinclude--ddtriggerexclude-container-labels).</Callout>
+
+<Callout type="info">**Update hooks** (`dd.hook.pre` / `dd.hook.post`) let you run arbitrary shell commands before and after a container update. If `dd.hook.pre.abort` is `true` (the default) and the pre-hook exits non-zero, the update is cancelled. Use `dd.hook.timeout` to control how long the hook is allowed to run before being killed.</Callout>
+
+<Callout type="info">**Automatic rollback** (`dd.rollback.auto`) monitors the container's health check after an update. If the health check fails within the `dd.rollback.window` (default 5 minutes, polled every `dd.rollback.interval` = 10 seconds), drydock automatically rolls the container back to its previous image.</Callout>
+
 ## Label examples
 
 ### Include specific containers to watch
@@ -895,19 +1062,20 @@ services:
   my_important_service:
     image: my_important_service:1.0.0
     labels:
-      - dd.trigger.include=smtp.gmail,dockercompose.local:minor
+      - dd.notification.include=smtp.gmail
+      - dd.action.include=dockercompose.local:minor
 ```
 
 </Tab>
 <Tab value="Docker (Trigger Include)">
 ```bash
-docker run -d --name my_important_service --label 'dd.trigger.include=smtp.gmail,dockercompose.local:minor' my_important_service:1.0.0
+docker run -d --name my_important_service --label 'dd.notification.include=smtp.gmail' --label 'dd.action.include=dockercompose.local:minor' my_important_service:1.0.0
 ```
 </Tab>
 </Tabs>
 
-- `dd.trigger.include=smtp.gmail` is a shorthand for `dd.trigger.include=smtp.gmail:all`
-- `dd.trigger.include=update` (or `dd.trigger.exclude=update`) targets all triggers named `update`, for example `docker.update` and `discord.update`
+- `dd.notification.include=smtp.gmail` is a shorthand for `dd.notification.include=smtp.gmail:all`
+- `dd.action.include=update` (or `dd.action.exclude=update`) targets all triggers named `update`, for example `docker.update` and `dockercompose.update`
 
 **Threshold values:**
 
@@ -941,4 +1109,33 @@ The container model includes additional fields useful for understanding update s
 
 ## Docker Event Stream
 
-The watcher monitors Docker events (container create, destroy, start, stop, etc.) in real time. If the event stream disconnects, drydock automatically reconnects with exponential backoff starting at 1 second and capping at 30 seconds.
+The watcher monitors Docker events (container create, destroy, start, stop, etc.) in real time. If the event stream disconnects, Drydock automatically reconnects with exponential backoff starting at 1 second and capping at 30 seconds.
+
+When using third-party socket proxies, periodic reconnects are expected: many proxies close idle long-lived HTTP connections after their configured timeout. In logs this appears as:
+
+`Docker event stream error (aborted); reconnect attempt #1 in 1000ms`
+
+followed by:
+
+`Listening to docker events`
+
+The first reconnect attempt is logged at **info** level since it is expected behavior (proxy timeout or network blip). If the first attempt fails and subsequent reconnects are needed, those are logged at **warn** level to flag a potential real problem.
+
+### Event gap during reconnect
+
+Container lifecycle events (create, start, stop, destroy) that occur during the brief reconnect window are not captured until the next scheduled poll cycle. The reconnect window is typically ~1 second under normal conditions. In practice this is rarely noticeable because the next cron poll will pick up the current container state, but it means Drydock does not guarantee zero missed events across a reconnect.
+
+A future release will wire the reconnect path to request events from the last-seen timestamp, closing this gap entirely.
+
+### Native socket proxy (roadmap)
+
+The root cause of proxy-timeout reconnects is that Drydock cannot control idle timeout behavior on third-party proxies. A purpose-built Drydock socket proxy is planned (see [roadmap](/docs/roadmap)) that will exempt event stream connections from idle timeouts, eliminating the reconnect cycle entirely.
+
+### Reduce proxy-timeout reconnect churn
+
+Until the native proxy ships, you can reduce reconnect noise:
+
+1. Increase your proxy idle timeout (for example, linuxserver socket-proxy `TIMEOUT=86400s`).
+2. Prefer direct socket mount when your environment allows it.
+3. If your proxy supports endpoint-specific behavior, exempt Docker `/events` streams from idle timeout.
+4. As a workaround, run a lightweight heartbeat container (e.g. `alpine:latest` with `command: sh -c "sleep 300"` and `restart: always`) to keep the proxy connection path active.
diff --git a/content/docs/current/configuration/webhooks/index.mdx b/content/docs/current/configuration/webhooks/index.mdx
index 4381fdf67..62e78c180 100644
--- a/content/docs/current/configuration/webhooks/index.mdx
+++ b/content/docs/current/configuration/webhooks/index.mdx
@@ -16,9 +16,10 @@ The webhook API lets external systems trigger container watches and updates. Thi
 | --- | :---: | --- | --- | --- |
 | `DD_SERVER_WEBHOOK_ENABLED` | ⚪ | Enable webhook endpoints | `true`, `false` | `false` |
 | `DD_SERVER_WEBHOOK_TOKEN` | ⚪ | Shared Bearer token used by all webhook endpoints (fallback token) | Any string | — |
-| `DD_SERVER_WEBHOOK_TOKENS_WATCHALL` | ⚪ | Endpoint-specific token for `POST /api/webhook/watch` | Any string | — |
-| `DD_SERVER_WEBHOOK_TOKENS_WATCH` | ⚪ | Endpoint-specific token for `POST /api/webhook/watch/:containerName` | Any string | — |
-| `DD_SERVER_WEBHOOK_TOKENS_UPDATE` | ⚪ | Endpoint-specific token for `POST /api/webhook/update/:containerName` | Any string | — |
+| `DD_SERVER_WEBHOOK_TOKENS_WATCHALL` | ⚪ | Endpoint-specific token for `POST /api/v1/webhook/watch` | Any string | — |
+| `DD_SERVER_WEBHOOK_TOKENS_WATCH` | ⚪ | Endpoint-specific token for `POST /api/v1/webhook/watch/:containerName` | Any string | — |
+| `DD_SERVER_WEBHOOK_TOKENS_UPDATE` | ⚪ | Endpoint-specific token for `POST /api/v1/webhook/update/:containerName` | Any string | — |
+| `DD_SERVER_WEBHOOK_SECRET` | ⚪ | HMAC signing secret for verifying registry webhook signatures. Required when receiving push notifications from container registries. | Any string | — |
 
 <Callout type="warn">Webhooks are disabled by default. Set `DD_SERVER_WEBHOOK_ENABLED=true` and provide at least one webhook token (`DD_SERVER_WEBHOOK_TOKEN` or any `DD_SERVER_WEBHOOK_TOKENS_*` value). Requests to endpoints without a configured token are rejected.</Callout>
 
@@ -26,9 +27,10 @@ The webhook API lets external systems trigger container watches and updates. Thi
 
 | Method | Endpoint | Description |
 | --- | --- | --- |
-| `POST` | `/api/webhook/watch` | Trigger a watch cycle on all watchers |
-| `POST` | `/api/webhook/watch/:containerName` | Watch a specific container by name |
-| `POST` | `/api/webhook/update/:containerName` | Trigger an update on a specific container |
+| `POST` | `/api/v1/webhook/watch` | Trigger a watch cycle on all watchers |
+| `POST` | `/api/v1/webhook/watch/:containerName` | Watch a specific container by name |
+| `POST` | `/api/v1/webhook/update/:containerName` | Trigger an update on a specific container |
+| `POST` | `/api/v1/webhooks/registry` | Receive signed registry push events and trigger targeted checks |
 
 ## Authentication
 
@@ -43,13 +45,18 @@ Token selection rules:
 - If an endpoint-specific token (`DD_SERVER_WEBHOOK_TOKENS_*`) is set for that endpoint, it is required.
 - Otherwise, drydock falls back to `DD_SERVER_WEBHOOK_TOKEN`.
 
+<Callout type="info">`/api/v1/webhooks/registry` uses HMAC signature validation (not Bearer token auth). Supported signature headers include `x-registry-signature`, `x-hub-signature-256`, `x-quay-signature`, `x-harbor-signature`, `x-ms-signature`, and `x-drydock-signature`.</Callout>
+
 ## Rate limiting
 
-Webhook endpoints are rate-limited to **30 requests per 15-minute window** per client IP.
+Webhook endpoints are rate-limited per client IP:
+
+- `POST /api/v1/webhook/*`: **30 requests per 15-minute window**
+- `POST /api/v1/webhooks/registry`: **60 requests per 15-minute window**
 
 ## Per-container opt-out
 
-Individual containers can be excluded from webhook API calls using the `dd.webhook.enabled` label. When set to `false`, the `/api/webhook/watch/:containerName` and `/api/webhook/update/:containerName` endpoints return **403 Forbidden** for that container.
+Individual containers can be excluded from webhook API calls using the `dd.webhook.enabled` label. When set to `false`, the `/api/v1/webhook/watch/:containerName` and `/api/v1/webhook/update/:containerName` endpoints return **403 Forbidden** for that container.
 
 ```yaml
 services:
@@ -60,7 +67,7 @@ services:
       - dd.webhook.enabled=false  # blocks webhook watch/update for this container
 ```
 
-<Callout type="info">The `dd.webhook.enabled` label only affects per-container webhook endpoints. The global `POST /api/webhook/watch` endpoint (which triggers all watchers) is not affected.</Callout>
+<Callout type="info">The `dd.webhook.enabled` label only affects per-container webhook endpoints. The global `POST /api/v1/webhook/watch` endpoint (which triggers all watchers) and `POST /api/v1/webhooks/registry` are not affected.</Callout>
 
 <Callout type="info">Containers without this label default to `dd.webhook.enabled=true` — webhooks are allowed unless explicitly disabled.</Callout>
 
@@ -73,24 +80,33 @@ All webhook calls are recorded in the [audit trail](/docs/monitoring) with actio
 ### Watch all containers
 
 ```bash
-curl -X POST https://drydock.example.com/api/webhook/watch \
+curl -X POST https://drydock.example.com/api/v1/webhook/watch \
   -H "Authorization: Bearer your-token-here"
 ```
 
 ### Watch a specific container
 
 ```bash
-curl -X POST https://drydock.example.com/api/webhook/watch/myapp \
+curl -X POST https://drydock.example.com/api/v1/webhook/watch/myapp \
   -H "Authorization: Bearer your-token-here"
 ```
 
 ### Update a specific container
 
 ```bash
-curl -X POST https://drydock.example.com/api/webhook/update/myapp \
+curl -X POST https://drydock.example.com/api/v1/webhook/update/myapp \
   -H "Authorization: Bearer your-token-here"
 ```
 
+### Registry push webhook (signed)
+
+```bash
+curl -X POST https://drydock.example.com/api/v1/webhooks/registry \
+  -H "Content-Type: application/json" \
+  -H "x-registry-signature: sha256=<hmac-of-raw-body>" \
+  -d '{"events":[{"action":"push"}]}'
+```
+
 ## CI/CD integration
 
 ### GitHub Actions
@@ -98,7 +114,7 @@ curl -X POST https://drydock.example.com/api/webhook/update/myapp \
 ```yaml
 - name: Notify drydock
   run: |
-    curl -X POST https://drydock.example.com/api/webhook/watch/myapp \
+    curl -X POST https://drydock.example.com/api/v1/webhook/watch/myapp \
       -H "Authorization: Bearer ${{ secrets.DRYDOCK_WEBHOOK_TOKEN }}"
 ```
 
@@ -108,8 +124,8 @@ curl -X POST https://drydock.example.com/api/webhook/update/myapp \
 notify_drydock:
   stage: deploy
   script:
-    - curl -X POST https://drydock.example.com/api/webhook/watch/myapp
-        -H "Authorization: Bearer $DRYDOCK_WEBHOOK_TOKEN"
+    - curl -X POST https://drydock.example.com/api/v1/webhook/watch/myapp \
+      -H "Authorization: Bearer $DRYDOCK_WEBHOOK_TOKEN"
 ```
 
 ## Docker Compose example
diff --git a/content/docs/current/deprecations/index.mdx b/content/docs/current/deprecations/index.mdx
new file mode 100644
index 000000000..c3c31d7d2
--- /dev/null
+++ b/content/docs/current/deprecations/index.mdx
@@ -0,0 +1,176 @@
+---
+title: "Deprecation Schedule"
+description: "Features scheduled for removal in upcoming drydock releases, with migration guidance."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+
+This page lists every deprecated feature, the version it will be removed in, and how to migrate. Deprecated features continue to work until their removal version but emit warnings at startup or in the UI.
+
+<Callout type="warn">Features listed under a removal version will **stop working** in that release. Migrate before upgrading.</Callout>
+
+## Removal in v1.6.0
+
+### Unversioned API paths (`/api/*`)
+
+The unversioned `/api/*` path is a backward-compatible alias for `/api/v1/*`. Both return identical responses.
+
+| | |
+| --- | --- |
+| **Deprecated since** | v1.4.0 |
+| **Detection** | Startup log warning; UI deprecation banner when legacy API paths are detected |
+| **Migration** | Replace `/api/` with `/api/v1/` in all integrations |
+
+### Implicit wildcard CORS origin
+
+When `DD_SERVER_CORS_ENABLED=true` and `DD_SERVER_CORS_ORIGIN` is not set, drydock defaults to `*` (all origins). This implicit wildcard is deprecated.
+
+| | |
+| --- | --- |
+| **Deprecated since** | v1.4.0 |
+| **Detection** | Startup log warning when CORS is enabled without an explicit origin |
+| **Migration** | Set `DD_SERVER_CORS_ORIGIN` to your trusted origin(s), e.g. `DD_SERVER_CORS_ORIGIN=https://drydock.example.com` |
+
+### Legacy `WUD_*` environment variables
+
+`WUD_*` prefixed environment variables (from the upstream WUD project) are accepted as fallbacks for their `DD_*` equivalents.
+
+| | |
+| --- | --- |
+| **Deprecated since** | v1.4.0 |
+| **Detection** | Startup console warning; Prometheus counter `dd_legacy_input_total{source="env"}`; UI deprecation banner |
+| **Migration** | Rename all `WUD_*` vars to `DD_*`. Run `drydock config migrate --dry-run` to preview changes |
+
+### Legacy `wud.*` container labels
+
+`wud.*` prefixed Docker labels are accepted as fallbacks for their `dd.*` equivalents (20 labels total including `wud.watch`, `wud.tag.include`, `wud.tag.exclude`, etc.).
+
+| | |
+| --- | --- |
+| **Deprecated since** | v1.4.0 |
+| **Detection** | Per-label log warning on container init; Prometheus counter `dd_legacy_input_total{source="label"}`; UI deprecation banner |
+| **Migration** | Rename all `wud.*` labels to `dd.*` in your compose files. Run `drydock config migrate --file /path/to/compose.yml` |
+
+### Legacy template variable aliases
+
+Simple template variables (`id`, `name`, `watcher`, `kind`, `semver`, `local`, `remote`, `link`) and batch variable `count` resolve to single container properties.
+
+| | |
+| --- | --- |
+| **Deprecated since** | v1.4.0 |
+| **Detection** | Log warning when `${variable}` syntax is used in trigger templates |
+| **Migration** | Replace with `container.*` equivalents: `id` &rarr; `container.id`, `name` &rarr; `container.name`, `count` &rarr; `containers.length`, etc. See [Trigger templates](/docs/configuration/triggers#template-variables) |
+
+### `PUT /api/settings`
+
+The `PUT` method on `/api/settings` is a compatibility alias for `PATCH`. Responses include `Deprecation` and `Sunset` HTTP headers.
+
+| | |
+| --- | --- |
+| **Deprecated since** | v1.4.0 |
+| **Detection** | Log warning on each `PUT` request; `Deprecation` and `Sunset` response headers |
+| **Migration** | Change `PUT /api/settings` to `PATCH /api/settings` |
+
+### HTTP OIDC discovery URLs
+
+OIDC providers configured with `http://` discovery URLs are deprecated. Identity Providers must support HTTPS.
+
+| | |
+| --- | --- |
+| **Deprecated since** | v1.4.0 |
+| **Detection** | Startup log warning; UI deprecation banner |
+| **Migration** | Update your IdP discovery URL to use `https://`. If your IdP uses a self-signed certificate, set `DD_AUTH_OIDC_{name}_INSECURE=true` |
+
+### Legacy password hash formats
+
+SHA-1, APR1/MD5 (Apache), crypt, and plain text password hashes from v1.3.9 are deprecated.
+
+| | |
+| --- | --- |
+| **Deprecated since** | v1.4.0 |
+| **Detection** | Startup log warning; UI deprecation banner |
+| **Migration** | Regenerate your password hash with argon2id. See [Basic authentication](/docs/configuration/authentications/basic) |
+
+### Kafka `clientId` configuration key
+
+The camelCase `clientId` key in Kafka trigger configuration is deprecated.
+
+| | |
+| --- | --- |
+| **Deprecated since** | v1.4.5 |
+| **Detection** | Startup log warning |
+| **Migration** | Rename `clientId` to `clientid` (lowercase) in your Kafka trigger configuration |
+
+### `DD_WATCHER_*_WATCHDIGEST` environment variable
+
+Per-watcher digest watching via environment variable is deprecated.
+
+| | |
+| --- | --- |
+| **Deprecated since** | v1.4.0 |
+| **Detection** | Startup log warning |
+| **Migration** | Use the `dd.watch.digest=true` label on individual containers instead |
+
+### `DD_WATCHER_*_WATCHATSTART` environment variable
+
+This variable is a no-op — watching at startup has been the default since v1.3.
+
+| | |
+| --- | --- |
+| **Deprecated since** | v1.4.0 |
+| **Detection** | Startup log warning |
+| **Migration** | Remove the variable from your configuration |
+
+### `curl` in Docker image
+
+The official Docker image previously included `curl` for custom healthcheck overrides. The built-in `HEALTHCHECK` now uses a lightweight static binary (`/bin/healthcheck`).
+
+| | |
+| --- | --- |
+| **Deprecated since** | v1.5.0 |
+| **Detection** | Not runtime-detectable (Docker executes healthchecks outside the application) |
+| **Migration** | Remove custom `healthcheck:` blocks from your drydock compose service — the image handles it automatically. If you need custom intervals, use `test: /bin/healthcheck ${DD_SERVER_PORT:-3000}`. See [Monitoring](/docs/monitoring) |
+
+### Registry `PUBLIC_TOKEN` configuration
+
+Token-based authentication for public registries has been replaced by password-based authentication for consistency.
+
+| | |
+| --- | --- |
+| **Deprecated since** | v1.4.0 |
+| **Detection** | Startup log warning when fallback to anonymous is triggered |
+| **Migration** | Replace `DD_REGISTRY_HUB_PUBLIC_TOKEN` with `DD_REGISTRY_HUB_PUBLIC_PASSWORD`. Replace `DD_REGISTRY_DHI_TOKEN` with `DD_REGISTRY_DHI_PASSWORD` |
+
+## Removal in v1.7.0
+
+### `DD_TRIGGER_*` environment variable prefix
+
+The `DD_TRIGGER_*` prefix is being replaced by semantic prefixes that distinguish action triggers from notification triggers.
+
+| | |
+| --- | --- |
+| **Deprecated since** | v1.5.0 |
+| **Detection** | Startup log warning; Prometheus counter `dd_legacy_input_total`; UI deprecation banner |
+| **Migration** | Rename `DD_TRIGGER_*` to `DD_ACTION_*` (for Docker/Compose/Command triggers) or `DD_NOTIFICATION_*` (for Slack/email/Pushover/etc.). Run `drydock config migrate --source trigger` to auto-rewrite. See [Triggers](/docs/configuration/triggers) |
+
+### `dd.trigger.include` / `dd.trigger.exclude` container labels
+
+These labels are being replaced by semantic equivalents.
+
+| | |
+| --- | --- |
+| **Deprecated since** | v1.5.0 |
+| **Detection** | Log warning during container initialization |
+| **Migration** | Replace `dd.trigger.include` with `dd.action.include` or `dd.notification.include`. Replace `dd.trigger.exclude` with `dd.action.exclude` or `dd.notification.exclude` |
+
+## Detection summary
+
+Drydock provides multiple channels for discovering deprecated feature usage:
+
+| Channel | Covers |
+| --- | --- |
+| **Startup log warnings** | All runtime-detectable deprecations |
+| **UI deprecation banners** | Legacy config, legacy API paths, OIDC HTTP, legacy password hashes |
+| **Prometheus counters** | `dd_legacy_input_total{source,key}` for env vars, labels, and API paths |
+| **HTTP response headers** | `Deprecation` and `Sunset` on `PUT /api/settings` |
+| **Migration CLI** | `drydock config migrate --dry-run` previews all env var and label renames |
diff --git a/content/docs/current/deprecations/meta.json b/content/docs/current/deprecations/meta.json
new file mode 100644
index 000000000..6ac1759d3
--- /dev/null
+++ b/content/docs/current/deprecations/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Deprecations",
+  "pages": ["index"]
+}
diff --git a/content/docs/current/faq/index.mdx b/content/docs/current/faq/index.mdx
index 5ae48d76d..5bfa0b91d 100644
--- a/content/docs/current/faq/index.mdx
+++ b/content/docs/current/faq/index.mdx
@@ -47,6 +47,106 @@ services:
 
 Drydock automatically retries with exponential backoff (1s → 30s max) and will recover once the proxy becomes available, but the health check prevents unnecessary retries during startup.
 
+## Docker event stream "aborted" reconnects every few minutes
+
+If you see periodic messages like:
+
+`Docker event stream error (aborted); reconnect attempt #1 in 1000ms`
+
+followed by:
+
+`Listening to docker events`
+
+this is commonly caused by proxy idle timeout, not a hard failure. Docker events use a long-lived stream, and third-party socket proxies often close idle streams after `TIMEOUT`.
+
+Common fixes:
+
+1. Increase proxy timeout (for example `TIMEOUT=86400s` on linuxserver socket-proxy).
+2. Prefer direct socket mount over proxy where possible.
+3. Use a proxy that supports exempting `/events` from idle timeout.
+4. Optional workaround: run a lightweight heartbeat container/job to reduce idle disconnects.
+
+<Callout type="info">A single reconnect that immediately recovers is expected in many proxy setups. Repeated reconnect failures (not recovering) indicate a real connectivity issue.</Callout>
+
+## SELinux blocks Podman socket access (Permission denied)
+
+On RHEL, Rocky Linux, Fedora, and CentOS with SELinux enforcing, you may see `permission denied` or `EACCES` when Drydock tries to connect to the Podman socket. This is caused by SELinux denying the container access to the host socket file.
+
+**Fix:** Add the `:Z` flag to your socket volume mount so SELinux relabels the socket for the container:
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    volumes:
+      - /run/podman/podman.sock:/var/run/docker.sock:Z
+```
+
+<Callout type="info">The `:Z` flag applies a private SELinux label, granting exclusive access to this container. If multiple containers need the same socket, use `:z` (lowercase) for a shared label instead. Check `ausearch -m avc -ts recent` to confirm SELinux denials are the cause.</Callout>
+
+## `podman-compose` vs `podman compose` networking
+
+If service-name DNS (e.g. `socket-proxy`) fails between containers, check which compose tool you are using:
+
+- **`podman-compose`** (third-party Python tool) groups containers into a single **pod** where all containers share `localhost`. Service names are not resolvable — containers communicate via `localhost:<port>` instead.
+- **`podman compose`** (Podman 4.0+ built-in) uses proper container networking with service-name DNS, matching Docker Compose behavior.
+
+**Recommendation:** Use `podman compose` (built-in, Podman 4.0+) or Docker Compose with the Podman socket for proper service-name DNS resolution. If you must use `podman-compose`, replace hostname references like `socket-proxy` with `localhost` and ensure port mappings are correct.
+
+## Podman socket proxy DNS resolution fails (ENOTFOUND)
+
+If you see `getaddrinfo ENOTFOUND socket-proxy` with Podman, this is usually service-name DNS, not an API compatibility problem.
+
+Checklist:
+
+1. Run `drydock` and `socket-proxy` on the same Compose network (same compose file is simplest).
+2. Keep `DD_WATCHER_LOCAL_HOST=socket-proxy` only when that hostname is resolvable from the drydock container.
+3. If running containers separately, use a resolvable hostname or IP instead of `socket-proxy`.
+
+See [Podman Quick Start](/docs/configuration/watchers#podman-quick-start) and [GitHub issue #152](https://github.com/CodesWhat/drydock/issues/152).
+
+## Podman rootless networking limitations
+
+Rootless Podman networking can behave differently from Docker bridge networking:
+
+- Service-name DNS works only inside the same rootless Podman network/project.
+- Port publishing uses user-mode networking, which may differ in latency and behavior from rootful bridge networking.
+- Host networking and cross-project name resolution are more limited than rootful setups.
+
+If socket-proxy hostname resolution is unstable in rootless mode, prefer:
+
+1. Running both services in one compose project/network.
+2. Or mounting the Podman socket directly and using `DD_WATCHER_LOCAL_SOCKET=/var/run/docker.sock`.
+
+Reference examples: [Podman Quick Start](/docs/configuration/watchers#podman-quick-start).
+
+## Podman `podman.sock` vs `docker.sock` path
+
+Use Podman's host socket path, then map it to `/var/run/docker.sock` inside Drydock.
+
+- Rootful Podman host path: `/run/podman/podman.sock`
+- Rootless Podman host path: `/run/user/<uid>/podman/podman.sock`
+- Inside Drydock: `/var/run/docker.sock` (mapped target)
+
+Then set:
+
+```yaml
+environment:
+  - DD_WATCHER_LOCAL_SOCKET=/var/run/docker.sock
+```
+
+See the full mapping table in [Podman Quick Start](/docs/configuration/watchers#podman-quick-start).
+
+## Podman trigger configuration differences
+
+There are no Podman-specific trigger variables in v1.5. Trigger setup is the same as Docker:
+
+- Add a Docker trigger (`DD_TRIGGER_DOCKER_{name}_AUTO=false` or `true`).
+- If using socket proxy, include `POST=1` and `NETWORKS=1` on the proxy.
+
+Without a Docker trigger, UI actions show `No docker trigger found for this container`.
+See [Socket proxy permissions](/docs/configuration/watchers#proxy-permissions-by-feature) for the required proxy env vars.
+
 ## CSRF validation failed (403) behind a reverse proxy
 
 If you see `403 {"error":"CSRF validation failed"}` when clicking buttons like **Recheck for updates**, **Scan**, or any action that sends a POST/PUT/DELETE request, your reverse proxy setup is missing the `DD_SERVER_TRUSTPROXY` configuration.
@@ -183,11 +283,11 @@ Drydock log behavior is controlled by environment variables:
 | Variable | Values | Default |
 | --- | --- | --- |
 | `DD_LOG_LEVEL` | `fatal`, `error`, `warn`, `info`, `debug`, `trace` | `info` |
-| `DD_LOG_FORMAT` | `text`, `json` | `json` |
+| `DD_LOG_FORMAT` | `text`, `json` | `text` |
 | `DD_LOG_BUFFER_ENABLED` | `true`, `false` | `true` |
 
-The official image defaults to `DD_LOG_FORMAT=json` for structured output suitable for log aggregators like Elasticsearch or Loki. Set `DD_LOG_FORMAT=text` if you prefer pretty logs.
-Set `DD_LOG_BUFFER_ENABLED=false` to disable the in-memory application log ring buffer used by `/api/log/entries` and the UI log viewer.
+The official image defaults to `DD_LOG_FORMAT=text` for pretty, human-readable logs. Set `DD_LOG_FORMAT=json` if you want structured output for log aggregators like Elasticsearch or Loki.
+Set `DD_LOG_BUFFER_ENABLED=false` to disable the in-memory application log ring buffer used by `/api/v1/log/entries` and the UI log viewer.
 See [Logs](/docs/configuration/logs) for examples.
 
 ## Trivy or Cosign not found errors
@@ -197,11 +297,19 @@ Since v1.4.0, drydock ships a **single image** that bundles both Trivy and Cosig
 Verify tool availability at runtime via the API:
 
 ```bash
-curl http://drydock:3000/api/server/security/runtime
+curl http://drydock:3000/api/v1/server/security/runtime
 ```
 
 If you build a custom image, ensure Trivy and Cosign are installed in your Dockerfile. See [Security](/docs/configuration/security) for scanning configuration.
 
+## Temporary container names during recreation (hex prefix aliases)
+
+When Docker recreates a container — for example via Portainer, Docker Compose `up --force-recreate`, or a Drydock Docker trigger — Docker temporarily renames the old container to a name like `fcdb966987a0_myapp` (a 12-character hex prefix matching the container ID, followed by an underscore and the original name). This alias is transient and disappears once the recreation completes.
+
+Drydock automatically detects and filters these temporary alias names. They will never appear in notifications, MQTT topics, the UI, or any trigger output. No configuration is needed — this is handled unconditionally.
+
+<Callout type="info">If you previously saw garbled container names in notifications during container updates, this was caused by the temporary alias leaking through. This is resolved as of v1.5.0.</Callout>
+
 ## Self-update leaves container stopped
 
 Drydock updates itself using a **helper container pattern**: it renames the old container, creates a new one with the updated image, then spawns a short-lived helper container that stops the old container, starts the new one, and removes the old one on success. If the new container fails to start, the helper restarts the old container as a fallback.
diff --git a/content/docs/current/getting-started/index.mdx b/content/docs/current/getting-started/index.mdx
index 3dc70bb25..faa64bcb7 100644
--- a/content/docs/current/getting-started/index.mdx
+++ b/content/docs/current/getting-started/index.mdx
@@ -91,7 +91,7 @@ labels:
 
 All patterns use [RE2 syntax](https://github.com/google/re2/wiki/Syntax) (linear-time, immune to ReDoS).
 
-**Docs:** [Tag filtering](/docs/configuration/watchers#tag-filtering)
+**Docs:** [Tag filtering](/docs/configuration/watchers#labels)
 
 </Step>
 <Step>
diff --git a/content/docs/current/index.mdx b/content/docs/current/index.mdx
index 0792752ef..42dfc2ae9 100644
--- a/content/docs/current/index.mdx
+++ b/content/docs/current/index.mdx
@@ -47,6 +47,7 @@ Direct socket access grants the container full control over the Docker daemon. S
 ## 📚 Next steps
 
 - [Getting started guide](/docs/getting-started) — step-by-step walkthrough from watching to notifications to auto-updates
+- [Latest release highlights](/docs/updates) — recent features and where each one is documented
 - [Configure registries](/docs/configuration/registries) — set up private image access
 - [Set up triggers](/docs/configuration/triggers) — enable notifications and auto-updates
 - [Configure webhooks](/docs/configuration/webhooks) — integrate with CI/CD pipelines
@@ -54,3 +55,5 @@ Direct socket access grants the container full control over the Docker daemon. S
 - [Backup & rollback](/docs/configuration/rollback) — automatic backups and one-click restore
 - [Enable authentication](/docs/configuration/authentications) — secure your instance
 - [Monitor with Prometheus](/docs/monitoring) — add observability
+- [Container log viewer](/docs/configuration/logs) — stream and search container logs
+- [Debug dump](/docs/api/app#diagnostic-debug-dump) — export diagnostic snapshots for troubleshooting
diff --git a/content/docs/current/meta.json b/content/docs/current/meta.json
index 737e13f5a..e17bad3d6 100644
--- a/content/docs/current/meta.json
+++ b/content/docs/current/meta.json
@@ -8,6 +8,7 @@
     "updates",
     "api",
     "monitoring",
+    "deprecations",
     "faq",
     "changelog"
   ]
diff --git a/content/docs/current/monitoring/index.mdx b/content/docs/current/monitoring/index.mdx
index bc1551477..2be38e95c 100644
--- a/content/docs/current/monitoring/index.mdx
+++ b/content/docs/current/monitoring/index.mdx
@@ -1,8 +1,10 @@
 ---
 title: "Monitoring"
-description: "drydock exposes an endpoint to check the service healthiness."
+description: "Health check, Prometheus metrics, auth abuse observability, and Grafana dashboards for drydock."
 ---
 
+import { Callout } from 'fumadocs-ui/components/callout';
+
 ## HealthCheck
 
 drydock exposes an endpoint to check the service healthiness.
@@ -21,7 +23,11 @@ If the application is healthy, the Http Response Status Code is `200` (`500` oth
 }
 ```
 
-You can use it to configure health checks performed by your container orchestrator, for example:
+The official Docker image includes a built-in `HEALTHCHECK` that polls `/health` automatically — no additional configuration is needed in your compose file. The built-in probe uses a lightweight static binary (`/bin/healthcheck`) and handles TLS backends automatically.
+
+<Callout type="warn">**Deprecated:** Custom `curl`-based healthcheck overrides in compose files (e.g. `test: curl --fail http://localhost:3000/health`) are deprecated and will stop working in v1.6.0 when `curl` is removed from the image. Remove custom `healthcheck:` blocks from your drydock service to use the built-in probe.</Callout>
+
+If you need a custom healthcheck (for example, to change the interval), use the built-in binary:
 
 ```yaml
 services:
@@ -30,7 +36,7 @@ services:
     image: codeswhat/drydock:latest
     ...
     healthcheck:
-      test: curl --fail http://localhost:${DD_SERVER_PORT:-3000}/health || exit 1
+      test: /bin/healthcheck ${DD_SERVER_PORT:-3000}
       interval: 10s
       timeout: 10s
       retries: 3
@@ -53,13 +59,35 @@ drydock exposes various metrics that [Prometheus](https://prometheus.io/) can sc
 
 The metrics are exposed at [/metrics](http://localhost:3000/metrics).
 
-By default, `/metrics` requires authentication when API auth is enabled.  
-To expose metrics without app authentication (for local Prometheus scrapes), set:
+#### Authentication modes
 
-```yaml
-environment:
-  - DD_SERVER_METRICS_AUTH=false
-```
+The `/metrics` endpoint supports three authentication modes, evaluated in order:
+
+1. **Bearer token (recommended for Prometheus)** — Set `DD_SERVER_METRICS_TOKEN` to a secret string. Prometheus sends it via `Authorization: Bearer <token>`. This is the recommended approach because it decouples metrics scraping from session/login auth.
+
+   ```yaml
+   environment:
+     - DD_SERVER_METRICS_TOKEN=my-secret-metrics-token
+   ```
+
+   Configure your Prometheus scrape job:
+
+   ```yaml
+   scrape_configs:
+     - job_name: drydock
+       bearer_token: my-secret-metrics-token
+       static_configs:
+         - targets: ['drydock:3000']
+   ```
+
+2. **Session / basic auth fallback** — When no `DD_SERVER_METRICS_TOKEN` is set and `DD_SERVER_METRICS_AUTH` is not `false`, the endpoint falls back to the same session/basic auth used by the rest of the API.
+
+3. **No auth** — Set `DD_SERVER_METRICS_AUTH=false` to expose metrics without any authentication (suitable for isolated networks):
+
+   ```yaml
+   environment:
+     - DD_SERVER_METRICS_AUTH=false
+   ```
 
 ### Metrics
 
@@ -126,17 +154,143 @@ dd_container_actions_total{action="start"} 1
 dd_trigger_rollback_total{type="docker",name="local",outcome="success",reason="manual"} 1
 ```
 
+#### Digest cache metrics
+
+```bash
+# HELP drydock_digest_cache_hits_total Total number of digest cache hits
+# TYPE drydock_digest_cache_hits_total counter
+drydock_digest_cache_hits_total 12
+
+# HELP drydock_digest_cache_misses_total Total number of digest cache misses
+# TYPE drydock_digest_cache_misses_total counter
+drydock_digest_cache_misses_total 3
+```
+
 When a watcher logger cannot be initialized, drydock falls back to structured stderr JSON logs and increments `dd_watcher_logger_init_failures_total`.
 
 `dd_legacy_input_total` tracks local fallback usage of legacy `WUD_*` env vars and `wud.*` labels so you can monitor migration progress in your own Prometheus/Grafana stack. No data is sent to external services.
 
+### Auth Abuse Observability
+
+Use the auth metrics below to detect brute-force and username-enumeration activity:
+
+- `drydock_auth_login_total{outcome,provider}` where `outcome` is `success|invalid|locked|error` and `provider` is `basic|oidc`
+- `drydock_auth_login_duration_seconds{outcome,provider}` histogram
+- `drydock_auth_username_mismatch_total` counter
+- `drydock_auth_account_locked_total` gauge
+- `drydock_auth_ip_locked_total` gauge
+
+#### Prometheus alerting rules
+
+Drop the following into your Prometheus rules directory (e.g. `/etc/prometheus/rules/drydock-auth.yml`):
+
+```yaml
+groups:
+  - name: drydock-auth
+    rules:
+      # High login failure rate — more than 10 failed attempts in 5 minutes
+      - alert: DrydockHighLoginFailureRate
+        expr: increase(drydock_auth_login_total{outcome=~"invalid|locked|error"}[5m]) > 10
+        for: 1m
+        labels:
+          severity: warning
+        annotations:
+          summary: "High login failure rate on Drydock"
+          description: >-
+            {{ $value | printf "%.0f" }} failed login attempts in the last 5 minutes
+            (provider={{ $labels.provider }}, outcome={{ $labels.outcome }}).
+
+      # Brute-force / username-enumeration detection
+      - alert: DrydockBruteForceDetected
+        expr: increase(drydock_auth_username_mismatch_total[5m]) > 5
+        for: 1m
+        labels:
+          severity: warning
+        annotations:
+          summary: "Possible brute-force or username enumeration"
+          description: >-
+            {{ $value | printf "%.0f" }} username mismatches in 5 minutes.
+            Attackers may be probing valid usernames.
+
+      # Active account or IP lockouts
+      - alert: DrydockActiveLockouts
+        expr: drydock_auth_account_locked_total > 0 or drydock_auth_ip_locked_total > 0
+        for: 5m
+        labels:
+          severity: critical
+        annotations:
+          summary: "Active auth lockouts on Drydock"
+          description: >-
+            Locked accounts={{ $value }} (drydock_auth_account_locked_total),
+            locked IPs (drydock_auth_ip_locked_total).
+            Verify whether this is a legitimate operator lockout or an ongoing attack.
+
+      # Login latency degradation — p95 exceeds 2 seconds
+      - alert: DrydockAuthLatencyHigh
+        expr: >-
+          histogram_quantile(0.95,
+            sum by (le, provider) (rate(drydock_auth_login_duration_seconds_bucket[5m]))
+          ) > 2
+        for: 5m
+        labels:
+          severity: warning
+        annotations:
+          summary: "Auth verification p95 latency exceeds 2 s"
+          description: >-
+            p95 login duration is {{ $value | printf "%.2f" }}s for provider={{ $labels.provider }}.
+            Possible causes: slow OIDC IdP, high bcrypt cost, resource contention.
+```
+
+Tune thresholds to match your baseline traffic. A single-operator instance will rarely see 10 failures in 5 minutes under normal use; busier multi-user deployments may need higher values.
+
+#### Grafana dashboard panels
+
+Use these PromQL queries as a starting point for a Grafana dashboard row dedicated to auth observability.
+
+| Panel | Type | PromQL |
+| --- | --- | --- |
+| Login outcomes over time | Time series (stacked) | `sum by (outcome) (rate(drydock_auth_login_total[5m]))` |
+| Login failure rate by provider | Time series | `sum by (provider) (rate(drydock_auth_login_total{outcome!="success"}[5m]))` |
+| Username mismatch rate | Time series | `rate(drydock_auth_username_mismatch_total[5m])` |
+| Active lockouts | Stat / gauge | `drydock_auth_account_locked_total` and `drydock_auth_ip_locked_total` (separate stats or combined bar gauge) |
+| Login latency p50 / p95 / p99 | Time series | `histogram_quantile(0.50, sum by (le) (rate(drydock_auth_login_duration_seconds_bucket[5m])))` (repeat for `0.95` and `0.99`) |
+| Success ratio | Gauge (percent) | `sum(rate(drydock_auth_login_total{outcome="success"}[5m])) / sum(rate(drydock_auth_login_total[5m]))` |
+
+Set the "Login outcomes" panel to use the `outcome` label as the legend and color `success` green, `invalid` yellow, `locked` orange, `error` red for quick visual scanning.
+
+#### Lockout tuning guidance
+
+| Env var | Start with | Increase when | Decrease when |
+| --- | --- | --- | --- |
+| `DD_AUTH_ACCOUNT_LOCKOUT_MAX_ATTEMPTS` | `5` | frequent false-positive lockouts | repeated credential stuffing succeeds before lock |
+| `DD_AUTH_IP_LOCKOUT_MAX_ATTEMPTS` | `25` | many users share one egress IP (NAT, VPN, office proxy) | concentrated brute-force from single IPs |
+| `DD_AUTH_LOCKOUT_WINDOW_MS` | `900000` (15 min) | bursty legitimate retries should not accumulate | attackers spread attempts over time to bypass lockouts |
+| `DD_AUTH_LOCKOUT_DURATION_MS` | `900000` (15 min) | lockouts are too disruptive for operators | attackers resume immediately after lock expires |
+
+Operational notes:
+
+- Change one variable at a time and compare `drydock_auth_login_total` + lock gauges for at least one full work cycle.
+- If `drydock_auth_username_mismatch_total` rises while `success` stays flat, lower attempt thresholds and tighten upstream rate limits.
+- If lock gauges stay non-zero for long periods, consider a longer window with slightly higher thresholds to reduce operator churn.
+
+#### Reverse proxy / WAF recommendations for `/auth/login`
+
+- Enforce per-IP rate limits before Drydock (example: burst `10`, sustained `1-2 req/s`).
+- Add stricter failed-login controls (for example, block/challenge after `20` failed attempts in `5m` per IP).
+- Apply limits on username + IP tuples when your proxy supports composite keys.
+- Trust only known upstream proxies so source IP extraction cannot be spoofed.
+- Log and alert on WAF blocks/challenges so they correlate with `drydock_auth_*` spikes.
+- Keep `/metrics` protected unless your monitoring network is strictly isolated.
+
 ### Audit timeline event coverage
 
-Use the audit API (`/api/audit`) and Audit UI view to track runtime events alongside metrics. Current event coverage includes:
+Use the audit API (`/api/v1/audit`) and Audit UI view to track runtime events alongside metrics. Current event coverage includes:
 
 - `security-alert` when security scans detect high/critical issues.
 - `agent-disconnect` when a connected agent transitions to disconnected state.
 
+See the [Audit trail API](/docs/api#audit-trail) for the complete list of action types.
+
 #### Standard process metrics
 
 ```bash
diff --git a/content/docs/current/quickstart/index.mdx b/content/docs/current/quickstart/index.mdx
index 29bb55be6..bad79839d 100644
--- a/content/docs/current/quickstart/index.mdx
+++ b/content/docs/current/quickstart/index.mdx
@@ -90,7 +90,7 @@ docker run -d --name drydock \
 </Tab>
 </Tabs>
 
-The official image is published on Github Container Registry: `codeswhat/drydock`.
+The official image is published on Docker Hub and GitHub Container Registry.
 
 <Callout type="warn">Authentication is **required by default** on fresh installs. The examples above use Basic auth with username `admin` and password `password`. See the [auth docs](/docs/configuration/authentications) for OIDC, anonymous access, and other options.</Callout>
 
diff --git a/content/docs/current/updates/index.mdx b/content/docs/current/updates/index.mdx
index 381149192..9c79923b6 100644
--- a/content/docs/current/updates/index.mdx
+++ b/content/docs/current/updates/index.mdx
@@ -1,8 +1,25 @@
 ---
 title: "Updates"
-description: "This update adds skip/snooze controls per container to reduce noisy repeated notifications for known-bad versions."
+description: "Release update notes and feature highlights, with direct links to current configuration and API docs."
 ---
 
+## Release Highlights (March 2026)
+
+- **System log live streaming** — The Configuration Logs view now supports live WebSocket system logs with level/component filtering and tail backfill.  
+  Docs: [Logs configuration](/docs/configuration/logs), [Log API stream endpoint](/docs/api/log#stream-application-logs-websocket).
+- **Watcher run-time visibility** — Watchers expose `metadata.lastRunAt`, and the UI surfaces this in the Watchers list as **Last run**.  
+  Docs: [Watcher API](/docs/api/watcher).
+- **Container list query enhancements** — Container list now supports `order`, runtime `status` filters (`running`, `paused`, etc.), and watched-state `kind` filters (`watched`, `unwatched`, `all`).  
+  Docs: [Container API query parameters](/docs/api/container#get-all-containers).
+- **Digest notification mode** — Triggers can accumulate updates and flush on schedule with `MODE=digest` + `DIGESTCRON`.  
+  Docs: [Trigger modes](/docs/configuration/triggers#notes).
+- **Signed registry webhooks** — Added HMAC-verified registry push webhook endpoint for targeted checks.  
+  Docs: [Webhooks](/docs/configuration/webhooks).
+- **Podman API compatibility improvements** — Watchers now handle Podman API-version differences more reliably (including redirect-prone unversioned API paths).  
+  Docs: [Watchers Podman setup](/docs/configuration/watchers#podman-quick-start), [Podman FAQ](/docs/faq).
+- **Container-action failure toasts** — UI now surfaces update/delete failures as visible toast notifications instead of silent failures.  
+  Docs: [Container actions](/docs/configuration/actions).
+
 ## Per-container Update Policy (February 9, 2026)
 
 This update adds skip/snooze controls per container to reduce noisy repeated notifications for known-bad versions.
@@ -14,7 +31,7 @@ This update adds skip/snooze controls per container to reduce noisy repeated not
   - `skipDigests`
   - `snoozeUntil`
 - Added API endpoint:
-  - `PATCH /api/containers/:id/update-policy`
+  - `PATCH /api/v1/containers/:id/update-policy`
   - Actions: `skip-current`, `clear-skips`, `snooze`, `unsnooze`, `clear`
 - Added UI controls on container cards:
   - Skip current update
diff --git a/content/docs/v1.3/configuration/actions/meta.json b/content/docs/v1.3/configuration/actions/meta.json
new file mode 100644
index 000000000..6b2ae90ac
--- /dev/null
+++ b/content/docs/v1.3/configuration/actions/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Container Actions",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.3/configuration/hooks/meta.json b/content/docs/v1.3/configuration/hooks/meta.json
new file mode 100644
index 000000000..8f8e1c0b9
--- /dev/null
+++ b/content/docs/v1.3/configuration/hooks/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Lifecycle Hooks",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.3/configuration/meta.json b/content/docs/v1.3/configuration/meta.json
index e7574d8f0..31570f402 100644
--- a/content/docs/v1.3/configuration/meta.json
+++ b/content/docs/v1.3/configuration/meta.json
@@ -2,15 +2,20 @@
   "title": "Configuration",
   "pages": [
     "index",
+    "actions",
     "agents",
     "authentications",
+    "hooks",
     "logs",
     "registries",
+    "rollback",
     "security",
+    "self-update",
     "server",
     "storage",
     "timezone",
     "triggers",
-    "watchers"
+    "watchers",
+    "webhooks"
   ]
 }
diff --git a/content/docs/v1.3/configuration/registries/alicr/meta.json b/content/docs/v1.3/configuration/registries/alicr/meta.json
new file mode 100644
index 000000000..ba50cac1f
--- /dev/null
+++ b/content/docs/v1.3/configuration/registries/alicr/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "ALICR",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.3/configuration/registries/artifactory/meta.json b/content/docs/v1.3/configuration/registries/artifactory/meta.json
new file mode 100644
index 000000000..a576383ac
--- /dev/null
+++ b/content/docs/v1.3/configuration/registries/artifactory/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Artifactory",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.3/configuration/registries/codeberg/meta.json b/content/docs/v1.3/configuration/registries/codeberg/meta.json
new file mode 100644
index 000000000..ddb593e6b
--- /dev/null
+++ b/content/docs/v1.3/configuration/registries/codeberg/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Codeberg",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.3/configuration/registries/gar/meta.json b/content/docs/v1.3/configuration/registries/gar/meta.json
new file mode 100644
index 000000000..b6c225166
--- /dev/null
+++ b/content/docs/v1.3/configuration/registries/gar/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "GAR",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.3/configuration/registries/harbor/meta.json b/content/docs/v1.3/configuration/registries/harbor/meta.json
new file mode 100644
index 000000000..5adb592e8
--- /dev/null
+++ b/content/docs/v1.3/configuration/registries/harbor/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Harbor",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.3/configuration/registries/ibmcr/meta.json b/content/docs/v1.3/configuration/registries/ibmcr/meta.json
new file mode 100644
index 000000000..572202425
--- /dev/null
+++ b/content/docs/v1.3/configuration/registries/ibmcr/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "IBMCR",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.3/configuration/registries/meta.json b/content/docs/v1.3/configuration/registries/meta.json
index 875a17aba..6e9824a26 100644
--- a/content/docs/v1.3/configuration/registries/meta.json
+++ b/content/docs/v1.3/configuration/registries/meta.json
@@ -5,9 +5,10 @@
     "acr",
     "alicr",
     "artifactory",
+    "codeberg",
     "custom",
-    "docr",
     "dhi",
+    "docr",
     "ecr",
     "forgejo",
     "gar",
@@ -21,7 +22,7 @@
     "lscr",
     "nexus",
     "ocir",
-    "trueforge",
-    "quay"
+    "quay",
+    "trueforge"
   ]
 }
diff --git a/content/docs/v1.3/configuration/registries/nexus/meta.json b/content/docs/v1.3/configuration/registries/nexus/meta.json
new file mode 100644
index 000000000..a4964e905
--- /dev/null
+++ b/content/docs/v1.3/configuration/registries/nexus/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Nexus",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.3/configuration/registries/ocir/meta.json b/content/docs/v1.3/configuration/registries/ocir/meta.json
new file mode 100644
index 000000000..4fe0bdd0e
--- /dev/null
+++ b/content/docs/v1.3/configuration/registries/ocir/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "OCIR",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.3/configuration/rollback/meta.json b/content/docs/v1.3/configuration/rollback/meta.json
new file mode 100644
index 000000000..db8e5e801
--- /dev/null
+++ b/content/docs/v1.3/configuration/rollback/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Backup & Rollback",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.3/configuration/self-update/meta.json b/content/docs/v1.3/configuration/self-update/meta.json
new file mode 100644
index 000000000..e95afc02e
--- /dev/null
+++ b/content/docs/v1.3/configuration/self-update/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Self-Update",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.3/configuration/triggers/google-chat/meta.json b/content/docs/v1.3/configuration/triggers/google-chat/meta.json
new file mode 100644
index 000000000..d5cc4a4a2
--- /dev/null
+++ b/content/docs/v1.3/configuration/triggers/google-chat/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Google Chat",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.3/configuration/triggers/matrix/meta.json b/content/docs/v1.3/configuration/triggers/matrix/meta.json
new file mode 100644
index 000000000..227ab71ea
--- /dev/null
+++ b/content/docs/v1.3/configuration/triggers/matrix/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Matrix",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.3/configuration/triggers/teams/meta.json b/content/docs/v1.3/configuration/triggers/teams/meta.json
new file mode 100644
index 000000000..01146f950
--- /dev/null
+++ b/content/docs/v1.3/configuration/triggers/teams/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Teams",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.3/configuration/webhooks/meta.json b/content/docs/v1.3/configuration/webhooks/meta.json
new file mode 100644
index 000000000..c7994cc96
--- /dev/null
+++ b/content/docs/v1.3/configuration/webhooks/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Webhooks",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.3/quickstart/cosign.mdx b/content/docs/v1.3/quickstart/cosign.mdx
new file mode 100644
index 000000000..4e8495059
--- /dev/null
+++ b/content/docs/v1.3/quickstart/cosign.mdx
@@ -0,0 +1,56 @@
+---
+title: "Verify Packages with Cosign"
+description: "Verify official Drydock container images and release archives before deployment."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+
+Cosign signing is performed during release publishing. Consumers should verify signatures before deployment.
+
+## Verify container images
+
+Use the same verification policy that release CI enforces:
+
+```bash
+IMAGE="quay.io/codeswhat/drydock:1.3.9"
+IDENTITY_REGEX='^https://github.com/CodesWhat/drydock/.github/workflows/release.yml@refs/(heads/main|tags/.+)$'
+OIDC_ISSUER='https://token.actions.githubusercontent.com'
+
+cosign verify \
+  --certificate-identity-regexp "${IDENTITY_REGEX}" \
+  --certificate-oidc-issuer "${OIDC_ISSUER}" \
+  "${IMAGE}"
+```
+
+You can run the same command for:
+
+- `docker.io/codeswhat/drydock:<tag>`
+- `ghcr.io/codeswhat/drydock:<tag>`
+- `quay.io/codeswhat/drydock:<tag>`
+
+## Verify GitHub release archives
+
+```bash
+TAG="v1.3.9"
+BASE_URL="https://github.com/CodesWhat/drydock/releases/download/${TAG}"
+ARCHIVE="drydock-${TAG}.tar.gz"
+IDENTITY_REGEX='^https://github.com/CodesWhat/drydock/.github/workflows/release.yml@refs/(heads/main|tags/.+)$'
+OIDC_ISSUER='https://token.actions.githubusercontent.com'
+
+curl -fsSLO "${BASE_URL}/${ARCHIVE}"
+curl -fsSLO "${BASE_URL}/${ARCHIVE}.sig"
+curl -fsSLO "${BASE_URL}/${ARCHIVE}.pem"
+
+cosign verify-blob \
+  --signature "${ARCHIVE}.sig" \
+  --certificate "${ARCHIVE}.pem" \
+  --certificate-identity-regexp "${IDENTITY_REGEX}" \
+  --certificate-oidc-issuer "${OIDC_ISSUER}" \
+  "${ARCHIVE}"
+```
+
+## Why old tags may look different
+
+Some older releases expose legacy `sha256-<digest>.sig` tags in registries. Newer releases may store signatures via OCI referrers instead, which means you might not see a `.sig` tag even though `cosign verify` succeeds.
+
+<Callout type="warn">If verification fails, do not deploy the artifact.</Callout>
diff --git a/content/docs/v1.3/quickstart/index.mdx b/content/docs/v1.3/quickstart/index.mdx
index 7e25097f7..db1863ad2 100644
--- a/content/docs/v1.3/quickstart/index.mdx
+++ b/content/docs/v1.3/quickstart/index.mdx
@@ -79,6 +79,12 @@ docker run -d --name drydock \
 
 <Callout type="info">The official image is published on Github Container Registry: `codeswhat/drydock`</Callout>
 
+## Verify package signatures (recommended)
+
+Before production use, verify signatures for the image or release archive you deploy.
+
+<Callout type="info">Use the [Cosign verification guide](/docs/quickstart/cosign) for exact commands.</Callout>
+
 ## Open the UI
 
 [Open the UI](http://localhost:3000) in a browser and check that everything is working as expected.
diff --git a/content/docs/v1.3/quickstart/meta.json b/content/docs/v1.3/quickstart/meta.json
index 0e67cc95f..eb66a57a3 100644
--- a/content/docs/v1.3/quickstart/meta.json
+++ b/content/docs/v1.3/quickstart/meta.json
@@ -1,4 +1,4 @@
 {
   "title": "Quick Start",
-  "pages": ["index"]
+  "pages": ["index", "cosign"]
 }
diff --git a/content/docs/v1.4/api/agent.mdx b/content/docs/v1.4/api/agent.mdx
new file mode 100644
index 000000000..ef3e00076
--- /dev/null
+++ b/content/docs/v1.4/api/agent.mdx
@@ -0,0 +1,188 @@
+---
+title: "Agent API"
+description: "The Agent exposes specific endpoints for the Controller to synchronize state and receive events."
+---
+
+The Agent exposes specific endpoints for the Controller to synchronize state and receive events. These are generally internal APIs used by the Controller but are documented here for reference or advanced debugging.
+
+Authentication is required for all endpoints via the `X-Dd-Agent-Secret` header.
+
+## Get State
+
+Returns a snapshot of the Agent's current state (containers, watchers, triggers).
+
+```bash
+# Get Containers
+curl -H "X-Dd-Agent-Secret: <SECRET>" http://agent:3000/api/containers
+
+# Get Watchers
+curl -H "X-Dd-Agent-Secret: <SECRET>" http://agent:3000/api/watchers
+
+# Get Triggers
+curl -H "X-Dd-Agent-Secret: <SECRET>" http://agent:3000/api/triggers
+```
+
+## Watch Resources
+
+Trigger a manual watch on a specific watcher or container hosted by the Agent.
+
+```bash
+# Watch a specific watcher (discovery)
+curl -X POST \
+  -H "X-Dd-Agent-Secret: <SECRET>" \
+  http://agent:3000/api/watchers/:type/:name
+
+# Watch a specific container (discovery)
+curl -X POST \
+  -H "X-Dd-Agent-Secret: <SECRET>" \
+  http://agent:3000/api/watchers/:type/:name/container/:id
+```
+
+## Delete a Container
+
+Delete a container from the Agent's state.
+> **Note**: This operation requires `DD_SERVER_FEATURE_DELETE` to be enabled on the Agent.
+
+```bash
+curl -X DELETE \
+  -H "X-Dd-Agent-Secret: <SECRET>" \
+  http://agent:3000/api/containers/:id
+```
+
+## Real-time Events (SSE)
+
+Subscribes to real-time updates from the Agent using Server-Sent Events (SSE).
+
+The Agent pushes events when containers are added, updated, or removed.
+
+### Endpoint
+
+```bash
+curl -N -H "X-Dd-Agent-Secret: <SECRET>" -H "Accept: text/event-stream" http://agent:3000/api/events
+```
+
+### Protocol
+
+Events are sent as JSON objects with the following structure:
+
+```json
+data: {
+  "type": "event_type",
+  "data": { ...payload... }
+}
+```
+
+### Supported Events
+
+#### `dd:ack`
+
+Sent immediately upon connection to confirm the handshake.
+
+```json
+{
+  "type": "dd:ack",
+  "data": {
+    "version": "1.0.0"
+  }
+}
+```
+
+#### `dd:container-added`
+
+Sent when a new container is discovered.
+
+```json
+{
+  "type": "dd:container-added",
+  "data": { ...container_object... }
+}
+```
+
+#### `dd:container-updated`
+
+Sent when an existing container is updated (e.g. status change, new image tag).
+
+```json
+{
+  "type": "dd:container-updated",
+  "data": { ...container_object... }
+}
+```
+
+#### `dd:container-removed`
+
+Sent when a container is removed (e.g. stopped and pruned).
+
+```json
+{
+  "type": "dd:container-removed",
+  "data": {
+    "id": "container_id"
+  }
+}
+```
+
+## Container Logs
+
+Returns stdout/stderr output from a container running on the Agent.
+
+```bash
+curl -H "X-Dd-Agent-Secret: <SECRET>" \
+  "http://agent:3000/api/containers/:id/logs?tail=100"
+```
+
+Query parameters are the same as the [controller container logs endpoint](/docs/api/container#get-container-logs).
+
+## Application Log Entries
+
+Returns application log entries from the Agent's in-memory ring buffer.
+
+```bash
+curl -H "X-Dd-Agent-Secret: <SECRET>" \
+  "http://agent:3000/api/log/entries?level=warn&tail=50"
+```
+
+### Query parameters
+
+| Parameter | Type | Description |
+| --- | --- | --- |
+| `level` | string | Filter by minimum log level |
+| `component` | string | Filter by component name |
+| `tail` | integer | Number of entries to return from the end |
+| `since` | integer | Unix timestamp (seconds) -- only entries after this time |
+
+## Execute Remote Trigger
+
+Executes a specific trigger on the Agent (e.g., to update a container).
+
+```bash
+curl -X POST \
+  -H "X-Dd-Agent-Secret: <SECRET>" \
+  -H "Content-Type: application/json" \
+  -d '{ ...container_json... }' \
+  http://agent:3000/api/triggers/:type/:name
+```
+
+### Batch execution
+
+Execute a trigger for multiple containers in a single request.
+
+```bash
+curl -X POST \
+  -H "X-Dd-Agent-Secret: <SECRET>" \
+  -H "Content-Type: application/json" \
+  -d '[{ ...container_json... }, { ...container_json... }]' \
+  http://agent:3000/api/triggers/:type/:name/batch
+```
+
+## Health Check
+
+Returns the Agent's uptime. This endpoint is unauthenticated and intended for Docker `HEALTHCHECK` directives.
+
+```bash
+curl http://agent:3000/health
+
+{
+  "uptime": 3600.123
+}
+```
diff --git a/content/docs/v1.4/api/app.mdx b/content/docs/v1.4/api/app.mdx
new file mode 100644
index 000000000..075f6c11f
--- /dev/null
+++ b/content/docs/v1.4/api/app.mdx
@@ -0,0 +1,91 @@
+---
+title: "App API"
+description: "Application info and server configuration endpoints."
+---
+
+## Get App information
+
+Returns application name and version.
+
+```bash
+curl http://drydock:3000/api/app
+
+{
+  "name":"drydock",
+  "version":"1.4.0"
+}
+```
+
+## Get server configuration
+
+Returns the server configuration, webhook status, and legacy input compatibility summary.
+
+```bash
+curl http://drydock:3000/api/server
+
+{
+  "configuration": {
+    "port": 3000,
+    "feature": { "delete": false },
+    "webhook": { "enabled": true }
+  },
+  "compatibility": {
+    "legacyInputs": {}
+  }
+}
+```
+
+## Get security runtime status
+
+Returns the availability status of security tools (Trivy scanner, Cosign signature verification) and SBOM configuration. Use this to check whether the runtime environment has the required binaries before triggering scans.
+
+```bash
+curl http://drydock:3000/api/server/security/runtime
+
+{
+  "checkedAt": "2024-12-01T10:00:00.000Z",
+  "ready": true,
+  "scanner": {
+    "enabled": true,
+    "command": "trivy",
+    "commandAvailable": true,
+    "status": "ready",
+    "message": "Trivy client is ready",
+    "scanner": "trivy",
+    "server": ""
+  },
+  "signature": {
+    "enabled": false,
+    "command": "",
+    "commandAvailable": null,
+    "status": "disabled",
+    "message": "Signature verification is disabled"
+  },
+  "sbom": {
+    "enabled": true,
+    "formats": ["spdx-json", "cyclonedx-json"]
+  },
+  "requirements": []
+}
+```
+
+### Response fields
+
+| Field | Type | Description |
+| --- | --- | --- |
+| `checkedAt` | string | ISO 8601 timestamp of the check |
+| `ready` | boolean | `true` when the scanner is enabled and its command is available |
+| `scanner.enabled` | boolean | Whether vulnerability scanning is configured |
+| `scanner.command` | string | Scanner command (e.g. `trivy`) |
+| `scanner.commandAvailable` | boolean \| null | Whether the command was found in the runtime; `null` when disabled |
+| `scanner.status` | string | `ready`, `missing`, or `disabled` |
+| `scanner.server` | string | Trivy server URL (empty when using local mode) |
+| `signature.enabled` | boolean | Whether signature verification is configured |
+| `signature.command` | string | Cosign command |
+| `signature.commandAvailable` | boolean \| null | Whether cosign was found in the runtime |
+| `signature.status` | string | `ready`, `missing`, or `disabled` |
+| `sbom.enabled` | boolean | Whether SBOM generation is enabled |
+| `sbom.formats` | string[] | Configured SBOM output formats |
+| `requirements` | string[] | Human-readable list of missing dependencies (empty when everything is ready) |
+
+Returns 200 on success, or 500 if the runtime check fails.
diff --git a/content/docs/v1.4/api/container.mdx b/content/docs/v1.4/api/container.mdx
new file mode 100644
index 000000000..3521e6eb8
--- /dev/null
+++ b/content/docs/v1.4/api/container.mdx
@@ -0,0 +1,526 @@
+---
+title: "Container API"
+description: "This API allows to query the state of the watched containers."
+---
+
+This API allows to query the state of the watched containers.
+
+## Get all containers
+
+This operation lets you get all the watched containers.
+
+```bash
+curl "http://drydock:3000/api/containers?limit=25&offset=0"
+
+{
+  "data": [
+    {
+      "id": "31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816",
+      "name": "homeassistant",
+      "watcher": "local",
+      "status": "running"
+    }
+  ],
+  "total": 42,
+  "limit": 25,
+  "offset": 0,
+  "hasMore": true
+}
+```
+
+### Query parameters
+
+| Parameter | Type | Default | Description |
+| --- | --- | --- | --- |
+| `limit` | integer | `0` | Maximum number of containers to return (`0` means unbounded; max `200`) |
+| `offset` | integer | `0` | Number of matching containers to skip |
+| `includeVulnerabilities` | boolean | `false` | Include full vulnerability arrays in `data` |
+
+## Get container summary
+
+Returns a lightweight summary of container and security counts, used by the dashboard sidebar.
+
+```bash
+curl http://drydock:3000/api/containers/summary
+
+{
+  "containers": {
+    "total": 12,
+    "running": 10,
+    "stopped": 2
+  },
+  "security": {
+    "issues": 3
+  }
+}
+```
+
+### Response fields
+
+| Field | Type | Description |
+| --- | --- | --- |
+| `containers.total` | integer | Total number of watched containers |
+| `containers.running` | integer | Number of running containers |
+| `containers.stopped` | integer | Number of stopped containers |
+| `security.issues` | integer | Number of containers with critical or high vulnerabilities |
+
+## Get recent container status
+
+Returns a map of container names to their most recent update status, derived from the last 100 audit log entries. Used by the dashboard to show status badges on containers.
+
+```bash
+curl http://drydock:3000/api/containers/recent-status
+
+{
+  "statuses": {
+    "homeassistant": "updated",
+    "nginx": "pending",
+    "postgres": "failed"
+  }
+}
+```
+
+### Response fields
+
+| Field | Type | Description |
+| --- | --- | --- |
+| `statuses` | object | Map of container name to status |
+| `statuses[name]` | string | `updated` (update applied), `pending` (update available), or `failed` (update failed) |
+
+## Watch all Containers
+
+This operation triggers a manual watch on all containers.
+
+```bash
+curl -X POST http://drydock:3000/api/containers/watch
+
+{
+  "data": [{
+  "id":"31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816",
+  "name":"homeassistant",
+  "watcher":"local",
+  "includeTags":"^\\d+\\.\\d+.\\d+$",
+  "image":{
+    "id":"sha256:d4a6fafb7d4da37495e5c9be3242590be24a87d7edcc4f79761098889c54fca6",
+    "registry":{
+      "url":"123456789.dkr.ecr.eu-west-1.amazonaws.com"
+    },
+    "name":"test",
+    "tag":{
+      "value":"2021.6.4",
+      "semver":true
+    },
+    "digest":{
+      "watch":false,
+      "repo":"sha256:ca0edc3fb0b4647963629bdfccbb3ccfa352184b45a9b4145832000c2878dd72"
+    },
+    "architecture":"amd64",
+    "os":"linux",
+    "created":"2021-06-12T05:33:38.440Z"
+  },
+  "result":{
+    "tag":"2021.6.5"
+  },
+  "updateAvailable": true
+  }],
+  "total": 42,
+  "limit": 0,
+  "offset": 0,
+  "hasMore": false
+}
+```
+
+## Get a Container by id
+
+This operation lets you get a container by id.
+
+```bash
+curl http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816
+
+{
+  "id":"31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816",
+  "name":"homeassistant",
+  "watcher":"local",
+  "includeTags":"^\\d+\\.\\d+.\\d+$",
+  "image":{
+    "id":"sha256:d4a6fafb7d4da37495e5c9be3242590be24a87d7edcc4f79761098889c54fca6",
+    "registry":{
+      "url":"123456789.dkr.ecr.eu-west-1.amazonaws.com"
+    },
+    "name":"test",
+    "tag":{
+      "value":"2021.6.4",
+      "semver":true
+    },
+    "digest":{
+      "watch":false,
+      "repo":"sha256:ca0edc3fb0b4647963629bdfccbb3ccfa352184b45a9b4145832000c2878dd72"
+    },
+    "architecture":"amd64",
+    "os":"linux",
+    "created":"2021-06-12T05:33:38.440Z"
+  },
+  "result":{
+    "tag":"2021.6.5"
+  },
+  "updateAvailable": true
+}
+```
+
+## Get all triggers associated to the container
+
+This operation lets you get the list of triggers associated to the container.
+
+```bash
+curl http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/triggers
+
+{
+  "data": [
+    {
+      "id": "ntfy.one",
+      "type": "ntfy",
+      "name": "one",
+      "configuration": {
+        "topic": "235ef38e-f1db-414a-964f-ce3f2cc8094d",
+        "url": "https://ntfy.sh",
+        "threshold": "major",
+        "mode": "simple",
+        "once": true,
+        "simpletitle": "New ${kind} found for container ${name}",
+        "simplebody": "Container ${container.name} running with ${container.updateKind.kind} ${container.updateKind.localValue} can be updated to ${container.updateKind.kind} ${container.updateKind.remoteValue}${container.result && container.result.link ? "\\n" + container.result.link : ""}",
+        "batchtitle": "${containers.length} updates available",
+      }
+    }
+  ],
+  "total": 1
+}
+```
+
+## Watch a Container
+
+This operation triggers a manual watch on a container.
+
+```bash
+curl -X POST http://drydock:3000/api/containers/ca0edc3fb0b4647963629bdfccbb3ccfa352184b45a9b4145832000c2878dd72/watch
+
+{
+  "id":"31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816",
+  "name":"homeassistant",
+  "watcher":"local",
+  "includeTags":"^\\d+\\.\\d+.\\d+$",
+  "image":{
+    "id":"sha256:d4a6fafb7d4da37495e5c9be3242590be24a87d7edcc4f79761098889c54fca6",
+    "registry":{
+      "url":"123456789.dkr.ecr.eu-west-1.amazonaws.com"
+    },
+    "name":"test",
+    "tag":{
+      "value":"2021.6.4",
+      "semver":true
+    },
+    "digest":{
+      "watch":false,
+      "repo":"sha256:ca0edc3fb0b4647963629bdfccbb3ccfa352184b45a9b4145832000c2878dd72"
+    },
+    "architecture":"amd64",
+    "os":"linux",
+    "created":"2021-06-12T05:33:38.440Z"
+  },
+  "result":{
+    "tag":"2021.6.5"
+  },
+  "updateAvailable": true
+}
+```
+
+## Run a trigger on the container
+
+This operation lets you manually run a trigger on the container.
+
+```bash
+curl -X POST http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/triggers/ntfy/one
+```
+
+For containers managed by a remote agent, use the 4-segment variant to route the trigger through the agent:
+
+```bash
+curl -X POST http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/triggers/ntfy/one/agent1
+```
+
+## Update a container
+
+This operation triggers a direct container update — pulling the new image, stopping the old container, and recreating it with the updated image. This is equivalent to clicking "Update now" in the UI. Requires the Docker trigger to be configured for the container's watcher and `DD_SERVER_FEATURE_CONTAINERACTIONS` to be enabled.
+
+Returns 200 with the updated container on success, 400 if no update is available, 403 if container actions are disabled, 404 if the container or Docker trigger is not found, or 500 on update failure.
+
+```bash
+curl -X POST http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/update
+```
+
+## Update container update policy (skip/snooze)
+
+This operation lets you control per-container update suppression policy (stored in drydock DB):
+
+- `skip-current`: skip the currently detected remote tag or digest
+- `remove-skip`: remove a single previously skipped tag or digest (requires `kind` and `value`)
+- `clear-skips`: remove `skipTags` and `skipDigests`
+- `snooze`: suppress update notifications until a date (supports `days` or explicit `snoozeUntil`)
+- `unsnooze`: remove `snoozeUntil`
+- `clear`: remove all update policy
+
+```bash
+curl -X PATCH http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/update-policy \
+  -H 'Content-Type: application/json' \
+  -d '{"action":"skip-current"}'
+```
+
+```bash
+# Remove a single skipped tag
+curl -X PATCH http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/update-policy \
+  -H 'Content-Type: application/json' \
+  -d '{"action":"remove-skip","kind":"tag","value":"1.2.3"}'
+```
+
+```bash
+# Remove a single skipped digest
+curl -X PATCH http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/update-policy \
+  -H 'Content-Type: application/json' \
+  -d '{"action":"remove-skip","kind":"digest","value":"sha256:abc123..."}'
+```
+
+```bash
+curl -X PATCH http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/update-policy \
+  -H 'Content-Type: application/json' \
+  -d '{"action":"snooze","days":7}'
+```
+
+## Get security vulnerability overview
+
+This operation returns pre-aggregated vulnerability data grouped by image across all scanned containers.
+Used by the Security view to display vulnerability summaries without loading every container individually.
+
+```bash
+curl http://drydock:3000/api/containers/security/vulnerabilities
+```
+
+The response includes total and scanned container counts, the latest scan timestamp, and an `images` array where each entry groups vulnerabilities by image name with container IDs and an optional update severity summary.
+
+## Get latest vulnerability scan result
+
+This operation returns the latest persisted vulnerability scan (safe-pull gate result) for a container.
+When no scan was run yet, it returns `status: "not-scanned"` with an empty result set.
+
+```bash
+curl http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/vulnerabilities
+```
+
+## Run an on-demand security scan
+
+This operation triggers a vulnerability scan, optional signature verification, and optional SBOM generation for a container. The scan targets the update candidate image when available, falling back to the current image tag. Results are persisted to `container.security` and the updated container is returned.
+
+Requires `DD_SECURITY_SCANNER=trivy` to be configured.
+
+```bash
+curl -X POST http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/scan
+```
+
+Returns 200 with the updated container on success, 400 if security scanner is not configured, 404 if the container is not found, or 500 on scan failure.
+
+## Get SBOM for a container
+
+This operation returns the latest SBOM document for a container in the requested format.
+
+```bash
+curl http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/sbom?format=spdx-json
+```
+
+## Get container logs
+
+Returns stdout/stderr output from a container. For agent-managed containers, the request is proxied through the agent connection.
+
+```bash
+curl "http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/logs?tail=100"
+```
+
+### Query parameters
+
+| Parameter | Type | Default | Description |
+| --- | --- | --- | --- |
+| `tail` | integer | 100 | Number of lines to return from the end of the log |
+| `since` | integer | 0 | Unix timestamp (seconds) — only return logs after this time |
+| `timestamps` | boolean | true | Include timestamps in output |
+
+Returns 200 with `{ "logs": "..." }` on success, 404 if the container is not found, or 500 on failure.
+
+## Reveal container environment variables
+
+Returns the full (unredacted) runtime environment variables for a container. Environment values in the standard container response are redacted to `***` for sensitive keys. This endpoint reveals the actual values and creates an audit trail entry.
+
+Rate-limited to 10 requests per minute.
+
+```bash
+curl -X POST http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/env/reveal
+
+{
+  "env": [
+    { "key": "TZ", "value": "America/New_York", "sensitive": false },
+    { "key": "DATABASE_PASSWORD", "value": "s3cret", "sensitive": true }
+  ]
+}
+```
+
+### Response fields
+
+| Field | Type | Description |
+| --- | --- | --- |
+| `env[].key` | string | Environment variable name |
+| `env[].value` | string | Unredacted value |
+| `env[].sensitive` | boolean | Whether the key matches known sensitive patterns (passwords, tokens, secrets) |
+
+Returns 200 with the env array on success, 404 if the container is not found, or 429 if rate-limited.
+
+Container action auth model: `/start`, `/stop`, `/restart`, and `/update` are authentication-gated only. In current single-operator deployments, any authenticated user can execute these actions for any container.
+
+## Start a container
+
+This operation starts a stopped container. Requires `DD_SERVER_FEATURE_CONTAINERACTIONS` to be enabled.
+
+```bash
+curl -X POST http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/start
+```
+
+## Stop a container
+
+This operation stops a running container. Requires `DD_SERVER_FEATURE_CONTAINERACTIONS` to be enabled.
+
+```bash
+curl -X POST http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/stop
+```
+
+## Restart a container
+
+This operation restarts a container. Requires `DD_SERVER_FEATURE_CONTAINERACTIONS` to be enabled.
+
+```bash
+curl -X POST http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/restart
+```
+
+## Preview an update
+
+This operation returns a dry-run preview of what an update would change, without executing it.
+
+```bash
+curl -X POST http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/preview
+```
+
+## Get container backups
+
+This operation returns all image backups for a container, sorted by most recent first.
+
+```bash
+curl http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/backups
+
+{
+  "data": [
+    {
+      "id": "abc123",
+      "containerId": "31a61a8305ef...",
+      "containerName": "homeassistant",
+      "imageName": "homeassistant/home-assistant",
+      "imageTag": "2021.6.4",
+      "imageDigest": "sha256:...",
+      "timestamp": "2021-06-15T10:30:00.000Z",
+      "triggerName": "docker.local"
+    }
+  ],
+  "total": 1
+}
+```
+
+## Rollback a container
+
+This operation rolls back a container to a previously backed-up image. If no `backupId` is provided, the most recent backup is used.
+Rollback is destructive and requires explicit confirmation via `X-DD-Confirm-Action: container-rollback`.
+
+```bash
+curl -X POST http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/rollback \
+  -H 'X-DD-Confirm-Action: container-rollback' \
+  -H 'Content-Type: application/json' \
+  -d '{"backupId": "abc123"}'
+```
+
+Returns 200 on success, 404 if the container/backup/trigger is not found, or 428 if confirmation is missing.
+
+## Get update/rollback history
+
+Returns the persisted update and rollback operation history for a container, sorted by most recent first. Each entry tracks the full lifecycle of an update (phases, status, versions, rollback reason if applicable).
+
+```bash
+curl http://drydock:3000/api/containers/31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816/update-operations
+
+{
+  "data": [
+    {
+      "id": "a1b2c3d4-...",
+      "containerName": "homeassistant",
+      "status": "succeeded",
+      "phase": "succeeded",
+      "createdAt": "2024-12-01T10:00:00.000Z",
+      "updatedAt": "2024-12-01T10:01:30.000Z",
+      "containerId": "31a61a8305ef...",
+      "triggerName": "docker.local",
+      "fromVersion": "2024.11.3",
+      "toVersion": "2024.12.0",
+      "targetImage": "homeassistant/home-assistant:2024.12.0"
+    },
+    {
+      "id": "e5f6a7b8-...",
+      "containerName": "homeassistant",
+      "status": "rolled-back",
+      "phase": "rolled-back",
+      "createdAt": "2024-11-20T08:00:00.000Z",
+      "updatedAt": "2024-11-20T08:02:00.000Z",
+      "containerId": "31a61a8305ef...",
+      "fromVersion": "2024.11.2",
+      "toVersion": "2024.11.3",
+      "rollbackReason": "Health check failed"
+    }
+  ],
+  "total": 2,
+  "limit": 0,
+  "offset": 0,
+  "hasMore": false
+}
+```
+
+### Response fields
+
+| Field | Type | Description |
+| --- | --- | --- |
+| `id` | string | Unique operation ID |
+| `containerName` | string | Container name |
+| `status` | string | `in-progress`, `succeeded`, `rolled-back`, or `failed` |
+| `phase` | string | Current phase: `prepare`, `renamed`, `new-created`, `old-stopped`, `new-started`, `health-gate`, `health-gate-passed`, `succeeded`, `rollback-started`, `rolled-back`, `rollback-failed` |
+| `createdAt` | string | ISO 8601 timestamp when the operation started |
+| `updatedAt` | string | ISO 8601 timestamp of the last phase transition |
+| `containerId` | string | Container ID |
+| `triggerName` | string | Trigger that initiated the update |
+| `fromVersion` | string | Previous image tag or digest |
+| `toVersion` | string | Target image tag or digest |
+| `targetImage` | string | Full target image reference |
+| `rollbackReason` | string | Reason for rollback (only present on rolled-back operations) |
+| `lastError` | string | Error message (only present on failed operations) |
+
+Returns 200 with the operations array on success, or 404 if the container is not found.
+
+## Delete a Container
+
+This operation lets you delete a container by id. Requires `DD_SERVER_FEATURE_DELETE` to be enabled.
+Delete is destructive and requires explicit confirmation via `X-DD-Confirm-Action: container-delete`.
+
+```bash
+curl -X DELETE http://drydock:3000/api/containers/ca0edc3fb0b4647963629bdfccbb3ccfa352184b45a9b4145832000c2878dd72 \
+  -H 'X-DD-Confirm-Action: container-delete'
+```
+
+Returns 204 on success, 403 if delete is disabled, 404 if the container does not exist, or 428 if confirmation is missing.
diff --git a/content/docs/v1.4/api/index.mdx b/content/docs/v1.4/api/index.mdx
new file mode 100644
index 000000000..d9cf62d71
--- /dev/null
+++ b/content/docs/v1.4/api/index.mdx
@@ -0,0 +1,416 @@
+---
+title: "REST API"
+description: "Access Drydock state and trigger actions using the HTTP REST API."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+
+You can access drydock state and trigger actions using the HTTP REST API.
+
+By default, the API is enabled and exposed on port `3000`. You can override this behaviour [using environment variables](/docs/configuration/server).
+
+## API Versioning
+
+Starting in v1.4.0, the canonical API base path is `/api/v1/*`. The unversioned `/api/*` path remains as a backward-compatible alias during migration.
+
+| Path | Status | Description |
+| --- | --- | --- |
+| `/api/v1/*` | **Canonical** | Versioned API path — use this for new integrations |
+| `/api/*` | Deprecated alias | Planned for removal in v1.6.0 |
+
+Both paths return identical responses. Third-party integrations should migrate to `/api/v1/*` at their convenience.
+
+## Error Contract
+
+All error responses (HTTP 4xx/5xx) return a consistent JSON structure:
+
+```json
+{
+  "error": "Container not found"
+}
+```
+
+| Field | Type | Description |
+| --- | --- | --- |
+| `error` | string | Human-readable error message (derived from the HTTP status when not explicitly set) |
+| `details` | object | Optional contextual metadata (present only when additional context is available) |
+
+## Authentication
+
+When [authentication](/docs/configuration/authentications) is enabled, all API endpoints require a valid session (cookie-based via Basic or OIDC login).
+For cross-domain OIDC providers, keep `DD_SERVER_COOKIE_SAMESITE=lax` (default) unless you have a specific same-site policy requirement.
+
+The [webhook endpoints](/docs/configuration/webhooks) use a separate Bearer token authentication.
+
+## Destructive action confirmation
+
+Some destructive endpoints require an explicit confirmation header:
+
+`X-DD-Confirm-Action: <token>`
+
+If the header is missing or does not match the expected token, the API responds with `428 Precondition Required`.
+
+| Endpoint | Method | Required header |
+| --- | --- | --- |
+| `/api/containers/:id/rollback` | `POST` | `X-DD-Confirm-Action: container-rollback` |
+| `/api/containers/:id` | `DELETE` | `X-DD-Confirm-Action: container-delete` |
+
+## Endpoint overview
+
+| Category | Endpoints | Description |
+| --- | --- | --- |
+| [App](/docs/api/app) | `GET /api/app`, `GET /api/server` | Application info, server configuration, security runtime |
+| [Containers](/docs/api/container) | `GET /api/containers`, `POST`, `PATCH`, `DELETE` | Container state, actions, update policy, security |
+| [Agents](/docs/api/agent) | `GET /api/agents` | Remote agent status and logs |
+| [Logs](/docs/api/log) | `GET /api/log` | Application log entries |
+| [Registries](/docs/api/registry) | `GET /api/registries` | Registry configurations |
+| [Store](/docs/api/store) | `GET /api/store` | Data store info |
+| [Triggers](/docs/api/trigger) | `GET /api/triggers` | Trigger configurations |
+| [Watchers](/docs/api/watcher) | `GET /api/watchers` | Watcher configurations |
+
+### Additional endpoints
+
+| Endpoint | Method | Description |
+| --- | --- | --- |
+| `/api/openapi.json` | `GET` | [OpenAPI 3.1.0 specification](#openapi) (machine-readable API docs) |
+| `/health` | `GET` | Health check (returns 200 when healthy) |
+| `/metrics` | `GET` | Prometheus metrics (optional auth via `DD_SERVER_METRICS_AUTH`) |
+| `/api/events/ui` | `GET` | [Server-Sent Events](#server-sent-events-sse) for real-time UI updates |
+| `/api/audit` | `GET` | [Audit trail](#audit-trail) (paginated, filterable by action/container/date) |
+| `/api/notifications` | `GET`, `PATCH /:id` | [Notification rules](#notification-rules) (per-event enable/disable and trigger assignments) |
+| `/api/settings` | `GET`, `PATCH` | [UI settings](#settings) (internetless mode; `PUT` compatibility alias is deprecated) |
+| `/api/server` | `GET` | Server configuration and compatibility info (see [App API](/docs/api/app)) |
+| `/api/server/security/runtime` | `GET` | Security tools availability (see [App API](/docs/api/app)) |
+| `/api/containers/groups` | `GET` | [Container groups](#container-groups) (by stack/compose project) |
+| `/api/webhook/watch` | `POST` | [Webhook](/docs/configuration/webhooks) — trigger watch on all containers |
+| `/api/webhook/watch/:containerName` | `POST` | [Webhook](/docs/configuration/webhooks) — watch specific container |
+| `/api/webhook/update/:containerName` | `POST` | [Webhook](/docs/configuration/webhooks) — update specific container |
+
+<Callout type="info">See each sub-page for detailed request/response examples.</Callout>
+
+### Command endpoint convention
+
+Some endpoints are intentional action commands and use `POST` under a resource path (for example container watch/scan/reveal). These are RPC-style operations rather than CRUD updates.
+
+## Notification rules
+
+Notification rules control which events trigger notifications and which triggers receive them. Five default rules are created automatically.
+
+### Get all notification rules
+
+```bash
+curl http://drydock:3000/api/notifications
+
+{
+  "data": [
+    {
+      "id": "update-available",
+      "name": "Update Available",
+      "description": "When a container has a new version",
+      "enabled": true,
+      "triggers": []
+    },
+    {
+      "id": "update-applied",
+      "name": "Update Applied",
+      "description": "After a container is successfully updated",
+      "enabled": true,
+      "triggers": []
+    },
+    {
+      "id": "update-failed",
+      "name": "Update Failed",
+      "description": "When an update fails or is rolled back",
+      "enabled": true,
+      "triggers": []
+    },
+    {
+      "id": "security-alert",
+      "name": "Security Alert",
+      "description": "Critical/High vulnerability detected",
+      "enabled": true,
+      "triggers": []
+    },
+    {
+      "id": "agent-disconnect",
+      "name": "Agent Disconnected",
+      "description": "When a remote agent loses connection",
+      "enabled": false,
+      "triggers": []
+    }
+  ],
+  "total": 5
+}
+```
+
+### Response fields
+
+| Field | Type | Description |
+| --- | --- | --- |
+| `data` | array | List of notification rules |
+| `total` | integer | Number of rules returned |
+| `data[].id` | string | Rule identifier (e.g. `update-available`, `security-alert`) |
+| `data[].name` | string | Human-readable rule name |
+| `data[].description` | string | What this rule covers |
+| `data[].enabled` | boolean | Whether the rule is active |
+| `data[].triggers` | string[] | Trigger IDs that receive this notification (empty = all triggers) |
+
+### Update a notification rule
+
+Update the `enabled` status and/or `triggers` list for a rule. Only the fields you include are changed.
+
+```bash
+curl -X PATCH http://drydock:3000/api/notifications/update-available \
+  -H 'Content-Type: application/json' \
+  -d '{"enabled": true, "triggers": ["slack.alerts", "ntfy.one"]}'
+```
+
+Returns 200 with the updated rule, 400 if the body is invalid or a trigger ID is not recognized, or 404 if the rule ID does not exist.
+
+## Audit trail
+
+Returns paginated audit log entries for container lifecycle events, updates, rollbacks, webhooks, and more.
+
+### Get audit entries
+
+```bash
+curl "http://drydock:3000/api/audit?offset=0&limit=25&action=update-applied&container=homeassistant"
+
+{
+  "data": [
+    {
+      "id": "a1b2c3d4-...",
+      "timestamp": "2024-12-01T10:01:30.000Z",
+      "action": "update-applied",
+      "containerName": "homeassistant",
+      "containerImage": "homeassistant/home-assistant",
+      "fromVersion": "2024.11.3",
+      "toVersion": "2024.12.0",
+      "triggerName": "docker.local",
+      "status": "success",
+      "details": ""
+    }
+  ],
+  "total": 42,
+  "limit": 25,
+  "offset": 0,
+  "hasMore": true
+}
+```
+
+### Query parameters
+
+| Parameter | Type | Default | Description |
+| --- | --- | --- | --- |
+| `offset` | integer | `0` | Number of entries to skip |
+| `limit` | integer | `50` | Results per page (max 200) |
+| `action` | string | | Filter by action type |
+| `container` | string | | Filter by container name |
+| `from` | string | | ISO 8601 date -- only entries on or after this timestamp |
+| `to` | string | | ISO 8601 date -- only entries on or before this timestamp |
+
+### Action types
+
+`update-available`, `update-applied`, `update-failed`, `container-update`, `security-alert`, `agent-disconnect`, `container-added`, `container-removed`, `rollback`, `preview`, `container-start`, `container-stop`, `container-restart`, `webhook-watch`, `webhook-watch-container`, `webhook-update`, `hook-configured`, `hook-pre-success`, `hook-pre-failed`, `hook-post-success`, `hook-post-failed`, `auto-rollback`, `auth-login`
+
+## Server-Sent Events (SSE)
+
+The `/api/events/ui` endpoint provides real-time push notifications to the UI via Server-Sent Events.
+
+### Connect
+
+```bash
+curl -N -H "Accept: text/event-stream" http://drydock:3000/api/events/ui
+```
+
+Connection limits: max 10 per IP, max 10 per session. Returns 429 when exceeded.
+
+### Event types
+
+| Event | Payload | Description |
+| --- | --- | --- |
+| `dd:connected` | `{ "clientId": "...", "clientToken": "..." }` | Sent immediately on connection. The `clientToken` is used for self-update acknowledgment. |
+| `dd:heartbeat` | `{}` | Sent every 15 seconds to keep the connection alive |
+| `dd:container-added` | Container object | A new container was discovered by a watcher |
+| `dd:container-updated` | Container object | An existing container's state changed (new tag, status, scan result) |
+| `dd:container-removed` | Container object | A container was removed |
+| `dd:scan-started` | `{ "containerId": "..." }` | A security scan started for a container |
+| `dd:scan-completed` | `{ "containerId": "...", "status": "..." }` | A security scan finished |
+| `dd:self-update` | `{ "opId": "...", "requiresAck": bool, "ackTimeoutMs": int, "startedAt": "..." }` | Drydock is updating its own container. If `requiresAck` is true, the UI should POST an acknowledgment before the timeout. |
+| `dd:agent-connected` | Agent payload | A remote agent connected to the controller |
+| `dd:agent-disconnected` | Agent payload | A remote agent disconnected |
+
+### Self-update acknowledgment
+
+When a `dd:self-update` event has `requiresAck: true`, the UI must POST an acknowledgment before the timeout expires. The `clientId` and `clientToken` are provided in the initial `dd:connected` event.
+
+```bash
+curl -X POST http://drydock:3000/api/events/ui/self-update/op-abc123/ack \
+  -H 'Content-Type: application/json' \
+  -d '{"clientId": "client-1", "clientToken": "tok-xyz"}'
+```
+
+| Status | Response | Description |
+| --- | --- | --- |
+| 202 | `{ "status": "accepted", "operationId": "..." }` | Acknowledgment recorded |
+| 202 | `{ "status": "ignored", "operationId": "..." }` | No pending ack for this operation |
+| 400 | `{ "error": "..." }` | Missing required field (`operationId`, `clientId`, or `clientToken`) |
+| 403 | `{ "status": "rejected", "operationId": "..." }` | Invalid token, mismatched client, or client not bound to operation |
+
+### SSE message format
+
+```text
+event: dd:container-updated
+data: { "id": "31a61a...", "name": "homeassistant", ... }
+```
+
+## Settings
+
+Persistent UI preferences stored in the drydock database.
+
+### Get settings
+
+```bash
+curl http://drydock:3000/api/settings
+
+{
+  "internetlessMode": false
+}
+```
+
+### Update settings
+
+```bash
+curl -X PATCH http://drydock:3000/api/settings \
+  -H 'Content-Type: application/json' \
+  -d '{"internetlessMode": true}'
+
+{
+  "internetlessMode": true
+}
+```
+
+| Field | Type | Default | Description |
+| --- | --- | --- | --- |
+| `internetlessMode` | boolean | `false` | When enabled, disables registry icon lookups and other external requests |
+
+Returns 200 with the updated settings, or 400 if the body is invalid. `PUT /api/settings` is still accepted as a temporary compatibility alias but is deprecated.
+
+## Container groups
+
+Returns containers grouped by stack or group label. Group priority: `dd.group` > `wud.group` > `com.docker.compose.project` > ungrouped.
+
+```bash
+curl http://drydock:3000/api/containers/groups
+
+{
+  "data": [
+    {
+      "name": "monitoring",
+      "containers": [
+        {
+          "id": "31a61a...",
+          "name": "prometheus",
+          "displayName": "Prometheus",
+          "updateAvailable": false
+        },
+        {
+          "id": "e5f6a7...",
+          "name": "grafana",
+          "displayName": "Grafana",
+          "updateAvailable": true
+        }
+      ],
+      "containerCount": 2,
+      "updatesAvailable": 1
+    },
+    {
+      "name": null,
+      "containers": [
+        {
+          "id": "abc123...",
+          "name": "standalone-app",
+          "displayName": "standalone-app",
+          "updateAvailable": false
+        }
+      ],
+      "containerCount": 1,
+      "updatesAvailable": 0
+    }
+  ],
+  "total": 2
+}
+```
+
+### Response fields
+
+| Field | Type | Description |
+| --- | --- | --- |
+| `data` | array | List of container groups |
+| `total` | integer | Number of groups returned |
+| `data[].name` | string \| null | Group name (`null` for ungrouped containers) |
+| `data[].containers` | array | List of containers with `id`, `name`, `displayName`, `updateAvailable` |
+| `data[].containerCount` | integer | Number of containers in the group |
+| `data[].updatesAvailable` | integer | Number of containers with a pending update |
+
+## Authentication routes
+
+When [authentication](/docs/configuration/authentications) is enabled, these endpoints manage the login flow. Auth routes are mounted at `/auth` (not `/api/auth`).
+
+### Get available strategies
+
+Returns the list of configured authentication strategies. This endpoint is unauthenticated so the login screen can render.
+
+```bash
+curl http://drydock:3000/auth/strategies
+```
+
+A legacy alias is available at `GET /api/auth/methods` (rate-limited).
+
+### Login
+
+Authenticate with credentials. The response sets a session cookie.
+
+```bash
+curl -X POST http://drydock:3000/auth/login \
+  -H 'Content-Type: application/json' \
+  -d '{"username": "admin", "password": "..."}'
+```
+
+### Get current user
+
+Returns the currently authenticated user. Requires a valid session.
+
+```bash
+curl http://drydock:3000/auth/user
+```
+
+### Logout
+
+End the current session.
+
+```bash
+curl -X POST http://drydock:3000/auth/logout
+```
+
+When the active auth strategy exposes an OIDC end-session URL, the response includes `logoutUrl` so the UI can complete IdP logout. If `logoutUrl` is missing, logout is local-session-only.
+
+### Remember me
+
+Store a remember-me preference for the current authenticated session.
+
+```bash
+curl -X POST http://drydock:3000/auth/remember \
+  -H 'Content-Type: application/json' \
+  -d '{"remember": true}'
+```
+
+## OpenAPI
+
+Machine-readable API documentation is available as an OpenAPI 3.1.0 specification.
+
+```bash
+curl http://drydock:3000/api/openapi.json
+```
+
+The spec covers all API endpoints with request/response schemas. You can import the URL into tools like Swagger UI, Redoc, or Postman for interactive exploration.
diff --git a/content/docs/v1.4/api/log.mdx b/content/docs/v1.4/api/log.mdx
new file mode 100644
index 000000000..ef8111da8
--- /dev/null
+++ b/content/docs/v1.4/api/log.mdx
@@ -0,0 +1,59 @@
+---
+title: "Log API"
+description: "API endpoints for log configuration and log entries."
+---
+
+## Get Log configuration
+
+Returns the current logger configuration.
+
+```bash
+curl http://drydock:3000/api/log
+
+{
+  "level":"debug"
+}
+```
+
+## Get application log entries
+
+Returns log entries from the in-memory ring buffer (last 1,000 entries).
+If `DD_LOG_BUFFER_ENABLED=false`, this endpoint returns an empty array.
+
+```bash
+curl http://drydock:3000/api/log/entries
+```
+
+### Query parameters
+
+| Parameter | Type | Description |
+| --- | --- | --- |
+| `level` | string | Filter by log level (`trace`, `debug`, `info`, `warn`, `error`, `fatal`) |
+| `component` | string | Filter by component name |
+| `tail` | integer | Number of most recent entries to return |
+| `since` | integer | Unix timestamp (seconds) — only return entries after this time |
+
+### Example
+
+```bash
+curl "http://drydock:3000/api/log/entries?level=error&tail=50"
+
+[
+  {
+    "timestamp": "2026-02-16T12:00:00.000Z",
+    "level": "error",
+    "component": "registry:hub",
+    "msg": "Rate limit exceeded"
+  }
+]
+```
+
+## Get agent log entries
+
+Returns log entries from a connected agent, proxied through the controller.
+
+```bash
+curl http://drydock:3000/api/agents/:name/log/entries
+```
+
+Accepts the same query parameters as the application log entries endpoint above.
diff --git a/content/docs/v1.4/api/meta.json b/content/docs/v1.4/api/meta.json
new file mode 100644
index 000000000..5a18ecf13
--- /dev/null
+++ b/content/docs/v1.4/api/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "API",
+  "pages": ["index", "agent", "app", "container", "log", "registry", "store", "trigger", "watcher"]
+}
diff --git a/content/docs/v1.4/api/registry.mdx b/content/docs/v1.4/api/registry.mdx
new file mode 100644
index 000000000..077bddd78
--- /dev/null
+++ b/content/docs/v1.4/api/registry.mdx
@@ -0,0 +1,62 @@
+---
+title: "Registry API"
+description: "This API allows to query the state of the registries."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+
+This API allows to query the state of the registries.
+
+<Callout type="info">[Need to add a new Registry?](/docs/configuration/registries)</Callout>
+
+## Get all Registries
+
+This operation lets you get all the configured registries.
+
+```bash
+curl http://drydock:3000/api/registries
+
+{
+    "data": [
+      {
+        "id":"ecr.private",
+        "type":"ecr",
+        "name":"private",
+        "configuration":{
+            "region":"eu-west-1",
+            "accesskeyid":"A******************D",
+            "secretaccesskey":"T**************************************D"
+        }
+      },
+      {
+        "id":"hub.private",
+        "type":"hub",
+        "name":"private",
+        "configuration":{
+            "auth": "dXNlcm5hbWU6cGFzc3dvcmQ="
+        }
+      }
+    ],
+    "total": 2,
+    "limit": 0,
+    "offset": 0,
+    "hasMore": false
+}
+```
+
+## Get a Registry by id
+
+This operation lets you get a specific Registry.
+
+```bash
+curl http://drydock:3000/api/registries/hub/private
+
+{
+    "id": "hub.private",
+    "type": "hub",
+    "name": "private",
+    "configuration": {
+        "auth": "dXNlcm5hbWU6cGFzc3dvcmQ="
+    }
+}
+```
diff --git a/content/docs/v1.4/api/store.mdx b/content/docs/v1.4/api/store.mdx
new file mode 100644
index 000000000..2e4b250fc
--- /dev/null
+++ b/content/docs/v1.4/api/store.mdx
@@ -0,0 +1,21 @@
+---
+title: "Store API"
+description: "This API allows to query the configuration of the Store."
+---
+
+This API allows to query the configuration of the Store.
+
+## Get Store configuration
+
+This operation lets you get the state of the Store.
+
+```bash
+curl http://drydock:3000/api/store
+
+{
+   "configuration":{
+      "path":".store",
+      "file":"dd.json"
+   }
+}
+```
diff --git a/content/docs/v1.4/api/trigger.mdx b/content/docs/v1.4/api/trigger.mdx
new file mode 100644
index 000000000..f19c33004
--- /dev/null
+++ b/content/docs/v1.4/api/trigger.mdx
@@ -0,0 +1,81 @@
+---
+title: "Trigger API"
+description: "This API allows to query the state of the triggers."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+
+This API allows to query the state of the triggers.
+
+<Callout type="info">[Need to add a new Trigger?](/docs/configuration/triggers)</Callout>
+
+## Get all Triggers
+
+This operation lets you get all the configured triggers.
+
+```bash
+curl http://drydock:3000/api/triggers
+
+{
+    "data": [
+      {
+        "id":"smtp.gmail",
+        "type":"smtp",
+        "name":"gmail",
+        "configuration":{
+           "host":"smtp.gmail.com",
+           "port":465,
+           "user":"xxx@gmail.com",
+           "pass":"secret",
+           "from":"admin@dd.com",
+           "to":"xxx@gmail.com"
+        }
+      }
+    ],
+    "total": 1,
+    "limit": 0,
+    "offset": 0,
+    "hasMore": false
+}
+```
+
+## Get a Trigger by id
+
+This operation lets you get a specific Trigger.
+
+```bash
+curl http://drydock:3000/api/triggers/smtp/gmail
+
+{
+  "id":"smtp.gmail",
+  "type":"smtp",
+  "name":"gmail",
+  "configuration":{
+     "host":"smtp.gmail.com",
+     "port":465,
+     "user":"xxx@gmail.com",
+     "pass":"secret",
+     "from":"admin@dd.com",
+     "to":"xxx@gmail.com"
+  }
+}
+```
+
+## Running a trigger
+
+This operation lets you run a specific Trigger with simulated data.
+
+```bash
+export CONTAINER='{"id":"123456789","name":"container_test","watcher":"watcher_test","updateKind":{"kind":"tag","semverDiff":"patch","localValue":"1.2.3","remoteValue":"1.2.4","result":{"link":"https://my-container/release-notes/"}}}'
+curl -X POST -H "Content-Type: application/json" -d $CONTAINER http://drydock:3000/api/triggers/smtp/gmail
+```
+
+## Running a remote trigger (agent-scoped)
+
+Use the agent-scoped route when the target container is managed by a connected remote agent.
+The path order is `/:type/:name/:agent` (agent is the final segment).
+
+```bash
+export CONTAINER='{"id":"123456789","name":"container_test","agent":"agent1","watcher":"remote"}'
+curl -X POST -H "Content-Type: application/json" -d $CONTAINER http://drydock:3000/api/triggers/smtp/gmail/agent1
+```
diff --git a/content/docs/v1.4/api/watcher.mdx b/content/docs/v1.4/api/watcher.mdx
new file mode 100644
index 000000000..6f044707e
--- /dev/null
+++ b/content/docs/v1.4/api/watcher.mdx
@@ -0,0 +1,58 @@
+---
+title: "Watcher API"
+description: "This API allows to query the state of the watchers."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+
+This API allows to query the state of the watchers.
+
+<Callout type="info">[Need to add a new Watcher?](/docs/configuration/watchers)</Callout>
+
+## Get all Watchers
+
+This operation lets you get all the configured watchers.
+
+```bash
+curl http://drydock:3000/api/watchers
+
+{
+   "data": [
+      {
+      "id":"docker.local",
+      "type":"docker",
+      "name":"local",
+      "configuration":{
+         "socket":"/var/run/docker.sock",
+         "port":2375,
+         "cron":"0 * * * *",
+         "watchbydefault":true
+      }
+      }
+   ],
+   "total": 1,
+   "limit": 0,
+   "offset": 0,
+   "hasMore": false
+}
+```
+
+## Get a Watcher by id
+
+This operation lets you get a specific Watcher.
+
+```bash
+curl http://drydock:3000/api/watchers/docker/local
+
+{
+   "id":"docker.local",
+   "type":"docker",
+   "name":"local",
+   "configuration":{
+      "socket":"/var/run/docker.sock",
+      "port":2375,
+      "cron":"0 * * * *",
+      "watchbydefault":true
+   }
+}
+```
diff --git a/content/docs/v1.4/changelog/index.mdx b/content/docs/v1.4/changelog/index.mdx
new file mode 100644
index 000000000..37e6b46bf
--- /dev/null
+++ b/content/docs/v1.4/changelog/index.mdx
@@ -0,0 +1,963 @@
+---
+title: "Changelog"
+description: "All notable changes to this project will be documented in this file."
+---
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+> **Fork point:** upstream post-8.1.1 (2025-11-27)
+> **Upstream baseline:** WUD 8.1.1 + 65 merged PRs on `main` (Vue 3 migration, Alpine base image, Rocket.Chat trigger, threshold system, semver improvements, request→axios migration, and more)
+
+## [Unreleased]
+
+## [1.4.5] — 2026-03-17
+
+### Added
+
+- **Dashboard Update buttons** — Per-row update buttons and "Update all" button in the Updates Available dashboard widget. ([#173](https://github.com/CodesWhat/drydock/discussions/173))
+- **Getting Started guide** — New step-by-step onboarding guide covering watchers, tag filters, registries, notifications, auto-updates, safety features, and multi-host setup. ([#153](https://github.com/CodesWhat/drydock/discussions/153))
+
+### Fixed
+
+- **Container recreate alias filtering** — Hardened Docker watcher timestamp parsing, added event handler early return for transient aliases, canonical MQTT topic naming, and stale topic cleanup for recreated containers. ([#156](https://github.com/CodesWhat/drydock/issues/156))
+- **About modal version display** — Version is now fetched dynamically from the API instead of being hardcoded, ensuring the modal always reflects the running server version. ([#167](https://github.com/CodesWhat/drydock/issues/167))
+- **Version resolution fallback** — `DD_VERSION=unknown` is now skipped so the version is correctly read from `package.json` at startup.
+- **Theme circle transition origin** — The theme toggle circle animation now originates from the click point instead of the viewport center.
+- **Trigger code bugs** — Gotify URL and Apprise URL now correctly enforce `.required()` validation; Kafka `clientId` casing normalized with `clientId` kept as a deprecated compatibility alias until v1.6.0.
+
+### Security
+
+- **OIDC debug log redaction** — Sensitive OIDC parameters (`client_id`, `code_challenge`, `state`, etc.) are now redacted in debug logs. ([#168](https://github.com/CodesWhat/drydock/issues/168))
+- **Agent API error sanitization** — Error logs and responses in the agent API are sanitized to prevent leaking internal details.
+- **Registry config value redaction** — Trigger group configuration now logs keys only, not values, to prevent secret leakage.
+
+### Changed
+
+- **API versioning** — All UI fetch calls migrated from `/api/` to `/api/v1/` paths.
+- **OIDC empty bearer token log level** — Downgraded empty bearer token log from `warn` to `debug`. ([#169](https://github.com/CodesWhat/drydock/issues/169))
+
+### Documentation
+
+- **Docs audit (78 files)** — Fixed 18 doc accuracy issues, 3 code bugs, 22+ broken links, and restructured 8 pages (90 callouts → 36). Triggers overview reduced from 17 callouts to 3 with threshold reference table. Template variables expanded from 12 to 30 with example values. Docker Compose trigger now linked from triggers overview. ([#153](https://github.com/CodesWhat/drydock/discussions/153), [#172](https://github.com/CodesWhat/drydock/discussions/172))
+
+### Dependencies
+
+- **Security** — `fast-xml-parser` 5.3.8 → 5.5.6 (CVE: numeric entity expansion bypass), `next` 16.1.6 → 16.1.7 (HTTP smuggling, CSRF bypass, DoS)
+- **CI** — `step-security/harden-runner` v2.15.1 → v2.16.0, `github/codeql-action` v4.32.6 → v4.33.0
+- **App** — `@aws-sdk/client-ecr`, `@slack/web-api`, `express-rate-limit`, `fast-check`, `knip`, `nodemailer`, `undici`, `@types/node`
+- **UI** — `@iconify-json/lucide`, `knip`, `jsdom` 28 → 29
+- **Website** — `fumadocs-core`, `fumadocs-mdx`, `fumadocs-ui`, `lucide-react`, `lefthook`, `@vercel/analytics` v1 → v2, `@vercel/speed-insights` v1 → v2
+- **Demo** — `@iconify-json/lucide`, `@vitejs/plugin-vue`, `msw` 2.10 → 2.12
+- **E2E** — `@dotenvx/dotenvx`, `fast-xml-parser`, `minimatch`
+
+### Chore
+
+- **QA infrastructure** — Added Portainer, slow-shutdown container, and watchevents service for end-to-end container recreate testing. ([#156](https://github.com/CodesWhat/drydock/issues/156))
+- **Coverage and types cleanup** — Coverage read retry, OpenAPI re-export, and auth types cleanup.
+- **Demo version bump** — Bumped demo package version to 1.4.5.
+- **Alias filtering test coverage** — Added timestamp edge-case tests for Docker watcher alias filtering. ([#156](https://github.com/CodesWhat/drydock/issues/156))
+- **msw worker regenerated** — Updated `mockServiceWorker.js` for msw 2.12 (origin-based → clientId-based validation).
+
+## [1.4.4] — 2026-03-16
+
+### Added
+
+- **Click-to-copy on version tags** — CopyableTag component with clipboard feedback on all version displays (dashboard, container list, detail panels). ([#164](https://github.com/CodesWhat/drydock/issues/164))
+- **Dark mode icon inversion** — Simple Icons (`si:` prefix) auto-invert in dark mode via Tailwind dark variant.
+- **Tailwind v4 class-based dark mode** — `@custom-variant dark` directive for proper `.dark` class detection.
+
+### Changed
+
+- **Dashboard Updates Available version column centered.**
+- **Sidebar search button border removed** — `⌘K` badge improved dark mode contrast.
+- **URL rebrand** — All URLs updated from `drydock.codeswhat.com` to `getdrydock.com`.
+
+### Fixed
+
+- **Dashboard host-status widget showing 0 for non-agent remote watchers** — Dashboard host-status widget incorrectly showed zero container counts for non-agent remote watchers by using `watcher.id` instead of `watcher.name` as the lookup key. ([#155](https://github.com/CodesWhat/drydock/issues/155))
+- **Container recreate alias duplicates** — Unconditional 30s transient window skip, single inspect per event, event path guard prevent Docker's transient `<id-prefix>_<name>` aliases from producing duplicate container entries in triggers. ([#156](https://github.com/CodesWhat/drydock/issues/156))
+- **Tooltip viewport overflow** — Replaced CSS pseudo-element tooltips with body-appended popup using `position:fixed` and auto-flip. ([#165](https://github.com/CodesWhat/drydock/issues/165))
+- **Theme switcher broken** — Restored document binding for `startViewTransition` API.
+
+## [1.4.3] — 2026-03-16
+
+### Fixed
+
+- **DNS resolution failures on Alpine (EAI_AGAIN)** — Node.js 24 defaults to `verbatim` DNS ordering, which on Alpine's musl libc can cause `getaddrinfo EAI_AGAIN` errors when IPv6 records are returned first on dual-stack networks. Drydock now defaults to IPv4-first DNS ordering at startup, configurable via `DD_DNS_MODE` (`ipv4first` | `ipv6first` | `verbatim`, default: `ipv4first`). ([#161](https://github.com/CodesWhat/drydock/issues/161))
+- **Multi-platform Docker build validation** — CI now validates multi-platform Docker builds to catch architecture-specific failures early.
+
+### Security
+
+- **Zizmor findings blocking in CI and lefthook** — GitHub Actions security findings from zizmor are now blocking in both CI and local pre-push hooks.
+- **Secrets scoped to dedicated GitHub environments** — CI secrets are now scoped to dedicated GitHub environments instead of repository-level access.
+
+### Documentation
+
+- **Docker socket security guide** — Expanded watcher docs with comprehensive security section: comparison table of all access methods, socket proxy setup (recommended), remote Docker over TLS with cert generation walkthrough, rootless Docker guide, full Docker API endpoint reference showing exactly which endpoints Drydock uses for read-only monitoring vs write operations (updates).
+
+### Dependencies
+
+- **CI actions** — Bumped upload-artifact to v7 and replaced nick-fields/retry.
+
+## [1.4.2] — 2026-03-15
+
+### Added
+
+- **Update-operations pagination** — `GET /api/containers/:id/update-operations` now supports `limit` and `offset` query parameters with `_links` navigation, matching the existing container list pagination pattern.
+- **Periodic audit log pruning** — Audit store now runs a background timer (hourly, unref'd) to prune stale entries even with low insert volume, in addition to the existing insert-count-based pruning.
+- **Container release notes enrichment** — Watch cycles now enrich update candidates with GitHub release metadata (`result.releaseNotes` and `result.releaseLink`), and full notes are available via `GET /api/containers/:id/release-notes`.
+- **Container list sort and filter query params** — `GET /api/containers` now supports `sort` (`name`, `status`, `age`, `created`, with optional `-` prefix for descending), plus `status`, `kind`, `watcher`, and `maturity` filters.
+- **Update age and maturity API signals** — Container payloads now track `updateAge` and support maturity states (`hot`, `mature`, `established`) for filtering and policy workflows.
+- **Suggested semver tag hints** — Containers tracked on non-semver tags such as `latest` now expose `result.suggestedTag` to surface the best semver target.
+- **`oninclude` trigger auto mode** — Trigger `auto` now supports `oninclude`, which only auto-runs for containers explicitly matched by include labels. ([#160](https://github.com/CodesWhat/drydock/issues/160))
+- **Container runtime observability APIs** — Added `/api/containers/stats`, `/api/containers/:id/stats`, and `/api/containers/:id/stats/stream` for resource telemetry, plus richer per-container runtime snapshots.
+- **Real-time container log streaming** — Added WebSocket streaming at `/api/v1/containers/:id/logs/stream` with `stdout`/`stderr`, `tail`, `since`, and `follow` controls.
+- **Container logs and runtime stats panels** — Container detail views now include dedicated live Logs and Runtime Stats tabs (including full-page logs route support).
+- **Signed registry webhook receiver** — Added `POST /api/webhooks/registry` with HMAC signature verification and provider-specific payload parsing for registry push events.
+- **Auth lockout Prometheus observability** — Added Prometheus metrics for login success/failure and lockout activity.
+
+### Changed
+
+- **Extract maturity-policy module** — Consolidated scattered day-to-millisecond conversions and maturity policy constants into `app/model/maturity-policy.ts`, shared by backend, UI, and demo app.
+- **Extract security-overview module** — Moved security vulnerability aggregation and pagination logic from `crud.ts` into dedicated `app/api/container/security-overview.ts` for improved readability and testability.
+- **Refactor Docker Compose trigger** — Extracted YAML parsing/editing into `ComposeFileParser` and post-start hook execution into `PostStartExecutor`, reducing the monolithic `Dockercompose.ts` by ~400 lines.
+- **Decompose useContainerActions** — Split the 1200-line composable into focused modules: `useContainerBackups`, `useContainerPolicy`, `useContainerPreview`, and `useContainerTriggers`.
+- **Registry error handling** — Replaced `catch (e: any)` with `catch (e: unknown)` and `getErrorMessage(e)` in component registration and trigger/watcher startup.
+- **E2E test resilience** — Container row count assertions now use `toBeGreaterThan(0)` instead of hardcoded counts, preventing false failures when the QA environment has a different number of containers.
+- **Registry digest cache dedup per poll cycle** — Digest cache lookups now deduplicate repeated requests within a single poll cycle, reducing redundant registry calls and improving metric accuracy.
+- **Extract runtime config evaluation context type** — Consolidated scattered runtime field evaluation parameters into a typed `ClonedRuntimeFieldEvaluationContext` interface for trigger providers.
+- **Argon2 hash parsing type safety** — Extracted `Argon2Parameters` interface, parameter key type guard, and PHC parameter parsing into a reusable function for improved type safety.
+- **Extract agent client initialization methods** — Extracted URL parsing, HTTPS detection, protocol validation, and TLS configuration from monolithic constructor into focused private methods.
+- **Extract shared self-hosted registry config schema** — Deduplicated the registry configuration schema (url, login, password, auth, cafile, insecure, clientcert, clientkey) into a reusable helper shared by Custom and SelfHostedBasic registry providers.
+
+### Documentation
+
+- **Podman docs expansion** — Added Podman setup/compatibility guidance plus SELinux, `podman-compose`, and production notes in watcher and FAQ docs.
+- **Docs site URL rebrand** — Replaced `drydock.codeswhat.com` links with `getdrydock.com` across docs pages, sitemap/robots metadata, and website copy.
+
+### Fixed
+
+- **CSRF validation behind reverse proxies** — Same-origin mutation checks now honor `X-Forwarded-Proto` and `X-Forwarded-Host` when present before falling back to direct request protocol/host, preventing false `403 CSRF validation failed` responses in TLS-terminating proxy setups. ([#146](https://github.com/CodesWhat/drydock/issues/146))
+- **Hosts page missing env-var-configured watchers** — The Hosts page hardcoded a single "Local" entry and only added agent-based hosts. Watchers configured via `DD_WATCHER_*` environment variables (e.g. remote Docker hosts) were never displayed, even though their containers appeared correctly on the Containers page. The page now fetches all watchers from the API and displays each local watcher with its actual name and connection address. ([#151](https://github.com/CodesWhat/drydock/issues/151))
+- **Docker events reconnect with malformed errors** — Reconnect failure logging no longer crashes when the error object has no `message` property.
+- **Security overview container count** — The security vulnerability overview now uses the lightweight store count instead of loading all container objects just to count them.
+- **Compose path deduplication** — Replaced `indexOf`-based dedup with `Set` for compose file path detection in container security view.
+- **Build provenance attestation** — CI attestation step now runs with `if: always()` so provenance is attested even when prior optional steps are skipped.
+- **Container recreate alias duplicates in triggers** — When containers were recreated externally (via Portainer or `docker compose up`), Docker's transient `<id-prefix>_<name>` aliases were treated as new containers, producing duplicate entries in MQTT Home Assistant discovery sensors and Telegram notifications. Added alias deduplication filtering and force-removal of stale container IDs on recreate detection. ([#156](https://github.com/CodesWhat/drydock/issues/156))
+- **Stale store data after external container recreation** — Watch-at-start scan was suppressed when the store already had container data, leaving stale records from the previous run after external container recreation. Removed the suppression so every startup runs a full scan with alias filtering. ([#157](https://github.com/CodesWhat/drydock/issues/157))
+- **Watcher container counts on Hosts page** — Per-watcher container counts on the Hosts page used `watcher.id` (e.g. `docker.esk83`) as the lookup key instead of `watcher.name` (e.g. `esk83`), causing counts to display as zero for env-var-configured watchers. ([#155](https://github.com/CodesWhat/drydock/issues/155))
+- **Docker images tagged `:main` with no version** — CI release workflow triggered on both main branch pushes and version tags, producing Docker images tagged `:main` that showed `DD_VERSION=main` instead of a real version number. Release workflow now only triggers on version tags (`v*`). ([#154](https://github.com/CodesWhat/drydock/issues/154))
+- **Maturity badge sizing and tooltip clipping** — Fixed maturity badge height mismatch with other text badges and removed `overflow-hidden` from DataListAccordion that clipped tooltips in list view.
+
+### Security
+
+- **Agent secret over plaintext HTTP warning** — Agent clients now log a warning when a shared secret is configured over unencrypted HTTP, advising HTTPS configuration.
+- **Auth audit log injection** — Login identity values are now sanitized with `sanitizeLogParam()` before inclusion in audit log details, preventing log injection via crafted usernames.
+- **SSE self-update ack hardening** — Added validation for empty `clientId`/`clientToken`, non-ack broadcast mode, and client-not-bound-to-operation rejection.
+- **FAQ: removed insecure seccomp advice** — Removed the "Core dumped on Raspberry PI" FAQ entry that recommended `--security-opt seccomp=unconfined`, which completely disables the kernel's syscall sandbox. The underlying libseccomp2 bug was fixed in all supported OS versions since 2021.
+
+### Dependencies
+
+- **biome** — Bumped to 2.4.7 with import ordering fixes for new lint rules.
+- **vitest** — Bumped to 4.1.0 in app workspace with fast-check/vitest 0.3.0 and knip 5.86.0.
+- **UI packages** — Bumped vue, vitest, storybook, and icon packages.
+- **CI actions** — Bumped zizmor-action to v0.5.2 and cosign-installer to v4.1.0.
+
+## [1.4.1] — 2026-03-14
+
+### Added
+
+- **Headless mode (`DD_SERVER_UI_ENABLED`)** — Run drydock as an API-only service by setting `DD_SERVER_UI_ENABLED=false`. The REST API, SSE, and healthcheck endpoints remain fully functional while the UI is not served. Useful for controller nodes that only manage agents.
+- **Maturity-based update policy** — Per-container update maturity policy via `dd.updatePolicy.maturityMode` (`all` or `mature`) and `dd.updatePolicy.maturityMinAgeDays` (default 7). When set to `mature`, containers with updates detected less than the configured age threshold are blocked from triggering until the update has settled. UI shows NEW/MATURE badges with flame/clock icons on containers with available updates. ([#120](https://github.com/CodesWhat/drydock/discussions/120))
+- **`?groupByStack=true` URL parameter** — Bookmarkable URL parameter to enable stack grouping on the containers page. Also accepts `?groupByStack=1`. ([#145](https://github.com/CodesWhat/drydock/issues/145))
+
+### Changed
+
+- **Connection-lost overlay animation** — The connection-lost and reconnecting overlays now use a bounce animation for improved visual feedback.
+- **Watch target resolution refactored to discriminated union** — Internal refactor of the watch target resolution logic for improved type safety and maintainability.
+
+### Fixed
+
+- **Agent handshake and SSE validation failure** — Fixed agent API returning redacted container data (with `sensitive` field on env entries) instead of raw data, causing controller-side Joi validation to reject the handshake and crash on real-time SSE container events. SSE payloads now prefer canonical raw store data with sanitization fallback. ([#141](https://github.com/CodesWhat/drydock/issues/141))
+- **Mangled argon2 hash detection** — Docker Compose `$` interpolation can strip `$` delimiters from argon2 PHC hashes, producing an invalid hash that silently failed registration. Drydock now detects mangled hashes at startup and surfaces an actionable error message. ([#147](https://github.com/CodesWhat/drydock/issues/147))
+- **Anonymous auth fallback** — When all configured auth providers fail to register (e.g. due to a mangled hash), Drydock now falls back to anonymous mode if `DD_ANONYMOUS_AUTH_CONFIRM=true` is set, instead of leaving the user with no way to log in. ([#147](https://github.com/CodesWhat/drydock/issues/147))
+- **Auth registration errors on login page** — Registration warnings (e.g. invalid hash format) are now surfaced on the login page so users can see exactly what went wrong instead of a generic "No authentication methods configured" message. ([#147](https://github.com/CodesWhat/drydock/issues/147))
+- **CSP inline style violations** — Replaced runtime `element.style` mutations (DataTable column resize, tooltip directive, theme transitions, preference restore) with CSS custom properties and class-based styling. Relaxed `style-src` to include `'unsafe-inline'` for vendor libraries (iconify-icon, Vue Transition) that set `element.style` programmatically.
+- **Compose trigger affinity across remapped roots** — Compose trigger file-path matching now uses suffix-based comparison as a fallback when the container's compose label path (host mount) differs from the trigger's configured path (container-internal), preventing missed trigger associations in bind-mount setups.
+- **Compose trigger association** — Enforce compose-file affinity when associating triggers with containers, preventing incorrect trigger-container matching. ([#139](https://github.com/CodesWhat/drydock/issues/139))
+- **Update All button icon centering** — Fixed icon-text alignment in the Update All group header button to match the split button pattern used elsewhere.
+- **Selected card border clipping** — Fixed card border clipping on the first grid column in card view.
+
+### Security
+
+- **Username enumeration timing side-channel** — Eliminated timing difference between valid and invalid usernames during authentication.
+- **LokiJS metadata exposure** — Stripped internal LokiJS fields (`$loki`, `meta`) from settings API responses, agent API container responses, and `/app` endpoint.
+- **Permissions-Policy header** — Added `Permissions-Policy` header to restrict browser feature access (camera, microphone, geolocation, etc.).
+- **CSP and Cross-Origin-Embedder-Policy** — Tightened Content Security Policy and added COEP header.
+- **Production image hardening** — Removed `wget`, `nc`, and `npm` from the production Docker image; upgraded zlib.
+
+### Dependencies
+
+- **undici** — Bumped to 7.24.1 (fixes 12 CVEs including WebSocket memory consumption, CRLF injection, and request smuggling).
+
+## [1.4.0] — 2026-02-28
+
+### Breaking Changes
+
+- **MQTT `HASS_ATTRIBUTES` default changed from `full` to `short`** — This changes Home Assistant entity payloads by default, excluding large SBOM documents, scan vulnerabilities, details, and labels. To retain the previous payload behavior, set `DD_TRIGGER_MQTT_{name}_HASS_ATTRIBUTES=full` explicitly.
+
+### Added
+
+- **Audit log for container state changes** — External container lifecycle events (start, stop, restart via Portainer or CLI) now generate `container-update` audit entries with the new status, so the audit log reflects all state changes, not just Drydock-initiated actions. ([#120](https://github.com/CodesWhat/drydock/discussions/120))
+- **mTLS client certificate support** — Registry providers now accept `CLIENTCERT` and `CLIENTKEY` options for mutual TLS authentication with private registries that require client certificates.
+
+#### Backend / Core
+
+- **Container recent-status API** — `GET /api/containers/recent-status` returns pre-computed update status (`updated`/`pending`/`failed`) per container, replacing the client-side audit log scan and reducing dashboard fetch payload size.
+- **Dual-slot security scanning** — "Scan Now" automatically scans both the current running image and the available update image when an update exists. Results are stored in separate slots (`scan`/`updateScan`) and the Security page shows a delta comparison badge (+N fixed, -N new) next to each image that has both scans.
+- **`DD_LOG_BUFFER_ENABLED` toggle** — Disable the in-memory log ring buffer via `DD_LOG_BUFFER_ENABLED=false` to reduce per-log processing overhead. When disabled, `/api/log/entries` returns an empty array. Defaults to `true`.
+- **Scheduled security scanning** — Set `DD_SECURITY_SCAN_CRON` to automatically scan all watched containers on a cron schedule. `DD_SECURITY_SCAN_JITTER` (default 60s) spreads load with random delay before each cycle.
+- **Security scheduler shutdown on exit** — Security scan scheduler is now explicitly shut down during graceful exit, preventing orphan timers from delaying process termination.
+- **On-demand sensitive env value reveal** — Container environment variables are redacted by default in API responses. Individual values can be revealed on-demand via `/api/containers/:id/env/reveal` with audit logging.
+- **On-demand scans populate digest cache** — Manual container scans now populate the digest-based dedup cache, preventing redundant rescans of the same image digest.
+- **Per-container webhook opt-out** — New `dd.webhook.enabled=false` container label to exclude individual containers from webhook triggers without disabling the webhook API globally.
+- **Scan cancellation and mobile scan progress** — Security batch scans can now be cancelled mid-flight. Mobile scan progress UI improved with responsive layout.
+- **Security scan coverage counts** — Security view header shows scanned/total container counts for at-a-glance scan coverage.
+- **Notification rule management API and persistence** — `/api/notifications` CRUD endpoints backed by LokiJS-persisted notification rules for `update-available`, `update-applied`, `update-failed`, `security-alert`, and `agent-disconnect` event types.
+- **Rule-aware runtime dispatch** — Trigger event dispatch resolves notification rules at runtime so per-event enable/disable and trigger assignments actively control which triggers fire.
+- **Security-alert and agent-disconnect events** — New event types with audit logging and configurable deduplication windows. Security alerts fire automatically on critical/high vulnerability scan results.
+- **Compose-native container updates** — Compose-managed containers now update via `docker compose up -d` lifecycle instead of Docker API recreate, preserving compose ownership and YAML formatting.
+- **Rename-first rollback with health gates** — Non-self container updates use a rename-first strategy (rename old → create new → health-gate → remove old) with crash-recoverable state persisted in a new `update-operation` store collection. Rollback telemetry via `dd_trigger_rollback_total{type,name,outcome,reason}` counter.
+- **Tag-family aware semver selection** — Docker watcher infers the current tag family (prefix/suffix/segment style) and keeps semver updates within that family by default, preventing cross-family downgrades like `5.1.4` → `20.04.1`. Added `dd.tag.family` label (`strict` default, `loose` opt-out) and imgset support. ([#104](https://github.com/CodesWhat/drydock/issues/104))
+- **Entrypoint/cmd drift detection** — Docker trigger detects whether entrypoint/cmd were inherited from the source image vs user-set, replacing inherited values with target image defaults during update. Adds `dd.runtime.entrypoint.origin` and `dd.runtime.cmd.origin` labels.
+- **Self-update controller with SSE ack flow** — Dedicated controller container for self-update replaces the shell helper pattern. UI acknowledgment via SSE with operation ID tracking.
+- **Server-issued SSE client identity** — Replaced client-generated UUIDs with server-issued `clientId`/`clientToken` pairs for self-update ack validation, preventing spoofed acknowledgments.
+- **`config migrate` CLI** — `node dist/index.js config migrate` converts legacy `WUD_*` and Watchtower env vars/labels to `DD_*`/`dd.*` format across `.env` and compose files. Supports `--dry-run` preview and `--source` / `--file` selection.
+- **Legacy compatibility usage metric** — Prometheus counter `dd_legacy_input_total{source,key}` tracks local runtime consumption of legacy inputs (`WUD_*` env vars, `wud.*` labels) without external telemetry. Startup warns when legacy env vars are detected; watcher/trigger paths emit one-time deprecation warnings on `wud.*` label fallback.
+- **Bundled selfhst icons for offline startup** — Common container icons (Docker, Grafana, Nextcloud, etc.) bundled in the image so the UI works without internet on first boot.
+- **Runtime tool status endpoint** — `/api/server/security/runtime` reports Trivy/Cosign availability for the Security view.
+- **Gzip response compression** — Configurable via `DD_SERVER_COMPRESSION_ENABLED` and `DD_SERVER_COMPRESSION_THRESHOLD` (default 1024 bytes), with automatic SSE exclusion.
+- **Container runtime details** — Ports, volumes, and environment exposed in the container model and API for the detail panel.
+- **Update detected timestamp** — `updateDetectedAt` field tracks when an update was first seen, preserved across refresh cycles.
+- **No-update reason tracking** — `result.noUpdateReason` field surfaces why tag-family or semver filtering suppressed an available update.
+- **Remove individual skip entries** — `remove-skip` policy action allows removing a single skipped tag or digest without clearing all skips.
+- **Update-operation history API** — `GET /api/containers/:id/update-operations` returns persisted update/rollback history for a container.
+- **Settings backend** — `/api/settings` endpoints with LokiJS collection for persistent UI preferences (internetless mode). Icon proxy cache with atomic file writes and manual cache clear.
+- **SSE real-time updates** — Server-Sent Events push container state changes to the UI without polling.
+- **Remember-me authentication** — Persistent login sessions via remember-me checkbox on the login form.
+- **Docker Compose trigger** — Refresh compose services via Docker Compose CLI when updates are detected.
+- **Advisory-only security scanning** — `DD_SECURITY_BLOCK_SEVERITY=NONE` runs vulnerability scans without blocking updates. Scan results remain visible in the Security view and audit log.
+- **OpenAPI 3.1.0 specification and endpoint** — Machine-readable API documentation available at `GET /api/openapi.json`, covering all v1.4 endpoints with request/response schemas.
+- **Watcher agent support initialization** — Watchers now initialize agent support on startup for distributed monitoring readiness.
+- **Security vulnerability overview endpoint** — New `GET /api/containers/security/vulnerabilities` returns pre-aggregated vulnerability data grouped by image with severity summaries, so the Security view no longer needs to load all containers.
+- **MQTT attribute filtering for Home Assistant** — MQTT trigger supports attribute-based filtering for Home Assistant integration, allowing selective publishing based on container attributes.
+- **Docker Compose post_start env validation** — Docker Compose trigger validates environment variables in `post_start` hooks before execution, preventing runtime errors from missing or invalid env var references.
+- **MQTT HASS entity_picture from container icons** — When Home Assistant HASS discovery is enabled, `entity_picture` is now automatically resolved from the container's `dd.display.icon` label. Icons with `sh:`, `hl:`, or `si:` prefixes map to jsDelivr CDN URLs for selfhst, homarr-labs, and simple-icons respectively. Direct HTTP/HTTPS URLs pass through unchanged. ([#138](https://github.com/CodesWhat/drydock/issues/138))
+- **`dd.display.picture` container label** — New label to override the MQTT HASS `entity_picture` URL directly. Takes precedence over icon-derived pictures when set to an HTTP/HTTPS URL.
+
+#### UI / Dashboard
+
+- **Tailwind CSS 4 UI stack** — Complete frontend migration from Vuetify 3 to Tailwind CSS 4 with custom shared components. All 13 views rebuilt with Composition API.
+- **Shared data components** — Reusable DataTable, DataCardGrid, DataListAccordion, DataFilterBar, DetailPanel, DataViewLayout, and EmptyState components used consistently across all views with table/cards/list view modes.
+- **6 color themes** — One Dark (clean/balanced), GitHub (clean/familiar), Dracula (bold purple), Catppuccin (warm pastels), Gruvbox (retro earthy warmth), and Ayu (soft golden tones). Each with dark and light variants. Circle-reveal transition animation between themes.
+- **7 icon libraries** — Phosphor Duotone (default), Phosphor, Lucide, Tabler, Heroicons, Iconoir, and Font Awesome. Switchable in Config > Appearance with icon size slider.
+- **6 font families** — IBM Plex Mono (default/bundled), JetBrains Mono, Source Code Pro, Inconsolata, Commit Mono, and Comic Mono. Lazy-loaded from local `/fonts/` directory with internetless fallback.
+- **Command palette** — Global Cmd/Ctrl+K search with scope filtering (`/` pages, `@` runtime, `#` config), keyboard navigation, grouped sections, and recent history.
+- **Notification rules management view** — View, toggle, and assign triggers to notification rules with direct save through `/api/notifications`.
+- **Audit history view** — Paginated audit log with filtering by container, event text, and action type. Includes security-alert and agent-disconnect event type icons.
+- **Container grouping by stack** — Collapsible sections grouping containers by compose stack with count and update badges.
+- **Container actions tab** — Detail panel tab with update preview, trigger list, backup/rollback management, and update policy controls (skip tags, skip digests, snooze).
+- **Container delete action** — Remove a container from tracking via table row or detail panel.
+- **Container ghost state during updates** — When a container is updated, stopped, or restarted, its position is held in the UI with a spinner overlay while polling for the recreated container, preventing the "disappearing container" UX issue. ([#80](https://github.com/CodesWhat/drydock/issues/80))
+- **Skip update action** — Containers with pending updates can be individually skipped, hiding the update badge for the current session without requiring a backend endpoint.
+- **Slide-in detail panels on all views** — Row-click detail panels for Watchers, Auth, Triggers, Registries, Agents, and Security views.
+- **Interactive column resizing** — Drag-to-resize column handles on all DataTable instances.
+- **Dashboard live data and drag-reorder** — Stat cards (containers, updates, security, registries) computed from real container data with drag-reorderable layout and localStorage persistence. Security donut chart, host status, and update breakdown widgets.
+- **Log viewer auto-fetch and scroll lock** — Configurable auto-fetch intervals (2s/5s/10s/30s) with scroll lock detection and resume for both ConfigView logs and container logs.
+- **Keyboard shortcuts** — Enter/Escape for confirm dialogs, Escape to close detail panels.
+- **SSE connectivity overlay** — Connection-lost overlay with self-update awareness and auto-recovery.
+- **Login page connectivity monitor** — Polls server availability and shows connection status on the login screen.
+- **Server name badge for remote watchers** — Shows the watcher name instead of "Local" for multi-host setups.
+- **Dynamic dashboard stat colors** — Color-coded update and security stats based on severity ratio.
+- **About Drydock modal** — Version info and links accessible from sidebar.
+- **View wiring** — Watcher container counts, trigger Test buttons with success/failure feedback, host images count, and registry self-hosted port matching all wired to live API data.
+- **Font size preference** — Adjustable font size slider in Config > Appearance for UI-wide text scaling.
+- **Announcement banner** — Dismissible banner component for surfacing release notes and important notices in the dashboard.
+- **Dashboard vulnerability sort by severity** — Top-5 vulnerability list on the dashboard now sorted by total count descending with critical count as tiebreaker, so the most severe containers appear first.
+- **Rollback confirmation dialog** — Container rollback actions now require explicit confirmation through a danger-severity dialog before restoring from backup.
+- **Update confirmation dialog** — Container update actions now require explicit confirmation through a dialog before triggering an update.
+- **SHA-1 hash deprecation banner** — Dashboard shows a dismissible deprecation banner when legacy SHA-1 password hashes are detected, prompting migration to argon2id.
+- **Config tab URL deep-linking** — Config view tab selection syncs to the URL query parameter, enabling shareable direct links to specific config tabs.
+
+### Changed
+
+- **Compose trigger uses Docker Engine API** — Compose-managed container updates now use the Docker Engine API directly (pull, stop, recreate) instead of shelling out to `docker compose` / `docker-compose` CLI. Eliminates `spawn docker ENOENT` errors in environments without Docker CLI binaries installed.
+- **Compose self-update delegates to parent orchestrator** — Self-update for compose-managed Drydock containers now uses the parent Docker trigger's helper-container transition with health gates and rollback, instead of direct stop/recreate.
+- **Compose runtime refresh extracted** — Shared `refreshComposeServiceWithDockerApi()` helper eliminates the recursive `recreateContainer` → `updateContainerWithCompose` call chain. Both code paths now converge on the same explicit, non-recursive method.
+- **Compose-file-once batch mode re-enabled** — `COMPOSEFILEONCE=true` now works with the Docker Engine API runtime. First container per service gets a full runtime refresh; subsequent containers sharing the same service skip the refresh.
+- **Self-update controller testable entrypoint** — Extracted process-level entry logic to a separate entrypoint module, making the controller independently testable without triggering process-exit side effects.
+- **Dockercompose YAML patching simplified** — Removed redundant type guards and dead-code branches from compose file patching helpers, reducing code paths and improving maintainability.
+- **Dashboard fetches recent-status from backend** — Dashboard now fetches pre-computed container statuses from `/api/containers/recent-status` instead of scanning the raw audit log client-side.
+- **Prometheus collect() callback pattern** — Switched container gauge from interval-based polling to the Prometheus `collect()` callback, letting Prometheus control collection timing and eliminating the background 5s timer.
+- **Container security API refactored** — Container security routes refactored into a dedicated module with type-safe SecurityGate integration, concurrent scan limiting (max 1), and trivy DB status-based cache invalidation.
+- **DashboardView composable extraction** — Extracted 700+ line monolith into `useDashboardData`, `useDashboardComputed`, `useDashboardWidgetOrder`, and shared `dashboardTypes` for better testability and separation of concerns.
+- **Event-driven connectivity polling** — AppLayout SSE connectivity monitoring now starts on disconnect and stops on reconnect instead of running a fixed interval, reducing unnecessary network requests.
+- **Vulnerability loading optimized** — Vulnerability data loaded from the container list API payload (`includeVulnerabilities` flag) instead of separate per-container fetches, reducing API calls on the Security view.
+- **Default log format is JSON** — Official Docker image now defaults to `DD_LOG_FORMAT=json` for structured production logs. Override with `DD_LOG_FORMAT=text` for pretty logs.
+- **Scan endpoint rate limit reduced** — `POST /api/containers/:id/scan` rate limit lowered from 100 to 30 requests/min to prevent resource exhaustion during aggressive scanning.
+- **Single Docker image** — Removed thin/heavy image variants; all images now bundle Trivy and Cosign.
+- **Removed Vuetify dependency** — All Vuetify imports, components, and archived test files removed. Zero Vuetify references remain.
+- **Fail-closed auth enforcement** — Registry bearer-token flows error on token endpoint failures instead of falling through to anonymous. HTTP trigger auth errors on unsupported types. Docker entrypoint requires explicit `DD_RUN_AS_ROOT` + `DD_ALLOW_INSECURE_ROOT` for root mode.
+- **Fail-closed anonymous auth on fresh installs** — New installs with no authentication configured and no `DD_ANONYMOUS_AUTH_CONFIRM=true` fail closed at startup (all API calls return 401). Users upgrading from a previous version are allowed anonymous access with a startup warning. Set `DD_AUTH_BASIC_<name>_USER` / `DD_AUTH_BASIC_<name>_HASH` to configure authentication, or set `DD_ANONYMOUS_AUTH_CONFIRM=true` to explicitly allow anonymous access.
+- **Dashboard streamlined** — Stat cards reduced from 7 to 4 (Containers, Updates, Security, Registries). Recent Activity widget removed to fit on single viewport. Background refresh prevents loading flicker on SSE events.
+- **Notifications view is full rule management** — Editable notification rules (enable/disable and trigger assignments) that save directly through `/api/notifications`.
+- **Standardized API responses with collection pattern** — All collection endpoints (`/api/containers`, `/api/registries`, `/api/watchers`, `/api/authentications`, `/api/audit`) now return `{ data: [...], total }` instead of raw arrays. Supports pagination via `offset`/`limit` query parameters.
+- **Paginated API discoverability links** — Paginated collection responses now include `_links.self` and `_links.next` where applicable (for example `/api/containers` and `/api/audit`) to make page traversal explicit for API consumers.
+- **Versioned API base path with transition alias** — `/api/v1/*` is now the canonical API path for integrations. `/api/*` remains as a backward-compatible alias during migration and is planned for removal in a future major release (target: v2.0.0).
+- **Agent-scoped path order normalized** — Agent-qualified component and trigger routes now use `/:type/:name/:agent` (for example `/api/triggers/:type/:name/:agent` and `/api/containers/:id/triggers/:triggerType/:triggerName/:triggerAgent`) instead of the old agent-first order. This is a breaking change for external API clients using the old path shape.
+- **Machine-readable API error contract** — All error responses return a consistent `{ "error": "..." }` JSON structure with an optional `details` object for contextual metadata.
+- **6 color themes** — Replaced original Drydock theme with popular editor palettes: One Dark, GitHub, Dracula, Catppuccin, Gruvbox, and Ayu. Each with dark and light variants.
+- **Argon2id password hashing** — Basic auth now uses argon2id (OWASP recommended) via Node.js built-in `crypto.argon2Sync()` instead of scrypt for password hashing. Default parameters: 64 MiB memory, 3 passes, parallelism 4.
+- **PUT `/api/settings` deprecated** — `PUT /api/settings` now returns RFC 9745 `Deprecation` and RFC 8594 `Sunset` headers. Use `PATCH /api/settings` for partial updates. PUT alias removal targeted for v1.5.0.
+- **Basic auth argon2id PHC compatibility** — Basic authentication now accepts PHC-format argon2id hashes (`$argon2id$v=19$m=...,t=...,p=...$salt$hash`) in addition to the existing Drydock `argon2id$memory$passes$parallelism$salt$hash` format. Hash-generation guidance now recommends the standard `argon2` CLI command first, with Node.js as a secondary option.
+- **Borderless UI redesign** — Removed borders from all views, config tabs, detail panels, and shared data components for a cleaner visual appearance.
+- **Dashboard version column alignment** — Version column in the dashboard updates table is now left-aligned for better readability.
+- **Detail panel expand button redesigned** — Full-page expand button in the detail panel now uses a frame-corners icon instead of the previous maximize icon.
+- **Sidebar active indicator removed** — Removed the blue active indicator bar from sidebar navigation items for a cleaner look.
+
+### Fixed
+
+- **Log level setting had no effect** — `DD_LOG_LEVEL=debug` was correctly parsed but debug messages were silently dropped because pino's multistream destinations defaulted to `info` level. Stream destinations now inherit the configured log level. ([#134](https://github.com/CodesWhat/drydock/issues/134))
+- **Server feature flags not loaded after login** — Feature flags (`containeractions`, `delete`) were permanently stuck as disabled when authentication was required, because the pre-login bootstrap fetch failure marked the flags as "loaded" and never retried. Now failed fetches allow automatic retry after login. ([#120](https://github.com/CodesWhat/drydock/discussions/120))
+- **Compose trigger silently skips containers** — Multiple failure paths in the compose trigger were logged at `debug` level, making it nearly impossible to diagnose why a trigger reports success but containers don't update. Key diagnostic messages (compose file mismatch, label inspect failure, no containers matched) promoted to `warn` level, and the "already up to date" message now includes container names. ([#84](https://github.com/CodesWhat/drydock/discussions/84))
+- **Fallback icon cached permanently** — The Docker placeholder icon was served with `immutable` cache headers, causing browsers to cache it permanently even after the real provider icon becomes available. Fallback responses now use `no-store`.
+- **Basic auth upgrade compatibility restored** — Basic auth now accepts legacy v1.3.9 Basic auth hashes (`{SHA}`, `$apr1$`/`$1$`, `crypt`, and plain fallback) to preserve smooth upgrades. Legacy formats remain deprecated and continue showing a migration banner, with removal still planned for v1.6.0.
+- **Compose trigger rejects lowercase env var keys** — Configuration keys like `COMPOSEFILEONCE`, `DIGESTPINNING`, and `RECONCILIATIONMODE` were lowercased by the env parser but the Joi schema expected camelCase. Schema now maps lowercase keys to their camelCase equivalents. ([#120](https://github.com/CodesWhat/drydock/discussions/120))
+- **Compose trigger strips docker.io prefix** — When a compose file uses an explicit `docker.io/` registry prefix, compose mutations now preserve it instead of stripping it to a bare library path. ([#120](https://github.com/CodesWhat/drydock/discussions/120))
+- **Compose trigger fails when FILE points to directory** — `DD_TRIGGER_DOCKERCOMPOSE_{name}_FILE` now accepts directories, automatically probing for `compose.yaml`, `compose.yml`, `docker-compose.yaml`, or `docker-compose.yml` inside the directory. ([#84](https://github.com/CodesWhat/drydock/discussions/84))
+- **Container healthcheck fails with TLS backend** — The Dockerfile healthcheck now detects `DD_SERVER_TLS_ENABLED=true` and switches to `curl --insecure https://` for self-signed certificates. Also skips the healthcheck entirely when `DD_SERVER_ENABLED=false`. ([#120](https://github.com/CodesWhat/drydock/discussions/120))
+- **Agent CAFILE ignored without CERTFILE** — The agent subsystem now loads the CA certificate from `CAFILE` even when `CERTFILE` is not provided, fixing TLS verification for agents behind reverse proxies with custom CA chains.
+- **Service worker accepts cross-origin postMessage** — The demo service worker now validates `postMessage` origins against the current host, preventing potential cross-origin message injection.
+
+- **Action buttons disable and show spinner during in-progress actions** — Container action buttons (Stop, Start, Restart, Update, Delete) now show a disabled state with a spinner while the action runs in the background, providing clear visual feedback. The confirm dialog closes immediately on accept instead of blocking the UI.
+- **Command palette clears stale filter on navigation** — Navigating to a container via Ctrl+K search now clears the active `filterKind`, preventing stale filter state from hiding the navigated container.
+- **Manual update button works with compose triggers** — The update container endpoint now searches for both `docker` and `dockercompose` trigger types, matching the existing preview endpoint behavior. Previously, users with only a compose trigger saw "No docker trigger found for this container".
+- **CI: qlty retry on timeout** — Changed `retry_on` from `error` to `any` so qlty timeouts trigger retries. Increased timeout from 5 to 8 minutes.
+- **OIDC docs clarified `DD_PUBLIC_URL` requirement** — OIDC documentation now explicitly marks `DD_PUBLIC_URL` as required and includes it in all provider example configurations (Authelia, Auth0, Authentik, Dex). Without this variable, the OIDC provider fails to register at startup.
+- **Compose trigger docs updated for Engine API** — Removed stale references to `docker compose config --quiet` CLI validation and `docker compose pull`/`up` commands. Docs now reflect in-process YAML validation and Docker Engine API runtime. Added callout that Docker Compose CLI is not required.
+- **Container actions docs updated for compose triggers** — Update action documentation now mentions both Docker and Docker Compose trigger support.
+- **Compose trigger rejects compose files mounted outside app directory** — Removed overly strict working-directory boundary enforcement from `runComposeCommand` that rejected compose files bind-mounted outside `/home/node/app`, breaking documented mount patterns like `/drydock/docker-compose.yml`. Compose file paths are operator-configured and already validated during resolution.
+- **Compose trigger uses host paths instead of container paths** — Docker label auto-detection (`com.docker.compose.project.config_files`) now remaps host-side paths to container-internal paths using Drydock's own bind mount information. Previously, host paths like `/mnt/volume1/docker/stacks/monitoring/compose.yaml` were used directly inside the container where they don't exist, causing "does not exist" errors even when the file was properly mounted.
+- **Compose trigger logs spurious warnings for unrelated containers** — When multiple compose triggers are configured, each trigger now silently skips containers whose resolved compose files don't match the trigger's configured `FILE` path, eliminating noisy cross-stack "does not exist" warnings.
+- **Silent error on recheck failure** — "Recheck for Updates" button now displays an error banner when the backend request fails instead of silently stopping the spinner with no feedback.
+- **Silent error on env reveal failure** — Environment variable reveal in the container detail panel now shows an inline error message when the API call fails instead of silently failing.
+- **Security scans persist across navigation** — Navigating away from the Security view no longer cancels in-flight batch scans. Module-scoped scan state survives unmount and the progress banner reappears on return.
+- **SSE stale sweep timer on re-initialization** — Stale client sweep interval now starts even when `init()` is called after a hot reload, preventing leaked SSE connections.
+- **About modal documentation icon** — Documentation link in the about modal now shows a book icon instead of the expand/maximize icon.
+- **Log auto-fetch pauses in background tabs** — `useAutoFetchLogs` now stops polling when the browser tab is hidden and automatically resumes when it becomes visible again.
+- **SBOM download DOM isolation** — Isolated DOM element creation and `URL.createObjectURL` references in the SBOM download composable, fixing potential memory leaks and test failures from uncleared object URLs. JSON serialization skipped when SBOM panel is hidden.
+- **Dashboard resource fetch error propagation** — Dashboard API fetch errors are now propagated consistently to the UI error state instead of being silently swallowed.
+- **Docker image "latest" tag restricted to stable releases** — CI release workflow no longer tags prerelease versions as `latest`, preventing unstable images from being pulled by default.
+- **Security table refreshes progressively during batch scan** — Security view table updates incrementally as each container scan completes instead of waiting for the entire batch to finish.
+- **Vulnerability data fetched from per-container endpoint** — Security view now fetches vulnerability data from the correct per-container endpoint instead of a missing bulk endpoint.
+- **OIDC callback session loss with cross-site IdPs** — Session cookies now default to `SameSite=Lax` for auth compatibility, fixing callback flows that could fail under `SameSite=Strict`. Added `DD_SERVER_COOKIE_SAMESITE` (`strict|lax|none`) for explicit control. ([#52](https://github.com/CodesWhat/drydock/issues/52))
+- **Compose trigger handles unknown update kinds** — Containers with `updateKind.kind === 'unknown'` now trigger `docker compose pull` instead of silently skipping. ([#91](https://github.com/CodesWhat/drydock/issues/91))
+- **Compose image patching uses structured YAML edits** — Replaced regex/indent heuristics with YAML parser targeting only `services.<name>.image`, preserving comments and formatting.
+- **Hub/DHI public registries preserved with legacy token envs** — Public registry fallback no longer lost when a private token is configured. Fail-closed behavior remains for private registry auth and runtime token exchange failures.
+- **GHCR retries anonymously on credential rejection** — Public image checks continue when configured credentials are rejected by GHCR/LSCR.
+- **Partial registry registration failures isolated** — `Promise.allSettled` prevents a single bad registry from taking down all registries including the public fallback.
+- **Auth-blocked remote watchers stay registered** — Remote watchers that fail auth now show as degraded instead of crashing watcher init.
+- **Docker event stream reconnects with exponential backoff** — Watcher reconnects automatically (1s doubling to 30s max) instead of staying disconnected after Docker socket interruption.
+- **SSE frames flushed immediately** — Added `X-Accel-Buffering: no` and explicit `flush()` to prevent nginx/traefik from buffering real-time events.
+- **Store flushed on graceful shutdown** — Explicit `save()` call on SIGTERM/SIGINT prevents data loss between autosave intervals.
+- **Digest value populated on registration and refresh** — Digest-watch containers no longer show undefined digest in the UI.
+- **Icon fallback for missing upstream** — Icon proxy returns bundled Docker fallback instead of 404 when upstream providers return 403/404. Fixes registry port parsing in icon URLs.
+- **Container groups route no longer shadowed** — `/containers/groups` mounted before `/containers/:id` to prevent Express treating group requests as container ID lookups.
+- **Runtime env values redacted in API responses** — Container environment variable values no longer exposed through the API.
+- **Logger init failure produces structured stderr** — Falls back to structured JSON on stderr instead of silent no-op when logger init fails.
+- **Mobile sidebar closes on route change** — Safety-net watcher ensures mobile menu closes on any navigation.
+- **Security badge counts only scan vulnerabilities** — No longer inflated by major version updates.
+- **Trigger test failure shows parsed error message** — Actionable error reason displayed below trigger card on test failure.
+- **Viewport scrollbar eliminated** — Fixed double-nested scroll contexts; long tags truncated with tooltips.
+- **Self-hosted registries ignore port when matching** — Registry matching now respects port numbers in self-hosted registry URLs, preventing mismatches between registries on different ports of the same host.
+- **Socket proxy ECONNREFUSED with `:ro` mount** — Removed `:ro` flag from Docker socket mount in all socket proxy compose examples. The read-only flag can prevent the proxy from connecting to the Docker daemon on some Linux kernels; the proxy's environment variable filtering (`CONTAINERS=1`, `EVENTS=1`, etc.) is the actual security boundary. Added health check and `depends_on: condition: service_healthy` to all socket proxy examples for proper startup ordering. Added FAQ entry for troubleshooting ECONNREFUSED with socket proxies.
+- **Apprise trigger missing Content-Type header** — Apprise notify requests now set explicit `Content-Type: application/json` header, fixing failures with Apprise servers that require it.
+- **Toggle switch contrast** — Improved toggle thumb contrast across all themes for better visibility.
+- **Empty env var values rejected during container validation** — Joi schema on `details.env[].value` used `.string().required()` which implicitly disallows empty strings. Containers with empty environment variable values (e.g. `FOO=`) were silently skipped during watch cycles. Fixed with `.allow('')`. ([#120](https://github.com/CodesWhat/drydock/discussions/120))
+- **OIDC login broken by same-origin redirect check** — `LoginView.vue` restricted OIDC redirects to same-origin URLs, but OIDC Identity Provider URLs are always cross-origin (Authentik, Keycloak, etc.). Removed the same-origin check, keeping only HTTP/HTTPS protocol validation.
+- **Blank white screen on plain HTTP deployments** — Helmet.js defaults enabled HSTS and `upgrade-insecure-requests` CSP even when TLS was not configured, causing browsers to block sub-resource loads on plain HTTP. Now conditionally omits `upgrade-insecure-requests` and HSTS when TLS is off. Strict boolean check on `tls.enabled` prevents string coercion. ([#120](https://github.com/CodesWhat/drydock/discussions/120))
+- **Stale theme preferences after upgrade from v1.3** — Preferences migration `deepMerge` overwrote defaults with persisted values unconditionally, so invalid enum values (e.g. removed `drydock` theme family) survived migration and caused rendering failures. Added `sanitize()` pass that strips invalid theme families, variants, font families, icon libraries, scales, radius presets, view modes, and table actions before merge.
+- **OIDC discovery fails on HTTP IdP URLs** — openid-client v6 enforces HTTPS by default for all OIDC requests. Users running IdPs behind reverse proxies or on private networks with HTTP discovery URLs got "only requests to HTTPS are allowed" errors. Now passes `allowInsecureRequests` when the discovery URL protocol is `http:`.
+- **Docker Compose trigger fails with EBUSY on bind-mounted stacks** — `writeComposeFileAtomic()` used a single `fs.rename()` call that failed permanently when another process (e.g. Dockge) held the file or when Docker bind-mount overlay contention blocked the rename. Now retries up to 5 times with 200ms backoff, then falls back to a direct `writeFile` if rename remains blocked. ([#84](https://github.com/CodesWhat/drydock/discussions/84))
+- **Drydock container display name hardcoded** — The Docker watcher hardcoded `drydock` as the display name for drydock's own container instead of using the actual container name like every other container.
+- **Non-existent DD_OIDC_ALLOW_HTTP env var referenced in UI** — The UI OIDC HTTP banner referenced a `DD_OIDC_ALLOW_HTTP` env var that does not exist — the backend auto-detects `http://` discovery URLs and passes `allowInsecureRequests` automatically. Removed the misleading reference.
+- **Load test and start scripts broken by standardized API responses** — `jq` queries in `run-load-test.sh` and `start-drydock.sh` used raw array syntax instead of `.data[]` to match the new collection response pattern.
+- **Container status not reconciled on cron poll** — Containers that changed state between Docker event stream updates (e.g. stopped externally) were not reconciled during periodic cron polls. Now reconciles container status on each poll cycle.
+- **DD_AUTH_ANONYMOUS_CONFIRM env var alias rejected** — `DD_AUTH_ANONYMOUS_CONFIRM` was not accepted as an alias for the canonical `DD_ANONYMOUS_AUTH_CONFIRM` env var, forcing users to use only the non-prefixed form.
+- **LSCR cross-host auth failure** — LinuxServer Container Registry (lscr.io) token exchange failed because the auth flow required cross-host authentication via the ghcr.io token endpoint. Now allows cross-host auth for lscr.io.
+- **iPad sidebar clipping** — Used `dvh` (dynamic viewport height) instead of `vh` for sidebar height to fix clipping on iPad and other mobile browsers where the toolbar reduces available viewport height.
+- **Mobile dashboard scroll clipping** — Dashboard content was clipped on mobile viewports when scrolling, preventing users from reaching all content.
+- **Lockout counter reset on failed login** — Brute-force lockout counter could reset prematurely, and strategy IDs were not protected from enumeration. Fixed counter persistence and added strategy ID protection.
+- **Stale vulnerability data on fetch error** — Security view retained stale vulnerability data when a fetch error occurred instead of clearing it, showing outdated information.
+- **Audit service missing limit parameter** — Audit service requests did not always send the `limit` query parameter, causing inconsistent pagination behavior.
+- **Backup retention on failed updates** — Backup entries are now pruned on the failure path, not just after successful updates, preventing indefinite accumulation of stale backups.
+- **Backup pruning with undefined maxCount** — `pruneOldBackups()` no longer deletes all backups when `maxCount` is `undefined` (e.g. when `DD_BACKUPCOUNT` is not configured). Now correctly no-ops on invalid or non-finite values.
+- **Auto-rollback audit fromVersion accuracy** — Rollback audit entries now correctly record `fromVersion` as the failing new image tag (via `updateKind.remoteValue`) instead of the pre-update old tag.
+- **HASS entity_picture URL broken after logo rename** — MQTT HASS discovery payload referenced a renamed logo file (`drydock.png` instead of `whale-logo.png`), causing missing entity pictures in Home Assistant. ([#138](https://github.com/CodesWhat/drydock/issues/138))
+- **Watcher crashes on containers with empty names** — Docker watcher's same-name deduplication filter threw errors when containers had empty or missing names. Now skips deduplication for unnamed containers.
+- **Container names not reconciled after external recreate** — Containers recreated externally (via Portainer or `docker compose up`) retained stale names in the store until the next full poll cycle. Now reconciles container names immediately on detection.
+- **Nested icon prefixes fail proxy request** — Icon proxy rejected icons with doubled prefixes like `mdi:mdi-docker`. Now normalizes nested prefixes before proxying.
+- **Colon-separated icon prefixes rejected** — `dd.display.icon` labels using colon separators (e.g., `sh:nextcloud`) were rejected by the API validation pattern. Validation now accepts colon-prefixed icon identifiers.
+- **Bouncer-blocked state missing from container details** — Container detail views didn't reflect bouncer-blocked status. Now correctly wires the blocked state into detail panel display.
+
+### Security
+
+- **Security API error sanitization** — SBOM and scan error responses now return generic messages (`Error generating SBOM`, `Security scan failed`) instead of leaking internal error details. Detailed errors logged server-side only.
+- **Agent log query parameter validation** — Agent log level and component query parameters are validated against an allowlist and safe-character pattern, returning 400 for invalid values.
+- **TLS key/cert paths stripped from config response** — Server configuration API response no longer includes filesystem paths for TLS private key and certificate files.
+- **Type-safe store and auth modules** — Settings, notification, and auth store modules upgraded from `any` to explicit typed interfaces, preventing implicit type coercion vulnerabilities.
+- **Fail-closed auth enforcement across registries and triggers** — Bearer token, OIDC, and credential flows use `failClosedAuth` with typed `RequestOptions`, rejecting requests when required credentials are missing.
+- **Input validation hardened** — Additional input validation and error redaction across auth, API, and configuration modules.
+- **Mutation-only JSON body parser** — Express JSON body parsing restricted to mutation methods (POST/PUT/PATCH) only on both API and auth routers, reducing attack surface on read requests.
+- **CSRF Sec-Fetch-Site validation** — CSRF middleware now rejects requests with `Sec-Fetch-Site: cross-site` header, blocking cross-site state-changing requests even when the Origin header is absent.
+- **HTTPS enforcement for SameSite=none cookies** — `DD_SERVER_COOKIE_SAMESITE=none` now requires HTTPS configuration (`DD_SERVER_TLS_ENABLED=true` or `DD_SERVER_TRUSTPROXY`) and throws at startup if neither is set.
+- **Remember-me endpoint requires authentication** — `/auth/remember` POST moved after `requireAuthentication` middleware, preventing unauthenticated access.
+- **Env reveal rate limit tightened** — `/api/containers/:id/env` rate limit reduced from 100/min to 10/min to prevent credential enumeration. Server error responses return generic messages instead of internal details.
+- **Trivy command path validation** — Trivy binary paths are validated against shell metacharacters and path traversal before execution.
+- **Digest scan cache LRU eviction** — Scan result cache uses LRU eviction (max 500 entries, configurable via `DD_SECURITY_SCAN_DIGEST_CACHE_MAX_ENTRIES`) to prevent unbounded memory growth. Trivy DB status lookups are deduplicated across concurrent calls.
+- **CSP configured for Iconify CDN** — Content-Security-Policy updated to allow `connect-src` for the Iconify CDN origin, preventing blocked icon fetches in the browser.
+- **CSP connect-src restricted in internetless mode** — Content-Security-Policy `connect-src` directive tightened to `'self'` when running in internetless mode, blocking outbound connections from the browser.
+- **Legacy auth methods endpoint rate-limited** — `/api/auth/methods` rate-limited to prevent enumeration of available authentication providers.
+- **Removed plaintext credentials from login request body** — The Basic auth login was redundantly sending username and password in both the Authorization header and the JSON body. The backend only reads the Authorization header via Passport, so the body credentials were unnecessary exposure.
+- **Server-issued SSE client identity** — Self-update ack requests validated against server-issued tokens, preventing spoofed acknowledgments.
+- **Fail-closed auth across watchers, registries, and triggers** — Token exchange failures no longer fall through to anonymous access.
+- **Runtime env values redacted** — Container environment variable values stripped from API responses to prevent credential leakage.
+- **OIDC authorization redirect URL validation** — Added allowlist-based validation for OIDC authorization redirect URLs, preventing open redirect attacks through crafted callback parameters.
+- **Auth, registry token, and log sanitization hardening** — Consolidated security pass hardening authentication flows, registry token validation, and log output sanitization.
+- **Command trigger shell execution warning** — Command trigger now logs a one-time security warning on first execution, reminding operators that commands run with drydock process privileges.
+- **Login brute-force lockout** — Per-account and per-IP lockout after configurable failed login attempts (`DD_AUTH_ACCOUNT_LOCKOUT_MAX_ATTEMPTS`, `DD_AUTH_IP_LOCKOUT_MAX_ATTEMPTS`) with configurable window and duration.
+- **Concurrent session limits** — Maximum authenticated sessions per user (default 5, configurable via `DD_SERVER_SESSION_MAXCONCURRENTSESSIONS`). Oldest sessions are revoked first when the limit is reached.
+- **Destructive action confirmation header** — Dangerous operations (delete container, restore backup, delete all containers) now require an `X-DD-Confirm-Action` header, returning 428 when missing.
+- **Native argon2id password hashing** — Replaced abandoned `pass` package with `node:crypto` argon2Sync for Basic auth. OWASP-aligned parameters with timing-safe comparison. Legacy `{SHA}` hashes accepted with deprecation warnings.
+- **Full credential redaction** — `Component.mask()` now returns `[REDACTED]` instead of leaking prefix/suffix characters in logs and API responses.
+- **Trigger infrastructure config redaction** — Webhook URLs, hostnames, channels, and usernames are redacted from trigger configuration in API responses.
+- **Website SRI integrity hashes** — Post-build script injects subresource integrity hashes for static assets on the documentation website.
+- **Fail-closed webhook token enforcement** — Per-endpoint webhook tokens now fail closed when a token is configured but the request provides no token or a mismatched token, preventing bypass through missing headers.
+- **API error message sanitization** — API routes no longer expose raw Joi validation or exception messages to clients. New `sanitizeApiError()` helper returns generic messages while logging real details server-side.
+- **Trigger request body schema validation** — `POST /api/triggers/:type/:name` and remote trigger endpoints now validate request bodies with Joi (require `id` string, reject type coercion via `convert: false`).
+- **HTTP trigger auth schema enforcement at startup** — HTTP trigger Joi schema now conditionally requires `user`+`password` for BASIC auth and `bearer` for BEARER auth at registration time, catching misconfigurations before first trigger execution.
+- **CORS implicit wildcard origin deprecation warning** — Startup warning when `DD_SERVER_CORS_ENABLED=true` without explicit `DD_SERVER_CORS_ORIGIN`. Default wildcard will require explicit opt-in in v1.5.0.
+- **Identity-aware rate limit keying** — Opt-in `DD_SERVER_RATELIMIT_IDENTITYKEYING=true` keys authenticated route rate limits by session/username instead of IP, preventing collisions for multiple users behind shared proxies. Unauthenticated routes remain IP-keyed. Disabled by default.
+- **Reactive server feature flags in UI** — Container action buttons (update, rollback, scan, triggers) are now gated by server-side feature flags via a `useServerFeatures` composable. When features like `DD_SERVER_FEATURE_CONTAINERACTIONS` are disabled, buttons show a disabled state with tooltip explaining why instead of silently failing at runtime.
+- **Compose trigger hardening** — Auto compose file detection from container labels (`com.docker.compose.project.config_files`) with Docker inspect fallback, pre-commit `docker compose config --quiet` validation before writes, compose file reconciliation (warn/block modes for runtime vs compose image drift), optional digest pinning (`DIGESTPINNING` trigger config), compose-file-once batch mode for multi-service stacks, multi-file compose chain awareness with deterministic writable target selection, compose metadata in update preview API, and compose file path display in container detail UI.
+- **Unsupported hash formats fail closed** — Basic auth now rejects unsupported hash formats instead of falling through to plaintext comparison, preventing accidental plaintext password acceptance.
+
+### Performance
+
+- **Production source maps disabled** — UI production builds now exclude source maps, reducing bundle size and improving deployment efficiency.
+- **Audit store indexed date-range queries** — Audit entries now store a pre-parsed `timestampMs` index for numeric comparisons. Date-range queries use the LokiJS chain API with indexed filtering instead of full-collection scans. Automatic 30-day retention with periodic pruning.
+- **Backup store indexed lookups** — Backup collection adds indices on `data.containerName` and `data.id`, using `findOne()` for single-document lookups and indexed `find()` for name-filtered queries instead of full scans.
+- **LokiJS autosave interval set to 60 seconds** — Fixed autosave interval at 60s instead of the LokiJS default, reducing disk I/O while maintaining acceptable data durability.
+- **SSE shared heartbeat interval** — Deduplicated per-client SSE heartbeat timers into a single shared interval that starts on first connection and stops when all clients disconnect.
+- **LoginView exponential backoff** — Login page connectivity retry uses exponential backoff (5s doubling to 30s max) instead of fixed intervals, reducing server load during outages.
+- **Gzip response compression** — API responses compressed above configurable threshold with automatic SSE exclusion.
+- **Skip connectivity polling when SSE connection is active** — Eliminates unnecessary `/auth/user` fetches every 10s during normal operation.
+- **Set-based lookups replace linear scans** — Repeated array lookups converted to Set operations in core paths.
+- **Vite chunk splitting** — Production build now splits vendor code into `framework`, `icons`, and `vendor` chunks for better browser cache efficiency across deployments.
+- **Session index cache with atomic login locks** — Auth session lookups use an indexed cache for O(1) access. Login operations use atomic locks to prevent race conditions during concurrent authentication attempts.
+- **Proactive store cache eviction** — LokiJS store proactively evicts stale cache entries before insertion, reducing memory pressure during high-throughput container watch cycles.
+- **Async secret file loading** — Secret file loading (`DD_*__FILE` env vars) uses `fs/promises` for non-blocking reads during startup configuration, improving initialization time with many secret files.
+
+### Dependencies
+
+- **cron-parser v2 to v5** — Upgraded `cron-parser` from v2 to v5 (`CronExpressionParser` API). Note: `joi-cron-expression` still uses cron-parser v2 internally as its own dependency.
+- **Removed `pass` package** — Replaced abandoned `pass` password hashing with native `node:crypto` (covered under Security below).
+- **Trivy upgraded to 0.69.3** — Bumped Trivy version in qlty configuration for latest vulnerability database and scanner improvements.
+
+### Deprecated
+
+- **SHA-1 basic auth password hashes** — Legacy `{SHA}<base64>` password hashes are accepted with deprecation warnings. SHA-1 support will be removed in v1.6.0. Migrate to argon2id hashing.
+
+## [1.3.9] — 2026-02-22
+
+### Fixed
+
+- **Release signing broken by cosign v3 API change** — `cosign sign-blob` v3 silently ignores `--output-signature` and `--output-certificate` in keyless OIDC mode, producing an empty `.sig` file that fails upload. Release workflow now extracts signature and certificate from the cosign `.bundle` JSON as a fallback, handling both old (`base64Signature`/`cert`) and new (`messageSignature.signature`/`verificationMaterial.certificate.rawBytes`) bundle formats.
+- **Shellcheck SC2086 in release signing step** — Unquoted `${TAGS}` expansion in container image signing replaced with `read`-loop into array to eliminate word-splitting/globbing risk.
+
+### Changed
+
+- **CI and lefthook now run identical lint checks** — CI lint job previously ran `qlty check --filter biome` (1 plugin) while lefthook ran `qlty check` (17 plugins). Both now run `qlty check --all` from the repo root, ensuring local pre-push catches exactly what CI catches.
+- **Pre-commit hook auto-fixes lint issues** — `qlty check --fix` runs on staged files at commit time, followed by a verify step. Lint drift no longer accumulates until push time.
+- **Lefthook pre-push is sequential fail-fast** — Switched from `piped: false` (parallel) to `piped: true` with priority ordering so failures surface immediately with clear output.
+
+## [1.3.8] — 2026-02-22
+
+### Fixed
+
+- **Docker Compose trigger silently no-ops for `updateKind: unknown`** — When the update model classifies a change as `unknown` (e.g. created-date-only updates, unrecognized tag formats), `getNewImageFullName` resolved the update image identically to the current image, causing both compose-update and runtime-update filters to return empty arrays and log "All containers already up to date". The runtime-update filter now also triggers when `container.updateAvailable === true`, ensuring containers with confirmed updates are recreated regardless of `updateKind` classification. Compose file rewrites remain gated on explicit tag deltas. ([#91](https://github.com/CodesWhat/drydock/issues/91))
+- **Digest watch masks tag updates, pulling old image** — When digest watch was enabled on a container with both a tag change and a digest change (e.g. `v2.59.0-s6` → `v2.60.0-s6`), the update model gave digest unconditional priority, returning `kind: 'digest'` instead of `kind: 'tag'`. The trigger then resolved the image to the current tag (correct for digest-only updates) instead of the new tag, pulling the old image. Tag updates now take priority over digest when both are present. This bug was inherited from the upstream project (WUD). ([#91](https://github.com/CodesWhat/drydock/issues/91))
+- **Database not persisted on container shutdown** — LokiJS relies on its autosave interval to flush data to disk, but the graceful shutdown handler called `process.exit()` before the next autosave tick could fire, causing any in-memory changes since the last autosave to be lost. This manifested as stale version numbers, lost update policies, and missing audit log entries after restarting the drydock container. Now explicitly saves the database during shutdown before exiting. This bug was inherited from the upstream project (WUD) but made deterministic by our graceful shutdown changes. ([#96](https://github.com/CodesWhat/drydock/issues/96))
+
+## [1.3.7] — 2026-02-21
+
+### Fixed
+
+- **Tag regex OOM crash with re2-wasm** — Replaced `re2-wasm` with `re2js` (pure JavaScript RE2 port). The WASM binary had a hard 16 MB memory ceiling with no growth allowed, causing `abort()` crashes on valid regex patterns like `^v(\d+\.\d+\.\d+)-ls\d+$`. Since `re2-wasm` is abandoned (last npm publish Sep 2021) with no path to a fix, `re2js` provides the same linear-time ReDoS protection without WASM memory limits or native compilation requirements. ([#89](https://github.com/CodesWhat/drydock/issues/89))
+- **Self-signed/private CA support for self-hosted registries** — Added optional `CAFILE` and `INSECURE` TLS options for self-hosted registry providers (Custom, Gitea, Forgejo, Harbor, Artifactory, Nexus). This allows private registries with internal or self-signed certificates to pass TLS validation via a mounted CA bundle, or to explicitly disable verification for trusted internal networks. ([#88](https://github.com/CodesWhat/drydock/issues/88))
+- **Docker Compose trigger silently no-ops on digest updates** — Digest-only updates (same tag, new image hash) were filtered out entirely because the compose image string didn't change, causing the trigger to report success without recreating the container. Now digest updates skip the compose file write (correct — tag hasn't changed) but still trigger container recreation to pull the new image. ([#91](https://github.com/CodesWhat/drydock/issues/91))
+
+### Changed
+
+- **Gitea refactored to shared base class** — Gitea now extends `SelfHostedBasic` directly instead of duplicating its logic from `Custom`, reducing code and ensuring consistent behavior with Harbor, Nexus, and Artifactory.
+- **Lint tooling migrated from biome CLI to qlty** — Removed `@biomejs/biome` as a direct devDependency from all workspaces; biome is now managed centrally via qlty. Lint and format scripts updated to use `qlty check`/`qlty fmt`.
+- **Dependabot replaced with Renovate** — Switched dependency update bot for better monorepo grouping, auto-merge of patch updates, and pinned GitHub Actions digests.
+- **Socket Firewall switched to free mode** — The CI supply chain scan now uses `firewall-free` (blocks known malware, no token required) instead of `firewall-enterprise`.
+- **CI pipeline improvements** — Added npm and Docker layer caching, parallelized e2e/load-test jobs, reordered job dependencies for faster feedback, added harden-runner to all workflow jobs.
+- **CI credential hardening** — Bumped `harden-runner` v2.11.1 → v2.14.2 (fixes GHSA-cpmj-h4f6-r6pq) and added `persist-credentials: false` to all `actions/checkout` steps across all workflows to prevent credential leakage through artifacts.
+- **Zizmor added to local pre-push checks** — GitHub Actions security linter now runs via qlty alongside biome, catching workflow misconfigurations before push.
+- **Lefthook pre-push runs piped** — Commands now run sequentially with fail-fast instead of parallel, so failures surface immediately instead of hanging while other commands complete.
+
+## [1.3.6] — 2026-02-20
+
+### Fixed
+
+- **GHCR anonymous auth returns 401 on public repos** — The v1.3.3 fix for anonymous bearer tokens (`Og==`) removed the auth header entirely, but GHCR requires a token exchange even for unauthenticated pulls. Replaced direct bearer auth with proper token exchange via `https://ghcr.io/token`, matching the Hub/Quay pattern. Authenticated requests add Basic credentials to the token request; anonymous requests omit them. LSCR inherits the fix automatically. ([#85](https://github.com/CodesWhat/drydock/issues/85), [#86](https://github.com/CodesWhat/drydock/issues/86))
+
+## [1.3.5] — 2026-02-19
+
+### Fixed
+
+- **Container exits immediately when socket GID has no named group** — `Docker.entrypoint.sh` treated `getent group <gid>` failures as fatal under `set -e -o pipefail`, so mounts where `/var/run/docker.sock` had a numeric GID not present in `/etc/group` caused an immediate exit (`status=exited`, `exit=2`) before app startup. The group lookup is now tolerant and falls back to creating a matching group as intended. ([#82](https://github.com/CodesWhat/drydock/issues/82))
+- **Log pretty-printing no longer depends on shell pipes** — Moved human-readable formatting from the entrypoint pipeline (`node | pino-pretty`) into the app logger configuration. This preserves proper `exec`/signal behavior under `tini` while keeping `DD_LOG_FORMAT=json` support.
+
+## [1.3.4] — 2026-02-19
+
+### Fixed
+
+- **Backup lookup broken after container update** — Backups were keyed by Docker container ID, which changes on every recreate (e.g. after an update). Switched all backup queries to use the stable container name, so backups are always found regardless of container ID changes. ([#79](https://github.com/CodesWhat/drydock/issues/79))
+- **Image prune deletes backup image** — `cleanupOldImages` removed the previous image tag after updates, making rollback impossible. Now checks retained backup tags before pruning and skips images that are needed for rollback.
+- **Auto-rollback monitor uses stale container ID** — After an update recreates the container, `maybeStartAutoRollbackMonitor` passed the old (now-deleted) container ID to the health monitor. Now looks up the new container by name and passes the correct ID.
+- **Backup stores internal registry name instead of Docker-pullable name** — Backup `imageName` was stored as the internal registry-prefixed name (e.g. `hub.public/library/nginx`) which is not a valid Docker image reference. Rollback would fail with DNS lookup errors. Now stores the Docker-pullable base name (e.g. `nginx`) using the registry's `getImageFullName` method.
+- **Rollback API docs incorrect endpoint** — Fixed documentation showing `/api/backup/:id/rollback` instead of the correct `/api/containers/:id/rollback`.
+
+## [1.3.3] — 2026-02-18
+
+### Fixed
+
+- **Self-update leaves container stopped** — When drydock updated its own container, stopping the old container killed the Node process before the new one could be created, leaving the UI stuck on "Restarting..." indefinitely. Now uses a helper container pattern: renames old container, creates new container, then spawns a short-lived helper that curls the Docker socket to stop old → start new → remove old. ([#76](https://github.com/CodesWhat/drydock/issues/76))
+- **Stale digest after container updates** — After a container was updated (new image pulled, container recreated), the next watch cycle still showed the old digest because the early-return path in `addImageDetailsToContainer` skipped re-inspecting the Docker image. Now re-inspects the local image on each watch cycle to refresh digest, image ID, and created date. ([#76](https://github.com/CodesWhat/drydock/issues/76))
+- **express-rate-limit IPv6 key generation warning** — Removed custom `keyGenerator` from the container scan rate-limiter that bypassed built-in IPv6 normalization, causing `ERR_ERL_KEY_GEN_IPV6` validation errors.
+- **express-rate-limit X-Forwarded-For warning** — Added `validate: { xForwardedForHeader: false }` to all 6 rate-limiters to suppress noisy `ERR_ERL_UNEXPECTED_X_FORWARDED_FOR` warnings when running without `trust proxy` (e.g. direct Docker port mapping).
+- **Quay auth token extraction broken** — Fixed `authenticate()` reading `response.token` instead of `response.data.token`, causing authenticated pulls to silently run unauthenticated. Also affects Trueforge via inheritance.
+- **GHCR anonymous bearer token** — Fixed anonymous configurations sending `Authorization: Bearer Og==` (base64 of `:`) instead of no auth header, which could break public image access.
+- **Created-date-only updates crash trigger execution** — Fixed `getNewImageFullName()` crashing on `.includes()` of `undefined` when a container had only a created-date change (no tag change). Now rejects `unknown` update kind in threshold logic.
+- **Compose write failure allows container updates** — Fixed `writeComposeFile()` swallowing errors, allowing `processComposeFile()` to proceed with container updates even when the file write failed, causing runtime/file state desynchronization.
+- **Self-update fallback removes running old container** — Fixed helper script running `removeOld` after the fallback path (`startOld`), which would delete the running old container. Now only removes old after successful new container start.
+- **Registry calls have no timeout** — Added 30-second timeout to all registry API calls via Axios. Previously a hung registry could stall the entire watch cycle indefinitely.
+- **HTTP trigger providers have no timeout** — Added 30-second timeout to all outbound HTTP trigger calls (Http, Apprise, Discord, Teams, Telegram). Previously a slow upstream could block trigger execution indefinitely.
+- **Kafka producer connection leak** — Fixed producer connections never being disconnected after send, leaking TCP connections to the broker over time. Now wraps send in try/finally with disconnect.
+- **Rollback timer labels not validated** — Invalid `dd.rollback.window` or `dd.rollback.interval` label values (NaN, negative, zero) could cause `setInterval` to fire continuously. Now validates with `Number.isFinite()` and falls back to defaults.
+- **Health monitor overlapping async checks** — Added in-flight guard to prevent overlapping health checks from triggering duplicate rollback executions when inspections take longer than the poll interval.
+- **Anonymous login double navigation guard** — Fixed `beforeRouteEnter` calling `next()` twice when anonymous auth was enabled, causing Vue Router errors and nondeterministic redirects.
+- **Container API response not validated** — Fixed `getAllContainers()` not checking `response.ok` before parsing, allowing error payloads to be treated as container arrays and crash computed properties.
+
+### Security
+
+- **fast-xml-parser DoS via entity expansion** — Override `fast-xml-parser` 5.3.4→5.3.6 to fix CVE GHSA-jmr7-xgp7-cmfj (transitive dep via `@aws-sdk/client-ecr`, upstream hasn't released a fix yet).
+- **tar arbitrary file read/write** — Removed `tar` from dependency graph entirely by replacing native `re2` (which pulled in `node-gyp` → `tar`) with `re2-wasm` (v1.3.3), later replaced by `re2js` (v1.3.7) due to WASM memory limits. Previously affected by CVE GHSA-83g3-92jg-28cx.
+- **Unauthenticated SSE endpoint** — Moved `/api/events/ui` behind `requireAuthentication` middleware and added per-IP connection limits (max 10) to prevent connection exhaustion.
+- **Session cookie missing sameSite** — Set `sameSite: 'strict'` on session cookie to mitigate CSRF attacks.
+- **Predictable session secret** — Added `DD_SESSION_SECRET` environment variable override so deployments can provide proper entropy instead of the default deterministic UUIDv5.
+- **Global error handler leaks internal details** — Replaced `err.message` with generic `'Internal server error'` in the global error handler to prevent leaking hostnames, paths, and Docker socket info to unauthenticated callers.
+- **Entrypoint masks crash exit codes** — Enabled `pipefail` in `Docker.entrypoint.sh` so `node | pino-pretty` correctly propagates non-zero exit codes for restart policies.
+
+## [1.3.2] — 2026-02-16
+
+### Added
+
+- **Log viewer auto-fetch polling** — Configurable auto-fetch interval (Off / 2s / 5s / 10s / 30s) for both application and container log viewers, replacing manual-only refresh. Defaults to 5 seconds for a near-real-time tail experience. ([#57](https://github.com/CodesWhat/drydock/issues/57))
+- **Log viewer scroll lock** — Scrolling away from the bottom pauses auto-scroll, showing a "Scroll locked" indicator and "Resume" button. New log data continues to load in the background without yanking the user's scroll position. ([#57](https://github.com/CodesWhat/drydock/issues/57))
+- **Log viewer auto-scroll** — New log entries automatically scroll the view to the bottom when the user is near the end, providing a tail-like experience. ([#57](https://github.com/CodesWhat/drydock/issues/57))
+- **Shared log viewer composable** — Extracted `useLogViewerBehavior` composable with `useLogViewport` (scroll management) and `useAutoFetchLogs` (interval timer lifecycle) to eliminate duplication between application and container log views.
+- **7 new registry providers** — Added OCIR (Oracle Cloud), IBMCR (IBM Cloud), ALICR (Alibaba Cloud), GAR (Google Artifact Registry), Harbor, JFrog Artifactory, and Sonatype Nexus. Includes a shared `SelfHostedBasic` base class for self-hosted registries with basic auth.
+- **4 new trigger providers** — Added Mattermost, Microsoft Teams (Adaptive Cards), Matrix, and Google Chat notification triggers.
+
+### Fixed
+
+- **v1 manifest digest watch using image ID instead of repo digest** — Fixed `handleDigestWatch()` incorrectly reading `Config.Image` (the local image ID) as the digest for v1 manifest images, causing perpetual false "update available" notifications. Now uses the repo digest from `RepoDigests` instead. ([getwud/wud#934](https://github.com/getwud/wud/issues/934))
+- **Discord trigger broken after request→axios migration** — Fixed `sendMessage()` using `request`-style properties (`uri`, `body`) instead of axios properties (`url`, `data`), causing "Invalid URL" errors on all Discord webhook calls. ([getwud/wud#933](https://github.com/getwud/wud/issues/933))
+
+## [1.3.1] — 2026-02-15
+
+### Fixed
+
+- **Release SBOM generation for multi-arch images** — Replaced `anchore/sbom-action` (which fails on manifest list digests from multi-platform builds) with Docker buildx native SBOM generation (`sbom: true`), producing per-platform SBOMs embedded in image attestations.
+
+### Security
+
+- **Pin Trivy install script by commit hash** — Replaced mutable `main` branch reference in Dockerfile `curl | sh` with a pinned commit SHA to satisfy OpenSSF Scorecard pinned-dependencies check and prevent supply-chain risk from upstream changes.
+
+## [1.3.0] — 2026-02-15
+
+### Fixed
+
+- **OIDC session resilience for WUD migrations** — Corrupt or incompatible session data (e.g. from WUD's connect-loki store) no longer causes 500 errors. Sessions that fail to reload are automatically regenerated. All OIDC error responses now return JSON instead of plain text, preventing frontend parse errors. Added a global Express error handler to ensure unhandled exceptions return JSON.
+- **Disabled X-Powered-By header** — Removed the default Express `X-Powered-By` header from both the main API and agent API servers to reduce information exposure.
+- **Trivy scan queue** — Serialized concurrent Trivy invocations to prevent `"cache may be in use by another process"` errors when multiple containers are scanned simultaneously (batch triggers, on-demand scans, SBOM generation).
+- **Login error on wrong password** — `loginBasic()` attempted to parse the response body as JSON even on 401 failures, causing `Unexpected token 'U', "Unauthorized" is not valid JSON` errors instead of the friendly "Username or password error" message.
+- **Snackbar notification colors ignoring level** — The SnackBar component had a hardcoded `color="primary"` instead of binding to the `level` prop, causing error and warning notifications to display as blue instead of red/amber.
+- **SBOM format key mismatch** — Fixed container model schema validating SBOM formats against `cyclonedx` instead of the correct `cyclonedx-json` key.
+
+### Added
+
+- **Snyk vulnerability monitoring** — Integrated Snyk for continuous dependency scanning of `app/package.json` and `ui/package.json`. Added Snyk badge to README with `targetFile` parameter for monorepo support.
+- **Update Bouncer (Trivy safe-pull gate)** — Added pre-update vulnerability scanning for Docker-triggered updates. Candidate images are scanned before pull/restart, updates are blocked when vulnerabilities match configured blocking severities, and latest scan data is persisted on `container.security.scan`. Added `GET /api/containers/:id/vulnerabilities` endpoint for retrieving scan results.
+- **Update Bouncer signature verification (cosign)** — Added optional pre-update image signature verification. When enabled, Docker-triggered updates are blocked if candidate image signatures are missing/invalid or verification fails.
+- **Update Bouncer SBOM generation** — Added Trivy SBOM generation (`spdx-json`, `cyclonedx-json`) for candidate images with persistence in `container.security.sbom` and a new `GET /api/containers/:id/sbom` API endpoint (with `format` query support).
+- **Container card security status chip** — Added a vulnerability chip on container cards showing Update Bouncer scan status (`safe`, `blocked`, `scan error`) with severity summary tooltip data from `container.security.scan`.
+- **On-demand security scan** — Added `POST /api/containers/:id/scan` endpoint for triggering vulnerability scan, signature verification, and SBOM generation on demand. Broadcasts `dd:scan-started` and `dd:scan-completed` SSE events for real-time UI feedback. Added shield button to container card actions and mobile overflow menu.
+- **Direct container update from UI** — Added `POST /api/containers/:id/update` endpoint that triggers a Docker update directly without requiring trigger configuration. The "Update now" button in the UI now calls this single endpoint instead of looping through configured triggers.
+- **Trivy and cosign in official image** — The official drydock image now includes both `trivy` and `cosign` binaries, removing the need for custom images in local CLI mode.
+
+### Changed
+
+- **README badge layout** — Added line breaks to badge rows for a cleaner two-line layout across all three badge sections.
+- **Grafana dashboard overhaul** — Updated overview dashboard with standard datasource naming (`DS_PROMETHEUS`), added bar chart and pie chart panels, and restructured panel layout for better monitoring coverage.
+- **Mobile responsive dashboard** — Stat cards now stack full-width on small screens with tighter vertical spacing for a cleaner mobile layout.
+- **Self-update overlay rendering** — Switched logo images from `v-if` to `v-show` to avoid re-mount flicker during self-update phase transitions.
+- **Container sort simplification** — Simplified null-group sorting in ContainersView using sentinel value instead of multi-branch conditionals.
+- **Test coverage improvements** — Expanded app test coverage for API routes (backup, container-actions, preview, webhook), OIDC authentication, registry component resolution, tag parsing, and log sanitization. Expanded UI test coverage across 38 spec files with improved Vuetify stub fidelity (v-tooltip activator slot, v-list-item slots, app-bar-nav-icon events).
+- **Vitest coverage config** — Narrowed coverage to `.js`/`.ts` files only (excluding `.vue` SFCs) to avoid non-actionable template branch noise.
+- **Prometheus counter deduplication** — Extracted shared `createCounter` factory in `app/prometheus/counter-factory.ts`, reducing boilerplate across audit, webhook, trigger, and container-actions counter modules.
+- **API error handler deduplication** — Extracted shared `handleContainerActionError` helper in `app/api/helpers.ts`, consolidating duplicate catch-block logic across backup, preview, and container-actions routes.
+- **Lint and code quality fixes** — Fixed biome `noPrototypeBuiltins` warning in OIDC tests, added `id` attributes to README HTML headings to resolve markdownlint MD051, and tuned qlty smell thresholds.
+
+### Security
+
+- **CodeQL alert fixes** — Fixed log injection vulnerabilities by sanitizing user-controlled input before logging. Removed unused variables flagged by static analysis. Added rate limiting to the on-demand scan endpoint.
+- **Build provenance and SBOM attestations** — Added supply chain attestations to release workflow for verifiable build provenance.
+
+## [1.2.0]
+
+### Added
+
+- **Grafana dashboard template** — Importable Grafana JSON dashboard with panels for overview stats, watcher activity, trigger execution, registry response times, and audit entries. Uses datasource templating for portable Prometheus configuration.
+- **Audit log backend** — `AuditEntry` model, LokiJS-backed store with pagination and pruning, `GET /api/audit` endpoint with filtering, `dd_audit_entries_total` Prometheus counter, and automatic logging of container lifecycle events (update-available, update-applied, update-failed, rollback, preview, container-added, container-removed).
+- **Font Awesome 6 migration** — Replaced all Material Design Icons (`mdi-*`) with Font Awesome 6 equivalents. Configured Vuetify FA icon set, updated all service icon getters, component templates, and 54 test files.
+- **Dry-run preview API** — `POST /api/containers/:id/preview` returns what an update would do (current/new image, update kind, running state, networks) without performing it.
+- **Pre-update image backup and rollback** — LokiJS-backed backup store records container image state before each Docker trigger update. `GET /api/backups`, `GET /api/:id/backups`, and `POST /api/:id/rollback` endpoints. Configurable retention via `DD_TRIGGER_DOCKER_{name}_BACKUP_COUNT` (default 3).
+- **Frontend wiring** — Preview dialog with loading/error/success states wired to dry-run API. Full audit log table with filtering, pagination, and responsive column hiding replacing the MonitoringHistory placeholder. Recent Activity dashboard card showing latest 5 audit entries.
+- **Container action bar refactor** — Replaced 3-column text button layout with compact icon-button toolbar and tooltips (desktop) or overflow menu (mobile).
+- **Dashboard second row** — Added Recent Activity and stats cards as a second row on the dashboard.
+- **UI modernization** — Consistent `pa-4` padding, outlined/rounded cards, tonal chips, styled empty states, and Font Awesome icons across all views and components.
+- **Container actions (start/stop/restart)** — New API endpoints and UI buttons to start, stop, and restart Docker containers directly from the dashboard. Gated by `DD_SERVER_FEATURE_CONTAINERACTIONS` (default: enabled). Includes audit logging, Prometheus counter (`dd_container_actions_total`), desktop toolbar buttons with disabled-state awareness, and mobile overflow menu integration.
+- **Webhook API for on-demand triggers** — Token-authenticated HTTP endpoints (`POST /api/webhook/watch`, `/watch/:name`, `/update/:name`) for CI/CD integration. Gated by `DD_SERVER_WEBHOOK_ENABLED` and `DD_SERVER_WEBHOOK_TOKEN`. Includes rate limiting (30 req/15min), audit logging, Prometheus counter (`dd_webhook_total`), and a configuration info panel on the Server settings page.
+- **Container grouping / stack views** — New `GET /api/containers/groups` endpoint returns containers grouped by stack. Supports explicit group assignment via `dd.group` / `wud.group` labels with automatic fallback to `com.docker.compose.project`. Collapsible `ContainerGroup` component with group header showing name, container count, and update badges. "Smart group" filter option for automatic stack detection (`dd.group` > `wud.group` > compose project). "Update all in group" action to batch-update all containers in a group.
+- **Graceful self-update UI** — Self-update detection when drydock updates its own container. Server-Sent Events (SSE) endpoint at `/api/events/ui` for real-time browser push. Full-screen DVD-style bouncing whale logo overlay during self-updates with smooth phase transitions (updating, restarting, reconnecting, ready). Automatic health polling and page reload after restart.
+- **Lifecycle hooks (pre/post-update commands)** — Execute shell commands before and after container updates via `dd.hook.pre` and `dd.hook.post` labels. Pre-hook failures abort the update by default (`dd.hook.pre.abort=true`). Configurable timeout via `dd.hook.timeout` (default 60s). Environment variables exposed: `DD_CONTAINER_NAME`, `DD_IMAGE_NAME`, `DD_TAG_OLD`, `DD_TAG_NEW`, etc. Includes audit logging for hook success/failure and UI display in ContainerDetail panel.
+- **Automatic rollback on health check failure** — Monitors container health after updates and automatically rolls back to the previous image if the container becomes unhealthy. Configured via `dd.rollback.auto=true`, `dd.rollback.window` (default 300s), and `dd.rollback.interval` (default 10s). Requires Docker HEALTHCHECK on the container. Uses existing backup store for rollback images. Includes audit logging and UI display in ContainerDetail panel.
+- **selfhst/icons as primary icon CDN** — Switched to selfhst/icons as the primary icon CDN with homarr-labs as fallback, improving icon availability and coverage.
+
+### Fixed
+
+- **Navigation drawer not visible** — Used computed model for permanent/temporary modes; passing `model-value=undefined` caused Vuetify to treat the drawer as closed.
+- **Dark theme missing colors** — Added `info`, `success`, and `warning` color definitions to the dark theme.
+- **ContainerPreview updateKind display** — Fixed structured `updateKind` object rendering with semver-diff color coding.
+- **Invalid `text-body-3` CSS class** — Replaced with valid `text-body-2` in ConfigurationItem and TriggerDetail.
+- **404 catch-all route** — Added catch-all redirect to home for unknown routes.
+- **False downgrade suggestion for multi-segment tags** — Fixed semver parsing/comparison for numeric tags like `25.04.2.1.1` so newer major tags are no longer suggested as downgrades. ([#47](https://github.com/CodesWhat/drydock/issues/47))
+- **Configured path hardening for filesystem reads** — Added validated path resolution helpers and applied them to store paths, watcher TLS files, and MQTT TLS files before filesystem access.
+
+### Changed
+
+- **Audit event wiring** — Wired audit log entries and Prometheus counter increments for rollback, preview, container-added, container-removed, update-applied, and update-failed events. Registered `ContainerUpdateFailed` event with try/catch in Docker trigger.
+- **Test updates** — 20+ test files updated for v1.2.0 icon changes, CSS selectors, HomeView data model, theme toggle relocation, and audit module wiring. Removed obsolete specs.
+- **Updated doc icon examples** — Switched icon examples to prefer `hl:` and `si:` prefixes over deprecated `mdi:`.
+- **Code quality tooling consolidation** — Replaced Codacy + SonarCloud with Qlty + Snyk. Rewrote `lefthook.yml` pre-push hooks to run `qlty check`, `snyk test`, `snyk code test` (informational), builds, and tests. Added `scripts/snyk-code-gate.sh` wrapper.
+- **Biome formatting** — Applied `biome format` across entire codebase for consistent code style.
+- **README badges** — Replaced Codacy/SonarCloud badges with CI status, Qlty maintainability, and Snyk badges.
+- **ConfigurationItem redesign** — Icon moved to the left with name as prominent text and type as subtitle, replacing the old badge/chip pattern across all configuration pages.
+- **TriggerDetail redesign** — Same modern layout treatment as ConfigurationItem (icon left, name prominent, type subtitle).
+- **Registry page brand colors** — Added brand-colored icon backgrounds for each registry provider (Docker blue, GitHub purple, AWS orange, Google blue, etc.) via `getRegistryProviderColor()` helper and new `iconColor` prop on ConfigurationItem.
+- **Consistent card styling** — Unified `variant="outlined" rounded="lg"` across ContainerItem, ContainerGroup, ContainerTrigger, and WebhookInfo cards for a cohesive look.
+- **Home page severity badges removed** — Removed redundant MAJOR/MINOR severity badges from the container updates list; version chip color already indicates severity.
+- **History page filter bar** — Removed redundant "Update History" heading (already in app bar) and added a collapsible filter bar with active filter chips.
+- **Logs page spacing** — Fixed spacing between the config item and logs card.
+- **Self-update overlay responsive** — Mobile-responsive self-update overlay uses static top-center positioning with fade-in animation on small screens instead of DVD bounce.
+- **QA compose enhancements** — Added HTTP trigger, basic auth, and webhook configuration to `test/qa-compose.yml` for integration testing.
+- **Login page redesign** — Redesigned login page with new font, icon colors, and layout polish.
+- **Docker Hub and Quay.io multi-registry publishing** — Container images now published to Docker Hub and Quay.io alongside GHCR for broader registry availability.
+- **Mobile responsive dashboard** — Per-type colored update badges (major=red, minor=warning, patch=success, digest=info) and icon-only tabs on mobile viewports.
+- **Dark mode app bar logo inversion** — App bar logo now inverts correctly in dark mode for improved visibility.
+- **History page mobile improvements** — Shorter timestamps, hidden status column, and truncated container names on mobile viewports.
+- **Container filter mobile labels** — Short labels ("Updates", "Time") on mobile breakpoint for compact filter display.
+- **Biome and Qlty config alignment** — Aligned Biome and Qlty configurations for consistent code quality enforcement.
+
+### Security
+
+- **RE2 regex engine** — Replaced native `RegExp` with Google's RE2 (`re2` npm package) for all user-supplied regex patterns (includeTags, excludeTags, transformTags). RE2 uses a linear-time matching algorithm that is inherently immune to ReDoS catastrophic backtracking.
+- **Docs dependency vulnerability fixes** — Fixed 9 CVEs in docs/ transitive dependencies via npm overrides (dompurify 2→3, marked 1→4, got 9→11).
+
+### Removed
+
+- **Dead code removal** — Deleted unused `AppFooter` and `ConfigurationStateView` components, dead computed props (`filteredUpdates`, `upToDateCount`), duplicate `isTriggering` reset, dead `mdi:` prefix replacement in IconRenderer, dead `container-deleted` listener, and Maintenance Windows placeholder.
+- **Removed `@mdi/font` dependency** — Dropped unused Material Design Icons package.
+- **Removed Codacy and SonarCloud** — Replaced with Qlty (local code quality) and Snyk (dependency + SAST scanning) for a unified local-first quality gate.
+- **Removed stale tracking docs** — Deleted `SONARQUBE-ISSUES.md`, `docs/sonar-smells-tracking.md`, and `docs/codacy-high-findings-tracking.md`.
+
+### Documentation
+
+- **Popular imgset presets** — Added a curated preset guide at `docs/configuration/watchers/popular-imgsets.md` and linked it from watcher docs.
+
+## [1.1.3]
+
+### Fixed
+
+- **ERR_ERL_PERMISSIVE_TRUST_PROXY on startup** — Express `trust proxy` was hard-coded to `true`, which triggers a validation error in `express-rate-limit` v8+ when the default key generator infers client IP from `X-Forwarded-For`. Replaced with a configurable `DD_SERVER_TRUSTPROXY` env var (default: `false`). Set to `1` (hop count) when behind a single reverse proxy, or a specific IP/CIDR for tighter control. ([#43](https://github.com/CodesWhat/drydock/issues/43))
+
+---
+
+## [1.1.2]
+
+### Fixed
+
+- **Misleading docker-compose file error messages** — When a compose file had a permission error (EACCES), the log incorrectly reported "does not exist" instead of "permission denied". Now distinguishes between missing files and permission issues with actionable guidance. ([#42](https://github.com/CodesWhat/drydock/issues/42))
+- **Agent watcher registration fails on startup** — Agent component path resolved outside the runtime root (`../agent/components` instead of `agent/components`), causing "Unknown watcher provider: 'docker'" errors and preventing agent watchers/triggers from registering. ([#42](https://github.com/CodesWhat/drydock/issues/42))
+
+### Changed
+
+- **Debug logging for component registration** — Added debug-level logging showing resolved module paths during component registration and agent component registration attempts, making path resolution issues easier to diagnose.
+
+---
+
+## [1.1.1] - 2026-02-11
+
+### Fixed
+
+- **Read-only Docker socket support** — Drydock's privilege drop prevented non-root users from connecting to `:ro` socket mounts. Added `DD_RUN_AS_ROOT=true` env var to skip the drop, improved EACCES error messages with actionable guidance, and documented socket proxy as the recommended secure alternative. ([#38](https://github.com/CodesWhat/drydock/issues/38))
+- **Prometheus container gauge crash with agent containers** — The container gauge used a blacklist filter that let unknown properties (like `agent`) slip through and crash prom-client. Switched to a whitelist of known label names so unknown properties are silently ignored. ([#39](https://github.com/CodesWhat/drydock/issues/39))
+- **Snackbar toast transparency** — Used `flat` variant for solid background on toast notifications.
+- **Container filter layout broken on narrow viewports** — Filter columns rendered text vertically when the nav drawer was open because all 8 `v-col` elements had no width constraints. Added responsive breakpoints (`cols`/`sm`/`md`) so filters wrap properly across screen sizes. ([#40](https://github.com/CodesWhat/drydock/issues/40))
+
+## [1.1.0] - 2026-02-10
+
+### Added
+
+- **Application log viewer** — New Configuration > Logs page with a terminal-style viewer for drydock's own runtime logs (startup, polling, registry checks, trigger events, errors). Backed by an in-memory ring buffer (last 1,000 entries) exposed via `GET /api/log/entries`. Supports level filtering (debug/info/warn/error), configurable tail count (50/100/500/1,000), color-coded output, and auto-scroll to newest entries. An info tooltip shows the configured server log level.
+- **Agent log source selector** — When agents are configured, a "Source" dropdown appears in the log viewer to switch between the controller's own logs and any connected agent's logs. Disconnected agents are shown but disabled. Agent logs are proxied via `GET /api/agents/:name/log/entries`.
+- **Container log viewer** — New "Logs" tab in the container detail expansion panel to view container stdout/stderr output directly in the UI with tail control and refresh.
+
+## [1.0.2] - 2026-02-10
+
+### Fixed
+
+- **Registry and trigger crashes in agent mode** — `getSummaryTags()` and `getTriggerCounter()` also return `undefined` in agent mode. Added optional chaining to all remaining Prometheus call sites so agent mode doesn't crash when processing containers or firing triggers. (Fixes #33)
+
+## [1.0.1] - 2026-02-10
+
+### Fixed
+
+- **Prometheus gauge crash in agent mode** — `getWatchContainerGauge()` returns `undefined` in agent mode since Prometheus is not initialized. Added optional chaining so the `.set()` call is safely skipped. This was the root cause of containers not being discovered in agent mode. (Fixes #23, #31)
+
+### Changed
+
+- **su-exec privilege dropping** — Entrypoint detects the docker socket GID and drops from root to the `node` user via `su-exec` when possible. Stays root only for GID 0 sockets (Docker Desktop / OrbStack). (Refs #25)
+- **tini init system** — Added `tini` as PID 1 for proper signal forwarding to the Node process.
+- **Graceful shutdown** — `SIGINT`/`SIGTERM` handlers now call `process.exit()` after cleanup so the container actually stops.
+
+## [1.0.0] - 2026-02-10
+
+First semver release. Drydock adopts semantic versioning starting with this release, replacing the previous CalVer (YYYY.MM.PATCH) scheme.
+
+### Security
+
+- **ReDoS prevention** — Replaced vulnerable regexes in trigger template evaluation (`Trigger.ts`) with linear-time string parsing (`parseMethodCall`, `isValidPropertyPath`). Added `MAX_PATTERN_LENGTH` guards in tag transform (`tag/index.ts`) and Docker watcher (`Docker.ts`) to reject oversized user-supplied regex patterns.
+- **XSS prevention** — Added `escapeHtml()` sanitizer to Telegram trigger `bold()` method, preventing HTML injection via container names or tag values.
+- **Workflow hardening** — Set top-level `permissions: read-all` in `release.yml` and `codeql.yml`. Pinned all CodeQL action refs to commit hashes. Added CodeQL config to exclude `js/clear-text-logging` false positives.
+- **CVE-2026-24001** — Updated `diff` dependency in e2e tests (4.0.2 → 4.0.4).
+
+### Changed
+
+- **+285 UI tests** — 15 new spec files and 7 expanded existing specs covering configuration views, container components, trigger detail, services, router, and app shell. UI test count: 163 → 285.
+- **+59 app tests** — New edge-case tests for ReDoS guard branches, `parseMethodCall` parsing, and Docker watcher label resolution. App test count: 1,254 → 1,313.
+- **Complexity refactors** — Extracted helpers from high-complexity functions: `parseTriggerList`/`applyPolicyAction` (`container.ts`), `resolveLabelsFromContainer`/`mergeConfigWithImgset` (`Docker.ts`).
+- **Biome lint fixes** — `import type` corrections and unused variable cleanup across 17 files.
+- **Fixed doc links** — Corrected broken fragment links in `docs/_coverpage.md`.
+
+### Removed
+
+- **Removed legacy `vue.config.js`** — Dead Vue CLI config file; project uses Vite.
+
+## [2026.2.3] - 2026-02-10
+
+### Fixed
+
+- **NTFY trigger auth 401** — Bearer token auth used unsupported `axios.auth.bearer` property; now sends `Authorization: Bearer <token>` header. Basic auth property names corrected to `username`/`password`. (#27)
+- **Agent mode missing /health** — Added unauthenticated `/health` endpoint to the agent server, mounted before the auth middleware so Docker healthchecks work without the agent secret. (#27)
+
+### Changed
+
+- **Lefthook pre-push hooks** — Added `lefthook.yml` with pre-push checks (lint + build + test).
+- **Removed startup warning** — Removed "Known Issue" notice from README now that container startup issues are resolved.
+
+## [2026.2.2] - 2026-02-10
+
+### Security
+
+- **Cosign keyless signing** — Container image releases are now signed with Sigstore cosign keyless signing for supply chain integrity.
+- **Least-privilege workflow permissions** — Replaced overly broad `read-all` with minimum specific permissions across all CI/CD workflows.
+- **CodeQL and Scorecard fixes** — Resolved all high-severity CodeQL and OpenSSF Scorecard security alerts.
+- **Pinned CI actions** — All CI action references pinned to commit hashes with Dockerfile base image digest.
+
+### Added
+
+- **Auto-dismiss notifications after container update** — New `resolvenotifications` option for triggers (default: `false`). When enabled, notification triggers automatically delete the sent message after the Docker trigger successfully updates the container. Implemented for Gotify via its `deleteMessage` API. Other providers (Slack, Discord, ntfy) can add support by overriding the new `dismiss()` method on the base Trigger class. New `containerUpdateApplied` event emitted by the Docker trigger on successful update.
+
+### Fixed
+
+- **Agent mode Prometheus crash** — Guard `getWatchContainerGauge().set()` against undefined in Agent mode where Prometheus is not initialized, fixing "Cannot read properties of undefined (reading 'set')" crash (#23)
+- **Sanitize version logging** — Sanitize version strings from env vars before logging to resolve CodeQL clear-text-logging alerts in `index.ts` and `store/migrate.ts`
+- **Broken event test assertion** — Fix `expect()` without matcher in event test
+
+### Changed
+
+- **97% test coverage** — Boosted from 76% to 97% with 449 new tests (1,254 total across 95 test files).
+- **Fuzz testing** — Added property-based fuzz tests with fast-check for Docker image name parsing.
+- **Static analysis fixes** — Optional chaining, `String#replaceAll()`, `readonly` modifiers, `Number.NaN`, concise regex syntax, removed unused imports, moved functions to outer scope.
+- **Reduced code duplication** — Refactored duplicated code in registries, triggers, and store test files flagged by SonarCloud.
+- **Pino logging** — Replaced bunyan with pino to eliminate vulnerable transitive dependencies. Added pino-pretty for human-readable log output.
+- **Renamed wud to drydock** — Project references updated from upstream naming across Dockerfile, entrypoint, package files, scripts, and test fixtures.
+- **CONTRIBUTING.md** — Added contributor guidelines.
+- **OpenSSF Best Practices badge** — Added to README.
+- **SonarCloud integration** — Added project configuration.
+- **Multi-arch container images** — Docker images now built for both `linux/amd64` and `linux/arm64` architectures, published to GHCR.
+- **Lefthook pre-push hooks** — Added lefthook config with pre-push checks (lint + build + test) and `npm run check` convenience script.
+- **CodeQL query exclusion** — Exclude `js/clear-text-logging` query (false positives on DD_VERSION env var).
+
+## [2026.1.0]
+
+### Added
+
+- **Agent mode** — Distributed monitoring with remote agent architecture. Agent components, SSE-based communication, dedicated API routes.
+- **OIDC token lifecycle** — Remote watcher HTTPS auth with `Basic` + `Bearer` token support. TLS/mTLS compatibility for `DD_WATCHER_{name}_HOST`.
+- **OIDC device-flow (Phase 2)** — RFC 8628 Device Authorization Grant for headless remote watcher auth. Auto-detection, polling with backoff, and refresh token rotation.
+- **Per-image config presets** — `imgset` defaults for per-image configuration. Added `watchDigest` and `inspectTagPath` imgset properties.
+- **Hybrid triggers** — Trigger group defaults (`DD_TRIGGER_{name}_THRESHOLD`) shared across providers. Name-only include/exclude for multi-provider trigger management.
+- **Container update policy** — Skip/snooze specific update versions. Per-container policy stored in DB, exposed via API and UI.
+- **Metrics auth toggle** — `DD_SERVER_METRICS_AUTH` env var to disable auth on `/metrics` endpoint.
+- **Trigger thresholds** — Digest and no-digest thresholds for triggers.
+- **NTFY provider-level threshold** — Provider-level threshold support for ntfy trigger.
+- **Docker pull progress logging** — Rate-limited pull progress output during docker-compose updates.
+- **Registry lookup image override** — `lookupImage` field on registry config to override the image used for tag lookups.
+- **Docker inspect tag path** — Support custom tag path in Docker inspect output.
+- **Anonymous LSCR and TrueForge registries** — Allow anonymous access to LSCR (LinuxServer) and Quay-backed TrueForge.
+- **DHI registry** — New `dhi.io` registry provider with matcher, auth flow, and docs.
+- **Custom URL icons** — Support URL-based icons via `dd.display.icon` label.
+- **Version skip** — Skip specific versions in the UI.
+- **Log viewer** — In-app container log viewer. View Docker container stdout/stderr output directly in the UI via a new "Logs" tab on each container. Supports configurable tail line count (50/100/500), manual refresh, and Docker stream demultiplexing. Works for both local and remote agent containers.
+- **Semver tag recovery** — Recover include-filter mismatched semver tags from watchers. Extended to advise best semver tag when current tag is non-semver (e.g., `latest`).
+- **Dashboard update chips** — Replaced verbose update status text with compact colored chips: green "up to date" or warning "N update(s)" (clickable).
+
+### Fixed
+
+- **eval() code injection** — Replaced `eval()` in trigger template rendering with safe expression evaluator supporting property paths, method allowlist, ternaries, and string concatenation.
+- **Digest-only update prune crash** — Docker trigger prune logic now correctly excludes current image during digest-only updates and handles post-prune errors gracefully.
+- **Swarm deploy-label debug logging** — Added warn-level logging when Swarm service inspect fails, and debug logging showing which label sources contain `dd.*` labels.
+- **OIDC session state races** — Serialized redirect session checks, multiple pending callback states per session.
+- **semverDiff undefined** — Normalized `semverDiff` for non-tag (digest-only/created-date-only) updates.
+- **Docker event stream crash** — Buffered and parsed split Docker event stream payloads.
+- **Multi-network container recreate** — Reconnects additional networks after container recreation.
+- **Remote watcher delayed first scan** — `watchatstart` now checks watcher-local store for new remote watchers.
+- **docker-compose post_start hooks** — Hooks now execute after updates.
+- **docker-compose image-only triggers** — Only trigger on compose services with actual image changes.
+- **docker-compose imageless services** — Skip compose services without an `image` field.
+- **docker-compose implicit latest tag** — Normalize `image: nginx` to `image: nginx:latest` so compose triggers don't treat implicit latest as a version mismatch.
+- **Express 5 wildcard routes** — Named wildcard route params for express 5 compatibility.
+- **Semver filtering** — Fixed semver part filtering and prefix handling.
+- **SMTP TLS_VERIFY inverted** — `rejectUnauthorized` was inverted; `TLS_VERIFY=false` now correctly allows self-signed certificates.
+- **HA MQTT deprecated object_id** — Replaced `object_id` with `default_entity_id` for Home Assistant 2025.10+ compatibility.
+- **Open redirect on authenticated pages** — Validate `next` query parameter to only allow internal routes.
+- **Trigger test updateKind crash** — Test-button triggers no longer crash with "Cannot read properties of undefined (reading 'updateKind')" on unvalidated containers.
+- **Docker rename event not captured** — Added `rename` to Docker event listener so container name updates are captured after compose recreates.
+- **UI duplicate drawer logo** — Removed duplicate logo in navigation drawer.
+
+### Changed
+
+- **TypeScript migration (app)** — Entire backend converted from JavaScript to TypeScript with ES Modules (`NodeNext`). 232 `.ts` files added/renamed, all `.js` source files removed.
+- **TypeScript migration (UI)** — Vue 3 frontend migrated from JS to TS. 29 `.vue` files updated, component props/emits typed.
+- **Jest → Vitest (app)** — All 64 app test files (664 tests) migrated from Jest to Vitest. Test runner unified across app and UI.
+- **Jest → Vitest (UI)** — UI unit tests migrated from Jest to Vitest with improved coverage.
+- **Vitest 4 + modern deps** — Upgraded vitest 3→4, uuid 11→13, flat 5→6, snake-case 3→4. Fixed vitest 4 mock constructor breaking change.
+- **ESM baseline** — Cut over to `NodeNext` module resolution. Removed Babel, added `tsconfig.json`.
+- **Biome linter** — Replaced ESLint with Biome for formatting and linting.
+- **CI cleanup** — Removed Code Climate config, renamed Travis config to `ci.config.yml`.
+
+### Dependencies
+
+| Package | Upstream (8.1.1) | drydock |
+| --- | --- | --- |
+| vitest | 3.x (Jest) | 4.x |
+| uuid | 9.x | 13.x |
+| flat | 5.x | 6.x |
+| snake-case | 3.x | 4.x |
+| express | 4.x | 5.x |
+| typescript | — | 5.9 |
+| biome | — | 2.3 |
+
+> **Stats:** 392 files changed, +25,725 insertions, -25,995 deletions, 872 total tests (709 app + 163 UI).
+
+## Upstream Backports
+
+The following changes from `upstream/main` (post-fork) have been ported to drydock:
+
+| Description | Status |
+| --- | --- |
+| Add Codeberg to default registries | Ported (new TS provider) |
+| Increase `maxAliasCount` in YAML parsing | Ported |
+| Fix authentication for private ECR registry (async `getAuthPull`) | Ported across all registries |
+| Prometheus: add `DD_PROMETHEUS_ENABLED` config | Ported |
+| Fix Authelia OIDC docs (field names) | Ported |
+| Buffer Docker event stream before JSON parse | Already fixed independently |
+| SMTP trigger: allow display name in from address ([#908](https://github.com/getwud/wud/pull/908)) | Ported |
+
+Remaining upstream-only changes (not ported — not applicable to drydock):
+
+| Description | Reason |
+| --- | --- |
+| Fix e2e tests (x2) | JS-based, drydock tests are TS |
+| Fix prettier | drydock uses Biome |
+| Fix codeberg tests | Covered by drydock's own tests |
+| Update changelog | Upstream-specific |
+
+[Unreleased]: https://github.com/CodesWhat/drydock/compare/v1.4.5...HEAD
+[1.4.5]: https://github.com/CodesWhat/drydock/compare/v1.4.4...v1.4.5
+[1.4.4]: https://github.com/CodesWhat/drydock/compare/v1.4.3...v1.4.4
+[1.4.3]: https://github.com/CodesWhat/drydock/compare/v1.4.2...v1.4.3
+[1.4.2]: https://github.com/CodesWhat/drydock/compare/v1.4.1...v1.4.2
+[1.4.1]: https://github.com/CodesWhat/drydock/compare/v1.4.0...v1.4.1
+[1.4.0]: https://github.com/CodesWhat/drydock/compare/v1.3.9...v1.4.0
+[1.3.9]: https://github.com/CodesWhat/drydock/compare/v1.3.8...v1.3.9
+[1.3.8]: https://github.com/CodesWhat/drydock/compare/v1.3.7...v1.3.8
+[1.3.7]: https://github.com/CodesWhat/drydock/compare/v1.3.6...v1.3.7
+[1.3.6]: https://github.com/CodesWhat/drydock/compare/v1.3.5...v1.3.6
+[1.3.5]: https://github.com/CodesWhat/drydock/compare/v1.3.4...v1.3.5
+[1.3.4]: https://github.com/CodesWhat/drydock/compare/v1.3.3...v1.3.4
+[1.3.3]: https://github.com/CodesWhat/drydock/compare/v1.3.2...v1.3.3
+[1.3.2]: https://github.com/CodesWhat/drydock/compare/v1.3.1...v1.3.2
+[1.3.1]: https://github.com/CodesWhat/drydock/compare/v1.3.0...v1.3.1
+[1.3.0]: https://github.com/CodesWhat/drydock/compare/v1.2.0...v1.3.0
+[1.2.0]: https://github.com/CodesWhat/drydock/compare/1.1.3...v1.2.0
+[1.1.3]: https://github.com/CodesWhat/drydock/compare/1.1.2...1.1.3
+[1.1.2]: https://github.com/CodesWhat/drydock/compare/v1.1.1...1.1.2
+[1.1.1]: https://github.com/CodesWhat/drydock/compare/v1.1.0...1.1.1
+[1.1.0]: https://github.com/CodesWhat/drydock/compare/v1.0.2...v1.1.0
+[1.0.2]: https://github.com/CodesWhat/drydock/compare/v1.0.1...v1.0.2
+[1.0.1]: https://github.com/CodesWhat/drydock/compare/v1.0.0...v1.0.1
+[1.0.0]: https://github.com/CodesWhat/drydock/releases/tag/v1.0.0
+[2026.2.3]: https://github.com/CodesWhat/drydock/compare/2026.2.2...2026.2.3
+[2026.2.2]: https://github.com/CodesWhat/drydock/compare/2026.1.0...2026.2.2
+[2026.1.0]: https://github.com/CodesWhat/drydock/releases/tag/2026.1.0
diff --git a/content/docs/v1.4/changelog/meta.json b/content/docs/v1.4/changelog/meta.json
new file mode 100644
index 000000000..0a4eb57fc
--- /dev/null
+++ b/content/docs/v1.4/changelog/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Changelog",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/actions/index.mdx b/content/docs/v1.4/configuration/actions/index.mdx
new file mode 100644
index 000000000..d6dd70008
--- /dev/null
+++ b/content/docs/v1.4/configuration/actions/index.mdx
@@ -0,0 +1,68 @@
+---
+title: "Container Actions"
+description: "Start, stop, restart, update, and delete containers directly from drydock."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+
+## Overview
+
+Drydock provides direct container management actions through both the UI and API. These actions let you control containers without leaving the drydock interface.
+
+## Available actions
+
+| Action | API endpoint | Description |
+| --- | --- | --- |
+| **Start** | `POST /api/containers/:id/start` | Start a stopped container |
+| **Stop** | `POST /api/containers/:id/stop` | Stop a running container |
+| **Restart** | `POST /api/containers/:id/restart` | Restart a container |
+| **Update** | `POST /api/containers/:id/update` | Pull new image and recreate container |
+| **Delete** | `DELETE /api/containers/:id` | Remove container from drydock tracking |
+
+## Feature flags
+
+Container actions can be individually toggled with environment variables:
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_SERVER_FEATURE_CONTAINERACTIONS` | ⚪ | Enable start, stop, restart, and update actions | `true`, `false` | `true` |
+| `DD_SERVER_FEATURE_DELETE` | ⚪ | Enable container deletion | `true`, `false` | `true` |
+
+<Callout type="info">When a feature flag is disabled, the corresponding buttons are hidden in the UI and the API endpoints return `403 Forbidden`.</Callout>
+<Callout type="warn">Container action endpoints currently use an authentication-only, single-operator trust model. Any authenticated user can start, stop, restart, update, or delete any container. Run drydock behind trusted SSO/access controls until fine-grained RBAC is available.</Callout>
+
+## Update action
+
+The update action triggers the Docker or Docker Compose trigger for the selected container. It will:
+
+1. Pull the latest image
+2. Backup the current image
+3. Run lifecycle hooks (if configured)
+4. Stop and remove the current container
+5. Create and start the new container
+6. Monitor health (if auto-rollback is enabled)
+
+See [Lifecycle Hooks](/docs/configuration/hooks) and [Backup & Rollback](/docs/configuration/rollback) for related configuration.
+
+## Preview
+
+Before updating, you can preview what will change using the dry-run endpoint:
+
+`POST /api/containers/:id/preview`
+
+This returns the proposed changes without executing them.
+
+## Metrics
+
+All container actions are tracked via Prometheus counters. See [Monitoring](/docs/monitoring) for details.
+
+## Example — disable all actions
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    environment:
+      - DD_SERVER_FEATURE_CONTAINERACTIONS=false
+      - DD_SERVER_FEATURE_DELETE=false
+```
diff --git a/content/docs/v1.4/configuration/actions/meta.json b/content/docs/v1.4/configuration/actions/meta.json
new file mode 100644
index 000000000..6b2ae90ac
--- /dev/null
+++ b/content/docs/v1.4/configuration/actions/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Container Actions",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/agents/index.mdx b/content/docs/v1.4/configuration/agents/index.mdx
new file mode 100644
index 000000000..2364c9153
--- /dev/null
+++ b/content/docs/v1.4/configuration/agents/index.mdx
@@ -0,0 +1,219 @@
+---
+title: "Agents"
+description: "Agent Mode allows running Drydock in a distributed manner across multiple Docker hosts."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+
+The **Agent Mode** allows running drydock in a distributed manner.
+
+- **Agent Node**: Runs near the Docker socket (or other container sources). It performs discovery and update checks.
+- **Controller Node**: The central instance. It manages its own local watchers AND connects to remote Agents. It aggregates containers from Agents, and handles persistence, UI, and Notifications.
+
+## Architecture
+
+The Controller connects to one or more Agents via HTTP/HTTPS. The Agent pushes real-time updates (container changes, new versions found) to the Controller using Server-Sent Events (SSE).
+
+## Agent Configuration
+
+To run drydock in Agent mode, start the application with the `--agent` command line flag.
+
+### Agent Environment Variables
+
+| Env var | Required | Description | Default |
+| :--- | :---: | :--- | :--- |
+| `DD_AGENT_SECRET` | 🔴 | Secret token for authentication (must match Controller configuration) | |
+| `DD_AGENT_SECRET_FILE` | ⚪ | Path to file containing the secret token | |
+| `DD_SERVER_PORT` | ⚪ | Port to listen on | `3000` |
+| `DD_SERVER_TLS_*` | ⚪ | Standard [Server](/docs/configuration/server) TLS options | |
+| `DD_WATCHER_{name}_*` | 🔴 | [Watcher](/docs/configuration/watchers) configuration (At least one is required) | |
+| `DD_TRIGGER_DOCKER_{name}_*` | ⚪ | [Docker trigger](/docs/configuration/triggers/docker) for container updates (required to update containers from UI/API) | |
+| `DD_REGISTRY_{name}_*` | ⚪ | [Registry](/docs/configuration/registries) configuration (For update checks) | |
+
+<Callout type="warn">**Watcher and trigger env vars use different naming patterns.** Watchers are `DD_WATCHER_{name}_{option}` (no provider segment — Docker is the only watcher type). Triggers are `DD_TRIGGER_DOCKER_{name}_{option}` (provider segment required). A common mistake is writing `DD_TRIGGER_DOCKER_PRUNE=true` (missing the name) — this creates a broken trigger named "prune" instead of a trigger with `PRUNE=true`. Use `DD_TRIGGER_DOCKER_{name}_PRUNE=true` instead.</Callout>
+
+### Agent Example (Docker Compose)
+
+<Callout type="info">This example uses a [socket proxy](/docs/configuration/watchers#option-1-socket-proxy-recommended) for secure Docker socket access. Agents also support [direct socket mount](/docs/configuration/watchers#option-4-direct-socket-mount-default) and [remote TLS](/docs/configuration/watchers#option-2-remote-docker-over-tls) connections.</Callout>
+
+```yaml
+services:
+  drydock-socket-proxy:
+    image: lscr.io/linuxserver/socket-proxy:latest
+    container_name: drydock-socket-proxy
+    restart: unless-stopped
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    environment:
+      - CONTAINERS=1
+      - IMAGES=1
+      - EVENTS=1
+      - POST=1
+      - DELETE=1
+      - NETWORKS=1
+      - VOLUMES=1
+    healthcheck:
+      test: wget --spider http://localhost:2375/version || exit 1
+      interval: 5s
+      timeout: 3s
+      retries: 3
+      start_period: 5s
+
+  drydock-agent:
+    image: codeswhat/drydock
+    command: --agent
+    depends_on:
+      drydock-socket-proxy:
+        condition: service_healthy
+    ports:
+      - "3000:3000"
+    environment:
+      # Shared secret (must match controller's DD_AGENT_{name}_SECRET)
+      - DD_AGENT_SECRET=mysecretkey
+      # Watcher — discovers containers on this host
+      - DD_WATCHER_LOCAL_HOST=drydock-socket-proxy
+      - DD_WATCHER_LOCAL_PORT=2375
+      # Docker trigger — allows updating containers from UI/API
+      - DD_TRIGGER_DOCKER_LOCAL_PRUNE=true
+```
+
+## Controller Configuration
+
+To connect a Controller to an Agent, use the `DD_AGENT_{name}_*` environment variables.
+
+### Controller Environment Variables
+
+| Env var | Required | Description | Default |
+| :--- | :---: | :--- | :--- |
+| `DD_AGENT_{name}_SECRET` | 🔴 | Secret token to authenticate with the Agent | |
+| `DD_AGENT_{name}_SECRET_FILE` | ⚪ | Path to file containing the secret token | |
+| `DD_AGENT_{name}_HOST` | 🔴 | Hostname or IP of the Agent | |
+| `DD_AGENT_{name}_PORT` | ⚪ | Port of the Agent | `3000` |
+| `DD_AGENT_{name}_CAFILE` | ⚪ | CA certificate path for TLS connection | |
+| `DD_AGENT_{name}_CERTFILE` | ⚪ | Client certificate path for TLS connection | |
+| `DD_AGENT_{name}_KEYFILE` | ⚪ | Client key path for TLS connection | |
+
+### Controller Example (Docker Compose)
+
+```yaml
+services:
+  drydock-controller:
+    image: codeswhat/drydock
+    environment:
+      - DD_AGENT_REMOTE1_HOST=192.168.1.50
+      - DD_AGENT_REMOTE1_SECRET=mysecretkey
+    ports:
+      - 3000:3000
+```
+
+## Complete Multi-Host Example
+
+This example shows a controller watching its own containers and connecting to one remote agent. The controller handles notifications (Slack, SMTP, etc.); each agent handles its own container updates.
+
+### Controller
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ports:
+      - "3000:3000"
+    depends_on:
+      socket-proxy:
+        condition: service_healthy
+    volumes:
+      - /path/to/store:/store
+    environment:
+      # --- Local watcher (controller's own containers) ---
+      - DD_WATCHER_LOCAL_HOST=drydock-socket-proxy
+      - DD_WATCHER_LOCAL_PORT=2375
+      - DD_WATCHER_LOCAL_WATCHBYDEFAULT=true
+
+      # --- Local docker trigger (update controller's own containers) ---
+      - DD_TRIGGER_DOCKER_LOCAL_PRUNE=true
+
+      # --- Remote agent connection ---
+      - DD_AGENT_REMOTE1_HOST=192.168.1.50
+      - DD_AGENT_REMOTE1_PORT=3000
+      - DD_AGENT_REMOTE1_SECRET=mysecretkey
+
+      # --- Notifications (run on controller only) ---
+      - DD_TRIGGER_SMTP_ALERTS_HOST=smtp.example.com
+      - DD_TRIGGER_SMTP_ALERTS_PORT=587
+      - DD_TRIGGER_SMTP_ALERTS_USER=user@example.com
+      - DD_TRIGGER_SMTP_ALERTS_PASS=password
+      - DD_TRIGGER_SMTP_ALERTS_FROM=drydock@example.com
+      - DD_TRIGGER_SMTP_ALERTS_TO=admin@example.com
+
+  socket-proxy:
+    image: lscr.io/linuxserver/socket-proxy:latest
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    environment:
+      - CONTAINERS=1
+      - IMAGES=1
+      - EVENTS=1
+      - POST=1
+      - DELETE=1
+      - NETWORKS=1
+      - VOLUMES=1
+    healthcheck:
+      test: wget --spider http://localhost:2375/version || exit 1
+      interval: 5s
+      timeout: 3s
+      retries: 3
+      start_period: 5s
+```
+
+### Agent (on 192.168.1.50)
+
+```yaml
+services:
+  drydock-socket-proxy:
+    image: lscr.io/linuxserver/socket-proxy:latest
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    environment:
+      - CONTAINERS=1
+      - IMAGES=1
+      - EVENTS=1
+      - POST=1
+      - DELETE=1
+      - NETWORKS=1
+      - VOLUMES=1
+    healthcheck:
+      test: wget --spider http://localhost:2375/version || exit 1
+      interval: 5s
+      timeout: 3s
+      retries: 3
+      start_period: 5s
+
+  drydock-agent:
+    image: codeswhat/drydock
+    command: --agent
+    depends_on:
+      drydock-socket-proxy:
+        condition: service_healthy
+    ports:
+      - "3000:3000"
+    environment:
+      # Must match controller's DD_AGENT_REMOTE1_SECRET
+      - DD_AGENT_SECRET=mysecretkey
+      # Watcher — discovers containers on this host
+      - DD_WATCHER_LOCAL_HOST=drydock-socket-proxy
+      - DD_WATCHER_LOCAL_PORT=2375
+      # Docker trigger — required to update containers via UI/API
+      - DD_TRIGGER_DOCKER_LOCAL_PRUNE=true
+```
+
+<Callout type="warn">**Do not configure notification triggers (Slack, SMTP, etc.) on agents.** Only `docker` and `dockercompose` triggers are supported in agent mode. Notification triggers must be configured on the controller.</Callout>
+
+<Callout type="info">**You do not need to define `DD_TRIGGER_DOCKER_*` on the controller for each agent.** During the handshake, the controller automatically discovers the agent's triggers and creates internal proxies. The controller only needs its own `DD_TRIGGER_DOCKER_*` for updating containers on its local host.</Callout>
+
+## Features in Agent Mode
+
+- **Watchers**: Run on the Agent to discover containers.
+- **Registries**: Configured on the Agent to check for updates.
+- **Triggers**:
+  - `docker` and `dockercompose` triggers are configured and executed **on the Agent** (allowing update of remote containers). The controller automatically proxies update requests to the correct agent.
+  - Notification triggers (e.g. `smtp`, `discord`) are configured and executed **on the Controller**.
diff --git a/content/docs/v1.4/configuration/agents/meta.json b/content/docs/v1.4/configuration/agents/meta.json
new file mode 100644
index 000000000..1e773ce14
--- /dev/null
+++ b/content/docs/v1.4/configuration/agents/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Agents",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/authentications/basic/index.mdx b/content/docs/v1.4/configuration/authentications/basic/index.mdx
new file mode 100644
index 000000000..960908ad1
--- /dev/null
+++ b/content/docs/v1.4/configuration/authentications/basic/index.mdx
@@ -0,0 +1,79 @@
+---
+title: "Basic Authentication"
+description: "The basic authentication lets you protect drydock access using the Http Basic auth standard."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+The `basic` authentication lets you protect drydock access using the [Http Basic auth standard](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication).
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_AUTH_BASIC_{auth_name}_USER` | 🔴 | Username | | |
+| `DD_AUTH_BASIC_{auth_name}_HASH` | 🔴 | Argon2id password hash | `$argon2id$v=19$m=65536,t=3,p=4$salt$hash` (preferred) or `argon2id$memory$passes$parallelism$salt$hash` (compatible) | |
+
+<Callout type="warn">Hash values contain `$` characters. In Docker Compose YAML, double each `$` as `$$`. In Bash, use single quotes around the value.</Callout>
+
+<Callout type="warn">**Known limitation:** Passwords containing colon characters (`:`) are not supported due to a bug in the underlying `passport-http` library. Authentication will fail if your password contains a colon. Use passwords without colons until this is resolved.</Callout>
+
+<Callout type="info">Argon2id verification uses asynchronous `crypto.argon2` so authentication does not block the Node.js event loop. The hash work still runs on libuv worker threads; for very high authentication concurrency, tune `UV_THREADPOOL_SIZE` or move verification into dedicated worker threads/services.</Callout>
+
+## Examples
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_AUTH_BASIC_JOHN_USER=john
+      - "DD_AUTH_BASIC_JOHN_HASH=argon2id$$65536$$3$$4$$/Y21uoNfTJ/Bv+t7Msz6XABip7tBOI55ZgjeCXyhGc0=$$MHhv8Tc/0TCnhAeoNQRHII3sbOLIQ+1lMlHk+Ifyv3IUAxT6NkVt+OXT03kJTn8JRzmD24L+qCjcqk2+Ad1dTw=="
+      - DD_AUTH_BASIC_JANE_USER=jane
+      - "DD_AUTH_BASIC_JANE_HASH=argon2id$$65536$$3$$4$$r6d4/pX/7fLvpz3xw7qvEZok4KSYwMRm71TjBlujwPI=$$OmI2vv0GCpP12SC0u6dL6Lz1OpRyBjTQGe+bBvF84hhQJB1iTaFd/S1NRQafvAHL02U61E5/eqvOaQ81vPzxvw=="
+      - DD_AUTH_BASIC_BOB_USER=bob
+      - "DD_AUTH_BASIC_BOB_HASH=argon2id$$65536$$3$$4$$shoWJqA1qg1Zen08/XIocsJUEFKgox8Glw0/EAkY5SY=$$toyn5NwytBXDTqQN94wJzjUT0tocDzhvvYii4YK279pDTbMDGoyqOhxxDi7lS0xEJAC7fRKfMAaZFfxmzD4GNw=="
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e DD_AUTH_BASIC_JOHN_USER="john" \
+  -e 'DD_AUTH_BASIC_JOHN_HASH=argon2id$65536$3$4$/Y21uoNfTJ/Bv+t7Msz6XABip7tBOI55ZgjeCXyhGc0=$MHhv8Tc/0TCnhAeoNQRHII3sbOLIQ+1lMlHk+Ifyv3IUAxT6NkVt+OXT03kJTn8JRzmD24L+qCjcqk2+Ad1dTw==' \
+  -e DD_AUTH_BASIC_JANE_USER="jane" \
+  -e 'DD_AUTH_BASIC_JANE_HASH=argon2id$65536$3$4$r6d4/pX/7fLvpz3xw7qvEZok4KSYwMRm71TjBlujwPI=$OmI2vv0GCpP12SC0u6dL6Lz1OpRyBjTQGe+bBvF84hhQJB1iTaFd/S1NRQafvAHL02U61E5/eqvOaQ81vPzxvw==' \
+  -e DD_AUTH_BASIC_BOB_USER="bob" \
+  -e 'DD_AUTH_BASIC_BOB_HASH=argon2id$65536$3$4$shoWJqA1qg1Zen08/XIocsJUEFKgox8Glw0/EAkY5SY=$toyn5NwytBXDTqQN94wJzjUT0tocDzhvvYii4YK279pDTbMDGoyqOhxxDi7lS0xEJAC7fRKfMAaZFfxmzD4GNw==' \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+## How to create a password hash
+
+### Using argon2 CLI (recommended)
+
+```bash
+echo -n "yourpassword" | argon2 $(openssl rand -base64 32) -id -m 16 -t 3 -p 4 -l 64 -e
+```
+
+### Alternative: using Node.js locally (requires Node 24+, no argon2 CLI install)
+
+```bash
+node -e '
+  const c = require("node:crypto");
+  const toPhc = (b) => b.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+  const s = c.randomBytes(32);
+  const h = c.argon2Sync("argon2id", { message: process.argv[1], nonce: s, memory: 65536, passes: 3, parallelism: 4, tagLength: 64 });
+  console.log("$argon2id$v=19$m=65536,t=3,p=4$" + toPhc(s) + "$" + toPhc(h));
+' "yourpassword"
+```
+
+<Callout type="info">Legacy htpasswd hash formats from WUD/v1.3.x — `{SHA}` (SHA-1), `$apr1$` (Apache APR1-MD5), `$1$` (MD5-crypt), DES crypt, and plain text — are still accepted at runtime but deprecated. They will be removed in v1.6.0. Use the commands above to generate an argon2id hash and update your `DD_AUTH_BASIC_*_HASH` values.</Callout>
diff --git a/content/docs/v1.4/configuration/authentications/basic/meta.json b/content/docs/v1.4/configuration/authentications/basic/meta.json
new file mode 100644
index 000000000..00b25467d
--- /dev/null
+++ b/content/docs/v1.4/configuration/authentications/basic/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Basic",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/authentications/index.mdx b/content/docs/v1.4/configuration/authentications/index.mdx
new file mode 100644
index 000000000..5da46c65a
--- /dev/null
+++ b/content/docs/v1.4/configuration/authentications/index.mdx
@@ -0,0 +1,84 @@
+---
+title: "Authentication"
+description: "drydock requires authentication by default on fresh installs."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+
+Since v1.4.0, drydock **requires authentication on fresh installs**. If no auth strategy is configured and no explicit anonymous opt-in is present, all API calls return `401 Unauthorized`.
+
+You can enable 1 or multiple authentication strategies using `DD_AUTH_*` env vars.
+
+<Callout type="warn">Please pay attention that all API routes & all UI views will be authenticated.</Callout>
+<Callout type="info">For OIDC setups, session-cookie policy is controlled by `DD_SERVER_COOKIE_SAMESITE` in [server configuration](/docs/configuration/server). Default `lax` works for most IdP callback flows.</Callout>
+
+## Login lockout controls
+
+To limit brute-force attempts on `POST /auth/login`, drydock tracks failed logins per account and per client IP and can temporarily lock access when thresholds are exceeded. Per-account controls use `DD_AUTH_ACCOUNT_LOCKOUT_*`; per-IP controls use `DD_AUTH_IP_LOCKOUT_*`.
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_AUTH_ACCOUNT_LOCKOUT_MAX_ATTEMPTS` | ⚪ | Max failed login attempts per account before temporary lockout | Positive integer (`> 0`) | `5` |
+| `DD_AUTH_IP_LOCKOUT_MAX_ATTEMPTS` | ⚪ | Max failed login attempts per client IP before temporary lockout | Positive integer (`> 0`) | `25` |
+| `DD_AUTH_LOCKOUT_WINDOW_MS` | ⚪ | Rolling window (milliseconds) used to count failed login attempts | Positive integer (`> 0`) | `900000` |
+| `DD_AUTH_LOCKOUT_DURATION_MS` | ⚪ | Lockout duration (milliseconds) once a threshold is reached | Positive integer (`> 0`) | `900000` |
+
+If a lockout value is missing or invalid, drydock falls back to the corresponding default.
+
+Currently, the following strategies are supported:
+
+- [**Basic**](/docs/configuration/authentications/basic)
+- [**Openid Connect**](/docs/configuration/authentications/oidc)
+
+## Anonymous access
+
+On previous versions of drydock (and upstream WUD), the dashboard was accessible without any login. Starting with v1.4.0, anonymous access must be explicitly opted into on fresh installs.
+
+### `DD_ANONYMOUS_AUTH_CONFIRM`
+
+Set `DD_ANONYMOUS_AUTH_CONFIRM=true` to explicitly allow anonymous (unauthenticated) access to the dashboard and API.
+
+`DD_AUTH_ANONYMOUS_CONFIRM=true` is also accepted as an alias. `DD_ANONYMOUS_AUTH_CONFIRM` is the canonical name.
+
+```yaml
+environment:
+  - DD_ANONYMOUS_AUTH_CONFIRM=true
+```
+
+### Behavior matrix
+
+| Scenario | Result |
+| --- | --- |
+| Fresh install, no auth configured, no `DD_ANONYMOUS_AUTH_CONFIRM` | Fails closed — all API calls return `401` |
+| Fresh install, `DD_ANONYMOUS_AUTH_CONFIRM=true` | Anonymous access allowed |
+| Upgrade from v1.3.x, no auth configured | Anonymous access allowed with a warning logged at startup |
+| Upgrade from v1.3.x, `DD_ANONYMOUS_AUTH_CONFIRM=true` | Anonymous access allowed, no warning |
+
+Drydock detects an upgrade by the presence of an existing store file (`/store/dd.json`). If the file exists, the install is treated as an upgrade; if it does not, it is treated as a fresh install.
+
+### Upgrading from v1.3.x
+
+<Callout type="warn">If you are upgrading from v1.3.x and have no authentication configured, drydock will **not** lock you out. Anonymous access continues to work, but a warning is logged at startup urging you to configure authentication or set `DD_ANONYMOUS_AUTH_CONFIRM=true` to acknowledge the risk and silence the warning.</Callout>
+
+To resolve the warning, either:
+
+1. **Configure authentication** — set `DD_AUTH_BASIC_<name>_USER` and `DD_AUTH_BASIC_<name>_HASH` (or use [OIDC](/docs/configuration/authentications/oidc)).
+2. **Explicitly opt in to anonymous access** — set `DD_ANONYMOUS_AUTH_CONFIRM=true`.
+
+## Fail-closed auth enforcement
+
+<Callout type="warn">Since v1.4.0, drydock enforces **fail-closed** authentication across registries, triggers, and the Docker entrypoint. If auth is configured and fails, drydock raises an error instead of silently falling back to anonymous or unauthenticated access.</Callout>
+
+This affects three areas:
+
+- **Registry bearer-token flows** — When a token exchange endpoint returns an error (network failure, invalid credentials, expired token), the registry call fails immediately. In older versions (and upstream WUD), this would silently fall through to anonymous access, which could cause missed updates on private images or confusing inconsistencies between authenticated and unauthenticated results.
+- **HTTP trigger auth** — If an HTTP trigger specifies an unsupported auth type, the trigger errors instead of sending an unauthenticated request.
+- **Docker entrypoint root mode** — Running as root requires both `DD_RUN_AS_ROOT=true` **and** `DD_ALLOW_INSECURE_ROOT=true`. Setting only one flag fails closed at startup. See [Docker Socket Security](/docs/configuration/watchers#docker-socket-security).
+
+If you are upgrading from WUD or an earlier drydock version and see new auth errors, verify that your credentials are valid and that outbound HTTPS to the token endpoint is not blocked. The errors are intentional — they surface problems that were previously hidden.
+
+## Remember me
+
+The login form includes a **Remember me** checkbox. When checked, the session cookie is extended to **30 days** so the browser stays logged in across restarts. When unchecked, the cookie expires when the browser is closed (default session lifetime is 7 days).
+
+Remember-me works with both Basic and OIDC authentication strategies. The preference is stored server-side in the authenticated session via `POST /auth/remember`.
diff --git a/content/docs/v1.4/configuration/authentications/meta.json b/content/docs/v1.4/configuration/authentications/meta.json
new file mode 100644
index 000000000..b6cb6c814
--- /dev/null
+++ b/content/docs/v1.4/configuration/authentications/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Authentication",
+  "pages": ["index", "basic", "oidc"]
+}
diff --git a/content/docs/v1.4/configuration/authentications/oidc/index.mdx b/content/docs/v1.4/configuration/authentications/oidc/index.mdx
new file mode 100644
index 000000000..4212d20cf
--- /dev/null
+++ b/content/docs/v1.4/configuration/authentications/oidc/index.mdx
@@ -0,0 +1,260 @@
+---
+title: "Openid Connect Authentication"
+description: "The oidc authentication lets you protect drydock access using the Openid Connect standard."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+![logo](/docs/assets/configuration/authentications/oidc/oidc.png)
+
+The `oidc` authentication lets you protect drydock access using the [Openid Connect standard](https://openid.net/).
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_AUTH_OIDC_{auth_name}_CLIENTID` | 🔴 | Client ID | | |
+| `DD_AUTH_OIDC_{auth_name}_CLIENTSECRET` | 🔴 | Client Secret | | |
+| `DD_AUTH_OIDC_{auth_name}_DISCOVERY` | 🔴 | Oidc discovery URL | | |
+| `DD_AUTH_OIDC_{auth_name}_CAFILE` | ⚪ | Path to a PEM CA certificate (or chain) used for OIDC HTTPS requests | File path | empty |
+| `DD_AUTH_OIDC_{auth_name}_INSECURE` | ⚪ | Disable TLS certificate verification for OIDC HTTPS requests (development only) | `true`, `false` | `false` |
+| `DD_AUTH_OIDC_{auth_name}_REDIRECT` | ⚪ | Skip internal login page & automatically redirect to the OIDC provider | `true`, `false` | `false` |
+| `DD_AUTH_OIDC_{auth_name}_LOGOUTURL` | ⚪ | Explicit IdP logout URL fallback when discovery metadata has no `end_session_endpoint` | URL | empty |
+| `DD_AUTH_OIDC_{auth_name}_TIMEOUT` | ⚪ | Timeout (in ms) when calling the OIDC provider | Must be greater than 500 | `5000` |
+| `DD_PUBLIC_URL` | 🔴 | Public URL of your drydock instance (used to build the OIDC callback URL) | URL | |
+
+The callback URL (to configure in the IDP) is built as `${DD_PUBLIC_URL}/auth/oidc/${auth_name}/cb`.
+
+<Callout type="warn">`DD_PUBLIC_URL` is **required** when OIDC is configured. Without it, the OIDC provider will fail to register at startup and the login page will show "No authentication methods configured". Check startup logs for the exact error.</Callout>
+
+<Callout type="warn">`http://` OIDC discovery URLs are deprecated and will be removed in v1.6.0. When the discovery URL uses `http:`, drydock passes `allowInsecureRequests` to the OIDC client. Migrate your IdP to HTTPS before upgrading.</Callout>
+
+<Callout type="warn">`DD_AUTH_OIDC_{auth_name}_INSECURE=true` disables TLS certificate verification for OIDC HTTPS calls (discovery, token, userinfo, JWKS). Use only for local/dev troubleshooting.</Callout>
+
+**Notes:**
+
+- If your IdP is on a different domain and callback fails with `OIDC session is missing or expired`, check `DD_SERVER_COOKIE_SAMESITE` (server config). Default is `lax` for OIDC compatibility; `strict` can break cross-site callbacks. Use `none` only for explicit cross-site/embed cases over HTTPS.
+- If your provider uses a private/self-signed CA, the quickest container-level workaround is `NODE_EXTRA_CA_CERTS=/path/to/ca.pem`. Drydock also supports OIDC-scoped TLS settings with `DD_AUTH_OIDC_{auth_name}_CAFILE` and `DD_AUTH_OIDC_{auth_name}_INSECURE`.
+- **Redirect URL validation** — Drydock validates all OIDC authorization redirect URLs against an allowlist derived from the configured callback URL origin. This prevents open redirect attacks through crafted callback parameters. No configuration is needed.
+- **OIDC logout URL resolution** — drydock first tries the provider discovery `end_session_endpoint`. If it is missing, you can set `DD_AUTH_OIDC_{auth_name}_LOGOUTURL` when your provider (or proxy) exposes a logout URL outside discovery metadata. If neither is available, `POST /auth/logout` only destroys the local drydock session.
+
+## How to integrate with&nbsp;[Authelia](https://www.authelia.com)
+
+![logo](/docs/assets/configuration/authentications/oidc/authelia.png)
+
+### Configure an Openid Client for drydock in Authelia configuration.yml ([see official authelia documentation](https://www.authelia.com/configuration/identity-providers/openid-connect/provider/))
+
+```yaml
+identity_providers:
+  oidc:
+    hmac_secret: <a-very-long-string>
+    issuer_private_key: |
+      -----BEGIN RSA PRIVATE KEY-----
+      # <Generate & paste here an RSA private key>
+      -----END RSA PRIVATE KEY-----    
+    access_token_lifespan: 1h
+    authorize_code_lifespan: 1m
+    id_token_lifespan: 1h
+    refresh_token_lifespan: 90m
+    clients:
+      - client_id: my-drydock-client-id
+        client_name: drydock openid client
+        client_secret: this-is-a-very-secure-secret
+        public: false
+        authorization_policy: one_factor
+        audience: []
+        scopes:
+          - openid
+          - profile
+          - email
+        redirect_uris:
+          - https://<your_drydock_public_domain>/auth/oidc/authelia/cb
+        grant_types:
+          - refresh_token
+          - authorization_code
+        response_types:
+          - code
+        response_modes:
+          - form_post
+          - query
+          - fragment
+        userinfo_signing_algorithm: none
+```
+
+### Configure drydock
+
+<Tabs items={["Docker Compose (Authelia)", "Docker (Authelia)"]}>
+<Tab value="Docker Compose (Authelia)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_PUBLIC_URL=https://<your_drydock_public_domain>
+      - DD_AUTH_OIDC_AUTHELIA_CLIENTID=my-drydock-client-id
+      - DD_AUTH_OIDC_AUTHELIA_CLIENTSECRET=this-is-a-very-secure-secret
+      - DD_AUTH_OIDC_AUTHELIA_DISCOVERY=https://<your_authelia_public_domain>/.well-known/openid-configuration
+```
+
+</Tab>
+<Tab value="Docker (Authelia)">
+```bash
+docker run \
+  -e DD_PUBLIC_URL="https://<your_drydock_public_domain>" \
+  -e DD_AUTH_OIDC_AUTHELIA_CLIENTID="my-drydock-client-id" \
+  -e DD_AUTH_OIDC_AUTHELIA_CLIENTSECRET="this-is-a-very-secure-secret" \
+  -e DD_AUTH_OIDC_AUTHELIA_DISCOVERY="https://<your_authelia_public_domain>/.well-known/openid-configuration" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+![image](/docs/assets/configuration/authentications/oidc/authelia_00.png)
+
+![image](/docs/assets/configuration/authentications/oidc/authelia_01.png)
+
+## How to integrate with&nbsp;[Auth0](https://auth0.com)
+
+![logo](/docs/assets/configuration/authentications/oidc/auth0.png)
+
+### Create an application (Regular Web Application)
+
+- `Allowed Callback URLs`: `https://<your_drydock_public_domain>/auth/oidc/auth0/cb`
+
+### Configure drydock
+
+<Tabs items={["Docker Compose (Auth0)", "Docker (Auth0)"]}>
+<Tab value="Docker Compose (Auth0)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_PUBLIC_URL=https://<your_drydock_public_domain>
+      - DD_AUTH_OIDC_AUTH0_CLIENTID=<paste the Client ID from auth0 application settings>
+      - DD_AUTH_OIDC_AUTH0_CLIENTSECRET=<paste the Client Secret from auth0 application settings>
+      - DD_AUTH_OIDC_AUTH0_DISCOVERY=https://<paste the domain from auth0 application settings>/.well-known/openid-configuration
+```
+
+</Tab>
+<Tab value="Docker (Auth0)">
+```bash
+docker run \
+  -e DD_PUBLIC_URL="https://<your_drydock_public_domain>" \
+  -e DD_AUTH_OIDC_AUTH0_CLIENTID="<paste the Client ID from auth0 application settings>" \
+  -e DD_AUTH_OIDC_AUTH0_CLIENTSECRET="<paste the Client Secret from auth0 application settings>" \
+  -e DD_AUTH_OIDC_AUTH0_DISCOVERY="https://<paste the domain from auth0 application settings>/.well-known/openid-configuration" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+![image](/docs/assets/configuration/authentications/oidc/auth0_00.png)
+
+![image](/docs/assets/configuration/authentications/oidc/auth0_01.png)
+
+## How to integrate with&nbsp;[Authentik](https://goauthentik.io/)
+
+![logo](/docs/assets/configuration/authentications/oidc/authentik.png)
+
+### On Authentik, create a provider with type `Oauth2/OpenID` (or configure an existing one)
+
+![image](/docs/assets/configuration/authentications/oidc/authentik_00.png)
+
+### Important values
+
+- Client Type: `Confidential`
+- Client ID: `<generated value>`
+- Client Secret: `<generated value>`
+- Redirect URIs/Origins: `https://<your_drydock_public_domain>/auth/oidc/authentik/cb`
+- Scopes: `email`, `openid`, `profile`
+
+### On Authentik, create an application associated to the previously created provider
+
+![image](/docs/assets/configuration/authentications/oidc/authentik_01.png)
+
+### Configure drydock
+
+<Tabs items={["Docker Compose (Authentik)", "Docker (Authentik)"]}>
+<Tab value="Docker Compose (Authentik)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_PUBLIC_URL=https://<your_drydock_public_domain>
+      - DD_AUTH_OIDC_AUTHENTIK_CLIENTID=<paste the Client ID from authentik drydock_oidc provider>
+      - DD_AUTH_OIDC_AUTHENTIK_CLIENTSECRET=<paste the Client Secret from authentik drydock_oidc provider>
+      - DD_AUTH_OIDC_AUTHENTIK_DISCOVERY=<authentik_url>/application/o/<authentik_application_name>/.well-known/openid-configuration
+      - DD_AUTH_OIDC_AUTHENTIK_REDIRECT=true # optional (to skip internal login page)
+```
+
+</Tab>
+<Tab value="Docker (Authentik)">
+```bash
+docker run \
+  -e DD_PUBLIC_URL="https://<your_drydock_public_domain>" \
+  -e DD_AUTH_OIDC_AUTHENTIK_CLIENTID="<paste the Client ID from authentik drydock_oidc provider>" \
+  -e DD_AUTH_OIDC_AUTHENTIK_CLIENTSECRET="<paste the Client Secret from authentik drydock_oidc provider>" \
+  -e DD_AUTH_OIDC_AUTHENTIK_DISCOVERY="<authentik_url>/application/o/<authentik_application_name>/.well-known/openid-configuration" \
+  -e DD_AUTH_OIDC_AUTHENTIK_REDIRECT=true # optional (to skip internal login page) \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+<Callout type="warn">**Authentik token encryption** — In the Authentik provider's **Advanced protocol settings**, ensure the **Encryption Key** is unset ("Select an encryption key..."). Drydock does not support JWE (encrypted) tokens. If an encryption key is selected, Authentik will encrypt the ID token and Drydock will fail to validate it.</Callout>
+
+<Callout type="info">**Self-signed certificates** — If your Authentik instance uses a self-signed certificate, use `DD_AUTH_OIDC_AUTHENTIK_INSECURE=true` to skip TLS verification for OIDC calls only (does not affect registry or webhook TLS). Alternatively, mount the CA certificate and use `DD_AUTH_OIDC_AUTHENTIK_CAFILE=/path/to/ca.pem`. For the CAFILE approach, ensure the PEM file contains the **full certificate chain** (not just the leaf certificate).</Callout>
+
+## How to integrate with Dex
+
+<Callout type="warn">Dex does not currently advertise `end_session_endpoint` in discovery metadata. Without an explicit `DD_AUTH_OIDC_DEX_LOGOUTURL`, `POST /auth/logout` clears only the local drydock session. Set `DD_AUTH_OIDC_DEX_LOGOUTURL` only if you have a real IdP logout endpoint in front of Dex (for example, via your auth proxy/portal).</Callout>
+
+<Tabs items={["Docker Compose (Dex)", "Docker (Dex)"]}>
+<Tab value="Docker Compose (Dex)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_PUBLIC_URL=https://<your_drydock_public_domain>
+      - DD_AUTH_OIDC_DEX_CLIENTID=<dex_client_id>
+      - DD_AUTH_OIDC_DEX_CLIENTSECRET=<dex_client_secret>
+      - DD_AUTH_OIDC_DEX_DISCOVERY=https://<your_dex_public_domain>/dex/.well-known/openid-configuration
+      # Optional: only when a real IdP logout endpoint exists
+      # - DD_AUTH_OIDC_DEX_LOGOUTURL=https://<your_logout_endpoint>
+```
+
+</Tab>
+<Tab value="Docker (Dex)">
+```bash
+docker run \
+  -e DD_PUBLIC_URL="https://<your_drydock_public_domain>" \
+  -e DD_AUTH_OIDC_DEX_CLIENTID="<dex_client_id>" \
+  -e DD_AUTH_OIDC_DEX_CLIENTSECRET="<dex_client_secret>" \
+  -e DD_AUTH_OIDC_DEX_DISCOVERY="https://<your_dex_public_domain>/dex/.well-known/openid-configuration" \
+  ...
+  codeswhat/drydock
+```
+
+Optional (only when a real IdP logout endpoint exists):
+
+```bash
+-e DD_AUTH_OIDC_DEX_LOGOUTURL="https://<your_logout_endpoint>"
+```
+
+</Tab>
+</Tabs>
diff --git a/content/docs/v1.4/configuration/authentications/oidc/meta.json b/content/docs/v1.4/configuration/authentications/oidc/meta.json
new file mode 100644
index 000000000..8e7e813a0
--- /dev/null
+++ b/content/docs/v1.4/configuration/authentications/oidc/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "OIDC",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/dns/index.mdx b/content/docs/v1.4/configuration/dns/index.mdx
new file mode 100644
index 000000000..58c8d8e46
--- /dev/null
+++ b/content/docs/v1.4/configuration/dns/index.mdx
@@ -0,0 +1,58 @@
+---
+title: "DNS"
+description: "Configure DNS resolution behavior for registry checks, trigger webhooks, and agent communication."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+
+## DNS Result Ordering
+
+Drydock runs on Alpine Linux, which uses musl libc. Musl's DNS resolver can return `getaddrinfo EAI_AGAIN` errors on dual-stack (IPv4/IPv6) networks when IPv6 records are returned first but IPv6 connectivity is unavailable.
+
+To prevent this, drydock defaults to **IPv4-first** DNS ordering at startup. This matches the behavior of Node.js versions prior to v17 and works correctly on the vast majority of networks.
+
+### Variables
+
+| Env var | Required | Description | Supported values | Default |
+| --- | :-: | --- | --- | --- |
+| `DD_DNS_MODE` | - | DNS result ordering mode | `ipv4first`, `ipv6first`, `verbatim` | `ipv4first` |
+
+### Values
+
+| Value | Behavior |
+| --- | --- |
+| `ipv4first` | IPv4 addresses are resolved before IPv6 (default). Prevents `EAI_AGAIN` errors on most networks. |
+| `ipv6first` | IPv6 addresses are resolved before IPv4. Use only in IPv6-preferred environments. |
+| `verbatim` | Addresses are returned in the order the OS DNS resolver provides them. This is the Node.js default but can trigger musl DNS issues on Alpine. |
+
+<Callout type="info">This setting calls `dns.setDefaultResultOrder()` at process startup and affects **all** outbound connections: registry checks, trigger webhooks, agent communication, and OIDC token exchange.</Callout>
+
+### Examples
+
+Most users do not need to set this variable. The default `ipv4first` works on all IPv4 and dual-stack networks.
+
+#### IPv6-only network
+
+If drydock runs in a pure IPv6 environment with no IPv4 connectivity:
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    environment:
+      - DD_DNS_MODE=ipv6first
+```
+
+#### Restore Node.js default behavior
+
+To use the OS resolver's native ordering (not recommended on Alpine):
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    environment:
+      - DD_DNS_MODE=verbatim
+```
+
+<Callout type="warn">Setting `DD_DNS_MODE=verbatim` on Alpine may cause intermittent `getaddrinfo EAI_AGAIN` errors on dual-stack networks. Only use this if you have a specific reason to preserve OS-native DNS ordering.</Callout>
diff --git a/content/docs/v1.4/configuration/dns/meta.json b/content/docs/v1.4/configuration/dns/meta.json
new file mode 100644
index 000000000..2ac14b0b0
--- /dev/null
+++ b/content/docs/v1.4/configuration/dns/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "DNS",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/hooks/index.mdx b/content/docs/v1.4/configuration/hooks/index.mdx
new file mode 100644
index 000000000..05da86647
--- /dev/null
+++ b/content/docs/v1.4/configuration/hooks/index.mdx
@@ -0,0 +1,101 @@
+---
+title: "Lifecycle Hooks"
+description: "Run custom commands before or after container updates."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+
+## Overview
+
+Lifecycle hooks let you run shell commands before or after a container is updated. Common use cases:
+
+- Stop dependent services before updating
+- Run database migrations after updating
+- Send custom notifications
+- Create network resources or volumes
+
+## Container labels
+
+| Label | Type | Default | Description |
+| --- | --- | --- | --- |
+| `dd.hook.pre` | string | — | Shell command to execute before the update |
+| `dd.hook.post` | string | — | Shell command to execute after the update |
+| `dd.hook.pre.abort` | boolean | `true` | Abort the update if the pre-hook exits with a non-zero code |
+| `dd.hook.timeout` | number (ms) | `60000` | Maximum execution time for each hook |
+
+<Callout type="info">Legacy `wud.hook.*` labels are still supported for backward compatibility. When used, drydock logs a one-time deprecation warning and records the fallback in `dd_legacy_input_total`. You can rewrite labels with `node dist/index.js config migrate`.</Callout>
+
+## Hook enablement
+
+| Env var | Required | Description | Supported values | Default |
+| --- | --- | --- | --- | --- |
+| `DD_HOOKS_ENABLED` | ⚪ | Enable execution of lifecycle hook labels (`dd.hook.*` / `wud.hook.*`) | `true`, `false` | `false` |
+
+<Callout type="warn">Hooks sourced from labels are skipped by default. Set `DD_HOOKS_ENABLED=true` to opt in.</Callout>
+
+## Hook environment variables
+
+When a hook runs, drydock injects environment variables describing the update:
+
+| Variable | Description | Example |
+| --- | --- | --- |
+| `DD_CONTAINER_NAME` | Container name | `myapp` |
+| `DD_CONTAINER_ID` | Container ID | `abc123def456` |
+| `DD_IMAGE_NAME` | Image name (without registry prefix) | `myorg/myapp` |
+| `DD_IMAGE_TAG` | Current image tag | `1.2.3` |
+| `DD_UPDATE_KIND` | Update type | `tag` or `digest` |
+| `DD_UPDATE_FROM` | Current tag or digest | `1.2.3` |
+| `DD_UPDATE_TO` | New tag or digest | `1.3.0` |
+
+## Execution details
+
+- Hooks run inside the drydock container using `/bin/sh -c` only when `DD_HOOKS_ENABLED=true`
+- Combined stdout and stderr output is capped at **10 KB**
+- An exit code of `0` is treated as success; any non-zero code is a failure
+- If a hook exceeds its timeout, it is killed and treated as a failure (exit code 1)
+- Hooks are NOT executed during [self-update](/docs/configuration/self-update)
+
+## Threat model (label-sourced commands)
+
+Hooks are sourced from container labels and then executed by drydock. Treat hook labels as a code-execution boundary.
+
+- Trust boundary: Container labels (`dd.hook.*` / `wud.hook.*`) cross into the drydock runtime command executor.
+- Trust boundary: Hook execution can cross from drydock into Docker host control when the socket is mounted.
+- High-value assets: Docker socket access, mounted credentials/secrets, and network-reachable internal services.
+- Attacker capability: Anyone who can modify deployed container labels (Compose manifests, swarm specs, API-driven container creation) can inject hook commands.
+- Abuse path: A malicious label can execute arbitrary shell via `/bin/sh -c`, including secret exfiltration or unauthorized Docker API actions.
+- Abuse path: Expensive hooks can degrade availability (for example long-running or fork-heavy commands), bounded by `dd.hook.timeout`.
+- Mitigation: Restrict who can modify container specs/labels and protect deployment pipelines.
+- Mitigation: Run drydock with least privilege; mount `/var/run/docker.sock` only when required.
+- Mitigation: Keep `dd.hook.pre.abort=true` when you want fail-closed behavior on pre-hook errors.
+- Mitigation: Monitor audit events (`hook-configured`, `hook-pre-*`, `hook-post-*`) for unauthorized hook changes and executions.
+
+## Pre-hook abort behavior
+
+When `dd.hook.pre.abort` is `true` (the default), a failed pre-hook cancels the update entirely. Set it to `false` if you want the update to proceed regardless of hook outcome.
+
+## Audit events
+
+| Event | Description |
+| --- | --- |
+| `hook-configured` | Hook labels were detected for the update lifecycle |
+| `hook-pre-success` | Pre-hook completed successfully |
+| `hook-pre-failed` | Pre-hook exited non-zero or timed out |
+| `hook-post-success` | Post-hook completed successfully |
+| `hook-post-failed` | Post-hook exited non-zero or timed out |
+
+## Example
+
+```yaml
+services:
+  myapp:
+    image: myapp:latest
+    labels:
+      - dd.watch=true
+      - dd.hook.pre=docker exec mydb pg_dump -U postgres mydb > /backup/pre-update.sql
+      - dd.hook.post=curl -X POST https://hooks.slack.com/services/xxx -d '{"text":"myapp updated"}'
+      - dd.hook.pre.abort=true
+      - dd.hook.timeout=120000
+```
+
+<Callout type="warn">Hooks run with the permissions of the drydock process. Ensure the Docker socket is mounted if your hooks need to interact with Docker.</Callout>
diff --git a/content/docs/v1.4/configuration/hooks/meta.json b/content/docs/v1.4/configuration/hooks/meta.json
new file mode 100644
index 000000000..8f8e1c0b9
--- /dev/null
+++ b/content/docs/v1.4/configuration/hooks/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Lifecycle Hooks",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/index.mdx b/content/docs/v1.4/configuration/index.mdx
new file mode 100644
index 000000000..6721ba363
--- /dev/null
+++ b/content/docs/v1.4/configuration/index.mdx
@@ -0,0 +1,121 @@
+---
+title: "Configuration"
+description: "Drydock is configured via environment variables and Docker labels."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+
+drydock is configured via **Environment Variables** and **[Docker labels](https://docs.docker.com/engine/manage-resources/labels/)**.
+
+## Prefix convention
+
+All environment variables use the `DD_` prefix. All Docker labels use the `dd.` prefix.
+
+| Context | Prefix | Example |
+| --------- | -------- | --------- |
+| Environment variables | `DD_` | `DD_SERVER_PORT` |
+| Docker labels | `dd.` | `dd.watch` |
+| Secret files | `DD_` + `__FILE` | `DD_AUTH_BASIC_JOHN_HASH__FILE` |
+
+Please find below the documentation for each of them:
+
+- [**Agents**](/docs/configuration/agents) — distributed multi-host architecture
+- [**Authentication**](/docs/configuration/authentications)
+- [**Backup & Rollback**](/docs/configuration/rollback) — automatic image backup and one-click restore
+- [**Container Actions**](/docs/configuration/actions) — start, stop, restart, update, and delete
+- [**DNS**](/docs/configuration/dns) — DNS result ordering for Alpine/musl compatibility
+- [**Lifecycle Hooks**](/docs/configuration/hooks) — pre/post-update commands
+- [**Logs**](/docs/configuration/logs)
+- [**Registries**](/docs/configuration/registries)
+- [**Self-Update**](/docs/configuration/self-update) — graceful drydock self-update
+- [**Server**](/docs/configuration/server)
+- [**Storage**](/docs/configuration/storage)
+- [**Timezone**](/docs/configuration/timezone)
+- [**Triggers**](/docs/configuration/triggers)
+- [**UI / Appearance**](/docs/configuration/ui) — themes, icons, fonts, command palette
+- [**Update Bouncer**](/docs/configuration/security) — vulnerability scanning, signatures, and SBOM
+- [**Watchers**](/docs/configuration/watchers)
+- [**Webhooks**](/docs/configuration/webhooks) — CI/CD integration
+
+## Complete example
+
+<Callout type="warn">This example uses a direct Docker socket mount for brevity. For production deployments, use a [socket proxy](/docs/configuration/watchers#option-1-socket-proxy-recommended) or [remote TLS connection](/docs/configuration/watchers#option-2-remote-docker-over-tls) instead.</Callout>
+
+```yaml
+services:
+
+  # Valid semver following by os name
+  vaultwarden:
+    image: vaultwarden/server:1.22.1-alpine
+    container_name: bitwarden
+    labels:
+      - 'dd.tag.include=^\d+\.\d+\.\d+-alpine$$'
+      - 'dd.link.template=https://github.com/dani-garcia/vaultwarden/releases/tag/$${major}.$${minor}.$${patch}'
+
+  # Valid semver following by an build number (linux server style)
+  duplicati:
+    image: linuxserver/duplicati:v2.0.6.3-2.0.6.3_beta_2021-06-17-ls104
+    container_name: duplicati
+    labels:
+      - 'dd.tag.include=^v\d+\.\d+\.\d+\.\d+-\d+\.\d+\.\d+\.\d+.*$$'
+
+  # Valid calver
+  homeassistant:
+    image: homeassistant/home-assistant:2021.7.1
+    container_name: homeassistant
+    labels:
+      - 'dd.tag.include=^\d+\.\d+\.\d+$$'
+      - 'dd.link.template=https://github.com/home-assistant/core/releases/tag/$${major}.$${minor}.$${patch}'
+
+  # Valid semver with a leading v
+  pihole:
+    image: pihole/pihole:v5.8.1
+    container_name: pihole
+    labels:
+      - 'dd.tag.include=^v\d+\.\d+\.\d+$$'
+      - 'dd.link.template=https://github.com/pi-hole/FTL/releases/tag/v$${major}.$${minor}.$${patch}'
+
+  # Mutable tag (latest) with digest tracking
+  pyload:
+    image: writl/pyload:latest
+    container_name: pyload
+    labels:
+      - 'dd.tag.include=latest'
+      - 'dd.watch.digest=true'
+
+  # drydock self tracking :)
+  drydock:
+    image: codeswhat/drydock:latest
+    container_name: drydock
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /opt/drydock/store:/store
+    healthcheck:
+      test: curl --fail http://localhost:${DD_SERVER_PORT:-3000}/health || exit 1
+      interval: 10s
+      timeout: 10s
+      retries: 3
+      start_period: 10s
+    labels:
+      - 'dd.tag.include=^latest$$'
+      - 'dd.link.template=https://github.com/orgs/CodesWhat/packages/container/package/drydock'
+```
+
+## Secret management
+
+<Callout type="warn">If you don't want to expose your secret values as environment variables, you can externalize them in external files and reference them by suffixing the original env var name with `__FILE`.</Callout>
+
+For example, instead of providing the Basic auth details as
+
+```bash
+DD_AUTH_BASIC_JOHN_HASH=argon2id$65536$3$4$/Y21uoNfTJ/Bv+t7Msz6XABip7tBOI55ZgjeCXyhGc0=$MHhv8Tc/0TCnhAeoNQRHII3sbOLIQ+1lMlHk+Ifyv3IUAxT6NkVt+OXT03kJTn8JRzmD24L+qCjcqk2+Ad1dTw==
+```
+
+You can create an external file with the appropriate permissions (let's say `/tmp/john_hash`) containing the secret value (`argon2id$65536$3$4$/Y21uoNfTJ/Bv+t7Msz6XABip7tBOI55ZgjeCXyhGc0=$MHhv8Tc/0TCnhAeoNQRHII3sbOLIQ+1lMlHk+Ifyv3IUAxT6NkVt+OXT03kJTn8JRzmD24L+qCjcqk2+Ad1dTw==`).
+Then you need to reference this file by using the following env var
+
+```bash
+DD_AUTH_BASIC_JOHN_HASH__FILE=/tmp/john_hash
+```
+
+<Callout type="info">This feature can be used for any `DD_` env var (no restrictions).</Callout>
diff --git a/content/docs/v1.4/configuration/logs/index.mdx b/content/docs/v1.4/configuration/logs/index.mdx
new file mode 100644
index 000000000..1fd6bd0f5
--- /dev/null
+++ b/content/docs/v1.4/configuration/logs/index.mdx
@@ -0,0 +1,109 @@
+---
+title: "Logs"
+description: "Configure drydock log output and use the built-in log viewers to monitor application and container activity."
+---
+
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+## Server Log Configuration
+
+Control drydock's own log output with environment variables.
+
+### Variables
+
+| Env var | Required | Description | Supported values | Default in official Docker image |
+| ---------------- | :--------------: | ----------- | --------------------------- | --------------------------- |
+| `DD_LOG_LEVEL` | ⚪ | Log level | `fatal`, `error`, `warn`, `info`, `debug`, `trace` | `info` |
+| `DD_LOG_FORMAT` | ⚪ | Log format | text json | `json` |
+| `DD_LOG_BUFFER_ENABLED` | ⚪ | Enable in-memory log ring buffer used by UI/API log viewer | `true`, `false` | `true` |
+
+The official image sets `DD_LOG_FORMAT=json` by default for structured production logs. Override with `DD_LOG_FORMAT=text` for pretty logs.
+Set `DD_LOG_BUFFER_ENABLED=false` to disable the in-memory ring buffer (reduces per-log processing overhead).
+
+### Examples
+
+#### Set debug level
+
+<Tabs items={["Docker Compose (Debug Level)", "Docker (Debug Level)"]}>
+<Tab value="Docker Compose (Debug Level)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_LOG_LEVEL=debug
+```
+
+</Tab>
+<Tab value="Docker (Debug Level)">
+```bash
+docker run -e DD_LOG_LEVEL=debug ... codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+#### Set json format (for ElasticSearch ingestion for example)
+
+<Tabs items={["Docker (JSON Format)", "Docker Compose (JSON Format)"]}>
+<Tab value="Docker (JSON Format)">
+
+```bash
+docker run -e DD_LOG_FORMAT=json ... codeswhat/drydock
+```
+
+</Tab>
+<Tab value="Docker Compose (JSON Format)">
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_LOG_FORMAT=json
+```
+</Tab>
+</Tabs>
+
+## Application Log Viewer
+
+The **Configuration > Logs** page provides a terminal-style viewer for drydock's own runtime logs — startup events, polling cycles, registry checks, trigger executions, and errors.
+
+When enabled, logs are stored in an in-memory ring buffer (last 1,000 entries). They are not persisted to disk.
+If `DD_LOG_BUFFER_ENABLED=false`, the viewer returns no application log entries.
+
+### Toolbar controls
+
+| Control | Description |
+| --- | --- |
+| **Level** | Filter by log level: `all`, `debug`, `info`, `warn`, `error`. Note: entries below your configured `DD_LOG_LEVEL` are never captured, so they won't appear regardless of this filter. |
+| **Lines** | Number of entries to fetch: 50, 100, 500, or 1,000. |
+| **Auto fetch** | Automatically poll for new entries at a chosen interval: Off, 2s, 5s, 10s, or 30s. |
+| **Refresh** | Manual one-shot fetch. |
+
+### Scroll lock
+
+When auto fetch is active, the viewer auto-scrolls to the newest entry after each fetch. If you scroll up to read earlier entries, **scroll lock** activates automatically — a warning chip appears and auto-scroll pauses so your reading position is preserved. Click **Resume** to jump back to the bottom and re-enable auto-scroll.
+
+## Container Log Viewer
+
+Each container has a **Logs** tab in its detail expansion panel. This shows the container's stdout/stderr output directly in the UI — no need to shell into the host.
+
+### Toolbar controls
+
+| Control | Description |
+| --- | --- |
+| **Lines** | Number of tail lines to fetch: 50, 100, or 500. |
+| **Auto fetch** | Poll for new log output at a chosen interval: Off, 2s, 5s, 10s, or 30s. |
+| **Refresh** | Manual one-shot fetch. |
+
+Scroll lock and resume work the same way as the application log viewer.
+
+### Agent containers
+
+Container logs work for both local and remote agent containers. For agent-managed containers, drydock proxies the log request through the agent connection automatically.
+
+## Agent Log Viewer
+
+Agent runtime logs are available from the **Agents** page. Open an agent's detail slide-in panel and switch to the **Logs** tab.
diff --git a/content/docs/v1.4/configuration/logs/meta.json b/content/docs/v1.4/configuration/logs/meta.json
new file mode 100644
index 000000000..f2235fb53
--- /dev/null
+++ b/content/docs/v1.4/configuration/logs/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Logs",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/meta.json b/content/docs/v1.4/configuration/meta.json
new file mode 100644
index 000000000..684020a86
--- /dev/null
+++ b/content/docs/v1.4/configuration/meta.json
@@ -0,0 +1,23 @@
+{
+  "title": "Configuration",
+  "pages": [
+    "index",
+    "actions",
+    "agents",
+    "authentications",
+    "dns",
+    "hooks",
+    "logs",
+    "registries",
+    "rollback",
+    "security",
+    "self-update",
+    "server",
+    "storage",
+    "timezone",
+    "triggers",
+    "ui",
+    "watchers",
+    "webhooks"
+  ]
+}
diff --git a/content/docs/v1.4/configuration/registries/acr/index.mdx b/content/docs/v1.4/configuration/registries/acr/index.mdx
new file mode 100644
index 000000000..8c6170df1
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/acr/index.mdx
@@ -0,0 +1,63 @@
+---
+title: "ACR (Azure Container Registry)"
+description: "The acr registry lets you configure ACR integration."
+---
+
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+![logo](/docs/assets/configuration/registries/acr/azure.png)
+
+The `acr` registry lets you configure [ACR](https://azure.microsoft.com/services/container-registry/) integration.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_REGISTRY_ACR_{REGISTRY_NAME}_CLIENTID` | 🔴 | Service Principal Client ID | See [Service Principal Auth](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal) | |
+| `DD_REGISTRY_ACR_{REGISTRY_NAME}_CLIENTSECRET` | 🔴 | Service Principal Secret | See [Service Principal Auth](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal) | |
+
+## Examples
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_ACR_PRIVATE_CLIENTID=7c0195aa-112d-4ac3-be24-6664a13f3d2b
+      - DD_REGISTRY_ACR_PRIVATE_CLIENTSECRET=SBgHNi3zA5K.f9.f9ft~_hpqbS~.pk.t_i
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e DD_REGISTRY_ACR_PRIVATE_CLIENTID=7c0195aa-112d-4ac3-be24-6664a13f3d2b \
+  -e DD_REGISTRY_ACR_PRIVATE_CLIENTSECRET=SBgHNi3zA5K.f9.f9ft~_hpqbS~.pk.t_i \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+## How to create Registry credentials on Microsoft Azure Platform
+
+### Create a Service Principal
+
+Follow the [official Azure documentation](https://learn.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal).
+
+### Get the Client Id and the Client Secret of the created Service Principal
+
+![image](/docs/assets/configuration/registries/acr/acr_01.png)
+
+### Go to your Container Registry and click on the Access Control (IAM) Menu
+
+![image](/docs/assets/configuration/registries/acr/acr_02.png)
+
+### Click to Add a role assignment
+
+Select the `AcrPull` role and assign to your Service Principal
+![image](/docs/assets/configuration/registries/acr/acr_03.png)
diff --git a/content/docs/v1.4/configuration/registries/acr/meta.json b/content/docs/v1.4/configuration/registries/acr/meta.json
new file mode 100644
index 000000000..3e6e51d59
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/acr/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "ACR",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/registries/alicr/index.mdx b/content/docs/v1.4/configuration/registries/alicr/index.mdx
new file mode 100644
index 000000000..1146c1986
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/alicr/index.mdx
@@ -0,0 +1,82 @@
+---
+title: "ALICR (Alibaba Cloud Container Registry)"
+description: "The alicr registry lets you configure Alibaba Cloud Container Registry integration."
+---
+
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+The `alicr` registry lets you configure [Alibaba Cloud Container Registry](https://www.alibabacloud.com/product/container-registry) integration.
+
+Drydock automatically detects Alibaba Cloud registries by matching `registry[-intl].*.aliyuncs.com` and `*.cr.aliyuncs.com` hostnames.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_REGISTRY_ALICR_{REGISTRY_NAME}_LOGIN` | ⚪ | Alibaba Cloud username | DD_REGISTRY_ALICR_\{REGISTRY_NAME\}_PASSWORD must be defined | |
+| `DD_REGISTRY_ALICR_{REGISTRY_NAME}_PASSWORD` | ⚪ | Registry password | DD_REGISTRY_ALICR_\{REGISTRY_NAME\}_LOGIN must be defined | |
+| `DD_REGISTRY_ALICR_{REGISTRY_NAME}_AUTH` | ⚪ | Base64-encoded `login:password` string | DD_REGISTRY_ALICR_\{REGISTRY_NAME\}_LOGIN/PASSWORD must not be defined | |
+
+## Examples
+
+### Configure with login and password
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_ALICR_PRIVATE_LOGIN=user@example.com
+      - DD_REGISTRY_ALICR_PRIVATE_PASSWORD=xxxxx
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e "DD_REGISTRY_ALICR_PRIVATE_LOGIN=user@example.com" \
+  -e "DD_REGISTRY_ALICR_PRIVATE_PASSWORD=xxxxx" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### Configure with base64 auth
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_ALICR_PRIVATE_AUTH=dXNlckBleGFtcGxlLmNvbTp4eHh4eA==
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e "DD_REGISTRY_ALICR_PRIVATE_AUTH=dXNlckBleGFtcGxlLmNvbTp4eHh4eA==" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+## How to configure registry credentials on Alibaba Cloud
+
+### Go to your Alibaba Cloud Console
+
+Navigate to **Container Registry > Instances > Access Credential**.
+
+### Set a fixed password
+
+Click **Set Password** to create a fixed password for your registry login. Use your Alibaba Cloud account or RAM user as the login and the fixed password as the password.
diff --git a/content/docs/v1.4/configuration/registries/alicr/meta.json b/content/docs/v1.4/configuration/registries/alicr/meta.json
new file mode 100644
index 000000000..ba50cac1f
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/alicr/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "ALICR",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/registries/artifactory/index.mdx b/content/docs/v1.4/configuration/registries/artifactory/index.mdx
new file mode 100644
index 000000000..3c41a628d
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/artifactory/index.mdx
@@ -0,0 +1,54 @@
+---
+title: "ARTIFACTORY (JFrog Artifactory)"
+description: "The artifactory registry lets you configure a JFrog Artifactory integration."
+---
+
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+![logo](/docs/assets/configuration/registries/artifactory/artifactory.png)
+
+The `artifactory` registry lets you configure a [JFrog Artifactory](https://jfrog.com/artifactory/) Docker Registry integration.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_REGISTRY_ARTIFACTORY_{REGISTRY_NAME}_URL` | 🔴 | Registry URL (e.g. `https://artifactory.acme.com`) | | |
+| `DD_REGISTRY_ARTIFACTORY_{REGISTRY_NAME}_LOGIN` | ⚪ | Artifactory username | DD_REGISTRY_ARTIFACTORY_\{REGISTRY_NAME\}_PASSWORD must be defined | |
+| `DD_REGISTRY_ARTIFACTORY_{REGISTRY_NAME}_PASSWORD` | ⚪ | Artifactory password or API key | DD_REGISTRY_ARTIFACTORY_\{REGISTRY_NAME\}_LOGIN must be defined | |
+| `DD_REGISTRY_ARTIFACTORY_{REGISTRY_NAME}_AUTH` | ⚪ | Base64 encoded `login:password` string | DD_REGISTRY_ARTIFACTORY_\{REGISTRY_NAME\}_LOGIN/PASSWORD must not be defined | |
+| `DD_REGISTRY_ARTIFACTORY_{REGISTRY_NAME}_CAFILE` | ⚪ | Path to custom CA certificate file | | |
+| `DD_REGISTRY_ARTIFACTORY_{REGISTRY_NAME}_INSECURE` | ⚪ | Allow insecure (non-TLS) connections | `true`, `false` | `false` |
+| `DD_REGISTRY_ARTIFACTORY_{REGISTRY_NAME}_CLIENTCERT` | ⚪ | Path to client certificate file for mTLS | | |
+| `DD_REGISTRY_ARTIFACTORY_{REGISTRY_NAME}_CLIENTKEY` | ⚪ | Path to client key file for mTLS | DD_REGISTRY_ARTIFACTORY_\{REGISTRY_NAME\}_CLIENTCERT must be defined | |
+
+## Examples
+
+### Configure with credentials
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_ARTIFACTORY_PRIVATE_URL=https://artifactory.acme.com
+      - DD_REGISTRY_ARTIFACTORY_PRIVATE_LOGIN=john
+      - DD_REGISTRY_ARTIFACTORY_PRIVATE_PASSWORD=doe
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e "DD_REGISTRY_ARTIFACTORY_PRIVATE_URL=https://artifactory.acme.com" \
+  -e "DD_REGISTRY_ARTIFACTORY_PRIVATE_LOGIN=john" \
+  -e "DD_REGISTRY_ARTIFACTORY_PRIVATE_PASSWORD=doe" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
diff --git a/content/docs/v1.4/configuration/registries/artifactory/meta.json b/content/docs/v1.4/configuration/registries/artifactory/meta.json
new file mode 100644
index 000000000..a576383ac
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/artifactory/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Artifactory",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/registries/codeberg/index.mdx b/content/docs/v1.4/configuration/registries/codeberg/index.mdx
new file mode 100644
index 000000000..7c73c87ef
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/codeberg/index.mdx
@@ -0,0 +1,50 @@
+---
+title: "Codeberg"
+description: "The codeberg registry lets you configure Codeberg Container Registry integration."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+The `codeberg` registry lets you configure [Codeberg Container Registry](https://codeberg.org/) integration.
+
+Drydock automatically detects Codeberg registries by matching `codeberg.org` hostnames. Public images work out of the box with no configuration.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_REGISTRY_CODEBERG_{REGISTRY_NAME}_LOGIN` | ⚪ | Codeberg username | DD_REGISTRY_CODEBERG_\{REGISTRY_NAME\}_PASSWORD must be defined | |
+| `DD_REGISTRY_CODEBERG_{REGISTRY_NAME}_PASSWORD` | ⚪ | Codeberg password or personal access token | DD_REGISTRY_CODEBERG_\{REGISTRY_NAME\}_LOGIN must be defined | |
+| `DD_REGISTRY_CODEBERG_{REGISTRY_NAME}_AUTH` | ⚪ | Base64-encoded `login:password` string | DD_REGISTRY_CODEBERG_\{REGISTRY_NAME\}_LOGIN/PASSWORD must not be defined | |
+
+<Callout type="info">Codeberg public images are supported without any authentication configuration.</Callout>
+
+## Examples
+
+### Configure for private images
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_CODEBERG_PRIVATE_LOGIN=john
+      - DD_REGISTRY_CODEBERG_PRIVATE_PASSWORD=xxxxx
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e "DD_REGISTRY_CODEBERG_PRIVATE_LOGIN=john" \
+  -e "DD_REGISTRY_CODEBERG_PRIVATE_PASSWORD=xxxxx" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
diff --git a/content/docs/v1.4/configuration/registries/codeberg/meta.json b/content/docs/v1.4/configuration/registries/codeberg/meta.json
new file mode 100644
index 000000000..ddb593e6b
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/codeberg/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Codeberg",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/registries/custom/index.mdx b/content/docs/v1.4/configuration/registries/custom/index.mdx
new file mode 100644
index 000000000..cb34f5f63
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/custom/index.mdx
@@ -0,0 +1,114 @@
+---
+title: "CUSTOM (Self-hosted Docker Registry)"
+description: "The custom registry lets you configure a self-hosted Docker Registry integration."
+---
+
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+![logo](/docs/assets/configuration/registries/custom/custom.png)
+
+The `custom` registry lets you configure a self-hosted [Docker Registry](https://distribution.github.io/distribution/) integration.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_REGISTRY_CUSTOM_{REGISTRY_NAME}_URL` | 🔴 | Registry URL (e.g. `http://localhost:5000`) | | |
+| `DD_REGISTRY_CUSTOM_{REGISTRY_NAME}_LOGIN` | ⚪ | Login (when htpasswd auth is enabled on the registry) | DD_REGISTRY_CUSTOM_\{REGISTRY_NAME\}_PASSWORD must be defined | |
+| `DD_REGISTRY_CUSTOM_{REGISTRY_NAME}_PASSWORD` | ⚪ | Password (when htpasswd auth is enabled on the registry) | DD_REGISTRY_CUSTOM_\{REGISTRY_NAME\}_LOGIN must be defined | |
+| `DD_REGISTRY_CUSTOM_{REGISTRY_NAME}_AUTH` | ⚪ | Base64-encoded `login:password` string | DD_REGISTRY_CUSTOM_\{REGISTRY_NAME\}_LOGIN/PASSWORD must not be defined | |
+| `DD_REGISTRY_CUSTOM_{REGISTRY_NAME}_CAFILE` | ⚪ | Path to custom CA certificate file | | |
+| `DD_REGISTRY_CUSTOM_{REGISTRY_NAME}_INSECURE` | ⚪ | Allow insecure (non-TLS) connections | `true`, `false` | `false` |
+| `DD_REGISTRY_CUSTOM_{REGISTRY_NAME}_CLIENTCERT` | ⚪ | Path to client certificate file for mTLS | | |
+| `DD_REGISTRY_CUSTOM_{REGISTRY_NAME}_CLIENTKEY` | ⚪ | Path to client key file for mTLS | DD_REGISTRY_CUSTOM_\{REGISTRY_NAME\}_CLIENTCERT must be defined | |
+
+## Examples
+
+### Configure for anonymous access
+
+<Tabs items={["Docker Compose (Anonymous)", "Docker (Anonymous)"]}>
+<Tab value="Docker Compose (Anonymous)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_CUSTOM_PRIVATE_URL=http://localhost:5000
+```
+
+</Tab>
+<Tab value="Docker (Anonymous)">
+```bash
+docker run \
+  -e "DD_REGISTRY_CUSTOM_PRIVATE_URL=http://localhost:5000" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### Configure [for Basic Auth](https://distribution.github.io/distribution/about/configuration/#htpasswd)
+
+<Tabs items={["Docker Compose (Basic Auth)", "Docker (Basic Auth)"]}>
+<Tab value="Docker Compose (Basic Auth)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_CUSTOM_PRIVATE_URL=http://localhost:5000
+      - DD_REGISTRY_CUSTOM_PRIVATE_LOGIN=john
+      - DD_REGISTRY_CUSTOM_PRIVATE_PASSWORD=doe
+```
+
+</Tab>
+<Tab value="Docker (Basic Auth)">
+```bash
+docker run \
+  -e "DD_REGISTRY_CUSTOM_PRIVATE_URL=http://localhost:5000" \
+  -e "DD_REGISTRY_CUSTOM_PRIVATE_LOGIN=john" \
+  -e "DD_REGISTRY_CUSTOM_PRIVATE_PASSWORD=doe" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### Configure multiple custom registries
+
+<Tabs items={["Docker Compose (Multiple Registries)", "Docker (Multiple Registries)"]}>
+<Tab value="Docker Compose (Multiple Registries)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_CUSTOM_PRIVATE1_URL=http://localhost:5000
+      - DD_REGISTRY_CUSTOM_PRIVATE1_LOGIN=john
+      - DD_REGISTRY_CUSTOM_PRIVATE1_PASSWORD=doe
+      - DD_REGISTRY_CUSTOM_PRIVATE2_URL=http://localhost:5001
+      - DD_REGISTRY_CUSTOM_PRIVATE2_LOGIN=jane
+      - DD_REGISTRY_CUSTOM_PRIVATE2_PASSWORD=doe
+```
+
+</Tab>
+<Tab value="Docker (Multiple Registries)">
+```bash
+docker run \
+  -e "DD_REGISTRY_CUSTOM_PRIVATE1_URL=http://localhost:5000" \
+  -e "DD_REGISTRY_CUSTOM_PRIVATE1_LOGIN=john" \
+  -e "DD_REGISTRY_CUSTOM_PRIVATE1_PASSWORD=doe" \
+  -e "DD_REGISTRY_CUSTOM_PRIVATE2_URL=http://localhost:5001" \
+  -e "DD_REGISTRY_CUSTOM_PRIVATE2_LOGIN=jane" \
+  -e "DD_REGISTRY_CUSTOM_PRIVATE2_PASSWORD=doe" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
diff --git a/content/docs/v1.4/configuration/registries/custom/meta.json b/content/docs/v1.4/configuration/registries/custom/meta.json
new file mode 100644
index 000000000..b277c1516
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/custom/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Custom",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/registries/dhi/index.mdx b/content/docs/v1.4/configuration/registries/dhi/index.mdx
new file mode 100644
index 000000000..5dc5670f1
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/dhi/index.mdx
@@ -0,0 +1,79 @@
+---
+title: "DHI (Docker Hardened Images)"
+description: "The dhi registry lets you configure Docker Hardened Images integration."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+The `dhi` registry lets you configure [Docker Hardened Images](https://docs.docker.com/dhi/get-started/) integration.
+
+Supported credentials:
+
+- Docker ID login + password/access token
+- Base64 auth string (`login:password`), like `.docker/config.json`
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_REGISTRY_DHI_{REGISTRY_NAME}_LOGIN` | ⚪ | Docker ID login | Required with `PASSWORD` or `TOKEN` | |
+| `DD_REGISTRY_DHI_{REGISTRY_NAME}_PASSWORD` | ⚪ | Docker ID password or access token | `DD_REGISTRY_DHI_{REGISTRY_NAME}_LOGIN` must be defined | |
+| `DD_REGISTRY_DHI_{REGISTRY_NAME}_TOKEN` | ⚪ | Access token (alternative to `PASSWORD`) | `DD_REGISTRY_DHI_{REGISTRY_NAME}_LOGIN` must be defined | |
+| `DD_REGISTRY_DHI_{REGISTRY_NAME}_AUTH` | ⚪ | Base64 auth string (`login:password`) | Cannot be combined with `LOGIN`/`PASSWORD`/`TOKEN` | |
+
+<Callout type="warn">Registry auth now fails closed for invalid combinations. `LOGIN` must be paired with `PASSWORD` (or `TOKEN` alias), and `AUTH` cannot be combined with `LOGIN`/`PASSWORD`/`TOKEN`.</Callout>
+
+## Examples
+
+### Configure with login/password
+
+<Tabs items={["Docker Compose (Login/Password)", "Docker (Login/Password)"]}>
+<Tab value="Docker Compose (Login/Password)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_DHI_PUBLIC_LOGIN=mydockerid
+      - DD_REGISTRY_DHI_PUBLIC_PASSWORD=my-token-or-password
+```
+
+</Tab>
+<Tab value="Docker (Login/Password)">
+```bash
+docker run \
+  -e DD_REGISTRY_DHI_PUBLIC_LOGIN="mydockerid" \
+  -e DD_REGISTRY_DHI_PUBLIC_PASSWORD="my-token-or-password" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### Configure with base64 auth string
+
+<Tabs items={["Docker Compose (Base64 Auth)", "Docker (Base64 Auth)"]}>
+<Tab value="Docker Compose (Base64 Auth)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_DHI_PUBLIC_AUTH=bXlkb2NrZXJpZDpteS10b2tlbi1vci1wYXNzd29yZA==
+```
+
+</Tab>
+<Tab value="Docker (Base64 Auth)">
+```bash
+docker run \
+  -e DD_REGISTRY_DHI_PUBLIC_AUTH="bXlkb2NrZXJpZDpteS10b2tlbi1vci1wYXNzd29yZA==" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
diff --git a/content/docs/v1.4/configuration/registries/dhi/meta.json b/content/docs/v1.4/configuration/registries/dhi/meta.json
new file mode 100644
index 000000000..daa8ecec6
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/dhi/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "DHI",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/registries/docr/index.mdx b/content/docs/v1.4/configuration/registries/docr/index.mdx
new file mode 100644
index 000000000..c519f710a
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/docr/index.mdx
@@ -0,0 +1,98 @@
+---
+title: "DOCR (DigitalOcean Container Registry)"
+description: "The docr registry lets you configure DigitalOcean Container Registry integration."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+The `docr` registry lets you configure [DigitalOcean Container Registry](https://docs.digitalocean.com/products/container-registry/) integration.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_REGISTRY_DOCR_{REGISTRY_NAME}_TOKEN` | ⚪ | DigitalOcean API token (recommended) | | |
+| `DD_REGISTRY_DOCR_{REGISTRY_NAME}_LOGIN` | ⚪ | Registry username for basic auth | | `doctl` when `TOKEN` is set |
+| `DD_REGISTRY_DOCR_{REGISTRY_NAME}_PASSWORD` | ⚪ | Registry password for basic auth | | |
+| `DD_REGISTRY_DOCR_{REGISTRY_NAME}_AUTH` | ⚪ | Base64 encoded `login:password` credential | Valid base64 string | |
+
+<Callout type="info">`TOKEN` is a convenience alias. drydock maps it to basic auth automatically.</Callout>
+<Callout type="info">The DOCR endpoint is fixed to `https://registry.digitalocean.com`.</Callout>
+
+## Examples
+
+### Configure with API token
+
+<Tabs items={["Docker Compose (API Token)", "Docker (API Token)"]}>
+<Tab value="Docker Compose (API Token)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_DOCR_PRIVATE_TOKEN=dop_v1_xxxxxxxxxxxxx
+```
+
+</Tab>
+<Tab value="Docker (API Token)">
+```bash
+docker run \
+  -e "DD_REGISTRY_DOCR_PRIVATE_TOKEN=dop_v1_xxxxxxxxxxxxx" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### Configure with explicit basic auth
+
+<Tabs items={["Docker Compose (Basic Auth)", "Docker (Basic Auth)"]}>
+<Tab value="Docker Compose (Basic Auth)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_DOCR_PRIVATE_LOGIN=doctl
+      - DD_REGISTRY_DOCR_PRIVATE_PASSWORD=dop_v1_xxxxxxxxxxxxx
+```
+
+</Tab>
+<Tab value="Docker (Basic Auth)">
+```bash
+docker run \
+  -e "DD_REGISTRY_DOCR_PRIVATE_LOGIN=doctl" \
+  -e "DD_REGISTRY_DOCR_PRIVATE_PASSWORD=dop_v1_xxxxxxxxxxxxx" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### Configure with `AUTH` from `~/.docker/config.json`
+
+If your Docker config has:
+
+```json
+{
+  "auths": {
+    "registry.digitalocean.com": {
+      "auth": "ZG9jdGw6ZG9wX3YxX3h4eHh4eHh4eHh4"
+    }
+  }
+}
+```
+
+use:
+
+```bash
+docker run \
+  -e "DD_REGISTRY_DOCR_PRIVATE_AUTH=ZG9jdGw6ZG9wX3YxX3h4eHh4eHh4eHh4" \
+  ...
+  codeswhat/drydock
+```
diff --git a/content/docs/v1.4/configuration/registries/docr/meta.json b/content/docs/v1.4/configuration/registries/docr/meta.json
new file mode 100644
index 000000000..6ba2fad39
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/docr/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "DOCR",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/registries/ecr/index.mdx b/content/docs/v1.4/configuration/registries/ecr/index.mdx
new file mode 100644
index 000000000..38faf181b
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/ecr/index.mdx
@@ -0,0 +1,64 @@
+---
+title: "ECR (Amazon Elastic Container Registry)"
+description: "The ecr registry lets you configure ECR integration."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+![logo](/docs/assets/configuration/registries/ecr/ecr.png)
+
+The `ecr` registry lets you configure [ECR](https://aws.amazon.com/ecr/) integration.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_REGISTRY_ECR_{REGISTRY_NAME}_ACCESSKEYID` | ⚪ | A valid AWS Access Key Id (required for private images) | [Standard AWS Credentials](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html) | |
+| `DD_REGISTRY_ECR_{REGISTRY_NAME}_SECRETACCESSKEY` | ⚪ | A valid AWS Secret Access Key (required for private images) | [Standard AWS Credentials](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html) | |
+| `DD_REGISTRY_ECR_{REGISTRY_NAME}_REGION` | ⚪ | A valid AWS Region Code (required for private images) | [AWS Region list](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints) | |
+
+<Callout type="warn">The AmazonEC2ContainerRegistryReadOnly Policy (or higher) must be attached to the AWS IAM User.</Callout>
+
+## Examples
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_ECR_PRIVATE_ACCESSKEYID=xxx
+      - DD_REGISTRY_ECR_PRIVATE_SECRETACCESSKEY=xxx
+      - DD_REGISTRY_ECR_PRIVATE_REGION=eu-west-1 
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e DD_REGISTRY_ECR_PRIVATE_ACCESSKEYID="xxx" \
+  -e DD_REGISTRY_ECR_PRIVATE_SECRETACCESSKEY="xxx" \
+  -e DD_REGISTRY_ECR_PRIVATE_REGION="eu-west-1" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+## How to create an AWS IAM user and get programmatic access
+
+### 1. Login to your&nbsp;[Go to the IAM Service from your AWS Console](https://console.aws.amazon.com/iam) and create a new user
+
+![image](/docs/assets/configuration/registries/ecr/ecr_01.png)
+
+### 2. Attach the AmazonEC2ContainerRegistryReadOnly policy to the user
+
+![image](/docs/assets/configuration/registries/ecr/ecr_02.png)
+
+### 3. Get your AccessKeyId and your Secret Access Key and configure drydock with them
+
+![image](/docs/assets/configuration/registries/ecr/ecr_03.png)
diff --git a/content/docs/v1.4/configuration/registries/ecr/meta.json b/content/docs/v1.4/configuration/registries/ecr/meta.json
new file mode 100644
index 000000000..b4e4a3563
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/ecr/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "ECR",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/registries/forgejo/index.mdx b/content/docs/v1.4/configuration/registries/forgejo/index.mdx
new file mode 100644
index 000000000..8323e77fc
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/forgejo/index.mdx
@@ -0,0 +1,54 @@
+---
+title: "FORGEJO"
+description: "The forgejo registry lets you configure a self-hosted Forgejo integration."
+---
+
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+![logo](/docs/assets/configuration/registries/forgejo/forgejo.png)
+
+The `forgejo` registry lets you configure a self-hosted [Forgejo](https://forgejo.org/) integration.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_REGISTRY_FORGEJO_{REGISTRY_NAME}_URL` | 🔴 | Registry URL (e.g. `https://forgejo.acme.com`) | | |
+| `DD_REGISTRY_FORGEJO_{REGISTRY_NAME}_LOGIN` | ⚪ | Forgejo username | DD_REGISTRY_FORGEJO_\{REGISTRY_NAME\}_PASSWORD must be defined | |
+| `DD_REGISTRY_FORGEJO_{REGISTRY_NAME}_PASSWORD` | ⚪ | Forgejo password or personal access token | DD_REGISTRY_FORGEJO_\{REGISTRY_NAME\}_LOGIN must be defined | |
+| `DD_REGISTRY_FORGEJO_{REGISTRY_NAME}_AUTH` | ⚪ | Base64-encoded `login:password` string | DD_REGISTRY_FORGEJO_\{REGISTRY_NAME\}_LOGIN/PASSWORD must not be defined | |
+| `DD_REGISTRY_FORGEJO_{REGISTRY_NAME}_CAFILE` | ⚪ | Path to custom CA certificate file | | |
+| `DD_REGISTRY_FORGEJO_{REGISTRY_NAME}_INSECURE` | ⚪ | Allow insecure (non-TLS) connections | `true`, `false` | `false` |
+| `DD_REGISTRY_FORGEJO_{REGISTRY_NAME}_CLIENTCERT` | ⚪ | Path to client certificate file for mTLS | | |
+| `DD_REGISTRY_FORGEJO_{REGISTRY_NAME}_CLIENTKEY` | ⚪ | Path to client key file for mTLS | DD_REGISTRY_FORGEJO_\{REGISTRY_NAME\}_CLIENTCERT must be defined | |
+
+## Examples
+
+### Configure
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_FORGEJO_PRIVATE_URL=https://forgejo.acme.com
+      - DD_REGISTRY_FORGEJO_PRIVATE_LOGIN=john
+      - DD_REGISTRY_FORGEJO_PRIVATE_PASSWORD=doe
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e "DD_REGISTRY_FORGEJO_PRIVATE_URL=https://forgejo.acme.com" \
+  -e "DD_REGISTRY_FORGEJO_PRIVATE_LOGIN=john" \
+  -e "DD_REGISTRY_FORGEJO_PRIVATE_PASSWORD=doe" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
diff --git a/content/docs/v1.4/configuration/registries/forgejo/meta.json b/content/docs/v1.4/configuration/registries/forgejo/meta.json
new file mode 100644
index 000000000..aef60d773
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/forgejo/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Forgejo",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/registries/gar/index.mdx b/content/docs/v1.4/configuration/registries/gar/index.mdx
new file mode 100644
index 000000000..57cc348ef
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/gar/index.mdx
@@ -0,0 +1,44 @@
+---
+title: "GAR (Google Artifact Registry)"
+description: "The gar registry lets you configure Google Artifact Registry integration."
+---
+
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+The `gar` registry lets you configure [Google Artifact Registry](https://cloud.google.com/artifact-registry) integration for container registries under `*-docker.pkg.dev`.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_REGISTRY_GAR_{REGISTRY_NAME}_CLIENTEMAIL` | ⚪ | Service Account Client Email (required for private images access) | See [Service Account credentials](https://cloud.google.com/iam/docs/keys-create-delete) | |
+| `DD_REGISTRY_GAR_{REGISTRY_NAME}_PRIVATEKEY` | ⚪ | Service Account Private Key (required for private images access) | See [Service Account credentials](https://cloud.google.com/iam/docs/keys-create-delete) | |
+
+## Examples
+
+### Configure for authenticated access
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_GAR_PRIVATE_CLIENTEMAIL=johndoe@myproject.iam.gserviceaccount.com
+      - DD_REGISTRY_GAR_PRIVATE_PRIVATEKEY=-----BEGIN PRIVATE KEY-----xxxxxxxxxxx\n-----END PRIVATE KEY-----\n
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e DD_REGISTRY_GAR_PRIVATE_CLIENTEMAIL="johndoe@myproject.iam.gserviceaccount.com" \
+  -e DD_REGISTRY_GAR_PRIVATE_PRIVATEKEY="-----BEGIN PRIVATE KEY-----xxxxxxxxxxx\n-----END PRIVATE KEY-----\n" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
diff --git a/content/docs/v1.4/configuration/registries/gar/meta.json b/content/docs/v1.4/configuration/registries/gar/meta.json
new file mode 100644
index 000000000..b6c225166
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/gar/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "GAR",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/registries/gcr/index.mdx b/content/docs/v1.4/configuration/registries/gcr/index.mdx
new file mode 100644
index 000000000..cda87d5d5
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/gcr/index.mdx
@@ -0,0 +1,67 @@
+---
+title: "GCR (Google Container Registry)"
+description: "The gcr registry lets you configure GCR integration. GCR was shut down by Google in 2025 — consider using GAR instead."
+---
+
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+import { Callout } from 'fumadocs-ui/components/callout';
+
+![logo](/docs/assets/configuration/registries/gcr/gcr.png)
+
+<Callout type="warn">
+**Google Container Registry was shut down in 2025.** All `gcr.io` traffic is now transparently served by [Google Artifact Registry (GAR)](/docs/configuration/registries/gar). The drydock GCR provider still functions because `gcr.io` endpoints redirect to Artifact Registry, but new projects should use the [GAR provider](/docs/configuration/registries/gar) instead.
+</Callout>
+
+The `gcr` registry lets you configure [GCR](https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr) integration.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_REGISTRY_GCR_{REGISTRY_NAME}_CLIENTEMAIL` | ⚪ | Service Account Client Email (required for private images access) | See [Service Account credentials](https://cloud.google.com/container-registry/docs/advanced-authentication#json-key) | |
+| `DD_REGISTRY_GCR_{REGISTRY_NAME}_PRIVATEKEY` | ⚪ | Service Account Private Key (required for private images access) | See [Service Account credentials](https://cloud.google.com/container-registry/docs/advanced-authentication#json-key) | |
+
+## Examples
+
+### Configure for authenticated access
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_GCR_PRIVATE_CLIENTEMAIL=johndoe@mysuperproject.iam.gserviceaccount.com
+      - DD_REGISTRY_GCR_PRIVATE_PRIVATEKEY=-----BEGIN PRIVATE KEY-----xxxxxxxxxxx\n-----END PRIVATE KEY-----\n 
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e DD_REGISTRY_GCR_PRIVATE_CLIENTEMAIL="johndoe@mysuperproject.iam.gserviceaccount.com" \
+  -e DD_REGISTRY_GCR_PRIVATE_PRIVATEKEY="-----BEGIN PRIVATE KEY-----xxxxxxxxxxx\n-----END PRIVATE KEY-----\n" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+## How to create a Service Account on Google Cloud Platform
+
+### 1. Go to the&nbsp;[Service Account page](https://console.cloud.google.com/iam-admin/serviceaccounts)
+
+### 2. Create a new Service Account
+
+### 3. Add the Container Registry Service Role
+
+### 4. Save the Service Account
+
+### 5. Create a new key for the newly created Service Account
+
+### 6. Download the keyfile JSON file and store it securely
+
+### 7. Open the JSON file, get the client_email and private_key values and configure drydock with them
diff --git a/content/docs/v1.4/configuration/registries/gcr/meta.json b/content/docs/v1.4/configuration/registries/gcr/meta.json
new file mode 100644
index 000000000..1a4bbed84
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/gcr/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "GCR",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/registries/ghcr/index.mdx b/content/docs/v1.4/configuration/registries/ghcr/index.mdx
new file mode 100644
index 000000000..e8cb976d7
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/ghcr/index.mdx
@@ -0,0 +1,67 @@
+---
+title: "GHCR (Github Container Registry)"
+description: "The ghcr registry lets you configure GitHub Container Registry integration."
+---
+
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+![logo](/docs/assets/configuration/registries/ghcr/github.png)
+
+The `ghcr` registry lets you configure [GHCR](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-docker-registry) integration.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_REGISTRY_GHCR_{REGISTRY_NAME}_USERNAME` | ⚪ | Github username | | |
+| `DD_REGISTRY_GHCR_{REGISTRY_NAME}_TOKEN` | ⚪ | Github token | Github password or Github Personal Token | |
+
+## Auth behavior
+
+- Public images work without credentials.
+- If credentials are configured but GHCR rejects them (`401`/`403`), drydock retries the token exchange anonymously for public image checks and logs a warning.
+- Private images still require valid credentials and continue to fail closed when anonymous access is not allowed.
+
+## Examples
+
+### Configure to access private images
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_GHCR_PRIVATE_USERNAME=john@doe
+      - DD_REGISTRY_GHCR_PRIVATE_TOKEN=xxxxx 
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e DD_REGISTRY_GHCR_PRIVATE_USERNAME="john@doe" \
+  -e DD_REGISTRY_GHCR_PRIVATE_TOKEN="xxxxx" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+## How to create a Github Personal Token
+
+### Go to your Github settings and open the Personal Access Token tab
+
+[Open GitHub Personal Access Tokens](https://github.com/settings/tokens)
+
+### Click on `Generate new token`
+
+Choose an expiration time & appropriate scopes (`read:packages` is only needed for drydock) and generate.
+![image](/docs/assets/configuration/registries/ghcr/ghcr_01.png)
+
+### Copy the token & use it as the DD_REGISTRY_GHCR_\{REGISTRY_NAME\}_TOKEN value
+
+![image](/docs/assets/configuration/registries/ghcr/ghcr_02.png)
diff --git a/content/docs/v1.4/configuration/registries/ghcr/meta.json b/content/docs/v1.4/configuration/registries/ghcr/meta.json
new file mode 100644
index 000000000..1607e0b84
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/ghcr/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "GHCR",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/registries/gitea/index.mdx b/content/docs/v1.4/configuration/registries/gitea/index.mdx
new file mode 100644
index 000000000..762292d1b
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/gitea/index.mdx
@@ -0,0 +1,54 @@
+---
+title: "GITEA"
+description: "The gitea registry lets you configure a self-hosted Gitea integration."
+---
+
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+![logo](/docs/assets/configuration/registries/gitea/gitea.png)
+
+The `gitea` registry lets you configure a self-hosted [Gitea](https://gitea.com) integration.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_REGISTRY_GITEA_{REGISTRY_NAME}_URL` | 🔴 | Registry URL (e.g. `https://gitea.acme.com`) | | |
+| `DD_REGISTRY_GITEA_{REGISTRY_NAME}_LOGIN` | ⚪ | Gitea username | DD_REGISTRY_GITEA_\{REGISTRY_NAME\}_PASSWORD must be defined | |
+| `DD_REGISTRY_GITEA_{REGISTRY_NAME}_PASSWORD` | ⚪ | Gitea password or personal access token | DD_REGISTRY_GITEA_\{REGISTRY_NAME\}_LOGIN must be defined | |
+| `DD_REGISTRY_GITEA_{REGISTRY_NAME}_AUTH` | ⚪ | Base64-encoded `login:password` string | DD_REGISTRY_GITEA_\{REGISTRY_NAME\}_LOGIN/PASSWORD must not be defined | |
+| `DD_REGISTRY_GITEA_{REGISTRY_NAME}_CAFILE` | ⚪ | Path to custom CA certificate file | | |
+| `DD_REGISTRY_GITEA_{REGISTRY_NAME}_INSECURE` | ⚪ | Allow insecure (non-TLS) connections | `true`, `false` | `false` |
+| `DD_REGISTRY_GITEA_{REGISTRY_NAME}_CLIENTCERT` | ⚪ | Path to client certificate file for mTLS | | |
+| `DD_REGISTRY_GITEA_{REGISTRY_NAME}_CLIENTKEY` | ⚪ | Path to client key file for mTLS | DD_REGISTRY_GITEA_\{REGISTRY_NAME\}_CLIENTCERT must be defined | |
+
+## Examples
+
+### Configure
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_GITEA_PRIVATE_URL=https://gitea.acme.com
+      - DD_REGISTRY_GITEA_PRIVATE_LOGIN=john
+      - DD_REGISTRY_GITEA_PRIVATE_PASSWORD=doe
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e "DD_REGISTRY_GITEA_PRIVATE_URL=https://gitea.acme.com/" \
+  -e "DD_REGISTRY_GITEA_PRIVATE_LOGIN=john" \
+  -e "DD_REGISTRY_GITEA_PRIVATE_PASSWORD=doe" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
diff --git a/content/docs/v1.4/configuration/registries/gitea/meta.json b/content/docs/v1.4/configuration/registries/gitea/meta.json
new file mode 100644
index 000000000..5565655c5
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/gitea/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Gitea",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/registries/gitlab/index.mdx b/content/docs/v1.4/configuration/registries/gitlab/index.mdx
new file mode 100644
index 000000000..49decb9b2
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/gitlab/index.mdx
@@ -0,0 +1,89 @@
+---
+title: "GITLAB (Gitlab Container Registry)"
+description: "The gitlab registry lets you configure GITLAB integration."
+---
+
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+![logo](/docs/assets/configuration/registries/gitlab/gitlab.png)
+
+The `gitlab` registry lets you configure [GITLAB](https://docs.gitlab.com/ee/user/packages/container_registry/) integration.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_REGISTRY_GITLAB_{REGISTRY_NAME}_TOKEN` | 🔴 | Gitlab Personal Access Token | | |
+| `DD_REGISTRY_GITLAB_{REGISTRY_NAME}_URL` | ⚪ | Gitlab Registry base url | | `https://registry.gitlab.com` |
+| `DD_REGISTRY_GITLAB_{REGISTRY_NAME}_AUTHURL` | ⚪ | Gitlab Authentication base url | | `https://gitlab.com` |
+
+## Examples
+
+### Configure to access images from gitlab.com
+
+<Tabs items={["Docker Compose (gitlab.com)", "Docker (gitlab.com)"]}>
+<Tab value="Docker Compose (gitlab.com)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_GITLAB_PUBLIC_TOKEN=xxxxx
+```
+
+</Tab>
+<Tab value="Docker (gitlab.com)">
+```bash
+docker run \
+  -e DD_REGISTRY_GITLAB_PUBLIC_TOKEN="xxxxx" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### Configure to access images from self hosted gitlab instance
+
+<Tabs items={["Docker Compose (Self-Hosted)", "Docker (Self-Hosted)"]}>
+<Tab value="Docker Compose (Self-Hosted)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_GITLAB_PRIVATE_URL=https://registry.mygitlab.acme.com
+      - DD_REGISTRY_GITLAB_PRIVATE_AUTHURL=https://mygitlab.acme.com
+      - DD_REGISTRY_GITLAB_PRIVATE_TOKEN=xxxxx
+```
+
+</Tab>
+<Tab value="Docker (Self-Hosted)">
+```bash
+docker run \
+  -e DD_REGISTRY_GITLAB_PRIVATE_URL="https://registry.mygitlab.acme.com"
+  -e DD_REGISTRY_GITLAB_PRIVATE_AUTHURL="https://mygitlab.acme.com"
+  -e DD_REGISTRY_GITLAB_PRIVATE_TOKEN="xxxxx" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+## How to create a Gitlab Personal Access Token
+
+### Go to your Gitlab settings and open the Personal Access Token page
+
+[Open GitLab Personal Access Tokens](https://gitlab.com/-/profile/personal_access_tokens)
+
+### Enter the details of the token to be created
+
+Choose an expiration time & appropriate scopes (`read_registry` is only needed for drydock) and generate.
+![image](/docs/assets/configuration/registries/gitlab/gitlab_01.png)
+
+### Copy the token & use it as the DD_REGISTRY_GITLAB_TOKEN value
+
+![image](/docs/assets/configuration/registries/gitlab/gitlab_02.png)
diff --git a/content/docs/v1.4/configuration/registries/gitlab/meta.json b/content/docs/v1.4/configuration/registries/gitlab/meta.json
new file mode 100644
index 000000000..4df57afe8
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/gitlab/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "GitLab",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/registries/harbor/index.mdx b/content/docs/v1.4/configuration/registries/harbor/index.mdx
new file mode 100644
index 000000000..5b0cec3d0
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/harbor/index.mdx
@@ -0,0 +1,79 @@
+---
+title: "HARBOR"
+description: "The harbor registry lets you configure a self-hosted Harbor integration."
+---
+
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+![logo](/docs/assets/configuration/registries/harbor/harbor.png)
+
+The `harbor` registry lets you configure a self-hosted [Harbor](https://goharbor.io/) integration.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_REGISTRY_HARBOR_{REGISTRY_NAME}_URL` | 🔴 | Registry URL (e.g. `https://harbor.acme.com`) | | |
+| `DD_REGISTRY_HARBOR_{REGISTRY_NAME}_LOGIN` | ⚪ | Harbor username | DD_REGISTRY_HARBOR_\{REGISTRY_NAME\}_PASSWORD must be defined | |
+| `DD_REGISTRY_HARBOR_{REGISTRY_NAME}_PASSWORD` | ⚪ | Harbor password | DD_REGISTRY_HARBOR_\{REGISTRY_NAME\}_LOGIN must be defined | |
+| `DD_REGISTRY_HARBOR_{REGISTRY_NAME}_AUTH` | ⚪ | Base64 encoded `login:password` string | DD_REGISTRY_HARBOR_\{REGISTRY_NAME\}_LOGIN/PASSWORD must not be defined | |
+| `DD_REGISTRY_HARBOR_{REGISTRY_NAME}_CAFILE` | ⚪ | Path to custom CA certificate file | | |
+| `DD_REGISTRY_HARBOR_{REGISTRY_NAME}_INSECURE` | ⚪ | Allow insecure (non-TLS) connections | `true`, `false` | `false` |
+| `DD_REGISTRY_HARBOR_{REGISTRY_NAME}_CLIENTCERT` | ⚪ | Path to client certificate file for mTLS | | |
+| `DD_REGISTRY_HARBOR_{REGISTRY_NAME}_CLIENTKEY` | ⚪ | Path to client key file for mTLS | DD_REGISTRY_HARBOR_\{REGISTRY_NAME\}_CLIENTCERT must be defined | |
+
+## Examples
+
+### Configure for anonymous access
+
+<Tabs items={["Docker Compose (Anonymous)", "Docker (Anonymous)"]}>
+<Tab value="Docker Compose (Anonymous)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_HARBOR_PRIVATE_URL=https://harbor.acme.com
+```
+
+</Tab>
+<Tab value="Docker (Anonymous)">
+```bash
+docker run \
+  -e "DD_REGISTRY_HARBOR_PRIVATE_URL=https://harbor.acme.com" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### Configure with credentials
+
+<Tabs items={["Docker Compose (Basic Auth)", "Docker (Basic Auth)"]}>
+<Tab value="Docker Compose (Basic Auth)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_HARBOR_PRIVATE_URL=https://harbor.acme.com
+      - DD_REGISTRY_HARBOR_PRIVATE_LOGIN=john
+      - DD_REGISTRY_HARBOR_PRIVATE_PASSWORD=doe
+```
+
+</Tab>
+<Tab value="Docker (Basic Auth)">
+```bash
+docker run \
+  -e "DD_REGISTRY_HARBOR_PRIVATE_URL=https://harbor.acme.com" \
+  -e "DD_REGISTRY_HARBOR_PRIVATE_LOGIN=john" \
+  -e "DD_REGISTRY_HARBOR_PRIVATE_PASSWORD=doe" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
diff --git a/content/docs/v1.4/configuration/registries/harbor/meta.json b/content/docs/v1.4/configuration/registries/harbor/meta.json
new file mode 100644
index 000000000..5adb592e8
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/harbor/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Harbor",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/registries/hub/index.mdx b/content/docs/v1.4/configuration/registries/hub/index.mdx
new file mode 100644
index 000000000..a3dfa3610
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/hub/index.mdx
@@ -0,0 +1,110 @@
+---
+title: "HUB (Docker Hub incl private repositories)"
+description: "The hub registry lets you configure Docker Hub integration."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+![logo](/docs/assets/configuration/registries/hub/docker.png)
+
+The `hub` registry lets you configure [Docker Hub](https://hub.docker.com/) integration.
+
+Currently, the supported credentials are:
+
+- Docker Hub auth + Docker Hub Access Token
+- Docker Base64 credentials (like in [.docker/config.json](https://docs.docker.com/reference/cli/docker/login/))
+- Docker Hub auth + Docker Hub password (not recommended)
+
+<Callout type="warn">By default, if you don't configure any registries, drydock will configure a default one with anonymous access.
+Don't forget to configure authentication if you're using [Docker Hub Private Repositories](https://docs.docker.com/docker-hub/repos/#private-repositories).</Callout>
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_REGISTRY_HUB_{REGISTRY_NAME}_LOGIN` | ⚪ | A valid Docker Hub Login (required with `PASSWORD` or `TOKEN`) | Docker Hub username | |
+| `DD_REGISTRY_HUB_{REGISTRY_NAME}_PASSWORD` | ⚪ | A valid Docker Hub password or access token (`LOGIN` must be defined) | Docker Hub password or [access token](https://docs.docker.com/security/access-tokens/) | |
+| `DD_REGISTRY_HUB_{REGISTRY_NAME}_TOKEN` | ⚪ | A valid Docker Hub access token, alternative to `PASSWORD` (`LOGIN` must be defined) | Docker Hub [access token](https://docs.docker.com/security/access-tokens/) | |
+| `DD_REGISTRY_HUB_{REGISTRY_NAME}_AUTH` | ⚪ | A valid Docker Hub Base64 Auth String (cannot be combined with `LOGIN`/`PASSWORD`/`TOKEN`) | Base64 encoded `username:password` string | |
+
+<Callout type="warn">Registry auth now fails closed for invalid combinations. `LOGIN` must be paired with `PASSWORD` (or `TOKEN` alias), and `AUTH` cannot be combined with `LOGIN`/`PASSWORD`/`TOKEN`.</Callout>
+
+## Examples
+
+### Configure Authentication using Login/Token
+
+#### 1. Login to your&nbsp;[Docker Hub Account](https://hub.docker.com/)
+
+![image](/docs/assets/configuration/registries/hub/hub_login.png)
+
+#### 2. Go to your&nbsp;[Security Settings](https://hub.docker.com/settings/security)
+
+- Create a new Access Token
+- Copy it and use it as the `DD_REGISTRY_HUB_PUBLIC_TOKEN` value
+
+![image](/docs/assets/configuration/registries/hub/hub_token.png)
+
+<Tabs items={["Docker Compose (Login/Token)", "Docker (Login/Token)"]}>
+<Tab value="Docker Compose (Login/Token)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_HUB_PUBLIC_LOGIN=mylogin
+      - DD_REGISTRY_HUB_PUBLIC_PASSWORD=fb4d5db9-e64d-3648-8846-74d0846e55de
+```
+
+</Tab>
+<Tab value="Docker (Login/Token)">
+```bash
+docker run \
+  -e DD_REGISTRY_HUB_PUBLIC_LOGIN="mylogin"
+  -e DD_REGISTRY_HUB_PUBLIC_PASSWORD="fb4d5db9-e64d-3648-8846-74d0846e55de"
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### Configure Authentication using Base64 encoded credentials
+
+#### 1. Create an Access Token
+
+[See above](/docs/configuration/registries/hub/#configure-authentication-using-logintoken)
+
+#### 2. Encode with Base64
+
+Concatenate `$auth:$password` and [encode with Base64](https://www.base64encode.org/).
+
+For example,
+
+- if your auth is `johndoe`
+- and your password is `2c1bd872-efb6-4f3a-81aa-724518a0a592`
+- the resulting encoded string would be `am9obmRvZToyYzFiZDg3Mi1lZmI2LTRmM2EtODFhYS03MjQ1MThhMGE1OTI=`
+
+<Tabs items={["Docker Compose (Base64 Auth)", "Docker (Base64 Auth)"]}>
+<Tab value="Docker Compose (Base64 Auth)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_HUB_PUBLIC_AUTH=am9obmRvZToyYzFiZDg3Mi1lZmI2LTRmM2EtODFhYS03MjQ1MThhMGE1OTI=
+```
+
+</Tab>
+<Tab value="Docker (Base64 Auth)">
+```bash
+docker run \
+  -e DD_REGISTRY_HUB_PUBLIC_AUTH="am9obmRvZToyYzFiZDg3Mi1lZmI2LTRmM2EtODFhYS03MjQ1MThhMGE1OTI="
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
diff --git a/content/docs/v1.4/configuration/registries/hub/meta.json b/content/docs/v1.4/configuration/registries/hub/meta.json
new file mode 100644
index 000000000..4aa008493
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/hub/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Docker Hub",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/registries/ibmcr/index.mdx b/content/docs/v1.4/configuration/registries/ibmcr/index.mdx
new file mode 100644
index 000000000..f285092e1
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/ibmcr/index.mdx
@@ -0,0 +1,110 @@
+---
+title: "IBMCR (IBM Cloud Container Registry)"
+description: "The ibmcr registry lets you configure IBM Cloud Container Registry integration."
+---
+
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+The `ibmcr` registry lets you configure [IBM Cloud Container Registry](https://cloud.ibm.com/docs/Registry) integration.
+
+Drydock automatically detects IBMCR registries by matching `*.icr.io` hostnames.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_REGISTRY_IBMCR_{REGISTRY_NAME}_APIKEY` | ⚪ | IBM Cloud API key | Automatically sets login to `iamapikey` | |
+| `DD_REGISTRY_IBMCR_{REGISTRY_NAME}_LOGIN` | ⚪ | Registry username | DD_REGISTRY_IBMCR_\{REGISTRY_NAME\}_PASSWORD must be defined | |
+| `DD_REGISTRY_IBMCR_{REGISTRY_NAME}_PASSWORD` | ⚪ | Registry password | DD_REGISTRY_IBMCR_\{REGISTRY_NAME\}_LOGIN must be defined | |
+| `DD_REGISTRY_IBMCR_{REGISTRY_NAME}_AUTH` | ⚪ | Base64-encoded `login:password` string | DD_REGISTRY_IBMCR_\{REGISTRY_NAME\}_LOGIN/PASSWORD/APIKEY must not be defined | |
+
+## Examples
+
+### Configure with an IBM Cloud API key (recommended)
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_IBMCR_PRIVATE_APIKEY=xxxxx
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e "DD_REGISTRY_IBMCR_PRIVATE_APIKEY=xxxxx" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### Configure with login and password
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_IBMCR_PRIVATE_LOGIN=iamapikey
+      - DD_REGISTRY_IBMCR_PRIVATE_PASSWORD=xxxxx
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e "DD_REGISTRY_IBMCR_PRIVATE_LOGIN=iamapikey" \
+  -e "DD_REGISTRY_IBMCR_PRIVATE_PASSWORD=xxxxx" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### Configure with base64 auth
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_IBMCR_PRIVATE_AUTH=aWFtYXBpa2V5Onh4eHh4
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e "DD_REGISTRY_IBMCR_PRIVATE_AUTH=aWFtYXBpa2V5Onh4eHh4" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+## How to create an API key on IBM Cloud
+
+### Go to your IBM Cloud Console
+
+Navigate to **Manage > Access (IAM) > API keys**.
+
+### Create an API key
+
+Click **Create an IBM Cloud API key**, give it a name and description, then copy the generated key.
+
+The API key is the simplest authentication method. When provided, drydock automatically uses `iamapikey` as the login and the API key as the password.
diff --git a/content/docs/v1.4/configuration/registries/ibmcr/meta.json b/content/docs/v1.4/configuration/registries/ibmcr/meta.json
new file mode 100644
index 000000000..572202425
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/ibmcr/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "IBMCR",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/registries/index.mdx b/content/docs/v1.4/configuration/registries/index.mdx
new file mode 100644
index 000000000..0da40d646
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/index.mdx
@@ -0,0 +1,35 @@
+---
+title: "Registries"
+description: "drydock supports most registries:"
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+
+drydock supports 23 registries:
+
+- [**ACR** (Azure Container Registry)](/docs/configuration/registries/acr)
+- [**ALICR** (Alibaba Cloud Container Registry)](/docs/configuration/registries/alicr)
+- [**Artifactory** (JFrog Artifactory)](/docs/configuration/registries/artifactory)
+- [**Codeberg** (Codeberg Container Registry)](/docs/configuration/registries/codeberg)
+- [**CUSTOM** (Self-hosted Registry)](/docs/configuration/registries/custom)
+- [**DOCR** (DigitalOcean Container Registry)](/docs/configuration/registries/docr)
+- [**DHI** (Docker Hardened Images)](/docs/configuration/registries/dhi)
+- [**ECR** (Amazon Elastic Container Registry)](/docs/configuration/registries/ecr)
+- [**FORGEJO** (Forgejo Container Registry)](/docs/configuration/registries/forgejo)
+- [**GAR** (Google Artifact Registry)](/docs/configuration/registries/gar)
+- [**GCR** (Google Container Registry)](/docs/configuration/registries/gcr)
+- [**GHCR** (Github Container Registry)](/docs/configuration/registries/ghcr)
+- [**GITEA** (Gitea Container Registry)](/docs/configuration/registries/gitea)
+- [**GITLAB** (Gitlab Container Registry)](/docs/configuration/registries/gitlab)
+- [**Harbor**](/docs/configuration/registries/harbor)
+- [**HUB** (Docker Hub)](/docs/configuration/registries/hub)
+- [**IBMCR** (IBM Cloud Container Registry)](/docs/configuration/registries/ibmcr)
+- [**LSCR** (LinuxServer Container Registry)](/docs/configuration/registries/lscr)
+- [**MAU** (dock.mau.dev Registry)](/docs/configuration/registries/mau)
+- [**Nexus** (Sonatype Nexus)](/docs/configuration/registries/nexus)
+- [**OCIR** (Oracle Cloud Infrastructure Registry)](/docs/configuration/registries/ocir)
+- [**Quay**](/docs/configuration/registries/quay)
+- [**TrueForge** (TrueForge OCI Registry)](/docs/configuration/registries/trueforge)
+
+<Callout type="info">By default, without any further configuration, drydock handles _out-of-the-box_ public images hosted on
+ALICR, Codeberg, DOCR, DHI, ECR (public.ecr.aws), GAR, GCR, GHCR, HUB, IBMCR, LSCR, MAU, OCIR, QUAY, TrueForge</Callout>
diff --git a/content/docs/v1.4/configuration/registries/lscr/index.mdx b/content/docs/v1.4/configuration/registries/lscr/index.mdx
new file mode 100644
index 000000000..849a51eca
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/lscr/index.mdx
@@ -0,0 +1,59 @@
+---
+title: "LSCR (LinuxServer Container Registry)"
+description: "The lscr registry lets you configure LSCR integration."
+---
+
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+![logo](/docs/assets/configuration/registries/lscr/linuxserver.png)
+
+The `lscr` registry lets you configure [LSCR](https://www.linuxserver.io/our-images) integration.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_REGISTRY_LSCR_{REGISTRY_NAME}_USERNAME` | ⚪ | Github username (required for private images) | | |
+| `DD_REGISTRY_LSCR_{REGISTRY_NAME}_TOKEN` | ⚪ | Github token (required for private images) | Github password or Github Personal Token | |
+
+## Examples
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_LSCR_PRIVATE_USERNAME=johndoe
+      - DD_REGISTRY_LSCR_PRIVATE_TOKEN=xxxxx 
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e DD_REGISTRY_LSCR_PRIVATE_USERNAME="johndoe" \
+  -e DD_REGISTRY_LSCR_PRIVATE_TOKEN="xxxxx" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+## How to create a Github Personal Token
+
+### Go to your Github settings and open the Personal Access Token tab
+
+[Open GitHub Personal Access Tokens](https://github.com/settings/tokens)
+
+### Click on `Generate new token`
+
+Choose an expiration time & appropriate scopes (`read:packages` is only needed for drydock) and generate.
+![image](/docs/assets/configuration/registries/lscr/lscr_01.png)
+
+### Copy the token & use it as the DD_REGISTRY_LSCR_\{REGISTRY_NAME\}_TOKEN value
+
+![image](/docs/assets/configuration/registries/lscr/lscr_02.png)
diff --git a/content/docs/v1.4/configuration/registries/lscr/meta.json b/content/docs/v1.4/configuration/registries/lscr/meta.json
new file mode 100644
index 000000000..be8930086
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/lscr/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "LSCR",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/registries/mau/index.mdx b/content/docs/v1.4/configuration/registries/mau/index.mdx
new file mode 100644
index 000000000..390cb8a8c
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/mau/index.mdx
@@ -0,0 +1,70 @@
+---
+title: "MAU (dock.mau.dev)"
+description: "The mau registry lets you configure dock.mau.dev (GitLab-based) integration."
+---
+
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+The `mau` registry lets you configure [dock.mau.dev](https://dock.mau.dev) integration. Public images are supported out-of-the-box; add a token for private image access.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_REGISTRY_MAU_{REGISTRY_NAME}_TOKEN` | ⚪ | Personal access token for private images | | |
+| `DD_REGISTRY_MAU_{REGISTRY_NAME}_URL` | ⚪ | Registry base URL | | `https://dock.mau.dev` |
+| `DD_REGISTRY_MAU_{REGISTRY_NAME}_AUTHURL` | ⚪ | Authentication base URL | | `https://dock.mau.dev` |
+
+## Examples
+
+### Configure for public images
+
+Public images on dock.mau.dev work without any configuration. Simply add an empty registry entry:
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_MAU_PUBLIC=
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e DD_REGISTRY_MAU_PUBLIC="" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### Configure for private images
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_MAU_PRIVATE_TOKEN=xxxxx
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e DD_REGISTRY_MAU_PRIVATE_TOKEN="xxxxx" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
diff --git a/content/docs/v1.4/configuration/registries/mau/meta.json b/content/docs/v1.4/configuration/registries/mau/meta.json
new file mode 100644
index 000000000..b9baac16d
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/mau/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "MAU",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/registries/meta.json b/content/docs/v1.4/configuration/registries/meta.json
new file mode 100644
index 000000000..6876c213b
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/meta.json
@@ -0,0 +1,29 @@
+{
+  "title": "Registries",
+  "pages": [
+    "index",
+    "acr",
+    "alicr",
+    "artifactory",
+    "codeberg",
+    "custom",
+    "dhi",
+    "docr",
+    "ecr",
+    "forgejo",
+    "gar",
+    "gcr",
+    "ghcr",
+    "gitea",
+    "gitlab",
+    "harbor",
+    "hub",
+    "ibmcr",
+    "lscr",
+    "mau",
+    "nexus",
+    "ocir",
+    "quay",
+    "trueforge"
+  ]
+}
diff --git a/content/docs/v1.4/configuration/registries/nexus/index.mdx b/content/docs/v1.4/configuration/registries/nexus/index.mdx
new file mode 100644
index 000000000..2a61489fa
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/nexus/index.mdx
@@ -0,0 +1,54 @@
+---
+title: "NEXUS (Sonatype Nexus)"
+description: "The nexus registry lets you configure a Sonatype Nexus Docker Registry integration."
+---
+
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+![logo](/docs/assets/configuration/registries/nexus/nexus.png)
+
+The `nexus` registry lets you configure a [Sonatype Nexus](https://www.sonatype.com/products/sonatype-nexus-repository) Docker Registry integration.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_REGISTRY_NEXUS_{REGISTRY_NAME}_URL` | 🔴 | Registry URL (e.g. `https://nexus.acme.com`) | | |
+| `DD_REGISTRY_NEXUS_{REGISTRY_NAME}_LOGIN` | ⚪ | Nexus username | DD_REGISTRY_NEXUS_\{REGISTRY_NAME\}_PASSWORD must be defined | |
+| `DD_REGISTRY_NEXUS_{REGISTRY_NAME}_PASSWORD` | ⚪ | Nexus password | DD_REGISTRY_NEXUS_\{REGISTRY_NAME\}_LOGIN must be defined | |
+| `DD_REGISTRY_NEXUS_{REGISTRY_NAME}_AUTH` | ⚪ | Base64 encoded `login:password` string | DD_REGISTRY_NEXUS_\{REGISTRY_NAME\}_LOGIN/PASSWORD must not be defined | |
+| `DD_REGISTRY_NEXUS_{REGISTRY_NAME}_CAFILE` | ⚪ | Path to custom CA certificate file | | |
+| `DD_REGISTRY_NEXUS_{REGISTRY_NAME}_INSECURE` | ⚪ | Allow insecure (non-TLS) connections | `true`, `false` | `false` |
+| `DD_REGISTRY_NEXUS_{REGISTRY_NAME}_CLIENTCERT` | ⚪ | Path to client certificate file for mTLS | | |
+| `DD_REGISTRY_NEXUS_{REGISTRY_NAME}_CLIENTKEY` | ⚪ | Path to client key file for mTLS | DD_REGISTRY_NEXUS_\{REGISTRY_NAME\}_CLIENTCERT must be defined | |
+
+## Examples
+
+### Configure with credentials
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_NEXUS_PRIVATE_URL=https://nexus.acme.com
+      - DD_REGISTRY_NEXUS_PRIVATE_LOGIN=john
+      - DD_REGISTRY_NEXUS_PRIVATE_PASSWORD=doe
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e "DD_REGISTRY_NEXUS_PRIVATE_URL=https://nexus.acme.com" \
+  -e "DD_REGISTRY_NEXUS_PRIVATE_LOGIN=john" \
+  -e "DD_REGISTRY_NEXUS_PRIVATE_PASSWORD=doe" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
diff --git a/content/docs/v1.4/configuration/registries/nexus/meta.json b/content/docs/v1.4/configuration/registries/nexus/meta.json
new file mode 100644
index 000000000..a4964e905
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/nexus/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Nexus",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/registries/ocir/index.mdx b/content/docs/v1.4/configuration/registries/ocir/index.mdx
new file mode 100644
index 000000000..404071c70
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/ocir/index.mdx
@@ -0,0 +1,84 @@
+---
+title: "OCIR (Oracle Cloud Infrastructure Registry)"
+description: "The ocir registry lets you configure Oracle Cloud Infrastructure Registry integration."
+---
+
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+The `ocir` registry lets you configure [OCIR](https://docs.oracle.com/en-us/iaas/Content/Registry/Concepts/registryoverview.htm) integration.
+
+Drydock automatically detects OCIR registries by matching `*.ocir.io` hostnames.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_REGISTRY_OCIR_{REGISTRY_NAME}_LOGIN` | ⚪ | OCI username (e.g. `tenancy/user`) | DD_REGISTRY_OCIR_\{REGISTRY_NAME\}_PASSWORD must be defined | |
+| `DD_REGISTRY_OCIR_{REGISTRY_NAME}_PASSWORD` | ⚪ | Auth token | DD_REGISTRY_OCIR_\{REGISTRY_NAME\}_LOGIN must be defined | |
+| `DD_REGISTRY_OCIR_{REGISTRY_NAME}_AUTH` | ⚪ | Base64-encoded `login:password` string | DD_REGISTRY_OCIR_\{REGISTRY_NAME\}_LOGIN/PASSWORD must not be defined | |
+
+## Examples
+
+### Configure with login and password
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_OCIR_PRIVATE_LOGIN=tenancy/oracleidentitycloudservice/user@example.com
+      - DD_REGISTRY_OCIR_PRIVATE_PASSWORD=xxxxx
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e "DD_REGISTRY_OCIR_PRIVATE_LOGIN=tenancy/oracleidentitycloudservice/user@example.com" \
+  -e "DD_REGISTRY_OCIR_PRIVATE_PASSWORD=xxxxx" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### Configure with base64 auth
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_OCIR_PRIVATE_AUTH=dGVuYW5jeS91c2VyOnh4eHh4
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e "DD_REGISTRY_OCIR_PRIVATE_AUTH=dGVuYW5jeS91c2VyOnh4eHh4" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+## How to create an Auth Token on Oracle Cloud
+
+### Go to your OCI Console and open the Auth Tokens page
+
+Navigate to **Identity & Security > Users > Your User > Auth Tokens**.
+
+### Generate token
+
+Click **Generate Token**, give it a description, and copy the generated token value.
+
+Use your full OCI username (e.g. `tenancy/oracleidentitycloudservice/user@example.com`) as the login and the generated token as the password.
diff --git a/content/docs/v1.4/configuration/registries/ocir/meta.json b/content/docs/v1.4/configuration/registries/ocir/meta.json
new file mode 100644
index 000000000..4fe0bdd0e
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/ocir/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "OCIR",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/registries/quay/index.mdx b/content/docs/v1.4/configuration/registries/quay/index.mdx
new file mode 100644
index 000000000..1419a32d4
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/quay/index.mdx
@@ -0,0 +1,66 @@
+---
+title: "Quay"
+description: "The quay registry lets you configure QUAY integration."
+---
+
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+![logo](/docs/assets/configuration/registries/quay/quay.png)
+
+The `quay` registry lets you configure [QUAY](https://quay.io/) integration.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_REGISTRY_QUAY_{REGISTRY_NAME}_NAMESPACE` | ⚪ | Quay namespace (required for private images) | | |
+| `DD_REGISTRY_QUAY_{REGISTRY_NAME}_ACCOUNT` | ⚪ | Quay account (required for private images) | | |
+| `DD_REGISTRY_QUAY_{REGISTRY_NAME}_TOKEN` | ⚪ | Quay token (required for private images) | | |
+
+## Examples
+
+### Configure to access private images
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_QUAY_PRIVATE_NAMESPACE=mynamespace
+      - DD_REGISTRY_QUAY_PRIVATE_ACCOUNT=myaccount
+      - DD_REGISTRY_QUAY_PRIVATE_TOKEN=BA8JI3Y2BWQDH849RYT3YD5J0J6CYEORYTQMMJK364B4P88VPTJIAI704L0BBP8D6CYE4P88V 
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e DD_REGISTRY_QUAY_PRIVATE_NAMESPACE="mynamespace" \
+  -e DD_REGISTRY_QUAY_PRIVATE_ACCOUNT="myaccount" \
+  -e DD_REGISTRY_QUAY_PRIVATE_TOKEN="BA8JI3Y2BWQDH849RYT3YD5J0J6CYEORYTQMMJK364B4P88VPTJIAI704L0BBP8D6CYE4P88V" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+## How to create a Quay.io robot account
+
+### Go to your Quay.io settings and open the Robot Accounts tab
+
+### Click on `Create Robot Account`
+
+Choose a name & create it
+![image](/docs/assets/configuration/registries/quay/quay_01.png)
+
+### Copy the part before the `+` sign and set it as the `namespace` env var
+
+### Copy the part after  the `+` sign and set it as the `account` env var
+
+### Copy the token value and set it as the `token` env var
+
+![image](/docs/assets/configuration/registries/quay/quay_02.png)
diff --git a/content/docs/v1.4/configuration/registries/quay/meta.json b/content/docs/v1.4/configuration/registries/quay/meta.json
new file mode 100644
index 000000000..170ae78fa
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/quay/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Quay",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/registries/trueforge/index.mdx b/content/docs/v1.4/configuration/registries/trueforge/index.mdx
new file mode 100644
index 000000000..0618c8728
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/trueforge/index.mdx
@@ -0,0 +1,48 @@
+---
+title: "TrueForge (TrueForge OCI Registry)"
+description: "The TrueForge registry lets you configure integration for ContainerForge-project containers."
+---
+
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+![logo](/docs/assets/configuration/registries/trueforge/trueforge.png)
+
+The [TrueForge](https://trueforge.org/) registry lets you configure integration for [ContainerForge](https://trueforge.org/truetech/containerforge/)-project containers.
+
+Drydock automatically detects TrueForge registries by matching `oci.trueforge.org` hostnames.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_REGISTRY_TRUEFORGE_{REGISTRY_NAME}_USERNAME` | ⚪ | TrueForge username (required for private images) | | |
+| `DD_REGISTRY_TRUEFORGE_{REGISTRY_NAME}_TOKEN` | ⚪ | TrueForge token (required for private images) | | |
+
+## Examples
+
+### Configure to access private images
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_REGISTRY_TRUEFORGE_PRIVATE_USERNAME=myusername
+      - DD_REGISTRY_TRUEFORGE_PRIVATE_TOKEN=xxxxx
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e DD_REGISTRY_TRUEFORGE_PRIVATE_USERNAME="myusername" \
+  -e DD_REGISTRY_TRUEFORGE_PRIVATE_TOKEN="xxxxx" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
diff --git a/content/docs/v1.4/configuration/registries/trueforge/meta.json b/content/docs/v1.4/configuration/registries/trueforge/meta.json
new file mode 100644
index 000000000..9c47ceeb5
--- /dev/null
+++ b/content/docs/v1.4/configuration/registries/trueforge/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "TrueForge",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/rollback/index.mdx b/content/docs/v1.4/configuration/rollback/index.mdx
new file mode 100644
index 000000000..991cee336
--- /dev/null
+++ b/content/docs/v1.4/configuration/rollback/index.mdx
@@ -0,0 +1,104 @@
+---
+title: "Backup & Rollback"
+description: "Automatic image backup before updates and one-click rollback to any previous version."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+## How It Works
+
+Before every container update, drydock automatically backs up the current image metadata including the image name, tag, digest, and timestamp. This ensures you always have a record of exactly which image was running prior to each update.
+
+Backups are stored in the LokiJS data store, which is persisted to the `/store` volume. Each container retains its N most recent backups, with older entries pruned automatically when the limit is exceeded.
+
+## Backup Retention
+
+The number of backups retained per container is configurable via a trigger environment variable.
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| -------------------------------------------------- | :--------------: | ---------------------------------------- | ---------------- | -------------------------- |
+| `DD_TRIGGER_DOCKER_{trigger_name}_BACKUPCOUNT` | ⚪ | Number of backups to retain per container | integer | `3` |
+
+<Callout type="info">This variable is set on the [Docker trigger](/docs/configuration/triggers/docker), not on the target container.</Callout>
+
+## Manual Rollback
+
+Rollback is available in two ways:
+
+- **UI** -- on the container detail page, select a previous backup and click **Rollback**.
+- **API** -- send a `POST` request to `/api/containers/:id/rollback`, where `:id` is the container ID.
+
+Rollback uses a stop-remove-recreate strategy: drydock stops the current container, removes it, and creates a new container with the original name using the backup image.
+
+<Callout type="info">Automatic updates (via Docker trigger) use a more sophisticated rename-first strategy with health gates — see [Updates](/docs/updates) for details. Manual rollback uses the simpler approach described here.</Callout>
+
+You can optionally pass a `backupId` in the request body to target a specific backup. If omitted, the most recent backup is used.
+
+```bash
+# Roll back to the most recent backup
+curl -X POST http://localhost:3000/api/containers/my-container-id/rollback
+
+# Roll back to a specific backup
+curl -X POST http://localhost:3000/api/containers/my-container-id/rollback \
+  -H "Content-Type: application/json" \
+  -d '{"backupId": "abc123"}'
+```
+
+## Auto-Rollback on Health Failure
+
+Containers with a Docker `HEALTHCHECK` can automatically roll back if they become unhealthy after an update.
+
+### Container Labels
+
+| Label | Type | Default | Description |
+| ----------------------- | ------------- | ---------- | -------------------------------------------------------- |
+| `dd.rollback.auto` | boolean | `false` | Enable auto-rollback when health check fails after update |
+| `dd.rollback.window` | number (ms) | `300000` | Duration to monitor health after update (5 minutes) |
+| `dd.rollback.interval` | number (ms) | `10000` | Frequency of health status checks (10 seconds) |
+
+### How It Works
+
+1. An update completes successfully
+2. If `dd.rollback.auto=true` **and** the container has a `HEALTHCHECK`, monitoring starts
+3. Health status is polled every `dd.rollback.interval` for the duration of `dd.rollback.window`
+4. If the status becomes `unhealthy`, rollback is triggered automatically
+5. If the window expires without failure, the container is considered stable
+
+<Callout type="warn">Auto-rollback requires a `HEALTHCHECK` instruction in your Dockerfile. Without one, monitoring is skipped.</Callout>
+
+## Examples
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  myapp:
+    image: myapp:latest
+    labels:
+      - dd.rollback.auto=true
+      - dd.rollback.window=600000
+      - dd.rollback.interval=5000
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  --label "dd.rollback.auto=true" \
+  --label "dd.rollback.window=600000" \
+  --label "dd.rollback.interval=5000" \
+  --health-cmd "curl -f http://localhost:8080/health" \
+  --health-interval 10s \
+  --health-timeout 5s \
+  --health-retries 3 \
+  myapp:latest
+```
+</Tab>
+</Tabs>
diff --git a/content/docs/v1.4/configuration/rollback/meta.json b/content/docs/v1.4/configuration/rollback/meta.json
new file mode 100644
index 000000000..db8e5e801
--- /dev/null
+++ b/content/docs/v1.4/configuration/rollback/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Backup & Rollback",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/security/index.mdx b/content/docs/v1.4/configuration/security/index.mdx
new file mode 100644
index 000000000..69040832a
--- /dev/null
+++ b/content/docs/v1.4/configuration/security/index.mdx
@@ -0,0 +1,225 @@
+---
+title: "Update Bouncer"
+description: "Run security scanning, signature verification, and SBOM generation before applying container updates."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+
+Update Bouncer runs security scanning in a safe-pull flow:
+
+1. Candidate image is scanned before update
+2. Update is blocked when CVEs match configured blocking severities
+3. Scan result is stored in `container.security.scan` and exposed in API/UI
+
+## Enablement
+
+Security scanning is disabled by default.
+To enable it, set:
+
+```bash
+DD_SECURITY_SCANNER=trivy
+```
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_SECURITY_SCANNER` | 🔴 | Enable scanner provider | `trivy` | disabled |
+| `DD_SECURITY_BLOCK_SEVERITY` | ⚪ | Blocking severities (comma-separated). Set to `NONE` for advisory-only mode (scan without blocking updates) | `NONE`, or any of `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | `CRITICAL,HIGH` |
+| `DD_SECURITY_TRIVY_SERVER` | ⚪ | Trivy server URL (enables client/server mode) | URL | empty (local CLI mode) |
+| `DD_SECURITY_TRIVY_COMMAND` | ⚪ | Trivy command path for local CLI mode (must not contain shell metacharacters or `..` path traversal) | executable path | `trivy` |
+| `DD_SECURITY_TRIVY_TIMEOUT` | ⚪ | Trivy command timeout in milliseconds | integer (`>=1000`) | `120000` |
+| `DD_SECURITY_SCAN_CRON` | ⚪ | Cron expression for scheduled background security scans | cron expression | disabled |
+| `DD_SECURITY_SCAN_JITTER` | ⚪ | Random jitter delay (ms) before each scheduled scan starts | integer (`>=0`) | `60000` |
+| `DD_SECURITY_SCAN_CONCURRENCY` | ⚪ | Max digest scans processed in parallel during scheduled scans | integer (`>=1`) | `4` |
+| `DD_SECURITY_SCAN_BATCH_TIMEOUT` | ⚪ | Total scheduled scan batch timeout in milliseconds (`0` disables timeout) | integer (`>=0`) | `1800000` |
+| `DD_SECURITY_SCAN_DIGEST_CACHE_MAX_ENTRIES` | ⚪ | Max in-memory digest scan cache entries (LRU eviction -- least recently used entries are removed when the limit is reached) | integer (`>0`) | `500` |
+
+## Trivy modes
+
+### Client mode (local CLI)
+
+Use this mode when the `trivy` binary is available inside the drydock runtime.
+
+<Callout type="info">As of v1.3.0, the official drydock image includes both `trivy` and `cosign`. No custom image is needed for local CLI mode.</Callout>
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock:latest
+    environment:
+      - DD_SECURITY_SCANNER=trivy
+      - DD_SECURITY_BLOCK_SEVERITY=CRITICAL,HIGH
+      - DD_SECURITY_TRIVY_COMMAND=trivy
+      - DD_SECURITY_TRIVY_TIMEOUT=120000
+```
+
+### Server mode (Trivy server)
+
+Use this mode when running a separate Trivy server and letting drydock call it.
+
+```yaml
+services:
+  trivy:
+    image: aquasec/trivy:latest
+    command: server --listen 0.0.0.0:4954
+
+  drydock:
+    image: codeswhat/drydock:latest
+    depends_on:
+      - trivy
+    environment:
+      - DD_SECURITY_SCANNER=trivy
+      - DD_SECURITY_BLOCK_SEVERITY=CRITICAL,HIGH
+      - DD_SECURITY_TRIVY_SERVER=http://trivy:4954
+      - DD_SECURITY_TRIVY_TIMEOUT=120000
+```
+
+## Advisory-Only Mode
+
+Set `DD_SECURITY_BLOCK_SEVERITY=NONE` to run vulnerability scans without blocking updates. Scan results remain visible in the Security view and audit log, but no update is ever rejected due to detected vulnerabilities.
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock:latest
+    environment:
+      - DD_SECURITY_SCANNER=trivy
+      - DD_SECURITY_BLOCK_SEVERITY=NONE
+```
+
+## Signature Verification (cosign)
+
+When enabled, candidate images are verified with [cosign](https://docs.sigstore.dev/cosign/) before the update proceeds. Updates are blocked if signatures are missing, invalid, or verification fails.
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_SECURITY_VERIFY_SIGNATURES` | ⚪ | Enable signature verification gate | `true` / `false` | `false` |
+| `DD_SECURITY_COSIGN_KEY` | ⚪ | Path to cosign public key file | file path | empty (keyless / Sigstore) |
+| `DD_SECURITY_COSIGN_COMMAND` | ⚪ | Cosign command path | executable path | `cosign` |
+| `DD_SECURITY_COSIGN_TIMEOUT` | ⚪ | Cosign command timeout in milliseconds | integer (`>=1000`) | `60000` |
+| `DD_SECURITY_COSIGN_IDENTITY` | ⚪ | Certificate identity for keyless verification | string | empty |
+| `DD_SECURITY_COSIGN_ISSUER` | ⚪ | OIDC issuer for keyless verification | string | empty |
+
+<Callout type="info">When `DD_SECURITY_COSIGN_KEY` is empty, cosign runs in keyless mode using Sigstore's public transparency log. Set `DD_SECURITY_COSIGN_IDENTITY` and `DD_SECURITY_COSIGN_ISSUER` to constrain keyless verification to a specific signer.</Callout>
+
+<Callout type="info">The examples below use a direct Docker socket mount for brevity. For production deployments, use a [socket proxy](/docs/configuration/watchers#option-1-socket-proxy-recommended) instead — all security features work identically with proxy-based connections.</Callout>
+
+### Key-based verification
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock:latest
+    environment:
+      - DD_SECURITY_SCANNER=trivy
+      - DD_SECURITY_VERIFY_SIGNATURES=true
+      - DD_SECURITY_COSIGN_KEY=/keys/cosign.pub
+    volumes:
+      - ./cosign.pub:/keys/cosign.pub:ro
+      - /var/run/docker.sock:/var/run/docker.sock
+```
+
+### Keyless verification (Sigstore)
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock:latest
+    environment:
+      - DD_SECURITY_SCANNER=trivy
+      - DD_SECURITY_VERIFY_SIGNATURES=true
+      - DD_SECURITY_COSIGN_IDENTITY=https://github.com/CodesWhat/drydock/.github/workflows/release.yml@refs/tags/*
+      - DD_SECURITY_COSIGN_ISSUER=https://token.actions.githubusercontent.com
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+```
+
+## SBOM Generation
+
+When enabled, Trivy generates Software Bill of Materials (SBOM) documents for candidate images during the Update Bouncer flow. SBOMs are persisted in `container.security.sbom` and available via the API.
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_SECURITY_SBOM_ENABLED` | ⚪ | Enable SBOM generation | `true` / `false` | `false` |
+| `DD_SECURITY_SBOM_FORMATS` | ⚪ | Comma-separated list of SBOM formats | `spdx-json`, `cyclonedx-json` | `spdx-json` |
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock:latest
+    environment:
+      - DD_SECURITY_SCANNER=trivy
+      - DD_SECURITY_SBOM_ENABLED=true
+      - DD_SECURITY_SBOM_FORMATS=spdx-json,cyclonedx-json
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+```
+
+<Callout type="info">SBOM documents are retrievable per-container via `GET /api/containers/:id/sbom?format=\{format\}` where `format` is one of `spdx-json` or `cyclonedx-json`.</Callout>
+
+## Scheduled scanning
+
+Set `DD_SECURITY_SCAN_CRON` to automatically scan all watched containers on a schedule. A random jitter delay (`DD_SECURITY_SCAN_JITTER`, default 60 seconds) is applied before each cycle to spread load. You can tune parallelism with `DD_SECURITY_SCAN_CONCURRENCY` (default `4`) and cap total batch runtime with `DD_SECURITY_SCAN_BATCH_TIMEOUT` (default `1800000`, set `0` to disable).
+
+Digest-level scan dedup caching uses an interval derived from the cron schedule:
+
+- drydock parses `DD_SECURITY_SCAN_CRON` and uses the **shortest upcoming gap** between scheduled runs as cache TTL.
+- For irregular schedules (for example `0 3,9 * * *`), cache TTL is based on the shortest gap (`6h` in this case), not a fixed daily fallback.
+- If interval derivation fails, drydock falls back to `24h`.
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock:latest
+    environment:
+      - DD_SECURITY_SCANNER=trivy
+      - DD_SECURITY_SCAN_CRON=0 3 * * *   # every day at 3 AM
+      - DD_SECURITY_SCAN_JITTER=60000      # up to 60s random delay
+      - DD_SECURITY_SCAN_CONCURRENCY=4     # scan up to 4 digests in parallel
+      - DD_SECURITY_SCAN_BATCH_TIMEOUT=1800000 # abort remaining digest queue after 30m
+```
+
+## On-demand scanning
+
+You can trigger a security scan for any individual container without waiting for the next watch cycle or scheduled scan.
+
+- **UI:** Click the shield button on a container row to start a scan.
+- **API:** `POST /api/containers/:id/scan` runs vulnerability scanning, signature verification (if configured), and SBOM generation (if configured) on demand.
+
+The endpoint is rate-limited to 30 requests per minute. Real-time progress is broadcast via SSE events `dd:scan-started` and `dd:scan-completed` so the UI updates automatically.
+
+## Dual-slot scanning
+
+When a container has an available update, clicking **Scan Now** (or calling `POST /api/containers/:id/scan`) scans both the current running image and the available update image in a single operation.
+
+- Results for the current image are stored in `container.security.scan`
+- Results for the update image are stored in `container.security.updateScan`
+- The UI shows delta comparison badges indicating how vulnerabilities change between versions (e.g. +3 fixed, -1 new)
+
+This differs from the pre-update Update Bouncer flow, which only scans the candidate image as a gate before applying an update. Dual-slot scanning is informational and does not block updates.
+
+## Full example (scanning + signatures + SBOM)
+
+```yaml
+services:
+  trivy:
+    image: aquasec/trivy:latest
+    command: server --listen 0.0.0.0:4954
+
+  drydock:
+    image: codeswhat/drydock:latest
+    depends_on:
+      - trivy
+    environment:
+      - DD_SECURITY_SCANNER=trivy
+      - DD_SECURITY_BLOCK_SEVERITY=CRITICAL,HIGH
+      - DD_SECURITY_TRIVY_SERVER=http://trivy:4954
+      - DD_SECURITY_VERIFY_SIGNATURES=true
+      - DD_SECURITY_COSIGN_IDENTITY=https://github.com/CodesWhat/drydock/.github/workflows/release.yml@refs/tags/*
+      - DD_SECURITY_COSIGN_ISSUER=https://token.actions.githubusercontent.com
+      - DD_SECURITY_SBOM_ENABLED=true
+      - DD_SECURITY_SBOM_FORMATS=spdx-json,cyclonedx-json
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+```
diff --git a/content/docs/v1.4/configuration/security/meta.json b/content/docs/v1.4/configuration/security/meta.json
new file mode 100644
index 000000000..bc9bff9a1
--- /dev/null
+++ b/content/docs/v1.4/configuration/security/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Update Bouncer",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/self-update/index.mdx b/content/docs/v1.4/configuration/self-update/index.mdx
new file mode 100644
index 000000000..7b455bf11
--- /dev/null
+++ b/content/docs/v1.4/configuration/self-update/index.mdx
@@ -0,0 +1,87 @@
+---
+title: "Self-Update"
+description: "Drydock can gracefully update itself when a new version is available."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+Drydock can gracefully update itself when a new version is available, using a safe rollback-capable process that ensures zero downtime.
+
+## How it works
+
+Drydock detects when its own container image has an update available, just like any other monitored container. When the Docker trigger runs for the drydock container, it uses a special self-update flow that ensures zero downtime and safe rollback.
+
+## Requirements
+
+- The Docker socket must be bind-mounted at `/var/run/docker.sock`
+- The Docker trigger must be enabled
+- Drydock must be able to create temporary helper containers
+
+<Callout type="warn">Lifecycle hooks (`dd.hook.pre` / `dd.hook.post`) are NOT executed during self-update.</Callout>
+
+## Update sequence
+
+1. **Notify UI** — A `dd:self-update` SSE event is broadcast to all connected browsers, displaying an animated full-screen overlay. The server waits for at least one browser to acknowledge receipt before proceeding (see [SSE acknowledgment](#sse-acknowledgment) below)
+2. **Backup current image** — The running image is backed up before proceeding
+3. **Pull new image** — The updated image is pulled while the current container is still running
+4. **Rename old container** — The current container is renamed to `drydock-old-{timestamp}` to free the original name
+5. **Create new container** — A new container is created with the original name and updated image (not started yet)
+6. **Helper container** — A temporary container is spawned with the Docker socket mounted. It:
+   - Stops the old container
+   - Starts the new container
+   - Deletes the old container on success
+   - If the new container fails to start, restarts the old container as a fallback
+7. **Reconnect** — The UI automatically reconnects to the new container
+
+## Error recovery
+
+If any step fails, drydock attempts to restore the previous state:
+
+- If new container creation fails, the old container is renamed back to its original name
+- If the helper container fails to spawn, the new container is removed and the old container is renamed back
+- If the new container fails to start, the helper restarts the old container
+
+## SSE acknowledgment
+
+When the self-update begins, the server needs to ensure that connected browsers have received the update notification and displayed the overlay before the container is replaced. This is handled by an ack flow:
+
+1. Each SSE client receives a `clientId` and `clientToken` when it connects to the `/api/events/ui` endpoint (via a `dd:connected` event).
+2. When the `dd:self-update` event is broadcast, the server records which client tokens were connected at that moment.
+3. Browsers acknowledge the event by sending `POST /api/events/ui/self-update/:operationId/ack` with their `clientId` and `clientToken`.
+4. Once at least one acknowledgment is received (or the timeout expires), the update proceeds.
+
+The ack timeout defaults to 3 seconds. If no browsers are connected, the update proceeds immediately without waiting.
+
+## Dry-run mode
+
+When `DD_TRIGGER_DOCKER_{trigger_name}_DRYRUN=true`, the self-update is logged but not executed. The new image is pulled ahead of time but no container replacement occurs.
+
+## Example
+
+<Tabs items={["Docker Compose"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock:latest
+    container_name: drydock
+    labels:
+      - dd.watch=true
+    environment:
+      - DD_TRIGGER_DOCKER_LOCAL_PRUNE=true
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - drydock-data:/store
+    ports:
+      - "3000:3000"
+
+volumes:
+  drydock-data:
+```
+
+</Tab>
+</Tabs>
+
+<Callout type="info">The self-update overlay includes an animated visual indicator and auto-reconnect. No manual refresh is needed.</Callout>
diff --git a/content/docs/v1.4/configuration/self-update/meta.json b/content/docs/v1.4/configuration/self-update/meta.json
new file mode 100644
index 000000000..e95afc02e
--- /dev/null
+++ b/content/docs/v1.4/configuration/self-update/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Self-Update",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/server/index.mdx b/content/docs/v1.4/configuration/server/index.mdx
new file mode 100644
index 000000000..f84498e30
--- /dev/null
+++ b/content/docs/v1.4/configuration/server/index.mdx
@@ -0,0 +1,235 @@
+---
+title: "Server"
+description: "You can adjust the server configuration with the following environment variables."
+---
+
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+You can adjust the server configuration with the following environment variables.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_PUBLIC_URL` | ⚪ | Public-facing URL for OIDC callbacks and links (auto-detected from request if not set) | URL (e.g., `https://drydock.example.com`) | auto-detected |
+| `DD_SERVER_ENABLED` | ⚪ | If REST API must be exposed | `true`, `false` | `true` |
+| `DD_SERVER_UI_ENABLED` | ⚪ | Serve the web UI (set to `false` for headless/API-only mode) | `true`, `false` | `true` |
+| `DD_SERVER_PORT` | ⚪ | Http listener port | from `0` to `65535` | `3000` |
+| `DD_SERVER_TRUSTPROXY` | ⚪ | Trust X-Forwarded-For headers when behind a reverse proxy | `true`, `false`, or hop count (`1`, `2`, etc.) | `false` |
+| `DD_SERVER_TLS_ENABLED` | ⚪ | Enable HTTPS+TLS | `true`, `false` | `false` |
+| `DD_SERVER_TLS_KEY` | ⚪ | TLS server key (required when `DD_SERVER_TLS_ENABLED` is enabled) | File path to the key file | |
+| `DD_SERVER_TLS_CERT` | ⚪ | TLS server certificate (required when `DD_SERVER_TLS_ENABLED` is enabled) | File path to the cert file | |
+| `DD_SERVER_CORS_ENABLED` | ⚪ | Enable [CORS](https://developer.mozilla.org/fr/docs/Web/HTTP/CORS) Requests | `true`, `false` | `false` |
+| `DD_SERVER_CORS_ORIGIN` | ⚪ | Allowed CORS origin (prefer an explicit origin in production) | `*` or a single origin URL (for example `https://drydock.example.com`) | `*` |
+| `DD_SERVER_CORS_METHODS` | ⚪ | Supported CORS methods | Comma separated list of valid HTTP verbs | `GET,HEAD,PUT,PATCH,POST,DELETE` |
+| `DD_SERVER_COMPRESSION_ENABLED` | ⚪ | Enable gzip response compression (SSE responses are excluded automatically) | `true`, `false` | `true` |
+| `DD_SERVER_COMPRESSION_THRESHOLD` | ⚪ | Minimum response size in bytes before compression is applied | integer (`>=0`) | `1024` |
+| `DD_SERVER_FEATURE_CONTAINERACTIONS` | ⚪ | Enable start, stop, restart, and update actions via API and UI | `true`, `false` | `true` |
+| `DD_SERVER_FEATURE_DELETE` | ⚪ | If deleting operations are enabled through API & UI | `true`, `false` | `true` |
+| `DD_SERVER_METRICS_AUTH` | ⚪ | Require authentication on `/metrics` endpoint | `true`, `false` | `true` |
+| `DD_SESSION_SECRET` | ⚪ | Override the auto-generated session secret for cookie signing | Any string | auto-generated |
+| `DD_SERVER_COOKIE_SAMESITE` | ⚪ | Session cookie SameSite policy for auth flows (`none` requires HTTPS) | `strict`, `lax`, `none` | `lax` |
+| `DD_SERVER_SESSION_MAXCONCURRENTSESSIONS` | ⚪ | Maximum concurrent authenticated sessions per user (oldest sessions are revoked first at login when limit is reached) | integer (`>=1`) | `5` |
+| `DD_SERVER_RATELIMIT_IDENTITYKEYING` | ⚪ | Key authenticated-route rate limits by session/username instead of IP (prevents collisions for multiple users behind shared proxies) | `true`, `false` | `false` |
+| `DD_RUN_AS_ROOT` | ⚪ | Request break-glass root mode (requires `DD_ALLOW_INSECURE_ROOT=true`) | `true`, `false` | `false` |
+| `DD_ALLOW_INSECURE_ROOT` | ⚪ | Explicit acknowledgment for break-glass root mode | `true`, `false` | `false` |
+
+For log output configuration (`DD_LOG_LEVEL`, `DD_LOG_FORMAT`), see [Logs configuration](/docs/configuration/logs).
+
+## CORS Security Guidance
+
+When `DD_SERVER_CORS_ENABLED=true` and `DD_SERVER_CORS_ORIGIN` is not set, drydock uses `*` (all origins). This is convenient for local testing, but broad for production. A startup warning is emitted when the wildcard is implicit. In a future release, an explicit `DD_SERVER_CORS_ORIGIN=*` will be required to intentionally allow all origins.
+
+For production deployments, set an explicit trusted origin:
+
+- `DD_SERVER_CORS_ORIGIN=https://drydock.example.com`
+- `DD_SERVER_CORS_ORIGIN=https://ops.example.com`
+
+## Container Healthcheck
+
+The official Docker image includes a built-in `HEALTHCHECK` that polls the `/health` endpoint. When `DD_SERVER_TLS_ENABLED=true`, the healthcheck automatically switches to HTTPS (with `--insecure` for self-signed certificates). No additional configuration is needed.
+
+## Plain HTTP Deployments
+
+When `DD_SERVER_TLS_ENABLED` is not set or is `false`, drydock automatically adjusts its security headers for plain HTTP:
+
+- **HSTS** is omitted (since the browser is not on HTTPS)
+- **`upgrade-insecure-requests`** CSP directive is omitted (prevents browsers from blocking sub-resource loads)
+
+No additional configuration is required — drydock detects the TLS state and adapts automatically. If you run drydock behind a TLS-terminating reverse proxy, set `DD_SERVER_TRUSTPROXY=true` (or a hop count) so drydock sees the correct protocol from `X-Forwarded-Proto`.
+
+## Session Cookie SameSite Guidance
+
+- Use `lax` (default) for typical web + OIDC setups.
+- Use `strict` only when drydock and IdP are same-site and you want the strictest cookie policy.
+- Use `none` only when you explicitly need cross-site cookies (for example embedded UI), and only over HTTPS. Setting `DD_SERVER_COOKIE_SAMESITE=none` causes a startup validation check -- drydock will refuse to start unless `DD_SERVER_TLS_ENABLED=true` or `DD_SERVER_TRUSTPROXY` is set, ensuring cookies are only sent over a secure transport.
+
+## Concurrent Session Guidance
+
+`DD_SERVER_SESSION_MAXCONCURRENTSESSIONS` controls how many authenticated sessions each user may keep active at once. When a login would exceed the cap, drydock revokes that user's oldest existing sessions first.
+
+## Examples
+
+### Disable http listener
+
+<Tabs items={["Docker Compose (Disable Listener)", "Docker (Disable Listener)"]}>
+<Tab value="Docker Compose (Disable Listener)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_SERVER_ENABLED=false
+```
+
+</Tab>
+<Tab value="Docker (Disable Listener)">
+```bash
+docker run \
+  -e DD_SERVER_ENABLED=false \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### Set http listener port to 8080
+
+<Tabs items={["Docker Compose (Custom Port)", "Docker (Custom Port)"]}>
+<Tab value="Docker Compose (Custom Port)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_SERVER_PORT=8080
+```
+
+</Tab>
+<Tab value="Docker (Custom Port)">
+```bash
+docker run \
+  -e DD_SERVER_PORT=8080 \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### Enable HTTPS
+
+<Tabs items={["Docker Compose (HTTPS)", "Docker (HTTPS)"]}>
+<Tab value="Docker Compose (HTTPS)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_SERVER_TLS_ENABLED=true
+      - DD_SERVER_TLS_KEY=/drydock_certs/server.key
+      - DD_SERVER_TLS_CERT=/drydock_certs/server.crt
+```
+
+</Tab>
+<Tab value="Docker (HTTPS)">
+```bash
+docker run \
+  -e "DD_SERVER_TLS_ENABLED=true" \
+  -e "DD_SERVER_TLS_KEY=/drydock_certs/server.key" \
+  -e "DD_SERVER_TLS_CERT=/drydock_certs/server.crt" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### Reverse proxy (trust proxy)
+
+**Required when drydock runs behind a TLS-terminating reverse proxy** (Traefik, Nginx, Caddy, HAProxy, etc.). Without this setting, drydock cannot determine the real protocol or client IP from forwarded headers, which causes:
+
+- **CSRF validation failures** (403 errors on POST/PUT/DELETE requests) — drydock sees `http://` internally while the browser sends `Origin: https://...`
+- **Incorrect security headers** — HSTS and secure cookie flags may not be applied
+- **Wrong client IPs in logs and rate limiting** — drydock sees the proxy's IP instead of the real client
+
+Set `DD_SERVER_TRUSTPROXY=1` to trust one proxy hop. Use a higher number if you have chained proxies (e.g. CDN → load balancer → app proxy = `3`).
+
+<Tabs items={["Docker Compose (Trust Proxy)", "Docker (Trust Proxy)"]}>
+<Tab value="Docker Compose (Trust Proxy)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_SERVER_TRUSTPROXY=1
+```
+
+</Tab>
+<Tab value="Docker (Trust Proxy)">
+```bash
+docker run \
+  -e DD_SERVER_TRUSTPROXY=1 \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+Your proxy must forward the `X-Forwarded-Proto` header so drydock knows whether the original request used HTTPS. Most proxies (Traefik, Caddy) do this by default. For Nginx, add `proxy_set_header X-Forwarded-Proto $scheme;` to your location block. See the [FAQ](/docs/faq#csrf-validation-failed-403-behind-a-reverse-proxy) for complete Traefik and Nginx examples.
+
+## Advanced Tuning
+
+These variables control the icon proxy cache used to serve container icons. Defaults are suitable for most deployments.
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_ICON_CACHE_TTL_MS` | ⚪ | TTL for cached icon files on disk | integer (ms) | `2592000000` (30 days) |
+| `DD_ICON_CACHE_MAX_FILES` | ⚪ | Maximum number of icon files in cache | integer (`>0`) | `5000` |
+| `DD_ICON_CACHE_MAX_BYTES` | ⚪ | Maximum total size of icon cache in bytes | integer (`>0`) | `104857600` (100 MB) |
+
+### Secrets from files
+
+Any `DD_*` environment variable can be loaded from a file by appending `__FILE` to the variable name and setting the value to the file path. This is useful for Docker secrets and other secret management tools.
+
+<Tabs items={["Docker Compose (Secrets from Files)", "Docker (Secrets from Files)"]}>
+<Tab value="Docker Compose (Secrets from Files)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_SERVER_WEBHOOK_TOKEN__FILE=/run/secrets/webhook_token
+      - DD_SERVER_WEBHOOK_TOKENS_UPDATE__FILE=/run/secrets/webhook_update_token
+    secrets:
+      - webhook_token
+      - webhook_update_token
+
+secrets:
+  webhook_token:
+    file: ./webhook_token.txt
+  webhook_update_token:
+    file: ./webhook_update_token.txt
+```
+
+</Tab>
+<Tab value="Docker (Secrets from Files)">
+```bash
+docker run \
+  -e DD_SERVER_WEBHOOK_TOKEN__FILE=/run/secrets/webhook_token \
+  -e DD_SERVER_WEBHOOK_TOKENS_UPDATE__FILE=/run/secrets/webhook_update_token \
+  -v ./webhook_token.txt:/run/secrets/webhook_token:ro \
+  -v ./webhook_update_token.txt:/run/secrets/webhook_update_token:ro \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
diff --git a/content/docs/v1.4/configuration/server/meta.json b/content/docs/v1.4/configuration/server/meta.json
new file mode 100644
index 000000000..4404bfdcc
--- /dev/null
+++ b/content/docs/v1.4/configuration/server/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Server",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/storage/index.mdx b/content/docs/v1.4/configuration/storage/index.mdx
new file mode 100644
index 000000000..9858eb73c
--- /dev/null
+++ b/content/docs/v1.4/configuration/storage/index.mdx
@@ -0,0 +1,42 @@
+---
+title: "Storage"
+description: "Persist drydock state by mounting /store as a volume."
+---
+
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+If you want the state to persist after the container removal, you need to mount  ```/store``` as a volume.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_STORE_PATH` | ⚪ | Directory where the database file is stored | directory path | `/store` |
+| `DD_STORE_FILE` | ⚪ | Database filename | filename | `dd.json` |
+| `DD_UPDATE_OPERATION_MAX_ENTRIES` | ⚪ | Max update/rollback operation records to retain (oldest pruned when exceeded) | integer (`>0`) | `500` |
+| `DD_UPDATE_OPERATION_RETENTION_DAYS` | ⚪ | Days to retain update operation records before pruning | integer (`>0`) | `30` |
+
+## Examples
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    volumes:
+      - /path-on-my-host:/store
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -v /path-on-my-host:/store
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
diff --git a/content/docs/v1.4/configuration/storage/meta.json b/content/docs/v1.4/configuration/storage/meta.json
new file mode 100644
index 000000000..e2378756b
--- /dev/null
+++ b/content/docs/v1.4/configuration/storage/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Storage",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/timezone/index.mdx b/content/docs/v1.4/configuration/timezone/index.mdx
new file mode 100644
index 000000000..340f3628c
--- /dev/null
+++ b/content/docs/v1.4/configuration/timezone/index.mdx
@@ -0,0 +1,56 @@
+---
+title: "Timezone"
+description: "drydock is running in UTC by default."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+drydock is running in UTC by default. \
+If you prefer using a local timezone, you have 2 solutions:
+
+## Solution 1: use the local time of your host machine
+
+<Tabs items={["Docker Compose (Host Localtime)", "Docker (Host Localtime)"]}>
+<Tab value="Docker Compose (Host Localtime)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+```
+
+</Tab>
+<Tab value="Docker (Host Localtime)">
+```bash
+docker run -v /etc/localtime:/etc/localtime:ro ... codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+## Solution 2: use the standard `TZ` environment variable
+
+<Tabs items={["Docker Compose (TZ Variable)", "Docker (TZ Variable)"]}>
+<Tab value="Docker Compose (TZ Variable)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - TZ=Europe/Paris
+```
+
+</Tab>
+<Tab value="Docker (TZ Variable)">
+```bash
+docker run -e "TZ=Europe/Paris" ... codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+<Callout type="info">You can find the [list of the supported values here](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones).</Callout>
diff --git a/content/docs/v1.4/configuration/timezone/meta.json b/content/docs/v1.4/configuration/timezone/meta.json
new file mode 100644
index 000000000..bc85b6002
--- /dev/null
+++ b/content/docs/v1.4/configuration/timezone/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Timezone",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/triggers/apprise/index.mdx b/content/docs/v1.4/configuration/triggers/apprise/index.mdx
new file mode 100644
index 000000000..655882963
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/apprise/index.mdx
@@ -0,0 +1,115 @@
+---
+title: "Apprise"
+description: "The apprise trigger lets you send container update notifications via the Apprise API."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+![logo](/docs/assets/configuration/triggers/apprise/apprise.png)
+
+The `apprise` trigger lets you send container update notifications via the [Apprise API](https://github.com/caronc/apprise-api).
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --------------------------------------------- | :--------------: | ------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- | ---------------------------- |
+| `DD_TRIGGER_APPRISE_{trigger_name}_URL` | 🔴 | The Base URL of the Apprise API | | |
+| `DD_TRIGGER_APPRISE_{trigger_name}_URLS` | ⚪ | The comma separated list of Apprise service urls | [See the list of the supported Apprise notification URLs](https://github.com/caronc/apprise#popular-notification-services) | |
+| `DD_TRIGGER_APPRISE_{trigger_name}_CONFIG` | ⚪ | The name of an Apprise yaml configuration | [See Apprise persistent configuration documentation](https://appriseit.com/getting-started/configuration/) | |
+| `DD_TRIGGER_APPRISE_{trigger_name}_TAG` | ⚪ | The optional tags(s) to expand when using an Apprise yaml configuration | [See Apprise persistent configuration documentation](https://appriseit.com/getting-started/configuration/) | |
+
+<Callout type="warn">Either `URLS` or `CONFIG` must be set, but not both. These options are mutually exclusive.</Callout>
+
+<Callout type="info">This trigger also supports the [common configuration variables](/docs/configuration/triggers/#common-trigger-configuration).</Callout>
+
+## Examples
+
+### Send a Mail & an SMS
+
+<Tabs items={["Docker Compose (Mail & SMS)", "Docker (Mail & SMS)"]}>
+<Tab value="Docker Compose (Mail & SMS)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_TRIGGER_APPRISE_LOCAL_URL=http://apprise:8000
+      - DD_TRIGGER_APPRISE_LOCAL_URLS=mailto://john.doe:secret@gmail.com,sns://AHIAJGNT76XIMXDBIJYA/bu1dHSdO22pfaaVy/wmNsdljF4C07D3bndi9PQJ9/us-east-2/+1(800)555-1223
+```
+
+</Tab>
+<Tab value="Docker (Mail & SMS)">
+```bash
+docker run \
+  -e DD_TRIGGER_APPRISE_LOCAL_URL="http://apprise:8000" \
+  -e DD_TRIGGER_APPRISE_LOCAL_URLS="mailto://john.doe:secret@gmail.com,sns://AHIAJGNT76XIMXDBIJYA/bu1dHSdO22pfaaVy/wmNsdljF4C07D3bndi9PQJ9/us-east-2/+1(800)555-1223" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### Use a persistent YAML configuration
+
+Declare a YAML Apprise configuration ([see here](https://appriseit.com/getting-started/configuration/)) ; let's call it `dd.yml` for example.
+
+```yaml
+# dd.yml example
+urls:
+  - tgram://{bot_token}/{chat_id}:
+    - tag: devops
+```
+
+<Tabs items={["Docker Compose (YAML Config)", "Docker (YAML Config)"]}>
+<Tab value="Docker Compose (YAML Config)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_TRIGGER_APPRISE_LOCAL_URL=http://apprise:8000
+      - DD_TRIGGER_APPRISE_LOCAL_CONFIG=drydock # the name of the yaml config file
+      - DD_TRIGGER_APPRISE_LOCAL_TAG=devops # the tags to use with the config (optional)
+```
+
+</Tab>
+<Tab value="Docker (YAML Config)">
+```bash
+docker run \
+  -e DD_TRIGGER_APPRISE_LOCAL_URL="http://apprise:8000" \
+  -e DD_TRIGGER_APPRISE_LOCAL_CONFIG="drydock" \
+  -e DD_TRIGGER_APPRISE_LOCAL_TAG="devops" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+## How to run the Apprise API?
+
+Just run the official [Apprise Docker image](https://hub.docker.com/r/caronc/apprise).
+
+For more information, check out the [official Apprise API documentation](https://github.com/caronc/apprise-api).
+
+<Tabs items={["Docker Compose (Apprise API)", "Docker (Apprise API)"]}>
+<Tab value="Docker Compose (Apprise API)">
+
+```yaml
+services:
+  apprise:
+    image: caronc/apprise
+    container_name: apprise
+```
+
+</Tab>
+<Tab value="Docker (Apprise API)">
+```bash
+docker run caronc/apprise
+```
+</Tab>
+</Tabs>
diff --git a/content/docs/v1.4/configuration/triggers/apprise/meta.json b/content/docs/v1.4/configuration/triggers/apprise/meta.json
new file mode 100644
index 000000000..de0e60460
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/apprise/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Apprise",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/triggers/command/index.mdx b/content/docs/v1.4/configuration/triggers/command/index.mdx
new file mode 100644
index 000000000..a331c1c13
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/command/index.mdx
@@ -0,0 +1,140 @@
+---
+title: "Command"
+description: "The command trigger lets you run arbitrary commands upon container update notifications."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+![logo](/docs/assets/configuration/triggers/command/command.png)
+
+The `command` trigger lets you run arbitrary commands upon container update notifications.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_TRIGGER_COMMAND_{trigger_name}_CMD` | 🔴 | The command to run | | |
+| `DD_TRIGGER_COMMAND_{trigger_name}_SHELL` | ⚪ | The shell to use | Any valid installed shell path | `/bin/sh` |
+| `DD_TRIGGER_COMMAND_{trigger_name}_TIMEOUT` | ⚪ | The command timeout (in ms) | Any positive integer (`0` means no timeout) | `60000` |
+
+This trigger also supports the [common configuration variables](/docs/configuration/triggers/#common-trigger-configuration). Update information is passed as environment variables (see below).
+
+<Callout type="warn">Security: `DD_TRIGGER_COMMAND_{trigger_name}_CMD` is executed as `{shell} -c {cmd}` with drydock process privileges. This is an intentional admin-only feature configured through environment variables (not API-exposed). Use only trusted command strings and validate any interpolated values.</Callout>
+
+## Environment variables passed to the executed command
+
+### In simple mode (execution per container to update)
+
+- display_icon
+- display_name
+- id
+- image_architecture
+- image_created
+- image_digest_repo
+- image_digest_watch
+- image_id
+- image_name
+- image_os
+- image_registry_name
+- image_registry_url
+- image_tag_semver
+- image_tag_value
+- name
+- result_tag
+- status
+- update_available
+- update_kind_kind
+- update_kind_local_value
+- update_kind_remote_value
+- update_kind_semver_diff
+- watcher
+
+#### Example
+
+```bash
+display_icon='mdi:docker'
+display_name='test-nginx-1'
+id='94f9f845de0fc4f8ad17c0ee1aaeaf495669de229edf41cdcd14d2af7157e47e'
+image_architecture='amd64'
+image_created='2023-06-13T07:15:33.483Z'
+image_digest_repo='sha256:b997b0db9c2bc0a2fb803ced5fb9ff3a757e54903a28ada3e50412cc3ab7822f'
+image_digest_watch=false
+image_id='sha256:7d3c40f240e18f6b440bf06b1dfd8a9c48a49c1dfe3400772c3b378739cbdc47'
+image_name='library/nginx'
+image_os='linux'
+image_registry_name='hub.public'
+image_registry_url='https://registry-1.docker.io/v2'
+image_tag_semver=true
+image_tag_value='1.25.0'
+name='test-nginx-1'
+result_tag='stable-alpine3.20-slim'
+status='running'
+update_available=true
+update_kind_kind='tag'
+update_kind_local_value='1.25.0'
+update_kind_remote_value='stable-alpine3.20-slim'
+update_kind_semver_diff='major'
+watcher='local'
+```
+
+<Callout type="info">In addition, a `container_json` environment variable is passed containing the full `container` entity as a JSON string.</Callout>
+
+### In batch mode (execution for a batch of containers to update)
+
+<Callout type="info">A `containers_json` environment variable is passed containing the array of all the containers to update as a JSON string.</Callout>
+
+## Examples
+
+### Running an arbitrary command
+
+<Tabs items={["Docker Compose (Arbitrary Command)", "Docker (Arbitrary Command)"]}>
+<Tab value="Docker Compose (Arbitrary Command)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_TRIGGER_COMMAND_LOCAL_CMD=echo $${display_name} can be updated to $${update_kind_remote_value}
+```
+
+</Tab>
+<Tab value="Docker (Arbitrary Command)">
+```bash
+docker run \
+  -e DD_TRIGGER_COMMAND_LOCAL_CMD=echo ${display_name} can be updated to ${update_kind_remote_value} \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### Running a custom bash script
+
+<Tabs items={["Docker Compose (Bash Script)", "Docker (Bash Script)"]}>
+<Tab value="Docker Compose (Bash Script)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_TRIGGER_COMMAND_LOCAL_CMD=bash -c /drydock/trigger.sh
+    volumes:
+      - ${PWD}/drydock/trigger.sh:/drydock/trigger.sh
+```
+
+</Tab>
+<Tab value="Docker (Bash Script)">
+```bash
+docker run \
+  -e DD_TRIGGER_COMMAND_LOCAL_CMD=DD_TRIGGER_COMMAND_LOCAL_CMD=bash -c /drydock/trigger.sh \
+  -v ${PWD}/drydock/trigger.sh:/drydock/trigger.sh
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
diff --git a/content/docs/v1.4/configuration/triggers/command/meta.json b/content/docs/v1.4/configuration/triggers/command/meta.json
new file mode 100644
index 000000000..fdd26d486
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/command/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Command",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/triggers/discord/index.mdx b/content/docs/v1.4/configuration/triggers/discord/index.mdx
new file mode 100644
index 000000000..d00285dd4
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/discord/index.mdx
@@ -0,0 +1,55 @@
+---
+title: "Discord"
+description: "The discord trigger lets you send realtime notifications using Discord bots."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+![logo](/docs/assets/configuration/triggers/discord/discord.png)
+
+The `discord` trigger lets you send realtime notifications using [Discord](https://discord.com/) bots.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_TRIGGER_DISCORD_{trigger_name}_URL` | 🔴 | The Discord webhook URL | HTTPS URL | |
+| `DD_TRIGGER_DISCORD_{trigger_name}_BOTUSERNAME` | ⚪ | The bot username | | drydock |
+| `DD_TRIGGER_DISCORD_{trigger_name}_CARDCOLOR` | ⚪ | Color of the message card | Color in decimal base | 65280 |
+| `DD_TRIGGER_DISCORD_{trigger_name}_CARDLABEL` | ⚪ | Optional label to display in the message | String | |
+
+<Callout type="info">This trigger also supports the [common configuration variables](/docs/configuration/triggers/#common-trigger-configuration).</Callout>
+
+## Examples
+
+### Configuration
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_TRIGGER_DISCORD_1_URL=https://discord.com/api/webhooks/123/456
+      - DD_TRIGGER_DISCORD_1_BOTUSERNAME=drydock
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e DD_TRIGGER_DISCORD_1_URL="https://discord.com/api/webhooks/123/456" \
+  -e DD_TRIGGER_DISCORD_1_BOTUSERNAME="drydock" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+## How to create a Discord webhook
+
+[Follow this tutorial](https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks)
diff --git a/content/docs/v1.4/configuration/triggers/discord/meta.json b/content/docs/v1.4/configuration/triggers/discord/meta.json
new file mode 100644
index 000000000..19ab6cbb3
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/discord/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Discord",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/triggers/docker-compose/index.mdx b/content/docs/v1.4/configuration/triggers/docker-compose/index.mdx
new file mode 100644
index 000000000..2f3a9865f
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/docker-compose/index.mdx
@@ -0,0 +1,174 @@
+---
+title: "Docker-Compose"
+description: "The dockercompose trigger lets you update docker-compose.yml files & replace existing containers with their updated versions."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+![logo](/docs/assets/configuration/triggers/docker-compose/docker-compose.png)
+
+The `dockercompose` trigger lets you update docker-compose.yml files & replace existing containers with their updated versions.
+
+The trigger will:
+
+- Update the related docker-compose.yml file
+- Clone the existing container specification
+- Pull the new image
+- Stop the existing container
+- Remove the existing container
+- Create the new container
+- Start the new container (if the previous one was running)
+- Run `post_start` hooks declared on the updated service (if any)
+- Remove the previous image (optionally)
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_TRIGGER_DOCKERCOMPOSE_{trigger_name}_FILE` | ⚪ | The docker-compose.yml file location or directory (can also be set per container via the `dd.compose.file` label). When a directory is given, Drydock probes for `compose.yaml`, `compose.yml`, `docker-compose.yaml`, and `docker-compose.yml` in order. | | |
+| `DD_TRIGGER_DOCKERCOMPOSE_{trigger_name}_BACKUP` | ⚪ | Backup the docker-compose.yml file as `.back` before updating? | `true`, `false` | `false` |
+| `DD_TRIGGER_DOCKERCOMPOSE_{trigger_name}_PRUNE` | ⚪ | If the old image must be pruned after upgrade | `true`, `false` | `false` |
+| `DD_TRIGGER_DOCKERCOMPOSE_{trigger_name}_DRYRUN` | ⚪ | When enabled, only pull the new image ahead of time | `true`, `false` | `false` |
+| `DD_TRIGGER_DOCKERCOMPOSE_{trigger_name}_BACKUPCOUNT` | ⚪ | Number of image backups to retain per container | Integer | `3` |
+| `DD_TRIGGER_DOCKERCOMPOSE_{trigger_name}_AUTOREMOVETIMEOUT` | ⚪ | Wait timeout for container auto-removal (ms) | Integer | `10000` |
+| `DD_TRIGGER_DOCKERCOMPOSE_{trigger_name}_COMPOSEFILELABEL` | ⚪ | Container label name used to locate the compose file per container | Label name | `dd.compose.file` |
+| `DD_TRIGGER_DOCKERCOMPOSE_{trigger_name}_RECONCILIATIONMODE` | ⚪ | Compose/runtime reconciliation mode before lifecycle (`warn`, `block`, or `off`) | `warn`, `block`, `off` | `warn` |
+| `DD_TRIGGER_DOCKERCOMPOSE_{trigger_name}_DIGESTPINNING` | ⚪ | Write digest-pinned compose image references when a digest is available | `true`, `false` | `false` |
+| `DD_TRIGGER_DOCKERCOMPOSE_{trigger_name}_COMPOSEFILEONCE` | ⚪ | Batch compose runtime refresh to one grouped pull/up pass per compose stack/file | `true`, `false` | `false` |
+
+This trigger also supports the [common configuration variables](/docs/configuration/triggers/#common-trigger-configuration), but only supports the `batch` mode.
+
+**Notes:**
+
+- The env var keys for `COMPOSEFILEONCE`, `COMPOSEFILELABEL`, `RECONCILIATIONMODE`, and `DIGESTPINNING` are case-insensitive — both the lowercased form (e.g. `composefileonce`) and the camelCase form (e.g. `composeFileOnce`) are accepted.
+- Legacy compatibility: compose file label fallback `wud.compose.file` is still accepted when `dd.compose.file` is not present. Prefer `dd.compose.file` for new configs, and use `node dist/index.js config migrate` to rewrite existing labels.
+
+## Auto-detection
+
+When no explicit `FILE` env var or `dd.compose.file` label is set, Drydock auto-detects the compose file path for each container. The detection chain is evaluated in order, and the first match wins:
+
+1. **`dd.compose.file` label** (or legacy `wud.compose.file`) on the container.
+2. **`com.docker.compose.project.config_files`** Docker label — set automatically by Docker Compose on every container it creates.
+3. **Docker inspect fallback** — re-reads the `config_files` label from the Docker inspect API (covers containers whose labels were not available at watcher sync time).
+4. **Trigger-level `FILE` configuration** — the `DD_TRIGGER_DOCKERCOMPOSE_{trigger_name}_FILE` env var, used as a last resort default.
+
+Most Docker Compose users do not need to configure the file path at all. As long as containers were started with `docker compose up`, the `config_files` label is present and Drydock resolves the path automatically.
+
+<Callout type="warn">This trigger will only work with locally watched containers.</Callout>
+
+<Callout type="warn">Do not forget to mount the docker-compose.yml file in the drydock container.</Callout>
+
+The Docker Compose trigger uses the Docker Engine API directly for all runtime operations (pull, stop, recreate). The `docker compose` / `docker-compose` CLI binary is **not required** inside the drydock container.
+
+## Tag vs digest updates
+
+For **tag-based updates**, the trigger patches the compose file with the new tag and then recreates the container. For **digest-only updates** (same tag, new digest), the compose file is left unchanged and only the container runtime is refreshed (pull new image, stop/remove old container, recreate with new image).
+
+When `DIGESTPINNING=true`, compose mutations use digest references (`image@sha256:...`) when a digest is available.
+
+## Compose file patch behavior
+
+When a tag-based update requires a compose file change, Drydock patches Compose content in a service-scoped way:
+
+- Only the target `services.<service>.image` value is edited.
+- Comments and surrounding formatting are preserved outside that scalar value.
+- Drydock does not use global string replacement for image tags, so matching strings in other fields (for example environment values) are not rewritten.
+
+If a service uses flow-style mapping without an `image` key (for example `nginx: { restart: always }`), Drydock will not auto-insert `image`. Convert that service to block-style YAML first.
+
+Before persisting a compose mutation, Drydock validates the candidate file by parsing the full compose chain in-process. Invalid candidate configs are not written.
+
+## Reconciliation behavior
+
+Before lifecycle execution, Drydock checks the running container image against the compose-declared image for the target service.
+
+- `RECONCILIATIONMODE=warn` (default): log a reconciliation warning and continue.
+- `RECONCILIATIONMODE=block`: fail the update before write/runtime steps.
+- `RECONCILIATIONMODE=off`: skip reconciliation checks.
+
+## Compose-file-once mode
+
+When `COMPOSEFILEONCE=true` and multiple services in the same compose stack/file require runtime refresh, Drydock performs one runtime refresh per unique service and skips repeated refreshes for subsequent containers sharing the same service in that batch.
+
+## Multi-file compose chains
+
+When a container was started with multiple compose files (e.g. `docker-compose.yml` + `docker-compose.override.yml`), Drydock detects the full file chain from the `com.docker.compose.project.config_files` label.
+
+During an update:
+
+1. Drydock searches every file in the chain to find which one declares the target service's `image` key.
+2. The last file in the chain that contains the service definition and is writable is selected as the update target. This matches Docker Compose override semantics where later files take precedence.
+3. All files in the chain are parsed in-process for validation before and after any mutation.
+
+The compose file chain for each container is visible in the container detail view of the UI.
+
+If only one compose file is used, the chain is a single entry and the behavior is identical to the single-file case.
+
+## Troubleshooting: `permission denied` (`EACCES`)
+
+If logs show an error like:
+
+```text
+EACCES: permission denied, access '/drydock/.../docker-compose.yml'
+```
+
+the mounted compose file (or parent directory) is not writable by the Drydock process. This trigger needs read and write access to update image tags in the compose file.
+
+Ways to fix:
+
+- Grant read and write access on the mounted path for the user/group used by the Drydock container.
+- Add the host group that owns the compose files with `group_add` so Drydock can read and write them.
+- Break-glass workaround (less secure): set both `DD_RUN_AS_ROOT=true` and `DD_ALLOW_INSECURE_ROOT=true`; setting only `DD_RUN_AS_ROOT=true` fails closed at startup.
+
+Example using `group_add`:
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    group_add:
+      - "${COMPOSE_FILES_GID}"
+    volumes:
+      - /var/lib/docker/volumes/portainer_data/_data/compose:/drydock
+    environment:
+      - DD_TRIGGER_DOCKERCOMPOSE_EXAMPLE_FILE=/drydock/5/docker-compose.yml
+```
+
+`COMPOSE_FILES_GID` should match the GID that owns the mounted compose files on the host.
+
+<Callout type="warn">Do **not** mount the compose file as read-only (`:ro`) — the trigger must write updated image tags back to the file.</Callout>
+
+## Examples
+
+<Tabs items={["Docker Compose", "Docker", "Label"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    volumes:
+    - /etc/my-services/docker-compose.yml:/drydock/docker-compose.yml
+    environment:
+      - DD_TRIGGER_DOCKERCOMPOSE_EXAMPLE_FILE=/drydock/docker-compose.yml
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -v /etc/my-services/docker-compose.yml:/drydock/docker-compose.yml
+  -e "DD_TRIGGER_DOCKERCOMPOSE_EXAMPLE_FILE=/drydock/docker-compose.yml" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+<Tab value="Label">
+```yaml
+labels:
+  dd.compose.file: "/my/path/docker-compose.yaml"
+```
+</Tab>
+</Tabs>
diff --git a/content/docs/v1.4/configuration/triggers/docker-compose/meta.json b/content/docs/v1.4/configuration/triggers/docker-compose/meta.json
new file mode 100644
index 000000000..d2c0c0daf
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/docker-compose/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Docker Compose",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/triggers/docker/index.mdx b/content/docs/v1.4/configuration/triggers/docker/index.mdx
new file mode 100644
index 000000000..273b3ef18
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/docker/index.mdx
@@ -0,0 +1,179 @@
+---
+title: "Docker"
+description: "The docker trigger lets you replace existing containers with their updated versions."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+![logo](/docs/assets/configuration/triggers/docker/docker.png)
+
+The `docker` trigger lets you replace existing containers with their updated versions.
+
+The trigger uses a **rename-first** strategy that keeps the original container name available as briefly as possible and supports automatic rollback on failure:
+
+1. Pull the new image
+2. Rename the current container to a temporary name (`{name}-old-{timestamp}`)
+3. Create a new container with the **original name** and the new image
+4. Stop the old (renamed) container (if it was running)
+5. Start the new container (if the old one was running)
+6. Wait for the new container to become healthy (if a `HEALTHCHECK` is configured)
+7. Remove the old container
+
+If **any step fails**, the trigger automatically rolls back:
+
+1. Stop and remove the new container (best-effort)
+2. Rename the old container back to the original name
+3. Restart the old container (if it was previously running)
+
+If Drydock restarts while an update is in progress, it automatically reconciles the interrupted operation on startup — restoring the old container or cleaning up stale temporaries as needed. When [Update Bouncer](/docs/configuration/security) is configured, candidate images are scanned for vulnerabilities before the update proceeds. If the scan finds blocking issues, the update is aborted and a `security-alert` notification is sent.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| ------------------------------------------ | :--------------: | ----------------------------------------------------- | ---------------- | -------------------------- |
+| `DD_TRIGGER_DOCKER_{trigger_name}_PRUNE` | ⚪ | If old image versions must be pruned | `true`, `false` | `false` |
+| `DD_TRIGGER_DOCKER_{trigger_name}_DRYRUN` | ⚪ | When enabled, only pull the new image ahead of time | `true`, `false` | `false` |
+| `DD_TRIGGER_DOCKER_{trigger_name}_BACKUPCOUNT` | ⚪ | Number of image backups to retain per container | Integer | `3` |
+| `DD_TRIGGER_DOCKER_{trigger_name}_AUTOREMOVETIMEOUT` | ⚪ | Wait timeout for container auto-removal (ms) | Integer | `10000` |
+
+This trigger also supports the [common configuration variables](/docs/configuration/triggers/#common-trigger-configuration). It picks up the Docker configuration from the [configured Docker watchers](/docs/configuration/watchers) so it can handle updates on Local **and** Remote Docker hosts.
+
+<Callout type="warn">**Agent mode:** When using [distributed agents](/docs/configuration/agents), each agent needs its own Docker trigger configured (e.g., `DD_TRIGGER_DOCKER_LOCAL_PRUNE=true`). The `{trigger_name}` segment is required — `DD_TRIGGER_DOCKER_PRUNE=true` without a name is invalid and will not create a working trigger. The controller does **not** need Docker triggers for remote agents; agent triggers are discovered automatically during the handshake.</Callout>
+
+## Image Backup & Rollback
+
+Every time a container is updated, Drydock automatically backs up the previous image metadata. Backups are retained per container up to the `BACKUPCOUNT` limit (default: 3), with older backups pruned automatically.
+
+You can roll back to any retained backup via the API:
+
+```text
+POST /api/containers/{id}/rollback
+```
+
+Optionally pass a specific backup ID in the request body:
+
+```json
+{ "backupId": "uuid" }
+```
+
+If omitted, the most recent backup is used. Rollback pulls the backup image, stops the current container, recreates it with the backup image, and starts it.
+
+## Auto-Rollback
+
+Drydock can automatically roll back a container update if the container becomes unhealthy. This requires the container to have a Docker `HEALTHCHECK` defined.
+
+Configure auto-rollback using container labels:
+
+| Label | Description | Default |
+| --- | --- | --- |
+| `dd.rollback.auto` | Enable auto-rollback on health failure | `false` |
+| `dd.rollback.window` | Monitoring window in milliseconds | `300000` (5 min) |
+| `dd.rollback.interval` | Health check poll interval in milliseconds | `10000` (10 sec) |
+
+After a successful update, if `dd.rollback.auto` is enabled, Drydock polls the container health status at the configured interval. If the container becomes `unhealthy` within the monitoring window, an automatic rollback is triggered. If the window expires without failure, the container is considered stable.
+
+## Lifecycle Hooks
+
+You can run commands before and after a container update using container labels:
+
+| Label | Description | Default |
+| --- | --- | --- |
+| `dd.hook.pre` | Command to run before the update | |
+| `dd.hook.post` | Command to run after the update | |
+| `dd.hook.pre.abort` | Abort the update if the pre-hook fails | `true` |
+| `dd.hook.timeout` | Hook timeout in milliseconds | `60000` (1 min) |
+
+Hooks execute via `/bin/sh -c` inside the Drydock container. The following environment variables are available to hook commands:
+
+| Variable | Description |
+| --- | --- |
+| `DD_CONTAINER_NAME` | Container name |
+| `DD_CONTAINER_ID` | Container ID |
+| `DD_IMAGE_NAME` | Image name (without registry) |
+| `DD_IMAGE_TAG` | Current image tag |
+| `DD_UPDATE_KIND` | `tag` or `digest` |
+| `DD_UPDATE_FROM` | Current tag or digest |
+| `DD_UPDATE_TO` | New tag or digest |
+
+A non-zero exit code or timeout is treated as failure. When `dd.hook.pre.abort` is `true` (the default), a failed pre-hook prevents the update from proceeding.
+
+<Callout type="warn">Hook labels are ignored unless `DD_HOOKS_ENABLED=true` is set on the Drydock container.</Callout>
+
+Lifecycle hooks are **not** executed during self-updates. When hook labels are present, Drydock records `hook-configured` in the audit log before execution, then `hook-pre-*` / `hook-post-*` based on outcomes.
+
+## Self-Update
+
+Drydock can update itself. When it detects that its own container has an available update, it performs a safe self-replacement sequence:
+
+1. Notifies connected UI clients (full-screen overlay)
+2. Backs up the current image metadata
+3. Pulls the new image while the current container is still running
+4. Renames the old container to `drydock-old-{timestamp}`
+5. Creates a new container with the original name and new image
+6. Spawns a temporary helper container (with the Docker socket) that stops the old container and starts the new one
+7. The UI auto-reconnects to the new instance
+
+If any step fails, Drydock falls back to the previous container automatically.
+
+<Callout type="warn">Self-update requires the Docker socket to be bind-mounted at `/var/run/docker.sock` and a Docker trigger to be enabled.</Callout>
+
+## Examples
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_TRIGGER_DOCKER_EXAMPLE_PRUNE=true
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e "DD_TRIGGER_DOCKER_EXAMPLE_PRUNE=true" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### Auto-rollback with health checks
+
+Add these labels to a container to enable automatic rollback if it becomes unhealthy after an update:
+
+```yaml
+services:
+  myapp:
+    image: myapp:latest
+    labels:
+      - dd.watch=true
+      - dd.rollback.auto=true
+      - dd.rollback.window=300000
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+```
+
+### Lifecycle hooks
+
+Run a database migration before updating and a cache clear after:
+
+```yaml
+services:
+  myapp:
+    image: myapp:latest
+    labels:
+      - dd.watch=true
+      - dd.hook.pre=curl -X POST http://myapp:8080/prepare-update
+      - dd.hook.post=curl -X POST http://myapp:8080/clear-cache
+      - dd.hook.pre.abort=true
+      - dd.hook.timeout=30000
+```
diff --git a/content/docs/v1.4/configuration/triggers/docker/meta.json b/content/docs/v1.4/configuration/triggers/docker/meta.json
new file mode 100644
index 000000000..e33252891
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/docker/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Docker",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/triggers/google-chat/index.mdx b/content/docs/v1.4/configuration/triggers/google-chat/index.mdx
new file mode 100644
index 000000000..11a1dbc6e
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/google-chat/index.mdx
@@ -0,0 +1,47 @@
+---
+title: "Google Chat"
+description: "The googlechat trigger posts container update notifications to a Google Chat space via an incoming webhook."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+The `googlechat` trigger posts container update notifications to a Google Chat space via an incoming webhook.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_TRIGGER_GOOGLECHAT_{trigger_name}_URL` | 🔴 | Incoming webhook URL | `https` URL | |
+| `DD_TRIGGER_GOOGLECHAT_{trigger_name}_THREADKEY` | ⚪ | Thread key for grouping messages into a thread | String | |
+| `DD_TRIGGER_GOOGLECHAT_{trigger_name}_MESSAGEREPLYOPTION` | ⚪ | Reply behavior when `threadkey` is set | `REPLY_MESSAGE_FALLBACK_TO_NEW_THREAD`, `REPLY_MESSAGE_OR_FAIL` | |
+| `DD_TRIGGER_GOOGLECHAT_{trigger_name}_DISABLETITLE` | ⚪ | Disable title to keep full message-body control | `true`, `false` | `false` |
+
+<Callout type="info">This trigger also supports the [common configuration variables](/docs/configuration/triggers/#common-trigger-configuration).</Callout>
+
+<Callout type="info">See the [Google Chat incoming webhooks documentation](https://developers.google.com/workspace/chat/quickstart/webhooks) for endpoint setup details.</Callout>
+
+## Examples
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_TRIGGER_GOOGLECHAT_LOCAL_URL=https://chat.googleapis.com/v1/spaces/xxx/messages?key=abc&token=xyz
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e DD_TRIGGER_GOOGLECHAT_LOCAL_URL="https://chat.googleapis.com/v1/spaces/xxx/messages?key=abc&token=xyz" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
diff --git a/content/docs/v1.4/configuration/triggers/google-chat/meta.json b/content/docs/v1.4/configuration/triggers/google-chat/meta.json
new file mode 100644
index 000000000..d5cc4a4a2
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/google-chat/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Google Chat",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/triggers/gotify/index.mdx b/content/docs/v1.4/configuration/triggers/gotify/index.mdx
new file mode 100644
index 000000000..02c38f7e2
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/gotify/index.mdx
@@ -0,0 +1,58 @@
+---
+title: "Gotify"
+description: "The gotify trigger lets you send container update notifications via Gotify."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+![logo](/docs/assets/configuration/triggers/gotify/gotify.png)
+
+The `gotify` trigger lets you send container update notifications via [Gotify](https://gotify.net/).
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_TRIGGER_GOTIFY_{trigger_name}_PRIORITY` | ⚪ | The Gotify message priority | Integer greater or equal than `0` | |
+| `DD_TRIGGER_GOTIFY_{trigger_name}_TOKEN` | 🔴 | The Gotify app token url | A valid gotify app token | |
+| `DD_TRIGGER_GOTIFY_{trigger_name}_URL` | 🔴 | The Gotify server url | The `http` or `https` gotify server address | |
+
+<Callout type="info">This trigger also supports the [common configuration variables](/docs/configuration/triggers/#common-trigger-configuration).</Callout>
+
+## Examples
+
+### Create an app on Gotify
+
+![image](/docs/assets/configuration/triggers/gotify/gotify_01.png)
+
+### Get the Gotify app token
+
+![image](/docs/assets/configuration/triggers/gotify/gotify_02.png)
+
+### Configure the trigger
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_TRIGGER_GOTIFY_LOCAL_URL=http://gotify.localhost
+      - DD_TRIGGER_GOTIFY_LOCAL_TOKEN=AWp8A.TbBO3xpn4
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e DD_TRIGGER_GOTIFY_LOCAL_URL="http://gotify.localhost" \
+  -e DD_TRIGGER_GOTIFY_LOCAL_TOKEN="AWp8A.TbBO3xpn4" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
diff --git a/content/docs/v1.4/configuration/triggers/gotify/meta.json b/content/docs/v1.4/configuration/triggers/gotify/meta.json
new file mode 100644
index 000000000..fedfa34a8
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/gotify/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Gotify",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/triggers/http/index.mdx b/content/docs/v1.4/configuration/triggers/http/index.mdx
new file mode 100644
index 000000000..dea38ec1f
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/http/index.mdx
@@ -0,0 +1,87 @@
+---
+title: "Http"
+description: "The http trigger lets you send container update notifications via HTTP."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+The `http` trigger lets you send container update notifications via HTTP.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| ------------------------------------------------- | :--------------: | --------------------------------------------------- | ------------------------------ | ---------------------------- |
+| `DD_TRIGGER_HTTP_{trigger_name}_URL` | 🔴 | The URL of the webhook | Valid http or https endpoint | |
+| `DD_TRIGGER_HTTP_{trigger_name}_METHOD` | ⚪ | The HTTP method to use | `GET`, `POST` | `POST` |
+| `DD_TRIGGER_HTTP_{trigger_name}_AUTH_TYPE` | ⚪ | The auth type | `BASIC`, `BEARER` | `BASIC` |
+| `DD_TRIGGER_HTTP_{trigger_name}_AUTH_USER` | ⚪ | The Auth user if BASIC Auth is enabled | | |
+| `DD_TRIGGER_HTTP_{trigger_name}_AUTH_PASSWORD` | ⚪ | The Auth user password if `BASIC` Auth is enabled | | |
+| `DD_TRIGGER_HTTP_{trigger_name}_AUTH_BEARER` | ⚪ | The Auth bearer token if `BEARER` Auth is enabled | | |
+| `DD_TRIGGER_HTTP_{trigger_name}_PROXY` | ⚪ | The HTTP Proxy | | |
+
+<Callout type="warn">HTTP trigger auth now fails closed. If `AUTH_TYPE=BASIC`, both `AUTH_USER` and `AUTH_PASSWORD` are required. If `AUTH_TYPE=BEARER`, `AUTH_BEARER` is required.</Callout>
+
+<Callout type="info">HTTP requests have a 30-second timeout. If the remote server does not respond within 30 seconds, the trigger will fail.</Callout>
+
+<Callout type="info">This trigger also supports the [common configuration variables](/docs/configuration/triggers/#common-trigger-configuration).</Callout>
+
+### Examples
+
+#### Post an HTTP request to an existing server
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_TRIGGER_HTTP_MYREMOTEHOST_URL=https://my-remote-host/new-version
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e DD_TRIGGER_HTTP_MYREMOTEHOST_URL="https://my-remote-host/new-version" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+#### Example of payload (POST request)
+
+```json
+{
+  "id":"31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816",
+  "name":"homeassistant",
+  "watcher":"local",
+  "includeTags":"^\\d+\\.\\d+.\\d+$",
+  "image":{
+    "id":"sha256:d4a6fafb7d4da37495e5c9be3242590be24a87d7edcc4f79761098889c54fca6",
+    "registry":{
+      "url":"123456789.dkr.ecr.eu-west-1.amazonaws.com"
+    },
+    "name":"test",
+    "tag":{
+      "value":"2021.6.4",
+      "semver":true
+    },
+    "digest":{
+      "watch":false,
+      "repo":"sha256:ca0edc3fb0b4647963629bdfccbb3ccfa352184b45a9b4145832000c2878dd72"
+    },
+    "architecture":"amd64",
+    "os":"linux",
+    "created":"2021-06-12T05:33:38.440Z"
+  },
+  "result":{
+    "tag":"2021.6.5"
+  },
+  "updateAvailable": true
+}
+```
diff --git a/content/docs/v1.4/configuration/triggers/http/meta.json b/content/docs/v1.4/configuration/triggers/http/meta.json
new file mode 100644
index 000000000..0d5f56734
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/http/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "HTTP",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/triggers/ifttt/index.mdx b/content/docs/v1.4/configuration/triggers/ifttt/index.mdx
new file mode 100644
index 000000000..046d2bfe8
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/ifttt/index.mdx
@@ -0,0 +1,107 @@
+---
+title: "Ifttt"
+description: "The ifttt trigger lets you send container update notifications to Ifttt via the Maker Webhook applet."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+![logo](/docs/assets/configuration/triggers/ifttt/ifttt.png)
+
+The `ifttt` trigger lets you send container update notifications to Ifttt via the [Maker Webhook applet](https://ifttt.com/maker_webhooks/).
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_TRIGGER_IFTTT_{trigger_name}_KEY` | 🔴 | The Webhook key | | |
+| `DD_TRIGGER_IFTTT_{trigger_name}_EVENT` | ⚪ | The event name | | `dd-image` |
+
+<Callout type="info">This trigger also supports the [common configuration variables](/docs/configuration/triggers/#common-trigger-configuration).</Callout>
+
+## Ifttt ingredients
+
+On Webhook call, Ifttt captures the following ingredients:
+
+- eventName
+- occuredAt
+- value1 (the image which can be updated)
+- value2 (the new version)
+- value3 (the image notification JSON message)
+
+## Examples
+
+### Configuration
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_TRIGGER_IFTTT_PROD_KEY=*******************************************
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e DD_TRIGGER_IFTTT_PROD_KEY="*******************************************" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### Ifttt captured ingredients
+
+- EventName: `dd-image`
+- OccuredAt: `August 30, 2019 at 06:51PM`
+- Value1: `homeassistant`
+- Value2: `2021.6.5`
+- Value3: `{"id":"31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816","name":"homeassistant","watcher":"local","includeTags":"^\\d+\\.\\d+.\\d+$","image":{"id":"sha256:d4a6fafb7d4da37495e5c9be3242590be24a87d7edcc4f79761098889c54fca6","registry":{"url":"123456789.dkr.ecr.eu-west-1.amazonaws.com"},"name":"test","tag":{"value":"2021.6.4","semver":true},"digest":{"watch":false,"repo":"sha256:ca0edc3fb0b4647963629bdfccbb3ccfa352184b45a9b4145832000c2878dd72"},"architecture":"amd64","os":"linux","created":"2021-06-12T05:33:38.440Z"},"result":{"tag":"2021.6.5"},"updateAvailable":true}`
+
+## How to find the IFTTT key
+
+### Open the Webhook channel & Connect
+
+[Open IFTTT Webhooks](https://ifttt.com/maker_webhooks)
+
+And click on `Connect`
+![image](/docs/assets/configuration/triggers/ifttt/ifttt_connect.jpg)
+
+### Get the key from the settings
+
+[Open IFTTT Webhooks Settings](https://ifttt.com/maker_webhooks/settings)
+
+And copy the key from the URL
+![image](/docs/assets/configuration/triggers/ifttt/ifttt_key.png)
+
+## How to create an IFTTT receipt
+
+### Create a new receipt & add a "this" trigger
+
+[Click here to create a new receipt](https://ifttt.com/create)
+
+![image](/docs/assets/configuration/triggers/ifttt/ifttt_add_this.png)
+
+### Add the Webhook service
+
+![image](/docs/assets/configuration/triggers/ifttt/ifttt_search_webhook.png)
+
+### Select the 'Receive a web request' trigger
+
+![image](/docs/assets/configuration/triggers/ifttt/ifttt_request_trigger.png)
+
+### Enter the trigger event name (dd-image by default)
+
+![image](/docs/assets/configuration/triggers/ifttt/ifttt_event.png)
+
+### Define the 'then that' action
+
+![image](/docs/assets/configuration/triggers/ifttt/ifttt_then_that.png)
+
+It's up to you :) Send an email...
diff --git a/content/docs/v1.4/configuration/triggers/ifttt/meta.json b/content/docs/v1.4/configuration/triggers/ifttt/meta.json
new file mode 100644
index 000000000..03ea32604
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/ifttt/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "IFTTT",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/triggers/index.mdx b/content/docs/v1.4/configuration/triggers/index.mdx
new file mode 100644
index 000000000..757aa1ec5
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/index.mdx
@@ -0,0 +1,222 @@
+---
+title: "Triggers"
+description: "Triggers are responsible for performing actions when a new container version is found."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+Triggers are responsible for performing actions when a new container version is found.
+  
+Triggers are enabled using environment variables.
+
+```bash
+DD_TRIGGER_{{ trigger_type }}_{{trigger_name }}_{{ trigger_configuration_item }}=XXX
+```
+
+<Callout type="warn">Multiple triggers of the same type can be configured (for example multiple Smtp addresses).
+You just need to give them different names.</Callout>
+
+## Available triggers
+
+**Update actions:**
+
+- [**Docker**](/docs/configuration/triggers/docker) -- Update containers via the Docker Engine API
+- [**Docker Compose**](/docs/configuration/triggers/docker-compose) -- Update containers managed by Docker Compose
+
+**Messaging & notifications:**
+
+- [**Apprise**](/docs/configuration/triggers/apprise) -- Multi-provider notification relay
+- [**Command**](/docs/configuration/triggers/command) -- Execute a shell command
+- [**Discord**](/docs/configuration/triggers/discord) -- Discord webhook
+- [**Google Chat**](/docs/configuration/triggers/google-chat) -- Google Chat webhook
+- [**Gotify**](/docs/configuration/triggers/gotify) -- Gotify push notification
+- [**HTTP**](/docs/configuration/triggers/http) -- Generic HTTP request
+- [**IFTTT**](/docs/configuration/triggers/ifttt) -- IFTTT webhook
+- [**Kafka**](/docs/configuration/triggers/kafka) -- Apache Kafka topic
+- [**Matrix**](/docs/configuration/triggers/matrix) -- Matrix room message
+- [**Mattermost**](/docs/configuration/triggers/mattermost) -- Mattermost webhook
+- [**MQTT**](/docs/configuration/triggers/mqtt) -- MQTT topic
+- [**ntfy**](/docs/configuration/triggers/ntfy) -- ntfy push notification
+- [**Pushover**](/docs/configuration/triggers/pushover) -- Pushover notification
+- [**Rocket.Chat**](/docs/configuration/triggers/rocketchat) -- Rocket.Chat webhook
+- [**Slack**](/docs/configuration/triggers/slack) -- Slack webhook
+- [**SMTP**](/docs/configuration/triggers/smtp) -- Email notification
+- [**Teams**](/docs/configuration/triggers/teams) -- Microsoft Teams webhook
+- [**Telegram**](/docs/configuration/triggers/telegram) -- Telegram bot message
+
+## Common trigger configuration
+
+All implemented triggers, in addition to their specific configuration, also support the following common configuration variables.
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --------------------------------------------------------- | :--------------: | ----------------------------------------------------------------------------------------------- | ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `DD_TRIGGER_{trigger_type}_{trigger_name}_AUTO` | ⚪ | `true` to automatically execute the trigger. `false` to manually execute it (from UI, API...) | `true`, `false` | `true` |
+| `DD_TRIGGER_{trigger_type}_{trigger_name}_BATCHTITLE` | ⚪ | The template to use to render the title of the notification (batch mode) | String template with placeholders `${count}` | `${containers.length} updates available` |
+| `DD_TRIGGER_{trigger_type}_{trigger_name}_MODE` | ⚪ | Trigger for each container update or trigger once with all available updates as a list | `simple`, `batch` | `simple` |
+| `DD_TRIGGER_{trigger_type}_{trigger_name}_ONCE` | ⚪ | Run trigger once (do not repeat previous results) | `true`, `false` | `true` |
+| `DD_TRIGGER_{trigger_type}_{trigger_name}_ORDER` | ⚪ | Trigger execution order (lower runs first) | Number | `100` |
+| `DD_TRIGGER_{trigger_type}_{trigger_name}_SIMPLEBODY` | ⚪ | The template to use to render the body of the notification | JS string template with vars `container` | `Container ${container.name} running with ${container.updateKind.kind} ${container.updateKind.localValue} can be updated to ${container.updateKind.kind} ${container.updateKind.remoteValue}${container.result && container.result.link ? "\\n" + container.result.link : ""}` |
+| `DD_TRIGGER_{trigger_type}_{trigger_name}_SIMPLETITLE` | ⚪ | The template to use to render the title of the notification (simple mode) | JS string template with vars `${containers}` | `New ${container.updateKind.kind} found for container ${container.name}` |
+| `DD_TRIGGER_{trigger_type}_{trigger_name}_THRESHOLD` | ⚪ | The threshold to reach to run the trigger | `all`, `major`, `major-only`, `minor`, `minor-only`, `patch`, `digest`, and `*-no-digest` variants (`major-no-digest`, `major-only-no-digest`, `minor-no-digest`, `minor-only-no-digest`, `patch-no-digest`) | `all` |
+| `DD_TRIGGER_{trigger_type}_{trigger_name}_RESOLVENOTIFICATIONS` | ⚪ | Auto-dismiss the notification after the container is successfully updated | `true`, `false` | `false` |
+
+### Threshold reference
+
+| Threshold | Fires on |
+|-----------|----------|
+| `all` | Any change (default) |
+| `major` | Major, minor, or patch semver change |
+| `major-only` | Major only |
+| `minor` | Any semver change that is not major (minor, patch, prerelease) |
+| `minor-only` | Minor only |
+| `patch` | Any semver change that is not major or minor (patch, prerelease) |
+| `digest` | Digest changes only |
+
+Any threshold can be suffixed with `-no-digest` to exclude digest-only updates (e.g. `major-no-digest`, `minor-only-no-digest`). Updates with an `unknown` update kind are always filtered out regardless of the threshold setting.
+
+### Notes
+
+- `RESOLVENOTIFICATIONS` is currently implemented for Gotify (auto-deletes the notification message after a successful update). Other providers can be extended to support it.
+- Some messaging triggers (Slack, Telegram, Teams, Matrix, Mattermost, Rocket.Chat, Google Chat) also support `DISABLETITLE` (default `false`) to send only the body without a title line.
+- You can set `DD_TRIGGER_{trigger_type}_THRESHOLD` to define a default threshold for all triggers of the same type, e.g. `DD_TRIGGER_NTFY_THRESHOLD=minor`.
+- Triggers are executed by ascending `ORDER`; when two triggers have the same `ORDER`, they are sorted by trigger id.
+- Triggers sharing the same trigger name (e.g. `docker.update` and `discord.update`) can share `THRESHOLD`; if exactly one threshold value is defined among them, that value is used for the others unless they override it explicitly.
+- Setting `ONCE=false` with `MODE=batch` gives a report with all pending updates on every run.
+
+## Notification Rules
+
+Notification rules control which events fire which triggers. Each rule corresponds to an event type and has an `enabled` flag and an optional list of trigger IDs.
+
+| Rule ID | Default enabled | Description |
+| --- | :---: | --- |
+| `update-available` | Yes | A container has a newer version available |
+| `update-applied` | Yes | A container was successfully updated |
+| `update-failed` | Yes | An update failed or was rolled back |
+| `security-alert` | Yes | Critical/high vulnerability detected during pre-update scan |
+| `agent-disconnect` | No | A remote agent lost its connection |
+
+**Dispatch behavior:**
+
+- **`update-available`** -- for backward compatibility, when its trigger list is empty all triggers fire (existing behavior is preserved). Once you assign specific triggers, only those fire.
+- **`update-applied`**, **`update-failed`**, **`security-alert`** -- these require explicit trigger assignments. They are enabled by default but will not fire any trigger until you add trigger IDs to their rules.
+- **`agent-disconnect`** -- disabled by default. Enable it and assign triggers to receive disconnect alerts. This event always fires regardless of the threshold setting.
+
+Rules are managed via `GET /api/notifications` and `PATCH /api/notifications/:id` (update `enabled` and/or `triggers` fields), or through the **Notifications** view in the UI.
+
+<Callout type="warn">Docker and Docker Compose triggers cannot be assigned to notification rules. These are update-action triggers (they perform container updates), not notification triggers. Only messaging/alerting triggers (Slack, SMTP, Discord, ntfy, etc.) can be assigned to rules.</Callout>
+
+## Event Types
+
+Beyond the classic `update-available` event, triggers can fire on additional events:
+
+- **`update-applied`** -- fires after a container is successfully updated by a Docker or Docker Compose trigger. Useful for audit or confirmation notifications.
+- **`update-failed`** -- fires when an update fails or is rolled back. Carries the container name and error message.
+- **`security-alert`** -- fires when the [Update Bouncer](/docs/configuration/security) detects critical or high vulnerabilities during a pre-update scan. Includes a vulnerability summary.
+- **`agent-disconnect`** -- fires when a remote agent loses its connection. This event **skips threshold checks** (always fires).
+
+<Callout type="info">To receive notifications for these events, add the desired trigger IDs to the corresponding notification rule via the API or UI.</Callout>
+
+## Template Variable Reference
+
+Template strings use `${expression}` placeholders. Drydock provides two sets of variables depending on the trigger mode.
+
+### Simple mode variables
+
+| Variable | Description | Example value |
+| --- | --- | --- |
+| `container` | The full container object | _(object)_ |
+| `container.id` | Container ID | `sha256:abc123...` |
+| `container.name` | Container name | `my-app` |
+| `container.displayName` | Display name (from `dd.display.name` label, defaults to name) | `My App` |
+| `container.displayIcon` | Display icon (from `dd.display.icon` label) | `mdi:docker` |
+| `container.status` | Container runtime status | `running` |
+| `container.watcher` | Watcher name | `local` |
+| `container.agent` | Agent name (when using distributed agents) | `remote-1` |
+| `container.image.name` | Image name | `library/nginx` |
+| `container.image.registry.name` | Registry provider name | `hub` |
+| `container.image.registry.url` | Registry URL | `https://registry-1.docker.io` |
+| `container.image.tag.value` | Current image tag | `1.24.0` |
+| `container.image.tag.semver` | Whether the tag is valid semver | `true` |
+| `container.image.digest.value` | Current image digest | `sha256:abc123...` |
+| `container.image.digest.watch` | Whether digest watching is enabled | `true` |
+| `container.image.architecture` | Image architecture | `amd64` |
+| `container.image.os` | Image OS | `linux` |
+| `container.image.created` | Image creation date | `2024-01-15T10:30:00Z` |
+| `container.updateKind.kind` | Update type: `tag`, `digest`, or `unknown` | `tag` |
+| `container.updateKind.localValue` | Current version (tag or digest) | `1.24.0` |
+| `container.updateKind.remoteValue` | New version (tag or digest) | `1.25.0` |
+| `container.updateKind.semverDiff` | Semver diff level: `major`, `minor`, `patch`, `prerelease`, or `unknown` | `minor` |
+| `container.result.tag` | New tag value from the registry | `1.25.0` |
+| `container.result.digest` | New digest value from the registry | `sha256:def456...` |
+| `container.result.created` | Creation date of the new image | `2024-02-01T08:00:00Z` |
+| `container.result.link` | Link to the release (when a link template is configured) | `https://github.com/org/repo/releases/tag/v1.25.0` |
+| `container.error.message` | Error message (when an error occurred) | `401 Unauthorized` |
+
+#### Legacy aliases (deprecated)
+
+These aliases resolve to a single container property and will be removed in v1.6.0. Use the `container.*` equivalents instead.
+
+| Legacy variable | Equivalent | Description |
+| --- | --- | --- |
+| `id` | `container.id` | Container ID |
+| `name` | `container.name` | Container name |
+| `watcher` | `container.watcher` | Watcher name |
+| `kind` | `container.updateKind.kind` | Update type |
+| `semver` | `container.updateKind.semverDiff` | Semver diff level |
+| `local` | `container.updateKind.localValue` | Current version |
+| `remote` | `container.updateKind.remoteValue` | New version |
+| `link` | `container.result.link` | Release link |
+
+### Batch mode variables
+
+| Variable | Description | Example value |
+| --- | --- | --- |
+| `containers` | Array of container objects (each with the same properties as above) | _(array)_ |
+| `containers.length` | Number of containers in the batch | `3` |
+
+#### Legacy alias (deprecated)
+
+| Legacy variable | Equivalent | Description |
+| --- | --- | --- |
+| `count` | `containers.length` | Number of containers in the batch |
+
+### Expression syntax
+
+Inside `${...}` you can use:
+
+- **Property paths** -- `container.updateKind.kind`
+- **Method calls** -- `local.substring(0, 15)` (see allowed methods below)
+- **Ternary** -- `container.result.link ? container.result.link : "no link"`
+- **Logical AND** -- `container.result && container.result.link`
+- **String concatenation** -- `"Version: " + container.updateKind.remoteValue`
+- **String and number literals** -- `"hello"`, `42`
+
+**Allowed string methods:** `substring`, `slice`, `toLowerCase`, `toUpperCase`, `trim`, `trimStart`, `trimEnd`, `replace`, `split`, `indexOf`, `lastIndexOf`, `startsWith`, `endsWith`, `includes`, `charAt`, `padStart`, `padEnd`, `repeat`, `toString`.
+
+## Examples
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_TRIGGER_SMTP_GMAIL_SIMPLETITLE=Container $${container.name} can be updated
+      - DD_TRIGGER_SMTP_GMAIL_SIMPLEBODY=Container $${name} can be updated from $${local.substring(0, 15)} to $${remote.substring(0, 15)}
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e 'DD_TRIGGER_SMTP_GMAIL_SIMPLETITLE=Container ${container.name} can be updated' \
+  -e 'DD_TRIGGER_SMTP_GMAIL_SIMPLEBODY=Container ${name} can be updated from ${local.substring(0, 15)} to ${remote.substring(0, 15)}'
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
diff --git a/content/docs/v1.4/configuration/triggers/kafka/index.mdx b/content/docs/v1.4/configuration/triggers/kafka/index.mdx
new file mode 100644
index 000000000..f18679773
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/kafka/index.mdx
@@ -0,0 +1,97 @@
+---
+title: "Kafka"
+description: "The kafka trigger lets you publish container update notifications to a Kafka topic."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+![logo](/docs/assets/configuration/triggers/kafka/kafka.png)
+
+The `kafka` trigger lets you publish container update notifications to a Kafka topic.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_TRIGGER_KAFKA_{trigger_name}_BROKERS` | 🔴 | Comma separated list of Kafka brokers | | |
+| `DD_TRIGGER_KAFKA_{trigger_name}_CLIENTID` | ⚪ | The Kafka client ID | | `drydock` |
+| `DD_TRIGGER_KAFKA_{trigger_name}_SSL` | ⚪ | Is SSL enabled on the TLS connection | `true`, `false` | `false` |
+| `DD_TRIGGER_KAFKA_{trigger_name}_TOPIC` | ⚪ | The name of the topic to publish | | `drydock-container` |
+| `DD_TRIGGER_KAFKA_{trigger_name}_AUTHENTICATION_TYPE` | ⚪ | The type for authentication | `PLAIN`, `SCRAM-SHA-256`, `SCRAM-SHA-512` | `PLAIN` |
+| `DD_TRIGGER_KAFKA_{trigger_name}_AUTHENTICATION_USER` | ⚪ | The name of the user (required if authentication is enabled) | | |
+| `DD_TRIGGER_KAFKA_{trigger_name}_AUTHENTICATION_PASSWORD` | ⚪ | The password of the user (required if authentication is enabled) | | |
+
+<Callout type="warn">The topic must already exist on the broker (the trigger won't automatically create it)</Callout>
+
+<Callout type="info">This trigger also supports the [common configuration variables](/docs/configuration/triggers/#common-trigger-configuration).</Callout>
+
+## Examples
+
+### Post a message to a&nbsp;[Cloud Karafka](https://www.cloudkarafka.com/) broker
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+        - DD_TRIGGER_KAFKA_KARAKFA_BROKERS=ark-01.srvs.cloudkafka.com:9094,ark-02.srvs.cloudkafka.com:9094,ark-03.srvs.cloudkafka.com:9094
+        - DD_TRIGGER_KAFKA_KARAKFA_SSL="true"
+        - DD_TRIGGER_KAFKA_KARAKFA_TOPIC=my-user-id-drydock-image
+        - DD_TRIGGER_KAFKA_KARAKFA_AUTHENTICATION_USER=my-user-id
+        - DD_TRIGGER_KAFKA_KARAKFA_AUTHENTICATION_PASSWORD=my-secret
+        - DD_TRIGGER_KAFKA_KARAKFA_AUTHENTICATION_TYPE=SCRAM-SHA-256
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+    -e DD_TRIGGER_KAFKA_KARAKFA_BROKERS="ark-01.srvs.cloudkafka.com:9094,ark-02.srvs.cloudkafka.com:9094,ark-03.srvs.cloudkafka.com:9094" \
+    -e DD_TRIGGER_KAFKA_KARAKFA_SSL="true" \
+    -e DD_TRIGGER_KAFKA_KARAKFA_TOPIC="my-user-id-drydock-image" \
+    -e DD_TRIGGER_KAFKA_KARAKFA_AUTHENTICATION_USER="my-user-id" \
+    -e DD_TRIGGER_KAFKA_KARAKFA_AUTHENTICATION_PASSWORD="my-secret" \
+    -e DD_TRIGGER_KAFKA_KARAKFA_AUTHENTICATION_TYPE="SCRAM-SHA-256" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### Example of published record
+
+```json
+{
+  "id":"31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816",
+  "name":"homeassistant",
+  "watcher":"local",
+  "includeTags":"^\\d+\\.\\d+.\\d+$",
+  "image":{
+    "id":"sha256:d4a6fafb7d4da37495e5c9be3242590be24a87d7edcc4f79761098889c54fca6",
+    "registry":{
+      "url":"123456789.dkr.ecr.eu-west-1.amazonaws.com"
+    },
+    "name":"test",
+    "tag":{
+      "value":"2021.6.4",
+      "semver":true
+    },
+    "digest":{
+      "watch":false,
+      "repo":"sha256:ca0edc3fb0b4647963629bdfccbb3ccfa352184b45a9b4145832000c2878dd72"
+    },
+    "architecture":"amd64",
+    "os":"linux",
+    "created":"2021-06-12T05:33:38.440Z"
+  },
+  "result":{
+    "tag":"2021.6.5"
+  },
+  "updateAvailable": true
+}
+```
diff --git a/content/docs/v1.4/configuration/triggers/kafka/meta.json b/content/docs/v1.4/configuration/triggers/kafka/meta.json
new file mode 100644
index 000000000..4ce20c2fc
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/kafka/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Kafka",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/triggers/matrix/index.mdx b/content/docs/v1.4/configuration/triggers/matrix/index.mdx
new file mode 100644
index 000000000..e0256cda7
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/matrix/index.mdx
@@ -0,0 +1,52 @@
+---
+title: "Matrix"
+description: "The matrix trigger posts container update notifications to a Matrix room using the client-server API."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+The `matrix` trigger posts container update notifications to a Matrix room using the client-server API.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_TRIGGER_MATRIX_{trigger_name}_URL` | 🔴 | Matrix homeserver URL | `http`, `https` URL | |
+| `DD_TRIGGER_MATRIX_{trigger_name}_ROOMID` | 🔴 | Target room ID | Room ID (for example `!abc123:matrix.org`) | |
+| `DD_TRIGGER_MATRIX_{trigger_name}_ACCESSTOKEN` | 🔴 | Access token for authentication | String | |
+| `DD_TRIGGER_MATRIX_{trigger_name}_MSGTYPE` | ⚪ | Message type | `m.notice`, `m.text` | `m.notice` |
+| `DD_TRIGGER_MATRIX_{trigger_name}_DISABLETITLE` | ⚪ | Disable title to keep full message-body control | `true`, `false` | `false` |
+
+<Callout type="info">This trigger also supports the [common configuration variables](/docs/configuration/triggers/#common-trigger-configuration).</Callout>
+
+<Callout type="info">See the [Matrix client-server API documentation](https://spec.matrix.org/latest/client-server-api/#sending-events-to-a-room) for details on sending events.</Callout>
+
+## Examples
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_TRIGGER_MATRIX_LOCAL_URL=https://matrix.example.com
+      - DD_TRIGGER_MATRIX_LOCAL_ROOMID=!abc123:matrix.example.com
+      - DD_TRIGGER_MATRIX_LOCAL_ACCESSTOKEN=syt_xxx
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e DD_TRIGGER_MATRIX_LOCAL_URL="https://matrix.example.com" \
+  -e DD_TRIGGER_MATRIX_LOCAL_ROOMID="!abc123:matrix.example.com" \
+  -e DD_TRIGGER_MATRIX_LOCAL_ACCESSTOKEN="syt_xxx" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
diff --git a/content/docs/v1.4/configuration/triggers/matrix/meta.json b/content/docs/v1.4/configuration/triggers/matrix/meta.json
new file mode 100644
index 000000000..227ab71ea
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/matrix/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Matrix",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/triggers/mattermost/index.mdx b/content/docs/v1.4/configuration/triggers/mattermost/index.mdx
new file mode 100644
index 000000000..8a97d7a1c
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/mattermost/index.mdx
@@ -0,0 +1,53 @@
+---
+title: "Mattermost"
+description: "The mattermost trigger posts container update notifications to a Mattermost incoming webhook."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+The `mattermost` trigger posts container update notifications to a Mattermost incoming webhook.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_TRIGGER_MATTERMOST_{trigger_name}_URL` | 🔴 | Incoming webhook URL | `http`, `https` URL | |
+| `DD_TRIGGER_MATTERMOST_{trigger_name}_CHANNEL` | ⚪ | Target channel override | Channel name (for example `town-square`) | |
+| `DD_TRIGGER_MATTERMOST_{trigger_name}_USERNAME` | ⚪ | Username shown in message | String | `drydock` |
+| `DD_TRIGGER_MATTERMOST_{trigger_name}_ICONEMOJI` | ⚪ | Emoji icon shown for sender | Emoji string (for example `:whale:`) | |
+| `DD_TRIGGER_MATTERMOST_{trigger_name}_ICONURL` | ⚪ | Avatar icon URL shown for sender | `http`, `https` URL | |
+| `DD_TRIGGER_MATTERMOST_{trigger_name}_DISABLETITLE` | ⚪ | Disable title to keep full message-body control | `true`, `false` | `false` |
+
+<Callout type="info">This trigger also supports the [common configuration variables](/docs/configuration/triggers/#common-trigger-configuration).</Callout>
+
+<Callout type="info">See the [Mattermost incoming webhooks documentation](https://docs.mattermost.com/integrations-guide/incoming-webhooks.html) for endpoint setup details.</Callout>
+
+## Examples
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_TRIGGER_MATTERMOST_LOCAL_URL=https://mattermost.example.com/hooks/abc123
+      - DD_TRIGGER_MATTERMOST_LOCAL_CHANNEL=town-square
+      - DD_TRIGGER_MATTERMOST_LOCAL_USERNAME=drydock
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e DD_TRIGGER_MATTERMOST_LOCAL_URL="https://mattermost.example.com/hooks/abc123" \
+  -e DD_TRIGGER_MATTERMOST_LOCAL_CHANNEL="town-square" \
+  -e DD_TRIGGER_MATTERMOST_LOCAL_USERNAME="drydock" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
diff --git a/content/docs/v1.4/configuration/triggers/mattermost/meta.json b/content/docs/v1.4/configuration/triggers/mattermost/meta.json
new file mode 100644
index 000000000..3732c8885
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/mattermost/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Mattermost",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/triggers/meta.json b/content/docs/v1.4/configuration/triggers/meta.json
new file mode 100644
index 000000000..1359c06e3
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/meta.json
@@ -0,0 +1,26 @@
+{
+  "title": "Triggers",
+  "pages": [
+    "index",
+    "apprise",
+    "command",
+    "discord",
+    "docker",
+    "docker-compose",
+    "google-chat",
+    "gotify",
+    "http",
+    "ifttt",
+    "kafka",
+    "matrix",
+    "mattermost",
+    "mqtt",
+    "ntfy",
+    "pushover",
+    "rocketchat",
+    "slack",
+    "smtp",
+    "teams",
+    "telegram"
+  ]
+}
diff --git a/content/docs/v1.4/configuration/triggers/mqtt/index.mdx b/content/docs/v1.4/configuration/triggers/mqtt/index.mdx
new file mode 100644
index 000000000..0d7b663c0
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/mqtt/index.mdx
@@ -0,0 +1,261 @@
+---
+title: "Mqtt"
+description: "The mqtt trigger lets you send container update notifications to an MQTT broker."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+![logo](/docs/assets/configuration/triggers/mqtt/mqtt.png)
+
+The `mqtt` trigger lets you send container update notifications to an MQTT broker.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_TRIGGER_MQTT_{trigger_name}_URL` | 🔴 | The URL of the MQTT broker | Valid mqtt, mqtts, tcp, tls, ws, wss url | |
+| `DD_TRIGGER_MQTT_{trigger_name}_USER` | ⚪ | The username if broker authentication is enabled | | |
+| `DD_TRIGGER_MQTT_{trigger_name}_PASSWORD` | ⚪ | The password if broker authentication is enabled | | |
+| `DD_TRIGGER_MQTT_{trigger_name}_CLIENTID` | ⚪ | The Mqtt client Id to use | | `dd_$random` |
+| `DD_TRIGGER_MQTT_{trigger_name}_TOPIC` | ⚪ | The base topic where the updates are published to | | `dd/container` |
+| `DD_TRIGGER_MQTT_{trigger_name}_HASS_ENABLED` | ⚪ | Enable [Home-assistant](https://www.home-assistant.io/) integration and deliver additional topics | `true`, `false` | `false` |
+| `DD_TRIGGER_MQTT_{trigger_name}_HASS_DISCOVERY` | ⚪ | Enable [Home-assistant](https://www.home-assistant.io/) integration including discovery | `true`, `false` | `false` |
+| `DD_TRIGGER_MQTT_{trigger_name}_HASS_PREFIX` | ⚪ | Base topic for hass entity discovery | | `homeassistant` |
+| `DD_TRIGGER_MQTT_{trigger_name}_HASS_ATTRIBUTES` | ⚪ | Attribute preset controlling which container fields are included in MQTT payloads. `full` sends everything; `short` excludes large fields like SBOM documents, scan vulnerabilities, details, and labels. | `full`, `short` | `short` |
+| `DD_TRIGGER_MQTT_{trigger_name}_HASS_FILTER_INCLUDE` | ⚪ | Comma-separated list of flattened MQTT attribute keys to keep (include-mode). When set, only these keys are published. | Comma-separated flattened keys | |
+| `DD_TRIGGER_MQTT_{trigger_name}_HASS_FILTER_EXCLUDE` | ⚪ | Comma-separated list of flattened MQTT attribute keys to remove (exclude-mode). Used when `HASS_FILTER_INCLUDE` is empty. | Comma-separated flattened keys | |
+| `DD_TRIGGER_MQTT_{trigger_name}_EXCLUDE` | ⚪ | Legacy comma-separated dot-paths to exclude from the nested container object before flattening. Used only when both `HASS_FILTER_INCLUDE` and `HASS_FILTER_EXCLUDE` are empty. | Comma-separated dot-paths | |
+| `DD_TRIGGER_MQTT_{trigger_name}_TLS_CACHAIN` | ⚪ | The path to the file containing the server CA chain (when TLS with a private Certificate Authority) | Any valid file path | |
+| `DD_TRIGGER_MQTT_{trigger_name}_TLS_CLIENTCERT` | ⚪ | The path to the file containing the client public certificate (when TLS mutual authentication) | Any valid file path | |
+| `DD_TRIGGER_MQTT_{trigger_name}_TLS_CLIENTKEY` | ⚪ | The path to the file containing the client private key (when TLS mutual authentication) | Any valid file path | |
+| `DD_TRIGGER_MQTT_{trigger_name}_TLS_REJECTUNAUTHORIZED` | ⚪ | Accept or reject when the TLS server certificate cannot be trusted | `true`, `false` | `true` |
+
+<Callout type="info">This trigger also supports the [common configuration variables](/docs/configuration/triggers/#common-trigger-configuration). but only supports the `simple` mode.</Callout>
+
+<Callout type="info">You want to customize the name & icon of the Home-Assistant entity?
+[Use the `dd.display.name` and `dd.display.icon` labels](/docs/configuration/watchers/#labels).</Callout>
+
+<Callout type="info">For Home Assistant, the `entity_picture` is automatically derived from the `dd.display.icon` label. Icons with `sh:`, `hl:`, or `si:` prefixes map to CDN image URLs. You can also set `dd.display.picture` to provide a direct URL override.</Callout>
+
+## Examples
+
+### Post a message to a local mosquitto broker
+
+<Tabs items={["Docker Compose (Mosquitto)", "Docker (Mosquitto)"]}>
+<Tab value="Docker Compose (Mosquitto)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_TRIGGER_MQTT_MOSQUITTO_URL=mqtt://localhost:1883
+```
+
+</Tab>
+<Tab value="Docker (Mosquitto)">
+```bash
+docker run \
+    -e DD_TRIGGER_MQTT_MOSQUITTO_URL="mqtt://localhost:1883" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### Post a message to a local mosquitto broker with mTLS enabled
+
+<Tabs items={["Docker Compose (Mosquitto mTLS)", "Docker (Mosquitto mTLS)"]}>
+<Tab value="Docker Compose (Mosquitto mTLS)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_TRIGGER_MQTT_MOSQUITTO_URL=mqtts://localhost:8883
+      - DD_TRIGGER_MQTT_MOSQUITTO_TLS_CLIENTKEY=/drydock/mqtt/client-key.pem
+      - DD_TRIGGER_MQTT_MOSQUITTO_TLS_CLIENTCERT=/drydock/mqtt/client-cert.pem
+      - DD_TRIGGER_MQTT_MOSQUITTO_TLS_CACHAIN=/drydock/mqtt/ca.pem
+    volumes:
+      - /mosquitto/tls/client/client-key.pem:/drydock/mqtt/client-key.pem
+      - /mosquitto/tls/client/client-cert.pem:/drydock/mqtt/client-cert.pem
+      - /mosquitto/tls/ca.pem:/drydock/mqtt/ca.pem
+```
+
+</Tab>
+<Tab value="Docker (Mosquitto mTLS)">
+```bash
+docker run \
+    -e DD_TRIGGER_MQTT_MOSQUITTO_URL="mqtts://localhost:8883" \
+    -e DD_TRIGGER_MQTT_MOSQUITTO_TLS_CLIENTKEY="/drydock/mqtt/client-key.pem" \
+    -e DD_TRIGGER_MQTT_MOSQUITTO_TLS_CLIENTCERT="/drydock/mqtt/client-cert.pem" \
+    -e DD_TRIGGER_MQTT_MOSQUITTO_TLS_CACHAIN="/drydock/mqtt/ca.pem" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### Post a message to a maqiatto broker
+
+<Tabs items={["Docker Compose (Maqiatto)", "Docker (Maqiatto)"]}>
+<Tab value="Docker Compose (Maqiatto)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_TRIGGER_MQTT_MAQIATTO_URL=tcp://maqiatto.com:1883
+      - DD_TRIGGER_MQTT_MAQIATTO_USER=john@doe.com
+      - DD_TRIGGER_MQTT_MAQIATTO_PASSWORD=mysecretpassword
+      - DD_TRIGGER_MQTT_MAQIATTO_TOPIC=john@doe.com/drydock/image
+```
+
+</Tab>
+<Tab value="Docker (Maqiatto)">
+```bash
+docker run \
+    -e DD_TRIGGER_MQTT_MAQIATTO_URL="tcp://maqiatto.com:1883" \
+    -e DD_TRIGGER_MQTT_MAQIATTO_USER="john@doe.com" \
+    -e DD_TRIGGER_MQTT_MAQIATTO_PASSWORD="mysecretpassword" \
+    -e DD_TRIGGER_MQTT_MAQIATTO_TOPIC="john@doe.com/drydock/image" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### Example of sent message
+
+```json
+{
+  "id": "31a61a8305ef1fc9a71fa4f20a68d7ec88b28e32303bbc4a5f192e851165b816",
+  "name": "homeassistant",
+  "watcher": "local",
+  "image_id": "sha256:d4a6fafb7d4da37495e5c9be3242590be24a87d7edcc4f79761098889c54fca6",
+  "image_registry_url": "123456789.dkr.ecr.eu-west-1.amazonaws.com",
+  "image_name": "test",
+  "image_tag_value": "2021.6.4",
+  "image_tag_semver": true,
+  "image_digest_watch": false,
+  "image_digest_repo": "sha256:ca0edc3fb0b4647963629bdfccbb3ccfa352184b45a9b4145832000c2878dd72",
+  "image_architecture": "amd64",
+  "image_os": "linux",
+  "image_created": "2021-06-12T05:33:38.440Z",
+  "display_name": "Home Assistant",
+  "display_icon": "sh:homeassistant",
+  "result_tag": "2021.6.5",
+  "update_available": true
+}
+```
+
+## Home-Assistant integration
+
+![logo](/docs/assets/configuration/triggers/mqtt/hass.png)
+
+drydock can be easily integrated into [Home-Assistant](https://www.home-assistant.io/) using [MQTT Discovery](https://www.home-assistant.io/docs/mqtt/discovery/).
+
+<Tabs items={["Docker Compose (Home-Assistant)", "Docker (Home-Assistant)"]}>
+<Tab value="Docker Compose (Home-Assistant)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_TRIGGER_MQTT_MOSQUITTO_URL=mqtt://localhost:1883
+      - DD_TRIGGER_MQTT_MOSQUITTO_HASS_ENABLED=true
+      - DD_TRIGGER_MQTT_MOSQUITTO_HASS_DISCOVERY=true
+```
+
+</Tab>
+<Tab value="Docker (Home-Assistant)">
+```bash
+docker run \
+    -e DD_TRIGGER_MQTT_MOSQUITTO_URL="mqtt://localhost:1883" \
+    -e DD_TRIGGER_MQTT_MOSQUITTO_HASS_ENABLED="true" \
+    -e DD_TRIGGER_MQTT_MOSQUITTO_HASS_DISCOVERY="true" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### Check that mqtt integration is properly configured
+
+![image](/docs/assets/configuration/triggers/mqtt/hass_01.png)
+
+### A drydock device is automatically added to the hass registry
+
+![image](/docs/assets/configuration/triggers/mqtt/hass_02.png)
+
+### Entities are automatically created (per Docker image)
+
+![image](/docs/assets/configuration/triggers/mqtt/hass_03.png)
+
+Entities are [binary_sensors](https://www.home-assistant.io/integrations/binary_sensor/) whose state is true when an update is available.
+
+### Entities
+
+![image](/docs/assets/configuration/triggers/mqtt/hass_04.png)
+
+Entities expose all the details of the container as attributes:
+
+- Current version
+- New version
+- Registry
+- Architecture
+- OS
+- Size
+- ...
+
+## Attribute filtering
+
+Container MQTT payloads can include large nested fields (SBOM documents, scan vulnerability arrays, environment details, labels) that exceed Home Assistant's `json_attributes_topic` size limits or clutter entity attributes.
+
+Filtering is applied in this precedence order:
+
+1. `HASS_FILTER_INCLUDE` (flattened key include list)
+2. `HASS_FILTER_EXCLUDE` (flattened key exclude list)
+3. `EXCLUDE` (legacy nested dot-path exclude list)
+4. `HASS_ATTRIBUTES` preset fallback
+
+### Include mode (`HASS_FILTER_INCLUDE`)
+
+Set `DD_TRIGGER_MQTT_{trigger_name}_HASS_FILTER_INCLUDE` to keep only selected flattened keys.
+
+```yaml
+environment:
+  - DD_TRIGGER_MQTT_MOSQUITTO_HASS_FILTER_INCLUDE=name,image_name,update_available,result_tag
+```
+
+### Exclude mode (`HASS_FILTER_EXCLUDE`)
+
+Set `DD_TRIGGER_MQTT_{trigger_name}_HASS_FILTER_EXCLUDE` to remove selected flattened keys.
+
+```yaml
+environment:
+  - DD_TRIGGER_MQTT_MOSQUITTO_HASS_FILTER_EXCLUDE=security_sbom_documents_0_spdx_version,security_scan_vulnerabilities_0_id
+```
+
+### Legacy nested exclude (`EXCLUDE`)
+
+`DD_TRIGGER_MQTT_{trigger_name}_EXCLUDE` still supports comma-separated nested dot-paths (for example `security.sbom.documents,labels`). This legacy filter is only used when `HASS_FILTER_INCLUDE` and `HASS_FILTER_EXCLUDE` are both empty.
+
+### Attribute preset fallback (`HASS_ATTRIBUTES`)
+
+When no explicit include/exclude list is configured, `HASS_ATTRIBUTES` is used:
+
+| Preset | Behavior |
+| --- | --- |
+| `full` | Sends the entire container object — no filtering |
+| `short` (default) | Excludes `security.sbom.documents`, `security.updateSbom.documents`, `security.scan.vulnerabilities`, `security.updateScan.vulnerabilities`, `details`, and `labels` |
+
+<Callout type="info">`HASS_FILTER_INCLUDE` and `HASS_FILTER_EXCLUDE` match flattened MQTT keys (snake_case + underscore delimiter), because filtering is applied after flattening to the payload shape Home Assistant receives.</Callout>
diff --git a/content/docs/v1.4/configuration/triggers/mqtt/meta.json b/content/docs/v1.4/configuration/triggers/mqtt/meta.json
new file mode 100644
index 000000000..a074cf9c1
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/mqtt/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "MQTT",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/triggers/ntfy/index.mdx b/content/docs/v1.4/configuration/triggers/ntfy/index.mdx
new file mode 100644
index 000000000..46f81d21f
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/ntfy/index.mdx
@@ -0,0 +1,84 @@
+---
+title: "Ntfy"
+description: "The ntfy trigger lets you send container update notifications via Ntfy."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+![logo](/docs/assets/configuration/triggers/ntfy/ntfy.png)
+
+The `ntfy` trigger lets you send container update notifications via [Ntfy](https://ntfy.sh/).
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_TRIGGER_NTFY_{trigger_name}_AUTH_PASSWORD` | ⚪ | Password (if basic auth is enabled) | | |
+| `DD_TRIGGER_NTFY_{trigger_name}_AUTH_TOKEN` | ⚪ | Bearer token (if bearer auth is enabled) | | |
+| `DD_TRIGGER_NTFY_{trigger_name}_AUTH_USER` | ⚪ | User (if basic auth is enabled) | | |
+| `DD_TRIGGER_NTFY_{trigger_name}_PRIORITY` | ⚪ | The Ntfy message priority | Integer between `0` and `5` [see here](https://docs.ntfy.sh/publish/#message-priority) | |
+| `DD_TRIGGER_NTFY_{trigger_name}_TOPIC` | ⚪ | The Ntfy topic name | | |
+| `DD_TRIGGER_NTFY_{trigger_name}_URL` | ⚪ | The Ntfy server url | The `http` or `https` ntfy server address | `https://ntfy.sh` |
+
+<Callout type="info">This trigger also supports the [common configuration variables](/docs/configuration/triggers/#common-trigger-configuration).</Callout>
+
+## Examples
+
+### Configure the trigger to publish to the official public ntfy service
+
+<Tabs items={["Docker Compose (Public)", "Docker (Public)"]}>
+<Tab value="Docker Compose (Public)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_TRIGGER_NTFY_THRESHOLD=minor
+      - DD_TRIGGER_NTFY_SH_TOPIC=xxxxyyyyzzzz
+```
+
+</Tab>
+<Tab value="Docker (Public)">
+```bash
+docker run \
+  -e DD_TRIGGER_NTFY_THRESHOLD="minor" \
+  -e DD_TRIGGER_NTFY_SH_TOPIC="xxxxyyyyzzzz" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### Configure the trigger to publish to a private ntfy service with basic auth enabled
+
+<Tabs items={["Docker Compose (Private with Auth)", "Docker (Private with Auth)"]}>
+<Tab value="Docker Compose (Private with Auth)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_TRIGGER_NTFY_PRIVATE_URL=http://ntfy.local
+      - DD_TRIGGER_NTFY_PRIVATE_TOPIC=xxxxyyyyzzzz
+      - DD_TRIGGER_NTFY_PRIVATE_AUTH_USER=john
+      - DD_TRIGGER_NTFY_PRIVATE_AUTH_PASSWORD=doe
+```
+
+</Tab>
+<Tab value="Docker (Private with Auth)">
+```bash
+docker run \
+  -e DD_TRIGGER_NTFY_PRIVATE_URL="http://ntfy.local" \
+  -e DD_TRIGGER_NTFY_PRIVATE_TOPIC="xxxxyyyyzzzz" \
+  -e DD_TRIGGER_NTFY_PRIVATE_AUTH_USER="john" \
+  -e DD_TRIGGER_NTFY_PRIVATE_AUTH_PASSWORD="doe" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
diff --git a/content/docs/v1.4/configuration/triggers/ntfy/meta.json b/content/docs/v1.4/configuration/triggers/ntfy/meta.json
new file mode 100644
index 000000000..97ba72ae5
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/ntfy/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Ntfy",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/triggers/pushover/index.mdx b/content/docs/v1.4/configuration/triggers/pushover/index.mdx
new file mode 100644
index 000000000..9ac711fbf
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/pushover/index.mdx
@@ -0,0 +1,113 @@
+---
+title: "Pushover"
+description: "The pushover trigger lets you send realtime notifications to your devices (Android, iPhone...) using the Pushover Service."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+![logo](/docs/assets/configuration/triggers/pushover/pushover.png)
+
+The `pushover` trigger lets you send realtime notifications to your devices (Android, iPhone...) using the [Pushover Service](https://pushover.net/).
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_TRIGGER_PUSHOVER_{trigger_name}_DEVICE` | ⚪ | Optional device(s) to notify | Coma separated list of devices (e.g. dev1,dev2) ([see here](https://pushover.net/api#identifiers)) | |
+| `DD_TRIGGER_PUSHOVER_{trigger_name}_EXPIRE` | ⚪ | Optional notification expire in seconds (only when priority=2) | [see here](https://pushover.net/api#priority) | |
+| `DD_TRIGGER_PUSHOVER_{trigger_name}_HTML` | ⚪ | Allow HTML formatting in message body (supported in Pushover 2.3+) | [see here](https://pushover.net/api#html) | `0` |
+| `DD_TRIGGER_PUSHOVER_{trigger_name}_PRIORITY` | ⚪ | The notification priority | [see here](https://pushover.net/api#priority) | `0` |
+| `DD_TRIGGER_PUSHOVER_{trigger_name}_RETRY` | ⚪ | Optional notification retry in seconds (only when priority=2) | [see here](https://pushover.net/api#priority) | |
+| `DD_TRIGGER_PUSHOVER_{trigger_name}_SOUND` | ⚪ | The notification sound | [see here](https://pushover.net/api#sounds) | `pushover` |
+| `DD_TRIGGER_PUSHOVER_{trigger_name}_TOKEN` | 🔴 | The API token | | |
+| `DD_TRIGGER_PUSHOVER_{trigger_name}_TTL` | ⚪ | Optional message time to live (in seconds) | [see here](https://pushover.net/api#ttl) | |
+| `DD_TRIGGER_PUSHOVER_{trigger_name}_USER` | 🔴 | The User key | | |
+
+<Callout type="info">This trigger also supports the [common configuration variables](/docs/configuration/triggers/#common-trigger-configuration).</Callout>
+
+## Examples
+
+### Configuration
+
+#### Minimal
+
+<Tabs items={["Docker Compose (Minimal)", "Docker (Minimal)"]}>
+<Tab value="Docker Compose (Minimal)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_TRIGGER_PUSHOVER_1_TOKEN=*****************************
+      - DD_TRIGGER_PUSHOVER_1_USER=******************************
+```
+
+</Tab>
+<Tab value="Docker (Minimal)">
+```bash
+docker run \
+  -e DD_TRIGGER_PUSHOVER_1_TOKEN="*****************************" \
+  -e DD_TRIGGER_PUSHOVER_1_USER="******************************" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+#### Full
+
+<Tabs items={["Docker Compose (Full)", "Docker (Full)"]}>
+<Tab value="Docker Compose (Full)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+        - DD_TRIGGER_PUSHOVER_1_TOKEN=*****************************
+        - DD_TRIGGER_PUSHOVER_1_USER=******************************
+        - DD_TRIGGER_PUSHOVER_1_DEVICE=myIphone,mySamsung
+        - DD_TRIGGER_PUSHOVER_1_SOUND=cosmic
+        - DD_TRIGGER_PUSHOVER_1_PRIORITY=2
+        - DD_TRIGGER_PUSHOVER_1_EXPIRE=600
+        - DD_TRIGGER_PUSHOVER_1_RETRY=60
+```
+
+</Tab>
+<Tab value="Docker (Full)">
+```bash
+docker run \
+    -e DD_TRIGGER_PUSHOVER_1_TOKEN="*****************************" \
+    -e DD_TRIGGER_PUSHOVER_1_USER="******************************" \
+    -e DD_TRIGGER_PUSHOVER_1_DEVICE="myIphone,mySamsung" \
+    -e DD_TRIGGER_PUSHOVER_1_SOUND="cosmic" \
+    -e DD_TRIGGER_PUSHOVER_1_PRIORITY="2" \
+    -e DD_TRIGGER_PUSHOVER_1_EXPIRE="600" \
+    -e DD_TRIGGER_PUSHOVER_1_RETRY="60" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+## How to get the User key
+
+[Open Pushover Settings](https://pushover.net/settings)
+
+The key is printed under the section `Reset User Key`.
+
+## How to get an API token
+
+### Register a new application
+
+[Register a Pushover Application](https://pushover.net/apps/build)
+
+![image](/docs/assets/configuration/triggers/pushover/pushover_register.png)
+
+### Copy the API token
+
+![image](/docs/assets/configuration/triggers/pushover/pushover_api_token.png)
diff --git a/content/docs/v1.4/configuration/triggers/pushover/meta.json b/content/docs/v1.4/configuration/triggers/pushover/meta.json
new file mode 100644
index 000000000..4303e494b
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/pushover/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Pushover",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/triggers/rocketchat/index.mdx b/content/docs/v1.4/configuration/triggers/rocketchat/index.mdx
new file mode 100644
index 000000000..293049f53
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/rocketchat/index.mdx
@@ -0,0 +1,71 @@
+---
+title: "Rocket.Chat"
+description: "The rocketchat trigger lets you post image update notifications to a Rocket.Chat channel or user."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+![logo](/docs/assets/configuration/triggers/rocketchat/rocketchat.png)
+
+The `rocketchat` trigger lets you post image update notifications to a Rocket.Chat channel or user.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_TRIGGER_ROCKETCHAT_{trigger_name}_URL` | 🔴 | Rocket.Chat workspace URL, e.g. `https://example.com`. | | |
+| `DD_TRIGGER_ROCKETCHAT_{trigger_name}_USER_ID` | 🔴 | User id of the user sending the notification. Displayed when generating a personal access token (PAT). | | |
+| `DD_TRIGGER_ROCKETCHAT_{trigger_name}_AUTH_TOKEN` | 🔴 | PAT of the user sending the notification. | | |
+| `DD_TRIGGER_ROCKETCHAT_{trigger_name}_CHANNEL` | 🔴 | Where the message is sent to. | Channel ID (`6561ce603d237c33797650d7`), channel name (`#example`) or username (`@example`). | |
+| `DD_TRIGGER_ROCKETCHAT_{trigger_name}_ALIAS` | ⚪ | Alters the sender's name shown for the message, but keeps the username as is. Requires `message-impersonate` permission, typically only present on the `bot` role. | | |
+| `DD_TRIGGER_ROCKETCHAT_{trigger_name}_AVATAR` | ⚪ | Display the sender's avatar as the provided image URL. Requires `message-impersonate` permission, typically only on the `bot` role. | | |
+| `DD_TRIGGER_ROCKETCHAT_{trigger_name}_EMOJI` | ⚪ | Display the sender's avatar as an emoji, e.g. `:smile:`. | | |
+| `DD_TRIGGER_ROCKETCHAT_{trigger_name}_PARSE_URLS` | ⚪ | Whether Rocket.Chat should generate link previews when the message text contains URLs. Default is unset (defers to Rocket.Chat server default). | `true`, `false` | |
+| `DD_TRIGGER_ROCKETCHAT_{trigger_name}_DISABLETITLE` | ⚪ | Disable title to have full control over the message formatting. | `true`, `false` | `false` |
+
+<Callout type="warn">The Rocket.Chat channel must already exist on the workspace (the trigger won't automatically create it)</Callout>
+
+<Callout type="info">This trigger also supports the [common configuration variables](/docs/configuration/triggers/#common-trigger-configuration).</Callout>
+
+<Callout type="info">See also the [Rocket.Chat API documentation](https://developer.rocket.chat/apidocs/post-message) for additional information.</Callout>
+
+## Examples
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+        - DD_TRIGGER_ROCKETCHAT_LOCAL_URL=https://example.com
+        - DD_TRIGGER_ROCKETCHAT_LOCAL_USER_ID=jDdn8oh9BfJKnWdDY
+        - DD_TRIGGER_ROCKETCHAT_LOCAL_AUTH_TOKEN=Rbqz90hnkRyVwRfcmE5PzkP5Pqwml_fo7ZUXzxv2_zx
+        - DD_TRIGGER_ROCKETCHAT_LOCAL_CHANNEL=#drydock
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+    -e DD_TRIGGER_ROCKETCHAT_LOCAL_URL="https://example.com" \
+    -e DD_TRIGGER_ROCKETCHAT_LOCAL_USER_ID="jDdn8oh9BfJKnWdDY" \
+    -e DD_TRIGGER_ROCKETCHAT_LOCAL_AUTH_TOKEN="Rbqz90hnkRyVwRfcmE5PzkP5Pqwml_fo7ZUXzxv2_zx" \
+    -e DD_TRIGGER_ROCKETCHAT_LOCAL_CHANNEL="#drydock" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+## How to obtain the sender's user ID and auth token
+
+1. Log in to your Rocket.Chat workspace with the sender's account
+2. Click on your profile picture in the top left corner, then click on "Profile"
+3. Click on "Personal Access Tokens" in the left menu
+4. Type a name for the token, select "Ignore Two Factor Authentication" and click on "Add"
+5. Confirm your password or 2FA code
+6. Copy the user ID and auth token values
diff --git a/content/docs/v1.4/configuration/triggers/rocketchat/meta.json b/content/docs/v1.4/configuration/triggers/rocketchat/meta.json
new file mode 100644
index 000000000..c56588a5e
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/rocketchat/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Rocket.Chat",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/triggers/slack/index.mdx b/content/docs/v1.4/configuration/triggers/slack/index.mdx
new file mode 100644
index 000000000..10914197f
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/slack/index.mdx
@@ -0,0 +1,50 @@
+---
+title: "Slack"
+description: "The slack trigger lets you post image update notifications to a Slack channel."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+![logo](/docs/assets/configuration/triggers/slack/slack.png)
+
+The `slack` trigger lets you post image update notifications to a Slack channel.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_TRIGGER_SLACK_{trigger_name}_TOKEN` | 🔴 | The Oauth Token of the Slack app | | |
+| `DD_TRIGGER_SLACK_{trigger_name}_CHANNEL` | 🔴 | The name of the channel to post | | |
+| `DD_TRIGGER_SLACK_{trigger_name}_DISABLETITLE` | ⚪ | Disable title to have full control over the message formatting | `true`, `false` | `false` |
+
+<Callout type="warn">The Slack channel must already exist on the workspace (the trigger won't automatically create it)</Callout>
+
+<Callout type="info">This trigger also supports the [common configuration variables](/docs/configuration/triggers/#common-trigger-configuration).</Callout>
+
+## Examples
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+        - DD_TRIGGER_SLACK_TEST_TOKEN=xoxp-743817063446-xxx
+        - DD_TRIGGER_SLACK_TEST_CHANNEL=drydock
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+    -e DD_TRIGGER_SLACK_TEST_TOKEN="xoxp-743817063446-xxx" \
+    -e DD_TRIGGER_SLACK_TEST_CHANNEL="drydock" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
diff --git a/content/docs/v1.4/configuration/triggers/slack/meta.json b/content/docs/v1.4/configuration/triggers/slack/meta.json
new file mode 100644
index 000000000..ef07df498
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/slack/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Slack",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/triggers/smtp/index.mdx b/content/docs/v1.4/configuration/triggers/smtp/index.mdx
new file mode 100644
index 000000000..f6363ec9a
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/smtp/index.mdx
@@ -0,0 +1,66 @@
+---
+title: "Smtp"
+description: "The smtp trigger lets you send emails with smtp."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+The `smtp` trigger lets you send emails with smtp.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | :--- | --- | --- |
+| `DD_TRIGGER_SMTP_{trigger_name}_HOST` | 🔴 | Smtp server host | Valid hostname or IP address | |
+| `DD_TRIGGER_SMTP_{trigger_name}_PORT` | 🔴 | Smtp server port | Valid smtp port | |
+| `DD_TRIGGER_SMTP_{trigger_name}_FROM` | 🔴 | Email from address | Valid email address | |
+| `DD_TRIGGER_SMTP_{trigger_name}_TO` | 🔴 | Email to address | Valid email address | |
+| `DD_TRIGGER_SMTP_{trigger_name}_USER` | ⚪ | Smtp user | | |
+| `DD_TRIGGER_SMTP_{trigger_name}_PASS` | ⚪ | Smtp password | | |
+| `DD_TRIGGER_SMTP_{trigger_name}_TLS_ENABLED` | ⚪ | Use TLS | `true`, `false` | `false` |
+| `DD_TRIGGER_SMTP_{trigger_name}_TLS_VERIFY` | ⚪ | Verify server TLS certificate | `true`, `false` | `true` |
+| `DD_TRIGGER_SMTP_{trigger_name}_ALLOWCUSTOMTLD` | ⚪ | Allow custom tlds for the email addresses | `true`, `false` | `false` |
+
+<Callout type="info">This trigger also supports the [common configuration variables](/docs/configuration/triggers/#common-trigger-configuration).</Callout>
+
+## Examples
+
+### Send an email with Gmail
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+        - DD_TRIGGER_SMTP_GMAIL_HOST=smtp.gmail.com
+        - DD_TRIGGER_SMTP_GMAIL_PORT=465
+        - DD_TRIGGER_SMTP_GMAIL_USER=john.doe@gmail.com
+        - DD_TRIGGER_SMTP_GMAIL_PASS=mysecretpass
+        - DD_TRIGGER_SMTP_GMAIL_FROM=john.doe@gmail.com
+        - DD_TRIGGER_SMTP_GMAIL_TO=jane.doe@gmail.com
+        - DD_TRIGGER_SMTP_GMAIL_TLS_ENABLED=true 
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+    -e DD_TRIGGER_SMTP_GMAIL_HOST="smtp.gmail.com" \
+    -e DD_TRIGGER_SMTP_GMAIL_PORT="465" \
+    -e DD_TRIGGER_SMTP_GMAIL_USER="john.doe@gmail.com" \
+    -e DD_TRIGGER_SMTP_GMAIL_PASS="mysecretpass" \
+    -e DD_TRIGGER_SMTP_GMAIL_FROM="john.doe@gmail.com" \
+    -e DD_TRIGGER_SMTP_GMAIL_TO="jane.doe@gmail.com" \
+    -e DD_TRIGGER_SMTP_GMAIL_TLS_ENABLED="true" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+<Callout type="warn">For Gmail, you need to create an application specific password first ([See gmail documentation](https://myaccount.google.com/apppasswords)).</Callout>
diff --git a/content/docs/v1.4/configuration/triggers/smtp/meta.json b/content/docs/v1.4/configuration/triggers/smtp/meta.json
new file mode 100644
index 000000000..2c5a29724
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/smtp/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "SMTP",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/triggers/teams/index.mdx b/content/docs/v1.4/configuration/triggers/teams/index.mdx
new file mode 100644
index 000000000..bcb12742e
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/teams/index.mdx
@@ -0,0 +1,46 @@
+---
+title: "Teams"
+description: "The teams trigger posts container update notifications to a Microsoft Teams incoming webhook using Adaptive Cards."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+The `teams` trigger posts container update notifications to a Microsoft Teams incoming webhook using Adaptive Cards.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_TRIGGER_TEAMS_{trigger_name}_URL` | 🔴 | Incoming webhook URL | `https` URL | |
+| `DD_TRIGGER_TEAMS_{trigger_name}_CARDVERSION` | ⚪ | Adaptive Card schema version | Version string | `1.4` |
+| `DD_TRIGGER_TEAMS_{trigger_name}_DISABLETITLE` | ⚪ | Disable title to keep full message-body control | `true`, `false` | `false` |
+
+<Callout type="info">This trigger also supports the [common configuration variables](/docs/configuration/triggers/#common-trigger-configuration).</Callout>
+
+<Callout type="info">See the [Microsoft Teams incoming webhooks documentation](https://learn.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/add-incoming-webhook) for endpoint setup details.</Callout>
+
+## Examples
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_TRIGGER_TEAMS_LOCAL_URL=https://outlook.office.com/webhook/abc123
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e DD_TRIGGER_TEAMS_LOCAL_URL="https://outlook.office.com/webhook/abc123" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
diff --git a/content/docs/v1.4/configuration/triggers/teams/meta.json b/content/docs/v1.4/configuration/triggers/teams/meta.json
new file mode 100644
index 000000000..01146f950
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/teams/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Teams",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/triggers/telegram/index.mdx b/content/docs/v1.4/configuration/triggers/telegram/index.mdx
new file mode 100644
index 000000000..8535bd7b5
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/telegram/index.mdx
@@ -0,0 +1,59 @@
+---
+title: "Telegram"
+description: "The telegram trigger lets you send realtime notifications using Telegram bots."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+![logo](/docs/assets/configuration/triggers/telegram/telegram.png)
+
+The `telegram` trigger lets you send realtime notifications using [Telegram](https://telegram.org/) bots.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_TRIGGER_TELEGRAM_{trigger_name}_BOTTOKEN` | 🔴 | The Bot token | | |
+| `DD_TRIGGER_TELEGRAM_{trigger_name}_CHATID` | 🔴 | The Chat ID | | |
+| `DD_TRIGGER_TELEGRAM_{trigger_name}_DISABLETITLE` | ⚪ | Disable title to have full control over the message formatting | `true`, `false` | `false` |
+| `DD_TRIGGER_TELEGRAM_{trigger_name}_MESSAGEFORMAT` | ⚪ | Send the message as markdown or as html (useful for custom message formatting) | `Markdown`, `HTML` | `Markdown` |
+
+<Callout type="info">This trigger also supports the [common configuration variables](/docs/configuration/triggers/#common-trigger-configuration).</Callout>
+
+## Examples
+
+### Configuration
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_TRIGGER_TELEGRAM_1_BOTTOKEN=0123456789:AApFzFLD0g0NVg8l0bZf55ex3sajC4Aw84Q
+      - DD_TRIGGER_TELEGRAM_1_CHATID=9876543210
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run \
+  -e DD_TRIGGER_TELEGRAM_1_BOTTOKEN="0123456789:AApFzFLD0g0NVg8l0bZf55ex3sajC4Aw84Q" \
+  -e DD_TRIGGER_TELEGRAM_1_CHATID="9876543210" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+## How to create a bot and get the bot token
+
+[Follow this tutorial](https://medium.com/geekculture/generate-telegram-token-for-bot-api-d26faf9bf064)
+
+## How to get the chat id
+
+[Follow this tutorial](https://www.alphr.com/find-chat-id-telegram/)
diff --git a/content/docs/v1.4/configuration/triggers/telegram/meta.json b/content/docs/v1.4/configuration/triggers/telegram/meta.json
new file mode 100644
index 000000000..dbb58a811
--- /dev/null
+++ b/content/docs/v1.4/configuration/triggers/telegram/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Telegram",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/ui/index.mdx b/content/docs/v1.4/configuration/ui/index.mdx
new file mode 100644
index 000000000..9df2e2456
--- /dev/null
+++ b/content/docs/v1.4/configuration/ui/index.mdx
@@ -0,0 +1,125 @@
+---
+title: "UI Customization"
+description: "Customize the drydock dashboard appearance with themes, icon libraries, fonts, and layout preferences."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+
+All UI preferences are configured in **Config > Appearance** and persisted in the browser's localStorage. No server-side environment variables are needed.
+
+## Themes
+
+Drydock ships with 6 color themes, each available in dark and light variants:
+
+| Theme | Style |
+| --- | --- |
+| **One Dark** (default) | Clean and balanced |
+| **GitHub** | Clean, familiar |
+| **Dracula** | Bold purple |
+| **Catppuccin** | Warm pastels |
+| **Gruvbox** | Retro earthy warmth |
+| **Ayu** | Soft golden tones |
+
+Switch themes in **Config > Appearance**. A circle-reveal transition animation plays when changing themes.
+
+## Icon Libraries
+
+7 icon libraries are available:
+
+| Library | Notes |
+| --- | --- |
+| **Phosphor Duotone** (default) | Two-tone style |
+| **Phosphor** | Solid style |
+| **Lucide** | |
+| **Tabler** | |
+| **Heroicons** | |
+| **Iconoir** | |
+| **Font Awesome** | |
+
+An icon size slider in **Config > Appearance** adjusts icon scale across the UI.
+
+## Font Families
+
+6 monospace fonts are supported:
+
+| Font | Notes |
+| --- | --- |
+| **IBM Plex Mono** (default) | Bundled offline |
+| **JetBrains Mono** | Lazy-loaded from local `/fonts/` |
+| **Source Code Pro** | Lazy-loaded from local `/fonts/` |
+| **Inconsolata** | Lazy-loaded from local `/fonts/` |
+| **Commit Mono** | Lazy-loaded from local `/fonts/` |
+| **Comic Mono** | Lazy-loaded from local `/fonts/` |
+
+All non-default fonts are served locally from the container's `/fonts/` directory — no external network requests are made. In internetless mode, all fonts fall back to IBM Plex Mono which is bundled in the image.
+
+## Font Size
+
+An adjustable font size slider in **Config > Appearance** scales text across the entire UI. The setting is persisted in localStorage.
+
+## Command Palette
+
+Open the command palette with **Cmd+K** (macOS) or **Ctrl+K** (Windows/Linux).
+
+### Scope prefixes
+
+Type a prefix character to filter results:
+
+| Prefix | Scope | Includes |
+| --- | --- | --- |
+| `/` | Pages | Pages and settings navigation |
+| `@` | Runtime | Agents, triggers, watchers |
+| `#` | Config | Registries, auth providers, notification rules |
+
+Use arrow keys to navigate results, **Enter** to select, and **Escape** to close. Recent search history is persisted across sessions.
+
+## Border Radius
+
+5 border radius presets control the roundness of UI elements:
+
+| Preset | Description |
+| --- | --- |
+| **None** | No rounding (0px) |
+| **Sharp** | Subtle rounding |
+| **Modern** | Balanced rounding |
+| **Soft** | Gentle rounding |
+| **Round** | Maximum rounding |
+
+Select a preset in **Config > Appearance**. The choice is persisted in localStorage.
+
+## Dashboard
+
+The dashboard displays 4 stat cards: **Containers**, **Updates**, **Security**, and **Registries**. Cards are drag-reorderable and the layout is persisted in localStorage.
+
+Update and security stats are color-coded based on severity ratio.
+
+## View Modes
+
+All data views (Containers, Watchers, Registries, Triggers, Auth, Agents, Security) support three display modes:
+
+| Mode | Description |
+| --- | --- |
+| **Table** (default) | Rows with interactive column resizing |
+| **Cards** | Grid layout |
+| **List** | Accordion-style |
+
+Toggle between modes using the view mode buttons in the toolbar.
+
+## Keyboard Shortcuts
+
+| Shortcut | Action |
+| --- | --- |
+| **Cmd/Ctrl+K** | Open command palette |
+| **Escape** | Close detail panel or dialog |
+| **Enter** | Confirm dialog action |
+| **Arrow keys** | Navigate command palette results |
+
+## Announcement Banner
+
+A dismissible banner appears at the top of the dashboard to surface release notes and important notices after upgrades. Once dismissed, the banner does not reappear until the next release. No configuration is needed — the banner is managed automatically by the UI.
+
+## Detail Panels
+
+Clicking any row in a data view opens a slide-in detail panel with contextual information and actions. Detail panels are available on all views: Containers, Watchers, Registries, Triggers, Auth, Agents, and Security.
+
+<Callout type="info">All UI preferences are stored in the browser's localStorage. They are not synced across devices or browsers.</Callout>
diff --git a/content/docs/v1.4/configuration/ui/meta.json b/content/docs/v1.4/configuration/ui/meta.json
new file mode 100644
index 000000000..104154a0e
--- /dev/null
+++ b/content/docs/v1.4/configuration/ui/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "UI Customization",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/configuration/watchers/index.mdx b/content/docs/v1.4/configuration/watchers/index.mdx
new file mode 100644
index 000000000..58c20f790
--- /dev/null
+++ b/content/docs/v1.4/configuration/watchers/index.mdx
@@ -0,0 +1,944 @@
+---
+title: "Docker Watchers"
+description: "Watchers are responsible for scanning Docker containers."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+![logo](/docs/assets/configuration/watchers/docker.png)
+
+Watchers are responsible for scanning Docker containers.
+
+The `docker` watcher lets you configure the Docker hosts you want to watch.
+
+## Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_WATCHER_{watcher_name}_CAFILE` | ⚪ | CA pem file path (only for TLS connection) | | |
+| `DD_WATCHER_{watcher_name}_AUTH_BEARER` | ⚪ | Bearer token for remote Docker API auth (HTTPS only) | | |
+| `DD_WATCHER_{watcher_name}_AUTH_INSECURE` | ⚪ | Allow fail-open remote auth fallback when auth is invalid or non-HTTPS | `true`, `false` | `false` |
+| `DD_WATCHER_{watcher_name}_AUTH_PASSWORD` | ⚪ | Password for remote Docker API basic auth (HTTPS only) | | |
+| `DD_WATCHER_{watcher_name}_AUTH_TYPE` | ⚪ | Auth mode for remote Docker API auth | `BASIC`, `BEARER`, `OIDC` | auto-detected from provided credentials |
+| `DD_WATCHER_{watcher_name}_AUTH_USER` | ⚪ | Username for remote Docker API basic auth (HTTPS only) | | |
+| `DD_WATCHER_{watcher_name}_CERTFILE` | ⚪ | Certificate pem file path (only for TLS connection) | | |
+| `DD_WATCHER_{watcher_name}_CRON` | ⚪ | Scheduling options | [Valid CRON expression](https://crontab.guru/) | `0 * * * *` (every hour) |
+| `DD_WATCHER_{watcher_name}_HOST` | ⚪ | Docker hostname or ip of the host to watch | | |
+| `DD_WATCHER_{watcher_name}_JITTER` | ⚪ | Jitter in ms applied to the CRON to better distribute the load on the registries (on the Hub at the first place) | > 0 | `60000` (1 minute) |
+| `DD_WATCHER_{watcher_name}_KEYFILE` | ⚪ | Key pem file path (only for TLS connection) | | |
+| `DD_WATCHER_{watcher_name}_MAINTENANCE_WINDOW` | ⚪ | Allowed update schedule (checks outside this window are skipped) | [Valid CRON expression](https://crontab.guru/) | |
+| `DD_WATCHER_{watcher_name}_MAINTENANCE_WINDOW_TZ` | ⚪ | Timezone used to evaluate `MAINTENANCE_WINDOW` | IANA timezone (e.g. `UTC`, `Europe/Paris`) | `UTC` |
+| `DD_WATCHER_{watcher_name}_PORT` | ⚪ | Docker port of the host to watch | | `2375` |
+| `DD_WATCHER_{watcher_name}_PROTOCOL` | ⚪ | Docker remote API protocol | `http`, `https` | `http` |
+| `DD_WATCHER_{watcher_name}_SOCKET` | ⚪ | Docker socket to watch | Valid unix socket | `/var/run/docker.sock` |
+| `DD_WATCHER_{watcher_name}_WATCHALL` | ⚪ | Include containers in **every** state (created, paused, exited, restarting, etc.) — not just running ones | `true`, `false` | `false` |
+| `DD_WATCHER_{watcher_name}_WATCHATSTART` (deprecated) | ⚪ | If drydock must check for image updates during startup | `true`, `false` | `true` if this watcher store is empty |
+| `DD_WATCHER_{watcher_name}_WATCHBYDEFAULT` | ⚪ | Watch containers that don't have an explicit `dd.watch` label | `true`, `false` | `true` |
+| `DD_WATCHER_{watcher_name}_WATCHEVENTS` | ⚪ | If drydock must monitor docker events | `true`, `false` | `true` |
+| `DD_WATCHER_{watcher_name}_IMGSET_{imgset_name}_*` | ⚪ | Shared per-image defaults (image match + include/exclude/transform/link/display/trigger/lookup) | See **Image Set Presets** section below | |
+
+`WATCHALL` and `WATCHBYDEFAULT` are independent and operate at different stages. `WATCHALL` controls **which container states** Docker returns (running-only vs all states). `WATCHBYDEFAULT` controls **whether unlabeled containers are watched** — the `dd.watch` label always takes precedence when set. See the [behavior matrix](#watchall--watchbydefault-behavior-matrix) below for details.
+
+<Callout type="warn">`DD_WATCHER_{watcher_name}_WATCHDIGEST` is deprecated and will be removed in a future release. Use the `dd.watch.digest` container label instead.</Callout>
+
+**Notes:**
+
+- If no watcher is configured, a default one named `local` will be automatically created (reading the Docker socket).
+- Multiple watchers can be configured (if you have multiple Docker hosts to watch). Just give them different names.
+- Socket configuration and host/port configuration are mutually exclusive.
+- When `MAINTENANCE_WINDOW` is configured and a check is skipped outside the allowed schedule, drydock queues one pending check and runs it automatically when the next maintenance window opens.
+- Legacy compatibility: `wud.*` labels are still accepted as fallback to `dd.*`. When a fallback is used, drydock emits a one-time warning for that key and increments `dd_legacy_input_total{source="label",key="<legacy_key>"}`. To rewrite configs in place, run `node dist/index.js config migrate --dry-run` then `node dist/index.js config migrate --file <path>`.
+- If watcher logger initialization fails, drydock automatically falls back to structured stderr JSON logs and increments `dd_watcher_logger_init_failures_total{type,name}`. Alert on non-zero increases to catch degraded logging early.
+
+<Callout type="warn">When using socket configuration, mount the Docker socket on your drydock container. When using host/port configuration, enable the [Docker remote API](https://docs.docker.com/reference/cli/dockerd/). If the remote API is secured with TLS, mount and configure the [TLS certificates](https://docs.docker.com/engine/security/protect-access/#use-tls-https-to-protect-the-docker-daemon-socket).</Callout>
+
+<Callout type="warn">Remote watcher auth (`AUTH_*`) is fail-closed by default and requires HTTPS (`PROTOCOL=https`) or TLS certificate-based connections. Set `AUTH_INSECURE=true` only if you intentionally need legacy fail-open behavior.</Callout>
+
+<Callout type="warn">Watching image digests causes an extensive usage of _Docker Registry Pull API_ which is restricted by [**Quotas on the Docker Hub**](https://docs.docker.com/docker-hub/usage/).
+By default, drydock enables it only for **non semver** image tags.
+You can tune this behavior per container using the `dd.watch.digest` label.
+If you face [quota related errors](https://docs.docker.com/docker-hub/usage/#how-do-i-know-my-pull-requests-are-being-limited), consider slowing down the watcher rate by adjusting the `DD_WATCHER_{watcher_name}_CRON` variable.</Callout>
+
+## Variable examples
+
+### Watch the local docker host every day at 1am
+
+<Tabs items={["Docker Compose (Daily CRON)", "Docker (Daily CRON)"]}>
+<Tab value="Docker Compose (Daily CRON)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+        - DD_WATCHER_LOCAL_CRON=0 1 * * *
+```
+
+</Tab>
+<Tab value="Docker (Daily CRON)">
+```bash
+docker run \
+    -e DD_WATCHER_LOCAL_CRON="0 1 * * *" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### Watch all containers regardless of their status (created, paused, exited, restarting, running...)
+
+<Tabs items={["Docker Compose (Watch All)", "Docker (Watch All)"]}>
+<Tab value="Docker Compose (Watch All)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+        - DD_WATCHER_LOCAL_WATCHALL=true
+```
+
+</Tab>
+<Tab value="Docker (Watch All)">
+```bash
+docker run \
+    -e DD_WATCHER_LOCAL_WATCHALL="true" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### WATCHALL / WATCHBYDEFAULT behavior matrix
+
+These two variables are **orthogonal** — they filter at different stages of the container selection pipeline:
+
+1. **WATCHALL** (Docker API level) — decides which container **states** are fetched from Docker.
+2. **WATCHBYDEFAULT** (per-container level) — decides whether containers **without** a `dd.watch` label are watched. An explicit `dd.watch` label always takes precedence.
+
+| `WATCHALL` | `WATCHBYDEFAULT` | Containers fetched | Unlabeled containers | `dd.watch=true` | `dd.watch=false` |
+| :---: | :---: | --- | --- | --- | --- |
+| `false` (default) | `true` (default) | Running only | Watched | Watched | **Not** watched |
+| `false` | `false` | Running only | **Not** watched | Watched | **Not** watched |
+| `true` | `true` | All states | Watched | Watched | **Not** watched |
+| `true` | `false` | All states | **Not** watched | Watched | **Not** watched |
+
+<Callout type="warn">A stopped container with `dd.watch=true` will **not** be watched when `WATCHALL` is `false` because it is never returned by the Docker API in the first place. Set `WATCHALL=true` if you need to monitor non-running containers.</Callout>
+
+### Watch a remote docker host via TCP on 2375
+
+<Tabs items={["Docker Compose (Remote TCP)", "Docker (Remote TCP)"]}>
+<Tab value="Docker Compose (Remote TCP)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+        - DD_WATCHER_MYREMOTEHOST_HOST=myremotehost
+```
+
+</Tab>
+<Tab value="Docker (Remote TCP)">
+```bash
+docker run \
+    -e DD_WATCHER_MYREMOTEHOST_HOST="myremotehost" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### Watch a remote docker host behind HTTPS with bearer auth
+
+<Tabs items={["Docker Compose (HTTPS Bearer)", "Docker (HTTPS Bearer)"]}>
+<Tab value="Docker Compose (HTTPS Bearer)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+        - DD_WATCHER_MYREMOTEHOST_HOST=myremotehost
+        - DD_WATCHER_MYREMOTEHOST_PORT=443
+        - DD_WATCHER_MYREMOTEHOST_PROTOCOL=https
+        - DD_WATCHER_MYREMOTEHOST_AUTH_TYPE=BEARER
+        - DD_WATCHER_MYREMOTEHOST_AUTH_BEARER=my-secret-token
+```
+
+</Tab>
+<Tab value="Docker (HTTPS Bearer)">
+```bash
+docker run \
+    -e DD_WATCHER_MYREMOTEHOST_HOST="myremotehost" \
+    -e DD_WATCHER_MYREMOTEHOST_PORT="443" \
+    -e DD_WATCHER_MYREMOTEHOST_PROTOCOL="https" \
+    -e DD_WATCHER_MYREMOTEHOST_AUTH_TYPE="BEARER" \
+    -e DD_WATCHER_MYREMOTEHOST_AUTH_BEARER="my-secret-token" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### Watch a remote docker host via TCP with TLS enabled on 2376
+
+<Tabs items={["Docker Compose (TLS)", "Docker (TLS)"]}>
+<Tab value="Docker Compose (TLS)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+        - DD_WATCHER_MYREMOTEHOST_HOST=myremotehost
+        - DD_WATCHER_MYREMOTEHOST_PORT=2376
+        - DD_WATCHER_MYREMOTEHOST_CAFILE=/certs/ca.pem
+        - DD_WATCHER_MYREMOTEHOST_CERTFILE=/certs/cert.pem
+        - DD_WATCHER_MYREMOTEHOST_KEYFILE=/certs/key.pem
+    volumes:
+        - /my-host/my-certs/ca.pem:/certs/ca.pem:ro
+        - /my-host/my-certs/ca.pem:/certs/cert.pem:ro
+        - /my-host/my-certs/ca.pem:/certs/key.pem:ro
+```
+
+</Tab>
+<Tab value="Docker (TLS)">
+```bash
+docker run \
+    -e DD_WATCHER_MYREMOTEHOST_HOST="myremotehost" \
+    -e DD_WATCHER_MYREMOTEHOST_PORT="2376" \
+    -e DD_WATCHER_MYREMOTEHOST_CAFILE="/certs/ca.pem" \
+    -e DD_WATCHER_MYREMOTEHOST_CERTFILE="/certs/cert.pem" \
+    -e DD_WATCHER_MYREMOTEHOST_KEYFILE="/certs/key.pem" \
+    -v /my-host/my-certs/ca.pem:/certs/ca.pem:ro \
+    -v /my-host/my-certs/ca.pem:/certs/cert.pem:ro \
+    -v /my-host/my-certs/ca.pem:/certs/key.pem:ro \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+<Callout type="warn">Don't forget to mount the certificates into the container!</Callout>
+
+## Docker Socket Security
+
+Drydock needs to communicate with the Docker Engine API to monitor containers and (optionally) perform updates. By default this means mounting the Docker socket — which grants broad access to the host. This section covers all available approaches to secure that access, from the recommended socket proxy to remote TLS connections.
+
+### Security comparison
+
+| Approach | Attack surface | Privilege level | Setup complexity | Auto-updates? |
+| --- | --- | --- | --- | --- |
+| **Socket proxy** (recommended) | Filtered API only | Non-root | Low | Yes (with `POST=1`) |
+| **Remote Docker over TLS** | Network + TLS | Non-root | Medium | Yes |
+| **Rootless Docker** | Full API, unprivileged daemon | Non-root | Medium | Yes |
+| **Direct socket mount** | Full Docker API | Root | Trivial | Yes |
+| **Break-glass root mode** | Full Docker API + host root | Root | Trivial | Yes |
+
+### Option 1: Socket proxy (recommended)
+
+A socket proxy runs as a separate container with access to the Docker socket and exposes only the API endpoints Drydock needs. Drydock connects to the proxy over HTTP, so no socket mount is required at all.
+
+This is the **recommended approach** for all deployments. It provides a strict security boundary with minimal setup.
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    depends_on:
+      socket-proxy:
+        condition: service_healthy
+    environment:
+      - DD_WATCHER_LOCAL_HOST=socket-proxy
+      - DD_WATCHER_LOCAL_PORT=2375
+    ports:
+      - 3000:3000
+
+  socket-proxy:
+    image: tecnativa/docker-socket-proxy
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+      - CONTAINERS=1
+      - IMAGES=1
+      - EVENTS=1
+      - SERVICES=1
+    healthcheck:
+      test: wget --spider http://localhost:2375/version || exit 1
+      interval: 5s
+      timeout: 3s
+      retries: 3
+      start_period: 5s
+    restart: unless-stopped
+```
+
+The `:ro` (read-only) flag on the Docker socket mount is omitted intentionally. The proxy's environment variables (`CONTAINERS`, `EVENTS`, etc.) control which API endpoints are exposed — that is the actual security boundary. The `:ro` flag on Unix sockets does not prevent API communication and can cause connection failures on some Linux kernels.
+
+#### Proxy permissions by feature
+
+| Feature | Required proxy env vars |
+| --- | --- |
+| Watch containers (default) | `CONTAINERS=1`, `IMAGES=1`, `EVENTS=1`, `SERVICES=1` |
+| Container actions (start/stop/restart) | All of the above **plus** `POST=1` and a [Docker trigger](/docs/configuration/triggers/docker) |
+| Docker trigger (auto-updates) | All of the above **plus** `POST=1`, `NETWORKS=1` |
+
+<Callout type="warn">Container actions (start, stop, restart, update) require a Docker trigger to be configured. If you only want container actions without automatic updates, set `DD_TRIGGER_DOCKER_{name}_AUTO=false`. Without a Docker trigger, the UI will show "No docker trigger found for this container" when attempting actions.</Callout>
+
+#### Alternative socket proxies
+
+[Tecnativa/docker-socket-proxy](https://github.com/Tecnativa/docker-socket-proxy) is the most widely used option, but any HAProxy or nginx-based Docker socket proxy that filters by HTTP method and path will work. The key requirement is that the proxy exposes the Docker Engine API endpoints listed in the permissions table above and blocks everything else (especially `exec`, `build`, and `swarm` endpoints).
+
+Other compatible proxies include [linuxserver/docker-socket-proxy](https://github.com/linuxserver/docker-socket-proxy) (a fork with additional features).
+
+### Option 2: Remote Docker over TLS
+
+Instead of mounting the socket at all, Drydock can connect to a remote Docker host over the network using mutual TLS (mTLS). This is ideal for multi-host setups or when you want to completely avoid socket mounts.
+
+#### Step 1: Generate TLS certificates on the Docker host
+
+Follow the official [Docker TLS guide](https://docs.docker.com/engine/security/protect-access/#use-tls-https-to-protect-the-docker-daemon-socket) to generate a CA, server certificate, and client certificate.
+
+#### Step 2: Configure the Docker daemon
+
+Configure the daemon to listen on a TLS port by adding this to `/etc/docker/daemon.json`:
+
+```json
+{
+  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
+  "tls": true,
+  "tlscacert": "/etc/docker/ca.pem",
+  "tlscert": "/etc/docker/server-cert.pem",
+  "tlskey": "/etc/docker/server-key.pem",
+  "tlsverify": true
+}
+```
+
+#### Step 3: Configure Drydock
+
+Configure Drydock with the client certificates:
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    environment:
+      - DD_WATCHER_REMOTE_HOST=docker-host.example.com
+      - DD_WATCHER_REMOTE_PORT=2376
+      - DD_WATCHER_REMOTE_CAFILE=/certs/ca.pem
+      - DD_WATCHER_REMOTE_CERTFILE=/certs/client-cert.pem
+      - DD_WATCHER_REMOTE_KEYFILE=/certs/client-key.pem
+    volumes:
+      - ./certs/ca.pem:/certs/ca.pem:ro
+      - ./certs/client-cert.pem:/certs/client-cert.pem:ro
+      - ./certs/client-key.pem:/certs/client-key.pem:ro
+    ports:
+      - 3000:3000
+```
+
+When TLS certificates are provided (`CAFILE`, `CERTFILE`, `KEYFILE`), Drydock automatically uses HTTPS regardless of the `PROTOCOL` setting.
+
+<Callout type="warn">Keep your client certificates secure. Mount them read-only (`:ro`) and restrict file permissions to the Drydock user.</Callout>
+
+### Option 3: Rootless Docker
+
+[Rootless Docker](https://docs.docker.com/engine/security/rootless/) runs the Docker daemon entirely in user space without root privileges. Even full socket access does not grant host root because the daemon itself is unprivileged.
+
+**Step 1: Install rootless Docker** following the [official guide](https://docs.docker.com/engine/security/rootless/#install).
+
+**Step 2: Find your rootless socket path:**
+
+```bash
+echo $XDG_RUNTIME_DIR/docker.sock
+# Typically: /run/user/1000/docker.sock
+```
+
+**Step 3: Mount the rootless socket:**
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    volumes:
+      - /run/user/1000/docker.sock:/var/run/docker.sock
+    ports:
+      - 3000:3000
+```
+
+The rootless socket path varies by user. Replace `1000` with your user's UID (`id -u`).
+
+<Callout type="warn">Rootless Docker has some limitations: no `--privileged` containers, limited network configuration, and some storage drivers may not be available. Check the [official limitations list](https://docs.docker.com/engine/security/rootless/#known-limitations) for your use case.</Callout>
+
+You can combine rootless Docker with a socket proxy for defense in depth — even if the proxy is compromised, the attacker only gains unprivileged access.
+
+### Option 4: Direct socket mount (default)
+
+The simplest approach — mount the Docker socket directly. Drydock runs as a non-root user inside the container, but the socket grants access to the full Docker API.
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - 3000:3000
+```
+
+<Callout type="warn">Direct socket access grants the container full control over the Docker daemon, including the ability to create privileged containers, mount host filesystems, and effectively gain root access to the host. Use a socket proxy or remote TLS connection for production deployments.</Callout>
+
+### Option 5: Break-glass root mode (least secure)
+
+If the non-root user cannot connect to the socket (common with `:ro` mounts), you can explicitly opt into root mode. This is a break-glass path and should not be your default. Both flags are required; setting only `DD_RUN_AS_ROOT=true` fails closed at startup.
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    environment:
+      - DD_RUN_AS_ROOT=true
+      - DD_ALLOW_INSECURE_ROOT=true
+    ports:
+      - 3000:3000
+```
+
+<Callout type="warn">Running as root trades away the privilege-drop security boundary. Use this only as a temporary break-glass fallback; prefer socket proxy mode for long-term deployments.</Callout>
+
+### Which Docker API endpoints does Drydock use?
+
+Understanding exactly what Drydock accesses helps you configure socket proxies and evaluate your security posture.
+
+**Read-only operations (watchers):**
+
+| Endpoint | Purpose |
+| --- | --- |
+| `GET /containers/json` | List running containers |
+| `GET /containers/{id}/json` | Inspect container details and labels |
+| `GET /images/json` | List images on the host |
+| `GET /images/{id}/json` | Inspect image metadata (tags, digests, architecture) |
+| `GET /events` | Stream real-time container lifecycle events |
+| `GET /services/{id}` | Inspect Docker Swarm service labels |
+
+**Write operations (triggers — only when performing updates):**
+
+| Endpoint | Purpose |
+| --- | --- |
+| `POST /images/create` | Pull new image versions |
+| `POST /containers/create` | Create replacement container |
+| `POST /containers/{id}/start` | Start the new container |
+| `POST /containers/{id}/stop` | Stop the old container |
+| `POST /containers/{id}/wait` | Wait for container removal |
+| `DELETE /containers/{id}` | Remove the old container |
+| `DELETE /images/{id}` | Prune old images (when enabled) |
+| `POST /networks/{id}/connect` | Connect container to additional networks |
+
+If you only need monitoring (no auto-updates), a read-only socket proxy configuration is sufficient.
+
+### Watch 1 local Docker host and 2 remote docker hosts at the same time
+
+<Tabs items={["Docker Compose (Multiple Hosts)", "Docker (Multiple Hosts)"]}>
+<Tab value="Docker Compose (Multiple Hosts)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+        -  DD_WATCHER_LOCAL_SOCKET=/var/run/docker.sock
+        -  DD_WATCHER_MYREMOTEHOST1_HOST=myremotehost1
+        -  DD_WATCHER_MYREMOTEHOST2_HOST=myremotehost2
+```
+
+</Tab>
+<Tab value="Docker (Multiple Hosts)">
+```bash
+docker run \
+    -e  DD_WATCHER_LOCAL_SOCKET="/var/run/docker.sock" \
+    -e  DD_WATCHER_MYREMOTEHOST1_HOST="myremotehost1" \
+    -e  DD_WATCHER_MYREMOTEHOST2_HOST="myremotehost2" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+### Maintenance window
+
+Only allow update checks between 2 AM and 4 AM in Europe/Berlin:
+
+<Tabs items={["Docker Compose (Maintenance Window)", "Docker (Maintenance Window)"]}>
+<Tab value="Docker Compose (Maintenance Window)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_WATCHER_LOCAL_CRON=0 * * * *
+      - DD_WATCHER_LOCAL_MAINTENANCE_WINDOW=0 2-3 * * *
+      - DD_WATCHER_LOCAL_MAINTENANCE_WINDOW_TZ=Europe/Berlin
+```
+
+</Tab>
+<Tab value="Docker (Maintenance Window)">
+```bash
+docker run \
+    -e DD_WATCHER_LOCAL_CRON="0 * * * *" \
+    -e DD_WATCHER_LOCAL_MAINTENANCE_WINDOW="0 2-3 * * *" \
+    -e DD_WATCHER_LOCAL_MAINTENANCE_WINDOW_TZ="Europe/Berlin" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+## Image Set Presets
+
+Use `IMGSET` to define reusable defaults by image reference. This is useful when many containers need the same tag filters, link template, icon, or trigger routing.
+
+Looking for ready-to-copy presets for common containers? See [Popular IMGSET Presets](/docs/configuration/watchers/popular-imgsets).
+
+### Supported imgset keys
+
+- `DD_WATCHER_{watcher_name}_IMGSET_{imgset_name}_IMAGE`
+- `DD_WATCHER_{watcher_name}_IMGSET_{imgset_name}_TAG_INCLUDE`
+- `DD_WATCHER_{watcher_name}_IMGSET_{imgset_name}_TAG_EXCLUDE`
+- `DD_WATCHER_{watcher_name}_IMGSET_{imgset_name}_TAG_TRANSFORM`
+- `DD_WATCHER_{watcher_name}_IMGSET_{imgset_name}_LINK_TEMPLATE`
+- `DD_WATCHER_{watcher_name}_IMGSET_{imgset_name}_DISPLAY_NAME`
+- `DD_WATCHER_{watcher_name}_IMGSET_{imgset_name}_DISPLAY_ICON`
+- `DD_WATCHER_{watcher_name}_IMGSET_{imgset_name}_TRIGGER_INCLUDE`
+- `DD_WATCHER_{watcher_name}_IMGSET_{imgset_name}_TAG_FAMILY`
+- `DD_WATCHER_{watcher_name}_IMGSET_{imgset_name}_WATCH_DIGEST`
+- `DD_WATCHER_{watcher_name}_IMGSET_{imgset_name}_INSPECT_TAG_PATH`
+- `DD_WATCHER_{watcher_name}_IMGSET_{imgset_name}_TRIGGER_EXCLUDE`
+- `DD_WATCHER_{watcher_name}_IMGSET_{imgset_name}_REGISTRY_LOOKUP_IMAGE`
+
+### Imgset precedence
+
+- `dd.*` labels on the container (or swarm service/container merged labels) are highest priority.
+- `IMGSET` values are defaults applied only when the corresponding label is not set.
+
+### Imgset example
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    environment:
+      - DD_WATCHER_LOCAL_IMGSET_HOMEASSISTANT_IMAGE=ghcr.io/home-assistant/home-assistant
+      - DD_WATCHER_LOCAL_IMGSET_HOMEASSISTANT_TAG_INCLUDE=^\\d+\\.\\d+\\.\\d+$$
+      - DD_WATCHER_LOCAL_IMGSET_HOMEASSISTANT_DISPLAY_NAME=Home Assistant
+      - DD_WATCHER_LOCAL_IMGSET_HOMEASSISTANT_DISPLAY_ICON=hl-home-assistant
+      - DD_WATCHER_LOCAL_IMGSET_HOMEASSISTANT_LINK_TEMPLATE=https://www.home-assistant.io/changelogs/core-$${major}$${minor}$${patch}
+      - DD_WATCHER_LOCAL_IMGSET_HOMEASSISTANT_TRIGGER_INCLUDE=ntfy.default:major
+```
+
+## Labels
+
+To fine-tune the behaviour of drydock _per container_, you can add labels on them.
+
+| Label | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `dd.display.icon` | ⚪ | Custom display icon for the container | Valid [Fontawesome Icon](https://fontawesome.com/), [Homarr Labs Icon](https://dashboardicons.com/), [Selfh.st Icon](https://selfh.st/icons/), or [Simple Icon](https://simpleicons.org/) (see details below). `mdi:` icons are auto-resolved but not recommended. | `fab fa-docker` |
+| `dd.display.picture` | ⚪ | Custom entity picture URL for Home Assistant MQTT integration. When set to an HTTP/HTTPS URL, overrides the icon-derived `entity_picture` in HASS discovery payloads. | Valid HTTP or HTTPS URL | |
+| `dd.display.name` | ⚪ | Custom display name for the container | Valid String | Container name |
+| `dd.group` | ⚪ | Group name for stack/group views in the UI (falls back to `com.docker.compose.project` if not set) | Valid String | |
+| `dd.inspect.tag.path` | ⚪ | Docker inspect path used to derive a local semver tag | Slash-separated path in `docker inspect` output | |
+| `dd.registry.lookup.image` | ⚪ | Alternative image reference used for update lookups | Full image path (for example `library/traefik` or `ghcr.io/traefik/traefik`) | |
+| `dd.link.template` | ⚪ | Browsable link associated to the container version | JS string template with vars `${raw}`, `${original}`, `${transformed}`, `${major}`, `${minor}`, `${patch}`, `${prerelease}` | |
+| `dd.tag.exclude` | ⚪ | Regex to exclude specific tags | Valid JavaScript Regex | |
+| `dd.tag.include` | ⚪ | Regex to include specific tags only | Valid JavaScript Regex | |
+| `dd.tag.transform` | ⚪ | Transform function to apply to the tag | `$valid_regex => $valid_string_with_placeholders` (see below) | |
+| `dd.tag.family` | ⚪ | Tag family policy for semver updates | `strict` (default) or `loose` | `strict` |
+| `dd.trigger.exclude` | ⚪ | Optional list of triggers to exclude | `$trigger_1_id_or_name,$trigger_2_id_or_name:$threshold` | |
+| `dd.trigger.include` | ⚪ | Optional list of triggers to include | `$trigger_1_id_or_name,$trigger_2_id_or_name:$threshold` | |
+| `dd.watch.digest` | ⚪ | Watch this container digest | Valid Boolean | `false` |
+| `dd.watch` | ⚪ | Explicitly include or exclude this container from monitoring (overrides `WATCHBYDEFAULT`) | Valid Boolean | Inherits from `WATCHBYDEFAULT` (`true` by default) |
+| `dd.compose.file` | ⚪ | Path to the docker-compose.yml file for compose-native updates (also configurable via trigger `COMPOSEFILELABEL`) | file path | |
+| `dd.webhook.enabled` | ⚪ | Allow or block [webhook API](/docs/configuration/webhooks) calls targeting this container | `true`, `false` | `true` |
+| `dd.updatePolicy.maturityMode` | ⚪ | Update maturity policy — `all` allows any update, `mature` blocks updates detected less than `maturityMinAgeDays` ago | `all`, `mature` | `all` |
+| `dd.updatePolicy.maturityMinAgeDays` | ⚪ | Minimum age in days before an update is considered mature (only applies when `maturityMode` is `mature`) | integer (`>=1`) | `7` |
+| `dd.runtime.entrypoint.origin` | ⚪ | Tracks whether the container's entrypoint was explicitly set or inherited from the image. Used during updates to decide whether to preserve the current entrypoint or let the new image defaults apply. | `explicit`, `inherited`, `unknown` | auto-detected |
+| `dd.runtime.cmd.origin` | ⚪ | Tracks whether the container's cmd was explicitly set or inherited from the image. Used during updates to decide whether to preserve the current cmd or let the new image defaults apply. | `explicit`, `inherited`, `unknown` | auto-detected |
+
+`dd.runtime.entrypoint.origin` and `dd.runtime.cmd.origin` are managed automatically by the Docker trigger during container updates. You only need to set them manually if drydock cannot detect the origin (shows `unknown`) and you want to explicitly pin or release a custom entrypoint/cmd.
+
+<Callout type="warn">`dd.inspect.tag.path` is optional and opt-in. Use it only when your image metadata tracks the running app version reliably; some images set unrelated values. Also note that legacy alias `dd.registry.lookup.url` is still accepted for compatibility, but prefer `dd.registry.lookup.image`.</Callout>
+
+## Label examples
+
+### Include specific containers to watch
+
+Set `WATCHBYDEFAULT=false` so that only containers with an explicit `dd.watch=true` label are monitored.
+<Tabs items={["Docker Compose (Disable Watch by Default)", "Docker (Disable Watch by Default)"]}>
+<Tab value="Docker Compose (Disable Watch by Default)">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    ...
+    environment:
+      - DD_WATCHER_LOCAL_WATCHBYDEFAULT=false
+```
+
+</Tab>
+<Tab value="Docker (Disable Watch by Default)">
+```bash
+docker run \
+    -e DD_WATCHER_LOCAL_WATCHBYDEFAULT="false" \
+  ...
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
+
+Then add the `dd.watch=true` label on the containers you want to watch.
+<Tabs items={["Docker Compose (Include Label)", "Docker (Include Label)"]}>
+<Tab value="Docker Compose (Include Label)">
+
+```yaml
+services:
+  mariadb:
+    image: mariadb:10.4.5
+    ...
+    labels:
+      - dd.watch=true
+```
+
+</Tab>
+<Tab value="Docker (Include Label)">
+```bash
+docker run -d --name mariadb --label dd.watch=true mariadb:10.4.5
+```
+</Tab>
+</Tabs>
+
+### Exclude specific containers to watch
+
+Ensure `DD_WATCHER_{watcher_name}_WATCHBYDEFAULT` is true (default value).
+
+Then add the `dd.watch=false` label on the containers you want to exclude from being watched.
+<Tabs items={["Docker Compose (Exclude Label)", "Docker (Exclude Label)"]}>
+<Tab value="Docker Compose (Exclude Label)">
+
+```yaml
+services:
+  mariadb:
+    image: mariadb:10.4.5
+    ...
+    labels:
+      - dd.watch=false
+```
+
+</Tab>
+<Tab value="Docker (Exclude Label)">
+```bash
+docker run -d --name mariadb --label dd.watch=false mariadb:10.4.5
+```
+</Tab>
+</Tabs>
+
+### Derive a semver from Docker inspect when image tag is `latest`
+
+Use this when the running container exposes a version label in `docker inspect`.
+
+<Tabs items={["Docker Compose (Inspect Tag Path)", "Docker (Inspect Tag Path)"]}>
+<Tab value="Docker Compose (Inspect Tag Path)">
+
+```yaml
+services:
+  myapp:
+    image: ghcr.io/example/myapp:latest
+    labels:
+      - dd.inspect.tag.path=Config/Labels/org.opencontainers.image.version
+```
+
+</Tab>
+<Tab value="Docker (Inspect Tag Path)">
+```bash
+docker run -d \
+  --name myapp \
+  --label dd.inspect.tag.path=Config/Labels/org.opencontainers.image.version \
+  ghcr.io/example/myapp:latest
+```
+</Tab>
+</Tabs>
+
+### Use an alternative image for update lookups
+
+Use this when your runtime image is pulled from a cache/proxy registry, but you want updates checked against an upstream image.
+
+<Tabs items={["Docker Compose (Lookup Image)", "Docker (Lookup Image)"]}>
+<Tab value="Docker Compose (Lookup Image)">
+
+```yaml
+services:
+  traefik:
+    image: harbor.example.com/dockerhub-proxy/traefik:v3.5.3
+    labels:
+      - dd.watch=true
+      - dd.registry.lookup.image=library/traefik
+```
+
+</Tab>
+<Tab value="Docker (Lookup Image)">
+```bash
+docker run -d \
+  --name traefik \
+  --label 'dd.watch=true' \
+  --label 'dd.registry.lookup.image=library/traefik' \
+  harbor.example.com/dockerhub-proxy/traefik:v3.5.3
+```
+</Tab>
+</Tabs>
+
+### Include only 3 digits semver tags
+
+You can filter (by inclusion or exclusion) which versions can be candidates for update.
+
+For example, you can indicate that you want to watch x.y.z versions only
+<Tabs items={["Docker Compose (Tag Include)", "Docker (Tag Include)"]}>
+<Tab value="Docker Compose (Tag Include)">
+
+```yaml
+services:
+
+  mariadb:
+    image: mariadb:10.4.5
+    labels:
+      - dd.tag.include=^\d+\.\d+\.\d+$$
+```
+
+</Tab>
+<Tab value="Docker (Tag Include)">
+```bash
+docker run -d --name mariadb --label 'dd.tag.include=^\d+\.\d+\.\d+$' mariadb:10.4.5
+```
+</Tab>
+</Tabs>
+
+### Transform the tags before performing the analysis
+
+In certain cases, tag values are so badly formatted that the resolution algorithm cannot find any valid update candidates or, worst, find bad positive matches.
+
+For example, you can encounter such an issue if you need to deal with tags looking like `1.0.0-99-7b368146`, `1.0.0-273-21d7efa6`...  
+By default, drydock will report bad positive matches because of the `sha-1` part at the end of the tag value (`-7b368146`...).  
+That's a shame because `1.0.0-99` and `1.0.0-273` would have been valid semver values (`$major.$minor.$patch-$prerelease`).
+
+You can get around this issue by providing a function that keeps only the part you are interested in.  
+
+How does it work?  
+The transform function must follow the following syntax:
+
+```text
+$valid_regex_with_capturing_groups => $valid_string_with_placeholders
+```
+
+For example:
+
+```bash
+^(\d+\.\d+\.\d+-\d+)-.*$ => $1
+```
+
+The capturing groups are accessible with the syntax `$1`, `$2`, `$3`....
+
+<Callout type="warn">The first capturing group is accessible as `$1`!</Callout>
+
+For example, you can indicate that you want to watch x.y.z versions only
+<Tabs items={["Docker Compose (Tag Transform)", "Docker (Tag Transform)"]}>
+<Tab value="Docker Compose (Tag Transform)">
+
+```yaml
+services:
+
+  searx:
+    image: searx/searx:1.0.0-269-7b368146
+    labels:
+      - dd.tag.include=^\d+\.\d+\.\d+-\d+-.*$$
+      - dd.tag.transform=^(\d+\.\d+\.\d+-\d+)-.*$$ => $$1
+```
+
+</Tab>
+<Tab value="Docker (Tag Transform)">
+```bash
+docker run -d --name searx \
+--label 'dd.tag.include=^\d+\.\d+\.\d+-\d+-.*$' \
+--label 'dd.tag.transform=^(\d+\.\d+\.\d+-\d+)-.*$ => $1' \
+searx/searx:1.0.0-269-7b368146
+```
+</Tab>
+</Tabs>
+
+### Enable digest watching
+
+Additionally to semver tag tracking, you can also track if the digest associated to the local tag has been updated.  
+It can be convenient to monitor image tags known to be overridden (`latest`, `10`, `10.6`...)
+
+<Tabs items={["Docker Compose (Digest Watch)", "Docker (Digest Watch)"]}>
+<Tab value="Docker Compose (Digest Watch)">
+
+```yaml
+services:
+
+  mariadb:
+    image: mariadb:10
+    labels:
+      - dd.tag.include=^\d+$$
+      - dd.watch.digest=true
+```
+
+</Tab>
+<Tab value="Docker (Digest Watch)">
+```bash
+docker run -d --name mariadb --label 'dd.tag.include=^\d+$' --label dd.watch.digest=true mariadb:10
+```
+</Tab>
+</Tabs>
+
+### Associate a link to the container version
+
+You can associate a browsable link to the container version using a templated string.
+For example, if you want to associate a mariadb version to a changelog (e.g. `https://mariadb.com/kb/en/mariadb-1064-changelog`),
+
+you would specify a template like `https://mariadb.com/kb/en/mariadb-${major}${minor}${patch}-changelog`
+
+The available variables are:
+
+- `${original}` the original unparsed tag
+- `${transformed}` the original unparsed tag transformed with the optional `dd.tag.transform` label option
+- `${major}` the major version (if tag value is semver)
+- `${minor}` the minor version (if tag value is semver)
+- `${patch}` the patch version (if tag value is semver)
+- `${prerelease}` the prerelease version (if tag value is semver)
+
+<Tabs items={["Docker Compose (Link Template)", "Docker (Link Template)"]}>
+<Tab value="Docker Compose (Link Template)">
+
+```yaml
+services:
+
+  mariadb:
+    image: mariadb:10.6.4
+    labels:
+      - dd.link.template=https://mariadb.com/kb/en/mariadb-$${major}$${minor}$${patch}-changelog
+```
+
+</Tab>
+<Tab value="Docker (Link Template)">
+```bash
+docker run -d --name mariadb --label 'dd.link.template=https://mariadb.com/kb/en/mariadb-${major}${minor}${patch}-changelog' mariadb:10
+```
+</Tab>
+</Tabs>
+
+### Customize the name and the icon to display
+
+You can customize the name & the icon of a container (displayed in the UI, in Home-Assistant...)
+
+Icons must be prefixed with:
+
+- `fab:` or `fab-` for [Fontawesome brand icons](https://fontawesome.com/) (`fab:github`, `fab-mailchimp`...)
+- `far:` or `far-` for [Fontawesome regular icons](https://fontawesome.com/) (`far:heart`, `far-house`...)
+- `fas:` or `fas-` for [Fontawesome solid icons](https://fontawesome.com/) (`fas:heart`, `fas-house`...)
+- `hl:` or `hl-` for [Homarr Labs icons](https://dashboardicons.com/) (`hl:plex`, `hl-authelia`...)
+- `mdi:` or `mdi-` icons are auto-resolved to Dashboard Icons but are **not recommended**; prefer `hl:` or `fa` prefixes instead
+- `sh:` or `sh-` for [Selfh.st](https://selfh.st/icons/) (`sh:authentik`, `sh-authelia-light`...) (only works for logo available as `png`)
+- `si:` or `si-` for [Simple icons](https://simpleicons.org/) (`si:mysql`, `si-plex`...)
+
+<Callout type="warn">The [HASS-fontawesome](https://github.com/thomasloven/hass-fontawesome) and [HASS-simpleicons](https://github.com/vigonotion/hass-simpleicons) Home Assistant integrations are deprecated and no longer maintained. Both projects recommend migrating to [hass-custom_icons](https://github.com/thomasloven/hass-custom_icons) instead.</Callout>
+
+<Tabs items={["Docker Compose (Display Name & Icon)", "Docker (Display Name & Icon)"]}>
+<Tab value="Docker Compose (Display Name & Icon)">
+
+```yaml
+services:
+
+  mariadb:
+    image: mariadb:10.6.4
+    labels:
+      - dd.display.name=Maria DB
+      - dd.display.icon=si:mariadb
+```
+
+</Tab>
+<Tab value="Docker (Display Name & Icon)">
+```bash
+docker run -d --name mariadb --label 'dd.display.name=Maria DB' --label 'dd.display.icon=si:mariadb' mariadb:10.6.4
+```
+</Tab>
+</Tabs>
+
+### Assign different triggers to containers
+
+You can assign different triggers and thresholds on a per container basis.
+
+#### Example send a mail notification for all updates but auto-update only if minor or patch
+
+<Tabs items={["Docker Compose (Trigger Include)", "Docker (Trigger Include)"]}>
+<Tab value="Docker Compose (Trigger Include)">
+
+```yaml
+services:
+
+  my_important_service:
+    image: my_important_service:1.0.0
+    labels:
+      - dd.trigger.include=smtp.gmail,dockercompose.local:minor
+```
+
+</Tab>
+<Tab value="Docker (Trigger Include)">
+```bash
+docker run -d --name my_important_service --label 'dd.trigger.include=smtp.gmail,dockercompose.local:minor' my_important_service:1.0.0
+```
+</Tab>
+</Tabs>
+
+- `dd.trigger.include=smtp.gmail` is a shorthand for `dd.trigger.include=smtp.gmail:all`
+- `dd.trigger.include=update` (or `dd.trigger.exclude=update`) targets all triggers named `update`, for example `docker.update` and `discord.update`
+
+**Threshold values:**
+
+| Threshold | Behavior |
+| --- | --- |
+| `all` | Trigger runs regardless of the nature of the change |
+| `major` | Trigger runs only for `major`, `minor`, or `patch` semver changes |
+| `minor` | Trigger runs only for `minor` or `patch` semver changes |
+| `patch` | Trigger runs only for `patch` semver changes |
+| `digest` | Trigger runs only on digest updates |
+| `*-no-digest` | Any threshold ending with `-no-digest` excludes digest updates for that threshold |
+
+## Container Runtime Details
+
+Each monitored container exposes runtime details sourced from Docker inspect and the container summary. These are visible in the API response and the UI:
+
+| Field | Type | Description |
+| --- | --- | --- |
+| `details.ports` | `string[]` | Published port mappings (e.g. `8080->80/tcp`, `443/tcp`) |
+| `details.volumes` | `string[]` | Volume and bind mounts (e.g. `myvolume:/data`, `/host/path:/container/path:ro`) |
+| `details.env` | `{ key, value }[]` | Environment variables set on the container |
+
+## Container Status Fields
+
+The container model includes additional fields useful for understanding update state:
+
+| Field | Type | Description |
+| --- | --- | --- |
+| `result.noUpdateReason` | `string` | When no update is available, explains why (e.g. tag filtering, no newer version found) |
+| `updateDetectedAt` | `string (ISO 8601)` | Timestamp of when an update was first detected for this container |
+
+## Docker Event Stream
+
+The watcher monitors Docker events (container create, destroy, start, stop, etc.) in real time. If the event stream disconnects, drydock automatically reconnects with exponential backoff starting at 1 second and capping at 30 seconds.
diff --git a/content/docs/v1.4/configuration/watchers/meta.json b/content/docs/v1.4/configuration/watchers/meta.json
new file mode 100644
index 000000000..20c1597ac
--- /dev/null
+++ b/content/docs/v1.4/configuration/watchers/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Watchers",
+  "pages": ["index", "popular-imgsets"]
+}
diff --git a/content/docs/v1.4/configuration/watchers/popular-imgsets.mdx b/content/docs/v1.4/configuration/watchers/popular-imgsets.mdx
new file mode 100644
index 000000000..bd362e70d
--- /dev/null
+++ b/content/docs/v1.4/configuration/watchers/popular-imgsets.mdx
@@ -0,0 +1,128 @@
+---
+title: "Popular IMGSET Presets"
+description: "Copy/paste these YAML environment blocks into your drydock service."
+---
+
+Copy/paste these YAML `environment` blocks into your `drydock` service.
+
+Update `DD_WATCHER_LOCAL_...` if your watcher name is not `local`.
+
+## Home Assistant
+
+```yaml
+environment:
+  - DD_WATCHER_LOCAL_IMGSET_HOMEASSISTANT_IMAGE=ghcr.io/home-assistant/home-assistant
+  - DD_WATCHER_LOCAL_IMGSET_HOMEASSISTANT_TAG_INCLUDE=^\\d+\\.\\d+\\.\\d+$$
+  - DD_WATCHER_LOCAL_IMGSET_HOMEASSISTANT_TAG_EXCLUDE=(alpha|beta|rc)
+  - DD_WATCHER_LOCAL_IMGSET_HOMEASSISTANT_DISPLAY_NAME=Home Assistant
+  - DD_WATCHER_LOCAL_IMGSET_HOMEASSISTANT_DISPLAY_ICON=hl:home-assistant
+  - DD_WATCHER_LOCAL_IMGSET_HOMEASSISTANT_LINK_TEMPLATE=https://www.home-assistant.io/changelogs/core-$${major}$${minor}$${patch}
+```
+
+## Traefik
+
+```yaml
+environment:
+  - DD_WATCHER_LOCAL_IMGSET_TRAEFIK_IMAGE=traefik
+  - DD_WATCHER_LOCAL_IMGSET_TRAEFIK_TAG_INCLUDE=^\\d+\\.\\d+\\.\\d+$$
+  - DD_WATCHER_LOCAL_IMGSET_TRAEFIK_TAG_EXCLUDE=(alpha|beta|rc)
+  - DD_WATCHER_LOCAL_IMGSET_TRAEFIK_DISPLAY_NAME=Traefik
+  - DD_WATCHER_LOCAL_IMGSET_TRAEFIK_DISPLAY_ICON=hl:traefik
+  - DD_WATCHER_LOCAL_IMGSET_TRAEFIK_LINK_TEMPLATE=https://github.com/traefik/traefik/releases/tag/v$${major}.$${minor}.$${patch}
+```
+
+## Caddy
+
+```yaml
+environment:
+  - DD_WATCHER_LOCAL_IMGSET_CADDY_IMAGE=caddy
+  - DD_WATCHER_LOCAL_IMGSET_CADDY_TAG_INCLUDE=^\\d+\\.\\d+\\.\\d+$$
+  - DD_WATCHER_LOCAL_IMGSET_CADDY_TAG_EXCLUDE=(beta|rc)
+  - DD_WATCHER_LOCAL_IMGSET_CADDY_DISPLAY_NAME=Caddy
+  - DD_WATCHER_LOCAL_IMGSET_CADDY_DISPLAY_ICON=hl:caddy
+  - DD_WATCHER_LOCAL_IMGSET_CADDY_LINK_TEMPLATE=https://github.com/caddyserver/caddy/releases/tag/v$${major}.$${minor}.$${patch}
+```
+
+## Nginx
+
+Nginx publishes suffixed variants (`-alpine`, `-perl`). The TAG_EXCLUDE keeps them out, and TAG_FAMILY=strict (default) prevents cross-family matches if the exclude is loosened.
+
+```yaml
+environment:
+  - DD_WATCHER_LOCAL_IMGSET_NGINX_IMAGE=nginx
+  - DD_WATCHER_LOCAL_IMGSET_NGINX_TAG_INCLUDE=^\\d+\\.\\d+\\.\\d+$$
+  - DD_WATCHER_LOCAL_IMGSET_NGINX_TAG_EXCLUDE=(alpine|perl|rc)
+  - DD_WATCHER_LOCAL_IMGSET_NGINX_TAG_FAMILY=strict
+  - DD_WATCHER_LOCAL_IMGSET_NGINX_DISPLAY_NAME=Nginx
+  - DD_WATCHER_LOCAL_IMGSET_NGINX_DISPLAY_ICON=hl:nginx
+  - DD_WATCHER_LOCAL_IMGSET_NGINX_LINK_TEMPLATE=https://github.com/nginx/nginx/releases/tag/release-$${major}.$${minor}.$${patch}
+```
+
+## PostgreSQL
+
+PostgreSQL tags mix segment counts (`17` vs `17.2`) and `-alpine` suffixes. TAG_FAMILY=strict ensures drydock only proposes updates within the same segment/suffix family as your running tag.
+
+```yaml
+environment:
+  - DD_WATCHER_LOCAL_IMGSET_POSTGRES_IMAGE=postgres
+  - DD_WATCHER_LOCAL_IMGSET_POSTGRES_TAG_INCLUDE=^\\d+(\\.\\d+)?$$
+  - DD_WATCHER_LOCAL_IMGSET_POSTGRES_TAG_EXCLUDE=(alpine|beta|rc)
+  - DD_WATCHER_LOCAL_IMGSET_POSTGRES_TAG_FAMILY=strict
+  - DD_WATCHER_LOCAL_IMGSET_POSTGRES_DISPLAY_NAME=PostgreSQL
+  - DD_WATCHER_LOCAL_IMGSET_POSTGRES_DISPLAY_ICON=hl:postgresql
+  - DD_WATCHER_LOCAL_IMGSET_POSTGRES_LINK_TEMPLATE=https://www.postgresql.org/docs/release/$${major}.$${minor}/
+```
+
+## Redis
+
+Redis uses the same mixed-segment pattern as PostgreSQL (`7` vs `7.4`) with `-alpine` variants. TAG_FAMILY=strict keeps updates within your tag family.
+
+```yaml
+environment:
+  - DD_WATCHER_LOCAL_IMGSET_REDIS_IMAGE=redis
+  - DD_WATCHER_LOCAL_IMGSET_REDIS_TAG_INCLUDE=^\\d+(\\.\\d+)?$$
+  - DD_WATCHER_LOCAL_IMGSET_REDIS_TAG_EXCLUDE=(alpine|beta|rc)
+  - DD_WATCHER_LOCAL_IMGSET_REDIS_TAG_FAMILY=strict
+  - DD_WATCHER_LOCAL_IMGSET_REDIS_DISPLAY_NAME=Redis
+  - DD_WATCHER_LOCAL_IMGSET_REDIS_DISPLAY_ICON=hl:redis
+  - DD_WATCHER_LOCAL_IMGSET_REDIS_LINK_TEMPLATE=https://github.com/redis/redis/releases/tag/$${major}.$${minor}
+```
+
+## Node.js
+
+Node.js has extensive tag variants (`22.14.0`, `22-alpine`, `22-bookworm-slim`, `lts-iron`, etc.). TAG_INCLUDE restricts to bare semver tags and TAG_FAMILY=strict prevents cross-suffix false positives if you run a suffixed variant like `22.14.0-alpine`.
+
+```yaml
+environment:
+  - DD_WATCHER_LOCAL_IMGSET_NODE_IMAGE=node
+  - DD_WATCHER_LOCAL_IMGSET_NODE_TAG_INCLUDE=^\\d+\\.\\d+\\.\\d+(-alpine)?$$
+  - DD_WATCHER_LOCAL_IMGSET_NODE_TAG_EXCLUDE=(slim|bookworm|bullseye|rc)
+  - DD_WATCHER_LOCAL_IMGSET_NODE_TAG_FAMILY=strict
+  - DD_WATCHER_LOCAL_IMGSET_NODE_DISPLAY_NAME=Node.js
+  - DD_WATCHER_LOCAL_IMGSET_NODE_DISPLAY_ICON=hl:node-js
+  - DD_WATCHER_LOCAL_IMGSET_NODE_LINK_TEMPLATE=https://github.com/nodejs/node/releases/tag/v$${major}.$${minor}.$${patch}
+```
+
+## n8n
+
+```yaml
+environment:
+  - DD_WATCHER_LOCAL_IMGSET_N8N_IMAGE=n8nio/n8n
+  - DD_WATCHER_LOCAL_IMGSET_N8N_TAG_INCLUDE=^\\d+\\.\\d+\\.\\d+$$
+  - DD_WATCHER_LOCAL_IMGSET_N8N_TAG_EXCLUDE=(alpha|beta|rc)
+  - DD_WATCHER_LOCAL_IMGSET_N8N_DISPLAY_NAME=n8n
+  - DD_WATCHER_LOCAL_IMGSET_N8N_DISPLAY_ICON=hl:n8n
+  - DD_WATCHER_LOCAL_IMGSET_N8N_LINK_TEMPLATE=https://github.com/n8n-io/n8n/releases/tag/n8n@$${major}.$${minor}.$${patch}
+```
+
+## AdGuard Home
+
+```yaml
+environment:
+  - DD_WATCHER_LOCAL_IMGSET_ADGUARDHOME_IMAGE=adguard/adguardhome
+  - DD_WATCHER_LOCAL_IMGSET_ADGUARDHOME_TAG_INCLUDE=^v?\\d+\\.\\d+\\.\\d+$$
+  - DD_WATCHER_LOCAL_IMGSET_ADGUARDHOME_TAG_EXCLUDE=(beta|rc)
+  - DD_WATCHER_LOCAL_IMGSET_ADGUARDHOME_DISPLAY_NAME=AdGuard Home
+  - DD_WATCHER_LOCAL_IMGSET_ADGUARDHOME_DISPLAY_ICON=hl:adguard-home
+  - DD_WATCHER_LOCAL_IMGSET_ADGUARDHOME_LINK_TEMPLATE=https://github.com/AdguardTeam/AdGuardHome/releases/tag/v$${major}.$${minor}.$${patch}
+```
diff --git a/content/docs/v1.4/configuration/webhooks/index.mdx b/content/docs/v1.4/configuration/webhooks/index.mdx
new file mode 100644
index 000000000..4381fdf67
--- /dev/null
+++ b/content/docs/v1.4/configuration/webhooks/index.mdx
@@ -0,0 +1,148 @@
+---
+title: "Webhooks"
+description: "Trigger container watches and updates from external systems like CI/CD pipelines."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+## Overview
+
+The webhook API lets external systems trigger container watches and updates. This is useful for CI/CD integration — after pushing a new image, your pipeline can tell drydock to check for updates immediately instead of waiting for the next scheduled watch cycle.
+
+## Configuration
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_SERVER_WEBHOOK_ENABLED` | ⚪ | Enable webhook endpoints | `true`, `false` | `false` |
+| `DD_SERVER_WEBHOOK_TOKEN` | ⚪ | Shared Bearer token used by all webhook endpoints (fallback token) | Any string | — |
+| `DD_SERVER_WEBHOOK_TOKENS_WATCHALL` | ⚪ | Endpoint-specific token for `POST /api/webhook/watch` | Any string | — |
+| `DD_SERVER_WEBHOOK_TOKENS_WATCH` | ⚪ | Endpoint-specific token for `POST /api/webhook/watch/:containerName` | Any string | — |
+| `DD_SERVER_WEBHOOK_TOKENS_UPDATE` | ⚪ | Endpoint-specific token for `POST /api/webhook/update/:containerName` | Any string | — |
+
+<Callout type="warn">Webhooks are disabled by default. Set `DD_SERVER_WEBHOOK_ENABLED=true` and provide at least one webhook token (`DD_SERVER_WEBHOOK_TOKEN` or any `DD_SERVER_WEBHOOK_TOKENS_*` value). Requests to endpoints without a configured token are rejected.</Callout>
+
+## Endpoints
+
+| Method | Endpoint | Description |
+| --- | --- | --- |
+| `POST` | `/api/webhook/watch` | Trigger a watch cycle on all watchers |
+| `POST` | `/api/webhook/watch/:containerName` | Watch a specific container by name |
+| `POST` | `/api/webhook/update/:containerName` | Trigger an update on a specific container |
+
+## Authentication
+
+All webhook requests require a Bearer token in the `Authorization` header:
+
+```text
+Authorization: Bearer your-token-here
+```
+
+Token selection rules:
+
+- If an endpoint-specific token (`DD_SERVER_WEBHOOK_TOKENS_*`) is set for that endpoint, it is required.
+- Otherwise, drydock falls back to `DD_SERVER_WEBHOOK_TOKEN`.
+
+## Rate limiting
+
+Webhook endpoints are rate-limited to **30 requests per 15-minute window** per client IP.
+
+## Per-container opt-out
+
+Individual containers can be excluded from webhook API calls using the `dd.webhook.enabled` label. When set to `false`, the `/api/webhook/watch/:containerName` and `/api/webhook/update/:containerName` endpoints return **403 Forbidden** for that container.
+
+```yaml
+services:
+  myapp:
+    image: myapp:latest
+    labels:
+      - dd.watch=true
+      - dd.webhook.enabled=false  # blocks webhook watch/update for this container
+```
+
+<Callout type="info">The `dd.webhook.enabled` label only affects per-container webhook endpoints. The global `POST /api/webhook/watch` endpoint (which triggers all watchers) is not affected.</Callout>
+
+<Callout type="info">Containers without this label default to `dd.webhook.enabled=true` — webhooks are allowed unless explicitly disabled.</Callout>
+
+## Audit logging
+
+All webhook calls are recorded in the [audit trail](/docs/monitoring) with action types `webhook-watch`, `webhook-watch-container`, and `webhook-update`, including success/error status and container details. A `dd_webhook_total` Prometheus counter tracks invocations by action type.
+
+## Examples
+
+### Watch all containers
+
+```bash
+curl -X POST https://drydock.example.com/api/webhook/watch \
+  -H "Authorization: Bearer your-token-here"
+```
+
+### Watch a specific container
+
+```bash
+curl -X POST https://drydock.example.com/api/webhook/watch/myapp \
+  -H "Authorization: Bearer your-token-here"
+```
+
+### Update a specific container
+
+```bash
+curl -X POST https://drydock.example.com/api/webhook/update/myapp \
+  -H "Authorization: Bearer your-token-here"
+```
+
+## CI/CD integration
+
+### GitHub Actions
+
+```yaml
+- name: Notify drydock
+  run: |
+    curl -X POST https://drydock.example.com/api/webhook/watch/myapp \
+      -H "Authorization: Bearer ${{ secrets.DRYDOCK_WEBHOOK_TOKEN }}"
+```
+
+### GitLab CI
+
+```yaml
+notify_drydock:
+  stage: deploy
+  script:
+    - curl -X POST https://drydock.example.com/api/webhook/watch/myapp
+        -H "Authorization: Bearer $DRYDOCK_WEBHOOK_TOKEN"
+```
+
+## Docker Compose example
+
+<Tabs items={["Docker Compose", "Docker"]}>
+<Tab value="Docker Compose">
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    environment:
+      - DD_SERVER_WEBHOOK_ENABLED=true
+      - DD_SERVER_WEBHOOK_TOKENS_WATCHALL=my-watchall-token
+      - DD_SERVER_WEBHOOK_TOKENS_WATCH=my-watch-token
+      - DD_SERVER_WEBHOOK_TOKENS_UPDATE=my-update-token
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    ports:
+      - "3000:3000"
+```
+
+</Tab>
+<Tab value="Docker">
+```bash
+docker run -d \
+  -e DD_SERVER_WEBHOOK_ENABLED=true \
+  -e DD_SERVER_WEBHOOK_TOKENS_WATCHALL=my-watchall-token \
+  -e DD_SERVER_WEBHOOK_TOKENS_WATCH=my-watch-token \
+  -e DD_SERVER_WEBHOOK_TOKENS_UPDATE=my-update-token \
+  -v /var/run/docker.sock:/var/run/docker.sock \
+  -p 3000:3000 \
+  codeswhat/drydock
+```
+</Tab>
+</Tabs>
diff --git a/content/docs/v1.4/configuration/webhooks/meta.json b/content/docs/v1.4/configuration/webhooks/meta.json
new file mode 100644
index 000000000..c7994cc96
--- /dev/null
+++ b/content/docs/v1.4/configuration/webhooks/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Webhooks",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/faq/index.mdx b/content/docs/v1.4/faq/index.mdx
new file mode 100644
index 000000000..5ae48d76d
--- /dev/null
+++ b/content/docs/v1.4/faq/index.mdx
@@ -0,0 +1,231 @@
+---
+title: "FAQ"
+description: "Frequently asked questions and common troubleshooting tips for drydock."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+
+## Socket permission errors (EACCES)
+
+Drydock runs as a non-root user by default. The entrypoint automatically detects the Docker socket GID and adds the `node` user to the matching group. If the socket is owned by GID 0 (root), the entrypoint refuses to start implicitly as root.
+
+**Recommended fix:** Use a [Docker socket proxy](/docs/configuration/watchers#option-1-socket-proxy-recommended) so drydock never needs direct socket access.
+
+**Break-glass override:** If you cannot use a socket proxy, set **both** environment variables:
+
+```yaml
+environment:
+  - DD_RUN_AS_ROOT=true
+  - DD_ALLOW_INSECURE_ROOT=true
+```
+
+Setting only `DD_RUN_AS_ROOT=true` without `DD_ALLOW_INSECURE_ROOT=true` will fail closed at startup. See [Docker Socket Security](/docs/configuration/watchers#docker-socket-security) for details.
+
+## Socket proxy connection refused (ECONNREFUSED)
+
+If you see repeated `Docker event stream connection failure (connect ECONNREFUSED ...)` messages when using a socket proxy like `tecnativa/docker-socket-proxy`, the proxy is not accepting connections. Common causes:
+
+1. **Read-only socket mount (`:ro`)** — Remove the `:ro` flag from the proxy's Docker socket volume mount. The `:ro` flag can prevent the proxy from connecting to the Docker daemon on some Linux kernels. The proxy's environment variables (`CONTAINERS=1`, `EVENTS=1`, etc.) are the actual security boundary, not the mount flag.
+
+2. **Startup ordering** — The proxy may not be ready when drydock tries to connect. Add a health check and `depends_on` condition:
+
+```yaml
+services:
+  drydock:
+    depends_on:
+      socket-proxy:
+        condition: service_healthy
+
+  socket-proxy:
+    healthcheck:
+      test: wget --spider http://localhost:2375/version || exit 1
+      interval: 5s
+      timeout: 3s
+      retries: 3
+      start_period: 5s
+```
+
+Drydock automatically retries with exponential backoff (1s → 30s max) and will recover once the proxy becomes available, but the health check prevents unnecessary retries during startup.
+
+## CSRF validation failed (403) behind a reverse proxy
+
+If you see `403 {"error":"CSRF validation failed"}` when clicking buttons like **Recheck for updates**, **Scan**, or any action that sends a POST/PUT/DELETE request, your reverse proxy setup is missing the `DD_SERVER_TRUSTPROXY` configuration.
+
+**Why this happens:** Drydock validates that the `Origin` header sent by your browser matches the server's own origin. Behind a TLS-terminating reverse proxy (Traefik, Nginx, Caddy, HAProxy, etc.), the internal connection to drydock uses plain HTTP. Without trust-proxy enabled, drydock thinks it is running on `http://` while your browser sends `Origin: https://...` — the mismatch triggers CSRF protection.
+
+**Fix:** Add `DD_SERVER_TRUSTPROXY` to your drydock environment:
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    environment:
+      - DD_SERVER_TRUSTPROXY=1  # Trust one proxy hop (Traefik, Nginx, etc.)
+```
+
+This tells drydock to read the `X-Forwarded-Proto` header from your proxy, so it correctly sees `https` as the protocol.
+
+<Callout type="info">
+Most reverse proxies (Traefik, Nginx, Caddy) set `X-Forwarded-Proto` automatically. If yours does not, add the header explicitly in your proxy configuration — for example, in Nginx: `proxy_set_header X-Forwarded-Proto $scheme;`
+</Callout>
+
+**Traefik example (complete):**
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    environment:
+      - DD_SERVER_TRUSTPROXY=1
+      # ... other DD_ variables ...
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.drydock.rule=Host(`drydock.example.com`)
+      - traefik.http.routers.drydock.entrypoints=websecure
+      - traefik.http.services.drydock.loadbalancer.server.port=3000
+```
+
+**Nginx example (proxy block):**
+
+```nginx
+location / {
+    proxy_pass http://drydock:3000;
+    proxy_set_header Host $http_host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Host $http_host;
+}
+```
+
+See [Server configuration](/docs/configuration/server#reverse-proxy-trust-proxy) for additional trust-proxy options.
+
+## OIDC callback fails or session lost after login
+
+If your OIDC callback redirects back to the login page or loses the session, the session cookie is likely being blocked by the browser's `SameSite` policy during the cross-origin IdP redirect.
+
+**Fix:** Set `DD_SERVER_COOKIE_SAMESITE=lax` (this is the default since v1.4.0). If you previously set it to `strict`, change it to `lax`:
+
+```yaml
+environment:
+  - DD_SERVER_COOKIE_SAMESITE=lax
+```
+
+Use `strict` only when your IdP is on the same domain as drydock. Use `lax` (default) for all cross-site IdP callback flows. See [Authentication](/docs/configuration/authentications) and [Server configuration](/docs/configuration/server) for details.
+
+## Dex logout only clears local session
+
+If you use Dex as OIDC provider, clicking logout may only end the drydock session and not the upstream IdP session. This is expected when no OIDC end-session URL is available.
+
+**Why:** Dex discovery metadata does not advertise `end_session_endpoint`, so drydock cannot auto-build an IdP logout redirect.
+
+**Options:**
+
+1. Accept local-session-only logout (default behavior).
+2. If your auth stack exposes a real logout URL in front of Dex, set `DD_AUTH_OIDC_DEX_LOGOUTURL=https://<your_logout_endpoint>`.
+
+See the [OIDC configuration guide](/docs/configuration/authentications/oidc#how-to-integrate-with-dex) for examples.
+
+## Registry auth failures (401/403)
+
+Token exchange is required for most registries, even for public images. Common causes:
+
+- **GHCR/LSCR:** If configured credentials are rejected with 401 or 403, drydock automatically retries the token request without credentials for public image checks. If you only pull public images, you may not need credentials at all.
+- **Docker Hub:** Anonymous access requires a token exchange with `https://auth.docker.io`. Ensure outbound HTTPS is not blocked.
+- **Quay:** Similar token exchange flow. Check that your token has `repo:read` scope.
+
+<Callout type="warn">Since v1.4.0, auth is **fail-closed**: if credentials are configured and the token exchange fails, drydock does **not** fall back to anonymous. This prevents silent degradation but means bad credentials will cause errors instead of silently downgrading. See [Fail-closed auth enforcement](/docs/configuration/authentications#fail-closed-auth-enforcement).</Callout>
+
+Check the drydock logs at `debug` level for the exact token exchange URL and response status.
+
+## DNS resolution failures (getaddrinfo EAI_AGAIN)
+
+If drydock logs show errors like `getaddrinfo EAI_AGAIN auth.docker.io` or `token request failed (getaddrinfo EAI_AGAIN ghcr.io)`, DNS resolution is failing inside the container even though the hosts are reachable via `ping`.
+
+**Why this happens:** Drydock runs on Alpine Linux, which uses musl libc instead of glibc. Musl's DNS resolver handles dual-stack (IPv4/IPv6) networks less robustly than glibc. On some hosts — particularly NixOS, certain Kubernetes setups, or systems with IPv6 enabled but not fully routable — DNS lookups return IPv6 records first and time out before falling back to IPv4.
+
+**Fix (default since v1.4.3):** Drydock now defaults to IPv4-first DNS ordering, which resolves this for most users. No action is needed unless you run in an IPv6-only environment.
+
+If you need to change the DNS behavior, set `DD_DNS_MODE`:
+
+| Value | Behavior |
+| --- | --- |
+| `ipv4first` | IPv4 addresses tried first (default) |
+| `ipv6first` | IPv6 addresses tried first |
+| `verbatim` | Use OS resolver order (Node.js default, may trigger the bug on Alpine) |
+
+```yaml
+environment:
+  - DD_DNS_MODE=verbatim  # Only set this if you need IPv6-first or OS-native ordering
+```
+
+<Callout type="info">This setting calls Node.js `dns.setDefaultResultOrder()` at startup and affects all outbound connections (registry checks, trigger webhooks, agent communication).</Callout>
+
+## Container shows "update available" but it is wrong (tag family mismatch)
+
+This usually happens when the registry has tags from different naming families (e.g. `5.1.4` and `20.04.1` for Ubuntu, or `18-alpine` vs `18.20.1`). Drydock may pick a higher semver tag from a different family.
+
+Since v1.4.0, **tag family detection** (`dd.tag.family`) defaults to `strict`, which infers the current tag's prefix, suffix, and segment structure and only considers candidates within the same family.
+
+If you still see cross-family false positives, verify that your `dd.tag.include` regex is specific enough. If you intentionally want cross-family updates (e.g. you want to jump from one naming scheme to another), set:
+
+```yaml
+labels:
+  - dd.tag.family=loose
+```
+
+See [Docker Watchers](/docs/configuration/watchers#labels) for the full label reference.
+
+## Log output format (JSON vs pretty)
+
+Drydock log behavior is controlled by environment variables:
+
+| Variable | Values | Default |
+| --- | --- | --- |
+| `DD_LOG_LEVEL` | `fatal`, `error`, `warn`, `info`, `debug`, `trace` | `info` |
+| `DD_LOG_FORMAT` | `text`, `json` | `json` |
+| `DD_LOG_BUFFER_ENABLED` | `true`, `false` | `true` |
+
+The official image defaults to `DD_LOG_FORMAT=json` for structured output suitable for log aggregators like Elasticsearch or Loki. Set `DD_LOG_FORMAT=text` if you prefer pretty logs.
+Set `DD_LOG_BUFFER_ENABLED=false` to disable the in-memory application log ring buffer used by `/api/log/entries` and the UI log viewer.
+See [Logs](/docs/configuration/logs) for examples.
+
+## Trivy or Cosign not found errors
+
+Since v1.4.0, drydock ships a **single image** that bundles both Trivy and Cosign. If you see "not found" errors, you are likely running a custom or older image that does not include them.
+
+Verify tool availability at runtime via the API:
+
+```bash
+curl http://drydock:3000/api/server/security/runtime
+```
+
+If you build a custom image, ensure Trivy and Cosign are installed in your Dockerfile. See [Security](/docs/configuration/security) for scanning configuration.
+
+## Self-update leaves container stopped
+
+Drydock updates itself using a **helper container pattern**: it renames the old container, creates a new one with the updated image, then spawns a short-lived helper container that stops the old container, starts the new one, and removes the old one on success. If the new container fails to start, the helper restarts the old container as a fallback.
+
+For this to work:
+
+- The Docker socket must be bind-mounted at `/var/run/docker.sock`
+- The Docker trigger must be enabled
+- Drydock must be able to create temporary helper containers
+
+If the container ends up stopped, check `docker logs drydock-old-*` for the helper container output. See [Self-Update](/docs/configuration/self-update) for the full sequence.
+
+## Legacy WUD environment variables or labels
+
+Drydock accepts legacy `WUD_*` environment variables and `wud.*` container labels as fallback, but emits deprecation warnings when they are used. Each legacy fallback increments the `dd_legacy_input_total{source,key}` Prometheus counter.
+
+To convert your configuration in place, use the built-in migration CLI:
+
+```bash
+# Preview changes without writing
+docker exec drydock node dist/index.js config migrate --dry-run
+
+# Apply migration to a specific file
+docker exec drydock node dist/index.js config migrate --file /path/to/compose.yml
+```
+
+See the [Quick start](/docs/quickstart) for the recommended `DD_*` / `dd.*` configuration format.
diff --git a/content/docs/v1.4/faq/meta.json b/content/docs/v1.4/faq/meta.json
new file mode 100644
index 000000000..7f90a5533
--- /dev/null
+++ b/content/docs/v1.4/faq/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "FAQ",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/getting-started/index.mdx b/content/docs/v1.4/getting-started/index.mdx
new file mode 100644
index 000000000..58977e73c
--- /dev/null
+++ b/content/docs/v1.4/getting-started/index.mdx
@@ -0,0 +1,430 @@
+---
+title: "Getting started"
+description: "A step-by-step walkthrough for configuring Drydock after your first deploy — from watching containers to notifications and auto-updates."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+import { Step, Steps } from 'fumadocs-ui/components/steps';
+
+This guide picks up where the [Quick Start](/docs/quickstart) left off. You have Drydock running, you can see containers in the UI — now what?
+
+The guide walks through each decision in order, from "what should I watch?" to "notify me on Slack" to "auto-update my containers." Skip any section that doesn't apply to your setup.
+
+<Steps>
+<Step>
+
+## Decide what to watch
+
+By default, Drydock watches **every running container** on the Docker host. That's fine for small setups, but you'll probably want to narrow it down.
+
+### Option A: Watch everything, exclude a few
+
+Add `dd.watch=false` to containers you want to ignore:
+
+```yaml
+services:
+  database:
+    image: postgres:16
+    labels:
+      - dd.watch=false  # don't monitor this one
+```
+
+### Option B: Opt-in only
+
+Set the watcher to require explicit opt-in, then label the containers you want monitored:
+
+```yaml
+# Drydock environment
+DD_WATCHER_LOCAL_WATCHBYDEFAULT=false
+```
+
+```yaml
+# Your application stack
+services:
+  my-app:
+    image: myorg/my-app:1.5.0
+    labels:
+      - dd.watch=true
+```
+
+This is useful on hosts with many infrastructure containers (databases, proxies, caches) where you only care about a few application images.
+
+**Docs:** [Watchers configuration](/docs/configuration/watchers)
+
+</Step>
+<Step>
+
+## Filter which tags matter
+
+Drydock compares your running tag against all tags in the registry. Without filters, you'll get noise — `linux-amd64` variants, nightly builds, release candidates. Tag filters solve this.
+
+### Include pattern
+
+Only match tags that look like your current naming:
+
+```yaml
+labels:
+  - dd.tag.include=^\d+\.\d+\.\d+$          # semver only: 1.2.3
+  - dd.tag.include=^\d+\.\d+\.\d+-alpine$    # semver + alpine suffix
+  - dd.tag.include=^v\d+\.\d+\.\d+$          # semver with v prefix: v1.2.3
+```
+
+### Exclude pattern
+
+Remove known noise:
+
+```yaml
+labels:
+  - dd.tag.exclude=.*-rc\d*$    # exclude release candidates
+  - dd.tag.exclude=.*-beta.*    # exclude beta tags
+```
+
+### Transform pattern
+
+Normalize tags before comparison (useful when a registry uses inconsistent naming):
+
+```yaml
+labels:
+  - "dd.tag.transform=^v(.*) => $1"   # strip leading v for comparison
+```
+
+All patterns use [RE2 syntax](https://github.com/google/re2/wiki/Syntax) (linear-time, immune to ReDoS).
+
+**Docs:** [Tag filtering](/docs/configuration/watchers#tag-filtering)
+
+</Step>
+<Step>
+
+## Connect private registries
+
+Docker Hub public images work out of the box. For private registries, add credentials:
+
+<Tabs items={["Docker Hub (private)", "GHCR", "ECR", "Self-hosted"]}>
+<Tab value="Docker Hub (private)">
+
+```yaml
+environment:
+  - DD_REGISTRY_HUB_PRIVATE_LOGIN=myuser
+  - DD_REGISTRY_HUB_PRIVATE_TOKEN=dckr_pat_xxxxx
+```
+
+</Tab>
+<Tab value="GHCR">
+```yaml
+environment:
+  - DD_REGISTRY_GHCR_PRIVATE_TOKEN=ghp_xxxxx
+```
+</Tab>
+<Tab value="ECR">
+```yaml
+environment:
+  - DD_REGISTRY_ECR_PRIVATE_ACCESSKEYID=AKIA...
+  - DD_REGISTRY_ECR_PRIVATE_SECRETACCESSKEY=xxxxx
+  - DD_REGISTRY_ECR_PRIVATE_REGION=us-east-1
+```
+</Tab>
+<Tab value="Self-hosted">
+```yaml
+environment:
+  - DD_REGISTRY_CUSTOM_MYREGISTRY_URL=https://registry.example.com
+  - DD_REGISTRY_CUSTOM_MYREGISTRY_LOGIN=myuser
+  - DD_REGISTRY_CUSTOM_MYREGISTRY_PASSWORD=xxxxx
+```
+</Tab>
+</Tabs>
+
+The registry name (e.g., `PRIVATE`, `MYREGISTRY`) is just a label — pick whatever makes sense to you. You can configure multiple registries of the same type with different names.
+
+**Docs:** [Registries configuration](/docs/configuration/registries)
+
+</Step>
+<Step>
+
+## Set up notifications
+
+Drydock can notify you when updates are available. Add one or more notification triggers:
+
+<Tabs items={["Slack", "Discord", "Email (SMTP)", "ntfy", "Other"]}>
+<Tab value="Slack">
+
+```yaml
+environment:
+  - DD_TRIGGER_SLACK_ALERTS_TOKEN=xoxb-xxxxx
+  - DD_TRIGGER_SLACK_ALERTS_CHANNEL=#docker-updates
+```
+
+</Tab>
+<Tab value="Discord">
+```yaml
+environment:
+  - DD_TRIGGER_DISCORD_ALERTS_URL=https://discord.com/api/webhooks/xxxxx
+```
+</Tab>
+<Tab value="Email (SMTP)">
+```yaml
+environment:
+  - DD_TRIGGER_SMTP_ALERTS_HOST=smtp.gmail.com
+  - DD_TRIGGER_SMTP_ALERTS_PORT=465
+  - DD_TRIGGER_SMTP_ALERTS_FROM=drydock@example.com
+  - DD_TRIGGER_SMTP_ALERTS_TO=admin@example.com
+  - DD_TRIGGER_SMTP_ALERTS_USER=drydock@example.com
+  - DD_TRIGGER_SMTP_ALERTS_PASS=xxxxx
+```
+</Tab>
+<Tab value="ntfy">
+```yaml
+environment:
+  - DD_TRIGGER_NTFY_ALERTS_TOPIC=drydock-updates
+```
+
+Uses `https://ntfy.sh` by default. Set `DD_TRIGGER_NTFY_ALERTS_URL` for a self-hosted instance.
+</Tab>
+<Tab value="Other">
+Drydock supports 20+ notification services. See the [Triggers configuration](/docs/configuration/triggers) page for all options including Telegram, Teams, Matrix, Gotify, Pushover, Apprise, IFTTT, HTTP webhooks, Kafka, MQTT, and more.
+</Tab>
+</Tabs>
+
+### Filtering by severity
+
+By default, triggers fire on every detected update. Use `THRESHOLD` to only notify on significant changes:
+
+| Threshold | Fires on |
+|-----------|----------|
+| `all` (default) | Every update |
+| `major` | Major, minor, or patch semver changes (not digest-only) |
+| `minor` | Minor, patch, or prerelease changes |
+| `patch` | Patch or prerelease changes |
+| `digest` | Digest-only updates |
+
+```yaml
+environment:
+  - DD_TRIGGER_SLACK_ALERTS_TOKEN=xoxb-xxxxx
+  - DD_TRIGGER_SLACK_ALERTS_CHANNEL=#docker-updates
+  - DD_TRIGGER_SLACK_ALERTS_THRESHOLD=minor  # skip digest-only and major bumps
+```
+
+**Docs:** [Triggers configuration](/docs/configuration/triggers)
+
+</Step>
+<Step>
+
+## Enable auto-updates (optional)
+
+<Callout type="warn">Auto-updates modify running containers. Start with `DRYRUN=true` to preview what would happen before enabling real updates.</Callout>
+
+Drydock can pull new images and recreate containers automatically. The trigger type depends on how your containers are deployed:
+
+### Standalone containers (docker run)
+
+```yaml
+environment:
+  - DD_TRIGGER_DOCKER_LOCAL_PRUNE=true      # clean up old images
+  - DD_TRIGGER_DOCKER_LOCAL_DRYRUN=true     # preview only — remove when ready
+```
+
+When you click **Update** in the UI (or an auto-trigger fires), Drydock will:
+
+1. Pull the new image
+2. Rename the running container
+3. Create a new container with the original name and settings
+4. Start the new container
+5. Remove the old one (and old image if `PRUNE=true`)
+
+### Compose-managed containers
+
+```yaml
+environment:
+  - DD_TRIGGER_DOCKERCOMPOSE_MYSTACK_FILE=/compose/my-stack.yml
+  - DD_TRIGGER_DOCKERCOMPOSE_MYSTACK_DRYRUN=true  # preview only
+volumes:
+  - /path/to/my-stack/compose.yml:/compose/my-stack.yml  # must be writable
+```
+
+The compose trigger patches the image tag in your compose file and runs `docker compose up -d <service>`, preserving all compose dependencies, networks, and environment.
+
+<Callout type="warn">The compose file must be mounted **writable** (no `:ro`) — Drydock writes the updated image tag back to it.</Callout>
+
+### Both at the same time
+
+You can run both triggers simultaneously. Drydock auto-associates:
+
+- **Compose trigger** → containers with compose labels matching the configured file
+- **Docker trigger** → everything else
+
+```yaml
+environment:
+  - DD_TRIGGER_DOCKER_LOCAL_PRUNE=true
+  - DD_TRIGGER_DOCKERCOMPOSE_STACK_FILE=/compose/stack.yml
+volumes:
+  - /path/to/stack/compose.yml:/compose/stack.yml
+```
+
+**Docs:** [Docker trigger](/docs/configuration/triggers/docker) | [Docker Compose trigger](/docs/configuration/triggers/docker-compose)
+
+</Step>
+<Step>
+
+## Add safety features (recommended)
+
+Before enabling auto-updates in production, consider these safety layers:
+
+### Image backup and rollback
+
+Enabled by default when using the Docker trigger. Drydock keeps the previous image so you can one-click rollback from the UI. Configure how many backups to keep:
+
+```yaml
+environment:
+  - DD_TRIGGER_DOCKER_LOCAL_BACKUPCOUNT=3
+```
+
+### Auto-rollback on failure
+
+If a container fails its health check after an update, Drydock can automatically roll back:
+
+```yaml
+labels:
+  - dd.rollback.auto=true
+```
+
+Requires a `healthcheck` defined on the container.
+
+### Maintenance windows
+
+Restrict when auto-updates can run:
+
+```yaml
+environment:
+  - DD_WATCHER_LOCAL_MAINTENANCE_WINDOW=0 2-6 * * *   # 2am–6am daily
+  - DD_WATCHER_LOCAL_MAINTENANCE_WINDOW_TZ=America/New_York
+```
+
+Updates detected outside the window are queued and applied when it opens.
+
+### Lifecycle hooks
+
+Run commands before or after an update (database backups, cache flushes, health checks):
+
+```yaml
+labels:
+  - dd.hook.pre=docker exec mydb pg_dump -U postgres mydb > /backup/pre-update.sql
+  - dd.hook.post=curl -s http://healthcheck.example.com/ping
+```
+
+### Vulnerability scanning (Update Bouncer)
+
+Block updates that introduce critical CVEs:
+
+```yaml
+environment:
+  - DD_SECURITY_SCANNER=trivy
+  - DD_SECURITY_BLOCK_SEVERITY=CRITICAL,HIGH
+```
+
+**Docs:** [Backup & rollback](/docs/configuration/rollback) | [Lifecycle hooks](/docs/configuration/hooks) | [Update Bouncer](/docs/configuration/security)
+
+</Step>
+<Step>
+
+## Multi-host monitoring (optional)
+
+If you have containers on multiple Docker hosts, deploy Drydock agents on remote hosts that report back to the central controller:
+
+**Controller** (main instance — runs the UI and API):
+
+```yaml
+environment:
+  - DD_AGENT_CONTROLLER_TOKEN=a-secure-shared-token
+```
+
+**Agent** (remote host — lightweight, no UI):
+
+```yaml
+services:
+  drydock-agent:
+    image: codeswhat/drydock
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+      - DD_AGENT_MODE=agent
+      - DD_AGENT_CONTROLLER_URL=https://drydock.example.com
+      - DD_AGENT_CONTROLLER_TOKEN=a-secure-shared-token
+```
+
+Agents forward container state to the controller. Triggers (both notifications and updates) execute on the agent, allowing remote container updates.
+
+**Docs:** [Agents configuration](/docs/configuration/agents)
+
+</Step>
+</Steps>
+
+## Putting it all together
+
+Here's a complete single-host setup with notifications, auto-updates, and safety features:
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    container_name: drydock
+    depends_on:
+      socket-proxy:
+        condition: service_healthy
+    volumes:
+      - /opt/drydock/store:/store
+      - /path/to/my-stack/compose.yml:/compose/stack.yml
+    environment:
+      # Watcher
+      - DD_WATCHER_LOCAL_HOST=socket-proxy
+      - DD_WATCHER_LOCAL_PORT=2375
+      - DD_WATCHER_LOCAL_CRON=0 */6 * * *
+      - DD_WATCHER_LOCAL_MAINTENANCE_WINDOW=0 2-6 * * *
+
+      # Auth
+      - DD_AUTH_BASIC_ADMIN_USER=admin
+      - DD_AUTH_BASIC_ADMIN_HASH__FILE=/run/secrets/admin_hash
+
+      # Notifications
+      - DD_TRIGGER_SLACK_ALERTS_TOKEN=xoxb-xxxxx
+      - DD_TRIGGER_SLACK_ALERTS_CHANNEL=#docker-updates
+
+      # Auto-updates
+      - DD_TRIGGER_DOCKER_LOCAL_PRUNE=true
+      - DD_TRIGGER_DOCKERCOMPOSE_STACK_FILE=/compose/stack.yml
+
+      # Security
+      - DD_SECURITY_SCANNER=trivy
+      - DD_SECURITY_BLOCK_SEVERITY=CRITICAL,HIGH
+    ports:
+      - 3000:3000
+    secrets:
+      - admin_hash
+
+  socket-proxy:
+    image: tecnativa/docker-socket-proxy
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+      - CONTAINERS=1
+      - IMAGES=1
+      - EVENTS=1
+      - POST=1
+      - NETWORKS=1
+    healthcheck:
+      test: wget --spider http://localhost:2375/version || exit 1
+      interval: 5s
+      timeout: 3s
+      retries: 3
+      start_period: 5s
+
+secrets:
+  admin_hash:
+    file: ./secrets/admin_hash.txt
+```
+
+## What to explore next
+
+- [**Monitoring**](/docs/monitoring) — Prometheus metrics and Grafana dashboards
+- [**REST API**](/docs/api) — automate everything via the API
+- [**Webhooks**](/docs/configuration/webhooks) — trigger scans from CI/CD pipelines
+- [**FAQ**](/docs/faq) — common questions and troubleshooting
diff --git a/content/docs/v1.4/getting-started/meta.json b/content/docs/v1.4/getting-started/meta.json
new file mode 100644
index 000000000..ba9336fa1
--- /dev/null
+++ b/content/docs/v1.4/getting-started/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Getting started",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/index.mdx b/content/docs/v1.4/index.mdx
new file mode 100644
index 000000000..0792752ef
--- /dev/null
+++ b/content/docs/v1.4/index.mdx
@@ -0,0 +1,56 @@
+---
+title: "Introduction"
+description: "Open source container update monitoring built in TypeScript. Auto-discover containers, detect image updates across 23 registries, and trigger notifications via 20+ services."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+
+Drydock monitors your Docker containers for image updates. It auto-discovers running containers, checks 23 registries for new versions, and triggers notifications or automated updates via 20+ services.
+
+## 🔍 How it works
+
+🐳 **Watchers** scan Docker hosts to discover containers to monitor.
+
+📦 **Registries** query remote Docker registries to find update candidates.
+
+⚡ **Triggers** perform actions when updates are available — notify, update, or run custom scripts.
+
+## ✨ Key features
+
+- 🔎 Auto-discovery of running containers
+- 📦 23 registry integrations (Docker Hub, GHCR, ECR, GCR, GAR, GitLab, Quay, and more)
+- 🔔 20+ trigger types (Slack, Discord, Telegram, SMTP, webhooks, Docker auto-update, and more)
+- 🧪 Dry-run preview before applying updates
+- 💾 Image backup and one-click rollback
+- 🔄 Auto-rollback on health check failure
+- 🪝 Pre/post-update lifecycle hooks
+- 🔁 Graceful self-update
+- 🌐 Distributed agents for remote Docker hosts
+- 📊 Prometheus metrics and Grafana dashboard
+- 🔐 OIDC authentication support
+- 🛡️ Update Bouncer — vulnerability scanning, signature verification, and SBOM
+- 🛠️ Full REST API, webhooks, and audit log
+
+## 🚀 Quick start
+
+```bash
+docker run -d --name drydock \
+  -v /var/run/docker.sock:/var/run/docker.sock \
+  -p 3000:3000 \
+  codeswhat/drydock
+```
+
+<Callout type="warn">
+Direct socket access grants the container full control over the Docker daemon. See the [Quick Start guide](/docs/quickstart) for the recommended **socket proxy** setup and other [secure connection options](/docs/configuration/watchers#docker-socket-security).
+</Callout>
+
+## 📚 Next steps
+
+- [Getting started guide](/docs/getting-started) — step-by-step walkthrough from watching to notifications to auto-updates
+- [Configure registries](/docs/configuration/registries) — set up private image access
+- [Set up triggers](/docs/configuration/triggers) — enable notifications and auto-updates
+- [Configure webhooks](/docs/configuration/webhooks) — integrate with CI/CD pipelines
+- [Lifecycle hooks](/docs/configuration/hooks) — run commands before and after updates
+- [Backup & rollback](/docs/configuration/rollback) — automatic backups and one-click restore
+- [Enable authentication](/docs/configuration/authentications) — secure your instance
+- [Monitor with Prometheus](/docs/monitoring) — add observability
diff --git a/content/docs/v1.4/meta.json b/content/docs/v1.4/meta.json
new file mode 100644
index 000000000..aede77a04
--- /dev/null
+++ b/content/docs/v1.4/meta.json
@@ -0,0 +1,15 @@
+{
+  "title": "v1.4",
+  "pages": [
+    "index",
+    "quickstart",
+    "getting-started",
+    "configuration",
+    "updates",
+    "api",
+    "monitoring",
+    "faq",
+    "changelog"
+  ],
+  "root": true
+}
diff --git a/content/docs/v1.4/monitoring/index.mdx b/content/docs/v1.4/monitoring/index.mdx
new file mode 100644
index 000000000..bc1551477
--- /dev/null
+++ b/content/docs/v1.4/monitoring/index.mdx
@@ -0,0 +1,347 @@
+---
+title: "Monitoring"
+description: "drydock exposes an endpoint to check the service healthiness."
+---
+
+## HealthCheck
+
+drydock exposes an endpoint to check the service healthiness.
+
+### HealthCheck Endpoint
+
+The healthiness is exposed at [/health](http://localhost:3000/health).
+
+If the application is healthy, the Http Response Status Code is `200` (`500` otherwise).
+
+### Example
+
+```json
+{
+  "uptime": 123
+}
+```
+
+You can use it to configure health checks performed by your container orchestrator, for example:
+
+```yaml
+services:
+
+  drydock:
+    image: codeswhat/drydock:latest
+    ...
+    healthcheck:
+      test: curl --fail http://localhost:${DD_SERVER_PORT:-3000}/health || exit 1
+      interval: 10s
+      timeout: 10s
+      retries: 3
+      start_period: 10s
+```
+
+## Prometheus metrics
+
+![logo](/docs/assets/monitoring/prometheus.png)
+
+drydock exposes various metrics that [Prometheus](https://prometheus.io/) can scrape.
+
+### Variables
+
+| Env var | Required | Description | Supported values | Default value when missing |
+| --- | :---: | --- | --- | --- |
+| `DD_PROMETHEUS_ENABLED` | ⚪ | Enable Prometheus metrics endpoint at `/metrics` | `true`, `false` | `true` |
+
+### Metrics Endpoint
+
+The metrics are exposed at [/metrics](http://localhost:3000/metrics).
+
+By default, `/metrics` requires authentication when API auth is enabled.  
+To expose metrics without app authentication (for local Prometheus scrapes), set:
+
+```yaml
+environment:
+  - DD_SERVER_METRICS_AUTH=false
+```
+
+### Metrics
+
+#### drydock specific metrics
+
+```bash
+
+# HELP dd_containers The watched containers
+# TYPE dd_containers gauge
+dd_containers{id="8a787a1bb3fdf9cfcfc3fe73abcb714655b6232049b9b61c31252b1df59066d8",name="homeassistant",watcher="local",include_tags="^\\d+\\.\\d+.\\d+$",image_id="sha256:d4a6fafb7d4da37495e5c9be3242590be24a87d7edcc4f79761098889c54fca6",image_registry_url="https://registry-1.docker.io/v2",image_registry_name="hub",image_name="homeassistant/home-assistant",image_tag_value="2021.6.4",image_tag_semver="true",image_digest_watch="false",image_digest_repo="sha256:ca0edc3fb0b4647963629bdfccbb3ccfa352184b45a9b4145832000c2878dd72",image_architecture="amd64",image_os="linux",image_created="2021-06-12T05:33:38.440Z",result_tag="2021.6.5",update_available="true"} 1
+dd_containers{id="f653ec203d78d36b087c537226589e48f8af4a0899488c0d6a9e0beacbe9604e",name="nginx",watcher="local",image_id="sha256:d1a364dc548d5357f0da3268c888e1971bbdb957ee3f028fe7194f1d61c6fdee",image_registry_url="https://registry-1.docker.io/v2",image_registry_name="hub",image_name="library/nginx",image_tag_value="latest",image_tag_semver="false",image_digest_watch="true",image_digest_repo="sha256:6d75c99af15565a301e48297fa2d121e15d80ad526f8369c526324f0f7ccb750",image_digest_value="sha256:61191087790c31e43eb37caa10de1135b002f10c09fdda7fa8a5989db74033aa",image_architecture="amd64",image_os="linux",image_created="2021-05-25T15:43:43.382Z",result_tag="latest",result_digest="sha256:61191087790c31e43eb37caa10de1135b002f10c09fdda7fa8a5989db74033aa",update_available="false"} 1
+dd_containers{id="0ca61f4adc859eb9cbb90bfb1b66bae0c78451c364df9b84a1859006da03d7dc",name="pihole",watcher="local",include_tags="^\\d+\\.\\d+.\\d+$",exclude_tags="undefined",image_id="sha256:eb777ee00e0c6ea00a2bbdc273a06b57acf232a4fd5495ce70ab94346550cea0",image_registry_url="https://registry-1.docker.io/v2",image_registry_name="hub",image_name="pihole/pihole",image_tag_value="v5.7",image_tag_semver="true",image_digest_watch="false",image_digest_repo="sha256:3a39992f3e0879a4705d87d0b059513af0749e6ea2579744653fe54ceae360a0",image_architecture="amd64",image_os="linux",image_variant="undefined",image_created="2021-02-16T23:37:05.436Z",result_tag="v5.7",update_available="false"} 1
+dd_containers{id="387ef114a1096a16e643058793ce86cee3e062586907bc5b9f8b1d62b1aad42f",name="portainer",watcher="local",include_tags="^\\d+\\.\\d+.\\d+-alpine$",image_id="sha256:ae2a1948dd22ecbee4aac30564064416ace33629cf3028598d4e132d9c091fd0",image_registry_url="https://registry-1.docker.io/v2",image_registry_name="hub",image_name="portainer/portainer-ce",image_tag_value="2.5.0-alpine",image_tag_semver="true",image_digest_watch="false",image_digest_repo="sha256:e73d6096d4ef9d6f1d88df821ac3ec99cb2227d7778b123b1f417e18d2d013c8",image_architecture="amd64",image_os="linux",image_created="2021-05-23T21:04:34.891Z",result_tag="2.5.1-alpine",update_available="true"} 1
+dd_containers{id="ee084217c982f67255e438020128312be1f41ccad5af5c572d8c913cd10e1f66",name="pyload",watcher="local",include_tags="^latest$",exclude_tags="undefined",image_id="sha256:dd54794e01d18d33f8efb3eef99774d915e307e1508987bb999fdb0f8d33019e",image_registry_url="https://registry-1.docker.io/v2",image_registry_name="hub",image_name="writl/pyload",image_tag_value="latest",image_tag_semver="false",image_digest_watch="false",image_digest_repo="sha256:55a0efec296fae88c5fa21dfbda3bfc51635ee1c824e41c4f866fc42b9f42a15",image_architecture="amd64",image_os="linux",image_variant="undefined",image_created="2021-01-10T18:07:48.691Z",result_tag="latest",update_available="false"} 1
+dd_containers{id="8baa7e6537b4a2c477bbc49ad1b0efa6bd1484a2c6ecdd7284f370df6f39eb75",name="traefik",watcher="local",include_tags="^\\d+\\.\\d+.\\d+$",exclude_tags="undefined",image_id="sha256:da4c4921aee8ad7a7f66870bb726a8fa4d18f9b0b927ab1ef572e06be5241d65",image_registry_url="https://registry-1.docker.io/v2",image_registry_name="hub",image_name="library/traefik",image_tag_value="2.4.5",image_tag_semver="true",image_digest_watch="false",image_digest_repo="sha256:062dff1b5c54845f34147e04a251a645f3a5318c42da7127bf25a6e0d3c6e4d5",image_architecture="amd64",image_os="linux",image_variant="undefined",image_created="2021-02-25T03:23:47.339Z",result_tag="2.4.8",update_available="true"} 1
+
+# HELP dd_registry_response The Registry response time (in second)
+# TYPE dd_registry_response summary
+dd_registry_response{quantile="0.01",type="hub",name="hub"} 0.628
+dd_registry_response{quantile="0.05",type="hub",name="hub"} 0.6284
+dd_registry_response{quantile="0.5",type="hub",name="hub"} 0.863
+dd_registry_response{quantile="0.9",type="hub",name="hub"} 1.0332999999999999
+dd_registry_response{quantile="0.95",type="hub",name="hub"} 1.0444
+dd_registry_response{quantile="0.99",type="hub",name="hub"} 1.046
+dd_registry_response{quantile="0.999",type="hub",name="hub"} 1.046
+dd_registry_response_sum{type="hub",name="hub"} 14.61
+dd_registry_response_count{type="hub",name="hub"} 18
+
+# HELP dd_trigger_count Total count of trigger events
+# TYPE dd_trigger_count counter
+dd_trigger_count{type="mock",name="example",status="success"} 1
+
+# HELP dd_watcher_total The number of watched containers
+# TYPE dd_watcher_total gauge
+dd_watcher_total{type="docker",name="local"} 6
+
+# HELP dd_watcher_logger_init_failures_total The number of watcher logger initialization failures
+# TYPE dd_watcher_logger_init_failures_total counter
+dd_watcher_logger_init_failures_total{type="docker",name="local"} 0
+
+# HELP dd_legacy_input_total Total number of legacy compatibility fallbacks consumed
+# TYPE dd_legacy_input_total counter
+dd_legacy_input_total{source="env",key="WUD_SERVER_PORT"} 1
+dd_legacy_input_total{source="label",key="wud.watch"} 3
+
+# HELP dd_watcher_maintenance_skip_total The number of watch cycles skipped due to maintenance window
+# TYPE dd_watcher_maintenance_skip_total counter
+dd_watcher_maintenance_skip_total{type="docker",name="local"} 0
+
+# HELP dd_webhook_total Total count of webhook operations
+# TYPE dd_webhook_total counter
+dd_webhook_total{action="watch"} 1
+
+# HELP dd_audit_entries_total Total count of audit log entries
+# TYPE dd_audit_entries_total counter
+dd_audit_entries_total{action="update"} 3
+
+# HELP dd_container_actions_total Total count of container action operations
+# TYPE dd_container_actions_total counter
+dd_container_actions_total{action="start"} 1
+
+# HELP dd_trigger_rollback_total Total count of trigger rollback outcomes
+# TYPE dd_trigger_rollback_total counter
+dd_trigger_rollback_total{type="docker",name="local",outcome="success",reason="manual"} 1
+```
+
+When a watcher logger cannot be initialized, drydock falls back to structured stderr JSON logs and increments `dd_watcher_logger_init_failures_total`.
+
+`dd_legacy_input_total` tracks local fallback usage of legacy `WUD_*` env vars and `wud.*` labels so you can monitor migration progress in your own Prometheus/Grafana stack. No data is sent to external services.
+
+### Audit timeline event coverage
+
+Use the audit API (`/api/audit`) and Audit UI view to track runtime events alongside metrics. Current event coverage includes:
+
+- `security-alert` when security scans detect high/critical issues.
+- `agent-disconnect` when a connected agent transitions to disconnected state.
+
+#### Standard process metrics
+
+```bash
+# HELP process_cpu_user_seconds_total Total user CPU time spent in seconds.
+# TYPE process_cpu_user_seconds_total counter
+process_cpu_user_seconds_total 0.43806500000000004
+
+# HELP process_cpu_system_seconds_total Total system CPU time spent in seconds.
+# TYPE process_cpu_system_seconds_total counter
+process_cpu_system_seconds_total 0.049822
+
+# HELP process_cpu_seconds_total Total user and system CPU time spent in seconds.
+# TYPE process_cpu_seconds_total counter
+process_cpu_seconds_total 0.48788699999999996
+
+# HELP process_start_time_seconds Start time of the process since unix epoch in seconds.
+# TYPE process_start_time_seconds gauge
+process_start_time_seconds 1601627305
+
+# HELP process_resident_memory_bytes Resident memory size in bytes.
+# TYPE process_resident_memory_bytes gauge
+process_resident_memory_bytes 74395648
+
+# HELP process_virtual_memory_bytes Virtual memory size in bytes.
+# TYPE process_virtual_memory_bytes gauge
+process_virtual_memory_bytes 950431744
+
+# HELP process_heap_bytes Process heap size in bytes.
+# TYPE process_heap_bytes gauge
+process_heap_bytes 116568064
+
+# HELP process_open_fds Number of open file descriptors.
+# TYPE process_open_fds gauge
+process_open_fds 22
+
+# HELP process_max_fds Maximum number of open file descriptors.
+# TYPE process_max_fds gauge
+process_max_fds 1048576
+```
+
+#### Standard Node.js metrics
+
+```bash
+# HELP nodejs_eventloop_lag_seconds Lag of event loop in seconds.
+# TYPE nodejs_eventloop_lag_seconds gauge
+nodejs_eventloop_lag_seconds 0.013967205
+
+# HELP nodejs_eventloop_lag_min_seconds The minimum recorded event loop delay.
+# TYPE nodejs_eventloop_lag_min_seconds gauge
+nodejs_eventloop_lag_min_seconds 0.000086912
+
+# HELP nodejs_eventloop_lag_max_seconds The maximum recorded event loop delay.
+# TYPE nodejs_eventloop_lag_max_seconds gauge
+nodejs_eventloop_lag_max_seconds 0.508821503
+
+# HELP nodejs_eventloop_lag_mean_seconds The mean of the recorded event loop delays.
+# TYPE nodejs_eventloop_lag_mean_seconds gauge
+nodejs_eventloop_lag_mean_seconds 0.012621618267074414
+
+# HELP nodejs_eventloop_lag_stddev_seconds The standard deviation of the recorded event loop delays.
+# TYPE nodejs_eventloop_lag_stddev_seconds gauge
+nodejs_eventloop_lag_stddev_seconds 0.02283534676636928
+
+# HELP nodejs_eventloop_lag_p50_seconds The 50th percentile of the recorded event loop delays.
+# TYPE nodejs_eventloop_lag_p50_seconds gauge
+nodejs_eventloop_lag_p50_seconds 0.010715135
+
+# HELP nodejs_eventloop_lag_p90_seconds The 90th percentile of the recorded event loop delays.
+# TYPE nodejs_eventloop_lag_p90_seconds gauge
+nodejs_eventloop_lag_p90_seconds 0.013647871
+
+# HELP nodejs_eventloop_lag_p99_seconds The 99th percentile of the recorded event loop delays.
+# TYPE nodejs_eventloop_lag_p99_seconds gauge
+nodejs_eventloop_lag_p99_seconds 0.023576575
+
+# HELP nodejs_active_handles Number of active libuv handles grouped by handle type. Every handle type is C++ class name.
+# TYPE nodejs_active_handles gauge
+nodejs_active_handles{type="Pipe"} 1
+nodejs_active_handles{type="Socket"} 3
+nodejs_active_handles{type="WriteStream"} 1
+nodejs_active_handles{type="Server"} 1
+
+# HELP nodejs_active_handles_total Total number of active handles.
+# TYPE nodejs_active_handles_total gauge
+nodejs_active_handles_total 6
+
+# HELP nodejs_active_requests Number of active libuv requests grouped by request type. Every request type is C++ class name.
+# TYPE nodejs_active_requests gauge
+
+# HELP nodejs_active_requests_total Total number of active requests.
+# TYPE nodejs_active_requests_total gauge
+nodejs_active_requests_total 0
+
+# HELP nodejs_heap_size_total_bytes Process heap size from Node.js in bytes.
+# TYPE nodejs_heap_size_total_bytes gauge
+nodejs_heap_size_total_bytes 26259456
+
+# HELP nodejs_heap_size_used_bytes Process heap size used from Node.js in bytes.
+# TYPE nodejs_heap_size_used_bytes gauge
+nodejs_heap_size_used_bytes 24616000
+
+# HELP nodejs_external_memory_bytes Node.js external memory size in bytes.
+# TYPE nodejs_external_memory_bytes gauge
+nodejs_external_memory_bytes 1738842
+
+# HELP nodejs_heap_space_size_total_bytes Process heap space size total from Node.js in bytes.
+# TYPE nodejs_heap_space_size_total_bytes gauge
+nodejs_heap_space_size_total_bytes{space="read_only"} 151552
+nodejs_heap_space_size_total_bytes{space="new"} 1048576
+nodejs_heap_space_size_total_bytes{space="old"} 19542016
+nodejs_heap_space_size_total_bytes{space="code"} 622592
+nodejs_heap_space_size_total_bytes{space="map"} 1576960
+nodejs_heap_space_size_total_bytes{space="large_object"} 3268608
+nodejs_heap_space_size_total_bytes{space="code_large_object"} 49152
+nodejs_heap_space_size_total_bytes{space="new_large_object"} 0
+
+# HELP nodejs_heap_space_size_used_bytes Process heap space size used from Node.js in bytes.
+# TYPE nodejs_heap_space_size_used_bytes gauge
+nodejs_heap_space_size_used_bytes{space="read_only"} 150392
+nodejs_heap_space_size_used_bytes{space="new"} 1036360
+nodejs_heap_space_size_used_bytes{space="old"} 18851160
+nodejs_heap_space_size_used_bytes{space="code"} 350112
+nodejs_heap_space_size_used_bytes{space="map"} 979272
+nodejs_heap_space_size_used_bytes{space="large_object"} 3251736
+nodejs_heap_space_size_used_bytes{space="code_large_object"} 2880
+nodejs_heap_space_size_used_bytes{space="new_large_object"} 0
+
+# HELP nodejs_heap_space_size_available_bytes Process heap space size available from Node.js in bytes.
+# TYPE nodejs_heap_space_size_available_bytes gauge
+nodejs_heap_space_size_available_bytes{space="read_only"} 0
+nodejs_heap_space_size_available_bytes{space="new"} 11064
+nodejs_heap_space_size_available_bytes{space="old"} 526680
+nodejs_heap_space_size_available_bytes{space="code"} 230304
+nodejs_heap_space_size_available_bytes{space="map"} 595064
+nodejs_heap_space_size_available_bytes{space="large_object"} 0
+nodejs_heap_space_size_available_bytes{space="code_large_object"} 0
+nodejs_heap_space_size_available_bytes{space="new_large_object"} 1047424
+
+# HELP nodejs_version_info Node.js version info.
+# TYPE nodejs_version_info gauge
+nodejs_version_info{version="v24.0.0",major="24",minor="0",patch="0"} 1
+
+# HELP nodejs_gc_duration_seconds Garbage collection duration by kind, one of major, minor, incremental or weakcb.
+# TYPE nodejs_gc_duration_seconds histogram
+nodejs_gc_duration_seconds_bucket{le="0.001",kind="incremental"} 5
+nodejs_gc_duration_seconds_bucket{le="0.01",kind="incremental"} 5
+nodejs_gc_duration_seconds_bucket{le="0.1",kind="incremental"} 5
+nodejs_gc_duration_seconds_bucket{le="1",kind="incremental"} 6
+nodejs_gc_duration_seconds_bucket{le="2",kind="incremental"} 6
+nodejs_gc_duration_seconds_bucket{le="5",kind="incremental"} 6
+nodejs_gc_duration_seconds_bucket{le="+Inf",kind="incremental"} 6
+nodejs_gc_duration_seconds_sum{kind="incremental"} 0.12669281899999998
+nodejs_gc_duration_seconds_count{kind="incremental"} 6
+nodejs_gc_duration_seconds_bucket{le="0.001",kind="major"} 0
+nodejs_gc_duration_seconds_bucket{le="0.01",kind="major"} 3
+nodejs_gc_duration_seconds_bucket{le="0.1",kind="major"} 3
+nodejs_gc_duration_seconds_bucket{le="1",kind="major"} 3
+nodejs_gc_duration_seconds_bucket{le="2",kind="major"} 3
+nodejs_gc_duration_seconds_bucket{le="5",kind="major"} 3
+nodejs_gc_duration_seconds_bucket{le="+Inf",kind="major"} 3
+nodejs_gc_duration_seconds_sum{kind="major"} 0.01499841
+nodejs_gc_duration_seconds_count{kind="major"} 3
+nodejs_gc_duration_seconds_bucket{le="0.001",kind="minor"} 1
+nodejs_gc_duration_seconds_bucket{le="0.01",kind="minor"} 1
+nodejs_gc_duration_seconds_bucket{le="0.1",kind="minor"} 1
+nodejs_gc_duration_seconds_bucket{le="1",kind="minor"} 1
+nodejs_gc_duration_seconds_bucket{le="2",kind="minor"} 1
+nodejs_gc_duration_seconds_bucket{le="5",kind="minor"} 1
+nodejs_gc_duration_seconds_bucket{le="+Inf",kind="minor"} 1
+nodejs_gc_duration_seconds_sum{kind="minor"} 0.0005726689999999999
+nodejs_gc_duration_seconds_count{kind="minor"} 1
+nodejs_gc_duration_seconds_bucket{le="0.001",kind="weakcb"} 1
+nodejs_gc_duration_seconds_bucket{le="0.01",kind="weakcb"} 1
+nodejs_gc_duration_seconds_bucket{le="0.1",kind="weakcb"} 1
+nodejs_gc_duration_seconds_bucket{le="1",kind="weakcb"} 1
+nodejs_gc_duration_seconds_bucket{le="2",kind="weakcb"} 1
+nodejs_gc_duration_seconds_bucket{le="5",kind="weakcb"} 1
+nodejs_gc_duration_seconds_bucket{le="+Inf",kind="weakcb"} 1
+nodejs_gc_duration_seconds_sum{kind="weakcb"} 4.94e-7
+nodejs_gc_duration_seconds_count{kind="weakcb"} 1
+```
+
+## Grafana
+
+![logo](/docs/assets/monitoring/grafana.png)
+
+You can use [Grafana](https://grafana.com/) to display charts and graphs using the Prometheus metrics.
+
+### Example dashboards
+
+A ready-to-use overview dashboard can be found under `grafana/overview.json`.
+
+It can be imported into any Grafana instance, just pick an existing data source.
+
+### Watched images
+
+You can also display drydock watched images on Grafana.
+
+#### Example to display the container Table
+
+![image](/docs/assets/monitoring/grafana_table.png)
+
+```bash
+sum by(image_registry_url, image_name, image_os, image_architecture, image_tag_value, result_tag) (dd_containers)
+
+# or if you want to display images to be updated only 
+sum by(image_registry_url, image_name, image_os, image_architecture, image_tag_value, result_tag) (dd_containers{update_available="true"})
+```
diff --git a/content/docs/v1.4/monitoring/meta.json b/content/docs/v1.4/monitoring/meta.json
new file mode 100644
index 000000000..c1b314309
--- /dev/null
+++ b/content/docs/v1.4/monitoring/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Monitoring",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/quickstart/index.mdx b/content/docs/v1.4/quickstart/index.mdx
new file mode 100644
index 000000000..29bb55be6
--- /dev/null
+++ b/content/docs/v1.4/quickstart/index.mdx
@@ -0,0 +1,136 @@
+---
+title: "Quick start"
+description: "Deploy Drydock with Docker in seconds using a socket proxy or direct mount."
+---
+
+import { Callout } from 'fumadocs-ui/components/callout';
+import { Tab, Tabs } from 'fumadocs-ui/components/tabs';
+
+## Run the Docker image
+
+The easiest way to start is to deploy the official _**drydock**_ image.
+
+<Tabs items={["Socket Proxy (Recommended)", "Direct Mount", "Docker CLI"]}>
+<Tab value="Socket Proxy (Recommended)">
+Using a socket proxy is the most secure way to expose the Docker API. The proxy limits which endpoints Drydock can access.
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    container_name: drydock
+    depends_on:
+      socket-proxy:
+        condition: service_healthy
+    environment:
+      - DD_WATCHER_LOCAL_HOST=socket-proxy
+      - DD_WATCHER_LOCAL_PORT=2375
+      - DD_AUTH_BASIC_ADMIN_USER=admin
+      - "DD_AUTH_BASIC_ADMIN_HASH=argon2id$$65536$$3$$4$$H/LzIyo+5tbepUCiuRU2bFai+nbf+y/ZjMYH7h+vf1g=$$GeCkn8cI/+DbKXUiPydlqKUvj5Ujb4wL5sUkSm83rQWyIejvWoejrk6zWmQ2x5an7qvSHYL9gZHpibCXAJNdYw=="
+    ports:
+      - 3000:3000
+
+  socket-proxy:
+    image: tecnativa/docker-socket-proxy
+    container_name: drydock-socket-proxy
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+      - CONTAINERS=1
+      - IMAGES=1
+      - EVENTS=1
+      - SERVICES=1
+      # Add POST=1 for container actions (start/stop/restart) or auto-updates
+      # Add NETWORKS=1 if using the Docker trigger for auto-updates
+    healthcheck:
+      test: wget --spider http://localhost:2375/version || exit 1
+      interval: 5s
+      timeout: 3s
+      retries: 3
+      start_period: 5s
+    restart: unless-stopped
+```
+
+</Tab>
+<Tab value="Direct Mount">
+
+<Callout type="warn">Direct socket access grants the container full control over the Docker daemon. Use the **Socket Proxy** tab above for production deployments. See [Docker Socket Security](/docs/configuration/watchers#docker-socket-security) for all available options.</Callout>
+
+The simplest setup — mount the Docker socket directly. Works out of the box on most systems.
+
+```yaml
+services:
+  drydock:
+    image: codeswhat/drydock
+    container_name: drydock
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+      - DD_AUTH_BASIC_ADMIN_USER=admin
+      - "DD_AUTH_BASIC_ADMIN_HASH=argon2id$$65536$$3$$4$$H/LzIyo+5tbepUCiuRU2bFai+nbf+y/ZjMYH7h+vf1g=$$GeCkn8cI/+DbKXUiPydlqKUvj5Ujb4wL5sUkSm83rQWyIejvWoejrk6zWmQ2x5an7qvSHYL9gZHpibCXAJNdYw=="
+    ports:
+      - 3000:3000
+```
+
+<Callout type="info">If you need a **read-only** socket mount (`:ro`), break-glass root mode requires both `DD_RUN_AS_ROOT=true` and `DD_ALLOW_INSECURE_ROOT=true`. Prefer socket proxy mode for least privilege. See [Docker Socket Security](/docs/configuration/watchers/#docker-socket-security) for details.</Callout>
+</Tab>
+<Tab value="Docker CLI">
+
+<Callout type="warn">Direct socket access grants the container full control over the Docker daemon. Use the **Socket Proxy** tab above for production deployments. See [Docker Socket Security](/docs/configuration/watchers#docker-socket-security) for all available options.</Callout>
+
+```bash
+docker run -d --name drydock \
+  -v "/var/run/docker.sock:/var/run/docker.sock" \
+  -e DD_AUTH_BASIC_ADMIN_USER=admin \
+  -e 'DD_AUTH_BASIC_ADMIN_HASH=argon2id$65536$3$4$H/LzIyo+5tbepUCiuRU2bFai+nbf+y/ZjMYH7h+vf1g=$GeCkn8cI/+DbKXUiPydlqKUvj5Ujb4wL5sUkSm83rQWyIejvWoejrk6zWmQ2x5an7qvSHYL9gZHpibCXAJNdYw==' \
+  -p 3000:3000 \
+  codeswhat/drydock
+```
+
+</Tab>
+</Tabs>
+
+The official image is published on Github Container Registry: `codeswhat/drydock`.
+
+<Callout type="warn">Authentication is **required by default** on fresh installs. The examples above use Basic auth with username `admin` and password `password`. See the [auth docs](/docs/configuration/authentications) for OIDC, anonymous access, and other options.</Callout>
+
+## Migrating from WUD
+
+If you are coming from What's Up Docker, you can switch images and keep your existing config (`WUD_*` env vars and `wud.*` labels still work).
+
+To rewrite your local config to drydock naming (`DD_*` and `dd.*`), run:
+
+```bash
+# preview changes only
+docker exec -it drydock node dist/index.js config migrate --dry-run
+
+# apply changes to specific files
+docker exec -it drydock node dist/index.js config migrate --file .env --file compose.yaml
+```
+
+`config migrate` reads/writes only local files in your deployment. It does not send usage data to external services.
+
+## Open the UI
+
+[Open the UI](http://localhost:3000) in a browser and check that everything is working as expected.
+
+## First 5 minutes in the UI
+
+1. Open the command palette with `Cmd/Ctrl+K`.
+2. Use prefix scopes to narrow search quickly:
+   - `/` pages
+   - `@` runtime resources (containers, agents, triggers, watchers)
+   - `#` config resources (registries, auth, notifications, settings)
+3. Leave the query empty to use recent results.
+4. Open **Notifications** and tune event rules (`update-available`, `update-applied`, `update-failed`, `security-alert`, `agent-disconnect`) plus trigger assignments.
+5. Reorder dashboard widgets by drag/drop; layout persists locally and can be reset.
+
+Keyboard shortcuts: `Enter` confirms action dialogs, `Escape` cancels dialogs and closes detail panels.
+
+## Next steps
+
+- [**Getting started guide**](/docs/getting-started) — step-by-step walkthrough from watching containers to notifications and auto-updates.
+- [**Add some triggers**](/docs/configuration/triggers) to get notified or auto-update containers.
+- [**Configure watchers**](/docs/configuration/watchers) to fine-tune how drydock monitors your containers.
+- [**Integrate other registries**](/docs/configuration/registries) (ECR, GCR, GHCR, and more).
+- See a **[complete configuration example](/docs/configuration/#complete-example)** illustrating common drydock options.
diff --git a/content/docs/v1.4/quickstart/meta.json b/content/docs/v1.4/quickstart/meta.json
new file mode 100644
index 000000000..0e67cc95f
--- /dev/null
+++ b/content/docs/v1.4/quickstart/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Quick Start",
+  "pages": ["index"]
+}
diff --git a/content/docs/v1.4/updates/index.mdx b/content/docs/v1.4/updates/index.mdx
new file mode 100644
index 000000000..381149192
--- /dev/null
+++ b/content/docs/v1.4/updates/index.mdx
@@ -0,0 +1,95 @@
+---
+title: "Updates"
+description: "This update adds skip/snooze controls per container to reduce noisy repeated notifications for known-bad versions."
+---
+
+## Per-container Update Policy (February 9, 2026)
+
+This update adds skip/snooze controls per container to reduce noisy repeated notifications for known-bad versions.
+
+### What changed
+
+- Added container-level update policy in store:
+  - `skipTags`
+  - `skipDigests`
+  - `snoozeUntil`
+- Added API endpoint:
+  - `PATCH /api/containers/:id/update-policy`
+  - Actions: `skip-current`, `clear-skips`, `snooze`, `unsnooze`, `clear`
+- Added UI controls on container cards:
+  - Skip current update
+  - Snooze for 1/7/30 days
+  - Clear snooze or all policy
+
+### Behavior
+
+- `updateKind` still reflects the detected remote update.
+- `updateAvailable` is suppressed while policy applies (skip/snooze), and becomes true again when a new unmatched version/digest is detected or snooze expires.
+
+## Trigger Coordination Improvements (February 9, 2026)
+
+This update improves how triggers can be coordinated when they share the same trigger name (for example `docker.update` and `discord.update`).
+
+### What changed
+
+#### 1. Trigger execution ordering
+
+You can now control trigger execution order with:
+
+`DD_TRIGGER_{trigger_type}_{trigger_name}_ORDER`
+
+- Lower values run first
+- Default is `100`
+- If two triggers have the same `ORDER`, they are sorted by trigger id
+
+Example:
+
+```bash
+DD_TRIGGER_DOCKER_UPDATE_ORDER=10
+DD_TRIGGER_DISCORD_UPDATE_ORDER=20
+```
+
+This ensures the Docker update trigger runs before the Discord notification trigger for the same update event.
+
+#### 2. Trigger name aliases in container labels
+
+Container labels `dd.trigger.include` and `dd.trigger.exclude` now accept either:
+
+- full trigger id (`docker.update`)
+- trigger name alias (`update`)
+
+Example:
+
+```bash
+dd.trigger.exclude=update
+```
+
+This applies to all triggers named `update` (for example `docker.update`, `discord.update`).
+
+#### 3. Shared threshold by trigger name
+
+Triggers sharing the same trigger name can share `THRESHOLD` automatically:
+
+- if exactly one threshold value is explicitly set among same-name triggers, that value is inherited by the others
+- if multiple different threshold values are set, no inheritance is applied
+
+Example:
+
+```bash
+DD_TRIGGER_DOCKER_UPDATE_THRESHOLD=minor
+```
+
+With no explicit Discord threshold, `discord.update` inherits `minor`.
+
+### Recommended setup for "update then notify"
+
+```bash
+DD_TRIGGER_DOCKER_UPDATE_THRESHOLD=minor
+DD_TRIGGER_DOCKER_UPDATE_ORDER=10
+DD_TRIGGER_DOCKER_UPDATE_PRUNE=true
+
+DD_TRIGGER_DISCORD_UPDATE_ORDER=20
+DD_TRIGGER_DISCORD_UPDATE_URL=<discord_webhook_url>
+DD_TRIGGER_DISCORD_UPDATE_SIMPLETITLE=Updated ${container.name}
+DD_TRIGGER_DISCORD_UPDATE_SIMPLEBODY=Container ${container.name} has been updated from ${container.updateKind.localValue} to ${container.updateKind.remoteValue}
+```
diff --git a/content/docs/v1.4/updates/meta.json b/content/docs/v1.4/updates/meta.json
new file mode 100644
index 000000000..1209ddd50
--- /dev/null
+++ b/content/docs/v1.4/updates/meta.json
@@ -0,0 +1,4 @@
+{
+  "title": "Updates",
+  "pages": ["index"]
+}
diff --git a/docs/README.md b/docs/README.md
index 3b8677b79..c70286da8 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -6,7 +6,12 @@ The published documentation is available at **[getdrydock.com/docs](https://getd
 
 Documentation content is now versioned at:
 
-- `/content/docs/current` (`1.4`, stable)
-- `/content/docs/v1.3` (previous stable)
+- `/content/docs/current` (`v1.5`, active release docs)
+- `/content/docs/v1.4` (previous stable docs)
+- `/content/docs/v1.3` (legacy docs)
 
-The site/docs app lives in `/apps/web` and reads from `/content/docs/current`.
+The site/docs app lives in `/apps/web` and uses `npm run sync:docs` to copy:
+
+- `current -> apps/web/content/docs/v1.5`
+- `v1.4 -> apps/web/content/docs/v1.4`
+- `v1.3 -> apps/web/content/docs/v1.3`
diff --git a/docs/agent-prompts/quality-by-file-prompts.md b/docs/agent-prompts/quality-by-file-prompts.md
new file mode 100644
index 000000000..a844a2b11
--- /dev/null
+++ b/docs/agent-prompts/quality-by-file-prompts.md
@@ -0,0 +1,455 @@
+# Quality Smells: File-by-File Agent Prompts
+
+Generated from: line count + `any` count + unsafe pattern count (`as any`, `catch (e: any)`, `: any`, `Promise<any>`).
+
+## Inventory
+
+| Priority | Lines | any | Unsafe | File |
+|---|---:|---:|---:|---|
+| P0 | 2159 | 2 | 0 | `app/triggers/providers/dockercompose/Dockercompose.ts` |
+| P0 | 1526 | 1 | 0 | `ui/src/layouts/AppLayout.vue` |
+| P1 | 1139 | 1 | 1 | `app/triggers/providers/docker/Docker.ts` |
+| P0 | 1056 | 32 | 31 | `app/watchers/providers/docker/Docker.ts` |
+| P2 | 937 | 0 | 0 | `ui/src/components/containers/ContainerFullPageTabContent.vue` |
+| P2 | 901 | 0 | 0 | `ui/src/components/containers/ContainerSideTabContent.vue` |
+| P2 | 881 | 0 | 0 | `app/triggers/providers/Trigger.ts` |
+| P2 | 862 | 1 | 0 | `ui/src/views/ContainersView.vue` |
+| P2 | 818 | 0 | 0 | `app/authentications/providers/oidc/Oidc.ts` |
+| P1 | 810 | 10 | 10 | `app/registry/index.ts` |
+| P2 | 804 | 0 | 0 | `app/triggers/providers/docker/ContainerUpdateExecutor.ts` |
+| P2 | 801 | 0 | 0 | `ui/src/views/AgentsView.vue` |
+| P2 | 792 | 1 | 0 | `ui/src/views/dashboard/useDashboardComputed.ts` |
+| P2 | 773 | 2 | 1 | `app/store/container.ts` |
+| P2 | 769 | 2 | 2 | `app/model/container.ts` |
+| P2 | 750 | 3 | 3 | `app/security/scan.ts` |
+| P3 | 687 | 1 | 0 | `app/configuration/index.ts` |
+| P3 | 677 | 1 | 0 | `app/watchers/providers/docker/oidc.ts` |
+| P3 | 662 | 2 | 0 | `ui/src/views/DashboardView.vue` |
+| P3 | 621 | 2 | 2 | `ui/src/utils/container-mapper.ts` |
+| P3 | 602 | 3 | 0 | `app/authentications/providers/basic/Basic.ts` |
+| P3 | 573 | 1 | 1 | `app/api/container/log-stream.ts` |
+| P0 | 523 | 23 | 20 | `app/agent/AgentClient.ts` |
+| P2 | 497 | 9 | 5 | `app/registries/Registry.ts` |
+| P2 | 492 | 6 | 6 | `app/watchers/providers/docker/tag-candidates.ts` |
+| P3 | 465 | 1 | 0 | `app/watchers/providers/docker/docker-image-details-orchestration.ts` |
+| P1 | 429 | 13 | 13 | `app/watchers/providers/docker/docker-helpers.ts` |
+| P2 | 414 | 7 | 6 | `app/watchers/providers/docker/container-init.ts` |
+| P3 | 376 | 1 | 0 | `ui/src/views/LoginView.vue` |
+| P3 | 375 | 1 | 0 | `app/triggers/providers/trigger-expression-parser.ts` |
+| P2 | 354 | 4 | 0 | `app/api/container/filters.ts` |
+| P3 | 342 | 2 | 2 | `app/release-notes/index.ts` |
+| P2 | 323 | 5 | 5 | `app/triggers/providers/dockercompose/ComposeFileParser.ts` |
+| P1 | 312 | 10 | 0 | `app/triggers/providers/docker/RegistryResolver.ts` |
+| P3 | 287 | 1 | 1 | `app/triggers/providers/dockercompose/PostStartExecutor.ts` |
+| P0 | 279 | 35 | 3 | `app/registry/trigger-shared-config.ts` |
+| P0 | 259 | 19 | 19 | `app/watchers/providers/docker/runtime-details.ts` |
+| P2 | 243 | 9 | 9 | `app/triggers/providers/docker/HealthMonitor.ts` |
+| P3 | 229 | 2 | 2 | `app/agent/api/event.ts` |
+| P3 | 206 | 3 | 3 | `app/triggers/providers/dockercompose/ComposeFileLockManager.ts` |
+| P3 | 205 | 2 | 0 | `app/api/container-actions.ts` |
+| P2 | 201 | 5 | 3 | `app/watchers/providers/docker/docker-remote-auth.ts` |
+| P0 | 168 | 16 | 16 | `app/watchers/providers/docker/docker-event-orchestration.ts` |
+| P3 | 164 | 1 | 1 | `app/agent/api/index.ts` |
+| P3 | 162 | 1 | 0 | `ui/src/components/containers/ContainersListContent.vue` |
+| P2 | 159 | 6 | 6 | `app/watchers/providers/docker/container-event-update.ts` |
+| P3 | 154 | 3 | 0 | `app/triggers/providers/pushover/Pushover.ts` |
+| P3 | 153 | 1 | 1 | `app/tag/index.ts` |
+| P2 | 151 | 5 | 5 | `app/registry/Component.ts` |
+| P3 | 147 | 1 | 1 | `app/tag/suggest.ts` |
+| P3 | 145 | 1 | 1 | `app/watchers/providers/docker/image-comparison.ts` |
+| P3 | 145 | 1 | 0 | `ui/src/composables/useContainerFilters.ts` |
+| P3 | 124 | 1 | 0 | `ui/src/services/auth.ts` |
+| P3 | 124 | 1 | 0 | `app/registries/providers/hub/Hub.ts` |
+| P3 | 115 | 1 | 1 | `app/triggers/hooks/HookRunner.ts` |
+| P3 | 110 | 1 | 1 | `app/release-notes/providers/GithubProvider.ts` |
+| P3 | 110 | 1 | 0 | `app/registries/providers/quay/Quay.ts` |
+| P3 | 109 | 1 | 1 | `app/agent/api/container.ts` |
+| P3 | 106 | 1 | 1 | `app/registries/providers/mau/Mau.ts` |
+| P3 | 104 | 1 | 0 | `app/api/auth-strategies.ts` |
+| P3 | 96 | 1 | 1 | `app/triggers/providers/teams/Teams.ts` |
+| P3 | 81 | 1 | 1 | `app/triggers/providers/mattermost/Mattermost.ts` |
+| P3 | 73 | 1 | 0 | `app/registries/providers/trueforge/trueforge.ts` |
+| P3 | 72 | 1 | 1 | `app/triggers/providers/googlechat/Googlechat.ts` |
+| P3 | 71 | 2 | 2 | `app/agent/api/watcher.ts` |
+| P3 | 71 | 1 | 1 | `app/agent/api/trigger.ts` |
+| P3 | 64 | 1 | 1 | `app/registries/providers/shared/SelfHostedBasic.ts` |
+| P3 | 39 | 1 | 1 | `app/vitest.config.ts` |
+| P3 | 37 | 2 | 2 | `app/agent/components/AgentTrigger.ts` |
+| P3 | 37 | 2 | 1 | `app/agent/components/AgentWatcher.ts` |
+| P3 | 35 | 1 | 0 | `app/api/auth-remember-me.ts` |
+| P3 | 28 | 2 | 1 | `app/watchers/Watcher.ts` |
+| P3 | 17 | 1 | 1 | `app/vitest.coverage-provider.ts` |
+| P3 | 13 | 2 | 1 | `ui/src/env.d.ts` |
+
+## Prompts
+
+### P0 — app/triggers/providers/dockercompose/Dockercompose.ts (lines=2159, any=2, unsafe=0)
+
+```text
+You are working on one file only: app/triggers/providers/dockercompose/Dockercompose.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/triggers/providers/dockercompose/Dockercompose.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/triggers/providers/dockercompose/Dockercompose.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P0 — ui/src/layouts/AppLayout.vue (lines=1526, any=1, unsafe=0)
+
+```text
+You are working on one file only: ui/src/layouts/AppLayout.vue\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: ui/src/layouts/AppLayout.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" ui/src/layouts/AppLayout.vue\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P1 — app/triggers/providers/docker/Docker.ts (lines=1139, any=1, unsafe=1)
+
+```text
+You are working on one file only: app/triggers/providers/docker/Docker.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/triggers/providers/docker/Docker.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/triggers/providers/docker/Docker.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P0 — app/watchers/providers/docker/Docker.ts (lines=1056, any=32, unsafe=31)
+
+```text
+You are working on one file only: app/watchers/providers/docker/Docker.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/watchers/providers/docker/Docker.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/watchers/providers/docker/Docker.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P2 — ui/src/components/containers/ContainerFullPageTabContent.vue (lines=937, any=0, unsafe=0)
+
+```text
+You are working on one file only: ui/src/components/containers/ContainerFullPageTabContent.vue\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: ui/src/components/containers/ContainerFullPageTabContent.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" ui/src/components/containers/ContainerFullPageTabContent.vue\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P2 — ui/src/components/containers/ContainerSideTabContent.vue (lines=901, any=0, unsafe=0)
+
+```text
+You are working on one file only: ui/src/components/containers/ContainerSideTabContent.vue\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: ui/src/components/containers/ContainerSideTabContent.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" ui/src/components/containers/ContainerSideTabContent.vue\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P2 — app/triggers/providers/Trigger.ts (lines=881, any=0, unsafe=0)
+
+```text
+You are working on one file only: app/triggers/providers/Trigger.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/triggers/providers/Trigger.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/triggers/providers/Trigger.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P2 — ui/src/views/ContainersView.vue (lines=862, any=1, unsafe=0)
+
+```text
+You are working on one file only: ui/src/views/ContainersView.vue\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: ui/src/views/ContainersView.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" ui/src/views/ContainersView.vue\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P2 — app/authentications/providers/oidc/Oidc.ts (lines=818, any=0, unsafe=0)
+
+```text
+You are working on one file only: app/authentications/providers/oidc/Oidc.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/authentications/providers/oidc/Oidc.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/authentications/providers/oidc/Oidc.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P1 — app/registry/index.ts (lines=810, any=10, unsafe=10)
+
+```text
+You are working on one file only: app/registry/index.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/registry/index.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/registry/index.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P2 — app/triggers/providers/docker/ContainerUpdateExecutor.ts (lines=804, any=0, unsafe=0)
+
+```text
+You are working on one file only: app/triggers/providers/docker/ContainerUpdateExecutor.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/triggers/providers/docker/ContainerUpdateExecutor.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/triggers/providers/docker/ContainerUpdateExecutor.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P2 — ui/src/views/AgentsView.vue (lines=801, any=0, unsafe=0)
+
+```text
+You are working on one file only: ui/src/views/AgentsView.vue\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: ui/src/views/AgentsView.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" ui/src/views/AgentsView.vue\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P2 — ui/src/views/dashboard/useDashboardComputed.ts (lines=792, any=1, unsafe=0)
+
+```text
+You are working on one file only: ui/src/views/dashboard/useDashboardComputed.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: ui/src/views/dashboard/useDashboardComputed.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" ui/src/views/dashboard/useDashboardComputed.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P2 — app/store/container.ts (lines=773, any=2, unsafe=1)
+
+```text
+You are working on one file only: app/store/container.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/store/container.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/store/container.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P2 — app/model/container.ts (lines=769, any=2, unsafe=2)
+
+```text
+You are working on one file only: app/model/container.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/model/container.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/model/container.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P2 — app/security/scan.ts (lines=750, any=3, unsafe=3)
+
+```text
+You are working on one file only: app/security/scan.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/security/scan.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/security/scan.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/configuration/index.ts (lines=687, any=1, unsafe=0)
+
+```text
+You are working on one file only: app/configuration/index.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/configuration/index.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/configuration/index.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/watchers/providers/docker/oidc.ts (lines=677, any=1, unsafe=0)
+
+```text
+You are working on one file only: app/watchers/providers/docker/oidc.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/watchers/providers/docker/oidc.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/watchers/providers/docker/oidc.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — ui/src/views/DashboardView.vue (lines=662, any=2, unsafe=0)
+
+```text
+You are working on one file only: ui/src/views/DashboardView.vue\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: ui/src/views/DashboardView.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" ui/src/views/DashboardView.vue\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — ui/src/utils/container-mapper.ts (lines=621, any=2, unsafe=2)
+
+```text
+You are working on one file only: ui/src/utils/container-mapper.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: ui/src/utils/container-mapper.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" ui/src/utils/container-mapper.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/authentications/providers/basic/Basic.ts (lines=602, any=3, unsafe=0)
+
+```text
+You are working on one file only: app/authentications/providers/basic/Basic.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/authentications/providers/basic/Basic.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/authentications/providers/basic/Basic.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/api/container/log-stream.ts (lines=573, any=1, unsafe=1)
+
+```text
+You are working on one file only: app/api/container/log-stream.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/api/container/log-stream.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/api/container/log-stream.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P0 — app/agent/AgentClient.ts (lines=523, any=23, unsafe=20)
+
+```text
+You are working on one file only: app/agent/AgentClient.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/agent/AgentClient.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/agent/AgentClient.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P2 — app/registries/Registry.ts (lines=497, any=9, unsafe=5)
+
+```text
+You are working on one file only: app/registries/Registry.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/registries/Registry.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/registries/Registry.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P2 — app/watchers/providers/docker/tag-candidates.ts (lines=492, any=6, unsafe=6)
+
+```text
+You are working on one file only: app/watchers/providers/docker/tag-candidates.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/watchers/providers/docker/tag-candidates.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/watchers/providers/docker/tag-candidates.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/watchers/providers/docker/docker-image-details-orchestration.ts (lines=465, any=1, unsafe=0)
+
+```text
+You are working on one file only: app/watchers/providers/docker/docker-image-details-orchestration.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/watchers/providers/docker/docker-image-details-orchestration.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/watchers/providers/docker/docker-image-details-orchestration.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P1 — app/watchers/providers/docker/docker-helpers.ts (lines=429, any=13, unsafe=13)
+
+```text
+You are working on one file only: app/watchers/providers/docker/docker-helpers.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/watchers/providers/docker/docker-helpers.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/watchers/providers/docker/docker-helpers.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P2 — app/watchers/providers/docker/container-init.ts (lines=414, any=7, unsafe=6)
+
+```text
+You are working on one file only: app/watchers/providers/docker/container-init.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/watchers/providers/docker/container-init.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/watchers/providers/docker/container-init.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — ui/src/views/LoginView.vue (lines=376, any=1, unsafe=0)
+
+```text
+You are working on one file only: ui/src/views/LoginView.vue\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: ui/src/views/LoginView.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" ui/src/views/LoginView.vue\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/triggers/providers/trigger-expression-parser.ts (lines=375, any=1, unsafe=0)
+
+```text
+You are working on one file only: app/triggers/providers/trigger-expression-parser.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/triggers/providers/trigger-expression-parser.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/triggers/providers/trigger-expression-parser.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P2 — app/api/container/filters.ts (lines=354, any=4, unsafe=0)
+
+```text
+You are working on one file only: app/api/container/filters.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/api/container/filters.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/api/container/filters.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/release-notes/index.ts (lines=342, any=2, unsafe=2)
+
+```text
+You are working on one file only: app/release-notes/index.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/release-notes/index.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/release-notes/index.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P2 — app/triggers/providers/dockercompose/ComposeFileParser.ts (lines=323, any=5, unsafe=5)
+
+```text
+You are working on one file only: app/triggers/providers/dockercompose/ComposeFileParser.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/triggers/providers/dockercompose/ComposeFileParser.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/triggers/providers/dockercompose/ComposeFileParser.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P1 — app/triggers/providers/docker/RegistryResolver.ts (lines=312, any=10, unsafe=0)
+
+```text
+You are working on one file only: app/triggers/providers/docker/RegistryResolver.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/triggers/providers/docker/RegistryResolver.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/triggers/providers/docker/RegistryResolver.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/triggers/providers/dockercompose/PostStartExecutor.ts (lines=287, any=1, unsafe=1)
+
+```text
+You are working on one file only: app/triggers/providers/dockercompose/PostStartExecutor.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/triggers/providers/dockercompose/PostStartExecutor.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/triggers/providers/dockercompose/PostStartExecutor.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P0 — app/registry/trigger-shared-config.ts (lines=279, any=35, unsafe=3)
+
+```text
+You are working on one file only: app/registry/trigger-shared-config.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/registry/trigger-shared-config.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/registry/trigger-shared-config.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P0 — app/watchers/providers/docker/runtime-details.ts (lines=259, any=19, unsafe=19)
+
+```text
+You are working on one file only: app/watchers/providers/docker/runtime-details.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/watchers/providers/docker/runtime-details.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/watchers/providers/docker/runtime-details.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P2 — app/triggers/providers/docker/HealthMonitor.ts (lines=243, any=9, unsafe=9)
+
+```text
+You are working on one file only: app/triggers/providers/docker/HealthMonitor.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/triggers/providers/docker/HealthMonitor.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/triggers/providers/docker/HealthMonitor.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/agent/api/event.ts (lines=229, any=2, unsafe=2)
+
+```text
+You are working on one file only: app/agent/api/event.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/agent/api/event.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/agent/api/event.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/triggers/providers/dockercompose/ComposeFileLockManager.ts (lines=206, any=3, unsafe=3)
+
+```text
+You are working on one file only: app/triggers/providers/dockercompose/ComposeFileLockManager.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/triggers/providers/dockercompose/ComposeFileLockManager.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/triggers/providers/dockercompose/ComposeFileLockManager.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/api/container-actions.ts (lines=205, any=2, unsafe=0)
+
+```text
+You are working on one file only: app/api/container-actions.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/api/container-actions.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/api/container-actions.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P2 — app/watchers/providers/docker/docker-remote-auth.ts (lines=201, any=5, unsafe=3)
+
+```text
+You are working on one file only: app/watchers/providers/docker/docker-remote-auth.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/watchers/providers/docker/docker-remote-auth.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/watchers/providers/docker/docker-remote-auth.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P0 — app/watchers/providers/docker/docker-event-orchestration.ts (lines=168, any=16, unsafe=16)
+
+```text
+You are working on one file only: app/watchers/providers/docker/docker-event-orchestration.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/watchers/providers/docker/docker-event-orchestration.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/watchers/providers/docker/docker-event-orchestration.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/agent/api/index.ts (lines=164, any=1, unsafe=1)
+
+```text
+You are working on one file only: app/agent/api/index.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/agent/api/index.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/agent/api/index.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — ui/src/components/containers/ContainersListContent.vue (lines=162, any=1, unsafe=0)
+
+```text
+You are working on one file only: ui/src/components/containers/ContainersListContent.vue\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: ui/src/components/containers/ContainersListContent.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" ui/src/components/containers/ContainersListContent.vue\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P2 — app/watchers/providers/docker/container-event-update.ts (lines=159, any=6, unsafe=6)
+
+```text
+You are working on one file only: app/watchers/providers/docker/container-event-update.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/watchers/providers/docker/container-event-update.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/watchers/providers/docker/container-event-update.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/triggers/providers/pushover/Pushover.ts (lines=154, any=3, unsafe=0)
+
+```text
+You are working on one file only: app/triggers/providers/pushover/Pushover.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/triggers/providers/pushover/Pushover.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/triggers/providers/pushover/Pushover.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/tag/index.ts (lines=153, any=1, unsafe=1)
+
+```text
+You are working on one file only: app/tag/index.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/tag/index.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/tag/index.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P2 — app/registry/Component.ts (lines=151, any=5, unsafe=5)
+
+```text
+You are working on one file only: app/registry/Component.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/registry/Component.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/registry/Component.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/tag/suggest.ts (lines=147, any=1, unsafe=1)
+
+```text
+You are working on one file only: app/tag/suggest.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/tag/suggest.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/tag/suggest.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/watchers/providers/docker/image-comparison.ts (lines=145, any=1, unsafe=1)
+
+```text
+You are working on one file only: app/watchers/providers/docker/image-comparison.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/watchers/providers/docker/image-comparison.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/watchers/providers/docker/image-comparison.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — ui/src/composables/useContainerFilters.ts (lines=145, any=1, unsafe=0)
+
+```text
+You are working on one file only: ui/src/composables/useContainerFilters.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: ui/src/composables/useContainerFilters.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" ui/src/composables/useContainerFilters.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — ui/src/services/auth.ts (lines=124, any=1, unsafe=0)
+
+```text
+You are working on one file only: ui/src/services/auth.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: ui/src/services/auth.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" ui/src/services/auth.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/registries/providers/hub/Hub.ts (lines=124, any=1, unsafe=0)
+
+```text
+You are working on one file only: app/registries/providers/hub/Hub.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/registries/providers/hub/Hub.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/registries/providers/hub/Hub.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/triggers/hooks/HookRunner.ts (lines=115, any=1, unsafe=1)
+
+```text
+You are working on one file only: app/triggers/hooks/HookRunner.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/triggers/hooks/HookRunner.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/triggers/hooks/HookRunner.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/release-notes/providers/GithubProvider.ts (lines=110, any=1, unsafe=1)
+
+```text
+You are working on one file only: app/release-notes/providers/GithubProvider.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/release-notes/providers/GithubProvider.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/release-notes/providers/GithubProvider.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/registries/providers/quay/Quay.ts (lines=110, any=1, unsafe=0)
+
+```text
+You are working on one file only: app/registries/providers/quay/Quay.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/registries/providers/quay/Quay.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/registries/providers/quay/Quay.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/agent/api/container.ts (lines=109, any=1, unsafe=1)
+
+```text
+You are working on one file only: app/agent/api/container.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/agent/api/container.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/agent/api/container.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/registries/providers/mau/Mau.ts (lines=106, any=1, unsafe=1)
+
+```text
+You are working on one file only: app/registries/providers/mau/Mau.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/registries/providers/mau/Mau.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/registries/providers/mau/Mau.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/api/auth-strategies.ts (lines=104, any=1, unsafe=0)
+
+```text
+You are working on one file only: app/api/auth-strategies.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/api/auth-strategies.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/api/auth-strategies.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/triggers/providers/teams/Teams.ts (lines=96, any=1, unsafe=1)
+
+```text
+You are working on one file only: app/triggers/providers/teams/Teams.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/triggers/providers/teams/Teams.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/triggers/providers/teams/Teams.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/triggers/providers/mattermost/Mattermost.ts (lines=81, any=1, unsafe=1)
+
+```text
+You are working on one file only: app/triggers/providers/mattermost/Mattermost.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/triggers/providers/mattermost/Mattermost.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/triggers/providers/mattermost/Mattermost.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/registries/providers/trueforge/trueforge.ts (lines=73, any=1, unsafe=0)
+
+```text
+You are working on one file only: app/registries/providers/trueforge/trueforge.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/registries/providers/trueforge/trueforge.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/registries/providers/trueforge/trueforge.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/triggers/providers/googlechat/Googlechat.ts (lines=72, any=1, unsafe=1)
+
+```text
+You are working on one file only: app/triggers/providers/googlechat/Googlechat.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/triggers/providers/googlechat/Googlechat.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/triggers/providers/googlechat/Googlechat.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/agent/api/watcher.ts (lines=71, any=2, unsafe=2)
+
+```text
+You are working on one file only: app/agent/api/watcher.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/agent/api/watcher.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/agent/api/watcher.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/agent/api/trigger.ts (lines=71, any=1, unsafe=1)
+
+```text
+You are working on one file only: app/agent/api/trigger.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/agent/api/trigger.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/agent/api/trigger.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/registries/providers/shared/SelfHostedBasic.ts (lines=64, any=1, unsafe=1)
+
+```text
+You are working on one file only: app/registries/providers/shared/SelfHostedBasic.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/registries/providers/shared/SelfHostedBasic.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/registries/providers/shared/SelfHostedBasic.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/vitest.config.ts (lines=39, any=1, unsafe=1)
+
+```text
+You are working on one file only: app/vitest.config.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/vitest.config.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/vitest.config.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/agent/components/AgentTrigger.ts (lines=37, any=2, unsafe=2)
+
+```text
+You are working on one file only: app/agent/components/AgentTrigger.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/agent/components/AgentTrigger.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/agent/components/AgentTrigger.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/agent/components/AgentWatcher.ts (lines=37, any=2, unsafe=1)
+
+```text
+You are working on one file only: app/agent/components/AgentWatcher.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/agent/components/AgentWatcher.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/agent/components/AgentWatcher.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/api/auth-remember-me.ts (lines=35, any=1, unsafe=0)
+
+```text
+You are working on one file only: app/api/auth-remember-me.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/api/auth-remember-me.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/api/auth-remember-me.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/watchers/Watcher.ts (lines=28, any=2, unsafe=1)
+
+```text
+You are working on one file only: app/watchers/Watcher.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/watchers/Watcher.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/watchers/Watcher.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — app/vitest.coverage-provider.ts (lines=17, any=1, unsafe=1)
+
+```text
+You are working on one file only: app/vitest.coverage-provider.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: app/vitest.coverage-provider.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" app/vitest.coverage-provider.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
+### P3 — ui/src/env.d.ts (lines=13, any=2, unsafe=1)
+
+```text
+You are working on one file only: ui/src/env.d.ts\n\nGoal: improve code quality with zero behavior change.\nDo in this file:\n1. Replace `any` with explicit types or `unknown` + narrowing guards.\n2. Replace `catch (e: any)` with `catch (e: unknown)` and normalize error messages safely.\n3. Remove `as any` by introducing narrow local interfaces/types where possible.\n4. Keep public API unchanged; do not rename exported symbols.\n5. Keep edits minimal and focused to this file.\n\nValidation:\n- Run targeted tests near this area (example candidate: ui/src/env.d.test.ts if it exists).\n- Run: rg -n "\\bany\\b|as any|catch \\((e|error): any\\)|Promise<any>|: any\\b" ui/src/env.d.ts\n- Ensure no behavior/assertion changes.\n\nReturn: short summary + patch.\n```
+
diff --git a/docs/audit-findings.html b/docs/audit-findings.html
new file mode 100644
index 000000000..780eeccab
--- /dev/null
+++ b/docs/audit-findings.html
@@ -0,0 +1,662 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Drydock CI Audit — Round 2</title>
+<style>
+  :root {
+    --bg: #1a1a2e;
+    --surface: #16213e;
+    --surface2: #1a2744;
+    --border: #2a3a5c;
+    --text: #e0e0e0;
+    --text-dim: #8892a4;
+    --accent-red: #ff6b6b;
+    --accent-orange: #ffa94d;
+    --accent-green: #69db7c;
+    --accent-blue: #74c0fc;
+    --accent-purple: #b197fc;
+    --accent-yellow: #ffd43b;
+    --tag-bg: rgba(255,255,255,0.06);
+  }
+  * { margin: 0; padding: 0; box-sizing: border-box; }
+  body {
+    font-family: 'SF Mono', 'Cascadia Code', 'JetBrains Mono', monospace;
+    background: var(--bg); color: var(--text);
+    padding: 2rem; line-height: 1.6;
+    max-width: 1000px; margin: 0 auto;
+  }
+  h1 { font-size: 1.4rem; font-weight: 600; color: #fff; margin-bottom: 0.25rem; }
+  .subtitle { color: var(--text-dim); font-size: 0.8rem; margin-bottom: 1.5rem; border-bottom: 1px solid var(--border); padding-bottom: 1rem; }
+
+  .summary { display: flex; gap: 1rem; margin-bottom: 1rem; flex-wrap: wrap; }
+  .chip { font-size: 0.75rem; padding: 0.2rem 0.6rem; border-radius: 4px; display: flex; align-items: center; gap: 0.35rem; }
+  .chip-closed { background: rgba(105, 219, 124, 0.08); color: rgba(105, 219, 124, 0.5); }
+  .chip-open { background: rgba(255, 107, 107, 0.12); color: var(--accent-red); }
+  .chip-wontfix { background: rgba(136, 146, 164, 0.08); color: rgba(136, 146, 164, 0.5); }
+  .chip b { font-size: 0.9rem; }
+
+  .toolbar { display: flex; gap: 0.5rem; margin-bottom: 2rem; flex-wrap: wrap; }
+  .toolbar button { background: var(--surface2); border: 1px solid var(--border); color: var(--text-dim); padding: 0.35rem 0.75rem; border-radius: 6px; cursor: pointer; font-family: inherit; font-size: 0.75rem; transition: all 0.15s; }
+  .toolbar button:hover { background: #223050; color: var(--text); }
+  .toolbar button.active { border-color: var(--accent-blue); color: var(--accent-blue); background: rgba(116, 192, 252, 0.08); }
+  .toolbar button.copied { color: var(--accent-green); border-color: var(--accent-green); }
+  .toolbar .spacer { flex: 1; }
+  .toolbar .copy-all-btn { border-color: var(--accent-green); color: var(--accent-green); }
+
+  .concern-section { margin-bottom: 1.5rem; }
+  .concern-header { font-size: 0.95rem; font-weight: 600; margin-bottom: 0.5rem; padding: 0.4rem 0; border-bottom: 1px solid var(--border); display: flex; align-items: center; justify-content: space-between; }
+  .concern-section[data-concern="release"] .concern-header { color: var(--accent-red); }
+  .concern-section[data-concern="gates"] .concern-header { color: var(--accent-orange); }
+  .concern-section[data-concern="efficiency"] .concern-header { color: var(--accent-yellow); }
+  .concern-section[data-concern="observability"] .concern-header { color: var(--accent-green); }
+  .concern-section[data-concern="hardening"] .concern-header { color: var(--accent-purple); }
+  .concern-section[data-concern="decisions"] .concern-header { color: var(--text-dim); }
+
+  .card { background: var(--surface); border: 1px solid var(--border); border-radius: 8px; padding: 0.75rem 1rem; margin-bottom: 0.5rem; transition: border-color 0.15s; }
+  .card:hover { border-color: #3a5080; }
+  .card.hidden { display: none; }
+  .card-row { display: flex; justify-content: space-between; align-items: flex-start; gap: 0.5rem; }
+  .card-content { flex: 1; min-width: 0; }
+  .card-title { font-weight: 600; font-size: 0.82rem; color: #fff; margin-bottom: 0.25rem; }
+  .card-body { font-size: 0.75rem; color: var(--text-dim); line-height: 1.45; }
+  .card-detail { margin-top: 0.3rem; font-size: 0.72rem; color: var(--text-dim); }
+  .card-detail em { color: var(--accent-purple); font-style: normal; }
+  .card-footer { margin-top: 0.3rem; font-size: 0.68rem; color: #4a5a7a; }
+  .card-actions { display: flex; flex-direction: column; align-items: flex-end; gap: 0.3rem; flex-shrink: 0; }
+
+  .severity { font-size: 0.6rem; text-transform: uppercase; letter-spacing: 0.05em; padding: 0.1rem 0.35rem; border-radius: 3px; font-weight: 600; }
+  .sev-high { background: rgba(255, 107, 107, 0.15); color: var(--accent-red); }
+  .sev-medium { background: rgba(255, 169, 77, 0.15); color: var(--accent-orange); }
+  .sev-low { background: rgba(136, 146, 164, 0.12); color: var(--text-dim); }
+
+  .status { display: inline-flex; align-items: center; gap: 0.25rem; font-size: 0.65rem; padding: 0.1rem 0.4rem; border-radius: 4px; font-weight: 500; white-space: nowrap; }
+  .status-fixed { background: rgba(105, 219, 124, 0.12); color: var(--accent-green); }
+  .status-open { background: rgba(255, 107, 107, 0.12); color: var(--accent-red); }
+  .status-wontfix { background: rgba(136, 146, 164, 0.12); color: var(--text-dim); }
+  .dot { width: 5px; height: 5px; border-radius: 50%; display: inline-block; }
+  .dot-fixed { background: var(--accent-green); }
+  .dot-open { background: var(--accent-red); }
+  .dot-wontfix { background: var(--text-dim); }
+
+  .copy-card-btn { background: transparent; border: 1px solid var(--border); color: var(--text-dim); padding: 0.2rem 0.45rem; border-radius: 4px; cursor: pointer; font-family: inherit; font-size: 0.65rem; transition: all 0.15s; white-space: nowrap; }
+  .copy-card-btn:hover { border-color: var(--accent-green); color: var(--accent-green); }
+  .copy-card-btn.copied { border-color: var(--accent-green); color: var(--accent-green); }
+  .copy-group-btn { background: var(--surface2); border: 1px solid var(--border); color: var(--text-dim); padding: 0.25rem 0.6rem; border-radius: 5px; cursor: pointer; font-family: inherit; font-size: 0.7rem; transition: all 0.15s; }
+  .copy-group-btn:hover { background: #223050; color: var(--text); }
+  .copy-group-btn.copied { color: var(--accent-green); border-color: var(--accent-green); }
+
+  code { background: rgba(255,255,255,0.06); padding: 0.05rem 0.25rem; border-radius: 3px; font-size: inherit; }
+
+  .file-group { margin-bottom: 1.5rem; }
+  .file-group-header { display: flex; align-items: center; justify-content: space-between; margin-bottom: 0.5rem; padding: 0.4rem 0; border-bottom: 1px solid var(--border); }
+  .file-group-title { font-size: 0.85rem; font-weight: 600; color: var(--accent-blue); display: flex; align-items: center; gap: 0.4rem; }
+  .file-group-title .count { font-size: 0.7rem; background: rgba(116, 192, 252, 0.12); color: var(--accent-blue); padding: 0.1rem 0.4rem; border-radius: 3px; }
+
+  .divider { border: none; border-top: 1px solid var(--border); margin: 2rem 0; }
+  .round-label { font-size: 0.7rem; color: var(--text-dim); text-transform: uppercase; letter-spacing: 0.1em; margin-bottom: 0.5rem; }
+</style>
+</head>
+<body>
+
+<h1>Drydock CI Pipeline Audit</h1>
+<p class="subtitle">March 2026 &mdash; lefthook + GitHub Actions &mdash; Round 1 + Round 2</p>
+
+<div class="summary">
+  <span class="chip chip-closed"><b>26</b> closed (round 1)</span>
+  <span class="chip chip-open"><b>4</b> new open (round 2)</span>
+  <span class="chip chip-wontfix"><b>1</b> won't fix</span>
+</div>
+
+<div class="toolbar">
+  <button type="button" class="active" data-filter="open" onclick="setFilter('open')">Open only</button>
+  <button type="button" data-filter="all" onclick="setFilter('all')">All</button>
+  <button type="button" data-filter="fixed" onclick="setFilter('fixed')">Closed</button>
+  <span class="spacer"></span>
+  <button type="button" data-view="concern" onclick="setView('concern')" class="active">By concern</button>
+  <button type="button" data-view="file" onclick="setView('file')">By file</button>
+  <span class="spacer"></span>
+  <button type="button" class="copy-all-btn" onclick="copyAllOpen()">Copy all open</button>
+</div>
+
+<div id="view-concern">
+
+<!-- ═══════════════════════════════════════ -->
+<!-- ROUND 2 — NEW FINDINGS                 -->
+<!-- ═══════════════════════════════════════ -->
+
+<div class="concern-section" data-concern="efficiency">
+  <div class="concern-header">
+    <span>CI Efficiency</span>
+    <button type="button" class="copy-group-btn" onclick="copyConcern('efficiency')">Copy open</button>
+  </div>
+
+  <div class="card" data-status="open" data-files="run-playwright-qa.sh" data-concern="efficiency">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">Playwright pre-push rebuilds Docker image every time</div>
+        <div class="card-body"><code>run-playwright-qa.sh</code> does a full <code>docker build</code> on every pre-push. No cache, no reuse. Adds 2-3+ min per push.</div>
+        <div class="card-detail"><em>Fix:</em> Skip rebuild if <code>drydock:dev</code> image already exists and source hasn't changed. Check <code>docker inspect</code> timestamp vs last git commit.</div>
+        <div class="card-footer">scripts/run-playwright-qa.sh:19</div>
+      </div>
+      <div class="card-actions">
+        <span class="severity sev-medium">med</span>
+        <span class="status status-open"><span class="dot dot-open"></span> Open</span>
+        <button type="button" class="copy-card-btn" onclick="copyCard(this)">Copy</button>
+      </div>
+    </div>
+  </div>
+
+  <div class="card" data-status="open" data-files="lefthook.yml" data-concern="efficiency">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">Playwright pre-push timeout too short for cold start</div>
+        <div class="card-body">Timeout is 10m but first run includes browser install + Docker build + tests = 12-15 min. Will kill the process before completion.</div>
+        <div class="card-detail"><em>Fix:</em> Increase to <code>15m</code> in lefthook.yml.</div>
+        <div class="card-footer">lefthook.yml:99</div>
+      </div>
+      <div class="card-actions">
+        <span class="severity sev-low">low</span>
+        <span class="status status-open"><span class="dot dot-open"></span> Open</span>
+        <button type="button" class="copy-card-btn" onclick="copyCard(this)">Copy</button>
+      </div>
+    </div>
+  </div>
+
+  <!-- Round 1 closed items -->
+  <div class="card" data-status="fixed" data-files="ci-verify.yml" data-concern="efficiency">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">Redundant Docker builds across jobs</div>
+        <div class="card-body">Playwright, DAST, load tests each rebuilt the image. ~3-5 min wasted/run.</div>
+        <div class="card-detail"><em>Fix:</em> Build job exports QA image as artifact. Consumers download + load.</div>
+        <div class="card-footer">H2 &middot; ci-verify.yml</div>
+      </div>
+      <div class="card-actions"><span class="status status-fixed"><span class="dot dot-fixed"></span> Closed</span></div>
+    </div>
+  </div>
+
+  <div class="card" data-status="fixed" data-files="ci-verify.yml" data-concern="efficiency">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">Qlty plugin downloads on every run</div>
+        <div class="card-body">~30s wasted per run, no caching.</div>
+        <div class="card-detail"><em>Fix:</em> <code>actions/cache</code> keyed to <code>qlty.toml</code> hash.</div>
+        <div class="card-footer">M10 &middot; ci-verify.yml</div>
+      </div>
+      <div class="card-actions"><span class="status status-fixed"><span class="dot dot-fixed"></span> Closed</span></div>
+    </div>
+  </div>
+
+  <div class="card" data-status="fixed" data-files="40-50-60" data-concern="efficiency">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">4 workflows firing on merge to main</div>
+        <div class="card-body">CodeQL, Fuzz, Scorecard triggered alongside CI Verify.</div>
+        <div class="card-detail"><em>Fix:</em> Dropped push:main. Kept schedule + PR only.</div>
+        <div class="card-footer">H2b &middot; 40/50/60 workflows</div>
+      </div>
+      <div class="card-actions"><span class="status status-fixed"><span class="dot dot-fixed"></span> Closed</span></div>
+    </div>
+  </div>
+
+  <div class="card" data-status="fixed" data-files="security-snyk-weekly.yml" data-concern="efficiency">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">Snyk container scan rebuilt image from scratch</div>
+        <div class="card-body">Weekly scan built without cache. ~5-10 min redundant.</div>
+        <div class="card-detail"><em>Fix:</em> Buildx + GHA cache.</div>
+        <div class="card-footer">security-snyk-weekly.yml</div>
+      </div>
+      <div class="card-actions"><span class="status status-fixed"><span class="dot dot-fixed"></span> Closed</span></div>
+    </div>
+  </div>
+</div>
+
+<div class="concern-section" data-concern="observability">
+  <div class="concern-header">
+    <span>Observability &amp; Artifacts</span>
+    <button type="button" class="copy-group-btn" onclick="copyConcern('observability')">Copy open</button>
+  </div>
+
+  <div class="card" data-status="open" data-files="ci-verify.yml" data-concern="observability">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">DAST findings not in job summary</div>
+        <div class="card-body">ZAP and Nuclei upload report artifacts but don't add anything to <code>GITHUB_STEP_SUMMARY</code>. Other jobs (lint, test, load) all write summaries.</div>
+        <div class="card-detail"><em>Fix:</em> Add summary step after each DAST scan: finding count + severity breakdown + link to artifact.</div>
+        <div class="card-footer">ci-verify.yml (dast-zap-baseline, dast-nuclei jobs)</div>
+      </div>
+      <div class="card-actions">
+        <span class="severity sev-low">low</span>
+        <span class="status status-open"><span class="dot dot-open"></span> Open</span>
+        <button type="button" class="copy-card-btn" onclick="copyCard(this)">Copy</button>
+      </div>
+    </div>
+  </div>
+
+  <div class="card" data-status="open" data-files="run-e2e-tests.sh" data-concern="observability">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">E2E port discovery fragile with IPv6</div>
+        <div class="card-body"><code>docker port ... | head -1 | cut -d: -f2</code> breaks if Docker returns IPv6 format <code>[::1]:12345</code>.</div>
+        <div class="card-detail"><em>Fix:</em> Use <code>awk -F: '{print $NF}'</code> or <code>docker inspect</code> format string to extract port reliably.</div>
+        <div class="card-footer">scripts/run-e2e-tests.sh:62</div>
+      </div>
+      <div class="card-actions">
+        <span class="severity sev-low">low</span>
+        <span class="status status-open"><span class="dot dot-open"></span> Open</span>
+        <button type="button" class="copy-card-btn" onclick="copyCard(this)">Copy</button>
+      </div>
+    </div>
+  </div>
+
+  <!-- Round 1 closed items -->
+  <div class="card" data-status="fixed" data-files="lefthook.yml,run-playwright-qa.sh" data-concern="observability">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">Playwright pre-push had no runner script</div>
+        <div class="card-detail"><em>Fix:</em> Added <code>run-playwright-qa.sh</code> with full lifecycle.</div>
+        <div class="card-footer">C3</div>
+      </div>
+      <div class="card-actions"><span class="status status-fixed"><span class="dot dot-fixed"></span> Closed</span></div>
+    </div>
+  </div>
+
+  <div class="card" data-status="fixed" data-files="ci-verify.yml" data-concern="observability">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">Dependency review only on PRs</div>
+        <div class="card-detail"><em>Fix:</em> PR + push with base-ref/head-ref.</div>
+        <div class="card-footer">M1</div>
+      </div>
+      <div class="card-actions"><span class="status status-fixed"><span class="dot dot-fixed"></span> Closed</span></div>
+    </div>
+  </div>
+
+  <div class="card" data-status="fixed" data-files="qlty-smells-gate.mjs" data-concern="observability">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">Qlty smells had no artifact output</div>
+        <div class="card-detail"><em>Fix:</em> SARIF + markdown summary uploaded.</div>
+        <div class="card-footer">M7</div>
+      </div>
+      <div class="card-actions"><span class="status status-fixed"><span class="dot dot-fixed"></span> Closed</span></div>
+    </div>
+  </div>
+
+  <div class="card" data-status="fixed" data-files="50-security-fuzz.yml" data-concern="observability">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">Fuzz failures were silent</div>
+        <div class="card-detail"><em>Fix:</em> Artifact log + job summary + auto GitHub issue.</div>
+        <div class="card-footer">M9</div>
+      </div>
+      <div class="card-actions"><span class="status status-fixed"><span class="dot dot-fixed"></span> Closed</span></div>
+    </div>
+  </div>
+
+  <div class="card" data-status="fixed" data-files="run-e2e-tests.sh" data-concern="observability">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">E2E lock PID check used kill -0</div>
+        <div class="card-detail"><em>Fix:</em> <code>ps -p</code> with numeric guard.</div>
+        <div class="card-footer">H11</div>
+      </div>
+      <div class="card-actions"><span class="status status-fixed"><span class="dot dot-fixed"></span> Closed</span></div>
+    </div>
+  </div>
+
+  <div class="card" data-status="fixed" data-files="security-snyk-weekly.yml" data-concern="observability">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">Snyk CLI version pinned inline in 4 places</div>
+        <div class="card-detail"><em>Fix:</em> Single workflow-level env var.</div>
+        <div class="card-footer">security-snyk-weekly.yml</div>
+      </div>
+      <div class="card-actions"><span class="status status-fixed"><span class="dot dot-fixed"></span> Closed</span></div>
+    </div>
+  </div>
+
+  <div class="card" data-status="fixed" data-files="ci-verify.yml" data-concern="observability">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">Load test baselines via fragile API search</div>
+        <div class="card-detail"><em>Fix:</em> Committed baseline file at <code>test/load-test-baselines/ci.json</code>.</div>
+        <div class="card-footer">ci-verify.yml</div>
+      </div>
+      <div class="card-actions"><span class="status status-fixed"><span class="dot dot-fixed"></span> Closed</span></div>
+    </div>
+  </div>
+
+  <div class="card" data-status="fixed" data-files="extract-changelog-entry.mjs" data-concern="observability">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">Changelog extraction didn't validate date format</div>
+        <div class="card-detail"><em>Fix:</em> YYYY-MM-DD strict validation.</div>
+        <div class="card-footer">extract-changelog-entry.mjs</div>
+      </div>
+      <div class="card-actions"><span class="status status-fixed"><span class="dot dot-fixed"></span> Closed</span></div>
+    </div>
+  </div>
+</div>
+
+<div class="concern-section" data-concern="release">
+  <div class="concern-header">
+    <span>Release Integrity</span>
+    <button type="button" class="copy-group-btn" onclick="copyConcern('release')">Copy open</button>
+  </div>
+
+  <!-- All round 1 closed -->
+  <div class="card" data-status="fixed" data-files="release-from-tag.yml" data-concern="release">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">Auto-tag re-ran full CI recursively</div>
+        <div class="card-detail"><em>Fix:</em> SHA-based verification gate.</div>
+        <div class="card-footer">C2</div>
+      </div>
+      <div class="card-actions"><span class="status status-fixed"><span class="dot dot-fixed"></span> Closed</span></div>
+    </div>
+  </div>
+
+  <div class="card" data-status="fixed" data-files="release-cut.yml,release-from-tag.yml" data-concern="release">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">Release cut didn't verify prior CI</div>
+        <div class="card-detail"><em>Fix:</em> SHA verification in both workflows.</div>
+        <div class="card-footer">H1</div>
+      </div>
+      <div class="card-actions"><span class="status status-fixed"><span class="dot dot-fixed"></span> Closed</span></div>
+    </div>
+  </div>
+
+  <div class="card" data-status="fixed" data-files="release-from-tag.yml" data-concern="release">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">Release retry rebuilt from scratch</div>
+        <div class="card-detail"><em>Fix:</em> Manifest-only re-publish.</div>
+        <div class="card-footer">H12</div>
+      </div>
+      <div class="card-actions"><span class="status status-fixed"><span class="dot dot-fixed"></span> Closed</span></div>
+    </div>
+  </div>
+
+  <div class="card" data-status="fixed" data-files="release-cut.yml" data-concern="release">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">CHANGELOG entry validation before release</div>
+        <div class="card-detail"><em>Fix:</em> Validation step before tag creation.</div>
+        <div class="card-footer">M14</div>
+      </div>
+      <div class="card-actions"><span class="status status-fixed"><span class="dot dot-fixed"></span> Closed</span></div>
+    </div>
+  </div>
+
+  <div class="card" data-status="fixed" data-files="release-from-tag.yml" data-concern="release">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">package.json version must match tag</div>
+        <div class="card-detail"><em>Fix:</em> Assertion compares base version across root/app/ui package.json.</div>
+        <div class="card-footer">L5</div>
+      </div>
+      <div class="card-actions"><span class="status status-fixed"><span class="dot dot-fixed"></span> Closed</span></div>
+    </div>
+  </div>
+
+  <div class="card" data-status="fixed" data-files="release-cut.yml,release-from-tag.yml" data-concern="release">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">Workflow filename hardcoded in release polling</div>
+        <div class="card-detail"><em>Fix:</em> Dynamic resolution via API + pre-flight validation.</div>
+        <div class="card-footer">20/30 workflows</div>
+      </div>
+      <div class="card-actions"><span class="status status-fixed"><span class="dot dot-fixed"></span> Closed</span></div>
+    </div>
+  </div>
+</div>
+
+<div class="concern-section" data-concern="gates">
+  <div class="concern-header">
+    <span>Gates &amp; Blocking</span>
+    <button type="button" class="copy-group-btn" onclick="copyConcern('gates')">Copy open</button>
+  </div>
+
+  <!-- All round 1 closed -->
+  <div class="card" data-status="fixed" data-files="ci-verify.yml,lefthook.yml" data-concern="gates">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">Zizmor was non-blocking</div>
+        <div class="card-detail"><em>Fix:</em> Blocking in CI + local. Fails with install instructions.</div>
+        <div class="card-footer">H4</div>
+      </div>
+      <div class="card-actions"><span class="status status-fixed"><span class="dot dot-fixed"></span> Closed</span></div>
+    </div>
+  </div>
+
+  <div class="card" data-status="fixed" data-files="security-snyk-weekly.yml" data-concern="gates">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">Snyk quota gate didn't block scan jobs</div>
+        <div class="card-detail"><em>Fix:</em> <code>if: needs.quota-plan.result == 'success'</code>.</div>
+        <div class="card-footer">H3</div>
+      </div>
+      <div class="card-actions"><span class="status status-fixed"><span class="dot dot-fixed"></span> Closed</span></div>
+    </div>
+  </div>
+
+  <div class="card" data-status="fixed" data-files="security-snyk-weekly.yml" data-concern="gates">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">Snyk Code had continue-on-error</div>
+        <div class="card-detail"><em>Fix:</em> Removed. Weekly run is blocking.</div>
+        <div class="card-footer">H10</div>
+      </div>
+      <div class="card-actions"><span class="status status-fixed"><span class="dot dot-fixed"></span> Closed</span></div>
+    </div>
+  </div>
+
+  <div class="card" data-status="fixed" data-files="lefthook.yml" data-concern="gates">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">Clean-tree gate blocked on untracked files</div>
+        <div class="card-detail"><em>Fix:</em> <code>git diff --quiet</code> &mdash; tracked changes only.</div>
+        <div class="card-footer">H8</div>
+      </div>
+      <div class="card-actions"><span class="status status-fixed"><span class="dot dot-fixed"></span> Closed</span></div>
+    </div>
+  </div>
+
+  <div class="card" data-status="fixed" data-files="all-workflows" data-concern="gates">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">No job timeouts</div>
+        <div class="card-detail"><em>Fix:</em> <code>timeout-minutes</code> on all 26 jobs.</div>
+        <div class="card-footer">M2</div>
+      </div>
+      <div class="card-actions"><span class="status status-fixed"><span class="dot dot-fixed"></span> Closed</span></div>
+    </div>
+  </div>
+
+  <div class="card" data-status="fixed" data-files="check-load-test-regression.sh" data-concern="gates">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">No absolute perf ceiling</div>
+        <div class="card-detail"><em>Fix:</em> p95 &le; 1200ms, p99 &le; 2500ms, rate &ge; 10/s.</div>
+        <div class="card-footer">M8</div>
+      </div>
+      <div class="card-actions"><span class="status status-fixed"><span class="dot dot-fixed"></span> Closed</span></div>
+    </div>
+  </div>
+
+  <div class="card" data-status="fixed" data-files="ci-verify.yml,validate-commit-range.mjs" data-concern="gates">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">Commit message validation missing from CI</div>
+        <div class="card-detail"><em>Fix:</em> PR commit range validator + required status check.</div>
+        <div class="card-footer">ci-verify.yml + validate-commit-range.mjs</div>
+      </div>
+      <div class="card-actions"><span class="status status-fixed"><span class="dot dot-fixed"></span> Closed</span></div>
+    </div>
+  </div>
+</div>
+
+<div class="concern-section" data-concern="hardening">
+  <div class="concern-header">
+    <span>Hardening &amp; Config</span>
+    <button type="button" class="copy-group-btn" onclick="copyConcern('hardening')">Copy open</button>
+  </div>
+
+  <div class="card" data-status="fixed" data-files="snyk-quota-config.json,snyk-quota-plan.mjs" data-concern="hardening">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">Snyk quota limits hardcoded in script</div>
+        <div class="card-detail"><em>Fix:</em> Single config file <code>snyk-quota-config.json</code>.</div>
+        <div class="card-footer">security-snyk-weekly.yml + scripts/</div>
+      </div>
+      <div class="card-actions"><span class="status status-fixed"><span class="dot dot-fixed"></span> Closed</span></div>
+    </div>
+  </div>
+</div>
+
+<div class="concern-section" data-concern="decisions">
+  <div class="concern-header"><span>Decisions</span></div>
+
+  <div class="card" data-status="wontfix" data-files="" data-concern="decisions">
+    <div class="card-row">
+      <div class="card-content">
+        <div class="card-title">Snyk as release-cut prerequisite</div>
+        <div class="card-body">Weekly scan sufficient. Hard-gating would block emergency hotfixes.</div>
+        <div class="card-footer">H3 note</div>
+      </div>
+      <div class="card-actions"><span class="status status-wontfix"><span class="dot dot-wontfix"></span> Won't fix</span></div>
+    </div>
+  </div>
+</div>
+
+</div><!-- end view-concern -->
+
+<div id="view-file" class="hidden"></div>
+
+<script>
+function getCardMarkdown(card) {
+  const title = card.querySelector('.card-title').textContent.trim();
+  const body = card.querySelector('.card-body');
+  const footer = card.querySelector('.card-footer').textContent.trim();
+  const detail = card.querySelector('.card-detail');
+  const sev = card.querySelector('.severity');
+  let md = `### ${title}`;
+  if (sev) md += ` [${sev.textContent.trim()}]`;
+  md += `\n> ${footer}\n\n`;
+  if (body) md += `${body.textContent.trim()}\n\n`;
+  if (detail) md += `${detail.textContent.trim()}\n\n`;
+  return md;
+}
+
+function copyCard(btn) {
+  const card = btn.closest('.card');
+  navigator.clipboard.writeText(getCardMarkdown(card)).then(() => {
+    btn.textContent = 'Copied!'; btn.classList.add('copied');
+    setTimeout(() => { btn.textContent = 'Copy'; btn.classList.remove('copied'); }, 1500);
+  });
+}
+
+function copyConcern(concern) {
+  const section = document.querySelector(`.concern-section[data-concern="${concern}"]`);
+  const cards = section.querySelectorAll('.card[data-status="open"]');
+  if (!cards.length) return;
+  const heading = section.querySelector('.concern-header span').textContent.trim();
+  let md = `## ${heading}\n\n`;
+  cards.forEach(c => md += getCardMarkdown(c));
+  const btn = section.querySelector('.copy-group-btn');
+  navigator.clipboard.writeText(md).then(() => {
+    btn.textContent = 'Copied!'; btn.classList.add('copied');
+    setTimeout(() => { btn.textContent = 'Copy open'; btn.classList.remove('copied'); }, 1500);
+  });
+}
+
+function copyAllOpen() {
+  const cards = document.querySelectorAll('#view-concern .card[data-status="open"]');
+  let md = '# Drydock CI Audit — Open Items (Round 2)\n\n';
+  let cur = '';
+  cards.forEach(c => {
+    const s = c.closest('.concern-section').querySelector('.concern-header span').textContent.trim();
+    if (s !== cur) { cur = s; md += `## ${s}\n\n`; }
+    md += getCardMarkdown(c);
+  });
+  const btn = document.querySelector('.copy-all-btn');
+  navigator.clipboard.writeText(md).then(() => {
+    btn.textContent = 'Copied!'; btn.classList.add('copied');
+    setTimeout(() => { btn.textContent = 'Copy all open'; btn.classList.remove('copied'); }, 1500);
+  });
+}
+
+let currentFilter = 'open';
+function setFilter(f) {
+  currentFilter = f;
+  document.querySelectorAll('.toolbar button[data-filter]').forEach(b => b.classList.toggle('active', b.dataset.filter === f));
+  applyFilter();
+}
+function applyFilter() {
+  document.querySelectorAll('.card').forEach(c => {
+    const s = c.dataset.status;
+    if (currentFilter === 'all') c.classList.remove('hidden');
+    else if (currentFilter === 'open') c.classList.toggle('hidden', s !== 'open');
+    else if (currentFilter === 'fixed') c.classList.toggle('hidden', s !== 'fixed' && s !== 'wontfix');
+  });
+  document.querySelectorAll('.concern-section, .file-group').forEach(sec => {
+    sec.classList.toggle('hidden', sec.querySelectorAll('.card:not(.hidden)').length === 0);
+  });
+}
+
+function setView(v) {
+  document.querySelectorAll('.toolbar button[data-view]').forEach(b => b.classList.toggle('active', b.dataset.view === v));
+  document.getElementById('view-concern').classList.toggle('hidden', v !== 'concern');
+  document.getElementById('view-file').classList.toggle('hidden', v !== 'file');
+  if (v === 'file') buildFileView();
+  applyFilter();
+}
+
+function buildFileView() {
+  const container = document.getElementById('view-file');
+  if (container.children.length > 0) return;
+  const fileMap = new Map();
+  document.querySelectorAll('#view-concern .card').forEach(card => {
+    (card.dataset.files || 'other').split(',').forEach(f => {
+      f = f.trim(); if (!f) return;
+      if (!fileMap.has(f)) fileMap.set(f, []);
+      fileMap.get(f).push(card.cloneNode(true));
+    });
+  });
+  [...fileMap.entries()]
+    .sort((a, b) => {
+      const ao = a[1].filter(c => c.dataset.status === 'open').length;
+      const bo = b[1].filter(c => c.dataset.status === 'open').length;
+      return bo !== ao ? bo - ao : a[0].localeCompare(b[0]);
+    })
+    .forEach(([file, cards]) => {
+      const oc = cards.filter(c => c.dataset.status === 'open').length;
+      const g = document.createElement('div'); g.className = 'file-group';
+      const h = document.createElement('div'); h.className = 'file-group-header';
+      h.innerHTML = `<span class="file-group-title">${file}${oc ? ` <span class="count">${oc} open</span>` : ''}</span><button type="button" class="copy-group-btn" onclick="copyFileGroup(this,'${file}')">Copy open</button>`;
+      g.appendChild(h);
+      cards.forEach(c => { const b = c.querySelector('.copy-card-btn'); if (b) b.setAttribute('onclick','copyCard(this)'); g.appendChild(c); });
+      container.appendChild(g);
+    });
+}
+
+function copyFileGroup(btn, file) {
+  const cards = btn.closest('.file-group').querySelectorAll('.card[data-status="open"]');
+  if (!cards.length) return;
+  let md = `## ${file}\n\n`;
+  cards.forEach(c => md += getCardMarkdown(c));
+  navigator.clipboard.writeText(md).then(() => {
+    btn.textContent = 'Copied!'; btn.classList.add('copied');
+    setTimeout(() => { btn.textContent = 'Copy open'; btn.classList.remove('copied'); }, 1500);
+  });
+}
+
+applyFilter();
+</script>
+</body>
+</html>
diff --git a/docs/ci-flow.html b/docs/ci-flow.html
new file mode 100644
index 000000000..3e40bfc4d
--- /dev/null
+++ b/docs/ci-flow.html
@@ -0,0 +1,385 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Drydock CI Pipeline</title>
+<style>
+*{margin:0;padding:0;box-sizing:border-box}
+body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',sans-serif;background:#fafafa;color:#1a1a1a;overflow-x:auto}
+
+/* Canvas */
+.canvas{min-width:1400px;padding:48px 48px 64px}
+
+/* Header */
+header{margin-bottom:40px}
+header h1{font-size:32px;font-weight:700;letter-spacing:-0.5px;color:#111}
+header p{font-size:14px;color:#666;margin-top:4px}
+
+/* Legend */
+.legend{display:flex;gap:24px;margin-bottom:36px;flex-wrap:wrap}
+.legend-item{display:flex;align-items:center;gap:6px;font-size:12px;color:#666;font-weight:500}
+.legend-dot{width:10px;height:10px;border-radius:3px}
+
+/* Swimlanes */
+.swimlane{display:flex;align-items:stretch;margin-bottom:2px;min-height:120px}
+.swimlane-label{
+  width:140px;flex-shrink:0;
+  display:flex;align-items:center;justify-content:center;
+  font-size:11px;font-weight:700;text-transform:uppercase;letter-spacing:1px;
+  color:#fff;border-radius:8px 0 0 8px;
+  writing-mode:horizontal-tb;text-align:center;padding:12px 8px;
+}
+.swimlane-content{
+  flex:1;display:flex;align-items:center;gap:12px;
+  padding:16px 24px;
+  background:#fff;border:1px solid #e5e5e5;border-left:none;
+  border-radius:0 8px 8px 0;
+  flex-wrap:wrap;position:relative;
+}
+
+/* Lane colors */
+.lane-commit .swimlane-label{background:#10b981}
+.lane-push .swimlane-label{background:#3b82f6}
+.lane-ci .swimlane-label{background:#6366f1}
+.lane-release .swimlane-label{background:#ec4899}
+.lane-schedule .swimlane-label{background:#8b5cf6}
+.lane-manual .swimlane-label{background:#f59e0b}
+
+/* Nodes */
+.node{
+  display:inline-flex;align-items:center;gap:8px;
+  padding:8px 14px;border-radius:8px;
+  font-size:12px;font-weight:600;
+  white-space:nowrap;position:relative;
+  border:2px solid;
+  transition:transform .15s,box-shadow .15s;
+  cursor:default;
+}
+.node:hover{transform:translateY(-2px);box-shadow:0 4px 12px rgba(0,0,0,.1)}
+.node .emoji{font-size:15px}
+.node-sub{font-size:10px;color:#666;font-weight:400;display:block;margin-top:1px}
+
+/* Node types */
+.n-block{background:#dcfce7;border-color:#86efac;color:#166534}
+.n-advisory{background:#fef9c3;border-color:#fde047;color:#854d0e}
+.n-conditional{background:#dbeafe;border-color:#93c5fd;color:#1e40af}
+.n-paid{background:#f3e8ff;border-color:#c4b5fd;color:#5b21b6}
+.n-action{background:#fce7f3;border-color:#f9a8d4;color:#9d174d}
+
+/* Arrows between nodes */
+.arrow{
+  display:flex;align-items:center;flex-shrink:0;
+  color:#d1d5db;font-size:18px;
+}
+.arrow svg{width:24px;height:24px}
+
+/* Separator between lanes */
+.lane-sep{
+  display:flex;align-items:center;justify-content:center;
+  padding:6px 0 6px 140px;
+}
+.lane-sep-line{
+  flex:1;height:0;border-top:2px dashed #e5e5e5;
+}
+.lane-sep-label{
+  padding:2px 16px;font-size:11px;font-weight:600;color:#999;
+  background:#fafafa;white-space:nowrap;
+}
+
+/* Group box */
+.group{
+  display:flex;flex-wrap:wrap;align-items:center;gap:8px;
+  padding:10px 14px;border-radius:10px;
+  border:1px dashed #d1d5db;background:rgba(0,0,0,.015);
+}
+.group-label{
+  width:100%;font-size:10px;font-weight:700;text-transform:uppercase;
+  letter-spacing:0.8px;color:#999;margin-bottom:2px;
+}
+
+/* Info cards at bottom */
+.info-row{display:flex;gap:16px;margin-top:36px;flex-wrap:wrap}
+.info-card{
+  flex:1;min-width:280px;
+  background:#fff;border:1px solid #e5e5e5;border-radius:12px;
+  padding:20px;
+}
+.info-card h3{font-size:13px;font-weight:700;text-transform:uppercase;letter-spacing:0.5px;color:#999;margin-bottom:10px}
+.info-card ul{list-style:none;padding:0}
+.info-card li{font-size:13px;color:#444;padding:4px 0;border-bottom:1px solid #f5f5f5;display:flex;gap:8px}
+.info-card li:last-child{border-bottom:none}
+.info-card li .label{color:#999;font-size:11px;min-width:80px;flex-shrink:0;font-weight:600}
+
+/* Schedule mini table */
+.sched{width:100%;font-size:12px;border-collapse:collapse}
+.sched th{text-align:left;padding:6px 8px;border-bottom:2px solid #eee;color:#999;font-weight:600;font-size:10px;text-transform:uppercase;letter-spacing:0.5px}
+.sched td{padding:6px 8px;border-bottom:1px solid #f5f5f5;color:#444}
+.sched tr:last-child td{border-bottom:none}
+.sched .dot{display:inline-block;width:8px;height:8px;border-radius:2px;margin-right:6px}
+</style>
+</head>
+<body>
+<div class="canvas">
+
+<header>
+  <h1>Drydock CI Pipeline</h1>
+  <p>Commit &rarr; Push &rarr; PR &rarr; Merge &rarr; Release &mdash; updated 2026-03-16</p>
+</header>
+
+<div class="legend">
+  <div class="legend-item"><div class="legend-dot" style="background:#86efac"></div> Blocking</div>
+  <div class="legend-item"><div class="legend-dot" style="background:#fde047"></div> Advisory</div>
+  <div class="legend-item"><div class="legend-dot" style="background:#93c5fd"></div> Conditional</div>
+  <div class="legend-item"><div class="legend-dot" style="background:#c4b5fd"></div> Paid / Quota</div>
+  <div class="legend-item"><div class="legend-dot" style="background:#f9a8d4"></div> Action / Output</div>
+  <div class="legend-item" style="margin-left:auto;opacity:.6"><span style="font-size:11px">Arrows = sequential &nbsp;|&nbsp; Grouped = parallel</span></div>
+</div>
+
+<!-- ═══════════════════════ COMMIT ═══════════════════════ -->
+<div class="swimlane lane-commit">
+  <div class="swimlane-label">Commit</div>
+  <div class="swimlane-content">
+    <div class="node n-block"><span class="emoji">💬</span> Commit message format<span class="node-sub">gitmoji + conventional</span></div>
+    <div class="arrow"><svg aria-hidden="true" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M5 12h14m-4-4 4 4-4 4"/></svg></div>
+    <div class="node n-block"><span class="emoji">🔧</span> Biome fix + format<span class="node-sub">auto-fix, re-stage</span></div>
+    <div class="arrow"><svg aria-hidden="true" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M5 12h14m-4-4 4 4-4 4"/></svg></div>
+    <div class="node n-block"><span class="emoji">📊</span> Per-file coverage<span class="node-sub">100% on staged files</span></div>
+  </div>
+</div>
+
+<div class="lane-sep"><div class="lane-sep-line"></div><div class="lane-sep-label">git push</div><div class="lane-sep-line"></div></div>
+
+<!-- ═══════════════════════ PUSH ═══════════════════════ -->
+<div class="swimlane lane-push">
+  <div class="swimlane-label">Pre-push</div>
+  <div class="swimlane-content">
+    <div class="node n-block"><span class="emoji">🌳</span> Clean tree<span class="node-sub">no uncommitted changes</span></div>
+    <div class="arrow"><svg aria-hidden="true" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M5 12h14m-4-4 4 4-4 4"/></svg></div>
+
+    <div class="group">
+      <div class="group-label">Lint gate ~1 min (sequential)</div>
+      <div class="node n-block"><span class="emoji">🚫</span> ts-nocheck</div>
+      <div class="arrow"><svg aria-hidden="true" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M5 12h14m-4-4 4 4-4 4"/></svg></div>
+      <div class="node n-block"><span class="emoji">🔧</span> Biome</div>
+      <div class="arrow"><svg aria-hidden="true" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M5 12h14m-4-4 4 4-4 4"/></svg></div>
+      <div class="node n-block"><span class="emoji">🔍</span> Qlty gate</div>
+    </div>
+    <div class="arrow"><svg aria-hidden="true" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M5 12h14m-4-4 4 4-4 4"/></svg></div>
+
+    <div class="node n-advisory"><span class="emoji">👃</span> Qlty smells<span class="node-sub">complexity / duplication</span></div>
+    <div class="arrow"><svg aria-hidden="true" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M5 12h14m-4-4 4 4-4 4"/></svg></div>
+
+    <div class="group">
+      <div class="group-label">Build + Test ~45s (parallel)</div>
+      <div class="node n-block"><span class="emoji">⚙️</span> app: tsc + vitest</div>
+      <div class="node n-block"><span class="emoji">🎨</span> ui: vite + vitest</div>
+    </div>
+    <div class="arrow"><svg aria-hidden="true" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M5 12h14m-4-4 4 4-4 4"/></svg></div>
+
+    <div class="group">
+      <div class="group-label">E2E ~10 min (sequential)</div>
+      <div class="node n-block"><span class="emoji">🥒</span> Cucumber</div>
+      <div class="arrow"><svg aria-hidden="true" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M5 12h14m-4-4 4 4-4 4"/></svg></div>
+      <div class="node n-block"><span class="emoji">🎭</span> Playwright<span class="node-sub">builds image</span></div>
+    </div>
+    <div class="arrow"><svg aria-hidden="true" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M5 12h14m-4-4 4 4-4 4"/></svg></div>
+
+    <div class="node n-block"><span class="emoji">🔐</span> Zizmor<span class="node-sub">blocks, requires install</span></div>
+  </div>
+</div>
+
+<div class="lane-sep"><div class="lane-sep-line"></div><div class="lane-sep-label">PR opened / push to main or release</div><div class="lane-sep-line"></div></div>
+
+<!-- ═══════════════════════ CI ═══════════════════════ -->
+<div class="swimlane lane-ci">
+  <div class="swimlane-label">CI Verify</div>
+  <div class="swimlane-content" style="flex-direction:column;align-items:stretch;gap:12px">
+
+    <div style="display:flex;gap:12px;align-items:center;flex-wrap:wrap">
+      <div class="group" style="flex:1">
+        <div class="group-label">Immediate start (parallel)</div>
+        <div class="node n-block"><span class="emoji">🔐</span> Zizmor</div>
+        <div class="node n-conditional"><span class="emoji">📦</span> Dep Review<span class="node-sub">PR + main push</span></div>
+        <div class="node n-conditional"><span class="emoji">💬</span> Commit Msg Gate<span class="node-sub">PR only</span></div>
+        <div class="node n-block"><span class="emoji">🧹</span> Lint + Smells</div>
+        <div class="node n-block"><span class="emoji">🧪</span> Test + Codecov</div>
+        <div class="node n-block"><span class="emoji">🏗️</span> Build<span class="node-sub">UI + Docker + QA artifact</span></div>
+      </div>
+    </div>
+
+    <div style="display:flex;gap:8px;align-items:center;padding-left:8px">
+      <svg aria-hidden="true" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="#d1d5db" stroke-width="2"><path d="M12 5v14m-4-4 4 4 4-4"/></svg>
+      <span style="font-size:11px;color:#999;font-weight:600">needs: build</span>
+    </div>
+
+    <div style="display:flex;gap:12px;align-items:center;flex-wrap:wrap">
+      <div class="group" style="flex:1">
+        <div class="group-label">After build (parallel)</div>
+        <div class="node n-block"><span class="emoji">🥒</span> E2E Cucumber</div>
+        <div class="node n-block"><span class="emoji">🎭</span> Playwright<span class="node-sub">loads QA artifact</span></div>
+        <div class="node n-conditional"><span class="emoji">🔬</span> DAST ZAP<span class="node-sub">release/* only</span></div>
+        <div class="node n-conditional"><span class="emoji">☢️</span> DAST Nuclei<span class="node-sub">release/* only</span></div>
+        <div class="node n-advisory"><span class="emoji">📊</span> Load Smoke<span class="node-sub">PR only, advisory</span></div>
+        <div class="node n-block"><span class="emoji">📈</span> Load CI<span class="node-sub">push only, enforced baseline</span></div>
+      </div>
+    </div>
+
+    <div style="display:flex;gap:8px;align-items:center;padding-left:8px">
+      <svg aria-hidden="true" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="#d1d5db" stroke-width="2"><path d="M12 5v14m-4-4 4 4 4-4"/></svg>
+      <span style="font-size:11px;color:#999;font-weight:600">all green on main &rarr;</span>
+    </div>
+
+    <div style="display:flex;gap:12px;align-items:center;flex-wrap:wrap">
+      <div class="node n-action"><span class="emoji">🏷️</span> Auto Tag<span class="node-sub">analyze commits &rarr; semver bump &rarr; push tag</span></div>
+    </div>
+
+  </div>
+</div>
+
+<div class="lane-sep"><div class="lane-sep-line"></div><div class="lane-sep-label">tag v* pushed (auto or manual cut)</div><div class="lane-sep-line"></div></div>
+
+<!-- ═══════════════════════ RELEASE ═══════════════════════ -->
+<div class="swimlane lane-release">
+  <div class="swimlane-label">Release</div>
+  <div class="swimlane-content">
+    <div class="group">
+      <div class="group-label">Pre-flight gates (sequential)</div>
+      <div class="node n-block"><span class="emoji">🔢</span> Version assert<span class="node-sub">tag vs package.json</span></div>
+      <div class="arrow"><svg aria-hidden="true" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M5 12h14m-4-4 4 4-4 4"/></svg></div>
+      <div class="node n-block"><span class="emoji">✅</span> Verify CI<span class="node-sub">dynamic workflow lookup</span></div>
+    </div>
+    <div class="arrow"><svg aria-hidden="true" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M5 12h14m-4-4 4 4-4 4"/></svg></div>
+
+    <div class="group">
+      <div class="group-label">Build + Publish</div>
+      <div class="node n-action"><span class="emoji">🐳</span> Multi-arch<span class="node-sub">amd64 + arm64</span></div>
+      <div class="node n-action"><span class="emoji">📦</span> Push registries<span class="node-sub">GHCR + Hub + Quay</span></div>
+    </div>
+    <div class="arrow"><svg aria-hidden="true" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M5 12h14m-4-4 4 4-4 4"/></svg></div>
+
+    <div class="group">
+      <div class="group-label">Sign + Attest</div>
+      <div class="node n-action"><span class="emoji">📜</span> SBOM</div>
+      <div class="node n-action"><span class="emoji">🔏</span> Cosign + verify</div>
+      <div class="node n-action"><span class="emoji">🛡️</span> SLSA provenance</div>
+    </div>
+    <div class="arrow"><svg aria-hidden="true" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M5 12h14m-4-4 4 4-4 4"/></svg></div>
+
+    <div class="group">
+      <div class="group-label">GitHub Release</div>
+      <div class="node n-block"><span class="emoji">📋</span> CHANGELOG gate<span class="node-sub">required for stable + RC</span></div>
+      <div class="node n-action"><span class="emoji">📝</span> Notes from CHANGELOG</div>
+      <div class="node n-action"><span class="emoji">📎</span> Archives + signatures</div>
+      <div class="node n-conditional"><span class="emoji">🏷️</span> RC prerelease<span class="node-sub">--prerelease on *-rc.*</span></div>
+    </div>
+  </div>
+</div>
+
+<div class="lane-sep"><div class="lane-sep-line"></div><div class="lane-sep-label">manual override</div><div class="lane-sep-line"></div></div>
+
+<!-- ═══════════════════════ MANUAL ═══════════════════════ -->
+<div class="swimlane lane-manual">
+  <div class="swimlane-label">Manual Cut</div>
+  <div class="swimlane-content">
+    <div class="node n-block"><span class="emoji">✅</span> Verify CI passed<span class="node-sub">dynamic workflow lookup</span></div>
+    <div class="arrow"><svg aria-hidden="true" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M5 12h14m-4-4 4 4-4 4"/></svg></div>
+    <div class="node n-action"><span class="emoji">🔢</span> Infer or specify bump</div>
+    <div class="arrow"><svg aria-hidden="true" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M5 12h14m-4-4 4 4-4 4"/></svg></div>
+    <div class="node n-block"><span class="emoji">📋</span> CHANGELOG gate<span class="node-sub">non-empty entry required</span></div>
+    <div class="arrow"><svg aria-hidden="true" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M5 12h14m-4-4 4 4-4 4"/></svg></div>
+    <div class="node n-action"><span class="emoji">🏷️</span> Create + push tag<span class="node-sub">triggers Release lane</span></div>
+  </div>
+</div>
+
+<div class="lane-sep"><div class="lane-sep-line"></div><div class="lane-sep-label">weekly / on-demand</div><div class="lane-sep-line"></div></div>
+
+<!-- ═══════════════════════ SCHEDULED ═══════════════════════ -->
+<div class="swimlane lane-schedule">
+  <div class="swimlane-label">Scheduled</div>
+  <div class="swimlane-content" style="padding:12px 20px">
+    <table class="sched">
+      <thead><tr><th></th><th>Scan</th><th>When</th><th>Also runs on</th><th>Gate</th></tr></thead>
+      <tbody>
+        <tr><td><span class="dot" style="background:#86efac"></span></td><td>CodeQL SAST</td><td>Mon 06:30</td><td>PRs</td><td>Blocking</td></tr>
+        <tr><td><span class="dot" style="background:#86efac"></span></td><td>Fuzz Testing</td><td>Sun 06:00</td><td>PRs</td><td>Blocking</td></tr>
+        <tr><td><span class="dot" style="background:#fde047"></span></td><td>OpenSSF Scorecard</td><td>Mon 06:00</td><td>branch protection</td><td>Advisory</td></tr>
+        <tr><td><span class="dot" style="background:#fde047"></span></td><td>Mutation (Stryker)</td><td>Tue 06:15</td><td>manual dispatch</td><td>Advisory</td></tr>
+        <tr><td><span class="dot" style="background:#c4b5fd"></span></td><td>Snyk Open Source</td><td>Mon 07:15</td><td>manual (main)</td><td>Blocking (quota-gated)</td></tr>
+        <tr><td><span class="dot" style="background:#c4b5fd"></span></td><td>Snyk Code SAST</td><td>Mon 07:15</td><td>manual (main)</td><td>Blocking (quota-gated)</td></tr>
+        <tr><td><span class="dot" style="background:#c4b5fd"></span></td><td>Snyk Container</td><td>Mon 07:15</td><td>manual (main)</td><td>Blocking (quota-gated)</td></tr>
+        <tr><td><span class="dot" style="background:#c4b5fd"></span></td><td>Snyk IaC</td><td>Mon 07:15</td><td>manual (main)</td><td>Blocking (quota-gated)</td></tr>
+      </tbody>
+    </table>
+  </div>
+</div>
+
+<!-- ═══════════════════════ INFO CARDS ═══════════════════════ -->
+<div class="info-row">
+  <div class="info-card">
+    <h3>Gate Layering</h3>
+    <ul>
+      <li><span class="label">Commit</span> Format + per-file coverage (staged only)</li>
+      <li><span class="label">Push</span> Clean tree + full lint + build + test + E2E + Zizmor</li>
+      <li><span class="label">PR</span> + dep review + commit msg gate + load smoke</li>
+      <li><span class="label">Merge</span> + enforced load test (committed baseline) + auto-tag</li>
+      <li><span class="label">Release</span> Version assert &rarr; CI verify &rarr; build &rarr; sign &rarr; CHANGELOG gate &rarr; publish</li>
+      <li><span class="label">Manual Cut</span> CI verify &rarr; bump &rarr; CHANGELOG gate &rarr; tag</li>
+      <li><span class="label">Weekly</span> Paid security scans + advisory mutation review</li>
+    </ul>
+  </div>
+  <div class="info-card">
+    <h3>Design Decisions</h3>
+    <ul>
+      <li><span class="label">Free / Paid</span> Free tools gate PRs, paid (Snyk) weekly + quota-gated</li>
+      <li><span class="label">QA Image</span> Built once in CI, shared as artifact</li>
+      <li><span class="label">Release CI</span> Dynamic workflow lookup, polls for prior success</li>
+      <li><span class="label">Version</span> Tag base version asserted against all package.json files</li>
+      <li><span class="label">CHANGELOG</span> Required for stable and RC; extraction enforces YYYY-MM-DD</li>
+      <li><span class="label">DAST</span> Only on release/* branches</li>
+      <li><span class="label">Load Test</span> Advisory on PR, enforced on merge (committed baseline)</li>
+      <li><span class="label">Mutation</span> Weekly/manual only, advisory-only, used to drive follow-up tests and refactors</li>
+      <li><span class="label">Zizmor</span> Blocking in both pre-push (requires local install) and CI</li>
+      <li><span class="label">Auto-tag</span> Requires ALL gates green, main push only</li>
+    </ul>
+  </div>
+  <div class="info-card">
+    <h3>Versioning &amp; Tags</h3>
+    <ul>
+      <li><span class="label">Stable</span> v1.5.0 &rarr; Docker: 1.5.0, 1.5, 1, latest</li>
+      <li><span class="label">RC</span> v1.5.0-rc.1 &rarr; Docker: 1.5.0-rc.1 only (--prerelease)</li>
+      <li><span class="label">Hotfix</span> Increment patch: v1.5.1, v1.5.2, ... (no ceiling)</li>
+      <li><span class="label">Registries</span> GHCR + Docker Hub + Quay.io</li>
+      <li><span class="label">Signing</span> Cosign keyless + SLSA provenance + SBOM</li>
+    </ul>
+  </div>
+</div>
+
+<div class="info-row" style="margin-top:16px">
+  <div class="info-card">
+    <h3>Timing</h3>
+    <ul>
+      <li><span class="label">Commit</span> ~5s (format + biome fix)</li>
+      <li><span class="label">Push</span> ~8-12 min (full local pipeline)</li>
+      <li><span class="label">CI (PR)</span> ~12 min (parallel jobs)</li>
+      <li><span class="label">CI (merge)</span> ~14 min (+ load test)</li>
+      <li><span class="label">Release</span> ~8 min (multi-arch build)</li>
+      <li><span class="label">Total</span> Commit to Docker Hub: ~35 min</li>
+    </ul>
+  </div>
+  <div class="info-card">
+    <h3>Workflow Files</h3>
+    <ul>
+      <li><span class="label">CI Verify</span> ci-verify.yml (includes 🛡️ CodeQL and 🎯 Fuzz Testing jobs)</li>
+      <li><span class="label">Release Cut</span> release-cut.yml (manual dispatch)</li>
+      <li><span class="label">Release From Tag</span> release-from-tag.yml (on tag push)</li>
+      <li><span class="label">Scorecard</span> security-scorecard.yml</li>
+      <li><span class="label">Snyk</span> security-snyk-weekly.yml (weekly + manual)</li>
+      <li><span class="label">Stryker</span> quality-mutation-weekly.yml</li>
+    </ul>
+  </div>
+</div>
+
+</div>
+</body>
+</html>
diff --git a/e2e/README.md b/e2e/README.md
index f89ba2faa..fabd35010 100644
--- a/e2e/README.md
+++ b/e2e/README.md
@@ -19,8 +19,7 @@ npm run test:cleanup   # Clean up test containers
 ## Load Tests
 
 ```bash
-npm run load:smoke       # Quick smoke test
+npm run load:ci          # CI load test (default)
 npm run load:behavior    # Behavioral test suite
 npm run load:stress      # Stress test
-npm run load:rate-limit  # Rate limit verification
 ```
diff --git a/e2e/features/api-log-stream.feature b/e2e/features/api-log-stream.feature
new file mode 100644
index 000000000..c5b885c0d
--- /dev/null
+++ b/e2e/features/api-log-stream.feature
@@ -0,0 +1,43 @@
+Feature: Drydock WebSocket Log Stream API
+
+  Scenario: System log stream must deliver backfill entries as valid JSON
+    When I authenticate for WebSocket
+    And I open WebSocket at /api/v1/log/stream?tail=10
+    Then WebSocket should have received at least 1 message
+    And every WebSocket message should be valid json
+    And every WebSocket message should have path $.timestamp
+    And every WebSocket message should have path $.level
+    And every WebSocket message should have path $.msg
+    And every WebSocket message should have path $.component
+
+  Scenario: System log stream must accept level filter without error
+    When I authenticate for WebSocket
+    And I open WebSocket at /api/v1/log/stream?tail=50&level=info
+    Then WebSocket should have received at least 1 message
+    And every WebSocket message should be valid json
+
+  Scenario: Container log stream must close normally with follow disabled
+    Given I GET /api/containers
+    And I store the index of container named hub_nginx_120 as containerIndex in scenario scope
+    And I store the value of body path $.data[`containerIndex`].id as containerId in scenario scope
+    When I authenticate for WebSocket
+    And I open WebSocket at /api/v1/containers/`containerId`/logs/stream?tail=5&follow=false
+    Then WebSocket should have closed with code 1000
+
+  Scenario: Container log stream must close with 4004 for unknown container
+    When I authenticate for WebSocket
+    And I open WebSocket at /api/v1/containers/nonexistent-e2e-container/logs/stream
+    Then WebSocket should have closed with code 4004
+
+  Scenario: Container log stream must deliver valid JSON messages when logs exist
+    Given I GET /api/containers
+    And I store the index of container named hub_nginx_120 as containerIndex in scenario scope
+    And I store the value of body path $.data[`containerIndex`].id as containerId in scenario scope
+    When I authenticate for WebSocket
+    And I open WebSocket at /api/v1/containers/`containerId`/logs/stream?tail=10&follow=false
+    Then WebSocket should have closed with code 1000
+    And every WebSocket message should be valid json
+    And every WebSocket message should have path $.type
+    And every WebSocket message should have path $.ts
+    And every WebSocket message should have path $.line
+    And every WebSocket message path $.type should be one of stdout, stderr
diff --git a/e2e/features/step_definitions/ws.js b/e2e/features/step_definitions/ws.js
new file mode 100644
index 000000000..c9cf25115
--- /dev/null
+++ b/e2e/features/step_definitions/ws.js
@@ -0,0 +1,173 @@
+const { When, Then, After } = require('@cucumber/cucumber');
+const assert = require('node:assert');
+const WebSocket = require('ws');
+const config = require('../../config');
+
+const baseUrl = `${config.protocol}://${config.host}:${config.port}`;
+const wsBaseUrl = baseUrl.replace(/^http/, 'ws');
+const credentials = `${config.username}:${config.password}`;
+const authHeader = `Basic ${Buffer.from(credentials).toString('base64')}`;
+
+function resolveTemplate(str, scope) {
+  return str.replaceAll(/`([^`]+)`/g, (_, name) => {
+    if (Object.hasOwn(scope, name) && scope[name] !== undefined) {
+      return scope[name];
+    }
+    return `\`${name}\``;
+  });
+}
+
+async function authenticateForWebSocket() {
+  const response = await fetch(`${baseUrl}/auth/login`, {
+    method: 'POST',
+    headers: { Authorization: authHeader },
+    redirect: 'manual',
+  });
+  const setCookie = response.headers.getSetCookie?.() ?? [];
+  const sessionCookie = setCookie
+    .map((header) => header.split(';')[0])
+    .filter(Boolean)
+    .join('; ');
+  assert.ok(sessionCookie, 'Login did not return a session cookie');
+  this.wsSessionCookie = sessionCookie;
+}
+
+function openWebSocket(url, cookie, timeoutMs = 10000) {
+  return new Promise((resolve, reject) => {
+    const ws = new WebSocket(url, {
+      headers: { Cookie: cookie },
+    });
+    const messages = [];
+    let closeCode;
+    let closeReason;
+    let opened = false;
+
+    const timeout = setTimeout(() => {
+      if (!opened) {
+        ws.terminate();
+        reject(new Error(`WebSocket connection timed out after ${timeoutMs}ms`));
+      } else {
+        resolve({ ws, messages, closeCode, closeReason });
+      }
+    }, timeoutMs);
+
+    ws.on('open', () => {
+      opened = true;
+    });
+
+    ws.on('message', (data) => {
+      messages.push(data.toString());
+    });
+
+    ws.on('close', (code, reason) => {
+      closeCode = code;
+      closeReason = reason.toString();
+      clearTimeout(timeout);
+      resolve({ ws, messages, closeCode, closeReason });
+    });
+
+    ws.on('error', (error) => {
+      clearTimeout(timeout);
+      reject(error);
+    });
+  });
+}
+
+When(/^I authenticate for WebSocket$/, async function () {
+  await authenticateForWebSocket.call(this);
+});
+
+When(/^I open WebSocket at (.+)$/, async function (path) {
+  const resolvedPath = resolveTemplate(path, this.scenarioScope);
+  assert.ok(this.wsSessionCookie, 'Must authenticate for WebSocket first');
+  const url = `${wsBaseUrl}${resolvedPath}`;
+  const result = await openWebSocket(url, this.wsSessionCookie);
+  this.wsResult = result;
+});
+
+When(/^I open WebSocket at (.+) waiting (\d+) seconds$/, async function (path, seconds) {
+  const resolvedPath = resolveTemplate(path, this.scenarioScope);
+  assert.ok(this.wsSessionCookie, 'Must authenticate for WebSocket first');
+  const url = `${wsBaseUrl}${resolvedPath}`;
+  const result = await openWebSocket(url, this.wsSessionCookie, Number(seconds) * 1000);
+  this.wsResult = result;
+});
+
+Then(/^WebSocket should have received at least (\d+) messages?$/, function (count) {
+  assert.ok(this.wsResult, 'No WebSocket result available');
+  assert.ok(
+    this.wsResult.messages.length >= Number(count),
+    `Expected at least ${count} WebSocket messages, got ${this.wsResult.messages.length}`,
+  );
+});
+
+Then(/^WebSocket should have closed with code (\d+)$/, function (code) {
+  assert.ok(this.wsResult, 'No WebSocket result available');
+  assert.strictEqual(
+    this.wsResult.closeCode,
+    Number(code),
+    `Expected WebSocket close code ${code}, got ${this.wsResult.closeCode} (reason: ${this.wsResult.closeReason})`,
+  );
+});
+
+Then(/^every WebSocket message should be valid json$/, function () {
+  assert.ok(this.wsResult, 'No WebSocket result available');
+  for (const [index, raw] of this.wsResult.messages.entries()) {
+    try {
+      JSON.parse(raw);
+    } catch {
+      assert.fail(`WebSocket message ${index} is not valid JSON: ${raw.slice(0, 200)}`);
+    }
+  }
+});
+
+Then(/^every WebSocket message should have path (.+)$/, function (path) {
+  assert.ok(this.wsResult, 'No WebSocket result available');
+  for (const [index, raw] of this.wsResult.messages.entries()) {
+    const parsed = JSON.parse(raw);
+    const tokens = path
+      .replace(/^\$\.?/, '')
+      .split('.')
+      .filter(Boolean);
+    let current = parsed;
+    for (const token of tokens) {
+      assert.ok(
+        current != null && Object.hasOwn(current, token),
+        `WebSocket message ${index} missing path ${path}`,
+      );
+      current = current[token];
+    }
+    assert.ok(
+      current !== undefined,
+      `WebSocket message ${index} has undefined value at path ${path}`,
+    );
+  }
+});
+
+Then(/^every WebSocket message path (.+) should be one of (.+)$/, function (path, allowedValues) {
+  assert.ok(this.wsResult, 'No WebSocket result available');
+  const allowed = allowedValues.split(',').map((v) => v.trim());
+  for (const [index, raw] of this.wsResult.messages.entries()) {
+    const parsed = JSON.parse(raw);
+    const tokens = path
+      .replace(/^\$\.?/, '')
+      .split('.')
+      .filter(Boolean);
+    let current = parsed;
+    for (const token of tokens) {
+      current = current?.[token];
+    }
+    assert.ok(
+      allowed.includes(String(current)),
+      `WebSocket message ${index} path ${path} value "${current}" not in [${allowed.join(', ')}]`,
+    );
+  }
+});
+
+After(function cleanupWebSocket() {
+  if (this.wsResult?.ws?.readyState === WebSocket.OPEN) {
+    this.wsResult.ws.close();
+  }
+  this.wsResult = undefined;
+  this.wsSessionCookie = undefined;
+});
diff --git a/e2e/package-lock.json b/e2e/package-lock.json
index 58bba0d8c..ce8924ae8 100644
--- a/e2e/package-lock.json
+++ b/e2e/package-lock.json
@@ -13,7 +13,7 @@
         "socket.io-parser": "^4.2.6"
       },
       "devDependencies": {
-        "@dotenvx/dotenvx": "1.55.1",
+        "@dotenvx/dotenvx": "1.57.1",
         "@playwright/test": "^1.58.2",
         "artillery": "2.0.30"
       },
@@ -363,52 +363,52 @@
       }
     },
     "node_modules/@aws-sdk/client-cloudwatch": {
-      "version": "3.1000.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/client-cloudwatch/-/client-cloudwatch-3.1000.0.tgz",
-      "integrity": "sha512-+mF+phTkVe8MURRuj07g8F3aL3vg7KxfGcb9BF/rN3azSdO6Sl1YCaC5+loHkkqzYlt3dwZsVdlPVpHjsfBtYg==",
+      "version": "3.1018.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-cloudwatch/-/client-cloudwatch-3.1018.0.tgz",
+      "integrity": "sha512-pd1dY/sg8QnRfLyOBbjKZUgDSpAFRSuV8jElbY4wLGUByPlZIjF9Q6lDV81xpz61EE7hNWZmfVcNeHVVKrYEwg==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "^3.973.15",
-        "@aws-sdk/credential-provider-node": "^3.972.14",
-        "@aws-sdk/middleware-host-header": "^3.972.6",
-        "@aws-sdk/middleware-logger": "^3.972.6",
-        "@aws-sdk/middleware-recursion-detection": "^3.972.6",
-        "@aws-sdk/middleware-user-agent": "^3.972.15",
-        "@aws-sdk/region-config-resolver": "^3.972.6",
-        "@aws-sdk/types": "^3.973.4",
-        "@aws-sdk/util-endpoints": "^3.996.3",
-        "@aws-sdk/util-user-agent-browser": "^3.972.6",
-        "@aws-sdk/util-user-agent-node": "^3.973.0",
-        "@smithy/config-resolver": "^4.4.9",
-        "@smithy/core": "^3.23.6",
-        "@smithy/fetch-http-handler": "^5.3.11",
-        "@smithy/hash-node": "^4.2.10",
-        "@smithy/invalid-dependency": "^4.2.10",
-        "@smithy/middleware-compression": "^4.3.35",
-        "@smithy/middleware-content-length": "^4.2.10",
-        "@smithy/middleware-endpoint": "^4.4.20",
-        "@smithy/middleware-retry": "^4.4.37",
-        "@smithy/middleware-serde": "^4.2.11",
-        "@smithy/middleware-stack": "^4.2.10",
-        "@smithy/node-config-provider": "^4.3.10",
-        "@smithy/node-http-handler": "^4.4.12",
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/smithy-client": "^4.12.0",
-        "@smithy/types": "^4.13.0",
-        "@smithy/url-parser": "^4.2.10",
-        "@smithy/util-base64": "^4.3.1",
-        "@smithy/util-body-length-browser": "^4.2.1",
-        "@smithy/util-body-length-node": "^4.2.2",
-        "@smithy/util-defaults-mode-browser": "^4.3.36",
-        "@smithy/util-defaults-mode-node": "^4.2.39",
-        "@smithy/util-endpoints": "^3.3.1",
-        "@smithy/util-middleware": "^4.2.10",
-        "@smithy/util-retry": "^4.2.10",
-        "@smithy/util-utf8": "^4.2.1",
-        "@smithy/util-waiter": "^4.2.10",
+        "@aws-sdk/core": "^3.973.25",
+        "@aws-sdk/credential-provider-node": "^3.972.26",
+        "@aws-sdk/middleware-host-header": "^3.972.8",
+        "@aws-sdk/middleware-logger": "^3.972.8",
+        "@aws-sdk/middleware-recursion-detection": "^3.972.9",
+        "@aws-sdk/middleware-user-agent": "^3.972.26",
+        "@aws-sdk/region-config-resolver": "^3.972.10",
+        "@aws-sdk/types": "^3.973.6",
+        "@aws-sdk/util-endpoints": "^3.996.5",
+        "@aws-sdk/util-user-agent-browser": "^3.972.8",
+        "@aws-sdk/util-user-agent-node": "^3.973.12",
+        "@smithy/config-resolver": "^4.4.13",
+        "@smithy/core": "^3.23.12",
+        "@smithy/fetch-http-handler": "^5.3.15",
+        "@smithy/hash-node": "^4.2.12",
+        "@smithy/invalid-dependency": "^4.2.12",
+        "@smithy/middleware-compression": "^4.3.41",
+        "@smithy/middleware-content-length": "^4.2.12",
+        "@smithy/middleware-endpoint": "^4.4.27",
+        "@smithy/middleware-retry": "^4.4.44",
+        "@smithy/middleware-serde": "^4.2.15",
+        "@smithy/middleware-stack": "^4.2.12",
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/node-http-handler": "^4.5.0",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/smithy-client": "^4.12.7",
+        "@smithy/types": "^4.13.1",
+        "@smithy/url-parser": "^4.2.12",
+        "@smithy/util-base64": "^4.3.2",
+        "@smithy/util-body-length-browser": "^4.2.2",
+        "@smithy/util-body-length-node": "^4.2.3",
+        "@smithy/util-defaults-mode-browser": "^4.3.43",
+        "@smithy/util-defaults-mode-node": "^4.2.47",
+        "@smithy/util-endpoints": "^3.3.3",
+        "@smithy/util-middleware": "^4.2.12",
+        "@smithy/util-retry": "^4.2.12",
+        "@smithy/util-utf8": "^4.2.2",
+        "@smithy/util-waiter": "^4.2.13",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -416,53 +416,53 @@
       }
     },
     "node_modules/@aws-sdk/client-cloudwatch-logs": {
-      "version": "3.1000.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/client-cloudwatch-logs/-/client-cloudwatch-logs-3.1000.0.tgz",
-      "integrity": "sha512-8/YP++CiBIh5jADEmPfBCHYWErHNYlG5Ome5h82F/yB+x6i9ARF/Y/u95Z9IHwO25CDvxTPKH0U66h7HFL8tcg==",
+      "version": "3.1018.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-cloudwatch-logs/-/client-cloudwatch-logs-3.1018.0.tgz",
+      "integrity": "sha512-y1Siaj4PP7PRDtUyjYHQnEl6l2uU2h8zApqcxZnP/ThTy745JFRAKbJRMoAzmV9dPPub3ymCuxVnXm3XYWFbtg==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "^3.973.15",
-        "@aws-sdk/credential-provider-node": "^3.972.14",
-        "@aws-sdk/middleware-host-header": "^3.972.6",
-        "@aws-sdk/middleware-logger": "^3.972.6",
-        "@aws-sdk/middleware-recursion-detection": "^3.972.6",
-        "@aws-sdk/middleware-user-agent": "^3.972.15",
-        "@aws-sdk/region-config-resolver": "^3.972.6",
-        "@aws-sdk/types": "^3.973.4",
-        "@aws-sdk/util-endpoints": "^3.996.3",
-        "@aws-sdk/util-user-agent-browser": "^3.972.6",
-        "@aws-sdk/util-user-agent-node": "^3.973.0",
-        "@smithy/config-resolver": "^4.4.9",
-        "@smithy/core": "^3.23.6",
-        "@smithy/eventstream-serde-browser": "^4.2.10",
-        "@smithy/eventstream-serde-config-resolver": "^4.3.10",
-        "@smithy/eventstream-serde-node": "^4.2.10",
-        "@smithy/fetch-http-handler": "^5.3.11",
-        "@smithy/hash-node": "^4.2.10",
-        "@smithy/invalid-dependency": "^4.2.10",
-        "@smithy/middleware-content-length": "^4.2.10",
-        "@smithy/middleware-endpoint": "^4.4.20",
-        "@smithy/middleware-retry": "^4.4.37",
-        "@smithy/middleware-serde": "^4.2.11",
-        "@smithy/middleware-stack": "^4.2.10",
-        "@smithy/node-config-provider": "^4.3.10",
-        "@smithy/node-http-handler": "^4.4.12",
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/smithy-client": "^4.12.0",
-        "@smithy/types": "^4.13.0",
-        "@smithy/url-parser": "^4.2.10",
-        "@smithy/util-base64": "^4.3.1",
-        "@smithy/util-body-length-browser": "^4.2.1",
-        "@smithy/util-body-length-node": "^4.2.2",
-        "@smithy/util-defaults-mode-browser": "^4.3.36",
-        "@smithy/util-defaults-mode-node": "^4.2.39",
-        "@smithy/util-endpoints": "^3.3.1",
-        "@smithy/util-middleware": "^4.2.10",
-        "@smithy/util-retry": "^4.2.10",
-        "@smithy/util-utf8": "^4.2.1",
+        "@aws-sdk/core": "^3.973.25",
+        "@aws-sdk/credential-provider-node": "^3.972.26",
+        "@aws-sdk/middleware-host-header": "^3.972.8",
+        "@aws-sdk/middleware-logger": "^3.972.8",
+        "@aws-sdk/middleware-recursion-detection": "^3.972.9",
+        "@aws-sdk/middleware-user-agent": "^3.972.26",
+        "@aws-sdk/region-config-resolver": "^3.972.10",
+        "@aws-sdk/types": "^3.973.6",
+        "@aws-sdk/util-endpoints": "^3.996.5",
+        "@aws-sdk/util-user-agent-browser": "^3.972.8",
+        "@aws-sdk/util-user-agent-node": "^3.973.12",
+        "@smithy/config-resolver": "^4.4.13",
+        "@smithy/core": "^3.23.12",
+        "@smithy/eventstream-serde-browser": "^4.2.12",
+        "@smithy/eventstream-serde-config-resolver": "^4.3.12",
+        "@smithy/eventstream-serde-node": "^4.2.12",
+        "@smithy/fetch-http-handler": "^5.3.15",
+        "@smithy/hash-node": "^4.2.12",
+        "@smithy/invalid-dependency": "^4.2.12",
+        "@smithy/middleware-content-length": "^4.2.12",
+        "@smithy/middleware-endpoint": "^4.4.27",
+        "@smithy/middleware-retry": "^4.4.44",
+        "@smithy/middleware-serde": "^4.2.15",
+        "@smithy/middleware-stack": "^4.2.12",
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/node-http-handler": "^4.5.0",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/smithy-client": "^4.12.7",
+        "@smithy/types": "^4.13.1",
+        "@smithy/url-parser": "^4.2.12",
+        "@smithy/util-base64": "^4.3.2",
+        "@smithy/util-body-length-browser": "^4.2.2",
+        "@smithy/util-body-length-node": "^4.2.3",
+        "@smithy/util-defaults-mode-browser": "^4.3.43",
+        "@smithy/util-defaults-mode-node": "^4.2.47",
+        "@smithy/util-endpoints": "^3.3.3",
+        "@smithy/util-middleware": "^4.2.12",
+        "@smithy/util-retry": "^4.2.12",
+        "@smithy/util-utf8": "^4.2.2",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -470,50 +470,50 @@
       }
     },
     "node_modules/@aws-sdk/client-cognito-identity": {
-      "version": "3.1000.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/client-cognito-identity/-/client-cognito-identity-3.1000.0.tgz",
-      "integrity": "sha512-7PtY49oxAo0rzkXZ1ulumtRL4QYi30Q5AMJtqJhYCHc1VZr0I2f0LHxiwovzquqUPzmTArgY6LjcPB7bkB/54w==",
+      "version": "3.1018.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-cognito-identity/-/client-cognito-identity-3.1018.0.tgz",
+      "integrity": "sha512-BRF3W1H8Ews1pomU6gJ/LtKvXezJofABrj6L928Uex89QafRiDik2c1bZ15woci2XdhtfHo4p0nxYOQcXsbUlw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "^3.973.15",
-        "@aws-sdk/credential-provider-node": "^3.972.14",
-        "@aws-sdk/middleware-host-header": "^3.972.6",
-        "@aws-sdk/middleware-logger": "^3.972.6",
-        "@aws-sdk/middleware-recursion-detection": "^3.972.6",
-        "@aws-sdk/middleware-user-agent": "^3.972.15",
-        "@aws-sdk/region-config-resolver": "^3.972.6",
-        "@aws-sdk/types": "^3.973.4",
-        "@aws-sdk/util-endpoints": "^3.996.3",
-        "@aws-sdk/util-user-agent-browser": "^3.972.6",
-        "@aws-sdk/util-user-agent-node": "^3.973.0",
-        "@smithy/config-resolver": "^4.4.9",
-        "@smithy/core": "^3.23.6",
-        "@smithy/fetch-http-handler": "^5.3.11",
-        "@smithy/hash-node": "^4.2.10",
-        "@smithy/invalid-dependency": "^4.2.10",
-        "@smithy/middleware-content-length": "^4.2.10",
-        "@smithy/middleware-endpoint": "^4.4.20",
-        "@smithy/middleware-retry": "^4.4.37",
-        "@smithy/middleware-serde": "^4.2.11",
-        "@smithy/middleware-stack": "^4.2.10",
-        "@smithy/node-config-provider": "^4.3.10",
-        "@smithy/node-http-handler": "^4.4.12",
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/smithy-client": "^4.12.0",
-        "@smithy/types": "^4.13.0",
-        "@smithy/url-parser": "^4.2.10",
-        "@smithy/util-base64": "^4.3.1",
-        "@smithy/util-body-length-browser": "^4.2.1",
-        "@smithy/util-body-length-node": "^4.2.2",
-        "@smithy/util-defaults-mode-browser": "^4.3.36",
-        "@smithy/util-defaults-mode-node": "^4.2.39",
-        "@smithy/util-endpoints": "^3.3.1",
-        "@smithy/util-middleware": "^4.2.10",
-        "@smithy/util-retry": "^4.2.10",
-        "@smithy/util-utf8": "^4.2.1",
+        "@aws-sdk/core": "^3.973.25",
+        "@aws-sdk/credential-provider-node": "^3.972.26",
+        "@aws-sdk/middleware-host-header": "^3.972.8",
+        "@aws-sdk/middleware-logger": "^3.972.8",
+        "@aws-sdk/middleware-recursion-detection": "^3.972.9",
+        "@aws-sdk/middleware-user-agent": "^3.972.26",
+        "@aws-sdk/region-config-resolver": "^3.972.10",
+        "@aws-sdk/types": "^3.973.6",
+        "@aws-sdk/util-endpoints": "^3.996.5",
+        "@aws-sdk/util-user-agent-browser": "^3.972.8",
+        "@aws-sdk/util-user-agent-node": "^3.973.12",
+        "@smithy/config-resolver": "^4.4.13",
+        "@smithy/core": "^3.23.12",
+        "@smithy/fetch-http-handler": "^5.3.15",
+        "@smithy/hash-node": "^4.2.12",
+        "@smithy/invalid-dependency": "^4.2.12",
+        "@smithy/middleware-content-length": "^4.2.12",
+        "@smithy/middleware-endpoint": "^4.4.27",
+        "@smithy/middleware-retry": "^4.4.44",
+        "@smithy/middleware-serde": "^4.2.15",
+        "@smithy/middleware-stack": "^4.2.12",
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/node-http-handler": "^4.5.0",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/smithy-client": "^4.12.7",
+        "@smithy/types": "^4.13.1",
+        "@smithy/url-parser": "^4.2.12",
+        "@smithy/util-base64": "^4.3.2",
+        "@smithy/util-body-length-browser": "^4.2.2",
+        "@smithy/util-body-length-node": "^4.2.3",
+        "@smithy/util-defaults-mode-browser": "^4.3.43",
+        "@smithy/util-defaults-mode-node": "^4.2.47",
+        "@smithy/util-endpoints": "^3.3.3",
+        "@smithy/util-middleware": "^4.2.12",
+        "@smithy/util-retry": "^4.2.12",
+        "@smithy/util-utf8": "^4.2.2",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -521,52 +521,52 @@
       }
     },
     "node_modules/@aws-sdk/client-ec2": {
-      "version": "3.1000.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/client-ec2/-/client-ec2-3.1000.0.tgz",
-      "integrity": "sha512-SLdVSUScYXbUq2VRdKa3MloNRGnKqnmVdXkfQfJ4WyR5Lzrh1Gs6t9MXBxBMYPaFEdZhav/wMK92PSYdqLBKnA==",
+      "version": "3.1018.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-ec2/-/client-ec2-3.1018.0.tgz",
+      "integrity": "sha512-3T9FR7Xv6ARowfXZvBgtFhfYQZ7By+V17tho+wg7JJRWLH2WOD4iLvzXa0UpEcP0kearomb5qAqhUQfkXSS8WA==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "^3.973.15",
-        "@aws-sdk/credential-provider-node": "^3.972.14",
-        "@aws-sdk/middleware-host-header": "^3.972.6",
-        "@aws-sdk/middleware-logger": "^3.972.6",
-        "@aws-sdk/middleware-recursion-detection": "^3.972.6",
-        "@aws-sdk/middleware-sdk-ec2": "^3.972.11",
-        "@aws-sdk/middleware-user-agent": "^3.972.15",
-        "@aws-sdk/region-config-resolver": "^3.972.6",
-        "@aws-sdk/types": "^3.973.4",
-        "@aws-sdk/util-endpoints": "^3.996.3",
-        "@aws-sdk/util-user-agent-browser": "^3.972.6",
-        "@aws-sdk/util-user-agent-node": "^3.973.0",
-        "@smithy/config-resolver": "^4.4.9",
-        "@smithy/core": "^3.23.6",
-        "@smithy/fetch-http-handler": "^5.3.11",
-        "@smithy/hash-node": "^4.2.10",
-        "@smithy/invalid-dependency": "^4.2.10",
-        "@smithy/middleware-content-length": "^4.2.10",
-        "@smithy/middleware-endpoint": "^4.4.20",
-        "@smithy/middleware-retry": "^4.4.37",
-        "@smithy/middleware-serde": "^4.2.11",
-        "@smithy/middleware-stack": "^4.2.10",
-        "@smithy/node-config-provider": "^4.3.10",
-        "@smithy/node-http-handler": "^4.4.12",
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/smithy-client": "^4.12.0",
-        "@smithy/types": "^4.13.0",
-        "@smithy/url-parser": "^4.2.10",
-        "@smithy/util-base64": "^4.3.1",
-        "@smithy/util-body-length-browser": "^4.2.1",
-        "@smithy/util-body-length-node": "^4.2.2",
-        "@smithy/util-defaults-mode-browser": "^4.3.36",
-        "@smithy/util-defaults-mode-node": "^4.2.39",
-        "@smithy/util-endpoints": "^3.3.1",
-        "@smithy/util-middleware": "^4.2.10",
-        "@smithy/util-retry": "^4.2.10",
-        "@smithy/util-utf8": "^4.2.1",
-        "@smithy/util-waiter": "^4.2.10",
+        "@aws-sdk/core": "^3.973.25",
+        "@aws-sdk/credential-provider-node": "^3.972.26",
+        "@aws-sdk/middleware-host-header": "^3.972.8",
+        "@aws-sdk/middleware-logger": "^3.972.8",
+        "@aws-sdk/middleware-recursion-detection": "^3.972.9",
+        "@aws-sdk/middleware-sdk-ec2": "^3.972.17",
+        "@aws-sdk/middleware-user-agent": "^3.972.26",
+        "@aws-sdk/region-config-resolver": "^3.972.10",
+        "@aws-sdk/types": "^3.973.6",
+        "@aws-sdk/util-endpoints": "^3.996.5",
+        "@aws-sdk/util-user-agent-browser": "^3.972.8",
+        "@aws-sdk/util-user-agent-node": "^3.973.12",
+        "@smithy/config-resolver": "^4.4.13",
+        "@smithy/core": "^3.23.12",
+        "@smithy/fetch-http-handler": "^5.3.15",
+        "@smithy/hash-node": "^4.2.12",
+        "@smithy/invalid-dependency": "^4.2.12",
+        "@smithy/middleware-content-length": "^4.2.12",
+        "@smithy/middleware-endpoint": "^4.4.27",
+        "@smithy/middleware-retry": "^4.4.44",
+        "@smithy/middleware-serde": "^4.2.15",
+        "@smithy/middleware-stack": "^4.2.12",
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/node-http-handler": "^4.5.0",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/smithy-client": "^4.12.7",
+        "@smithy/types": "^4.13.1",
+        "@smithy/url-parser": "^4.2.12",
+        "@smithy/util-base64": "^4.3.2",
+        "@smithy/util-body-length-browser": "^4.2.2",
+        "@smithy/util-body-length-node": "^4.2.3",
+        "@smithy/util-defaults-mode-browser": "^4.3.43",
+        "@smithy/util-defaults-mode-node": "^4.2.47",
+        "@smithy/util-endpoints": "^3.3.3",
+        "@smithy/util-middleware": "^4.2.12",
+        "@smithy/util-retry": "^4.2.12",
+        "@smithy/util-utf8": "^4.2.2",
+        "@smithy/util-waiter": "^4.2.13",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -574,51 +574,51 @@
       }
     },
     "node_modules/@aws-sdk/client-ecs": {
-      "version": "3.1000.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/client-ecs/-/client-ecs-3.1000.0.tgz",
-      "integrity": "sha512-GCDJqt7WDDGqXi0xR3vus00z5i02dChwaOcm0BqPylvNjDftfUK5UJeb7F7Rkpf1h7Q9RQ3rBVv0kV3a+h+Gig==",
+      "version": "3.1018.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-ecs/-/client-ecs-3.1018.0.tgz",
+      "integrity": "sha512-bEx6PBGwCMK8svQyV7rZMlBPkUtOI33Rg/6Gu3AdiLfna7PA1oAJJR/8H3HGHLBnDYqIpULCZACqd6n/qUwacw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "^3.973.15",
-        "@aws-sdk/credential-provider-node": "^3.972.14",
-        "@aws-sdk/middleware-host-header": "^3.972.6",
-        "@aws-sdk/middleware-logger": "^3.972.6",
-        "@aws-sdk/middleware-recursion-detection": "^3.972.6",
-        "@aws-sdk/middleware-user-agent": "^3.972.15",
-        "@aws-sdk/region-config-resolver": "^3.972.6",
-        "@aws-sdk/types": "^3.973.4",
-        "@aws-sdk/util-endpoints": "^3.996.3",
-        "@aws-sdk/util-user-agent-browser": "^3.972.6",
-        "@aws-sdk/util-user-agent-node": "^3.973.0",
-        "@smithy/config-resolver": "^4.4.9",
-        "@smithy/core": "^3.23.6",
-        "@smithy/fetch-http-handler": "^5.3.11",
-        "@smithy/hash-node": "^4.2.10",
-        "@smithy/invalid-dependency": "^4.2.10",
-        "@smithy/middleware-content-length": "^4.2.10",
-        "@smithy/middleware-endpoint": "^4.4.20",
-        "@smithy/middleware-retry": "^4.4.37",
-        "@smithy/middleware-serde": "^4.2.11",
-        "@smithy/middleware-stack": "^4.2.10",
-        "@smithy/node-config-provider": "^4.3.10",
-        "@smithy/node-http-handler": "^4.4.12",
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/smithy-client": "^4.12.0",
-        "@smithy/types": "^4.13.0",
-        "@smithy/url-parser": "^4.2.10",
-        "@smithy/util-base64": "^4.3.1",
-        "@smithy/util-body-length-browser": "^4.2.1",
-        "@smithy/util-body-length-node": "^4.2.2",
-        "@smithy/util-defaults-mode-browser": "^4.3.36",
-        "@smithy/util-defaults-mode-node": "^4.2.39",
-        "@smithy/util-endpoints": "^3.3.1",
-        "@smithy/util-middleware": "^4.2.10",
-        "@smithy/util-retry": "^4.2.10",
-        "@smithy/util-utf8": "^4.2.1",
-        "@smithy/util-waiter": "^4.2.10",
+        "@aws-sdk/core": "^3.973.25",
+        "@aws-sdk/credential-provider-node": "^3.972.26",
+        "@aws-sdk/middleware-host-header": "^3.972.8",
+        "@aws-sdk/middleware-logger": "^3.972.8",
+        "@aws-sdk/middleware-recursion-detection": "^3.972.9",
+        "@aws-sdk/middleware-user-agent": "^3.972.26",
+        "@aws-sdk/region-config-resolver": "^3.972.10",
+        "@aws-sdk/types": "^3.973.6",
+        "@aws-sdk/util-endpoints": "^3.996.5",
+        "@aws-sdk/util-user-agent-browser": "^3.972.8",
+        "@aws-sdk/util-user-agent-node": "^3.973.12",
+        "@smithy/config-resolver": "^4.4.13",
+        "@smithy/core": "^3.23.12",
+        "@smithy/fetch-http-handler": "^5.3.15",
+        "@smithy/hash-node": "^4.2.12",
+        "@smithy/invalid-dependency": "^4.2.12",
+        "@smithy/middleware-content-length": "^4.2.12",
+        "@smithy/middleware-endpoint": "^4.4.27",
+        "@smithy/middleware-retry": "^4.4.44",
+        "@smithy/middleware-serde": "^4.2.15",
+        "@smithy/middleware-stack": "^4.2.12",
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/node-http-handler": "^4.5.0",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/smithy-client": "^4.12.7",
+        "@smithy/types": "^4.13.1",
+        "@smithy/url-parser": "^4.2.12",
+        "@smithy/util-base64": "^4.3.2",
+        "@smithy/util-body-length-browser": "^4.2.2",
+        "@smithy/util-body-length-node": "^4.2.3",
+        "@smithy/util-defaults-mode-browser": "^4.3.43",
+        "@smithy/util-defaults-mode-node": "^4.2.47",
+        "@smithy/util-endpoints": "^3.3.3",
+        "@smithy/util-middleware": "^4.2.12",
+        "@smithy/util-retry": "^4.2.12",
+        "@smithy/util-utf8": "^4.2.2",
+        "@smithy/util-waiter": "^4.2.13",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -626,51 +626,51 @@
       }
     },
     "node_modules/@aws-sdk/client-iam": {
-      "version": "3.1000.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/client-iam/-/client-iam-3.1000.0.tgz",
-      "integrity": "sha512-RR4mq7t+4Fb2iaFDTcXF6Tcigl2nSWUyH61rwtiSbRrNp9A3xSexCSw79SIAkfwsuhk8Ig/ZVt5qpRHWRj2zgA==",
+      "version": "3.1018.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-iam/-/client-iam-3.1018.0.tgz",
+      "integrity": "sha512-waygi8Y4fpSNfzFUOj2MsIDwI6dOXMWWYTJCxYWJpMeB5FnMIxAquRwKvKfk/7qs1NcFPo/df9DlovuxAdrFWA==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "^3.973.15",
-        "@aws-sdk/credential-provider-node": "^3.972.14",
-        "@aws-sdk/middleware-host-header": "^3.972.6",
-        "@aws-sdk/middleware-logger": "^3.972.6",
-        "@aws-sdk/middleware-recursion-detection": "^3.972.6",
-        "@aws-sdk/middleware-user-agent": "^3.972.15",
-        "@aws-sdk/region-config-resolver": "^3.972.6",
-        "@aws-sdk/types": "^3.973.4",
-        "@aws-sdk/util-endpoints": "^3.996.3",
-        "@aws-sdk/util-user-agent-browser": "^3.972.6",
-        "@aws-sdk/util-user-agent-node": "^3.973.0",
-        "@smithy/config-resolver": "^4.4.9",
-        "@smithy/core": "^3.23.6",
-        "@smithy/fetch-http-handler": "^5.3.11",
-        "@smithy/hash-node": "^4.2.10",
-        "@smithy/invalid-dependency": "^4.2.10",
-        "@smithy/middleware-content-length": "^4.2.10",
-        "@smithy/middleware-endpoint": "^4.4.20",
-        "@smithy/middleware-retry": "^4.4.37",
-        "@smithy/middleware-serde": "^4.2.11",
-        "@smithy/middleware-stack": "^4.2.10",
-        "@smithy/node-config-provider": "^4.3.10",
-        "@smithy/node-http-handler": "^4.4.12",
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/smithy-client": "^4.12.0",
-        "@smithy/types": "^4.13.0",
-        "@smithy/url-parser": "^4.2.10",
-        "@smithy/util-base64": "^4.3.1",
-        "@smithy/util-body-length-browser": "^4.2.1",
-        "@smithy/util-body-length-node": "^4.2.2",
-        "@smithy/util-defaults-mode-browser": "^4.3.36",
-        "@smithy/util-defaults-mode-node": "^4.2.39",
-        "@smithy/util-endpoints": "^3.3.1",
-        "@smithy/util-middleware": "^4.2.10",
-        "@smithy/util-retry": "^4.2.10",
-        "@smithy/util-utf8": "^4.2.1",
-        "@smithy/util-waiter": "^4.2.10",
+        "@aws-sdk/core": "^3.973.25",
+        "@aws-sdk/credential-provider-node": "^3.972.26",
+        "@aws-sdk/middleware-host-header": "^3.972.8",
+        "@aws-sdk/middleware-logger": "^3.972.8",
+        "@aws-sdk/middleware-recursion-detection": "^3.972.9",
+        "@aws-sdk/middleware-user-agent": "^3.972.26",
+        "@aws-sdk/region-config-resolver": "^3.972.10",
+        "@aws-sdk/types": "^3.973.6",
+        "@aws-sdk/util-endpoints": "^3.996.5",
+        "@aws-sdk/util-user-agent-browser": "^3.972.8",
+        "@aws-sdk/util-user-agent-node": "^3.973.12",
+        "@smithy/config-resolver": "^4.4.13",
+        "@smithy/core": "^3.23.12",
+        "@smithy/fetch-http-handler": "^5.3.15",
+        "@smithy/hash-node": "^4.2.12",
+        "@smithy/invalid-dependency": "^4.2.12",
+        "@smithy/middleware-content-length": "^4.2.12",
+        "@smithy/middleware-endpoint": "^4.4.27",
+        "@smithy/middleware-retry": "^4.4.44",
+        "@smithy/middleware-serde": "^4.2.15",
+        "@smithy/middleware-stack": "^4.2.12",
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/node-http-handler": "^4.5.0",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/smithy-client": "^4.12.7",
+        "@smithy/types": "^4.13.1",
+        "@smithy/url-parser": "^4.2.12",
+        "@smithy/util-base64": "^4.3.2",
+        "@smithy/util-body-length-browser": "^4.2.2",
+        "@smithy/util-body-length-node": "^4.2.3",
+        "@smithy/util-defaults-mode-browser": "^4.3.43",
+        "@smithy/util-defaults-mode-node": "^4.2.47",
+        "@smithy/util-endpoints": "^3.3.3",
+        "@smithy/util-middleware": "^4.2.12",
+        "@smithy/util-retry": "^4.2.12",
+        "@smithy/util-utf8": "^4.2.2",
+        "@smithy/util-waiter": "^4.2.13",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -678,55 +678,55 @@
       }
     },
     "node_modules/@aws-sdk/client-lambda": {
-      "version": "3.1000.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/client-lambda/-/client-lambda-3.1000.0.tgz",
-      "integrity": "sha512-ofAVxy8j1qFUB8jB3yHWhy5ybYyTE6qsIVlzu+ITD0cKTLjg4xjmLaDmZA9dYpe4xSh7PSuv0ughBQMWwppOCw==",
+      "version": "3.1018.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-lambda/-/client-lambda-3.1018.0.tgz",
+      "integrity": "sha512-VXnYMYXhkP0C7bVKmfPjzCPEW2hefeTFwgm0egSNqFWPt0llFov1ScKAG6ukI/4N29oGp6ZSuUaaMkmC2p7rRw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "^3.973.15",
-        "@aws-sdk/credential-provider-node": "^3.972.14",
-        "@aws-sdk/middleware-host-header": "^3.972.6",
-        "@aws-sdk/middleware-logger": "^3.972.6",
-        "@aws-sdk/middleware-recursion-detection": "^3.972.6",
-        "@aws-sdk/middleware-user-agent": "^3.972.15",
-        "@aws-sdk/region-config-resolver": "^3.972.6",
-        "@aws-sdk/types": "^3.973.4",
-        "@aws-sdk/util-endpoints": "^3.996.3",
-        "@aws-sdk/util-user-agent-browser": "^3.972.6",
-        "@aws-sdk/util-user-agent-node": "^3.973.0",
-        "@smithy/config-resolver": "^4.4.9",
-        "@smithy/core": "^3.23.6",
-        "@smithy/eventstream-serde-browser": "^4.2.10",
-        "@smithy/eventstream-serde-config-resolver": "^4.3.10",
-        "@smithy/eventstream-serde-node": "^4.2.10",
-        "@smithy/fetch-http-handler": "^5.3.11",
-        "@smithy/hash-node": "^4.2.10",
-        "@smithy/invalid-dependency": "^4.2.10",
-        "@smithy/middleware-content-length": "^4.2.10",
-        "@smithy/middleware-endpoint": "^4.4.20",
-        "@smithy/middleware-retry": "^4.4.37",
-        "@smithy/middleware-serde": "^4.2.11",
-        "@smithy/middleware-stack": "^4.2.10",
-        "@smithy/node-config-provider": "^4.3.10",
-        "@smithy/node-http-handler": "^4.4.12",
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/smithy-client": "^4.12.0",
-        "@smithy/types": "^4.13.0",
-        "@smithy/url-parser": "^4.2.10",
-        "@smithy/util-base64": "^4.3.1",
-        "@smithy/util-body-length-browser": "^4.2.1",
-        "@smithy/util-body-length-node": "^4.2.2",
-        "@smithy/util-defaults-mode-browser": "^4.3.36",
-        "@smithy/util-defaults-mode-node": "^4.2.39",
-        "@smithy/util-endpoints": "^3.3.1",
-        "@smithy/util-middleware": "^4.2.10",
-        "@smithy/util-retry": "^4.2.10",
-        "@smithy/util-stream": "^4.5.15",
-        "@smithy/util-utf8": "^4.2.1",
-        "@smithy/util-waiter": "^4.2.10",
+        "@aws-sdk/core": "^3.973.25",
+        "@aws-sdk/credential-provider-node": "^3.972.26",
+        "@aws-sdk/middleware-host-header": "^3.972.8",
+        "@aws-sdk/middleware-logger": "^3.972.8",
+        "@aws-sdk/middleware-recursion-detection": "^3.972.9",
+        "@aws-sdk/middleware-user-agent": "^3.972.26",
+        "@aws-sdk/region-config-resolver": "^3.972.10",
+        "@aws-sdk/types": "^3.973.6",
+        "@aws-sdk/util-endpoints": "^3.996.5",
+        "@aws-sdk/util-user-agent-browser": "^3.972.8",
+        "@aws-sdk/util-user-agent-node": "^3.973.12",
+        "@smithy/config-resolver": "^4.4.13",
+        "@smithy/core": "^3.23.12",
+        "@smithy/eventstream-serde-browser": "^4.2.12",
+        "@smithy/eventstream-serde-config-resolver": "^4.3.12",
+        "@smithy/eventstream-serde-node": "^4.2.12",
+        "@smithy/fetch-http-handler": "^5.3.15",
+        "@smithy/hash-node": "^4.2.12",
+        "@smithy/invalid-dependency": "^4.2.12",
+        "@smithy/middleware-content-length": "^4.2.12",
+        "@smithy/middleware-endpoint": "^4.4.27",
+        "@smithy/middleware-retry": "^4.4.44",
+        "@smithy/middleware-serde": "^4.2.15",
+        "@smithy/middleware-stack": "^4.2.12",
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/node-http-handler": "^4.5.0",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/smithy-client": "^4.12.7",
+        "@smithy/types": "^4.13.1",
+        "@smithy/url-parser": "^4.2.12",
+        "@smithy/util-base64": "^4.3.2",
+        "@smithy/util-body-length-browser": "^4.2.2",
+        "@smithy/util-body-length-node": "^4.2.3",
+        "@smithy/util-defaults-mode-browser": "^4.3.43",
+        "@smithy/util-defaults-mode-node": "^4.2.47",
+        "@smithy/util-endpoints": "^3.3.3",
+        "@smithy/util-middleware": "^4.2.12",
+        "@smithy/util-retry": "^4.2.12",
+        "@smithy/util-stream": "^4.5.20",
+        "@smithy/util-utf8": "^4.2.2",
+        "@smithy/util-waiter": "^4.2.13",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -734,66 +734,66 @@
       }
     },
     "node_modules/@aws-sdk/client-s3": {
-      "version": "3.1000.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/client-s3/-/client-s3-3.1000.0.tgz",
-      "integrity": "sha512-7kPy33qNGq3NfwHC0412T6LDK1bp4+eiPzetX0sVd9cpTSXuQDKpoOFnB0Njj6uZjJDcLS3n2OeyarwwgkQ0Ow==",
+      "version": "3.1018.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-s3/-/client-s3-3.1018.0.tgz",
+      "integrity": "sha512-BiGKMjrkAJkyse1ECpVyxVYugf82FB3cM9zgKpx3boFuWobyolG5ri6XjoMIY8fpHddaO8ZClXEedACyelSLWA==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha1-browser": "5.2.0",
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "^3.973.15",
-        "@aws-sdk/credential-provider-node": "^3.972.14",
-        "@aws-sdk/middleware-bucket-endpoint": "^3.972.6",
-        "@aws-sdk/middleware-expect-continue": "^3.972.6",
-        "@aws-sdk/middleware-flexible-checksums": "^3.973.1",
-        "@aws-sdk/middleware-host-header": "^3.972.6",
-        "@aws-sdk/middleware-location-constraint": "^3.972.6",
-        "@aws-sdk/middleware-logger": "^3.972.6",
-        "@aws-sdk/middleware-recursion-detection": "^3.972.6",
-        "@aws-sdk/middleware-sdk-s3": "^3.972.15",
-        "@aws-sdk/middleware-ssec": "^3.972.6",
-        "@aws-sdk/middleware-user-agent": "^3.972.15",
-        "@aws-sdk/region-config-resolver": "^3.972.6",
-        "@aws-sdk/signature-v4-multi-region": "^3.996.3",
-        "@aws-sdk/types": "^3.973.4",
-        "@aws-sdk/util-endpoints": "^3.996.3",
-        "@aws-sdk/util-user-agent-browser": "^3.972.6",
-        "@aws-sdk/util-user-agent-node": "^3.973.0",
-        "@smithy/config-resolver": "^4.4.9",
-        "@smithy/core": "^3.23.6",
-        "@smithy/eventstream-serde-browser": "^4.2.10",
-        "@smithy/eventstream-serde-config-resolver": "^4.3.10",
-        "@smithy/eventstream-serde-node": "^4.2.10",
-        "@smithy/fetch-http-handler": "^5.3.11",
-        "@smithy/hash-blob-browser": "^4.2.11",
-        "@smithy/hash-node": "^4.2.10",
-        "@smithy/hash-stream-node": "^4.2.10",
-        "@smithy/invalid-dependency": "^4.2.10",
-        "@smithy/md5-js": "^4.2.10",
-        "@smithy/middleware-content-length": "^4.2.10",
-        "@smithy/middleware-endpoint": "^4.4.20",
-        "@smithy/middleware-retry": "^4.4.37",
-        "@smithy/middleware-serde": "^4.2.11",
-        "@smithy/middleware-stack": "^4.2.10",
-        "@smithy/node-config-provider": "^4.3.10",
-        "@smithy/node-http-handler": "^4.4.12",
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/smithy-client": "^4.12.0",
-        "@smithy/types": "^4.13.0",
-        "@smithy/url-parser": "^4.2.10",
-        "@smithy/util-base64": "^4.3.1",
-        "@smithy/util-body-length-browser": "^4.2.1",
-        "@smithy/util-body-length-node": "^4.2.2",
-        "@smithy/util-defaults-mode-browser": "^4.3.36",
-        "@smithy/util-defaults-mode-node": "^4.2.39",
-        "@smithy/util-endpoints": "^3.3.1",
-        "@smithy/util-middleware": "^4.2.10",
-        "@smithy/util-retry": "^4.2.10",
-        "@smithy/util-stream": "^4.5.15",
-        "@smithy/util-utf8": "^4.2.1",
-        "@smithy/util-waiter": "^4.2.10",
+        "@aws-sdk/core": "^3.973.25",
+        "@aws-sdk/credential-provider-node": "^3.972.26",
+        "@aws-sdk/middleware-bucket-endpoint": "^3.972.8",
+        "@aws-sdk/middleware-expect-continue": "^3.972.8",
+        "@aws-sdk/middleware-flexible-checksums": "^3.974.5",
+        "@aws-sdk/middleware-host-header": "^3.972.8",
+        "@aws-sdk/middleware-location-constraint": "^3.972.8",
+        "@aws-sdk/middleware-logger": "^3.972.8",
+        "@aws-sdk/middleware-recursion-detection": "^3.972.9",
+        "@aws-sdk/middleware-sdk-s3": "^3.972.26",
+        "@aws-sdk/middleware-ssec": "^3.972.8",
+        "@aws-sdk/middleware-user-agent": "^3.972.26",
+        "@aws-sdk/region-config-resolver": "^3.972.10",
+        "@aws-sdk/signature-v4-multi-region": "^3.996.14",
+        "@aws-sdk/types": "^3.973.6",
+        "@aws-sdk/util-endpoints": "^3.996.5",
+        "@aws-sdk/util-user-agent-browser": "^3.972.8",
+        "@aws-sdk/util-user-agent-node": "^3.973.12",
+        "@smithy/config-resolver": "^4.4.13",
+        "@smithy/core": "^3.23.12",
+        "@smithy/eventstream-serde-browser": "^4.2.12",
+        "@smithy/eventstream-serde-config-resolver": "^4.3.12",
+        "@smithy/eventstream-serde-node": "^4.2.12",
+        "@smithy/fetch-http-handler": "^5.3.15",
+        "@smithy/hash-blob-browser": "^4.2.13",
+        "@smithy/hash-node": "^4.2.12",
+        "@smithy/hash-stream-node": "^4.2.12",
+        "@smithy/invalid-dependency": "^4.2.12",
+        "@smithy/md5-js": "^4.2.12",
+        "@smithy/middleware-content-length": "^4.2.12",
+        "@smithy/middleware-endpoint": "^4.4.27",
+        "@smithy/middleware-retry": "^4.4.44",
+        "@smithy/middleware-serde": "^4.2.15",
+        "@smithy/middleware-stack": "^4.2.12",
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/node-http-handler": "^4.5.0",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/smithy-client": "^4.12.7",
+        "@smithy/types": "^4.13.1",
+        "@smithy/url-parser": "^4.2.12",
+        "@smithy/util-base64": "^4.3.2",
+        "@smithy/util-body-length-browser": "^4.2.2",
+        "@smithy/util-body-length-node": "^4.2.3",
+        "@smithy/util-defaults-mode-browser": "^4.3.43",
+        "@smithy/util-defaults-mode-node": "^4.2.47",
+        "@smithy/util-endpoints": "^3.3.3",
+        "@smithy/util-middleware": "^4.2.12",
+        "@smithy/util-retry": "^4.2.12",
+        "@smithy/util-stream": "^4.5.20",
+        "@smithy/util-utf8": "^4.2.2",
+        "@smithy/util-waiter": "^4.2.13",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -801,52 +801,52 @@
       }
     },
     "node_modules/@aws-sdk/client-sqs": {
-      "version": "3.1000.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/client-sqs/-/client-sqs-3.1000.0.tgz",
-      "integrity": "sha512-fGp197WE/wy05DNAKLokN21RwhH17go631U6GT/t3BwHv7DBd5oI4OLT5TLy0dc4freAd3ib3XET1OEc1TG/3Q==",
+      "version": "3.1018.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-sqs/-/client-sqs-3.1018.0.tgz",
+      "integrity": "sha512-zozAkt/4x5Emh7jHo/hKV9+qSDIVSH0lWH2UdeLkynM+kLorEZQULEsWcrha+LdZYVvfi/zqFAYCB6RFqXNoqQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "^3.973.15",
-        "@aws-sdk/credential-provider-node": "^3.972.14",
-        "@aws-sdk/middleware-host-header": "^3.972.6",
-        "@aws-sdk/middleware-logger": "^3.972.6",
-        "@aws-sdk/middleware-recursion-detection": "^3.972.6",
-        "@aws-sdk/middleware-sdk-sqs": "^3.972.11",
-        "@aws-sdk/middleware-user-agent": "^3.972.15",
-        "@aws-sdk/region-config-resolver": "^3.972.6",
-        "@aws-sdk/types": "^3.973.4",
-        "@aws-sdk/util-endpoints": "^3.996.3",
-        "@aws-sdk/util-user-agent-browser": "^3.972.6",
-        "@aws-sdk/util-user-agent-node": "^3.973.0",
-        "@smithy/config-resolver": "^4.4.9",
-        "@smithy/core": "^3.23.6",
-        "@smithy/fetch-http-handler": "^5.3.11",
-        "@smithy/hash-node": "^4.2.10",
-        "@smithy/invalid-dependency": "^4.2.10",
-        "@smithy/md5-js": "^4.2.10",
-        "@smithy/middleware-content-length": "^4.2.10",
-        "@smithy/middleware-endpoint": "^4.4.20",
-        "@smithy/middleware-retry": "^4.4.37",
-        "@smithy/middleware-serde": "^4.2.11",
-        "@smithy/middleware-stack": "^4.2.10",
-        "@smithy/node-config-provider": "^4.3.10",
-        "@smithy/node-http-handler": "^4.4.12",
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/smithy-client": "^4.12.0",
-        "@smithy/types": "^4.13.0",
-        "@smithy/url-parser": "^4.2.10",
-        "@smithy/util-base64": "^4.3.1",
-        "@smithy/util-body-length-browser": "^4.2.1",
-        "@smithy/util-body-length-node": "^4.2.2",
-        "@smithy/util-defaults-mode-browser": "^4.3.36",
-        "@smithy/util-defaults-mode-node": "^4.2.39",
-        "@smithy/util-endpoints": "^3.3.1",
-        "@smithy/util-middleware": "^4.2.10",
-        "@smithy/util-retry": "^4.2.10",
-        "@smithy/util-utf8": "^4.2.1",
+        "@aws-sdk/core": "^3.973.25",
+        "@aws-sdk/credential-provider-node": "^3.972.26",
+        "@aws-sdk/middleware-host-header": "^3.972.8",
+        "@aws-sdk/middleware-logger": "^3.972.8",
+        "@aws-sdk/middleware-recursion-detection": "^3.972.9",
+        "@aws-sdk/middleware-sdk-sqs": "^3.972.17",
+        "@aws-sdk/middleware-user-agent": "^3.972.26",
+        "@aws-sdk/region-config-resolver": "^3.972.10",
+        "@aws-sdk/types": "^3.973.6",
+        "@aws-sdk/util-endpoints": "^3.996.5",
+        "@aws-sdk/util-user-agent-browser": "^3.972.8",
+        "@aws-sdk/util-user-agent-node": "^3.973.12",
+        "@smithy/config-resolver": "^4.4.13",
+        "@smithy/core": "^3.23.12",
+        "@smithy/fetch-http-handler": "^5.3.15",
+        "@smithy/hash-node": "^4.2.12",
+        "@smithy/invalid-dependency": "^4.2.12",
+        "@smithy/md5-js": "^4.2.12",
+        "@smithy/middleware-content-length": "^4.2.12",
+        "@smithy/middleware-endpoint": "^4.4.27",
+        "@smithy/middleware-retry": "^4.4.44",
+        "@smithy/middleware-serde": "^4.2.15",
+        "@smithy/middleware-stack": "^4.2.12",
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/node-http-handler": "^4.5.0",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/smithy-client": "^4.12.7",
+        "@smithy/types": "^4.13.1",
+        "@smithy/url-parser": "^4.2.12",
+        "@smithy/util-base64": "^4.3.2",
+        "@smithy/util-body-length-browser": "^4.2.2",
+        "@smithy/util-body-length-node": "^4.2.3",
+        "@smithy/util-defaults-mode-browser": "^4.3.43",
+        "@smithy/util-defaults-mode-node": "^4.2.47",
+        "@smithy/util-endpoints": "^3.3.3",
+        "@smithy/util-middleware": "^4.2.12",
+        "@smithy/util-retry": "^4.2.12",
+        "@smithy/util-utf8": "^4.2.2",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -854,51 +854,51 @@
       }
     },
     "node_modules/@aws-sdk/client-ssm": {
-      "version": "3.1000.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/client-ssm/-/client-ssm-3.1000.0.tgz",
-      "integrity": "sha512-pqxpsNEs2UTcyyzDdSXl9oTmLeiFQVQq7N2UEEGP5ItBdBnULrBN++9t/DhNfOZNENddDNJcuCslvoYKJ7wVcQ==",
+      "version": "3.1018.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-ssm/-/client-ssm-3.1018.0.tgz",
+      "integrity": "sha512-qURScwy9g9KMbI/jMCyBI5KuTZZ9U+vmh+bUl3MzKTlVafUzHCq6nlCX9VK8tl4mrqoO2e6raKdhiYsILxWhZQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "^3.973.15",
-        "@aws-sdk/credential-provider-node": "^3.972.14",
-        "@aws-sdk/middleware-host-header": "^3.972.6",
-        "@aws-sdk/middleware-logger": "^3.972.6",
-        "@aws-sdk/middleware-recursion-detection": "^3.972.6",
-        "@aws-sdk/middleware-user-agent": "^3.972.15",
-        "@aws-sdk/region-config-resolver": "^3.972.6",
-        "@aws-sdk/types": "^3.973.4",
-        "@aws-sdk/util-endpoints": "^3.996.3",
-        "@aws-sdk/util-user-agent-browser": "^3.972.6",
-        "@aws-sdk/util-user-agent-node": "^3.973.0",
-        "@smithy/config-resolver": "^4.4.9",
-        "@smithy/core": "^3.23.6",
-        "@smithy/fetch-http-handler": "^5.3.11",
-        "@smithy/hash-node": "^4.2.10",
-        "@smithy/invalid-dependency": "^4.2.10",
-        "@smithy/middleware-content-length": "^4.2.10",
-        "@smithy/middleware-endpoint": "^4.4.20",
-        "@smithy/middleware-retry": "^4.4.37",
-        "@smithy/middleware-serde": "^4.2.11",
-        "@smithy/middleware-stack": "^4.2.10",
-        "@smithy/node-config-provider": "^4.3.10",
-        "@smithy/node-http-handler": "^4.4.12",
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/smithy-client": "^4.12.0",
-        "@smithy/types": "^4.13.0",
-        "@smithy/url-parser": "^4.2.10",
-        "@smithy/util-base64": "^4.3.1",
-        "@smithy/util-body-length-browser": "^4.2.1",
-        "@smithy/util-body-length-node": "^4.2.2",
-        "@smithy/util-defaults-mode-browser": "^4.3.36",
-        "@smithy/util-defaults-mode-node": "^4.2.39",
-        "@smithy/util-endpoints": "^3.3.1",
-        "@smithy/util-middleware": "^4.2.10",
-        "@smithy/util-retry": "^4.2.10",
-        "@smithy/util-utf8": "^4.2.1",
-        "@smithy/util-waiter": "^4.2.10",
+        "@aws-sdk/core": "^3.973.25",
+        "@aws-sdk/credential-provider-node": "^3.972.26",
+        "@aws-sdk/middleware-host-header": "^3.972.8",
+        "@aws-sdk/middleware-logger": "^3.972.8",
+        "@aws-sdk/middleware-recursion-detection": "^3.972.9",
+        "@aws-sdk/middleware-user-agent": "^3.972.26",
+        "@aws-sdk/region-config-resolver": "^3.972.10",
+        "@aws-sdk/types": "^3.973.6",
+        "@aws-sdk/util-endpoints": "^3.996.5",
+        "@aws-sdk/util-user-agent-browser": "^3.972.8",
+        "@aws-sdk/util-user-agent-node": "^3.973.12",
+        "@smithy/config-resolver": "^4.4.13",
+        "@smithy/core": "^3.23.12",
+        "@smithy/fetch-http-handler": "^5.3.15",
+        "@smithy/hash-node": "^4.2.12",
+        "@smithy/invalid-dependency": "^4.2.12",
+        "@smithy/middleware-content-length": "^4.2.12",
+        "@smithy/middleware-endpoint": "^4.4.27",
+        "@smithy/middleware-retry": "^4.4.44",
+        "@smithy/middleware-serde": "^4.2.15",
+        "@smithy/middleware-stack": "^4.2.12",
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/node-http-handler": "^4.5.0",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/smithy-client": "^4.12.7",
+        "@smithy/types": "^4.13.1",
+        "@smithy/url-parser": "^4.2.12",
+        "@smithy/util-base64": "^4.3.2",
+        "@smithy/util-body-length-browser": "^4.2.2",
+        "@smithy/util-body-length-node": "^4.2.3",
+        "@smithy/util-defaults-mode-browser": "^4.3.43",
+        "@smithy/util-defaults-mode-node": "^4.2.47",
+        "@smithy/util-endpoints": "^3.3.3",
+        "@smithy/util-middleware": "^4.2.12",
+        "@smithy/util-retry": "^4.2.12",
+        "@smithy/util-utf8": "^4.2.2",
+        "@smithy/util-waiter": "^4.2.13",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -906,50 +906,50 @@
       }
     },
     "node_modules/@aws-sdk/client-sts": {
-      "version": "3.1000.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/client-sts/-/client-sts-3.1000.0.tgz",
-      "integrity": "sha512-PMUloaoajk/YxLWh4OFC5H8wauISkeG5/OS/I0ZeptMVq36hKQmJgYFhOqcCWAm6u/88JX9XztmKCTX8CyFPVg==",
+      "version": "3.1018.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-sts/-/client-sts-3.1018.0.tgz",
+      "integrity": "sha512-8XmQN27dPnqqCN+1o34pnfa4KEKCrqN7p08tb+MMVrARlP5lQKFS8OvvabdA0edKWdLqCCW7l5iH9qHzpwYhJw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "^3.973.15",
-        "@aws-sdk/credential-provider-node": "^3.972.14",
-        "@aws-sdk/middleware-host-header": "^3.972.6",
-        "@aws-sdk/middleware-logger": "^3.972.6",
-        "@aws-sdk/middleware-recursion-detection": "^3.972.6",
-        "@aws-sdk/middleware-user-agent": "^3.972.15",
-        "@aws-sdk/region-config-resolver": "^3.972.6",
-        "@aws-sdk/types": "^3.973.4",
-        "@aws-sdk/util-endpoints": "^3.996.3",
-        "@aws-sdk/util-user-agent-browser": "^3.972.6",
-        "@aws-sdk/util-user-agent-node": "^3.973.0",
-        "@smithy/config-resolver": "^4.4.9",
-        "@smithy/core": "^3.23.6",
-        "@smithy/fetch-http-handler": "^5.3.11",
-        "@smithy/hash-node": "^4.2.10",
-        "@smithy/invalid-dependency": "^4.2.10",
-        "@smithy/middleware-content-length": "^4.2.10",
-        "@smithy/middleware-endpoint": "^4.4.20",
-        "@smithy/middleware-retry": "^4.4.37",
-        "@smithy/middleware-serde": "^4.2.11",
-        "@smithy/middleware-stack": "^4.2.10",
-        "@smithy/node-config-provider": "^4.3.10",
-        "@smithy/node-http-handler": "^4.4.12",
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/smithy-client": "^4.12.0",
-        "@smithy/types": "^4.13.0",
-        "@smithy/url-parser": "^4.2.10",
-        "@smithy/util-base64": "^4.3.1",
-        "@smithy/util-body-length-browser": "^4.2.1",
-        "@smithy/util-body-length-node": "^4.2.2",
-        "@smithy/util-defaults-mode-browser": "^4.3.36",
-        "@smithy/util-defaults-mode-node": "^4.2.39",
-        "@smithy/util-endpoints": "^3.3.1",
-        "@smithy/util-middleware": "^4.2.10",
-        "@smithy/util-retry": "^4.2.10",
-        "@smithy/util-utf8": "^4.2.1",
+        "@aws-sdk/core": "^3.973.25",
+        "@aws-sdk/credential-provider-node": "^3.972.26",
+        "@aws-sdk/middleware-host-header": "^3.972.8",
+        "@aws-sdk/middleware-logger": "^3.972.8",
+        "@aws-sdk/middleware-recursion-detection": "^3.972.9",
+        "@aws-sdk/middleware-user-agent": "^3.972.26",
+        "@aws-sdk/region-config-resolver": "^3.972.10",
+        "@aws-sdk/types": "^3.973.6",
+        "@aws-sdk/util-endpoints": "^3.996.5",
+        "@aws-sdk/util-user-agent-browser": "^3.972.8",
+        "@aws-sdk/util-user-agent-node": "^3.973.12",
+        "@smithy/config-resolver": "^4.4.13",
+        "@smithy/core": "^3.23.12",
+        "@smithy/fetch-http-handler": "^5.3.15",
+        "@smithy/hash-node": "^4.2.12",
+        "@smithy/invalid-dependency": "^4.2.12",
+        "@smithy/middleware-content-length": "^4.2.12",
+        "@smithy/middleware-endpoint": "^4.4.27",
+        "@smithy/middleware-retry": "^4.4.44",
+        "@smithy/middleware-serde": "^4.2.15",
+        "@smithy/middleware-stack": "^4.2.12",
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/node-http-handler": "^4.5.0",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/smithy-client": "^4.12.7",
+        "@smithy/types": "^4.13.1",
+        "@smithy/url-parser": "^4.2.12",
+        "@smithy/util-base64": "^4.3.2",
+        "@smithy/util-body-length-browser": "^4.2.2",
+        "@smithy/util-body-length-node": "^4.2.3",
+        "@smithy/util-defaults-mode-browser": "^4.3.43",
+        "@smithy/util-defaults-mode-node": "^4.2.47",
+        "@smithy/util-endpoints": "^3.3.3",
+        "@smithy/util-middleware": "^4.2.12",
+        "@smithy/util-retry": "^4.2.12",
+        "@smithy/util-utf8": "^4.2.2",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -957,24 +957,24 @@
       }
     },
     "node_modules/@aws-sdk/core": {
-      "version": "3.973.15",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/core/-/core-3.973.15.tgz",
-      "integrity": "sha512-AlC0oQ1/mdJ8vCIqu524j5RB7M8i8E24bbkZmya1CuiQxkY7SdIZAyw7NDNMGaNINQFq/8oGRMX0HeOfCVsl/A==",
+      "version": "3.973.25",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/core/-/core-3.973.25.tgz",
+      "integrity": "sha512-TNrx7eq6nKNOO62HWPqoBqPLXEkW6nLZQGwjL6lq1jZtigWYbK1NbCnT7mKDzbLMHZfuOECUt3n6CzxjUW9HWQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/types": "^3.973.4",
-        "@aws-sdk/xml-builder": "^3.972.8",
-        "@smithy/core": "^3.23.6",
-        "@smithy/node-config-provider": "^4.3.10",
-        "@smithy/property-provider": "^4.2.10",
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/signature-v4": "^5.3.10",
-        "@smithy/smithy-client": "^4.12.0",
-        "@smithy/types": "^4.13.0",
-        "@smithy/util-base64": "^4.3.1",
-        "@smithy/util-middleware": "^4.2.10",
-        "@smithy/util-utf8": "^4.2.1",
+        "@aws-sdk/types": "^3.973.6",
+        "@aws-sdk/xml-builder": "^3.972.16",
+        "@smithy/core": "^3.23.12",
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/property-provider": "^4.2.12",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/signature-v4": "^5.3.12",
+        "@smithy/smithy-client": "^4.12.7",
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-base64": "^4.3.2",
+        "@smithy/util-middleware": "^4.2.12",
+        "@smithy/util-utf8": "^4.2.2",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -982,13 +982,13 @@
       }
     },
     "node_modules/@aws-sdk/crc64-nvme": {
-      "version": "3.972.3",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/crc64-nvme/-/crc64-nvme-3.972.3.tgz",
-      "integrity": "sha512-UExeK+EFiq5LAcbHm96CQLSia+5pvpUVSAsVApscBzayb7/6dJBJKwV4/onsk4VbWSmqxDMcfuTD+pC4RxgZHg==",
+      "version": "3.972.5",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/crc64-nvme/-/crc64-nvme-3.972.5.tgz",
+      "integrity": "sha512-2VbTstbjKdT+yKi8m7b3a9CiVac+pL/IY2PHJwsaGkkHmuuqkJZIErPck1h6P3T9ghQMLSdMPyW6Qp7Di5swFg==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.13.0",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -996,16 +996,16 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-cognito-identity": {
-      "version": "3.972.6",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-cognito-identity/-/credential-provider-cognito-identity-3.972.6.tgz",
-      "integrity": "sha512-RJqEZYFoXkBTVCwSJuYFd311qc/Q/cBJ8BH08+ggX/rUTWw47TUEyZlxzyTlKfP7DoXG4Khu/TX+pzU6godEGQ==",
+      "version": "3.972.18",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-cognito-identity/-/credential-provider-cognito-identity-3.972.18.tgz",
+      "integrity": "sha512-1Amo/hA/mzR6BR67Ts4Hnr7Z2WVPuyqv+N58HiYvR9SovfRP+BiqHRujn0tM7/4cJa9687yvAdcYaEFeJQc2tQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/nested-clients": "^3.996.3",
-        "@aws-sdk/types": "^3.973.4",
-        "@smithy/property-provider": "^4.2.10",
-        "@smithy/types": "^4.13.0",
+        "@aws-sdk/nested-clients": "^3.996.15",
+        "@aws-sdk/types": "^3.973.6",
+        "@smithy/property-provider": "^4.2.12",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1013,16 +1013,16 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-env": {
-      "version": "3.972.13",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-env/-/credential-provider-env-3.972.13.tgz",
-      "integrity": "sha512-6ljXKIQ22WFKyIs1jbORIkGanySBHaPPTOI4OxACP5WXgbcR0nDYfqNJfXEGwCK7IzHdNbCSFsNKKs0qCexR8Q==",
+      "version": "3.972.23",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-env/-/credential-provider-env-3.972.23.tgz",
+      "integrity": "sha512-EamaclJcCEaPHp6wiVknNMM2RlsPMjAHSsYSFLNENBM8Wz92QPc6cOn3dif6vPDQt0Oo4IEghDy3NMDCzY/IvA==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.973.15",
-        "@aws-sdk/types": "^3.973.4",
-        "@smithy/property-provider": "^4.2.10",
-        "@smithy/types": "^4.13.0",
+        "@aws-sdk/core": "^3.973.25",
+        "@aws-sdk/types": "^3.973.6",
+        "@smithy/property-provider": "^4.2.12",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1030,21 +1030,21 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-http": {
-      "version": "3.972.15",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-http/-/credential-provider-http-3.972.15.tgz",
-      "integrity": "sha512-dJuSTreu/T8f24SHDNTjd7eQ4rabr0TzPh2UTCwYexQtzG3nTDKm1e5eIdhiroTMDkPEJeY+WPkA6F9wod/20A==",
+      "version": "3.972.25",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-http/-/credential-provider-http-3.972.25.tgz",
+      "integrity": "sha512-qPymamdPcLp6ugoVocG1y5r69ScNiRzb0hogX25/ij+Wz7c7WnsgjLTaz7+eB5BfRxeyUwuw5hgULMuwOGOpcw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.973.15",
-        "@aws-sdk/types": "^3.973.4",
-        "@smithy/fetch-http-handler": "^5.3.11",
-        "@smithy/node-http-handler": "^4.4.12",
-        "@smithy/property-provider": "^4.2.10",
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/smithy-client": "^4.12.0",
-        "@smithy/types": "^4.13.0",
-        "@smithy/util-stream": "^4.5.15",
+        "@aws-sdk/core": "^3.973.25",
+        "@aws-sdk/types": "^3.973.6",
+        "@smithy/fetch-http-handler": "^5.3.15",
+        "@smithy/node-http-handler": "^4.5.0",
+        "@smithy/property-provider": "^4.2.12",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/smithy-client": "^4.12.7",
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-stream": "^4.5.20",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1052,25 +1052,25 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-ini": {
-      "version": "3.972.13",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-ini/-/credential-provider-ini-3.972.13.tgz",
-      "integrity": "sha512-JKSoGb7XeabZLBJptpqoZIFbROUIS65NuQnEHGOpuT9GuuZwag2qciKANiDLFiYk4u8nSrJC9JIOnWKVvPVjeA==",
-      "dev": true,
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/core": "^3.973.15",
-        "@aws-sdk/credential-provider-env": "^3.972.13",
-        "@aws-sdk/credential-provider-http": "^3.972.15",
-        "@aws-sdk/credential-provider-login": "^3.972.13",
-        "@aws-sdk/credential-provider-process": "^3.972.13",
-        "@aws-sdk/credential-provider-sso": "^3.972.13",
-        "@aws-sdk/credential-provider-web-identity": "^3.972.13",
-        "@aws-sdk/nested-clients": "^3.996.3",
-        "@aws-sdk/types": "^3.973.4",
-        "@smithy/credential-provider-imds": "^4.2.10",
-        "@smithy/property-provider": "^4.2.10",
-        "@smithy/shared-ini-file-loader": "^4.4.5",
-        "@smithy/types": "^4.13.0",
+      "version": "3.972.25",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-ini/-/credential-provider-ini-3.972.25.tgz",
+      "integrity": "sha512-G/v/PicYn4qs7xCv4vT6I4QKdvMyRvsgIFNBkUueCGlbLo7/PuKcNKgUozmLSsaYnE7jIl6UrfkP07EUubr48w==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-sdk/core": "^3.973.25",
+        "@aws-sdk/credential-provider-env": "^3.972.23",
+        "@aws-sdk/credential-provider-http": "^3.972.25",
+        "@aws-sdk/credential-provider-login": "^3.972.25",
+        "@aws-sdk/credential-provider-process": "^3.972.23",
+        "@aws-sdk/credential-provider-sso": "^3.972.25",
+        "@aws-sdk/credential-provider-web-identity": "^3.972.25",
+        "@aws-sdk/nested-clients": "^3.996.15",
+        "@aws-sdk/types": "^3.973.6",
+        "@smithy/credential-provider-imds": "^4.2.12",
+        "@smithy/property-provider": "^4.2.12",
+        "@smithy/shared-ini-file-loader": "^4.4.7",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1078,19 +1078,19 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-login": {
-      "version": "3.972.13",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-login/-/credential-provider-login-3.972.13.tgz",
-      "integrity": "sha512-RtYcrxdnJHKY8MFQGLltCURcjuMjnaQpAxPE6+/QEdDHHItMKZgabRe/KScX737F9vJMQsmJy9EmMOkCnoC1JQ==",
+      "version": "3.972.25",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-login/-/credential-provider-login-3.972.25.tgz",
+      "integrity": "sha512-bUdmyJeVua7SmD+g2a65x2/0YqsGn4K2k4GawI43js0odaNaIzpIhLtHehUnPnfLuyhPWbJR1NyuIO4iMVfM0w==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.973.15",
-        "@aws-sdk/nested-clients": "^3.996.3",
-        "@aws-sdk/types": "^3.973.4",
-        "@smithy/property-provider": "^4.2.10",
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/shared-ini-file-loader": "^4.4.5",
-        "@smithy/types": "^4.13.0",
+        "@aws-sdk/core": "^3.973.25",
+        "@aws-sdk/nested-clients": "^3.996.15",
+        "@aws-sdk/types": "^3.973.6",
+        "@smithy/property-provider": "^4.2.12",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/shared-ini-file-loader": "^4.4.7",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1098,23 +1098,23 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-node": {
-      "version": "3.972.14",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-node/-/credential-provider-node-3.972.14.tgz",
-      "integrity": "sha512-WqoC2aliIjQM/L3oFf6j+op/enT2i9Cc4UTxxMEKrJNECkq4/PlKE5BOjSYFcq6G9mz65EFbXJh7zOU4CvjSKQ==",
-      "dev": true,
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/credential-provider-env": "^3.972.13",
-        "@aws-sdk/credential-provider-http": "^3.972.15",
-        "@aws-sdk/credential-provider-ini": "^3.972.13",
-        "@aws-sdk/credential-provider-process": "^3.972.13",
-        "@aws-sdk/credential-provider-sso": "^3.972.13",
-        "@aws-sdk/credential-provider-web-identity": "^3.972.13",
-        "@aws-sdk/types": "^3.973.4",
-        "@smithy/credential-provider-imds": "^4.2.10",
-        "@smithy/property-provider": "^4.2.10",
-        "@smithy/shared-ini-file-loader": "^4.4.5",
-        "@smithy/types": "^4.13.0",
+      "version": "3.972.26",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-node/-/credential-provider-node-3.972.26.tgz",
+      "integrity": "sha512-5XSK74rCXxCNj+UWv5bjq1EccYkiyW4XOHFU9NXnsCcQF8dJuHdua1qFg0m/LIwVOWklbKsrcnMtfxIXwgvwzQ==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-sdk/credential-provider-env": "^3.972.23",
+        "@aws-sdk/credential-provider-http": "^3.972.25",
+        "@aws-sdk/credential-provider-ini": "^3.972.25",
+        "@aws-sdk/credential-provider-process": "^3.972.23",
+        "@aws-sdk/credential-provider-sso": "^3.972.25",
+        "@aws-sdk/credential-provider-web-identity": "^3.972.25",
+        "@aws-sdk/types": "^3.973.6",
+        "@smithy/credential-provider-imds": "^4.2.12",
+        "@smithy/property-provider": "^4.2.12",
+        "@smithy/shared-ini-file-loader": "^4.4.7",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1122,17 +1122,17 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-process": {
-      "version": "3.972.13",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-process/-/credential-provider-process-3.972.13.tgz",
-      "integrity": "sha512-rsRG0LQA4VR+jnDyuqtXi2CePYSmfm5GNL9KxiW8DSe25YwJSr06W8TdUfONAC+rjsTI+aIH2rBGG5FjMeANrw==",
+      "version": "3.972.23",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-process/-/credential-provider-process-3.972.23.tgz",
+      "integrity": "sha512-IL/TFW59++b7MpHserjUblGrdP5UXy5Ekqqx1XQkERXBFJcZr74I7VaSrQT5dxdRMU16xGK4L0RQ5fQG1pMgnA==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.973.15",
-        "@aws-sdk/types": "^3.973.4",
-        "@smithy/property-provider": "^4.2.10",
-        "@smithy/shared-ini-file-loader": "^4.4.5",
-        "@smithy/types": "^4.13.0",
+        "@aws-sdk/core": "^3.973.25",
+        "@aws-sdk/types": "^3.973.6",
+        "@smithy/property-provider": "^4.2.12",
+        "@smithy/shared-ini-file-loader": "^4.4.7",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1140,19 +1140,19 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-sso": {
-      "version": "3.972.13",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-sso/-/credential-provider-sso-3.972.13.tgz",
-      "integrity": "sha512-fr0UU1wx8kNHDhTQBXioc/YviSW8iXuAxHvnH7eQUtn8F8o/FU3uu6EUMvAQgyvn7Ne5QFnC0Cj0BFlwCk+RFw==",
+      "version": "3.972.25",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-sso/-/credential-provider-sso-3.972.25.tgz",
+      "integrity": "sha512-r4OGAfHmlEa1QBInHWz+/dOD4tRljcjVNQe9wJ/AJNXEj1d2WdsRLppvRFImRV6FIs+bTpjtL0a23V5ELQpRPw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.973.15",
-        "@aws-sdk/nested-clients": "^3.996.3",
-        "@aws-sdk/token-providers": "3.999.0",
-        "@aws-sdk/types": "^3.973.4",
-        "@smithy/property-provider": "^4.2.10",
-        "@smithy/shared-ini-file-loader": "^4.4.5",
-        "@smithy/types": "^4.13.0",
+        "@aws-sdk/core": "^3.973.25",
+        "@aws-sdk/nested-clients": "^3.996.15",
+        "@aws-sdk/token-providers": "3.1018.0",
+        "@aws-sdk/types": "^3.973.6",
+        "@smithy/property-provider": "^4.2.12",
+        "@smithy/shared-ini-file-loader": "^4.4.7",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1160,18 +1160,18 @@
       }
     },
     "node_modules/@aws-sdk/credential-provider-web-identity": {
-      "version": "3.972.13",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-web-identity/-/credential-provider-web-identity-3.972.13.tgz",
-      "integrity": "sha512-a6iFMh1pgUH0TdcouBppLJUfPM7Yd3R9S1xFodPtCRoLqCz2RQFA3qjA8x4112PVYXEd4/pHX2eihapq39w0rA==",
+      "version": "3.972.25",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-provider-web-identity/-/credential-provider-web-identity-3.972.25.tgz",
+      "integrity": "sha512-uM1OtoJgj+yK3MlAmda8uR9WJJCdm5HB25JyCeFL5a5q1Fbafalf4uKidFO3/L0Pgd+Fsflkb4cM6jHIswi3QQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.973.15",
-        "@aws-sdk/nested-clients": "^3.996.3",
-        "@aws-sdk/types": "^3.973.4",
-        "@smithy/property-provider": "^4.2.10",
-        "@smithy/shared-ini-file-loader": "^4.4.5",
-        "@smithy/types": "^4.13.0",
+        "@aws-sdk/core": "^3.973.25",
+        "@aws-sdk/nested-clients": "^3.996.15",
+        "@aws-sdk/types": "^3.973.6",
+        "@smithy/property-provider": "^4.2.12",
+        "@smithy/shared-ini-file-loader": "^4.4.7",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1179,31 +1179,31 @@
       }
     },
     "node_modules/@aws-sdk/credential-providers": {
-      "version": "3.1000.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-providers/-/credential-providers-3.1000.0.tgz",
-      "integrity": "sha512-J0pBgTZ2b3UCnj+NQTPtWYjrEUne2aGwq1Xuuw8P2cIMpPBYJc39e59oYoRGpNseUXqcjkh0nLtWqZREEeMvkg==",
-      "dev": true,
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@aws-sdk/client-cognito-identity": "3.1000.0",
-        "@aws-sdk/core": "^3.973.15",
-        "@aws-sdk/credential-provider-cognito-identity": "^3.972.6",
-        "@aws-sdk/credential-provider-env": "^3.972.13",
-        "@aws-sdk/credential-provider-http": "^3.972.15",
-        "@aws-sdk/credential-provider-ini": "^3.972.13",
-        "@aws-sdk/credential-provider-login": "^3.972.13",
-        "@aws-sdk/credential-provider-node": "^3.972.14",
-        "@aws-sdk/credential-provider-process": "^3.972.13",
-        "@aws-sdk/credential-provider-sso": "^3.972.13",
-        "@aws-sdk/credential-provider-web-identity": "^3.972.13",
-        "@aws-sdk/nested-clients": "^3.996.3",
-        "@aws-sdk/types": "^3.973.4",
-        "@smithy/config-resolver": "^4.4.9",
-        "@smithy/core": "^3.23.6",
-        "@smithy/credential-provider-imds": "^4.2.10",
-        "@smithy/node-config-provider": "^4.3.10",
-        "@smithy/property-provider": "^4.2.10",
-        "@smithy/types": "^4.13.0",
+      "version": "3.1018.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/credential-providers/-/credential-providers-3.1018.0.tgz",
+      "integrity": "sha512-Lou9mLRBRDEknOxJ0KBHcIZ5H0BCzlpsHXrSDqkil8kOxPBqxa56s3dS6S0Y/aVl2u7Nd1oOk4IHUf3A+WdqMQ==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@aws-sdk/client-cognito-identity": "3.1018.0",
+        "@aws-sdk/core": "^3.973.25",
+        "@aws-sdk/credential-provider-cognito-identity": "^3.972.18",
+        "@aws-sdk/credential-provider-env": "^3.972.23",
+        "@aws-sdk/credential-provider-http": "^3.972.25",
+        "@aws-sdk/credential-provider-ini": "^3.972.25",
+        "@aws-sdk/credential-provider-login": "^3.972.25",
+        "@aws-sdk/credential-provider-node": "^3.972.26",
+        "@aws-sdk/credential-provider-process": "^3.972.23",
+        "@aws-sdk/credential-provider-sso": "^3.972.25",
+        "@aws-sdk/credential-provider-web-identity": "^3.972.25",
+        "@aws-sdk/nested-clients": "^3.996.15",
+        "@aws-sdk/types": "^3.973.6",
+        "@smithy/config-resolver": "^4.4.13",
+        "@smithy/core": "^3.23.12",
+        "@smithy/credential-provider-imds": "^4.2.12",
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/property-provider": "^4.2.12",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1211,18 +1211,18 @@
       }
     },
     "node_modules/@aws-sdk/middleware-bucket-endpoint": {
-      "version": "3.972.6",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-bucket-endpoint/-/middleware-bucket-endpoint-3.972.6.tgz",
-      "integrity": "sha512-3H2bhvb7Cb/S6WFsBy/Dy9q2aegC9JmGH1inO8Lb2sWirSqpLJlZmvQHPE29h2tIxzv6el/14X/tLCQ8BQU6ZQ==",
+      "version": "3.972.8",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-bucket-endpoint/-/middleware-bucket-endpoint-3.972.8.tgz",
+      "integrity": "sha512-WR525Rr2QJSETa9a050isktyWi/4yIGcmY3BQ1kpHqb0LqUglQHCS8R27dTJxxWNZvQ0RVGtEZjTCbZJpyF3Aw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/types": "^3.973.4",
-        "@aws-sdk/util-arn-parser": "^3.972.2",
-        "@smithy/node-config-provider": "^4.3.10",
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/types": "^4.13.0",
-        "@smithy/util-config-provider": "^4.2.1",
+        "@aws-sdk/types": "^3.973.6",
+        "@aws-sdk/util-arn-parser": "^3.972.3",
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-config-provider": "^4.2.2",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1230,15 +1230,15 @@
       }
     },
     "node_modules/@aws-sdk/middleware-expect-continue": {
-      "version": "3.972.6",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-expect-continue/-/middleware-expect-continue-3.972.6.tgz",
-      "integrity": "sha512-QMdffpU+GkSGC+bz6WdqlclqIeCsOfgX8JFZ5xvwDtX+UTj4mIXm3uXu7Ko6dBseRcJz1FA6T9OmlAAY6JgJUg==",
+      "version": "3.972.8",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-expect-continue/-/middleware-expect-continue-3.972.8.tgz",
+      "integrity": "sha512-5DTBTiotEES1e2jOHAq//zyzCjeMB78lEHd35u15qnrid4Nxm7diqIf9fQQ3Ov0ChH1V3Vvt13thOnrACmfGVQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/types": "^3.973.4",
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/types": "^4.13.0",
+        "@aws-sdk/types": "^3.973.6",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1246,25 +1246,25 @@
       }
     },
     "node_modules/@aws-sdk/middleware-flexible-checksums": {
-      "version": "3.973.1",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-flexible-checksums/-/middleware-flexible-checksums-3.973.1.tgz",
-      "integrity": "sha512-QLXsxsI6VW8LuGK+/yx699wzqP/NMCGk/hSGP+qtB+Lcff+23UlbahyouLlk+nfT7Iu021SkXBhnAuVd6IZcPw==",
+      "version": "3.974.5",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-flexible-checksums/-/middleware-flexible-checksums-3.974.5.tgz",
+      "integrity": "sha512-SPSvF0G1t8m8CcB0L+ClNFszzQOvXaxmRj25oRWDf6aU+TuN2PXPFAJ9A6lt1IvX4oGAqqbTdMPTYs/SSHUYYQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/crc32": "5.2.0",
         "@aws-crypto/crc32c": "5.2.0",
         "@aws-crypto/util": "5.2.0",
-        "@aws-sdk/core": "^3.973.15",
-        "@aws-sdk/crc64-nvme": "^3.972.3",
-        "@aws-sdk/types": "^3.973.4",
-        "@smithy/is-array-buffer": "^4.2.1",
-        "@smithy/node-config-provider": "^4.3.10",
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/types": "^4.13.0",
-        "@smithy/util-middleware": "^4.2.10",
-        "@smithy/util-stream": "^4.5.15",
-        "@smithy/util-utf8": "^4.2.1",
+        "@aws-sdk/core": "^3.973.25",
+        "@aws-sdk/crc64-nvme": "^3.972.5",
+        "@aws-sdk/types": "^3.973.6",
+        "@smithy/is-array-buffer": "^4.2.2",
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-middleware": "^4.2.12",
+        "@smithy/util-stream": "^4.5.20",
+        "@smithy/util-utf8": "^4.2.2",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1272,15 +1272,15 @@
       }
     },
     "node_modules/@aws-sdk/middleware-host-header": {
-      "version": "3.972.6",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-host-header/-/middleware-host-header-3.972.6.tgz",
-      "integrity": "sha512-5XHwjPH1lHB+1q4bfC7T8Z5zZrZXfaLcjSMwTd1HPSPrCmPFMbg3UQ5vgNWcVj0xoX4HWqTGkSf2byrjlnRg5w==",
+      "version": "3.972.8",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-host-header/-/middleware-host-header-3.972.8.tgz",
+      "integrity": "sha512-wAr2REfKsqoKQ+OkNqvOShnBoh+nkPurDKW7uAeVSu6kUECnWlSJiPvnoqxGlfousEY/v9LfS9sNc46hjSYDIQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/types": "^3.973.4",
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/types": "^4.13.0",
+        "@aws-sdk/types": "^3.973.6",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1288,14 +1288,14 @@
       }
     },
     "node_modules/@aws-sdk/middleware-location-constraint": {
-      "version": "3.972.6",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-location-constraint/-/middleware-location-constraint-3.972.6.tgz",
-      "integrity": "sha512-XdZ2TLwyj3Am6kvUc67vquQvs6+D8npXvXgyEUJAdkUDx5oMFJKOqpK+UpJhVDsEL068WAJl2NEGzbSik7dGJQ==",
+      "version": "3.972.8",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-location-constraint/-/middleware-location-constraint-3.972.8.tgz",
+      "integrity": "sha512-KaUoFuoFPziIa98DSQsTPeke1gvGXlc5ZGMhy+b+nLxZ4A7jmJgLzjEF95l8aOQN2T/qlPP3MrAyELm8ExXucw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/types": "^3.973.4",
-        "@smithy/types": "^4.13.0",
+        "@aws-sdk/types": "^3.973.6",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1303,14 +1303,14 @@
       }
     },
     "node_modules/@aws-sdk/middleware-logger": {
-      "version": "3.972.6",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-logger/-/middleware-logger-3.972.6.tgz",
-      "integrity": "sha512-iFnaMFMQdljAPrvsCVKYltPt2j40LQqukAbXvW7v0aL5I+1GO7bZ/W8m12WxW3gwyK5p5u1WlHg8TSAizC5cZw==",
+      "version": "3.972.8",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-logger/-/middleware-logger-3.972.8.tgz",
+      "integrity": "sha512-CWl5UCM57WUFaFi5kB7IBY1UmOeLvNZAZ2/OZ5l20ldiJ3TiIz1pC65gYj8X0BCPWkeR1E32mpsCk1L1I4n+lA==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/types": "^3.973.4",
-        "@smithy/types": "^4.13.0",
+        "@aws-sdk/types": "^3.973.6",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1318,16 +1318,16 @@
       }
     },
     "node_modules/@aws-sdk/middleware-recursion-detection": {
-      "version": "3.972.6",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-recursion-detection/-/middleware-recursion-detection-3.972.6.tgz",
-      "integrity": "sha512-dY4v3of5EEMvik6+UDwQ96KfUFDk8m1oZDdkSc5lwi4o7rFrjnv0A+yTV+gu230iybQZnKgDLg/rt2P3H+Vscw==",
+      "version": "3.972.9",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-recursion-detection/-/middleware-recursion-detection-3.972.9.tgz",
+      "integrity": "sha512-/Wt5+CT8dpTFQxEJ9iGy/UGrXr7p2wlIOEHvIr/YcHYByzoLjrqkYqXdJjd9UIgWjv7eqV2HnFJen93UTuwfTQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/types": "^3.973.4",
+        "@aws-sdk/types": "^3.973.6",
         "@aws/lambda-invoke-store": "^0.2.2",
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/types": "^4.13.0",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1335,19 +1335,19 @@
       }
     },
     "node_modules/@aws-sdk/middleware-sdk-ec2": {
-      "version": "3.972.11",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-sdk-ec2/-/middleware-sdk-ec2-3.972.11.tgz",
-      "integrity": "sha512-Yu1kuUlt7ElhqITICXywBZFD+c1fsvNo9W6nwhvbNco/R0PrGd2xJDkeFE38Xb37ROByvOBdbQ+DCFtxvP228A==",
+      "version": "3.972.17",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-sdk-ec2/-/middleware-sdk-ec2-3.972.17.tgz",
+      "integrity": "sha512-8p8gSzSec0XeuqLnRU2ufTWTwV3TWocsV9I088ft0PMi+MvqYsy6oshD8e4ukDEWmAgKPyUuyJBcHMnQ8CcXcg==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/types": "^3.973.4",
-        "@aws-sdk/util-format-url": "^3.972.6",
-        "@smithy/middleware-endpoint": "^4.4.20",
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/signature-v4": "^5.3.10",
-        "@smithy/smithy-client": "^4.12.0",
-        "@smithy/types": "^4.13.0",
+        "@aws-sdk/types": "^3.973.6",
+        "@aws-sdk/util-format-url": "^3.972.8",
+        "@smithy/middleware-endpoint": "^4.4.27",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/signature-v4": "^5.3.12",
+        "@smithy/smithy-client": "^4.12.7",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1355,25 +1355,25 @@
       }
     },
     "node_modules/@aws-sdk/middleware-sdk-s3": {
-      "version": "3.972.15",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-sdk-s3/-/middleware-sdk-s3-3.972.15.tgz",
-      "integrity": "sha512-WDLgssevOU5BFx1s8jA7jj6cE5HuImz28sy9jKOaVtz0AW1lYqSzotzdyiybFaBcQTs5zxXOb2pUfyMxgEKY3Q==",
+      "version": "3.972.26",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-sdk-s3/-/middleware-sdk-s3-3.972.26.tgz",
+      "integrity": "sha512-5q7UGSTtt7/KF0Os8wj2VZtlLxeWJVb0e2eDrDJlWot2EIxUNKDDMPFq/FowUqrwZ40rO2bu6BypxaKNvQhI+g==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.973.15",
-        "@aws-sdk/types": "^3.973.4",
-        "@aws-sdk/util-arn-parser": "^3.972.2",
-        "@smithy/core": "^3.23.6",
-        "@smithy/node-config-provider": "^4.3.10",
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/signature-v4": "^5.3.10",
-        "@smithy/smithy-client": "^4.12.0",
-        "@smithy/types": "^4.13.0",
-        "@smithy/util-config-provider": "^4.2.1",
-        "@smithy/util-middleware": "^4.2.10",
-        "@smithy/util-stream": "^4.5.15",
-        "@smithy/util-utf8": "^4.2.1",
+        "@aws-sdk/core": "^3.973.25",
+        "@aws-sdk/types": "^3.973.6",
+        "@aws-sdk/util-arn-parser": "^3.972.3",
+        "@smithy/core": "^3.23.12",
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/signature-v4": "^5.3.12",
+        "@smithy/smithy-client": "^4.12.7",
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-config-provider": "^4.2.2",
+        "@smithy/util-middleware": "^4.2.12",
+        "@smithy/util-stream": "^4.5.20",
+        "@smithy/util-utf8": "^4.2.2",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1381,17 +1381,17 @@
       }
     },
     "node_modules/@aws-sdk/middleware-sdk-sqs": {
-      "version": "3.972.11",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-sdk-sqs/-/middleware-sdk-sqs-3.972.11.tgz",
-      "integrity": "sha512-Y4dryR0y7wN3hBayLOVSRuP3FeTs8KbNEL4orW/hKpf4jsrneDpI2RifUQVhiyb3QkC83bpeKaOSa0waHiPvcg==",
+      "version": "3.972.17",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-sdk-sqs/-/middleware-sdk-sqs-3.972.17.tgz",
+      "integrity": "sha512-LnzPRRoDXGtlFV2G1p2rsY6fRKrbf6Pvvc21KliSLw3+NmQca2+Aa1QIMRbpQvZYedsSqkGYwxe+qvXwQ2uxDw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/types": "^3.973.4",
-        "@smithy/smithy-client": "^4.12.0",
-        "@smithy/types": "^4.13.0",
-        "@smithy/util-hex-encoding": "^4.2.1",
-        "@smithy/util-utf8": "^4.2.1",
+        "@aws-sdk/types": "^3.973.6",
+        "@smithy/smithy-client": "^4.12.7",
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-hex-encoding": "^4.2.2",
+        "@smithy/util-utf8": "^4.2.2",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1399,14 +1399,14 @@
       }
     },
     "node_modules/@aws-sdk/middleware-ssec": {
-      "version": "3.972.6",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-ssec/-/middleware-ssec-3.972.6.tgz",
-      "integrity": "sha512-acvMUX9jF4I2Ew+Z/EA6gfaFaz9ehci5wxBmXCZeulLuv8m+iGf6pY9uKz8TPjg39bdAz3hxoE0eLP8Qz+IYlA==",
+      "version": "3.972.8",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-ssec/-/middleware-ssec-3.972.8.tgz",
+      "integrity": "sha512-wqlK0yO/TxEC2UsY9wIlqeeutF6jjLe0f96Pbm40XscTo57nImUk9lBcw0dPgsm0sppFtAkSlDrfpK+pC30Wqw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/types": "^3.973.4",
-        "@smithy/types": "^4.13.0",
+        "@aws-sdk/types": "^3.973.6",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1414,18 +1414,19 @@
       }
     },
     "node_modules/@aws-sdk/middleware-user-agent": {
-      "version": "3.972.15",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-user-agent/-/middleware-user-agent-3.972.15.tgz",
-      "integrity": "sha512-ABlFVcIMmuRAwBT+8q5abAxOr7WmaINirDJBnqGY5b5jSDo00UMlg/G4a0xoAgwm6oAECeJcwkvDlxDwKf58fQ==",
+      "version": "3.972.26",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/middleware-user-agent/-/middleware-user-agent-3.972.26.tgz",
+      "integrity": "sha512-AilFIh4rI/2hKyyGN6XrB0yN96W2o7e7wyrPWCM6QjZM1mcC/pVkW3IWWRvuBWMpVP8Fg+rMpbzeLQ6dTM4gig==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.973.15",
-        "@aws-sdk/types": "^3.973.4",
-        "@aws-sdk/util-endpoints": "^3.996.3",
-        "@smithy/core": "^3.23.6",
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/types": "^4.13.0",
+        "@aws-sdk/core": "^3.973.25",
+        "@aws-sdk/types": "^3.973.6",
+        "@aws-sdk/util-endpoints": "^3.996.5",
+        "@smithy/core": "^3.23.12",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-retry": "^4.2.12",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1433,49 +1434,49 @@
       }
     },
     "node_modules/@aws-sdk/nested-clients": {
-      "version": "3.996.3",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/nested-clients/-/nested-clients-3.996.3.tgz",
-      "integrity": "sha512-AU5TY1V29xqwg/MxmA2odwysTez+ccFAhmfRJk+QZT5HNv90UTA9qKd1J9THlsQkvmH7HWTEV1lDNxkQO5PzNw==",
+      "version": "3.996.15",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/nested-clients/-/nested-clients-3.996.15.tgz",
+      "integrity": "sha512-k6WAVNkub5DrU46iPQvH1m0xc1n+0dX79+i287tYJzf5g1yU2rX3uf4xNeL5JvK1NtYgfwMnsxHqhOXFBn367A==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
-        "@aws-sdk/core": "^3.973.15",
-        "@aws-sdk/middleware-host-header": "^3.972.6",
-        "@aws-sdk/middleware-logger": "^3.972.6",
-        "@aws-sdk/middleware-recursion-detection": "^3.972.6",
-        "@aws-sdk/middleware-user-agent": "^3.972.15",
-        "@aws-sdk/region-config-resolver": "^3.972.6",
-        "@aws-sdk/types": "^3.973.4",
-        "@aws-sdk/util-endpoints": "^3.996.3",
-        "@aws-sdk/util-user-agent-browser": "^3.972.6",
-        "@aws-sdk/util-user-agent-node": "^3.973.0",
-        "@smithy/config-resolver": "^4.4.9",
-        "@smithy/core": "^3.23.6",
-        "@smithy/fetch-http-handler": "^5.3.11",
-        "@smithy/hash-node": "^4.2.10",
-        "@smithy/invalid-dependency": "^4.2.10",
-        "@smithy/middleware-content-length": "^4.2.10",
-        "@smithy/middleware-endpoint": "^4.4.20",
-        "@smithy/middleware-retry": "^4.4.37",
-        "@smithy/middleware-serde": "^4.2.11",
-        "@smithy/middleware-stack": "^4.2.10",
-        "@smithy/node-config-provider": "^4.3.10",
-        "@smithy/node-http-handler": "^4.4.12",
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/smithy-client": "^4.12.0",
-        "@smithy/types": "^4.13.0",
-        "@smithy/url-parser": "^4.2.10",
-        "@smithy/util-base64": "^4.3.1",
-        "@smithy/util-body-length-browser": "^4.2.1",
-        "@smithy/util-body-length-node": "^4.2.2",
-        "@smithy/util-defaults-mode-browser": "^4.3.36",
-        "@smithy/util-defaults-mode-node": "^4.2.39",
-        "@smithy/util-endpoints": "^3.3.1",
-        "@smithy/util-middleware": "^4.2.10",
-        "@smithy/util-retry": "^4.2.10",
-        "@smithy/util-utf8": "^4.2.1",
+        "@aws-sdk/core": "^3.973.25",
+        "@aws-sdk/middleware-host-header": "^3.972.8",
+        "@aws-sdk/middleware-logger": "^3.972.8",
+        "@aws-sdk/middleware-recursion-detection": "^3.972.9",
+        "@aws-sdk/middleware-user-agent": "^3.972.26",
+        "@aws-sdk/region-config-resolver": "^3.972.10",
+        "@aws-sdk/types": "^3.973.6",
+        "@aws-sdk/util-endpoints": "^3.996.5",
+        "@aws-sdk/util-user-agent-browser": "^3.972.8",
+        "@aws-sdk/util-user-agent-node": "^3.973.12",
+        "@smithy/config-resolver": "^4.4.13",
+        "@smithy/core": "^3.23.12",
+        "@smithy/fetch-http-handler": "^5.3.15",
+        "@smithy/hash-node": "^4.2.12",
+        "@smithy/invalid-dependency": "^4.2.12",
+        "@smithy/middleware-content-length": "^4.2.12",
+        "@smithy/middleware-endpoint": "^4.4.27",
+        "@smithy/middleware-retry": "^4.4.44",
+        "@smithy/middleware-serde": "^4.2.15",
+        "@smithy/middleware-stack": "^4.2.12",
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/node-http-handler": "^4.5.0",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/smithy-client": "^4.12.7",
+        "@smithy/types": "^4.13.1",
+        "@smithy/url-parser": "^4.2.12",
+        "@smithy/util-base64": "^4.3.2",
+        "@smithy/util-body-length-browser": "^4.2.2",
+        "@smithy/util-body-length-node": "^4.2.3",
+        "@smithy/util-defaults-mode-browser": "^4.3.43",
+        "@smithy/util-defaults-mode-node": "^4.2.47",
+        "@smithy/util-endpoints": "^3.3.3",
+        "@smithy/util-middleware": "^4.2.12",
+        "@smithy/util-retry": "^4.2.12",
+        "@smithy/util-utf8": "^4.2.2",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1483,16 +1484,16 @@
       }
     },
     "node_modules/@aws-sdk/region-config-resolver": {
-      "version": "3.972.6",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/region-config-resolver/-/region-config-resolver-3.972.6.tgz",
-      "integrity": "sha512-Aa5PusHLXAqLTX1UKDvI3pHQJtIsF7Q+3turCHqfz/1F61/zDMWfbTC8evjhrrYVAtz9Vsv3SJ/waSUeu7B6gw==",
+      "version": "3.972.10",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/region-config-resolver/-/region-config-resolver-3.972.10.tgz",
+      "integrity": "sha512-1dq9ToC6e070QvnVhhbAs3bb5r6cQ10gTVc6cyRV5uvQe7P138TV2uG2i6+Yok4bAkVAcx5AqkTEBUvWEtBlsQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/types": "^3.973.4",
-        "@smithy/config-resolver": "^4.4.9",
-        "@smithy/node-config-provider": "^4.3.10",
-        "@smithy/types": "^4.13.0",
+        "@aws-sdk/types": "^3.973.6",
+        "@smithy/config-resolver": "^4.4.13",
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1500,17 +1501,17 @@
       }
     },
     "node_modules/@aws-sdk/signature-v4-multi-region": {
-      "version": "3.996.3",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/signature-v4-multi-region/-/signature-v4-multi-region-3.996.3.tgz",
-      "integrity": "sha512-gQYI/Buwp0CAGQxY7mR5VzkP56rkWq2Y1ROkFuXh5XY94DsSjJw62B3I0N0lysQmtwiL2ht2KHI9NylM/RP4FA==",
+      "version": "3.996.14",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/signature-v4-multi-region/-/signature-v4-multi-region-3.996.14.tgz",
+      "integrity": "sha512-4nZSrBr1NO+48HCM/6BRU8mnRjuHZjcpziCvLXZk5QVftwWz5Mxqbhwdz4xf7WW88buaTB8uRO2MHklSX1m0vg==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/middleware-sdk-s3": "^3.972.15",
-        "@aws-sdk/types": "^3.973.4",
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/signature-v4": "^5.3.10",
-        "@smithy/types": "^4.13.0",
+        "@aws-sdk/middleware-sdk-s3": "^3.972.26",
+        "@aws-sdk/types": "^3.973.6",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/signature-v4": "^5.3.12",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1518,18 +1519,18 @@
       }
     },
     "node_modules/@aws-sdk/token-providers": {
-      "version": "3.999.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/token-providers/-/token-providers-3.999.0.tgz",
-      "integrity": "sha512-cx0hHUlgXULfykx4rdu/ciNAJaa3AL5xz3rieCz7NKJ68MJwlj3664Y8WR5MGgxfyYJBdamnkjNSx5Kekuc0cg==",
+      "version": "3.1018.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/token-providers/-/token-providers-3.1018.0.tgz",
+      "integrity": "sha512-97OPNJHy37wmGOX44xAcu6E9oSTiqK9uPcy/fWpmN5uB3JuEp1f6x60Xot/jp+FxwhQWIFUsVJFnm3QKqt7T6Q==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/core": "^3.973.15",
-        "@aws-sdk/nested-clients": "^3.996.3",
-        "@aws-sdk/types": "^3.973.4",
-        "@smithy/property-provider": "^4.2.10",
-        "@smithy/shared-ini-file-loader": "^4.4.5",
-        "@smithy/types": "^4.13.0",
+        "@aws-sdk/core": "^3.973.25",
+        "@aws-sdk/nested-clients": "^3.996.15",
+        "@aws-sdk/types": "^3.973.6",
+        "@smithy/property-provider": "^4.2.12",
+        "@smithy/shared-ini-file-loader": "^4.4.7",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1537,13 +1538,13 @@
       }
     },
     "node_modules/@aws-sdk/types": {
-      "version": "3.973.4",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/types/-/types-3.973.4.tgz",
-      "integrity": "sha512-RW60aH26Bsc016Y9B98hC0Plx6fK5P2v/iQYwMzrSjiDh1qRMUCP6KrXHYEHe3uFvKiOC93Z9zk4BJsUi6Tj1Q==",
+      "version": "3.973.6",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/types/-/types-3.973.6.tgz",
+      "integrity": "sha512-Atfcy4E++beKtwJHiDln2Nby8W/mam64opFPTiHEqgsthqeydFS1pY+OUlN1ouNOmf8ArPU/6cDS65anOP3KQw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.13.0",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1551,9 +1552,9 @@
       }
     },
     "node_modules/@aws-sdk/util-arn-parser": {
-      "version": "3.972.2",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/util-arn-parser/-/util-arn-parser-3.972.2.tgz",
-      "integrity": "sha512-VkykWbqMjlSgBFDyrY3nOSqupMc6ivXuGmvci6Q3NnLq5kC+mKQe2QBZ4nrWRE/jqOxeFP2uYzLtwncYYcvQDg==",
+      "version": "3.972.3",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/util-arn-parser/-/util-arn-parser-3.972.3.tgz",
+      "integrity": "sha512-HzSD8PMFrvgi2Kserxuff5VitNq2sgf3w9qxmskKDiDTThWfVteJxuCS9JXiPIPtmCrp+7N9asfIaVhBFORllA==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -1564,16 +1565,16 @@
       }
     },
     "node_modules/@aws-sdk/util-endpoints": {
-      "version": "3.996.3",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/util-endpoints/-/util-endpoints-3.996.3.tgz",
-      "integrity": "sha512-yWIQSNiCjykLL+ezN5A+DfBb1gfXTytBxm57e64lYmwxDHNmInYHRJYYRAGWG1o77vKEiWaw4ui28e3yb1k5aQ==",
+      "version": "3.996.5",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/util-endpoints/-/util-endpoints-3.996.5.tgz",
+      "integrity": "sha512-Uh93L5sXFNbyR5sEPMzUU8tJ++Ku97EY4udmC01nB8Zu+xfBPwpIwJ6F7snqQeq8h2pf+8SGN5/NoytfKgYPIw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/types": "^3.973.4",
-        "@smithy/types": "^4.13.0",
-        "@smithy/url-parser": "^4.2.10",
-        "@smithy/util-endpoints": "^3.3.1",
+        "@aws-sdk/types": "^3.973.6",
+        "@smithy/types": "^4.13.1",
+        "@smithy/url-parser": "^4.2.12",
+        "@smithy/util-endpoints": "^3.3.3",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1581,15 +1582,15 @@
       }
     },
     "node_modules/@aws-sdk/util-format-url": {
-      "version": "3.972.6",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/util-format-url/-/util-format-url-3.972.6.tgz",
-      "integrity": "sha512-0YNVNgFyziCejXJx0rzxPiD2rkxTWco4c9wiMF6n37Tb9aQvIF8+t7GyEyIFCwQHZ0VMQaAl+nCZHOYz5I5EKw==",
+      "version": "3.972.8",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/util-format-url/-/util-format-url-3.972.8.tgz",
+      "integrity": "sha512-J6DS9oocrgxM8xlUTTmQOuwRF6rnAGEujAN9SAzllcrQmwn5iJ58ogxy3SEhD0Q7JZvlA5jvIXBkpQRqEqlE9A==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/types": "^3.973.4",
-        "@smithy/querystring-builder": "^4.2.10",
-        "@smithy/types": "^4.13.0",
+        "@aws-sdk/types": "^3.973.6",
+        "@smithy/querystring-builder": "^4.2.12",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1597,9 +1598,9 @@
       }
     },
     "node_modules/@aws-sdk/util-locate-window": {
-      "version": "3.965.4",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/util-locate-window/-/util-locate-window-3.965.4.tgz",
-      "integrity": "sha512-H1onv5SkgPBK2P6JR2MjGgbOnttoNzSPIRoeZTNPZYyaplwGg50zS3amXvXqF0/qfXpWEC9rLWU564QTB9bSog==",
+      "version": "3.965.5",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/util-locate-window/-/util-locate-window-3.965.5.tgz",
+      "integrity": "sha512-WhlJNNINQB+9qtLtZJcpQdgZw3SCDCpXdUJP7cToGwHbCWCnRckGlc6Bx/OhWwIYFNAn+FIydY8SZ0QmVu3xTQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -1610,29 +1611,30 @@
       }
     },
     "node_modules/@aws-sdk/util-user-agent-browser": {
-      "version": "3.972.6",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/util-user-agent-browser/-/util-user-agent-browser-3.972.6.tgz",
-      "integrity": "sha512-Fwr/llD6GOrFgQnKaI2glhohdGuBDfHfora6iG9qsBBBR8xv1SdCSwbtf5CWlUdCw5X7g76G/9Hf0Inh0EmoxA==",
+      "version": "3.972.8",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/util-user-agent-browser/-/util-user-agent-browser-3.972.8.tgz",
+      "integrity": "sha512-B3KGXJviV2u6Cdw2SDY2aDhoJkVfY/Q/Trwk2CMSkikE1Oi6gRzxhvhIfiRpHfmIsAhV4EA54TVEX8K6CbHbkA==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/types": "^3.973.4",
-        "@smithy/types": "^4.13.0",
+        "@aws-sdk/types": "^3.973.6",
+        "@smithy/types": "^4.13.1",
         "bowser": "^2.11.0",
         "tslib": "^2.6.2"
       }
     },
     "node_modules/@aws-sdk/util-user-agent-node": {
-      "version": "3.973.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/util-user-agent-node/-/util-user-agent-node-3.973.0.tgz",
-      "integrity": "sha512-A9J2G4Nf236e9GpaC1JnA8wRn6u6GjnOXiTwBLA6NUJhlBTIGfrTy+K1IazmF8y+4OFdW3O5TZlhyspJMqiqjA==",
+      "version": "3.973.12",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/util-user-agent-node/-/util-user-agent-node-3.973.12.tgz",
+      "integrity": "sha512-8phW0TS8ntENJgDcFewYT/Q8dOmarpvSxEjATu2GUBAutiHr++oEGCiBUwxslCMNvwW2cAPZNT53S/ym8zm/gg==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@aws-sdk/middleware-user-agent": "^3.972.15",
-        "@aws-sdk/types": "^3.973.4",
-        "@smithy/node-config-provider": "^4.3.10",
-        "@smithy/types": "^4.13.0",
+        "@aws-sdk/middleware-user-agent": "^3.972.26",
+        "@aws-sdk/types": "^3.973.6",
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-config-provider": "^4.2.2",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1648,9 +1650,9 @@
       }
     },
     "node_modules/@aws-sdk/xml-builder": {
-      "version": "3.972.15",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/xml-builder/-/xml-builder-3.972.15.tgz",
-      "integrity": "sha512-PxMRlCFNiQnke9YR29vjFQwz4jq+6Q04rOVFeTDR2K7Qpv9h9FOWOxG+zJjageimYbWqE3bTuLjmryWHAWbvaA==",
+      "version": "3.972.16",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/xml-builder/-/xml-builder-3.972.16.tgz",
+      "integrity": "sha512-iu2pyvaqmeatIJLURLqx9D+4jKAdTH20ntzB6BFwjyN7V960r4jK32mx0Zf7YbtOYAbmbtQfDNuL60ONinyw7A==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -1663,9 +1665,9 @@
       }
     },
     "node_modules/@aws/lambda-invoke-store": {
-      "version": "0.2.3",
-      "resolved": "https://registry.npmjs.org/@aws/lambda-invoke-store/-/lambda-invoke-store-0.2.3.tgz",
-      "integrity": "sha512-oLvsaPMTBejkkmHhjf09xTgk71mOqyr/409NKhRIL08If7AhVfUsJhVsx386uJaqNd42v9kWamQ9lFbkoC2dYw==",
+      "version": "0.2.4",
+      "resolved": "https://registry.npmjs.org/@aws/lambda-invoke-store/-/lambda-invoke-store-0.2.4.tgz",
+      "integrity": "sha512-iY8yvjE0y651BixKNPgmv1WrQc+GZ142sb0z4gYnChDDY2YqI4P/jsSopBWrKfAt7LOJAkOXt7rC/hms+WclQQ==",
       "dev": true,
       "license": "Apache-2.0",
       "engines": {
@@ -1837,9 +1839,9 @@
       }
     },
     "node_modules/@azure/core-rest-pipeline": {
-      "version": "1.22.2",
-      "resolved": "https://registry.npmjs.org/@azure/core-rest-pipeline/-/core-rest-pipeline-1.22.2.tgz",
-      "integrity": "sha512-MzHym+wOi8CLUlKCQu12de0nwcq9k9Kuv43j4Wa++CsCpJwps2eeBQwD2Bu8snkxTtDKDx4GwjuR9E8yC8LNrg==",
+      "version": "1.23.0",
+      "resolved": "https://registry.npmjs.org/@azure/core-rest-pipeline/-/core-rest-pipeline-1.23.0.tgz",
+      "integrity": "sha512-Evs1INHo+jUjwHi1T6SG6Ua/LHOQBCLuKEEE6efIpt4ZOoNonaT1kP32GoOcdNDbfqsD2445CPri3MubBy5DEQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -1848,7 +1850,7 @@
         "@azure/core-tracing": "^1.3.0",
         "@azure/core-util": "^1.13.0",
         "@azure/logger": "^1.3.0",
-        "@typespec/ts-http-runtime": "^0.3.0",
+        "@typespec/ts-http-runtime": "^0.3.4",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -1924,9 +1926,9 @@
       }
     },
     "node_modules/@azure/identity": {
-      "version": "4.13.0",
-      "resolved": "https://registry.npmjs.org/@azure/identity/-/identity-4.13.0.tgz",
-      "integrity": "sha512-uWC0fssc+hs1TGGVkkghiaFkkS7NkTxfnCH+Hdg+yTehTpMcehpok4PgUKKdyCH+9ldu6FhiHRv84Ntqj1vVcw==",
+      "version": "4.13.1",
+      "resolved": "https://registry.npmjs.org/@azure/identity/-/identity-4.13.1.tgz",
+      "integrity": "sha512-5C/2WD5Vb1lHnZS16dNQRPMjN6oV/Upba+C9nBIs15PmOi6A3ZGs4Lr2u60zw4S04gi+u3cEXiqTVP7M4Pz3kw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -1937,8 +1939,8 @@
         "@azure/core-tracing": "^1.0.0",
         "@azure/core-util": "^1.11.0",
         "@azure/logger": "^1.0.0",
-        "@azure/msal-browser": "^4.2.0",
-        "@azure/msal-node": "^3.5.0",
+        "@azure/msal-browser": "^5.5.0",
+        "@azure/msal-node": "^5.1.0",
         "open": "^10.1.0",
         "tslib": "^2.2.0"
       },
@@ -1974,22 +1976,22 @@
       }
     },
     "node_modules/@azure/msal-browser": {
-      "version": "4.29.0",
-      "resolved": "https://registry.npmjs.org/@azure/msal-browser/-/msal-browser-4.29.0.tgz",
-      "integrity": "sha512-/f3eHkSNUTl6DLQHm+bKecjBKcRQxbd/XLx8lvSYp8Nl/HRyPuIPOijt9Dt0sH50/SxOwQ62RnFCmFlGK+bR/w==",
+      "version": "5.6.1",
+      "resolved": "https://registry.npmjs.org/@azure/msal-browser/-/msal-browser-5.6.1.tgz",
+      "integrity": "sha512-Ylmp8yngH7YRLV5mA1aF4CNS6WsJTPbVXaA0Tb1x1Gv/J3BM3hE4Q7nDaf7dRfU00FcxDBBudTjqlpH74ZSsgw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@azure/msal-common": "15.15.0"
+        "@azure/msal-common": "16.4.0"
       },
       "engines": {
         "node": ">=0.8.0"
       }
     },
     "node_modules/@azure/msal-common": {
-      "version": "15.15.0",
-      "resolved": "https://registry.npmjs.org/@azure/msal-common/-/msal-common-15.15.0.tgz",
-      "integrity": "sha512-/n+bN0AKlVa+AOcETkJSKj38+bvFs78BaP4rNtv3MJCmPH0YrHiskMRe74OhyZ5DZjGISlFyxqvf9/4QVEi2tw==",
+      "version": "16.4.0",
+      "resolved": "https://registry.npmjs.org/@azure/msal-common/-/msal-common-16.4.0.tgz",
+      "integrity": "sha512-twXt09PYtj1PffNNIAzQlrBd0DS91cdA6i1gAfzJ6BnPM4xNk5k9q/5xna7jLIjU3Jnp0slKYtucshGM8OGNAw==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -1997,18 +1999,18 @@
       }
     },
     "node_modules/@azure/msal-node": {
-      "version": "3.8.8",
-      "resolved": "https://registry.npmjs.org/@azure/msal-node/-/msal-node-3.8.8.tgz",
-      "integrity": "sha512-+f1VrJH1iI517t4zgmuhqORja0bL6LDQXfBqkjuMmfTYXTQQnh1EvwwxO3UbKLT05N0obF72SRHFrC1RBDv5Gg==",
+      "version": "5.1.1",
+      "resolved": "https://registry.npmjs.org/@azure/msal-node/-/msal-node-5.1.1.tgz",
+      "integrity": "sha512-71grXU6+5hl+3CL3joOxlj/AW6rmhthuTlG0fRqsTrhPArQBpZuUFzCIlKOGdcafLUa/i1hBdV78ZxJdlvRA+g==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@azure/msal-common": "15.15.0",
+        "@azure/msal-common": "16.4.0",
         "jsonwebtoken": "^9.0.0",
         "uuid": "^8.3.0"
       },
       "engines": {
-        "node": ">=16"
+        "node": ">=20"
       }
     },
     "node_modules/@azure/msal-node/node_modules/uuid": {
@@ -2165,9 +2167,9 @@
       }
     },
     "node_modules/@babel/parser": {
-      "version": "7.29.0",
-      "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.0.tgz",
-      "integrity": "sha512-IyDgFV5GeDUVX4YdF/3CPULtVGSXXMLh1xVIgdCgxApktqnQV0r7/8Nqthg+8YLGaAtdyIlo2qIdZrbCv4+7ww==",
+      "version": "7.29.2",
+      "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.2.tgz",
+      "integrity": "sha512-4GgRzy/+fsBa72/RZVJmGKPmZu9Byn8o4MoLpmNe1m8ZfYnz5emHLQz3U4gLud6Zwl0RZIcgiLD7Uq7ySFuDLA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -2416,9 +2418,9 @@
       "license": "MIT"
     },
     "node_modules/@datadog/datadog-api-client": {
-      "version": "1.52.0",
-      "resolved": "https://registry.npmjs.org/@datadog/datadog-api-client/-/datadog-api-client-1.52.0.tgz",
-      "integrity": "sha512-CtaaA9cEB7jFebIFDqL2SlYJM1SdDVJWPExsX9aEMIjnwSR2aogL988Aouc/2WHkTXxsvvKGlT2ZpMrDq/LHdQ==",
+      "version": "1.53.0",
+      "resolved": "https://registry.npmjs.org/@datadog/datadog-api-client/-/datadog-api-client-1.53.0.tgz",
+      "integrity": "sha512-QLqTtVETsa2GN/YabSnSNhCfJP/cMaQRr3mYML9L76mH6JoNWERUpXzIko6uVmvvYS+QYvbmj8gQSu/RGwZEVQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -2450,9 +2452,9 @@
       }
     },
     "node_modules/@dotenvx/dotenvx": {
-      "version": "1.55.1",
-      "resolved": "https://registry.npmjs.org/@dotenvx/dotenvx/-/dotenvx-1.55.1.tgz",
-      "integrity": "sha512-WEuKyoe9CA7dfcFBnNbL0ndbCNcptaEYBygfFo9X1qEG+HD7xku4CYIplw6sbAHJavesZWbVBHeRSpvri0eKqw==",
+      "version": "1.57.1",
+      "resolved": "https://registry.npmjs.org/@dotenvx/dotenvx/-/dotenvx-1.57.1.tgz",
+      "integrity": "sha512-iKXuo8Nes9Ft4zF3AZOT4FHkl6OV8bHqn61a67qHokkBzSEurnKZAlOkT0FYrRNVGvE6nCfZMtYswyjfXCR1MQ==",
       "dev": true,
       "license": "BSD-3-Clause",
       "dependencies": {
@@ -3050,9 +3052,9 @@
       }
     },
     "node_modules/@oclif/core": {
-      "version": "4.8.2",
-      "resolved": "https://registry.npmjs.org/@oclif/core/-/core-4.8.2.tgz",
-      "integrity": "sha512-P+XAOtuWM/Fewau64c31bYUiLFJTzhth229xVbBrG1siLc7+2uezUYhP5eWn/++nZPZ/wChSqYgQNN4HPw/ZHQ==",
+      "version": "4.10.3",
+      "resolved": "https://registry.npmjs.org/@oclif/core/-/core-4.10.3.tgz",
+      "integrity": "sha512-0mD8vcrrX5uRsxzvI8tbWmSVGngvZA/Qo6O0ZGvLPAWEauSf5GFniwgirhY0SkszuHwu0S1J1ivj/jHmqtIDuA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -3080,9 +3082,9 @@
       }
     },
     "node_modules/@oclif/plugin-help": {
-      "version": "6.2.37",
-      "resolved": "https://registry.npmjs.org/@oclif/plugin-help/-/plugin-help-6.2.37.tgz",
-      "integrity": "sha512-5N/X/FzlJaYfpaHwDC0YHzOzKDWa41s9t+4FpCDu4f9OMReds4JeNBaaWk9rlIzdKjh2M6AC5Q18ORfECRkHGA==",
+      "version": "6.2.40",
+      "resolved": "https://registry.npmjs.org/@oclif/plugin-help/-/plugin-help-6.2.40.tgz",
+      "integrity": "sha512-sU/PMrz1LnnnNk4T3qvZU8dTUiSc0MZaL7woh2wfuNSXbCnxicJzx4kX1sYeY6eF0NmqFiYlpNEQJykBG0g1sA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -3093,14 +3095,14 @@
       }
     },
     "node_modules/@oclif/plugin-not-found": {
-      "version": "3.2.74",
-      "resolved": "https://registry.npmjs.org/@oclif/plugin-not-found/-/plugin-not-found-3.2.74.tgz",
-      "integrity": "sha512-6RD/EuIUGxAYR45nMQg+nw+PqwCXUxkR6Eyn+1fvbVjtb9d+60OPwB77LCRUI4zKNI+n0LOFaMniEdSpb+A7kQ==",
+      "version": "3.2.77",
+      "resolved": "https://registry.npmjs.org/@oclif/plugin-not-found/-/plugin-not-found-3.2.77.tgz",
+      "integrity": "sha512-bU9lpYYk8aTafGFbsEoj88KLqJGFcY2w84abcuAUHsGgwpGA/G67Z3DwzaSkfuH6HZ58orC3ueEKGCMpF5nUDQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@inquirer/prompts": "^7.10.1",
-        "@oclif/core": "^4.8.0",
+        "@oclif/core": "^4.10.2",
         "ansis": "^3.17.0",
         "fast-levenshtein": "^3.0.0"
       },
@@ -4270,53 +4272,6 @@
         "node": ">=18"
       }
     },
-    "node_modules/@playwright/test/node_modules/fsevents": {
-      "version": "2.3.2",
-      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz",
-      "integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==",
-      "dev": true,
-      "hasInstallScript": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "darwin"
-      ],
-      "engines": {
-        "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
-      }
-    },
-    "node_modules/@playwright/test/node_modules/playwright": {
-      "version": "1.58.2",
-      "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.58.2.tgz",
-      "integrity": "sha512-vA30H8Nvkq/cPBnNw4Q8TWz1EJyqgpuinBcHET0YVJVFldr8JDNiU9LaWAE1KqSkRYazuaBhTpB5ZzShOezQ6A==",
-      "dev": true,
-      "license": "Apache-2.0",
-      "dependencies": {
-        "playwright-core": "1.58.2"
-      },
-      "bin": {
-        "playwright": "cli.js"
-      },
-      "engines": {
-        "node": ">=18"
-      },
-      "optionalDependencies": {
-        "fsevents": "2.3.2"
-      }
-    },
-    "node_modules/@playwright/test/node_modules/playwright-core": {
-      "version": "1.58.2",
-      "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.58.2.tgz",
-      "integrity": "sha512-yZkEtftgwS8CsfYo7nm0KE8jsvm6i/PTgVtB8DL726wNf6H2IMsDuxCpJj59KDaxCtSnrWan2AeDqM7JBaultg==",
-      "dev": true,
-      "license": "Apache-2.0",
-      "bin": {
-        "playwright-core": "cli.js"
-      },
-      "engines": {
-        "node": ">=18"
-      }
-    },
     "node_modules/@protobufjs/aspromise": {
       "version": "1.1.2",
       "resolved": "https://registry.npmjs.org/@protobufjs/aspromise/-/aspromise-1.1.2.tgz",
@@ -4429,13 +4384,13 @@
       }
     },
     "node_modules/@smithy/abort-controller": {
-      "version": "4.2.10",
-      "resolved": "https://registry.npmjs.org/@smithy/abort-controller/-/abort-controller-4.2.10.tgz",
-      "integrity": "sha512-qocxM/X4XGATqQtUkbE9SPUB6wekBi+FyJOMbPj0AhvyvFGYEmOlz6VB22iMePCQsFmMIvFSeViDvA7mZJG47g==",
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/abort-controller/-/abort-controller-4.2.12.tgz",
+      "integrity": "sha512-xolrFw6b+2iYGl6EcOL7IJY71vvyZ0DJ3mcKtpykqPe2uscwtzDZJa1uVQXyP7w9Dd+kGwYnPbMsJrGISKiY/Q==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.13.0",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4443,9 +4398,9 @@
       }
     },
     "node_modules/@smithy/chunked-blob-reader": {
-      "version": "5.2.1",
-      "resolved": "https://registry.npmjs.org/@smithy/chunked-blob-reader/-/chunked-blob-reader-5.2.1.tgz",
-      "integrity": "sha512-y5d4xRiD6TzeP5BWlb+Ig/VFqF+t9oANNhGeMqyzU7obw7FYgTgVi50i5JqBTeKp+TABeDIeeXFZdz65RipNtA==",
+      "version": "5.2.2",
+      "resolved": "https://registry.npmjs.org/@smithy/chunked-blob-reader/-/chunked-blob-reader-5.2.2.tgz",
+      "integrity": "sha512-St+kVicSyayWQca+I1rGitaOEH6uKgE8IUWoYnnEX26SWdWQcL6LvMSD19Lg+vYHKdT9B2Zuu7rd3i6Wnyb/iw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -4456,13 +4411,13 @@
       }
     },
     "node_modules/@smithy/chunked-blob-reader-native": {
-      "version": "4.2.2",
-      "resolved": "https://registry.npmjs.org/@smithy/chunked-blob-reader-native/-/chunked-blob-reader-native-4.2.2.tgz",
-      "integrity": "sha512-QzzYIlf4yg0w5TQaC9VId3B3ugSk1MI/wb7tgcHtd7CBV9gNRKZrhc2EPSxSZuDy10zUZ0lomNMgkc6/VVe8xg==",
+      "version": "4.2.3",
+      "resolved": "https://registry.npmjs.org/@smithy/chunked-blob-reader-native/-/chunked-blob-reader-native-4.2.3.tgz",
+      "integrity": "sha512-jA5k5Udn7Y5717L86h4EIv06wIr3xn8GM1qHRi/Nf31annXcXHJjBKvgztnbn2TxH3xWrPBfgwHsOwZf0UmQWw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/util-base64": "^4.3.1",
+        "@smithy/util-base64": "^4.3.2",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4470,17 +4425,17 @@
       }
     },
     "node_modules/@smithy/config-resolver": {
-      "version": "4.4.9",
-      "resolved": "https://registry.npmjs.org/@smithy/config-resolver/-/config-resolver-4.4.9.tgz",
-      "integrity": "sha512-ejQvXqlcU30h7liR9fXtj7PIAau1t/sFbJpgWPfiYDs7zd16jpH0IsSXKcba2jF6ChTXvIjACs27kNMc5xxE2Q==",
+      "version": "4.4.13",
+      "resolved": "https://registry.npmjs.org/@smithy/config-resolver/-/config-resolver-4.4.13.tgz",
+      "integrity": "sha512-iIzMC5NmOUP6WL6o8iPBjFhUhBZ9pPjpUpQYWMUFQqKyXXzOftbfK8zcQCz/jFV1Psmf05BK5ypx4K2r4Tnwdg==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/node-config-provider": "^4.3.10",
-        "@smithy/types": "^4.13.0",
-        "@smithy/util-config-provider": "^4.2.1",
-        "@smithy/util-endpoints": "^3.3.1",
-        "@smithy/util-middleware": "^4.2.10",
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-config-provider": "^4.2.2",
+        "@smithy/util-endpoints": "^3.3.3",
+        "@smithy/util-middleware": "^4.2.12",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4488,21 +4443,21 @@
       }
     },
     "node_modules/@smithy/core": {
-      "version": "3.23.6",
-      "resolved": "https://registry.npmjs.org/@smithy/core/-/core-3.23.6.tgz",
-      "integrity": "sha512-4xE+0L2NrsFKpEVFlFELkIHQddBvMbQ41LRIP74dGCXnY1zQ9DgksrBcRBDJT+iOzGy4VEJIeU3hkUK5mn06kg==",
+      "version": "3.23.12",
+      "resolved": "https://registry.npmjs.org/@smithy/core/-/core-3.23.12.tgz",
+      "integrity": "sha512-o9VycsYNtgC+Dy3I0yrwCqv9CWicDnke0L7EVOrZtJpjb2t0EjaEofmMrYc0T1Kn3yk32zm6cspxF9u9Bj7e5w==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/middleware-serde": "^4.2.11",
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/types": "^4.13.0",
-        "@smithy/util-base64": "^4.3.1",
-        "@smithy/util-body-length-browser": "^4.2.1",
-        "@smithy/util-middleware": "^4.2.10",
-        "@smithy/util-stream": "^4.5.15",
-        "@smithy/util-utf8": "^4.2.1",
-        "@smithy/uuid": "^1.1.1",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/types": "^4.13.1",
+        "@smithy/url-parser": "^4.2.12",
+        "@smithy/util-base64": "^4.3.2",
+        "@smithy/util-body-length-browser": "^4.2.2",
+        "@smithy/util-middleware": "^4.2.12",
+        "@smithy/util-stream": "^4.5.20",
+        "@smithy/util-utf8": "^4.2.2",
+        "@smithy/uuid": "^1.1.2",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4510,16 +4465,16 @@
       }
     },
     "node_modules/@smithy/credential-provider-imds": {
-      "version": "4.2.10",
-      "resolved": "https://registry.npmjs.org/@smithy/credential-provider-imds/-/credential-provider-imds-4.2.10.tgz",
-      "integrity": "sha512-3bsMLJJLTZGZqVGGeBVFfLzuRulVsGTj12BzRKODTHqUABpIr0jMN1vN3+u6r2OfyhAQ2pXaMZWX/swBK5I6PQ==",
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/credential-provider-imds/-/credential-provider-imds-4.2.12.tgz",
+      "integrity": "sha512-cr2lR792vNZcYMriSIj+Um3x9KWrjcu98kn234xA6reOAFMmbRpQMOv8KPgEmLLtx3eldU6c5wALKFqNOhugmg==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/node-config-provider": "^4.3.10",
-        "@smithy/property-provider": "^4.2.10",
-        "@smithy/types": "^4.13.0",
-        "@smithy/url-parser": "^4.2.10",
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/property-provider": "^4.2.12",
+        "@smithy/types": "^4.13.1",
+        "@smithy/url-parser": "^4.2.12",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4527,15 +4482,15 @@
       }
     },
     "node_modules/@smithy/eventstream-codec": {
-      "version": "4.2.10",
-      "resolved": "https://registry.npmjs.org/@smithy/eventstream-codec/-/eventstream-codec-4.2.10.tgz",
-      "integrity": "sha512-A4ynrsFFfSXUHicfTcRehytppFBcY3HQxEGYiyGktPIOye3Ot7fxpiy4VR42WmtGI4Wfo6OXt/c1Ky1nUFxYYQ==",
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/eventstream-codec/-/eventstream-codec-4.2.12.tgz",
+      "integrity": "sha512-FE3bZdEl62ojmy8x4FHqxq2+BuOHlcxiH5vaZ6aqHJr3AIZzwF5jfx8dEiU/X0a8RboyNDjmXjlbr8AdEyLgiA==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/crc32": "5.2.0",
-        "@smithy/types": "^4.13.0",
-        "@smithy/util-hex-encoding": "^4.2.1",
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-hex-encoding": "^4.2.2",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4543,14 +4498,14 @@
       }
     },
     "node_modules/@smithy/eventstream-serde-browser": {
-      "version": "4.2.10",
-      "resolved": "https://registry.npmjs.org/@smithy/eventstream-serde-browser/-/eventstream-serde-browser-4.2.10.tgz",
-      "integrity": "sha512-0xupsu9yj9oDVuQ50YCTS9nuSYhGlrwqdaKQel9y2Fz7LU9fNErVlw9N0o4pm4qqvWEGbSTI4HKc6XJfB30MVw==",
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/eventstream-serde-browser/-/eventstream-serde-browser-4.2.12.tgz",
+      "integrity": "sha512-XUSuMxlTxV5pp4VpqZf6Sa3vT/Q75FVkLSpSSE3KkWBvAQWeuWt1msTv8fJfgA4/jcJhrbrbMzN1AC/hvPmm5A==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/eventstream-serde-universal": "^4.2.10",
-        "@smithy/types": "^4.13.0",
+        "@smithy/eventstream-serde-universal": "^4.2.12",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4558,13 +4513,13 @@
       }
     },
     "node_modules/@smithy/eventstream-serde-config-resolver": {
-      "version": "4.3.10",
-      "resolved": "https://registry.npmjs.org/@smithy/eventstream-serde-config-resolver/-/eventstream-serde-config-resolver-4.3.10.tgz",
-      "integrity": "sha512-8kn6sinrduk0yaYHMJDsNuiFpXwQwibR7n/4CDUqn4UgaG+SeBHu5jHGFdU9BLFAM7Q4/gvr9RYxBHz9/jKrhA==",
+      "version": "4.3.12",
+      "resolved": "https://registry.npmjs.org/@smithy/eventstream-serde-config-resolver/-/eventstream-serde-config-resolver-4.3.12.tgz",
+      "integrity": "sha512-7epsAZ3QvfHkngz6RXQYseyZYHlmWXSTPOfPmXkiS+zA6TBNo1awUaMFL9vxyXlGdoELmCZyZe1nQE+imbmV+Q==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.13.0",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4572,14 +4527,14 @@
       }
     },
     "node_modules/@smithy/eventstream-serde-node": {
-      "version": "4.2.10",
-      "resolved": "https://registry.npmjs.org/@smithy/eventstream-serde-node/-/eventstream-serde-node-4.2.10.tgz",
-      "integrity": "sha512-uUrxPGgIffnYfvIOUmBM5i+USdEBRTdh7mLPttjphgtooxQ8CtdO1p6K5+Q4BBAZvKlvtJ9jWyrWpBJYzBKsyQ==",
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/eventstream-serde-node/-/eventstream-serde-node-4.2.12.tgz",
+      "integrity": "sha512-D1pFuExo31854eAvg89KMn9Oab/wEeJR6Buy32B49A9Ogdtx5fwZPqBHUlDzaCDpycTFk2+fSQgX689Qsk7UGA==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/eventstream-serde-universal": "^4.2.10",
-        "@smithy/types": "^4.13.0",
+        "@smithy/eventstream-serde-universal": "^4.2.12",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4587,14 +4542,14 @@
       }
     },
     "node_modules/@smithy/eventstream-serde-universal": {
-      "version": "4.2.10",
-      "resolved": "https://registry.npmjs.org/@smithy/eventstream-serde-universal/-/eventstream-serde-universal-4.2.10.tgz",
-      "integrity": "sha512-aArqzOEvcs2dK+xQVCgLbpJQGfZihw8SD4ymhkwNTtwKbnrzdhJsFDKuMQnam2kF69WzgJYOU5eJlCx+CA32bw==",
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/eventstream-serde-universal/-/eventstream-serde-universal-4.2.12.tgz",
+      "integrity": "sha512-+yNuTiyBACxOJUTvbsNsSOfH9G9oKbaJE1lNL3YHpGcuucl6rPZMi3nrpehpVOVR2E07YqFFmtwpImtpzlouHQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/eventstream-codec": "^4.2.10",
-        "@smithy/types": "^4.13.0",
+        "@smithy/eventstream-codec": "^4.2.12",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4602,16 +4557,16 @@
       }
     },
     "node_modules/@smithy/fetch-http-handler": {
-      "version": "5.3.11",
-      "resolved": "https://registry.npmjs.org/@smithy/fetch-http-handler/-/fetch-http-handler-5.3.11.tgz",
-      "integrity": "sha512-wbTRjOxdFuyEg0CpumjZO0hkUl+fetJFqxNROepuLIoijQh51aMBmzFLfoQdwRjxsuuS2jizzIUTjPWgd8pd7g==",
+      "version": "5.3.15",
+      "resolved": "https://registry.npmjs.org/@smithy/fetch-http-handler/-/fetch-http-handler-5.3.15.tgz",
+      "integrity": "sha512-T4jFU5N/yiIfrtrsb9uOQn7RdELdM/7HbyLNr6uO/mpkj1ctiVs7CihVr51w4LyQlXWDpXFn4BElf1WmQvZu/A==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/querystring-builder": "^4.2.10",
-        "@smithy/types": "^4.13.0",
-        "@smithy/util-base64": "^4.3.1",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/querystring-builder": "^4.2.12",
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-base64": "^4.3.2",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4619,15 +4574,15 @@
       }
     },
     "node_modules/@smithy/hash-blob-browser": {
-      "version": "4.2.11",
-      "resolved": "https://registry.npmjs.org/@smithy/hash-blob-browser/-/hash-blob-browser-4.2.11.tgz",
-      "integrity": "sha512-DrcAx3PM6AEbWZxsKl6CWAGnVwiz28Wp1ZhNu+Hi4uI/6C1PIZBIaPM2VoqBDAsOWbM6ZVzOEQMxFLLdmb4eBQ==",
+      "version": "4.2.13",
+      "resolved": "https://registry.npmjs.org/@smithy/hash-blob-browser/-/hash-blob-browser-4.2.13.tgz",
+      "integrity": "sha512-YrF4zWKh+ghLuquldj6e/RzE3xZYL8wIPfkt0MqCRphVICjyyjH8OwKD7LLlKpVEbk4FLizFfC1+gwK6XQdR3g==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/chunked-blob-reader": "^5.2.1",
-        "@smithy/chunked-blob-reader-native": "^4.2.2",
-        "@smithy/types": "^4.13.0",
+        "@smithy/chunked-blob-reader": "^5.2.2",
+        "@smithy/chunked-blob-reader-native": "^4.2.3",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4635,15 +4590,15 @@
       }
     },
     "node_modules/@smithy/hash-node": {
-      "version": "4.2.10",
-      "resolved": "https://registry.npmjs.org/@smithy/hash-node/-/hash-node-4.2.10.tgz",
-      "integrity": "sha512-1VzIOI5CcsvMDvP3iv1vG/RfLJVVVc67dCRyLSB2Hn9SWCZrDO3zvcIzj3BfEtqRW5kcMg5KAeVf1K3dR6nD3w==",
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/hash-node/-/hash-node-4.2.12.tgz",
+      "integrity": "sha512-QhBYbGrbxTkZ43QoTPrK72DoYviDeg6YKDrHTMJbbC+A0sml3kSjzFtXP7BtbyJnXojLfTQldGdUR0RGD8dA3w==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.13.0",
-        "@smithy/util-buffer-from": "^4.2.1",
-        "@smithy/util-utf8": "^4.2.1",
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-buffer-from": "^4.2.2",
+        "@smithy/util-utf8": "^4.2.2",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4651,14 +4606,14 @@
       }
     },
     "node_modules/@smithy/hash-stream-node": {
-      "version": "4.2.10",
-      "resolved": "https://registry.npmjs.org/@smithy/hash-stream-node/-/hash-stream-node-4.2.10.tgz",
-      "integrity": "sha512-w78xsYrOlwXKwN5tv1GnKIRbHb1HygSpeZMP6xDxCPGf1U/xDHjCpJu64c5T35UKyEPwa0bPeIcvU69VY3khUA==",
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/hash-stream-node/-/hash-stream-node-4.2.12.tgz",
+      "integrity": "sha512-O3YbmGExeafuM/kP7Y8r6+1y0hIh3/zn6GROx0uNlB54K9oihAL75Qtc+jFfLNliTi6pxOAYZrRKD9A7iA6UFw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.13.0",
-        "@smithy/util-utf8": "^4.2.1",
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-utf8": "^4.2.2",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4666,13 +4621,13 @@
       }
     },
     "node_modules/@smithy/invalid-dependency": {
-      "version": "4.2.10",
-      "resolved": "https://registry.npmjs.org/@smithy/invalid-dependency/-/invalid-dependency-4.2.10.tgz",
-      "integrity": "sha512-vy9KPNSFUU0ajFYk0sDZIYiUlAWGEAhRfehIr5ZkdFrRFTAuXEPUd41USuqHU6vvLX4r6Q9X7MKBco5+Il0Org==",
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/invalid-dependency/-/invalid-dependency-4.2.12.tgz",
+      "integrity": "sha512-/4F1zb7Z8LOu1PalTdESFHR0RbPwHd3FcaG1sI3UEIriQTWakysgJr65lc1jj6QY5ye7aFsisajotH6UhWfm/g==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.13.0",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4680,9 +4635,9 @@
       }
     },
     "node_modules/@smithy/is-array-buffer": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@smithy/is-array-buffer/-/is-array-buffer-4.2.1.tgz",
-      "integrity": "sha512-Yfu664Qbf1B4IYIsYgKoABt010daZjkaCRvdU/sPnZG6TtHOB0md0RjNdLGzxe5UIdn9js4ftPICzmkRa9RJ4Q==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@smithy/is-array-buffer/-/is-array-buffer-4.2.2.tgz",
+      "integrity": "sha512-n6rQ4N8Jj4YTQO3YFrlgZuwKodf4zUFs7EJIWH86pSCWBaAtAGBFfCM7Wx6D2bBJ2xqFNxGBSrUWswT3M0VJow==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -4693,14 +4648,14 @@
       }
     },
     "node_modules/@smithy/md5-js": {
-      "version": "4.2.10",
-      "resolved": "https://registry.npmjs.org/@smithy/md5-js/-/md5-js-4.2.10.tgz",
-      "integrity": "sha512-Op+Dh6dPLWTjWITChFayDllIaCXRofOed8ecpggTC5fkh8yXes0vAEX7gRUfjGK+TlyxoCAA05gHbZW/zB9JwQ==",
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/md5-js/-/md5-js-4.2.12.tgz",
+      "integrity": "sha512-W/oIpHCpWU2+iAkfZYyGWE+qkpuf3vEXHLxQQDx9FPNZTTdnul0dZ2d/gUFrtQ5je1G2kp4cjG0/24YueG2LbQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.13.0",
-        "@smithy/util-utf8": "^4.2.1",
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-utf8": "^4.2.2",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4708,20 +4663,20 @@
       }
     },
     "node_modules/@smithy/middleware-compression": {
-      "version": "4.3.35",
-      "resolved": "https://registry.npmjs.org/@smithy/middleware-compression/-/middleware-compression-4.3.35.tgz",
-      "integrity": "sha512-lZp486kpmXBmXoPedbAzs982q+fRRwyv7O3+5tSkt8J8xf64Mod+I0l5P+CRfKzqwoRt0+1YFbBx97aHS7xYPw==",
+      "version": "4.3.41",
+      "resolved": "https://registry.npmjs.org/@smithy/middleware-compression/-/middleware-compression-4.3.41.tgz",
+      "integrity": "sha512-lJ/yTWaPQZfvT5GJUgGpjjmG4ZgNhlPmvAN+SfQKcsNBApY+CaW2vg/x7GhsD3g/liKlo7suMAAZNK5RVQ9OIQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/core": "^3.23.6",
-        "@smithy/is-array-buffer": "^4.2.1",
-        "@smithy/node-config-provider": "^4.3.10",
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/types": "^4.13.0",
-        "@smithy/util-config-provider": "^4.2.1",
-        "@smithy/util-middleware": "^4.2.10",
-        "@smithy/util-utf8": "^4.2.1",
+        "@smithy/core": "^3.23.12",
+        "@smithy/is-array-buffer": "^4.2.2",
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-config-provider": "^4.2.2",
+        "@smithy/util-middleware": "^4.2.12",
+        "@smithy/util-utf8": "^4.2.2",
         "fflate": "0.8.1",
         "tslib": "^2.6.2"
       },
@@ -4730,14 +4685,14 @@
       }
     },
     "node_modules/@smithy/middleware-content-length": {
-      "version": "4.2.10",
-      "resolved": "https://registry.npmjs.org/@smithy/middleware-content-length/-/middleware-content-length-4.2.10.tgz",
-      "integrity": "sha512-TQZ9kX5c6XbjhaEBpvhSvMEZ0klBs1CFtOdPFwATZSbC9UeQfKHPLPN9Y+I6wZGMOavlYTOlHEPDrt42PMSH9w==",
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/middleware-content-length/-/middleware-content-length-4.2.12.tgz",
+      "integrity": "sha512-YE58Yz+cvFInWI/wOTrB+DbvUVz/pLn5mC5MvOV4fdRUc6qGwygyngcucRQjAhiCEbmfLOXX0gntSIcgMvAjmA==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/types": "^4.13.0",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4745,19 +4700,19 @@
       }
     },
     "node_modules/@smithy/middleware-endpoint": {
-      "version": "4.4.20",
-      "resolved": "https://registry.npmjs.org/@smithy/middleware-endpoint/-/middleware-endpoint-4.4.20.tgz",
-      "integrity": "sha512-9W6Np4ceBP3XCYAGLoMCmn8t2RRVzuD1ndWPLBbv7H9CrwM9Bprf6Up6BM9ZA/3alodg0b7Kf6ftBK9R1N04vw==",
+      "version": "4.4.27",
+      "resolved": "https://registry.npmjs.org/@smithy/middleware-endpoint/-/middleware-endpoint-4.4.27.tgz",
+      "integrity": "sha512-T3TFfUgXQlpcg+UdzcAISdZpj4Z+XECZ/cefgA6wLBd6V4lRi0svN2hBouN/be9dXQ31X4sLWz3fAQDf+nt6BA==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/core": "^3.23.6",
-        "@smithy/middleware-serde": "^4.2.11",
-        "@smithy/node-config-provider": "^4.3.10",
-        "@smithy/shared-ini-file-loader": "^4.4.5",
-        "@smithy/types": "^4.13.0",
-        "@smithy/url-parser": "^4.2.10",
-        "@smithy/util-middleware": "^4.2.10",
+        "@smithy/core": "^3.23.12",
+        "@smithy/middleware-serde": "^4.2.15",
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/shared-ini-file-loader": "^4.4.7",
+        "@smithy/types": "^4.13.1",
+        "@smithy/url-parser": "^4.2.12",
+        "@smithy/util-middleware": "^4.2.12",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4765,20 +4720,20 @@
       }
     },
     "node_modules/@smithy/middleware-retry": {
-      "version": "4.4.37",
-      "resolved": "https://registry.npmjs.org/@smithy/middleware-retry/-/middleware-retry-4.4.37.tgz",
-      "integrity": "sha512-/1psZZllBBSQ7+qo5+hhLz7AEPGLx3Z0+e3ramMBEuPK2PfvLK4SrncDB9VegX5mBn+oP/UTDrM6IHrFjvX1ZA==",
+      "version": "4.4.44",
+      "resolved": "https://registry.npmjs.org/@smithy/middleware-retry/-/middleware-retry-4.4.44.tgz",
+      "integrity": "sha512-Y1Rav7m5CFRPQyM4CI0koD/bXjyjJu3EQxZZhtLGD88WIrBrQ7kqXM96ncd6rYnojwOo/u9MXu57JrEvu/nLrA==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/node-config-provider": "^4.3.10",
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/service-error-classification": "^4.2.10",
-        "@smithy/smithy-client": "^4.12.0",
-        "@smithy/types": "^4.13.0",
-        "@smithy/util-middleware": "^4.2.10",
-        "@smithy/util-retry": "^4.2.10",
-        "@smithy/uuid": "^1.1.1",
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/service-error-classification": "^4.2.12",
+        "@smithy/smithy-client": "^4.12.7",
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-middleware": "^4.2.12",
+        "@smithy/util-retry": "^4.2.12",
+        "@smithy/uuid": "^1.1.2",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4786,14 +4741,15 @@
       }
     },
     "node_modules/@smithy/middleware-serde": {
-      "version": "4.2.11",
-      "resolved": "https://registry.npmjs.org/@smithy/middleware-serde/-/middleware-serde-4.2.11.tgz",
-      "integrity": "sha512-STQdONGPwbbC7cusL60s7vOa6He6A9w2jWhoapL0mgVjmR19pr26slV+yoSP76SIssMTX/95e5nOZ6UQv6jolg==",
+      "version": "4.2.15",
+      "resolved": "https://registry.npmjs.org/@smithy/middleware-serde/-/middleware-serde-4.2.15.tgz",
+      "integrity": "sha512-ExYhcltZSli0pgAKOpQQe1DLFBLryeZ22605y/YS+mQpdNWekum9Ujb/jMKfJKgjtz1AZldtwA/wCYuKJgjjlg==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/types": "^4.13.0",
+        "@smithy/core": "^3.23.12",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4801,13 +4757,13 @@
       }
     },
     "node_modules/@smithy/middleware-stack": {
-      "version": "4.2.10",
-      "resolved": "https://registry.npmjs.org/@smithy/middleware-stack/-/middleware-stack-4.2.10.tgz",
-      "integrity": "sha512-pmts/WovNcE/tlyHa8z/groPeOtqtEpp61q3W0nW1nDJuMq/x+hWa/OVQBtgU0tBqupeXq0VBOLA4UZwE8I0YA==",
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/middleware-stack/-/middleware-stack-4.2.12.tgz",
+      "integrity": "sha512-kruC5gRHwsCOuyCd4ouQxYjgRAym2uDlCvQ5acuMtRrcdfg7mFBg6blaxcJ09STpt3ziEkis6bhg1uwrWU7txw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.13.0",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4815,15 +4771,15 @@
       }
     },
     "node_modules/@smithy/node-config-provider": {
-      "version": "4.3.10",
-      "resolved": "https://registry.npmjs.org/@smithy/node-config-provider/-/node-config-provider-4.3.10.tgz",
-      "integrity": "sha512-UALRbJtVX34AdP2VECKVlnNgidLHA2A7YgcJzwSBg1hzmnO/bZBHl/LDQQyYifzUwp1UOODnl9JJ3KNawpUJ9w==",
+      "version": "4.3.12",
+      "resolved": "https://registry.npmjs.org/@smithy/node-config-provider/-/node-config-provider-4.3.12.tgz",
+      "integrity": "sha512-tr2oKX2xMcO+rBOjobSwVAkV05SIfUKz8iI53rzxEmgW3GOOPOv0UioSDk+J8OpRQnpnhsO3Af6IEBabQBVmiw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/property-provider": "^4.2.10",
-        "@smithy/shared-ini-file-loader": "^4.4.5",
-        "@smithy/types": "^4.13.0",
+        "@smithy/property-provider": "^4.2.12",
+        "@smithy/shared-ini-file-loader": "^4.4.7",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4831,16 +4787,16 @@
       }
     },
     "node_modules/@smithy/node-http-handler": {
-      "version": "4.4.12",
-      "resolved": "https://registry.npmjs.org/@smithy/node-http-handler/-/node-http-handler-4.4.12.tgz",
-      "integrity": "sha512-zo1+WKJkR9x7ZtMeMDAAsq2PufwiLDmkhcjpWPRRkmeIuOm6nq1qjFICSZbnjBvD09ei8KMo26BWxsu2BUU+5w==",
+      "version": "4.5.0",
+      "resolved": "https://registry.npmjs.org/@smithy/node-http-handler/-/node-http-handler-4.5.0.tgz",
+      "integrity": "sha512-Rnq9vQWiR1+/I6NZZMNzJHV6pZYyEHt2ZnuV3MG8z2NNenC4i/8Kzttz7CjZiHSmsN5frhXhg17z3Zqjjhmz1A==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/abort-controller": "^4.2.10",
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/querystring-builder": "^4.2.10",
-        "@smithy/types": "^4.13.0",
+        "@smithy/abort-controller": "^4.2.12",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/querystring-builder": "^4.2.12",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4848,13 +4804,13 @@
       }
     },
     "node_modules/@smithy/property-provider": {
-      "version": "4.2.10",
-      "resolved": "https://registry.npmjs.org/@smithy/property-provider/-/property-provider-4.2.10.tgz",
-      "integrity": "sha512-5jm60P0CU7tom0eNrZ7YrkgBaoLFXzmqB0wVS+4uK8PPGmosSrLNf6rRd50UBvukztawZ7zyA8TxlrKpF5z9jw==",
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/property-provider/-/property-provider-4.2.12.tgz",
+      "integrity": "sha512-jqve46eYU1v7pZ5BM+fmkbq3DerkSluPr5EhvOcHxygxzD05ByDRppRwRPPpFrsFo5yDtCYLKu+kreHKVrvc7A==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.13.0",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4862,13 +4818,13 @@
       }
     },
     "node_modules/@smithy/protocol-http": {
-      "version": "5.3.10",
-      "resolved": "https://registry.npmjs.org/@smithy/protocol-http/-/protocol-http-5.3.10.tgz",
-      "integrity": "sha512-2NzVWpYY0tRdfeCJLsgrR89KE3NTWT2wGulhNUxYlRmtRmPwLQwKzhrfVaiNlA9ZpJvbW7cjTVChYKgnkqXj1A==",
+      "version": "5.3.12",
+      "resolved": "https://registry.npmjs.org/@smithy/protocol-http/-/protocol-http-5.3.12.tgz",
+      "integrity": "sha512-fit0GZK9I1xoRlR4jXmbLhoN0OdEpa96ul8M65XdmXnxXkuMxM0Y8HDT0Fh0Xb4I85MBvBClOzgSrV1X2s1Hxw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.13.0",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4876,14 +4832,14 @@
       }
     },
     "node_modules/@smithy/querystring-builder": {
-      "version": "4.2.10",
-      "resolved": "https://registry.npmjs.org/@smithy/querystring-builder/-/querystring-builder-4.2.10.tgz",
-      "integrity": "sha512-HeN7kEvuzO2DmAzLukE9UryiUvejD3tMp9a1D1NJETerIfKobBUCLfviP6QEk500166eD2IATaXM59qgUI+YDA==",
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/querystring-builder/-/querystring-builder-4.2.12.tgz",
+      "integrity": "sha512-6wTZjGABQufekycfDGMEB84BgtdOE/rCVTov+EDXQ8NHKTUNIp/j27IliwP7tjIU9LR+sSzyGBOXjeEtVgzCHg==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.13.0",
-        "@smithy/util-uri-escape": "^4.2.1",
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-uri-escape": "^4.2.2",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4891,13 +4847,13 @@
       }
     },
     "node_modules/@smithy/querystring-parser": {
-      "version": "4.2.10",
-      "resolved": "https://registry.npmjs.org/@smithy/querystring-parser/-/querystring-parser-4.2.10.tgz",
-      "integrity": "sha512-4Mh18J26+ao1oX5wXJfWlTT+Q1OpDR8ssiC9PDOuEgVBGloqg18Fw7h5Ct8DyT9NBYwJgtJ2nLjKKFU6RP1G1Q==",
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/querystring-parser/-/querystring-parser-4.2.12.tgz",
+      "integrity": "sha512-P2OdvrgiAKpkPNKlKUtWbNZKB1XjPxM086NeVhK+W+wI46pIKdWBe5QyXvhUm3MEcyS/rkLvY8rZzyUdmyDZBw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.13.0",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4905,26 +4861,26 @@
       }
     },
     "node_modules/@smithy/service-error-classification": {
-      "version": "4.2.10",
-      "resolved": "https://registry.npmjs.org/@smithy/service-error-classification/-/service-error-classification-4.2.10.tgz",
-      "integrity": "sha512-0R/+/Il5y8nB/By90o8hy/bWVYptbIfvoTYad0igYQO5RefhNCDmNzqxaMx7K1t/QWo0d6UynqpqN5cCQt1MCg==",
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/service-error-classification/-/service-error-classification-4.2.12.tgz",
+      "integrity": "sha512-LlP29oSQN0Tw0b6D0Xo6BIikBswuIiGYbRACy5ujw/JgWSzTdYj46U83ssf6Ux0GyNJVivs2uReU8pt7Eu9okQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.13.0"
+        "@smithy/types": "^4.13.1"
       },
       "engines": {
         "node": ">=18.0.0"
       }
     },
     "node_modules/@smithy/shared-ini-file-loader": {
-      "version": "4.4.5",
-      "resolved": "https://registry.npmjs.org/@smithy/shared-ini-file-loader/-/shared-ini-file-loader-4.4.5.tgz",
-      "integrity": "sha512-pHgASxl50rrtOztgQCPmOXFjRW+mCd7ALr/3uXNzRrRoGV5G2+78GOsQ3HlQuBVHCh9o6xqMNvlIKZjWn4Euug==",
+      "version": "4.4.7",
+      "resolved": "https://registry.npmjs.org/@smithy/shared-ini-file-loader/-/shared-ini-file-loader-4.4.7.tgz",
+      "integrity": "sha512-HrOKWsUb+otTeo1HxVWeEb99t5ER1XrBi/xka2Wv6NVmTbuCUC1dvlrksdvxFtODLBjsC+PHK+fuy2x/7Ynyiw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.13.0",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4932,19 +4888,19 @@
       }
     },
     "node_modules/@smithy/signature-v4": {
-      "version": "5.3.10",
-      "resolved": "https://registry.npmjs.org/@smithy/signature-v4/-/signature-v4-5.3.10.tgz",
-      "integrity": "sha512-Wab3wW8468WqTKIxI+aZe3JYO52/RYT/8sDOdzkUhjnLakLe9qoQqIcfih/qxcF4qWEFoWBszY0mj5uxffaVXA==",
+      "version": "5.3.12",
+      "resolved": "https://registry.npmjs.org/@smithy/signature-v4/-/signature-v4-5.3.12.tgz",
+      "integrity": "sha512-B/FBwO3MVOL00DaRSXfXfa/TRXRheagt/q5A2NM13u7q+sHS59EOVGQNfG7DkmVtdQm5m3vOosoKAXSqn/OEgw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/is-array-buffer": "^4.2.1",
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/types": "^4.13.0",
-        "@smithy/util-hex-encoding": "^4.2.1",
-        "@smithy/util-middleware": "^4.2.10",
-        "@smithy/util-uri-escape": "^4.2.1",
-        "@smithy/util-utf8": "^4.2.1",
+        "@smithy/is-array-buffer": "^4.2.2",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-hex-encoding": "^4.2.2",
+        "@smithy/util-middleware": "^4.2.12",
+        "@smithy/util-uri-escape": "^4.2.2",
+        "@smithy/util-utf8": "^4.2.2",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4952,18 +4908,18 @@
       }
     },
     "node_modules/@smithy/smithy-client": {
-      "version": "4.12.0",
-      "resolved": "https://registry.npmjs.org/@smithy/smithy-client/-/smithy-client-4.12.0.tgz",
-      "integrity": "sha512-R8bQ9K3lCcXyZmBnQqUZJF4ChZmtWT5NLi6x5kgWx5D+/j0KorXcA0YcFg/X5TOgnTCy1tbKc6z2g2y4amFupQ==",
+      "version": "4.12.7",
+      "resolved": "https://registry.npmjs.org/@smithy/smithy-client/-/smithy-client-4.12.7.tgz",
+      "integrity": "sha512-q3gqnwml60G44FECaEEsdQMplYhDMZYCtYhMCzadCnRnnHIobZJjegmdoUo6ieLQlPUzvrMdIJUpx6DoPmzANQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/core": "^3.23.6",
-        "@smithy/middleware-endpoint": "^4.4.20",
-        "@smithy/middleware-stack": "^4.2.10",
-        "@smithy/protocol-http": "^5.3.10",
-        "@smithy/types": "^4.13.0",
-        "@smithy/util-stream": "^4.5.15",
+        "@smithy/core": "^3.23.12",
+        "@smithy/middleware-endpoint": "^4.4.27",
+        "@smithy/middleware-stack": "^4.2.12",
+        "@smithy/protocol-http": "^5.3.12",
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-stream": "^4.5.20",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4984,14 +4940,14 @@
       }
     },
     "node_modules/@smithy/url-parser": {
-      "version": "4.2.10",
-      "resolved": "https://registry.npmjs.org/@smithy/url-parser/-/url-parser-4.2.10.tgz",
-      "integrity": "sha512-uypjF7fCDsRk26u3qHmFI/ePL7bxxB9vKkE+2WKEciHhz+4QtbzWiHRVNRJwU3cKhrYDYQE3b0MRFtqfLYdA4A==",
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/url-parser/-/url-parser-4.2.12.tgz",
+      "integrity": "sha512-wOPKPEpso+doCZGIlr+e1lVI6+9VAKfL4kZWFgzVgGWY2hZxshNKod4l2LXS3PRC9otH/JRSjtEHqQ/7eLciRA==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/querystring-parser": "^4.2.10",
-        "@smithy/types": "^4.13.0",
+        "@smithy/querystring-parser": "^4.2.12",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -4999,14 +4955,14 @@
       }
     },
     "node_modules/@smithy/util-base64": {
-      "version": "4.3.1",
-      "resolved": "https://registry.npmjs.org/@smithy/util-base64/-/util-base64-4.3.1.tgz",
-      "integrity": "sha512-BKGuawX4Doq/bI/uEmg+Zyc36rJKWuin3py89PquXBIBqmbnJwBBsmKhdHfNEp0+A4TDgLmT/3MSKZ1SxHcR6w==",
+      "version": "4.3.2",
+      "resolved": "https://registry.npmjs.org/@smithy/util-base64/-/util-base64-4.3.2.tgz",
+      "integrity": "sha512-XRH6b0H/5A3SgblmMa5ErXQ2XKhfbQB+Fm/oyLZ2O2kCUrwgg55bU0RekmzAhuwOjA9qdN5VU2BprOvGGUkOOQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/util-buffer-from": "^4.2.1",
-        "@smithy/util-utf8": "^4.2.1",
+        "@smithy/util-buffer-from": "^4.2.2",
+        "@smithy/util-utf8": "^4.2.2",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -5014,9 +4970,9 @@
       }
     },
     "node_modules/@smithy/util-body-length-browser": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@smithy/util-body-length-browser/-/util-body-length-browser-4.2.1.tgz",
-      "integrity": "sha512-SiJeLiozrAoCrgDBUgsVbmqHmMgg/2bA15AzcbcW+zan7SuyAVHN4xTSbq0GlebAIwlcaX32xacnrG488/J/6g==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@smithy/util-body-length-browser/-/util-body-length-browser-4.2.2.tgz",
+      "integrity": "sha512-JKCrLNOup3OOgmzeaKQwi4ZCTWlYR5H4Gm1r2uTMVBXoemo1UEghk5vtMi1xSu2ymgKVGW631e2fp9/R610ZjQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -5027,9 +4983,9 @@
       }
     },
     "node_modules/@smithy/util-body-length-node": {
-      "version": "4.2.2",
-      "resolved": "https://registry.npmjs.org/@smithy/util-body-length-node/-/util-body-length-node-4.2.2.tgz",
-      "integrity": "sha512-4rHqBvxtJEBvsZcFQSPQqXP2b/yy/YlB66KlcEgcH2WNoOKCKB03DSLzXmOsXjbl8dJ4OEYTn31knhdznwk7zw==",
+      "version": "4.2.3",
+      "resolved": "https://registry.npmjs.org/@smithy/util-body-length-node/-/util-body-length-node-4.2.3.tgz",
+      "integrity": "sha512-ZkJGvqBzMHVHE7r/hcuCxlTY8pQr1kMtdsVPs7ex4mMU+EAbcXppfo5NmyxMYi2XU49eqaz56j2gsk4dHHPG/g==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -5040,13 +4996,13 @@
       }
     },
     "node_modules/@smithy/util-buffer-from": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@smithy/util-buffer-from/-/util-buffer-from-4.2.1.tgz",
-      "integrity": "sha512-/swhmt1qTiVkaejlmMPPDgZhEaWb/HWMGRBheaxwuVkusp/z+ErJyQxO6kaXumOciZSWlmq6Z5mNylCd33X7Ig==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@smithy/util-buffer-from/-/util-buffer-from-4.2.2.tgz",
+      "integrity": "sha512-FDXD7cvUoFWwN6vtQfEta540Y/YBe5JneK3SoZg9bThSoOAC/eGeYEua6RkBgKjGa/sz6Y+DuBZj3+YEY21y4Q==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/is-array-buffer": "^4.2.1",
+        "@smithy/is-array-buffer": "^4.2.2",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -5054,9 +5010,9 @@
       }
     },
     "node_modules/@smithy/util-config-provider": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@smithy/util-config-provider/-/util-config-provider-4.2.1.tgz",
-      "integrity": "sha512-462id/00U8JWFw6qBuTSWfN5TxOHvDu4WliI97qOIOnuC/g+NDAknTU8eoGXEPlLkRVgWEr03jJBLV4o2FL8+A==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@smithy/util-config-provider/-/util-config-provider-4.2.2.tgz",
+      "integrity": "sha512-dWU03V3XUprJwaUIFVv4iOnS1FC9HnMHDfUrlNDSh4315v0cWyaIErP8KiqGVbf5z+JupoVpNM7ZB3jFiTejvQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -5067,15 +5023,15 @@
       }
     },
     "node_modules/@smithy/util-defaults-mode-browser": {
-      "version": "4.3.36",
-      "resolved": "https://registry.npmjs.org/@smithy/util-defaults-mode-browser/-/util-defaults-mode-browser-4.3.36.tgz",
-      "integrity": "sha512-R0smq7EHQXRVMxkAxtH5akJ/FvgAmNF6bUy/GwY/N20T4GrwjT633NFm0VuRpC+8Bbv8R9A0DoJ9OiZL/M3xew==",
+      "version": "4.3.43",
+      "resolved": "https://registry.npmjs.org/@smithy/util-defaults-mode-browser/-/util-defaults-mode-browser-4.3.43.tgz",
+      "integrity": "sha512-Qd/0wCKMaXxev/z00TvNzGCH2jlKKKxXP1aDxB6oKwSQthe3Og2dMhSayGCnsma1bK/kQX1+X7SMP99t6FgiiQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/property-provider": "^4.2.10",
-        "@smithy/smithy-client": "^4.12.0",
-        "@smithy/types": "^4.13.0",
+        "@smithy/property-provider": "^4.2.12",
+        "@smithy/smithy-client": "^4.12.7",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -5083,18 +5039,18 @@
       }
     },
     "node_modules/@smithy/util-defaults-mode-node": {
-      "version": "4.2.39",
-      "resolved": "https://registry.npmjs.org/@smithy/util-defaults-mode-node/-/util-defaults-mode-node-4.2.39.tgz",
-      "integrity": "sha512-otWuoDm35btJV1L8MyHrPl462B07QCdMTktKc7/yM+Psv6KbED/ziXiHnmr7yPHUjfIwE9S8Max0LO24Mo3ZVg==",
+      "version": "4.2.47",
+      "resolved": "https://registry.npmjs.org/@smithy/util-defaults-mode-node/-/util-defaults-mode-node-4.2.47.tgz",
+      "integrity": "sha512-qSRbYp1EQ7th+sPFuVcVO05AE0QH635hycdEXlpzIahqHHf2Fyd/Zl+8v0XYMJ3cgDVPa0lkMefU7oNUjAP+DQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/config-resolver": "^4.4.9",
-        "@smithy/credential-provider-imds": "^4.2.10",
-        "@smithy/node-config-provider": "^4.3.10",
-        "@smithy/property-provider": "^4.2.10",
-        "@smithy/smithy-client": "^4.12.0",
-        "@smithy/types": "^4.13.0",
+        "@smithy/config-resolver": "^4.4.13",
+        "@smithy/credential-provider-imds": "^4.2.12",
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/property-provider": "^4.2.12",
+        "@smithy/smithy-client": "^4.12.7",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -5102,14 +5058,14 @@
       }
     },
     "node_modules/@smithy/util-endpoints": {
-      "version": "3.3.1",
-      "resolved": "https://registry.npmjs.org/@smithy/util-endpoints/-/util-endpoints-3.3.1.tgz",
-      "integrity": "sha512-xyctc4klmjmieQiF9I1wssBWleRV0RhJ2DpO8+8yzi2LO1Z+4IWOZNGZGNj4+hq9kdo+nyfrRLmQTzc16Op2Vg==",
+      "version": "3.3.3",
+      "resolved": "https://registry.npmjs.org/@smithy/util-endpoints/-/util-endpoints-3.3.3.tgz",
+      "integrity": "sha512-VACQVe50j0HZPjpwWcjyT51KUQ4AnsvEaQ2lKHOSL4mNLD0G9BjEniQ+yCt1qqfKfiAHRAts26ud7hBjamrwig==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/node-config-provider": "^4.3.10",
-        "@smithy/types": "^4.13.0",
+        "@smithy/node-config-provider": "^4.3.12",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -5117,9 +5073,9 @@
       }
     },
     "node_modules/@smithy/util-hex-encoding": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@smithy/util-hex-encoding/-/util-hex-encoding-4.2.1.tgz",
-      "integrity": "sha512-c1hHtkgAWmE35/50gmdKajgGAKV3ePJ7t6UtEmpfCWJmQE9BQAQPz0URUVI89eSkcDqCtzqllxzG28IQoZPvwA==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@smithy/util-hex-encoding/-/util-hex-encoding-4.2.2.tgz",
+      "integrity": "sha512-Qcz3W5vuHK4sLQdyT93k/rfrUwdJ8/HZ+nMUOyGdpeGA1Wxt65zYwi3oEl9kOM+RswvYq90fzkNDahPS8K0OIg==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -5130,13 +5086,13 @@
       }
     },
     "node_modules/@smithy/util-middleware": {
-      "version": "4.2.10",
-      "resolved": "https://registry.npmjs.org/@smithy/util-middleware/-/util-middleware-4.2.10.tgz",
-      "integrity": "sha512-LxaQIWLp4y0r72eA8mwPNQ9va4h5KeLM0I3M/HV9klmFaY2kN766wf5vsTzmaOpNNb7GgXAd9a25P3h8T49PSA==",
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/util-middleware/-/util-middleware-4.2.12.tgz",
+      "integrity": "sha512-Er805uFUOvgc0l8nv0e0su0VFISoxhJ/AwOn3gL2NWNY2LUEldP5WtVcRYSQBcjg0y9NfG8JYrCJaYDpupBHJQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/types": "^4.13.0",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -5144,14 +5100,14 @@
       }
     },
     "node_modules/@smithy/util-retry": {
-      "version": "4.2.10",
-      "resolved": "https://registry.npmjs.org/@smithy/util-retry/-/util-retry-4.2.10.tgz",
-      "integrity": "sha512-HrBzistfpyE5uqTwiyLsFHscgnwB0kgv8vySp7q5kZ0Eltn/tjosaSGGDj/jJ9ys7pWzIP/icE2d+7vMKXLv7A==",
+      "version": "4.2.12",
+      "resolved": "https://registry.npmjs.org/@smithy/util-retry/-/util-retry-4.2.12.tgz",
+      "integrity": "sha512-1zopLDUEOwumjcHdJ1mwBHddubYF8GMQvstVCLC54Y46rqoHwlIU+8ZzUeaBcD+WCJHyDGSeZ2ml9YSe9aqcoQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/service-error-classification": "^4.2.10",
-        "@smithy/types": "^4.13.0",
+        "@smithy/service-error-classification": "^4.2.12",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -5159,19 +5115,19 @@
       }
     },
     "node_modules/@smithy/util-stream": {
-      "version": "4.5.15",
-      "resolved": "https://registry.npmjs.org/@smithy/util-stream/-/util-stream-4.5.15.tgz",
-      "integrity": "sha512-OlOKnaqnkU9X+6wEkd7mN+WB7orPbCVDauXOj22Q7VtiTkvy7ZdSsOg4QiNAZMgI4OkvNf+/VLUC3VXkxuWJZw==",
+      "version": "4.5.20",
+      "resolved": "https://registry.npmjs.org/@smithy/util-stream/-/util-stream-4.5.20.tgz",
+      "integrity": "sha512-4yXLm5n/B5SRBR2p8cZ90Sbv4zL4NKsgxdzCzp/83cXw2KxLEumt5p+GAVyRNZgQOSrzXn9ARpO0lUe8XSlSDw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/fetch-http-handler": "^5.3.11",
-        "@smithy/node-http-handler": "^4.4.12",
-        "@smithy/types": "^4.13.0",
-        "@smithy/util-base64": "^4.3.1",
-        "@smithy/util-buffer-from": "^4.2.1",
-        "@smithy/util-hex-encoding": "^4.2.1",
-        "@smithy/util-utf8": "^4.2.1",
+        "@smithy/fetch-http-handler": "^5.3.15",
+        "@smithy/node-http-handler": "^4.5.0",
+        "@smithy/types": "^4.13.1",
+        "@smithy/util-base64": "^4.3.2",
+        "@smithy/util-buffer-from": "^4.2.2",
+        "@smithy/util-hex-encoding": "^4.2.2",
+        "@smithy/util-utf8": "^4.2.2",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -5179,9 +5135,9 @@
       }
     },
     "node_modules/@smithy/util-uri-escape": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@smithy/util-uri-escape/-/util-uri-escape-4.2.1.tgz",
-      "integrity": "sha512-YmiUDn2eo2IOiWYYvGQkgX5ZkBSiTQu4FlDo5jNPpAxng2t6Sjb6WutnZV9l6VR4eJul1ABmCrnWBC9hKHQa6Q==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@smithy/util-uri-escape/-/util-uri-escape-4.2.2.tgz",
+      "integrity": "sha512-2kAStBlvq+lTXHyAZYfJRb/DfS3rsinLiwb+69SstC9Vb0s9vNWkRwpnj918Pfi85mzi42sOqdV72OLxWAISnw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -5192,13 +5148,13 @@
       }
     },
     "node_modules/@smithy/util-utf8": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@smithy/util-utf8/-/util-utf8-4.2.1.tgz",
-      "integrity": "sha512-DSIwNaWtmzrNQHv8g7DBGR9mulSit65KSj5ymGEIAknmIN8IpbZefEep10LaMG/P/xquwbmJ1h9ectz8z6mV6g==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@smithy/util-utf8/-/util-utf8-4.2.2.tgz",
+      "integrity": "sha512-75MeYpjdWRe8M5E3AW0O4Cx3UadweS+cwdXjwYGBW5h/gxxnbeZ877sLPX/ZJA9GVTlL/qG0dXP29JWFCD1Ayw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/util-buffer-from": "^4.2.1",
+        "@smithy/util-buffer-from": "^4.2.2",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -5206,14 +5162,14 @@
       }
     },
     "node_modules/@smithy/util-waiter": {
-      "version": "4.2.10",
-      "resolved": "https://registry.npmjs.org/@smithy/util-waiter/-/util-waiter-4.2.10.tgz",
-      "integrity": "sha512-4eTWph/Lkg1wZEDAyObwme0kmhEb7J/JjibY2znJdrYRgKbKqB7YoEhhJVJ4R1g/SYih4zuwX7LpJaM8RsnTVg==",
+      "version": "4.2.13",
+      "resolved": "https://registry.npmjs.org/@smithy/util-waiter/-/util-waiter-4.2.13.tgz",
+      "integrity": "sha512-2zdZ9DTHngRtcYxJK1GUDxruNr53kv5W2Lupe0LMU+Imr6ohQg8M2T14MNkj1Y0wS3FFwpgpGQyvuaMF7CiTmQ==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "@smithy/abort-controller": "^4.2.10",
-        "@smithy/types": "^4.13.0",
+        "@smithy/abort-controller": "^4.2.12",
+        "@smithy/types": "^4.13.1",
         "tslib": "^2.6.2"
       },
       "engines": {
@@ -5221,9 +5177,9 @@
       }
     },
     "node_modules/@smithy/uuid": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/@smithy/uuid/-/uuid-1.1.1.tgz",
-      "integrity": "sha512-dSfDCeihDmZlV2oyr0yWPTUfh07suS+R5OB+FZGiv/hHyK3hrFBW5rR1UYjfa57vBsrP9lciFkRPzebaV1Qujw==",
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/@smithy/uuid/-/uuid-1.1.2.tgz",
+      "integrity": "sha512-O/IEdcCUKkubz60tFbGA7ceITTAJsty+lBjNoorP4Z6XRqaFb/OjQjZODophEcuq68nKm6/0r+6/lLQ+XVpk8g==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -5302,9 +5258,9 @@
       }
     },
     "node_modules/@types/node": {
-      "version": "25.3.2",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-25.3.2.tgz",
-      "integrity": "sha512-RpV6r/ij22zRRdyBPcxDeKAzH43phWVKEjL2iksqo1Vz3CuBUrgmPpPhALKiRfU7OMCmeeO9vECBMsV0hMTG8Q==",
+      "version": "25.5.0",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-25.5.0.tgz",
+      "integrity": "sha512-jp2P3tQMSxWugkCUKLRPVUpGaL5MVFwF8RDuSRztfwgN1wmqJeMSbKlnEtQqU8UrhTmzEmZdu2I6v2dpp7XIxw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -5335,14 +5291,14 @@
       }
     },
     "node_modules/@typescript-eslint/project-service": {
-      "version": "8.56.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.56.1.tgz",
-      "integrity": "sha512-TAdqQTzHNNvlVFfR+hu2PDJrURiwKsUvxFn1M0h95BB8ah5jejas08jUWG4dBA68jDMI988IvtfdAI53JzEHOQ==",
+      "version": "8.57.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.57.2.tgz",
+      "integrity": "sha512-FuH0wipFywXRTHf+bTTjNyuNQQsQC3qh/dYzaM4I4W0jrCqjCVuUh99+xd9KamUfmCGPvbO8NDngo/vsnNVqgw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/tsconfig-utils": "^8.56.1",
-        "@typescript-eslint/types": "^8.56.1",
+        "@typescript-eslint/tsconfig-utils": "^8.57.2",
+        "@typescript-eslint/types": "^8.57.2",
         "debug": "^4.4.3"
       },
       "engines": {
@@ -5357,9 +5313,9 @@
       }
     },
     "node_modules/@typescript-eslint/tsconfig-utils": {
-      "version": "8.56.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.56.1.tgz",
-      "integrity": "sha512-qOtCYzKEeyr3aR9f28mPJqBty7+DBqsdd63eO0yyDwc6vgThj2UjWfJIcsFeSucYydqcuudMOprZ+x1SpF3ZuQ==",
+      "version": "8.57.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.57.2.tgz",
+      "integrity": "sha512-3Lm5DSM+DCowsUOJC+YqHHnKEfFh5CoGkj5Z31NQSNF4l5wdOwqGn99wmwN/LImhfY3KJnmordBq/4+VDe2eKw==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -5374,9 +5330,9 @@
       }
     },
     "node_modules/@typescript-eslint/types": {
-      "version": "8.56.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.56.1.tgz",
-      "integrity": "sha512-dbMkdIUkIkchgGDIv7KLUpa0Mda4IYjo4IAMJUZ+3xNoUXxMsk9YtKpTHSChRS85o+H9ftm51gsK1dZReY9CVw==",
+      "version": "8.57.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.57.2.tgz",
+      "integrity": "sha512-/iZM6FnM4tnx9csuTxspMW4BOSegshwX5oBDznJ7S4WggL7Vczz5d2W11ecc4vRrQMQHXRSxzrCsyG5EsPPTbA==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -5388,16 +5344,16 @@
       }
     },
     "node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.56.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.56.1.tgz",
-      "integrity": "sha512-qzUL1qgalIvKWAf9C1HpvBjif+Vm6rcT5wZd4VoMb9+Km3iS3Cv9DY6dMRMDtPnwRAFyAi7YXJpTIEXLvdfPxg==",
+      "version": "8.57.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.57.2.tgz",
+      "integrity": "sha512-2MKM+I6g8tJxfSmFKOnHv2t8Sk3T6rF20A1Puk0svLK+uVapDZB/4pfAeB7nE83uAZrU6OxW+HmOd5wHVdXwXA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/project-service": "8.56.1",
-        "@typescript-eslint/tsconfig-utils": "8.56.1",
-        "@typescript-eslint/types": "8.56.1",
-        "@typescript-eslint/visitor-keys": "8.56.1",
+        "@typescript-eslint/project-service": "8.57.2",
+        "@typescript-eslint/tsconfig-utils": "8.57.2",
+        "@typescript-eslint/types": "8.57.2",
+        "@typescript-eslint/visitor-keys": "8.57.2",
         "debug": "^4.4.3",
         "minimatch": "^10.2.2",
         "semver": "^7.7.3",
@@ -5416,13 +5372,13 @@
       }
     },
     "node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.56.1",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.56.1.tgz",
-      "integrity": "sha512-KiROIzYdEV85YygXw6BI/Dx4fnBlFQu6Mq4QE4MOH9fFnhohw6wX/OAvDY2/C+ut0I3RSPKenvZJIVYqJNkhEw==",
+      "version": "8.57.2",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.57.2.tgz",
+      "integrity": "sha512-zhahknjobV2FiD6Ee9iLbS7OV9zi10rG26odsQdfBO/hjSzUQbkIYgda+iNKK1zNiW2ey+Lf8MU5btN17V3dUw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.56.1",
+        "@typescript-eslint/types": "8.57.2",
         "eslint-visitor-keys": "^5.0.0"
       },
       "engines": {
@@ -5447,9 +5403,9 @@
       }
     },
     "node_modules/@typespec/ts-http-runtime": {
-      "version": "0.3.3",
-      "resolved": "https://registry.npmjs.org/@typespec/ts-http-runtime/-/ts-http-runtime-0.3.3.tgz",
-      "integrity": "sha512-91fp6CAAJSRtH5ja95T1FHSKa8aPW9/Zw6cta81jlZTUw/+Vq8jM/AfF/14h2b71wwR84JUTW/3Y8QPhDAawFA==",
+      "version": "0.3.4",
+      "resolved": "https://registry.npmjs.org/@typespec/ts-http-runtime/-/ts-http-runtime-0.3.4.tgz",
+      "integrity": "sha512-CI0NhTrz4EBaa0U+HaaUZrJhPoso8sG7ZFya8uQoBA57fjzrjRSv87ekCjLZOFExN+gXE/z0xuN2QfH4H2HrLQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -5476,9 +5432,9 @@
       }
     },
     "node_modules/@upstash/redis": {
-      "version": "1.36.3",
-      "resolved": "https://registry.npmjs.org/@upstash/redis/-/redis-1.36.3.tgz",
-      "integrity": "sha512-wxo1ei4OHDHm4UGMgrNVz9QUEela9N/Iwi4p1JlHNSowQiPi+eljlGnfbZVkV0V4PIrjGtGFJt5GjWM5k28enA==",
+      "version": "1.37.0",
+      "resolved": "https://registry.npmjs.org/@upstash/redis/-/redis-1.37.0.tgz",
+      "integrity": "sha512-LqOJ3+XWPLSZ2rGSed5DYG3ixybxb8EhZu3yQqF7MdZX1wLBG/FRcI6xcUZXHy/SS7mmXWyadrud0HJHkOc+uw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -5486,14 +5442,14 @@
       }
     },
     "node_modules/@vue/compiler-core": {
-      "version": "3.5.29",
-      "resolved": "https://registry.npmjs.org/@vue/compiler-core/-/compiler-core-3.5.29.tgz",
-      "integrity": "sha512-cuzPhD8fwRHk8IGfmYaR4eEe4cAyJEL66Ove/WZL7yWNL134nqLddSLwNRIsFlnnW1kK+p8Ck3viFnC0chXCXw==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-core/-/compiler-core-3.5.31.tgz",
+      "integrity": "sha512-k/ueL14aNIEy5Onf0OVzR8kiqF/WThgLdFhxwa4e/KF/0qe38IwIdofoSWBTvvxQOesaz6riAFAUaYjoF9fLLQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@babel/parser": "^7.29.0",
-        "@vue/shared": "3.5.29",
+        "@babel/parser": "^7.29.2",
+        "@vue/shared": "3.5.31",
         "entities": "^7.0.1",
         "estree-walker": "^2.0.2",
         "source-map-js": "^1.2.1"
@@ -5513,49 +5469,49 @@
       }
     },
     "node_modules/@vue/compiler-dom": {
-      "version": "3.5.29",
-      "resolved": "https://registry.npmjs.org/@vue/compiler-dom/-/compiler-dom-3.5.29.tgz",
-      "integrity": "sha512-n0G5o7R3uBVmVxjTIYcz7ovr8sy7QObFG8OQJ3xGCDNhbG60biP/P5KnyY8NLd81OuT1WJflG7N4KWYHaeeaIg==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-dom/-/compiler-dom-3.5.31.tgz",
+      "integrity": "sha512-BMY/ozS/xxjYqRFL+tKdRpATJYDTTgWSo0+AJvJNg4ig+Hgb0dOsHPXvloHQ5hmlivUqw1Yt2pPIqp4e0v1GUw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@vue/compiler-core": "3.5.29",
-        "@vue/shared": "3.5.29"
+        "@vue/compiler-core": "3.5.31",
+        "@vue/shared": "3.5.31"
       }
     },
     "node_modules/@vue/compiler-sfc": {
-      "version": "3.5.29",
-      "resolved": "https://registry.npmjs.org/@vue/compiler-sfc/-/compiler-sfc-3.5.29.tgz",
-      "integrity": "sha512-oJZhN5XJs35Gzr50E82jg2cYdZQ78wEwvRO6Y63TvLVTc+6xICzJHP1UIecdSPPYIbkautNBanDiWYa64QSFIA==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-sfc/-/compiler-sfc-3.5.31.tgz",
+      "integrity": "sha512-M8wpPgR9UJ8MiRGjppvx9uWJfLV7A/T+/rL8s/y3QG3u0c2/YZgff3d6SuimKRIhcYnWg5fTfDMlz2E6seUW8Q==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@babel/parser": "^7.29.0",
-        "@vue/compiler-core": "3.5.29",
-        "@vue/compiler-dom": "3.5.29",
-        "@vue/compiler-ssr": "3.5.29",
-        "@vue/shared": "3.5.29",
+        "@babel/parser": "^7.29.2",
+        "@vue/compiler-core": "3.5.31",
+        "@vue/compiler-dom": "3.5.31",
+        "@vue/compiler-ssr": "3.5.31",
+        "@vue/shared": "3.5.31",
         "estree-walker": "^2.0.2",
         "magic-string": "^0.30.21",
-        "postcss": "^8.5.6",
+        "postcss": "^8.5.8",
         "source-map-js": "^1.2.1"
       }
     },
     "node_modules/@vue/compiler-ssr": {
-      "version": "3.5.29",
-      "resolved": "https://registry.npmjs.org/@vue/compiler-ssr/-/compiler-ssr-3.5.29.tgz",
-      "integrity": "sha512-Y/ARJZE6fpjzL5GH/phJmsFwx3g6t2KmHKHx5q+MLl2kencADKIrhH5MLF6HHpRMmlRAYBRSvv347Mepf1zVNw==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-ssr/-/compiler-ssr-3.5.31.tgz",
+      "integrity": "sha512-h0xIMxrt/LHOvJKMri+vdYT92BrK3HFLtDqq9Pr/lVVfE4IyKZKvWf0vJFW10Yr6nX02OR4MkJwI0c1HDa1hog==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@vue/compiler-dom": "3.5.29",
-        "@vue/shared": "3.5.29"
+        "@vue/compiler-dom": "3.5.31",
+        "@vue/shared": "3.5.31"
       }
     },
     "node_modules/@vue/shared": {
-      "version": "3.5.29",
-      "resolved": "https://registry.npmjs.org/@vue/shared/-/shared-3.5.29.tgz",
-      "integrity": "sha512-w7SR0A5zyRByL9XUkCfdLs7t9XOHUyJ67qPGQjOou3p6GvBeBW+AVjUUmlxtZ4PIYaRvE+1LmK44O4uajlZwcg==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/shared/-/shared-3.5.31.tgz",
+      "integrity": "sha512-nBxuiuS9Lj5bPkPbWogPUnjxxWpkRniX7e5UBQDWl6Fsf4roq9wwV+cR7ezQ4zXswNvPIlsdj1slcLB7XCsRAw==",
       "dev": true,
       "license": "MIT"
     },
@@ -5685,19 +5641,6 @@
         "node": ">= 8"
       }
     },
-    "node_modules/anymatch/node_modules/picomatch": {
-      "version": "2.3.1",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
-      "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=8.6"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/jonschlinkert"
-      }
-    },
     "node_modules/app-module-path": {
       "version": "2.2.0",
       "resolved": "https://registry.npmjs.org/app-module-path/-/app-module-path-2.2.0.tgz",
@@ -5826,6 +5769,40 @@
         "node": ">=18"
       }
     },
+    "node_modules/artillery-engine-playwright/node_modules/fsevents": {
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz",
+      "integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==",
+      "dev": true,
+      "hasInstallScript": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
+      }
+    },
+    "node_modules/artillery-engine-playwright/node_modules/playwright": {
+      "version": "1.58.1",
+      "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.58.1.tgz",
+      "integrity": "sha512-+2uTZHxSCcxjvGc5C891LrS1/NlxglGxzrC4seZiVjcYVQfUa87wBL6rTDqzGjuoWNjnBzRqKmF6zRYGMvQUaQ==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "playwright-core": "1.58.1"
+      },
+      "bin": {
+        "playwright": "cli.js"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "optionalDependencies": {
+        "fsevents": "2.3.2"
+      }
+    },
     "node_modules/artillery-plugin-apdex": {
       "version": "1.21.0",
       "resolved": "https://registry.npmjs.org/artillery-plugin-apdex/-/artillery-plugin-apdex-1.21.0.tgz",
@@ -6167,9 +6144,9 @@
       "license": "MIT"
     },
     "node_modules/brace-expansion": {
-      "version": "5.0.4",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.4.tgz",
-      "integrity": "sha512-h+DEnpVvxmfVefa4jFbCf5HdH5YMDXRsmKflpf1pILZWRFlTbJpxeU55nJl4Smt5HQaGzg1o6RHFPJaOqnmBDg==",
+      "version": "5.0.5",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz",
+      "integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==",
       "license": "MIT",
       "dependencies": {
         "balanced-match": "^4.0.2"
@@ -6892,14 +6869,14 @@
       }
     },
     "node_modules/dependency-tree": {
-      "version": "11.3.0",
-      "resolved": "https://registry.npmjs.org/dependency-tree/-/dependency-tree-11.3.0.tgz",
-      "integrity": "sha512-T893F3p48rblazo45S/5jkFEvU8mzZ8obtNSyP2S1QCA8e9PpVH+hIakHnQYdnhitwQ8wo9btYJpQxnjiGm0Qg==",
+      "version": "11.4.0",
+      "resolved": "https://registry.npmjs.org/dependency-tree/-/dependency-tree-11.4.0.tgz",
+      "integrity": "sha512-r4wZ1pfv8eQrnoWbIGdrJTVmlb0dkXdwBjKsotKO4gmfqrOsAMG+0+cfA5EZ3NO8umc85twXOl1eO27E5pjTzw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "commander": "^12.1.0",
-        "filing-cabinet": "^5.1.0",
+        "filing-cabinet": "^5.2.0",
         "precinct": "^12.2.0",
         "typescript": "^5.9.3"
       },
@@ -6940,9 +6917,9 @@
       }
     },
     "node_modules/detective-cjs": {
-      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/detective-cjs/-/detective-cjs-6.0.1.tgz",
-      "integrity": "sha512-tLTQsWvd2WMcmn/60T2inEJNhJoi7a//PQ7DwRKEj1yEeiQs4mrONgsUtEJKnZmrGWBBmE0kJ1vqOG/NAxwaJw==",
+      "version": "6.1.0",
+      "resolved": "https://registry.npmjs.org/detective-cjs/-/detective-cjs-6.1.0.tgz",
+      "integrity": "sha512-Qt3S4IddVNDb+71lm+jmt5NznIsgcKlibTnrw9Zr91rT9vRwKp+73+ImqLTNrQj4YuOxnzrC7GwIAVwF7136XQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -7195,9 +7172,9 @@
       }
     },
     "node_modules/eciesjs": {
-      "version": "0.4.17",
-      "resolved": "https://registry.npmjs.org/eciesjs/-/eciesjs-0.4.17.tgz",
-      "integrity": "sha512-TOOURki4G7sD1wDCjj7NfLaXZZ49dFOeEb5y39IXpb8p0hRzVvfvzZHOi5JcT+PpyAbi/Y+lxPb8eTag2WYH8w==",
+      "version": "0.4.18",
+      "resolved": "https://registry.npmjs.org/eciesjs/-/eciesjs-0.4.18.tgz",
+      "integrity": "sha512-wG99Zcfcys9fZux7Cft8BAX/YrOJLJSZ3jyYPfhZHqN2E+Ffx+QXBDsv3gubEgPtV6dTzJMSQUwk1H98/t/0wQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -7318,9 +7295,9 @@
       }
     },
     "node_modules/enhanced-resolve": {
-      "version": "5.20.0",
-      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.20.0.tgz",
-      "integrity": "sha512-/ce7+jQ1PQ6rVXwe+jKEg5hW5ciicHwIQUagZkp6IufBoY3YDgdTTY1azVs0qoRgVmvsNB+rbjLJxDAeHHtwsQ==",
+      "version": "5.20.1",
+      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.20.1.tgz",
+      "integrity": "sha512-Qohcme7V1inbAfvjItgw0EaxVX5q2rdVEZHRBrEQdRZTssLDGsL8Lwrznl8oQ/6kuTJONLaDcGjkNP247XEhcA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -7726,17 +7703,17 @@
       }
     },
     "node_modules/filing-cabinet": {
-      "version": "5.1.0",
-      "resolved": "https://registry.npmjs.org/filing-cabinet/-/filing-cabinet-5.1.0.tgz",
-      "integrity": "sha512-xA3nKuR0N762AtUloSEbq4T+tOqNf1rZ3vgPW8Sijurqz9rvArjTpZhfrV1OxSrhX6OUoDGAONXo6liKZTNXKQ==",
+      "version": "5.2.0",
+      "resolved": "https://registry.npmjs.org/filing-cabinet/-/filing-cabinet-5.2.0.tgz",
+      "integrity": "sha512-eNrCJGdYQY0tV+ACNesQ7vb2aMxD76NM7THayMn0Z5XBt1Tonr4vbVN+FbhHfekKGQG9O5UaciDDR7+dw8P9ZA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "app-module-path": "^2.2.0",
         "commander": "^12.1.0",
-        "enhanced-resolve": "^5.19.0",
+        "enhanced-resolve": "^5.20.0",
         "module-definition": "^6.0.1",
-        "module-lookup-amd": "^9.1.0",
+        "module-lookup-amd": "^9.1.1",
         "resolve": "^1.22.11",
         "resolve-dependency-path": "^4.0.1",
         "sass-lookup": "^6.1.0",
@@ -7811,9 +7788,9 @@
       }
     },
     "node_modules/fs-extra": {
-      "version": "11.3.3",
-      "resolved": "https://registry.npmjs.org/fs-extra/-/fs-extra-11.3.3.tgz",
-      "integrity": "sha512-VWSRii4t0AFm6ixFFmLLx1t7wS1gh+ckoa84aOeapGum0h+EZd1EhEumSB+ZdDLnEPuucsVB9oB7cxJHap6Afg==",
+      "version": "11.3.4",
+      "resolved": "https://registry.npmjs.org/fs-extra/-/fs-extra-11.3.4.tgz",
+      "integrity": "sha512-CTXd6rk/M3/ULNQj8FBqBWHYBVYybQ3VPBw0xGKFe3tuH7ytT6ACnvzpIQ3UZtB8yvUKC2cXn1a+x+5EVQLovA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -8964,9 +8941,9 @@
       }
     },
     "node_modules/lru-cache": {
-      "version": "11.2.6",
-      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.2.6.tgz",
-      "integrity": "sha512-ESL2CrkS/2wTPfuend7Zhkzo2u0daGJ/A2VucJOgQ/C48S/zB8MMeMHSGKYpXhIjbPxfuezITkaBH1wqv00DDQ==",
+      "version": "11.2.7",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.2.7.tgz",
+      "integrity": "sha512-aY/R+aEsRelme17KGQa/1ZSIpLpNYYrhcrepKTZgE+W3WM16YMCaPwOHLHsmopZHELU0Ojin1lPVxKR0MihncA==",
       "license": "BlueOak-1.0.0",
       "engines": {
         "node": "20 || >=22"
@@ -9248,9 +9225,9 @@
       }
     },
     "node_modules/nan": {
-      "version": "2.25.0",
-      "resolved": "https://registry.npmjs.org/nan/-/nan-2.25.0.tgz",
-      "integrity": "sha512-0M90Ag7Xn5KMLLZ7zliPWP3rT90P6PN+IzVFS0VqmnPktBk3700xUVv8Ikm9EUaUE5SDWdp/BIxdENzVznpm1g==",
+      "version": "2.26.2",
+      "resolved": "https://registry.npmjs.org/nan/-/nan-2.26.2.tgz",
+      "integrity": "sha512-0tTvBTYkt3tdGw22nrAy50x7gpbGCCFH3AFcyS5WiUu7Eu4vWlri1woE6qHBSfy11vksDqkiwjOnlR7WV8G1Hw==",
       "dev": true,
       "license": "MIT",
       "optional": true
@@ -9703,9 +9680,9 @@
       "license": "ISC"
     },
     "node_modules/picomatch": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
-      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -9716,13 +9693,13 @@
       }
     },
     "node_modules/playwright": {
-      "version": "1.58.1",
-      "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.58.1.tgz",
-      "integrity": "sha512-+2uTZHxSCcxjvGc5C891LrS1/NlxglGxzrC4seZiVjcYVQfUa87wBL6rTDqzGjuoWNjnBzRqKmF6zRYGMvQUaQ==",
+      "version": "1.58.2",
+      "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.58.2.tgz",
+      "integrity": "sha512-vA30H8Nvkq/cPBnNw4Q8TWz1EJyqgpuinBcHET0YVJVFldr8JDNiU9LaWAE1KqSkRYazuaBhTpB5ZzShOezQ6A==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
-        "playwright-core": "1.58.1"
+        "playwright-core": "1.58.2"
       },
       "bin": {
         "playwright": "cli.js"
@@ -9762,10 +9739,23 @@
         "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
       }
     },
+    "node_modules/playwright/node_modules/playwright-core": {
+      "version": "1.58.2",
+      "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.58.2.tgz",
+      "integrity": "sha512-yZkEtftgwS8CsfYo7nm0KE8jsvm6i/PTgVtB8DL726wNf6H2IMsDuxCpJj59KDaxCtSnrWan2AeDqM7JBaultg==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "bin": {
+        "playwright-core": "cli.js"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    },
     "node_modules/postcss": {
-      "version": "8.5.6",
-      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.6.tgz",
-      "integrity": "sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg==",
+      "version": "8.5.8",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.8.tgz",
+      "integrity": "sha512-OW/rX8O/jXnm82Ey1k44pObPtdblfiuWnrd8X7GJ7emImCOstunGbXUpp7HdBrFQX6rJzn3sPT397Wp5aCwCHg==",
       "dev": true,
       "funding": [
         {
@@ -9981,9 +9971,9 @@
       }
     },
     "node_modules/read-package-up/node_modules/type-fest": {
-      "version": "5.4.4",
-      "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-5.4.4.tgz",
-      "integrity": "sha512-JnTrzGu+zPV3aXIUhnyWJj4z/wigMsdYajGLIYakqyOW1nPllzXEJee0QQbHj+CTIQtXGlAjuK0UY+2xTyjVAw==",
+      "version": "5.5.0",
+      "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-5.5.0.tgz",
+      "integrity": "sha512-PlBfpQwiUvGViBNX84Yxwjsdhd1TUlXr6zjX7eoirtCPIr08NAmxwa+fcYBTeRQxHo9YC9wwF3m9i700sHma8g==",
       "license": "(MIT OR CC0-1.0)",
       "dependencies": {
         "tagged-tag": "^1.0.0"
@@ -10015,9 +10005,9 @@
       }
     },
     "node_modules/read-pkg/node_modules/type-fest": {
-      "version": "5.4.4",
-      "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-5.4.4.tgz",
-      "integrity": "sha512-JnTrzGu+zPV3aXIUhnyWJj4z/wigMsdYajGLIYakqyOW1nPllzXEJee0QQbHj+CTIQtXGlAjuK0UY+2xTyjVAw==",
+      "version": "5.5.0",
+      "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-5.5.0.tgz",
+      "integrity": "sha512-PlBfpQwiUvGViBNX84Yxwjsdhd1TUlXr6zjX7eoirtCPIr08NAmxwa+fcYBTeRQxHo9YC9wwF3m9i700sHma8g==",
       "license": "(MIT OR CC0-1.0)",
       "dependencies": {
         "tagged-tag": "^1.0.0"
@@ -10042,19 +10032,6 @@
         "node": ">=8.10.0"
       }
     },
-    "node_modules/readdirp/node_modules/picomatch": {
-      "version": "2.3.1",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
-      "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=8.6"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/jonschlinkert"
-      }
-    },
     "node_modules/reflect-metadata": {
       "version": "0.2.2",
       "resolved": "https://registry.npmjs.org/reflect-metadata/-/reflect-metadata-0.2.2.tgz",
@@ -10240,14 +10217,14 @@
       "license": "MIT"
     },
     "node_modules/sass-lookup": {
-      "version": "6.1.0",
-      "resolved": "https://registry.npmjs.org/sass-lookup/-/sass-lookup-6.1.0.tgz",
-      "integrity": "sha512-Zx+lVyoWqXZxHuYWlTA17Z5sczJ6braNT2C7rmClw+c4E7r/n911Zwss3h1uHI9reR5AgHZyNHF7c2+VIp5AUA==",
+      "version": "6.1.1",
+      "resolved": "https://registry.npmjs.org/sass-lookup/-/sass-lookup-6.1.1.tgz",
+      "integrity": "sha512-12dvZdQYTeKZ1ypjuiijZYuMZ1m0F+4+BkRX5yJi2WA9W3DBUrcdCt7bVuKlagHl11n8eYtalWDle+m98Ol2DA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "commander": "^12.1.0",
-        "enhanced-resolve": "^5.18.0"
+        "enhanced-resolve": "^5.20.0"
       },
       "bin": {
         "sass-lookup": "bin/cli.js"
@@ -10541,9 +10518,9 @@
       }
     },
     "node_modules/strnum": {
-      "version": "2.2.0",
-      "resolved": "https://registry.npmjs.org/strnum/-/strnum-2.2.0.tgz",
-      "integrity": "sha512-Y7Bj8XyJxnPAORMZj/xltsfo55uOiyHcU2tnAVzHUnSJR/KsEX+9RoDeXEnsXtl/CX4fAcrt64gZ13aGaWPeBg==",
+      "version": "2.2.2",
+      "resolved": "https://registry.npmjs.org/strnum/-/strnum-2.2.2.tgz",
+      "integrity": "sha512-DnR90I+jtXNSTXWdwrEy9FakW7UX+qUZg28gj5fk2vxxl7uS/3bpI4fjFYVmdK9etptYBPNkpahuQnEwhwECqA==",
       "dev": true,
       "funding": [
         {
@@ -10620,9 +10597,9 @@
       }
     },
     "node_modules/tapable": {
-      "version": "2.3.0",
-      "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.3.0.tgz",
-      "integrity": "sha512-g9ljZiwki/LfxmQADO3dEY1CbpmXT5Hm2fJ+QaGKwSXUylMybePR7/67YW7jOrrvjEgL1Fmz5kzyAjWVWLlucg==",
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.3.2.tgz",
+      "integrity": "sha512-1MOpMXuhGzGL5TTCZFItxCc0AARf1EZFQkGqMm7ERKj8+Hgr5oLvJOVFcC+lRmR8hCe2S3jC4T5D7Vg/d7/fhA==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -10802,9 +10779,9 @@
       "license": "MIT"
     },
     "node_modules/ts-api-utils": {
-      "version": "2.4.0",
-      "resolved": "https://registry.npmjs.org/ts-api-utils/-/ts-api-utils-2.4.0.tgz",
-      "integrity": "sha512-3TaVTaAv2gTiMB35i3FiGJaRfwb3Pyn/j3m/bfAvGe8FB7CF6u+LMYqYlDh7reQf7UNvoTvdfAqHGmPGOSsPmA==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/ts-api-utils/-/ts-api-utils-2.5.0.tgz",
+      "integrity": "sha512-OJ/ibxhPlqrMM0UiNHJ/0CKQkoKF243/AEmplt3qpRgkW8VG7IfOS41h7V8TjITqdByHzrjcS/2si+y4lIh8NA==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -10878,9 +10855,9 @@
       "license": "MIT"
     },
     "node_modules/undici": {
-      "version": "7.24.1",
-      "resolved": "https://registry.npmjs.org/undici/-/undici-7.24.1.tgz",
-      "integrity": "sha512-5xoBibbmnjlcR3jdqtY2Lnx7WbrD/tHlT01TmvqZUFVc9Q1w4+j5hbnapTqbcXITMH1ovjq/W7BkqBilHiVAaA==",
+      "version": "7.24.6",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-7.24.6.tgz",
+      "integrity": "sha512-Xi4agocCbRzt0yYMZGMA6ApD7gvtUFaxm4ZmeacWI4cZxaF6C+8I8QfofC20NAePiB/IcvZmzkJ7XPa471AEtA==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -11236,9 +11213,9 @@
       }
     },
     "node_modules/yaml": {
-      "version": "2.8.2",
-      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.2.tgz",
-      "integrity": "sha512-mplynKqc1C2hTVYxd0PU2xQAc22TI1vShAYGksCCfxbn/dFwnHTNi1bvYsBTkhdUNtGIf5xNOg938rrSSYvS9A==",
+      "version": "2.8.3",
+      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.3.tgz",
+      "integrity": "sha512-AvbaCLOO2Otw/lW5bmh9d/WEdcDFdQp2Z2ZUH3pX9U2ihyUY0nvLv7J6TrWowklRGPYbB/IuIMfYgxaCPg5Bpg==",
       "license": "ISC",
       "bin": {
         "yaml": "bin.mjs"
diff --git a/e2e/package.json b/e2e/package.json
index f06068ea3..e77b4466b 100644
--- a/e2e/package.json
+++ b/e2e/package.json
@@ -11,17 +11,16 @@
     "lint:fix": "biome check --fix .",
     "lint": "biome check .",
     "cucumber": "cucumber-js **/*.feature",
+    "test:security": "node --test tests/security/*.test.js",
     "test:playwright": "playwright test",
-    "test:playwright:ui": "playwright test --ui",
+    "test:playwright:ui": "playwright test --headed",
     "test:local": "dotenvx run -- ../scripts/run-e2e-tests.sh",
     "test:setup": "dotenvx run -- ../scripts/setup-test-containers.sh",
     "test:start-drydock": "dotenvx run -- ../scripts/start-drydock.sh",
     "test:cleanup": "../scripts/cleanup-test-containers.sh",
-    "load:smoke": "ARTILLERY_ENV=smoke ../scripts/run-load-test.sh",
-    "load:behavior": "ARTILLERY_FILE=./test/test-behavior.yml ARTILLERY_ENV=behavior ../scripts/run-load-test.sh",
     "load:ci": "ARTILLERY_ENV=ci ../scripts/run-load-test.sh",
-    "load:stress": "ARTILLERY_ENV=stress ../scripts/run-load-test.sh",
-    "load:rate-limit": "ARTILLERY_FILE=./test/test-rate-limit.yml ARTILLERY_ENV=ratelimit ../scripts/run-load-test.sh"
+    "load:behavior": "ARTILLERY_FILE=./test/test-behavior.yml ARTILLERY_ENV=behavior ../scripts/run-load-test.sh",
+    "load:stress": "ARTILLERY_ENV=stress ../scripts/run-load-test.sh"
   },
   "author": "CodesWhat",
   "repository": "CodesWhat/drydock",
@@ -31,12 +30,15 @@
     "socket.io-parser": "^4.2.6"
   },
   "devDependencies": {
-    "@dotenvx/dotenvx": "1.55.1",
+    "@dotenvx/dotenvx": "1.57.1",
     "@playwright/test": "^1.58.2",
     "artillery": "2.0.30"
   },
   "overrides": {
+    "brace-expansion": "5.0.5",
     "fast-xml-parser": "5.5.8",
-    "minimatch": "10.2.4"
+    "minimatch": "10.2.4",
+    "picomatch": "4.0.4",
+    "yaml": "2.8.3"
   }
 }
diff --git a/e2e/playwright.config.ts b/e2e/playwright.config.ts
index dde0d4f7a..09b912e92 100644
--- a/e2e/playwright.config.ts
+++ b/e2e/playwright.config.ts
@@ -1,38 +1,41 @@
-import { defineConfig, devices } from '@playwright/test';
+import { defineConfig } from '@playwright/test';
+
+const isCI = !!process.env.CI;
+const baseURL = process.env.DD_PLAYWRIGHT_BASE_URL || 'http://localhost:3333';
 
 export default defineConfig({
   testDir: './playwright',
   fullyParallel: false,
-  forbidOnly: !!process.env.CI,
-  retries: process.env.CI ? 1 : 0,
+  forbidOnly: isCI,
+  retries: isCI ? 1 : 0,
   workers: 1,
-  reporter: process.env.CI ? 'github' : 'html',
   timeout: 60_000,
+  reporter: isCI ? [['html', { outputFolder: 'playwright-report', open: 'never' }]] : [['list']],
 
   use: {
-    baseURL: process.env.DD_BASE_URL || 'http://localhost:3333',
-    trace: 'on-first-retry',
+    baseURL,
+    browserName: 'chromium',
+    trace: 'retain-on-failure',
     screenshot: 'only-on-failure',
   },
 
   projects: [
-    { name: 'setup', testMatch: /.*\.setup\.ts/ },
+    { name: 'setup', testMatch: /auth\.setup\.ts/ },
     {
-      name: 'authenticated',
-      testMatch: /(?:dashboard|containers)\.spec\.ts/,
+      name: 'chromium',
+      testMatch: /.*\.spec\.ts/,
+      testIgnore: /login\.spec\.ts/,
       use: {
-        ...devices['Desktop Chrome'],
         storageState: 'playwright/.auth/user.json',
       },
       dependencies: ['setup'],
     },
     {
-      // Login tests run last — they use cleared storage state and may
-      // trigger rate limiting with failed login attempts
       name: 'login',
       testMatch: /login\.spec\.ts/,
-      use: devices['Desktop Chrome'],
-      dependencies: ['authenticated'],
+      use: {
+        storageState: { cookies: [], origins: [] },
+      },
     },
   ],
 });
diff --git a/e2e/playwright/audit.spec.ts b/e2e/playwright/audit.spec.ts
new file mode 100644
index 000000000..d79272a98
--- /dev/null
+++ b/e2e/playwright/audit.spec.ts
@@ -0,0 +1,39 @@
+import { expect, test } from '@playwright/test';
+import { registerServerAvailabilityCheck } from './helpers/test-helpers';
+
+registerServerAvailabilityCheck(test);
+
+test.describe('Audit log', () => {
+  test.beforeEach(async ({ page }) => {
+    await page.goto('/audit?page=1');
+    await expect(page.getByRole('button', { name: 'Table view' })).toBeVisible({ timeout: 30_000 });
+  });
+
+  test('entries render and pagination navigates between pages', async ({ page }) => {
+    await page.getByRole('button', { name: 'Table view' }).click();
+
+    const rows = page.locator('tbody tr');
+    await expect(rows.first()).toBeVisible();
+
+    const paginationInfo = page.getByText(/Page \d+ of \d+ \(\d+ entries\)/).first();
+    test.skip(
+      (await paginationInfo.count()) === 0,
+      'Pagination controls are hidden because the audit log has only one page.',
+    );
+
+    const beforeText = (await paginationInfo.textContent()) || '';
+    const beforePage = Number(beforeText.match(/Page\s+(\d+)/)?.[1] || '1');
+
+    const paginationControls = paginationInfo.locator('xpath=..');
+    const prevButton = paginationControls.locator('button').first();
+    const nextButton = paginationControls.locator('button').nth(1);
+
+    await expect(nextButton).toBeEnabled();
+    await nextButton.click();
+    await expect(paginationInfo).toContainText(`Page ${beforePage + 1}`);
+
+    await expect(prevButton).toBeEnabled();
+    await prevButton.click();
+    await expect(paginationInfo).toContainText(`Page ${beforePage}`);
+  });
+});
diff --git a/e2e/playwright/auth.setup.ts b/e2e/playwright/auth.setup.ts
index a87c61a9b..1d57fcde7 100644
--- a/e2e/playwright/auth.setup.ts
+++ b/e2e/playwright/auth.setup.ts
@@ -1,22 +1,22 @@
 import { expect, test as setup } from '@playwright/test';
+import {
+  checkServerAvailability,
+  getCredentials,
+  getServerUnavailableMessage,
+  loginWithBasicAuth,
+} from './helpers/test-helpers';
 
 const authFile = 'playwright/.auth/user.json';
 
-setup('authenticate', async ({ page }) => {
-  const user = process.env.DD_USERNAME || 'admin';
-  const pass = process.env.DD_PASSWORD || 'admin';
+setup('authenticate', async ({ page, request, baseURL }) => {
+  const availability = await checkServerAvailability(request, baseURL);
+  expect(availability.healthy, getServerUnavailableMessage(baseURL)).toBeTruthy();
 
-  await page.goto('/login');
-
-  // Wait for the login form to appear (handles slow startup / rate limit recovery)
-  await expect(page.getByPlaceholder('Enter your username')).toBeVisible({ timeout: 15_000 });
+  const credentials = getCredentials();
 
-  await page.getByPlaceholder('Enter your username').fill(user);
-  await page.getByPlaceholder('Enter your password').fill(pass);
-  await page.getByRole('button', { name: 'Sign in' }).click();
+  await page.goto('/login');
 
-  // Wait for redirect to dashboard after successful login
-  await expect(page).toHaveURL('/', { timeout: 15_000 });
+  await loginWithBasicAuth(page, credentials);
 
   await page.context().storageState({ path: authFile });
 });
diff --git a/e2e/playwright/config.spec.ts b/e2e/playwright/config.spec.ts
new file mode 100644
index 000000000..ea25127f0
--- /dev/null
+++ b/e2e/playwright/config.spec.ts
@@ -0,0 +1,83 @@
+import { expect, type Locator, type Page, test } from '@playwright/test';
+import {
+  clickSidebarNavItem,
+  dismissAnnouncementBanners,
+  ensureSidebarExpanded,
+  registerServerAvailabilityCheck,
+} from './helpers/test-helpers';
+
+registerServerAvailabilityCheck(test);
+
+async function ensureFilterInputVisible(page: Page, placeholder: string): Promise<Locator | null> {
+  const input = page.getByPlaceholder(placeholder);
+  if (await input.isVisible().catch(() => false)) {
+    return input;
+  }
+
+  await dismissAnnouncementBanners(page);
+  const toggleButtons = page.locator('main').getByRole('button', { name: 'Toggle filters' });
+  const toggleCount = await toggleButtons.count();
+  for (let index = 0; index < toggleCount; index += 1) {
+    await toggleButtons.nth(index).click({ force: true });
+    if (await input.isVisible().catch(() => false)) {
+      return input;
+    }
+  }
+
+  return null;
+}
+
+test.describe('Config and management views', () => {
+  test('config tabs support URL deep-links', async ({ page }) => {
+    await page.goto('/config?tab=appearance');
+    await dismissAnnouncementBanners(page);
+    await expect(page).toHaveURL(/\/config\?tab=appearance/);
+    await expect(page.locator('main')).toContainText('Color Theme');
+
+    await dismissAnnouncementBanners(page);
+    await page.locator('main').getByRole('button', { name: 'Profile' }).click({ force: true });
+    await expect(page).toHaveURL(/\/config\?tab=profile/);
+    await expect(page.locator('main')).toContainText(
+      /Active Sessions|Loading profile|Failed to load profile/i,
+    );
+
+    await dismissAnnouncementBanners(page);
+    await page.locator('main').getByRole('button', { name: 'General' }).click({ force: true });
+    await expect(page).toHaveURL(/\/config\?tab=general/);
+  });
+
+  test('switches between registries/triggers/watchers and preserves URL deep-link queries', async ({
+    page,
+  }) => {
+    await page.goto('/registries');
+    await dismissAnnouncementBanners(page);
+    await ensureSidebarExpanded(page);
+
+    await clickSidebarNavItem(page, 'Triggers');
+    await expect(page).toHaveURL(/\/triggers(?:\?|$)/);
+
+    await clickSidebarNavItem(page, 'Watchers');
+    await expect(page).toHaveURL(/\/watchers(?:\?|$)/);
+
+    await page.goto('/registries?q=ghcr');
+    await expect(page).toHaveURL(/\/registries\?q=ghcr/);
+    const registriesFilterInput = await ensureFilterInputVisible(page, 'Filter by name or type...');
+    if (registriesFilterInput) {
+      await expect(registriesFilterInput).toHaveValue('ghcr');
+    }
+
+    await page.goto('/triggers?q=slack');
+    await expect(page).toHaveURL(/\/triggers\?q=slack/);
+    const triggersFilterInput = await ensureFilterInputVisible(page, 'Filter by name...');
+    if (triggersFilterInput) {
+      await expect(triggersFilterInput).toHaveValue('slack');
+    }
+
+    await page.goto('/watchers?q=remote');
+    await expect(page).toHaveURL(/\/watchers\?q=remote/);
+    const watchersFilterInput = await ensureFilterInputVisible(page, 'Filter by name...');
+    if (watchersFilterInput) {
+      await expect(watchersFilterInput).toHaveValue('remote');
+    }
+  });
+});
diff --git a/e2e/playwright/containers.spec.ts b/e2e/playwright/containers.spec.ts
index aae93d389..903880540 100644
--- a/e2e/playwright/containers.spec.ts
+++ b/e2e/playwright/containers.spec.ts
@@ -1,182 +1,199 @@
-import { expect, test } from '@playwright/test';
-
-test.describe('Containers view', () => {
-  test.beforeEach(async ({ page }) => {
-    await page.goto('/containers');
-    // Wait for view mode buttons to appear (containers page is loaded)
-    await expect(page.getByRole('button', { name: 'Table view' })).toBeVisible({ timeout: 30_000 });
+import { expect, type Locator, type Page, test } from '@playwright/test';
+import {
+  dismissAnnouncementBanners,
+  escapeRegExp,
+  registerServerAvailabilityCheck,
+} from './helpers/test-helpers';
+
+registerServerAvailabilityCheck(test);
+
+const KNOWN_CONTAINER_NAMES = [
+  'Nginx (Hooked)',
+  'Redis Cache',
+  'Traefik Proxy',
+  'Remote Nginx',
+  'MongoDB',
+  'PostgreSQL',
+  'Log Spammer',
+] as const;
+
+async function openContainersView(page: Page): Promise<void> {
+  await page.goto('/containers');
+  await dismissAnnouncementBanners(page);
+  await expect(page.getByRole('button', { name: 'Table view' })).toBeVisible({ timeout: 30_000 });
+}
+
+async function switchToCardsView(page: Page): Promise<void> {
+  await page.getByRole('button', { name: 'Cards view' }).click();
+  await expect(page.getByRole('button', { name: /Select / }).first()).toBeVisible({
+    timeout: 30_000,
   });
-
-  test('shows container count in header', async ({ page }) => {
-    await expect(page.getByRole('banner').getByText('Containers')).toBeVisible();
-    // Count format is "N/N" — wait for containers to load
-    await expect(page.getByText(/\d+\/\d+/)).toBeVisible({ timeout: 30_000 });
+}
+
+async function showFilterPanel(page: Page): Promise<void> {
+  const searchInput = page.getByPlaceholder('Search name or image...');
+  if (await searchInput.isVisible().catch(() => false)) {
+    return;
+  }
+  await dismissAnnouncementBanners(page);
+  await page.getByRole('button', { name: 'Toggle filters' }).click();
+  await expect(searchInput).toBeVisible();
+}
+
+async function openAnyContainerDetail(page: Page): Promise<string> {
+  await page.goto('/containers');
+  await dismissAnnouncementBanners(page);
+  // Clear any persisted search filter from previous tests
+  const searchInput = page.getByPlaceholder('Search name or image...');
+  if (await searchInput.isVisible().catch(() => false)) {
+    await searchInput.clear();
+    await page.waitForTimeout(300);
+  }
+  await expect(page.getByRole('button', { name: 'Table view' })).toBeVisible({ timeout: 30_000 });
+  const detailPanel = page.locator('[data-test="container-side-detail"]');
+
+  for (const containerName of KNOWN_CONTAINER_NAMES) {
+    const locator = page.getByRole('row', {
+      name: new RegExp(`\\b${escapeRegExp(containerName)}\\b`, 'i'),
+    });
+    if ((await locator.count()) > 0) {
+      await locator.first().click();
+      await expect(detailPanel).toBeVisible({ timeout: 15_000 });
+      return containerName;
+    }
+  }
+
+  const fallback = page.locator('tbody tr').first();
+  await expect(fallback).toBeVisible();
+  const label = (await fallback.textContent()) || 'selected container';
+  await fallback.click();
+  await expect(detailPanel).toBeVisible({ timeout: 15_000 });
+
+  return label.trim();
+}
+
+function detailTabButton(detailPanel: Locator, iconName: string): Locator {
+  return detailPanel.locator(`button:has(iconify-icon[icon*="${iconName}"])`).first();
+}
+
+function readContainerActionsFeatureFlag(payload: unknown): boolean | undefined {
+  if (!payload || typeof payload !== 'object') {
+    return undefined;
+  }
+
+  const rawFeature = (payload as { configuration?: { feature?: unknown } }).configuration?.feature;
+  if (!rawFeature || typeof rawFeature !== 'object') {
+    return undefined;
+  }
+
+  const containerActions = (rawFeature as Record<string, unknown>).containeractions;
+  return typeof containerActions === 'boolean' ? containerActions : undefined;
+}
+
+test.describe('Containers', () => {
+  test('container list loads and supports table/cards/list view toggles', async ({ page }) => {
+    await openContainersView(page);
+
+    await page.getByRole('button', { name: 'Table view' }).click();
+    await expect(page.locator('th', { hasText: 'Container' })).toBeVisible();
+
+    await page.getByRole('button', { name: 'Cards view' }).click();
+    await expect(page.getByRole('button', { name: /Select / }).first()).toBeVisible();
+
+    await page.getByRole('button', { name: 'List view' }).click();
+    await expect(page.getByRole('button', { name: /Select / }).first()).toBeVisible();
   });
 
-  test('has view mode toggle buttons', async ({ page }) => {
-    await expect(page.getByRole('button', { name: 'Table view' })).toBeVisible();
-    await expect(page.getByRole('button', { name: 'Cards view' })).toBeVisible();
-    await expect(page.getByRole('button', { name: 'List view' })).toBeVisible();
+  test('stack grouping and search filtering narrow the container list', async ({ page }) => {
+    await openContainersView(page);
+    await switchToCardsView(page);
+    await dismissAnnouncementBanners(page);
+
+    const allCards = page.getByRole('button', { name: /Select / });
+    const initialCount = await allCards.count();
+    expect(initialCount).toBeGreaterThan(0);
+
+    const groupByStackToggle = page
+      .locator('[data-test="containers-list-content"] button:has(iconify-icon[icon*="stack"])')
+      .first();
+    await groupByStackToggle.click();
+    await expect(page.locator('[data-test="containers-grouped-views"]')).toContainText(
+      /web-stack|infra|data|security-test/i,
+    );
+
+    await showFilterPanel(page);
+    const searchInput = page.getByPlaceholder('Search name or image...');
+    await searchInput.fill('nginx');
+    await page.waitForTimeout(500);
+
+    await expect(page.getByText(/nginx/i).first()).toBeVisible({ timeout: 10000 });
+    const filteredCards = page.getByRole('button', { name: /Select / });
+    const filteredRows = page.locator('[data-test="containers-grouped-views"] tr');
+    const filteredCount = (await filteredCards.count()) + (await filteredRows.count());
+    expect(filteredCount).toBeGreaterThan(0);
   });
 
-  test.describe('Card view', () => {
-    test.beforeEach(async ({ page }) => {
-      await page.getByRole('button', { name: 'Cards view' }).click();
-    });
+  test('container detail panel opens and required tabs are navigable', async ({ page }) => {
+    const selectedName = await openAnyContainerDetail(page);
+    const detailPanel = page.locator('[data-test="container-side-detail"]');
+    const detailContent = page.locator('[data-test="container-side-tab-content"]');
 
-    test('renders all containers as cards', async ({ page }) => {
-      await expect(page.getByRole('button', { name: 'Select Remote Nginx' })).toBeVisible();
-      await expect(page.getByRole('button', { name: 'Select PostgreSQL' })).toBeVisible();
-      await expect(page.getByRole('button', { name: 'Select MongoDB' })).toBeVisible();
-      await expect(page.getByRole('button', { name: 'Select Alpine (Latest)' })).toBeVisible();
-    });
+    await expect(detailPanel).toContainText(selectedName);
 
-    test('shows current and latest version labels on update cards', async ({ page }) => {
-      const nginxCard = page.getByRole('button', {
-        name: 'Select PostgreSQL',
-      });
-      await expect(nginxCard.getByText('Current')).toBeVisible();
-      await expect(nginxCard.getByText('Latest')).toBeVisible();
-    });
+    await detailTabButton(detailPanel, 'info').click({ force: true });
+    await expect(detailContent).toContainText('Version');
 
-    test('shows running status badge on cards', async ({ page }) => {
-      const card = page.getByRole('button', {
-        name: 'Select PostgreSQL',
-      });
-      await expect(card.getByText('running')).toBeVisible();
-    });
+    await detailTabButton(detailPanel, 'scroll').click({ force: true });
+    await expect(
+      detailContent.locator('text=/Search logs|not running|Log/i').first(),
+    ).toBeVisible();
 
-    test('shows registry badge on cards', async ({ page }) => {
-      await expect(page.getByText('Dockerhub').first()).toBeVisible();
-    });
+    await detailTabButton(detailPanel, 'sliders-horizontal').click({ force: true });
+    await expect(detailContent).toContainText('Environment Variables');
 
-    test('container without update has no Latest label', async ({ page }) => {
-      const alpineCard = page.getByRole('button', {
-        name: 'Select Alpine (Latest)',
-      });
-      await expect(alpineCard.getByText('Current')).toBeVisible();
-      // Alpine (Latest) should not show a "Latest" label (the word by itself)
-      const latestLabels = alpineCard.locator(':text-is("Latest")');
-      await expect(latestLabels).toHaveCount(0);
-    });
-  });
-
-  test.describe('Table view', () => {
-    test.beforeEach(async ({ page }) => {
-      await page.getByRole('button', { name: 'Table view' }).click();
-    });
+    await detailTabButton(detailPanel, 'cube').click({ force: true });
+    await expect(detailContent).toContainText('Labels');
 
-    test('renders table with correct column headers', async ({ page }) => {
-      await expect(page.locator('th', { hasText: 'Container' })).toBeVisible();
-      await expect(page.locator('th', { hasText: 'Version' })).toBeVisible();
-      await expect(page.locator('th', { hasText: 'Kind' })).toBeVisible();
-      await expect(page.locator('th', { hasText: 'Status' })).toBeVisible();
-      await expect(page.locator('th', { hasText: 'Host' })).toBeVisible();
-      await expect(page.locator('th', { hasText: 'Registry' })).toBeVisible();
-    });
-
-    test('renders at least one container row', async ({ page }) => {
-      const rows = page.locator('tbody tr');
-      await expect(rows.first()).toBeVisible();
-      expect(await rows.count()).toBeGreaterThan(0);
-    });
-
-    test('shows version in table row', async ({ page }) => {
-      const pgRow = page.locator('tr', { hasText: 'PostgreSQL' });
-      // Version cell is the 3rd td (index 2)
-      const versionCell = pgRow.locator('td').nth(2);
-      await expect(versionCell).toContainText('16.0');
-      await expect(versionCell).toContainText('18.3');
-    });
-
-    test('shows kind badges in kind column', async ({ page }) => {
-      const pgRow = page.locator('tr', { hasText: 'PostgreSQL' });
-      const kindCell = pgRow.locator('td').nth(3);
-      await expect(kindCell).toContainText('major');
-    });
-
-    test('shows kind badges with correct types', async ({ page }) => {
-      await expect(
-        page.locator('tr', { hasText: 'Log Spammer' }).locator('td').nth(3),
-      ).toContainText('minor');
-      await expect(
-        page.locator('tr', { hasText: 'PostgreSQL' }).locator('td').nth(3),
-      ).toContainText('major');
-      await expect(
-        page.locator('tr', { hasText: 'Python (Unsafe)' }).locator('td').nth(3),
-      ).toContainText('patch');
-    });
-
-    test('shows running status for all rendered containers', async ({ page }) => {
-      const rows = page.locator('tbody tr');
-      await expect(rows.first()).toBeVisible();
-      const rowCount = await rows.count();
-      expect(rowCount).toBeGreaterThan(0);
-
-      const runningBadges = page.locator('tbody tr td:has-text("running")');
-      await expect(runningBadges).toHaveCount(rowCount);
-    });
-
-    test('container without update shows dash for kind', async ({ page }) => {
-      const alpineRow = page.locator('tr', { hasText: 'Alpine (Latest)' });
-      await expect(alpineRow.getByText('—')).toBeVisible();
-    });
-  });
-
-  test.describe('List view', () => {
-    test.beforeEach(async ({ page }) => {
-      await page.getByRole('button', { name: 'List view' }).click();
-    });
-
-    test('renders all containers as list items', async ({ page }) => {
-      await expect(page.getByRole('button', { name: 'Select Remote Nginx' })).toBeVisible();
-      await expect(page.getByRole('button', { name: 'Select PostgreSQL' })).toBeVisible();
-      await expect(page.getByRole('button', { name: 'Select Alpine (Latest)' })).toBeVisible();
-      await expect(page.getByRole('button', { name: 'Select Traefik Proxy' })).toBeVisible();
-    });
-
-    test('shows kind badge on list items with updates', async ({ page }) => {
-      const pgItem = page.getByRole('button', {
-        name: 'Select PostgreSQL',
-      });
-      await expect(pgItem).toContainText('major');
-    });
-
-    test('shows host location on list items', async ({ page }) => {
-      const pgItem = page.getByRole('button', {
-        name: 'Select PostgreSQL',
-      });
-      await expect(pgItem).toContainText('Local');
-    });
-
-    test('container without update has no kind badge', async ({ page }) => {
-      const alpineItem = page.getByRole('button', {
-        name: 'Select Alpine (Latest)',
-      });
-      await expect(alpineItem).toContainText('running');
-      await expect(alpineItem).not.toContainText('minor');
-      await expect(alpineItem).not.toContainText('major');
-      await expect(alpineItem).not.toContainText('patch');
-    });
+    await detailTabButton(detailPanel, 'lightning').click({ force: true });
+    await expect(detailContent).toContainText('Update Workflow');
   });
 
-  test.describe('View mode persistence', () => {
-    test('switching view modes updates the active button', async ({ page }) => {
-      await page.getByRole('button', { name: 'Table view' }).click();
-      await expect(page.getByRole('button', { name: 'Table view' })).toHaveAttribute(
-        'aria-pressed',
-        'true',
-      );
-
-      await page.getByRole('button', { name: 'List view' }).click();
-      await expect(page.getByRole('button', { name: 'List view' })).toHaveAttribute(
-        'aria-pressed',
-        'true',
-      );
-      await expect(page.getByRole('button', { name: 'Table view' })).not.toHaveAttribute(
-        'aria-pressed',
-        'true',
-      );
-    });
+  test('actions tab shows trigger list and Update/Preview/Scan controls with feature gating', async ({
+    page,
+  }) => {
+    await openAnyContainerDetail(page);
+
+    const detailPanel = page.locator('[data-test="container-side-detail"]');
+    const detailContent = page.locator('[data-test="container-side-tab-content"]');
+
+    await detailTabButton(detailPanel, 'lightning').click({ force: true });
+
+    await expect(detailContent).toContainText('Associated Triggers');
+    await expect(
+      detailContent.getByRole('button', { name: /Preview Update|Previewing/ }),
+    ).toBeVisible();
+    await expect(detailContent.getByRole('button', { name: 'Scan Now' })).toBeVisible();
+
+    const updateNowCount = await detailContent.getByRole('button', { name: 'Update Now' }).count();
+    const forceUpdateCount = await detailContent
+      .getByRole('button', { name: /Force Update/i })
+      .count();
+    expect(updateNowCount + forceUpdateCount).toBeGreaterThan(0);
+
+    const serverResponse = await page.request.get('/api/server');
+    let actionsEnabled = true;
+    if (serverResponse.ok()) {
+      actionsEnabled = readContainerActionsFeatureFlag(await serverResponse.json()) ?? true;
+    }
+
+    const scanButton = detailContent.getByRole('button', { name: 'Scan Now' });
+    if (actionsEnabled) {
+      await expect(scanButton).toBeEnabled();
+    } else {
+      await scanButton.click();
+      await expect(
+        page.getByText('Container actions disabled by server configuration'),
+      ).toBeVisible();
+    }
   });
 });
diff --git a/e2e/playwright/dashboard.spec.ts b/e2e/playwright/dashboard.spec.ts
index b74e6b6ab..90898e511 100644
--- a/e2e/playwright/dashboard.spec.ts
+++ b/e2e/playwright/dashboard.spec.ts
@@ -1,59 +1,87 @@
 import { expect, test } from '@playwright/test';
+import { registerServerAvailabilityCheck } from './helpers/test-helpers';
+
+registerServerAvailabilityCheck(test);
 
 test.describe('Dashboard', () => {
   test.beforeEach(async ({ page }) => {
     await page.goto('/');
-    // Wait for dashboard to fully load (stat cards appear)
-    await expect(page.locator('main')).toContainText('Registries', {
-      timeout: 30_000,
-    });
+    await expect(page.locator('main')).toContainText('Updates Available', { timeout: 30_000 });
   });
 
-  test('displays stat cards with labels', async ({ page }) => {
-    const main = page.locator('main');
-    await expect(main).toContainText('Registries');
-    await expect(main).toContainText('Containers');
-    await expect(main).toContainText('Updates Available');
-    await expect(main).toContainText('Security Issues');
-  });
+  test('stat cards render labels and numeric values', async ({ page }) => {
+    const statLabels = ['Registries', 'Containers', 'Updates Available', 'Security Issues'];
 
-  test('shows container count with running/stopped breakdown', async ({ page }) => {
-    const main = page.locator('main');
-    await expect(main).toContainText(/\d+ running/);
+    for (const label of statLabels) {
+      const card = page.locator('.stat-card').filter({ hasText: label }).first();
+      await expect(card).toBeVisible();
+      await expect(card).toContainText(/\d+/);
+    }
   });
 
-  test('shows update maturity detail on updates stat card', async ({ page }) => {
-    const main = page.locator('main');
-    await expect(main).toContainText(/\d+ fresh · \d+ settled/);
-  });
+  test('critical dashboard widgets are present', async ({ page }) => {
+    const requiredSections = [
+      'Updates Available',
+      'Update Breakdown',
+      'Host Status',
+      'Security Overview',
+    ];
 
-  test('renders updates available section', async ({ page }) => {
-    const main = page.locator('main');
-    await expect(main.getByText('Updates Available').first()).toBeVisible();
+    for (const section of requiredSections) {
+      await expect(page.locator('main')).toContainText(section);
+    }
   });
 
-  test('renders update breakdown section', async ({ page }) => {
-    const main = page.locator('main');
-    await expect(main.getByText('Update Breakdown')).toBeVisible();
-  });
+  test('updates available columns stay aligned while the widget scrolls', async ({ page }) => {
+    const scrollContainer = page.locator(
+      '[aria-label="Updates Available widget"] .dd-scroll-stable',
+    );
+    await expect(scrollContainer).toBeVisible();
 
-  test('renders host status section', async ({ page }) => {
-    const main = page.locator('main');
-    await expect(main.getByText('Host Status')).toBeVisible();
-    await expect(main).toContainText(/connected/i);
-  });
+    const samples = await scrollContainer.evaluate(async (el) => {
+      const table = el.closest('[aria-label="Updates Available widget"]')?.querySelector('table');
+      const headerRow = table?.querySelector('thead tr');
+      const maxScroll = Math.max(0, el.scrollHeight - el.clientHeight);
+      const stops = [0, 0.25, 0.5, 0.75, 1].map((pct) => Math.round(maxScroll * pct));
+      const results: Array<{
+        headers: Array<{ left: number; width: number }>;
+        scrollTop: number;
+      }> = [];
 
-  test('renders security overview section', async ({ page }) => {
-    const main = page.locator('main');
-    await expect(main.getByText('Security Overview')).toBeVisible();
-  });
+      for (const target of stops) {
+        el.scrollTop = target;
+        await new Promise((resolve) => requestAnimationFrame(() => requestAnimationFrame(resolve)));
+        const headers = headerRow
+          ? Array.from(headerRow.children).map((cell) => {
+              const rect = cell.getBoundingClientRect();
+              return {
+                left: Number(rect.left.toFixed(3)),
+                width: Number(rect.width.toFixed(3)),
+              };
+            })
+          : [];
+
+        results.push({ scrollTop: el.scrollTop, headers });
+      }
+
+      return { maxScroll, results };
+    });
+
+    expect(samples.maxScroll).toBeGreaterThanOrEqual(0);
+    expect(samples.results[0]?.headers.length).toBeGreaterThan(0);
 
-  test('sidebar has navigation links', async ({ page }) => {
-    const sidebar = page.getByRole('complementary');
-    await expect(sidebar.getByText('Dashboard').first()).toBeVisible();
-    await expect(sidebar.getByText('Containers').first()).toBeVisible();
-    await expect(sidebar.getByText('Security').first()).toBeVisible();
-    await expect(sidebar.getByText('Audit').first()).toBeVisible();
-    await expect(sidebar.getByText('System Logs').first()).toBeVisible();
+    const baseline = samples.results[0].headers;
+    for (const sample of samples.results.slice(1)) {
+      for (const [index, header] of baseline.entries()) {
+        expect(
+          Math.abs(sample.headers[index].left - header.left),
+          `header ${index} drifted horizontally at scrollTop=${sample.scrollTop}`,
+        ).toBeLessThanOrEqual(0.5);
+        expect(
+          Math.abs(sample.headers[index].width - header.width),
+          `header ${index} width changed at scrollTop=${sample.scrollTop}`,
+        ).toBeLessThanOrEqual(0.5);
+      }
+    }
   });
 });
diff --git a/e2e/playwright/helpers/test-helpers.ts b/e2e/playwright/helpers/test-helpers.ts
new file mode 100644
index 000000000..760f08ea7
--- /dev/null
+++ b/e2e/playwright/helpers/test-helpers.ts
@@ -0,0 +1,151 @@
+import { type APIRequestContext, type test as base, expect, type Page } from '@playwright/test';
+
+const DEFAULT_BASE_URL = process.env.DD_PLAYWRIGHT_BASE_URL || 'http://localhost:3333';
+const HEALTH_ENDPOINTS = ['/health', '/api/health'] as const;
+const HEALTH_TIMEOUT_MS = 5_000;
+const HEALTH_RETRY_ATTEMPTS = 3;
+const HEALTH_RETRY_DELAY_MS = 1_000;
+
+interface Credentials {
+  password: string;
+  username: string;
+}
+
+interface ServerAvailabilityResult {
+  checkedUrls: string[];
+  healthy: boolean;
+}
+
+function getCredentials(): Credentials {
+  return {
+    username: process.env.DD_USERNAME || 'admin',
+    password: process.env.DD_PASSWORD || 'admin',
+  };
+}
+
+function resolveHealthUrls(baseURL?: string): string[] {
+  const targetBaseUrl = (baseURL || DEFAULT_BASE_URL).replace(/\/$/, '');
+  return HEALTH_ENDPOINTS.map((endpoint) => `${targetBaseUrl}${endpoint}`);
+}
+
+async function wait(ms: number): Promise<void> {
+  await new Promise((resolve) => {
+    setTimeout(resolve, ms);
+  });
+}
+
+async function checkHealthEndpoints(
+  request: APIRequestContext,
+  healthUrls: string[],
+): Promise<boolean> {
+  for (const healthUrl of healthUrls) {
+    try {
+      const response = await request.get(healthUrl, { timeout: HEALTH_TIMEOUT_MS });
+      if (response.ok()) {
+        return true;
+      }
+    } catch {
+      // Try the next endpoint.
+    }
+  }
+
+  return false;
+}
+
+async function checkServerAvailability(
+  request: APIRequestContext,
+  baseURL?: string,
+): Promise<ServerAvailabilityResult> {
+  const checkedUrls = resolveHealthUrls(baseURL);
+
+  for (let attempt = 1; attempt <= HEALTH_RETRY_ATTEMPTS; attempt += 1) {
+    if (await checkHealthEndpoints(request, checkedUrls)) {
+      return { healthy: true, checkedUrls };
+    }
+
+    if (attempt < HEALTH_RETRY_ATTEMPTS) {
+      await wait(HEALTH_RETRY_DELAY_MS);
+    }
+  }
+
+  return { healthy: false, checkedUrls };
+}
+
+async function isServerAvailable(request: APIRequestContext, baseURL?: string): Promise<boolean> {
+  const availability = await checkServerAvailability(request, baseURL);
+  return availability.healthy;
+}
+
+function registerServerAvailabilityCheck(test: typeof base): void {
+  test.beforeAll(async ({ request, baseURL }) => {
+    const availability = await checkServerAvailability(request, baseURL);
+    expect(
+      availability.healthy,
+      `Playwright QA server is unavailable. Checked health endpoints: ${availability.checkedUrls.join(', ')}`,
+    ).toBeTruthy();
+  });
+}
+
+function getServerUnavailableMessage(baseURL?: string): string {
+  const checkedUrls = resolveHealthUrls(baseURL);
+  return `Playwright QA server is unavailable. Checked health endpoints: ${checkedUrls.join(', ')}`;
+}
+
+async function loginWithBasicAuth(
+  page: Page,
+  credentials: Credentials = getCredentials(),
+): Promise<void> {
+  await expect(page.getByPlaceholder('Enter your username')).toBeVisible({ timeout: 15_000 });
+  await page.getByPlaceholder('Enter your username').fill(credentials.username);
+  await page.getByPlaceholder('Enter your password').fill(credentials.password);
+  await page.getByRole('button', { name: 'Sign in' }).click();
+  await expect(page).toHaveURL('/', { timeout: 20_000 });
+}
+
+async function ensureSidebarExpanded(page: Page): Promise<void> {
+  const expandButton = page.getByRole('button', { name: 'Expand sidebar' });
+  if (await expandButton.isVisible().catch(() => false)) {
+    await expandButton.click();
+  }
+}
+
+async function dismissAnnouncementBanners(page: Page): Promise<void> {
+  const dismissButtons = page.locator('[data-testid$="-dismiss-session"]');
+  await dismissButtons
+    .first()
+    .waitFor({ state: 'visible', timeout: 1_500 })
+    .catch(() => {});
+
+  for (let attempt = 0; attempt < 8; attempt += 1) {
+    const dismissButton = dismissButtons.first();
+    if (!(await dismissButton.isVisible().catch(() => false))) {
+      return;
+    }
+    await dismissButton.click();
+    await page.waitForTimeout(100);
+  }
+}
+
+async function clickSidebarNavItem(page: Page, label: string): Promise<void> {
+  await dismissAnnouncementBanners(page);
+  const item = page.locator('aside .nav-item').filter({ hasText: label }).first();
+  await expect(item).toBeVisible();
+  await item.click();
+}
+
+function escapeRegExp(value: string): string {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
+export {
+  checkServerAvailability,
+  clickSidebarNavItem,
+  dismissAnnouncementBanners,
+  ensureSidebarExpanded,
+  escapeRegExp,
+  getCredentials,
+  getServerUnavailableMessage,
+  isServerAvailable,
+  loginWithBasicAuth,
+  registerServerAvailabilityCheck,
+};
diff --git a/e2e/playwright/login.spec.ts b/e2e/playwright/login.spec.ts
index 23016df74..72f806a2a 100644
--- a/e2e/playwright/login.spec.ts
+++ b/e2e/playwright/login.spec.ts
@@ -1,47 +1,27 @@
 import { expect, test } from '@playwright/test';
+import {
+  getCredentials,
+  loginWithBasicAuth,
+  registerServerAvailabilityCheck,
+} from './helpers/test-helpers';
+
+registerServerAvailabilityCheck(test);
 
-// These tests do NOT use the auth setup — they test the login flow itself
 test.use({ storageState: { cookies: [], origins: [] } });
 
-test.describe('Login', () => {
-  test('shows login form with username and password fields', async ({ page }) => {
+test.describe('Login flow', () => {
+  test('basic auth credentials login redirects to dashboard', async ({ page }) => {
     await page.goto('/login');
+
     await expect(page.getByRole('heading', { name: 'Sign in to Drydock' })).toBeVisible();
-    await expect(page.getByPlaceholder('Enter your username')).toBeVisible();
-    await expect(page.getByPlaceholder('Enter your password')).toBeVisible();
-    await expect(page.getByRole('button', { name: 'Sign in' })).toBeVisible();
-  });
 
-  test('shows OIDC provider button', async ({ page }) => {
-    await page.goto('/login');
-    await expect(page.getByRole('button', { name: 'dex' })).toBeVisible();
-  });
+    await loginWithBasicAuth(page, getCredentials());
 
-  test('shows remember me checkbox', async ({ page }) => {
-    await page.goto('/login');
-    await expect(page.getByText('Remember me')).toBeVisible();
+    await expect(page.locator('main')).toContainText('Updates Available');
   });
 
-  test('redirects unauthenticated users to login', async ({ page }) => {
+  test('redirects unauthenticated users to login before dashboard', async ({ page }) => {
     await page.goto('/');
     await expect(page).toHaveURL(/\/login/);
   });
-
-  test('successful login redirects to dashboard', async ({ page }) => {
-    await page.goto('/login');
-    await expect(page.getByPlaceholder('Enter your username')).toBeVisible({ timeout: 10_000 });
-    await page.getByPlaceholder('Enter your username').fill('admin');
-    await page.getByPlaceholder('Enter your password').fill('admin');
-    await page.getByRole('button', { name: 'Sign in' }).click();
-    await expect(page).toHaveURL('/', { timeout: 15_000 });
-  });
-
-  test('failed login shows error message', async ({ page }) => {
-    await page.goto('/login');
-    await expect(page.getByPlaceholder('Enter your username')).toBeVisible({ timeout: 10_000 });
-    await page.getByPlaceholder('Enter your username').fill('admin');
-    await page.getByPlaceholder('Enter your password').fill('wrongpassword');
-    await page.getByRole('button', { name: 'Sign in' }).click();
-    await expect(page.getByText(/invalid|incorrect|failed/i)).toBeVisible({ timeout: 10_000 });
-  });
 });
diff --git a/e2e/playwright/navigation.spec.ts b/e2e/playwright/navigation.spec.ts
new file mode 100644
index 000000000..97dc695ad
--- /dev/null
+++ b/e2e/playwright/navigation.spec.ts
@@ -0,0 +1,58 @@
+import { expect, test } from '@playwright/test';
+import {
+  clickSidebarNavItem,
+  ensureSidebarExpanded,
+  registerServerAvailabilityCheck,
+} from './helpers/test-helpers';
+
+registerServerAvailabilityCheck(test);
+
+const SIDEBAR_NAV_TARGETS: Array<{ label: string; urlPattern: RegExp }> = [
+  { label: 'Dashboard', urlPattern: /\/(?:\?|$)/ },
+  { label: 'Containers', urlPattern: /\/containers(?:\?|$)/ },
+  { label: 'Security', urlPattern: /\/security(?:\?|$)/ },
+  { label: 'Audit', urlPattern: /\/audit(?:\?|$)/ },
+  { label: 'System Logs', urlPattern: /\/logs(?:\?|$)/ },
+  { label: 'Hosts', urlPattern: /\/servers(?:\?|$)/ },
+  { label: 'Registries', urlPattern: /\/registries(?:\?|$)/ },
+  { label: 'Watchers', urlPattern: /\/watchers(?:\?|$)/ },
+  { label: 'General', urlPattern: /\/config(?:\?|$)/ },
+  { label: 'Notifications', urlPattern: /\/notifications(?:\?|$)/ },
+  { label: 'Triggers', urlPattern: /\/triggers(?:\?|$)/ },
+  { label: 'Auth', urlPattern: /\/auth(?:\?|$)/ },
+  { label: 'Agents', urlPattern: /\/agents(?:\?|$)/ },
+];
+
+test.describe('Navigation', () => {
+  test.beforeEach(async ({ page }) => {
+    await page.goto('/');
+    await ensureSidebarExpanded(page);
+  });
+
+  test('sidebar links navigate to all primary views', async ({ page }) => {
+    for (const target of SIDEBAR_NAV_TARGETS) {
+      await clickSidebarNavItem(page, target.label);
+      await expect(page).toHaveURL(target.urlPattern);
+    }
+  });
+
+  test('browser back and forward navigation follows visited routes', async ({ page }) => {
+    await clickSidebarNavItem(page, 'Containers');
+    await expect(page).toHaveURL(/\/containers(?:\?|$)/);
+
+    await clickSidebarNavItem(page, 'Security');
+    await expect(page).toHaveURL(/\/security(?:\?|$)/);
+
+    await page.goBack();
+    await expect(page).toHaveURL(/\/containers(?:\?|$)/);
+
+    await page.goBack();
+    await expect(page).toHaveURL(/\/(?:\?|$)/);
+
+    await page.goForward();
+    await expect(page).toHaveURL(/\/containers(?:\?|$)/);
+
+    await page.goForward();
+    await expect(page).toHaveURL(/\/security(?:\?|$)/);
+  });
+});
diff --git a/e2e/playwright/security.spec.ts b/e2e/playwright/security.spec.ts
new file mode 100644
index 000000000..f33e942b4
--- /dev/null
+++ b/e2e/playwright/security.spec.ts
@@ -0,0 +1,27 @@
+import { expect, test } from '@playwright/test';
+import { registerServerAvailabilityCheck } from './helpers/test-helpers';
+
+registerServerAvailabilityCheck(test);
+
+test.describe('Security view', () => {
+  test.beforeEach(async ({ page }) => {
+    await page.goto('/security');
+    await expect(page.locator('main')).toContainText('Scan Now', { timeout: 30_000 });
+  });
+
+  test('CVE breakdown renders and SBOM download control is available', async ({ page }) => {
+    const breakdownLabels = ['Critical', 'High', 'Medium', 'Low'];
+    for (const label of breakdownLabels) {
+      await expect(page.locator('main')).toContainText(label);
+    }
+
+    await page.getByRole('button', { name: 'Table view' }).click();
+
+    const rows = page.locator('tbody tr');
+    const rowCount = await rows.count();
+    test.skip(rowCount === 0, 'No security rows available in this run');
+
+    await rows.first().click();
+    await expect(page.getByRole('button', { name: 'Download SBOM' })).toBeVisible();
+  });
+});
diff --git a/e2e/tests/security/brace-expansion-lockfile.test.js b/e2e/tests/security/brace-expansion-lockfile.test.js
new file mode 100644
index 000000000..b13774872
--- /dev/null
+++ b/e2e/tests/security/brace-expansion-lockfile.test.js
@@ -0,0 +1,39 @@
+const assert = require('node:assert/strict');
+const { readFileSync } = require('node:fs');
+const { join } = require('node:path');
+const test = require('node:test');
+
+function compareSemver(a, b) {
+  const aParts = a.split('.').map(Number);
+  const bParts = b.split('.').map(Number);
+
+  for (let index = 0; index < Math.max(aParts.length, bParts.length); index += 1) {
+    const aPart = aParts[index] ?? 0;
+    const bPart = bParts[index] ?? 0;
+
+    if (aPart !== bPart) {
+      return aPart - bPart;
+    }
+  }
+
+  return 0;
+}
+
+test('package manifest explicitly pins brace-expansion to the patched version', () => {
+  const packageJsonPath = join(process.cwd(), 'package.json');
+  const packageJson = JSON.parse(readFileSync(packageJsonPath, 'utf8'));
+
+  assert.equal(packageJson.overrides?.['brace-expansion'], '5.0.5');
+});
+
+test('package lockfile does not resolve vulnerable brace-expansion versions', () => {
+  const lockfilePath = join(process.cwd(), 'package-lock.json');
+  const lockfile = JSON.parse(readFileSync(lockfilePath, 'utf8'));
+  const vulnerableEntries = Object.entries(lockfile.packages ?? {})
+    .filter(
+      ([path, value]) => path.includes('brace-expansion') && typeof value.version === 'string',
+    )
+    .filter(([, value]) => compareSemver(value.version, '5.0.5') < 0);
+
+  assert.deepEqual(vulnerableEntries, []);
+});
diff --git a/e2e/tests/security/picomatch-lockfile.test.js b/e2e/tests/security/picomatch-lockfile.test.js
new file mode 100644
index 000000000..b9b712a90
--- /dev/null
+++ b/e2e/tests/security/picomatch-lockfile.test.js
@@ -0,0 +1,37 @@
+const assert = require('node:assert/strict');
+const { readFileSync } = require('node:fs');
+const { join } = require('node:path');
+const test = require('node:test');
+
+function compareSemver(a, b) {
+  const aParts = a.split('.').map(Number);
+  const bParts = b.split('.').map(Number);
+
+  for (let index = 0; index < Math.max(aParts.length, bParts.length); index += 1) {
+    const aPart = aParts[index] ?? 0;
+    const bPart = bParts[index] ?? 0;
+
+    if (aPart !== bPart) {
+      return aPart - bPart;
+    }
+  }
+
+  return 0;
+}
+
+test('package manifest explicitly pins picomatch to the patched version', () => {
+  const packageJsonPath = join(process.cwd(), 'package.json');
+  const packageJson = JSON.parse(readFileSync(packageJsonPath, 'utf8'));
+
+  assert.equal(packageJson.overrides?.picomatch, '4.0.4');
+});
+
+test('package lockfile does not resolve vulnerable picomatch versions', () => {
+  const lockfilePath = join(process.cwd(), 'package-lock.json');
+  const lockfile = JSON.parse(readFileSync(lockfilePath, 'utf8'));
+  const vulnerableEntries = Object.entries(lockfile.packages ?? {})
+    .filter(([path, value]) => path.includes('picomatch') && typeof value.version === 'string')
+    .filter(([, value]) => compareSemver(value.version, '4.0.4') < 0);
+
+  assert.deepEqual(vulnerableEntries, []);
+});
diff --git a/e2e/tests/security/yaml-lockfile.test.js b/e2e/tests/security/yaml-lockfile.test.js
new file mode 100644
index 000000000..2c7498883
--- /dev/null
+++ b/e2e/tests/security/yaml-lockfile.test.js
@@ -0,0 +1,35 @@
+const assert = require('node:assert/strict');
+const { readFileSync } = require('node:fs');
+const { join } = require('node:path');
+const test = require('node:test');
+
+function compareSemver(a, b) {
+  const aParts = a.split('.').map(Number);
+  const bParts = b.split('.').map(Number);
+
+  for (let index = 0; index < Math.max(aParts.length, bParts.length); index += 1) {
+    const aPart = aParts[index] ?? 0;
+    const bPart = bParts[index] ?? 0;
+
+    if (aPart !== bPart) {
+      return aPart - bPart;
+    }
+  }
+
+  return 0;
+}
+
+test('package manifest explicitly pins yaml to the patched version', () => {
+  const packageJson = JSON.parse(readFileSync(join(process.cwd(), 'package.json'), 'utf8'));
+
+  assert.equal(packageJson.overrides?.yaml, '2.8.3');
+});
+
+test('package lockfile does not resolve vulnerable yaml versions', () => {
+  const lockfile = JSON.parse(readFileSync(join(process.cwd(), 'package-lock.json'), 'utf8'));
+  const vulnerableEntries = Object.entries(lockfile.packages ?? {})
+    .filter(([path, value]) => path === 'node_modules/yaml' && typeof value.version === 'string')
+    .filter(([, value]) => compareSemver(value.version, '2.8.3') < 0);
+
+  assert.deepEqual(vulnerableEntries, []);
+});
diff --git a/healthcheck.c b/healthcheck.c
new file mode 100644
index 000000000..55332686f
--- /dev/null
+++ b/healthcheck.c
@@ -0,0 +1,76 @@
+/*
+ * healthcheck - Minimal HTTP healthcheck for Docker containers
+ *
+ * Opens a TCP connection to localhost, sends GET /health, exits 0 on 2xx.
+ * Statically linked, ~20KB binary. No TLS (unnecessary for localhost probes).
+ *
+ * Usage: healthcheck [port]   (default: 3000)
+ *
+ * MIT License - part of the Drydock project
+ */
+
+#include <sys/time.h>
+#include <arpa/inet.h>
+#include <netinet/in.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <unistd.h>
+
+#define DEFAULT_PORT 3000
+#define TIMEOUT_SEC 5
+#define BUF_SIZE 256
+
+int main(int argc, char *argv[]) {
+    int port = DEFAULT_PORT;
+
+    if (argc > 1) {
+        port = atoi(argv[1]);
+        if (port <= 0 || port > 65535) {
+            return 1;
+        }
+    }
+
+    int fd = socket(AF_INET, SOCK_STREAM, 0);
+    if (fd < 0)
+        return 1;
+
+    /* Set send/recv timeout */
+    struct timeval tv = {.tv_sec = TIMEOUT_SEC, .tv_usec = 0};
+    setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof(tv));
+    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
+
+    struct sockaddr_in addr = {
+        .sin_family = AF_INET,
+        .sin_port = htons(port),
+        .sin_addr.s_addr = htonl(INADDR_LOOPBACK),
+    };
+
+    if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
+        close(fd);
+        return 1;
+    }
+
+    const char *req = "GET /health HTTP/1.0\r\nHost: localhost\r\n\r\n";
+    if (write(fd, req, strlen(req)) < 0) {
+        close(fd);
+        return 1;
+    }
+
+    char buf[BUF_SIZE];
+    int n = read(fd, buf, sizeof(buf) - 1);
+    close(fd);
+
+    if (n <= 0)
+        return 1;
+
+    buf[n] = '\0';
+
+    /* Parse status code from "HTTP/1.x NNN" */
+    char *sp = strchr(buf, ' ');
+    if (!sp)
+        return 1;
+
+    int status = atoi(sp + 1);
+    return (status >= 200 && status <= 299) ? 0 : 1;
+}
diff --git a/lefthook.yml b/lefthook.yml
index 988ede1b6..59b654370 100644
--- a/lefthook.yml
+++ b/lefthook.yml
@@ -5,7 +5,7 @@
 #   0. Clean tree gate — rejects untracked/uncommitted/stashed files
 #   1. Lint gate (~20s) — catches formatting/lint before burning CPU
 #   2. Build + test (~26s parallel) — independent workspaces run concurrently
-#   3. E2E + zizmor (blocking)
+#   3. E2E + Playwright + zizmor (blocking)
 #
 # Snyk scans are CI-only (release workflow) to preserve the 200/month quota.
 #
@@ -60,7 +60,7 @@ pre-push:
       priority: 2
       timeout: 30s
     qlty:
-      run: CI=1 qlty check --all --no-progress </dev/null
+      run: ./scripts/qlty-check-gate.sh all
       priority: 3
       timeout: 4m
 
@@ -74,7 +74,13 @@ pre-push:
     e2e:
       run: ./scripts/run-e2e-tests.sh
       priority: 5
-      timeout: 2m
+      timeout: 10m
+
+    # ── Playwright: mirrors CI "Playwright E2E" job ────────────────
+    e2e-playwright:
+      run: ./scripts/run-playwright-qa.sh
+      priority: 6
+      timeout: 15m
 
     # ── Zizmor: GitHub Actions security scanner (blocking) ───────────
     zizmor:
@@ -82,5 +88,5 @@ pre-push:
       run: zizmor .github/workflows/
       skip:
         - run: '! command -v zizmor >/dev/null 2>&1'
-      priority: 6
+      priority: 7
       timeout: 30s
diff --git a/package-lock.json b/package-lock.json
index 01d180a55..42286da01 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -5,16 +5,17 @@
   "packages": {
     "": {
       "devDependencies": {
-        "@biomejs/biome": "^2.4.7"
+        "@biomejs/biome": "^2.4.8",
+        "lefthook": "^2.1.4"
       },
       "engines": {
         "node": ">=24.0.0"
       }
     },
     "node_modules/@biomejs/biome": {
-      "version": "2.4.7",
-      "resolved": "https://registry.npmjs.org/@biomejs/biome/-/biome-2.4.7.tgz",
-      "integrity": "sha512-vXrgcmNGZ4lpdwZSpMf1hWw1aWS6B+SyeSYKTLrNsiUsAdSRN0J4d/7mF3ogJFbIwFFSOL3wT92Zzxia/d5/ng==",
+      "version": "2.4.8",
+      "resolved": "https://registry.npmjs.org/@biomejs/biome/-/biome-2.4.8.tgz",
+      "integrity": "sha512-ponn0oKOky1oRXBV+rlSaUlixUxf1aZvWC19Z41zBfUOUesthrQqL3OtiAlSB1EjFjyWpn98Q64DHelhA6jNlA==",
       "dev": true,
       "license": "MIT OR Apache-2.0",
       "bin": {
@@ -28,20 +29,20 @@
         "url": "https://opencollective.com/biome"
       },
       "optionalDependencies": {
-        "@biomejs/cli-darwin-arm64": "2.4.7",
-        "@biomejs/cli-darwin-x64": "2.4.7",
-        "@biomejs/cli-linux-arm64": "2.4.7",
-        "@biomejs/cli-linux-arm64-musl": "2.4.7",
-        "@biomejs/cli-linux-x64": "2.4.7",
-        "@biomejs/cli-linux-x64-musl": "2.4.7",
-        "@biomejs/cli-win32-arm64": "2.4.7",
-        "@biomejs/cli-win32-x64": "2.4.7"
+        "@biomejs/cli-darwin-arm64": "2.4.8",
+        "@biomejs/cli-darwin-x64": "2.4.8",
+        "@biomejs/cli-linux-arm64": "2.4.8",
+        "@biomejs/cli-linux-arm64-musl": "2.4.8",
+        "@biomejs/cli-linux-x64": "2.4.8",
+        "@biomejs/cli-linux-x64-musl": "2.4.8",
+        "@biomejs/cli-win32-arm64": "2.4.8",
+        "@biomejs/cli-win32-x64": "2.4.8"
       }
     },
     "node_modules/@biomejs/cli-darwin-arm64": {
-      "version": "2.4.7",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-darwin-arm64/-/cli-darwin-arm64-2.4.7.tgz",
-      "integrity": "sha512-Oo0cF5mHzmvDmTXw8XSjhCia8K6YrZnk7aCS54+/HxyMdZMruMO3nfpDsrlar/EQWe41r1qrwKiCa2QDYHDzWA==",
+      "version": "2.4.8",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-darwin-arm64/-/cli-darwin-arm64-2.4.8.tgz",
+      "integrity": "sha512-ARx0tECE8I7S2C2yjnWYLNbBdDoPdq3oyNLhMglmuctThwUsuzFWRKrHmIGwIRWKz0Mat9DuzLEDp52hGnrxGQ==",
       "cpu": [
         "arm64"
       ],
@@ -56,9 +57,9 @@
       }
     },
     "node_modules/@biomejs/cli-darwin-x64": {
-      "version": "2.4.7",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-darwin-x64/-/cli-darwin-x64-2.4.7.tgz",
-      "integrity": "sha512-I+cOG3sd/7HdFtvDSnF9QQPrWguUH7zrkIMMykM3PtfWU9soTcS2yRb9Myq6MHmzbeCT08D1UmY+BaiMl5CcoQ==",
+      "version": "2.4.8",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-darwin-x64/-/cli-darwin-x64-2.4.8.tgz",
+      "integrity": "sha512-Jg9/PsB9vDCJlANE8uhG7qDhb5w0Ix69D7XIIc8IfZPUoiPrbLm33k2Ig3NOJ/7nb3UbesFz3D1aDKm9DvzjhQ==",
       "cpu": [
         "x64"
       ],
@@ -73,9 +74,9 @@
       }
     },
     "node_modules/@biomejs/cli-linux-arm64": {
-      "version": "2.4.7",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-arm64/-/cli-linux-arm64-2.4.7.tgz",
-      "integrity": "sha512-om6FugwmibzfP/6ALj5WRDVSND4H2G9X0nkI1HZpp2ySf9lW2j0X68oQSaHEnls6666oy4KDsc5RFjT4m0kV0w==",
+      "version": "2.4.8",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-arm64/-/cli-linux-arm64-2.4.8.tgz",
+      "integrity": "sha512-5CdrsJct76XG2hpKFwXnEtlT1p+4g4yV+XvvwBpzKsTNLO9c6iLlAxwcae2BJ7ekPGWjNGw9j09T5KGPKKxQig==",
       "cpu": [
         "arm64"
       ],
@@ -90,9 +91,9 @@
       }
     },
     "node_modules/@biomejs/cli-linux-arm64-musl": {
-      "version": "2.4.7",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-arm64-musl/-/cli-linux-arm64-musl-2.4.7.tgz",
-      "integrity": "sha512-I2NvM9KPb09jWml93O2/5WMfNR7Lee5Latag1JThDRMURVhPX74p9UDnyTw3Ae6cE1DgXfw7sqQgX7rkvpc0vw==",
+      "version": "2.4.8",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-arm64-musl/-/cli-linux-arm64-musl-2.4.8.tgz",
+      "integrity": "sha512-Zo9OhBQDJ3IBGPlqHiTISloo5H0+FBIpemqIJdW/0edJ+gEcLR+MZeZozcUyz3o1nXkVA7++DdRKQT0599j9jA==",
       "cpu": [
         "arm64"
       ],
@@ -107,9 +108,9 @@
       }
     },
     "node_modules/@biomejs/cli-linux-x64": {
-      "version": "2.4.7",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-x64/-/cli-linux-x64-2.4.7.tgz",
-      "integrity": "sha512-bV8/uo2Tj+gumnk4sUdkerWyCPRabaZdv88IpbmDWARQQoA/Q0YaqPz1a+LSEDIL7OfrnPi9Hq1Llz4ZIGyIQQ==",
+      "version": "2.4.8",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-x64/-/cli-linux-x64-2.4.8.tgz",
+      "integrity": "sha512-PdKXspVEaMCQLjtZCn6vfSck/li4KX9KGwSDbZdgIqlrizJ2MnMcE3TvHa2tVfXNmbjMikzcfJpuPWH695yJrw==",
       "cpu": [
         "x64"
       ],
@@ -124,9 +125,9 @@
       }
     },
     "node_modules/@biomejs/cli-linux-x64-musl": {
-      "version": "2.4.7",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-x64-musl/-/cli-linux-x64-musl-2.4.7.tgz",
-      "integrity": "sha512-00kx4YrBMU8374zd2wHuRV5wseh0rom5HqRND+vDldJPrWwQw+mzd/d8byI9hPx926CG+vWzq6AeiT7Yi5y59g==",
+      "version": "2.4.8",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-x64-musl/-/cli-linux-x64-musl-2.4.8.tgz",
+      "integrity": "sha512-Gi8quv8MEuDdKaPFtS2XjEnMqODPsRg6POT6KhoP+VrkNb+T2ywunVB+TvOU0LX1jAZzfBr+3V1mIbBhzAMKvw==",
       "cpu": [
         "x64"
       ],
@@ -141,9 +142,9 @@
       }
     },
     "node_modules/@biomejs/cli-win32-arm64": {
-      "version": "2.4.7",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-win32-arm64/-/cli-win32-arm64-2.4.7.tgz",
-      "integrity": "sha512-hOUHBMlFCvDhu3WCq6vaBoG0dp0LkWxSEnEEsxxXvOa9TfT6ZBnbh72A/xBM7CBYB7WgwqboetzFEVDnMxelyw==",
+      "version": "2.4.8",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-win32-arm64/-/cli-win32-arm64-2.4.8.tgz",
+      "integrity": "sha512-LoFatS0tnHv6KkCVpIy3qZCih+MxUMvdYiPWLHRri7mhi2vyOOs8OrbZBcLTUEWCS+ktO72nZMy4F96oMhkOHQ==",
       "cpu": [
         "arm64"
       ],
@@ -158,9 +159,9 @@
       }
     },
     "node_modules/@biomejs/cli-win32-x64": {
-      "version": "2.4.7",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-win32-x64/-/cli-win32-x64-2.4.7.tgz",
-      "integrity": "sha512-qEpGjSkPC3qX4ycbMUthXvi9CkRq7kZpkqMY1OyhmYlYLnANnooDQ7hDerM8+0NJ+DZKVnsIc07h30XOpt7LtQ==",
+      "version": "2.4.8",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-win32-x64/-/cli-win32-x64-2.4.8.tgz",
+      "integrity": "sha512-vAn7iXDoUbqFXqVocuq1sMYAd33p8+mmurqJkWl6CtIhobd/O6moe4rY5AJvzbunn/qZCdiDVcveqtkFh1e7Hg==",
       "cpu": [
         "x64"
       ],
@@ -173,6 +174,169 @@
       "engines": {
         "node": ">=14.21.3"
       }
+    },
+    "node_modules/lefthook": {
+      "version": "2.1.4",
+      "resolved": "https://registry.npmjs.org/lefthook/-/lefthook-2.1.4.tgz",
+      "integrity": "sha512-JNfJ5gAn0KADvJ1I6/xMcx70+/6TL6U9gqGkKvPw5RNMfatC7jIg0Evl97HN846xmfz959BV70l8r3QsBJk30w==",
+      "dev": true,
+      "hasInstallScript": true,
+      "license": "MIT",
+      "bin": {
+        "lefthook": "bin/index.js"
+      },
+      "optionalDependencies": {
+        "lefthook-darwin-arm64": "2.1.4",
+        "lefthook-darwin-x64": "2.1.4",
+        "lefthook-freebsd-arm64": "2.1.4",
+        "lefthook-freebsd-x64": "2.1.4",
+        "lefthook-linux-arm64": "2.1.4",
+        "lefthook-linux-x64": "2.1.4",
+        "lefthook-openbsd-arm64": "2.1.4",
+        "lefthook-openbsd-x64": "2.1.4",
+        "lefthook-windows-arm64": "2.1.4",
+        "lefthook-windows-x64": "2.1.4"
+      }
+    },
+    "node_modules/lefthook-darwin-arm64": {
+      "version": "2.1.4",
+      "resolved": "https://registry.npmjs.org/lefthook-darwin-arm64/-/lefthook-darwin-arm64-2.1.4.tgz",
+      "integrity": "sha512-BUAAE9+rUrjr39a+wH/1zHmGrDdwUQ2Yq/z6BQbM/yUb9qtXBRcQ5eOXxApqWW177VhGBpX31aqIlfAZ5Q7wzw==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ]
+    },
+    "node_modules/lefthook-darwin-x64": {
+      "version": "2.1.4",
+      "resolved": "https://registry.npmjs.org/lefthook-darwin-x64/-/lefthook-darwin-x64-2.1.4.tgz",
+      "integrity": "sha512-K1ncIMEe84fe+ss1hQNO7rIvqiKy2TJvTFpkypvqFodT7mJXZn7GLKYTIXdIuyPAYthRa9DwFnx5uMoHwD2F1Q==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ]
+    },
+    "node_modules/lefthook-freebsd-arm64": {
+      "version": "2.1.4",
+      "resolved": "https://registry.npmjs.org/lefthook-freebsd-arm64/-/lefthook-freebsd-arm64-2.1.4.tgz",
+      "integrity": "sha512-PVUhjOhVN71YaYsVdQyNbFZ4a2jFB2Tg5hKrrn9kaWpx64aLz/XivLjwr8sEuTaP1GRlEWBpW6Bhrcsyo39qFw==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ]
+    },
+    "node_modules/lefthook-freebsd-x64": {
+      "version": "2.1.4",
+      "resolved": "https://registry.npmjs.org/lefthook-freebsd-x64/-/lefthook-freebsd-x64-2.1.4.tgz",
+      "integrity": "sha512-ZWV9o/LeyWNEBoVO+BhLqxH3rGTba05nkm5NvMjEFSj7LbUNUDbQmupZwtHl1OMGJO66eZP0CalzRfUH6GhBxQ==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ]
+    },
+    "node_modules/lefthook-linux-arm64": {
+      "version": "2.1.4",
+      "resolved": "https://registry.npmjs.org/lefthook-linux-arm64/-/lefthook-linux-arm64-2.1.4.tgz",
+      "integrity": "sha512-iWN0pGnTjrIvNIcSI1vQBJXUbybTqJ5CLMniPA0olabMXQfPDrdMKVQe+mgdwHK+E3/Y0H0ZNL3lnOj6Sk6szA==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/lefthook-linux-x64": {
+      "version": "2.1.4",
+      "resolved": "https://registry.npmjs.org/lefthook-linux-x64/-/lefthook-linux-x64-2.1.4.tgz",
+      "integrity": "sha512-96bTBE/JdYgqWYAJDh+/e/0MaxJ25XTOAk7iy/fKoZ1ugf6S0W9bEFbnCFNooXOcxNVTan5xWKfcjJmPIKtsJA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
+    },
+    "node_modules/lefthook-openbsd-arm64": {
+      "version": "2.1.4",
+      "resolved": "https://registry.npmjs.org/lefthook-openbsd-arm64/-/lefthook-openbsd-arm64-2.1.4.tgz",
+      "integrity": "sha512-oYUoK6AIJNEr9lUSpIMj6g7sWzotvtc3ryw7yoOyQM6uqmEduw73URV/qGoUcm4nqqmR93ZalZwR2r3Gd61zvw==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openbsd"
+      ]
+    },
+    "node_modules/lefthook-openbsd-x64": {
+      "version": "2.1.4",
+      "resolved": "https://registry.npmjs.org/lefthook-openbsd-x64/-/lefthook-openbsd-x64-2.1.4.tgz",
+      "integrity": "sha512-i/Dv9Jcm68y9cggr1PhyUhOabBGP9+hzQPoiyOhKks7y9qrJl79A8XfG6LHekSuYc2VpiSu5wdnnrE1cj2nfTg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openbsd"
+      ]
+    },
+    "node_modules/lefthook-windows-arm64": {
+      "version": "2.1.4",
+      "resolved": "https://registry.npmjs.org/lefthook-windows-arm64/-/lefthook-windows-arm64-2.1.4.tgz",
+      "integrity": "sha512-hSww7z+QX4YMnw2lK7DMrs3+w7NtxksuMKOkCKGyxUAC/0m1LAICo0ZbtdDtZ7agxRQQQ/SEbzFRhU5ysNcbjA==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ]
+    },
+    "node_modules/lefthook-windows-x64": {
+      "version": "2.1.4",
+      "resolved": "https://registry.npmjs.org/lefthook-windows-x64/-/lefthook-windows-x64-2.1.4.tgz",
+      "integrity": "sha512-eE68LwnogxwcPgGsbVGPGxmghyMGmU9SdGwcc+uhGnUxPz1jL89oECMWJNc36zjVK24umNeDAzB5KA3lw1MuWw==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ]
     }
   }
 }
diff --git a/package.json b/package.json
index b982ccc05..b3d3c97d1 100644
--- a/package.json
+++ b/package.json
@@ -1,8 +1,13 @@
 {
+  "version": "1.5.0",
+  "scripts": {
+    "prepare": "lefthook install"
+  },
   "engines": {
     "node": ">=24.0.0"
   },
   "devDependencies": {
-    "@biomejs/biome": "^2.4.7"
+    "@biomejs/biome": "^2.4.8",
+    "lefthook": "^2.1.4"
   }
 }
diff --git a/scripts/check-load-test-regression.sh b/scripts/check-load-test-regression.sh
index fd8d68fd1..95772443d 100755
--- a/scripts/check-load-test-regression.sh
+++ b/scripts/check-load-test-regression.sh
@@ -8,6 +8,9 @@ BASELINE_REPORT="${2:-}"
 DD_LOAD_TEST_MAX_P95_INCREASE_PCT="${DD_LOAD_TEST_MAX_P95_INCREASE_PCT:-20}"
 DD_LOAD_TEST_MAX_P99_INCREASE_PCT="${DD_LOAD_TEST_MAX_P99_INCREASE_PCT:-25}"
 DD_LOAD_TEST_MAX_RATE_DECREASE_PCT="${DD_LOAD_TEST_MAX_RATE_DECREASE_PCT:-15}"
+DD_LOAD_TEST_MAX_P95_MS="${DD_LOAD_TEST_MAX_P95_MS:-1200}"
+DD_LOAD_TEST_MAX_P99_MS="${DD_LOAD_TEST_MAX_P99_MS:-2500}"
+DD_LOAD_TEST_MIN_REQUEST_RATE="${DD_LOAD_TEST_MIN_REQUEST_RATE:-10}"
 DD_LOAD_TEST_REGRESSION_ENFORCE="${DD_LOAD_TEST_REGRESSION_ENFORCE:-false}"
 DD_LOAD_TEST_BASELINE_ARTIFACT_NAME="${DD_LOAD_TEST_BASELINE_ARTIFACT_NAME:-}"
 
@@ -37,11 +40,44 @@ is_true() {
 	esac
 }
 
+is_false() {
+	local normalized
+	normalized="$(printf "%s" "${1}" | tr '[:upper:]' '[:lower:]')"
+	case "${normalized}" in
+	0 | false | no | off)
+		return 0
+		;;
+	*)
+		return 1
+		;;
+	esac
+}
+
 is_number() {
 	local value="$1"
 	[[ ${value} =~ ^[0-9]+([.][0-9]+)?$ ]]
 }
 
+validate_enforcement_mode() {
+	if is_true "${DD_LOAD_TEST_REGRESSION_ENFORCE}" || is_false "${DD_LOAD_TEST_REGRESSION_ENFORCE}"; then
+		return 0
+	fi
+
+	summary "### Load Test Regression Gate"
+	summary "- Invalid DD_LOAD_TEST_REGRESSION_ENFORCE value: \`${DD_LOAD_TEST_REGRESSION_ENFORCE}\` (expected true/false)."
+	exit 2
+}
+
+exit_with_gate_status() {
+	local reason="$1"
+	if is_true "${DD_LOAD_TEST_REGRESSION_ENFORCE}"; then
+		summary "- Regression status: FAIL (enforced, ${reason})"
+		exit 1
+	fi
+	summary "- Regression status: WARN (advisory, ${reason})"
+	exit 0
+}
+
 load_metric() {
 	local report="$1"
 	local query="$2"
@@ -79,20 +115,33 @@ is_greater_than() {
     if (left > right) {
       exit 0
     }
+    exit 1
+	}'
+}
+
+is_less_than() {
+	local left="$1"
+	local right="$2"
+	awk -v left="${left}" -v right="${right}" 'BEGIN {
+    if (left < right) {
+      exit 0
+    }
     exit 1
   }'
 }
 
+validate_enforcement_mode
+
 if [ ! -f "${CURRENT_REPORT}" ]; then
 	summary "### Load Test Regression Gate"
 	summary "- Current report not found: \`${CURRENT_REPORT}\`"
-	exit 0
+	exit_with_gate_status "missing current report"
 fi
 
 if [ ! -f "${BASELINE_REPORT}" ]; then
 	summary "### Load Test Regression Gate"
 	summary "- Baseline report not found: \`${BASELINE_REPORT}\`"
-	exit 0
+	exit_with_gate_status "missing baseline report"
 fi
 
 current_p95="$(load_metric "${CURRENT_REPORT}" '.aggregate.summaries["http.response_time"].p95')"
@@ -110,7 +159,22 @@ for metric_name in current_p95 current_p99 current_rate baseline_p95 baseline_p9
 		summary "- Missing or non-numeric metric: \`${metric_name}\` from reports."
 		summary "- Current report: \`${CURRENT_REPORT}\`"
 		summary "- Baseline report: \`${BASELINE_REPORT}\`"
-		exit 0
+		exit_with_gate_status "missing or non-numeric metric"
+	fi
+done
+
+for threshold_name in \
+	DD_LOAD_TEST_MAX_P95_INCREASE_PCT \
+	DD_LOAD_TEST_MAX_P99_INCREASE_PCT \
+	DD_LOAD_TEST_MAX_RATE_DECREASE_PCT \
+	DD_LOAD_TEST_MAX_P95_MS \
+	DD_LOAD_TEST_MAX_P99_MS \
+	DD_LOAD_TEST_MIN_REQUEST_RATE; do
+	threshold_value="${!threshold_name}"
+	if ! is_number "${threshold_value}"; then
+		summary "### Load Test Regression Gate"
+		summary "- Invalid threshold config: \`${threshold_name}=${threshold_value}\` (must be numeric)."
+		exit 2
 	fi
 done
 
@@ -120,26 +184,41 @@ rate_decrease_pct="$(percent_decrease "${current_rate}" "${baseline_rate}")"
 
 if [ "${p95_increase_pct}" = "nan" ] || [ "${p99_increase_pct}" = "nan" ] || [ "${rate_decrease_pct}" = "nan" ]; then
 	summary "### Load Test Regression Gate"
-	summary "- Baseline metrics are zero or invalid; skipping regression check."
+	summary "- Baseline metrics are zero or invalid; cannot evaluate regression."
 	summary "- Current report: \`${CURRENT_REPORT}\`"
 	summary "- Baseline report: \`${BASELINE_REPORT}\`"
-	exit 0
+	exit_with_gate_status "invalid baseline metrics"
 fi
 
-p95_regressed=false
-p99_regressed=false
-rate_regressed=false
+p95_pct_regressed=false
+p99_pct_regressed=false
+rate_pct_regressed=false
+p95_abs_regressed=false
+p99_abs_regressed=false
+rate_abs_regressed=false
 
 if is_greater_than "${p95_increase_pct}" "${DD_LOAD_TEST_MAX_P95_INCREASE_PCT}"; then
-	p95_regressed=true
+	p95_pct_regressed=true
 fi
 
 if is_greater_than "${p99_increase_pct}" "${DD_LOAD_TEST_MAX_P99_INCREASE_PCT}"; then
-	p99_regressed=true
+	p99_pct_regressed=true
 fi
 
 if is_greater_than "${rate_decrease_pct}" "${DD_LOAD_TEST_MAX_RATE_DECREASE_PCT}"; then
-	rate_regressed=true
+	rate_pct_regressed=true
+fi
+
+if is_greater_than "${current_p95}" "${DD_LOAD_TEST_MAX_P95_MS}"; then
+	p95_abs_regressed=true
+fi
+
+if is_greater_than "${current_p99}" "${DD_LOAD_TEST_MAX_P99_MS}"; then
+	p99_abs_regressed=true
+fi
+
+if is_less_than "${current_rate}" "${DD_LOAD_TEST_MIN_REQUEST_RATE}"; then
+	rate_abs_regressed=true
 fi
 
 summary "### Load Test Regression Gate"
@@ -148,27 +227,40 @@ summary "- Baseline report: \`${BASELINE_REPORT}\`"
 if [ -n "${DD_LOAD_TEST_BASELINE_ARTIFACT_NAME}" ]; then
 	summary "- Baseline artifact: \`${DD_LOAD_TEST_BASELINE_ARTIFACT_NAME}\`"
 fi
-summary "- Thresholds: p95 <= +${DD_LOAD_TEST_MAX_P95_INCREASE_PCT}%, p99 <= +${DD_LOAD_TEST_MAX_P99_INCREASE_PCT}%, request_rate >= -${DD_LOAD_TEST_MAX_RATE_DECREASE_PCT}%"
+summary "- Relative thresholds: p95 <= +${DD_LOAD_TEST_MAX_P95_INCREASE_PCT}%, p99 <= +${DD_LOAD_TEST_MAX_P99_INCREASE_PCT}%, request_rate >= -${DD_LOAD_TEST_MAX_RATE_DECREASE_PCT}%"
+summary "- Absolute thresholds: p95 <= ${DD_LOAD_TEST_MAX_P95_MS} ms, p99 <= ${DD_LOAD_TEST_MAX_P99_MS} ms, request_rate >= ${DD_LOAD_TEST_MIN_REQUEST_RATE} req/s"
 
-if [ "${p95_regressed}" = true ]; then
-	summary "- p95: \`${baseline_p95}\` -> \`${current_p95}\` ms (\`+${p95_increase_pct}%\`) FAIL"
-else
-	summary "- p95: \`${baseline_p95}\` -> \`${current_p95}\` ms (\`+${p95_increase_pct}%\`) PASS"
-fi
+p95_pct_status="PASS"
+p99_pct_status="PASS"
+rate_pct_status="PASS"
+p95_abs_status="PASS"
+p99_abs_status="PASS"
+rate_abs_status="PASS"
 
-if [ "${p99_regressed}" = true ]; then
-	summary "- p99: \`${baseline_p99}\` -> \`${current_p99}\` ms (\`+${p99_increase_pct}%\`) FAIL"
-else
-	summary "- p99: \`${baseline_p99}\` -> \`${current_p99}\` ms (\`+${p99_increase_pct}%\`) PASS"
+if [ "${p95_pct_regressed}" = true ]; then
+	p95_pct_status="FAIL"
 fi
-
-if [ "${rate_regressed}" = true ]; then
-	summary "- request_rate: \`${baseline_rate}\` -> \`${current_rate}\` req/s (\`-${rate_decrease_pct}%\`) FAIL"
-else
-	summary "- request_rate: \`${baseline_rate}\` -> \`${current_rate}\` req/s (\`-${rate_decrease_pct}%\`) PASS"
+if [ "${p99_pct_regressed}" = true ]; then
+	p99_pct_status="FAIL"
+fi
+if [ "${rate_pct_regressed}" = true ]; then
+	rate_pct_status="FAIL"
+fi
+if [ "${p95_abs_regressed}" = true ]; then
+	p95_abs_status="FAIL"
 fi
+if [ "${p99_abs_regressed}" = true ]; then
+	p99_abs_status="FAIL"
+fi
+if [ "${rate_abs_regressed}" = true ]; then
+	rate_abs_status="FAIL"
+fi
+
+summary "- p95: \`${baseline_p95}\` -> \`${current_p95}\` ms | delta \`+${p95_increase_pct}%\` (<= +${DD_LOAD_TEST_MAX_P95_INCREASE_PCT}%: ${p95_pct_status}) | ceiling <= ${DD_LOAD_TEST_MAX_P95_MS} ms: ${p95_abs_status}"
+summary "- p99: \`${baseline_p99}\` -> \`${current_p99}\` ms | delta \`+${p99_increase_pct}%\` (<= +${DD_LOAD_TEST_MAX_P99_INCREASE_PCT}%: ${p99_pct_status}) | ceiling <= ${DD_LOAD_TEST_MAX_P99_MS} ms: ${p99_abs_status}"
+summary "- request_rate: \`${baseline_rate}\` -> \`${current_rate}\` req/s | delta \`-${rate_decrease_pct}%\` (>= -${DD_LOAD_TEST_MAX_RATE_DECREASE_PCT}%: ${rate_pct_status}) | floor >= ${DD_LOAD_TEST_MIN_REQUEST_RATE} req/s: ${rate_abs_status}"
 
-if [ "${p95_regressed}" = true ] || [ "${p99_regressed}" = true ] || [ "${rate_regressed}" = true ]; then
+if [ "${p95_pct_regressed}" = true ] || [ "${p99_pct_regressed}" = true ] || [ "${rate_pct_regressed}" = true ] || [ "${p95_abs_regressed}" = true ] || [ "${p99_abs_regressed}" = true ] || [ "${rate_abs_regressed}" = true ]; then
 	if is_true "${DD_LOAD_TEST_REGRESSION_ENFORCE}"; then
 		summary "- Regression status: FAIL (enforced)"
 		exit 1
diff --git a/scripts/commit-message.mjs b/scripts/commit-message.mjs
new file mode 100644
index 000000000..4e4f5bb7d
--- /dev/null
+++ b/scripts/commit-message.mjs
@@ -0,0 +1,104 @@
+const COMMIT_TYPES = {
+  feat: { emoji: '✨', purpose: 'new feature' },
+  fix: { emoji: '🐛', purpose: 'bug fix' },
+  docs: { emoji: '📝', purpose: 'documentation change' },
+  style: { emoji: '💄', purpose: 'style/cosmetic change' },
+  refactor: { emoji: '♻️', purpose: 'refactor without behavior change' },
+  perf: { emoji: '⚡', purpose: 'performance improvement' },
+  test: { emoji: '✅', purpose: 'test change' },
+  chore: { emoji: '🔧', purpose: 'tooling/config change' },
+  security: { emoji: '🔒', purpose: 'security fix' },
+  deps: { emoji: '⬆️', purpose: 'dependency change' },
+  revert: { emoji: '🗑️', purpose: 'intentional revert' },
+};
+
+const subjectRegex =
+  /^(?<emoji>✨|🐛|📝|💄|♻️|⚡|✅|🔧|🔒|⬆️|🗑️)\s(?<type>feat|fix|docs|style|refactor|perf|test|chore|security|deps|revert)(?:\((?<scope>[a-z0-9][a-z0-9._/-]*)\))?:\s(?<description>.+)$/u;
+
+export function validateCommitMessage(rawMessage) {
+  const message = (rawMessage ?? '').trim();
+  const subject = message.split(/\r?\n/u, 1)[0] ?? '';
+
+  // Allow default Git-generated metadata commits.
+  if (subject.startsWith('Merge ')) {
+    return { valid: true, errors: [] };
+  }
+  if (subject.startsWith('Revert "')) {
+    return { valid: true, errors: [] };
+  }
+
+  const errors = [];
+  const match = subject.match(subjectRegex);
+
+  if (!match?.groups) {
+    if (!/^\p{Emoji}/u.test(subject)) {
+      errors.push('Missing required emoji (gitmoji) prefix.');
+    }
+    if (
+      !/\s(feat|fix|docs|style|refactor|perf|test|chore|security|deps|revert)(\(|:)/u.test(subject)
+    ) {
+      errors.push('Missing or unsupported commit type.');
+    }
+    errors.push('Subject does not match required format.');
+
+    return { valid: false, errors };
+  }
+
+  const { emoji, type, description } = match.groups;
+  const expectedEmoji = COMMIT_TYPES[type]?.emoji;
+  if (expectedEmoji && emoji !== expectedEmoji) {
+    errors.push(
+      `Invalid emoji/type pair. Expected "${expectedEmoji} ${type}" but got "${emoji} ${type}".`,
+    );
+  }
+
+  if (/^[A-Z]/u.test(description)) {
+    errors.push('Description must be imperative and lowercase at the start.');
+  }
+
+  if (/\.$/u.test(description)) {
+    errors.push('Description must not end with a trailing period.');
+  }
+
+  if (subject.length > 100) {
+    errors.push('Subject exceeds 100 characters.');
+  }
+
+  return { valid: errors.length === 0, errors };
+}
+
+export function formatValidationFailure(rawMessage, errors) {
+  const message = (rawMessage ?? '').trim();
+  const subject = message.split(/\r?\n/u, 1)[0] ?? '';
+
+  const allowedPairs = Object.entries(COMMIT_TYPES)
+    .map(([type, meta]) => `  ${meta.emoji} ${type}: ${meta.purpose}`)
+    .join('\n');
+
+  const formattedErrors = errors.map((error) => `  - ${error}`).join('\n');
+
+  return [
+    '❌ Invalid commit message.',
+    '',
+    `Current subject: ${subject || '<empty>'}`,
+    '',
+    'Required subject format:',
+    '  <emoji> <type>(<scope>): <description>',
+    '',
+    'Valid examples:',
+    '  ✨ feat(docker): add health check endpoint',
+    '  🐛 fix: resolve socket EACCES (#38)',
+    '  ♻️ refactor(store): simplify collection init',
+    '',
+    'Allowed emoji/type pairs:',
+    allowedPairs,
+    '',
+    'Validation errors:',
+    formattedErrors,
+    '',
+    'AI_ACTION_REQUIRED: rewrite the commit subject to match the required format exactly.',
+    'Fix command:',
+    '  git commit --amend -m "✨ feat(scope): concise imperative description"',
+    '',
+  ].join('\n');
+}
diff --git a/scripts/commit-message.test.mjs b/scripts/commit-message.test.mjs
new file mode 100644
index 000000000..513c61402
--- /dev/null
+++ b/scripts/commit-message.test.mjs
@@ -0,0 +1,47 @@
+import assert from 'node:assert/strict';
+import test from 'node:test';
+import { validateCommitMessage } from './commit-message.mjs';
+
+test('accepts a valid feat message with scope', () => {
+  const result = validateCommitMessage('✨ feat(docker): add health check endpoint');
+  assert.equal(result.valid, true);
+});
+
+test('accepts a valid fix message without scope', () => {
+  const result = validateCommitMessage('🐛 fix: resolve socket EACCES (#38)');
+  assert.equal(result.valid, true);
+});
+
+test('rejects message without emoji prefix', () => {
+  const result = validateCommitMessage('feat(docker): add health check endpoint');
+  assert.equal(result.valid, false);
+  assert.match(result.errors.join(' '), /emoji/i);
+});
+
+test('rejects unknown commit type', () => {
+  const result = validateCommitMessage('✨ feature(api): add endpoint');
+  assert.equal(result.valid, false);
+  assert.match(result.errors.join(' '), /type/i);
+});
+
+test('rejects mismatched emoji/type pairs', () => {
+  const result = validateCommitMessage('✨ fix(api): resolve edge case');
+  assert.equal(result.valid, false);
+  assert.match(result.errors.join(' '), /emoji\/type pair/i);
+});
+
+test('rejects trailing period', () => {
+  const result = validateCommitMessage('✨ feat(api): add endpoint.');
+  assert.equal(result.valid, false);
+  assert.match(result.errors.join(' '), /trailing period/i);
+});
+
+test('allows auto-generated merge commits', () => {
+  const result = validateCommitMessage('Merge pull request #123 from CodesWhat/release/v1.5.0');
+  assert.equal(result.valid, true);
+});
+
+test('allows default git revert commits', () => {
+  const result = validateCommitMessage('Revert "✨ feat(api): add endpoint"');
+  assert.equal(result.valid, true);
+});
diff --git a/scripts/extract-changelog-entry.mjs b/scripts/extract-changelog-entry.mjs
new file mode 100644
index 000000000..79587fac6
--- /dev/null
+++ b/scripts/extract-changelog-entry.mjs
@@ -0,0 +1,112 @@
+#!/usr/bin/env node
+
+import { readFileSync } from 'node:fs';
+
+function escapeRegExp(value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
+function normalizeVersion(version) {
+  return String(version ?? '')
+    .trim()
+    .replace(/^v/u, '');
+}
+
+function listChangelogVersions(changelog) {
+  const versions = [];
+  const headingRegex = /^##\s+\[([^\]]+)\].*$/gmu;
+  for (const match of changelog.matchAll(headingRegex)) {
+    const version = String(match[1] ?? '').trim();
+    if (version) {
+      versions.push(version);
+    }
+  }
+  return versions;
+}
+
+export function extractChangelogEntry(changelog, version) {
+  const normalizedVersion = normalizeVersion(version);
+  if (!normalizedVersion) {
+    throw new Error('Version is required');
+  }
+
+  const content = String(changelog ?? '');
+  const versionHeadingRegex = new RegExp(
+    `^##\\s+\\[${escapeRegExp(normalizedVersion)}\\].*$`,
+    'mu',
+  );
+  const startMatch = content.match(versionHeadingRegex);
+  if (!startMatch || startMatch.index === undefined) {
+    const availableVersions = listChangelogVersions(content).slice(0, 10);
+    const availableText =
+      availableVersions.length > 0
+        ? ` Available versions: ${availableVersions.join(', ')}`
+        : ' No version headings found in changelog.';
+    throw new Error(
+      `Changelog entry not found for version ${normalizedVersion}. Expected heading: ## [${normalizedVersion}] - YYYY-MM-DD.${availableText}`,
+    );
+  }
+
+  // Skip date format validation for [Unreleased] heading
+  if (normalizedVersion.toLowerCase() !== 'unreleased') {
+    const strictHeadingRegex = new RegExp(
+      `^##\\s+\\[${escapeRegExp(normalizedVersion)}\\]\\s+-\\s+\\d{4}-\\d{2}-\\d{2}\\s*$`,
+      'u',
+    );
+    if (!strictHeadingRegex.test(startMatch[0])) {
+      throw new Error(
+        `Invalid changelog heading for version ${normalizedVersion}. Expected heading format: ## [${normalizedVersion}] - YYYY-MM-DD.`,
+      );
+    }
+  }
+
+  const startIndex = startMatch.index;
+  const remaining = content.slice(startIndex + startMatch[0].length);
+  const nextHeadingOffset = remaining.search(/\n##\s+\[/u);
+  const endIndex =
+    nextHeadingOffset === -1
+      ? content.length
+      : startIndex + startMatch[0].length + nextHeadingOffset;
+
+  return content.slice(startIndex, endIndex).trim();
+}
+
+function parseArgs(argv) {
+  const args = {};
+  for (let i = 0; i < argv.length; i += 1) {
+    const key = argv[i];
+    if (!key.startsWith('--')) {
+      continue;
+    }
+    const value = argv[i + 1];
+    if (value === undefined || value.startsWith('--')) {
+      throw new Error(`Missing value for argument: ${key}`);
+    }
+    args[key.slice(2)] = value;
+    i += 1;
+  }
+  return args;
+}
+
+function main() {
+  const args = parseArgs(process.argv.slice(2));
+  const version = args.version;
+  const file = args.file ?? 'CHANGELOG.md';
+
+  if (!version) {
+    throw new Error('--version is required');
+  }
+
+  const changelog = readFileSync(file, 'utf8');
+  const entry = extractChangelogEntry(changelog, version);
+  console.log(entry);
+}
+
+if (import.meta.url === `file://${process.argv[1]}`) {
+  try {
+    main();
+  } catch (error) {
+    console.error(error instanceof Error ? error.message : String(error));
+    process.exit(1);
+  }
+}
diff --git a/scripts/extract-changelog-entry.test.mjs b/scripts/extract-changelog-entry.test.mjs
new file mode 100644
index 000000000..2897fe4d0
--- /dev/null
+++ b/scripts/extract-changelog-entry.test.mjs
@@ -0,0 +1,47 @@
+import assert from 'node:assert/strict';
+import test from 'node:test';
+import { extractChangelogEntry } from './extract-changelog-entry.mjs';
+
+const SAMPLE_CHANGELOG = `# Changelog
+
+## [1.4.2] - 2026-03-15
+
+### Added
+- add release automation
+
+## [1.4.1] - 2026-03-10
+
+### Fixed
+- fix a regression
+`;
+
+test('extracts section for a specific version', () => {
+  const entry = extractChangelogEntry(SAMPLE_CHANGELOG, '1.4.1');
+  assert.match(entry, /## \[1\.4\.1\] - 2026-03-10/u);
+  assert.match(entry, /fix a regression/u);
+  assert.doesNotMatch(entry, /1\.4\.2/u);
+});
+
+test('accepts version with a leading v', () => {
+  const entry = extractChangelogEntry(SAMPLE_CHANGELOG, 'v1.4.2');
+  assert.match(entry, /## \[1\.4\.2\] - 2026-03-15/u);
+});
+
+test('throws when version is not found', () => {
+  assert.throws(
+    () => extractChangelogEntry(SAMPLE_CHANGELOG, '9.9.9'),
+    /not found.*available versions/i,
+  );
+});
+
+test('throws when matched version heading does not use YYYY-MM-DD date', () => {
+  const invalidDateChangelog = `# Changelog
+
+## [1.4.2] - TBD
+
+### Added
+- add release automation
+`;
+
+  assert.throws(() => extractChangelogEntry(invalidDateChangelog, '1.4.2'), /YYYY-MM-DD/u);
+});
diff --git a/scripts/pre-commit-coverage.sh b/scripts/pre-commit-coverage.sh
index a1981c9eb..07c92c96c 100755
--- a/scripts/pre-commit-coverage.sh
+++ b/scripts/pre-commit-coverage.sh
@@ -1,87 +1,36 @@
 #!/usr/bin/env bash
-# Pre-commit coverage gate: runs tests related to staged files and checks
-# that each staged source file maintains coverage thresholds.
+# Pre-commit test gate: runs vitest --changed on staged workspaces.
+# Called by lefthook pre-commit (glob: *.{ts,vue}, priority: 3, timeout: 5m).
 #
-# Only activates when instrumented source files are staged:
-# - app/*.ts
-# - ui/src/*.ts
-# Uses vitest --changed first and scopes coverage to staged files.
-# If dependency-based selection misses relevant tests, it retries with a
-# full vitest run to avoid false negatives on per-file thresholds.
-#
-# Thresholds: 100% lines/functions/statements, 95% branches.
-# Branch threshold is slightly relaxed because v8 coverage reports
-# phantom uncovered branches on ternaries and exhaustive if-chains.
-# The pre-push hook enforces full 100% globally via `npm test`.
-set -euo pipefail
+# Only runs tests related to changes (vitest --changed HEAD), not the full suite.
+# No --coverage flag — global thresholds would fail on partial runs.
+# Full coverage enforcement happens in pre-push via build-and-test.
+# Fails fast on first workspace failure.
 
-cd "$(git rev-parse --show-toplevel)"
+set -euo pipefail
 
-# Collect staged source files (excludes deletions and test files)
-staged_app=()
-staged_ui=()
+# Determine which workspace(s) have staged ts/vue files
+has_app=false
+has_ui=false
 
-while IFS= read -r file; do
-	case "$file" in
-	app/*.test.ts) ;; # skip test files — we measure source coverage
-	app/*.ts) staged_app+=("$file") ;;
-	ui/src/*.spec.ts) ;; # skip test files
-	ui/src/*.ts) staged_ui+=("$file") ;;
+for f in "$@"; do
+	case "${f}" in
+	app/*) has_app=true ;;
+	ui/*) has_ui=true ;;
 	esac
-done < <(git diff --cached --name-only --diff-filter=d)
+done
 
-# Skip if no relevant source files staged
-if [[ ${#staged_app[@]} -eq 0 && ${#staged_ui[@]} -eq 0 ]]; then
-	echo "⏭  No app/ui source files staged — skipping coverage check"
+if ! "${has_app}" && ! "${has_ui}"; then
+	echo "No app/ or ui/ files staged; skipping tests."
 	exit 0
 fi
 
-pids=()
-labels=()
-fail=0
-
-run() {
-	local label=$1
-	shift
-	"$@" &
-	pids+=($!)
-	labels+=("$label")
-}
-
-# Common coverage flags: scope to staged files, per-file thresholds
-COVERAGE_FLAGS="--coverage --coverage.thresholds.perFile --coverage.thresholds.branches=95"
-
-if [[ ${#staged_app[@]} -gt 0 ]]; then
-	# Build --coverage.include patterns for each staged file (paths relative to app/)
-	include_args=()
-	for f in "${staged_app[@]}"; do
-		include_args+=(--coverage.include "${f#app/}")
-	done
-	echo "🧪 Running coverage for ${#staged_app[@]} staged app file(s)..."
-	# shellcheck disable=SC2086
-	run "app-coverage" bash -c "cd app && npx vitest run --changed $COVERAGE_FLAGS ${include_args[*]} || { echo '↩️  app --changed coverage failed; retrying full run'; npx vitest run $COVERAGE_FLAGS ${include_args[*]}; }"
-fi
-
-if [[ ${#staged_ui[@]} -gt 0 ]]; then
-	# Build --coverage.include patterns for each staged file (paths relative to ui/)
-	include_args=()
-	for f in "${staged_ui[@]}"; do
-		include_args+=(--coverage.include "${f#ui/}")
-	done
-	echo "🧪 Running coverage for ${#staged_ui[@]} staged ui file(s)..."
-	# shellcheck disable=SC2086
-	run "ui-coverage" bash -c "cd ui && npx vitest run --changed $COVERAGE_FLAGS ${include_args[*]} || { echo '↩️  ui --changed coverage failed; retrying full run'; npx vitest run $COVERAGE_FLAGS ${include_args[*]}; }"
+if "${has_app}"; then
+	echo "⏳ app: running tests on changed files..."
+	(cd app && npx vitest run --changed HEAD --reporter=dot)
 fi
 
-for i in "${!pids[@]}"; do
-	if ! wait "${pids[$i]}"; then
-		echo "❌ FAILED: ${labels[$i]} — coverage threshold not met" >&2
-		fail=1
-	fi
-done
-
-if [[ $fail -eq 0 ]]; then
-	echo "✅ Coverage check passed"
+if "${has_ui}"; then
+	echo "⏳ ui: running tests on changed files..."
+	(cd ui && npx vitest run --changed HEAD --reporter=dot)
 fi
-
-exit $fail
diff --git a/scripts/pre-push-coverage.sh b/scripts/pre-push-coverage.sh
new file mode 100755
index 000000000..9adae2f95
--- /dev/null
+++ b/scripts/pre-push-coverage.sh
@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+# Coverage gate for pre-push hook.
+# Runs vitest --coverage with JSON reporter, then parses the output
+# to produce a machine-readable gap report at .coverage-gaps.json.
+#
+# On failure: prints exact files + uncovered lines so an agent can fix them.
+# The gap report is gitignored and read by agents to know what to test.
+set -euo pipefail
+
+cd "$(git rev-parse --show-toplevel)"
+
+export GAPS_FILE=".coverage-gaps.json"
+fail=0
+
+run_coverage() {
+	local workspace=$1
+
+	echo "📊 ${workspace}: running coverage..."
+	if ! (cd "${workspace}" && npx vitest run --coverage --reporter=json --reporter=dot 2>&1); then
+		echo "❌ ${workspace} coverage below threshold" >&2
+		fail=1
+	fi
+}
+
+run_coverage "app"
+run_coverage "ui"
+
+# Parse coverage JSON summaries into a single gap report
+# shellcheck disable=SC2016
+node -e '
+const fs = require("fs");
+const path = require("path");
+const gaps = [];
+
+for (const workspace of ["app", "ui"]) {
+  const summaryPath = path.join(workspace, "coverage", "coverage-summary.json");
+  if (!fs.existsSync(summaryPath)) continue;
+  const summary = JSON.parse(fs.readFileSync(summaryPath, "utf8"));
+
+  for (const [file, data] of Object.entries(summary)) {
+    if (file === "total") continue;
+    const rel = path.relative(process.cwd(), file);
+    const uncovered = {};
+    let hasGap = false;
+
+    for (const metric of ["lines", "statements", "branches", "functions"]) {
+      const m = data[metric];
+      if (m && m.pct < 100) {
+        uncovered[metric] = { pct: m.pct, covered: m.covered, total: m.total };
+        hasGap = true;
+      }
+    }
+
+    if (hasGap) {
+      gaps.push({ file: rel, ...uncovered });
+    }
+  }
+}
+
+fs.writeFileSync(process.env.GAPS_FILE, JSON.stringify(gaps, null, 2) + "\n");
+
+if (gaps.length > 0) {
+  console.error("");
+  console.error("┌─────────────────────────────────────────────────┐");
+  console.error("│  COVERAGE GAPS — fix these files to reach 100%  │");
+  console.error("└─────────────────────────────────────────────────┘");
+  console.error("");
+  for (const g of gaps) {
+    const metrics = Object.entries(g)
+      .filter(([k]) => k !== "file")
+      .map(([k, v]) => `${k}: ${v.pct}% (${v.covered}/${v.total})`)
+      .join(", ");
+    console.error(`  ${g.file}`);
+    console.error(`    ${metrics}`);
+  }
+  console.error("");
+  console.error(`Gap report written to ${process.env.GAPS_FILE}`);
+  console.error("Agents: read this file to know exactly what tests to write.");
+}
+' 2>&1
+
+if [ $fail -ne 0 ]; then
+	echo ""
+	echo "Coverage thresholds not met. Fix gaps before pushing."
+	echo "Run: cat .coverage-gaps.json  — to see exact gaps"
+	exit 1
+fi
+
+# Clean state — remove gap file when everything passes
+rm -f "${GAPS_FILE}"
+echo "✅ Coverage thresholds met (100%)."
diff --git a/scripts/qlty-check-gate.sh b/scripts/qlty-check-gate.sh
new file mode 100755
index 000000000..5a7df9886
--- /dev/null
+++ b/scripts/qlty-check-gate.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+mode="${1:-changed}"
+
+case "$mode" in
+changed | all) ;;
+*)
+	echo "Usage: $0 [changed|all]"
+	exit 1
+	;;
+esac
+
+cmd=(qlty check --no-progress)
+
+if [ "$mode" = "all" ]; then
+	cmd+=(--all)
+elif git rev-parse --verify --quiet refs/remotes/origin/main >/dev/null; then
+	cmd+=(--upstream origin/main)
+fi
+
+echo "Running Qlty gate: ${cmd[*]}"
+"${cmd[@]}" </dev/null
diff --git a/scripts/qlty-smells-gate.mjs b/scripts/qlty-smells-gate.mjs
new file mode 100755
index 000000000..3ee696126
--- /dev/null
+++ b/scripts/qlty-smells-gate.mjs
@@ -0,0 +1,168 @@
+#!/usr/bin/env node
+
+import { spawnSync } from 'node:child_process';
+import { appendFileSync, mkdirSync, writeFileSync } from 'node:fs';
+import { dirname } from 'node:path';
+
+function parseArgs(argv) {
+  const defaults = {
+    scope: 'changed',
+    upstream: 'origin/main',
+    enforce: false,
+    maxTotal: 0,
+    sarifOutput: '',
+    summaryOutput: '',
+  };
+
+  return argv.reduce((acc, arg) => {
+    if (!arg.startsWith('--')) {
+      return acc;
+    }
+
+    const [key, rawValue] = arg.slice(2).split('=', 2);
+    const value = rawValue ?? 'true';
+
+    if (key === 'scope') {
+      acc.scope = value;
+      return acc;
+    }
+    if (key === 'upstream') {
+      acc.upstream = value;
+      return acc;
+    }
+    if (key === 'enforce') {
+      acc.enforce = value === 'true';
+      return acc;
+    }
+    if (key === 'max-total') {
+      acc.maxTotal = Number(value);
+      return acc;
+    }
+    if (key === 'sarif-output') {
+      acc.sarifOutput = value;
+      return acc;
+    }
+    if (key === 'summary-output') {
+      acc.summaryOutput = value;
+      return acc;
+    }
+    return acc;
+  }, defaults);
+}
+
+function fail(message) {
+  console.error(message);
+  process.exit(1);
+}
+
+function buildQltyArgs({ scope, upstream }) {
+  if (scope !== 'changed' && scope !== 'all') {
+    fail(`Unsupported --scope value: ${scope}. Expected "changed" or "all".`);
+  }
+
+  const args = ['smells', '--quiet', '--sarif'];
+  if (scope === 'all') {
+    args.push('--all');
+  } else if (upstream) {
+    args.push('--upstream', upstream);
+  }
+  return args;
+}
+
+function parseSarif(stdout) {
+  const trimmed = stdout.trimStart();
+  if (!trimmed) {
+    return { runs: [] };
+  }
+
+  try {
+    return JSON.parse(trimmed);
+  } catch (error) {
+    fail(
+      `Failed to parse qlty smells SARIF output: ${
+        error instanceof Error ? error.message : String(error)
+      }`,
+    );
+  }
+}
+
+function summarizeResults(results) {
+  const counts = new Map();
+  for (const result of results) {
+    const ruleId = result.ruleId ?? 'unknown';
+    counts.set(ruleId, (counts.get(ruleId) ?? 0) + 1);
+  }
+  return counts;
+}
+
+function appendSummary(lines) {
+  const summaryPath = process.env.GITHUB_STEP_SUMMARY;
+  if (!summaryPath) {
+    return;
+  }
+  appendFileSync(summaryPath, `${lines.join('\n')}\n`);
+}
+
+function writeOutputFile(path, content) {
+  if (!path) {
+    return;
+  }
+  mkdirSync(dirname(path), { recursive: true });
+  writeFileSync(path, content, 'utf8');
+}
+
+function main() {
+  const options = parseArgs(process.argv.slice(2));
+  if (!Number.isInteger(options.maxTotal) || options.maxTotal < 0) {
+    fail(`--max-total must be a non-negative integer. Received: ${options.maxTotal}`);
+  }
+
+  const qltyArgs = buildQltyArgs(options);
+  const run = spawnSync('qlty', qltyArgs, {
+    encoding: 'utf8',
+    maxBuffer: 1024 * 1024 * 25,
+  });
+
+  if (run.error) {
+    fail(`Failed to execute qlty: ${run.error.message}`);
+  }
+
+  if ((run.status ?? 1) !== 0) {
+    process.stderr.write(run.stderr || run.stdout || '');
+    process.exit(run.status ?? 1);
+  }
+
+  const sarif = parseSarif(run.stdout);
+  writeOutputFile(options.sarifOutput, `${JSON.stringify(sarif, null, 2)}\n`);
+  const results = sarif.runs?.flatMap((runEntry) => runEntry.results ?? []) ?? [];
+  const total = results.length;
+  const ruleCounts = summarizeResults(results);
+
+  const header = `Qlty smells (${options.scope}) found ${total} issue${total === 1 ? '' : 's'}.`;
+  console.log(header);
+
+  const sortedRules = [...ruleCounts.entries()].sort((left, right) => right[1] - left[1]);
+  for (const [rule, count] of sortedRules) {
+    console.log(`- ${rule}: ${count}`);
+  }
+
+  const summaryLines = [
+    '### Qlty Smells',
+    `- Scope: \`${options.scope}\``,
+    `- Total findings: **${total}**`,
+  ];
+  for (const [rule, count] of sortedRules) {
+    summaryLines.push(`- \`${rule}\`: ${count}`);
+  }
+  appendSummary(summaryLines);
+  writeOutputFile(options.summaryOutput, `${summaryLines.join('\n')}\n`);
+
+  if (options.enforce && total > options.maxTotal) {
+    console.error(
+      `AI_ACTION_REQUIRED: qlty smells limit exceeded (${total} > ${options.maxTotal}).`,
+    );
+    process.exit(1);
+  }
+}
+
+main();
diff --git a/scripts/release-next-version.mjs b/scripts/release-next-version.mjs
new file mode 100644
index 000000000..b28e71987
--- /dev/null
+++ b/scripts/release-next-version.mjs
@@ -0,0 +1,154 @@
+#!/usr/bin/env node
+
+import { execFileSync } from 'node:child_process';
+
+const PATCH_TYPES = new Set([
+  'fix',
+  'docs',
+  'style',
+  'refactor',
+  'perf',
+  'test',
+  'chore',
+  'security',
+  'deps',
+  'revert',
+]);
+
+const conventionalSubjectRegex =
+  /^(?:\S+\s+)?(?<type>feat|fix|docs|style|refactor|perf|test|chore|security|deps|revert)(?<breakingA>!)?(?:\([^)]+\))?(?<breakingB>!)?:\s.+$/u;
+
+export function inferReleaseLevel(commits) {
+  let hasFeat = false;
+  let hasPatch = false;
+
+  for (const commit of commits) {
+    const message = String(commit ?? '').trim();
+    if (!message) {
+      continue;
+    }
+
+    if (/\bBREAKING[ -]CHANGE:/iu.test(message)) {
+      return 'major';
+    }
+
+    const subject = message.split(/\r?\n/u, 1)[0] ?? '';
+    const match = subject.match(conventionalSubjectRegex);
+    if (!match?.groups) {
+      continue;
+    }
+
+    const type = match.groups.type;
+    if (match.groups.breakingA === '!' || match.groups.breakingB === '!') {
+      return 'major';
+    }
+
+    if (type === 'feat') {
+      hasFeat = true;
+      continue;
+    }
+
+    if (PATCH_TYPES.has(type)) {
+      hasPatch = true;
+    }
+  }
+
+  if (hasFeat) {
+    return 'minor';
+  }
+  if (hasPatch) {
+    return 'patch';
+  }
+  return null;
+}
+
+export function bumpSemver(currentVersion, level) {
+  const match = String(currentVersion ?? '')
+    .trim()
+    .match(/^v?(?<major>\d+)\.(?<minor>\d+)\.(?<patch>\d+)$/u);
+  if (!match?.groups) {
+    throw new Error(`Invalid current version: ${currentVersion}`);
+  }
+
+  const major = Number(match.groups.major);
+  const minor = Number(match.groups.minor);
+  const patch = Number(match.groups.patch);
+
+  if (level === 'major') {
+    return `${major + 1}.0.0`;
+  }
+  if (level === 'minor') {
+    return `${major}.${minor + 1}.0`;
+  }
+  if (level === 'patch') {
+    return `${major}.${minor}.${patch + 1}`;
+  }
+
+  throw new Error(`Invalid release level: ${level}`);
+}
+
+function parseArgs(argv) {
+  const args = {};
+  for (let i = 0; i < argv.length; i += 1) {
+    const key = argv[i];
+    const value = argv[i + 1];
+    if (!key.startsWith('--')) {
+      continue;
+    }
+    if (value === undefined || value.startsWith('--')) {
+      throw new Error(`Missing value for argument: ${key}`);
+    }
+    args[key.slice(2)] = value;
+    i += 1;
+  }
+  return args;
+}
+
+function getCommitMessages(fromRef, toRef) {
+  const range = `${fromRef}..${toRef}`;
+  const output = execFileSync('git', ['log', '--format=%B%x00', range], {
+    encoding: 'utf8',
+  });
+
+  return output
+    .split('\0')
+    .map((message) => message.trim())
+    .filter(Boolean);
+}
+
+function main() {
+  const args = parseArgs(process.argv.slice(2));
+  const bump = args.bump ?? 'auto';
+  const current = args.current;
+
+  if (!current) {
+    throw new Error('--current is required');
+  }
+
+  let releaseLevel = bump;
+  if (bump === 'auto') {
+    const fromRef = args.from;
+    const toRef = args.to ?? 'HEAD';
+    if (!fromRef) {
+      throw new Error('--from is required when --bump auto');
+    }
+    const commits = getCommitMessages(fromRef, toRef);
+    releaseLevel = inferReleaseLevel(commits);
+    if (!releaseLevel) {
+      throw new Error('No releasable commits found between refs');
+    }
+  }
+
+  const nextVersion = bumpSemver(current, releaseLevel);
+  console.log(`release_level=${releaseLevel}`);
+  console.log(`next_version=${nextVersion}`);
+}
+
+if (import.meta.url === `file://${process.argv[1]}`) {
+  try {
+    main();
+  } catch (error) {
+    console.error(error instanceof Error ? error.message : String(error));
+    process.exit(1);
+  }
+}
diff --git a/scripts/release-next-version.test.mjs b/scripts/release-next-version.test.mjs
new file mode 100644
index 000000000..99fb0c2f3
--- /dev/null
+++ b/scripts/release-next-version.test.mjs
@@ -0,0 +1,48 @@
+import assert from 'node:assert/strict';
+import test from 'node:test';
+import { bumpSemver, inferReleaseLevel } from './release-next-version.mjs';
+
+test('infers minor when at least one feat commit exists', () => {
+  const level = inferReleaseLevel([
+    '🐛 fix(api): resolve edge case',
+    '✨ feat(auth): add oidc issuer validation',
+  ]);
+  assert.equal(level, 'minor');
+});
+
+test('infers patch when only patch-level commit types exist', () => {
+  const level = inferReleaseLevel([
+    '🐛 fix(api): resolve edge case',
+    '🔧 chore(ci): tighten retries',
+  ]);
+  assert.equal(level, 'patch');
+});
+
+test('infers major for breaking change footer', () => {
+  const level = inferReleaseLevel([
+    '✨ feat(api): rename response envelope\n\nBREAKING CHANGE: removed legacy alias',
+  ]);
+  assert.equal(level, 'major');
+});
+
+test('infers major for bang syntax', () => {
+  const level = inferReleaseLevel(['✨ feat(api)!: remove legacy endpoint']);
+  assert.equal(level, 'major');
+});
+
+test('returns null when there are no releasable commits', () => {
+  const level = inferReleaseLevel(['Merge pull request #123 from CodesWhat/release/v1.5.0']);
+  assert.equal(level, null);
+});
+
+test('bumps patch versions', () => {
+  assert.equal(bumpSemver('1.4.9', 'patch'), '1.4.10');
+});
+
+test('bumps minor versions', () => {
+  assert.equal(bumpSemver('1.4.9', 'minor'), '1.5.0');
+});
+
+test('bumps major versions', () => {
+  assert.equal(bumpSemver('1.4.9', 'major'), '2.0.0');
+});
diff --git a/scripts/run-e2e-tests.sh b/scripts/run-e2e-tests.sh
index d8d29d14d..1f9ce8929 100755
--- a/scripts/run-e2e-tests.sh
+++ b/scripts/run-e2e-tests.sh
@@ -14,7 +14,7 @@ acquire_lock() {
 		# Recover stale locks from dead processes.
 		if [ -f "$LOCK_DIR/pid" ]; then
 			lock_pid=$(cat "$LOCK_DIR/pid" 2>/dev/null || true)
-			if [ -n "${lock_pid:-}" ] && ! kill -0 "$lock_pid" 2>/dev/null; then
+			if [ -n "${lock_pid:-}" ] && [[ $lock_pid =~ ^[0-9]+$ ]] && ! ps -p "$lock_pid" >/dev/null 2>&1; then
 				rm -rf "$LOCK_DIR"
 				continue
 			fi
@@ -58,8 +58,8 @@ acquire_lock
 # Start drydock (uses random port to avoid conflicts)
 "$SCRIPT_DIR/start-drydock.sh"
 
-# Query the assigned port from the running container
-E2E_PORT=$(docker port drydock 3000/tcp | head -1 | cut -d: -f2)
+# Query the assigned port from the running container (works for IPv4 and IPv6 outputs)
+E2E_PORT=$(docker port drydock 3000/tcp | head -n1 | awk -F: '{print $NF}')
 echo "🔌 Drydock available on port $E2E_PORT"
 
 # Run e2e tests with the dynamically assigned port
diff --git a/scripts/run-load-test.sh b/scripts/run-load-test.sh
index e3fc84cd4..b1a3a5206 100755
--- a/scripts/run-load-test.sh
+++ b/scripts/run-load-test.sh
@@ -91,7 +91,7 @@ fi
 
 if is_port_in_use "${DD_LOAD_TEST_PORT}"; then
 	echo "Port ${DD_LOAD_TEST_PORT} is already in use; choose a free port."
-	echo "Example: DD_LOAD_TEST_PORT=3800 DD_LOAD_TEST_TARGET=http://127.0.0.1:3800 npm run load:smoke"
+	echo "Example: DD_LOAD_TEST_PORT=3800 DD_LOAD_TEST_TARGET=http://127.0.0.1:3800 npm run load:ci"
 	exit 1
 fi
 
diff --git a/scripts/run-playwright-qa.sh b/scripts/run-playwright-qa.sh
new file mode 100755
index 000000000..79f73ae6c
--- /dev/null
+++ b/scripts/run-playwright-qa.sh
@@ -0,0 +1,192 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+REPO_ROOT=$(cd "$SCRIPT_DIR/.." && pwd)
+COMPOSE_FILE="$REPO_ROOT/test/qa-compose.yml"
+PROJECT_NAME="${DD_PLAYWRIGHT_PROJECT:-drydock-playwright-local}"
+QA_IMAGE="drydock:dev"
+USER_PROVIDED_PLAYWRIGHT_PORT="${DD_PLAYWRIGHT_PORT:-}"
+DD_PLAYWRIGHT_PORT="${DD_PLAYWRIGHT_PORT:-3333}"
+RESTART_COLIMA="${DD_PLAYWRIGHT_RESTART_COLIMA:-true}"
+
+is_port_available() {
+	local port="$1"
+	python3 - "$port" <<'PY'
+import socket
+import sys
+
+port = int(sys.argv[1])
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+try:
+    sock.bind(("127.0.0.1", port))
+except OSError:
+    raise SystemExit(1)
+finally:
+    sock.close()
+PY
+}
+
+restart_colima() {
+	if [[ $RESTART_COLIMA != "true" ]]; then
+		return
+	fi
+
+	if ! command -v colima >/dev/null 2>&1; then
+		return
+	fi
+
+	echo "🔄 Restarting Colima..."
+	colima stop >/dev/null 2>&1 || true
+	colima start >/dev/null
+}
+
+wait_for_docker_engine() {
+	for _ in $(seq 1 60); do
+		if docker info >/dev/null 2>&1; then
+			return
+		fi
+		sleep 1
+	done
+
+	echo "❌ Docker engine did not become ready."
+	exit 1
+}
+
+remove_stale_playwright_containers() {
+	local stale
+	stale=$(
+		{
+			docker ps -a --filter "name=drydock-playwright-" --format '{{.Names}}' || true
+			docker ps -a --filter "label=com.docker.compose.project.config_files=$COMPOSE_FILE" --format '{{.Names}}' || true
+		} | awk 'NF' | sort -u
+	)
+	if [[ -z $stale ]]; then
+		return
+	fi
+
+	echo "🧹 Removing stale Playwright containers..."
+	while IFS= read -r name; do
+		[[ -z $name ]] && continue
+		docker rm -f "$name" >/dev/null 2>&1 || true
+	done <<<"$stale"
+}
+
+restart_colima
+wait_for_docker_engine
+remove_stale_playwright_containers
+
+if ! is_port_available "$DD_PLAYWRIGHT_PORT"; then
+	echo "❌ DD_PLAYWRIGHT_PORT=$DD_PLAYWRIGHT_PORT is already in use."
+	if [[ -z $USER_PROVIDED_PLAYWRIGHT_PORT ]]; then
+		echo "   Default QA runs use localhost:3333. Free this port or set DD_PLAYWRIGHT_PORT."
+	fi
+	exit 1
+fi
+
+export DD_PLAYWRIGHT_PORT
+
+PLAYWRIGHT_BASE_URL="${DD_PLAYWRIGHT_BASE_URL:-http://localhost:${DD_PLAYWRIGHT_PORT}}"
+HEALTH_URL="${DD_PLAYWRIGHT_HEALTH_URL:-${PLAYWRIGHT_BASE_URL}/health}"
+
+cleanup() {
+	docker compose -p "$PROJECT_NAME" -f "$COMPOSE_FILE" down -v --remove-orphans >/dev/null 2>&1 || true
+}
+trap cleanup EXIT
+
+iso8601_to_epoch() {
+	local timestamp="$1"
+	python3 - "$timestamp" <<'PY'
+import datetime
+import sys
+
+ts = sys.argv[1].strip()
+if not ts:
+    raise SystemExit(1)
+
+if ts.endswith("Z"):
+    ts = f"{ts[:-1]}+00:00"
+
+try:
+    dt = datetime.datetime.fromisoformat(ts)
+except ValueError:
+    raise SystemExit(1)
+
+if dt.tzinfo is None:
+    dt = dt.replace(tzinfo=datetime.timezone.utc)
+
+print(int(dt.timestamp()))
+PY
+}
+
+should_build_qa_image() {
+	if ! docker image inspect "$QA_IMAGE" >/dev/null 2>&1; then
+		echo "ℹ️  QA image '$QA_IMAGE' not found; building..."
+		return 0
+	fi
+
+	local image_created
+	image_created=$(docker image inspect --format='{{.Created}}' "$QA_IMAGE" 2>/dev/null | head -n 1 || true)
+	if [[ -z $image_created ]]; then
+		echo "ℹ️  Unable to read '$QA_IMAGE' creation timestamp; building..."
+		return 0
+	fi
+
+	local last_commit_epoch
+	last_commit_epoch=$(git -C "$REPO_ROOT" log -1 --format=%ct 2>/dev/null || true)
+	if [[ ! $last_commit_epoch =~ ^[0-9]+$ ]]; then
+		echo "ℹ️  Unable to read latest git commit timestamp; building..."
+		return 0
+	fi
+
+	if ! command -v python3 >/dev/null 2>&1; then
+		echo "ℹ️  python3 is unavailable for timestamp parsing; building..."
+		return 0
+	fi
+
+	local image_created_epoch
+	if ! image_created_epoch=$(iso8601_to_epoch "$image_created"); then
+		echo "ℹ️  Unable to parse '$QA_IMAGE' creation timestamp; building..."
+		return 0
+	fi
+
+	if ((image_created_epoch >= last_commit_epoch)); then
+		echo "♻️  Reusing '$QA_IMAGE' (newer than latest commit)."
+		return 1
+	fi
+
+	echo "ℹ️  Latest commit is newer than '$QA_IMAGE'; rebuilding..."
+	return 0
+}
+
+echo "🧹 Ensuring no stale Playwright QA stack is running..."
+docker compose -p "$PROJECT_NAME" -f "$COMPOSE_FILE" down -v --remove-orphans >/dev/null 2>&1 || true
+
+if should_build_qa_image; then
+	echo "🐳 Building drydock QA image ($QA_IMAGE)..."
+	docker build --build-arg DD_VERSION=prepush --tag "$QA_IMAGE" "$REPO_ROOT"
+fi
+
+echo "🚀 Starting Playwright QA stack..."
+docker compose -p "$PROJECT_NAME" -f "$COMPOSE_FILE" up -d
+
+echo "⏳ Waiting for Playwright QA health: $HEALTH_URL"
+for _ in $(seq 1 60); do
+	if curl -sf "$HEALTH_URL" >/dev/null 2>&1; then
+		echo "✅ Playwright QA is healthy"
+		break
+	fi
+	sleep 2
+done
+
+if ! curl -sf "$HEALTH_URL" >/dev/null 2>&1; then
+	echo "❌ Playwright QA failed to become healthy after 120 seconds."
+	docker compose -p "$PROJECT_NAME" -f "$COMPOSE_FILE" ps || true
+	docker compose -p "$PROJECT_NAME" -f "$COMPOSE_FILE" logs --no-color --tail 80 || true
+	exit 1
+fi
+
+echo "🧪 Running Playwright E2E tests..."
+(cd "$REPO_ROOT/e2e" && DD_PLAYWRIGHT_BASE_URL="$PLAYWRIGHT_BASE_URL" npm run test:playwright)
+
+echo "✅ Playwright E2E tests completed"
diff --git a/scripts/setup-test-containers.sh b/scripts/setup-test-containers.sh
index cd218822a..a373e79ba 100755
--- a/scripts/setup-test-containers.sh
+++ b/scripts/setup-test-containers.sh
@@ -6,8 +6,12 @@ echo "🐳 Setting up test containers for local e2e tests..."
 
 # Login to private registries (if credentials available)
 if [ -n "${GITLAB_TOKEN:-}" ]; then
-	# shellcheck disable=SC2153 # GITLAB_USERNAME is an env var, not a typo of GITHUB_USERNAME
-	docker login registry.gitlab.com -u "$GITLAB_USERNAME" -p "$GITLAB_TOKEN"
+	gitlab_username="${GITLAB_USERNAME:-}"
+	if [ -n "$gitlab_username" ]; then
+		docker login registry.gitlab.com -u "$gitlab_username" -p "$GITLAB_TOKEN"
+	else
+		echo "⚠️  Skipping GitLab login (GITLAB_TOKEN set but GITLAB_USERNAME missing)"
+	fi
 fi
 
 # Pull nginx as a test image
@@ -58,8 +62,11 @@ fi
 run_test_container gitlab_test --label "$LABEL_WATCH" --label 'dd.tag.include=^v16\.[01]\.0$' registry.gitlab.com/gitlab-org/gitlab-runner:v16.0.0
 
 # HUB
-# shellcheck disable=SC2016 # drydock resolves ${major}/${minor}/${patch} placeholders at runtime.
-run_test_container hub_homeassistant_202161 --label "$LABEL_WATCH" --label 'dd.tag.include=^\d+\.\d+.\d+$' --label 'dd.link.template=https://github.com/home-assistant/core/releases/tag/${major}.${minor}.${patch}' homeassistant/home-assistant:2021.6.1
+run_test_container hub_homeassistant_202161 \
+	--label "$LABEL_WATCH" \
+	--label 'dd.tag.include=^\d+\.\d+.\d+$' \
+	--label 'dd.link.template=https://github.com/home-assistant/core/releases/tag/'"\${major}.\${minor}.\${patch}" \
+	homeassistant/home-assistant:2021.6.1
 run_test_container hub_homeassistant_latest --label "$LABEL_WATCH" --label 'dd.watch.digest=true' --label 'dd.tag.include=^latest$' homeassistant/home-assistant
 run_test_container hub_nginx_120 --label "$LABEL_WATCH" --label 'dd.tag.include=^\d+\.\d+-alpine$' nginx:1.20-alpine
 run_test_container hub_nginx_latest --label "$LABEL_WATCH" --label 'dd.watch.digest=true' --label 'dd.tag.include=^latest$' nginx
diff --git a/scripts/snyk-code-gate.sh b/scripts/snyk-code-gate.sh
index 9b7144553..3495c404c 100755
--- a/scripts/snyk-code-gate.sh
+++ b/scripts/snyk-code-gate.sh
@@ -1,18 +1,31 @@
 #!/usr/bin/env bash
-# Run snyk code test as informational scan.
-# Prints findings for developer awareness but does not block push.
-# Rationale: Snyk SAST cannot distinguish HIGH from CRITICAL in SARIF,
-# and current HIGH findings are false positives (Docker API data flow
-# misclassified as user-supplied regex input). Snyk Code still runs
-# in CI for proper gating.
+# Run snyk code test.
+# Default mode is informational to avoid noisy false positives during local use.
+# Set SNYK_CODE_ENFORCE=true to fail on findings in CI.
 set -uo pipefail
 
 export CI=1
 export TERM=dumb
 export NO_COLOR=1
+SNYK_CODE_ENFORCE="${SNYK_CODE_ENFORCE:-false}"
 
-echo "Running Snyk Code SAST scan (informational)..."
-snyk code test --severity-threshold=high "$@" 2>&1 |
-	perl -pe 's/\e\[[0-9;?]*[ -\/]*[@-~]//g' ||
-	true
-echo "Snyk Code: scan complete (informational — see CI for gate)"
+echo "Running Snyk Code SAST scan..."
+set +e
+snyk code test --severity-threshold=high "$@" 2>&1 | perl -pe 's/\e\[[0-9;?]*[ -\/]*[@-~]//g'
+status=$?
+set -e
+
+if [ "$status" -eq 0 ]; then
+	echo "Snyk Code: no high-severity findings."
+elif [ "$status" -eq 1 ]; then
+	if [ "$SNYK_CODE_ENFORCE" = "true" ]; then
+		echo "Snyk Code: enforcement enabled, failing on findings."
+		exit 1
+	fi
+	echo "Snyk Code: informational mode, findings reported but not enforced."
+else
+	echo "Snyk Code: scan failed unexpectedly (exit code $status)."
+	exit "$status"
+fi
+
+echo "Snyk Code: scan complete"
diff --git a/scripts/snyk-container-gate.sh b/scripts/snyk-container-gate.sh
new file mode 100755
index 000000000..b9a8e764e
--- /dev/null
+++ b/scripts/snyk-container-gate.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [ $# -lt 1 ]; then
+	echo "Usage: $0 <image> [additional snyk args...]"
+	exit 1
+fi
+
+export CI=1
+export TERM=dumb
+export NO_COLOR=1
+
+image="$1"
+shift
+
+snyk container test "$image" --severity-threshold=high "$@" 2>&1 |
+	perl -pe 's/\e\[[0-9;?]*[ -\/]*[@-~]//g'
diff --git a/scripts/snyk-iac-gate.sh b/scripts/snyk-iac-gate.sh
new file mode 100755
index 000000000..0814e70a9
--- /dev/null
+++ b/scripts/snyk-iac-gate.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+export CI=1
+export TERM=dumb
+export NO_COLOR=1
+
+snyk iac test --severity-threshold=high "$@" 2>&1 |
+	perl -pe 's/\e\[[0-9;?]*[ -\/]*[@-~]//g'
diff --git a/scripts/snyk-quota-config.json b/scripts/snyk-quota-config.json
new file mode 100644
index 000000000..7325acb72
--- /dev/null
+++ b/scripts/snyk-quota-config.json
@@ -0,0 +1,15 @@
+{
+  "runsPerMonth": 4,
+  "testsPerRun": {
+    "openSource": 4,
+    "code": 1,
+    "container": 1,
+    "iac": 1
+  },
+  "quotas": {
+    "openSource": 200,
+    "code": 100,
+    "container": 100,
+    "iac": 300
+  }
+}
diff --git a/scripts/snyk-quota-plan.mjs b/scripts/snyk-quota-plan.mjs
new file mode 100644
index 000000000..25b87afb7
--- /dev/null
+++ b/scripts/snyk-quota-plan.mjs
@@ -0,0 +1,151 @@
+#!/usr/bin/env node
+
+import fs from 'node:fs';
+
+const PRODUCT_KEYS = ['openSource', 'code', 'container', 'iac'];
+export const DEFAULT_CONFIG_PATH = new URL('./snyk-quota-config.json', import.meta.url);
+
+function toPositiveInt(value, name) {
+  const numeric = Number(value);
+  if (!Number.isInteger(numeric) || numeric < 0) {
+    throw new Error(`${name} must be a non-negative integer`);
+  }
+  return numeric;
+}
+
+function normalizeQuotas(quotas) {
+  return {
+    openSource: toPositiveInt(quotas?.openSource, 'quotas.openSource'),
+    code: toPositiveInt(quotas?.code, 'quotas.code'),
+    container: toPositiveInt(quotas?.container, 'quotas.container'),
+    iac: toPositiveInt(quotas?.iac, 'quotas.iac'),
+  };
+}
+
+function normalizeTestsPerRun(testsPerRun) {
+  return {
+    openSource: toPositiveInt(testsPerRun?.openSource, 'testsPerRun.openSource'),
+    code: toPositiveInt(testsPerRun?.code, 'testsPerRun.code'),
+    container: toPositiveInt(testsPerRun?.container, 'testsPerRun.container'),
+    iac: toPositiveInt(testsPerRun?.iac, 'testsPerRun.iac'),
+  };
+}
+
+function normalizeQuotaConfig(config) {
+  return {
+    runsPerMonth: toPositiveInt(config?.runsPerMonth, 'runsPerMonth'),
+    testsPerRun: normalizeTestsPerRun(config?.testsPerRun),
+    quotas: normalizeQuotas(config?.quotas),
+  };
+}
+
+export function loadQuotaConfig(configPath = DEFAULT_CONFIG_PATH) {
+  let raw;
+  try {
+    raw = fs.readFileSync(configPath, 'utf8');
+  } catch (error) {
+    throw new Error(
+      `Unable to read quota config at ${String(configPath)}: ${
+        error instanceof Error ? error.message : String(error)
+      }`,
+    );
+  }
+
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (error) {
+    throw new Error(
+      `Quota config is not valid JSON at ${String(configPath)}: ${
+        error instanceof Error ? error.message : String(error)
+      }`,
+    );
+  }
+
+  return normalizeQuotaConfig(parsed);
+}
+
+export function evaluateQuotaPlan({
+  runsPerMonth,
+  openSourceTestsPerRun,
+  codeTestsPerRun,
+  containerTestsPerRun,
+  iacTestsPerRun,
+  quotas,
+}) {
+  const normalizedQuotas = normalizeQuotas(quotas);
+  const normalizedRunsPerMonth = toPositiveInt(runsPerMonth, 'runsPerMonth');
+  const monthly = {
+    openSource:
+      normalizedRunsPerMonth * toPositiveInt(openSourceTestsPerRun, 'openSourceTestsPerRun'),
+    code: normalizedRunsPerMonth * toPositiveInt(codeTestsPerRun, 'codeTestsPerRun'),
+    container: normalizedRunsPerMonth * toPositiveInt(containerTestsPerRun, 'containerTestsPerRun'),
+    iac: normalizedRunsPerMonth * toPositiveInt(iacTestsPerRun, 'iacTestsPerRun'),
+  };
+
+  const violations = [];
+  for (const product of PRODUCT_KEYS) {
+    const monthlyTests = monthly[product];
+    const quota = normalizedQuotas[product];
+    if (monthlyTests > quota) {
+      violations.push(`${product} exceeds monthly quota: ${monthlyTests}/${quota}`);
+    }
+  }
+
+  return {
+    ok: violations.length === 0,
+    monthly,
+    violations,
+  };
+}
+
+function parseArgs(argv) {
+  const args = {};
+  for (let i = 0; i < argv.length; i += 1) {
+    const key = argv[i];
+    if (!key.startsWith('--')) {
+      continue;
+    }
+    const value = argv[i + 1];
+    if (value === undefined || value.startsWith('--')) {
+      throw new Error(`Missing value for argument: ${key}`);
+    }
+    args[key.slice(2)] = value;
+    i += 1;
+  }
+  return args;
+}
+
+function main() {
+  const args = parseArgs(process.argv.slice(2));
+  const config = loadQuotaConfig(args.config);
+  const plan = evaluateQuotaPlan({
+    runsPerMonth: args.runsPerMonth ?? config.runsPerMonth,
+    openSourceTestsPerRun: args.openSourceTestsPerRun ?? config.testsPerRun.openSource,
+    codeTestsPerRun: args.codeTestsPerRun ?? config.testsPerRun.code,
+    containerTestsPerRun: args.containerTestsPerRun ?? config.testsPerRun.container,
+    iacTestsPerRun: args.iacTestsPerRun ?? config.testsPerRun.iac,
+    quotas: config.quotas,
+  });
+
+  const payload = {
+    ok: plan.ok,
+    monthly: plan.monthly,
+    quotas: config.quotas,
+    violations: plan.violations,
+  };
+
+  console.log(JSON.stringify(payload, null, 2));
+  if (!plan.ok) {
+    process.exit(1);
+  }
+}
+
+if (import.meta.url === `file://${process.argv[1]}`) {
+  try {
+    main();
+  } catch (error) {
+    console.error(error instanceof Error ? error.message : String(error));
+    process.exit(1);
+  }
+}
diff --git a/scripts/snyk-quota-plan.test.mjs b/scripts/snyk-quota-plan.test.mjs
new file mode 100644
index 000000000..3d0c8cfe8
--- /dev/null
+++ b/scripts/snyk-quota-plan.test.mjs
@@ -0,0 +1,82 @@
+import assert from 'node:assert/strict';
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import test from 'node:test';
+import { evaluateQuotaPlan, loadQuotaConfig } from './snyk-quota-plan.mjs';
+
+test('default config plan stays within configured Snyk quotas', () => {
+  const config = loadQuotaConfig();
+  const result = evaluateQuotaPlan({
+    runsPerMonth: config.runsPerMonth,
+    openSourceTestsPerRun: config.testsPerRun.openSource,
+    codeTestsPerRun: config.testsPerRun.code,
+    containerTestsPerRun: config.testsPerRun.container,
+    iacTestsPerRun: config.testsPerRun.iac,
+    quotas: config.quotas,
+  });
+
+  assert.equal(result.ok, true);
+  assert.equal(result.monthly.openSource, 16);
+  assert.equal(result.monthly.code, 4);
+  assert.equal(result.monthly.container, 4);
+  assert.equal(result.monthly.iac, 4);
+  assert.equal(config.quotas.code, 100);
+});
+
+test('fails plan when code scans exceed monthly quota', () => {
+  const config = loadQuotaConfig();
+  const result = evaluateQuotaPlan({
+    runsPerMonth: 40,
+    openSourceTestsPerRun: 1,
+    codeTestsPerRun: 3,
+    containerTestsPerRun: 1,
+    iacTestsPerRun: 1,
+    quotas: config.quotas,
+  });
+
+  assert.equal(result.ok, false);
+  assert.match(result.violations.join(' '), /code/i);
+});
+
+test('loads quota and cadence values from a custom config file', () => {
+  const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'snyk-quota-plan-'));
+  const configPath = path.join(tmpDir, 'config.json');
+
+  fs.writeFileSync(
+    configPath,
+    JSON.stringify({
+      runsPerMonth: 2,
+      testsPerRun: {
+        openSource: 5,
+        code: 1,
+        container: 2,
+        iac: 3,
+      },
+      quotas: {
+        openSource: 10,
+        code: 2,
+        container: 4,
+        iac: 6,
+      },
+    }),
+  );
+
+  const config = loadQuotaConfig(configPath);
+  const result = evaluateQuotaPlan({
+    runsPerMonth: config.runsPerMonth,
+    openSourceTestsPerRun: config.testsPerRun.openSource,
+    codeTestsPerRun: config.testsPerRun.code,
+    containerTestsPerRun: config.testsPerRun.container,
+    iacTestsPerRun: config.testsPerRun.iac,
+    quotas: config.quotas,
+  });
+
+  assert.equal(result.ok, true);
+  assert.deepEqual(result.monthly, {
+    openSource: 10,
+    code: 2,
+    container: 4,
+    iac: 6,
+  });
+});
diff --git a/scripts/start-drydock.sh b/scripts/start-drydock.sh
index 7eaa67919..4fcc304e1 100755
--- a/scripts/start-drydock.sh
+++ b/scripts/start-drydock.sh
@@ -97,10 +97,9 @@ fi
 DOCKER_ARGS+=(--env DD_REGISTRY_GCR_PRIVATE_CLIENTEMAIL="${GCR_CLIENT_EMAIL:-gcr@drydock-test.iam.gserviceaccount.com}")
 DOCKER_ARGS+=(--env "DD_REGISTRY_GCR_PRIVATE_PRIVATEKEY=${GCR_PRIVATE_KEY:------BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDZ\n-----END PRIVATE KEY-----}")
 
-# shellcheck disable=SC2016,SC2054
 DOCKER_ARGS+=(
 	--env DD_AUTH_BASIC_JOHN_USER="john"
-	--env DD_AUTH_BASIC_JOHN_HASH='argon2id$65536$3$4$ZHJ5ZG9jay1iYXNpYy1hdXRoLXNhbHQ=$GumQTfvOsp+hTyVxLIQvvP2izj/+lCCVYTPnwm9+ZC0+x0OQomJgNgIYFI7e5iUZtblM2rlIIYIwxaAeegWMKQ=='
+	--env DD_AUTH_BASIC_JOHN_HASH="argon2id\$65536\$3\$4\$ZHJ5ZG9jay1iYXNpYy1hdXRoLXNhbHQ=\$GumQTfvOsp+hTyVxLIQvvP2izj/+lCCVYTPnwm9+ZC0+x0OQomJgNgIYFI7e5iUZtblM2rlIIYIwxaAeegWMKQ=="
 	drydock
 )
 
diff --git a/scripts/validate-commit-msg.mjs b/scripts/validate-commit-msg.mjs
new file mode 100644
index 000000000..f9da51067
--- /dev/null
+++ b/scripts/validate-commit-msg.mjs
@@ -0,0 +1,33 @@
+#!/usr/bin/env node
+
+import { readFileSync } from 'node:fs';
+import { formatValidationFailure, validateCommitMessage } from './commit-message.mjs';
+
+function main() {
+  const commitMessageFile = process.argv[2];
+
+  if (!commitMessageFile) {
+    console.error('❌ Missing commit message file argument.');
+    console.error('This script must be executed by the git commit-msg hook.');
+    return 1;
+  }
+
+  let commitMessage = '';
+  try {
+    commitMessage = readFileSync(commitMessageFile, 'utf8');
+  } catch (error) {
+    console.error(`❌ Failed to read commit message file: ${commitMessageFile}`);
+    console.error(error instanceof Error ? error.message : String(error));
+    return 1;
+  }
+
+  const result = validateCommitMessage(commitMessage);
+  if (!result.valid) {
+    console.error(formatValidationFailure(commitMessage, result.errors));
+    return 1;
+  }
+
+  return 0;
+}
+
+process.exit(main());
diff --git a/scripts/validate-commit-range.mjs b/scripts/validate-commit-range.mjs
new file mode 100644
index 000000000..da8e190a6
--- /dev/null
+++ b/scripts/validate-commit-range.mjs
@@ -0,0 +1,170 @@
+#!/usr/bin/env node
+
+import { execFileSync } from 'node:child_process';
+import { pathToFileURL } from 'node:url';
+import { formatValidationFailure, validateCommitMessage } from './commit-message.mjs';
+
+function getCommitSubject(rawMessage) {
+  const message = (rawMessage ?? '').trim();
+  return message.split(/\r?\n/u, 1)[0] ?? '';
+}
+
+function escapeGithubActionsCommand(value) {
+  return value.replaceAll('%', '%25').replaceAll('\r', '%0D').replaceAll('\n', '%0A');
+}
+
+export function parseArgs(args) {
+  let baseSha = '';
+  let headSha = '';
+  const positionals = [];
+
+  for (let index = 0; index < args.length; index += 1) {
+    const arg = args[index];
+
+    if (arg === '--base') {
+      baseSha = args[index + 1] ?? '';
+      index += 1;
+      continue;
+    }
+
+    if (arg === '--head') {
+      headSha = args[index + 1] ?? '';
+      index += 1;
+      continue;
+    }
+
+    if (arg.startsWith('--')) {
+      throw new Error(`Unknown argument: ${arg}`);
+    }
+
+    positionals.push(arg);
+  }
+
+  if (!baseSha && positionals[0]) {
+    baseSha = positionals[0];
+  }
+
+  if (!headSha && positionals[1]) {
+    headSha = positionals[1];
+  }
+
+  if (!baseSha || !headSha) {
+    throw new Error('Missing required arguments: --base <sha> --head <sha>');
+  }
+
+  return { baseSha, headSha };
+}
+
+export function findInvalidCommitMessages(commits) {
+  const failures = [];
+
+  for (const commit of commits) {
+    const result = validateCommitMessage(commit.message);
+    if (!result.valid) {
+      failures.push({
+        sha: commit.sha,
+        message: commit.message,
+        errors: result.errors,
+      });
+    }
+  }
+
+  return failures;
+}
+
+export function listCommitsInRange(baseSha, headSha, { execFile = execFileSync } = {}) {
+  const range = `${baseSha}..${headSha}`;
+  const output = execFile('git', ['log', '--reverse', '--format=%H%x00%B%x00', range], {
+    encoding: 'utf8',
+  });
+  return parseGitLogOutput(output);
+}
+
+function parseGitLogOutput(output) {
+  const tokens = output.split('\0');
+  const commits = [];
+
+  for (let index = 0; index + 1 < tokens.length; index += 2) {
+    const sha = tokens[index]?.trim() ?? '';
+    if (!sha) {
+      continue;
+    }
+
+    commits.push({
+      sha,
+      message: tokens[index + 1] ?? '',
+    });
+  }
+
+  return commits;
+}
+
+function printFailure(failure, stderr) {
+  const subject = getCommitSubject(failure.message) || '<empty>';
+
+  stderr(`\nCommit ${failure.sha}: ${subject}\n`);
+  stderr(formatValidationFailure(failure.message, failure.errors));
+
+  if (process.env.GITHUB_ACTIONS === 'true') {
+    const summary = escapeGithubActionsCommand(`${failure.sha} ${subject}`);
+    stderr(`::error title=Invalid commit message::${summary}`);
+  }
+}
+
+export function main(
+  args = process.argv.slice(2),
+  {
+    getCommits = listCommitsInRange,
+    getGitLogOutput,
+    stdout = console.log,
+    stderr = console.error,
+  } = {},
+) {
+  let baseSha;
+  let headSha;
+  try {
+    ({ baseSha, headSha } = parseArgs(args));
+  } catch (error) {
+    stderr('❌ Missing commit range arguments.');
+    stderr(error instanceof Error ? error.message : String(error));
+    stderr('Usage: node scripts/validate-commit-range.mjs --base <base-sha> --head <head-sha>');
+    return 1;
+  }
+
+  let commits;
+  try {
+    if (typeof getGitLogOutput === 'function') {
+      commits = parseGitLogOutput(getGitLogOutput(baseSha, headSha));
+    } else {
+      commits = getCommits(baseSha, headSha);
+    }
+  } catch (error) {
+    stderr(`❌ Failed to read commits in range ${baseSha}..${headSha}`);
+    stderr(error instanceof Error ? error.message : String(error));
+    return 1;
+  }
+
+  if (commits.length === 0) {
+    stdout(`No commits found in range ${baseSha}..${headSha}.`);
+    return 0;
+  }
+
+  const failures = findInvalidCommitMessages(commits);
+  if (failures.length === 0) {
+    stdout(`✅ Validated ${commits.length} commit message(s) in range ${baseSha}..${headSha}.`);
+    return 0;
+  }
+
+  for (const failure of failures) {
+    printFailure(failure, stderr);
+  }
+
+  stderr(`\n❌ ${failures.length} of ${commits.length} commit message(s) failed validation.`);
+  return 1;
+}
+
+const isDirectRun = process.argv[1] && import.meta.url === pathToFileURL(process.argv[1]).href;
+
+if (isDirectRun) {
+  process.exit(main());
+}
diff --git a/scripts/validate-commit-range.test.mjs b/scripts/validate-commit-range.test.mjs
new file mode 100644
index 000000000..9356a7eae
--- /dev/null
+++ b/scripts/validate-commit-range.test.mjs
@@ -0,0 +1,45 @@
+import assert from 'node:assert/strict';
+import test from 'node:test';
+import { main, parseArgs } from './validate-commit-range.mjs';
+
+test('parseArgs requires --base and --head', () => {
+  assert.throws(() => parseArgs(['--base', 'abc123']), /Missing required arguments/);
+  assert.throws(() => parseArgs(['--head', 'def456']), /Missing required arguments/);
+});
+
+test('main returns non-zero when commit range contains invalid messages', () => {
+  const stdout = [];
+  const stderr = [];
+
+  const exitCode = main(['--base', 'abc123', '--head', 'def456'], {
+    getCommits: () => [
+      { sha: '1111111', message: '✨ feat(api): add health endpoint' },
+      { sha: '2222222', message: 'fix(api): missing emoji prefix' },
+    ],
+    stdout: (message) => stdout.push(message),
+    stderr: (message) => stderr.push(message),
+  });
+
+  assert.equal(exitCode, 1);
+  assert.equal(stdout.length, 0);
+  assert.match(stderr.join('\n'), /2222222/);
+  assert.match(stderr.join('\n'), /Invalid commit message/);
+});
+
+test('main succeeds when all commit messages in range are valid', () => {
+  const stdout = [];
+  const stderr = [];
+
+  const exitCode = main(['--base', 'abc123', '--head', 'def456'], {
+    getCommits: () => [
+      { sha: '1111111', message: '✨ feat(api): add health endpoint' },
+      { sha: '2222222', message: '🐛 fix(ci): handle missing env var' },
+    ],
+    stdout: (message) => stdout.push(message),
+    stderr: (message) => stderr.push(message),
+  });
+
+  assert.equal(exitCode, 0);
+  assert.equal(stderr.length, 0);
+  assert.match(stdout.join('\n'), /Validated 2 commit message\(s\)/);
+});
diff --git a/test/README.md b/test/README.md
index 37cb3418f..de2c3cf98 100644
--- a/test/README.md
+++ b/test/README.md
@@ -2,15 +2,13 @@
 
 ## Load Testing (Artillery)
 
-Load-test scenarios live in `test/test.yml`, `test/test-behavior.yml`, and `test/test-rate-limit.yml` and run against the stack in `test/ci-compose.yml`.
+Load-test scenarios live in `test/test.yml` and `test/test-behavior.yml` and run against the stack in `test/ci-compose.yml`.
 
 ### Profiles
 
-- `smoke`: low traffic sanity check (used for pull requests)
-- `ci`: moderate traffic regression profile (used for push, advisory, optimized for faster CI runtime)
+- `ci`: default CI profile for regression and correctness gates (arrivalRate 2-6 req/s, 40s duration)
 - `behavior`: feature-behavior profile for SSE reconnect, log routes, and write-path checks
 - `stress`: higher traffic profile for manual pressure testing
-- `ratelimit`: focused burst profile that validates `429` behavior for scan endpoint limits
 
 ### Local commands
 
@@ -18,10 +16,9 @@ From repo root:
 
 ```bash
 ./scripts/run-load-test.sh
-ARTILLERY_ENV=smoke ./scripts/run-load-test.sh
+ARTILLERY_ENV=ci ./scripts/run-load-test.sh
 ARTILLERY_FILE=./test/test-behavior.yml ARTILLERY_ENV=behavior ./scripts/run-load-test.sh
 ARTILLERY_ENV=stress ./scripts/run-load-test.sh
-ARTILLERY_FILE=./test/test-rate-limit.yml ARTILLERY_ENV=ratelimit ./scripts/run-load-test.sh
 DD_LOAD_TEST_PORT=3333 ./scripts/run-load-test.sh
 ```
 
@@ -40,11 +37,9 @@ Summarize a saved JSON report (including status mix + slow endpoints):
 From `e2e/`:
 
 ```bash
-npm run load:smoke
-npm run load:behavior
 npm run load:ci
+npm run load:behavior
 npm run load:stress
-npm run load:rate-limit
 ```
 
 ### Notes
@@ -53,12 +48,10 @@ npm run load:rate-limit
 - If not available, it falls back to an explicit pinned `npx` version.
 - The load-test stack is isolated via a dedicated Compose project name to avoid collisions with other local test stacks.
 - The runner auto-selects a free random host port when `DD_LOAD_TEST_PORT` is not set.
-- The rate-limit profile resolves `containerId` through `test/load-test.processor.cjs` before measured requests so scan endpoint p95/p99 is not skewed by `/api/containers/watch` setup latency.
 - In CI, the workflow enables Buildx + GHA cache to speed repeated image builds.
 - CI uploads Artillery JSON reports as workflow artifacts and posts a short p95/p99/request-rate summary in the job summary.
-- PR smoke CI also performs a regression check against the latest non-expired `load-test-ci` artifact from `main`.
-- Regression check defaults to advisory mode with drift thresholds: `p95 <= +20%`, `p99 <= +25%`, `request_rate >= -15%`.
-- To enforce the gate, set `DD_LOAD_TEST_REGRESSION_ENFORCE=true` in the CI step environment.
+- The push CI load-test job performs a regression check against the committed baseline at `test/load-test-baselines/ci.json`.
+- Regression gate is enforced with both drift and absolute thresholds: `p95 <= +20%` and `<= 1200ms`, `p99 <= +25%` and `<= 2500ms`, `request_rate >= -15%` and `>= 10 req/s`.
 - You can run the same check locally with `./scripts/check-load-test-regression.sh <current.json> <baseline.json>`.
 - Correctness checks (5xx, failed VUs, and optional 429 bounds) are handled by `./scripts/check-load-test-correctness.sh <report.json> "<title>"`.
-- Staged enforcement: pull requests run load-test checks in advisory mode; push runs enforce correctness checks while regression drift stays advisory.
+- Load-test correctness gates are enforced for the CI profile.
diff --git a/test/cmd_test.sh b/test/cmd_test.sh
index 6b2f27e9e..0fd44acad 100755
--- a/test/cmd_test.sh
+++ b/test/cmd_test.sh
@@ -1,9 +1,6 @@
 #!/bin/bash
 
 set -e
-# shellcheck disable=SC2154
-echo "${name}"
-# shellcheck disable=SC2154
-echo "${update_kind_local_value}"
-# shellcheck disable=SC2154
-echo "${update_kind_remote_value}"
+echo "${name:-}"
+echo "${update_kind_local_value:-}"
+echo "${update_kind_remote_value:-}"
diff --git a/test/cpu-bench-compose.yml b/test/cpu-bench-compose.yml
index 7ec82aab7..15ff85c81 100644
--- a/test/cpu-bench-compose.yml
+++ b/test/cpu-bench-compose.yml
@@ -1,50 +1,71 @@
-# CPU idle benchmark: WUD latest vs Drydock 1.3.9 vs Drydock 1.4.0
+# CPU idle benchmark: version comparison (1.4.0 vs 1.4.5 vs 1.5.0-dev)
 #
-# All configured identically where possible:
-# - cron-only (hourly), no watchbydefault
-# - Drydock 1.4.0 uses optimization toggles
+# Simulates constrained hardware (Pi 4-class) via cpus + memory limits.
 #
 # Usage:
 #   docker compose -f test/cpu-bench-compose.yml up -d
-#   sleep 180   # let containers settle for 3 minutes
-#   docker stats --no-stream cpu-wud-latest cpu-drydock-139 cpu-drydock-140
+#   ./test/cpu-bench.sh              # runs warmup + measurement
+#   docker compose -f test/cpu-bench-compose.yml down
+
+x-common-env: &common-env
+  - DD_RUN_AS_ROOT=true
+  - DD_ALLOW_INSECURE_ROOT=true
+  - DD_LOG_FORMAT=json
+  - DD_WATCHER_LOCAL_WATCHBYDEFAULT=false
+  - DD_WATCHER_LOCAL_CRON=0 * * * *
+  - DD_WATCHER_LOCAL_WATCHEVENTS=false
+  - DD_LOG_BUFFER_ENABLED=false
+  - DD_SESSION_SECRET=bench
+
+x-constraints: &constraints
+  cpus: 0.5
+  mem_limit: 256m
 
 services:
-  wud-latest:
-    image: ghcr.io/getwud/wud:latest
-    container_name: cpu-wud-latest
+  # v1.4.0: curl healthcheck, first release with idle CPU optimizations
+  drydock-140:
+    image: codeswhat/drydock:1.4.0
+    container_name: cpu-dd-140
+    user: root
+    <<: *constraints
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
-    environment:
-      - WUD_WATCHER_LOCAL_WATCHBYDEFAULT=false
-      - WUD_WATCHER_LOCAL_CRON=0 * * * *
+    environment: *common-env
 
-  drydock-139:
-    image: codeswhat/drydock:1.3.9
-    container_name: cpu-drydock-139
+  # v1.4.5: curl healthcheck, latest stable
+  drydock-145:
+    image: codeswhat/drydock:1.4.5
+    container_name: cpu-dd-145
     user: root
+    <<: *constraints
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
-    environment:
-      - DD_RUN_AS_ROOT=true
-      - DD_ALLOW_INSECURE_ROOT=true
-      - DD_LOG_FORMAT=json
-      - DD_WATCHER_LOCAL_WATCHBYDEFAULT=false
-      - DD_WATCHER_LOCAL_CRON=0 * * * *
-      - DD_SESSION_SECRET=bench-139
+    environment: *common-env
 
-  drydock-140:
-    image: codeswhat/drydock:1.4.0
-    container_name: cpu-drydock-140
+  # v1.4.5 with node healthcheck (simulates what nchieffo is doing)
+  drydock-145-node:
+    image: codeswhat/drydock:1.4.5
+    container_name: cpu-dd-145-node
+    user: root
+    <<: *constraints
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment: *common-env
+    healthcheck:
+      test: ["CMD", "node", "-e", "require('http').get('http://localhost:3000/health', r => { process.exit(r.statusCode === 200 ? 0 : 1) }).on('error', () => process.exit(1))"]
+      interval: 30s
+      timeout: 5s
+
+  # v1.5.0-dev: static C binary healthcheck, curl removed
+  drydock-150:
+    image: drydock:hc-bench
+    container_name: cpu-dd-150
     user: root
+    <<: *constraints
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
-    environment:
-      - DD_RUN_AS_ROOT=true
-      - DD_ALLOW_INSECURE_ROOT=true
-      - DD_LOG_FORMAT=json
-      - DD_WATCHER_LOCAL_WATCHBYDEFAULT=false
-      - DD_WATCHER_LOCAL_CRON=0 * * * *
-      - DD_WATCHER_LOCAL_WATCHEVENTS=false
-      - DD_LOG_BUFFER_ENABLED=false
-      - DD_SESSION_SECRET=bench-140
+    environment: *common-env
+    healthcheck:
+      test: ["CMD", "/bin/healthcheck", "3000"]
+      interval: 30s
+      timeout: 5s
diff --git a/test/cpu-bench.sh b/test/cpu-bench.sh
new file mode 100755
index 000000000..79fbff0a0
--- /dev/null
+++ b/test/cpu-bench.sh
@@ -0,0 +1,92 @@
+#!/usr/bin/env bash
+# CPU idle benchmark: measure healthcheck strategy impact
+#
+# Measures CPU via docker stats over a measurement window.
+# Samples every N seconds and computes averages via awk.
+#
+# Usage:
+#   docker compose -f test/cpu-bench-compose.yml up -d
+#   ./test/cpu-bench.sh [warmup_seconds] [measure_seconds] [sample_interval]
+#
+# Defaults: 180s warmup, 60s measurement, 2s sample interval
+
+set -euo pipefail
+
+WARMUP=${1:-180}
+MEASURE=${2:-60}
+INTERVAL=${3:-2}
+CONTAINERS="cpu-dd-140 cpu-dd-145 cpu-dd-145-node cpu-dd-150"
+TMPFILE=$(mktemp)
+trap 'rm -f "$TMPFILE"' EXIT
+
+echo "=== Drydock CPU Healthcheck Benchmark ==="
+echo ""
+echo "Containers: $CONTAINERS"
+echo "Warmup:     ${WARMUP}s"
+echo "Measure:    ${MEASURE}s"
+echo "Interval:   ${INTERVAL}s"
+echo ""
+
+# Verify all containers are running
+for c in $CONTAINERS; do
+	if ! docker inspect --format='{{.State.Running}}' "$c" 2>/dev/null | grep -q true; then
+		echo "ERROR: Container $c is not running."
+		echo "Run: docker compose -f test/cpu-bench-compose.yml up -d"
+		exit 1
+	fi
+done
+
+echo "All containers running. Warming up for ${WARMUP}s..."
+sleep "$WARMUP"
+
+echo ""
+echo "Collecting CPU samples for ${MEASURE}s (every ${INTERVAL}s)..."
+echo ""
+
+# Collect samples to temp file: "container_name cpu_percent"
+true >"$TMPFILE"
+ELAPSED=0
+while [ "$ELAPSED" -lt "$MEASURE" ]; do
+	# shellcheck disable=SC2086
+	docker stats --no-stream --format '{{.Name}} {{.CPUPerc}}' $CONTAINERS 2>/dev/null | while IFS=' ' read -r name cpu_pct; do
+		cpu_val=${cpu_pct%\%}
+		echo "$name $cpu_val" >>"$TMPFILE"
+	done
+
+	ELAPSED=$((ELAPSED + INTERVAL))
+	if [ "$ELAPSED" -lt "$MEASURE" ]; then
+		sleep "$INTERVAL"
+	fi
+done
+
+# Compute and display results
+TOTAL_SAMPLES=$(grep -c "cpu-hc-curl" "$TMPFILE" 2>/dev/null || echo 0)
+
+echo "=== Results (${MEASURE}s measurement, ${TOTAL_SAMPLES} samples per container) ==="
+echo ""
+printf "%-20s %10s %10s %10s %10s\n" "Container" "Avg CPU%" "Min CPU%" "Max CPU%" "Samples"
+printf "%-20s %10s %10s %10s %10s\n" "--------------------" "----------" "----------" "----------" "----------"
+
+for c in $CONTAINERS; do
+	RESULT=$(grep "^$c " "$TMPFILE" | awk '
+    BEGIN { sum=0; count=0; min=9999; max=0 }
+    {
+      sum += $2; count++
+      if ($2 < min) min = $2
+      if ($2 > max) max = $2
+    }
+    END {
+      if (count > 0) printf "%.2f %.2f %.2f %d", sum/count, min, max, count
+      else printf "N/A N/A N/A 0"
+    }
+  ')
+	read -r avg mn mx cnt <<<"$RESULT"
+	printf "%-20s %9s%% %9s%% %9s%% %10s\n" "$c" "$avg" "$mn" "$mx" "$cnt"
+done
+
+echo ""
+echo "Legend:"
+echo "  cpu-dd-140      = v1.4.0 (curl healthcheck)"
+echo "  cpu-dd-145      = v1.4.5 (curl healthcheck)"
+echo "  cpu-dd-145-node = v1.4.5 (node -e healthcheck, simulates user override)"
+echo "  cpu-dd-150      = v1.5.0-dev (static C binary healthcheck)"
diff --git a/test/load-test-baselines/ci.json b/test/load-test-baselines/ci.json
new file mode 100644
index 000000000..c45dfafea
--- /dev/null
+++ b/test/load-test-baselines/ci.json
@@ -0,0 +1,18 @@
+{
+  "meta": {
+    "source": "committed-baseline",
+    "description": "Reference CI baseline for regression checks. Matches ci profile (arrivalRate 2-6 req/s, 40s duration).",
+    "updated_at": "2026-03-22"
+  },
+  "aggregate": {
+    "summaries": {
+      "http.response_time": {
+        "p95": 300.0,
+        "p99": 500.0
+      }
+    },
+    "rates": {
+      "http.request_rate": 5.0
+    }
+  }
+}
diff --git a/test/qa-compose.yml b/test/qa-compose.yml
index 40eb71b1c..661f21ad7 100644
--- a/test/qa-compose.yml
+++ b/test/qa-compose.yml
@@ -1,10 +1,10 @@
 services:
   drydock:
     image: drydock:dev
-    container_name: drydock-qa
+    container_name: drydock-playwright-qa
     user: root
     ports:
-      - "3333:3000"
+      - "${DD_PLAYWRIGHT_PORT:-3333}:3000"
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
       - ./qa-compose.yml:/drydock/qa-compose.yml:ro
@@ -25,7 +25,7 @@ services:
       - DD_SERVER_WEBHOOK_ENABLED=true
       - DD_SERVER_WEBHOOK_TOKEN=test-token-12345
       - DD_SESSION_SECRET=qa-test-session-secret
-      - DD_PUBLIC_URL=http://localhost:3333
+      - DD_PUBLIC_URL=http://localhost:${DD_PLAYWRIGHT_PORT:-3333}
       # --- OIDC (Dex) ---
       - DD_AUTH_OIDC_DEX_DISCOVERY=http://dex:5556/dex/.well-known/openid-configuration
       - DD_AUTH_OIDC_DEX_CLIENTID=drydock
@@ -84,9 +84,9 @@ services:
   # ── OIDC Identity Provider (Dex) ─────────────────────
   dex:
     image: dexidp/dex:latest
-    container_name: dex-oidc
-    ports:
-      - "5556:5556"
+    container_name: drydock-playwright-dex
+    expose:
+      - "5556"
     volumes:
       - ./dex-config.yaml:/etc/dex/config.yaml:ro
     command: ["dex", "serve", "/etc/dex/config.yaml"]
@@ -94,9 +94,9 @@ services:
   # ── MQTT broker (Mosquitto) ──────────────────────────
   mosquitto:
     image: eclipse-mosquitto:2
-    container_name: mosquitto
-    ports:
-      - "1883:1883"
+    container_name: drydock-playwright-mosquitto
+    expose:
+      - "1883"
     volumes:
       - ./mosquitto.conf:/mosquitto/config/mosquitto.conf:ro
     healthcheck:
@@ -112,7 +112,7 @@ services:
   # Access at http://localhost:9443 (HTTPS) or http://localhost:9000
   portainer:
     image: portainer/portainer-ce:2.27.5
-    container_name: portainer
+    container_name: drydock-playwright-portainer
     ports:
       - "9000:9000"
       - "9443:9443"
@@ -126,7 +126,7 @@ services:
   # ── Trivy vulnerability scanner (client-server mode) ──
   trivy-server:
     image: aquasec/trivy:0.69.3
-    container_name: trivy-server
+    container_name: drydock-playwright-trivy-server
     command: ["server", "--listen", "0.0.0.0:4954"]
     expose:
       - "4954"
@@ -168,8 +168,8 @@ services:
   # Icon uses colon separator with nested prefix (tests Fix 03 + Fix 06)
   nginx-hooked:
     image: nginx:1.25.5
-    pull_policy: never
-    container_name: nginx-hooked
+    pull_policy: missing
+    container_name: drydock-playwright-nginx-hooked
     labels:
       - dd.watch=true
       - dd.display.name=Nginx (Hooked)
@@ -183,8 +183,8 @@ services:
   # Icon uses colon separator (tests Fix 06)
   redis-cache:
     image: redis:7.2.0
-    pull_policy: never
-    container_name: redis-cache
+    pull_policy: missing
+    container_name: drydock-playwright-redis-cache
     labels:
       - dd.watch=true
       - dd.display.name=Redis Cache
@@ -195,8 +195,8 @@ services:
   # Icon uses dash separator (standard format — baseline comparison)
   traefik-proxy:
     image: traefik:v3.0.0
-    pull_policy: never
-    container_name: traefik-proxy
+    pull_policy: missing
+    container_name: drydock-playwright-traefik-proxy
     labels:
       - dd.watch=true
       - dd.display.name=Traefik Proxy
@@ -209,8 +209,8 @@ services:
   # LSCR/GHCR public image (tests anonymous token exchange)
   lscr-nginx:
     image: ghcr.io/linuxserver/nginx:1.26.2
-    pull_policy: never
-    container_name: lscr-nginx
+    pull_policy: missing
+    container_name: drydock-playwright-lscr-nginx
     labels:
       - dd.watch=true
       - dd.display.name=LSCR Nginx (GHCR)
@@ -219,8 +219,8 @@ services:
   # PostgreSQL ungrouped (tests ungrouped container)
   postgres-db:
     image: postgres:16.0
-    pull_policy: never
-    container_name: postgres-db
+    pull_policy: missing
+    container_name: drydock-playwright-postgres-db
     environment:
       - POSTGRES_PASSWORD=testpass
     labels:
@@ -230,8 +230,8 @@ services:
   # Mongo — old version with update (tests another registry + more data)
   mongo-db:
     image: mongo:7.0.0
-    pull_policy: never
-    container_name: mongo-db
+    pull_policy: missing
+    container_name: drydock-playwright-mongo-db
     labels:
       - dd.watch=true
       - dd.display.name=MongoDB
@@ -243,7 +243,7 @@ services:
   # After watcher finds update, trigger scan to get "blocked" bouncer status
   node-vulnerable:
     image: node:16.0.0-alpine
-    container_name: node-vulnerable
+    container_name: drydock-playwright-node-vulnerable
     command: ["node", "-e", "setInterval(() => {}, 60000)"]
     labels:
       - dd.watch=true
@@ -255,7 +255,7 @@ services:
   # Should show "unsafe" bouncer after scan (not blocked since only CRITICALs block)
   python-unsafe:
     image: python:3.9.0-slim
-    container_name: python-unsafe
+    container_name: drydock-playwright-python-unsafe
     command: ["python", "-c", "import time; time.sleep(999999)"]
     labels:
       - dd.watch=true
@@ -269,21 +269,34 @@ services:
   alpine-latest:
     image: alpine:latest
     pull_policy: always
-    container_name: alpine-latest
+    container_name: drydock-playwright-alpine-latest
     command: ["sleep", "infinity"]
     labels:
       - dd.watch=true
       - dd.display.name=Alpine (Latest)
       - dd.tag.include=^latest$$
 
+  # ── Container pinned at current version (skip update) ──
+  # Redis 7.4 has an update available but the bootstrap script
+  # calls the skip-update API so it shows the "pinned" badge.
+  redis-pinned:
+    image: redis:7.4.0
+    pull_policy: missing
+    container_name: drydock-playwright-redis-pinned
+    command: ["redis-server", "--save", ""]
+    labels:
+      - dd.watch=true
+      - dd.display.name=Redis (Pinned)
+      - dd.group=test
+
   # ── Log spammer (generates container log activity) ─────
 
   # Busybox printing a line every 5s — populates dashboard container log
   log-spammer:
     image: busybox:1.36
-    pull_policy: never
-    container_name: log-spammer
-    command: ["sh", "-c", "i=0; while true; do i=$((i+1)); echo \"[$$i] drydock-qa heartbeat $(date -u +%H:%M:%S)\"; sleep 5; done"]
+    pull_policy: missing
+    container_name: drydock-playwright-log-spammer
+    command: ["sh", "-c", "i=0; while true; do i=$((i+1)); echo \"[$$i] drydock-playwright-qa heartbeat $(date -u +%H:%M:%S)\"; sleep 5; done"]
     labels:
       - dd.watch=true
       - dd.display.name=Log Spammer
@@ -296,8 +309,8 @@ services:
   # to reproduce the Docker transient alias race condition.
   slow-shutdown:
     image: busybox:1.36
-    pull_policy: never
-    container_name: slow-shutdown
+    pull_policy: missing
+    container_name: drydock-playwright-slow-shutdown
     command: ["sh", "-c", "trap 'echo SIGTERM received; sleep 15; exit 0' TERM; echo 'slow-shutdown running'; while true; do sleep 1; done"]
     stop_grace_period: 30s
     labels:
@@ -310,8 +323,8 @@ services:
   # Memcached — starts then exits (shows "stopped" in container list)
   memcached-stopped:
     image: memcached:1.6.0
-    pull_policy: never
-    container_name: memcached-stopped
+    pull_policy: missing
+    container_name: drydock-playwright-memcached-stopped
     command: ["sh", "-c", "exit 0"]
     labels:
       - dd.watch=true
diff --git a/test/run-playwright-qa-cache.test.sh b/test/run-playwright-qa-cache.test.sh
new file mode 100755
index 000000000..7f4745c9f
--- /dev/null
+++ b/test/run-playwright-qa-cache.test.sh
@@ -0,0 +1,101 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+REPO_ROOT=$(cd "$SCRIPT_DIR/.." && pwd)
+TARGET_SCRIPT="$REPO_ROOT/scripts/run-playwright-qa.sh"
+
+make_mock_binary() {
+	local path="$1"
+	local name="$2"
+	cat >"$path/$name"
+	chmod +x "$path/$name"
+}
+
+run_case() {
+	local case_name="$1"
+	local image_exists="$2"
+	local image_created="$3"
+	local commit_epoch="$4"
+	local expect_build="$5"
+
+	local tmp_dir
+	tmp_dir=$(mktemp -d)
+	trap 'rm -rf "$tmp_dir"' RETURN
+
+	local mock_bin="$tmp_dir/bin"
+	mkdir -p "$mock_bin"
+
+	export MOCK_LOG="$tmp_dir/mock.log"
+	export MOCK_IMAGE_EXISTS="$image_exists"
+	export MOCK_IMAGE_CREATED="$image_created"
+	export MOCK_COMMIT_EPOCH="$commit_epoch"
+
+	make_mock_binary "$mock_bin" docker <<'SCRIPT'
+#!/usr/bin/env bash
+set -euo pipefail
+echo "docker $*" >> "$MOCK_LOG"
+if [[ "${1:-}" == "image" && "${2:-}" == "inspect" ]]; then
+	if [[ "$MOCK_IMAGE_EXISTS" != "1" ]]; then
+		exit 1
+	fi
+	if [[ "$*" == *"--format"* ]]; then
+		printf "%s\n" "$MOCK_IMAGE_CREATED"
+	fi
+	exit 0
+fi
+exit 0
+SCRIPT
+
+	make_mock_binary "$mock_bin" git <<'SCRIPT'
+#!/usr/bin/env bash
+set -euo pipefail
+if [[ "${1:-}" == "-C" && "${3:-}" == "log" && "${4:-}" == "-1" && "${5:-}" == "--format=%ct" ]]; then
+	printf "%s\n" "$MOCK_COMMIT_EPOCH"
+	exit 0
+fi
+echo "unexpected git args: $*" >&2
+exit 1
+SCRIPT
+
+	make_mock_binary "$mock_bin" curl <<'SCRIPT'
+#!/usr/bin/env bash
+set -euo pipefail
+exit 0
+SCRIPT
+
+	make_mock_binary "$mock_bin" npm <<'SCRIPT'
+#!/usr/bin/env bash
+set -euo pipefail
+exit 0
+SCRIPT
+
+	make_mock_binary "$mock_bin" sleep <<'SCRIPT'
+#!/usr/bin/env bash
+set -euo pipefail
+exit 0
+SCRIPT
+
+	if ! PATH="$mock_bin:$PATH" DD_PLAYWRIGHT_PORT=0 DD_PLAYWRIGHT_RESTART_COLIMA=false bash "$TARGET_SCRIPT" >/dev/null 2>&1; then
+		echo "case '$case_name' failed to execute test target" >&2
+		exit 1
+	fi
+
+	local did_build=0
+	if grep -q '^docker build ' "$MOCK_LOG"; then
+		did_build=1
+	fi
+
+	if [[ $did_build != "$expect_build" ]]; then
+		echo "FAIL: $case_name (expected build=$expect_build, got build=$did_build)" >&2
+		echo "mock log:" >&2
+		sed 's/^/  /' "$MOCK_LOG" >&2
+		exit 1
+	fi
+
+	echo "PASS: $case_name"
+}
+
+run_case "skip build when image exists and is newer than latest commit" 1 "2026-03-16T12:00:00Z" 1773600000 0
+run_case "build when image is missing" 0 "" 1773600000 1
+run_case "build when latest commit is newer than image" 1 "2026-03-15T12:00:00Z" 1773700000 1
diff --git a/test/test.yml b/test/test.yml
index 6c470275c..7146feb88 100644
--- a/test/test.yml
+++ b/test/test.yml
@@ -1,18 +1,6 @@
 config:
   target: "http://localhost:3333"
   environments:
-    smoke:
-      target: "http://localhost:3000"
-      phases:
-        - duration: 10
-          arrivalRate: 1
-          name: "Smoke warm up"
-        - duration: 20
-          arrivalRate: 2
-          name: "Smoke steady"
-        - duration: 10
-          arrivalRate: 2
-          name: "Smoke sustain"
     ci:
       target: "http://localhost:3000"
       phases:
diff --git a/ui/components.d.ts b/ui/components.d.ts
index 45569740b..d465ce1ed 100644
--- a/ui/components.d.ts
+++ b/ui/components.d.ts
@@ -1,6 +1,5 @@
 export {};
 
-/* prettier-ignore */
 declare module 'vue' {
   export interface GlobalComponents {
     AppIcon: typeof import('./src/components/AppIcon.vue')['default'];
diff --git a/ui/knip.json b/ui/knip.json
index e895ac553..132f3ca60 100644
--- a/ui/knip.json
+++ b/ui/knip.json
@@ -1,5 +1,5 @@
 {
-  "$schema": "https://unpkg.com/knip@5/schema.json",
+  "$schema": "https://unpkg.com/knip@6/schema.json",
   "entry": ["scripts/*.mjs"],
   "project": ["src/**/*.{ts,vue}", "tests/**/*.ts"],
   "ignore": ["**/*.typecheck.ts"],
diff --git a/ui/package-lock.json b/ui/package-lock.json
index dcb4b456d..cd06ddb0d 100644
--- a/ui/package-lock.json
+++ b/ui/package-lock.json
@@ -1,25 +1,27 @@
 {
   "name": "drydock-ui",
-  "version": "1.4.5",
+  "version": "1.5.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "drydock-ui",
-      "version": "1.4.5",
+      "version": "1.5.0",
       "license": "AGPL-3.0-only",
       "dependencies": {
         "@fontsource/ibm-plex-mono": "^5.2.7",
+        "grid-layout-plus": "^1.1.1",
         "iconify-icon": "^3.0.2",
-        "tailwindcss": "^4.2.1",
+        "tailwindcss": "^4.2.2",
         "vue": "^3.5.30",
-        "vue-router": "^5.0.2"
+        "vue-draggable-plus": "^0.6.1",
+        "vue-router": "^5.0.4"
       },
       "devDependencies": {
         "@fontsource/comic-mono": "^5.2.5",
         "@fontsource/commit-mono": "^5.2.5",
-        "@fontsource/inconsolata": "^5.2.7",
-        "@fontsource/jetbrains-mono": "^5.2.7",
+        "@fontsource/inconsolata": "^5.2.8",
+        "@fontsource/jetbrains-mono": "^5.2.8",
         "@fontsource/source-code-pro": "^5.2.7",
         "@iconify-json/fa6-solid": "^1.2.4",
         "@iconify-json/heroicons": "^1.2.3",
@@ -29,16 +31,19 @@
         "@iconify-json/tabler": "^1.2.31",
         "@storybook/vue3": "^10.2.19",
         "@storybook/vue3-vite": "^10.2.19",
-        "@tailwindcss/vite": "^4.2.1",
+        "@stryker-mutator/core": "^9.6.0",
+        "@stryker-mutator/typescript-checker": "^9.6.0",
+        "@stryker-mutator/vitest-runner": "^9.6.0",
+        "@tailwindcss/vite": "^4.2.2",
         "@types/node": "^25.5.0",
         "@vitejs/plugin-vue": "^6.0.5",
         "@vitest/coverage-v8": "^4.1.0",
-        "@vue/test-utils": "^2.4.0",
-        "jsdom": "^29.0.0",
-        "knip": "^5.87.0",
+        "@vue/test-utils": "^2.4.6",
+        "jsdom": "^29.0.1",
+        "knip": "^6.0.1",
         "storybook": "^10.2.19",
         "typescript": "^5.9.3",
-        "vite": "^7.3.1",
+        "vite": "^8.0.1",
         "vitest": "^4.1.0"
       },
       "engines": {
@@ -69,10 +74,20 @@
         "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
       }
     },
+    "node_modules/@asamuzakjp/css-color/node_modules/lru-cache": {
+      "version": "11.2.7",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.2.7.tgz",
+      "integrity": "sha512-aY/R+aEsRelme17KGQa/1ZSIpLpNYYrhcrepKTZgE+W3WM16YMCaPwOHLHsmopZHELU0Ojin1lPVxKR0MihncA==",
+      "dev": true,
+      "license": "BlueOak-1.0.0",
+      "engines": {
+        "node": "20 || >=22"
+      }
+    },
     "node_modules/@asamuzakjp/dom-selector": {
-      "version": "7.0.3",
-      "resolved": "https://registry.npmjs.org/@asamuzakjp/dom-selector/-/dom-selector-7.0.3.tgz",
-      "integrity": "sha512-Q6mU0Z6bfj6YvnX2k9n0JxiIwrCFN59x/nWmYQnAqP000ruX/yV+5bp/GRcF5T8ncvfwJQ7fgfP74DlpKExILA==",
+      "version": "7.0.4",
+      "resolved": "https://registry.npmjs.org/@asamuzakjp/dom-selector/-/dom-selector-7.0.4.tgz",
+      "integrity": "sha512-jXR6x4AcT3eIrS2fSNAwJpwirOkGcd+E7F7CP3zjdTqz9B/2huHOL8YJZBgekKwLML+u7qB/6P1LXQuMScsx0w==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -86,6 +101,16 @@
         "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
       }
     },
+    "node_modules/@asamuzakjp/dom-selector/node_modules/lru-cache": {
+      "version": "11.2.7",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.2.7.tgz",
+      "integrity": "sha512-aY/R+aEsRelme17KGQa/1ZSIpLpNYYrhcrepKTZgE+W3WM16YMCaPwOHLHsmopZHELU0Ojin1lPVxKR0MihncA==",
+      "dev": true,
+      "license": "BlueOak-1.0.0",
+      "engines": {
+        "node": "20 || >=22"
+      }
+    },
     "node_modules/@asamuzakjp/nwsapi": {
       "version": "2.3.9",
       "resolved": "https://registry.npmjs.org/@asamuzakjp/nwsapi/-/nwsapi-2.3.9.tgz",
@@ -99,7 +124,6 @@
       "integrity": "sha512-9NhCeYjq9+3uxgdtp20LSiJXJvN0FeCtNGpJxuMFZ1Kv3cWUNb6DOhJwUvcVCzKGR66cw4njwM6hrJLqgOwbcw==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@babel/helper-validator-identifier": "^7.28.5",
         "js-tokens": "^4.0.0",
@@ -109,13 +133,56 @@
         "node": ">=6.9.0"
       }
     },
-    "node_modules/@babel/code-frame/node_modules/js-tokens": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz",
-      "integrity": "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==",
+    "node_modules/@babel/compat-data": {
+      "version": "7.29.0",
+      "resolved": "https://registry.npmjs.org/@babel/compat-data/-/compat-data-7.29.0.tgz",
+      "integrity": "sha512-T1NCJqT/j9+cn8fvkt7jtwbLBfLC/1y1c7NtCeXFRgzGTsafi68MRv8yzkYSapBnFA6L3U2VSc02ciDzoAJhJg==",
       "dev": true,
       "license": "MIT",
-      "peer": true
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/core": {
+      "version": "7.29.0",
+      "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.29.0.tgz",
+      "integrity": "sha512-CGOfOJqWjg2qW/Mb6zNsDm+u5vFQ8DxXfbM09z69p5Z6+mE1ikP2jUXw+j42Pf1XTYED2Rni5f95npYeuwMDQA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/code-frame": "^7.29.0",
+        "@babel/generator": "^7.29.0",
+        "@babel/helper-compilation-targets": "^7.28.6",
+        "@babel/helper-module-transforms": "^7.28.6",
+        "@babel/helpers": "^7.28.6",
+        "@babel/parser": "^7.29.0",
+        "@babel/template": "^7.28.6",
+        "@babel/traverse": "^7.29.0",
+        "@babel/types": "^7.29.0",
+        "@jridgewell/remapping": "^2.3.5",
+        "convert-source-map": "^2.0.0",
+        "debug": "^4.1.0",
+        "gensync": "^1.0.0-beta.2",
+        "json5": "^2.2.3",
+        "semver": "^6.3.1"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/babel"
+      }
+    },
+    "node_modules/@babel/core/node_modules/semver": {
+      "version": "6.3.1",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
+      "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
+      "dev": true,
+      "license": "ISC",
+      "bin": {
+        "semver": "bin/semver.js"
+      }
     },
     "node_modules/@babel/generator": {
       "version": "7.29.1",
@@ -133,485 +200,662 @@
         "node": ">=6.9.0"
       }
     },
-    "node_modules/@babel/helper-string-parser": {
-      "version": "7.27.1",
-      "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.27.1.tgz",
-      "integrity": "sha512-qMlSxKbpRlAridDExk92nSobyDdpPijUq2DW6oDnUqd0iOGxmQjyqhMIihI9+zv4LPyZdRje2cavWPbCbWm3eA==",
+    "node_modules/@babel/helper-annotate-as-pure": {
+      "version": "7.27.3",
+      "resolved": "https://registry.npmjs.org/@babel/helper-annotate-as-pure/-/helper-annotate-as-pure-7.27.3.tgz",
+      "integrity": "sha512-fXSwMQqitTGeHLBC08Eq5yXz2m37E4pJX1qAU1+2cNedz/ifv/bVXft90VeSav5nFO61EcNgwr0aJxbyPaWBPg==",
+      "dev": true,
       "license": "MIT",
+      "dependencies": {
+        "@babel/types": "^7.27.3"
+      },
       "engines": {
         "node": ">=6.9.0"
       }
     },
-    "node_modules/@babel/helper-validator-identifier": {
-      "version": "7.28.5",
-      "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.28.5.tgz",
-      "integrity": "sha512-qSs4ifwzKJSV39ucNjsvc6WVHs6b7S03sOh2OcHF9UHfVPqWWALUsNUVzhSBiItjRZoLHx7nIarVjqKVusUZ1Q==",
+    "node_modules/@babel/helper-compilation-targets": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.28.6.tgz",
+      "integrity": "sha512-JYtls3hqi15fcx5GaSNL7SCTJ2MNmjrkHXg4FSpOA/grxK8KwyZ5bubHsCq8FXCkua6xhuaaBit+3b7+VZRfcA==",
+      "dev": true,
       "license": "MIT",
+      "dependencies": {
+        "@babel/compat-data": "^7.28.6",
+        "@babel/helper-validator-option": "^7.27.1",
+        "browserslist": "^4.24.0",
+        "lru-cache": "^5.1.1",
+        "semver": "^6.3.1"
+      },
       "engines": {
         "node": ">=6.9.0"
       }
     },
-    "node_modules/@babel/parser": {
-      "version": "7.29.0",
-      "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.0.tgz",
-      "integrity": "sha512-IyDgFV5GeDUVX4YdF/3CPULtVGSXXMLh1xVIgdCgxApktqnQV0r7/8Nqthg+8YLGaAtdyIlo2qIdZrbCv4+7ww==",
+    "node_modules/@babel/helper-compilation-targets/node_modules/semver": {
+      "version": "6.3.1",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
+      "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
+      "dev": true,
+      "license": "ISC",
+      "bin": {
+        "semver": "bin/semver.js"
+      }
+    },
+    "node_modules/@babel/helper-create-class-features-plugin": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/helper-create-class-features-plugin/-/helper-create-class-features-plugin-7.28.6.tgz",
+      "integrity": "sha512-dTOdvsjnG3xNT9Y0AUg1wAl38y+4Rl4sf9caSQZOXdNqVn+H+HbbJ4IyyHaIqNR6SW9oJpA/RuRjsjCw2IdIow==",
+      "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@babel/types": "^7.29.0"
+        "@babel/helper-annotate-as-pure": "^7.27.3",
+        "@babel/helper-member-expression-to-functions": "^7.28.5",
+        "@babel/helper-optimise-call-expression": "^7.27.1",
+        "@babel/helper-replace-supers": "^7.28.6",
+        "@babel/helper-skip-transparent-expression-wrappers": "^7.27.1",
+        "@babel/traverse": "^7.28.6",
+        "semver": "^6.3.1"
       },
-      "bin": {
-        "parser": "bin/babel-parser.js"
+      "engines": {
+        "node": ">=6.9.0"
       },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0"
+      }
+    },
+    "node_modules/@babel/helper-create-class-features-plugin/node_modules/semver": {
+      "version": "6.3.1",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
+      "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
+      "dev": true,
+      "license": "ISC",
+      "bin": {
+        "semver": "bin/semver.js"
+      }
+    },
+    "node_modules/@babel/helper-globals": {
+      "version": "7.28.0",
+      "resolved": "https://registry.npmjs.org/@babel/helper-globals/-/helper-globals-7.28.0.tgz",
+      "integrity": "sha512-+W6cISkXFa1jXsDEdYA8HeevQT/FULhxzR99pxphltZcVaugps53THCeiWA8SguxxpSp3gKPiuYfSWopkLQ4hw==",
+      "dev": true,
+      "license": "MIT",
       "engines": {
-        "node": ">=6.0.0"
+        "node": ">=6.9.0"
       }
     },
-    "node_modules/@babel/runtime": {
-      "version": "7.28.6",
-      "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.28.6.tgz",
-      "integrity": "sha512-05WQkdpL9COIMz4LjTxGpPNCdlpyimKppYNoJ5Di5EUObifl8t4tuLuUBBZEpoLYOmfvIWrsp9fCl0HoPRVTdA==",
+    "node_modules/@babel/helper-member-expression-to-functions": {
+      "version": "7.28.5",
+      "resolved": "https://registry.npmjs.org/@babel/helper-member-expression-to-functions/-/helper-member-expression-to-functions-7.28.5.tgz",
+      "integrity": "sha512-cwM7SBRZcPCLgl8a7cY0soT1SptSzAlMH39vwiRpOQkJlh53r5hdHwLSCZpQdVLT39sZt+CRpNwYG4Y2v77atg==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
+      "dependencies": {
+        "@babel/traverse": "^7.28.5",
+        "@babel/types": "^7.28.5"
+      },
       "engines": {
         "node": ">=6.9.0"
       }
     },
-    "node_modules/@babel/types": {
-      "version": "7.29.0",
-      "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.29.0.tgz",
-      "integrity": "sha512-LwdZHpScM4Qz8Xw2iKSzS+cfglZzJGvofQICy7W7v4caru4EaAmyUuO6BGrbyQ2mYV11W0U8j5mBhd14dd3B0A==",
+    "node_modules/@babel/helper-module-imports": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.28.6.tgz",
+      "integrity": "sha512-l5XkZK7r7wa9LucGw9LwZyyCUscb4x37JWTPz7swwFE/0FMQAGpiWUZn8u9DzkSBWEcK25jmvubfpw2dnAMdbw==",
+      "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@babel/helper-string-parser": "^7.27.1",
-        "@babel/helper-validator-identifier": "^7.28.5"
+        "@babel/traverse": "^7.28.6",
+        "@babel/types": "^7.28.6"
       },
       "engines": {
         "node": ">=6.9.0"
       }
     },
-    "node_modules/@bcoe/v8-coverage": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/@bcoe/v8-coverage/-/v8-coverage-1.0.2.tgz",
-      "integrity": "sha512-6zABk/ECA/QYSCQ1NGiVwwbQerUCZ+TQbp64Q3AgmfNvurHH0j8TtXa1qbShXA6qqkpAj4V5W8pP6mLe1mcMqA==",
+    "node_modules/@babel/helper-module-transforms": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.28.6.tgz",
+      "integrity": "sha512-67oXFAYr2cDLDVGLXTEABjdBJZ6drElUSI7WKp70NrpyISso3plG9SAGEF6y7zbha/wOzUByWWTJvEDVNIUGcA==",
       "dev": true,
       "license": "MIT",
+      "dependencies": {
+        "@babel/helper-module-imports": "^7.28.6",
+        "@babel/helper-validator-identifier": "^7.28.5",
+        "@babel/traverse": "^7.28.6"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0"
       }
     },
-    "node_modules/@bramus/specificity": {
-      "version": "2.4.2",
-      "resolved": "https://registry.npmjs.org/@bramus/specificity/-/specificity-2.4.2.tgz",
-      "integrity": "sha512-ctxtJ/eA+t+6q2++vj5j7FYX3nRu311q1wfYH3xjlLOsczhlhxAg2FWNUXhpGvAw3BWo1xBcvOV6/YLc2r5FJw==",
+    "node_modules/@babel/helper-optimise-call-expression": {
+      "version": "7.27.1",
+      "resolved": "https://registry.npmjs.org/@babel/helper-optimise-call-expression/-/helper-optimise-call-expression-7.27.1.tgz",
+      "integrity": "sha512-URMGH08NzYFhubNSGJrpUEphGKQwMQYBySzat5cAByY1/YgIRkULnIy3tAMeszlL/so2HbeilYloUmSpd7GdVw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "css-tree": "^3.0.0"
+        "@babel/types": "^7.27.1"
       },
-      "bin": {
-        "specificity": "bin/cli.js"
+      "engines": {
+        "node": ">=6.9.0"
       }
     },
-    "node_modules/@csstools/color-helpers": {
-      "version": "6.0.2",
-      "resolved": "https://registry.npmjs.org/@csstools/color-helpers/-/color-helpers-6.0.2.tgz",
-      "integrity": "sha512-LMGQLS9EuADloEFkcTBR3BwV/CGHV7zyDxVRtVDTwdI2Ca4it0CCVTT9wCkxSgokjE5Ho41hEPgb8OEUwoXr6Q==",
+    "node_modules/@babel/helper-plugin-utils": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.28.6.tgz",
+      "integrity": "sha512-S9gzZ/bz83GRysI7gAD4wPT/AI3uCnY+9xn+Mx/KPs2JwHJIz1W8PZkg2cqyt3RNOBM8ejcXhV6y8Og7ly/Dug==",
       "dev": true,
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/csstools"
-        },
-        {
-          "type": "opencollective",
-          "url": "https://opencollective.com/csstools"
-        }
-      ],
-      "license": "MIT-0",
+      "license": "MIT",
       "engines": {
-        "node": ">=20.19.0"
+        "node": ">=6.9.0"
       }
     },
-    "node_modules/@csstools/css-calc": {
-      "version": "3.1.1",
-      "resolved": "https://registry.npmjs.org/@csstools/css-calc/-/css-calc-3.1.1.tgz",
-      "integrity": "sha512-HJ26Z/vmsZQqs/o3a6bgKslXGFAungXGbinULZO3eMsOyNJHeBBZfup5FiZInOghgoM4Hwnmw+OgbJCNg1wwUQ==",
+    "node_modules/@babel/helper-replace-supers": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/helper-replace-supers/-/helper-replace-supers-7.28.6.tgz",
+      "integrity": "sha512-mq8e+laIk94/yFec3DxSjCRD2Z0TAjhVbEJY3UQrlwVo15Lmt7C2wAUbK4bjnTs4APkwsYLTahXRraQXhb1WCg==",
       "dev": true,
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/csstools"
-        },
-        {
-          "type": "opencollective",
-          "url": "https://opencollective.com/csstools"
-        }
-      ],
       "license": "MIT",
+      "dependencies": {
+        "@babel/helper-member-expression-to-functions": "^7.28.5",
+        "@babel/helper-optimise-call-expression": "^7.27.1",
+        "@babel/traverse": "^7.28.6"
+      },
       "engines": {
-        "node": ">=20.19.0"
+        "node": ">=6.9.0"
       },
       "peerDependencies": {
-        "@csstools/css-parser-algorithms": "^4.0.0",
-        "@csstools/css-tokenizer": "^4.0.0"
+        "@babel/core": "^7.0.0"
       }
     },
-    "node_modules/@csstools/css-color-parser": {
-      "version": "4.0.2",
-      "resolved": "https://registry.npmjs.org/@csstools/css-color-parser/-/css-color-parser-4.0.2.tgz",
-      "integrity": "sha512-0GEfbBLmTFf0dJlpsNU7zwxRIH0/BGEMuXLTCvFYxuL1tNhqzTbtnFICyJLTNK4a+RechKP75e7w42ClXSnJQw==",
+    "node_modules/@babel/helper-skip-transparent-expression-wrappers": {
+      "version": "7.27.1",
+      "resolved": "https://registry.npmjs.org/@babel/helper-skip-transparent-expression-wrappers/-/helper-skip-transparent-expression-wrappers-7.27.1.tgz",
+      "integrity": "sha512-Tub4ZKEXqbPjXgWLl2+3JpQAYBJ8+ikpQ2Ocj/q/r0LwE3UhENh7EUabyHjz2kCEsrRY83ew2DQdHluuiDQFzg==",
       "dev": true,
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/csstools"
-        },
-        {
-          "type": "opencollective",
-          "url": "https://opencollective.com/csstools"
-        }
-      ],
       "license": "MIT",
       "dependencies": {
-        "@csstools/color-helpers": "^6.0.2",
-        "@csstools/css-calc": "^3.1.1"
+        "@babel/traverse": "^7.27.1",
+        "@babel/types": "^7.27.1"
       },
       "engines": {
-        "node": ">=20.19.0"
-      },
-      "peerDependencies": {
-        "@csstools/css-parser-algorithms": "^4.0.0",
-        "@csstools/css-tokenizer": "^4.0.0"
+        "node": ">=6.9.0"
       }
     },
-    "node_modules/@csstools/css-parser-algorithms": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/@csstools/css-parser-algorithms/-/css-parser-algorithms-4.0.0.tgz",
-      "integrity": "sha512-+B87qS7fIG3L5h3qwJ/IFbjoVoOe/bpOdh9hAjXbvx0o8ImEmUsGXN0inFOnk2ChCFgqkkGFQ+TpM5rbhkKe4w==",
+    "node_modules/@babel/helper-string-parser": {
+      "version": "7.27.1",
+      "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.27.1.tgz",
+      "integrity": "sha512-qMlSxKbpRlAridDExk92nSobyDdpPijUq2DW6oDnUqd0iOGxmQjyqhMIihI9+zv4LPyZdRje2cavWPbCbWm3eA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-validator-identifier": {
+      "version": "7.28.5",
+      "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.28.5.tgz",
+      "integrity": "sha512-qSs4ifwzKJSV39ucNjsvc6WVHs6b7S03sOh2OcHF9UHfVPqWWALUsNUVzhSBiItjRZoLHx7nIarVjqKVusUZ1Q==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@babel/helper-validator-option": {
+      "version": "7.27.1",
+      "resolved": "https://registry.npmjs.org/@babel/helper-validator-option/-/helper-validator-option-7.27.1.tgz",
+      "integrity": "sha512-YvjJow9FxbhFFKDSuFnVCe2WxXk1zWc22fFePVNEaWJEu8IrZVlda6N0uHwzZrUM1il7NC9Mlp4MaJYbYd9JSg==",
       "dev": true,
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/csstools"
-        },
-        {
-          "type": "opencollective",
-          "url": "https://opencollective.com/csstools"
-        }
-      ],
       "license": "MIT",
       "engines": {
-        "node": ">=20.19.0"
-      },
-      "peerDependencies": {
-        "@csstools/css-tokenizer": "^4.0.0"
+        "node": ">=6.9.0"
       }
     },
-    "node_modules/@csstools/css-syntax-patches-for-csstree": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/@csstools/css-syntax-patches-for-csstree/-/css-syntax-patches-for-csstree-1.1.1.tgz",
-      "integrity": "sha512-BvqN0AMWNAnLk9G8jnUT77D+mUbY/H2b3uDTvg2isJkHaOufUE2R3AOwxWo7VBQKT1lOdwdvorddo2B/lk64+w==",
+    "node_modules/@babel/helpers": {
+      "version": "7.29.2",
+      "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.29.2.tgz",
+      "integrity": "sha512-HoGuUs4sCZNezVEKdVcwqmZN8GoHirLUcLaYVNBK2J0DadGtdcqgr3BCbvH8+XUo4NGjNl3VOtSjEKNzqfFgKw==",
       "dev": true,
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/csstools"
-        },
-        {
-          "type": "opencollective",
-          "url": "https://opencollective.com/csstools"
-        }
-      ],
-      "license": "MIT-0",
-      "peerDependencies": {
-        "css-tree": "^3.2.1"
+      "license": "MIT",
+      "dependencies": {
+        "@babel/template": "^7.28.6",
+        "@babel/types": "^7.29.0"
       },
-      "peerDependenciesMeta": {
-        "css-tree": {
-          "optional": true
-        }
+      "engines": {
+        "node": ">=6.9.0"
       }
     },
-    "node_modules/@csstools/css-tokenizer": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/@csstools/css-tokenizer/-/css-tokenizer-4.0.0.tgz",
-      "integrity": "sha512-QxULHAm7cNu72w97JUNCBFODFaXpbDg+dP8b/oWFAZ2MTRppA3U00Y2L1HqaS4J6yBqxwa/Y3nMBaxVKbB/NsA==",
-      "dev": true,
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/csstools"
-        },
-        {
-          "type": "opencollective",
-          "url": "https://opencollective.com/csstools"
-        }
-      ],
+    "node_modules/@babel/parser": {
+      "version": "7.29.2",
+      "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.2.tgz",
+      "integrity": "sha512-4GgRzy/+fsBa72/RZVJmGKPmZu9Byn8o4MoLpmNe1m8ZfYnz5emHLQz3U4gLud6Zwl0RZIcgiLD7Uq7ySFuDLA==",
       "license": "MIT",
+      "dependencies": {
+        "@babel/types": "^7.29.0"
+      },
+      "bin": {
+        "parser": "bin/babel-parser.js"
+      },
       "engines": {
-        "node": ">=20.19.0"
+        "node": ">=6.0.0"
       }
     },
-    "node_modules/@emnapi/core": {
-      "version": "1.8.1",
-      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.8.1.tgz",
-      "integrity": "sha512-AvT9QFpxK0Zd8J0jopedNm+w/2fIzvtPKPjqyw9jwvBaReTTqPBk9Hixaz7KbjimP+QNz605/XnjFcDAL2pqBg==",
+    "node_modules/@babel/plugin-proposal-decorators": {
+      "version": "7.29.0",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-proposal-decorators/-/plugin-proposal-decorators-7.29.0.tgz",
+      "integrity": "sha512-CVBVv3VY/XRMxRYq5dwr2DS7/MvqPm23cOCjbwNnVrfOqcWlnefua1uUs0sjdKOGjvPUG633o07uWzJq4oI6dA==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
       "dependencies": {
-        "@emnapi/wasi-threads": "1.1.0",
-        "tslib": "^2.4.0"
+        "@babel/helper-create-class-features-plugin": "^7.28.6",
+        "@babel/helper-plugin-utils": "^7.28.6",
+        "@babel/plugin-syntax-decorators": "^7.28.6"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
       }
     },
-    "node_modules/@emnapi/runtime": {
-      "version": "1.8.1",
-      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.8.1.tgz",
-      "integrity": "sha512-mehfKSMWjjNol8659Z8KxEMrdSJDDot5SXMq00dM8BN4o+CLNXQ0xH2V7EchNHV4RmbZLmmPdEaXZc5H2FXmDg==",
+    "node_modules/@babel/plugin-syntax-decorators": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-decorators/-/plugin-syntax-decorators-7.28.6.tgz",
+      "integrity": "sha512-71EYI0ONURHJBL4rSFXnITXqXrrY8q4P0q006DPfN+Rk+ASM+++IBXem/ruokgBZR8YNEWZ8R6B+rCb8VcUTqA==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
       "dependencies": {
-        "tslib": "^2.4.0"
+        "@babel/helper-plugin-utils": "^7.28.6"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
       }
     },
-    "node_modules/@emnapi/wasi-threads": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/@emnapi/wasi-threads/-/wasi-threads-1.1.0.tgz",
-      "integrity": "sha512-WI0DdZ8xFSbgMjR1sFsKABJ/C5OnRrjT06JXbZKexJGrDuPTzZdDYfFlsgcCXCyf+suG5QU2e/y1Wo2V/OapLQ==",
+    "node_modules/@babel/plugin-syntax-jsx": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-jsx/-/plugin-syntax-jsx-7.28.6.tgz",
+      "integrity": "sha512-wgEmr06G6sIpqr8YDwA2dSRTE3bJ+V0IfpzfSY3Lfgd7YWOaAdlykvJi13ZKBt8cZHfgH1IXN+CL656W3uUa4w==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
       "dependencies": {
-        "tslib": "^2.4.0"
+        "@babel/helper-plugin-utils": "^7.28.6"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
       }
     },
-    "node_modules/@esbuild/aix-ppc64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.3.tgz",
-      "integrity": "sha512-9fJMTNFTWZMh5qwrBItuziu834eOCUcEqymSH7pY+zoMVEZg3gcPuBNxH1EvfVYe9h0x/Ptw8KBzv7qxb7l8dg==",
-      "cpu": [
-        "ppc64"
-      ],
+    "node_modules/@babel/plugin-syntax-typescript": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-typescript/-/plugin-syntax-typescript-7.28.6.tgz",
+      "integrity": "sha512-+nDNmQye7nlnuuHDboPbGm00Vqg3oO8niRRL27/4LYHUsHYh0zJ1xWOz0uRwNFmM1Avzk8wZbc6rdiYhomzv/A==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "aix"
-      ],
+      "dependencies": {
+        "@babel/helper-plugin-utils": "^7.28.6"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
       }
     },
-    "node_modules/@esbuild/android-arm": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.27.3.tgz",
-      "integrity": "sha512-i5D1hPY7GIQmXlXhs2w8AWHhenb00+GxjxRncS2ZM7YNVGNfaMxgzSGuO8o8SJzRc/oZwU2bcScvVERk03QhzA==",
-      "cpu": [
-        "arm"
-      ],
+    "node_modules/@babel/plugin-transform-destructuring": {
+      "version": "7.28.5",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-destructuring/-/plugin-transform-destructuring-7.28.5.tgz",
+      "integrity": "sha512-Kl9Bc6D0zTUcFUvkNuQh4eGXPKKNDOJQXVyyM4ZAQPMveniJdxi8XMJwLo+xSoW3MIq81bD33lcUe9kZpl0MCw==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "android"
-      ],
+      "dependencies": {
+        "@babel/helper-plugin-utils": "^7.27.1",
+        "@babel/traverse": "^7.28.5"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
       }
     },
-    "node_modules/@esbuild/android-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.27.3.tgz",
-      "integrity": "sha512-YdghPYUmj/FX2SYKJ0OZxf+iaKgMsKHVPF1MAq/P8WirnSpCStzKJFjOjzsW0QQ7oIAiccHdcqjbHmJxRb/dmg==",
-      "cpu": [
-        "arm64"
-      ],
+    "node_modules/@babel/plugin-transform-explicit-resource-management": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-explicit-resource-management/-/plugin-transform-explicit-resource-management-7.28.6.tgz",
+      "integrity": "sha512-Iao5Konzx2b6g7EPqTy40UZbcdXE126tTxVFr/nAIj+WItNxjKSYTEw3RC+A2/ZetmdJsgueL1KhaMCQHkLPIg==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "android"
-      ],
+      "dependencies": {
+        "@babel/helper-plugin-utils": "^7.28.6",
+        "@babel/plugin-transform-destructuring": "^7.28.5"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
       }
     },
-    "node_modules/@esbuild/android-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.27.3.tgz",
-      "integrity": "sha512-IN/0BNTkHtk8lkOM8JWAYFg4ORxBkZQf9zXiEOfERX/CzxW3Vg1ewAhU7QSWQpVIzTW+b8Xy+lGzdYXV6UZObQ==",
-      "cpu": [
-        "x64"
-      ],
+    "node_modules/@babel/plugin-transform-modules-commonjs": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-modules-commonjs/-/plugin-transform-modules-commonjs-7.28.6.tgz",
+      "integrity": "sha512-jppVbf8IV9iWWwWTQIxJMAJCWBuuKx71475wHwYytrRGQ2CWiDvYlADQno3tcYpS/T2UUWFQp3nVtYfK/YBQrA==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "android"
-      ],
+      "dependencies": {
+        "@babel/helper-module-transforms": "^7.28.6",
+        "@babel/helper-plugin-utils": "^7.28.6"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
       }
     },
-    "node_modules/@esbuild/darwin-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.27.3.tgz",
-      "integrity": "sha512-Re491k7ByTVRy0t3EKWajdLIr0gz2kKKfzafkth4Q8A5n1xTHrkqZgLLjFEHVD+AXdUGgQMq+Godfq45mGpCKg==",
-      "cpu": [
-        "arm64"
-      ],
+    "node_modules/@babel/plugin-transform-typescript": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/plugin-transform-typescript/-/plugin-transform-typescript-7.28.6.tgz",
+      "integrity": "sha512-0YWL2RFxOqEm9Efk5PvreamxPME8OyY0wM5wh5lHjF+VtVhdneCWGzZeSqzOfiobVqQaNCd2z0tQvnI9DaPWPw==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "darwin"
-      ],
+      "dependencies": {
+        "@babel/helper-annotate-as-pure": "^7.27.3",
+        "@babel/helper-create-class-features-plugin": "^7.28.6",
+        "@babel/helper-plugin-utils": "^7.28.6",
+        "@babel/helper-skip-transparent-expression-wrappers": "^7.27.1",
+        "@babel/plugin-syntax-typescript": "^7.28.6"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
       }
     },
-    "node_modules/@esbuild/darwin-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.27.3.tgz",
-      "integrity": "sha512-vHk/hA7/1AckjGzRqi6wbo+jaShzRowYip6rt6q7VYEDX4LEy1pZfDpdxCBnGtl+A5zq8iXDcyuxwtv3hNtHFg==",
-      "cpu": [
-        "x64"
-      ],
+    "node_modules/@babel/preset-typescript": {
+      "version": "7.28.5",
+      "resolved": "https://registry.npmjs.org/@babel/preset-typescript/-/preset-typescript-7.28.5.tgz",
+      "integrity": "sha512-+bQy5WOI2V6LJZpPVxY+yp66XdZ2yifu0Mc1aP5CQKgjn4QM5IN2i5fAZ4xKop47pr8rpVhiAeu+nDQa12C8+g==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "darwin"
-      ],
+      "dependencies": {
+        "@babel/helper-plugin-utils": "^7.27.1",
+        "@babel/helper-validator-option": "^7.27.1",
+        "@babel/plugin-syntax-jsx": "^7.27.1",
+        "@babel/plugin-transform-modules-commonjs": "^7.27.1",
+        "@babel/plugin-transform-typescript": "^7.28.5"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
+      },
+      "peerDependencies": {
+        "@babel/core": "^7.0.0-0"
       }
     },
-    "node_modules/@esbuild/freebsd-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.3.tgz",
-      "integrity": "sha512-ipTYM2fjt3kQAYOvo6vcxJx3nBYAzPjgTCk7QEgZG8AUO3ydUhvelmhrbOheMnGOlaSFUoHXB6un+A7q4ygY9w==",
-      "cpu": [
-        "arm64"
-      ],
+    "node_modules/@babel/runtime": {
+      "version": "7.29.2",
+      "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.29.2.tgz",
+      "integrity": "sha512-JiDShH45zKHWyGe4ZNVRrCjBz8Nh9TMmZG1kh4QTK8hCBTWBi8Da+i7s1fJw7/lYpM4ccepSNfqzZ/QvABBi5g==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "freebsd"
-      ],
+      "peer": true,
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
       }
     },
-    "node_modules/@esbuild/freebsd-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.27.3.tgz",
-      "integrity": "sha512-dDk0X87T7mI6U3K9VjWtHOXqwAMJBNN2r7bejDsc+j03SEjtD9HrOl8gVFByeM0aJksoUuUVU9TBaZa2rgj0oA==",
-      "cpu": [
-        "x64"
-      ],
+    "node_modules/@babel/template": {
+      "version": "7.28.6",
+      "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.28.6.tgz",
+      "integrity": "sha512-YA6Ma2KsCdGb+WC6UpBVFJGXL58MDA6oyONbjyF/+5sBgxY/dwkhLogbMT2GXXyU84/IhRw/2D1Os1B/giz+BQ==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "freebsd"
-      ],
+      "dependencies": {
+        "@babel/code-frame": "^7.28.6",
+        "@babel/parser": "^7.28.6",
+        "@babel/types": "^7.28.6"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
       }
     },
-    "node_modules/@esbuild/linux-arm": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.27.3.tgz",
-      "integrity": "sha512-s6nPv2QkSupJwLYyfS+gwdirm0ukyTFNl3KTgZEAiJDd+iHZcbTPPcWCcRYH+WlNbwChgH2QkE9NSlNrMT8Gfw==",
-      "cpu": [
-        "arm"
-      ],
+    "node_modules/@babel/traverse": {
+      "version": "7.29.0",
+      "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.29.0.tgz",
+      "integrity": "sha512-4HPiQr0X7+waHfyXPZpWPfWL/J7dcN1mx9gL6WdQVMbPnF3+ZhSMs8tCxN7oHddJE9fhNE7+lxdnlyemKfJRuA==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
+      "dependencies": {
+        "@babel/code-frame": "^7.29.0",
+        "@babel/generator": "^7.29.0",
+        "@babel/helper-globals": "^7.28.0",
+        "@babel/parser": "^7.29.0",
+        "@babel/template": "^7.28.6",
+        "@babel/types": "^7.29.0",
+        "debug": "^4.3.1"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
       }
     },
-    "node_modules/@esbuild/linux-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.27.3.tgz",
-      "integrity": "sha512-sZOuFz/xWnZ4KH3YfFrKCf1WyPZHakVzTiqji3WDc0BCl2kBwiJLCXpzLzUBLgmp4veFZdvN5ChW4Eq/8Fc2Fg==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
+    "node_modules/@babel/types": {
+      "version": "7.29.0",
+      "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.29.0.tgz",
+      "integrity": "sha512-LwdZHpScM4Qz8Xw2iKSzS+cfglZzJGvofQICy7W7v4caru4EaAmyUuO6BGrbyQ2mYV11W0U8j5mBhd14dd3B0A==",
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
+      "dependencies": {
+        "@babel/helper-string-parser": "^7.27.1",
+        "@babel/helper-validator-identifier": "^7.28.5"
+      },
       "engines": {
-        "node": ">=18"
+        "node": ">=6.9.0"
       }
     },
-    "node_modules/@esbuild/linux-ia32": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.27.3.tgz",
-      "integrity": "sha512-yGlQYjdxtLdh0a3jHjuwOrxQjOZYD/C9PfdbgJJF3TIZWnm/tMd/RcNiLngiu4iwcBAOezdnSLAwQDPqTmtTYg==",
-      "cpu": [
-        "ia32"
-      ],
+    "node_modules/@bcoe/v8-coverage": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/@bcoe/v8-coverage/-/v8-coverage-1.0.2.tgz",
+      "integrity": "sha512-6zABk/ECA/QYSCQ1NGiVwwbQerUCZ+TQbp64Q3AgmfNvurHH0j8TtXa1qbShXA6qqkpAj4V5W8pP6mLe1mcMqA==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
       "engines": {
         "node": ">=18"
       }
     },
-    "node_modules/@esbuild/linux-loong64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.27.3.tgz",
-      "integrity": "sha512-WO60Sn8ly3gtzhyjATDgieJNet/KqsDlX5nRC5Y3oTFcS1l0KWba+SEa9Ja1GfDqSF1z6hif/SkpQJbL63cgOA==",
-      "cpu": [
-        "loong64"
-      ],
+    "node_modules/@bramus/specificity": {
+      "version": "2.4.2",
+      "resolved": "https://registry.npmjs.org/@bramus/specificity/-/specificity-2.4.2.tgz",
+      "integrity": "sha512-ctxtJ/eA+t+6q2++vj5j7FYX3nRu311q1wfYH3xjlLOsczhlhxAg2FWNUXhpGvAw3BWo1xBcvOV6/YLc2r5FJw==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "engines": {
-        "node": ">=18"
+      "dependencies": {
+        "css-tree": "^3.0.0"
+      },
+      "bin": {
+        "specificity": "bin/cli.js"
       }
     },
-    "node_modules/@esbuild/linux-mips64el": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.27.3.tgz",
-      "integrity": "sha512-APsymYA6sGcZ4pD6k+UxbDjOFSvPWyZhjaiPyl/f79xKxwTnrn5QUnXR5prvetuaSMsb4jgeHewIDCIWljrSxw==",
-      "cpu": [
-        "mips64el"
-      ],
+    "node_modules/@csstools/color-helpers": {
+      "version": "6.0.2",
+      "resolved": "https://registry.npmjs.org/@csstools/color-helpers/-/color-helpers-6.0.2.tgz",
+      "integrity": "sha512-LMGQLS9EuADloEFkcTBR3BwV/CGHV7zyDxVRtVDTwdI2Ca4it0CCVTT9wCkxSgokjE5Ho41hEPgb8OEUwoXr6Q==",
       "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
       ],
+      "license": "MIT-0",
       "engines": {
-        "node": ">=18"
+        "node": ">=20.19.0"
       }
     },
-    "node_modules/@esbuild/linux-ppc64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.27.3.tgz",
-      "integrity": "sha512-eizBnTeBefojtDb9nSh4vvVQ3V9Qf9Df01PfawPcRzJH4gFSgrObw+LveUyDoKU3kxi5+9RJTCWlj4FjYXVPEA==",
+    "node_modules/@csstools/css-calc": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/@csstools/css-calc/-/css-calc-3.1.1.tgz",
+      "integrity": "sha512-HJ26Z/vmsZQqs/o3a6bgKslXGFAungXGbinULZO3eMsOyNJHeBBZfup5FiZInOghgoM4Hwnmw+OgbJCNg1wwUQ==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
+      ],
+      "license": "MIT",
+      "engines": {
+        "node": ">=20.19.0"
+      },
+      "peerDependencies": {
+        "@csstools/css-parser-algorithms": "^4.0.0",
+        "@csstools/css-tokenizer": "^4.0.0"
+      }
+    },
+    "node_modules/@csstools/css-color-parser": {
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/@csstools/css-color-parser/-/css-color-parser-4.0.2.tgz",
+      "integrity": "sha512-0GEfbBLmTFf0dJlpsNU7zwxRIH0/BGEMuXLTCvFYxuL1tNhqzTbtnFICyJLTNK4a+RechKP75e7w42ClXSnJQw==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
+      ],
+      "license": "MIT",
+      "dependencies": {
+        "@csstools/color-helpers": "^6.0.2",
+        "@csstools/css-calc": "^3.1.1"
+      },
+      "engines": {
+        "node": ">=20.19.0"
+      },
+      "peerDependencies": {
+        "@csstools/css-parser-algorithms": "^4.0.0",
+        "@csstools/css-tokenizer": "^4.0.0"
+      }
+    },
+    "node_modules/@csstools/css-parser-algorithms": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/@csstools/css-parser-algorithms/-/css-parser-algorithms-4.0.0.tgz",
+      "integrity": "sha512-+B87qS7fIG3L5h3qwJ/IFbjoVoOe/bpOdh9hAjXbvx0o8ImEmUsGXN0inFOnk2ChCFgqkkGFQ+TpM5rbhkKe4w==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
+      ],
+      "license": "MIT",
+      "engines": {
+        "node": ">=20.19.0"
+      },
+      "peerDependencies": {
+        "@csstools/css-tokenizer": "^4.0.0"
+      }
+    },
+    "node_modules/@csstools/css-syntax-patches-for-csstree": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/@csstools/css-syntax-patches-for-csstree/-/css-syntax-patches-for-csstree-1.1.2.tgz",
+      "integrity": "sha512-5GkLzz4prTIpoyeUiIu3iV6CSG3Plo7xRVOFPKI7FVEJ3mZ0A8SwK0XU3Gl7xAkiQ+mDyam+NNp875/C5y+jSA==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
+      ],
+      "license": "MIT-0",
+      "peerDependencies": {
+        "css-tree": "^3.2.1"
+      },
+      "peerDependenciesMeta": {
+        "css-tree": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@csstools/css-tokenizer": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/@csstools/css-tokenizer/-/css-tokenizer-4.0.0.tgz",
+      "integrity": "sha512-QxULHAm7cNu72w97JUNCBFODFaXpbDg+dP8b/oWFAZ2MTRppA3U00Y2L1HqaS4J6yBqxwa/Y3nMBaxVKbB/NsA==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/csstools"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/csstools"
+        }
+      ],
+      "license": "MIT",
+      "engines": {
+        "node": ">=20.19.0"
+      }
+    },
+    "node_modules/@emnapi/core": {
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.9.1.tgz",
+      "integrity": "sha512-mukuNALVsoix/w1BJwFzwXBN/dHeejQtuVzcDsfOEsdpCumXb/E9j8w11h5S54tT1xhifGfbbSm/ICrObRb3KA==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "@emnapi/wasi-threads": "1.2.0",
+        "tslib": "^2.4.0"
+      }
+    },
+    "node_modules/@emnapi/runtime": {
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.9.1.tgz",
+      "integrity": "sha512-VYi5+ZVLhpgK4hQ0TAjiQiZ6ol0oe4mBx7mVv7IflsiEp0OWoVsp/+f9Vc1hOhE0TtkORVrI1GvzyreqpgWtkA==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "tslib": "^2.4.0"
+      }
+    },
+    "node_modules/@emnapi/wasi-threads": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/@emnapi/wasi-threads/-/wasi-threads-1.2.0.tgz",
+      "integrity": "sha512-N10dEJNSsUx41Z6pZsXU8FjPjpBEplgH24sfkmITrBED1/U2Esum9F3lfLrMjKHHjmi557zQn7kR9R+XWXu5Rg==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "tslib": "^2.4.0"
+      }
+    },
+    "node_modules/@esbuild/aix-ppc64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.4.tgz",
+      "integrity": "sha512-cQPwL2mp2nSmHHJlCyoXgHGhbEPMrEEU5xhkcy3Hs/O7nGZqEpZ2sUtLaL9MORLtDfRvVl2/3PAuEkYZH0Ty8Q==",
       "cpu": [
         "ppc64"
       ],
@@ -619,50 +863,50 @@
       "license": "MIT",
       "optional": true,
       "os": [
-        "linux"
+        "aix"
       ],
       "engines": {
         "node": ">=18"
       }
     },
-    "node_modules/@esbuild/linux-riscv64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.27.3.tgz",
-      "integrity": "sha512-3Emwh0r5wmfm3ssTWRQSyVhbOHvqegUDRd0WhmXKX2mkHJe1SFCMJhagUleMq+Uci34wLSipf8Lagt4LlpRFWQ==",
+    "node_modules/@esbuild/android-arm": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.27.4.tgz",
+      "integrity": "sha512-X9bUgvxiC8CHAGKYufLIHGXPJWnr0OCdR0anD2e21vdvgCI8lIfqFbnoeOz7lBjdrAGUhqLZLcQo6MLhTO2DKQ==",
       "cpu": [
-        "riscv64"
+        "arm"
       ],
       "dev": true,
       "license": "MIT",
       "optional": true,
       "os": [
-        "linux"
+        "android"
       ],
       "engines": {
         "node": ">=18"
       }
     },
-    "node_modules/@esbuild/linux-s390x": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.27.3.tgz",
-      "integrity": "sha512-pBHUx9LzXWBc7MFIEEL0yD/ZVtNgLytvx60gES28GcWMqil8ElCYR4kvbV2BDqsHOvVDRrOxGySBM9Fcv744hw==",
+    "node_modules/@esbuild/android-arm64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.27.4.tgz",
+      "integrity": "sha512-gdLscB7v75wRfu7QSm/zg6Rx29VLdy9eTr2t44sfTW7CxwAtQghZ4ZnqHk3/ogz7xao0QAgrkradbBzcqFPasw==",
       "cpu": [
-        "s390x"
+        "arm64"
       ],
       "dev": true,
       "license": "MIT",
       "optional": true,
       "os": [
-        "linux"
+        "android"
       ],
       "engines": {
         "node": ">=18"
       }
     },
-    "node_modules/@esbuild/linux-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.27.3.tgz",
-      "integrity": "sha512-Czi8yzXUWIQYAtL/2y6vogER8pvcsOsk5cpwL4Gk5nJqH5UZiVByIY8Eorm5R13gq+DQKYg0+JyQoytLQas4dA==",
+    "node_modules/@esbuild/android-x64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.27.4.tgz",
+      "integrity": "sha512-PzPFnBNVF292sfpfhiyiXCGSn9HZg5BcAz+ivBuSsl6Rk4ga1oEXAamhOXRFyMcjwr2DVtm40G65N3GLeH1Lvw==",
       "cpu": [
         "x64"
       ],
@@ -670,16 +914,16 @@
       "license": "MIT",
       "optional": true,
       "os": [
-        "linux"
+        "android"
       ],
       "engines": {
         "node": ">=18"
       }
     },
-    "node_modules/@esbuild/netbsd-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.3.tgz",
-      "integrity": "sha512-sDpk0RgmTCR/5HguIZa9n9u+HVKf40fbEUt+iTzSnCaGvY9kFP0YKBWZtJaraonFnqef5SlJ8/TiPAxzyS+UoA==",
+    "node_modules/@esbuild/darwin-arm64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.27.4.tgz",
+      "integrity": "sha512-b7xaGIwdJlht8ZFCvMkpDN6uiSmnxxK56N2GDTMYPr2/gzvfdQN8rTfBsvVKmIVY/X7EM+/hJKEIbbHs9oA4tQ==",
       "cpu": [
         "arm64"
       ],
@@ -687,16 +931,16 @@
       "license": "MIT",
       "optional": true,
       "os": [
-        "netbsd"
+        "darwin"
       ],
       "engines": {
         "node": ">=18"
       }
     },
-    "node_modules/@esbuild/netbsd-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.27.3.tgz",
-      "integrity": "sha512-P14lFKJl/DdaE00LItAukUdZO5iqNH7+PjoBm+fLQjtxfcfFE20Xf5CrLsmZdq5LFFZzb5JMZ9grUwvtVYzjiA==",
+    "node_modules/@esbuild/darwin-x64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.27.4.tgz",
+      "integrity": "sha512-sR+OiKLwd15nmCdqpXMnuJ9W2kpy0KigzqScqHI3Hqwr7IXxBp3Yva+yJwoqh7rE8V77tdoheRYataNKL4QrPw==",
       "cpu": [
         "x64"
       ],
@@ -704,16 +948,16 @@
       "license": "MIT",
       "optional": true,
       "os": [
-        "netbsd"
+        "darwin"
       ],
       "engines": {
         "node": ">=18"
       }
     },
-    "node_modules/@esbuild/openbsd-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.3.tgz",
-      "integrity": "sha512-AIcMP77AvirGbRl/UZFTq5hjXK+2wC7qFRGoHSDrZ5v5b8DK/GYpXW3CPRL53NkvDqb9D+alBiC/dV0Fb7eJcw==",
+    "node_modules/@esbuild/freebsd-arm64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.4.tgz",
+      "integrity": "sha512-jnfpKe+p79tCnm4GVav68A7tUFeKQwQyLgESwEAUzyxk/TJr4QdGog9sqWNcUbr/bZt/O/HXouspuQDd9JxFSw==",
       "cpu": [
         "arm64"
       ],
@@ -721,16 +965,16 @@
       "license": "MIT",
       "optional": true,
       "os": [
-        "openbsd"
+        "freebsd"
       ],
       "engines": {
         "node": ">=18"
       }
     },
-    "node_modules/@esbuild/openbsd-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.27.3.tgz",
-      "integrity": "sha512-DnW2sRrBzA+YnE70LKqnM3P+z8vehfJWHXECbwBmH/CU51z6FiqTQTHFenPlHmo3a8UgpLyH3PT+87OViOh1AQ==",
+    "node_modules/@esbuild/freebsd-x64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.27.4.tgz",
+      "integrity": "sha512-2kb4ceA/CpfUrIcTUl1wrP/9ad9Atrp5J94Lq69w7UwOMolPIGrfLSvAKJp0RTvkPPyn6CIWrNy13kyLikZRZQ==",
       "cpu": [
         "x64"
       ],
@@ -738,129 +982,375 @@
       "license": "MIT",
       "optional": true,
       "os": [
-        "openbsd"
+        "freebsd"
       ],
       "engines": {
         "node": ">=18"
       }
     },
-    "node_modules/@esbuild/openharmony-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.3.tgz",
-      "integrity": "sha512-NinAEgr/etERPTsZJ7aEZQvvg/A6IsZG/LgZy+81wON2huV7SrK3e63dU0XhyZP4RKGyTm7aOgmQk0bGp0fy2g==",
+    "node_modules/@esbuild/linux-arm": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.27.4.tgz",
+      "integrity": "sha512-aBYgcIxX/wd5n2ys0yESGeYMGF+pv6g0DhZr3G1ZG4jMfruU9Tl1i2Z+Wnj9/KjGz1lTLCcorqE2viePZqj4Eg==",
       "cpu": [
-        "arm64"
+        "arm"
       ],
       "dev": true,
       "license": "MIT",
       "optional": true,
       "os": [
-        "openharmony"
+        "linux"
       ],
       "engines": {
         "node": ">=18"
       }
     },
-    "node_modules/@esbuild/sunos-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.27.3.tgz",
-      "integrity": "sha512-PanZ+nEz+eWoBJ8/f8HKxTTD172SKwdXebZ0ndd953gt1HRBbhMsaNqjTyYLGLPdoWHy4zLU7bDVJztF5f3BHA==",
+    "node_modules/@esbuild/linux-arm64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.27.4.tgz",
+      "integrity": "sha512-7nQOttdzVGth1iz57kxg9uCz57dxQLHWxopL6mYuYthohPKEK0vU0C3O21CcBK6KDlkYVcnDXY099HcCDXd9dA==",
       "cpu": [
-        "x64"
+        "arm64"
       ],
       "dev": true,
       "license": "MIT",
       "optional": true,
       "os": [
-        "sunos"
+        "linux"
       ],
       "engines": {
         "node": ">=18"
       }
     },
-    "node_modules/@esbuild/win32-arm64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.27.3.tgz",
-      "integrity": "sha512-B2t59lWWYrbRDw/tjiWOuzSsFh1Y/E95ofKz7rIVYSQkUYBjfSgf6oeYPNWHToFRr2zx52JKApIcAS/D5TUBnA==",
+    "node_modules/@esbuild/linux-ia32": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.27.4.tgz",
+      "integrity": "sha512-oPtixtAIzgvzYcKBQM/qZ3R+9TEUd1aNJQu0HhGyqtx6oS7qTpvjheIWBbes4+qu1bNlo2V4cbkISr8q6gRBFA==",
       "cpu": [
-        "arm64"
+        "ia32"
       ],
       "dev": true,
       "license": "MIT",
       "optional": true,
       "os": [
-        "win32"
+        "linux"
       ],
       "engines": {
         "node": ">=18"
       }
     },
-    "node_modules/@esbuild/win32-ia32": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.3.tgz",
-      "integrity": "sha512-QLKSFeXNS8+tHW7tZpMtjlNb7HKau0QDpwm49u0vUp9y1WOF+PEzkU84y9GqYaAVW8aH8f3GcBck26jh54cX4Q==",
+    "node_modules/@esbuild/linux-loong64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.27.4.tgz",
+      "integrity": "sha512-8mL/vh8qeCoRcFH2nM8wm5uJP+ZcVYGGayMavi8GmRJjuI3g1v6Z7Ni0JJKAJW+m0EtUuARb6Lmp4hMjzCBWzA==",
       "cpu": [
-        "ia32"
+        "loong64"
       ],
       "dev": true,
       "license": "MIT",
       "optional": true,
       "os": [
-        "win32"
+        "linux"
       ],
       "engines": {
         "node": ">=18"
       }
     },
-    "node_modules/@esbuild/win32-x64": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.27.3.tgz",
-      "integrity": "sha512-4uJGhsxuptu3OcpVAzli+/gWusVGwZZHTlS63hh++ehExkVT8SgiEf7/uC/PclrPPkLhZqGgCTjd0VWLo6xMqA==",
+    "node_modules/@esbuild/linux-mips64el": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.27.4.tgz",
+      "integrity": "sha512-1RdrWFFiiLIW7LQq9Q2NES+HiD4NyT8Itj9AUeCl0IVCA459WnPhREKgwrpaIfTOe+/2rdntisegiPWn/r/aAw==",
       "cpu": [
-        "x64"
+        "mips64el"
       ],
       "dev": true,
       "license": "MIT",
       "optional": true,
       "os": [
-        "win32"
+        "linux"
       ],
       "engines": {
         "node": ">=18"
       }
     },
-    "node_modules/@exodus/bytes": {
-      "version": "1.15.0",
-      "resolved": "https://registry.npmjs.org/@exodus/bytes/-/bytes-1.15.0.tgz",
-      "integrity": "sha512-UY0nlA+feH81UGSHv92sLEPLCeZFjXOuHhrIo0HQydScuQc8s0A7kL/UdgwgDq8g8ilksmuoF35YVTNphV2aBQ==",
+    "node_modules/@esbuild/linux-ppc64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.27.4.tgz",
+      "integrity": "sha512-tLCwNG47l3sd9lpfyx9LAGEGItCUeRCWeAx6x2Jmbav65nAwoPXfewtAdtbtit/pJFLUWOhpv0FpS6GQAmPrHA==",
+      "cpu": [
+        "ppc64"
+      ],
       "dev": true,
       "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
       "engines": {
-        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
-      },
-      "peerDependencies": {
-        "@noble/hashes": "^1.8.0 || ^2.0.0"
-      },
-      "peerDependenciesMeta": {
-        "@noble/hashes": {
-          "optional": true
-        }
+        "node": ">=18"
       }
     },
-    "node_modules/@fontsource/comic-mono": {
-      "version": "5.2.5",
-      "resolved": "https://registry.npmjs.org/@fontsource/comic-mono/-/comic-mono-5.2.5.tgz",
-      "integrity": "sha512-LkTanqEt2YSFors2j+VSnvJlVO5n8zDyjlQU+hz9yl30MHyRsyJfgWyrVHKfE0NjbMVlVScZ4xT5Q72oR0MyXA==",
+    "node_modules/@esbuild/linux-riscv64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.27.4.tgz",
+      "integrity": "sha512-BnASypppbUWyqjd1KIpU4AUBiIhVr6YlHx/cnPgqEkNoVOhHg+YiSVxM1RLfiy4t9cAulbRGTNCKOcqHrEQLIw==",
+      "cpu": [
+        "riscv64"
+      ],
       "dev": true,
-      "license": "mit",
-      "funding": {
-        "url": "https://github.com/sponsors/ayuhito"
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
       }
     },
-    "node_modules/@fontsource/commit-mono": {
-      "version": "5.2.5",
-      "resolved": "https://registry.npmjs.org/@fontsource/commit-mono/-/commit-mono-5.2.5.tgz",
-      "integrity": "sha512-htX8yQWtiPt5L1Hzh4sirvfUJT2+KYiquDB/Q2sY2tWQYplpBUOD5zHnIM3k36Hnm4V+JIIqA/wmwupSQ68WjA==",
+    "node_modules/@esbuild/linux-s390x": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.27.4.tgz",
+      "integrity": "sha512-+eUqgb/Z7vxVLezG8bVB9SfBie89gMueS+I0xYh2tJdw3vqA/0ImZJ2ROeWwVJN59ihBeZ7Tu92dF/5dy5FttA==",
+      "cpu": [
+        "s390x"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/linux-x64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.27.4.tgz",
+      "integrity": "sha512-S5qOXrKV8BQEzJPVxAwnryi2+Iq5pB40gTEIT69BQONqR7JH1EPIcQ/Uiv9mCnn05jff9umq/5nqzxlqTOg9NA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/netbsd-arm64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.4.tgz",
+      "integrity": "sha512-xHT8X4sb0GS8qTqiwzHqpY00C95DPAq7nAwX35Ie/s+LO9830hrMd3oX0ZMKLvy7vsonee73x0lmcdOVXFzd6Q==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "netbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/netbsd-x64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.27.4.tgz",
+      "integrity": "sha512-RugOvOdXfdyi5Tyv40kgQnI0byv66BFgAqjdgtAKqHoZTbTF2QqfQrFwa7cHEORJf6X2ht+l9ABLMP0dnKYsgg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "netbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/openbsd-arm64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.4.tgz",
+      "integrity": "sha512-2MyL3IAaTX+1/qP0O1SwskwcwCoOI4kV2IBX1xYnDDqthmq5ArrW94qSIKCAuRraMgPOmG0RDTA74mzYNQA9ow==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/openbsd-x64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.27.4.tgz",
+      "integrity": "sha512-u8fg/jQ5aQDfsnIV6+KwLOf1CmJnfu1ShpwqdwC0uA7ZPwFws55Ngc12vBdeUdnuWoQYx/SOQLGDcdlfXhYmXQ==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openbsd"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/openharmony-arm64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.4.tgz",
+      "integrity": "sha512-JkTZrl6VbyO8lDQO3yv26nNr2RM2yZzNrNHEsj9bm6dOwwu9OYN28CjzZkH57bh4w0I2F7IodpQvUAEd1mbWXg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openharmony"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/sunos-x64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.27.4.tgz",
+      "integrity": "sha512-/gOzgaewZJfeJTlsWhvUEmUG4tWEY2Spp5M20INYRg2ZKl9QPO3QEEgPeRtLjEWSW8FilRNacPOg8R1uaYkA6g==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "sunos"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/win32-arm64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.27.4.tgz",
+      "integrity": "sha512-Z9SExBg2y32smoDQdf1HRwHRt6vAHLXcxD2uGgO/v2jK7Y718Ix4ndsbNMU/+1Qiem9OiOdaqitioZwxivhXYg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/win32-ia32": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.4.tgz",
+      "integrity": "sha512-DAyGLS0Jz5G5iixEbMHi5KdiApqHBWMGzTtMiJ72ZOLhbu/bzxgAe8Ue8CTS3n3HbIUHQz/L51yMdGMeoxXNJw==",
+      "cpu": [
+        "ia32"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@esbuild/win32-x64": {
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.27.4.tgz",
+      "integrity": "sha512-+knoa0BDoeXgkNvvV1vvbZX4+hizelrkwmGJBdT17t8FNPwG2lKemmuMZlmaNQ3ws3DKKCxpb4zRZEIp3UxFCg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@exodus/bytes": {
+      "version": "1.15.0",
+      "resolved": "https://registry.npmjs.org/@exodus/bytes/-/bytes-1.15.0.tgz",
+      "integrity": "sha512-UY0nlA+feH81UGSHv92sLEPLCeZFjXOuHhrIo0HQydScuQc8s0A7kL/UdgwgDq8g8ilksmuoF35YVTNphV2aBQ==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+      },
+      "peerDependencies": {
+        "@noble/hashes": "^1.8.0 || ^2.0.0"
+      },
+      "peerDependenciesMeta": {
+        "@noble/hashes": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@floating-ui/core": {
+      "version": "1.7.5",
+      "resolved": "https://registry.npmjs.org/@floating-ui/core/-/core-1.7.5.tgz",
+      "integrity": "sha512-1Ih4WTWyw0+lKyFMcBHGbb5U5FtuHJuujoyyr5zTaWS5EYMeT6Jb2AuDeftsCsEuchO+mM2ij5+q9crhydzLhQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@floating-ui/utils": "^0.2.11"
+      }
+    },
+    "node_modules/@floating-ui/dom": {
+      "version": "1.7.6",
+      "resolved": "https://registry.npmjs.org/@floating-ui/dom/-/dom-1.7.6.tgz",
+      "integrity": "sha512-9gZSAI5XM36880PPMm//9dfiEngYoC6Am2izES1FF406YFsjvyBMmeJ2g4SAju3xWwtuynNRFL2s9hgxpLI5SQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@floating-ui/core": "^1.7.5",
+        "@floating-ui/utils": "^0.2.11"
+      }
+    },
+    "node_modules/@floating-ui/utils": {
+      "version": "0.2.11",
+      "resolved": "https://registry.npmjs.org/@floating-ui/utils/-/utils-0.2.11.tgz",
+      "integrity": "sha512-RiB/yIh78pcIxl6lLMG0CgBXAZ2Y0eVHqMPYugu+9U0AeT6YBeiJpf7lbdJNIugFP5SIjwNRgo4DhR1Qxi26Gg==",
+      "license": "MIT"
+    },
+    "node_modules/@fontsource/comic-mono": {
+      "version": "5.2.5",
+      "resolved": "https://registry.npmjs.org/@fontsource/comic-mono/-/comic-mono-5.2.5.tgz",
+      "integrity": "sha512-LkTanqEt2YSFors2j+VSnvJlVO5n8zDyjlQU+hz9yl30MHyRsyJfgWyrVHKfE0NjbMVlVScZ4xT5Q72oR0MyXA==",
+      "dev": true,
+      "license": "mit",
+      "funding": {
+        "url": "https://github.com/sponsors/ayuhito"
+      }
+    },
+    "node_modules/@fontsource/commit-mono": {
+      "version": "5.2.5",
+      "resolved": "https://registry.npmjs.org/@fontsource/commit-mono/-/commit-mono-5.2.5.tgz",
+      "integrity": "sha512-htX8yQWtiPt5L1Hzh4sirvfUJT2+KYiquDB/Q2sY2tWQYplpBUOD5zHnIM3k36Hnm4V+JIIqA/wmwupSQ68WjA==",
       "dev": true,
       "license": "OFL-1.1",
       "funding": {
@@ -937,9 +1427,9 @@
       }
     },
     "node_modules/@iconify-json/lucide": {
-      "version": "1.2.98",
-      "resolved": "https://registry.npmjs.org/@iconify-json/lucide/-/lucide-1.2.98.tgz",
-      "integrity": "sha512-Lx2464W8Tty/QEnZ2UPb73nPdML/HpGCj0J0w37jP3/jx3l4fniZBjDxe1TgHiIL5XW9QO3vlx53ZQZ5JsNpzQ==",
+      "version": "1.2.99",
+      "resolved": "https://registry.npmjs.org/@iconify-json/lucide/-/lucide-1.2.99.tgz",
+      "integrity": "sha512-XE2Pg8uax2uN3ZbvvnO0C5ADgZOyUgEPiwnhD/xrJwz/bfpWwL3mbDwxntEWB2G1mwo2OqKMF50/jp6ia2QzKw==",
       "dev": true,
       "license": "ISC",
       "dependencies": {
@@ -957,9 +1447,9 @@
       }
     },
     "node_modules/@iconify-json/tabler": {
-      "version": "1.2.31",
-      "resolved": "https://registry.npmjs.org/@iconify-json/tabler/-/tabler-1.2.31.tgz",
-      "integrity": "sha512-Jfcw5TpGhfKKWyz1dGk7e79zIgDmpMKNYL0bjt17sURBPifAxowQcWAzcEhuiWU7FGXUM2NT6UhvACFZp7Hnjw==",
+      "version": "1.2.32",
+      "resolved": "https://registry.npmjs.org/@iconify-json/tabler/-/tabler-1.2.32.tgz",
+      "integrity": "sha512-0UlpROc9X0VrqJLeE87o3JLsQauHMhj82GnH9TkPaymhBeS9wPB3NOqxQyzw+MHgPL08uVSggwfkTaoRfhQ+RQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -972,51 +1462,401 @@
       "integrity": "sha512-+wluvCrRhXrhyOmRDJ3q8mux9JkKy5SJ/v8ol2tu4FVjyYvtEzkc/3pK15ET6RKg4b4w4BmTk1+gsCUhf21Ykg==",
       "license": "MIT"
     },
-    "node_modules/@isaacs/cliui": {
-      "version": "8.0.2",
-      "resolved": "https://registry.npmjs.org/@isaacs/cliui/-/cliui-8.0.2.tgz",
-      "integrity": "sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA==",
+    "node_modules/@inquirer/ansi": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/@inquirer/ansi/-/ansi-2.0.4.tgz",
+      "integrity": "sha512-DpcZrQObd7S0R/U3bFdkcT5ebRwbTTC4D3tCc1vsJizmgPLxNJBo+AAFmrZwe8zk30P2QzgzGWZ3Q9uJwWuhIg==",
       "dev": true,
-      "license": "ISC",
-      "dependencies": {
-        "string-width": "^5.1.2",
-        "string-width-cjs": "npm:string-width@^4.2.0",
-        "strip-ansi": "^7.0.1",
-        "strip-ansi-cjs": "npm:strip-ansi@^6.0.1",
-        "wrap-ansi": "^8.1.0",
-        "wrap-ansi-cjs": "npm:wrap-ansi@^7.0.0"
-      },
+      "license": "MIT",
       "engines": {
-        "node": ">=12"
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
       }
     },
-    "node_modules/@jridgewell/gen-mapping": {
-      "version": "0.3.13",
-      "resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.13.tgz",
-      "integrity": "sha512-2kkt/7niJ6MgEPxF0bYdQ6etZaA+fQvDcLKckhy1yIQOzaoKjBBjSj63/aLVjYE3qhRt5dvM+uUyfCg6UKCBbA==",
+    "node_modules/@inquirer/checkbox": {
+      "version": "5.1.2",
+      "resolved": "https://registry.npmjs.org/@inquirer/checkbox/-/checkbox-5.1.2.tgz",
+      "integrity": "sha512-PubpMPO2nJgMufkoB3P2wwxNXEMUXnBIKi/ACzDUYfaoPuM7gSTmuxJeMscoLVEsR4qqrCMf5p0SiYGWnVJ8kw==",
+      "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@jridgewell/sourcemap-codec": "^1.5.0",
-        "@jridgewell/trace-mapping": "^0.3.24"
+        "@inquirer/ansi": "^2.0.4",
+        "@inquirer/core": "^11.1.7",
+        "@inquirer/figures": "^2.0.4",
+        "@inquirer/type": "^4.0.4"
+      },
+      "engines": {
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
       }
     },
-    "node_modules/@jridgewell/remapping": {
-      "version": "2.3.5",
-      "resolved": "https://registry.npmjs.org/@jridgewell/remapping/-/remapping-2.3.5.tgz",
-      "integrity": "sha512-LI9u/+laYG4Ds1TDKSJW2YPrIlcVYOwi2fUC6xB43lueCjgxV4lffOCZCtYFiH6TNOX+tQKXx97T4IKHbhyHEQ==",
+    "node_modules/@inquirer/confirm": {
+      "version": "6.0.10",
+      "resolved": "https://registry.npmjs.org/@inquirer/confirm/-/confirm-6.0.10.tgz",
+      "integrity": "sha512-tiNyA73pgpQ0FQ7axqtoLUe4GDYjNCDcVsbgcA5anvwg2z6i+suEngLKKJrWKJolT//GFPZHwN30binDIHgSgQ==",
+      "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@jridgewell/gen-mapping": "^0.3.5",
-        "@jridgewell/trace-mapping": "^0.3.24"
+        "@inquirer/core": "^11.1.7",
+        "@inquirer/type": "^4.0.4"
+      },
+      "engines": {
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
       }
     },
-    "node_modules/@jridgewell/resolve-uri": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.2.tgz",
-      "integrity": "sha512-bRISgCIjP20/tbWSPWMEi54QVPRZExkuD9lJL+UIxUKtwVJA8wW1Trb1jMs1RFXo1CBTNZ/5hpC9QvmKWdopKw==",
+    "node_modules/@inquirer/core": {
+      "version": "11.1.7",
+      "resolved": "https://registry.npmjs.org/@inquirer/core/-/core-11.1.7.tgz",
+      "integrity": "sha512-1BiBNDk9btIwYIzNZpkikIHXWeNzNncJePPqwDyVMhXhD1ebqbpn1mKGctpoqAbzywZfdG0O4tvmsGIcOevAPQ==",
+      "dev": true,
       "license": "MIT",
+      "dependencies": {
+        "@inquirer/ansi": "^2.0.4",
+        "@inquirer/figures": "^2.0.4",
+        "@inquirer/type": "^4.0.4",
+        "cli-width": "^4.1.0",
+        "fast-wrap-ansi": "^0.2.0",
+        "mute-stream": "^3.0.0",
+        "signal-exit": "^4.1.0"
+      },
       "engines": {
-        "node": ">=6.0.0"
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@inquirer/editor": {
+      "version": "5.0.10",
+      "resolved": "https://registry.npmjs.org/@inquirer/editor/-/editor-5.0.10.tgz",
+      "integrity": "sha512-VJx4XyaKea7t8hEApTw5dxeIyMtWXre2OiyJcICCRZI4hkoHsMoCnl/KbUnJJExLbH9csLLHMVR144ZhFE1CwA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@inquirer/core": "^11.1.7",
+        "@inquirer/external-editor": "^2.0.4",
+        "@inquirer/type": "^4.0.4"
+      },
+      "engines": {
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@inquirer/expand": {
+      "version": "5.0.10",
+      "resolved": "https://registry.npmjs.org/@inquirer/expand/-/expand-5.0.10.tgz",
+      "integrity": "sha512-fC0UHJPXsTRvY2fObiwuQYaAnHrp3aDqfwKUJSdfpgv18QUG054ezGbaRNStk/BKD5IPijeMKWej8VV8O5Q/eQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@inquirer/core": "^11.1.7",
+        "@inquirer/type": "^4.0.4"
+      },
+      "engines": {
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@inquirer/external-editor": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/@inquirer/external-editor/-/external-editor-2.0.4.tgz",
+      "integrity": "sha512-Prenuv9C1PHj2Itx0BcAOVBTonz02Hc2Nd2DbU67PdGUaqn0nPCnV34oDyyoaZHnmfRxkpuhh/u51ThkrO+RdA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "chardet": "^2.1.1",
+        "iconv-lite": "^0.7.2"
+      },
+      "engines": {
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@inquirer/figures": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/@inquirer/figures/-/figures-2.0.4.tgz",
+      "integrity": "sha512-eLBsjlS7rPS3WEhmOmh1znQ5IsQrxWzxWDxO51e4urv+iVrSnIHbq4zqJIOiyNdYLa+BVjwOtdetcQx1lWPpiQ==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      }
+    },
+    "node_modules/@inquirer/input": {
+      "version": "5.0.10",
+      "resolved": "https://registry.npmjs.org/@inquirer/input/-/input-5.0.10.tgz",
+      "integrity": "sha512-nvZ6qEVeX/zVtZ1dY2hTGDQpVGD3R7MYPLODPgKO8Y+RAqxkrP3i/3NwF3fZpLdaMiNuK0z2NaYIx9tPwiSegQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@inquirer/core": "^11.1.7",
+        "@inquirer/type": "^4.0.4"
+      },
+      "engines": {
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@inquirer/number": {
+      "version": "4.0.10",
+      "resolved": "https://registry.npmjs.org/@inquirer/number/-/number-4.0.10.tgz",
+      "integrity": "sha512-Ht8OQstxiS3APMGjHV0aYAjRAysidWdwurWEo2i8yI5xbhOBWqizT0+MU1S2GCcuhIBg+3SgWVjEoXgfhY+XaA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@inquirer/core": "^11.1.7",
+        "@inquirer/type": "^4.0.4"
+      },
+      "engines": {
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@inquirer/password": {
+      "version": "5.0.10",
+      "resolved": "https://registry.npmjs.org/@inquirer/password/-/password-5.0.10.tgz",
+      "integrity": "sha512-QbNyvIE8q2GTqKLYSsA8ATG+eETo+m31DSR0+AU7x3d2FhaTWzqQek80dj3JGTo743kQc6mhBR0erMjYw5jQ0A==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@inquirer/ansi": "^2.0.4",
+        "@inquirer/core": "^11.1.7",
+        "@inquirer/type": "^4.0.4"
+      },
+      "engines": {
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@inquirer/prompts": {
+      "version": "8.3.2",
+      "resolved": "https://registry.npmjs.org/@inquirer/prompts/-/prompts-8.3.2.tgz",
+      "integrity": "sha512-yFroiSj2iiBFlm59amdTvAcQFvWS6ph5oKESls/uqPBect7rTU2GbjyZO2DqxMGuIwVA8z0P4K6ViPcd/cp+0w==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@inquirer/checkbox": "^5.1.2",
+        "@inquirer/confirm": "^6.0.10",
+        "@inquirer/editor": "^5.0.10",
+        "@inquirer/expand": "^5.0.10",
+        "@inquirer/input": "^5.0.10",
+        "@inquirer/number": "^4.0.10",
+        "@inquirer/password": "^5.0.10",
+        "@inquirer/rawlist": "^5.2.6",
+        "@inquirer/search": "^4.1.6",
+        "@inquirer/select": "^5.1.2"
+      },
+      "engines": {
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@inquirer/rawlist": {
+      "version": "5.2.6",
+      "resolved": "https://registry.npmjs.org/@inquirer/rawlist/-/rawlist-5.2.6.tgz",
+      "integrity": "sha512-jfw0MLJ5TilNsa9zlJ6nmRM0ZFVZhhTICt4/6CU2Dv1ndY7l3sqqo1gIYZyMMDw0LvE1u1nzJNisfHEhJIxq5w==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@inquirer/core": "^11.1.7",
+        "@inquirer/type": "^4.0.4"
+      },
+      "engines": {
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@inquirer/search": {
+      "version": "4.1.6",
+      "resolved": "https://registry.npmjs.org/@inquirer/search/-/search-4.1.6.tgz",
+      "integrity": "sha512-3/6kTRae98hhDevENScy7cdFEuURnSpM3JbBNg8yfXLw88HgTOl+neUuy/l9W0No5NzGsLVydhBzTIxZP7yChQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@inquirer/core": "^11.1.7",
+        "@inquirer/figures": "^2.0.4",
+        "@inquirer/type": "^4.0.4"
+      },
+      "engines": {
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@inquirer/select": {
+      "version": "5.1.2",
+      "resolved": "https://registry.npmjs.org/@inquirer/select/-/select-5.1.2.tgz",
+      "integrity": "sha512-kTK8YIkHV+f02y7bWCh7E0u2/11lul5WepVTclr3UMBtBr05PgcZNWfMa7FY57ihpQFQH/spLMHTcr0rXy50tA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@inquirer/ansi": "^2.0.4",
+        "@inquirer/core": "^11.1.7",
+        "@inquirer/figures": "^2.0.4",
+        "@inquirer/type": "^4.0.4"
+      },
+      "engines": {
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@inquirer/type": {
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/@inquirer/type/-/type-4.0.4.tgz",
+      "integrity": "sha512-PamArxO3cFJZoOzspzo6cxVlLeIftyBsZw/S9bKY5DzxqJVZgjoj1oP8d0rskKtp7sZxBycsoer1g6UeJV1BBA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=23.5.0 || ^22.13.0 || ^21.7.0 || ^20.12.0"
+      },
+      "peerDependencies": {
+        "@types/node": ">=18"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@interactjs/types": {
+      "version": "1.10.27",
+      "resolved": "https://registry.npmjs.org/@interactjs/types/-/types-1.10.27.tgz",
+      "integrity": "sha512-BUdv0cvs4H5ODuwft2Xp4eL8Vmi3LcihK42z0Ft/FbVJZoRioBsxH+LlsBdK4tAie7PqlKGy+1oyOncu1nQ6eA==",
+      "license": "MIT"
+    },
+    "node_modules/@isaacs/cliui": {
+      "version": "8.0.2",
+      "resolved": "https://registry.npmjs.org/@isaacs/cliui/-/cliui-8.0.2.tgz",
+      "integrity": "sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA==",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "string-width": "^5.1.2",
+        "string-width-cjs": "npm:string-width@^4.2.0",
+        "strip-ansi": "^7.0.1",
+        "strip-ansi-cjs": "npm:strip-ansi@^6.0.1",
+        "wrap-ansi": "^8.1.0",
+        "wrap-ansi-cjs": "npm:wrap-ansi@^7.0.0"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@jridgewell/gen-mapping": {
+      "version": "0.3.13",
+      "resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.13.tgz",
+      "integrity": "sha512-2kkt/7niJ6MgEPxF0bYdQ6etZaA+fQvDcLKckhy1yIQOzaoKjBBjSj63/aLVjYE3qhRt5dvM+uUyfCg6UKCBbA==",
+      "license": "MIT",
+      "dependencies": {
+        "@jridgewell/sourcemap-codec": "^1.5.0",
+        "@jridgewell/trace-mapping": "^0.3.24"
+      }
+    },
+    "node_modules/@jridgewell/remapping": {
+      "version": "2.3.5",
+      "resolved": "https://registry.npmjs.org/@jridgewell/remapping/-/remapping-2.3.5.tgz",
+      "integrity": "sha512-LI9u/+laYG4Ds1TDKSJW2YPrIlcVYOwi2fUC6xB43lueCjgxV4lffOCZCtYFiH6TNOX+tQKXx97T4IKHbhyHEQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@jridgewell/gen-mapping": "^0.3.5",
+        "@jridgewell/trace-mapping": "^0.3.24"
+      }
+    },
+    "node_modules/@jridgewell/resolve-uri": {
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.2.tgz",
+      "integrity": "sha512-bRISgCIjP20/tbWSPWMEi54QVPRZExkuD9lJL+UIxUKtwVJA8wW1Trb1jMs1RFXo1CBTNZ/5hpC9QvmKWdopKw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.0.0"
       }
     },
     "node_modules/@jridgewell/sourcemap-codec": {
@@ -1035,6 +1875,12 @@
         "@jridgewell/sourcemap-codec": "^1.4.14"
       }
     },
+    "node_modules/@juggle/resize-observer": {
+      "version": "3.4.0",
+      "resolved": "https://registry.npmjs.org/@juggle/resize-observer/-/resize-observer-3.4.0.tgz",
+      "integrity": "sha512-dfLbk+PwWvFzSxwk3n5ySL0hfBog779o8h68wK/7/APo/7cgyWp5jcXockbxdk5kFRkbeXWm4Fbi9FrdN381sA==",
+      "license": "Apache-2.0"
+    },
     "node_modules/@napi-rs/wasm-runtime": {
       "version": "1.1.1",
       "resolved": "https://registry.npmjs.org/@napi-rs/wasm-runtime/-/wasm-runtime-1.1.1.tgz",
@@ -1047,55 +1893,405 @@
         "@emnapi/runtime": "^1.7.1",
         "@tybys/wasm-util": "^0.10.1"
       },
-      "funding": {
-        "type": "github",
-        "url": "https://github.com/sponsors/Brooooooklyn"
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/Brooooooklyn"
+      }
+    },
+    "node_modules/@nodelib/fs.scandir": {
+      "version": "2.1.5",
+      "resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz",
+      "integrity": "sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@nodelib/fs.stat": "2.0.5",
+        "run-parallel": "^1.1.9"
+      },
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/@nodelib/fs.stat": {
+      "version": "2.0.5",
+      "resolved": "https://registry.npmjs.org/@nodelib/fs.stat/-/fs.stat-2.0.5.tgz",
+      "integrity": "sha512-RkhPPp2zrqDAQA/2jNhnztcPAlv64XdhIp7a7454A5ovI7Bukxgt7MX7udwAu3zg1DcpPU0rz3VV1SeaqvY4+A==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/@nodelib/fs.walk": {
+      "version": "1.2.8",
+      "resolved": "https://registry.npmjs.org/@nodelib/fs.walk/-/fs.walk-1.2.8.tgz",
+      "integrity": "sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@nodelib/fs.scandir": "2.1.5",
+        "fastq": "^1.6.0"
+      },
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/@one-ini/wasm": {
+      "version": "0.1.1",
+      "resolved": "https://registry.npmjs.org/@one-ini/wasm/-/wasm-0.1.1.tgz",
+      "integrity": "sha512-XuySG1E38YScSJoMlqovLru4KTUNSjgVTIjyh7qMX6aNN5HY5Ct5LhRJdxO79JtTzKfzV/bnWpz+zquYrISsvw==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@oxc-parser/binding-android-arm-eabi": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-android-arm-eabi/-/binding-android-arm-eabi-0.120.0.tgz",
+      "integrity": "sha512-WU3qtINx802wOl8RxAF1v0VvmC2O4D9M8Sv486nLeQ7iPHVmncYZrtBhB4SYyX+XZxj2PNnCcN+PW21jHgiOxg==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@oxc-parser/binding-android-arm64": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-android-arm64/-/binding-android-arm64-0.120.0.tgz",
+      "integrity": "sha512-SEf80EHdhlbjZEgzeWm0ZA/br4GKMenDW3QB/gtyeTV1gStvvZeFi40ioHDZvds2m4Z9J1bUAUL8yn1/+A6iGg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@oxc-parser/binding-darwin-arm64": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-darwin-arm64/-/binding-darwin-arm64-0.120.0.tgz",
+      "integrity": "sha512-xVrrbCai8R8CUIBu3CjryutQnEYhZqs1maIqDvtUCFZb8vY33H7uh9mHpL3a0JBIKoBUKjPH8+rzyAeXnS2d6A==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@oxc-parser/binding-darwin-x64": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-darwin-x64/-/binding-darwin-x64-0.120.0.tgz",
+      "integrity": "sha512-xyHBbnJ6mydnQUH7MAcafOkkrNzQC6T+LXgDH/3InEq2BWl/g424IMRiJVSpVqGjB+p2bd0h0WRR8iIwzjU7rw==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@oxc-parser/binding-freebsd-x64": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-freebsd-x64/-/binding-freebsd-x64-0.120.0.tgz",
+      "integrity": "sha512-UMnVRllquXUYTeNfFKmxTTEdZ/ix1nLl0ducDzMSREoWYGVIHnOOxoKMWlCOvRr9Wk/HZqo2rh1jeumbPGPV9A==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@oxc-parser/binding-linux-arm-gnueabihf": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-0.120.0.tgz",
+      "integrity": "sha512-tkvn2CQ7QdcsMnpfiX3fd3wA3EFsWKYlcQzq9cFw/xc89Al7W6Y4O0FgLVkVQpo0Tnq/qtE1XfkJOnRRA9S/NA==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@oxc-parser/binding-linux-arm-musleabihf": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm-musleabihf/-/binding-linux-arm-musleabihf-0.120.0.tgz",
+      "integrity": "sha512-WN5y135Ic42gQDk9grbwY9++fDhqf8knN6fnP+0WALlAUh4odY/BDK1nfTJRSfpJD9P3r1BwU0m3pW2DU89whQ==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@oxc-parser/binding-linux-arm64-gnu": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-0.120.0.tgz",
+      "integrity": "sha512-1GgQBCcXvFMw99EPdMy+4NZ3aYyXsxjf9kbUUg8HuAy3ZBXzOry5KfFEzT9nqmgZI1cuetvApkiJBZLAPo8uaw==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@oxc-parser/binding-linux-arm64-musl": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm64-musl/-/binding-linux-arm64-musl-0.120.0.tgz",
+      "integrity": "sha512-gmMQ70gsPdDBgpcErvJEoWNBr7bJooSLlvOBVBSGfOzlP5NvJ3bFvnUeZZ9d+dPrqSngtonf7nyzWUTUj/U+lw==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@oxc-parser/binding-linux-ppc64-gnu": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-0.120.0.tgz",
+      "integrity": "sha512-T/kZuU0ajop0xhzVMwH5r3srC9Nqup5HaIo+3uFjIN5uPxa0LvSxC1ZqP4aQGJVW5G0z8/nCkjIfSMS91P/wzw==",
+      "cpu": [
+        "ppc64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@oxc-parser/binding-linux-riscv64-gnu": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-riscv64-gnu/-/binding-linux-riscv64-gnu-0.120.0.tgz",
+      "integrity": "sha512-vn21KXLAXzaI3N5CZWlBr1iWeXLl9QFIMor7S1hUjUGTeUuWCoE6JZB040/ZNDwf+JXPX8Ao9KbmJq9FMC2iGw==",
+      "cpu": [
+        "riscv64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@oxc-parser/binding-linux-riscv64-musl": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-riscv64-musl/-/binding-linux-riscv64-musl-0.120.0.tgz",
+      "integrity": "sha512-SUbUxlar007LTGmSLGIC5x/WJvwhdX+PwNzFJ9f/nOzZOrCFbOT4ikt7pJIRg1tXVsEfzk5mWpGO1NFiSs4PIw==",
+      "cpu": [
+        "riscv64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@oxc-parser/binding-linux-s390x-gnu": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-0.120.0.tgz",
+      "integrity": "sha512-hYiPJTxyfJY2+lMBFk3p2bo0R9GN+TtpPFlRqVchL1qvLG+pznstramHNvJlw9AjaoRUHwp9IKR7UZQnRPGjgQ==",
+      "cpu": [
+        "s390x"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@oxc-parser/binding-linux-x64-gnu": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-x64-gnu/-/binding-linux-x64-gnu-0.120.0.tgz",
+      "integrity": "sha512-q+5jSVZkprJCIy3dzJpApat0InJaoxQLsJuD6DkX8hrUS61z2lHQ1Fe9L2+TYbKHXCLWbL0zXe7ovkIdopBGMQ==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@oxc-parser/binding-linux-x64-musl": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-x64-musl/-/binding-linux-x64-musl-0.120.0.tgz",
+      "integrity": "sha512-D9QDDZNnH24e7X4ftSa6ar/2hCavETfW3uk0zgcMIrZNy459O5deTbWrjGzZiVrSWigGtlQwzs2McBP0QsfV1w==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@oxc-parser/binding-openharmony-arm64": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-openharmony-arm64/-/binding-openharmony-arm64-0.120.0.tgz",
+      "integrity": "sha512-TBU8ZwOUWAOUWVfmI16CYWbvh4uQb9zHnGBHsw5Cp2JUVG044OIY1CSHODLifqzQIMTXvDvLzcL89GGdUIqNrA==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openharmony"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@oxc-parser/binding-wasm32-wasi": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-wasm32-wasi/-/binding-wasm32-wasi-0.120.0.tgz",
+      "integrity": "sha512-WG/FOZgDJCpJnuF3ToG/K28rcOmSY7FmFmfBKYb2fmLyhDzPpUldFGV7/Fz4ru0Iz/v4KPmf8xVgO8N3lO4KHA==",
+      "cpu": [
+        "wasm32"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "@napi-rs/wasm-runtime": "^1.1.1"
+      },
+      "engines": {
+        "node": ">=14.0.0"
       }
     },
-    "node_modules/@nodelib/fs.scandir": {
-      "version": "2.1.5",
-      "resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz",
-      "integrity": "sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==",
+    "node_modules/@oxc-parser/binding-win32-arm64-msvc": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-0.120.0.tgz",
+      "integrity": "sha512-1T0HKGcsz/BKo77t7+89L8Qvu4f9DoleKWHp3C5sJEcbCjDOLx3m9m722bWZTY+hANlUEs+yjlK+lBFsA+vrVQ==",
+      "cpu": [
+        "arm64"
+      ],
       "dev": true,
       "license": "MIT",
-      "dependencies": {
-        "@nodelib/fs.stat": "2.0.5",
-        "run-parallel": "^1.1.9"
-      },
+      "optional": true,
+      "os": [
+        "win32"
+      ],
       "engines": {
-        "node": ">= 8"
+        "node": "^20.19.0 || >=22.12.0"
       }
     },
-    "node_modules/@nodelib/fs.stat": {
-      "version": "2.0.5",
-      "resolved": "https://registry.npmjs.org/@nodelib/fs.stat/-/fs.stat-2.0.5.tgz",
-      "integrity": "sha512-RkhPPp2zrqDAQA/2jNhnztcPAlv64XdhIp7a7454A5ovI7Bukxgt7MX7udwAu3zg1DcpPU0rz3VV1SeaqvY4+A==",
+    "node_modules/@oxc-parser/binding-win32-ia32-msvc": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-0.120.0.tgz",
+      "integrity": "sha512-L7vfLzbOXsjBXV0rv/6Y3Jd9BRjPeCivINZAqrSyAOZN3moCopDN+Psq9ZrGNZtJzP8946MtlRFZ0Als0wBCOw==",
+      "cpu": [
+        "ia32"
+      ],
       "dev": true,
       "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
       "engines": {
-        "node": ">= 8"
+        "node": "^20.19.0 || >=22.12.0"
       }
     },
-    "node_modules/@nodelib/fs.walk": {
-      "version": "1.2.8",
-      "resolved": "https://registry.npmjs.org/@nodelib/fs.walk/-/fs.walk-1.2.8.tgz",
-      "integrity": "sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg==",
+    "node_modules/@oxc-parser/binding-win32-x64-msvc": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-x64-msvc/-/binding-win32-x64-msvc-0.120.0.tgz",
+      "integrity": "sha512-ys+upfqNtSu58huAhJMBKl3XCkGzyVFBlMlGPzHeFKgpFF/OdgNs1MMf8oaJIbgMH8ZxgGF7qfue39eJohmKIg==",
+      "cpu": [
+        "x64"
+      ],
       "dev": true,
       "license": "MIT",
-      "dependencies": {
-        "@nodelib/fs.scandir": "2.1.5",
-        "fastq": "^1.6.0"
-      },
+      "optional": true,
+      "os": [
+        "win32"
+      ],
       "engines": {
-        "node": ">= 8"
+        "node": "^20.19.0 || >=22.12.0"
       }
     },
-    "node_modules/@one-ini/wasm": {
-      "version": "0.1.1",
-      "resolved": "https://registry.npmjs.org/@one-ini/wasm/-/wasm-0.1.1.tgz",
-      "integrity": "sha512-XuySG1E38YScSJoMlqovLru4KTUNSjgVTIjyh7qMX6aNN5HY5Ct5LhRJdxO79JtTzKfzV/bnWpz+zquYrISsvw==",
+    "node_modules/@oxc-project/types": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.120.0.tgz",
+      "integrity": "sha512-k1YNu55DuvAip/MGE1FTsIuU3FUCn6v/ujG9V7Nq5Df/kX2CWb13hhwD0lmJGMGqE+bE1MXvv9SZVnMzEXlWcg==",
       "dev": true,
-      "license": "MIT"
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/Boshen"
+      }
     },
     "node_modules/@oxc-resolver/binding-android-arm-eabi": {
       "version": "11.19.1",
@@ -1391,31 +2587,10 @@
         "node": ">=14"
       }
     },
-    "node_modules/@rolldown/pluginutils": {
-      "version": "1.0.0-rc.2",
-      "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-rc.2.tgz",
-      "integrity": "sha512-izyXV/v+cHiRfozX62W9htOAvwMo4/bXKDrQ+vom1L1qRuexPock/7VZDAhnpHCLNejd3NJ6hiab+tO0D44Rgw==",
-      "dev": true,
-      "license": "MIT"
-    },
-    "node_modules/@rollup/rollup-android-arm-eabi": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.59.0.tgz",
-      "integrity": "sha512-upnNBkA6ZH2VKGcBj9Fyl9IGNPULcjXRlg0LLeaioQWueH30p6IXtJEbKAgvyv+mJaMxSm1l6xwDXYjpEMiLMg==",
-      "cpu": [
-        "arm"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "android"
-      ]
-    },
-    "node_modules/@rollup/rollup-android-arm64": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.59.0.tgz",
-      "integrity": "sha512-hZ+Zxj3SySm4A/DylsDKZAeVg0mvi++0PYVceVyX7hemkw7OreKdCvW2oQ3T1FMZvCaQXqOTHb8qmBShoqk69Q==",
+    "node_modules/@rolldown/binding-android-arm64": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-android-arm64/-/binding-android-arm64-1.0.0-rc.12.tgz",
+      "integrity": "sha512-pv1y2Fv0JybcykuiiD3qBOBdz6RteYojRFY1d+b95WVuzx211CRh+ytI/+9iVyWQ6koTh5dawe4S/yRfOFjgaA==",
       "cpu": [
         "arm64"
       ],
@@ -1424,12 +2599,15 @@
       "optional": true,
       "os": [
         "android"
-      ]
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
     },
-    "node_modules/@rollup/rollup-darwin-arm64": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.59.0.tgz",
-      "integrity": "sha512-W2Psnbh1J8ZJw0xKAd8zdNgF9HRLkdWwwdWqubSVk0pUuQkoHnv7rx4GiF9rT4t5DIZGAsConRE3AxCdJ4m8rg==",
+    "node_modules/@rolldown/binding-darwin-arm64": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-arm64/-/binding-darwin-arm64-1.0.0-rc.12.tgz",
+      "integrity": "sha512-cFYr6zTG/3PXXF3pUO+umXxt1wkRK/0AYT8lDwuqvRC+LuKYWSAQAQZjCWDQpAH172ZV6ieYrNnFzVVcnSflAg==",
       "cpu": [
         "arm64"
       ],
@@ -1438,12 +2616,15 @@
       "optional": true,
       "os": [
         "darwin"
-      ]
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
     },
-    "node_modules/@rollup/rollup-darwin-x64": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.59.0.tgz",
-      "integrity": "sha512-ZW2KkwlS4lwTv7ZVsYDiARfFCnSGhzYPdiOU4IM2fDbL+QGlyAbjgSFuqNRbSthybLbIJ915UtZBtmuLrQAT/w==",
+    "node_modules/@rolldown/binding-darwin-x64": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-x64/-/binding-darwin-x64-1.0.0-rc.12.tgz",
+      "integrity": "sha512-ZCsYknnHzeXYps0lGBz8JrF37GpE9bFVefrlmDrAQhOEi4IOIlcoU1+FwHEtyXGx2VkYAvhu7dyBf75EJQffBw==",
       "cpu": [
         "x64"
       ],
@@ -1452,26 +2633,15 @@
       "optional": true,
       "os": [
         "darwin"
-      ]
-    },
-    "node_modules/@rollup/rollup-freebsd-arm64": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-arm64/-/rollup-freebsd-arm64-4.59.0.tgz",
-      "integrity": "sha512-EsKaJ5ytAu9jI3lonzn3BgG8iRBjV4LxZexygcQbpiU0wU0ATxhNVEpXKfUa0pS05gTcSDMKpn3Sx+QB9RlTTA==",
-      "cpu": [
-        "arm64"
       ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "freebsd"
-      ]
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
     },
-    "node_modules/@rollup/rollup-freebsd-x64": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-x64/-/rollup-freebsd-x64-4.59.0.tgz",
-      "integrity": "sha512-d3DuZi2KzTMjImrxoHIAODUZYoUUMsuUiY4SRRcJy6NJoZ6iIqWnJu9IScV9jXysyGMVuW+KNzZvBLOcpdl3Vg==",
+    "node_modules/@rolldown/binding-freebsd-x64": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-freebsd-x64/-/binding-freebsd-x64-1.0.0-rc.12.tgz",
+      "integrity": "sha512-dMLeprcVsyJsKolRXyoTH3NL6qtsT0Y2xeuEA8WQJquWFXkEC4bcu1rLZZSnZRMtAqwtrF/Ib9Ddtpa/Gkge9Q==",
       "cpu": [
         "x64"
       ],
@@ -1480,26 +2650,15 @@
       "optional": true,
       "os": [
         "freebsd"
-      ]
-    },
-    "node_modules/@rollup/rollup-linux-arm-gnueabihf": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.59.0.tgz",
-      "integrity": "sha512-t4ONHboXi/3E0rT6OZl1pKbl2Vgxf9vJfWgmUoCEVQVxhW6Cw/c8I6hbbu7DAvgp82RKiH7TpLwxnJeKv2pbsw==",
-      "cpu": [
-        "arm"
       ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ]
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
     },
-    "node_modules/@rollup/rollup-linux-arm-musleabihf": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-musleabihf/-/rollup-linux-arm-musleabihf-4.59.0.tgz",
-      "integrity": "sha512-CikFT7aYPA2ufMD086cVORBYGHffBo4K8MQ4uPS/ZnY54GKj36i196u8U+aDVT2LX4eSMbyHtyOh7D7Zvk2VvA==",
+    "node_modules/@rolldown/binding-linux-arm-gnueabihf": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-1.0.0-rc.12.tgz",
+      "integrity": "sha512-YqWjAgGC/9M1lz3GR1r1rP79nMgo3mQiiA+Hfo+pvKFK1fAJ1bCi0ZQVh8noOqNacuY1qIcfyVfP6HoyBRZ85Q==",
       "cpu": [
         "arm"
       ],
@@ -1508,26 +2667,15 @@
       "optional": true,
       "os": [
         "linux"
-      ]
-    },
-    "node_modules/@rollup/rollup-linux-arm64-gnu": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.59.0.tgz",
-      "integrity": "sha512-jYgUGk5aLd1nUb1CtQ8E+t5JhLc9x5WdBKew9ZgAXg7DBk0ZHErLHdXM24rfX+bKrFe+Xp5YuJo54I5HFjGDAA==",
-      "cpu": [
-        "arm64"
       ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ]
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
     },
-    "node_modules/@rollup/rollup-linux-arm64-musl": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.59.0.tgz",
-      "integrity": "sha512-peZRVEdnFWZ5Bh2KeumKG9ty7aCXzzEsHShOZEFiCQlDEepP1dpUl/SrUNXNg13UmZl+gzVDPsiCwnV1uI0RUA==",
+    "node_modules/@rolldown/binding-linux-arm64-gnu": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-1.0.0-rc.12.tgz",
+      "integrity": "sha512-/I5AS4cIroLpslsmzXfwbe5OmWvSsrFuEw3mwvbQ1kDxJ822hFHIx+vsN/TAzNVyepI/j/GSzrtCIwQPeKCLIg==",
       "cpu": [
         "arm64"
       ],
@@ -1536,54 +2684,32 @@
       "optional": true,
       "os": [
         "linux"
-      ]
-    },
-    "node_modules/@rollup/rollup-linux-loong64-gnu": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-gnu/-/rollup-linux-loong64-gnu-4.59.0.tgz",
-      "integrity": "sha512-gbUSW/97f7+r4gHy3Jlup8zDG190AuodsWnNiXErp9mT90iCy9NKKU0Xwx5k8VlRAIV2uU9CsMnEFg/xXaOfXg==",
-      "cpu": [
-        "loong64"
       ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ]
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
     },
-    "node_modules/@rollup/rollup-linux-loong64-musl": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-musl/-/rollup-linux-loong64-musl-4.59.0.tgz",
-      "integrity": "sha512-yTRONe79E+o0FWFijasoTjtzG9EBedFXJMl888NBEDCDV9I2wGbFFfJQQe63OijbFCUZqxpHz1GzpbtSFikJ4Q==",
+    "node_modules/@rolldown/binding-linux-arm64-musl": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-musl/-/binding-linux-arm64-musl-1.0.0-rc.12.tgz",
+      "integrity": "sha512-V6/wZztnBqlx5hJQqNWwFdxIKN0m38p8Jas+VoSfgH54HSj9tKTt1dZvG6JRHcjh6D7TvrJPWFGaY9UBVOaWPw==",
       "cpu": [
-        "loong64"
+        "arm64"
       ],
       "dev": true,
       "license": "MIT",
       "optional": true,
       "os": [
         "linux"
-      ]
-    },
-    "node_modules/@rollup/rollup-linux-ppc64-gnu": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-gnu/-/rollup-linux-ppc64-gnu-4.59.0.tgz",
-      "integrity": "sha512-sw1o3tfyk12k3OEpRddF68a1unZ5VCN7zoTNtSn2KndUE+ea3m3ROOKRCZxEpmT9nsGnogpFP9x6mnLTCaoLkA==",
-      "cpu": [
-        "ppc64"
       ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ]
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
     },
-    "node_modules/@rollup/rollup-linux-ppc64-musl": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-musl/-/rollup-linux-ppc64-musl-4.59.0.tgz",
-      "integrity": "sha512-+2kLtQ4xT3AiIxkzFVFXfsmlZiG5FXYW7ZyIIvGA7Bdeuh9Z0aN4hVyXS/G1E9bTP/vqszNIN/pUKCk/BTHsKA==",
+    "node_modules/@rolldown/binding-linux-ppc64-gnu": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-1.0.0-rc.12.tgz",
+      "integrity": "sha512-AP3E9BpcUYliZCxa3w5Kwj9OtEVDYK6sVoUzy4vTOJsjPOgdaJZKFmN4oOlX0Wp0RPV2ETfmIra9x1xuayFB7g==",
       "cpu": [
         "ppc64"
       ],
@@ -1592,40 +2718,15 @@
       "optional": true,
       "os": [
         "linux"
-      ]
-    },
-    "node_modules/@rollup/rollup-linux-riscv64-gnu": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-gnu/-/rollup-linux-riscv64-gnu-4.59.0.tgz",
-      "integrity": "sha512-NDYMpsXYJJaj+I7UdwIuHHNxXZ/b/N2hR15NyH3m2qAtb/hHPA4g4SuuvrdxetTdndfj9b1WOmy73kcPRoERUg==",
-      "cpu": [
-        "riscv64"
-      ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ]
-    },
-    "node_modules/@rollup/rollup-linux-riscv64-musl": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-musl/-/rollup-linux-riscv64-musl-4.59.0.tgz",
-      "integrity": "sha512-nLckB8WOqHIf1bhymk+oHxvM9D3tyPndZH8i8+35p/1YiVoVswPid2yLzgX7ZJP0KQvnkhM4H6QZ5m0LzbyIAg==",
-      "cpu": [
-        "riscv64"
       ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "linux"
-      ]
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
     },
-    "node_modules/@rollup/rollup-linux-s390x-gnu": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-s390x-gnu/-/rollup-linux-s390x-gnu-4.59.0.tgz",
-      "integrity": "sha512-oF87Ie3uAIvORFBpwnCvUzdeYUqi2wY6jRFWJAy1qus/udHFYIkplYRW+wo+GRUP4sKzYdmE1Y3+rY5Gc4ZO+w==",
+    "node_modules/@rolldown/binding-linux-s390x-gnu": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-1.0.0-rc.12.tgz",
+      "integrity": "sha512-nWwpvUSPkoFmZo0kQazZYOrT7J5DGOJ/+QHHzjvNlooDZED8oH82Yg67HvehPPLAg5fUff7TfWFHQS8IV1n3og==",
       "cpu": [
         "s390x"
       ],
@@ -1634,12 +2735,15 @@
       "optional": true,
       "os": [
         "linux"
-      ]
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
     },
-    "node_modules/@rollup/rollup-linux-x64-gnu": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.59.0.tgz",
-      "integrity": "sha512-3AHmtQq/ppNuUspKAlvA8HtLybkDflkMuLK4DPo77DfthRb71V84/c4MlWJXixZz4uruIH4uaa07IqoAkG64fg==",
+    "node_modules/@rolldown/binding-linux-x64-gnu": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-gnu/-/binding-linux-x64-gnu-1.0.0-rc.12.tgz",
+      "integrity": "sha512-RNrafz5bcwRy+O9e6P8Z/OCAJW/A+qtBczIqVYwTs14pf4iV1/+eKEjdOUta93q2TsT/FI0XYDP3TCky38LMAg==",
       "cpu": [
         "x64"
       ],
@@ -1648,12 +2752,15 @@
       "optional": true,
       "os": [
         "linux"
-      ]
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
     },
-    "node_modules/@rollup/rollup-linux-x64-musl": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.59.0.tgz",
-      "integrity": "sha512-2UdiwS/9cTAx7qIUZB/fWtToJwvt0Vbo0zmnYt7ED35KPg13Q0ym1g442THLC7VyI6JfYTP4PiSOWyoMdV2/xg==",
+    "node_modules/@rolldown/binding-linux-x64-musl": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-musl/-/binding-linux-x64-musl-1.0.0-rc.12.tgz",
+      "integrity": "sha512-Jpw/0iwoKWx3LJ2rc1yjFrj+T7iHZn2JDg1Yny1ma0luviFS4mhAIcd1LFNxK3EYu3DHWCps0ydXQ5i/rrJ2ig==",
       "cpu": [
         "x64"
       ],
@@ -1662,26 +2769,15 @@
       "optional": true,
       "os": [
         "linux"
-      ]
-    },
-    "node_modules/@rollup/rollup-openbsd-x64": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-openbsd-x64/-/rollup-openbsd-x64-4.59.0.tgz",
-      "integrity": "sha512-M3bLRAVk6GOwFlPTIxVBSYKUaqfLrn8l0psKinkCFxl4lQvOSz8ZrKDz2gxcBwHFpci0B6rttydI4IpS4IS/jQ==",
-      "cpu": [
-        "x64"
       ],
-      "dev": true,
-      "license": "MIT",
-      "optional": true,
-      "os": [
-        "openbsd"
-      ]
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
     },
-    "node_modules/@rollup/rollup-openharmony-arm64": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-openharmony-arm64/-/rollup-openharmony-arm64-4.59.0.tgz",
-      "integrity": "sha512-tt9KBJqaqp5i5HUZzoafHZX8b5Q2Fe7UjYERADll83O4fGqJ49O1FsL6LpdzVFQcpwvnyd0i+K/VSwu/o/nWlA==",
+    "node_modules/@rolldown/binding-openharmony-arm64": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-openharmony-arm64/-/binding-openharmony-arm64-1.0.0-rc.12.tgz",
+      "integrity": "sha512-vRugONE4yMfVn0+7lUKdKvN4D5YusEiPilaoO2sgUWpCvrncvWgPMzK00ZFFJuiPgLwgFNP5eSiUlv2tfc+lpA==",
       "cpu": [
         "arm64"
       ],
@@ -1690,40 +2786,49 @@
       "optional": true,
       "os": [
         "openharmony"
-      ]
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
     },
-    "node_modules/@rollup/rollup-win32-arm64-msvc": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.59.0.tgz",
-      "integrity": "sha512-V5B6mG7OrGTwnxaNUzZTDTjDS7F75PO1ae6MJYdiMu60sq0CqN5CVeVsbhPxalupvTX8gXVSU9gq+Rx1/hvu6A==",
+    "node_modules/@rolldown/binding-wasm32-wasi": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-wasm32-wasi/-/binding-wasm32-wasi-1.0.0-rc.12.tgz",
+      "integrity": "sha512-ykGiLr/6kkiHc0XnBfmFJuCjr5ZYKKofkx+chJWDjitX+KsJuAmrzWhwyOMSHzPhzOHOy7u9HlFoa5MoAOJ/Zg==",
       "cpu": [
-        "arm64"
+        "wasm32"
       ],
       "dev": true,
       "license": "MIT",
       "optional": true,
-      "os": [
-        "win32"
-      ]
+      "dependencies": {
+        "@napi-rs/wasm-runtime": "^1.1.1"
+      },
+      "engines": {
+        "node": ">=14.0.0"
+      }
     },
-    "node_modules/@rollup/rollup-win32-ia32-msvc": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.59.0.tgz",
-      "integrity": "sha512-UKFMHPuM9R0iBegwzKF4y0C4J9u8C6MEJgFuXTBerMk7EJ92GFVFYBfOZaSGLu6COf7FxpQNqhNS4c4icUPqxA==",
+    "node_modules/@rolldown/binding-win32-arm64-msvc": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-1.0.0-rc.12.tgz",
+      "integrity": "sha512-5eOND4duWkwx1AzCxadcOrNeighiLwMInEADT0YM7xeEOOFcovWZCq8dadXgcRHSf3Ulh1kFo/qvzoFiCLOL1Q==",
       "cpu": [
-        "ia32"
+        "arm64"
       ],
       "dev": true,
       "license": "MIT",
       "optional": true,
       "os": [
         "win32"
-      ]
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
     },
-    "node_modules/@rollup/rollup-win32-x64-gnu": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-gnu/-/rollup-win32-x64-gnu-4.59.0.tgz",
-      "integrity": "sha512-laBkYlSS1n2L8fSo1thDNGrCTQMmxjYY5G0WFWjFFYZkKPjsMBsgJfGf4TLxXrF6RyhI60L8TMOjBMvXiTcxeA==",
+    "node_modules/@rolldown/binding-win32-x64-msvc": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-x64-msvc/-/binding-win32-x64-msvc-1.0.0-rc.12.tgz",
+      "integrity": "sha512-PyqoipaswDLAZtot351MLhrlrh6lcZPo2LSYE+VDxbVk24LVKAGOuE4hb8xZQmrPAuEtTZW8E6D2zc5EUZX4Lw==",
       "cpu": [
         "x64"
       ],
@@ -1732,21 +2837,37 @@
       "optional": true,
       "os": [
         "win32"
-      ]
-    },
-    "node_modules/@rollup/rollup-win32-x64-msvc": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.59.0.tgz",
-      "integrity": "sha512-2HRCml6OztYXyJXAvdDXPKcawukWY2GpR5/nxKp4iBgiO3wcoEGkAaqctIbZcNB6KlUQBIqt8VYkNSj2397EfA==",
-      "cpu": [
-        "x64"
       ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@rolldown/pluginutils": {
+      "version": "1.0.0-rc.2",
+      "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-rc.2.tgz",
+      "integrity": "sha512-izyXV/v+cHiRfozX62W9htOAvwMo4/bXKDrQ+vom1L1qRuexPock/7VZDAhnpHCLNejd3NJ6hiab+tO0D44Rgw==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@sec-ant/readable-stream": {
+      "version": "0.4.1",
+      "resolved": "https://registry.npmjs.org/@sec-ant/readable-stream/-/readable-stream-0.4.1.tgz",
+      "integrity": "sha512-831qok9r2t8AlxLko40y2ebgSDhenenCatLVeW/uBtnHPyhHOvG0C7TvfgecV+wHzIm5KUICgzmVpWS+IMEAeg==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@sindresorhus/merge-streams": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/@sindresorhus/merge-streams/-/merge-streams-4.0.0.tgz",
+      "integrity": "sha512-tlqY9xq5ukxTUZBmoOp+m61cqwQD5pHJtFY3Mn8CA8ps6yghLH/Hw8UPdqg4OLmFW3IFlcXnQNmo/dh8HzXYIQ==",
       "dev": true,
       "license": "MIT",
-      "optional": true,
-      "os": [
-        "win32"
-      ]
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
     },
     "node_modules/@standard-schema/spec": {
       "version": "1.1.0",
@@ -1756,13 +2877,13 @@
       "license": "MIT"
     },
     "node_modules/@storybook/builder-vite": {
-      "version": "10.2.19",
-      "resolved": "https://registry.npmjs.org/@storybook/builder-vite/-/builder-vite-10.2.19.tgz",
-      "integrity": "sha512-a59xALzM9GeYh6p+wzAeBbDyIe+qyrC4nxS3QNzb5i2ZOhrq1iIpvnDaOWe80NC8mV3IlqUEGY8Uawkf//1Rmg==",
+      "version": "10.3.3",
+      "resolved": "https://registry.npmjs.org/@storybook/builder-vite/-/builder-vite-10.3.3.tgz",
+      "integrity": "sha512-awspKCTZvXyeV3KabL0id62mFbxR5u/5yyGQultwCiSb2/yVgBfip2MAqLyS850pvTiB6QFVM9deOyd2/G/bEA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@storybook/csf-plugin": "10.2.19",
+        "@storybook/csf-plugin": "10.3.3",
         "ts-dedent": "^2.0.0"
       },
       "funding": {
@@ -1770,14 +2891,14 @@
         "url": "https://opencollective.com/storybook"
       },
       "peerDependencies": {
-        "storybook": "^10.2.19",
+        "storybook": "^10.3.3",
         "vite": "^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0"
       }
     },
     "node_modules/@storybook/csf-plugin": {
-      "version": "10.2.19",
-      "resolved": "https://registry.npmjs.org/@storybook/csf-plugin/-/csf-plugin-10.2.19.tgz",
-      "integrity": "sha512-BpjYIOdyQn/Rm6MjUAc5Gl8HlARZrskD/OhUNShiOh2fznb523dHjiE5mbU1kKM/+L1uvRlEqqih40rTx+xCrg==",
+      "version": "10.3.3",
+      "resolved": "https://registry.npmjs.org/@storybook/csf-plugin/-/csf-plugin-10.3.3.tgz",
+      "integrity": "sha512-Utlh7zubm+4iOzBBfzLW4F4vD99UBtl2Do4edlzK2F7krQIcFvR2ontjAE8S1FQVLZAC3WHalCOS+Ch8zf3knA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -1790,7 +2911,7 @@
       "peerDependencies": {
         "esbuild": "*",
         "rollup": "*",
-        "storybook": "^10.2.19",
+        "storybook": "^10.3.3",
         "vite": "*",
         "webpack": "*"
       },
@@ -1828,9 +2949,9 @@
       }
     },
     "node_modules/@storybook/vue3": {
-      "version": "10.2.19",
-      "resolved": "https://registry.npmjs.org/@storybook/vue3/-/vue3-10.2.19.tgz",
-      "integrity": "sha512-+aWeZIAVRl1IsWCQOducaPXzWtgn53fKAaSZFROlu9//WISCrduHS15USMarynEFBM593vGoHWp4uZ5Z/y87tA==",
+      "version": "10.3.3",
+      "resolved": "https://registry.npmjs.org/@storybook/vue3/-/vue3-10.3.3.tgz",
+      "integrity": "sha512-crlsH9mjwKg9i/5mVAf/PEqjkHa2FeNoXqfAGzQVelElLZ71R18dEBGGkqGpaHU2ziVlvYKSBWALAU5zT9UZQQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -1843,19 +2964,19 @@
         "url": "https://opencollective.com/storybook"
       },
       "peerDependencies": {
-        "storybook": "^10.2.19",
+        "storybook": "^10.3.3",
         "vue": "^3.0.0"
       }
     },
     "node_modules/@storybook/vue3-vite": {
-      "version": "10.2.19",
-      "resolved": "https://registry.npmjs.org/@storybook/vue3-vite/-/vue3-vite-10.2.19.tgz",
-      "integrity": "sha512-YCTEG885XQGJtWNQDY9Anw9c6BNvKnKtlOC92lJi52Ois5UXdjtm8VMjq6sn9Vt2SbcR/zLsmyDWRpUvbWtQiw==",
+      "version": "10.3.3",
+      "resolved": "https://registry.npmjs.org/@storybook/vue3-vite/-/vue3-vite-10.3.3.tgz",
+      "integrity": "sha512-jVZIHutDBpYMx62CFDSPHUe5Y+uuabP5VBItrZbEPf8sqx4mcDXc6wsV0SYcYh7fw0q+5YVfYiGASkoVk3i/VA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@storybook/builder-vite": "10.2.19",
-        "@storybook/vue3": "10.2.19",
+        "@storybook/builder-vite": "10.3.3",
+        "@storybook/vue3": "10.3.3",
         "magic-string": "^0.30.0",
         "typescript": "^5.9.3",
         "vue-component-meta": "^2.0.0",
@@ -1866,54 +2987,180 @@
         "url": "https://opencollective.com/storybook"
       },
       "peerDependencies": {
-        "storybook": "^10.2.19",
+        "storybook": "^10.3.3",
         "vite": "^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0"
       }
     },
+    "node_modules/@stryker-mutator/api": {
+      "version": "9.6.0",
+      "resolved": "https://registry.npmjs.org/@stryker-mutator/api/-/api-9.6.0.tgz",
+      "integrity": "sha512-kJEEwOVoWDXGEIXuM+9efT6LSJ7nyxnQQvjEoKg8GSZXbDUjfD0tqA0aBD06U1SzQLKCM7ffjgPffr154MHZKw==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "mutation-testing-metrics": "3.7.2",
+        "mutation-testing-report-schema": "3.7.2",
+        "tslib": "~2.8.0",
+        "typed-inject": "~5.0.0"
+      },
+      "engines": {
+        "node": ">=20.0.0"
+      }
+    },
+    "node_modules/@stryker-mutator/core": {
+      "version": "9.6.0",
+      "resolved": "https://registry.npmjs.org/@stryker-mutator/core/-/core-9.6.0.tgz",
+      "integrity": "sha512-oSbw01l6HXHt0iW9x5fQj7yHGGT8ZjCkXSkI7Bsu0juO7Q6vRMXk7XcvKpCBgRgzKXi1osg8+iIzj7acHuxepQ==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@inquirer/prompts": "^8.0.0",
+        "@stryker-mutator/api": "9.6.0",
+        "@stryker-mutator/instrumenter": "9.6.0",
+        "@stryker-mutator/util": "9.6.0",
+        "ajv": "~8.18.0",
+        "chalk": "~5.6.0",
+        "commander": "~14.0.0",
+        "diff-match-patch": "1.0.5",
+        "emoji-regex": "~10.6.0",
+        "execa": "~9.6.0",
+        "json-rpc-2.0": "^1.7.0",
+        "lodash.groupby": "~4.6.0",
+        "minimatch": "~10.2.4",
+        "mutation-server-protocol": "~0.4.0",
+        "mutation-testing-elements": "3.7.2",
+        "mutation-testing-metrics": "3.7.2",
+        "mutation-testing-report-schema": "3.7.2",
+        "npm-run-path": "~6.0.0",
+        "progress": "~2.0.3",
+        "rxjs": "~7.8.1",
+        "semver": "^7.6.3",
+        "source-map": "~0.7.4",
+        "tree-kill": "~1.2.2",
+        "tslib": "2.8.1",
+        "typed-inject": "~5.0.0",
+        "typed-rest-client": "~2.2.0"
+      },
+      "bin": {
+        "stryker": "bin/stryker.js"
+      },
+      "engines": {
+        "node": ">=20.0.0"
+      }
+    },
+    "node_modules/@stryker-mutator/instrumenter": {
+      "version": "9.6.0",
+      "resolved": "https://registry.npmjs.org/@stryker-mutator/instrumenter/-/instrumenter-9.6.0.tgz",
+      "integrity": "sha512-tWdRYfm9LF4Go7cNOos0xEIOEnN7ZOSj38rfXvGZS9IINlvYBrBCl2xcz/67v6l5A7xksMWWByZRIq2bgdnnUg==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@babel/core": "~7.29.0",
+        "@babel/generator": "~7.29.0",
+        "@babel/parser": "~7.29.0",
+        "@babel/plugin-proposal-decorators": "~7.29.0",
+        "@babel/plugin-transform-explicit-resource-management": "^7.28.0",
+        "@babel/preset-typescript": "~7.28.0",
+        "@stryker-mutator/api": "9.6.0",
+        "@stryker-mutator/util": "9.6.0",
+        "angular-html-parser": "~10.4.0",
+        "semver": "~7.7.0",
+        "tslib": "2.8.1",
+        "weapon-regex": "~1.3.2"
+      },
+      "engines": {
+        "node": ">=20.0.0"
+      }
+    },
+    "node_modules/@stryker-mutator/typescript-checker": {
+      "version": "9.6.0",
+      "resolved": "https://registry.npmjs.org/@stryker-mutator/typescript-checker/-/typescript-checker-9.6.0.tgz",
+      "integrity": "sha512-mPoB2Eogda4bpIoNgdN+VHnZvbwD0R/oNCCbmq7UQVLZtzF09nH1M1kbilYdmrCyxYYkFyTCKy3WhU3YGWdDjA==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@stryker-mutator/api": "9.6.0",
+        "@stryker-mutator/util": "9.6.0",
+        "semver": "~7.7.0"
+      },
+      "engines": {
+        "node": ">=20.0.0"
+      },
+      "peerDependencies": {
+        "@stryker-mutator/core": "9.6.0",
+        "typescript": ">=3.6"
+      }
+    },
+    "node_modules/@stryker-mutator/util": {
+      "version": "9.6.0",
+      "resolved": "https://registry.npmjs.org/@stryker-mutator/util/-/util-9.6.0.tgz",
+      "integrity": "sha512-gw7fJOFNHEj9inAEOodD9RrrMEMhZmWJ46Ww/kDJAXlSsBBmdwCzeomNLngmLTvgp14z7Tfq85DHYwvmNMdOxA==",
+      "dev": true,
+      "license": "Apache-2.0"
+    },
+    "node_modules/@stryker-mutator/vitest-runner": {
+      "version": "9.6.0",
+      "resolved": "https://registry.npmjs.org/@stryker-mutator/vitest-runner/-/vitest-runner-9.6.0.tgz",
+      "integrity": "sha512-/zyELz5jTDAiH0Hr23G6KSnBFl9XV+vn0T0qUAk4sPqJoP5NVm9jjpgt9EBACS/VTkVqSvXqBid4jmESPx11Sg==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@stryker-mutator/api": "9.6.0",
+        "@stryker-mutator/util": "9.6.0",
+        "tslib": "~2.8.0"
+      },
+      "engines": {
+        "node": ">=14.18.0"
+      },
+      "peerDependencies": {
+        "@stryker-mutator/core": "9.6.0",
+        "vitest": ">=2.0.0"
+      }
+    },
     "node_modules/@tailwindcss/node": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/node/-/node-4.2.1.tgz",
-      "integrity": "sha512-jlx6sLk4EOwO6hHe1oCGm1Q4AN/s0rSrTTPBGPM0/RQ6Uylwq17FuU8IeJJKEjtc6K6O07zsvP+gDO6MMWo7pg==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/node/-/node-4.2.2.tgz",
+      "integrity": "sha512-pXS+wJ2gZpVXqFaUEjojq7jzMpTGf8rU6ipJz5ovJV6PUGmlJ+jvIwGrzdHdQ80Sg+wmQxUFuoW1UAAwHNEdFA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@jridgewell/remapping": "^2.3.5",
         "enhanced-resolve": "^5.19.0",
         "jiti": "^2.6.1",
-        "lightningcss": "1.31.1",
+        "lightningcss": "1.32.0",
         "magic-string": "^0.30.21",
         "source-map-js": "^1.2.1",
-        "tailwindcss": "4.2.1"
+        "tailwindcss": "4.2.2"
       }
     },
     "node_modules/@tailwindcss/oxide": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide/-/oxide-4.2.1.tgz",
-      "integrity": "sha512-yv9jeEFWnjKCI6/T3Oq50yQEOqmpmpfzG1hcZsAOaXFQPfzWprWrlHSdGPEF3WQTi8zu8ohC9Mh9J470nT5pUw==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide/-/oxide-4.2.2.tgz",
+      "integrity": "sha512-qEUA07+E5kehxYp9BVMpq9E8vnJuBHfJEC0vPC5e7iL/hw7HR61aDKoVoKzrG+QKp56vhNZe4qwkRmMC0zDLvg==",
       "dev": true,
       "license": "MIT",
       "engines": {
         "node": ">= 20"
       },
       "optionalDependencies": {
-        "@tailwindcss/oxide-android-arm64": "4.2.1",
-        "@tailwindcss/oxide-darwin-arm64": "4.2.1",
-        "@tailwindcss/oxide-darwin-x64": "4.2.1",
-        "@tailwindcss/oxide-freebsd-x64": "4.2.1",
-        "@tailwindcss/oxide-linux-arm-gnueabihf": "4.2.1",
-        "@tailwindcss/oxide-linux-arm64-gnu": "4.2.1",
-        "@tailwindcss/oxide-linux-arm64-musl": "4.2.1",
-        "@tailwindcss/oxide-linux-x64-gnu": "4.2.1",
-        "@tailwindcss/oxide-linux-x64-musl": "4.2.1",
-        "@tailwindcss/oxide-wasm32-wasi": "4.2.1",
-        "@tailwindcss/oxide-win32-arm64-msvc": "4.2.1",
-        "@tailwindcss/oxide-win32-x64-msvc": "4.2.1"
+        "@tailwindcss/oxide-android-arm64": "4.2.2",
+        "@tailwindcss/oxide-darwin-arm64": "4.2.2",
+        "@tailwindcss/oxide-darwin-x64": "4.2.2",
+        "@tailwindcss/oxide-freebsd-x64": "4.2.2",
+        "@tailwindcss/oxide-linux-arm-gnueabihf": "4.2.2",
+        "@tailwindcss/oxide-linux-arm64-gnu": "4.2.2",
+        "@tailwindcss/oxide-linux-arm64-musl": "4.2.2",
+        "@tailwindcss/oxide-linux-x64-gnu": "4.2.2",
+        "@tailwindcss/oxide-linux-x64-musl": "4.2.2",
+        "@tailwindcss/oxide-wasm32-wasi": "4.2.2",
+        "@tailwindcss/oxide-win32-arm64-msvc": "4.2.2",
+        "@tailwindcss/oxide-win32-x64-msvc": "4.2.2"
       }
     },
     "node_modules/@tailwindcss/oxide-android-arm64": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-android-arm64/-/oxide-android-arm64-4.2.1.tgz",
-      "integrity": "sha512-eZ7G1Zm5EC8OOKaesIKuw77jw++QJ2lL9N+dDpdQiAB/c/B2wDh0QPFHbkBVrXnwNugvrbJFk1gK2SsVjwWReg==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-android-arm64/-/oxide-android-arm64-4.2.2.tgz",
+      "integrity": "sha512-dXGR1n+P3B6748jZO/SvHZq7qBOqqzQ+yFrXpoOWWALWndF9MoSKAT3Q0fYgAzYzGhxNYOoysRvYlpixRBBoDg==",
       "cpu": [
         "arm64"
       ],
@@ -1928,9 +3175,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-darwin-arm64": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-darwin-arm64/-/oxide-darwin-arm64-4.2.1.tgz",
-      "integrity": "sha512-q/LHkOstoJ7pI1J0q6djesLzRvQSIfEto148ppAd+BVQK0JYjQIFSK3JgYZJa+Yzi0DDa52ZsQx2rqytBnf8Hw==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-darwin-arm64/-/oxide-darwin-arm64-4.2.2.tgz",
+      "integrity": "sha512-iq9Qjr6knfMpZHj55/37ouZeykwbDqF21gPFtfnhCCKGDcPI/21FKC9XdMO/XyBM7qKORx6UIhGgg6jLl7BZlg==",
       "cpu": [
         "arm64"
       ],
@@ -1945,9 +3192,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-darwin-x64": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-darwin-x64/-/oxide-darwin-x64-4.2.1.tgz",
-      "integrity": "sha512-/f/ozlaXGY6QLbpvd/kFTro2l18f7dHKpB+ieXz+Cijl4Mt9AI2rTrpq7V+t04nK+j9XBQHnSMdeQRhbGyt6fw==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-darwin-x64/-/oxide-darwin-x64-4.2.2.tgz",
+      "integrity": "sha512-BlR+2c3nzc8f2G639LpL89YY4bdcIdUmiOOkv2GQv4/4M0vJlpXEa0JXNHhCHU7VWOKWT/CjqHdTP8aUuDJkuw==",
       "cpu": [
         "x64"
       ],
@@ -1962,9 +3209,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-freebsd-x64": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-freebsd-x64/-/oxide-freebsd-x64-4.2.1.tgz",
-      "integrity": "sha512-5e/AkgYJT/cpbkys/OU2Ei2jdETCLlifwm7ogMC7/hksI2fC3iiq6OcXwjibcIjPung0kRtR3TxEITkqgn0TcA==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-freebsd-x64/-/oxide-freebsd-x64-4.2.2.tgz",
+      "integrity": "sha512-YUqUgrGMSu2CDO82hzlQ5qSb5xmx3RUrke/QgnoEx7KvmRJHQuZHZmZTLSuuHwFf0DJPybFMXMYf+WJdxHy/nQ==",
       "cpu": [
         "x64"
       ],
@@ -1979,9 +3226,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-linux-arm-gnueabihf": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm-gnueabihf/-/oxide-linux-arm-gnueabihf-4.2.1.tgz",
-      "integrity": "sha512-Uny1EcVTTmerCKt/1ZuKTkb0x8ZaiuYucg2/kImO5A5Y/kBz41/+j0gxUZl+hTF3xkWpDmHX+TaWhOtba2Fyuw==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm-gnueabihf/-/oxide-linux-arm-gnueabihf-4.2.2.tgz",
+      "integrity": "sha512-FPdhvsW6g06T9BWT0qTwiVZYE2WIFo2dY5aCSpjG/S/u1tby+wXoslXS0kl3/KXnULlLr1E3NPRRw0g7t2kgaQ==",
       "cpu": [
         "arm"
       ],
@@ -1996,9 +3243,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-linux-arm64-gnu": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm64-gnu/-/oxide-linux-arm64-gnu-4.2.1.tgz",
-      "integrity": "sha512-CTrwomI+c7n6aSSQlsPL0roRiNMDQ/YzMD9EjcR+H4f0I1SQ8QqIuPnsVp7QgMkC1Qi8rtkekLkOFjo7OlEFRQ==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm64-gnu/-/oxide-linux-arm64-gnu-4.2.2.tgz",
+      "integrity": "sha512-4og1V+ftEPXGttOO7eCmW7VICmzzJWgMx+QXAJRAhjrSjumCwWqMfkDrNu1LXEQzNAwz28NCUpucgQPrR4S2yw==",
       "cpu": [
         "arm64"
       ],
@@ -2013,9 +3260,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-linux-arm64-musl": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm64-musl/-/oxide-linux-arm64-musl-4.2.1.tgz",
-      "integrity": "sha512-WZA0CHRL/SP1TRbA5mp9htsppSEkWuQ4KsSUumYQnyl8ZdT39ntwqmz4IUHGN6p4XdSlYfJwM4rRzZLShHsGAQ==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-arm64-musl/-/oxide-linux-arm64-musl-4.2.2.tgz",
+      "integrity": "sha512-oCfG/mS+/+XRlwNjnsNLVwnMWYH7tn/kYPsNPh+JSOMlnt93mYNCKHYzylRhI51X+TbR+ufNhhKKzm6QkqX8ag==",
       "cpu": [
         "arm64"
       ],
@@ -2030,9 +3277,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-linux-x64-gnu": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-x64-gnu/-/oxide-linux-x64-gnu-4.2.1.tgz",
-      "integrity": "sha512-qMFzxI2YlBOLW5PhblzuSWlWfwLHaneBE0xHzLrBgNtqN6mWfs+qYbhryGSXQjFYB1Dzf5w+LN5qbUTPhW7Y5g==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-x64-gnu/-/oxide-linux-x64-gnu-4.2.2.tgz",
+      "integrity": "sha512-rTAGAkDgqbXHNp/xW0iugLVmX62wOp2PoE39BTCGKjv3Iocf6AFbRP/wZT/kuCxC9QBh9Pu8XPkv/zCZB2mcMg==",
       "cpu": [
         "x64"
       ],
@@ -2047,9 +3294,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-linux-x64-musl": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-x64-musl/-/oxide-linux-x64-musl-4.2.1.tgz",
-      "integrity": "sha512-5r1X2FKnCMUPlXTWRYpHdPYUY6a1Ar/t7P24OuiEdEOmms5lyqjDRvVY1yy9Rmioh+AunQ0rWiOTPE8F9A3v5g==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-linux-x64-musl/-/oxide-linux-x64-musl-4.2.2.tgz",
+      "integrity": "sha512-XW3t3qwbIwiSyRCggeO2zxe3KWaEbM0/kW9e8+0XpBgyKU4ATYzcVSMKteZJ1iukJ3HgHBjbg9P5YPRCVUxlnQ==",
       "cpu": [
         "x64"
       ],
@@ -2064,9 +3311,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-wasm32-wasi": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-wasm32-wasi/-/oxide-wasm32-wasi-4.2.1.tgz",
-      "integrity": "sha512-MGFB5cVPvshR85MTJkEvqDUnuNoysrsRxd6vnk1Lf2tbiqNlXpHYZqkqOQalydienEWOHHFyyuTSYRsLfxFJ2Q==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-wasm32-wasi/-/oxide-wasm32-wasi-4.2.2.tgz",
+      "integrity": "sha512-eKSztKsmEsn1O5lJ4ZAfyn41NfG7vzCg496YiGtMDV86jz1q/irhms5O0VrY6ZwTUkFy/EKG3RfWgxSI3VbZ8Q==",
       "bundleDependencies": [
         "@napi-rs/wasm-runtime",
         "@emnapi/core",
@@ -2094,9 +3341,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-win32-arm64-msvc": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-arm64-msvc/-/oxide-win32-arm64-msvc-4.2.1.tgz",
-      "integrity": "sha512-YlUEHRHBGnCMh4Nj4GnqQyBtsshUPdiNroZj8VPkvTZSoHsilRCwXcVKnG9kyi0ZFAS/3u+qKHBdDc81SADTRA==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-arm64-msvc/-/oxide-win32-arm64-msvc-4.2.2.tgz",
+      "integrity": "sha512-qPmaQM4iKu5mxpsrWZMOZRgZv1tOZpUm+zdhhQP0VhJfyGGO3aUKdbh3gDZc/dPLQwW4eSqWGrrcWNBZWUWaXQ==",
       "cpu": [
         "arm64"
       ],
@@ -2111,9 +3358,9 @@
       }
     },
     "node_modules/@tailwindcss/oxide-win32-x64-msvc": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-x64-msvc/-/oxide-win32-x64-msvc-4.2.1.tgz",
-      "integrity": "sha512-rbO34G5sMWWyrN/idLeVxAZgAKWrn5LiR3/I90Q9MkA67s6T1oB0xtTe+0heoBvHSpbU9Mk7i6uwJnpo4u21XQ==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-x64-msvc/-/oxide-win32-x64-msvc-4.2.2.tgz",
+      "integrity": "sha512-1T/37VvI7WyH66b+vqHj/cLwnCxt7Qt3WFu5Q8hk65aOvlwAhs7rAp1VkulBJw/N4tMirXjVnylTR72uI0HGcA==",
       "cpu": [
         "x64"
       ],
@@ -2128,18 +3375,18 @@
       }
     },
     "node_modules/@tailwindcss/vite": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/@tailwindcss/vite/-/vite-4.2.1.tgz",
-      "integrity": "sha512-TBf2sJjYeb28jD2U/OhwdW0bbOsxkWPwQ7SrqGf9sVcoYwZj7rkXljroBO9wKBut9XnmQLXanuDUeqQK0lGg/w==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/@tailwindcss/vite/-/vite-4.2.2.tgz",
+      "integrity": "sha512-mEiF5HO1QqCLXoNEfXVA1Tzo+cYsrqV7w9Juj2wdUFyW07JRenqMG225MvPwr3ZD9N1bFQj46X7r33iHxLUW0w==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@tailwindcss/node": "4.2.1",
-        "@tailwindcss/oxide": "4.2.1",
-        "tailwindcss": "4.2.1"
+        "@tailwindcss/node": "4.2.2",
+        "@tailwindcss/oxide": "4.2.2",
+        "tailwindcss": "4.2.2"
       },
       "peerDependencies": {
-        "vite": "^5.2.0 || ^6 || ^7"
+        "vite": "^5.2.0 || ^6 || ^7 || ^8"
       }
     },
     "node_modules/@testing-library/dom": {
@@ -2258,6 +3505,32 @@
         "undici-types": "~7.18.0"
       }
     },
+    "node_modules/@types/sortablejs": {
+      "version": "1.15.9",
+      "resolved": "https://registry.npmjs.org/@types/sortablejs/-/sortablejs-1.15.9.tgz",
+      "integrity": "sha512-7HP+rZGE2p886PKV9c9OJzLBI6BBJu1O7lJGYnPyG3fS4/duUCcngkNCjsLwIMV+WMqANe3tt4irrXHSIe68OQ==",
+      "license": "MIT"
+    },
+    "node_modules/@vexip-ui/hooks": {
+      "version": "2.9.3",
+      "resolved": "https://registry.npmjs.org/@vexip-ui/hooks/-/hooks-2.9.3.tgz",
+      "integrity": "sha512-DrGlwSa0P0KQ98RU0MrQ4+KcItZDaejAJISv3iT6T6/E2ly4z7c2dzuNzn5Wk7y4FYnkXDfrf2UFNv7EDw8GJg==",
+      "license": "MIT",
+      "dependencies": {
+        "@floating-ui/dom": "^1.7.0",
+        "@juggle/resize-observer": "^3.4.0",
+        "@vexip-ui/utils": "2.16.4"
+      },
+      "peerDependencies": {
+        "vue": "^3.2.25"
+      }
+    },
+    "node_modules/@vexip-ui/utils": {
+      "version": "2.16.4",
+      "resolved": "https://registry.npmjs.org/@vexip-ui/utils/-/utils-2.16.4.tgz",
+      "integrity": "sha512-KX+Q4EsuwDp6ZlRJ7OAkiYxu52D5CVM8zpqQz/FXYV+JUtzl9T3dvxgtA8gQ0wm5Sh/xT6jp8Wo4X7tLAzRh/A==",
+      "license": "MIT"
+    },
     "node_modules/@vitejs/plugin-vue": {
       "version": "6.0.5",
       "resolved": "https://registry.npmjs.org/@vitejs/plugin-vue/-/plugin-vue-6.0.5.tgz",
@@ -2276,14 +3549,14 @@
       }
     },
     "node_modules/@vitest/coverage-v8": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/@vitest/coverage-v8/-/coverage-v8-4.1.0.tgz",
-      "integrity": "sha512-nDWulKeik2bL2Va/Wl4x7DLuTKAXa906iRFooIRPR+huHkcvp9QDkPQ2RJdmjOFrqOqvNfoSQLF68deE3xC3CQ==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/coverage-v8/-/coverage-v8-4.1.2.tgz",
+      "integrity": "sha512-sPK//PHO+kAkScb8XITeB1bf7fsk85Km7+rt4eeuRR3VS1/crD47cmV5wicisJmjNdfeokTZwjMk4Mj2d58Mgg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@bcoe/v8-coverage": "^1.0.2",
-        "@vitest/utils": "4.1.0",
+        "@vitest/utils": "4.1.2",
         "ast-v8-to-istanbul": "^1.0.0",
         "istanbul-lib-coverage": "^3.2.2",
         "istanbul-lib-report": "^3.0.1",
@@ -2291,14 +3564,14 @@
         "magicast": "^0.5.2",
         "obug": "^2.1.1",
         "std-env": "^4.0.0-rc.1",
-        "tinyrainbow": "^3.0.3"
+        "tinyrainbow": "^3.1.0"
       },
       "funding": {
         "url": "https://opencollective.com/vitest"
       },
       "peerDependencies": {
-        "@vitest/browser": "4.1.0",
-        "vitest": "4.1.0"
+        "@vitest/browser": "4.1.2",
+        "vitest": "4.1.2"
       },
       "peerDependenciesMeta": {
         "@vitest/browser": {
@@ -2362,13 +3635,13 @@
       }
     },
     "node_modules/@vitest/mocker": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/@vitest/mocker/-/mocker-4.1.0.tgz",
-      "integrity": "sha512-evxREh+Hork43+Y4IOhTo+h5lGmVRyjqI739Rz4RlUPqwrkFFDF6EMvOOYjTx4E8Tl6gyCLRL8Mu7Ry12a13Tw==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/mocker/-/mocker-4.1.2.tgz",
+      "integrity": "sha512-Ize4iQtEALHDttPRCmN+FKqOl2vxTiNUhzobQFFt/BM1lRUTG7zRCLOykG/6Vo4E4hnUdfVLo5/eqKPukcWW7Q==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@vitest/spy": "4.1.0",
+        "@vitest/spy": "4.1.2",
         "estree-walker": "^3.0.3",
         "magic-string": "^0.30.21"
       },
@@ -2377,7 +3650,7 @@
       },
       "peerDependencies": {
         "msw": "^2.4.9",
-        "vite": "^6.0.0 || ^7.0.0 || ^8.0.0-0"
+        "vite": "^6.0.0 || ^7.0.0 || ^8.0.0"
       },
       "peerDependenciesMeta": {
         "msw": {
@@ -2389,9 +3662,9 @@
       }
     },
     "node_modules/@vitest/mocker/node_modules/@vitest/spy": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/@vitest/spy/-/spy-4.1.0.tgz",
-      "integrity": "sha512-pz77k+PgNpyMDv2FV6qmk5ZVau6c3R8HC8v342T2xlFxQKTrSeYw9waIJG8KgV9fFwAtTu4ceRzMivPTH6wSxw==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/spy/-/spy-4.1.2.tgz",
+      "integrity": "sha512-DU4fBnbVCJGNBwVA6xSToNXrkZNSiw59H8tcuUspVMsBDBST4nfvsPsEHDHGtWRRnqBERBQu7TrTKskmjqTXKA==",
       "dev": true,
       "license": "MIT",
       "funding": {
@@ -2399,26 +3672,26 @@
       }
     },
     "node_modules/@vitest/pretty-format": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/@vitest/pretty-format/-/pretty-format-4.1.0.tgz",
-      "integrity": "sha512-3RZLZlh88Ib0J7NQTRATfc/3ZPOnSUn2uDBUoGNn5T36+bALixmzphN26OUD3LRXWkJu4H0s5vvUeqBiw+kS0A==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/pretty-format/-/pretty-format-4.1.2.tgz",
+      "integrity": "sha512-dwQga8aejqeuB+TvXCMzSQemvV9hNEtDDpgUKDzOmNQayl2OG241PSWeJwKRH3CiC+sESrmoFd49rfnq7T4RnA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "tinyrainbow": "^3.0.3"
+        "tinyrainbow": "^3.1.0"
       },
       "funding": {
         "url": "https://opencollective.com/vitest"
       }
     },
     "node_modules/@vitest/runner": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/@vitest/runner/-/runner-4.1.0.tgz",
-      "integrity": "sha512-Duvx2OzQ7d6OjchL+trw+aSrb9idh7pnNfxrklo14p3zmNL4qPCDeIJAK+eBKYjkIwG96Bc6vYuxhqDXQOWpoQ==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/runner/-/runner-4.1.2.tgz",
+      "integrity": "sha512-Gr+FQan34CdiYAwpGJmQG8PgkyFVmARK8/xSijia3eTFgVfpcpztWLuP6FttGNfPLJhaZVP/euvujeNYar36OQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@vitest/utils": "4.1.0",
+        "@vitest/utils": "4.1.2",
         "pathe": "^2.0.3"
       },
       "funding": {
@@ -2426,14 +3699,14 @@
       }
     },
     "node_modules/@vitest/snapshot": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/@vitest/snapshot/-/snapshot-4.1.0.tgz",
-      "integrity": "sha512-0Vy9euT1kgsnj1CHttwi9i9o+4rRLEaPRSOJ5gyv579GJkNpgJK+B4HSv/rAWixx2wdAFci1X4CEPjiu2bXIMg==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/snapshot/-/snapshot-4.1.2.tgz",
+      "integrity": "sha512-g7yfUmxYS4mNxk31qbOYsSt2F4m1E02LFqO53Xpzg3zKMhLAPZAjjfyl9e6z7HrW6LvUdTwAQR3HHfLjpko16A==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@vitest/pretty-format": "4.1.0",
-        "@vitest/utils": "4.1.0",
+        "@vitest/pretty-format": "4.1.2",
+        "@vitest/utils": "4.1.2",
         "magic-string": "^0.30.21",
         "pathe": "^2.0.3"
       },
@@ -2455,15 +3728,15 @@
       }
     },
     "node_modules/@vitest/utils": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/@vitest/utils/-/utils-4.1.0.tgz",
-      "integrity": "sha512-XfPXT6a8TZY3dcGY8EdwsBulFCIw+BeeX0RZn2x/BtiY/75YGh8FeWGG8QISN/WhaqSrE2OrlDgtF8q5uhOTmw==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/utils/-/utils-4.1.2.tgz",
+      "integrity": "sha512-xw2/TiX82lQHA06cgbqRKFb5lCAy3axQ4H4SoUFhUsg+wztiet+co86IAMDtF6Vm1hc7J6j09oh/rgDn+JdKIQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@vitest/pretty-format": "4.1.0",
+        "@vitest/pretty-format": "4.1.2",
         "convert-source-map": "^2.0.0",
-        "tinyrainbow": "^3.0.3"
+        "tinyrainbow": "^3.1.0"
       },
       "funding": {
         "url": "https://opencollective.com/vitest"
@@ -2526,13 +3799,13 @@
       }
     },
     "node_modules/@vue/compiler-core": {
-      "version": "3.5.30",
-      "resolved": "https://registry.npmjs.org/@vue/compiler-core/-/compiler-core-3.5.30.tgz",
-      "integrity": "sha512-s3DfdZkcu/qExZ+td75015ljzHc6vE+30cFMGRPROYjqkroYI5NV2X1yAMX9UeyBNWB9MxCfPcsjpLS11nzkkw==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-core/-/compiler-core-3.5.31.tgz",
+      "integrity": "sha512-k/ueL14aNIEy5Onf0OVzR8kiqF/WThgLdFhxwa4e/KF/0qe38IwIdofoSWBTvvxQOesaz6riAFAUaYjoF9fLLQ==",
       "license": "MIT",
       "dependencies": {
-        "@babel/parser": "^7.29.0",
-        "@vue/shared": "3.5.30",
+        "@babel/parser": "^7.29.2",
+        "@vue/shared": "3.5.31",
         "entities": "^7.0.1",
         "estree-walker": "^2.0.2",
         "source-map-js": "^1.2.1"
@@ -2557,26 +3830,26 @@
       "license": "MIT"
     },
     "node_modules/@vue/compiler-dom": {
-      "version": "3.5.30",
-      "resolved": "https://registry.npmjs.org/@vue/compiler-dom/-/compiler-dom-3.5.30.tgz",
-      "integrity": "sha512-eCFYESUEVYHhiMuK4SQTldO3RYxyMR/UQL4KdGD1Yrkfdx4m/HYuZ9jSfPdA+nWJY34VWndiYdW/wZXyiPEB9g==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-dom/-/compiler-dom-3.5.31.tgz",
+      "integrity": "sha512-BMY/ozS/xxjYqRFL+tKdRpATJYDTTgWSo0+AJvJNg4ig+Hgb0dOsHPXvloHQ5hmlivUqw1Yt2pPIqp4e0v1GUw==",
       "license": "MIT",
       "dependencies": {
-        "@vue/compiler-core": "3.5.30",
-        "@vue/shared": "3.5.30"
+        "@vue/compiler-core": "3.5.31",
+        "@vue/shared": "3.5.31"
       }
     },
     "node_modules/@vue/compiler-sfc": {
-      "version": "3.5.30",
-      "resolved": "https://registry.npmjs.org/@vue/compiler-sfc/-/compiler-sfc-3.5.30.tgz",
-      "integrity": "sha512-LqmFPDn89dtU9vI3wHJnwaV6GfTRD87AjWpTWpyrdVOObVtjIuSeZr181z5C4PmVx/V3j2p+0f7edFKGRMpQ5A==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-sfc/-/compiler-sfc-3.5.31.tgz",
+      "integrity": "sha512-M8wpPgR9UJ8MiRGjppvx9uWJfLV7A/T+/rL8s/y3QG3u0c2/YZgff3d6SuimKRIhcYnWg5fTfDMlz2E6seUW8Q==",
       "license": "MIT",
       "dependencies": {
-        "@babel/parser": "^7.29.0",
-        "@vue/compiler-core": "3.5.30",
-        "@vue/compiler-dom": "3.5.30",
-        "@vue/compiler-ssr": "3.5.30",
-        "@vue/shared": "3.5.30",
+        "@babel/parser": "^7.29.2",
+        "@vue/compiler-core": "3.5.31",
+        "@vue/compiler-dom": "3.5.31",
+        "@vue/compiler-ssr": "3.5.31",
+        "@vue/shared": "3.5.31",
         "estree-walker": "^2.0.2",
         "magic-string": "^0.30.21",
         "postcss": "^8.5.8",
@@ -2590,13 +3863,13 @@
       "license": "MIT"
     },
     "node_modules/@vue/compiler-ssr": {
-      "version": "3.5.30",
-      "resolved": "https://registry.npmjs.org/@vue/compiler-ssr/-/compiler-ssr-3.5.30.tgz",
-      "integrity": "sha512-NsYK6OMTnx109PSL2IAyf62JP6EUdk4Dmj6AkWcJGBvN0dQoMYtVekAmdqgTtWQgEJo+Okstbf/1p7qZr5H+bA==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/compiler-ssr/-/compiler-ssr-3.5.31.tgz",
+      "integrity": "sha512-h0xIMxrt/LHOvJKMri+vdYT92BrK3HFLtDqq9Pr/lVVfE4IyKZKvWf0vJFW10Yr6nX02OR4MkJwI0c1HDa1hog==",
       "license": "MIT",
       "dependencies": {
-        "@vue/compiler-dom": "3.5.30",
-        "@vue/shared": "3.5.30"
+        "@vue/compiler-dom": "3.5.31",
+        "@vue/shared": "3.5.31"
       }
     },
     "node_modules/@vue/compiler-vue2": {
@@ -2611,37 +3884,31 @@
       }
     },
     "node_modules/@vue/devtools-api": {
-      "version": "8.0.6",
-      "resolved": "https://registry.npmjs.org/@vue/devtools-api/-/devtools-api-8.0.6.tgz",
-      "integrity": "sha512-+lGBI+WTvJmnU2FZqHhEB8J1DXcvNlDeEalz77iYgOdY1jTj1ipSBaKj3sRhYcy+kqA8v/BSuvOz1XJucfQmUA==",
+      "version": "8.1.1",
+      "resolved": "https://registry.npmjs.org/@vue/devtools-api/-/devtools-api-8.1.1.tgz",
+      "integrity": "sha512-bsDMJ07b3GN1puVwJb/fyFnj/U2imyswK5UQVLZwVl7O05jDrt6BHxeG5XffmOOdasOj/bOmIjxJvGPxU7pcqw==",
       "license": "MIT",
       "dependencies": {
-        "@vue/devtools-kit": "^8.0.6"
+        "@vue/devtools-kit": "^8.1.1"
       }
     },
     "node_modules/@vue/devtools-kit": {
-      "version": "8.0.6",
-      "resolved": "https://registry.npmjs.org/@vue/devtools-kit/-/devtools-kit-8.0.6.tgz",
-      "integrity": "sha512-9zXZPTJW72OteDXeSa5RVML3zWDCRcO5t77aJqSs228mdopYj5AiTpihozbsfFJ0IodfNs7pSgOGO3qfCuxDtw==",
+      "version": "8.1.1",
+      "resolved": "https://registry.npmjs.org/@vue/devtools-kit/-/devtools-kit-8.1.1.tgz",
+      "integrity": "sha512-gVBaBv++i+adg4JpH71k9ppl4soyR7Y2McEqO5YNgv0BI1kMZ7BDX5gnwkZ5COYgiCyhejZG+yGNrBAjj6Coqg==",
       "license": "MIT",
       "dependencies": {
-        "@vue/devtools-shared": "^8.0.6",
+        "@vue/devtools-shared": "^8.1.1",
         "birpc": "^2.6.1",
         "hookable": "^5.5.3",
-        "mitt": "^3.0.1",
-        "perfect-debounce": "^2.0.0",
-        "speakingurl": "^14.0.1",
-        "superjson": "^2.2.2"
+        "perfect-debounce": "^2.0.0"
       }
     },
     "node_modules/@vue/devtools-shared": {
-      "version": "8.0.6",
-      "resolved": "https://registry.npmjs.org/@vue/devtools-shared/-/devtools-shared-8.0.6.tgz",
-      "integrity": "sha512-Pp1JylTqlgMJvxW6MGyfTF8vGvlBSCAvMFaDCYa82Mgw7TT5eE5kkHgDvmOGHWeJE4zIDfCpCxHapsK2LtIAJg==",
-      "license": "MIT",
-      "dependencies": {
-        "rfdc": "^1.4.1"
-      }
+      "version": "8.1.1",
+      "resolved": "https://registry.npmjs.org/@vue/devtools-shared/-/devtools-shared-8.1.1.tgz",
+      "integrity": "sha512-+h4ttmJYl/txpxHKaoZcaKpC+pvckgLzIDiSQlaQ7kKthKh8KuwoLW2D8hPJEnqKzXOvu15UHEoGyngAXCz0EQ==",
+      "license": "MIT"
     },
     "node_modules/@vue/language-core": {
       "version": "2.2.12",
@@ -2669,53 +3936,53 @@
       }
     },
     "node_modules/@vue/reactivity": {
-      "version": "3.5.30",
-      "resolved": "https://registry.npmjs.org/@vue/reactivity/-/reactivity-3.5.30.tgz",
-      "integrity": "sha512-179YNgKATuwj9gB+66snskRDOitDiuOZqkYia7mHKJaidOMo/WJxHKF8DuGc4V4XbYTJANlfEKb0yxTQotnx4Q==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/reactivity/-/reactivity-3.5.31.tgz",
+      "integrity": "sha512-DtKXxk9E/KuVvt8VxWu+6Luc9I9ETNcqR1T1oW1gf02nXaZ1kuAx58oVu7uX9XxJR0iJCro6fqBLw9oSBELo5g==",
       "license": "MIT",
       "dependencies": {
-        "@vue/shared": "3.5.30"
+        "@vue/shared": "3.5.31"
       }
     },
     "node_modules/@vue/runtime-core": {
-      "version": "3.5.30",
-      "resolved": "https://registry.npmjs.org/@vue/runtime-core/-/runtime-core-3.5.30.tgz",
-      "integrity": "sha512-e0Z+8PQsUTdwV8TtEsLzUM7SzC7lQwYKePydb7K2ZnmS6jjND+WJXkmmfh/swYzRyfP1EY3fpdesyYoymCzYfg==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/runtime-core/-/runtime-core-3.5.31.tgz",
+      "integrity": "sha512-AZPmIHXEAyhpkmN7aWlqjSfYynmkWlluDNPHMCZKFHH+lLtxP/30UJmoVhXmbDoP1Ng0jG0fyY2zCj1PnSSA6Q==",
       "license": "MIT",
       "dependencies": {
-        "@vue/reactivity": "3.5.30",
-        "@vue/shared": "3.5.30"
+        "@vue/reactivity": "3.5.31",
+        "@vue/shared": "3.5.31"
       }
     },
     "node_modules/@vue/runtime-dom": {
-      "version": "3.5.30",
-      "resolved": "https://registry.npmjs.org/@vue/runtime-dom/-/runtime-dom-3.5.30.tgz",
-      "integrity": "sha512-2UIGakjU4WSQ0T4iwDEW0W7vQj6n7AFn7taqZ9Cvm0Q/RA2FFOziLESrDL4GmtI1wV3jXg5nMoJSYO66egDUBw==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/runtime-dom/-/runtime-dom-3.5.31.tgz",
+      "integrity": "sha512-xQJsNRmGPeDCJq/u813tyonNgWBFjzfVkBwDREdEWndBnGdHLHgkwNBQxLtg4zDrzKTEcnikUy1UUNecb3lJ6g==",
       "license": "MIT",
       "dependencies": {
-        "@vue/reactivity": "3.5.30",
-        "@vue/runtime-core": "3.5.30",
-        "@vue/shared": "3.5.30",
+        "@vue/reactivity": "3.5.31",
+        "@vue/runtime-core": "3.5.31",
+        "@vue/shared": "3.5.31",
         "csstype": "^3.2.3"
       }
     },
     "node_modules/@vue/server-renderer": {
-      "version": "3.5.30",
-      "resolved": "https://registry.npmjs.org/@vue/server-renderer/-/server-renderer-3.5.30.tgz",
-      "integrity": "sha512-v+R34icapydRwbZRD0sXwtHqrQJv38JuMB4JxbOxd8NEpGLny7cncMp53W9UH/zo4j8eDHjQ1dEJXwzFQknjtQ==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/server-renderer/-/server-renderer-3.5.31.tgz",
+      "integrity": "sha512-GJuwRvMcdZX/CriUnyIIOGkx3rMV3H6sOu0JhdKbduaeCji6zb60iOGMY7tFoN24NfsUYoFBhshZtGxGpxO4iA==",
       "license": "MIT",
       "dependencies": {
-        "@vue/compiler-ssr": "3.5.30",
-        "@vue/shared": "3.5.30"
+        "@vue/compiler-ssr": "3.5.31",
+        "@vue/shared": "3.5.31"
       },
       "peerDependencies": {
-        "vue": "3.5.30"
+        "vue": "3.5.31"
       }
     },
     "node_modules/@vue/shared": {
-      "version": "3.5.30",
-      "resolved": "https://registry.npmjs.org/@vue/shared/-/shared-3.5.30.tgz",
-      "integrity": "sha512-YXgQ7JjaO18NeK2K9VTbDHaFy62WrObMa6XERNfNOkAhD1F1oDSf3ZJ7K6GqabZ0BvSDHajp8qfS5Sa2I9n8uQ==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/@vue/shared/-/shared-3.5.31.tgz",
+      "integrity": "sha512-nBxuiuS9Lj5bPkPbWogPUnjxxWpkRniX7e5UBQDWl6Fsf4roq9wwV+cR7ezQ4zXswNvPIlsdj1slcLB7XCsRAw==",
       "license": "MIT"
     },
     "node_modules/@vue/test-utils": {
@@ -2758,6 +4025,23 @@
         "node": ">=0.4.0"
       }
     },
+    "node_modules/ajv": {
+      "version": "8.18.0",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.18.0.tgz",
+      "integrity": "sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "fast-deep-equal": "^3.1.3",
+        "fast-uri": "^3.0.1",
+        "json-schema-traverse": "^1.0.0",
+        "require-from-string": "^2.0.2"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/epoberezkin"
+      }
+    },
     "node_modules/alien-signals": {
       "version": "1.0.13",
       "resolved": "https://registry.npmjs.org/alien-signals/-/alien-signals-1.0.13.tgz",
@@ -2765,6 +4049,16 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/angular-html-parser": {
+      "version": "10.4.0",
+      "resolved": "https://registry.npmjs.org/angular-html-parser/-/angular-html-parser-10.4.0.tgz",
+      "integrity": "sha512-++nLNyZwRfHqFh7akH5Gw/JYizoFlMRz0KRigfwfsLqV8ZqlcVRb1LkPEWdYvEKDnbktknM2J4BXaYUGrQZPww==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">= 14"
+      }
+    },
     "node_modules/ansi-regex": {
       "version": "5.0.1",
       "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
@@ -2864,6 +4158,13 @@
         "js-tokens": "^10.0.0"
       }
     },
+    "node_modules/ast-v8-to-istanbul/node_modules/js-tokens": {
+      "version": "10.0.0",
+      "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-10.0.0.tgz",
+      "integrity": "sha512-lM/UBzQmfJRo9ABXbPWemivdCW8V2G8FHaHdypQaIy523snUjog0W71ayWXTjiR+ixeMyVHN2XcpnTd/liPg/Q==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/ast-walker-scope": {
       "version": "0.8.3",
       "resolved": "https://registry.npmjs.org/ast-walker-scope/-/ast-walker-scope-0.8.3.tgz",
@@ -2903,6 +4204,19 @@
         "node": "18 || 20 || >=22"
       }
     },
+    "node_modules/baseline-browser-mapping": {
+      "version": "2.10.11",
+      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.11.tgz",
+      "integrity": "sha512-DAKrHphkJyiGuau/cFieRYhcTFeK/lBuD++C7cZ6KZHbMhBrisoi+EvhQ5RZrIfV5qwsW8kgQ07JIC+MDJRAhg==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "bin": {
+        "baseline-browser-mapping": "dist/cli.cjs"
+      },
+      "engines": {
+        "node": ">=6.0.0"
+      }
+    },
     "node_modules/bidi-js": {
       "version": "1.0.3",
       "resolved": "https://registry.npmjs.org/bidi-js/-/bidi-js-1.0.3.tgz",
@@ -2923,9 +4237,9 @@
       }
     },
     "node_modules/brace-expansion": {
-      "version": "5.0.4",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.4.tgz",
-      "integrity": "sha512-h+DEnpVvxmfVefa4jFbCf5HdH5YMDXRsmKflpf1pILZWRFlTbJpxeU55nJl4Smt5HQaGzg1o6RHFPJaOqnmBDg==",
+      "version": "5.0.5",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz",
+      "integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -2948,6 +4262,40 @@
         "node": ">=8"
       }
     },
+    "node_modules/browserslist": {
+      "version": "4.28.1",
+      "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.28.1.tgz",
+      "integrity": "sha512-ZC5Bd0LgJXgwGqUknZY/vkUQ04r8NXnJZ3yYi4vDmSiZmC/pdSN0NbNRPxZpbtO4uAfDUAFffO8IZoM3Gj8IkA==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/browserslist"
+        },
+        {
+          "type": "tidelift",
+          "url": "https://tidelift.com/funding/github/npm/browserslist"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
+      "license": "MIT",
+      "dependencies": {
+        "baseline-browser-mapping": "^2.9.0",
+        "caniuse-lite": "^1.0.30001759",
+        "electron-to-chromium": "^1.5.263",
+        "node-releases": "^2.0.27",
+        "update-browserslist-db": "^1.2.0"
+      },
+      "bin": {
+        "browserslist": "cli.js"
+      },
+      "engines": {
+        "node": "^6 || ^7 || ^8 || ^9 || ^10 || ^11 || ^12 || >=13.7"
+      }
+    },
     "node_modules/bundle-name": {
       "version": "4.1.0",
       "resolved": "https://registry.npmjs.org/bundle-name/-/bundle-name-4.1.0.tgz",
@@ -2995,6 +4343,27 @@
         "url": "https://github.com/sponsors/ljharb"
       }
     },
+    "node_modules/caniuse-lite": {
+      "version": "1.0.30001781",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001781.tgz",
+      "integrity": "sha512-RdwNCyMsNBftLjW6w01z8bKEvT6e/5tpPVEgtn22TiLGlstHOVecsX2KHFkD5e/vRnIE4EGzpuIODb3mtswtkw==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/browserslist"
+        },
+        {
+          "type": "tidelift",
+          "url": "https://tidelift.com/funding/github/npm/caniuse-lite"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
+      "license": "CC-BY-4.0"
+    },
     "node_modules/chai": {
       "version": "5.3.3",
       "resolved": "https://registry.npmjs.org/chai/-/chai-5.3.3.tgz",
@@ -3012,6 +4381,19 @@
         "node": ">=18"
       }
     },
+    "node_modules/chalk": {
+      "version": "5.6.2",
+      "resolved": "https://registry.npmjs.org/chalk/-/chalk-5.6.2.tgz",
+      "integrity": "sha512-7NzBL0rN6fMUW+f7A6Io4h40qQlG+xGmtMxfbnH/K7TAtt8JQWVQK+6g0UXKMeVJoyV5EkkNsErQ8pVD3bLHbA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": "^12.17.0 || ^14.13 || >=16.0.0"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/chalk?sponsor=1"
+      }
+    },
     "node_modules/character-parser": {
       "version": "2.2.0",
       "resolved": "https://registry.npmjs.org/character-parser/-/character-parser-2.2.0.tgz",
@@ -3022,6 +4404,13 @@
         "is-regex": "^1.0.3"
       }
     },
+    "node_modules/chardet": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/chardet/-/chardet-2.1.1.tgz",
+      "integrity": "sha512-PsezH1rqdV9VvyNhxxOW32/d75r01NY7TQCmOqomRo15ZSOKbpTFVsfjghxo6JloQUCGnH4k1LGu0R4yCLlWQQ==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/check-error": {
       "version": "2.1.3",
       "resolved": "https://registry.npmjs.org/check-error/-/check-error-2.1.3.tgz",
@@ -3047,6 +4436,16 @@
         "url": "https://paulmillr.com/funding/"
       }
     },
+    "node_modules/cli-width": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/cli-width/-/cli-width-4.1.0.tgz",
+      "integrity": "sha512-ouuZd4/dm2Sw5Gmqy6bGyNNNe1qt9RpmxveLSO7KcgsTnU7RXfsw+/bukWGo1abgBiMAic068rclZsO4IWmmxQ==",
+      "dev": true,
+      "license": "ISC",
+      "engines": {
+        "node": ">= 12"
+      }
+    },
     "node_modules/color-convert": {
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz",
@@ -3068,13 +4467,13 @@
       "license": "MIT"
     },
     "node_modules/commander": {
-      "version": "10.0.1",
-      "resolved": "https://registry.npmjs.org/commander/-/commander-10.0.1.tgz",
-      "integrity": "sha512-y4Mg2tXshplEbSGzx7amzPwKKOCGuoSRP/CjEdwwk0FOGlUbq6lKuoyDZTNZkmxHdJtp54hdfY/JUrdL7Xfdug==",
+      "version": "14.0.3",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-14.0.3.tgz",
+      "integrity": "sha512-H+y0Jo/T1RZ9qPP4Eh1pkcQcLRglraJaSLoyOtHxu6AapkjWVCy2Sit1QQ4x3Dng8qDlSsZEet7g5Pq06MvTgw==",
       "dev": true,
       "license": "MIT",
       "engines": {
-        "node": ">=14"
+        "node": ">=20"
       }
     },
     "node_modules/confbox": {
@@ -3112,21 +4511,6 @@
       "dev": true,
       "license": "MIT"
     },
-    "node_modules/copy-anything": {
-      "version": "4.0.5",
-      "resolved": "https://registry.npmjs.org/copy-anything/-/copy-anything-4.0.5.tgz",
-      "integrity": "sha512-7Vv6asjS4gMOuILabD3l739tsaxFQmC+a7pLZm02zyvs8p977bL3zEgq3yDk5rn9B0PbYgIv++jmHcuUab4RhA==",
-      "license": "MIT",
-      "dependencies": {
-        "is-what": "^5.2.0"
-      },
-      "engines": {
-        "node": ">=18"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/mesqueeb"
-      }
-    },
     "node_modules/cross-spawn": {
       "version": "7.0.6",
       "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz",
@@ -3190,6 +4574,24 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/debug": {
+      "version": "4.4.3",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz",
+      "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "ms": "^2.1.3"
+      },
+      "engines": {
+        "node": ">=6.0"
+      },
+      "peerDependenciesMeta": {
+        "supports-color": {
+          "optional": true
+        }
+      }
+    },
     "node_modules/decimal.js": {
       "version": "10.6.0",
       "resolved": "https://registry.npmjs.org/decimal.js/-/decimal.js-10.6.0.tgz",
@@ -3260,6 +4662,17 @@
         "node": ">=6"
       }
     },
+    "node_modules/des.js": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/des.js/-/des.js-1.1.0.tgz",
+      "integrity": "sha512-r17GxjhUCjSRy8aiJpr8/UadFIzMzJGexI3Nmz4ADi9LYSFx4gTBp80+NaX/YsXWWLhpZ7v/v/ubEc/bCNfKwg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "inherits": "^2.0.1",
+        "minimalistic-assert": "^1.0.0"
+      }
+    },
     "node_modules/detect-libc": {
       "version": "2.1.2",
       "resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.1.2.tgz",
@@ -3270,6 +4683,13 @@
         "node": ">=8"
       }
     },
+    "node_modules/diff-match-patch": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/diff-match-patch/-/diff-match-patch-1.0.5.tgz",
+      "integrity": "sha512-IayShXAgj/QMXgB0IWmKx+rOPuGMhqm5w6jvFxmVenXKIzRqTAAsbBPT3kWQeGANj3jGgvcvv4yK6SxqYmikgw==",
+      "dev": true,
+      "license": "Apache-2.0"
+    },
     "node_modules/doctypes": {
       "version": "1.1.0",
       "resolved": "https://registry.npmjs.org/doctypes/-/doctypes-1.1.0.tgz",
@@ -3326,17 +4746,34 @@
         "node": ">=14"
       }
     },
+    "node_modules/editorconfig/node_modules/commander": {
+      "version": "10.0.1",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-10.0.1.tgz",
+      "integrity": "sha512-y4Mg2tXshplEbSGzx7amzPwKKOCGuoSRP/CjEdwwk0FOGlUbq6lKuoyDZTNZkmxHdJtp54hdfY/JUrdL7Xfdug==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=14"
+      }
+    },
+    "node_modules/electron-to-chromium": {
+      "version": "1.5.326",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.326.tgz",
+      "integrity": "sha512-uRBlUfKKdsXMkiiOurgaybNC10tjrD+skXLEg7NHbm6h0uAoqj3xMb9uue5BfcSCXJ4mcyJMOucI6q55D7p6KQ==",
+      "dev": true,
+      "license": "ISC"
+    },
     "node_modules/emoji-regex": {
-      "version": "9.2.2",
-      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-9.2.2.tgz",
-      "integrity": "sha512-L18DaJsXSUk2+42pv8mLs5jJT2hqFkFE4j21wOmgbUqsZ2hL72NsUU785g9RXgo3s0ZNgVl42TiHp3ZtOv/Vyg==",
+      "version": "10.6.0",
+      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-10.6.0.tgz",
+      "integrity": "sha512-toUI84YS5YmxW219erniWD0CIVOo46xGKColeNQRgOzDorgBi1v4D71/OFzgD9GO2UGKIv1C3Sp8DAn0+j5w7A==",
       "dev": true,
       "license": "MIT"
     },
     "node_modules/enhanced-resolve": {
-      "version": "5.20.0",
-      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.20.0.tgz",
-      "integrity": "sha512-/ce7+jQ1PQ6rVXwe+jKEg5hW5ciicHwIQUagZkp6IufBoY3YDgdTTY1azVs0qoRgVmvsNB+rbjLJxDAeHHtwsQ==",
+      "version": "5.20.1",
+      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.20.1.tgz",
+      "integrity": "sha512-Qohcme7V1inbAfvjItgw0EaxVX5q2rdVEZHRBrEQdRZTssLDGsL8Lwrznl8oQ/6kuTJONLaDcGjkNP247XEhcA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -3401,9 +4838,9 @@
       }
     },
     "node_modules/esbuild": {
-      "version": "0.27.3",
-      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.3.tgz",
-      "integrity": "sha512-8VwMnyGCONIs6cWue2IdpHxHnAjzxnw2Zr7MkVxB2vjmQ2ivqGFb4LEG3SMnv0Gb2F/G/2yA8zUaiL1gywDCCg==",
+      "version": "0.27.4",
+      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.4.tgz",
+      "integrity": "sha512-Rq4vbHnYkK5fws5NF7MYTU68FPRE1ajX7heQ/8QXXWqNgqqJ/GkmmyxIzUnf2Sr/bakf8l54716CcMGHYhMrrQ==",
       "dev": true,
       "hasInstallScript": true,
       "license": "MIT",
@@ -3414,32 +4851,42 @@
         "node": ">=18"
       },
       "optionalDependencies": {
-        "@esbuild/aix-ppc64": "0.27.3",
-        "@esbuild/android-arm": "0.27.3",
-        "@esbuild/android-arm64": "0.27.3",
-        "@esbuild/android-x64": "0.27.3",
-        "@esbuild/darwin-arm64": "0.27.3",
-        "@esbuild/darwin-x64": "0.27.3",
-        "@esbuild/freebsd-arm64": "0.27.3",
-        "@esbuild/freebsd-x64": "0.27.3",
-        "@esbuild/linux-arm": "0.27.3",
-        "@esbuild/linux-arm64": "0.27.3",
-        "@esbuild/linux-ia32": "0.27.3",
-        "@esbuild/linux-loong64": "0.27.3",
-        "@esbuild/linux-mips64el": "0.27.3",
-        "@esbuild/linux-ppc64": "0.27.3",
-        "@esbuild/linux-riscv64": "0.27.3",
-        "@esbuild/linux-s390x": "0.27.3",
-        "@esbuild/linux-x64": "0.27.3",
-        "@esbuild/netbsd-arm64": "0.27.3",
-        "@esbuild/netbsd-x64": "0.27.3",
-        "@esbuild/openbsd-arm64": "0.27.3",
-        "@esbuild/openbsd-x64": "0.27.3",
-        "@esbuild/openharmony-arm64": "0.27.3",
-        "@esbuild/sunos-x64": "0.27.3",
-        "@esbuild/win32-arm64": "0.27.3",
-        "@esbuild/win32-ia32": "0.27.3",
-        "@esbuild/win32-x64": "0.27.3"
+        "@esbuild/aix-ppc64": "0.27.4",
+        "@esbuild/android-arm": "0.27.4",
+        "@esbuild/android-arm64": "0.27.4",
+        "@esbuild/android-x64": "0.27.4",
+        "@esbuild/darwin-arm64": "0.27.4",
+        "@esbuild/darwin-x64": "0.27.4",
+        "@esbuild/freebsd-arm64": "0.27.4",
+        "@esbuild/freebsd-x64": "0.27.4",
+        "@esbuild/linux-arm": "0.27.4",
+        "@esbuild/linux-arm64": "0.27.4",
+        "@esbuild/linux-ia32": "0.27.4",
+        "@esbuild/linux-loong64": "0.27.4",
+        "@esbuild/linux-mips64el": "0.27.4",
+        "@esbuild/linux-ppc64": "0.27.4",
+        "@esbuild/linux-riscv64": "0.27.4",
+        "@esbuild/linux-s390x": "0.27.4",
+        "@esbuild/linux-x64": "0.27.4",
+        "@esbuild/netbsd-arm64": "0.27.4",
+        "@esbuild/netbsd-x64": "0.27.4",
+        "@esbuild/openbsd-arm64": "0.27.4",
+        "@esbuild/openbsd-x64": "0.27.4",
+        "@esbuild/openharmony-arm64": "0.27.4",
+        "@esbuild/sunos-x64": "0.27.4",
+        "@esbuild/win32-arm64": "0.27.4",
+        "@esbuild/win32-ia32": "0.27.4",
+        "@esbuild/win32-x64": "0.27.4"
+      }
+    },
+    "node_modules/escalade": {
+      "version": "3.2.0",
+      "resolved": "https://registry.npmjs.org/escalade/-/escalade-3.2.0.tgz",
+      "integrity": "sha512-WUj2qlxaQtO4g6Pq5c29GTcWGDyd8itL8zTlipgECz3JesAiiOKotd8JU6otB3PACgG6xkJUyVhboMS+bje/jA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6"
       }
     },
     "node_modules/esm-resolve": {
@@ -3473,6 +4920,33 @@
         "@types/estree": "^1.0.0"
       }
     },
+    "node_modules/execa": {
+      "version": "9.6.1",
+      "resolved": "https://registry.npmjs.org/execa/-/execa-9.6.1.tgz",
+      "integrity": "sha512-9Be3ZoN4LmYR90tUoVu2te2BsbzHfhJyfEiAVfz7N5/zv+jduIfLrV2xdQXOHbaD6KgpGdO9PRPM1Y4Q9QkPkA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@sindresorhus/merge-streams": "^4.0.0",
+        "cross-spawn": "^7.0.6",
+        "figures": "^6.1.0",
+        "get-stream": "^9.0.0",
+        "human-signals": "^8.0.1",
+        "is-plain-obj": "^4.1.0",
+        "is-stream": "^4.0.1",
+        "npm-run-path": "^6.0.0",
+        "pretty-ms": "^9.2.0",
+        "signal-exit": "^4.1.0",
+        "strip-final-newline": "^4.0.0",
+        "yoctocolors": "^2.1.1"
+      },
+      "engines": {
+        "node": "^18.19.0 || >=20.5.0"
+      },
+      "funding": {
+        "url": "https://github.com/sindresorhus/execa?sponsor=1"
+      }
+    },
     "node_modules/expect-type": {
       "version": "1.3.0",
       "resolved": "https://registry.npmjs.org/expect-type/-/expect-type-1.3.0.tgz",
@@ -3489,6 +4963,13 @@
       "integrity": "sha512-LmDxfWXwcTArk8fUEnOfSZpHOJ6zOMUJKOtFLFqJLoKJetuQG874Uc7/Kki7zFLzYybmZhp1M7+98pfMqeX8yA==",
       "license": "MIT"
     },
+    "node_modules/fast-deep-equal": {
+      "version": "3.1.3",
+      "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz",
+      "integrity": "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/fast-glob": {
       "version": "3.3.3",
       "resolved": "https://registry.npmjs.org/fast-glob/-/fast-glob-3.3.3.tgz",
@@ -3506,6 +4987,50 @@
         "node": ">=8.6.0"
       }
     },
+    "node_modules/fast-string-truncated-width": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/fast-string-truncated-width/-/fast-string-truncated-width-3.0.3.tgz",
+      "integrity": "sha512-0jjjIEL6+0jag3l2XWWizO64/aZVtpiGE3t0Zgqxv0DPuxiMjvB3M24fCyhZUO4KomJQPj3LTSUnDP3GpdwC0g==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/fast-string-width": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/fast-string-width/-/fast-string-width-3.0.2.tgz",
+      "integrity": "sha512-gX8LrtNEI5hq8DVUfRQMbr5lpaS4nMIWV+7XEbXk2b8kiQIizgnlr12B4dA3ZEx3308ze0O4Q1R+cHts8kyUJg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "fast-string-truncated-width": "^3.0.2"
+      }
+    },
+    "node_modules/fast-uri": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.0.tgz",
+      "integrity": "sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/fastify"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/fastify"
+        }
+      ],
+      "license": "BSD-3-Clause"
+    },
+    "node_modules/fast-wrap-ansi": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/fast-wrap-ansi/-/fast-wrap-ansi-0.2.0.tgz",
+      "integrity": "sha512-rLV8JHxTyhVmFYhBJuMujcrHqOT2cnO5Zxj37qROj23CP39GXubJRBUFF0z8KFK77Uc0SukZUf7JZhsVEQ6n8w==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "fast-string-width": "^3.0.2"
+      }
+    },
     "node_modules/fastq": {
       "version": "1.20.1",
       "resolved": "https://registry.npmjs.org/fastq/-/fastq-1.20.1.tgz",
@@ -3543,6 +5068,22 @@
         }
       }
     },
+    "node_modules/figures": {
+      "version": "6.1.0",
+      "resolved": "https://registry.npmjs.org/figures/-/figures-6.1.0.tgz",
+      "integrity": "sha512-d+l3qxjSesT4V7v2fh+QnmFnUWv9lSpjarhShNTgBOfA0ttejbQUAlHLitbjkoRiDulW0OPoQPYIGhIC8ohejg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "is-unicode-supported": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
     "node_modules/fill-range": {
       "version": "7.1.1",
       "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
@@ -3614,6 +5155,16 @@
         "url": "https://github.com/sponsors/ljharb"
       }
     },
+    "node_modules/gensync": {
+      "version": "1.0.0-beta.2",
+      "resolved": "https://registry.npmjs.org/gensync/-/gensync-1.0.0-beta.2.tgz",
+      "integrity": "sha512-3hN7NaskYvMDLQY55gnW3NQ+mesEAepTqlg+VEbj7zzqEMBVNhzcGYYeqFo/TlYz6eQiFcp1HcsCZO+nGgS8zg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
     "node_modules/get-intrinsic": {
       "version": "1.3.0",
       "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.3.0.tgz",
@@ -3653,6 +5204,36 @@
         "node": ">= 0.4"
       }
     },
+    "node_modules/get-stream": {
+      "version": "9.0.1",
+      "resolved": "https://registry.npmjs.org/get-stream/-/get-stream-9.0.1.tgz",
+      "integrity": "sha512-kVCxPF3vQM/N0B1PmoqVUqgHP+EeVjmZSQn+1oCRPxd2P21P2F19lIgbR3HBosbB1PUhOAoctJnfEn2GbN2eZA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@sec-ant/readable-stream": "^0.4.1",
+        "is-stream": "^4.0.1"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/get-tsconfig": {
+      "version": "4.13.7",
+      "resolved": "https://registry.npmjs.org/get-tsconfig/-/get-tsconfig-4.13.7.tgz",
+      "integrity": "sha512-7tN6rFgBlMgpBML5j8typ92BKFi2sFQvIdpAqLA2beia5avZDrMs0FLZiM5etShWq5irVyGcGMEA1jcDaK7A/Q==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "resolve-pkg-maps": "^1.0.0"
+      },
+      "funding": {
+        "url": "https://github.com/privatenumber/get-tsconfig?sponsor=1"
+      }
+    },
     "node_modules/glob": {
       "version": "10.5.0",
       "resolved": "https://registry.npmjs.org/glob/-/glob-10.5.0.tgz",
@@ -3708,6 +5289,20 @@
       "dev": true,
       "license": "ISC"
     },
+    "node_modules/grid-layout-plus": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/grid-layout-plus/-/grid-layout-plus-1.1.1.tgz",
+      "integrity": "sha512-7CWehJubrVC8Ps5QFUlnDsp0kiREvKfi3Pdjp21EyY8BNzSusqI3Utcxvu1Y9UUKe3YExvbhJzIxHK6rorbRaQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@vexip-ui/hooks": "^2.8.0",
+        "@vexip-ui/utils": "^2.16.1",
+        "interactjs": "^1.10.27"
+      },
+      "peerDependencies": {
+        "vue": "^3.0.0"
+      }
+    },
     "node_modules/has-flag": {
       "version": "4.0.0",
       "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-4.0.0.tgz",
@@ -3803,6 +5398,16 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/human-signals": {
+      "version": "8.0.1",
+      "resolved": "https://registry.npmjs.org/human-signals/-/human-signals-8.0.1.tgz",
+      "integrity": "sha512-eKCa6bwnJhvxj14kZk5NCPc6Hb6BdsU9DZcOnmQKSnO1VKrfV0zCvtttPZUsBvjmNDn8rpcJfpwSYnHBjc95MQ==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=18.18.0"
+      }
+    },
     "node_modules/iconify-icon": {
       "version": "3.0.2",
       "resolved": "https://registry.npmjs.org/iconify-icon/-/iconify-icon-3.0.2.tgz",
@@ -3815,6 +5420,23 @@
         "url": "https://github.com/sponsors/cyberalien"
       }
     },
+    "node_modules/iconv-lite": {
+      "version": "0.7.2",
+      "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.7.2.tgz",
+      "integrity": "sha512-im9DjEDQ55s9fL4EYzOAv0yMqmMBSZp6G0VvFyTMPKWxiSBHUj9NW/qqLmXUwXrrM7AvqSlTCfvqRb0cM8yYqw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "safer-buffer": ">= 2.1.2 < 3.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
     "node_modules/indent-string": {
       "version": "4.0.0",
       "resolved": "https://registry.npmjs.org/indent-string/-/indent-string-4.0.0.tgz",
@@ -3825,6 +5447,13 @@
         "node": ">=8"
       }
     },
+    "node_modules/inherits": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz",
+      "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==",
+      "dev": true,
+      "license": "ISC"
+    },
     "node_modules/ini": {
       "version": "1.3.8",
       "resolved": "https://registry.npmjs.org/ini/-/ini-1.3.8.tgz",
@@ -3832,6 +5461,15 @@
       "dev": true,
       "license": "ISC"
     },
+    "node_modules/interactjs": {
+      "version": "1.10.27",
+      "resolved": "https://registry.npmjs.org/interactjs/-/interactjs-1.10.27.tgz",
+      "integrity": "sha512-y/8RcCftGAF24gSp76X2JS3XpHiUvDQyhF8i7ujemBz77hwiHDuJzftHx7thY8cxGogwGiPJ+o97kWB6eAXnsA==",
+      "license": "MIT",
+      "dependencies": {
+        "@interactjs/types": "1.10.27"
+      }
+    },
     "node_modules/is-core-module": {
       "version": "2.16.1",
       "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.16.1.tgz",
@@ -3950,6 +5588,19 @@
         "node": ">=0.12.0"
       }
     },
+    "node_modules/is-plain-obj": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/is-plain-obj/-/is-plain-obj-4.1.0.tgz",
+      "integrity": "sha512-+Pgi+vMuUNkJyExiMBt5IlFoMyKnr5zhJ4Uspz58WOhBF5QoIZkFyNHIbBAtHwzVAgk5RtndVNsDRN61/mmDqg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
     "node_modules/is-potential-custom-element-name": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/is-potential-custom-element-name/-/is-potential-custom-element-name-1.0.1.tgz",
@@ -3983,16 +5634,30 @@
         "url": "https://github.com/sponsors/ljharb"
       }
     },
-    "node_modules/is-what": {
-      "version": "5.5.0",
-      "resolved": "https://registry.npmjs.org/is-what/-/is-what-5.5.0.tgz",
-      "integrity": "sha512-oG7cgbmg5kLYae2N5IVd3jm2s+vldjxJzK1pcu9LfpGuQ93MQSzo0okvRna+7y5ifrD+20FE8FvjusyGaz14fw==",
+    "node_modules/is-stream": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/is-stream/-/is-stream-4.0.1.tgz",
+      "integrity": "sha512-Dnz92NInDqYckGEUJv689RbRiTSEHCQ7wOVeALbkOz999YpqT46yMRIGtSNl2iCL1waAZSx40+h59NV/EwzV/A==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/is-unicode-supported": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/is-unicode-supported/-/is-unicode-supported-2.1.0.tgz",
+      "integrity": "sha512-mE00Gnza5EEB3Ds0HfMyllZzbBrmLOX3vfWoj9A9PEnTfratQ/BcaJOuMhnkhjXvb2+FkY3VuHqtAGpTPmglFQ==",
+      "dev": true,
       "license": "MIT",
       "engines": {
         "node": ">=18"
       },
       "funding": {
-        "url": "https://github.com/sponsors/mesqueeb"
+        "url": "https://github.com/sponsors/sindresorhus"
       }
     },
     "node_modules/is-wsl": {
@@ -4115,6 +5780,13 @@
         "node": ">=14"
       }
     },
+    "node_modules/js-md4": {
+      "version": "0.3.2",
+      "resolved": "https://registry.npmjs.org/js-md4/-/js-md4-0.3.2.tgz",
+      "integrity": "sha512-/GDnfQYsltsjRswQhN9fhv3EMw2sCpUdrdxyWDOUK7eyD++r3gRhzgiQgc/x4MAv2i1iuQ4lxO5mvqM3vj4bwA==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/js-stringify": {
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/js-stringify/-/js-stringify-1.0.2.tgz",
@@ -4123,21 +5795,21 @@
       "license": "MIT"
     },
     "node_modules/js-tokens": {
-      "version": "10.0.0",
-      "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-10.0.0.tgz",
-      "integrity": "sha512-lM/UBzQmfJRo9ABXbPWemivdCW8V2G8FHaHdypQaIy523snUjog0W71ayWXTjiR+ixeMyVHN2XcpnTd/liPg/Q==",
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz",
+      "integrity": "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==",
       "dev": true,
       "license": "MIT"
     },
     "node_modules/jsdom": {
-      "version": "29.0.0",
-      "resolved": "https://registry.npmjs.org/jsdom/-/jsdom-29.0.0.tgz",
-      "integrity": "sha512-9FshNB6OepopZ08unmmGpsF7/qCjxGPbo3NbgfJAnPeHXnsODE9WWffXZtRFRFe0ntzaAOcSKNJFz8wiyvF1jQ==",
+      "version": "29.0.1",
+      "resolved": "https://registry.npmjs.org/jsdom/-/jsdom-29.0.1.tgz",
+      "integrity": "sha512-z6JOK5gRO7aMybVq/y/MlIpKh8JIi68FBKMUtKkK2KH/wMSRlCxQ682d08LB9fYXplyY/UXG8P4XXTScmdjApg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@asamuzakjp/css-color": "^5.0.1",
-        "@asamuzakjp/dom-selector": "^7.0.2",
+        "@asamuzakjp/dom-selector": "^7.0.3",
         "@bramus/specificity": "^2.4.2",
         "@csstools/css-syntax-patches-for-csstree": "^1.1.1",
         "@exodus/bytes": "^1.15.0",
@@ -4151,7 +5823,7 @@
         "saxes": "^6.0.0",
         "symbol-tree": "^3.2.4",
         "tough-cookie": "^6.0.1",
-        "undici": "^7.24.3",
+        "undici": "^7.24.5",
         "w3c-xmlserializer": "^5.0.0",
         "webidl-conversions": "^8.0.1",
         "whatwg-mimetype": "^5.0.0",
@@ -4170,6 +5842,16 @@
         }
       }
     },
+    "node_modules/jsdom/node_modules/lru-cache": {
+      "version": "11.2.7",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.2.7.tgz",
+      "integrity": "sha512-aY/R+aEsRelme17KGQa/1ZSIpLpNYYrhcrepKTZgE+W3WM16YMCaPwOHLHsmopZHELU0Ojin1lPVxKR0MihncA==",
+      "dev": true,
+      "license": "BlueOak-1.0.0",
+      "engines": {
+        "node": "20 || >=22"
+      }
+    },
     "node_modules/jsesc": {
       "version": "3.1.0",
       "resolved": "https://registry.npmjs.org/jsesc/-/jsesc-3.1.0.tgz",
@@ -4182,6 +5864,20 @@
         "node": ">=6"
       }
     },
+    "node_modules/json-rpc-2.0": {
+      "version": "1.7.1",
+      "resolved": "https://registry.npmjs.org/json-rpc-2.0/-/json-rpc-2.0-1.7.1.tgz",
+      "integrity": "sha512-JqZjhjAanbpkXIzFE7u8mE/iFblawwlXtONaCvRqI+pyABVz7B4M1EUNpyVW+dZjqgQ2L5HFmZCmOCgUKm00hg==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/json-schema-traverse": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-1.0.0.tgz",
+      "integrity": "sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/json5": {
       "version": "2.2.3",
       "resolved": "https://registry.npmjs.org/json5/-/json5-2.2.3.tgz",
@@ -4206,9 +5902,9 @@
       }
     },
     "node_modules/knip": {
-      "version": "5.87.0",
-      "resolved": "https://registry.npmjs.org/knip/-/knip-5.87.0.tgz",
-      "integrity": "sha512-oJBrwd4/Mt5E6817vcdQLaPpejxZTxpASauYLkp6HaT0HN1seHnpF96KEjza9O8yARvHEQ9+So9AFUjkPci7dQ==",
+      "version": "6.0.6",
+      "resolved": "https://registry.npmjs.org/knip/-/knip-6.0.6.tgz",
+      "integrity": "sha512-PA+r1mTDLHH3eShlffn2ZDyH1hHvmgDj7JsTP3JKuhV/jZTyHbRkGcOd+uaSxfJZmcZyOE5zw3naP33WllTIlA==",
       "dev": true,
       "funding": [
         {
@@ -4225,8 +5921,10 @@
         "@nodelib/fs.walk": "^1.2.3",
         "fast-glob": "^3.3.3",
         "formatly": "^0.3.0",
+        "get-tsconfig": "4.13.7",
         "jiti": "^2.6.0",
         "minimist": "^1.2.8",
+        "oxc-parser": "^0.120.0",
         "oxc-resolver": "^11.19.1",
         "picocolors": "^1.1.1",
         "picomatch": "^4.0.1",
@@ -4241,17 +5939,13 @@
         "knip-bun": "bin/knip-bun.js"
       },
       "engines": {
-        "node": ">=18.18.0"
-      },
-      "peerDependencies": {
-        "@types/node": ">=18",
-        "typescript": ">=5.0.4 <7"
+        "node": "^20.19.0 || >=22.12.0"
       }
     },
     "node_modules/lightningcss": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss/-/lightningcss-1.31.1.tgz",
-      "integrity": "sha512-l51N2r93WmGUye3WuFoN5k10zyvrVs0qfKBhyC5ogUQ6Ew6JUSswh78mbSO+IU3nTWsyOArqPCcShdQSadghBQ==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss/-/lightningcss-1.32.0.tgz",
+      "integrity": "sha512-NXYBzinNrblfraPGyrbPoD19C1h9lfI/1mzgWYvXUTe414Gz/X1FD2XBZSZM7rRTrMA8JL3OtAaGifrIKhQ5yQ==",
       "dev": true,
       "license": "MPL-2.0",
       "dependencies": {
@@ -4265,23 +5959,23 @@
         "url": "https://opencollective.com/parcel"
       },
       "optionalDependencies": {
-        "lightningcss-android-arm64": "1.31.1",
-        "lightningcss-darwin-arm64": "1.31.1",
-        "lightningcss-darwin-x64": "1.31.1",
-        "lightningcss-freebsd-x64": "1.31.1",
-        "lightningcss-linux-arm-gnueabihf": "1.31.1",
-        "lightningcss-linux-arm64-gnu": "1.31.1",
-        "lightningcss-linux-arm64-musl": "1.31.1",
-        "lightningcss-linux-x64-gnu": "1.31.1",
-        "lightningcss-linux-x64-musl": "1.31.1",
-        "lightningcss-win32-arm64-msvc": "1.31.1",
-        "lightningcss-win32-x64-msvc": "1.31.1"
+        "lightningcss-android-arm64": "1.32.0",
+        "lightningcss-darwin-arm64": "1.32.0",
+        "lightningcss-darwin-x64": "1.32.0",
+        "lightningcss-freebsd-x64": "1.32.0",
+        "lightningcss-linux-arm-gnueabihf": "1.32.0",
+        "lightningcss-linux-arm64-gnu": "1.32.0",
+        "lightningcss-linux-arm64-musl": "1.32.0",
+        "lightningcss-linux-x64-gnu": "1.32.0",
+        "lightningcss-linux-x64-musl": "1.32.0",
+        "lightningcss-win32-arm64-msvc": "1.32.0",
+        "lightningcss-win32-x64-msvc": "1.32.0"
       }
     },
     "node_modules/lightningcss-android-arm64": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-android-arm64/-/lightningcss-android-arm64-1.31.1.tgz",
-      "integrity": "sha512-HXJF3x8w9nQ4jbXRiNppBCqeZPIAfUo8zE/kOEGbW5NZvGc/K7nMxbhIr+YlFlHW5mpbg/YFPdbnCh1wAXCKFg==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-android-arm64/-/lightningcss-android-arm64-1.32.0.tgz",
+      "integrity": "sha512-YK7/ClTt4kAK0vo6w3X+Pnm0D2cf2vPHbhOXdoNti1Ga0al1P4TBZhwjATvjNwLEBCnKvjJc2jQgHXH0NEwlAg==",
       "cpu": [
         "arm64"
       ],
@@ -4300,9 +5994,9 @@
       }
     },
     "node_modules/lightningcss-darwin-arm64": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-darwin-arm64/-/lightningcss-darwin-arm64-1.31.1.tgz",
-      "integrity": "sha512-02uTEqf3vIfNMq3h/z2cJfcOXnQ0GRwQrkmPafhueLb2h7mqEidiCzkE4gBMEH65abHRiQvhdcQ+aP0D0g67sg==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-darwin-arm64/-/lightningcss-darwin-arm64-1.32.0.tgz",
+      "integrity": "sha512-RzeG9Ju5bag2Bv1/lwlVJvBE3q6TtXskdZLLCyfg5pt+HLz9BqlICO7LZM7VHNTTn/5PRhHFBSjk5lc4cmscPQ==",
       "cpu": [
         "arm64"
       ],
@@ -4321,9 +6015,9 @@
       }
     },
     "node_modules/lightningcss-darwin-x64": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-darwin-x64/-/lightningcss-darwin-x64-1.31.1.tgz",
-      "integrity": "sha512-1ObhyoCY+tGxtsz1lSx5NXCj3nirk0Y0kB/g8B8DT+sSx4G9djitg9ejFnjb3gJNWo7qXH4DIy2SUHvpoFwfTA==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-darwin-x64/-/lightningcss-darwin-x64-1.32.0.tgz",
+      "integrity": "sha512-U+QsBp2m/s2wqpUYT/6wnlagdZbtZdndSmut/NJqlCcMLTWp5muCrID+K5UJ6jqD2BFshejCYXniPDbNh73V8w==",
       "cpu": [
         "x64"
       ],
@@ -4342,9 +6036,9 @@
       }
     },
     "node_modules/lightningcss-freebsd-x64": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-freebsd-x64/-/lightningcss-freebsd-x64-1.31.1.tgz",
-      "integrity": "sha512-1RINmQKAItO6ISxYgPwszQE1BrsVU5aB45ho6O42mu96UiZBxEXsuQ7cJW4zs4CEodPUioj/QrXW1r9pLUM74A==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-freebsd-x64/-/lightningcss-freebsd-x64-1.32.0.tgz",
+      "integrity": "sha512-JCTigedEksZk3tHTTthnMdVfGf61Fky8Ji2E4YjUTEQX14xiy/lTzXnu1vwiZe3bYe0q+SpsSH/CTeDXK6WHig==",
       "cpu": [
         "x64"
       ],
@@ -4363,9 +6057,9 @@
       }
     },
     "node_modules/lightningcss-linux-arm-gnueabihf": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm-gnueabihf/-/lightningcss-linux-arm-gnueabihf-1.31.1.tgz",
-      "integrity": "sha512-OOCm2//MZJ87CdDK62rZIu+aw9gBv4azMJuA8/KB74wmfS3lnC4yoPHm0uXZ/dvNNHmnZnB8XLAZzObeG0nS1g==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm-gnueabihf/-/lightningcss-linux-arm-gnueabihf-1.32.0.tgz",
+      "integrity": "sha512-x6rnnpRa2GL0zQOkt6rts3YDPzduLpWvwAF6EMhXFVZXD4tPrBkEFqzGowzCsIWsPjqSK+tyNEODUBXeeVHSkw==",
       "cpu": [
         "arm"
       ],
@@ -4384,9 +6078,9 @@
       }
     },
     "node_modules/lightningcss-linux-arm64-gnu": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-gnu/-/lightningcss-linux-arm64-gnu-1.31.1.tgz",
-      "integrity": "sha512-WKyLWztD71rTnou4xAD5kQT+982wvca7E6QoLpoawZ1gP9JM0GJj4Tp5jMUh9B3AitHbRZ2/H3W5xQmdEOUlLg==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-gnu/-/lightningcss-linux-arm64-gnu-1.32.0.tgz",
+      "integrity": "sha512-0nnMyoyOLRJXfbMOilaSRcLH3Jw5z9HDNGfT/gwCPgaDjnx0i8w7vBzFLFR1f6CMLKF8gVbebmkUN3fa/kQJpQ==",
       "cpu": [
         "arm64"
       ],
@@ -4405,9 +6099,9 @@
       }
     },
     "node_modules/lightningcss-linux-arm64-musl": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-musl/-/lightningcss-linux-arm64-musl-1.31.1.tgz",
-      "integrity": "sha512-mVZ7Pg2zIbe3XlNbZJdjs86YViQFoJSpc41CbVmKBPiGmC4YrfeOyz65ms2qpAobVd7WQsbW4PdsSJEMymyIMg==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-musl/-/lightningcss-linux-arm64-musl-1.32.0.tgz",
+      "integrity": "sha512-UpQkoenr4UJEzgVIYpI80lDFvRmPVg6oqboNHfoH4CQIfNA+HOrZ7Mo7KZP02dC6LjghPQJeBsvXhJod/wnIBg==",
       "cpu": [
         "arm64"
       ],
@@ -4426,9 +6120,9 @@
       }
     },
     "node_modules/lightningcss-linux-x64-gnu": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-linux-x64-gnu/-/lightningcss-linux-x64-gnu-1.31.1.tgz",
-      "integrity": "sha512-xGlFWRMl+0KvUhgySdIaReQdB4FNudfUTARn7q0hh/V67PVGCs3ADFjw+6++kG1RNd0zdGRlEKa+T13/tQjPMA==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-x64-gnu/-/lightningcss-linux-x64-gnu-1.32.0.tgz",
+      "integrity": "sha512-V7Qr52IhZmdKPVr+Vtw8o+WLsQJYCTd8loIfpDaMRWGUZfBOYEJeyJIkqGIDMZPwPx24pUMfwSxxI8phr/MbOA==",
       "cpu": [
         "x64"
       ],
@@ -4447,9 +6141,9 @@
       }
     },
     "node_modules/lightningcss-linux-x64-musl": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-linux-x64-musl/-/lightningcss-linux-x64-musl-1.31.1.tgz",
-      "integrity": "sha512-eowF8PrKHw9LpoZii5tdZwnBcYDxRw2rRCyvAXLi34iyeYfqCQNA9rmUM0ce62NlPhCvof1+9ivRaTY6pSKDaA==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-x64-musl/-/lightningcss-linux-x64-musl-1.32.0.tgz",
+      "integrity": "sha512-bYcLp+Vb0awsiXg/80uCRezCYHNg1/l3mt0gzHnWV9XP1W5sKa5/TCdGWaR/zBM2PeF/HbsQv/j2URNOiVuxWg==",
       "cpu": [
         "x64"
       ],
@@ -4468,9 +6162,9 @@
       }
     },
     "node_modules/lightningcss-win32-arm64-msvc": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-win32-arm64-msvc/-/lightningcss-win32-arm64-msvc-1.31.1.tgz",
-      "integrity": "sha512-aJReEbSEQzx1uBlQizAOBSjcmr9dCdL3XuC/6HLXAxmtErsj2ICo5yYggg1qOODQMtnjNQv2UHb9NpOuFtYe4w==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-win32-arm64-msvc/-/lightningcss-win32-arm64-msvc-1.32.0.tgz",
+      "integrity": "sha512-8SbC8BR40pS6baCM8sbtYDSwEVQd4JlFTOlaD3gWGHfThTcABnNDBda6eTZeqbofalIJhFx0qKzgHJmcPTnGdw==",
       "cpu": [
         "arm64"
       ],
@@ -4489,9 +6183,9 @@
       }
     },
     "node_modules/lightningcss-win32-x64-msvc": {
-      "version": "1.31.1",
-      "resolved": "https://registry.npmjs.org/lightningcss-win32-x64-msvc/-/lightningcss-win32-x64-msvc-1.31.1.tgz",
-      "integrity": "sha512-I9aiFrbd7oYHwlnQDqr1Roz+fTz61oDDJX7n9tYF9FJymH1cIN1DtKw3iYt6b8WZgEjoNwVSncwF4wx/ZedMhw==",
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-win32-x64-msvc/-/lightningcss-win32-x64-msvc-1.32.0.tgz",
+      "integrity": "sha512-Amq9B/SoZYdDi1kFrojnoqPLxYhQ4Wo5XiL8EVJrVsB8ARoC1PWW6VGtT0WKCemjy8aC+louJnjS7U18x3b06Q==",
       "cpu": [
         "x64"
       ],
@@ -4526,6 +6220,13 @@
         "url": "https://github.com/sponsors/antfu"
       }
     },
+    "node_modules/lodash.groupby": {
+      "version": "4.6.0",
+      "resolved": "https://registry.npmjs.org/lodash.groupby/-/lodash.groupby-4.6.0.tgz",
+      "integrity": "sha512-5dcWxm23+VAoz+awKmBaiBvzox8+RqMgFhi7UvX9DHZr2HdxHXM/Wrf8cfKpsW37RNrvtPn6hSwNqurSILbmJw==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/loupe": {
       "version": "3.2.1",
       "resolved": "https://registry.npmjs.org/loupe/-/loupe-3.2.1.tgz",
@@ -4534,13 +6235,13 @@
       "license": "MIT"
     },
     "node_modules/lru-cache": {
-      "version": "11.2.7",
-      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.2.7.tgz",
-      "integrity": "sha512-aY/R+aEsRelme17KGQa/1ZSIpLpNYYrhcrepKTZgE+W3WM16YMCaPwOHLHsmopZHELU0Ojin1lPVxKR0MihncA==",
+      "version": "5.1.1",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-5.1.1.tgz",
+      "integrity": "sha512-KpNARQA3Iwv+jTA0utUVVbrh+Jlrr1Fv0e56GGzAFOXN7dk/FviaDW8LHmK52DlcH4WP2n6gI8vN1aesBFgo9w==",
       "dev": true,
-      "license": "BlueOak-1.0.0",
-      "engines": {
-        "node": "20 || >=22"
+      "license": "ISC",
+      "dependencies": {
+        "yallist": "^3.0.2"
       }
     },
     "node_modules/lz-string": {
@@ -4647,19 +6348,6 @@
         "node": ">=8.6"
       }
     },
-    "node_modules/micromatch/node_modules/picomatch": {
-      "version": "2.3.1",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
-      "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=8.6"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/jonschlinkert"
-      }
-    },
     "node_modules/min-indent": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/min-indent/-/min-indent-1.0.1.tgz",
@@ -4670,6 +6358,13 @@
         "node": ">=4"
       }
     },
+    "node_modules/minimalistic-assert": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/minimalistic-assert/-/minimalistic-assert-1.0.1.tgz",
+      "integrity": "sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A==",
+      "dev": true,
+      "license": "ISC"
+    },
     "node_modules/minimatch": {
       "version": "10.2.4",
       "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.4.tgz",
@@ -4706,22 +6401,16 @@
         "node": ">=16 || 14 >=14.17"
       }
     },
-    "node_modules/mitt": {
-      "version": "3.0.1",
-      "resolved": "https://registry.npmjs.org/mitt/-/mitt-3.0.1.tgz",
-      "integrity": "sha512-vKivATfr97l2/QBCYAkXYDbrIWPM2IIKEl7YPhjCvKlG3kE2gm+uBo6nEXK3M5/Ffh/FLpKExzOQ3JJoJGFKBw==",
-      "license": "MIT"
-    },
     "node_modules/mlly": {
-      "version": "1.8.0",
-      "resolved": "https://registry.npmjs.org/mlly/-/mlly-1.8.0.tgz",
-      "integrity": "sha512-l8D9ODSRWLe2KHJSifWGwBqpTZXIXTeo8mlKjY+E2HAakaTeNpqAyBZ8GSqLzHgw4XmHmC8whvpjJNMbFZN7/g==",
+      "version": "1.8.2",
+      "resolved": "https://registry.npmjs.org/mlly/-/mlly-1.8.2.tgz",
+      "integrity": "sha512-d+ObxMQFmbt10sretNDytwt85VrbkhhUA/JBGm1MPaWJ65Cl4wOgLaB1NYvJSZ0Ef03MMEU/0xpPMXUIQ29UfA==",
       "license": "MIT",
       "dependencies": {
-        "acorn": "^8.15.0",
+        "acorn": "^8.16.0",
         "pathe": "^2.0.3",
         "pkg-types": "^1.3.1",
-        "ufo": "^1.6.1"
+        "ufo": "^1.6.3"
       }
     },
     "node_modules/mlly/node_modules/confbox": {
@@ -4741,12 +6430,66 @@
         "pathe": "^2.0.1"
       }
     },
+    "node_modules/ms": {
+      "version": "2.1.3",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
+      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/muggle-string": {
       "version": "0.4.1",
       "resolved": "https://registry.npmjs.org/muggle-string/-/muggle-string-0.4.1.tgz",
       "integrity": "sha512-VNTrAak/KhO2i8dqqnqnAHOa3cYBwXEZe9h+D5h/1ZqFSTEFHdM65lR7RoIqq3tBBYavsOXV84NoHXZ0AkPyqQ==",
       "license": "MIT"
     },
+    "node_modules/mutation-server-protocol": {
+      "version": "0.4.1",
+      "resolved": "https://registry.npmjs.org/mutation-server-protocol/-/mutation-server-protocol-0.4.1.tgz",
+      "integrity": "sha512-SBGK0j8hLDne7bktgThKI8kGvGTx3rY3LAeQTmOKZ5bVnL/7TorLMvcVF7dIPJCu5RNUWhkkuF53kurygYVt3g==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "zod": "^4.1.12"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/mutation-testing-elements": {
+      "version": "3.7.2",
+      "resolved": "https://registry.npmjs.org/mutation-testing-elements/-/mutation-testing-elements-3.7.2.tgz",
+      "integrity": "sha512-i7X2Q4X5eYon72W2QQ9HND7plVhQcqTnv+Xc3KeYslRZSJ4WYJoal8LFdbWm7dKWLNE0rYkCUrvboasWzF3MMA==",
+      "dev": true,
+      "license": "Apache-2.0"
+    },
+    "node_modules/mutation-testing-metrics": {
+      "version": "3.7.2",
+      "resolved": "https://registry.npmjs.org/mutation-testing-metrics/-/mutation-testing-metrics-3.7.2.tgz",
+      "integrity": "sha512-ichXZSC4FeJbcVHYOWzWUhNuTJGogc0WiQol8lqEBrBSp+ADl3fmcZMqrx0ogInEUiImn+A8JyTk6uh9vd25TQ==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "mutation-testing-report-schema": "3.7.2"
+      }
+    },
+    "node_modules/mutation-testing-report-schema": {
+      "version": "3.7.2",
+      "resolved": "https://registry.npmjs.org/mutation-testing-report-schema/-/mutation-testing-report-schema-3.7.2.tgz",
+      "integrity": "sha512-fN5M61SDzIOeJyatMOhGPLDOFz5BQIjTNPjo4PcHIEUWrejO4i4B5PFuQ/2l43709hEsTxeiXX00H73WERKcDw==",
+      "dev": true,
+      "license": "Apache-2.0"
+    },
+    "node_modules/mute-stream": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/mute-stream/-/mute-stream-3.0.0.tgz",
+      "integrity": "sha512-dkEJPVvun4FryqBmZ5KhDo0K9iDXAwn08tMLDinNdRBNPcYEDiWYysLcc6k3mjTMlbP9KyylvRpd4wFtwrT9rw==",
+      "dev": true,
+      "license": "ISC",
+      "engines": {
+        "node": "^20.17.0 || >=22.9.0"
+      }
+    },
     "node_modules/nanoid": {
       "version": "3.3.11",
       "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.11.tgz",
@@ -4765,6 +6508,13 @@
         "node": "^10 || ^12 || ^13.7 || ^14 || >=15.0.1"
       }
     },
+    "node_modules/node-releases": {
+      "version": "2.0.36",
+      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.36.tgz",
+      "integrity": "sha512-TdC8FSgHz8Mwtw9g5L4gR/Sh9XhSP/0DEkQxfEFXOpiul5IiHgHan2VhYYb6agDSfp4KuvltmGApc8HMgUrIkA==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/nopt": {
       "version": "7.2.1",
       "resolved": "https://registry.npmjs.org/nopt/-/nopt-7.2.1.tgz",
@@ -4781,6 +6531,36 @@
         "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
       }
     },
+    "node_modules/npm-run-path": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/npm-run-path/-/npm-run-path-6.0.0.tgz",
+      "integrity": "sha512-9qny7Z9DsQU8Ou39ERsPU4OZQlSTP47ShQzuKZ6PRXpYLtIFgl/DEBYEXKlvcEa+9tHVcK8CF81Y2V72qaZhWA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "path-key": "^4.0.0",
+        "unicorn-magic": "^0.3.0"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/npm-run-path/node_modules/path-key": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/path-key/-/path-key-4.0.0.tgz",
+      "integrity": "sha512-haREypq7xkM7ErfgIyA0z+Bj4AGKlMSdlQE2jvJo6huWD1EdkKYV+G/T4nq0YEF2vgTT8kqMFKo1uHn950r4SQ==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
     "node_modules/object-assign": {
       "version": "4.1.1",
       "resolved": "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz",
@@ -4791,6 +6571,19 @@
         "node": ">=0.10.0"
       }
     },
+    "node_modules/object-inspect": {
+      "version": "1.13.4",
+      "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.4.tgz",
+      "integrity": "sha512-W67iLl4J2EXEGTbfeHCffrjDfitvLANg0UlX3wFUUSTx92KXRFegMHUVgSqE+wvhAbi4WqjGg9czysTV2Epbew==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
     "node_modules/obug": {
       "version": "2.1.1",
       "resolved": "https://registry.npmjs.org/obug/-/obug-2.1.1.tgz",
@@ -4821,6 +6614,44 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/oxc-parser": {
+      "version": "0.120.0",
+      "resolved": "https://registry.npmjs.org/oxc-parser/-/oxc-parser-0.120.0.tgz",
+      "integrity": "sha512-WyPWZlcIm+Fkte63FGfgFB8mAAk33aH9h5N9lphXVOHSXEBFFsmYdOBedVKly363aWABjZdaj/m9lBfEY4wt+w==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@oxc-project/types": "^0.120.0"
+      },
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/Boshen"
+      },
+      "optionalDependencies": {
+        "@oxc-parser/binding-android-arm-eabi": "0.120.0",
+        "@oxc-parser/binding-android-arm64": "0.120.0",
+        "@oxc-parser/binding-darwin-arm64": "0.120.0",
+        "@oxc-parser/binding-darwin-x64": "0.120.0",
+        "@oxc-parser/binding-freebsd-x64": "0.120.0",
+        "@oxc-parser/binding-linux-arm-gnueabihf": "0.120.0",
+        "@oxc-parser/binding-linux-arm-musleabihf": "0.120.0",
+        "@oxc-parser/binding-linux-arm64-gnu": "0.120.0",
+        "@oxc-parser/binding-linux-arm64-musl": "0.120.0",
+        "@oxc-parser/binding-linux-ppc64-gnu": "0.120.0",
+        "@oxc-parser/binding-linux-riscv64-gnu": "0.120.0",
+        "@oxc-parser/binding-linux-riscv64-musl": "0.120.0",
+        "@oxc-parser/binding-linux-s390x-gnu": "0.120.0",
+        "@oxc-parser/binding-linux-x64-gnu": "0.120.0",
+        "@oxc-parser/binding-linux-x64-musl": "0.120.0",
+        "@oxc-parser/binding-openharmony-arm64": "0.120.0",
+        "@oxc-parser/binding-wasm32-wasi": "0.120.0",
+        "@oxc-parser/binding-win32-arm64-msvc": "0.120.0",
+        "@oxc-parser/binding-win32-ia32-msvc": "0.120.0",
+        "@oxc-parser/binding-win32-x64-msvc": "0.120.0"
+      }
+    },
     "node_modules/oxc-resolver": {
       "version": "11.19.1",
       "resolved": "https://registry.npmjs.org/oxc-resolver/-/oxc-resolver-11.19.1.tgz",
@@ -4860,6 +6691,19 @@
       "dev": true,
       "license": "BlueOak-1.0.0"
     },
+    "node_modules/parse-ms": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/parse-ms/-/parse-ms-4.0.0.tgz",
+      "integrity": "sha512-TXfryirbmq34y8QBwgqCVLi+8oA3oWx2eAnSn62ITyEhEYaWRlVZ2DvMM9eZbMs/RfxPu/PK/aBLyGj4IrqMHw==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
     "node_modules/parse5": {
       "version": "8.0.0",
       "resolved": "https://registry.npmjs.org/parse5/-/parse5-8.0.0.tgz",
@@ -4950,9 +6794,9 @@
       "license": "ISC"
     },
     "node_modules/picomatch": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
-      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
       "license": "MIT",
       "engines": {
         "node": ">=12"
@@ -5000,20 +6844,46 @@
         "node": "^10 || ^12 || >=14"
       }
     },
-    "node_modules/pretty-format": {
-      "version": "27.5.1",
-      "resolved": "https://registry.npmjs.org/pretty-format/-/pretty-format-27.5.1.tgz",
-      "integrity": "sha512-Qb1gy5OrP5+zDf2Bvnzdl3jsTf1qXVMazbvCoKhtKqVs4/YK4ozX4gKQJJVyNe+cajNPn0KoC0MC3FUmaHWEmQ==",
+    "node_modules/pretty-format": {
+      "version": "27.5.1",
+      "resolved": "https://registry.npmjs.org/pretty-format/-/pretty-format-27.5.1.tgz",
+      "integrity": "sha512-Qb1gy5OrP5+zDf2Bvnzdl3jsTf1qXVMazbvCoKhtKqVs4/YK4ozX4gKQJJVyNe+cajNPn0KoC0MC3FUmaHWEmQ==",
+      "dev": true,
+      "license": "MIT",
+      "peer": true,
+      "dependencies": {
+        "ansi-regex": "^5.0.1",
+        "ansi-styles": "^5.0.0",
+        "react-is": "^17.0.1"
+      },
+      "engines": {
+        "node": "^10.13.0 || ^12.13.0 || ^14.15.0 || >=15.0.0"
+      }
+    },
+    "node_modules/pretty-ms": {
+      "version": "9.3.0",
+      "resolved": "https://registry.npmjs.org/pretty-ms/-/pretty-ms-9.3.0.tgz",
+      "integrity": "sha512-gjVS5hOP+M3wMm5nmNOucbIrqudzs9v/57bWRHQWLYklXqoXKrVfYW2W9+glfGsqtPgpiz5WwyEEB+ksXIx3gQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "parse-ms": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/progress": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/progress/-/progress-2.0.3.tgz",
+      "integrity": "sha512-7PiHtLll5LdnKIMw100I+8xJXR5gW2QwWYkT6iJva0bXitZKa/XMrSbdmg3r2Xnaidz9Qumd0VPaMrZlF9V9sA==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
-      "dependencies": {
-        "ansi-regex": "^5.0.1",
-        "ansi-styles": "^5.0.0",
-        "react-is": "^17.0.1"
-      },
       "engines": {
-        "node": "^10.13.0 || ^12.13.0 || ^14.15.0 || >=15.0.0"
+        "node": ">=0.4.0"
       }
     },
     "node_modules/promise": {
@@ -5034,13 +6904,13 @@
       "license": "ISC"
     },
     "node_modules/pug": {
-      "version": "3.0.3",
-      "resolved": "https://registry.npmjs.org/pug/-/pug-3.0.3.tgz",
-      "integrity": "sha512-uBi6kmc9f3SZ3PXxqcHiUZLmIXgfgWooKWXcwSGwQd2Zi5Rb0bT14+8CJjJgI8AB+nndLaNgHGrcc6bPIB665g==",
+      "version": "3.0.4",
+      "resolved": "https://registry.npmjs.org/pug/-/pug-3.0.4.tgz",
+      "integrity": "sha512-kFfq5mMzrS7+wrl5pLJzZEzemx34OQ0w4SARfhy/3yxTlhbstsudDwJzhf1hP02yHzbjoVMSXUj/Sz6RNfMyXg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "pug-code-gen": "^3.0.3",
+        "pug-code-gen": "^3.0.4",
         "pug-filters": "^4.0.0",
         "pug-lexer": "^5.0.1",
         "pug-linker": "^4.0.0",
@@ -5063,9 +6933,9 @@
       }
     },
     "node_modules/pug-code-gen": {
-      "version": "3.0.3",
-      "resolved": "https://registry.npmjs.org/pug-code-gen/-/pug-code-gen-3.0.3.tgz",
-      "integrity": "sha512-cYQg0JW0w32Ux+XTeZnBEeuWrAY7/HNE6TWnhiHGnnRYlCgyAUPoyh9KzCMa9WhcJlJ1AtQqpEYHc+vbCzA+Aw==",
+      "version": "3.0.4",
+      "resolved": "https://registry.npmjs.org/pug-code-gen/-/pug-code-gen-3.0.4.tgz",
+      "integrity": "sha512-6okWYIKdasTyXICyEtvobmTZAVX57JkzgzIi4iRJlin8kmhG+Xry2dsus+Mun/nGCn6F2U49haHI5mkELXB14g==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -5179,6 +7049,22 @@
         "node": ">=6"
       }
     },
+    "node_modules/qs": {
+      "version": "6.15.0",
+      "resolved": "https://registry.npmjs.org/qs/-/qs-6.15.0.tgz",
+      "integrity": "sha512-mAZTtNCeetKMH+pSjrb76NAM8V9a05I9aBZOHztWy/UqcJdQYNsf59vrRKWnojAT9Y+GbIvoTBC++CPHqpDBhQ==",
+      "dev": true,
+      "license": "BSD-3-Clause",
+      "dependencies": {
+        "side-channel": "^1.1.0"
+      },
+      "engines": {
+        "node": ">=0.6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
     "node_modules/quansync": {
       "version": "0.2.11",
       "resolved": "https://registry.npmjs.org/quansync/-/quansync-0.2.11.tgz",
@@ -5279,6 +7165,16 @@
         "node": ">= 4"
       }
     },
+    "node_modules/recast/node_modules/source-map": {
+      "version": "0.6.1",
+      "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+      "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+      "dev": true,
+      "license": "BSD-3-Clause",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
     "node_modules/redent": {
       "version": "3.0.0",
       "resolved": "https://registry.npmjs.org/redent/-/redent-3.0.0.tgz",
@@ -5324,6 +7220,16 @@
         "url": "https://github.com/sponsors/ljharb"
       }
     },
+    "node_modules/resolve-pkg-maps": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/resolve-pkg-maps/-/resolve-pkg-maps-1.0.0.tgz",
+      "integrity": "sha512-seS2Tj26TBVOC2NIc2rOe2y2ZO7efxITtLZcGSOnHHNOQ7CkiUBfw0Iw2ck6xkIhPwLhKNLS8BO+hEpngQlqzw==",
+      "dev": true,
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/privatenumber/resolve-pkg-maps?sponsor=1"
+      }
+    },
     "node_modules/reusify": {
       "version": "1.1.0",
       "resolved": "https://registry.npmjs.org/reusify/-/reusify-1.1.0.tgz",
@@ -5335,57 +7241,57 @@
         "node": ">=0.10.0"
       }
     },
-    "node_modules/rfdc": {
-      "version": "1.4.1",
-      "resolved": "https://registry.npmjs.org/rfdc/-/rfdc-1.4.1.tgz",
-      "integrity": "sha512-q1b3N5QkRUWUl7iyylaaj3kOpIT0N2i9MqIEQXP73GVsN9cw3fdx8X63cEmWhJGi2PPCF23Ijp7ktmd39rawIA==",
-      "license": "MIT"
-    },
-    "node_modules/rollup": {
-      "version": "4.59.0",
-      "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.59.0.tgz",
-      "integrity": "sha512-2oMpl67a3zCH9H79LeMcbDhXW/UmWG/y2zuqnF2jQq5uq9TbM9TVyXvA4+t+ne2IIkBdrLpAaRQAvo7YI/Yyeg==",
+    "node_modules/rolldown": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/rolldown/-/rolldown-1.0.0-rc.12.tgz",
+      "integrity": "sha512-yP4USLIMYrwpPHEFB5JGH1uxhcslv6/hL0OyvTuY+3qlOSJvZ7ntYnoWpehBxufkgN0cvXxppuTu5hHa/zPh+A==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@types/estree": "1.0.8"
+        "@oxc-project/types": "=0.122.0",
+        "@rolldown/pluginutils": "1.0.0-rc.12"
       },
       "bin": {
-        "rollup": "dist/bin/rollup"
+        "rolldown": "bin/cli.mjs"
       },
       "engines": {
-        "node": ">=18.0.0",
-        "npm": ">=8.0.0"
+        "node": "^20.19.0 || >=22.12.0"
       },
       "optionalDependencies": {
-        "@rollup/rollup-android-arm-eabi": "4.59.0",
-        "@rollup/rollup-android-arm64": "4.59.0",
-        "@rollup/rollup-darwin-arm64": "4.59.0",
-        "@rollup/rollup-darwin-x64": "4.59.0",
-        "@rollup/rollup-freebsd-arm64": "4.59.0",
-        "@rollup/rollup-freebsd-x64": "4.59.0",
-        "@rollup/rollup-linux-arm-gnueabihf": "4.59.0",
-        "@rollup/rollup-linux-arm-musleabihf": "4.59.0",
-        "@rollup/rollup-linux-arm64-gnu": "4.59.0",
-        "@rollup/rollup-linux-arm64-musl": "4.59.0",
-        "@rollup/rollup-linux-loong64-gnu": "4.59.0",
-        "@rollup/rollup-linux-loong64-musl": "4.59.0",
-        "@rollup/rollup-linux-ppc64-gnu": "4.59.0",
-        "@rollup/rollup-linux-ppc64-musl": "4.59.0",
-        "@rollup/rollup-linux-riscv64-gnu": "4.59.0",
-        "@rollup/rollup-linux-riscv64-musl": "4.59.0",
-        "@rollup/rollup-linux-s390x-gnu": "4.59.0",
-        "@rollup/rollup-linux-x64-gnu": "4.59.0",
-        "@rollup/rollup-linux-x64-musl": "4.59.0",
-        "@rollup/rollup-openbsd-x64": "4.59.0",
-        "@rollup/rollup-openharmony-arm64": "4.59.0",
-        "@rollup/rollup-win32-arm64-msvc": "4.59.0",
-        "@rollup/rollup-win32-ia32-msvc": "4.59.0",
-        "@rollup/rollup-win32-x64-gnu": "4.59.0",
-        "@rollup/rollup-win32-x64-msvc": "4.59.0",
-        "fsevents": "~2.3.2"
+        "@rolldown/binding-android-arm64": "1.0.0-rc.12",
+        "@rolldown/binding-darwin-arm64": "1.0.0-rc.12",
+        "@rolldown/binding-darwin-x64": "1.0.0-rc.12",
+        "@rolldown/binding-freebsd-x64": "1.0.0-rc.12",
+        "@rolldown/binding-linux-arm-gnueabihf": "1.0.0-rc.12",
+        "@rolldown/binding-linux-arm64-gnu": "1.0.0-rc.12",
+        "@rolldown/binding-linux-arm64-musl": "1.0.0-rc.12",
+        "@rolldown/binding-linux-ppc64-gnu": "1.0.0-rc.12",
+        "@rolldown/binding-linux-s390x-gnu": "1.0.0-rc.12",
+        "@rolldown/binding-linux-x64-gnu": "1.0.0-rc.12",
+        "@rolldown/binding-linux-x64-musl": "1.0.0-rc.12",
+        "@rolldown/binding-openharmony-arm64": "1.0.0-rc.12",
+        "@rolldown/binding-wasm32-wasi": "1.0.0-rc.12",
+        "@rolldown/binding-win32-arm64-msvc": "1.0.0-rc.12",
+        "@rolldown/binding-win32-x64-msvc": "1.0.0-rc.12"
+      }
+    },
+    "node_modules/rolldown/node_modules/@oxc-project/types": {
+      "version": "0.122.0",
+      "resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.122.0.tgz",
+      "integrity": "sha512-oLAl5kBpV4w69UtFZ9xqcmTi+GENWOcPF7FCrczTiBbmC0ibXxCwyvZGbO39rCVEuLGAZM84DH0pUIyyv/YJzA==",
+      "dev": true,
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/Boshen"
       }
     },
+    "node_modules/rolldown/node_modules/@rolldown/pluginutils": {
+      "version": "1.0.0-rc.12",
+      "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-rc.12.tgz",
+      "integrity": "sha512-HHMwmarRKvoFsJorqYlFeFRzXZqCt2ETQlEDOb9aqssrnVBB1/+xgTGtuTrIk5vzLNX1MjMtTf7W9z3tsSbrxw==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/run-applescript": {
       "version": "7.1.0",
       "resolved": "https://registry.npmjs.org/run-applescript/-/run-applescript-7.1.0.tgz",
@@ -5423,6 +7329,23 @@
         "queue-microtask": "^1.2.2"
       }
     },
+    "node_modules/rxjs": {
+      "version": "7.8.2",
+      "resolved": "https://registry.npmjs.org/rxjs/-/rxjs-7.8.2.tgz",
+      "integrity": "sha512-dhKf903U/PQZY6boNNtAGdWbG85WAbjT/1xYoZIC7FAY0yWapOBQVsVrDl58W86//e1VpMNBtRV4MaXfdMySFA==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "tslib": "^2.1.0"
+      }
+    },
+    "node_modules/safer-buffer": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz",
+      "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/saxes": {
       "version": "6.0.0",
       "resolved": "https://registry.npmjs.org/saxes/-/saxes-6.0.0.tgz",
@@ -5486,6 +7409,82 @@
         "node": ">=8"
       }
     },
+    "node_modules/side-channel": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.1.0.tgz",
+      "integrity": "sha512-ZX99e6tRweoUXqR+VBrslhda51Nh5MTQwou5tnUDgbtyM0dBgmhEDtWGP/xbKn6hqfPRHujUNwz5fy/wbbhnpw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0",
+        "object-inspect": "^1.13.3",
+        "side-channel-list": "^1.0.0",
+        "side-channel-map": "^1.0.1",
+        "side-channel-weakmap": "^1.0.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/side-channel-list": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/side-channel-list/-/side-channel-list-1.0.0.tgz",
+      "integrity": "sha512-FCLHtRD/gnpCiCHEiJLOwdmFP+wzCmDEkc9y7NsYxeF4u7Btsn1ZuwgwJGxImImHicJArLP4R0yX4c2KCrMrTA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0",
+        "object-inspect": "^1.13.3"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/side-channel-map": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/side-channel-map/-/side-channel-map-1.0.1.tgz",
+      "integrity": "sha512-VCjCNfgMsby3tTdo02nbjtM/ewra6jPHmpThenkTYh8pG9ucZ/1P8So4u4FGBek/BjpOVsDCMoLA/iuBKIFXRA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "call-bound": "^1.0.2",
+        "es-errors": "^1.3.0",
+        "get-intrinsic": "^1.2.5",
+        "object-inspect": "^1.13.3"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/side-channel-weakmap": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/side-channel-weakmap/-/side-channel-weakmap-1.0.2.tgz",
+      "integrity": "sha512-WPS/HvHQTYnHisLo9McqBHOJk2FkHO/tlpvldyrnem4aeQp4hai3gythswg6p01oSoTl58rcpiFAjF2br2Ak2A==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "call-bound": "^1.0.2",
+        "es-errors": "^1.3.0",
+        "get-intrinsic": "^1.2.5",
+        "object-inspect": "^1.13.3",
+        "side-channel-map": "^1.0.1"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
     "node_modules/siginfo": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/siginfo/-/siginfo-2.0.0.tgz",
@@ -5507,9 +7506,9 @@
       }
     },
     "node_modules/smol-toml": {
-      "version": "1.6.0",
-      "resolved": "https://registry.npmjs.org/smol-toml/-/smol-toml-1.6.0.tgz",
-      "integrity": "sha512-4zemZi0HvTnYwLfrpk/CF9LOd9Lt87kAt50GnqhMpyF9U3poDAP2+iukq2bZsO/ufegbYehBkqINbsWxj4l4cw==",
+      "version": "1.6.1",
+      "resolved": "https://registry.npmjs.org/smol-toml/-/smol-toml-1.6.1.tgz",
+      "integrity": "sha512-dWUG8F5sIIARXih1DTaQAX4SsiTXhInKf1buxdY9DIg4ZYPZK5nGM1VRIYmEbDbsHt7USo99xSLFu5Q1IqTmsg==",
       "dev": true,
       "license": "BSD-3-Clause",
       "engines": {
@@ -5520,13 +7519,13 @@
       }
     },
     "node_modules/source-map": {
-      "version": "0.6.1",
-      "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-      "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
+      "version": "0.7.6",
+      "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.7.6.tgz",
+      "integrity": "sha512-i5uvt8C3ikiWeNZSVZNWcfZPItFQOsYTUAOkcUPGd8DqDy1uOUikjt5dG+uRlwyvR108Fb9DOd4GvXfT0N2/uQ==",
       "dev": true,
       "license": "BSD-3-Clause",
       "engines": {
-        "node": ">=0.10.0"
+        "node": ">= 12"
       }
     },
     "node_modules/source-map-js": {
@@ -5538,15 +7537,6 @@
         "node": ">=0.10.0"
       }
     },
-    "node_modules/speakingurl": {
-      "version": "14.0.1",
-      "resolved": "https://registry.npmjs.org/speakingurl/-/speakingurl-14.0.1.tgz",
-      "integrity": "sha512-1POYv7uv2gXoyGFpBCmpDVSNV74IfsWlDW216UPjbWufNf+bSU6GdbDsxdcxtfwb4xlI3yxzOTKClUosxARYrQ==",
-      "license": "BSD-3-Clause",
-      "engines": {
-        "node": ">=0.10.0"
-      }
-    },
     "node_modules/stackback": {
       "version": "0.0.2",
       "resolved": "https://registry.npmjs.org/stackback/-/stackback-0.0.2.tgz",
@@ -5562,15 +7552,15 @@
       "license": "MIT"
     },
     "node_modules/storybook": {
-      "version": "10.2.19",
-      "resolved": "https://registry.npmjs.org/storybook/-/storybook-10.2.19.tgz",
-      "integrity": "sha512-UUm5eGSm6BLhkcFP0WbxkmAHJZfVN2ViLpIZOqiIPS++q32VYn+CLFC0lrTYTDqYvaG7i4BK4uowXYujzE4NdQ==",
+      "version": "10.3.3",
+      "resolved": "https://registry.npmjs.org/storybook/-/storybook-10.3.3.tgz",
+      "integrity": "sha512-tMoRAts9EVqf+mEMPLC6z1DPyHbcPe+CV1MhLN55IKsl0HxNjvVGK44rVPSePbltPE6vIsn4bdRj6CCUt8SJwQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@storybook/global": "^5.0.0",
         "@storybook/icons": "^2.0.1",
-        "@testing-library/jest-dom": "^6.6.3",
+        "@testing-library/jest-dom": "^6.9.1",
         "@testing-library/user-event": "^14.6.1",
         "@vitest/expect": "3.2.4",
         "@vitest/spy": "3.2.4",
@@ -5651,6 +7641,13 @@
         "node": ">=8"
       }
     },
+    "node_modules/string-width/node_modules/emoji-regex": {
+      "version": "9.2.2",
+      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-9.2.2.tgz",
+      "integrity": "sha512-L18DaJsXSUk2+42pv8mLs5jJT2hqFkFE4j21wOmgbUqsZ2hL72NsUU785g9RXgo3s0ZNgVl42TiHp3ZtOv/Vyg==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/strip-ansi": {
       "version": "7.2.0",
       "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.2.0.tgz",
@@ -5694,6 +7691,19 @@
         "url": "https://github.com/chalk/ansi-regex?sponsor=1"
       }
     },
+    "node_modules/strip-final-newline": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/strip-final-newline/-/strip-final-newline-4.0.0.tgz",
+      "integrity": "sha512-aulFJcD6YK8V1G7iRB5tigAP4TsHBZZrOV8pjV++zdUwmeV8uzbY7yn6h9MswN62adStNZFuCIx4haBnRuMDaw==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
     "node_modules/strip-indent": {
       "version": "3.0.0",
       "resolved": "https://registry.npmjs.org/strip-indent/-/strip-indent-3.0.0.tgz",
@@ -5720,18 +7730,6 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
-    "node_modules/superjson": {
-      "version": "2.2.6",
-      "resolved": "https://registry.npmjs.org/superjson/-/superjson-2.2.6.tgz",
-      "integrity": "sha512-H+ue8Zo4vJmV2nRjpx86P35lzwDT3nItnIsocgumgr0hHMQ+ZGq5vrERg9kJBo5AWGmxZDhzDo+WVIJqkB0cGA==",
-      "license": "MIT",
-      "dependencies": {
-        "copy-anything": "^4"
-      },
-      "engines": {
-        "node": ">=16"
-      }
-    },
     "node_modules/supports-color": {
       "version": "7.2.0",
       "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-7.2.0.tgz",
@@ -5766,15 +7764,15 @@
       "license": "MIT"
     },
     "node_modules/tailwindcss": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.2.1.tgz",
-      "integrity": "sha512-/tBrSQ36vCleJkAOsy9kbNTgaxvGbyOamC30PRePTQe/o1MFwEKHQk4Cn7BNGaPtjp+PuUrByJehM1hgxfq4sw==",
+      "version": "4.2.2",
+      "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.2.2.tgz",
+      "integrity": "sha512-KWBIxs1Xb6NoLdMVqhbhgwZf2PGBpPEiwOqgI4pFIYbNTfBXiKYyWoTsXgBQ9WFg/OlhnvHaY+AEpW7wSmFo2Q==",
       "license": "MIT"
     },
     "node_modules/tapable": {
-      "version": "2.3.0",
-      "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.3.0.tgz",
-      "integrity": "sha512-g9ljZiwki/LfxmQADO3dEY1CbpmXT5Hm2fJ+QaGKwSXUylMybePR7/67YW7jOrrvjEgL1Fmz5kzyAjWVWLlucg==",
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.3.2.tgz",
+      "integrity": "sha512-1MOpMXuhGzGL5TTCZFItxCc0AARf1EZFQkGqMm7ERKj8+Hgr5oLvJOVFcC+lRmR8hCe2S3jC4T5D7Vg/d7/fhA==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -5846,22 +7844,22 @@
       }
     },
     "node_modules/tldts": {
-      "version": "7.0.26",
-      "resolved": "https://registry.npmjs.org/tldts/-/tldts-7.0.26.tgz",
-      "integrity": "sha512-WiGwQjr0qYdNNG8KpMKlSvpxz652lqa3Rd+/hSaDcY4Uo6SKWZq2LAF+hsAhUewTtYhXlorBKgNF3Kk8hnjGoQ==",
+      "version": "7.0.27",
+      "resolved": "https://registry.npmjs.org/tldts/-/tldts-7.0.27.tgz",
+      "integrity": "sha512-I4FZcVFcqCRuT0ph6dCDpPuO4Xgzvh+spkcTr1gK7peIvxWauoloVO0vuy1FQnijT63ss6AsHB6+OIM4aXHbPg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "tldts-core": "^7.0.26"
+        "tldts-core": "^7.0.27"
       },
       "bin": {
         "tldts": "bin/cli.js"
       }
     },
     "node_modules/tldts-core": {
-      "version": "7.0.26",
-      "resolved": "https://registry.npmjs.org/tldts-core/-/tldts-core-7.0.26.tgz",
-      "integrity": "sha512-5WJ2SqFsv4G2Dwi7ZFVRnz6b2H1od39QME1lc2y5Ew3eWiZMAeqOAfWpRP9jHvhUl881406QtZTODvjttJs+ew==",
+      "version": "7.0.27",
+      "resolved": "https://registry.npmjs.org/tldts-core/-/tldts-core-7.0.27.tgz",
+      "integrity": "sha512-YQ7uPjgWUibIK6DW5lrKujGwUKhLevU4hcGbP5O6TcIUb+oTjJYJVWPS4nZsIHrEEEG6myk/oqAJUEQmpZrHsg==",
       "dev": true,
       "license": "MIT"
     },
@@ -5911,6 +7909,16 @@
         "node": ">=20"
       }
     },
+    "node_modules/tree-kill": {
+      "version": "1.2.2",
+      "resolved": "https://registry.npmjs.org/tree-kill/-/tree-kill-1.2.2.tgz",
+      "integrity": "sha512-L0Orpi8qGpRG//Nd+H90vFB+3iHnue1zSSGmNOOCh1GLJ7rUKVwV2HvijphGQS2UmhUZewS9VgvxYIdgr+fG1A==",
+      "dev": true,
+      "license": "MIT",
+      "bin": {
+        "tree-kill": "cli.js"
+      }
+    },
     "node_modules/ts-dedent": {
       "version": "2.2.0",
       "resolved": "https://registry.npmjs.org/ts-dedent/-/ts-dedent-2.2.0.tgz",
@@ -5935,6 +7943,16 @@
       "dev": true,
       "license": "0BSD"
     },
+    "node_modules/tunnel": {
+      "version": "0.0.6",
+      "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
+      "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.6.11 <=0.7.0 || >=0.7.3"
+      }
+    },
     "node_modules/type-fest": {
       "version": "2.19.0",
       "resolved": "https://registry.npmjs.org/type-fest/-/type-fest-2.19.0.tgz",
@@ -5948,6 +7966,33 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/typed-inject": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/typed-inject/-/typed-inject-5.0.0.tgz",
+      "integrity": "sha512-0Ql2ORqBORLMdAW89TQKZsb1PQkFGImFfVmncXWe7a+AA3+7dh7Se9exxZowH4kbnlvKEFkMxUYdHUpjYWFJaA==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/typed-rest-client": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/typed-rest-client/-/typed-rest-client-2.2.0.tgz",
+      "integrity": "sha512-/e2Rk9g20N0r44kaQLb3v6QGuryOD8SPb53t43Y5kqXXA+SqWuU7zLiMxetw61jNn/JFrxTdr5nPDhGY/eTNhQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "des.js": "^1.1.0",
+        "js-md4": "^0.3.2",
+        "qs": "^6.14.1",
+        "tunnel": "0.0.6",
+        "underscore": "^1.12.1"
+      },
+      "engines": {
+        "node": ">= 16.0.0"
+      }
+    },
     "node_modules/typescript": {
       "version": "5.9.3",
       "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz",
@@ -5978,10 +8023,17 @@
         "node": ">=14"
       }
     },
+    "node_modules/underscore": {
+      "version": "1.13.8",
+      "resolved": "https://registry.npmjs.org/underscore/-/underscore-1.13.8.tgz",
+      "integrity": "sha512-DXtD3ZtEQzc7M8m4cXotyHR+FAS18C64asBYY5vqZexfYryNNnDc02W4hKg3rdQuqOYas1jkseX0+nZXjTXnvQ==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/undici": {
-      "version": "7.24.4",
-      "resolved": "https://registry.npmjs.org/undici/-/undici-7.24.4.tgz",
-      "integrity": "sha512-BM/JzwwaRXxrLdElV2Uo6cTLEjhSb3WXboncJamZ15NgUURmvlXvxa6xkwIOILIjPNo9i8ku136ZvWV0Uly8+w==",
+      "version": "7.24.6",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-7.24.6.tgz",
+      "integrity": "sha512-Xi4agocCbRzt0yYMZGMA6ApD7gvtUFaxm4ZmeacWI4cZxaF6C+8I8QfofC20NAePiB/IcvZmzkJ7XPa471AEtA==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -5995,6 +8047,19 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/unicorn-magic": {
+      "version": "0.3.0",
+      "resolved": "https://registry.npmjs.org/unicorn-magic/-/unicorn-magic-0.3.0.tgz",
+      "integrity": "sha512-+QBBXBCvifc56fsbuxZQ6Sic3wqqc3WWaqxs58gvJrcOuN83HGTCwz3oS5phzU9LthRNE9VrJCFCLUgHeeFnfA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
     "node_modules/unplugin": {
       "version": "2.3.11",
       "resolved": "https://registry.npmjs.org/unplugin/-/unplugin-2.3.11.tgz",
@@ -6027,6 +8092,37 @@
         "url": "https://github.com/sponsors/sxzz"
       }
     },
+    "node_modules/update-browserslist-db": {
+      "version": "1.2.3",
+      "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.2.3.tgz",
+      "integrity": "sha512-Js0m9cx+qOgDxo0eMiFGEueWztz+d4+M3rGlmKPT+T4IS/jP4ylw3Nwpu6cpTTP8R1MAC1kF4VbdLt3ARf209w==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/browserslist"
+        },
+        {
+          "type": "tidelift",
+          "url": "https://tidelift.com/funding/github/npm/browserslist"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
+      "license": "MIT",
+      "dependencies": {
+        "escalade": "^3.2.0",
+        "picocolors": "^1.1.1"
+      },
+      "bin": {
+        "update-browserslist-db": "cli.js"
+      },
+      "peerDependencies": {
+        "browserslist": ">= 4.21.0"
+      }
+    },
     "node_modules/use-sync-external-store": {
       "version": "1.6.0",
       "resolved": "https://registry.npmjs.org/use-sync-external-store/-/use-sync-external-store-1.6.0.tgz",
@@ -6038,17 +8134,16 @@
       }
     },
     "node_modules/vite": {
-      "version": "7.3.1",
-      "resolved": "https://registry.npmjs.org/vite/-/vite-7.3.1.tgz",
-      "integrity": "sha512-w+N7Hifpc3gRjZ63vYBXA56dvvRlNWRczTdmCBBa+CotUzAPf5b7YMdMR/8CQoeYE5LX3W4wj6RYTgonm1b9DA==",
+      "version": "8.0.3",
+      "resolved": "https://registry.npmjs.org/vite/-/vite-8.0.3.tgz",
+      "integrity": "sha512-B9ifbFudT1TFhfltfaIPgjo9Z3mDynBTJSUYxTjOQruf/zHH+ezCQKcoqO+h7a9Pw9Nm/OtlXAiGT1axBgwqrQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "esbuild": "^0.27.0",
-        "fdir": "^6.5.0",
-        "picomatch": "^4.0.3",
-        "postcss": "^8.5.6",
-        "rollup": "^4.43.0",
+        "lightningcss": "^1.32.0",
+        "picomatch": "^4.0.4",
+        "postcss": "^8.5.8",
+        "rolldown": "1.0.0-rc.12",
         "tinyglobby": "^0.2.15"
       },
       "bin": {
@@ -6065,9 +8160,10 @@
       },
       "peerDependencies": {
         "@types/node": "^20.19.0 || >=22.12.0",
+        "@vitejs/devtools": "^0.1.0",
+        "esbuild": "^0.27.0",
         "jiti": ">=1.21.0",
         "less": "^4.0.0",
-        "lightningcss": "^1.21.0",
         "sass": "^1.70.0",
         "sass-embedded": "^1.70.0",
         "stylus": ">=0.54.8",
@@ -6080,13 +8176,16 @@
         "@types/node": {
           "optional": true
         },
-        "jiti": {
+        "@vitejs/devtools": {
           "optional": true
         },
-        "less": {
+        "esbuild": {
+          "optional": true
+        },
+        "jiti": {
           "optional": true
         },
-        "lightningcss": {
+        "less": {
           "optional": true
         },
         "sass": {
@@ -6113,19 +8212,19 @@
       }
     },
     "node_modules/vitest": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/vitest/-/vitest-4.1.0.tgz",
-      "integrity": "sha512-YbDrMF9jM2Lqc++2530UourxZHmkKLxrs4+mYhEwqWS97WJ7wOYEkcr+QfRgJ3PW9wz3odRijLZjHEaRLTNbqw==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/vitest/-/vitest-4.1.2.tgz",
+      "integrity": "sha512-xjR1dMTVHlFLh98JE3i/f/WePqJsah4A0FK9cc8Ehp9Udk0AZk6ccpIZhh1qJ/yxVWRZ+Q54ocnD8TXmkhspGg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@vitest/expect": "4.1.0",
-        "@vitest/mocker": "4.1.0",
-        "@vitest/pretty-format": "4.1.0",
-        "@vitest/runner": "4.1.0",
-        "@vitest/snapshot": "4.1.0",
-        "@vitest/spy": "4.1.0",
-        "@vitest/utils": "4.1.0",
+        "@vitest/expect": "4.1.2",
+        "@vitest/mocker": "4.1.2",
+        "@vitest/pretty-format": "4.1.2",
+        "@vitest/runner": "4.1.2",
+        "@vitest/snapshot": "4.1.2",
+        "@vitest/spy": "4.1.2",
+        "@vitest/utils": "4.1.2",
         "es-module-lexer": "^2.0.0",
         "expect-type": "^1.3.0",
         "magic-string": "^0.30.21",
@@ -6136,8 +8235,8 @@
         "tinybench": "^2.9.0",
         "tinyexec": "^1.0.2",
         "tinyglobby": "^0.2.15",
-        "tinyrainbow": "^3.0.3",
-        "vite": "^6.0.0 || ^7.0.0 || ^8.0.0-0",
+        "tinyrainbow": "^3.1.0",
+        "vite": "^6.0.0 || ^7.0.0 || ^8.0.0",
         "why-is-node-running": "^2.3.0"
       },
       "bin": {
@@ -6153,13 +8252,13 @@
         "@edge-runtime/vm": "*",
         "@opentelemetry/api": "^1.9.0",
         "@types/node": "^20.0.0 || ^22.0.0 || >=24.0.0",
-        "@vitest/browser-playwright": "4.1.0",
-        "@vitest/browser-preview": "4.1.0",
-        "@vitest/browser-webdriverio": "4.1.0",
-        "@vitest/ui": "4.1.0",
+        "@vitest/browser-playwright": "4.1.2",
+        "@vitest/browser-preview": "4.1.2",
+        "@vitest/browser-webdriverio": "4.1.2",
+        "@vitest/ui": "4.1.2",
         "happy-dom": "*",
         "jsdom": "*",
-        "vite": "^6.0.0 || ^7.0.0 || ^8.0.0-0"
+        "vite": "^6.0.0 || ^7.0.0 || ^8.0.0"
       },
       "peerDependenciesMeta": {
         "@edge-runtime/vm": {
@@ -6195,27 +8294,27 @@
       }
     },
     "node_modules/vitest/node_modules/@vitest/expect": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/@vitest/expect/-/expect-4.1.0.tgz",
-      "integrity": "sha512-EIxG7k4wlWweuCLG9Y5InKFwpMEOyrMb6ZJ1ihYu02LVj/bzUwn2VMU+13PinsjRW75XnITeFrQBMH5+dLvCDA==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/expect/-/expect-4.1.2.tgz",
+      "integrity": "sha512-gbu+7B0YgUJ2nkdsRJrFFW6X7NTP44WlhiclHniUhxADQJH5Szt9mZ9hWnJPJ8YwOK5zUOSSlSvyzRf0u1DSBQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@standard-schema/spec": "^1.1.0",
         "@types/chai": "^5.2.2",
-        "@vitest/spy": "4.1.0",
-        "@vitest/utils": "4.1.0",
+        "@vitest/spy": "4.1.2",
+        "@vitest/utils": "4.1.2",
         "chai": "^6.2.2",
-        "tinyrainbow": "^3.0.3"
+        "tinyrainbow": "^3.1.0"
       },
       "funding": {
         "url": "https://opencollective.com/vitest"
       }
     },
     "node_modules/vitest/node_modules/@vitest/spy": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/@vitest/spy/-/spy-4.1.0.tgz",
-      "integrity": "sha512-pz77k+PgNpyMDv2FV6qmk5ZVau6c3R8HC8v342T2xlFxQKTrSeYw9waIJG8KgV9fFwAtTu4ceRzMivPTH6wSxw==",
+      "version": "4.1.2",
+      "resolved": "https://registry.npmjs.org/@vitest/spy/-/spy-4.1.2.tgz",
+      "integrity": "sha512-DU4fBnbVCJGNBwVA6xSToNXrkZNSiw59H8tcuUspVMsBDBST4nfvsPsEHDHGtWRRnqBERBQu7TrTKskmjqTXKA==",
       "dev": true,
       "license": "MIT",
       "funding": {
@@ -6250,16 +8349,16 @@
       "license": "MIT"
     },
     "node_modules/vue": {
-      "version": "3.5.30",
-      "resolved": "https://registry.npmjs.org/vue/-/vue-3.5.30.tgz",
-      "integrity": "sha512-hTHLc6VNZyzzEH/l7PFGjpcTvUgiaPK5mdLkbjrTeWSRcEfxFrv56g/XckIYlE9ckuobsdwqd5mk2g1sBkMewg==",
+      "version": "3.5.31",
+      "resolved": "https://registry.npmjs.org/vue/-/vue-3.5.31.tgz",
+      "integrity": "sha512-iV/sU9SzOlmA/0tygSmjkEN6Jbs3nPoIPFhCMLD2STrjgOU8DX7ZtzMhg4ahVwf5Rp9KoFzcXeB1ZrVbLBp5/Q==",
       "license": "MIT",
       "dependencies": {
-        "@vue/compiler-dom": "3.5.30",
-        "@vue/compiler-sfc": "3.5.30",
-        "@vue/runtime-dom": "3.5.30",
-        "@vue/server-renderer": "3.5.30",
-        "@vue/shared": "3.5.30"
+        "@vue/compiler-dom": "3.5.31",
+        "@vue/compiler-sfc": "3.5.31",
+        "@vue/runtime-dom": "3.5.31",
+        "@vue/server-renderer": "3.5.31",
+        "@vue/shared": "3.5.31"
       },
       "peerDependencies": {
         "typescript": "*"
@@ -6299,9 +8398,9 @@
       "license": "MIT"
     },
     "node_modules/vue-component-type-helpers": {
-      "version": "3.2.5",
-      "resolved": "https://registry.npmjs.org/vue-component-type-helpers/-/vue-component-type-helpers-3.2.5.tgz",
-      "integrity": "sha512-tkvNr+bU8+xD/onAThIe7CHFvOJ/BO6XCOrxMzeytJq40nTfpGDJuVjyCM8ccGZKfAbGk2YfuZyDMXM56qheZQ==",
+      "version": "3.2.6",
+      "resolved": "https://registry.npmjs.org/vue-component-type-helpers/-/vue-component-type-helpers-3.2.6.tgz",
+      "integrity": "sha512-O02tnvIfOQVmnvoWwuSydwRoHjZVt8UEBR+2p4rT35p8GAy5VTlWP8o5qXfJR/GWCN0nVZoYWsVUvx2jwgdBmQ==",
       "dev": true,
       "license": "MIT"
     },
@@ -6339,6 +8438,23 @@
         "node": ">=16.14"
       }
     },
+    "node_modules/vue-draggable-plus": {
+      "version": "0.6.1",
+      "resolved": "https://registry.npmjs.org/vue-draggable-plus/-/vue-draggable-plus-0.6.1.tgz",
+      "integrity": "sha512-FbtQ/fuoixiOfTZzG3yoPl4JAo9HJXRHmBQZFB9x2NYCh6pq0TomHf7g5MUmpaDYv+LU2n6BPq2YN9sBO+FbIg==",
+      "license": "MIT",
+      "dependencies": {
+        "@types/sortablejs": "^1.15.8"
+      },
+      "peerDependencies": {
+        "@types/sortablejs": "^1.15.0"
+      },
+      "peerDependenciesMeta": {
+        "@vue/composition-api": {
+          "optional": true
+        }
+      }
+    },
     "node_modules/vue-inbrowser-compiler-independent-utils": {
       "version": "4.71.1",
       "resolved": "https://registry.npmjs.org/vue-inbrowser-compiler-independent-utils/-/vue-inbrowser-compiler-independent-utils-4.71.1.tgz",
@@ -6350,9 +8466,9 @@
       }
     },
     "node_modules/vue-router": {
-      "version": "5.0.3",
-      "resolved": "https://registry.npmjs.org/vue-router/-/vue-router-5.0.3.tgz",
-      "integrity": "sha512-nG1c7aAFac7NYj8Hluo68WyWfc41xkEjaR0ViLHCa3oDvTQ/nIuLJlXJX1NUPw/DXzx/8+OKMng045HHQKQKWw==",
+      "version": "5.0.4",
+      "resolved": "https://registry.npmjs.org/vue-router/-/vue-router-5.0.4.tgz",
+      "integrity": "sha512-lCqDLCI2+fKVRl2OzXuzdSWmxXFLQRxQbmHugnRpTMyYiT+hNaycV0faqG5FBHDXoYrZ6MQcX87BvbY8mQ20Bg==",
       "license": "MIT",
       "dependencies": {
         "@babel/generator": "^7.28.6",
@@ -6431,6 +8547,13 @@
         "node": "20 || >=22"
       }
     },
+    "node_modules/weapon-regex": {
+      "version": "1.3.6",
+      "resolved": "https://registry.npmjs.org/weapon-regex/-/weapon-regex-1.3.6.tgz",
+      "integrity": "sha512-wsf1m1jmMrso5nhwVFJJHSubEBf3+pereGd7+nBKtYJ18KoB/PWJOHS3WRkwS04VrOU0iJr2bZU+l1QaTJ+9nA==",
+      "dev": true,
+      "license": "Apache-2.0"
+    },
     "node_modules/webidl-conversions": {
       "version": "8.0.1",
       "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-8.0.1.tgz",
@@ -6623,9 +8746,9 @@
       }
     },
     "node_modules/ws": {
-      "version": "8.19.0",
-      "resolved": "https://registry.npmjs.org/ws/-/ws-8.19.0.tgz",
-      "integrity": "sha512-blAT2mjOEIi0ZzruJfIhb3nps74PRWTCz1IjglWEEpQl5XS/UNama6u2/rjFkDDouqr4L67ry+1aGIALViWjDg==",
+      "version": "8.20.0",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.0.tgz",
+      "integrity": "sha512-sAt8BhgNbzCtgGbt2OxmpuryO63ZoDk/sqaB/znQm94T4fCEsy/yV+7CdC1kJhOU9lboAEU7R3kquuycDoibVA==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -6677,10 +8800,17 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/yallist": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/yallist/-/yallist-3.1.1.tgz",
+      "integrity": "sha512-a4UGQaWPH59mOXUYnAG2ewncQS4i4F43Tv3JoAM+s2VDAmS9NsK8GpDMLrCHPksFT7h3K6TOoUNn2pb7RoXx4g==",
+      "dev": true,
+      "license": "ISC"
+    },
     "node_modules/yaml": {
-      "version": "2.8.2",
-      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.2.tgz",
-      "integrity": "sha512-mplynKqc1C2hTVYxd0PU2xQAc22TI1vShAYGksCCfxbn/dFwnHTNi1bvYsBTkhdUNtGIf5xNOg938rrSSYvS9A==",
+      "version": "2.8.3",
+      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.3.tgz",
+      "integrity": "sha512-AvbaCLOO2Otw/lW5bmh9d/WEdcDFdQp2Z2ZUH3pX9U2ihyUY0nvLv7J6TrWowklRGPYbB/IuIMfYgxaCPg5Bpg==",
       "license": "ISC",
       "bin": {
         "yaml": "bin.mjs"
@@ -6692,6 +8822,19 @@
         "url": "https://github.com/sponsors/eemeli"
       }
     },
+    "node_modules/yoctocolors": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/yoctocolors/-/yoctocolors-2.1.2.tgz",
+      "integrity": "sha512-CzhO+pFNo8ajLM2d2IW/R93ipy99LWjtwblvC1RsoSUMZgyLbYFr221TnSNT7GjGdYui6P459mw9JH/g/zW2ug==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
     "node_modules/zod": {
       "version": "4.3.6",
       "resolved": "https://registry.npmjs.org/zod/-/zod-4.3.6.tgz",
diff --git a/ui/package.json b/ui/package.json
index d54090aa8..bd0015c0f 100644
--- a/ui/package.json
+++ b/ui/package.json
@@ -1,6 +1,6 @@
 {
   "name": "drydock-ui",
-  "version": "1.4.5",
+  "version": "1.5.0",
   "description": "Drydock dashboard — Vue 3 + Tailwind CSS 4 SPA",
   "repository": "CodesWhat/drydock",
   "engines": {
@@ -19,8 +19,10 @@
     "format": "biome format --write .",
     "lint:fix": "biome check --fix .",
     "lint": "biome check .",
+    "test:security": "node ./node_modules/vitest/vitest.mjs run tests/security/*.spec.ts --maxWorkers=1 --fileParallelism=false",
     "test:unit": "vitest run --coverage",
     "test:unit:watch": "vitest",
+    "test:mutation": "stryker run",
     "test:storybook": "COMPONENTS_DTS=false storybook build --test --quiet",
     "storybook": "COMPONENTS_DTS=false storybook dev -p 6006",
     "build-storybook": "COMPONENTS_DTS=false storybook build",
@@ -28,16 +30,18 @@
   },
   "dependencies": {
     "@fontsource/ibm-plex-mono": "^5.2.7",
+    "grid-layout-plus": "^1.1.1",
     "iconify-icon": "^3.0.2",
-    "tailwindcss": "^4.2.1",
+    "tailwindcss": "^4.2.2",
     "vue": "^3.5.30",
-    "vue-router": "^5.0.2"
+    "vue-draggable-plus": "^0.6.1",
+    "vue-router": "^5.0.4"
   },
   "devDependencies": {
     "@fontsource/comic-mono": "^5.2.5",
     "@fontsource/commit-mono": "^5.2.5",
-    "@fontsource/inconsolata": "^5.2.7",
-    "@fontsource/jetbrains-mono": "^5.2.7",
+    "@fontsource/inconsolata": "^5.2.8",
+    "@fontsource/jetbrains-mono": "^5.2.8",
     "@fontsource/source-code-pro": "^5.2.7",
     "@iconify-json/fa6-solid": "^1.2.4",
     "@iconify-json/heroicons": "^1.2.3",
@@ -47,19 +51,24 @@
     "@iconify-json/tabler": "^1.2.31",
     "@storybook/vue3": "^10.2.19",
     "@storybook/vue3-vite": "^10.2.19",
-    "@tailwindcss/vite": "^4.2.1",
+    "@stryker-mutator/core": "^9.6.0",
+    "@stryker-mutator/typescript-checker": "^9.6.0",
+    "@stryker-mutator/vitest-runner": "^9.6.0",
+    "@tailwindcss/vite": "^4.2.2",
     "@types/node": "^25.5.0",
     "@vitejs/plugin-vue": "^6.0.5",
     "@vitest/coverage-v8": "^4.1.0",
-    "@vue/test-utils": "^2.4.0",
-    "jsdom": "^29.0.0",
-    "knip": "^5.87.0",
+    "@vue/test-utils": "^2.4.6",
+    "jsdom": "^29.0.1",
+    "knip": "^6.0.1",
     "storybook": "^10.2.19",
     "typescript": "^5.9.3",
-    "vite": "^7.3.1",
+    "vite": "^8.0.1",
     "vitest": "^4.1.0"
   },
   "overrides": {
-    "minimatch": "^10.2.3"
+    "minimatch": "^10.2.3",
+    "picomatch": "4.0.4",
+    "yaml": "2.8.3"
   }
 }
diff --git a/ui/src/App.vue b/ui/src/App.vue
index 98240aef8..4ca59f987 100644
--- a/ui/src/App.vue
+++ b/ui/src/App.vue
@@ -1,3 +1,5 @@
 <template>
   <router-view />
+  <ConfirmDialog />
+  <AppToast />
 </template>
diff --git a/ui/src/boot/icon-bundle.json b/ui/src/boot/icon-bundle.json
index 005de1809..6b6a5b397 100644
--- a/ui/src/boot/icon-bundle.json
+++ b/ui/src/boot/icon-bundle.json
@@ -149,6 +149,11 @@
     "width": 512,
     "height": 512
   },
+  "fa6-solid:thumbtack": {
+    "body": "<path fill=\"currentColor\" d=\"M32 32C32 14.3 46.3 0 64 0h256c17.7 0 32 14.3 32 32s-14.3 32-32 32h-29.5l11.4 148.2c36.7 19.9 65.7 53.2 79.5 94.7l1 3c3.3 9.8 1.6 20.5-4.4 28.8S362.3 352 352 352H32c-10.3 0-19.9-4.9-26-13.3s-7.7-19.1-4.4-28.8l1-3c13.8-41.5 42.8-74.8 79.5-94.7L93.5 64H64c-17.7 0-32-14.3-32-32m128 352h64v96c0 17.7-14.3 32-32 32s-32-14.3-32-32z\"/>",
+    "width": 384,
+    "height": 512
+  },
   "fa6-solid:stop": {
     "body": "<path fill=\"currentColor\" d=\"M0 128c0-35.3 28.7-64 64-64h256c35.3 0 64 28.7 64 64v256c0 35.3-28.7 64-64 64H64c-35.3 0-64-28.7-64-64z\"/>",
     "width": 384,
@@ -359,6 +364,21 @@
     "width": 448,
     "height": 512
   },
+  "fa6-solid:tag": {
+    "body": "<path fill=\"currentColor\" d=\"M0 80v149.5c0 17 6.7 33.3 18.7 45.3l176 176c25 25 65.5 25 90.5 0l133.5-133.5c25-25 25-65.5 0-90.5l-176-176c-12-12-28.3-18.7-45.3-18.7L48 32C21.5 32 0 53.5 0 80m112 32a32 32 0 1 1 0 64a32 32 0 1 1 0-64\"/>",
+    "width": 448,
+    "height": 512
+  },
+  "fa6-solid:file-lines": {
+    "body": "<path fill=\"currentColor\" d=\"M64 0C28.7 0 0 28.7 0 64v384c0 35.3 28.7 64 64 64h256c35.3 0 64-28.7 64-64V160H256c-17.7 0-32-14.3-32-32V0zm192 0v128h128zM112 256h160c8.8 0 16 7.2 16 16s-7.2 16-16 16H112c-8.8 0-16-7.2-16-16s7.2-16 16-16m0 64h160c8.8 0 16 7.2 16 16s-7.2 16-16 16H112c-8.8 0-16-7.2-16-16s7.2-16 16-16m0 64h160c8.8 0 16 7.2 16 16s-7.2 16-16 16H112c-8.8 0-16-7.2-16-16s7.2-16 16-16\"/>",
+    "width": 384,
+    "height": 512
+  },
+  "fa6-solid:arrow-up-right-from-square": {
+    "body": "<path fill=\"currentColor\" d=\"M320 0c-17.7 0-32 14.3-32 32s14.3 32 32 32h82.7L201.4 265.4c-12.5 12.5-12.5 32.8 0 45.3s32.8 12.5 45.3 0L448 109.3V192c0 17.7 14.3 32 32 32s32-14.3 32-32V32c0-17.7-14.3-32-32-32zM80 32C35.8 32 0 67.8 0 112v320c0 44.2 35.8 80 80 80h320c44.2 0 80-35.8 80-80V320c0-17.7-14.3-32-32-32s-32 14.3-32 32v112c0 8.8-7.2 16-16 16H80c-8.8 0-16-7.2-16-16V112c0-8.8 7.2-16 16-16h112c17.7 0 32-14.3 32-32s-14.3-32-32-32z\"/>",
+    "width": 512,
+    "height": 512
+  },
   "ph:squares-four": {
     "body": "<path fill=\"currentColor\" d=\"M104 40H56a16 16 0 0 0-16 16v48a16 16 0 0 0 16 16h48a16 16 0 0 0 16-16V56a16 16 0 0 0-16-16m0 64H56V56h48zm96-64h-48a16 16 0 0 0-16 16v48a16 16 0 0 0 16 16h48a16 16 0 0 0 16-16V56a16 16 0 0 0-16-16m0 64h-48V56h48zm-96 32H56a16 16 0 0 0-16 16v48a16 16 0 0 0 16 16h48a16 16 0 0 0 16-16v-48a16 16 0 0 0-16-16m0 64H56v-48h48zm96-64h-48a16 16 0 0 0-16 16v48a16 16 0 0 0 16 16h48a16 16 0 0 0 16-16v-48a16 16 0 0 0-16-16m0 64h-48v-48h48z\"/>",
     "width": 256,
@@ -659,6 +679,16 @@
     "width": 256,
     "height": 256
   },
+  "ph:push-pin": {
+    "body": "<path fill=\"currentColor\" d=\"m235.32 81.37l-60.69-60.68a16 16 0 0 0-22.63 0l-53.63 53.8c-10.66-3.34-35-7.37-60.4 13.14a16 16 0 0 0-1.29 23.78L85 159.71l-42.66 42.63a8 8 0 0 0 11.32 11.32L96.29 171l48.29 48.29A16 16 0 0 0 155.9 224h1.13a15.93 15.93 0 0 0 11.64-6.33c19.64-26.1 17.75-47.32 13.19-60L235.33 104a16 16 0 0 0-.01-22.63M224 92.69l-57.27 57.46a8 8 0 0 0-1.49 9.22c9.46 18.93-1.8 38.59-9.34 48.62L48 100.08c12.08-9.74 23.64-12.31 32.48-12.31A40.1 40.1 0 0 1 96.81 91a8 8 0 0 0 9.25-1.51L163.32 32L224 92.68Z\"/>",
+    "width": 256,
+    "height": 256
+  },
+  "ph:push-pin-duotone": {
+    "body": "<g fill=\"currentColor\"><path d=\"m229.66 98.34l-57.27 57.46c11.46 22.93-1.72 45.86-10.11 57a8 8 0 0 1-12 .83L42.34 105.76A8 8 0 0 1 43 93.85c29.65-23.92 57.4-10 57.4-10l57.27-57.46a8 8 0 0 1 11.31 0L229.66 87a8 8 0 0 1 0 11.34\" opacity=\".2\"/><path d=\"m235.32 81.37l-60.69-60.68a16 16 0 0 0-22.63 0l-53.63 53.8c-10.66-3.34-35-7.37-60.4 13.14a16 16 0 0 0-1.29 23.78L85 159.71l-42.66 42.63a8 8 0 0 0 11.32 11.32L96.29 171l48.29 48.29A16 16 0 0 0 155.9 224h1.13a15.93 15.93 0 0 0 11.64-6.33c19.64-26.1 17.75-47.32 13.19-60L235.33 104a16 16 0 0 0-.01-22.63M224 92.69l-57.27 57.46a8 8 0 0 0-1.49 9.22c9.46 18.93-1.8 38.59-9.34 48.62L48 100.08c12.08-9.74 23.64-12.31 32.48-12.31A40.1 40.1 0 0 1 96.81 91a8 8 0 0 0 9.25-1.51L163.32 32L224 92.68Z\"/></g>",
+    "width": 256,
+    "height": 256
+  },
   "ph:stop": {
     "body": "<path fill=\"currentColor\" d=\"M200 40H56a16 16 0 0 0-16 16v144a16 16 0 0 0 16 16h144a16 16 0 0 0 16-16V56a16 16 0 0 0-16-16m0 160H56V56h144z\"/>",
     "width": 256,
@@ -1119,6 +1149,36 @@
     "width": 256,
     "height": 256
   },
+  "ph:tag": {
+    "body": "<path fill=\"currentColor\" d=\"M243.31 136L144 36.69A15.86 15.86 0 0 0 132.69 32H40a8 8 0 0 0-8 8v92.69A15.86 15.86 0 0 0 36.69 144L136 243.31a16 16 0 0 0 22.63 0l84.68-84.68a16 16 0 0 0 0-22.63m-96 96L48 132.69V48h84.69L232 147.31ZM96 84a12 12 0 1 1-12-12a12 12 0 0 1 12 12\"/>",
+    "width": 256,
+    "height": 256
+  },
+  "ph:tag-duotone": {
+    "body": "<g fill=\"currentColor\"><path d=\"M237.66 153L153 237.66a8 8 0 0 1-11.31 0l-99.35-99.32a8 8 0 0 1-2.34-5.65V40h92.69a8 8 0 0 1 5.65 2.34l99.32 99.32a8 8 0 0 1 0 11.34\" opacity=\".2\"/><path d=\"M243.31 136L144 36.69A15.86 15.86 0 0 0 132.69 32H40a8 8 0 0 0-8 8v92.69A15.86 15.86 0 0 0 36.69 144L136 243.31a16 16 0 0 0 22.63 0l84.68-84.68a16 16 0 0 0 0-22.63m-96 96L48 132.69V48h84.69L232 147.31ZM96 84a12 12 0 1 1-12-12a12 12 0 0 1 12 12\"/></g>",
+    "width": 256,
+    "height": 256
+  },
+  "ph:file-text": {
+    "body": "<path fill=\"currentColor\" d=\"m213.66 82.34l-56-56A8 8 0 0 0 152 24H56a16 16 0 0 0-16 16v176a16 16 0 0 0 16 16h144a16 16 0 0 0 16-16V88a8 8 0 0 0-2.34-5.66M160 51.31L188.69 80H160ZM200 216H56V40h88v48a8 8 0 0 0 8 8h48zm-32-80a8 8 0 0 1-8 8H96a8 8 0 0 1 0-16h64a8 8 0 0 1 8 8m0 32a8 8 0 0 1-8 8H96a8 8 0 0 1 0-16h64a8 8 0 0 1 8 8\"/>",
+    "width": 256,
+    "height": 256
+  },
+  "ph:file-text-duotone": {
+    "body": "<g fill=\"currentColor\"><path d=\"M208 88h-56V32Z\" opacity=\".2\"/><path d=\"m213.66 82.34l-56-56A8 8 0 0 0 152 24H56a16 16 0 0 0-16 16v176a16 16 0 0 0 16 16h144a16 16 0 0 0 16-16V88a8 8 0 0 0-2.34-5.66M160 51.31L188.69 80H160ZM200 216H56V40h88v48a8 8 0 0 0 8 8h48zm-32-80a8 8 0 0 1-8 8H96a8 8 0 0 1 0-16h64a8 8 0 0 1 8 8m0 32a8 8 0 0 1-8 8H96a8 8 0 0 1 0-16h64a8 8 0 0 1 8 8\"/></g>",
+    "width": 256,
+    "height": 256
+  },
+  "ph:arrow-square-out": {
+    "body": "<path fill=\"currentColor\" d=\"M224 104a8 8 0 0 1-16 0V59.32l-66.33 66.34a8 8 0 0 1-11.32-11.32L196.68 48H152a8 8 0 0 1 0-16h64a8 8 0 0 1 8 8Zm-40 24a8 8 0 0 0-8 8v72H48V80h72a8 8 0 0 0 0-16H48a16 16 0 0 0-16 16v128a16 16 0 0 0 16 16h128a16 16 0 0 0 16-16v-72a8 8 0 0 0-8-8\"/>",
+    "width": 256,
+    "height": 256
+  },
+  "ph:arrow-square-out-duotone": {
+    "body": "<g fill=\"currentColor\"><path d=\"M184 80v128a8 8 0 0 1-8 8H48a8 8 0 0 1-8-8V80a8 8 0 0 1 8-8h128a8 8 0 0 1 8 8\" opacity=\".2\"/><path d=\"M224 104a8 8 0 0 1-16 0V59.32l-66.33 66.34a8 8 0 0 1-11.32-11.32L196.68 48H152a8 8 0 0 1 0-16h64a8 8 0 0 1 8 8Zm-40 24a8 8 0 0 0-8 8v72H48V80h72a8 8 0 0 0 0-16H48a16 16 0 0 0-16 16v128a16 16 0 0 0 16 16h128a16 16 0 0 0 16-16v-72a8 8 0 0 0-8-8\"/></g>",
+    "width": 256,
+    "height": 256
+  },
   "lucide:layout-dashboard": {
     "body": "<g fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"2\"><rect width=\"7\" height=\"9\" x=\"3\" y=\"3\" rx=\"1\"/><rect width=\"7\" height=\"5\" x=\"14\" y=\"3\" rx=\"1\"/><rect width=\"7\" height=\"9\" x=\"14\" y=\"12\" rx=\"1\"/><rect width=\"7\" height=\"5\" x=\"3\" y=\"16\" rx=\"1\"/></g>",
     "width": 24,
@@ -1269,6 +1329,11 @@
     "width": 24,
     "height": 24
   },
+  "lucide:pin": {
+    "body": "<path fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"2\" d=\"M12 17v5M9 10.76a2 2 0 0 1-1.11 1.79l-1.78.9A2 2 0 0 0 5 15.24V16a1 1 0 0 0 1 1h12a1 1 0 0 0 1-1v-.76a2 2 0 0 0-1.11-1.79l-1.78-.9A2 2 0 0 1 15 10.76V7a1 1 0 0 1 1-1a2 2 0 0 0 0-4H8a2 2 0 0 0 0 4a1 1 0 0 1 1 1z\"/>",
+    "width": 24,
+    "height": 24
+  },
   "lucide:square": {
     "body": "<rect width=\"18\" height=\"18\" x=\"3\" y=\"3\" fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"2\" rx=\"2\"/>",
     "width": 24,
@@ -1484,6 +1549,21 @@
     "width": 24,
     "height": 24
   },
+  "lucide:tag": {
+    "body": "<g fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"2\"><path d=\"M12.586 2.586A2 2 0 0 0 11.172 2H4a2 2 0 0 0-2 2v7.172a2 2 0 0 0 .586 1.414l8.704 8.704a2.426 2.426 0 0 0 3.42 0l6.58-6.58a2.426 2.426 0 0 0 0-3.42z\"/><circle cx=\"7.5\" cy=\"7.5\" r=\".5\" fill=\"currentColor\"/></g>",
+    "width": 24,
+    "height": 24
+  },
+  "lucide:file-text": {
+    "body": "<g fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"2\"><path d=\"M6 22a2 2 0 0 1-2-2V4a2 2 0 0 1 2-2h8a2.4 2.4 0 0 1 1.704.706l3.588 3.588A2.4 2.4 0 0 1 20 8v12a2 2 0 0 1-2 2z\"/><path d=\"M14 2v5a1 1 0 0 0 1 1h5M10 9H8m8 4H8m8 4H8\"/></g>",
+    "width": 24,
+    "height": 24
+  },
+  "lucide:external-link": {
+    "body": "<path fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"2\" d=\"M15 3h6v6m-11 5L21 3m-3 10v6a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2V8a2 2 0 0 1 2-2h6\"/>",
+    "width": 24,
+    "height": 24
+  },
   "tabler:layout-dashboard": {
     "body": "<path fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"2\" d=\"M5 4h4a1 1 0 0 1 1 1v6a1 1 0 0 1-1 1H5a1 1 0 0 1-1-1V5a1 1 0 0 1 1-1m0 12h4a1 1 0 0 1 1 1v2a1 1 0 0 1-1 1H5a1 1 0 0 1-1-1v-2a1 1 0 0 1 1-1m10-4h4a1 1 0 0 1 1 1v6a1 1 0 0 1-1 1h-4a1 1 0 0 1-1-1v-6a1 1 0 0 1 1-1m0-8h4a1 1 0 0 1 1 1v2a1 1 0 0 1-1 1h-4a1 1 0 0 1-1-1V5a1 1 0 0 1 1-1\"/>",
     "width": 24,
@@ -1634,6 +1714,11 @@
     "width": 24,
     "height": 24
   },
+  "tabler:pin": {
+    "body": "<path fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"2\" d=\"m15 4.5l-4 4L7 10l-1.5 1.5l7 7L14 17l1.5-4l4-4M9 15l-4.5 4.5M14.5 4L20 9.5\"/>",
+    "width": 24,
+    "height": 24
+  },
   "tabler:player-stop": {
     "body": "<path fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"2\" d=\"M5 7a2 2 0 0 1 2-2h10a2 2 0 0 1 2 2v10a2 2 0 0 1-2 2H7a2 2 0 0 1-2-2z\"/>",
     "width": 24,
@@ -1864,6 +1949,16 @@
     "width": 24,
     "height": 24
   },
+  "tabler:tag": {
+    "body": "<g fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"2\"><path d=\"M6.5 7.5a1 1 0 1 0 2 0a1 1 0 1 0-2 0\"/><path d=\"M3 6v5.172a2 2 0 0 0 .586 1.414l7.71 7.71a2.41 2.41 0 0 0 3.408 0l5.592-5.592a2.41 2.41 0 0 0 0-3.408l-7.71-7.71A2 2 0 0 0 11.172 3H6a3 3 0 0 0-3 3\"/></g>",
+    "width": 24,
+    "height": 24
+  },
+  "tabler:external-link": {
+    "body": "<path fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"2\" d=\"M12 6H6a2 2 0 0 0-2 2v10a2 2 0 0 0 2 2h10a2 2 0 0 0 2-2v-6m-7 1l9-9m-5 0h5v5\"/>",
+    "width": 24,
+    "height": 24
+  },
   "heroicons:squares-2x2": {
     "body": "<path fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"1.5\" d=\"M3.75 6A2.25 2.25 0 0 1 6 3.75h2.25A2.25 2.25 0 0 1 10.5 6v2.25a2.25 2.25 0 0 1-2.25 2.25H6a2.25 2.25 0 0 1-2.25-2.25zm0 9.75A2.25 2.25 0 0 1 6 13.5h2.25a2.25 2.25 0 0 1 2.25 2.25V18a2.25 2.25 0 0 1-2.25 2.25H6A2.25 2.25 0 0 1 3.75 18zM13.5 6a2.25 2.25 0 0 1 2.25-2.25H18A2.25 2.25 0 0 1 20.25 6v2.25A2.25 2.25 0 0 1 18 10.5h-2.25a2.25 2.25 0 0 1-2.25-2.25zm0 9.75a2.25 2.25 0 0 1 2.25-2.25H18a2.25 2.25 0 0 1 2.25 2.25V18A2.25 2.25 0 0 1 18 20.25h-2.25A2.25 2.25 0 0 1 13.5 18z\"/>",
     "width": 24,
@@ -2009,6 +2104,11 @@
     "width": 24,
     "height": 24
   },
+  "heroicons:map-pin": {
+    "body": "<g fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"1.5\"><path d=\"M15 10.5a3 3 0 1 1-6 0a3 3 0 0 1 6 0\"/><path d=\"M19.5 10.5c0 7.142-7.5 11.25-7.5 11.25S4.5 17.642 4.5 10.5a7.5 7.5 0 1 1 15 0\"/></g>",
+    "width": 24,
+    "height": 24
+  },
   "heroicons:stop": {
     "body": "<path fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"1.5\" d=\"M5.25 7.5A2.25 2.25 0 0 1 7.5 5.25h9a2.25 2.25 0 0 1 2.25 2.25v9a2.25 2.25 0 0 1-2.25 2.25h-9a2.25 2.25 0 0 1-2.25-2.25z\"/>",
     "width": 24,
@@ -2204,6 +2304,16 @@
     "width": 24,
     "height": 24
   },
+  "heroicons:tag": {
+    "body": "<g fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"1.5\"><path d=\"M9.568 3H5.25A2.25 2.25 0 0 0 3 5.25v4.318c0 .597.237 1.17.659 1.591l9.581 9.581c.699.699 1.78.872 2.607.33a18.1 18.1 0 0 0 5.224-5.223c.54-.827.368-1.908-.33-2.607l-9.583-9.58A2.25 2.25 0 0 0 9.568 3\"/><path d=\"M6 6h.008v.008H6z\"/></g>",
+    "width": 24,
+    "height": 24
+  },
+  "heroicons:arrow-top-right-on-square": {
+    "body": "<path fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"1.5\" d=\"M13.5 6H5.25A2.25 2.25 0 0 0 3 8.25v10.5A2.25 2.25 0 0 0 5.25 21h10.5A2.25 2.25 0 0 0 18 18.75V10.5m-10.5 6L21 3m0 0h-5.25M21 3v5.25\"/>",
+    "width": 24,
+    "height": 24
+  },
   "iconoir:dashboard": {
     "body": "<g fill=\"none\" stroke=\"currentColor\" stroke-width=\"1.5\"><path d=\"M15 15.8c0-1.767-3-4.8-3-4.8s-3 3.033-3 4.8s1.343 3.2 3 3.2s3-1.433 3-3.2Z\"/><path stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M12 4v4m-8.5-.5l3 3m11 0l3-3M2 17h4m12 0h4\"/></g>",
     "width": 24,
@@ -2344,6 +2454,11 @@
     "width": 24,
     "height": 24
   },
+  "iconoir:pin": {
+    "body": "<path fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"1.5\" d=\"M9.5 14.5L3 21M5 9.485l9.193 9.193l1.697-1.697l-.393-3.787l5.51-4.673l-5.85-5.85l-4.674 5.51l-3.786-.393z\"/>",
+    "width": 24,
+    "height": 24
+  },
   "iconoir:square": {
     "body": "<path fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"1.5\" d=\"M21 3.6v16.8a.6.6 0 0 1-.6.6H3.6a.6.6 0 0 1-.6-.6V3.6a.6.6 0 0 1 .6-.6h16.8a.6.6 0 0 1 .6.6\"/>",
     "width": 24,
@@ -2543,5 +2658,15 @@
     "body": "<g fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-linejoin=\"round\" stroke-width=\"1.5\"><path d=\"M8 18c0 2.415 1.79 3 4 3c3.759 0 5-2.5 2.5-7.5C11 18 10.5 11 11 9c-1.5 3-3 5.818-3 9\"/><path d=\"M12 21c5.05 0 8-2.904 8-7.875C20 8.155 12 3 12 3S4 8.154 4 13.125C4 18.095 6.95 21 12 21\"/></g>",
     "width": 24,
     "height": 24
+  },
+  "iconoir:label": {
+    "body": "<path fill=\"none\" stroke=\"currentColor\" stroke-width=\"1.5\" d=\"M3 17.4V6.6a.6.6 0 0 1 .6-.6h13.079c.2 0 .388.1.5.267l3.6 5.4a.6.6 0 0 1 0 .666l-3.6 5.4a.6.6 0 0 1-.5.267H3.6a.6.6 0 0 1-.6-.6Z\"/>",
+    "width": 24,
+    "height": 24
+  },
+  "iconoir:open-new-window": {
+    "body": "<g fill=\"none\" stroke=\"currentColor\" stroke-linecap=\"round\" stroke-width=\"1.5\"><path stroke-linejoin=\"round\" d=\"M21 3h-6m6 0l-9 9m9-9v6\"/><path d=\"M21 13v6a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2V5a2 2 0 0 1 2-2h6\"/></g>",
+    "width": 24,
+    "height": 24
   }
 }
diff --git a/ui/src/components/AnnouncementBanner.vue b/ui/src/components/AnnouncementBanner.vue
index e30f662f2..627b7b036 100644
--- a/ui/src/components/AnnouncementBanner.vue
+++ b/ui/src/components/AnnouncementBanner.vue
@@ -1,65 +1,113 @@
 <script setup lang="ts">
-import { useAttrs } from 'vue';
+import { computed, ref, useAttrs } from 'vue';
 
-defineProps<{
-  title: string;
-  icon?: string;
-  dismissLabel?: string;
-  permanentDismissLabel?: string;
-}>();
+type BannerTone = 'warning' | 'error';
+
+const props = withDefaults(
+  defineProps<{
+    title: string;
+    icon?: string;
+    tone?: BannerTone;
+    dismissLabel?: string;
+    permanentDismissLabel?: string;
+    linkHref?: string;
+    linkLabel?: string;
+  }>(),
+  {
+    tone: 'warning',
+  },
+);
 
-defineEmits<{
+const emit = defineEmits<{
   dismiss: [];
   'dismiss-permanent': [];
 }>();
 
 const attrs = useAttrs();
 const testIdPrefix = attrs['data-testid'] as string | undefined;
+
+const permanentDismissChecked = ref(false);
+
+function handleDismiss() {
+  if (permanentDismissChecked.value) {
+    emit('dismiss-permanent');
+  } else {
+    emit('dismiss');
+  }
+}
+
+const toneStyles = computed(() => {
+  const cssVar = props.tone === 'error' ? '--dd-danger' : '--dd-warning';
+  return {
+    backgroundColor: `color-mix(in srgb, var(${cssVar}) 25%, var(--dd-bg-card))`,
+    borderColor: `var(${cssVar})`,
+    textColor: `var(${cssVar})`,
+    buttonTextColor: `var(${cssVar})`,
+    buttonBackgroundColor: 'transparent',
+    buttonBorderColor: `var(${cssVar})`,
+    iconName: props.icon ?? 'warning',
+  };
+});
 </script>
 
 <template>
   <div
     class="fixed top-3 left-1/2 -translate-x-1/2 z-50 w-[calc(100%-2rem)] max-w-5xl dd-rounded px-3 py-2.5 flex flex-col gap-2.5 sm:flex-row sm:items-start sm:justify-between"
     :style="{
-      backgroundColor: 'color-mix(in srgb, var(--dd-warning) 25%, var(--dd-bg-card))',
-      border: '1px solid var(--dd-warning)',
+      backgroundColor: toneStyles.backgroundColor,
+      border: `1px solid ${toneStyles.borderColor}`,
       boxShadow: 'var(--dd-shadow-lg)',
     }">
     <div class="flex items-start gap-2.5 min-w-0">
-      <AppIcon :name="icon ?? 'warning'" :size="14" class="shrink-0 mt-0.5" :style="{ color: 'var(--dd-warning)' }" />
+      <AppIcon
+        :name="toneStyles.iconName"
+        :size="14"
+        class="shrink-0 mt-0.5"
+        :style="{ color: toneStyles.textColor }" />
       <div class="min-w-0">
-        <p class="text-xs font-semibold" :style="{ color: 'var(--dd-warning)' }">
+        <p class="text-xs font-semibold" :style="{ color: toneStyles.textColor }">
           {{ title }}
         </p>
-        <p class="text-[0.6875rem] mt-0.5" :style="{ color: 'var(--dd-text)' }">
+        <p class="text-2xs-plus mt-0.5" :style="{ color: 'var(--dd-text)' }">
           <slot />
         </p>
       </div>
     </div>
-    <div class="flex items-center gap-2 shrink-0">
-      <button
+    <div class="flex flex-col items-end gap-1.5 shrink-0">
+      <a v-if="linkHref"
+        :href="linkHref"
+        target="_blank"
+        rel="noopener noreferrer"
+        :data-testid="testIdPrefix ? `${testIdPrefix}-link` : undefined"
+        class="inline-flex items-center gap-1 text-2xs-plus px-2.5 py-1.5 dd-rounded transition-colors w-full justify-center"
+        :style="{
+          border: `1px solid ${toneStyles.buttonBorderColor}`,
+          color: toneStyles.buttonTextColor,
+          backgroundColor: toneStyles.buttonBackgroundColor,
+        }">
+        {{ linkLabel ?? 'Learn more' }}
+        <AppIcon name="external-link" :size="10" />
+      </a>
+      <AppButton size="none" variant="plain" weight="none"
         :data-testid="testIdPrefix ? `${testIdPrefix}-dismiss-session` : undefined"
-        class="text-[0.6875rem] px-2.5 py-1.5 dd-rounded transition-colors"
+        class="text-2xs-plus px-2.5 py-1.5 dd-rounded transition-colors w-full text-center"
         :style="{
-          border: '1px solid var(--dd-warning)',
-          color: 'var(--dd-warning)',
-          backgroundColor: 'transparent',
+          border: `1px solid ${toneStyles.buttonBorderColor}`,
+          color: toneStyles.buttonTextColor,
+          backgroundColor: toneStyles.buttonBackgroundColor,
         }"
-        @click="$emit('dismiss')">
+        @click="handleDismiss">
         {{ dismissLabel ?? 'Dismiss' }}
-      </button>
-      <button
-        v-if="permanentDismissLabel !== undefined"
+      </AppButton>
+      <label v-if="permanentDismissLabel !== undefined"
         :data-testid="testIdPrefix ? `${testIdPrefix}-dismiss-forever` : undefined"
-        class="text-[0.6875rem] px-2.5 py-1.5 dd-rounded transition-colors"
-        :style="{
-          border: '1px solid var(--dd-warning)',
-          color: 'var(--dd-bg)',
-          backgroundColor: 'var(--dd-warning)',
-        }"
-        @click="$emit('dismiss-permanent')">
-        {{ permanentDismissLabel }}
-      </button>
+        class="flex items-center gap-1.5 cursor-pointer">
+        <input
+          type="checkbox"
+          v-model="permanentDismissChecked"
+          class="shrink-0 w-3 h-3 dd-rounded-sm cursor-pointer" />
+        <span class="text-3xs" :style="{ color: toneStyles.textColor }">{{ permanentDismissLabel }}</span>
+      </label>
     </div>
   </div>
 </template>
diff --git a/ui/src/components/AppBadge.vue b/ui/src/components/AppBadge.vue
new file mode 100644
index 000000000..5000ab6e6
--- /dev/null
+++ b/ui/src/components/AppBadge.vue
@@ -0,0 +1,56 @@
+<script setup lang="ts">
+import { computed } from 'vue';
+
+type Tone = 'success' | 'danger' | 'warning' | 'caution' | 'info' | 'primary' | 'alt' | 'neutral';
+
+interface Props {
+  tone?: Tone;
+  size?: 'xs' | 'sm' | 'md';
+  uppercase?: boolean;
+  dot?: boolean;
+  custom?: { bg: string; text: string };
+}
+
+const props = withDefaults(defineProps<Props>(), {
+  tone: 'neutral',
+  size: 'sm',
+  uppercase: true,
+  dot: false,
+});
+
+const sizeClasses: Record<string, string> = {
+  xs: 'text-3xs font-bold',
+  sm: 'text-2xs font-semibold',
+  md: 'text-2xs-plus font-semibold',
+};
+
+const badgeClasses = computed(() => [
+  'badge',
+  sizeClasses[props.size],
+  props.uppercase ? 'uppercase' : '',
+]);
+
+const colorStyle = computed(() => {
+  if (props.custom) {
+    return { backgroundColor: props.custom.bg, color: props.custom.text };
+  }
+  return {
+    backgroundColor: `var(--dd-${props.tone}-muted)`,
+    color: `var(--dd-${props.tone})`,
+  };
+});
+
+const dotStyle = computed(() => {
+  if (props.custom) {
+    return { backgroundColor: props.custom.text };
+  }
+  return { backgroundColor: `var(--dd-${props.tone})` };
+});
+</script>
+
+<template>
+  <span :class="badgeClasses" :style="colorStyle">
+    <span v-if="dot" class="w-1.5 h-1.5 rounded-full mr-1.5 shrink-0" :style="dotStyle" />
+    <slot />
+  </span>
+</template>
diff --git a/ui/src/components/AppButton.vue b/ui/src/components/AppButton.vue
new file mode 100644
index 000000000..2fc8d486b
--- /dev/null
+++ b/ui/src/components/AppButton.vue
@@ -0,0 +1,121 @@
+<script setup lang="ts">
+import { computed, useAttrs } from 'vue';
+
+type ButtonSize =
+  | 'none'
+  | 'xs'
+  | 'compact'
+  | 'sm'
+  | 'md'
+  | 'icon-xs'
+  | 'icon-sm'
+  | 'icon-md'
+  | 'icon-lg';
+type ButtonVariant =
+  | 'muted'
+  | 'outlined'
+  | 'secondary'
+  | 'elevated'
+  | 'plain'
+  | 'text-muted'
+  | 'text-secondary'
+  | 'link-secondary';
+type ButtonWeight = 'none' | 'medium' | 'semibold' | 'bold';
+
+const sizeClasses: Record<ButtonSize, string> = {
+  none: '',
+  xs: 'px-2 py-1 text-2xs',
+  compact: 'px-2 py-1.5 text-2xs',
+  sm: 'px-2.5 py-1.5 text-2xs',
+  md: 'px-3 py-1.5 text-2xs-plus',
+  'icon-xs': 'inline-flex items-center justify-center w-9 h-9',
+  'icon-sm': 'inline-flex items-center justify-center w-10 h-10 text-2xs-plus',
+  'icon-md': 'inline-flex items-center justify-center w-11 h-11 text-2xs-plus',
+  'icon-lg': 'inline-flex items-center justify-center w-12 h-12 text-2xs-plus',
+};
+
+const variantClasses: Record<ButtonVariant, string> = {
+  muted: 'dd-text-muted hover:dd-text hover:dd-bg-elevated',
+  outlined:
+    'dd-text-muted dd-border border hover:dd-text hover:dd-bg-elevated hover:dd-border-strong',
+  secondary: 'dd-text-secondary hover:dd-text hover:dd-bg-elevated',
+  elevated: 'dd-bg-elevated dd-text hover:opacity-90',
+  'text-muted': 'dd-text-muted hover:dd-text',
+  'text-secondary': 'dd-text-secondary hover:dd-text',
+  'link-secondary': 'text-drydock-secondary hover:underline',
+  plain: '',
+};
+
+const weightClasses: Record<ButtonWeight, string> = {
+  none: '',
+  medium: 'font-medium',
+  semibold: 'font-semibold',
+  bold: 'font-bold',
+};
+
+const props = withDefaults(
+  defineProps<{
+    size?: ButtonSize;
+    variant?: ButtonVariant;
+    weight?: ButtonWeight;
+    type?: 'button' | 'submit' | 'reset';
+    tooltip?: string | Record<string, unknown>;
+    ariaLabel?: string;
+  }>(),
+  {
+    size: 'md',
+    variant: 'muted',
+    weight: 'semibold',
+    type: 'button',
+  },
+);
+
+defineOptions({
+  inheritAttrs: false,
+});
+
+const attrs = useAttrs();
+
+const resolvedAriaLabel = computed(() => {
+  if (props.ariaLabel) {
+    return props.ariaLabel;
+  }
+  if (typeof props.tooltip === 'string') {
+    return props.tooltip;
+  }
+  if (typeof attrs['aria-label'] === 'string') {
+    return attrs['aria-label'];
+  }
+  return undefined;
+});
+
+const resolvedTitle = computed(() => {
+  if (typeof props.tooltip === 'string') {
+    return props.tooltip;
+  }
+  if (typeof attrs.title === 'string') {
+    return attrs.title;
+  }
+  return undefined;
+});
+
+const buttonClasses = computed(() => [
+  'dd-rounded transition-colors',
+  sizeClasses[props.size],
+  weightClasses[props.weight],
+  variantClasses[props.variant],
+]);
+</script>
+
+<template>
+  <button
+    v-bind="attrs"
+    v-tooltip="tooltip"
+    :type="type"
+    :aria-label="resolvedAriaLabel"
+    :title="resolvedTitle"
+    :class="buttonClasses"
+  >
+    <slot />
+  </button>
+</template>
diff --git a/ui/src/components/AppIcon.stories.ts b/ui/src/components/AppIcon.stories.ts
index a584e27fc..33601cb66 100644
--- a/ui/src/components/AppIcon.stories.ts
+++ b/ui/src/components/AppIcon.stories.ts
@@ -32,7 +32,7 @@ export const CommonIcons: Story = {
              class="px-3 py-2 dd-rounded flex items-center gap-2"
              :style="{ border: '1px solid var(--dd-border-strong)', backgroundColor: 'var(--dd-bg-card)' }">
           <AppIcon :name="name" :size="14" />
-          <span class="text-[0.6875rem] dd-text-muted">{{ name }}</span>
+          <span class="text-2xs-plus dd-text-muted">{{ name }}</span>
         </div>
       </div>
     `,
diff --git a/ui/src/components/AppIconButton.vue b/ui/src/components/AppIconButton.vue
new file mode 100644
index 000000000..01230b5dd
--- /dev/null
+++ b/ui/src/components/AppIconButton.vue
@@ -0,0 +1,65 @@
+<script setup lang="ts">
+import { computed, useAttrs } from 'vue';
+import AppIcon from './AppIcon.vue';
+import {
+  iconButtonIconSizes,
+  iconButtonSizeClasses,
+  type IconButtonSize,
+} from './appIconButtonSizes';
+type IconButtonVariant = 'muted' | 'secondary' | 'danger' | 'success' | 'plain';
+
+const props = withDefaults(
+  defineProps<{
+    icon: string;
+    size?: IconButtonSize;
+    variant?: IconButtonVariant;
+    disabled?: boolean;
+    loading?: boolean;
+    tooltip?: string | Record<string, unknown>;
+    ariaLabel?: string;
+  }>(),
+  {
+    size: 'sm',
+    variant: 'muted',
+    disabled: false,
+    loading: false,
+  },
+);
+
+defineOptions({
+  inheritAttrs: false,
+});
+
+const attrs = useAttrs();
+
+const variantClasses: Record<IconButtonVariant, string> = {
+  muted: 'dd-text-muted hover:dd-text hover:dd-bg-elevated',
+  secondary: 'dd-text-secondary hover:dd-text hover:dd-bg-elevated',
+  danger: 'dd-text-muted hover:dd-text-danger hover:dd-bg-elevated',
+  success: 'dd-text-muted hover:dd-text-success hover:dd-bg-elevated',
+  plain: '',
+};
+
+const iconSize = computed(() => iconButtonIconSizes[props.size]);
+
+const buttonClasses = computed(() => [
+  'inline-flex items-center justify-center dd-rounded transition-colors min-w-8 min-h-8',
+  iconButtonSizeClasses[props.size],
+  variantClasses[props.variant],
+  props.disabled ? 'opacity-40 cursor-not-allowed' : '',
+]);
+</script>
+
+<template>
+  <button
+    v-bind="attrs"
+    v-tooltip="tooltip"
+    type="button"
+    :aria-label="ariaLabel || (typeof tooltip === 'string' ? tooltip : undefined)"
+    :disabled="disabled"
+    :class="buttonClasses"
+  >
+    <AppIcon v-if="loading" name="spinner" :size="iconSize" class="dd-spin" />
+    <AppIcon v-else :name="icon" :size="iconSize" />
+  </button>
+</template>
diff --git a/ui/src/components/AppLogViewer.vue b/ui/src/components/AppLogViewer.vue
new file mode 100644
index 000000000..b2d0431e3
--- /dev/null
+++ b/ui/src/components/AppLogViewer.vue
@@ -0,0 +1,484 @@
+<script setup lang="ts">
+import { computed, nextTick, onMounted, ref, watch } from 'vue';
+import StatusDot from '@/components/StatusDot.vue';
+import { useLogSearch } from '../composables/useLogSearch';
+import type { AppLogEntry } from '../types/log-entry';
+import type { AnsiColor, AnsiTextSegment } from '../utils/container-logs';
+
+interface JsonToken {
+  text: string;
+  type: 'key' | 'string' | 'number' | 'boolean' | 'null' | 'punctuation' | 'text';
+}
+
+const props = withDefaults(
+  defineProps<{
+    entries: AppLogEntry[];
+    compact?: boolean;
+    showLineNumbers?: boolean;
+    emptyMessage?: string;
+    statusLabel?: string;
+    statusColor?: string;
+    paused?: boolean;
+    autoScrollPinned?: boolean;
+    lineCount?: number;
+  }>(),
+  {
+    compact: false,
+    showLineNumbers: true,
+    emptyMessage: 'No log entries yet',
+    statusLabel: 'Offline',
+    statusColor: 'var(--dd-danger)',
+    paused: false,
+    autoScrollPinned: true,
+    lineCount: undefined,
+  },
+);
+
+const emit = defineEmits<{
+  (e: 'toggle-pause'): void;
+  (e: 'toggle-pin'): void;
+}>();
+
+const lineElements = new Map<number, HTMLElement>();
+const logViewport = ref<HTMLElement | null>(null);
+const copySuccess = ref(false);
+
+function isNearBottom(element: HTMLElement): boolean {
+  return element.scrollHeight - element.scrollTop - element.clientHeight < 28;
+}
+
+function scrollToBottom(): void {
+  if (!logViewport.value) {
+    return;
+  }
+  logViewport.value.scrollTop = logViewport.value.scrollHeight;
+}
+
+function handleLogScroll(): void {
+  if (!logViewport.value) {
+    return;
+  }
+
+  const nearBottom = isNearBottom(logViewport.value);
+  if (nearBottom !== props.autoScrollPinned) {
+    emit('toggle-pin');
+  }
+}
+
+function togglePin(): void {
+  const wasPinned = props.autoScrollPinned;
+  emit('toggle-pin');
+  if (!wasPinned) {
+    void nextTick(() => scrollToBottom());
+  }
+}
+
+function setLineElement(entryId: number, element: Element | null): void {
+  if (!(element instanceof HTMLElement)) {
+    lineElements.delete(entryId);
+    return;
+  }
+
+  lineElements.set(entryId, element);
+}
+
+const {
+  searchQuery,
+  regexSearch,
+  searchError,
+  matchedEntryIds,
+  matchLabel,
+  jumpToMatch,
+  isMatchedEntry,
+  isCurrentMatch,
+} = useLogSearch({
+  visibleEntries: computed(() => props.entries),
+  lineElements,
+});
+
+const renderedLineCount = computed(() => props.lineCount ?? props.entries.length);
+
+watch(
+  () => props.entries.length,
+  () => {
+    const visibleIds = new Set(props.entries.map((entry) => entry.id));
+    for (const id of lineElements.keys()) {
+      if (!visibleIds.has(id)) {
+        lineElements.delete(id);
+      }
+    }
+
+    if (props.autoScrollPinned) {
+      void nextTick(() => scrollToBottom());
+    }
+  },
+);
+
+onMounted(() => {
+  if (props.autoScrollPinned) {
+    void nextTick(() => scrollToBottom());
+  }
+});
+
+function ansiColorValue(color: AnsiColor | null): string | null {
+  if (!color) {
+    return null;
+  }
+
+  const colorMap: Readonly<Record<AnsiColor, string>> = {
+    black: '#111827',
+    red: 'var(--dd-danger)',
+    green: 'var(--dd-success)',
+    yellow: 'var(--dd-warning)',
+    blue: 'var(--dd-info)',
+    magenta: '#d946ef',
+    cyan: '#06b6d4',
+    white: 'var(--dd-log-text)',
+  };
+
+  return colorMap[color];
+}
+
+function ansiSegmentStyle(segment: AnsiTextSegment): Record<string, string> {
+  const style: Record<string, string> = {};
+
+  const colorValue = ansiColorValue(segment.color);
+  if (colorValue) {
+    style.color = colorValue;
+  }
+  if (segment.bold) {
+    style.fontWeight = '700';
+  }
+  if (segment.dim) {
+    style.opacity = 'var(--dd-opacity-dim)';
+  }
+
+  return style;
+}
+
+function tokenizeJson(prettyJson: string): JsonToken[] {
+  const tokens: JsonToken[] = [];
+  let cursor = 0;
+  const numberPattern = /^-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][+-]?\d+)?/;
+
+  while (cursor < prettyJson.length) {
+    const character = prettyJson[cursor];
+
+    if (/\s/u.test(character)) {
+      let end = cursor + 1;
+      while (end < prettyJson.length && /\s/u.test(prettyJson[end])) {
+        end += 1;
+      }
+      tokens.push({ text: prettyJson.slice(cursor, end), type: 'text' });
+      cursor = end;
+      continue;
+    }
+
+    if ('{}[],:'.includes(character)) {
+      tokens.push({ text: character, type: 'punctuation' });
+      cursor += 1;
+      continue;
+    }
+
+    if (character === '"') {
+      let end = cursor + 1;
+      while (end < prettyJson.length) {
+        if (prettyJson[end] === '"' && prettyJson[end - 1] !== '\\') {
+          end += 1;
+          break;
+        }
+        end += 1;
+      }
+
+      let lookAhead = end;
+      while (lookAhead < prettyJson.length && /\s/u.test(prettyJson[lookAhead])) {
+        lookAhead += 1;
+      }
+
+      tokens.push({
+        text: prettyJson.slice(cursor, end),
+        type: prettyJson[lookAhead] === ':' ? 'key' : 'string',
+      });
+      cursor = end;
+      continue;
+    }
+
+    const remaining = prettyJson.slice(cursor);
+    if (remaining.startsWith('true') || remaining.startsWith('false')) {
+      const value = remaining.startsWith('true') ? 'true' : 'false';
+      tokens.push({ text: value, type: 'boolean' });
+      cursor += value.length;
+      continue;
+    }
+
+    if (remaining.startsWith('null')) {
+      tokens.push({ text: 'null', type: 'null' });
+      cursor += 4;
+      continue;
+    }
+
+    const numberMatch = remaining.match(numberPattern);
+    if (numberMatch?.[0]) {
+      tokens.push({ text: numberMatch[0], type: 'number' });
+      cursor += numberMatch[0].length;
+      continue;
+    }
+
+    tokens.push({ text: character, type: 'text' });
+    cursor += 1;
+  }
+
+  return tokens;
+}
+
+function tokenClassName(token: JsonToken): string {
+  if (token.type === 'key') {
+    return 'json-key';
+  }
+  if (token.type === 'string') {
+    return 'json-string';
+  }
+  if (token.type === 'number') {
+    return 'json-number';
+  }
+  if (token.type === 'boolean') {
+    return 'json-boolean';
+  }
+  if (token.type === 'null') {
+    return 'json-null';
+  }
+  if (token.type === 'punctuation') {
+    return 'json-punctuation';
+  }
+  return 'json-text';
+}
+
+async function copyLogs(): Promise<void> {
+  const text = props.entries
+    .map((entry) => {
+      const parts = [entry.timestamp];
+      if (entry.channel) {
+        parts.push(entry.channel.toUpperCase());
+      } else if (entry.level) {
+        parts.push(entry.level.toUpperCase());
+      }
+      if (entry.component) {
+        parts.push(entry.component);
+      }
+      parts.push(entry.plainLine);
+      return parts.filter((part) => part && part.trim().length > 0).join(' ');
+    })
+    .join('\n');
+
+  try {
+    await navigator.clipboard.writeText(text);
+    copySuccess.value = true;
+    setTimeout(() => {
+      copySuccess.value = false;
+    }, 2000);
+  } catch {
+    // Clipboard API may not be available in all contexts.
+  }
+}
+</script>
+
+<template>
+  <div
+    class="dd-rounded overflow-hidden flex flex-col min-h-[300px] flex-1"
+    :style="{ backgroundColor: 'var(--dd-bg-code)' }"
+    data-test="app-log-viewer"
+  >
+    <div
+      class="px-3 py-2.5 flex flex-col gap-2"
+      :style="{ borderBottom: '1px solid var(--dd-log-divider)' }"
+    >
+      <div class="flex items-center gap-2 justify-between">
+        <div class="flex items-center gap-2 min-w-0">
+          <slot name="toolbar-left" />
+        </div>
+
+        <div class="flex items-center gap-1.5">
+          <AppButton size="none" variant="plain" weight="none"
+            type="button"
+            data-test="container-log-toggle-pause"
+            class="px-2 py-1 dd-rounded text-2xs font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
+            @click="emit('toggle-pause')"
+          >
+            <span class="inline-flex items-center gap-1">
+              <AppIcon :name="props.paused ? 'play' : 'pause'" :size="11" />
+              {{ props.paused ? 'Resume' : 'Pause' }}
+            </span>
+          </AppButton>
+
+          <AppButton size="none" variant="plain" weight="none"
+            type="button"
+            class="px-2 py-1 dd-rounded text-2xs font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
+            @click="togglePin"
+          >
+            {{ props.autoScrollPinned ? 'Unpin' : 'Pin' }}
+          </AppButton>
+
+          <AppButton size="none" variant="plain" weight="none"
+            type="button"
+            data-test="container-log-copy"
+            class="px-2 py-1 dd-rounded text-2xs font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
+            @click="copyLogs"
+          >
+            <span class="inline-flex items-center gap-1">
+              <AppIcon :name="copySuccess ? 'check' : 'ph:copy'" :size="11" />
+              {{ copySuccess ? 'Copied' : 'Copy' }}
+            </span>
+          </AppButton>
+
+          <slot name="toolbar-right" />
+        </div>
+      </div>
+
+      <div class="flex flex-wrap items-center gap-2">
+        <div class="relative flex-1 min-w-[220px]">
+          <AppIcon
+            name="search"
+            :size="11"
+            class="absolute left-2 top-1/2 -translate-y-1/2 dd-text-muted pointer-events-none"
+          />
+          <input
+            v-model="searchQuery"
+            data-test="container-log-search-input"
+            type="text"
+            class="w-full pl-7 pr-2 py-1.5 dd-rounded text-2xs-plus outline-none dd-text dd-placeholder"
+            style="background-color: var(--dd-log-footer-bg)"
+            placeholder="Search logs"
+          />
+        </div>
+
+        <AppButton size="none" variant="plain" weight="none"
+          type="button"
+          data-test="container-log-regex-toggle"
+          class="px-2 py-1.5 dd-rounded text-2xs font-semibold uppercase tracking-wide transition-colors"
+          :class="regexSearch ? 'text-drydock-secondary dd-bg-elevated' : 'dd-text-muted hover:dd-text hover:dd-bg-elevated'"
+          @click="regexSearch = !regexSearch"
+        >
+          .* Regex
+        </AppButton>
+
+        <template v-if="searchQuery">
+          <AppButton size="none" variant="plain" weight="none"
+            type="button"
+            data-test="container-log-prev-match"
+            class="px-2 py-1.5 dd-rounded text-2xs font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
+            :disabled="matchedEntryIds.length === 0"
+            @click="jumpToMatch('prev')"
+          >
+            Prev
+          </AppButton>
+          <AppButton size="none" variant="plain" weight="none"
+            type="button"
+            data-test="container-log-next-match"
+            class="px-2 py-1.5 dd-rounded text-2xs font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
+            :disabled="matchedEntryIds.length === 0"
+            @click="jumpToMatch('next')"
+          >
+            Next
+          </AppButton>
+          <span data-test="container-log-match-index" class="text-2xs dd-text-muted font-mono">{{ matchLabel }}</span>
+        </template>
+
+        <slot name="filter-bar" />
+      </div>
+
+      <div v-if="searchError" class="text-2xs" style="color: var(--dd-danger)">
+        {{ searchError }}
+      </div>
+    </div>
+
+    <div
+      ref="logViewport"
+      class="flex-1 min-h-0 overflow-auto font-mono"
+      :class="props.compact ? 'text-2xs' : 'text-2xs-plus'"
+      @scroll="handleLogScroll"
+    >
+      <div v-if="props.entries.length === 0" class="px-3 py-5 text-center text-2xs-plus dd-text-muted">
+        {{ props.emptyMessage }}
+      </div>
+
+      <div
+        v-for="(entry, index) in props.entries"
+        :key="entry.id"
+        :ref="(element) => setLineElement(entry.id, element as Element | null)"
+        data-test="container-log-row"
+        class="px-3 py-1.5 transition-colors"
+        :class="[
+          isMatchedEntry(entry.id) ? 'ring-1 ring-drydock-secondary/50' : '',
+          isCurrentMatch(entry.id) ? 'bg-drydock-secondary/10' : '',
+        ]"
+      >
+        <div class="flex items-center gap-2 whitespace-nowrap">
+          <span v-if="props.showLineNumbers" class="shrink-0 tabular-nums dd-text-muted">{{ index + 1 }}</span>
+          <span class="shrink-0 tabular-nums" style="color: var(--dd-log-text-muted)">{{ entry.timestamp || '-' }}</span>
+
+          <slot name="entry-prefix" :entry="entry" />
+
+          <pre
+            v-if="entry.json"
+            class="min-w-0 flex-1 whitespace-pre-wrap break-words"
+            style="color: var(--dd-log-text)"
+          ><span v-for="(token, tokenIndex) in tokenizeJson(entry.json.pretty)" :key="`${entry.id}-${tokenIndex}`" :class="tokenClassName(token)">{{ token.text }}</span></pre>
+          <span v-else class="min-w-0 flex-1" style="color: var(--dd-log-text)">
+            <span
+              v-for="(segment, segmentIndex) in entry.ansiSegments"
+              :key="`${entry.id}-${segmentIndex}`"
+              :style="ansiSegmentStyle(segment)"
+            >{{ segment.text }}</span>
+          </span>
+        </div>
+      </div>
+    </div>
+
+    <div
+      class="px-3 py-1.5 flex items-center justify-between text-2xs gap-2"
+      :style="{ borderTop: '1px solid var(--dd-log-divider)', backgroundColor: 'var(--dd-log-footer-bg)' }"
+    >
+      <div class="flex items-center gap-2 min-w-0">
+        <span class="dd-text-muted font-mono">{{ renderedLineCount }} lines</span>
+        <slot name="footer-extra" />
+      </div>
+
+      <div class="flex items-center gap-1.5">
+        <StatusDot :color="props.statusColor" size="md" />
+        <span class="font-semibold" :style="{ color: props.statusColor }">
+          {{ props.statusLabel }}
+        </span>
+      </div>
+    </div>
+  </div>
+</template>
+
+<style scoped>
+.json-key {
+  color: #93c5fd;
+}
+
+.json-string {
+  color: #86efac;
+}
+
+.json-number {
+  color: #f9a8d4;
+}
+
+.json-boolean {
+  color: #fcd34d;
+}
+
+.json-null {
+  color: #c4b5fd;
+}
+
+.json-punctuation {
+  color: var(--dd-log-text-muted);
+}
+
+.json-text {
+  color: var(--dd-log-text);
+}
+</style>
diff --git a/ui/src/components/AppTabBar.vue b/ui/src/components/AppTabBar.vue
new file mode 100644
index 000000000..6428cc221
--- /dev/null
+++ b/ui/src/components/AppTabBar.vue
@@ -0,0 +1,78 @@
+<script setup lang="ts">
+import { computed } from 'vue';
+import AppIcon from './AppIcon.vue';
+
+interface Tab {
+  id: string;
+  label: string;
+  icon?: string;
+  count?: number;
+  disabled?: boolean;
+}
+
+interface Props {
+  tabs: Tab[];
+  modelValue: string;
+  size?: 'compact' | 'default';
+  iconOnly?: boolean;
+}
+
+const props = withDefaults(defineProps<Props>(), {
+  size: 'default',
+  iconOnly: false,
+});
+
+defineEmits<{
+  'update:modelValue': [id: string];
+}>();
+
+const sizeClasses = computed(() =>
+  props.size === 'compact'
+    ? 'px-2 py-1.5 text-2xs font-semibold uppercase tracking-wide'
+    : 'px-3 py-2 text-2xs-plus font-semibold uppercase tracking-wide',
+);
+
+const iconSize = computed(() => (props.size === 'compact' ? 10 : 12));
+
+const countStyle = {
+  backgroundColor: 'var(--dd-neutral-muted)',
+  color: 'var(--dd-neutral)',
+};
+</script>
+
+<template>
+  <div class="flex items-center gap-1 border-b" :style="{ borderColor: 'var(--dd-border)' }">
+    <button
+      v-for="tab in tabs"
+      :key="tab.id"
+      type="button"
+      :disabled="tab.disabled"
+      :aria-label="iconOnly ? tab.label : undefined"
+      v-tooltip="iconOnly ? tab.label : undefined"
+      class="relative transition-colors"
+      :class="[
+        sizeClasses,
+        tab.id === modelValue ? 'dd-text' : 'dd-text-muted hover:dd-text',
+        tab.disabled && 'opacity-40 cursor-not-allowed',
+      ]"
+      @click="!tab.disabled && $emit('update:modelValue', tab.id)"
+    >
+      <span class="inline-flex items-center">
+        <AppIcon v-if="tab.icon" :name="tab.icon" :size="iconSize" :class="!iconOnly && 'mr-1.5'" />
+        <span v-if="!iconOnly">{{ tab.label }}</span>
+        <span
+          v-if="tab.count != null"
+          class="ml-1.5 badge text-4xs font-bold px-1.5 py-0"
+          :style="countStyle"
+        >
+          {{ tab.count }}
+        </span>
+      </span>
+      <div
+        v-if="tab.id === modelValue"
+        class="absolute bottom-0 left-0 right-0 h-[2px] rounded-t-full"
+        style="background-color: var(--color-drydock-secondary)"
+      />
+    </button>
+  </div>
+</template>
diff --git a/ui/src/components/AppToast.vue b/ui/src/components/AppToast.vue
new file mode 100644
index 000000000..caf1d5076
--- /dev/null
+++ b/ui/src/components/AppToast.vue
@@ -0,0 +1,95 @@
+<script setup lang="ts">
+import { useToast, type ToastTone } from '@/composables/useToast';
+import AppIconButton from '@/components/AppIconButton.vue';
+
+const { toasts, dismissToast } = useToast();
+
+function toneStyles(tone: ToastTone) {
+  switch (tone) {
+    case 'error':
+      return {
+        bg: 'color-mix(in srgb, var(--dd-danger) 25%, var(--dd-bg-card))',
+        border: 'var(--dd-danger)',
+        text: 'var(--dd-danger)',
+        iconName: 'warning',
+      };
+    case 'success':
+      return {
+        bg: 'color-mix(in srgb, var(--dd-success) 25%, var(--dd-bg-card))',
+        border: 'var(--dd-success)',
+        text: 'var(--dd-success)',
+        iconName: 'up-to-date',
+      };
+    case 'warning':
+      return {
+        bg: 'color-mix(in srgb, var(--dd-warning) 25%, var(--dd-bg-card))',
+        border: 'var(--dd-warning)',
+        text: 'var(--dd-warning)',
+        iconName: 'warning',
+      };
+    default:
+      return {
+        bg: 'color-mix(in srgb, var(--dd-primary) 25%, var(--dd-bg-card))',
+        border: 'var(--dd-primary)',
+        text: 'var(--dd-primary)',
+        iconName: 'info',
+      };
+  }
+}
+</script>
+
+<template>
+  <Teleport to="body">
+    <div class="fixed top-16 left-1/2 -translate-x-1/2 z-[60] flex flex-col gap-2 w-[calc(100%-2rem)] max-w-lg pointer-events-none">
+      <TransitionGroup name="toast">
+        <div
+          v-for="toast in toasts"
+          :key="toast.id"
+          class="dd-rounded px-3 py-2.5 flex items-start gap-2.5 pointer-events-auto"
+          :style="{
+            backgroundColor: toneStyles(toast.tone).bg,
+            border: `1px solid ${toneStyles(toast.tone).border}`,
+            boxShadow: 'var(--dd-shadow-lg)',
+          }">
+          <AppIcon
+            :name="toneStyles(toast.tone).iconName"
+            :size="14"
+            class="shrink-0 mt-0.5"
+            :style="{ color: toneStyles(toast.tone).text }" />
+          <div class="min-w-0 flex-1">
+            <p class="text-xs font-semibold" :style="{ color: toneStyles(toast.tone).text }">
+              {{ toast.title }}
+            </p>
+            <p v-if="toast.body" class="text-2xs-plus mt-0.5" :style="{ color: 'var(--dd-text)' }">
+              {{ toast.body }}
+            </p>
+          </div>
+          <AppIconButton
+            icon="xmark"
+            size="xs"
+            variant="plain"
+            class="shrink-0 mt-0.5"
+            :style="{ color: toneStyles(toast.tone).text }"
+            aria-label="Dismiss"
+            @click="dismissToast(toast.id)"
+          />
+        </div>
+      </TransitionGroup>
+    </div>
+  </Teleport>
+</template>
+
+<style scoped>
+.toast-enter-active,
+.toast-leave-active {
+  transition: all 0.3s ease;
+}
+.toast-enter-from {
+  opacity: 0;
+  transform: translateY(-1rem);
+}
+.toast-leave-to {
+  opacity: 0;
+  transform: translateY(-0.5rem);
+}
+</style>
diff --git a/ui/src/components/ConfirmDialog.vue b/ui/src/components/ConfirmDialog.vue
index c86d719ac..c809dccd9 100644
--- a/ui/src/components/ConfirmDialog.vue
+++ b/ui/src/components/ConfirmDialog.vue
@@ -50,22 +50,22 @@ onUnmounted(() => globalThis.removeEventListener('keydown', handleKeydown));
   <Teleport to="body">
     <Transition name="confirm-fade">
       <div v-if="visible && current"
-           class="fixed inset-0 z-[100] bg-black/50 backdrop-blur-sm flex items-start justify-center pt-[20vh]"
+           class="fixed inset-0 z-overlay bg-black/50 backdrop-blur-sm flex items-start justify-center pt-[20vh]"
            @pointerdown.self="dismiss">
-        <div class="relative w-full max-w-[420px] min-w-[340px] mx-4 dd-rounded-lg overflow-hidden"
+        <div class="relative w-full max-w-[var(--dd-layout-dialog-max-width)] min-w-[var(--dd-layout-dialog-min-width)] mx-4 dd-rounded-lg overflow-hidden"
              role="dialog"
              aria-modal="true"
              :aria-labelledby="dialogTitleId"
              :aria-describedby="dialogDescriptionId"
-             :style="{
-               backgroundColor: 'var(--dd-bg-card)',
-               border: '1px solid var(--dd-border-strong)',
-               boxShadow: '0 16px 48px rgba(0, 0, 0, 0.3)',
-             }">
+               :style="{
+                 backgroundColor: 'var(--dd-bg-card)',
+                 border: '1px solid var(--dd-border-strong)',
+                 boxShadow: 'var(--dd-shadow-modal)',
+               }">
           <!-- Header -->
           <div class="px-5 pt-4 pb-3"
                :style="{ borderBottom: '1px solid var(--dd-border)' }">
-            <span :id="dialogTitleId" class="text-[0.8125rem] font-semibold dd-text">{{ current.header }}</span>
+            <span :id="dialogTitleId" class="text-xs-plus font-semibold dd-text">{{ current.header }}</span>
           </div>
 
           <!-- Body -->
@@ -75,8 +75,8 @@ onUnmounted(() => globalThis.removeEventListener('keydown', handleKeydown));
 
           <!-- Footer -->
           <div class="px-5 pt-3 pb-4.5 flex items-center justify-end gap-2.5">
-            <button
-              class="px-4 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors cursor-pointer"
+            <AppButton size="none" variant="plain" weight="none"
+              class="px-4 py-1.5 dd-rounded text-2xs-plus font-semibold transition-colors cursor-pointer"
               :aria-label="current.rejectLabel || 'Cancel'"
               :style="{
                 backgroundColor: 'var(--dd-bg-inset)',
@@ -85,9 +85,9 @@ onUnmounted(() => globalThis.removeEventListener('keydown', handleKeydown));
               }"
               @click="reject">
               {{ current.rejectLabel || 'Cancel' }}
-            </button>
-            <button
-              class="px-4 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors flex items-center gap-1.5 cursor-pointer"
+            </AppButton>
+            <AppButton size="none" variant="plain" weight="none"
+              class="px-4 py-1.5 dd-rounded text-2xs-plus font-semibold transition-colors flex items-center gap-1.5 cursor-pointer"
               :aria-label="current.acceptLabel || 'Confirm'"
               :style="current.severity === 'danger'
                 ? {
@@ -102,7 +102,7 @@ onUnmounted(() => globalThis.removeEventListener('keydown', handleKeydown));
                   }"
               @click="accept">
               {{ current.acceptLabel || 'Confirm' }}
-            </button>
+            </AppButton>
           </div>
         </div>
       </div>
@@ -113,7 +113,7 @@ onUnmounted(() => globalThis.removeEventListener('keydown', handleKeydown));
 <style scoped>
 .confirm-fade-enter-active,
 .confirm-fade-leave-active {
-  transition: opacity 0.15s ease;
+  transition: opacity var(--dd-duration-fast) ease;
 }
 .confirm-fade-enter-from,
 .confirm-fade-leave-to {
diff --git a/ui/src/components/DataCardGrid.stories.ts b/ui/src/components/DataCardGrid.stories.ts
index cc2f1ed66..3d8f26a74 100644
--- a/ui/src/components/DataCardGrid.stories.ts
+++ b/ui/src/components/DataCardGrid.stories.ts
@@ -1,20 +1,10 @@
 import type { Meta, StoryObj } from '@storybook/vue3';
 import { expect, fn, userEvent, within } from 'storybook/test';
 import DataCardGrid from './DataCardGrid.vue';
-
-interface ServiceCard {
-  id: string;
-  name: string;
-  server: string;
-  status: 'healthy' | 'degraded' | 'offline';
-  updates: number;
-}
-
-const services: ServiceCard[] = [
-  { id: 'gateway', name: 'API Gateway', server: 'edge-1', status: 'healthy', updates: 0 },
-  { id: 'worker', name: 'Background Worker', server: 'edge-2', status: 'degraded', updates: 2 },
-  { id: 'reports', name: 'Reports Service', server: 'edge-3', status: 'offline', updates: 1 },
-];
+import {
+  type SampleServiceCard as ServiceCard,
+  sampleServiceCards as services,
+} from './stories/sampleData';
 
 const meta = {
   component: DataCardGrid,
@@ -50,10 +40,10 @@ export const Default: Story = {
         <template #card="{ item, selected }">
           <div class="px-4 py-3 flex items-start justify-between gap-3">
             <div class="min-w-0">
-              <div class="text-[0.8125rem] font-semibold truncate dd-text">{{ item.name }}</div>
-              <div class="text-[0.6875rem] mt-0.5 dd-text-muted">server: {{ item.server }}</div>
+              <div class="text-xs-plus font-semibold truncate dd-text">{{ item.name }}</div>
+              <div class="text-2xs-plus mt-0.5 dd-text-muted">server: {{ item.server }}</div>
             </div>
-            <span class="text-[0.5625rem] uppercase font-bold px-2 py-1 dd-rounded shrink-0"
+            <span class="text-3xs uppercase font-bold px-2 py-1 dd-rounded shrink-0"
                   :style="{
                     backgroundColor:
                       item.status === 'healthy'
@@ -71,10 +61,10 @@ export const Default: Story = {
               {{ item.status }}
             </span>
           </div>
-          <div class="px-4 pb-3 text-[0.6875rem] dd-text-secondary">
+          <div class="px-4 pb-3 text-2xs-plus dd-text-secondary">
             {{ item.updates }} pending update{{ item.updates === 1 ? '' : 's' }}
           </div>
-          <div class="px-4 py-2.5 mt-auto text-[0.625rem] dd-text-muted"
+          <div class="px-4 py-2.5 mt-auto text-2xs dd-text-muted"
                :style="{ borderTop: '1px solid var(--dd-border-strong)', backgroundColor: selected ? 'var(--dd-bg-elevated)' : 'var(--dd-bg-inset)' }">
             {{ selected ? 'Selected for details' : 'Click to open details' }}
           </div>
diff --git a/ui/src/components/DataFilterBar.stories.ts b/ui/src/components/DataFilterBar.stories.ts
index 9d19aa17a..37b45e11a 100644
--- a/ui/src/components/DataFilterBar.stories.ts
+++ b/ui/src/components/DataFilterBar.stories.ts
@@ -26,9 +26,9 @@ const renderWithFilters = (args: Story['args']) => ({
           <input
             type="text"
             placeholder="Filter by name..."
-            class="flex-1 min-w-[120px] max-w-[240px] px-2.5 py-1.5 dd-rounded text-[0.6875rem] font-medium outline-none dd-bg dd-text dd-placeholder"
+            class="flex-1 min-w-[120px] max-w-[var(--dd-layout-filter-max-width)] px-2.5 py-1.5 dd-rounded text-2xs-plus font-medium outline-none dd-bg dd-text dd-placeholder"
           />
-          <button class="text-[0.625rem] dd-text-muted hover:dd-text transition-colors">Clear</button>
+          <button class="text-2xs dd-text-muted hover:dd-text transition-colors">Clear</button>
         </template>
       </DataFilterBar>
     </div>
diff --git a/ui/src/components/DataFilterBar.vue b/ui/src/components/DataFilterBar.vue
index d20afd72a..a0a3b55e1 100644
--- a/ui/src/components/DataFilterBar.vue
+++ b/ui/src/components/DataFilterBar.vue
@@ -1,4 +1,6 @@
 <script setup lang="ts">
+import AppIconButton from './AppIconButton.vue';
+
 defineProps<{
   modelValue: string;
   filteredCount: number;
@@ -38,17 +40,14 @@ function viewModeLabel(id: string): string {
       <div class="flex items-center gap-2.5 relative">
         <!-- Filter toggle button -->
         <div v-if="!hideFilter" class="relative" v-tooltip.top="'Filters'">
-          <button type="button"
-                  class="w-7 h-7 dd-rounded flex items-center justify-center text-[0.6875rem] transition-colors"
+          <AppIconButton icon="filter" size="toolbar" variant="plain" class="text-2xs-plus"
                   :class="showFilters || (activeFilterCount ?? 0) > 0 ? 'dd-text dd-bg-elevated' : 'dd-text-secondary hover:dd-text hover:dd-bg-elevated'"
                   aria-label="Toggle filters"
                   :aria-expanded="String(showFilters)"
                   :aria-controls="filterPanelId"
-                  @click.stop="emit('update:showFilters', !showFilters)">
-            <AppIcon name="filter" :size="13" />
-          </button>
+                  @click.stop="emit('update:showFilters', !showFilters)" />
           <span v-if="(activeFilterCount ?? 0) > 0"
-                class="absolute -top-1 -right-1 w-3.5 h-3.5 rounded-full text-[0.5rem] font-bold flex items-center justify-center text-white pointer-events-none"
+                class="absolute -top-1 -right-1 w-3.5 h-3.5 rounded-full text-4xs font-bold flex items-center justify-center text-white pointer-events-none"
                 style="background: var(--dd-primary);">
             {{ activeFilterCount }}
           </span>
@@ -65,22 +64,19 @@ function viewModeLabel(id: string): string {
 
         <!-- Right side: count + view mode switcher -->
         <div class="flex items-center gap-2 ml-auto">
-          <span class="text-[0.625rem] font-semibold tabular-nums shrink-0 px-2 py-1 dd-rounded dd-text-muted dd-bg-card">
+          <span class="text-2xs font-semibold tabular-nums shrink-0 px-2 py-1 dd-rounded dd-text-muted dd-bg-card">
             {{ filteredCount }}/{{ totalCount }}<template v-if="countLabel"> {{ countLabel }}</template>
           </span>
           <div class="flex items-center dd-rounded overflow-hidden"
                role="group"
                aria-label="View mode">
-            <button v-for="vm in (viewModes ?? defaultViewModes)" :key="vm.id"
-                    type="button"
-                    class="w-7 h-7 flex items-center justify-center text-[0.6875rem] transition-colors"
+            <AppIconButton v-for="vm in (viewModes ?? defaultViewModes)" :key="vm.id"
+                    :icon="vm.icon" size="toolbar" variant="plain"
                     :class="modelValue === vm.id ? 'dd-text dd-bg-elevated' : 'dd-text-secondary hover:dd-text hover:dd-bg-elevated'"
-                    v-tooltip.top="viewModeLabel(vm.id)"
+                    :tooltip="viewModeLabel(vm.id)"
                     :aria-label="viewModeLabel(vm.id)"
                     :aria-pressed="String(modelValue === vm.id)"
-                    @click="emit('update:modelValue', vm.id)">
-              <AppIcon :name="vm.icon" :size="11" />
-            </button>
+                    @click="emit('update:modelValue', vm.id)" />
           </div>
         </div>
       </div>
diff --git a/ui/src/components/DataListAccordion.stories.ts b/ui/src/components/DataListAccordion.stories.ts
index dffb23717..2d7a629c7 100644
--- a/ui/src/components/DataListAccordion.stories.ts
+++ b/ui/src/components/DataListAccordion.stories.ts
@@ -1,38 +1,10 @@
 import type { Meta, StoryObj } from '@storybook/vue3';
 import { expect, fn, userEvent, within } from 'storybook/test';
 import DataListAccordion from './DataListAccordion.vue';
-
-interface WatcherItem {
-  id: string;
-  name: string;
-  endpoint: string;
-  status: 'connected' | 'disconnected';
-  containers: number;
-}
-
-const watchers: WatcherItem[] = [
-  {
-    id: 'local',
-    name: 'Local Docker',
-    endpoint: 'unix:///var/run/docker.sock',
-    status: 'connected',
-    containers: 18,
-  },
-  {
-    id: 'edge-1',
-    name: 'Edge Cluster 1',
-    endpoint: 'tcp://10.42.0.12:2376',
-    status: 'connected',
-    containers: 9,
-  },
-  {
-    id: 'edge-2',
-    name: 'Edge Cluster 2',
-    endpoint: 'tcp://10.42.0.13:2376',
-    status: 'disconnected',
-    containers: 0,
-  },
-];
+import {
+  type SampleWatcherItem as WatcherItem,
+  sampleWatcherItems as watchers,
+} from './stories/sampleData';
 
 const meta = {
   component: DataListAccordion,
@@ -63,23 +35,23 @@ const renderAccordion = (args: Story['args']) => ({
              :style="{ backgroundColor: item.status === 'connected' ? 'var(--dd-success)' : 'var(--dd-danger)' }" />
         <AppIcon name="servers" :size="12" class="dd-text-secondary" />
         <span class="text-sm font-semibold flex-1 min-w-0 truncate dd-text">{{ item.name }}</span>
-        <span class="text-[0.625rem] font-mono dd-text-muted hidden sm:inline">{{ item.endpoint }}</span>
+        <span class="text-2xs font-mono dd-text-muted hidden sm:inline">{{ item.endpoint }}</span>
       </template>
       <template #details="{ item }">
         <div class="grid grid-cols-1 sm:grid-cols-2 gap-x-8 gap-y-3 mt-2">
           <div>
-            <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-0.5 dd-text-muted">Status</div>
+            <div class="text-2xs font-semibold uppercase tracking-wider mb-0.5 dd-text-muted">Status</div>
             <div class="text-xs font-semibold"
                  :style="{ color: item.status === 'connected' ? 'var(--dd-success)' : 'var(--dd-danger)' }">
               {{ item.status }}
             </div>
           </div>
           <div>
-            <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-0.5 dd-text-muted">Containers</div>
+            <div class="text-2xs font-semibold uppercase tracking-wider mb-0.5 dd-text-muted">Containers</div>
             <div class="text-xs dd-text">{{ item.containers }}</div>
           </div>
           <div class="sm:col-span-2">
-            <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-0.5 dd-text-muted">Endpoint</div>
+            <div class="text-2xs font-semibold uppercase tracking-wider mb-0.5 dd-text-muted">Endpoint</div>
             <div class="text-xs font-mono dd-text">{{ item.endpoint }}</div>
           </div>
         </div>
diff --git a/ui/src/components/DataTable.stories.ts b/ui/src/components/DataTable.stories.ts
index 1ed365e3e..ef1a13a53 100644
--- a/ui/src/components/DataTable.stories.ts
+++ b/ui/src/components/DataTable.stories.ts
@@ -1,14 +1,7 @@
 import type { Meta, StoryObj } from '@storybook/vue3';
 import { expect, fn, userEvent, within } from 'storybook/test';
 import DataTable from './DataTable.vue';
-
-interface SampleRow {
-  id: string;
-  name: string;
-  status: 'running' | 'stopped';
-  server: string;
-  updates: number;
-}
+import { sampleContainerRows as rows } from './stories/sampleData';
 
 const columns = [
   { key: 'name', label: 'Container', width: '44%' },
@@ -22,12 +15,6 @@ const columnsWithIcon = [
   ...columns,
 ];
 
-const rows: SampleRow[] = [
-  { id: 'api', name: 'drydock-api', status: 'running', server: 'local', updates: 0 },
-  { id: 'web', name: 'drydock-web', status: 'running', server: 'edge-1', updates: 2 },
-  { id: 'db', name: 'postgres', status: 'stopped', server: 'edge-2', updates: 1 },
-];
-
 const meta = {
   component: DataTable,
   tags: ['autodocs'],
@@ -92,7 +79,7 @@ export const WithCustomCellsAndActions: Story = {
           </div>
         </template>
         <template #cell-status="{ row }">
-          <span class="badge text-[0.5625rem] font-bold uppercase"
+          <span class="badge text-3xs font-bold uppercase"
                 :style="{
                   backgroundColor: row.status === 'running' ? 'var(--dd-success-muted)' : 'var(--dd-danger-muted)',
                   color: row.status === 'running' ? 'var(--dd-success)' : 'var(--dd-danger)',
@@ -101,7 +88,7 @@ export const WithCustomCellsAndActions: Story = {
           </span>
         </template>
         <template #actions="{ row }">
-          <button class="px-2 py-1 text-[0.625rem] dd-rounded dd-bg-elevated dd-text-muted hover:dd-text">
+          <button class="px-2 py-1 text-2xs dd-rounded dd-bg-elevated dd-text-muted hover:dd-text">
             Open {{ row.id }}
           </button>
         </template>
diff --git a/ui/src/components/DataTable.vue b/ui/src/components/DataTable.vue
index 105fb9daa..055abf8f2 100644
--- a/ui/src/components/DataTable.vue
+++ b/ui/src/components/DataTable.vue
@@ -21,16 +21,20 @@ const props = withDefaults(
     selectedKey?: string | null;
     showActions?: boolean;
     compact?: boolean;
+    fixedLayout?: boolean;
     virtualScroll?: boolean;
     virtualRowHeight?: number;
     virtualOverscan?: number;
     virtualMaxHeight?: string;
     /** Optional max-height for scroll area when virtualScroll is false (e.g., '340px') */
     maxHeight?: string;
+    /** Optional function returning extra CSS classes for a row (e.g. dim during actions) */
+    rowClass?: (row: Record<string, unknown>) => string;
   }>(),
   {
     showActions: false,
     compact: false,
+    fixedLayout: false,
     virtualScroll: false,
     virtualRowHeight: 56,
     virtualOverscan: 6,
@@ -117,6 +121,7 @@ const totalColumnCount = computed(() => props.columns.length + (props.showAction
 const normalizedRowHeight = computed(() => Math.max(24, props.virtualRowHeight));
 const normalizedOverscan = computed(() => Math.max(0, props.virtualOverscan));
 const virtualizationEnabled = computed(() => props.virtualScroll && props.rows.length > 0);
+const useFixedLayout = computed(() => props.fixedLayout || Object.keys(colWidths).length > 0);
 
 function fallbackViewportHeight(): number {
   const explicitMaxHeight = parsePixelHeight(props.virtualMaxHeight);
@@ -343,15 +348,15 @@ function handleHeaderKeydown(event: KeyboardEvent, col: DataTableColumn) {
       @scroll="handleVirtualScroll">
       <table
         ref="tableRef"
-        class="w-full text-xs"
-        :style="{ borderCollapse: 'separate', borderSpacing: '0', ...(Object.keys(colWidths).length > 0 ? { tableLayout: 'fixed' } : {}) }">
+        class="w-full text-xs isolate"
+        :style="{ borderCollapse: 'separate', borderSpacing: '0', ...(useFixedLayout ? { tableLayout: 'fixed' } : {}) }">
         <thead>
           <tr :style="{ backgroundColor: 'var(--dd-bg-inset)', borderBottom: 'none' }">
             <th v-for="(col, colIdx) in columns" :key="col.key"
                 :data-col-key="col.key"
                 :class="[
                   col.icon ? 'text-center pl-5 pr-0' : [col.align ?? 'text-center', 'px-5'],
-                  'whitespace-nowrap py-2.5 font-semibold uppercase tracking-wider text-[0.625rem] select-none transition-colors relative',
+                  'whitespace-nowrap py-2.5 font-semibold uppercase tracking-wider text-2xs select-none transition-colors relative',
                   isSortableColumn(col) ? 'cursor-pointer' : '',
                   sortKey === col.key ? 'dd-text-secondary' : 'dd-text-muted hover:dd-text-secondary',
                 ]"
@@ -361,7 +366,7 @@ function handleHeaderKeydown(event: KeyboardEvent, col: DataTableColumn) {
                 @keydown="handleHeaderKeydown($event, col)"
                 @click="!resizing && isSortableColumn(col) && toggleSort(col.key, sortKey, sortAsc)">
               {{ col.label }}
-              <span v-if="sortKey === col.key" class="inline-block ml-0.5 text-[0.5rem]">{{ sortAsc ? '\u25B2' : '\u25BC' }}</span>
+              <span v-if="sortKey === col.key" class="inline-block ml-0.5 text-4xs">{{ sortAsc ? '\u25B2' : '\u25BC' }}</span>
               <!-- Resize handle -->
               <div v-if="!col.icon && colIdx < columns.length - 1"
                    role="separator"
@@ -372,7 +377,7 @@ function handleHeaderKeydown(event: KeyboardEvent, col: DataTableColumn) {
                      style="background: var(--dd-text-muted)" />
               </div>
             </th>
-            <th v-if="showActions" class="text-center px-4 py-2.5 font-semibold uppercase tracking-wider text-[0.625rem] whitespace-nowrap dd-text-muted relative">
+            <th v-if="showActions" class="text-center px-4 py-2.5 font-semibold uppercase tracking-wider text-2xs whitespace-nowrap dd-text-muted relative">
               Actions
               <div v-if="lastResizableColumnKey"
                    role="separator"
@@ -394,7 +399,10 @@ function handleHeaderKeydown(event: KeyboardEvent, col: DataTableColumn) {
           </tr>
           <tr v-for="(row, i) in visibleRows" :key="getRowKey(row, rowKey)"
               class="cursor-pointer transition-colors hover:dd-bg-hover"
-              :class="selectedKey != null && getRowKey(row, rowKey) === selectedKey ? 'ring-1 ring-inset ring-drydock-secondary' : ''"
+              :class="[
+                selectedKey != null && getRowKey(row, rowKey) === selectedKey ? 'ring-1 ring-inset ring-drydock-secondary' : '',
+                rowClass?.(row) ?? '',
+              ]"
               :style="{
                 backgroundColor: selectedKey != null && getRowKey(row, rowKey) === selectedKey
                   ? 'var(--dd-bg-elevated)'
@@ -405,8 +413,8 @@ function handleHeaderKeydown(event: KeyboardEvent, col: DataTableColumn) {
               @keydown="handleRowKeydown($event, row)"
               @click="emit('row-click', row)">
             <td v-for="col in columns" :key="col.key"
-                class="py-3 align-middle overflow-hidden text-ellipsis"
-                :class="col.icon ? 'text-center pl-5 pr-0' : [col.align ?? 'text-center', 'px-5']">
+                class="py-3 align-middle"
+                :class="col.icon ? 'text-center pl-5 pr-0' : ['overflow-hidden text-ellipsis', col.align ?? 'text-center', 'px-5']">
               <slot :name="'cell-' + col.key" :row="row" :value="row[col.key]">
                 {{ row[col.key] }}
               </slot>
diff --git a/ui/src/components/DataViewLayout.stories.ts b/ui/src/components/DataViewLayout.stories.ts
index a2549fb65..9d69a44f7 100644
--- a/ui/src/components/DataViewLayout.stories.ts
+++ b/ui/src/components/DataViewLayout.stories.ts
@@ -34,7 +34,7 @@ export const ContentOnly: Story = {
           <div class="px-3 py-2 dd-rounded flex items-center justify-between"
                :style="{ backgroundColor: 'var(--dd-bg-card)', border: '1px solid var(--dd-border-strong)' }">
             <span class="text-xs font-semibold dd-text">Containers</span>
-            <span class="text-[0.625rem] dd-text-muted">14 / 23 visible</span>
+            <span class="text-2xs dd-text-muted">14 / 23 visible</span>
           </div>
           <div class="dd-rounded p-4"
                :style="{ backgroundColor: 'var(--dd-bg-card)', border: '1px solid var(--dd-border-strong)' }">
@@ -58,7 +58,7 @@ export const WithDetailPanelSlot: Story = {
           <div class="px-3 py-2 dd-rounded flex items-center justify-between"
                :style="{ backgroundColor: 'var(--dd-bg-card)', border: '1px solid var(--dd-border-strong)' }">
             <span class="text-xs font-semibold dd-text">Servers</span>
-            <span class="text-[0.625rem] dd-text-muted">3 connected, 1 disconnected</span>
+            <span class="text-2xs dd-text-muted">3 connected, 1 disconnected</span>
           </div>
           <div class="dd-rounded p-4"
                :style="{ backgroundColor: 'var(--dd-bg-card)', border: '1px solid var(--dd-border-strong)' }">
@@ -84,7 +84,7 @@ export const WithDetailPanelSlot: Story = {
               </button>
             </div>
             <div class="p-4 space-y-2">
-              <div class="text-[0.625rem] uppercase tracking-wider font-semibold dd-text-muted">Selection</div>
+              <div class="text-2xs uppercase tracking-wider font-semibold dd-text-muted">Selection</div>
               <div class="text-xs font-mono dd-text">edge-1 / drydock-api</div>
             </div>
           </aside>
@@ -176,10 +176,10 @@ export const IntegratedWorkspace: Story = {
               v-model="query"
               type="text"
               placeholder="Filter by name or server..."
-              class="flex-1 min-w-[120px] max-w-[260px] px-2.5 py-1.5 dd-rounded text-[0.6875rem] font-medium outline-none dd-bg dd-text dd-placeholder"
+              class="flex-1 min-w-[120px] max-w-[260px] px-2.5 py-1.5 dd-rounded text-2xs-plus font-medium outline-none dd-bg dd-text dd-placeholder"
             />
             <button
-              class="text-[0.625rem] dd-text-muted hover:dd-text transition-colors"
+              class="text-2xs dd-text-muted hover:dd-text transition-colors"
               @click="query = ''"
             >
               Clear
@@ -196,7 +196,7 @@ export const IntegratedWorkspace: Story = {
           @row-click="openDetails($event)"
         >
           <template #cell-status="{ row }">
-            <span class="badge text-[0.5625rem] uppercase font-bold"
+            <span class="badge text-3xs uppercase font-bold"
                   :style="{
                     backgroundColor: row.status === 'running' ? 'var(--dd-success-muted)' : 'var(--dd-danger-muted)',
                     color: row.status === 'running' ? 'var(--dd-success)' : 'var(--dd-danger)',
@@ -216,9 +216,9 @@ export const IntegratedWorkspace: Story = {
           <template #card="{ item, selected }">
             <div class="px-4 py-3">
               <div class="text-sm font-semibold dd-text">{{ item.name }}</div>
-              <div class="text-[0.6875rem] dd-text-muted mt-1">{{ item.server }}</div>
+              <div class="text-2xs-plus dd-text-muted mt-1">{{ item.server }}</div>
             </div>
-            <div class="px-4 py-2.5 text-[0.625rem] dd-text-muted"
+            <div class="px-4 py-2.5 text-2xs dd-text-muted"
                  :style="{ borderTop: '1px solid var(--dd-border-strong)', backgroundColor: selected ? 'var(--dd-bg-elevated)' : 'var(--dd-bg-inset)' }">
               {{ item.status }}
             </div>
@@ -233,7 +233,7 @@ export const IntegratedWorkspace: Story = {
         >
           <template #header="{ item }">
             <span class="text-sm font-semibold flex-1 min-w-0 truncate dd-text">{{ item.name }}</span>
-            <span class="text-[0.625rem] font-mono dd-text-muted">{{ item.server }}</span>
+            <span class="text-2xs font-mono dd-text-muted">{{ item.server }}</span>
           </template>
           <template #details="{ item }">
             <div class="text-xs dd-text">Status: {{ item.status }}</div>
@@ -254,7 +254,7 @@ export const IntegratedWorkspace: Story = {
               <div class="text-sm font-semibold dd-text">Selection</div>
             </template>
             <template #subtitle>
-              <span class="text-[0.6875rem] font-mono dd-text-secondary">{{ selected?.name }}</span>
+              <span class="text-2xs-plus font-mono dd-text-secondary">{{ selected?.name }}</span>
             </template>
             <div class="p-4 text-xs dd-text-muted">
               Server: {{ selected?.server }}<br />
diff --git a/ui/src/components/DataViewLayout.vue b/ui/src/components/DataViewLayout.vue
index 75d9c83da..a002cc9a0 100644
--- a/ui/src/components/DataViewLayout.vue
+++ b/ui/src/components/DataViewLayout.vue
@@ -26,7 +26,7 @@
 <template>
   <div class="flex flex-col flex-1 min-h-0">
     <div class="flex gap-2 min-w-0 flex-1 min-h-0">
-      <div class="flex-1 min-w-0 min-h-0 overflow-auto pb-6 pr-2 sm:pr-[15px]">
+      <div class="flex-1 min-h-0 min-w-0 overflow-y-auto overflow-x-hidden pr-2 sm:pr-[15px] dd-touch-scroll">
         <slot />
       </div>
       <slot name="panel" />
diff --git a/ui/src/components/DetailField.vue b/ui/src/components/DetailField.vue
new file mode 100644
index 000000000..416949203
--- /dev/null
+++ b/ui/src/components/DetailField.vue
@@ -0,0 +1,23 @@
+<script setup lang="ts">
+interface Props {
+  label: string;
+  mono?: boolean;
+  compact?: boolean;
+}
+
+const props = withDefaults(defineProps<Props>(), {
+  mono: false,
+  compact: false,
+});
+</script>
+
+<template>
+  <div>
+    <div class="dd-text-label" :class="props.compact ? 'mb-0.5' : 'mb-1'" style="color: var(--dd-text-muted)">
+      {{ props.label }}
+    </div>
+    <div class="text-2xs-plus" :class="[props.mono && 'font-mono']" style="color: var(--dd-text)">
+      <slot />
+    </div>
+  </div>
+</template>
diff --git a/ui/src/components/DetailPanel.stories.ts b/ui/src/components/DetailPanel.stories.ts
index 93fcbb318..26f08e5d8 100644
--- a/ui/src/components/DetailPanel.stories.ts
+++ b/ui/src/components/DetailPanel.stories.ts
@@ -80,33 +80,33 @@ const renderPanel = (args: Story['args']) => ({
         <template #header>
           <div class="flex items-center justify-between gap-2">
             <h3 class="text-sm font-semibold dd-text">Container Details</h3>
-            <span class="badge text-[0.5625rem] uppercase font-bold"
+            <span class="badge text-3xs uppercase font-bold"
                   :style="{ backgroundColor: 'var(--dd-success-muted)', color: 'var(--dd-success)' }">
               running
             </span>
           </div>
         </template>
         <template #subtitle>
-          <span class="text-[0.6875rem] font-mono dd-text-secondary">drydock-api</span>
-          <span class="text-[0.625rem] dd-text-muted">edge-1</span>
+          <span class="text-2xs-plus font-mono dd-text-secondary">drydock-api</span>
+          <span class="text-2xs dd-text-muted">edge-1</span>
         </template>
         <template #tabs>
           <div class="px-4 py-2.5 flex items-center gap-2"
                :style="{ borderBottom: '1px solid var(--dd-border)' }">
-            <button class="px-2 py-1 text-[0.625rem] dd-rounded dd-bg-elevated dd-text">Overview</button>
-            <button class="px-2 py-1 text-[0.625rem] dd-rounded dd-text-muted">Logs</button>
-            <button class="px-2 py-1 text-[0.625rem] dd-rounded dd-text-muted">History</button>
+            <button class="px-2 py-1 text-2xs dd-rounded dd-bg-elevated dd-text">Overview</button>
+            <button class="px-2 py-1 text-2xs dd-rounded dd-text-muted">Logs</button>
+            <button class="px-2 py-1 text-2xs dd-rounded dd-text-muted">History</button>
           </div>
         </template>
         <div class="p-4 space-y-3">
           <div class="dd-rounded p-3"
                :style="{ backgroundColor: 'var(--dd-bg-inset)', border: '1px solid var(--dd-border-strong)' }">
-            <div class="text-[0.625rem] uppercase tracking-wider font-semibold mb-1 dd-text-muted">Image</div>
+            <div class="text-2xs uppercase tracking-wider font-semibold mb-1 dd-text-muted">Image</div>
             <div class="text-xs font-mono dd-text">ghcr.io/drydock/app:1.3.7</div>
           </div>
           <div class="dd-rounded p-3"
                :style="{ backgroundColor: 'var(--dd-bg-inset)', border: '1px solid var(--dd-border-strong)' }">
-            <div class="text-[0.625rem] uppercase tracking-wider font-semibold mb-1 dd-text-muted">Uptime</div>
+            <div class="text-2xs uppercase tracking-wider font-semibold mb-1 dd-text-muted">Uptime</div>
             <div class="text-xs dd-text">4d 12h</div>
           </div>
         </div>
diff --git a/ui/src/components/DetailPanel.vue b/ui/src/components/DetailPanel.vue
index ab0e87877..b88664049 100644
--- a/ui/src/components/DetailPanel.vue
+++ b/ui/src/components/DetailPanel.vue
@@ -1,5 +1,6 @@
 <script setup lang="ts">
 import { computed, onMounted, onUnmounted } from 'vue';
+import AppIconButton from './AppIconButton.vue';
 
 const props = withDefaults(
   defineProps<{
@@ -23,7 +24,11 @@ const emit = defineEmits<{
 }>();
 
 const panelDesktopWidth = computed(() =>
-  props.size === 'sm' ? '420px' : props.size === 'md' ? '560px' : '720px',
+  props.size === 'sm'
+    ? 'var(--dd-layout-panel-width-sm)'
+    : props.size === 'md'
+      ? 'var(--dd-layout-panel-width-md)'
+      : 'var(--dd-layout-panel-width-lg)',
 );
 
 function closePanel() {
@@ -60,7 +65,7 @@ onUnmounted(() => globalThis.removeEventListener('keydown', handleKeydown));
            width: isMobile ? '100%' : panelDesktopWidth,
            maxWidth: isMobile ? '100%' : 'min(calc(100vw - 32px), 920px)',
            backgroundColor: 'var(--dd-bg-card)',
-           height: isMobile ? '100vh' : 'calc(100vh - 96px)',
+           height: isMobile ? '100vh' : 'calc(100vh - var(--dd-layout-main-viewport-offset))',
            minHeight: '480px',
          }">
 
@@ -69,30 +74,25 @@ onUnmounted(() => globalThis.removeEventListener('keydown', handleKeydown));
          :style="{ borderBottom: '1px solid var(--dd-border)' }">
       <div class="flex items-center gap-2">
         <div v-if="(showSizeControls && !isMobile) || showFullPage" class="flex items-center dd-rounded overflow-hidden">
-          <button v-if="showFullPage"
-                  class="px-2 py-1 transition-colors"
-                  :class="'dd-text-muted hover:dd-text hover:dd-bg-elevated'"
-                  v-tooltip.top="'Open full page view'"
-                  @click="$emit('full-page')">
-            <AppIcon name="frame-corners" :size="12" />
-          </button>
-          <button v-if="showSizeControls && !isMobile"
+          <AppIconButton v-if="showFullPage"
+                  icon="frame-corners" size="toolbar" variant="muted"
+                  tooltip="Open full page view"
+                  @click="$emit('full-page')" />
+          <AppButton size="none" variant="plain" weight="none" v-if="showSizeControls && !isMobile"
                   v-for="s in (['lg', 'md', 'sm'] as const)" :key="s"
-                  class="px-2 py-1 text-[0.625rem] font-semibold uppercase tracking-wide transition-colors"
+                  class="px-2 py-1 text-2xs font-semibold uppercase tracking-wide transition-colors"
                   :class="size === s
                     ? 'dd-bg-elevated dd-text'
                     : 'dd-text-muted hover:dd-text hover:dd-bg-elevated'"
                   @click="$emit('update:size', s)">
             {{ s === 'sm' ? 'S' : s === 'md' ? 'M' : 'L' }}
-          </button>
+          </AppButton>
         </div>
         <slot name="toolbar" />
       </div>
-      <button aria-label="Close details panel"
-              class="flex items-center justify-center w-7 h-7 dd-rounded text-xs font-medium transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-              @click="closePanel">
-        <AppIcon name="xmark" :size="14" />
-      </button>
+      <AppIconButton icon="xmark" size="toolbar" variant="muted"
+              aria-label="Close details panel"
+              @click="closePanel" />
     </div>
 
     <!-- Header -->
@@ -110,7 +110,7 @@ onUnmounted(() => globalThis.removeEventListener('keydown', handleKeydown));
     <slot name="tabs" />
 
     <!-- Main scrollable content -->
-    <div class="flex-1 min-w-0 min-h-0 overflow-y-auto">
+    <div class="flex flex-col flex-1 min-w-0 min-h-0 overflow-y-auto">
       <slot />
     </div>
   </aside>
diff --git a/ui/src/components/EmptyState.vue b/ui/src/components/EmptyState.vue
index 43a518479..527300661 100644
--- a/ui/src/components/EmptyState.vue
+++ b/ui/src/components/EmptyState.vue
@@ -25,10 +25,10 @@ defineEmits<{
     <p class="text-sm font-medium mb-1 dd-text-secondary">
       {{ message }}
     </p>
-    <button v-if="showClear"
+    <AppButton size="none" variant="plain" weight="none" v-if="showClear"
             class="text-xs font-medium mt-2 px-3 py-1.5 dd-rounded transition-colors text-drydock-secondary bg-drydock-secondary/10 hover:bg-drydock-secondary/20"
             @click="$emit('clear')">
       Clear all filters
-    </button>
+    </AppButton>
   </div>
 </template>
diff --git a/ui/src/components/LogViewer.vue b/ui/src/components/LogViewer.vue
index a89c5a5e0..ad3934861 100644
--- a/ui/src/components/LogViewer.vue
+++ b/ui/src/components/LogViewer.vue
@@ -26,7 +26,7 @@ const props = withDefaults(
     containerClass: '',
     containerStyle: undefined,
     loadingClass: 'text-xs dd-text-muted text-center py-6',
-    errorClass: 'text-[0.6875rem] px-3 py-2 dd-rounded',
+    errorClass: 'text-2xs-plus px-3 py-2 dd-rounded',
     errorStyle: () => ({
       backgroundColor: 'var(--dd-danger-muted)',
       color: 'var(--dd-danger)',
diff --git a/ui/src/components/NotificationBell.vue b/ui/src/components/NotificationBell.vue
index 767232148..321f162f2 100644
--- a/ui/src/components/NotificationBell.vue
+++ b/ui/src/components/NotificationBell.vue
@@ -1,6 +1,7 @@
 <script setup lang="ts">
 import { computed, onMounted, onUnmounted, ref } from 'vue';
 import { useRouter } from 'vue-router';
+import AppIconButton from '@/components/AppIconButton.vue';
 import { ROUTES } from '../router/routes';
 import { useStorageRef } from '../composables/useStorageRef';
 import { getAuditLog } from '../services/audit';
@@ -9,7 +10,16 @@ import { actionIcon, actionLabel, statusColor, timeAgo } from '../utils/audit-he
 
 const router = useRouter();
 
+const BELL_ACTIONS = [
+  'update-available',
+  'update-applied',
+  'update-failed',
+  'security-alert',
+  'agent-disconnect',
+];
+
 const showBell = ref(false);
+const bellPanelStyle = ref<Record<string, string>>({});
 const entries = ref<AuditEntry[]>([]);
 const loading = ref(false);
 const lastSeen = useStorageRef('dd-bell-last-seen', '');
@@ -22,7 +32,7 @@ const unreadCount = computed(() => {
 async function fetchEntries() {
   loading.value = true;
   try {
-    const data = await getAuditLog({ limit: 20 });
+    const data = await getAuditLog({ limit: 20, actions: BELL_ACTIONS });
     entries.value = data.entries ?? [];
   } catch {
     // Silently fail — bell is non-critical.
@@ -31,9 +41,16 @@ async function fetchEntries() {
   }
 }
 
-function toggle() {
+function toggle(event: MouseEvent) {
   showBell.value = !showBell.value;
   if (showBell.value) {
+    const button = event.currentTarget as HTMLElement;
+    const rect = button.getBoundingClientRect();
+    bellPanelStyle.value = {
+      position: 'fixed',
+      top: `${rect.bottom + 4}px`,
+      right: `${window.innerWidth - rect.right}px`,
+    };
     fetchEntries();
   }
 }
@@ -96,41 +113,45 @@ function isUnread(entry: AuditEntry): boolean {
 
 <template>
   <div class="relative notification-bell-wrapper">
-    <button aria-label="Notifications"
+    <AppIconButton
+            icon="notifications"
+            size="sm"
+            variant="secondary"
+            tooltip="Notifications"
+            aria-label="Notifications"
             :aria-expanded="String(showBell)"
-            class="relative flex items-center justify-center w-8 h-8 dd-rounded transition-colors dd-text-secondary hover:dd-bg-elevated hover:dd-text"
-            @click="toggle">
-      <AppIcon name="notifications" :size="18" />
-      <span v-if="unreadCount > 0"
-            class="badge-pulse absolute -top-0.5 -right-0.5 w-4 h-4 flex items-center justify-center rounded-full text-[0.5625rem] font-bold text-white"
-            style="background: var(--dd-danger);">
-        {{ unreadCount > 9 ? '9+' : unreadCount }}
-      </span>
-    </button>
+            class="relative"
+            @click="toggle"
+    />
+    <span v-if="unreadCount > 0"
+          class="badge-pulse absolute -top-0.5 -right-0.5 w-4 h-4 flex items-center justify-center rounded-full text-3xs font-bold text-white pointer-events-none"
+          style="background: var(--dd-danger);">
+      {{ unreadCount > 9 ? '9+' : unreadCount }}
+    </span>
     <Transition name="menu-fade">
-      <div v-if="showBell"
-           class="absolute right-0 top-full mt-1 w-[calc(100vw-1rem)] max-w-[380px] dd-rounded-lg shadow-lg z-50"
-           :style="{ backgroundColor: 'var(--dd-bg-card)', border: '1px solid var(--dd-border-strong)', boxShadow: 'var(--dd-shadow-lg)' }">
+      <div v-if="showBell" data-test="notification-dropdown"
+           class="w-[calc(100vw-1rem)] max-w-[380px] dd-rounded-lg shadow-lg"
+           :style="{ ...bellPanelStyle, zIndex: 'var(--z-popover)', backgroundColor: 'var(--dd-bg-card)', border: '1px solid var(--dd-border-strong)', boxShadow: 'var(--dd-shadow-tooltip)' }">
         <!-- Header -->
         <div class="flex items-center justify-between px-3 py-2"
              :style="{ borderBottom: '1px solid var(--dd-border)' }">
-          <span class="text-[0.6875rem] font-semibold uppercase tracking-wider dd-text-muted">Notifications</span>
-          <button v-if="unreadCount > 0"
-                  class="text-[0.625rem] font-medium dd-text-secondary hover:dd-text transition-colors"
+          <span class="text-2xs-plus font-semibold uppercase tracking-wider dd-text-muted">Notifications</span>
+          <AppButton size="none" variant="plain" weight="none" v-if="unreadCount > 0"
+                  class="text-2xs font-medium dd-text-secondary hover:dd-text transition-colors"
                   @click="markAllRead">
             Mark all read
-          </button>
+          </AppButton>
         </div>
 
         <!-- Scrollable list -->
         <div class="max-h-[400px] overflow-y-auto">
-          <div v-if="loading && entries.length === 0" class="px-3 py-6 text-center text-[0.6875rem] dd-text-muted">
+          <div v-if="loading && entries.length === 0" class="px-3 py-6 text-center text-2xs-plus dd-text-muted">
             Loading...
           </div>
-          <div v-else-if="entries.length === 0" class="px-3 py-6 text-center text-[0.6875rem] dd-text-muted">
+          <div v-else-if="entries.length === 0" class="px-3 py-6 text-center text-2xs-plus dd-text-muted">
             No notifications yet
           </div>
-          <button v-for="entry in entries"
+          <AppButton size="none" variant="plain" weight="none" v-for="entry in entries"
                   :key="entry.id"
                   class="w-full text-left px-3 py-2 flex items-start gap-2.5 transition-colors hover:dd-bg-elevated"
                   :style="{ borderBottom: '1px solid var(--dd-border)' }"
@@ -140,29 +161,29 @@ function isUnread(entry: AuditEntry): boolean {
                      class="shrink-0 mt-0.5"
                      :style="{ color: statusColor(entry.status) }" />
             <div class="flex-1 min-w-0">
-              <div class="text-[0.6875rem] truncate dd-text"
+              <div class="text-2xs-plus truncate dd-text"
                    :class="{ 'font-bold': isUnread(entry), 'font-medium': !isUnread(entry) }">
                 {{ actionLabel(entry.action) }}
               </div>
-              <div class="text-[0.625rem] truncate dd-text-muted font-mono mt-0.5">
+              <div class="text-2xs truncate dd-text-muted font-mono mt-0.5">
                 {{ entry.containerName }}
               </div>
-              <div v-if="versionSummary(entry)" class="text-[0.625rem] dd-text-secondary font-mono mt-0.5">
+              <div v-if="versionSummary(entry)" class="text-2xs dd-text-secondary font-mono mt-0.5">
                 {{ versionSummary(entry) }}
               </div>
             </div>
-            <span class="text-[0.625rem] dd-text-muted whitespace-nowrap shrink-0 mt-0.5">
+            <span class="text-2xs dd-text-muted whitespace-nowrap shrink-0 mt-0.5">
               {{ timeAgo(entry.timestamp) }}
             </span>
-          </button>
+          </AppButton>
         </div>
 
         <!-- Footer -->
-        <button class="w-full text-center px-3 py-2 text-[0.6875rem] font-medium dd-text-secondary hover:dd-text transition-colors"
+        <AppButton size="none" variant="plain" weight="none" class="w-full text-center px-3 py-2 text-2xs-plus font-medium dd-text-secondary hover:dd-text transition-colors"
                 :style="{ borderTop: '1px solid var(--dd-border)' }"
                 @click="viewAll">
           View all
-        </button>
+        </AppButton>
       </div>
     </Transition>
   </div>
diff --git a/ui/src/components/ScanProgressBanner.vue b/ui/src/components/ScanProgressBanner.vue
index 0a9148b5e..49fee0f9c 100644
--- a/ui/src/components/ScanProgressBanner.vue
+++ b/ui/src/components/ScanProgressBanner.vue
@@ -8,7 +8,7 @@ defineProps<{
   <div class="my-3 px-3 py-2 dd-rounded flex items-center gap-2.5"
        :style="{ backgroundColor: 'var(--dd-info-muted)', border: '1px solid var(--dd-info)' }">
     <AppIcon name="restart" :size="12" class="animate-spin shrink-0" :style="{ color: 'var(--dd-info)' }" />
-    <span class="text-[0.6875rem] font-semibold" :style="{ color: 'var(--dd-info)' }">
+    <span class="text-2xs-plus font-semibold" :style="{ color: 'var(--dd-info)' }">
       Scanning {{ progress.done }}/{{ progress.total }} containers...
     </span>
     <div class="flex-1 h-1 dd-rounded overflow-hidden" :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
diff --git a/ui/src/components/SecurityEmptyState.vue b/ui/src/components/SecurityEmptyState.vue
index b018f21d3..025083ee2 100644
--- a/ui/src/components/SecurityEmptyState.vue
+++ b/ui/src/components/SecurityEmptyState.vue
@@ -1,4 +1,6 @@
 <script setup lang="ts">
+import ScanProgressText from './ScanProgressText.vue';
+
 withDefaults(
   defineProps<{
     hasVulnerabilityData: boolean;
@@ -48,14 +50,14 @@ defineEmits<{
       {{ scannerMessage }}
     </p>
     <div class="flex items-center gap-2 mt-2">
-      <button
+      <AppButton size="none" variant="plain" weight="none"
         v-if="activeFilterCount > 0"
         data-testid="security-empty-clear-filters"
         class="text-xs font-medium px-3 py-1.5 dd-rounded transition-colors text-drydock-secondary bg-drydock-secondary/10 hover:bg-drydock-secondary/20"
         @click="$emit('clear-filters')"
       >
         Clear all filters
-      </button>
+      </AppButton>
 
       <a
         v-if="!hasVulnerabilityData && scannerSetupNeeded"
@@ -69,7 +71,7 @@ defineEmits<{
       </a>
 
       <span v-if="!hasVulnerabilityData && !scannerSetupNeeded" class="inline-flex" v-tooltip.top="scanDisabledReason">
-        <button
+        <AppButton size="none" variant="plain" weight="none"
           data-testid="security-empty-scan-now"
           class="text-xs font-medium px-3 py-1.5 dd-rounded transition-colors flex items-center gap-1.5"
           :class="
@@ -87,7 +89,7 @@ defineEmits<{
           <template v-else>
             Scan Now
           </template>
-        </button>
+        </AppButton>
       </span>
     </div>
   </div>
diff --git a/ui/src/components/StatusDot.vue b/ui/src/components/StatusDot.vue
new file mode 100644
index 000000000..be1dda9b4
--- /dev/null
+++ b/ui/src/components/StatusDot.vue
@@ -0,0 +1,46 @@
+<script setup lang="ts">
+import { computed } from 'vue';
+
+type Status = 'connected' | 'disconnected' | 'running' | 'stopped' | 'warning' | 'idle';
+
+interface Props {
+  status?: Status;
+  color?: string;
+  size?: 'sm' | 'md' | 'lg';
+  pulse?: boolean;
+}
+
+const props = withDefaults(defineProps<Props>(), {
+  size: 'md',
+  pulse: false,
+});
+
+const sizeClass: Record<string, string> = {
+  sm: 'w-1.5 h-1.5',
+  md: 'w-2 h-2',
+  lg: 'w-2.5 h-2.5',
+};
+
+const statusColorMap: Record<Status, string> = {
+  connected: 'var(--dd-success)',
+  running: 'var(--dd-success)',
+  disconnected: 'var(--dd-danger)',
+  stopped: 'var(--dd-danger)',
+  warning: 'var(--dd-warning)',
+  idle: 'var(--dd-text-muted)',
+};
+
+const resolvedColor = computed(() => {
+  if (props.color) return props.color;
+  if (props.status) return statusColorMap[props.status];
+  return 'var(--dd-text-muted)';
+});
+</script>
+
+<template>
+  <span
+    :class="['rounded-full shrink-0 inline-block', sizeClass[props.size], props.pulse && 'animate-pulse']"
+    :style="{ backgroundColor: resolvedColor }"
+    role="presentation"
+  />
+</template>
diff --git a/ui/src/components/ThemeToggle.vue b/ui/src/components/ThemeToggle.vue
index eb84f0f6c..034d46fe1 100644
--- a/ui/src/components/ThemeToggle.vue
+++ b/ui/src/components/ThemeToggle.vue
@@ -1,5 +1,6 @@
 <script setup lang="ts">
 import { computed, ref } from 'vue';
+import { iconButtonIconSizes, iconButtonPixels } from './appIconButtonSizes';
 import { useBreakpoints } from '../composables/useBreakpoints';
 import { useTheme } from '../theme/useTheme';
 
@@ -21,8 +22,8 @@ const variants = [
 
 const expanded = ref(false);
 
-const cellSize = computed(() => (props.size === 'md' ? 32 : 32));
-const iconSize = computed(() => (props.size === 'md' ? 14 : 15));
+const cellSize = computed(() => iconButtonPixels[props.size]);
+const iconSize = computed(() => iconButtonIconSizes[props.size]);
 
 const activeIndex = computed(() => variants.findIndex((v) => v.id === themeVariant.value));
 const activeVariant = computed(() => variants[activeIndex.value]);
diff --git a/ui/src/components/agents/AgentDetailConfigTab.vue b/ui/src/components/agents/AgentDetailConfigTab.vue
index 0ee512cc7..a7f993149 100644
--- a/ui/src/components/agents/AgentDetailConfigTab.vue
+++ b/ui/src/components/agents/AgentDetailConfigTab.vue
@@ -18,7 +18,7 @@ const props = defineProps<{
       class="flex items-center justify-between px-3 py-2 dd-rounded"
       :style="{ backgroundColor: 'var(--dd-bg-inset)' }"
     >
-      <span class="text-[0.625rem] font-semibold uppercase tracking-wider dd-text-muted">{{ field.label }}</span>
+      <span class="text-2xs font-semibold uppercase tracking-wider dd-text-muted">{{ field.label }}</span>
       <span class="text-xs font-mono" :class="field.muted ? 'dd-text-muted' : 'dd-text'">{{ field.value }}</span>
     </div>
   </div>
diff --git a/ui/src/components/agents/AgentDetailLogsTab.vue b/ui/src/components/agents/AgentDetailLogsTab.vue
index bc3405eab..56f4815b0 100644
--- a/ui/src/components/agents/AgentDetailLogsTab.vue
+++ b/ui/src/components/agents/AgentDetailLogsTab.vue
@@ -1,5 +1,6 @@
 <script setup lang="ts">
 import { computed } from 'vue';
+import AppIconButton from '../AppIconButton.vue';
 import LogViewer from '../LogViewer.vue';
 
 interface AgentLog {
@@ -61,15 +62,15 @@ function asLog(entry: unknown): AgentLog {
       :panel-style="{ backgroundColor: 'var(--dd-bg-code)' }"
       container-class="px-1"
       container-style="box-shadow: var(--dd-shadow-inset);"
-      error-class="mx-3 mt-3 text-[0.6875rem] px-3 py-2 dd-rounded"
-      empty-class="px-3 py-4 text-[0.6875rem] dd-text-muted text-center"
+      error-class="mx-3 mt-3 text-2xs-plus px-3 py-2 dd-rounded"
+      empty-class="px-3 py-4 text-2xs-plus dd-text-muted text-center"
     >
       <template #controls>
         <div class="px-3 py-2 flex flex-wrap items-center gap-2">
           <select
             v-model="logLevelFilterModel"
             data-testid="agent-log-level-filter"
-            class="px-2 py-1.5 dd-rounded text-[0.6875rem] font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text"
+            class="px-2 py-1.5 dd-rounded text-2xs-plus font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text"
           >
             <option value="all">All Levels</option>
             <option value="debug">Debug</option>
@@ -81,7 +82,7 @@ function asLog(entry: unknown): AgentLog {
           <select
             v-model.number="tailModel"
             data-testid="agent-log-tail-filter"
-            class="px-2 py-1.5 dd-rounded text-[0.6875rem] font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text"
+            class="px-2 py-1.5 dd-rounded text-2xs-plus font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text"
           >
             <option :value="50">Tail 50</option>
             <option :value="100">Tail 100</option>
@@ -94,53 +95,55 @@ function asLog(entry: unknown): AgentLog {
             data-testid="agent-log-component-filter"
             type="text"
             placeholder="Filter by component..."
-            class="flex-1 min-w-[160px] px-2.5 py-1.5 dd-rounded text-[0.6875rem] font-medium outline-none dd-bg dd-text dd-placeholder"
+            class="flex-1 min-w-[160px] px-2.5 py-1.5 dd-rounded text-2xs-plus font-medium outline-none dd-bg dd-text dd-placeholder"
             @keyup.enter="emit('refresh')"
           />
 
-          <button
+          <AppButton size="none" variant="plain" weight="none"
             data-testid="agent-log-apply"
-            class="px-3 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors dd-bg-elevated dd-text hover:opacity-90"
+            class="px-3 py-1.5 dd-rounded text-2xs-plus font-semibold transition-colors dd-bg-elevated dd-text hover:opacity-90"
             :class="props.loading ? 'opacity-50 pointer-events-none' : ''"
             @click="emit('refresh')"
           >
             Apply
-          </button>
-          <button
-            class="px-3 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors dd-text-muted hover:dd-text"
+          </AppButton>
+          <AppButton size="none" variant="plain" weight="none"
+            class="px-3 py-1.5 dd-rounded text-2xs-plus font-semibold transition-colors dd-text-muted hover:dd-text"
             :class="props.loading ? 'opacity-50 pointer-events-none' : ''"
             @click="emit('reset')"
           >
             Reset
-          </button>
-          <button
+          </AppButton>
+          <AppIconButton
+            icon="refresh"
+            size="toolbar"
+            variant="plain"
             data-testid="agent-log-refresh"
-            class="p-1.5 dd-rounded transition-colors dd-text-muted hover:dd-text"
-            :class="props.loading ? 'opacity-50 pointer-events-none' : ''"
-            v-tooltip.top="'Refresh'"
+            class="dd-text-muted hover:dd-text"
+            :class="props.loading ? 'pointer-events-none' : ''"
+            tooltip="Refresh"
+            :disabled="props.loading"
             @click="emit('refresh')"
-          >
-            <AppIcon name="refresh" :size="12" />
-          </button>
+          />
         </div>
       </template>
 
       <template #meta>
-        <div class="px-3 py-1 text-[0.625rem] dd-text-muted">
+        <div class="px-3 py-1 text-2xs dd-text-muted">
           Last fetched: {{ props.formatLastFetched(props.lastFetchedIso) }}
         </div>
       </template>
 
       <template #entry="{ entry }">
         <div
-          class="px-3 py-[3px] font-mono text-[0.6875rem] leading-relaxed flex gap-3 transition-colors"
+          class="px-3 py-[3px] font-mono text-2xs-plus leading-relaxed flex gap-3 transition-colors"
           :style="{ borderBottom: '1px solid var(--dd-log-line)' }"
         >
           <span class="shrink-0 tabular-nums" style="color: var(--dd-log-text-muted);">
             {{ props.formatTimestamp(asLog(entry).timestamp) }}
           </span>
           <span
-            class="shrink-0 w-11 text-right font-semibold uppercase text-[0.625rem]"
+            class="shrink-0 w-11 text-right font-semibold uppercase text-2xs"
             :style="{
               color: asLog(entry).level === 'error' ? 'var(--dd-danger)'
                    : asLog(entry).level === 'warn' ? 'var(--dd-warning)'
@@ -160,7 +163,7 @@ function asLog(entry: unknown): AgentLog {
           class="shrink-0 px-4 py-2 flex items-center justify-between"
           :style="{ borderTop: '1px solid var(--dd-log-divider)', backgroundColor: 'var(--dd-log-footer-bg)' }"
         >
-          <span class="text-[0.625rem] font-medium" style="color: var(--dd-log-text-muted);">
+          <span class="text-2xs font-medium" style="color: var(--dd-log-text-muted);">
             {{ props.logs.length }} entries
           </span>
           <div class="flex items-center gap-1.5">
@@ -169,7 +172,7 @@ function asLog(entry: unknown): AgentLog {
               :style="{ backgroundColor: props.status === 'connected' ? 'var(--dd-success)' : 'var(--dd-danger)' }"
             />
             <span
-              class="text-[0.625rem] font-semibold"
+              class="text-2xs font-semibold"
               :style="{ color: props.status === 'connected' ? 'var(--dd-success)' : 'var(--dd-danger)' }"
             >
               {{ props.status === 'connected' ? 'Live' : 'Offline' }}
diff --git a/ui/src/components/agents/AgentDetailOverviewTab.vue b/ui/src/components/agents/AgentDetailOverviewTab.vue
index 2b63ed6fd..1e7d1ad2b 100644
--- a/ui/src/components/agents/AgentDetailOverviewTab.vue
+++ b/ui/src/components/agents/AgentDetailOverviewTab.vue
@@ -20,32 +20,34 @@ const props = defineProps<{
   resourceFields: AgentDetailField[];
   systemFields: AgentDetailField[];
 }>();
+
+defineEmits<{ 'view-containers': [] }>();
 </script>
 
 <template>
   <div class="p-4 space-y-5">
     <div v-if="props.resourceFields.length > 0">
-      <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-2 dd-text-muted">Resources</div>
+      <div class="text-2xs font-semibold uppercase tracking-wider mb-2 dd-text-muted">Resources</div>
       <div class="grid grid-cols-2 gap-2">
         <div
           v-for="field in props.resourceFields"
           :key="field.label"
-          class="px-2.5 py-1.5 dd-rounded text-[0.6875rem]"
+          class="px-2.5 py-1.5 dd-rounded text-2xs-plus"
           :style="{ backgroundColor: 'var(--dd-bg-inset)' }"
         >
-          <div class="text-[0.625rem] dd-text-muted">{{ field.label }}</div>
+          <div class="text-2xs dd-text-muted">{{ field.label }}</div>
           <div class="font-semibold" :class="field.muted ? 'dd-text-muted' : 'dd-text'">{{ field.value }}</div>
         </div>
       </div>
     </div>
 
     <div v-if="props.systemFields.length > 0">
-      <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-2 dd-text-muted">System</div>
+      <div class="text-2xs font-semibold uppercase tracking-wider mb-2 dd-text-muted">System</div>
       <div class="space-y-1">
         <div
           v-for="field in props.systemFields"
           :key="field.label"
-          class="flex items-center justify-between px-2.5 py-1.5 dd-rounded text-[0.6875rem]"
+          class="flex items-center justify-between px-2.5 py-1.5 dd-rounded text-2xs-plus"
           :style="{ backgroundColor: 'var(--dd-bg-inset)' }"
         >
           <span class="dd-text-muted">{{ field.label }}</span>
@@ -55,15 +57,15 @@ const props = defineProps<{
     </div>
 
     <div>
-      <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-2 dd-text-muted">Containers</div>
+      <div class="text-2xs font-semibold uppercase tracking-wider mb-2 dd-text-muted">Containers</div>
       <div class="grid grid-cols-3 gap-2 text-center">
         <div class="px-2 py-2 dd-rounded" :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
           <div class="text-lg font-bold dd-text">{{ props.agent.containers.total }}</div>
-          <div class="text-[0.625rem] dd-text-muted">Total</div>
+          <div class="text-2xs dd-text-muted">Total</div>
         </div>
         <div class="px-2 py-2 dd-rounded" :style="{ backgroundColor: 'var(--dd-success-muted)' }">
           <div class="text-lg font-bold" :style="{ color: 'var(--dd-success)' }">{{ props.agent.containers.running }}</div>
-          <div class="text-[0.625rem]" :style="{ color: 'var(--dd-success)' }">Running</div>
+          <div class="text-2xs" :style="{ color: 'var(--dd-success)' }">Running</div>
         </div>
         <div
           class="px-2 py-2 dd-rounded"
@@ -76,51 +78,61 @@ const props = defineProps<{
             {{ props.agent.containers.stopped }}
           </div>
           <div
-            class="text-[0.625rem]"
+            class="text-2xs"
             :style="{ color: props.agent.containers.stopped > 0 ? 'var(--dd-danger)' : 'var(--dd-text-muted)' }"
           >
             Stopped
           </div>
         </div>
       </div>
+      <AppButton
+        v-if="props.agent.containers.total > 0"
+        size="none"
+        variant="plain"
+        weight="none"
+        class="mt-2 inline-flex items-center gap-1 text-2xs-plus font-medium transition-colors text-drydock-secondary hover:text-drydock-secondary-hover"
+        @click="$emit('view-containers')">
+        <AppIcon name="arrow-right" :size="10" />
+        View containers
+      </AppButton>
     </div>
 
     <div>
-      <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-2 dd-text-muted">Automation</div>
+      <div class="text-2xs font-semibold uppercase tracking-wider mb-2 dd-text-muted">Automation</div>
       <div class="space-y-2">
-        <div class="px-2.5 py-2 dd-rounded text-[0.6875rem]" :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+        <div class="px-2.5 py-2 dd-rounded text-2xs-plus" :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
           <div class="flex items-center justify-between gap-2">
             <span class="font-semibold dd-text">Watchers</span>
-            <span class="text-[0.625rem] dd-text-muted">{{ props.agent.watchers.length }}</span>
+            <span class="text-2xs dd-text-muted">{{ props.agent.watchers.length }}</span>
           </div>
           <div class="mt-1.5 flex flex-wrap gap-1.5">
             <span
               v-for="watcherName in props.agent.watchers"
               :key="watcherName"
-              class="px-1.5 py-0.5 dd-rounded text-[0.625rem] font-mono dd-bg-elevated dd-text-secondary"
+              class="px-1.5 py-0.5 dd-rounded text-2xs font-mono dd-bg-elevated dd-text-secondary"
             >
               {{ watcherName }}
             </span>
-            <span v-if="props.agent.watchers.length === 0" class="text-[0.625rem] italic dd-text-muted">
+            <span v-if="props.agent.watchers.length === 0" class="text-2xs italic dd-text-muted">
               None
             </span>
           </div>
         </div>
 
-        <div class="px-2.5 py-2 dd-rounded text-[0.6875rem]" :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+        <div class="px-2.5 py-2 dd-rounded text-2xs-plus" :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
           <div class="flex items-center justify-between gap-2">
             <span class="font-semibold dd-text">Triggers</span>
-            <span class="text-[0.625rem] dd-text-muted">{{ props.agent.triggers.length }}</span>
+            <span class="text-2xs dd-text-muted">{{ props.agent.triggers.length }}</span>
           </div>
           <div class="mt-1.5 flex flex-wrap gap-1.5">
             <span
               v-for="triggerName in props.agent.triggers"
               :key="triggerName"
-              class="px-1.5 py-0.5 dd-rounded text-[0.625rem] font-mono dd-bg-elevated dd-text-secondary"
+              class="px-1.5 py-0.5 dd-rounded text-2xs font-mono dd-bg-elevated dd-text-secondary"
             >
               {{ triggerName }}
             </span>
-            <span v-if="props.agent.triggers.length === 0" class="text-[0.625rem] italic dd-text-muted">
+            <span v-if="props.agent.triggers.length === 0" class="text-2xs italic dd-text-muted">
               None
             </span>
           </div>
diff --git a/ui/src/components/appIconButtonSizes.ts b/ui/src/components/appIconButtonSizes.ts
new file mode 100644
index 000000000..d996c7d2f
--- /dev/null
+++ b/ui/src/components/appIconButtonSizes.ts
@@ -0,0 +1,25 @@
+export type IconButtonSize = 'toolbar' | 'xs' | 'sm' | 'md' | 'lg';
+
+export const iconButtonSizeClasses: Record<IconButtonSize, string> = {
+  toolbar: 'w-8 h-8',
+  xs: 'w-10 h-10',
+  sm: 'w-11 h-11',
+  md: 'w-12 h-12',
+  lg: 'w-14 h-14',
+};
+
+export const iconButtonPixels: Record<IconButtonSize, number> = {
+  toolbar: 32,
+  xs: 40,
+  sm: 44,
+  md: 48,
+  lg: 56,
+};
+
+export const iconButtonIconSizes: Record<IconButtonSize, number> = {
+  toolbar: 15,
+  xs: 16,
+  sm: 18,
+  md: 20,
+  lg: 24,
+};
diff --git a/ui/src/components/config/ConfigAppearanceTab.vue b/ui/src/components/config/ConfigAppearanceTab.vue
index 4e23d4c85..abf40507b 100644
--- a/ui/src/components/config/ConfigAppearanceTab.vue
+++ b/ui/src/components/config/ConfigAppearanceTab.vue
@@ -74,11 +74,11 @@ function handleFontSizeInput(event: Event) {
     >
       <div class="flex items-center gap-2 px-5 py-3" :style="{ borderBottom: '1px solid var(--dd-border)' }">
         <AppIcon name="settings" :size="14" class="text-drydock-secondary" />
-        <h2 class="text-sm font-semibold dd-text">Color Theme</h2>
+        <h2 class="dd-text-heading-section dd-text">Color Theme</h2>
       </div>
       <div class="p-4">
         <div class="grid grid-cols-2 gap-3">
-          <button
+          <AppButton size="none" variant="plain" weight="none"
             v-for="fam in props.themeFamilies"
             :key="fam.id"
             class="dd-rounded p-3 text-left transition-[color,background-color,border-color,opacity,transform,box-shadow] border"
@@ -104,10 +104,10 @@ function handleFontSizeInput(event: Event) {
                 {{ fam.label }}
               </span>
             </div>
-            <div class="text-[0.625rem] dd-text-muted">
+            <div class="text-2xs dd-text-muted">
               {{ fam.description }}
             </div>
-          </button>
+          </AppButton>
         </div>
       </div>
     </div>
@@ -121,11 +121,11 @@ function handleFontSizeInput(event: Event) {
     >
       <div class="px-5 py-3.5 flex items-center gap-2" :style="{ borderBottom: '1px solid var(--dd-border)' }">
         <AppIcon name="terminal" :size="14" class="text-drydock-secondary" />
-        <h2 class="text-sm font-semibold dd-text">Font Family</h2>
+        <h2 class="dd-text-heading-section dd-text">Font Family</h2>
       </div>
       <div class="p-5">
         <div class="grid grid-cols-1 sm:grid-cols-2 gap-2">
-          <button
+          <AppButton size="none" variant="plain" weight="none"
             v-for="font in props.fontOptions"
             :key="font.id"
             class="flex items-center gap-3 px-4 py-3 dd-rounded text-left transition-colors border"
@@ -142,7 +142,7 @@ function handleFontSizeInput(event: Event) {
             <div class="flex-1 min-w-0">
               <div class="flex items-center gap-1.5">
                 <span
-                  class="text-[0.8125rem] font-semibold truncate"
+                  class="text-xs-plus font-semibold truncate"
                   :style="props.isFontLoaded(font.id) ? { fontFamily: font.family } : {}"
                   :class="props.activeFont === font.id ? 'text-drydock-secondary' : 'dd-text'"
                 >
@@ -150,14 +150,14 @@ function handleFontSizeInput(event: Event) {
                 </span>
                 <span
                   v-if="font.bundled"
-                  class="text-[0.5rem] font-bold uppercase tracking-wider dd-text-muted px-1 py-0.5 dd-rounded-sm"
+                  class="text-4xs font-bold uppercase tracking-wider dd-text-muted px-1 py-0.5 dd-rounded-sm"
                   :style="{ backgroundColor: 'var(--dd-bg-elevated)' }"
                 >
                   default
                 </span>
               </div>
               <div
-                class="text-[0.625rem] mt-0.5 truncate dd-text-muted"
+                class="text-2xs mt-0.5 truncate dd-text-muted"
                 :style="props.isFontLoaded(font.id) ? { fontFamily: font.family } : {}"
               >
                 The quick brown fox jumps over the lazy dog
@@ -169,7 +169,7 @@ function handleFontSizeInput(event: Event) {
               :size="14"
               class="text-drydock-secondary shrink-0"
             />
-          </button>
+          </AppButton>
         </div>
       </div>
     </div>
@@ -183,11 +183,11 @@ function handleFontSizeInput(event: Event) {
     >
       <div class="px-5 py-3.5 flex items-center gap-2" :style="{ borderBottom: '1px solid var(--dd-border)' }">
         <AppIcon name="settings" :size="14" class="text-drydock-secondary" />
-        <h2 class="text-sm font-semibold dd-text">Font Size</h2>
+        <h2 class="dd-text-heading-section dd-text">Font Size</h2>
       </div>
       <div class="p-5">
         <div class="flex items-center gap-4">
-          <span class="text-[0.625rem] dd-text-muted font-semibold">A</span>
+          <span class="text-2xs dd-text-muted font-semibold">A</span>
           <input
             type="range"
             min="0.8"
@@ -200,7 +200,7 @@ function handleFontSizeInput(event: Event) {
           />
           <span class="text-base dd-text-muted font-semibold">A</span>
         </div>
-        <div class="text-center mt-2 text-[0.6875rem] dd-text-muted">
+        <div class="text-center mt-2 text-2xs-plus dd-text-muted">
           {{ Math.round(props.fontSize * 100) }}%
         </div>
       </div>
@@ -215,11 +215,11 @@ function handleFontSizeInput(event: Event) {
     >
       <div class="px-5 py-3.5 flex items-center gap-2" :style="{ borderBottom: '1px solid var(--dd-border)' }">
         <AppIcon name="dashboard" :size="14" class="text-drydock-secondary" />
-        <h2 class="text-sm font-semibold dd-text">Icon Library</h2>
+        <h2 class="dd-text-heading-section dd-text">Icon Library</h2>
       </div>
       <div class="p-5">
         <div class="grid grid-cols-1 sm:grid-cols-2 lg:grid-cols-3 gap-2">
-          <button
+          <AppButton size="none" variant="plain" weight="none"
             v-for="(label, lib) in props.libraryLabels"
             :key="lib"
             class="flex items-center gap-3 px-4 py-3 dd-rounded text-left transition-colors border"
@@ -247,14 +247,14 @@ function handleFontSizeInput(event: Event) {
               <div class="text-xs font-semibold" :class="props.iconLibrary === lib ? 'text-drydock-secondary' : 'dd-text'">
                 {{ label }}
               </div>
-              <div class="text-[0.625rem] dd-text-muted">
+              <div class="text-2xs dd-text-muted">
                 {{ lib }}
               </div>
             </div>
             <div v-if="props.iconLibrary === lib" class="ml-auto shrink-0">
               <AppIcon name="check" :size="14" class="text-drydock-secondary" />
             </div>
-          </button>
+          </AppButton>
         </div>
       </div>
     </div>
@@ -268,7 +268,7 @@ function handleFontSizeInput(event: Event) {
     >
       <div class="px-5 py-3.5 flex items-center gap-2" :style="{ borderBottom: '1px solid var(--dd-border)' }">
         <AppIcon name="containers" :size="14" class="text-drydock-secondary" />
-        <h2 class="text-sm font-semibold dd-text">Icon Size</h2>
+        <h2 class="dd-text-heading-section dd-text">Icon Size</h2>
       </div>
       <div class="p-5">
         <div class="flex items-center gap-4">
@@ -285,7 +285,7 @@ function handleFontSizeInput(event: Event) {
           />
           <AppIcon name="dashboard" :size="20" class="dd-text-muted" />
         </div>
-        <div class="text-center mt-2 text-[0.6875rem] dd-text-muted">
+        <div class="text-center mt-2 text-2xs-plus dd-text-muted">
           {{ Math.round(props.iconScale * 100) }}%
         </div>
       </div>
@@ -300,11 +300,11 @@ function handleFontSizeInput(event: Event) {
         class="px-5 py-3.5 flex items-center gap-2"
       >
         <AppIcon name="settings" :size="14" class="text-drydock-secondary" />
-        <h2 class="text-sm font-semibold dd-text">Border Radius</h2>
+        <h2 class="dd-text-heading-section dd-text">Border Radius</h2>
       </div>
       <div class="p-5">
         <div class="grid grid-cols-5 gap-2">
-          <button
+          <AppButton size="none" variant="plain" weight="none"
             v-for="p in props.radiusPresets"
             :key="p.id"
             class="flex flex-col items-center gap-2 px-3 py-3 dd-rounded transition-colors"
@@ -321,12 +321,12 @@ function handleFontSizeInput(event: Event) {
               :style="{ borderRadius: p.md + 'px', backgroundColor: props.activeRadius === p.id ? 'var(--dd-primary-muted)' : 'transparent' }"
             />
             <div
-              class="text-[0.6875rem] font-semibold"
+              class="text-2xs-plus font-semibold"
               :class="props.activeRadius === p.id ? 'text-drydock-secondary' : 'dd-text'"
             >
               {{ p.label }}
             </div>
-          </button>
+          </AppButton>
         </div>
       </div>
     </div>
diff --git a/ui/src/components/config/ConfigGeneralTab.vue b/ui/src/components/config/ConfigGeneralTab.vue
index 5d44cdf13..427eedc06 100644
--- a/ui/src/components/config/ConfigGeneralTab.vue
+++ b/ui/src/components/config/ConfigGeneralTab.vue
@@ -1,20 +1,11 @@
 <script setup lang="ts">
+import AppBadge from '@/components/AppBadge.vue';
+
 interface InfoField {
   label: string;
   value: string;
 }
 
-interface LegacyInputSourceSummary {
-  total: number;
-  keys: string[];
-}
-
-interface LegacyInputSummary {
-  total: number;
-  env: LegacyInputSourceSummary;
-  label: LegacyInputSourceSummary;
-}
-
 interface WebhookEndpoint {
   endpoint: string;
   description: string;
@@ -24,10 +15,6 @@ const props = defineProps<{
   loading: boolean;
   serverError: string;
   settingsError: string;
-  hasLegacyCompatibilityInputs: boolean;
-  legacyInputSummary: LegacyInputSummary | null;
-  legacyEnvKeysPreview: string;
-  legacyLabelKeysPreview: string;
   serverFields: InfoField[];
   storeFields: InfoField[];
   webhookEnabled: boolean;
@@ -37,11 +24,14 @@ const props = defineProps<{
   settingsLoading: boolean;
   cacheClearing: boolean;
   cacheCleared: number | null;
+  debugDumpDownloading: boolean;
+  debugDumpError: string;
 }>();
 
 const emit = defineEmits<{
   (e: 'toggle-internetless-mode'): void;
   (e: 'clear-icon-cache'): void;
+  (e: 'download-debug-dump'): void;
 }>();
 </script>
 
@@ -49,7 +39,7 @@ const emit = defineEmits<{
   <div class="space-y-6">
     <div
       v-if="props.serverError"
-      class="px-3 py-2 text-[0.6875rem] dd-rounded"
+      class="px-3 py-2 text-2xs-plus dd-rounded"
       :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }"
     >
       {{ props.serverError }}
@@ -57,65 +47,12 @@ const emit = defineEmits<{
 
     <div
       v-if="props.settingsError"
-      class="px-3 py-2 text-[0.6875rem] dd-rounded"
+      class="px-3 py-2 text-2xs-plus dd-rounded"
       :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }"
     >
       {{ props.settingsError }}
     </div>
 
-    <div
-      v-if="props.hasLegacyCompatibilityInputs"
-      data-testid="legacy-input-banner"
-      class="px-4 py-3 dd-rounded"
-      :style="{
-        backgroundColor: 'var(--dd-warning-muted)',
-        border: '1px solid var(--dd-warning)',
-      }"
-    >
-      <div class="flex items-start justify-between gap-3">
-        <div>
-          <div class="text-xs font-semibold" :style="{ color: 'var(--dd-warning)' }">
-            Legacy compatibility inputs detected
-          </div>
-          <p class="text-[0.6875rem] dd-text-secondary mt-1">
-            Deprecated <code class="font-mono">WUD_*</code> environment variables and
-            <code class="font-mono">wud.*</code> labels are still in use.
-          </p>
-        </div>
-        <span
-          class="px-2 py-1 text-[0.625rem] font-semibold dd-rounded"
-          :style="{
-            backgroundColor: 'var(--dd-bg-card)',
-            border: '1px solid var(--dd-warning)',
-            color: 'var(--dd-warning)',
-          }"
-        >
-          {{ props.legacyInputSummary?.total }} events
-        </span>
-      </div>
-      <div class="mt-2 space-y-1.5 text-[0.625rem] dd-text-secondary">
-        <div v-if="props.legacyInputSummary?.env.total">
-          Env keys ({{ props.legacyInputSummary?.env.total }}):
-          {{ props.legacyEnvKeysPreview }}
-        </div>
-        <div v-if="props.legacyInputSummary?.label.total">
-          Label keys ({{ props.legacyInputSummary?.label.total }}):
-          {{ props.legacyLabelKeysPreview }}
-        </div>
-      </div>
-      <p class="mt-2 text-[0.625rem] dd-text-secondary">
-        Run <code class="font-mono">node dist/index.js config migrate --dry-run</code> then
-        <code class="font-mono">node dist/index.js config migrate --file &lt;path&gt;</code>.
-        <a
-          href="https://getdrydock.com/docs/quickstart"
-          target="_blank"
-          rel="noopener noreferrer"
-          class="underline ml-1"
-          :style="{ color: 'var(--dd-warning)' }"
-        >Migration CLI docs</a>
-      </p>
-    </div>
-
     <div
       class="dd-rounded overflow-hidden"
       :style="{
@@ -126,7 +63,7 @@ const emit = defineEmits<{
         class="px-5 py-3.5 flex items-center gap-2"
       >
         <AppIcon name="settings" :size="14" class="text-drydock-secondary" />
-        <h2 class="text-sm font-semibold dd-text">Application</h2>
+        <h2 class="dd-text-heading-section dd-text">Application</h2>
       </div>
       <div class="p-5 space-y-4">
         <div v-if="props.loading" class="flex items-center justify-center gap-2 text-xs dd-text-muted py-4">
@@ -140,7 +77,7 @@ const emit = defineEmits<{
             class="flex items-center justify-between py-2"
             :style="{ borderBottom: '1px solid var(--dd-border)' }"
           >
-            <span class="text-[0.6875rem] font-semibold uppercase tracking-wider dd-text-muted">{{ field.label }}</span>
+            <span class="text-2xs-plus font-semibold uppercase tracking-wider dd-text-muted">{{ field.label }}</span>
             <span class="text-xs font-medium font-mono dd-text">{{ field.value }}</span>
           </div>
         </template>
@@ -157,7 +94,7 @@ const emit = defineEmits<{
         class="px-5 py-3.5 flex items-center gap-2"
       >
         <AppIcon name="server" :size="14" class="text-drydock-secondary" />
-        <h2 class="text-sm font-semibold dd-text">Store</h2>
+        <h2 class="dd-text-heading-section dd-text">Store</h2>
       </div>
       <div class="p-5 space-y-4">
         <div
@@ -166,7 +103,7 @@ const emit = defineEmits<{
           class="flex items-center justify-between py-2"
           :style="{ borderBottom: '1px solid var(--dd-border)' }"
         >
-          <span class="text-[0.6875rem] font-semibold uppercase tracking-wider dd-text-muted">{{ field.label }}</span>
+          <span class="text-2xs-plus font-semibold uppercase tracking-wider dd-text-muted">{{ field.label }}</span>
           <span class="text-xs font-medium font-mono dd-text">{{ field.value }}</span>
         </div>
       </div>
@@ -183,33 +120,24 @@ const emit = defineEmits<{
       >
         <div class="flex items-center gap-2">
           <AppIcon name="bolt" :size="14" class="text-drydock-secondary" />
-          <h2 class="text-sm font-semibold dd-text">Webhook API</h2>
+          <h2 class="dd-text-heading-section dd-text">Webhook API</h2>
         </div>
-        <span
-          class="px-2 py-1 text-[0.625rem] font-semibold uppercase tracking-wider dd-rounded"
-          :style="{
-            backgroundColor: props.webhookEnabled ? 'var(--dd-success-muted)' : 'var(--dd-bg-inset)',
-            color: props.webhookEnabled ? 'var(--dd-success)' : 'var(--dd-text-muted)',
-            border: props.webhookEnabled
-              ? '1px solid var(--dd-success)'
-              : '1px solid var(--dd-border-strong)',
-          }"
-        >
+        <AppBadge :tone="props.webhookEnabled ? 'success' : 'neutral'">
           {{ props.webhookEnabled ? 'Enabled' : 'Disabled' }}
-        </span>
+        </AppBadge>
       </div>
       <div class="p-5 space-y-4">
-        <p class="text-[0.6875rem] dd-text-muted">
+        <p class="text-2xs-plus dd-text-muted">
           Use these endpoints to trigger watch cycles and updates via HTTP.
           All requests require a Bearer token in the Authorization header.
         </p>
-        <p v-if="!props.webhookEnabled" class="text-[0.6875rem] dd-text-muted">
+        <p v-if="!props.webhookEnabled" class="text-2xs-plus dd-text-muted">
           Webhook API is disabled. Set <code class="font-mono">DD_SERVER_WEBHOOK_ENABLED=true</code> and
           configure at least one token (<code class="font-mono">DD_SERVER_WEBHOOK_TOKEN</code> or
           <code class="font-mono">DD_SERVER_WEBHOOK_TOKENS_*</code>) to enable it.
         </p>
         <div class="overflow-x-auto dd-rounded">
-          <table class="w-full text-left text-[0.6875rem]">
+          <table class="w-full text-left text-2xs-plus">
             <thead :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
               <tr>
                 <th class="px-3 py-2 font-semibold uppercase tracking-wider dd-text-muted">Endpoint</th>
@@ -223,7 +151,7 @@ const emit = defineEmits<{
                 :style="{ borderTop: '1px solid var(--dd-border)' }"
               >
                 <td class="px-3 py-2">
-                  <code class="text-[0.6875rem] font-mono dd-text">{{ entry.endpoint }}</code>
+                  <code class="text-2xs-plus font-mono dd-text">{{ entry.endpoint }}</code>
                 </td>
                 <td class="px-3 py-2 dd-text-secondary">{{ entry.description }}</td>
               </tr>
@@ -231,9 +159,9 @@ const emit = defineEmits<{
           </table>
         </div>
         <div>
-          <div class="text-[0.6875rem] font-semibold uppercase tracking-wider dd-text-muted mb-1.5">Example</div>
+          <div class="text-2xs-plus font-semibold uppercase tracking-wider dd-text-muted mb-1.5">Example</div>
           <pre
-            class="px-3 py-2 text-[0.6875rem] font-mono dd-rounded overflow-x-auto"
+            class="px-3 py-2 text-2xs-plus font-mono dd-rounded overflow-x-auto"
             :style="{
               backgroundColor: 'var(--dd-bg-inset)',
               color: 'var(--dd-text)',
@@ -253,13 +181,13 @@ const emit = defineEmits<{
         class="px-5 py-3.5 flex items-center gap-2"
       >
         <AppIcon name="globe" :size="14" class="text-drydock-secondary" />
-        <h2 class="text-sm font-semibold dd-text">Network</h2>
+        <h2 class="dd-text-heading-section dd-text">Network</h2>
       </div>
       <div class="p-5">
         <div class="flex items-center justify-between">
           <div>
             <div class="text-xs font-semibold dd-text">Internetless Mode</div>
-            <div class="text-[0.625rem] dd-text-muted mt-0.5">
+            <div class="text-2xs dd-text-muted mt-0.5">
               Block all outbound requests (container icons, external fetches)
             </div>
           </div>
@@ -282,22 +210,22 @@ const emit = defineEmits<{
         class="px-5 py-3.5 flex items-center gap-2"
       >
         <AppIcon name="containers" :size="14" class="text-drydock-secondary" />
-        <h2 class="text-sm font-semibold dd-text">Container Icon Cache</h2>
+        <h2 class="dd-text-heading-section dd-text">Container Icon Cache</h2>
       </div>
       <div class="p-5">
         <div class="flex items-center justify-between">
           <div>
             <div class="text-xs font-semibold dd-text">Cached Icons</div>
-            <div class="text-[0.625rem] dd-text-muted mt-0.5">
+            <div class="text-2xs dd-text-muted mt-0.5">
               Common icons are bundled; other icons are cached to disk on first fetch
             </div>
           </div>
           <div class="flex items-center gap-2">
-            <span v-if="props.cacheCleared !== null" class="text-[0.625rem] dd-text-success">
+            <span v-if="props.cacheCleared !== null" class="text-2xs dd-text-success">
               {{ props.cacheCleared }} cleared
             </span>
-            <button
-              class="px-3 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors"
+            <AppButton size="none" variant="plain" weight="none"
+              class="px-3 py-1.5 dd-rounded text-2xs-plus font-semibold transition-colors"
               :class="props.cacheClearing ? 'opacity-50 pointer-events-none' : ''"
               :style="{
                 backgroundColor: 'var(--dd-danger-muted)',
@@ -308,10 +236,54 @@ const emit = defineEmits<{
             >
               <AppIcon name="trash" :size="10" class="mr-1" />
               Clear Cache
-            </button>
+            </AppButton>
           </div>
         </div>
       </div>
     </div>
+
+    <div
+      class="dd-rounded overflow-hidden"
+      :style="{
+        backgroundColor: 'var(--dd-bg-card)',
+      }"
+    >
+      <div
+        class="px-5 py-3.5 flex items-center gap-2"
+      >
+        <AppIcon name="download" :size="14" class="text-drydock-secondary" />
+        <h2 class="dd-text-heading-section dd-text">Diagnostics</h2>
+      </div>
+      <div class="p-5 space-y-3">
+        <div class="flex items-center justify-between gap-3">
+          <div>
+            <div class="text-xs font-semibold dd-text">Diagnostic Debug Dump</div>
+            <div class="text-2xs dd-text-muted mt-0.5">
+              Download a redacted JSON snapshot of runtime state for troubleshooting
+            </div>
+          </div>
+          <AppButton
+            data-test="download-debug-dump"
+            size="none"
+            variant="plain"
+            weight="none"
+            class="px-3 py-1.5 dd-rounded text-2xs-plus font-semibold transition-colors"
+            :class="props.debugDumpDownloading ? 'opacity-50 pointer-events-none' : ''"
+            :style="{
+              backgroundColor: 'var(--dd-bg-inset)',
+              color: 'var(--dd-text)',
+              border: '1px solid var(--dd-border-strong)',
+            }"
+            @click="emit('download-debug-dump')"
+          >
+            <AppIcon :name="props.debugDumpDownloading ? 'spinner' : 'download'" :size="10" class="mr-1" :class="props.debugDumpDownloading ? 'dd-spin' : ''" />
+            {{ props.debugDumpDownloading ? 'Preparing...' : 'Download Debug Dump' }}
+          </AppButton>
+        </div>
+        <div v-if="props.debugDumpError" class="text-2xs" :style="{ color: 'var(--dd-danger)' }">
+          {{ props.debugDumpError }}
+        </div>
+      </div>
+    </div>
   </div>
 </template>
diff --git a/ui/src/components/config/ConfigLogsTab.vue b/ui/src/components/config/ConfigLogsTab.vue
index e20817c6e..d605258d2 100644
--- a/ui/src/components/config/ConfigLogsTab.vue
+++ b/ui/src/components/config/ConfigLogsTab.vue
@@ -1,44 +1,35 @@
 <script setup lang="ts">
-import { computed } from 'vue';
-import type { LogAutoFetchIntervalOption } from '../../composables/useLogViewerBehavior';
-import LogViewer from '../LogViewer.vue';
-
-interface AppLogEntry {
-  timestamp?: string | number;
-  level?: string;
-  component?: string;
-  msg?: string;
-  message?: string;
-}
-
-const props = defineProps<{
-  logLevel: string;
-  entries: AppLogEntry[];
-  loading: boolean;
-  error: string;
-  logLevelFilter: string;
-  tail: number;
-  autoFetchInterval: number;
-  componentFilter: string;
-  autoFetchOptions: LogAutoFetchIntervalOption[];
-  scrollBlocked: boolean;
-  lastFetchedIso: string;
-  formatLastFetched: (iso: string) => string;
-  formatTimestamp: (value: string | number | undefined) => string;
-  messageForEntry: (entry: AppLogEntry) => string;
-  levelColor: (level: string | undefined) => string;
-}>();
+import { computed, ref } from 'vue';
+import StatusDot from '@/components/StatusDot.vue';
+import AppLogViewer from '../AppLogViewer.vue';
+import type { AppLogEntry } from '../../types/log-entry';
+
+const props = withDefaults(
+  defineProps<{
+    logLevel: string;
+    entries: AppLogEntry[];
+    loading: boolean;
+    error: string;
+    logLevelFilter: string;
+    tail: number;
+    componentFilter: string;
+    streamingEnabled?: boolean;
+    streamingConnected?: boolean;
+  }>(),
+  {
+    streamingEnabled: false,
+    streamingConnected: false,
+  },
+);
 
 const emit = defineEmits<{
   (e: 'update:logLevelFilter', value: string): void;
   (e: 'update:tail', value: number): void;
-  (e: 'update:autoFetchInterval', value: number): void;
   (e: 'update:componentFilter', value: string): void;
+  (e: 'update:streamingEnabled', value: boolean): void;
   (e: 'refresh'): void;
   (e: 'reset'): void;
-  (e: 'resume-auto-scroll'): void;
-  (e: 'log-scroll'): void;
-  (e: 'set-log-container', value: HTMLElement | null): void;
+  (e: 'toggle-pause'): void;
 }>();
 
 const logLevelFilterModel = computed({
@@ -51,18 +42,51 @@ const tailModel = computed({
   set: (value: number) => emit('update:tail', value),
 });
 
-const autoFetchIntervalModel = computed({
-  get: () => props.autoFetchInterval,
-  set: (value: number) => emit('update:autoFetchInterval', value),
-});
-
 const componentFilterModel = computed({
   get: () => props.componentFilter,
   set: (value: string) => emit('update:componentFilter', value),
 });
 
-function asEntry(entry: unknown): AppLogEntry {
-  return entry as AppLogEntry;
+const streamingEnabledModel = computed({
+  get: () => props.streamingEnabled,
+  set: (value: boolean) => emit('update:streamingEnabled', value),
+});
+
+const autoScrollPinned = ref(true);
+
+const viewerPaused = computed(() => !props.streamingEnabled);
+const statusLabel = computed(() => {
+  if (viewerPaused.value) {
+    return 'Paused';
+  }
+  return props.streamingConnected ? 'Live' : 'Offline';
+});
+const statusColor = computed(() => {
+  if (viewerPaused.value) {
+    return 'var(--dd-warning)';
+  }
+  return props.streamingConnected ? 'var(--dd-success)' : 'var(--dd-danger)';
+});
+
+function levelColor(level: string | null | undefined): string {
+  const value = (level || '').toLowerCase();
+  if (value === 'error' || value === 'fatal') {
+    return 'var(--dd-danger)';
+  }
+  if (value === 'warn' || value === 'warning') {
+    return 'var(--dd-warning)';
+  }
+  if (value === 'info') {
+    return 'var(--dd-info)';
+  }
+  if (value === 'debug' || value === 'trace') {
+    return 'var(--dd-text-secondary)';
+  }
+  return 'var(--dd-text-secondary)';
+}
+
+function togglePin() {
+  autoScrollPinned.value = !autoScrollPinned.value;
 }
 </script>
 
@@ -75,124 +99,106 @@ function asEntry(entry: unknown): AppLogEntry {
       }"
     >
       <div class="p-5 flex flex-col flex-1 min-h-0 gap-4">
-        <LogViewer
+        <div v-if="props.loading" class="text-xs dd-text-muted text-center py-6">Loading logs...</div>
+
+        <div
+          v-else-if="props.error"
+          class="text-2xs-plus px-3 py-2 dd-rounded"
+          :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }"
+        >
+          {{ props.error }}
+        </div>
+
+        <AppLogViewer
+          v-else
           class="flex-1 min-h-0"
           :entries="props.entries"
-          :loading="props.loading"
-          :error="props.error"
           empty-message="No log entries found for current filters."
-          container-class="dd-rounded overflow-auto flex-1 min-h-0 font-mono text-[0.6875rem]"
-          :container-style="{
-            backgroundColor: 'var(--dd-bg-inset)',
-          }"
-          @container-ready="(element) => emit('set-log-container', element)"
-          @scroll="emit('log-scroll')"
+          :paused="viewerPaused"
+          :auto-scroll-pinned="autoScrollPinned"
+          :status-label="statusLabel"
+          :status-color="statusColor"
+          :line-count="props.entries.length"
+          @toggle-pause="emit('toggle-pause')"
+          @toggle-pin="togglePin"
         >
-          <template #controls>
-            <div class="flex flex-wrap items-center gap-2">
-              <select
-                v-model="logLevelFilterModel"
-                class="px-2 py-1.5 dd-rounded text-[0.6875rem] font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text"
-              >
-                <option value="all">All Levels</option>
-                <option value="debug">Debug</option>
-                <option value="info">Info</option>
-                <option value="warn">Warn</option>
-                <option value="error">Error</option>
-              </select>
-
-              <select
-                v-model.number="tailModel"
-                class="px-2 py-1.5 dd-rounded text-[0.6875rem] font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text"
-              >
-                <option :value="50">Tail 50</option>
-                <option :value="100">Tail 100</option>
-                <option :value="500">Tail 500</option>
-                <option :value="1000">Tail 1000</option>
-              </select>
-
-              <select
-                v-model.number="autoFetchIntervalModel"
-                class="px-2 py-1.5 dd-rounded text-[0.6875rem] font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text"
-              >
-                <option v-for="opt in props.autoFetchOptions" :key="opt.value" :value="opt.value">
-                  {{ opt.label }}
-                </option>
-              </select>
-
+          <template #toolbar-left>
+            <label
+              class="flex items-center gap-1.5 px-2 py-1.5 dd-rounded text-2xs-plus font-semibold uppercase tracking-wide cursor-pointer dd-bg dd-text select-none"
+            >
               <input
-                v-model="componentFilterModel"
-                type="text"
-                placeholder="Filter by component..."
-                class="flex-1 min-w-[180px] max-w-[280px] px-2.5 py-1.5 dd-rounded text-[0.6875rem] font-medium outline-none dd-bg dd-text dd-placeholder"
-                @keyup.enter="emit('refresh')"
+                type="checkbox"
+                :checked="streamingEnabledModel"
+                class="accent-[var(--dd-success)]"
+                @change="streamingEnabledModel = ($event.target as HTMLInputElement).checked"
               />
+              <StatusDot
+                v-if="props.streamingConnected"
+                status="connected"
+                size="md"
+              />
+              Live
+            </label>
 
-              <button
-                class="px-3 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors dd-bg-elevated dd-text hover:opacity-90"
-                :class="props.loading ? 'opacity-50 pointer-events-none' : ''"
-                @click="emit('refresh')"
-              >
-                Apply
-              </button>
-              <button
-                class="px-3 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors dd-text-muted hover:dd-text"
-                :class="props.loading ? 'opacity-50 pointer-events-none' : ''"
-                @click="emit('reset')"
-              >
-                Reset
-              </button>
-              <button
-                class="p-1.5 dd-rounded transition-colors dd-text-muted hover:dd-text"
-                :class="props.loading ? 'opacity-50 pointer-events-none' : ''"
-                v-tooltip.top="'Refresh'"
-                @click="emit('refresh')"
-              >
-                <AppIcon name="refresh" :size="12" />
-              </button>
-              <div class="ml-auto text-[0.625rem] dd-text-muted">
-                Server Level: <span class="font-semibold dd-text capitalize">{{ props.logLevel }}</span>
-              </div>
-            </div>
+            <select
+              v-model="logLevelFilterModel"
+              class="px-2 py-1.5 dd-rounded text-2xs-plus font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text"
+            >
+              <option value="all">All Levels</option>
+              <option value="debug">Debug</option>
+              <option value="info">Info</option>
+              <option value="warn">Warn</option>
+              <option value="error">Error</option>
+            </select>
+
+            <select
+              v-model.number="tailModel"
+              class="px-2 py-1.5 dd-rounded text-2xs-plus font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text"
+            >
+              <option :value="50">Tail 50</option>
+              <option :value="100">Tail 100</option>
+              <option :value="500">Tail 500</option>
+              <option :value="1000">Tail 1000</option>
+            </select>
+
+            <input
+              v-model="componentFilterModel"
+              type="text"
+              placeholder="Filter by component..."
+              class="flex-1 min-w-[160px] max-w-[260px] px-2.5 py-1.5 dd-rounded text-2xs-plus font-medium outline-none dd-bg dd-text dd-placeholder"
+              @keyup.enter="emit('refresh')"
+            />
           </template>
 
-          <template #meta>
-            <div class="text-[0.625rem] dd-text-muted">
-              Last fetched: {{ props.formatLastFetched(props.lastFetchedIso) }}
-            </div>
-          </template>
+          <template #filter-bar>
+            <AppButton size="none" variant="plain" weight="none"
+              class="px-3 py-1.5 dd-rounded text-2xs-plus font-semibold transition-colors dd-bg-elevated dd-text hover:opacity-90"
+              :class="props.loading ? 'opacity-50 pointer-events-none' : ''"
+              @click="emit('refresh')"
+            >
+              Apply
+            </AppButton>
 
-          <template #entry="{ entry, index }">
-            <div
-              class="px-3 py-2 flex gap-3 items-start"
-              :style="{ backgroundColor: index % 2 === 0 ? 'var(--dd-bg-inset)' : 'var(--dd-bg-card)' }"
+            <AppButton size="none" variant="plain" weight="none"
+              class="px-3 py-1.5 dd-rounded text-2xs-plus font-semibold transition-colors dd-text-muted hover:dd-text"
+              :class="props.loading ? 'opacity-50 pointer-events-none' : ''"
+              @click="emit('reset')"
             >
-              <span class="shrink-0 tabular-nums dd-text-muted">{{ props.formatTimestamp(asEntry(entry).timestamp) }}</span>
-              <span class="shrink-0 uppercase font-semibold" :style="{ color: props.levelColor(asEntry(entry).level) }">
-                {{ asEntry(entry).level || 'info' }}
-              </span>
-              <span class="shrink-0 dd-text-secondary">{{ asEntry(entry).component || '-' }}</span>
-              <span class="dd-text break-all">{{ props.messageForEntry(asEntry(entry)) }}</span>
+              Reset
+            </AppButton>
+
+            <div class="ml-auto text-2xs dd-text-muted">
+              Server Level: <span class="font-semibold dd-text capitalize">{{ props.logLevel }}</span>
             </div>
           </template>
 
-          <template #footer>
-            <div
-              v-if="props.scrollBlocked && props.autoFetchInterval > 0"
-              class="flex items-center justify-between px-3 py-2 text-[0.625rem]"
-              :style="{ backgroundColor: 'var(--dd-warning-muted)' }"
-            >
-              <span class="font-semibold" :style="{ color: 'var(--dd-warning)' }">Auto-scroll paused</span>
-              <button
-                class="px-2 py-0.5 dd-rounded text-[0.625rem] font-semibold transition-colors"
-                :style="{ backgroundColor: 'var(--dd-warning)', color: 'var(--dd-bg)' }"
-                @click="emit('resume-auto-scroll')"
-              >
-                Resume
-              </button>
-            </div>
+          <template #entry-prefix="{ entry }">
+            <span class="shrink-0 uppercase font-semibold text-2xs" :style="{ color: levelColor(entry.level) }">
+              {{ entry.level || 'info' }}
+            </span>
+            <span class="shrink-0 dd-text-secondary">{{ entry.component || '-' }}</span>
           </template>
-        </LogViewer>
+        </AppLogViewer>
       </div>
     </div>
   </div>
diff --git a/ui/src/components/config/ConfigProfileTab.vue b/ui/src/components/config/ConfigProfileTab.vue
index a0f4ecb54..622b1f6ab 100644
--- a/ui/src/components/config/ConfigProfileTab.vue
+++ b/ui/src/components/config/ConfigProfileTab.vue
@@ -35,12 +35,12 @@ const props = defineProps<{
         </div>
         <div class="min-w-0">
           <div class="text-sm font-bold dd-text truncate">{{ props.profileDisplayName }}</div>
-          <div class="text-[0.6875rem] dd-text-muted truncate">
+          <div class="text-2xs-plus dd-text-muted truncate">
             {{ props.profileData.email || props.profileData.username || '—' }}
           </div>
           <span
             v-if="props.profileData.role"
-            class="badge text-[0.5625rem] font-semibold mt-1 inline-flex"
+            class="badge text-3xs font-semibold mt-1 inline-flex"
             :style="{ backgroundColor: 'var(--dd-primary-muted)', color: 'var(--dd-primary)' }"
           >
             {{ props.profileData.role }}
@@ -54,34 +54,34 @@ const props = defineProps<{
         </div>
         <div
           v-else-if="props.profileError"
-          class="text-[0.6875rem] px-3 py-2 dd-rounded"
+          class="text-2xs-plus px-3 py-2 dd-rounded"
           :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }"
         >
           {{ props.profileError }}
         </div>
         <template v-else>
           <div class="flex items-center justify-between py-2" :style="{ borderBottom: '1px solid var(--dd-border)' }">
-            <span class="text-[0.6875rem] font-semibold uppercase tracking-wider dd-text-muted">Username</span>
+            <span class="text-2xs-plus font-semibold uppercase tracking-wider dd-text-muted">Username</span>
             <span class="text-xs font-medium font-mono dd-text">{{ props.profileData.username || '—' }}</span>
           </div>
           <div class="flex items-center justify-between py-2" :style="{ borderBottom: '1px solid var(--dd-border)' }">
-            <span class="text-[0.6875rem] font-semibold uppercase tracking-wider dd-text-muted">Email</span>
+            <span class="text-2xs-plus font-semibold uppercase tracking-wider dd-text-muted">Email</span>
             <span class="text-xs font-medium font-mono dd-text">{{ props.profileData.email || '—' }}</span>
           </div>
           <div class="flex items-center justify-between py-2" :style="{ borderBottom: '1px solid var(--dd-border)' }">
-            <span class="text-[0.6875rem] font-semibold uppercase tracking-wider dd-text-muted">Role</span>
+            <span class="text-2xs-plus font-semibold uppercase tracking-wider dd-text-muted">Role</span>
             <span class="text-xs font-medium font-mono dd-text">{{ props.profileData.role || '—' }}</span>
           </div>
           <div class="flex items-center justify-between py-2" :style="{ borderBottom: '1px solid var(--dd-border)' }">
-            <span class="text-[0.6875rem] font-semibold uppercase tracking-wider dd-text-muted">Provider</span>
+            <span class="text-2xs-plus font-semibold uppercase tracking-wider dd-text-muted">Provider</span>
             <span class="text-xs font-medium font-mono dd-text">{{ props.profileData.provider || '—' }}</span>
           </div>
           <div class="flex items-center justify-between py-2" :style="{ borderBottom: '1px solid var(--dd-border)' }">
-            <span class="text-[0.6875rem] font-semibold uppercase tracking-wider dd-text-muted">Last Login</span>
+            <span class="text-2xs-plus font-semibold uppercase tracking-wider dd-text-muted">Last Login</span>
             <span class="text-xs font-medium font-mono dd-text">{{ props.profileData.lastLogin || '—' }}</span>
           </div>
           <div class="flex items-center justify-between py-2">
-            <span class="text-[0.6875rem] font-semibold uppercase tracking-wider dd-text-muted">Active Sessions</span>
+            <span class="text-2xs-plus font-semibold uppercase tracking-wider dd-text-muted">Active Sessions</span>
             <span class="text-xs font-medium font-mono dd-text">{{ props.profileData.sessions }}</span>
           </div>
         </template>
diff --git a/ui/src/components/containers/ContainerFullPageActionsTab.vue b/ui/src/components/containers/ContainerFullPageActionsTab.vue
new file mode 100644
index 000000000..799ca6e36
--- /dev/null
+++ b/ui/src/components/containers/ContainerFullPageActionsTab.vue
@@ -0,0 +1,389 @@
+<script setup lang="ts">
+import AppButton from '../AppButton.vue';
+import { useContainersViewTemplateContext } from './containersViewTemplateContext';
+
+const {
+  selectedContainer,
+  previewLoading,
+  runContainerPreview,
+  actionInProgress,
+  policyInProgress,
+  skipCurrentForSelected,
+  snoozeSelected,
+  snoozeDateInput,
+  snoozeSelectedUntilDate,
+  selectedSnoozeUntil,
+  unsnoozeSelected,
+  selectedSkipTags,
+  selectedSkipDigests,
+  clearSkipsSelected,
+  selectedUpdatePolicy,
+  selectedHasMaturityPolicy,
+  selectedMaturityMode,
+  selectedMaturityMinAgeDays,
+  maturityModeInput,
+  maturityMinAgeDaysInput,
+  setMaturityPolicySelected,
+  clearMaturityPolicySelected,
+  confirmClearPolicy,
+  policyMessage,
+  policyError,
+  removeSkipTagSelected,
+  removeSkipDigestSelected,
+  detailPreview,
+  detailComposePreview,
+  previewError,
+  triggersLoading,
+  detailTriggers,
+  getTriggerKey,
+  triggerRunInProgress,
+  runAssociatedTrigger,
+  triggerMessage,
+  triggerError,
+  backupsLoading,
+  detailBackups,
+  rollbackInProgress,
+  confirmRollback,
+  rollbackMessage,
+  rollbackError,
+  updateOperationsLoading,
+  detailUpdateOperations,
+  getOperationStatusStyle,
+  formatOperationStatus,
+  formatOperationPhase,
+  formatRollbackReason,
+  updateOperationsError,
+  scanContainer,
+  confirmUpdate,
+  confirmForceUpdate,
+  formatTimestamp,
+} = useContainersViewTemplateContext();
+</script>
+
+<template>
+  <div class="grid grid-cols-1 xl:grid-cols-2 gap-4">
+    <div class="space-y-4">
+      <div class="dd-rounded overflow-hidden"
+            :style="{ backgroundColor: 'var(--dd-bg-card)' }">
+        <div class="px-4 py-3 flex items-center gap-2">
+          <AppIcon name="updates" :size="12" class="dd-text-muted" />
+          <span class="dd-text-label dd-text-muted">Update Workflow</span>
+        </div>
+        <div class="p-4 space-y-4">
+          <!-- Actions group -->
+          <div>
+            <div class="text-3xs uppercase tracking-wider mb-1.5 dd-text-muted">Actions</div>
+            <div class="flex flex-wrap gap-2">
+              <AppButton size="md" variant="outlined" :disabled="previewLoading"
+                      @click="runContainerPreview">
+                {{ previewLoading ? 'Previewing...' : 'Preview Update' }}
+              </AppButton>
+              <AppButton v-if="selectedContainer.bouncer === 'blocked'" size="md" variant="plain" :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)', border: '1px solid var(--dd-danger)' }"
+                      :disabled="actionInProgress.has(selectedContainer.name)"
+                      @click="confirmForceUpdate(selectedContainer.name)">
+                <AppIcon name="lock" :size="10" class="mr-1 inline" />Force Update
+              </AppButton>
+              <AppButton v-else
+                      size="md"
+                      :disabled="!selectedContainer.newTag || actionInProgress.has(selectedContainer.name)"
+                      @click="confirmUpdate(selectedContainer.name)">
+                Update Now
+              </AppButton>
+              <AppButton size="md" variant="outlined" :disabled="actionInProgress.has(selectedContainer.name)"
+                      @click="scanContainer(selectedContainer.name)">
+                Scan Now
+              </AppButton>
+            </div>
+          </div>
+          <!-- Skip & Snooze group -->
+          <div>
+            <div class="text-3xs uppercase tracking-wider mb-1.5 dd-text-muted">Skip & Snooze</div>
+            <div class="flex flex-wrap gap-2">
+              <AppButton size="md" variant="outlined" :disabled="!selectedContainer.newTag || policyInProgress !== null"
+                      @click="skipCurrentForSelected">
+                Skip This Update
+              </AppButton>
+              <AppButton size="md" variant="outlined" :disabled="policyInProgress !== null"
+                      @click="snoozeSelected(1)">
+                Snooze 1d
+              </AppButton>
+              <AppButton size="md" variant="outlined" :disabled="policyInProgress !== null"
+                      @click="snoozeSelected(7)">
+                Snooze 7d
+              </AppButton>
+              <input
+                v-model="snoozeDateInput"
+                type="date"
+                class="px-2.5 py-1.5 dd-rounded text-2xs-plus outline-none dd-bg dd-text"
+                :disabled="policyInProgress !== null" />
+              <AppButton size="md" variant="outlined" :disabled="!snoozeDateInput || policyInProgress !== null"
+                      @click="snoozeSelectedUntilDate">
+                Snooze Until
+              </AppButton>
+              <AppButton size="md" variant="outlined" :disabled="!selectedSnoozeUntil || policyInProgress !== null"
+                      @click="unsnoozeSelected">
+                Unsnooze
+              </AppButton>
+            </div>
+          </div>
+          <!-- Maturity group -->
+          <div>
+            <div class="text-3xs uppercase tracking-wider mb-1.5 dd-text-muted">Maturity</div>
+            <div class="flex flex-wrap gap-2 items-center">
+              <select
+                v-model="maturityModeInput"
+                class="px-2.5 py-1.5 dd-rounded text-2xs-plus outline-none dd-bg dd-text"
+                :disabled="policyInProgress !== null"
+              >
+                <option value="all">Allow New + Mature</option>
+                <option value="mature">Mature Only</option>
+              </select>
+              <input
+                v-model.number="maturityMinAgeDaysInput"
+                type="number"
+                min="1"
+                max="365"
+                class="w-[104px] px-2.5 py-1.5 dd-rounded text-2xs-plus outline-none dd-bg dd-text"
+                :disabled="policyInProgress !== null"
+              />
+              <AppButton size="md" variant="outlined" :disabled="policyInProgress !== null"
+                      @click="setMaturityPolicySelected(maturityModeInput)">
+                Apply Maturity
+              </AppButton>
+              <AppButton size="md" variant="outlined" :disabled="!selectedHasMaturityPolicy || policyInProgress !== null"
+                      @click="clearMaturityPolicySelected">
+                Clear Maturity
+              </AppButton>
+            </div>
+          </div>
+          <!-- Reset group -->
+          <div>
+            <div class="text-3xs uppercase tracking-wider mb-1.5 dd-text-muted">Reset</div>
+            <div class="flex flex-wrap gap-2">
+              <AppButton size="md" variant="outlined" :disabled="(selectedSkipTags.length === 0 && selectedSkipDigests.length === 0) || policyInProgress !== null"
+                      @click="clearSkipsSelected">
+                Clear Skips
+              </AppButton>
+              <AppButton size="md" variant="outlined" :disabled="Object.keys(selectedUpdatePolicy).length === 0 || policyInProgress !== null"
+                      @click="confirmClearPolicy">
+                Clear Policy
+              </AppButton>
+            </div>
+          </div>
+          <div class="space-y-1 text-2xs-plus dd-text-muted">
+            <div v-if="selectedSnoozeUntil">
+              Snoozed until:
+              <span class="dd-text">{{ formatTimestamp(selectedSnoozeUntil) }}</span>
+            </div>
+            <div v-if="selectedHasMaturityPolicy">
+              Maturity mode:
+              <span class="dd-text">
+                {{ selectedMaturityMode === 'mature' ? `Mature only (${selectedMaturityMinAgeDays}d minimum)` : 'Allow all updates' }}
+              </span>
+            </div>
+            <div v-if="selectedSkipTags.length > 0">
+              Skipped tags:
+              <div class="mt-1 flex flex-wrap gap-1.5">
+                <span v-for="tag in selectedSkipTags" :key="`skip-tag-full-${tag}`"
+                      class="inline-flex items-center gap-1.5 px-2 py-1 dd-rounded text-2xs-plus font-mono"
+                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+                  <span class="dd-text">{{ tag }}</span>
+                  <AppButton size="none" variant="plain" weight="none" class="inline-flex items-center justify-center w-4 h-4 dd-rounded-sm transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
+                          tooltip="Remove skip"
+                          :disabled="policyInProgress !== null"
+                          @click="removeSkipTagSelected(tag)">
+                    <AppIcon name="xmark" :size="9" />
+                  </AppButton>
+                </span>
+              </div>
+            </div>
+            <div v-if="selectedSkipDigests.length > 0">
+              Skipped digests:
+              <div class="mt-1 flex flex-wrap gap-1.5">
+                <span v-for="digest in selectedSkipDigests" :key="`skip-digest-full-${digest}`"
+                      class="inline-flex items-center gap-1.5 px-2 py-1 dd-rounded text-2xs-plus font-mono"
+                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+                  <span class="dd-text">{{ digest }}</span>
+                  <AppButton size="none" variant="plain" weight="none" class="inline-flex items-center justify-center w-4 h-4 dd-rounded-sm transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
+                          tooltip="Remove skip"
+                          :disabled="policyInProgress !== null"
+                          @click="removeSkipDigestSelected(digest)">
+                    <AppIcon name="xmark" :size="9" />
+                  </AppButton>
+                </span>
+              </div>
+            </div>
+            <div v-if="!selectedSnoozeUntil && selectedSkipTags.length === 0 && selectedSkipDigests.length === 0 && !selectedHasMaturityPolicy"
+                  class="italic">
+              No active update policy.
+            </div>
+          </div>
+          <p v-if="policyMessage" class="text-2xs-plus" style="color: var(--dd-success);">{{ policyMessage }}</p>
+          <p v-if="policyError" class="text-2xs-plus" style="color: var(--dd-danger);">{{ policyError }}</p>
+        </div>
+      </div>
+
+      <div class="dd-rounded overflow-hidden"
+            :style="{ backgroundColor: 'var(--dd-bg-card)' }">
+        <div class="px-4 py-3 flex items-center gap-2">
+          <AppIcon name="info" :size="12" class="dd-text-muted" />
+          <span class="dd-text-label dd-text-muted">Preview</span>
+        </div>
+        <div class="p-4 space-y-2 text-xs">
+          <div v-if="previewLoading" class="dd-text-muted">Generating preview...</div>
+          <div v-else-if="detailPreview" class="space-y-1">
+            <div v-if="detailPreview.error" style="color: var(--dd-danger);">{{ detailPreview.error }}</div>
+            <template v-else>
+              <div class="dd-text-muted">Current: <span class="dd-text font-mono">{{ detailPreview.currentImage || '-' }}</span></div>
+              <div class="dd-text-muted">New: <span class="dd-text font-mono">{{ detailPreview.newImage || '-' }}</span></div>
+              <div class="dd-text-muted">Update kind:
+                <span class="dd-text font-mono">{{ detailPreview.updateKind?.kind || detailPreview.updateKind || 'unknown' }}</span>
+              </div>
+              <div class="dd-text-muted">Running:
+                <span class="dd-text">{{ detailPreview.isRunning ? 'yes' : 'no' }}</span>
+              </div>
+              <div v-if="Array.isArray(detailPreview.networks)" class="dd-text-muted">
+                Networks: <span class="dd-text font-mono">{{ detailPreview.networks.join(', ') || '-' }}</span>
+              </div>
+              <div v-if="detailComposePreview?.files.length" class="dd-text-muted">
+                Compose file<span v-if="detailComposePreview.files.length > 1">s</span>:
+                <span class="dd-text font-mono">{{ detailComposePreview.files.join(', ') }}</span>
+              </div>
+              <div v-if="detailComposePreview?.service" class="dd-text-muted">
+                Compose service:
+                <span class="dd-text font-mono">{{ detailComposePreview.service }}</span>
+              </div>
+              <div v-if="detailComposePreview?.writableFile" class="dd-text-muted">
+                Writable file:
+                <span class="dd-text font-mono">{{ detailComposePreview.writableFile }}</span>
+              </div>
+              <div v-if="typeof detailComposePreview?.willWrite === 'boolean'" class="dd-text-muted">
+                Writes compose file:
+                <span class="dd-text">{{ detailComposePreview.willWrite ? 'yes' : 'no' }}</span>
+              </div>
+              <div v-if="detailComposePreview?.patch" class="dd-text-muted">
+                Patch preview:
+                <pre class="mt-1 p-2 dd-rounded whitespace-pre-wrap break-all text-2xs-plus dd-text font-mono"
+                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">{{ detailComposePreview.patch }}</pre>
+              </div>
+            </template>
+          </div>
+          <div v-else class="dd-text-muted italic">
+            Run a preview to inspect the planned update operations.
+          </div>
+          <p v-if="previewError" class="text-2xs-plus" style="color: var(--dd-danger);">{{ previewError }}</p>
+        </div>
+      </div>
+    </div>
+
+    <div class="space-y-4">
+      <div class="dd-rounded overflow-hidden"
+            :style="{ backgroundColor: 'var(--dd-bg-card)' }">
+        <div class="px-4 py-3 flex items-center gap-2">
+          <AppIcon name="triggers" :size="12" class="dd-text-muted" />
+          <span class="dd-text-label dd-text-muted">Associated Triggers</span>
+        </div>
+        <div class="p-4 space-y-2">
+          <div v-if="triggersLoading" class="text-xs dd-text-muted">Loading triggers...</div>
+          <div v-else-if="detailTriggers.length > 0" class="space-y-2">
+            <div v-for="trigger in detailTriggers" :key="getTriggerKey(trigger)"
+                  class="flex items-center justify-between gap-3 px-3 py-2 dd-rounded"
+                  :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+              <div class="min-w-0">
+                <div class="text-xs font-semibold dd-text truncate">{{ trigger.type }}.{{ trigger.name }}</div>
+                <div v-if="trigger.agent" class="text-2xs-plus dd-text-muted">agent: {{ trigger.agent }}</div>
+              </div>
+              <AppButton size="md" variant="outlined" :disabled="triggerRunInProgress !== null"
+                      @click="runAssociatedTrigger(trigger)">
+                {{ triggerRunInProgress === getTriggerKey(trigger) ? 'Running...' : 'Run' }}
+              </AppButton>
+            </div>
+          </div>
+          <p v-else class="text-xs dd-text-muted italic">No triggers associated with this container</p>
+          <p v-if="triggerMessage" class="text-2xs-plus" style="color: var(--dd-success);">{{ triggerMessage }}</p>
+          <p v-if="triggerError" class="text-2xs-plus" style="color: var(--dd-danger);">{{ triggerError }}</p>
+        </div>
+      </div>
+
+      <div class="dd-rounded overflow-hidden"
+            :style="{ backgroundColor: 'var(--dd-bg-card)' }">
+        <div class="px-4 py-3 flex items-center gap-2">
+          <AppIcon name="recent-updates" :size="12" class="dd-text-muted" />
+          <span class="dd-text-label dd-text-muted">Backups &amp; Rollback</span>
+        </div>
+        <div class="p-4 space-y-2">
+          <div>
+            <AppButton size="md" variant="outlined" :disabled="backupsLoading || detailBackups.length === 0 || rollbackInProgress !== null"
+                    @click="confirmRollback()">
+              {{ rollbackInProgress === 'latest' ? 'Rolling back...' : 'Rollback Latest' }}
+            </AppButton>
+          </div>
+          <div v-if="backupsLoading" class="text-xs dd-text-muted">Loading backups...</div>
+          <div v-else-if="detailBackups.length > 0" class="space-y-2">
+            <div v-for="backup in detailBackups" :key="backup.id"
+                  class="flex items-center justify-between gap-3 px-3 py-2 dd-rounded"
+                  :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+              <div class="min-w-0">
+                <div class="text-xs font-semibold dd-text font-mono truncate">{{ backup.imageName }}:{{ backup.imageTag }}</div>
+                <div class="text-2xs-plus dd-text-muted">{{ formatTimestamp(backup.timestamp) }}</div>
+              </div>
+              <AppButton size="md" variant="outlined" :disabled="rollbackInProgress !== null"
+                      @click="confirmRollback(backup.id)">
+                {{ rollbackInProgress === backup.id ? 'Rolling...' : 'Use' }}
+              </AppButton>
+            </div>
+          </div>
+          <p v-else class="text-xs dd-text-muted italic">No backups available yet</p>
+          <p v-if="rollbackMessage" class="text-2xs-plus" style="color: var(--dd-success);">{{ rollbackMessage }}</p>
+          <p v-if="rollbackError" class="text-2xs-plus" style="color: var(--dd-danger);">{{ rollbackError }}</p>
+        </div>
+      </div>
+
+      <div class="dd-rounded overflow-hidden"
+            :style="{ backgroundColor: 'var(--dd-bg-card)' }">
+        <div class="px-4 py-3 flex items-center gap-2">
+          <AppIcon name="audit" :size="12" class="dd-text-muted" />
+          <span class="dd-text-label dd-text-muted">Update Operation History</span>
+        </div>
+        <div class="p-4 space-y-2">
+          <div v-if="updateOperationsLoading" class="text-xs dd-text-muted">Loading operation history...</div>
+          <div v-else-if="detailUpdateOperations.length > 0" class="space-y-2">
+            <div v-for="operation in detailUpdateOperations" :key="`full-${operation.id}`"
+                  class="space-y-1.5 px-3 py-2 dd-rounded"
+                  :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+              <div class="flex items-center justify-between gap-3">
+                <div class="text-2xs-plus font-mono dd-text-muted truncate">{{ operation.id }}</div>
+                <span class="badge text-2xs font-semibold uppercase"
+                      :style="getOperationStatusStyle(operation.status)">
+                  {{ formatOperationStatus(operation.status) }}
+                </span>
+              </div>
+              <div class="text-xs dd-text-muted">Phase:
+                <span class="dd-text font-mono">{{ formatOperationPhase(operation.phase) }}</span>
+              </div>
+              <div v-if="operation.fromVersion || operation.toVersion" class="text-xs dd-text-muted">
+                Version:
+                <span class="dd-text font-mono">{{ operation.fromVersion || '?' }}</span>
+                <span class="dd-text-muted"> → </span>
+                <span class="dd-text font-mono">{{ operation.toVersion || '?' }}</span>
+              </div>
+              <div v-if="operation.rollbackReason" class="text-xs dd-text-muted">
+                Rollback reason:
+                <span class="dd-text font-mono">{{ formatRollbackReason(operation.rollbackReason) }}</span>
+              </div>
+              <div v-if="operation.lastError" class="text-xs dd-text-muted">
+                Last error:
+                <span class="dd-text">{{ operation.lastError }}</span>
+              </div>
+              <div class="text-2xs-plus dd-text-muted">
+                {{ formatTimestamp(operation.updatedAt || operation.createdAt) }}
+              </div>
+            </div>
+          </div>
+          <p v-else class="text-xs dd-text-muted italic">No update operations recorded yet</p>
+          <p v-if="updateOperationsError" class="text-2xs-plus" style="color: var(--dd-danger);">{{ updateOperationsError }}</p>
+        </div>
+      </div>
+    </div>
+  </div>
+</template>
diff --git a/ui/src/components/containers/ContainerFullPageDetail.vue b/ui/src/components/containers/ContainerFullPageDetail.vue
index 4688effa5..374bab8fb 100644
--- a/ui/src/components/containers/ContainerFullPageDetail.vue
+++ b/ui/src/components/containers/ContainerFullPageDetail.vue
@@ -1,4 +1,8 @@
 <script setup lang="ts">
+import AppBadge from '@/components/AppBadge.vue';
+import AppIconButton from '@/components/AppIconButton.vue';
+import AppTabBar from '@/components/AppTabBar.vue';
+import StatusDot from '@/components/StatusDot.vue';
 import ContainerFullPageTabContent from './ContainerFullPageTabContent.vue';
 import { useContainersViewTemplateContext } from './containersViewTemplateContext';
 
@@ -24,7 +28,7 @@ const {
 </script>
 
 <template>
-  <div data-test="container-full-page-detail" class="flex flex-col flex-1 min-h-0 pr-2 sm:pr-[15px]">
+  <div data-test="container-full-page-detail" class="flex flex-col flex-1 min-h-0 overflow-hidden pr-2 sm:pr-[15px]">
     <div
       class="shrink-0 mb-4 dd-rounded overflow-hidden"
       :style="{
@@ -32,41 +36,37 @@ const {
       }">
       <div class="px-5 py-4 flex flex-col sm:flex-row sm:items-center sm:justify-between gap-3">
         <div class="flex items-center gap-4 min-w-0">
-          <button
-            class="flex items-center gap-2 px-3 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated shrink-0"
+          <AppButton size="none" variant="plain" weight="none"
+            class="flex items-center gap-2 px-3 py-1.5 dd-rounded text-2xs-plus font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated shrink-0"
             @click="closeFullPage">
             <AppIcon name="arrow-left" :size="11" />
             Back
-          </button>
+          </AppButton>
           <div class="flex items-center gap-3 min-w-0">
-            <div
-              class="w-3 h-3 rounded-full shrink-0"
-              :style="{ backgroundColor: selectedContainer.status === 'running' ? 'var(--dd-success)' : 'var(--dd-danger)' }" />
+            <StatusDot
+              :status="selectedContainer.status === 'running' ? 'running' : 'stopped'"
+              v-tooltip.top="selectedContainer.status"
+              size="lg" />
             <div class="min-w-0">
               <h1 class="text-base sm:text-lg font-bold truncate dd-text">
                 {{ selectedContainer.name }}
               </h1>
               <div class="flex items-center gap-2 mt-0.5 flex-wrap">
-                <span class="text-[0.6875rem] sm:text-xs font-mono dd-text-secondary truncate max-w-[180px] sm:max-w-none">
+                <span class="text-2xs-plus sm:text-xs font-mono dd-text-secondary truncate max-w-[180px] sm:max-w-none">
                   {{ selectedContainer.image }}:{{ selectedContainer.currentTag }}
                 </span>
-                <span
-                  class="badge text-[0.5625rem]"
-                  :style="{
-                    backgroundColor:
-                      selectedContainer.status === 'running'
-                        ? 'var(--dd-success-muted)'
-                        : 'var(--dd-danger-muted)',
-                    color: selectedContainer.status === 'running' ? 'var(--dd-success)' : 'var(--dd-danger)',
-                  }">
+                <AppBadge
+                  :tone="selectedContainer.status === 'running' ? 'success' : 'danger'"
+                  size="xs">
                   {{ selectedContainer.status }}
-                </span>
-                <span
-                  class="badge text-[0.5625rem] uppercase font-bold max-sm:hidden"
-                  :style="{
-                    backgroundColor: registryColorBg(selectedContainer.registry),
-                    color: registryColorText(selectedContainer.registry),
-                  }">
+                </AppBadge>
+                <AppBadge
+                  size="xs"
+                  :custom="{
+                    bg: registryColorBg(selectedContainer.registry),
+                    text: registryColorText(selectedContainer.registry),
+                  }"
+                  class="max-sm:hidden">
                   {{
                     registryLabel(
                       selectedContainer.registry,
@@ -74,109 +74,102 @@ const {
                       selectedContainer.registryName,
                     )
                   }}
-                </span>
-                <span
+                </AppBadge>
+                <AppBadge
                   v-if="selectedContainer.newTag"
-                  class="badge text-[0.5625rem] max-sm:hidden"
-                  :style="{
-                    backgroundColor: updateKindColor(selectedContainer.updateKind).bg,
-                    color: updateKindColor(selectedContainer.updateKind).text,
-                  }">
+                  size="xs"
+                  :custom="{
+                    bg: updateKindColor(selectedContainer.updateKind).bg,
+                    text: updateKindColor(selectedContainer.updateKind).text,
+                  }"
+                  class="max-sm:hidden">
                   {{ selectedContainer.updateKind }} update: {{ selectedContainer.newTag }}
-                </span>
+                </AppBadge>
               </div>
             </div>
           </div>
         </div>
         <div class="flex items-center gap-2 shrink-0">
-          <button
+          <AppButton size="none" variant="plain" weight="none"
             v-if="selectedContainer.status === 'running'"
-            class="flex items-center gap-1.5 px-3 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors"
-            :class="actionInProgress === selectedContainer.name ? 'opacity-50 cursor-not-allowed' : ''"
+            class="flex items-center gap-1.5 px-3 py-1.5 dd-rounded text-2xs-plus font-semibold transition-colors"
+            :class="actionInProgress.has(selectedContainer.name) ? 'opacity-50 cursor-not-allowed' : ''"
             :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)', border: '1px solid var(--dd-danger)' }"
-            :disabled="actionInProgress === selectedContainer.name"
+            :disabled="actionInProgress.has(selectedContainer.name)"
             aria-label="Stop container"
             @click="confirmStop(selectedContainer.name)">
-            <AppIcon :name="actionInProgress === selectedContainer.name ? 'spinner' : 'stop'" :size="12" :class="actionInProgress === selectedContainer.name ? 'dd-spin' : ''" />
+            <AppIcon :name="actionInProgress.has(selectedContainer.name) ? 'spinner' : 'stop'" :size="12" :class="actionInProgress.has(selectedContainer.name) ? 'dd-spin' : ''" />
             Stop
-          </button>
-          <button
+          </AppButton>
+          <AppButton size="none" variant="plain" weight="none"
             v-else
-            class="flex items-center gap-1.5 px-3 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors"
-            :class="actionInProgress === selectedContainer.name ? 'opacity-50 cursor-not-allowed' : ''"
+            class="flex items-center gap-1.5 px-3 py-1.5 dd-rounded text-2xs-plus font-semibold transition-colors"
+            :class="actionInProgress.has(selectedContainer.name) ? 'opacity-50 cursor-not-allowed' : ''"
             :style="{ backgroundColor: 'var(--dd-success-muted)', color: 'var(--dd-success)', border: '1px solid var(--dd-success)' }"
-            :disabled="actionInProgress === selectedContainer.name"
+            :disabled="actionInProgress.has(selectedContainer.name)"
             aria-label="Start container"
             @click="startContainer(selectedContainer.name)">
-            <AppIcon :name="actionInProgress === selectedContainer.name ? 'spinner' : 'play'" :size="12" :class="actionInProgress === selectedContainer.name ? 'dd-spin' : ''" />
+            <AppIcon :name="actionInProgress.has(selectedContainer.name) ? 'spinner' : 'play'" :size="12" :class="actionInProgress.has(selectedContainer.name) ? 'dd-spin' : ''" />
             Start
-          </button>
-          <button
-            class="flex items-center gap-1.5 px-3 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors"
-            :class="actionInProgress === selectedContainer.name ? 'opacity-50 cursor-not-allowed' : 'dd-text-muted hover:dd-text'"
-            :disabled="actionInProgress === selectedContainer.name"
+          </AppButton>
+          <AppButton size="none" variant="plain" weight="none"
+            class="flex items-center gap-1.5 px-3 py-1.5 dd-rounded text-2xs-plus font-semibold transition-colors"
+            :class="actionInProgress.has(selectedContainer.name) ? 'opacity-50 cursor-not-allowed' : 'dd-text-muted hover:dd-text'"
+            :disabled="actionInProgress.has(selectedContainer.name)"
             aria-label="Restart container"
             @click="confirmRestart(selectedContainer.name)">
-            <AppIcon :name="actionInProgress === selectedContainer.name ? 'spinner' : 'restart'" :size="12" :class="actionInProgress === selectedContainer.name ? 'dd-spin' : ''" />
+            <AppIcon :name="actionInProgress.has(selectedContainer.name) ? 'spinner' : 'restart'" :size="12" :class="actionInProgress.has(selectedContainer.name) ? 'dd-spin' : ''" />
             Restart
-          </button>
-          <button
-            class="flex items-center gap-1.5 px-3 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors"
-            :class="actionInProgress === selectedContainer.name ? 'opacity-50 cursor-not-allowed' : 'dd-text-muted hover:dd-text'"
-            :disabled="actionInProgress === selectedContainer.name"
+          </AppButton>
+          <AppButton size="none" variant="plain" weight="none"
+            class="flex items-center gap-1.5 px-3 py-1.5 dd-rounded text-2xs-plus font-semibold transition-colors"
+            :class="actionInProgress.has(selectedContainer.name) ? 'opacity-50 cursor-not-allowed' : 'dd-text-muted hover:dd-text'"
+            :disabled="actionInProgress.has(selectedContainer.name)"
             aria-label="Scan container"
             @click="scanContainer(selectedContainer.name)">
-            <AppIcon :name="actionInProgress === selectedContainer.name ? 'spinner' : 'security'" :size="12" :class="actionInProgress === selectedContainer.name ? 'dd-spin' : ''" />
+            <AppIcon :name="actionInProgress.has(selectedContainer.name) ? 'spinner' : 'security'" :size="12" :class="actionInProgress.has(selectedContainer.name) ? 'dd-spin' : ''" />
             Scan
-          </button>
-          <button
+          </AppButton>
+          <AppButton size="none" variant="plain" weight="none"
             v-if="selectedContainer.newTag && selectedContainer.bouncer === 'blocked'"
-            class="flex items-center gap-1.5 px-3 py-1.5 dd-rounded text-[0.6875rem] font-bold transition-colors"
-            :class="actionInProgress === selectedContainer.name ? 'opacity-50 cursor-not-allowed' : ''"
+            class="flex items-center gap-1.5 px-3 py-1.5 dd-rounded text-2xs-plus font-bold transition-colors"
+            :class="actionInProgress.has(selectedContainer.name) ? 'opacity-50 cursor-not-allowed' : ''"
             :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)', border: '1px solid var(--dd-danger)' }"
-            :disabled="actionInProgress === selectedContainer.name"
+            :disabled="actionInProgress.has(selectedContainer.name)"
             aria-label="Update blocked by security scan"
             @click="confirmForceUpdate(selectedContainer.name)">
             <AppIcon name="lock" :size="12" />
             Blocked
-          </button>
-          <button
+          </AppButton>
+          <AppButton size="none" variant="plain" weight="none"
             v-else-if="selectedContainer.newTag"
-            class="flex items-center gap-1.5 px-3 py-1.5 dd-rounded text-[0.6875rem] font-bold transition-colors"
-            :class="actionInProgress === selectedContainer.name ? 'opacity-50 cursor-not-allowed' : ''"
+            class="flex items-center gap-1.5 px-3 py-1.5 dd-rounded text-2xs-plus font-bold transition-colors"
+            :class="actionInProgress.has(selectedContainer.name) ? 'opacity-50 cursor-not-allowed' : ''"
             :style="{ backgroundColor: 'var(--dd-success-muted)', color: 'var(--dd-success)', border: '1px solid var(--dd-success)' }"
-            :disabled="actionInProgress === selectedContainer.name"
+            :disabled="actionInProgress.has(selectedContainer.name)"
             aria-label="Update container"
             @click="confirmUpdate(selectedContainer.name)">
-            <AppIcon :name="actionInProgress === selectedContainer.name ? 'spinner' : 'cloud-download'" :size="12" :class="actionInProgress === selectedContainer.name ? 'dd-spin' : ''" />
+            <AppIcon :name="actionInProgress.has(selectedContainer.name) ? 'spinner' : 'cloud-download'" :size="12" :class="actionInProgress.has(selectedContainer.name) ? 'dd-spin' : ''" />
             Update
-          </button>
-          <button
-            class="flex items-center gap-1.5 px-3 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors"
-            :class="actionInProgress === selectedContainer.name ? 'opacity-50 cursor-not-allowed' : ''"
+          </AppButton>
+          <AppButton size="none" variant="plain" weight="none"
+            class="flex items-center gap-1.5 px-3 py-1.5 dd-rounded text-2xs-plus font-semibold transition-colors"
+            :class="actionInProgress.has(selectedContainer.name) ? 'opacity-50 cursor-not-allowed' : ''"
             :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)', border: '1px solid var(--dd-danger)' }"
-            :disabled="actionInProgress === selectedContainer.name"
+            :disabled="actionInProgress.has(selectedContainer.name)"
             aria-label="Delete container"
             @click="confirmDelete(selectedContainer.name)">
-            <AppIcon :name="actionInProgress === selectedContainer.name ? 'spinner' : 'trash'" :size="12" :class="actionInProgress === selectedContainer.name ? 'dd-spin' : ''" />
+            <AppIcon :name="actionInProgress.has(selectedContainer.name) ? 'spinner' : 'trash'" :size="12" :class="actionInProgress.has(selectedContainer.name) ? 'dd-spin' : ''" />
             Delete
-          </button>
+          </AppButton>
         </div>
       </div>
 
-      <div class="flex overflow-x-auto scrollbar-hide px-5 gap-1" :style="{ borderTop: '1px solid var(--dd-border)' }">
-        <button
-          v-for="tab in detailTabs"
-          :key="tab.id"
-          class="whitespace-nowrap shrink-0 px-4 py-3 text-xs font-medium transition-colors relative"
-          :class="activeDetailTab === tab.id ? 'text-drydock-secondary' : 'dd-text-muted hover:dd-text'"
-          @click="activeDetailTab = tab.id">
-          <AppIcon :name="tab.icon" :size="12" class="mr-1.5" />
-          {{ tab.label }}
-          <div
-            v-if="activeDetailTab === tab.id"
-            class="absolute bottom-0 left-0 right-0 h-[2px] bg-drydock-secondary rounded-t-full" />
-        </button>
+      <div class="px-5">
+        <AppTabBar
+          :tabs="detailTabs"
+          :model-value="activeDetailTab"
+          @update:model-value="activeDetailTab = $event" />
       </div>
     </div>
 
@@ -186,9 +179,10 @@ const {
       :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)', border: '1px solid var(--dd-danger)' }">
       <AppIcon name="warning" :size="14" class="shrink-0" />
       <span class="min-w-0 break-words">{{ error }}</span>
-      <button class="ml-auto shrink-0 hover:opacity-70 transition-opacity" aria-label="Dismiss error" @click="error = null">
-        <AppIcon name="x" :size="12" />
-      </button>
+      <AppIconButton icon="x" size="toolbar" variant="plain"
+              class="ml-auto shrink-0 hover:opacity-70"
+              aria-label="Dismiss error"
+              @click="error = null" />
     </div>
 
     <ContainerFullPageTabContent />
diff --git a/ui/src/components/containers/ContainerFullPageEnvironmentTab.vue b/ui/src/components/containers/ContainerFullPageEnvironmentTab.vue
new file mode 100644
index 000000000..58f0706c3
--- /dev/null
+++ b/ui/src/components/containers/ContainerFullPageEnvironmentTab.vue
@@ -0,0 +1,111 @@
+<script setup lang="ts">
+import { reactive, ref } from 'vue';
+import AppButton from '../AppButton.vue';
+import { revealContainerEnv } from '../../services/container';
+import { errorMessage } from '../../utils/error';
+import { useContainersViewTemplateContext } from './containersViewTemplateContext';
+
+interface RevealEnvResponse {
+  env?: Array<{ key: string; value: string }>;
+}
+
+const revealedEnvCache = reactive(new Map<string, Map<string, string>>());
+const revealedKeys = reactive(new Set<string>());
+const envRevealLoading = ref(false);
+
+function revealCacheKey(containerId: string, key: string) {
+  return `${containerId}:${key}`;
+}
+
+async function toggleReveal(containerId: string, key: string) {
+  const cacheKey = revealCacheKey(containerId, key);
+
+  if (revealedKeys.has(cacheKey)) {
+    revealedKeys.delete(cacheKey);
+    return;
+  }
+
+  const cached = revealedEnvCache.get(containerId);
+  if (cached?.has(key)) {
+    revealedKeys.add(cacheKey);
+    return;
+  }
+
+  envRevealLoading.value = true;
+  try {
+    const result: RevealEnvResponse = await revealContainerEnv(containerId);
+    const envMap = new Map<string, string>();
+    for (const entry of result.env || []) {
+      envMap.set(entry.key, entry.value);
+    }
+    revealedEnvCache.set(containerId, envMap);
+    revealedKeys.add(cacheKey);
+  } catch (error: unknown) {
+    void errorMessage(error);
+    // silently fail - user can retry
+  } finally {
+    envRevealLoading.value = false;
+  }
+}
+
+function getRevealedValue(containerId: string, key: string): string | undefined {
+  const cacheKey = revealCacheKey(containerId, key);
+  if (!revealedKeys.has(cacheKey)) return undefined;
+  return revealedEnvCache.get(containerId)?.get(key);
+}
+
+const { selectedContainer } = useContainersViewTemplateContext();
+</script>
+
+<template>
+  <div class="grid grid-cols-1 lg:grid-cols-2 gap-4">
+    <div class="dd-rounded overflow-hidden"
+          :style="{ backgroundColor: 'var(--dd-bg-card)' }">
+      <div class="px-4 py-3 flex items-center gap-2">
+        <AppIcon name="config" :size="12" class="dd-text-muted" />
+        <span class="text-2xs-plus font-semibold uppercase tracking-wider dd-text-muted">Environment Variables</span>
+        <span class="badge text-3xs ml-auto dd-bg-elevated dd-text-muted">{{ selectedContainer.details.env.length }}</span>
+      </div>
+      <div class="p-4">
+        <div v-if="selectedContainer.details.env.length > 0" class="space-y-1.5">
+          <div v-for="e in selectedContainer.details.env" :key="e.key"
+                class="flex items-center gap-2 px-3 py-2 dd-rounded text-xs font-mono"
+                :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+            <span class="font-semibold shrink-0 text-drydock-secondary">{{ e.key }}</span>
+            <span class="dd-text-muted">=</span>
+            <span v-if="!e.sensitive" class="truncate dd-text">{{ e.value }}</span>
+            <template v-else>
+              <span v-if="getRevealedValue(selectedContainer.id, e.key)" class="truncate dd-text">{{ getRevealedValue(selectedContainer.id, e.key) }}</span>
+              <span v-else class="truncate dd-text-muted">&#x2022;&#x2022;&#x2022;&#x2022;&#x2022;</span>
+              <AppButton size="none" variant="plain" weight="none" class="shrink-0 p-0.5 dd-text-muted hover:dd-text transition-colors"
+                      :disabled="envRevealLoading"
+                      @click="toggleReveal(selectedContainer.id, e.key)">
+                <AppIcon :name="getRevealedValue(selectedContainer.id, e.key) ? 'eye-slash' : 'eye'" :size="11" />
+              </AppButton>
+            </template>
+          </div>
+        </div>
+        <p v-else class="text-xs dd-text-muted italic">No environment variables configured</p>
+      </div>
+    </div>
+    <div class="dd-rounded overflow-hidden"
+          :style="{ backgroundColor: 'var(--dd-bg-card)' }">
+      <div class="px-4 py-3 flex items-center gap-2">
+        <AppIcon name="hard-drive" :size="12" class="dd-text-muted" />
+        <span class="text-2xs-plus font-semibold uppercase tracking-wider dd-text-muted">Volumes</span>
+        <span class="badge text-3xs ml-auto dd-bg-elevated dd-text-muted">{{ selectedContainer.details.volumes.length }}</span>
+      </div>
+      <div class="p-4">
+        <div v-if="selectedContainer.details.volumes.length > 0" class="space-y-1.5">
+          <div v-for="vol in selectedContainer.details.volumes" :key="vol"
+                class="flex items-center gap-2 px-3 py-2 dd-rounded text-xs font-mono"
+                :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+            <AppIcon name="hard-drive" :size="10" class="dd-text-muted" />
+            <span class="truncate dd-text">{{ vol }}</span>
+          </div>
+        </div>
+        <p v-else class="text-xs dd-text-muted italic">No volumes mounted</p>
+      </div>
+    </div>
+  </div>
+</template>
diff --git a/ui/src/components/containers/ContainerFullPageLabelsTab.vue b/ui/src/components/containers/ContainerFullPageLabelsTab.vue
new file mode 100644
index 000000000..0780ab40b
--- /dev/null
+++ b/ui/src/components/containers/ContainerFullPageLabelsTab.vue
@@ -0,0 +1,31 @@
+<script setup lang="ts">
+import { useContainersViewTemplateContext } from './containersViewTemplateContext';
+
+const { selectedContainer } = useContainersViewTemplateContext();
+</script>
+
+<template>
+  <div>
+    <div class="dd-rounded overflow-hidden"
+          :style="{ backgroundColor: 'var(--dd-bg-card)' }">
+      <div class="px-4 py-3 flex items-center gap-2">
+        <AppIcon name="containers" :size="12" class="dd-text-muted" />
+        <span class="text-2xs-plus font-semibold uppercase tracking-wider dd-text-muted">Labels</span>
+        <span class="badge text-3xs ml-auto dd-bg-elevated dd-text-muted">{{ selectedContainer.details.labels.length }}</span>
+      </div>
+      <div class="p-4">
+        <div v-if="selectedContainer.details.labels.length > 0" class="flex flex-wrap gap-2">
+          <span v-for="label in selectedContainer.details.labels" :key="label"
+                class="badge text-2xs-plus font-semibold px-3 py-1.5"
+                :style="{
+                  backgroundColor: 'var(--dd-neutral-muted)',
+                  color: 'var(--dd-text-secondary)',
+                }">
+            {{ label }}
+          </span>
+        </div>
+        <p v-else class="text-xs dd-text-muted italic">No labels assigned</p>
+      </div>
+    </div>
+  </div>
+</template>
diff --git a/ui/src/components/containers/ContainerFullPageOverviewTab.vue b/ui/src/components/containers/ContainerFullPageOverviewTab.vue
new file mode 100644
index 000000000..a62e04337
--- /dev/null
+++ b/ui/src/components/containers/ContainerFullPageOverviewTab.vue
@@ -0,0 +1,416 @@
+<script setup lang="ts">
+import AppButton from '../AppButton.vue';
+import UpdateMaturityBadge from './UpdateMaturityBadge.vue';
+import SuggestedTagBadge from './SuggestedTagBadge.vue';
+import ReleaseNotesLink from './ReleaseNotesLink.vue';
+import { useContainersViewTemplateContext } from './containersViewTemplateContext';
+
+const {
+  selectedContainer,
+  selectedRuntimeOrigins,
+  runtimeOriginStyle,
+  runtimeOriginLabel,
+  selectedRuntimeDriftWarnings,
+  selectedComposePaths,
+  selectedLifecycleHooks,
+  lifecycleHookTemplateVariables,
+  selectedAutoRollbackConfig,
+  formatTimestamp,
+  detailVulnerabilityLoading,
+  detailSbomLoading,
+  loadDetailSecurityData,
+  detailVulnerabilityError,
+  vulnerabilitySummary,
+  vulnerabilityTotal,
+  vulnerabilityPreview,
+  severityStyle,
+  normalizeSeverity,
+  getVulnerabilityPackage,
+  selectedSbomFormat,
+  loadDetailSbom,
+  detailSbomError,
+  sbomDocument,
+  sbomComponentCount,
+  sbomGeneratedAt,
+  registryColorBg,
+  registryColorText,
+  registryLabel,
+  updateKindColor,
+} = useContainersViewTemplateContext();
+</script>
+
+<template>
+  <div class="grid grid-cols-1 lg:grid-cols-2 gap-4">
+    <!-- Ports card -->
+    <div class="dd-rounded overflow-hidden"
+          :style="{ backgroundColor: 'var(--dd-bg-card)' }">
+      <div class="px-4 py-3 flex items-center gap-2">
+        <AppIcon name="network" :size="12" class="dd-text-muted" />
+        <span class="text-2xs-plus font-semibold uppercase tracking-wider dd-text-muted">Ports</span>
+        <span class="badge text-3xs ml-auto dd-bg-elevated dd-text-muted">{{ selectedContainer.details.ports.length }}</span>
+      </div>
+      <div class="p-4">
+        <div v-if="selectedContainer.details.ports.length > 0" class="space-y-1.5">
+          <div v-for="port in selectedContainer.details.ports" :key="port"
+                class="flex items-center gap-2 px-3 py-2 dd-rounded text-xs font-mono"
+                :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+            <AppIcon name="network" :size="10" class="dd-text-muted" />
+            <span class="dd-text">{{ port }}</span>
+          </div>
+        </div>
+        <p v-else class="text-2xs-plus dd-text-muted italic">No ports exposed</p>
+      </div>
+    </div>
+
+    <!-- Volumes card -->
+    <div class="dd-rounded overflow-hidden"
+          :style="{ backgroundColor: 'var(--dd-bg-card)' }">
+      <div class="px-4 py-3 flex items-center gap-2">
+        <AppIcon name="hard-drive" :size="12" class="dd-text-muted" />
+        <span class="text-2xs-plus font-semibold uppercase tracking-wider dd-text-muted">Volumes</span>
+        <span class="badge text-3xs ml-auto dd-bg-elevated dd-text-muted">{{ selectedContainer.details.volumes.length }}</span>
+      </div>
+      <div class="p-4">
+        <div v-if="selectedContainer.details.volumes.length > 0" class="space-y-1.5">
+          <div v-for="vol in selectedContainer.details.volumes" :key="vol"
+                class="flex items-center gap-2 px-3 py-2 dd-rounded text-xs font-mono"
+                :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+            <AppIcon name="hard-drive" :size="10" class="dd-text-muted" />
+            <span class="truncate dd-text">{{ vol }}</span>
+          </div>
+        </div>
+        <p v-else class="text-2xs-plus dd-text-muted italic">No volumes mounted</p>
+      </div>
+    </div>
+
+    <!-- Compose files card -->
+    <div v-if="selectedComposePaths.length > 0"
+          class="dd-rounded overflow-hidden"
+          :style="{ backgroundColor: 'var(--dd-bg-card)' }">
+      <div class="px-4 py-3 flex items-center gap-2">
+        <AppIcon name="stack" :size="12" class="dd-text-muted" />
+        <span class="text-2xs-plus font-semibold uppercase tracking-wider dd-text-muted">Compose Files</span>
+        <span class="badge text-3xs ml-auto dd-bg-elevated dd-text-muted">{{ selectedComposePaths.length }}</span>
+      </div>
+      <div class="p-4">
+        <div class="space-y-1.5">
+          <div
+            v-for="(composePath, index) in selectedComposePaths"
+            :key="`${composePath}-${index}`"
+            class="flex items-center gap-2 px-3 py-2 dd-rounded text-xs font-mono"
+            :style="{ backgroundColor: 'var(--dd-bg-inset)' }"
+          >
+            <span v-if="selectedComposePaths.length > 1" class="text-3xs dd-text-muted">#{{ index + 1 }}</span>
+            <span class="truncate dd-text">{{ composePath }}</span>
+          </div>
+        </div>
+      </div>
+    </div>
+
+    <!-- Version card -->
+    <div class="dd-rounded overflow-hidden"
+          :style="{ backgroundColor: 'var(--dd-bg-card)' }">
+      <div class="px-4 py-3 flex items-center gap-2">
+        <AppIcon name="updates" :size="12" class="dd-text-muted" />
+        <span class="text-2xs-plus font-semibold uppercase tracking-wider dd-text-muted">Version</span>
+      </div>
+      <div class="p-4 space-y-3">
+        <div class="flex items-center gap-3 px-3 py-2 dd-rounded text-xs font-mono"
+              :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+          <span class="dd-text-secondary">Current:</span>
+          <CopyableTag :tag="selectedContainer.currentTag" class="font-bold dd-text">{{ selectedContainer.currentTag }}</CopyableTag>
+        </div>
+        <div v-if="selectedContainer.newTag" class="flex items-center gap-3 px-3 py-2 dd-rounded text-xs font-mono"
+              :style="{ backgroundColor: 'var(--dd-success-muted)' }">
+          <span style="color: var(--dd-success);">Latest:</span>
+          <CopyableTag :tag="selectedContainer.newTag!" class="font-bold" style="color: var(--dd-success);">{{ selectedContainer.newTag }}</CopyableTag>
+          <span class="badge text-3xs"
+                :style="{ backgroundColor: updateKindColor(selectedContainer.updateKind).bg, color: updateKindColor(selectedContainer.updateKind).text }">
+            {{ selectedContainer.updateKind }}
+          </span>
+        </div>
+        <div v-else class="flex items-center gap-2 px-3 py-2 dd-rounded text-xs"
+              :style="{ backgroundColor: 'var(--dd-success-muted)' }">
+          <AppIcon name="up-to-date" :size="11" style="color: var(--dd-success);" />
+          <span class="font-medium" style="color: var(--dd-success);">Up to date</span>
+        </div>
+        <div
+          v-if="!selectedContainer.newTag && selectedContainer.noUpdateReason"
+          class="flex items-start gap-2 px-3 py-2 dd-rounded text-xs"
+          :style="{ backgroundColor: 'var(--dd-warning-muted)' }"
+        >
+          <AppIcon name="warning" :size="12" class="shrink-0 mt-0.5" style="color: var(--dd-warning);" />
+          <span class="flex-1 min-w-0 whitespace-normal break-words" style="color: var(--dd-warning);">{{ selectedContainer.noUpdateReason }}</span>
+        </div>
+        <div v-if="selectedContainer.updateKind || selectedContainer.updateMaturity || selectedContainer.suggestedTag" class="flex items-center gap-1.5 flex-wrap">
+          <UpdateMaturityBadge :maturity="selectedContainer.updateMaturity" :tooltip="selectedContainer.updateMaturityTooltip" />
+          <SuggestedTagBadge :tag="selectedContainer.suggestedTag" :current-tag="selectedContainer.currentTag" />
+        </div>
+        <ReleaseNotesLink :release-notes="selectedContainer.releaseNotes" :release-link="selectedContainer.releaseLink" />
+        <div class="pt-1 space-y-1.5">
+          <div class="text-2xs font-semibold uppercase tracking-wider dd-text-muted">Tag Filters</div>
+          <div class="flex items-start gap-2 px-3 py-2 dd-rounded text-2xs-plus"
+                :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+            <span class="dd-text-secondary shrink-0">Include:</span>
+            <span class="font-mono dd-text break-all">{{ selectedContainer.includeTags || 'Not set' }}</span>
+          </div>
+          <div class="flex items-start gap-2 px-3 py-2 dd-rounded text-2xs-plus"
+                :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+            <span class="dd-text-secondary shrink-0">Exclude:</span>
+            <span class="font-mono dd-text break-all">{{ selectedContainer.excludeTags || 'Not set' }}</span>
+          </div>
+          <div class="flex items-start gap-2 px-3 py-2 dd-rounded text-2xs-plus"
+                :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+            <span class="dd-text-secondary shrink-0">Transform:</span>
+            <span class="font-mono dd-text break-all">{{ selectedContainer.transformTags || 'Not set' }}</span>
+          </div>
+        </div>
+        <div class="pt-1 space-y-1.5">
+          <div class="text-2xs font-semibold uppercase tracking-wider dd-text-muted">Trigger Filters</div>
+          <div class="flex items-start gap-2 px-3 py-2 dd-rounded text-2xs-plus"
+                :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+            <span class="dd-text-secondary shrink-0">Include:</span>
+            <span class="font-mono dd-text break-all">{{ selectedContainer.triggerInclude || 'Not set' }}</span>
+          </div>
+          <div class="flex items-start gap-2 px-3 py-2 dd-rounded text-2xs-plus"
+                :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+            <span class="dd-text-secondary shrink-0">Exclude:</span>
+            <span class="font-mono dd-text break-all">{{ selectedContainer.triggerExclude || 'Not set' }}</span>
+          </div>
+        </div>
+      </div>
+    </div>
+
+    <!-- Registry card -->
+    <div class="dd-rounded overflow-hidden"
+          :style="{ backgroundColor: 'var(--dd-bg-card)' }">
+      <div class="px-4 py-3 flex items-center gap-2">
+        <AppIcon name="registries" :size="12" class="dd-text-muted" />
+        <span class="text-2xs-plus font-semibold uppercase tracking-wider dd-text-muted">Registry</span>
+      </div>
+      <div class="p-4">
+        <div class="flex items-center gap-3 px-3 py-2 dd-rounded text-xs"
+              :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+          <span class="badge text-3xs uppercase font-bold"
+                :style="{ backgroundColor: registryColorBg(selectedContainer.registry), color: registryColorText(selectedContainer.registry) }">
+            {{ registryLabel(selectedContainer.registry, selectedContainer.registryUrl, selectedContainer.registryName) }}
+          </span>
+          <span class="font-mono dd-text-secondary">{{ selectedContainer.image }}</span>
+        </div>
+        <div v-if="selectedContainer.registryError"
+              class="mt-3 flex items-start gap-2 px-3 py-2 dd-rounded text-xs"
+              :style="{ backgroundColor: 'var(--dd-danger-muted)' }">
+          <AppIcon name="warning" :size="12" class="shrink-0 mt-0.5" style="color: var(--dd-danger);" />
+          <span class="flex-1 min-w-0 whitespace-normal break-words" style="color: var(--dd-danger);">{{ selectedContainer.registryError }}</span>
+        </div>
+      </div>
+    </div>
+
+    <!-- Runtime process card -->
+    <div class="dd-rounded overflow-hidden"
+          :style="{ backgroundColor: 'var(--dd-bg-card)' }">
+      <div class="px-4 py-3 flex items-center gap-2">
+        <AppIcon name="terminal" :size="12" class="dd-text-muted" />
+        <span class="text-2xs-plus font-semibold uppercase tracking-wider dd-text-muted">Runtime Process</span>
+      </div>
+      <div class="p-4 space-y-2">
+        <div class="flex items-center justify-between gap-3 px-3 py-2 dd-rounded text-xs"
+              :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+          <span class="dd-text-secondary">Entrypoint</span>
+          <span class="badge text-2xs font-bold uppercase"
+                :style="runtimeOriginStyle(selectedRuntimeOrigins.entrypoint)">
+            {{ runtimeOriginLabel(selectedRuntimeOrigins.entrypoint) }}
+          </span>
+        </div>
+        <div class="flex items-center justify-between gap-3 px-3 py-2 dd-rounded text-xs"
+              :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+          <span class="dd-text-secondary">Cmd</span>
+          <span class="badge text-2xs font-bold uppercase"
+                :style="runtimeOriginStyle(selectedRuntimeOrigins.cmd)">
+            {{ runtimeOriginLabel(selectedRuntimeOrigins.cmd) }}
+          </span>
+        </div>
+        <div v-if="selectedRuntimeDriftWarnings.length > 0" class="space-y-1.5">
+          <div v-for="warning in selectedRuntimeDriftWarnings" :key="warning"
+                class="flex items-start gap-2 px-3 py-2 dd-rounded text-xs"
+                :style="{ backgroundColor: 'var(--dd-warning-muted)' }">
+            <AppIcon name="warning" :size="12" class="shrink-0 mt-0.5" style="color: var(--dd-warning);" />
+            <span class="flex-1 min-w-0 whitespace-normal break-words" style="color: var(--dd-warning);">{{ warning }}</span>
+          </div>
+        </div>
+      </div>
+    </div>
+
+    <!-- Lifecycle hooks card -->
+    <div class="dd-rounded overflow-hidden"
+          :style="{ backgroundColor: 'var(--dd-bg-card)' }">
+      <div class="px-4 py-3 flex items-center gap-2">
+        <AppIcon name="triggers" :size="12" class="dd-text-muted" />
+        <span class="text-2xs-plus font-semibold uppercase tracking-wider dd-text-muted">Lifecycle Hooks</span>
+      </div>
+      <div class="p-4 space-y-2">
+        <div class="flex items-start justify-between gap-3 px-3 py-2 dd-rounded text-xs"
+              :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+          <span class="dd-text-secondary shrink-0">Pre-update</span>
+          <span class="font-mono dd-text text-right break-all">{{ selectedLifecycleHooks.preUpdate || 'Not configured' }}</span>
+        </div>
+        <div class="flex items-start justify-between gap-3 px-3 py-2 dd-rounded text-xs"
+              :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+          <span class="dd-text-secondary shrink-0">Post-update</span>
+          <span class="font-mono dd-text text-right break-all">{{ selectedLifecycleHooks.postUpdate || 'Not configured' }}</span>
+        </div>
+        <div class="flex items-center justify-between gap-3 px-3 py-2 dd-rounded text-xs"
+              :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+          <span class="dd-text-secondary">Timeout</span>
+          <span class="font-mono dd-text">{{ selectedLifecycleHooks.timeoutLabel }}</span>
+        </div>
+        <div v-if="selectedLifecycleHooks.preAbortBehavior"
+              class="px-3 py-2 dd-rounded text-xs"
+              :style="{ backgroundColor: 'var(--dd-info-muted)' }">
+          <span style="color: var(--dd-info);">{{ selectedLifecycleHooks.preAbortBehavior }}</span>
+        </div>
+        <div class="px-3 py-2 dd-rounded text-xs"
+              :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+          <div class="dd-text-secondary mb-1">Template Variables</div>
+          <div class="space-y-1">
+            <div v-for="variable in lifecycleHookTemplateVariables" :key="variable.name"
+                  class="flex items-start justify-between gap-3">
+              <span class="font-mono dd-text">{{ variable.name }}</span>
+              <span class="dd-text-muted text-right">{{ variable.description }}</span>
+            </div>
+          </div>
+        </div>
+      </div>
+    </div>
+
+    <!-- Auto-rollback card -->
+    <div class="dd-rounded overflow-hidden"
+          :style="{ backgroundColor: 'var(--dd-bg-card)' }">
+      <div class="px-4 py-3 flex items-center gap-2">
+        <AppIcon name="recent-updates" :size="12" class="dd-text-muted" />
+        <span class="text-2xs-plus font-semibold uppercase tracking-wider dd-text-muted">Auto-Rollback</span>
+      </div>
+      <div class="p-4 space-y-2">
+        <div class="flex items-center justify-between gap-3 px-3 py-2 dd-rounded text-xs"
+              :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+          <span class="dd-text-secondary">Status</span>
+          <span class="font-mono dd-text">{{ selectedAutoRollbackConfig.enabledLabel }}</span>
+        </div>
+        <div class="flex items-center justify-between gap-3 px-3 py-2 dd-rounded text-xs"
+              :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+          <span class="dd-text-secondary">Window</span>
+          <span class="font-mono dd-text">{{ selectedAutoRollbackConfig.windowLabel }}</span>
+        </div>
+        <div class="flex items-center justify-between gap-3 px-3 py-2 dd-rounded text-xs"
+              :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+          <span class="dd-text-secondary">Interval</span>
+          <span class="font-mono dd-text">{{ selectedAutoRollbackConfig.intervalLabel }}</span>
+        </div>
+      </div>
+    </div>
+
+    <!-- Security card -->
+    <div class="dd-rounded overflow-hidden"
+          :style="{ backgroundColor: 'var(--dd-bg-card)' }">
+      <div class="px-4 py-3 flex items-center gap-2">
+        <AppIcon name="security" :size="12" class="dd-text-muted" />
+        <span class="text-2xs-plus font-semibold uppercase tracking-wider dd-text-muted">Security</span>
+        <AppButton size="xs" class="ml-auto" :disabled="detailVulnerabilityLoading || detailSbomLoading"
+                @click="loadDetailSecurityData">
+          {{ detailVulnerabilityLoading || detailSbomLoading ? 'Refreshing...' : 'Refresh' }}
+        </AppButton>
+      </div>
+      <div class="p-4 space-y-3">
+        <div v-if="detailVulnerabilityLoading"
+              class="px-3 py-2 dd-rounded text-xs dd-text-muted"
+              :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+          Loading vulnerability data...
+        </div>
+        <div v-else-if="detailVulnerabilityError"
+              class="px-3 py-2 dd-rounded text-xs"
+              :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }">
+          {{ detailVulnerabilityError }}
+        </div>
+        <template v-else>
+          <div class="flex items-center gap-2 flex-wrap text-2xs-plus">
+            <span class="badge text-2xs font-bold"
+                  :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }">
+              critical {{ vulnerabilitySummary.critical }}
+            </span>
+            <span class="badge text-2xs font-bold"
+                  :style="{ backgroundColor: 'var(--dd-warning-muted)', color: 'var(--dd-warning)' }">
+              high {{ vulnerabilitySummary.high }}
+            </span>
+            <span class="badge text-2xs font-bold"
+                  :style="{ backgroundColor: 'var(--dd-caution-muted)', color: 'var(--dd-caution)' }">
+              medium {{ vulnerabilitySummary.medium }}
+            </span>
+            <span class="badge text-2xs font-bold"
+                  :style="{ backgroundColor: 'var(--dd-info-muted)', color: 'var(--dd-info)' }">
+              low {{ vulnerabilitySummary.low }}
+            </span>
+            <span class="dd-text-muted ml-auto">{{ vulnerabilityTotal }} total</span>
+          </div>
+          <div v-if="vulnerabilityPreview.length > 0" class="space-y-1.5">
+            <div v-for="vulnerability in vulnerabilityPreview" :key="vulnerability.id"
+                  class="flex items-center gap-2 px-3 py-2 dd-rounded text-2xs-plus"
+                  :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+              <span class="badge text-3xs font-bold uppercase"
+                    :style="{
+                      backgroundColor: severityStyle(normalizeSeverity(vulnerability.severity)).bg,
+                      color: severityStyle(normalizeSeverity(vulnerability.severity)).text,
+                    }">
+                {{ normalizeSeverity(vulnerability.severity) }}
+              </span>
+              <span class="font-mono dd-text truncate">{{ vulnerability.id }}</span>
+              <span class="dd-text-muted truncate ml-auto">{{ getVulnerabilityPackage(vulnerability) }}</span>
+            </div>
+          </div>
+          <p v-else class="text-xs dd-text-muted italic">No vulnerabilities reported for this container.</p>
+        </template>
+
+        <div class="pt-1 space-y-1.5"
+              :style="{ borderTop: '1px solid var(--dd-border)' }">
+          <div class="flex items-center gap-2">
+            <select v-model="selectedSbomFormat"
+                    class="px-2 py-1 dd-rounded text-2xs font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text">
+              <option value="spdx-json">spdx-json</option>
+              <option value="cyclonedx-json">cyclonedx-json</option>
+            </select>
+            <AppButton size="xs" :disabled="detailSbomLoading"
+                    @click="loadDetailSbom">
+              {{ detailSbomLoading ? 'Loading SBOM...' : 'Refresh SBOM' }}
+            </AppButton>
+          </div>
+          <div v-if="detailSbomError"
+                class="px-3 py-2 dd-rounded text-xs"
+                :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }">
+            {{ detailSbomError }}
+          </div>
+          <div v-else-if="detailSbomLoading"
+                class="px-3 py-2 dd-rounded text-xs dd-text-muted"
+                :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+            Loading SBOM document...
+          </div>
+          <div v-else-if="sbomDocument"
+                class="px-3 py-2 dd-rounded text-2xs-plus space-y-1"
+                :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+            <div class="dd-text-muted">
+              format:
+              <span class="dd-text font-mono">{{ selectedSbomFormat }}</span>
+            </div>
+            <div v-if="typeof sbomComponentCount === 'number'" class="dd-text-muted">
+              components:
+              <span class="dd-text">{{ sbomComponentCount }}</span>
+            </div>
+            <div v-if="sbomGeneratedAt" class="dd-text-muted">
+              generated:
+              <span class="dd-text">{{ formatTimestamp(sbomGeneratedAt) }}</span>
+            </div>
+          </div>
+          <p v-else class="text-xs dd-text-muted italic">SBOM document is not available yet.</p>
+        </div>
+      </div>
+    </div>
+  </div>
+</template>
diff --git a/ui/src/components/containers/ContainerFullPageTabContent.vue b/ui/src/components/containers/ContainerFullPageTabContent.vue
index ff7c99add..560d9e4b4 100644
--- a/ui/src/components/containers/ContainerFullPageTabContent.vue
+++ b/ui/src/components/containers/ContainerFullPageTabContent.vue
@@ -1,8 +1,21 @@
 <script setup lang="ts">
 import { reactive, ref } from 'vue';
+import AppBadge from '@/components/AppBadge.vue';
+import AppButton from '../AppButton.vue';
+import ContainerLogs from './ContainerLogs.vue';
+import ContainerStats from './ContainerStats.vue';
+import UpdateMaturityBadge from './UpdateMaturityBadge.vue';
+import SuggestedTagBadge from './SuggestedTagBadge.vue';
+import FloatingTagBadge from './FloatingTagBadge.vue';
+import ReleaseNotesLink from './ReleaseNotesLink.vue';
 import { revealContainerEnv } from '../../services/container';
+import { errorMessage } from '../../utils/error';
 import { useContainersViewTemplateContext } from './containersViewTemplateContext';
 
+interface RevealEnvResponse {
+  env?: Array<{ key: string; value: string }>;
+}
+
 const revealedEnvCache = reactive(new Map<string, Map<string, string>>());
 const revealedKeys = reactive(new Set<string>());
 const envRevealLoading = ref(false);
@@ -27,14 +40,15 @@ async function toggleReveal(containerId: string, key: string) {
 
   envRevealLoading.value = true;
   try {
-    const result = await revealContainerEnv(containerId);
+    const result: RevealEnvResponse = await revealContainerEnv(containerId);
     const envMap = new Map<string, string>();
     for (const entry of result.env || []) {
       envMap.set(entry.key, entry.value);
     }
     revealedEnvCache.set(containerId, envMap);
     revealedKeys.add(cacheKey);
-  } catch {
+  } catch (error: unknown) {
+    void errorMessage(error);
     // silently fail — user can retry
   } finally {
     envRevealLoading.value = false;
@@ -76,13 +90,6 @@ const {
   sbomDocument,
   sbomComponentCount,
   sbomGeneratedAt,
-  LOG_AUTO_FETCH_INTERVALS,
-  containerAutoFetchInterval,
-  getContainerLogs,
-  containerLogRef,
-  containerHandleLogScroll,
-  containerScrollBlocked,
-  containerResumeAutoScroll,
   previewLoading,
   runContainerPreview,
   actionInProgress,
@@ -104,7 +111,7 @@ const {
   maturityMinAgeDaysInput,
   setMaturityPolicySelected,
   clearMaturityPolicySelected,
-  clearPolicySelected,
+  confirmClearPolicy,
   policyMessage,
   policyError,
   removeSkipTagSelected,
@@ -144,7 +151,11 @@ const {
 
 <template>
       <!-- Full-page tab content -->
-      <div class="flex-1 overflow-y-auto min-h-0" data-test="container-full-page-tab-content">
+      <div
+        class="flex-1 min-h-0"
+        :class="activeDetailTab === 'logs' ? 'flex flex-col overflow-hidden' : 'overflow-y-auto'"
+        data-test="container-full-page-tab-content"
+      >
 
         <!-- Overview tab (full page) -->
         <div v-if="activeDetailTab === 'overview'" class="grid grid-cols-1 lg:grid-cols-2 gap-4">
@@ -153,8 +164,8 @@ const {
                :style="{ backgroundColor: 'var(--dd-bg-card)' }">
             <div class="px-4 py-3 flex items-center gap-2">
               <AppIcon name="network" :size="12" class="dd-text-muted" />
-              <span class="text-[0.6875rem] font-semibold uppercase tracking-wider dd-text-muted">Ports</span>
-              <span class="badge text-[0.5625rem] ml-auto dd-bg-elevated dd-text-muted">{{ selectedContainer.details.ports.length }}</span>
+              <span class="dd-text-label dd-text-muted">Ports</span>
+              <span class="badge text-3xs ml-auto dd-bg-elevated dd-text-muted">{{ selectedContainer.details.ports.length }}</span>
             </div>
             <div class="p-4">
               <div v-if="selectedContainer.details.ports.length > 0" class="space-y-1.5">
@@ -165,7 +176,7 @@ const {
                   <span class="dd-text">{{ port }}</span>
                 </div>
               </div>
-              <p v-else class="text-[0.6875rem] dd-text-muted italic">No ports exposed</p>
+              <p v-else class="text-2xs-plus dd-text-muted italic">No ports exposed</p>
             </div>
           </div>
 
@@ -174,8 +185,8 @@ const {
                :style="{ backgroundColor: 'var(--dd-bg-card)' }">
             <div class="px-4 py-3 flex items-center gap-2">
               <AppIcon name="hard-drive" :size="12" class="dd-text-muted" />
-              <span class="text-[0.6875rem] font-semibold uppercase tracking-wider dd-text-muted">Volumes</span>
-              <span class="badge text-[0.5625rem] ml-auto dd-bg-elevated dd-text-muted">{{ selectedContainer.details.volumes.length }}</span>
+              <span class="dd-text-label dd-text-muted">Volumes</span>
+              <span class="badge text-3xs ml-auto dd-bg-elevated dd-text-muted">{{ selectedContainer.details.volumes.length }}</span>
             </div>
             <div class="p-4">
               <div v-if="selectedContainer.details.volumes.length > 0" class="space-y-1.5">
@@ -186,7 +197,7 @@ const {
                   <span class="truncate dd-text">{{ vol }}</span>
                 </div>
               </div>
-              <p v-else class="text-[0.6875rem] dd-text-muted italic">No volumes mounted</p>
+              <p v-else class="text-2xs-plus dd-text-muted italic">No volumes mounted</p>
             </div>
           </div>
 
@@ -196,8 +207,8 @@ const {
                :style="{ backgroundColor: 'var(--dd-bg-card)' }">
             <div class="px-4 py-3 flex items-center gap-2">
               <AppIcon name="stack" :size="12" class="dd-text-muted" />
-              <span class="text-[0.6875rem] font-semibold uppercase tracking-wider dd-text-muted">Compose Files</span>
-              <span class="badge text-[0.5625rem] ml-auto dd-bg-elevated dd-text-muted">{{ selectedComposePaths.length }}</span>
+              <span class="dd-text-label dd-text-muted">Compose Files</span>
+              <span class="badge text-3xs ml-auto dd-bg-elevated dd-text-muted">{{ selectedComposePaths.length }}</span>
             </div>
             <div class="p-4">
               <div class="space-y-1.5">
@@ -207,7 +218,7 @@ const {
                   class="flex items-center gap-2 px-3 py-2 dd-rounded text-xs font-mono"
                   :style="{ backgroundColor: 'var(--dd-bg-inset)' }"
                 >
-                  <span v-if="selectedComposePaths.length > 1" class="text-[0.5625rem] dd-text-muted">#{{ index + 1 }}</span>
+                  <span v-if="selectedComposePaths.length > 1" class="text-3xs dd-text-muted">#{{ index + 1 }}</span>
                   <span class="truncate dd-text">{{ composePath }}</span>
                 </div>
               </div>
@@ -219,7 +230,7 @@ const {
                :style="{ backgroundColor: 'var(--dd-bg-card)' }">
             <div class="px-4 py-3 flex items-center gap-2">
               <AppIcon name="updates" :size="12" class="dd-text-muted" />
-              <span class="text-[0.6875rem] font-semibold uppercase tracking-wider dd-text-muted">Version</span>
+              <span class="dd-text-label dd-text-muted">Version</span>
             </div>
             <div class="p-4 space-y-3">
               <div class="flex items-center gap-3 px-3 py-2 dd-rounded text-xs font-mono"
@@ -231,10 +242,9 @@ const {
                    :style="{ backgroundColor: 'var(--dd-success-muted)' }">
                 <span style="color: var(--dd-success);">Latest:</span>
                 <CopyableTag :tag="selectedContainer.newTag!" class="font-bold" style="color: var(--dd-success);">{{ selectedContainer.newTag }}</CopyableTag>
-                <span class="badge text-[0.5625rem]"
-                      :style="{ backgroundColor: updateKindColor(selectedContainer.updateKind).bg, color: updateKindColor(selectedContainer.updateKind).text }">
+                <AppBadge size="xs" :custom="updateKindColor(selectedContainer.updateKind)">
                   {{ selectedContainer.updateKind }}
-                </span>
+                </AppBadge>
               </div>
               <div v-else class="flex items-center gap-2 px-3 py-2 dd-rounded text-xs"
                    :style="{ backgroundColor: 'var(--dd-success-muted)' }">
@@ -249,42 +259,41 @@ const {
                 <AppIcon name="warning" :size="12" class="shrink-0 mt-0.5" style="color: var(--dd-warning);" />
                 <span class="flex-1 min-w-0 whitespace-normal break-words" style="color: var(--dd-warning);">{{ selectedContainer.noUpdateReason }}</span>
               </div>
-              <a
-                v-if="selectedContainer.releaseLink"
-                :href="selectedContainer.releaseLink"
-                target="_blank"
-                rel="noopener noreferrer"
-                class="inline-flex items-center text-xs underline hover:no-underline"
-                style="color: var(--dd-info);"
-              >
-                Release notes
-              </a>
+              <div v-if="selectedContainer.updateKind || selectedContainer.updateMaturity || selectedContainer.suggestedTag || (selectedContainer.tagPrecision === 'floating' && !selectedContainer.imageDigestWatch)" class="flex items-center gap-1.5 flex-wrap">
+                <UpdateMaturityBadge :maturity="selectedContainer.updateMaturity" :tooltip="selectedContainer.updateMaturityTooltip" />
+                <SuggestedTagBadge :tag="selectedContainer.suggestedTag" :current-tag="selectedContainer.currentTag" />
+                <FloatingTagBadge
+                  :tag-precision="selectedContainer.tagPrecision"
+                  :image-digest-watch="selectedContainer.imageDigestWatch"
+                />
+              </div>
+              <ReleaseNotesLink :release-notes="selectedContainer.releaseNotes" :release-link="selectedContainer.releaseLink" />
               <div class="pt-1 space-y-1.5">
-                <div class="text-[0.625rem] font-semibold uppercase tracking-wider dd-text-muted">Tag Filters</div>
-                <div class="flex items-start gap-2 px-3 py-2 dd-rounded text-[0.6875rem]"
+                <div class="dd-text-label dd-text-muted">Tag Filters</div>
+                <div class="flex items-start gap-2 px-3 py-2 dd-rounded text-2xs-plus"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <span class="dd-text-secondary shrink-0">Include:</span>
                   <span class="font-mono dd-text break-all">{{ selectedContainer.includeTags || 'Not set' }}</span>
                 </div>
-                <div class="flex items-start gap-2 px-3 py-2 dd-rounded text-[0.6875rem]"
+                <div class="flex items-start gap-2 px-3 py-2 dd-rounded text-2xs-plus"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <span class="dd-text-secondary shrink-0">Exclude:</span>
                   <span class="font-mono dd-text break-all">{{ selectedContainer.excludeTags || 'Not set' }}</span>
                 </div>
-                <div class="flex items-start gap-2 px-3 py-2 dd-rounded text-[0.6875rem]"
+                <div class="flex items-start gap-2 px-3 py-2 dd-rounded text-2xs-plus"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <span class="dd-text-secondary shrink-0">Transform:</span>
                   <span class="font-mono dd-text break-all">{{ selectedContainer.transformTags || 'Not set' }}</span>
                 </div>
               </div>
               <div class="pt-1 space-y-1.5">
-                <div class="text-[0.625rem] font-semibold uppercase tracking-wider dd-text-muted">Trigger Filters</div>
-                <div class="flex items-start gap-2 px-3 py-2 dd-rounded text-[0.6875rem]"
+                <div class="dd-text-label dd-text-muted">Trigger Filters</div>
+                <div class="flex items-start gap-2 px-3 py-2 dd-rounded text-2xs-plus"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <span class="dd-text-secondary shrink-0">Include:</span>
                   <span class="font-mono dd-text break-all">{{ selectedContainer.triggerInclude || 'Not set' }}</span>
                 </div>
-                <div class="flex items-start gap-2 px-3 py-2 dd-rounded text-[0.6875rem]"
+                <div class="flex items-start gap-2 px-3 py-2 dd-rounded text-2xs-plus"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <span class="dd-text-secondary shrink-0">Exclude:</span>
                   <span class="font-mono dd-text break-all">{{ selectedContainer.triggerExclude || 'Not set' }}</span>
@@ -298,15 +307,14 @@ const {
                :style="{ backgroundColor: 'var(--dd-bg-card)' }">
             <div class="px-4 py-3 flex items-center gap-2">
               <AppIcon name="registries" :size="12" class="dd-text-muted" />
-              <span class="text-[0.6875rem] font-semibold uppercase tracking-wider dd-text-muted">Registry</span>
+              <span class="dd-text-label dd-text-muted">Registry</span>
             </div>
             <div class="p-4">
               <div class="flex items-center gap-3 px-3 py-2 dd-rounded text-xs"
                    :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
-                <span class="badge text-[0.5625rem] uppercase font-bold"
-                      :style="{ backgroundColor: registryColorBg(selectedContainer.registry), color: registryColorText(selectedContainer.registry) }">
+                <AppBadge size="xs" :custom="{ bg: registryColorBg(selectedContainer.registry), text: registryColorText(selectedContainer.registry) }">
                   {{ registryLabel(selectedContainer.registry, selectedContainer.registryUrl, selectedContainer.registryName) }}
-                </span>
+                </AppBadge>
                 <span class="font-mono dd-text-secondary">{{ selectedContainer.image }}</span>
               </div>
               <div v-if="selectedContainer.registryError"
@@ -323,13 +331,13 @@ const {
                :style="{ backgroundColor: 'var(--dd-bg-card)' }">
             <div class="px-4 py-3 flex items-center gap-2">
               <AppIcon name="terminal" :size="12" class="dd-text-muted" />
-              <span class="text-[0.6875rem] font-semibold uppercase tracking-wider dd-text-muted">Runtime Process</span>
+              <span class="dd-text-label dd-text-muted">Runtime Process</span>
             </div>
             <div class="p-4 space-y-2">
               <div class="flex items-center justify-between gap-3 px-3 py-2 dd-rounded text-xs"
                    :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                 <span class="dd-text-secondary">Entrypoint</span>
-                <span class="badge text-[0.625rem] font-bold uppercase"
+                <span class="badge text-2xs font-bold uppercase"
                       :style="runtimeOriginStyle(selectedRuntimeOrigins.entrypoint)">
                   {{ runtimeOriginLabel(selectedRuntimeOrigins.entrypoint) }}
                 </span>
@@ -337,7 +345,7 @@ const {
               <div class="flex items-center justify-between gap-3 px-3 py-2 dd-rounded text-xs"
                    :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                 <span class="dd-text-secondary">Cmd</span>
-                <span class="badge text-[0.625rem] font-bold uppercase"
+                <span class="badge text-2xs font-bold uppercase"
                       :style="runtimeOriginStyle(selectedRuntimeOrigins.cmd)">
                   {{ runtimeOriginLabel(selectedRuntimeOrigins.cmd) }}
                 </span>
@@ -358,7 +366,7 @@ const {
                :style="{ backgroundColor: 'var(--dd-bg-card)' }">
             <div class="px-4 py-3 flex items-center gap-2">
               <AppIcon name="triggers" :size="12" class="dd-text-muted" />
-              <span class="text-[0.6875rem] font-semibold uppercase tracking-wider dd-text-muted">Lifecycle Hooks</span>
+              <span class="dd-text-label dd-text-muted">Lifecycle Hooks</span>
             </div>
             <div class="p-4 space-y-2">
               <div class="flex items-start justify-between gap-3 px-3 py-2 dd-rounded text-xs"
@@ -400,7 +408,7 @@ const {
                :style="{ backgroundColor: 'var(--dd-bg-card)' }">
             <div class="px-4 py-3 flex items-center gap-2">
               <AppIcon name="recent-updates" :size="12" class="dd-text-muted" />
-              <span class="text-[0.6875rem] font-semibold uppercase tracking-wider dd-text-muted">Auto-Rollback</span>
+              <span class="dd-text-label dd-text-muted">Auto-Rollback</span>
             </div>
             <div class="p-4 space-y-2">
               <div class="flex items-center justify-between gap-3 px-3 py-2 dd-rounded text-xs"
@@ -426,13 +434,11 @@ const {
                :style="{ backgroundColor: 'var(--dd-bg-card)' }">
             <div class="px-4 py-3 flex items-center gap-2">
               <AppIcon name="security" :size="12" class="dd-text-muted" />
-              <span class="text-[0.6875rem] font-semibold uppercase tracking-wider dd-text-muted">Security</span>
-              <button class="ml-auto px-2 py-1 dd-rounded text-[0.625rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-
-                      :disabled="detailVulnerabilityLoading || detailSbomLoading"
+              <span class="dd-text-label dd-text-muted">Security</span>
+              <AppButton size="xs" class="ml-auto" :disabled="detailVulnerabilityLoading || detailSbomLoading"
                       @click="loadDetailSecurityData">
                 {{ detailVulnerabilityLoading || detailSbomLoading ? 'Refreshing...' : 'Refresh' }}
-              </button>
+              </AppButton>
             </div>
             <div class="p-4 space-y-3">
               <div v-if="detailVulnerabilityLoading"
@@ -446,36 +452,20 @@ const {
                 {{ detailVulnerabilityError }}
               </div>
               <template v-else>
-                <div class="flex items-center gap-2 flex-wrap text-[0.6875rem]">
-                  <span class="badge text-[0.625rem] font-bold"
-                        :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }">
-                    critical {{ vulnerabilitySummary.critical }}
-                  </span>
-                  <span class="badge text-[0.625rem] font-bold"
-                        :style="{ backgroundColor: 'var(--dd-warning-muted)', color: 'var(--dd-warning)' }">
-                    high {{ vulnerabilitySummary.high }}
-                  </span>
-                  <span class="badge text-[0.625rem] font-bold"
-                        :style="{ backgroundColor: 'var(--dd-caution-muted)', color: 'var(--dd-caution)' }">
-                    medium {{ vulnerabilitySummary.medium }}
-                  </span>
-                  <span class="badge text-[0.625rem] font-bold"
-                        :style="{ backgroundColor: 'var(--dd-info-muted)', color: 'var(--dd-info)' }">
-                    low {{ vulnerabilitySummary.low }}
-                  </span>
+                <div class="flex items-center gap-2 flex-wrap text-2xs-plus">
+                  <AppBadge tone="danger" size="sm">critical {{ vulnerabilitySummary.critical }}</AppBadge>
+                  <AppBadge tone="warning" size="sm">high {{ vulnerabilitySummary.high }}</AppBadge>
+                  <AppBadge tone="caution" size="sm">medium {{ vulnerabilitySummary.medium }}</AppBadge>
+                  <AppBadge tone="info" size="sm">low {{ vulnerabilitySummary.low }}</AppBadge>
                   <span class="dd-text-muted ml-auto">{{ vulnerabilityTotal }} total</span>
                 </div>
                 <div v-if="vulnerabilityPreview.length > 0" class="space-y-1.5">
                   <div v-for="vulnerability in vulnerabilityPreview" :key="vulnerability.id"
-                       class="flex items-center gap-2 px-3 py-2 dd-rounded text-[0.6875rem]"
+                       class="flex items-center gap-2 px-3 py-2 dd-rounded text-2xs-plus"
                        :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
-                    <span class="badge text-[0.5625rem] font-bold uppercase"
-                          :style="{
-                            backgroundColor: severityStyle(normalizeSeverity(vulnerability.severity)).bg,
-                            color: severityStyle(normalizeSeverity(vulnerability.severity)).text,
-                          }">
+                    <AppBadge size="xs" :custom="severityStyle(normalizeSeverity(vulnerability.severity))">
                       {{ normalizeSeverity(vulnerability.severity) }}
-                    </span>
+                    </AppBadge>
                     <span class="font-mono dd-text truncate">{{ vulnerability.id }}</span>
                     <span class="dd-text-muted truncate ml-auto">{{ getVulnerabilityPackage(vulnerability) }}</span>
                   </div>
@@ -487,16 +477,14 @@ const {
                    :style="{ borderTop: '1px solid var(--dd-border)' }">
                 <div class="flex items-center gap-2">
                   <select v-model="selectedSbomFormat"
-                          class="px-2 py-1 dd-rounded text-[0.625rem] font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text">
+                          class="px-2 py-1 dd-rounded text-2xs font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text">
                     <option value="spdx-json">spdx-json</option>
                     <option value="cyclonedx-json">cyclonedx-json</option>
                   </select>
-                  <button class="px-2 py-1 dd-rounded text-[0.625rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-    
-                          :disabled="detailSbomLoading"
+                  <AppButton size="xs" :disabled="detailSbomLoading"
                           @click="loadDetailSbom">
                     {{ detailSbomLoading ? 'Loading SBOM...' : 'Refresh SBOM' }}
-                  </button>
+                  </AppButton>
                 </div>
                 <div v-if="detailSbomError"
                      class="px-3 py-2 dd-rounded text-xs"
@@ -509,7 +497,7 @@ const {
                   Loading SBOM document...
                 </div>
                 <div v-else-if="sbomDocument"
-                     class="px-3 py-2 dd-rounded text-[0.6875rem] space-y-1"
+                     class="px-3 py-2 dd-rounded text-2xs-plus space-y-1"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <div class="dd-text-muted">
                     format:
@@ -530,51 +518,17 @@ const {
           </div>
         </div>
 
+        <div v-if="activeDetailTab === 'stats'">
+          <ContainerStats :container-id="selectedContainer.id" />
+        </div>
+
         <!-- Logs tab (full page) -->
-        <div v-if="activeDetailTab === 'logs'">
-          <div class="dd-rounded overflow-hidden"
-               :style="{ backgroundColor: 'var(--dd-bg-code)' }">
-            <div class="px-4 py-3 flex items-center justify-between"
-                 style="border-bottom: 1px solid var(--dd-log-divider);">
-              <div class="flex items-center gap-2">
-                <AppIcon name="terminal" :size="11" :style="{ color: 'var(--dd-log-text-muted)' }" />
-                <span class="text-[0.6875rem] font-semibold uppercase tracking-wider" style="color: var(--dd-log-text-muted);">
-                  Container Logs
-                </span>
-                <span class="text-[0.6875rem] font-mono" style="color: var(--dd-primary);">{{ selectedContainer.name }}</span>
-              </div>
-              <div class="flex items-center gap-2">
-                <select v-model.number="containerAutoFetchInterval"
-                        class="px-1.5 py-1 dd-rounded text-[0.625rem] font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text">
-                  <option v-for="opt in LOG_AUTO_FETCH_INTERVALS" :key="opt.value" :value="opt.value">
-                    {{ opt.label }}
-                  </option>
-                </select>
-                <span class="text-[0.625rem] font-mono" style="color: var(--dd-log-text-muted);">
-                  {{ getContainerLogs(selectedContainer.name).length }} lines
-                </span>
-              </div>
-            </div>
-            <div ref="containerLogRef" class="overflow-y-auto p-1" style="max-height: calc(100vh - 320px);"
-                 @scroll="containerHandleLogScroll">
-              <div v-for="(line, i) in getContainerLogs(selectedContainer.name)" :key="i"
-                   class="px-3 py-0.5 font-mono text-[0.6875rem] leading-relaxed whitespace-pre hover:bg-white/[0.02]"
-                   :style="{ borderBottom: i < getContainerLogs(selectedContainer.name).length - 1 ? '1px solid var(--dd-log-line)' : 'none' }">
-                <span style="color: var(--dd-log-text-muted);">{{ line.substring(0, 24) }}</span>
-                <span :style="{ color: line.includes('[error]') || line.includes('[crit]') || line.includes('[emerg]') ? 'var(--dd-danger)' : line.includes('[warn]') || line.includes('[hint]') ? 'var(--dd-warning)' : 'var(--dd-log-text)' }">{{ line.substring(24) }}</span>
-              </div>
-            </div>
-            <div v-if="containerScrollBlocked && containerAutoFetchInterval > 0"
-                 class="flex items-center justify-between px-3 py-1.5 text-[0.625rem]"
-                 style="border-top: 1px solid var(--dd-log-divider);">
-              <span class="font-semibold" style="color: var(--dd-warning);">Auto-scroll paused</span>
-              <button class="px-2 py-0.5 dd-rounded text-[0.625rem] font-semibold"
-                      :style="{ backgroundColor: 'var(--dd-warning)', color: 'var(--dd-bg)' }"
-                      @click="containerResumeAutoScroll">
-                Resume
-              </button>
-            </div>
-          </div>
+        <div v-if="activeDetailTab === 'logs'" class="flex flex-col flex-1 min-h-0 overflow-hidden">
+          <ContainerLogs
+            class="flex-1 min-h-0"
+            :container-id="selectedContainer.id"
+            :container-name="selectedContainer.name"
+          />
         </div>
 
         <!-- Environment tab (full page) -->
@@ -583,8 +537,8 @@ const {
                :style="{ backgroundColor: 'var(--dd-bg-card)' }">
             <div class="px-4 py-3 flex items-center gap-2">
               <AppIcon name="config" :size="12" class="dd-text-muted" />
-              <span class="text-[0.6875rem] font-semibold uppercase tracking-wider dd-text-muted">Environment Variables</span>
-              <span class="badge text-[0.5625rem] ml-auto dd-bg-elevated dd-text-muted">{{ selectedContainer.details.env.length }}</span>
+              <span class="dd-text-label dd-text-muted">Environment Variables</span>
+              <span class="badge text-3xs ml-auto dd-bg-elevated dd-text-muted">{{ selectedContainer.details.env.length }}</span>
             </div>
             <div class="p-4">
               <div v-if="selectedContainer.details.env.length > 0" class="space-y-1.5">
@@ -597,11 +551,12 @@ const {
                   <template v-else>
                     <span v-if="getRevealedValue(selectedContainer.id, e.key)" class="truncate dd-text">{{ getRevealedValue(selectedContainer.id, e.key) }}</span>
                     <span v-else class="truncate dd-text-muted">&#x2022;&#x2022;&#x2022;&#x2022;&#x2022;</span>
-                    <button class="shrink-0 p-0.5 dd-text-muted hover:dd-text transition-colors"
+                    <AppButton size="none" variant="plain" weight="none" class="shrink-0 p-0.5 dd-text-muted hover:dd-text transition-colors"
+                            :tooltip="getRevealedValue(selectedContainer.id, e.key) ? 'Hide value' : 'Reveal value'"
                             :disabled="envRevealLoading"
                             @click="toggleReveal(selectedContainer.id, e.key)">
                       <AppIcon :name="getRevealedValue(selectedContainer.id, e.key) ? 'eye-slash' : 'eye'" :size="11" />
-                    </button>
+                    </AppButton>
                   </template>
                 </div>
               </div>
@@ -612,8 +567,8 @@ const {
                :style="{ backgroundColor: 'var(--dd-bg-card)' }">
             <div class="px-4 py-3 flex items-center gap-2">
               <AppIcon name="hard-drive" :size="12" class="dd-text-muted" />
-              <span class="text-[0.6875rem] font-semibold uppercase tracking-wider dd-text-muted">Volumes</span>
-              <span class="badge text-[0.5625rem] ml-auto dd-bg-elevated dd-text-muted">{{ selectedContainer.details.volumes.length }}</span>
+              <span class="dd-text-label dd-text-muted">Volumes</span>
+              <span class="badge text-3xs ml-auto dd-bg-elevated dd-text-muted">{{ selectedContainer.details.volumes.length }}</span>
             </div>
             <div class="p-4">
               <div v-if="selectedContainer.details.volumes.length > 0" class="space-y-1.5">
@@ -635,19 +590,14 @@ const {
                :style="{ backgroundColor: 'var(--dd-bg-card)' }">
             <div class="px-4 py-3 flex items-center gap-2">
               <AppIcon name="containers" :size="12" class="dd-text-muted" />
-              <span class="text-[0.6875rem] font-semibold uppercase tracking-wider dd-text-muted">Labels</span>
-              <span class="badge text-[0.5625rem] ml-auto dd-bg-elevated dd-text-muted">{{ selectedContainer.details.labels.length }}</span>
+              <span class="dd-text-label dd-text-muted">Labels</span>
+              <span class="badge text-3xs ml-auto dd-bg-elevated dd-text-muted">{{ selectedContainer.details.labels.length }}</span>
             </div>
             <div class="p-4">
               <div v-if="selectedContainer.details.labels.length > 0" class="flex flex-wrap gap-2">
-                <span v-for="label in selectedContainer.details.labels" :key="label"
-                      class="badge text-[0.6875rem] font-semibold px-3 py-1.5"
-                      :style="{
-                        backgroundColor: 'var(--dd-neutral-muted)',
-                        color: 'var(--dd-text-secondary)',
-                      }">
+                <AppBadge v-for="label in selectedContainer.details.labels" :key="label" tone="neutral" size="md" class="px-3 py-1.5">
                   {{ label }}
-                </span>
+                </AppBadge>
               </div>
               <p v-else class="text-xs dd-text-muted italic">No labels assigned</p>
             </div>
@@ -661,89 +611,72 @@ const {
                  :style="{ backgroundColor: 'var(--dd-bg-card)' }">
               <div class="px-4 py-3 flex items-center gap-2">
                 <AppIcon name="updates" :size="12" class="dd-text-muted" />
-                <span class="text-[0.6875rem] font-semibold uppercase tracking-wider dd-text-muted">Update Workflow</span>
+                <span class="dd-text-label dd-text-muted">Update Workflow</span>
               </div>
               <div class="p-4 space-y-4">
                 <!-- Actions group -->
                 <div>
-                  <div class="text-[0.5625rem] uppercase tracking-wider mb-1.5 dd-text-muted">Actions</div>
+                  <div class="text-3xs uppercase tracking-wider mb-1.5 dd-text-muted">Actions</div>
                   <div class="flex flex-wrap gap-2">
-                    <button class="px-3 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-      
-                            :disabled="previewLoading"
+                    <AppButton size="md" :disabled="previewLoading"
                             @click="runContainerPreview">
                       {{ previewLoading ? 'Previewing...' : 'Preview Update' }}
-                    </button>
-                    <button v-if="selectedContainer.bouncer === 'blocked'"
-                            class="px-3 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors"
-                            :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)', border: '1px solid var(--dd-danger)' }"
-                            :disabled="actionInProgress === selectedContainer.name"
+                    </AppButton>
+                    <AppButton v-if="selectedContainer.bouncer === 'blocked'" size="md" variant="plain" :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)', border: '1px solid var(--dd-danger)' }"
+                            :disabled="actionInProgress.has(selectedContainer.name)"
                             @click="confirmForceUpdate(selectedContainer.name)">
                       <AppIcon name="lock" :size="10" class="mr-1 inline" />Force Update
-                    </button>
-                    <button v-else
-                            class="px-3 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-      
-                            :disabled="!selectedContainer.newTag || actionInProgress === selectedContainer.name"
+                    </AppButton>
+                    <AppButton v-else
+                            size="md"
+                            :disabled="!selectedContainer.newTag || actionInProgress.has(selectedContainer.name)"
                             @click="confirmUpdate(selectedContainer.name)">
                       Update Now
-                    </button>
-                    <button class="px-3 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-      
-                            :disabled="actionInProgress === selectedContainer.name"
+                    </AppButton>
+                    <AppButton size="md" :disabled="actionInProgress.has(selectedContainer.name)"
                             @click="scanContainer(selectedContainer.name)">
                       Scan Now
-                    </button>
+                    </AppButton>
                   </div>
                 </div>
                 <!-- Skip & Snooze group -->
                 <div>
-                  <div class="text-[0.5625rem] uppercase tracking-wider mb-1.5 dd-text-muted">Skip & Snooze</div>
+                  <div class="text-3xs uppercase tracking-wider mb-1.5 dd-text-muted">Skip & Snooze</div>
                   <div class="flex flex-wrap gap-2">
-                    <button class="px-3 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-      
-                            :disabled="!selectedContainer.newTag || policyInProgress !== null"
+                    <AppButton size="md" :disabled="!selectedContainer.newTag || policyInProgress !== null"
                             @click="skipCurrentForSelected">
                       Skip This Update
-                    </button>
-                    <button class="px-3 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-      
-                            :disabled="policyInProgress !== null"
+                    </AppButton>
+                    <AppButton size="md" :disabled="policyInProgress !== null"
                             @click="snoozeSelected(1)">
                       Snooze 1d
-                    </button>
-                    <button class="px-3 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-      
-                            :disabled="policyInProgress !== null"
+                    </AppButton>
+                    <AppButton size="md" :disabled="policyInProgress !== null"
                             @click="snoozeSelected(7)">
                       Snooze 7d
-                    </button>
+                    </AppButton>
                     <input
                       v-model="snoozeDateInput"
                       type="date"
-                      class="px-2.5 py-1.5 dd-rounded text-[0.6875rem] outline-none dd-bg dd-text"
+                      class="px-2.5 py-1.5 dd-rounded text-2xs-plus outline-none dd-bg dd-text"
                       :disabled="policyInProgress !== null" />
-                    <button class="px-3 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-      
-                            :disabled="!snoozeDateInput || policyInProgress !== null"
+                    <AppButton size="md" :disabled="!snoozeDateInput || policyInProgress !== null"
                             @click="snoozeSelectedUntilDate">
                       Snooze Until
-                    </button>
-                    <button class="px-3 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-      
-                            :disabled="!selectedSnoozeUntil || policyInProgress !== null"
+                    </AppButton>
+                    <AppButton size="md" :disabled="!selectedSnoozeUntil || policyInProgress !== null"
                             @click="unsnoozeSelected">
                       Unsnooze
-                    </button>
+                    </AppButton>
                   </div>
                 </div>
                 <!-- Maturity group -->
                 <div>
-                  <div class="text-[0.5625rem] uppercase tracking-wider mb-1.5 dd-text-muted">Maturity</div>
+                  <div class="text-3xs uppercase tracking-wider mb-1.5 dd-text-muted">Maturity</div>
                   <div class="flex flex-wrap gap-2 items-center">
                     <select
                       v-model="maturityModeInput"
-                      class="px-2.5 py-1.5 dd-rounded text-[0.6875rem] outline-none dd-bg dd-text"
+                      class="px-2.5 py-1.5 dd-rounded text-2xs-plus outline-none dd-bg dd-text"
                       :disabled="policyInProgress !== null"
                     >
                       <option value="all">Allow New + Mature</option>
@@ -754,40 +687,34 @@ const {
                       type="number"
                       min="1"
                       max="365"
-                      class="w-[104px] px-2.5 py-1.5 dd-rounded text-[0.6875rem] outline-none dd-bg dd-text"
+                      class="w-[104px] px-2.5 py-1.5 dd-rounded text-2xs-plus outline-none dd-bg dd-text"
                       :disabled="policyInProgress !== null"
                     />
-                    <button class="px-3 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-                            :disabled="policyInProgress !== null"
+                    <AppButton size="md" :disabled="policyInProgress !== null"
                             @click="setMaturityPolicySelected(maturityModeInput)">
                       Apply Maturity
-                    </button>
-                    <button class="px-3 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-                            :disabled="!selectedHasMaturityPolicy || policyInProgress !== null"
+                    </AppButton>
+                    <AppButton size="md" :disabled="!selectedHasMaturityPolicy || policyInProgress !== null"
                             @click="clearMaturityPolicySelected">
                       Clear Maturity
-                    </button>
+                    </AppButton>
                   </div>
                 </div>
                 <!-- Reset group -->
                 <div>
-                  <div class="text-[0.5625rem] uppercase tracking-wider mb-1.5 dd-text-muted">Reset</div>
+                  <div class="text-3xs uppercase tracking-wider mb-1.5 dd-text-muted">Reset</div>
                   <div class="flex flex-wrap gap-2">
-                    <button class="px-3 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-      
-                            :disabled="selectedSkipTags.length === 0 && selectedSkipDigests.length === 0"
+                    <AppButton size="md" :disabled="(selectedSkipTags.length === 0 && selectedSkipDigests.length === 0) || policyInProgress !== null"
                             @click="clearSkipsSelected">
                       Clear Skips
-                    </button>
-                    <button class="px-3 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-      
-                            :disabled="Object.keys(selectedUpdatePolicy).length === 0"
-                            @click="clearPolicySelected">
+                    </AppButton>
+                    <AppButton size="md" :disabled="Object.keys(selectedUpdatePolicy).length === 0 || policyInProgress !== null"
+                            @click="confirmClearPolicy">
                       Clear Policy
-                    </button>
+                    </AppButton>
                   </div>
                 </div>
-                <div class="space-y-1 text-[0.6875rem] dd-text-muted">
+                <div class="space-y-1 text-2xs-plus dd-text-muted">
                   <div v-if="selectedSnoozeUntil">
                     Snoozed until:
                     <span class="dd-text">{{ formatTimestamp(selectedSnoozeUntil) }}</span>
@@ -802,14 +729,15 @@ const {
                     Skipped tags:
                     <div class="mt-1 flex flex-wrap gap-1.5">
                       <span v-for="tag in selectedSkipTags" :key="`skip-tag-full-${tag}`"
-                            class="inline-flex items-center gap-1.5 px-2 py-1 dd-rounded text-[0.6875rem] font-mono"
+                            class="inline-flex items-center gap-1.5 px-2 py-1 dd-rounded text-2xs-plus font-mono"
                             :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                         <span class="dd-text">{{ tag }}</span>
-                        <button class="inline-flex items-center justify-center w-4 h-4 dd-rounded-sm transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
+                        <AppButton size="none" variant="plain" weight="none" class="inline-flex items-center justify-center w-4 h-4 dd-rounded-sm transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
+                                tooltip="Remove skip"
                                 :disabled="policyInProgress !== null"
                                 @click="removeSkipTagSelected(tag)">
                           <AppIcon name="xmark" :size="9" />
-                        </button>
+                        </AppButton>
                       </span>
                     </div>
                   </div>
@@ -817,14 +745,15 @@ const {
                     Skipped digests:
                     <div class="mt-1 flex flex-wrap gap-1.5">
                       <span v-for="digest in selectedSkipDigests" :key="`skip-digest-full-${digest}`"
-                            class="inline-flex items-center gap-1.5 px-2 py-1 dd-rounded text-[0.6875rem] font-mono"
+                            class="inline-flex items-center gap-1.5 px-2 py-1 dd-rounded text-2xs-plus font-mono"
                             :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                         <span class="dd-text">{{ digest }}</span>
-                        <button class="inline-flex items-center justify-center w-4 h-4 dd-rounded-sm transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
+                        <AppButton size="none" variant="plain" weight="none" class="inline-flex items-center justify-center w-4 h-4 dd-rounded-sm transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
+                                tooltip="Remove skip"
                                 :disabled="policyInProgress !== null"
                                 @click="removeSkipDigestSelected(digest)">
                           <AppIcon name="xmark" :size="9" />
-                        </button>
+                        </AppButton>
                       </span>
                     </div>
                   </div>
@@ -833,8 +762,8 @@ const {
                     No active update policy.
                   </div>
                 </div>
-                <p v-if="policyMessage" class="text-[0.6875rem]" style="color: var(--dd-success);">{{ policyMessage }}</p>
-                <p v-if="policyError" class="text-[0.6875rem]" style="color: var(--dd-danger);">{{ policyError }}</p>
+                <p v-if="policyMessage" class="text-2xs-plus" style="color: var(--dd-success);">{{ policyMessage }}</p>
+                <p v-if="policyError" class="text-2xs-plus" style="color: var(--dd-danger);">{{ policyError }}</p>
               </div>
             </div>
 
@@ -842,7 +771,7 @@ const {
                  :style="{ backgroundColor: 'var(--dd-bg-card)' }">
               <div class="px-4 py-3 flex items-center gap-2">
                 <AppIcon name="info" :size="12" class="dd-text-muted" />
-                <span class="text-[0.6875rem] font-semibold uppercase tracking-wider dd-text-muted">Preview</span>
+                <span class="dd-text-label dd-text-muted">Preview</span>
               </div>
               <div class="p-4 space-y-2 text-xs">
                 <div v-if="previewLoading" class="dd-text-muted">Generating preview...</div>
@@ -878,7 +807,7 @@ const {
                     </div>
                     <div v-if="detailComposePreview?.patch" class="dd-text-muted">
                       Patch preview:
-                      <pre class="mt-1 p-2 dd-rounded whitespace-pre-wrap break-all text-[0.6875rem] dd-text font-mono"
+                      <pre class="mt-1 p-2 dd-rounded whitespace-pre-wrap break-all text-2xs-plus dd-text font-mono"
                            :style="{ backgroundColor: 'var(--dd-bg-inset)' }">{{ detailComposePreview.patch }}</pre>
                     </div>
                   </template>
@@ -886,7 +815,7 @@ const {
                 <div v-else class="dd-text-muted italic">
                   Run a preview to inspect the planned update operations.
                 </div>
-                <p v-if="previewError" class="text-[0.6875rem]" style="color: var(--dd-danger);">{{ previewError }}</p>
+                <p v-if="previewError" class="text-2xs-plus" style="color: var(--dd-danger);">{{ previewError }}</p>
               </div>
             </div>
           </div>
@@ -896,7 +825,7 @@ const {
                  :style="{ backgroundColor: 'var(--dd-bg-card)' }">
               <div class="px-4 py-3 flex items-center gap-2">
                 <AppIcon name="triggers" :size="12" class="dd-text-muted" />
-                <span class="text-[0.6875rem] font-semibold uppercase tracking-wider dd-text-muted">Associated Triggers</span>
+                <span class="dd-text-label dd-text-muted">Associated Triggers</span>
               </div>
               <div class="p-4 space-y-2">
                 <div v-if="triggersLoading" class="text-xs dd-text-muted">Loading triggers...</div>
@@ -906,19 +835,17 @@ const {
                        :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                     <div class="min-w-0">
                       <div class="text-xs font-semibold dd-text truncate">{{ trigger.type }}.{{ trigger.name }}</div>
-                      <div v-if="trigger.agent" class="text-[0.6875rem] dd-text-muted">agent: {{ trigger.agent }}</div>
+                      <div v-if="trigger.agent" class="text-2xs-plus dd-text-muted">agent: {{ trigger.agent }}</div>
                     </div>
-                    <button class="px-2.5 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-      
-                            :disabled="triggerRunInProgress !== null"
+                    <AppButton size="md" :disabled="triggerRunInProgress !== null"
                             @click="runAssociatedTrigger(trigger)">
                       {{ triggerRunInProgress === getTriggerKey(trigger) ? 'Running...' : 'Run' }}
-                    </button>
+                    </AppButton>
                   </div>
                 </div>
                 <p v-else class="text-xs dd-text-muted italic">No triggers associated with this container</p>
-                <p v-if="triggerMessage" class="text-[0.6875rem]" style="color: var(--dd-success);">{{ triggerMessage }}</p>
-                <p v-if="triggerError" class="text-[0.6875rem]" style="color: var(--dd-danger);">{{ triggerError }}</p>
+                <p v-if="triggerMessage" class="text-2xs-plus" style="color: var(--dd-success);">{{ triggerMessage }}</p>
+                <p v-if="triggerError" class="text-2xs-plus" style="color: var(--dd-danger);">{{ triggerError }}</p>
               </div>
             </div>
 
@@ -926,16 +853,14 @@ const {
                  :style="{ backgroundColor: 'var(--dd-bg-card)' }">
               <div class="px-4 py-3 flex items-center gap-2">
                 <AppIcon name="recent-updates" :size="12" class="dd-text-muted" />
-                <span class="text-[0.6875rem] font-semibold uppercase tracking-wider dd-text-muted">Backups &amp; Rollback</span>
+                <span class="dd-text-label dd-text-muted">Backups &amp; Rollback</span>
               </div>
               <div class="p-4 space-y-2">
                 <div>
-                  <button class="px-2.5 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-    
-                          :disabled="backupsLoading || detailBackups.length === 0 || rollbackInProgress !== null"
+                  <AppButton size="md" :disabled="backupsLoading || detailBackups.length === 0 || rollbackInProgress !== null"
                           @click="confirmRollback()">
                     {{ rollbackInProgress === 'latest' ? 'Rolling back...' : 'Rollback Latest' }}
-                  </button>
+                  </AppButton>
                 </div>
                 <div v-if="backupsLoading" class="text-xs dd-text-muted">Loading backups...</div>
                 <div v-else-if="detailBackups.length > 0" class="space-y-2">
@@ -944,19 +869,17 @@ const {
                        :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                     <div class="min-w-0">
                       <div class="text-xs font-semibold dd-text font-mono truncate">{{ backup.imageName }}:{{ backup.imageTag }}</div>
-                      <div class="text-[0.6875rem] dd-text-muted">{{ formatTimestamp(backup.timestamp) }}</div>
+                      <div class="text-2xs-plus dd-text-muted">{{ formatTimestamp(backup.timestamp) }}</div>
                     </div>
-                    <button class="px-2.5 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-      
-                            :disabled="rollbackInProgress !== null"
+                    <AppButton size="md" :disabled="rollbackInProgress !== null"
                             @click="confirmRollback(backup.id)">
                       {{ rollbackInProgress === backup.id ? 'Rolling...' : 'Use' }}
-                    </button>
+                    </AppButton>
                   </div>
                 </div>
                 <p v-else class="text-xs dd-text-muted italic">No backups available yet</p>
-                <p v-if="rollbackMessage" class="text-[0.6875rem]" style="color: var(--dd-success);">{{ rollbackMessage }}</p>
-                <p v-if="rollbackError" class="text-[0.6875rem]" style="color: var(--dd-danger);">{{ rollbackError }}</p>
+                <p v-if="rollbackMessage" class="text-2xs-plus" style="color: var(--dd-success);">{{ rollbackMessage }}</p>
+                <p v-if="rollbackError" class="text-2xs-plus" style="color: var(--dd-danger);">{{ rollbackError }}</p>
               </div>
             </div>
 
@@ -964,7 +887,7 @@ const {
                  :style="{ backgroundColor: 'var(--dd-bg-card)' }">
               <div class="px-4 py-3 flex items-center gap-2">
                 <AppIcon name="audit" :size="12" class="dd-text-muted" />
-                <span class="text-[0.6875rem] font-semibold uppercase tracking-wider dd-text-muted">Update Operation History</span>
+                <span class="dd-text-label dd-text-muted">Update Operation History</span>
               </div>
               <div class="p-4 space-y-2">
                 <div v-if="updateOperationsLoading" class="text-xs dd-text-muted">Loading operation history...</div>
@@ -973,8 +896,8 @@ const {
                        class="space-y-1.5 px-3 py-2 dd-rounded"
                        :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                     <div class="flex items-center justify-between gap-3">
-                      <div class="text-[0.6875rem] font-mono dd-text-muted truncate">{{ operation.id }}</div>
-                      <span class="badge text-[0.625rem] font-semibold uppercase"
+                      <div class="text-2xs-plus font-mono dd-text-muted truncate">{{ operation.id }}</div>
+                      <span class="badge text-2xs font-semibold uppercase"
                             :style="getOperationStatusStyle(operation.status)">
                         {{ formatOperationStatus(operation.status) }}
                       </span>
@@ -996,13 +919,13 @@ const {
                       Last error:
                       <span class="dd-text">{{ operation.lastError }}</span>
                     </div>
-                    <div class="text-[0.6875rem] dd-text-muted">
+                    <div class="text-2xs-plus dd-text-muted">
                       {{ formatTimestamp(operation.updatedAt || operation.createdAt) }}
                     </div>
                   </div>
                 </div>
                 <p v-else class="text-xs dd-text-muted italic">No update operations recorded yet</p>
-                <p v-if="updateOperationsError" class="text-[0.6875rem]" style="color: var(--dd-danger);">{{ updateOperationsError }}</p>
+                <p v-if="updateOperationsError" class="text-2xs-plus" style="color: var(--dd-danger);">{{ updateOperationsError }}</p>
               </div>
             </div>
           </div>
diff --git a/ui/src/components/containers/ContainerLogs.vue b/ui/src/components/containers/ContainerLogs.vue
new file mode 100644
index 000000000..bd2830060
--- /dev/null
+++ b/ui/src/components/containers/ContainerLogs.vue
@@ -0,0 +1,346 @@
+<script setup lang="ts">
+import { computed, onBeforeUnmount, onMounted, ref, watch } from 'vue';
+import AppLogViewer from '../AppLogViewer.vue';
+import {
+  createContainerLogStreamConnection,
+  downloadContainerLogs,
+  toLogTailValue,
+  type ContainerLogStreamConnection,
+  type ContainerLogStreamFrame,
+  type ContainerLogStreamStatus,
+} from '../../services/logs';
+import {
+  parseAnsiSegments,
+  parseJsonLogLine,
+  parseLogTimestampToUnixSeconds,
+  stripAnsiCodes,
+} from '../../utils/container-logs';
+import type { AppLogEntry } from '../../types/log-entry';
+
+type TailOption = 100 | 500 | 1000 | 'all';
+
+const props = withDefaults(
+  defineProps<{
+    containerId: string;
+    containerName: string;
+    compact?: boolean;
+  }>(),
+  {
+    compact: false,
+  },
+);
+
+const entries = ref<AppLogEntry[]>([]);
+const streamStatus = ref<ContainerLogStreamStatus>('disconnected');
+const streamPaused = ref(false);
+const autoScrollPinned = ref(true);
+const showStdout = ref(true);
+const showStderr = ref(true);
+const levelFilter = ref('all');
+const tailSize = ref<TailOption>(100);
+const downloadInProgress = ref(false);
+const downloadError = ref<string | null>(null);
+const nextEntryId = ref(1);
+const lastSince = ref<number | undefined>(undefined);
+
+let streamConnection: ContainerLogStreamConnection | null = null;
+
+const MAX_VISIBLE_LOGS = 5000;
+const TAIL_OPTIONS: ReadonlyArray<{ label: string; value: TailOption }> = [
+  { label: 'Tail 100', value: 100 },
+  { label: 'Tail 500', value: 500 },
+  { label: 'Tail 1000', value: 1000 },
+  { label: 'Tail All', value: 'all' },
+];
+
+const levelOptions = computed(() => {
+  const uniqueLevels = new Set<string>();
+  for (const entry of entries.value) {
+    if (entry.level) {
+      uniqueLevels.add(entry.level);
+    }
+  }
+  return ['all', ...Array.from(uniqueLevels).sort((left, right) => left.localeCompare(right))];
+});
+
+const hasJsonEntries = computed(() => entries.value.some((entry) => entry.json !== null));
+
+const visibleEntries = computed(() => {
+  return entries.value.filter((entry) => {
+    if (entry.channel === 'stdout' && !showStdout.value) {
+      return false;
+    }
+    if (entry.channel === 'stderr' && !showStderr.value) {
+      return false;
+    }
+    if (levelFilter.value !== 'all' && entry.level !== levelFilter.value) {
+      return false;
+    }
+    return true;
+  });
+});
+
+const statusLabel = computed(() => {
+  if (streamPaused.value) {
+    return 'Paused';
+  }
+  return streamStatus.value === 'connected' ? 'Live' : 'Offline';
+});
+
+const statusColor = computed(() => {
+  if (streamPaused.value) {
+    return 'var(--dd-warning)';
+  }
+  return streamStatus.value === 'connected' ? 'var(--dd-success)' : 'var(--dd-danger)';
+});
+
+function setStreamStatus(status: ContainerLogStreamStatus): void {
+  streamStatus.value = status;
+}
+
+function connectStream(): void {
+  if (!props.containerId) {
+    return;
+  }
+
+  streamConnection?.close();
+  streamConnection = createContainerLogStreamConnection({
+    containerId: props.containerId,
+    query: {
+      stdout: showStdout.value,
+      stderr: showStderr.value,
+      tail: toLogTailValue(tailSize.value),
+      since: lastSince.value,
+      follow: true,
+    },
+    onMessage: appendLogEntry,
+    onStatus: setStreamStatus,
+  });
+}
+
+function clearLogsAndReconnect(): void {
+  entries.value = [];
+  lastSince.value = undefined;
+  connectStream();
+}
+
+function appendLogEntry(frame: ContainerLogStreamFrame): void {
+  if (streamPaused.value) {
+    return;
+  }
+
+  const json = parseJsonLogLine(frame.line);
+  const entry: AppLogEntry = {
+    id: nextEntryId.value,
+    timestamp: frame.ts,
+    line: frame.line,
+    plainLine: stripAnsiCodes(frame.line),
+    ansiSegments: parseAnsiSegments(frame.line),
+    json,
+    level: json?.level ?? null,
+    channel: frame.type,
+  };
+  nextEntryId.value += 1;
+
+  entries.value.push(entry);
+  if (entries.value.length > MAX_VISIBLE_LOGS) {
+    entries.value = entries.value.slice(entries.value.length - MAX_VISIBLE_LOGS);
+  }
+
+  const parsedSince = parseLogTimestampToUnixSeconds(frame.ts);
+  if (
+    parsedSince !== undefined &&
+    (lastSince.value === undefined || parsedSince > lastSince.value)
+  ) {
+    lastSince.value = parsedSince;
+  }
+}
+
+function togglePause(): void {
+  if (!streamConnection) {
+    return;
+  }
+
+  streamPaused.value = !streamPaused.value;
+  if (streamPaused.value) {
+    streamConnection.pause();
+    streamStatus.value = 'disconnected';
+    return;
+  }
+
+  streamConnection.resume();
+}
+
+function togglePin(): void {
+  autoScrollPinned.value = !autoScrollPinned.value;
+}
+
+function sanitizeFileName(value: string): string {
+  const sanitizedValue = value.trim().replace(/[^a-zA-Z0-9._-]+/g, '-');
+  return sanitizedValue.length > 0 ? sanitizedValue : 'container';
+}
+
+function downloadBlob(blob: Blob, fileName: string): void {
+  const objectUrl = URL.createObjectURL(blob);
+  const link = document.createElement('a');
+  link.href = objectUrl;
+  link.download = fileName;
+  link.style.display = 'none';
+  document.body.appendChild(link);
+  link.click();
+  document.body.removeChild(link);
+  URL.revokeObjectURL(objectUrl);
+}
+
+async function downloadLogs(): Promise<void> {
+  if (downloadInProgress.value) {
+    return;
+  }
+
+  downloadInProgress.value = true;
+  downloadError.value = null;
+
+  try {
+    const logBlob = await downloadContainerLogs(props.containerId, {
+      stdout: showStdout.value,
+      stderr: showStderr.value,
+      tail: toLogTailValue(tailSize.value),
+      since: lastSince.value,
+    });
+
+    const fileName = `${sanitizeFileName(props.containerName)}-logs.log`;
+    downloadBlob(logBlob, fileName);
+  } catch {
+    downloadError.value = 'Unable to download logs';
+  } finally {
+    downloadInProgress.value = false;
+  }
+}
+
+watch([showStdout, showStderr], () => {
+  streamConnection?.update({
+    stdout: showStdout.value,
+    stderr: showStderr.value,
+    since: lastSince.value,
+    tail: toLogTailValue(tailSize.value),
+    follow: true,
+  });
+});
+
+watch(tailSize, () => {
+  clearLogsAndReconnect();
+});
+
+watch(
+  () => props.containerId,
+  () => {
+    entries.value = [];
+    nextEntryId.value = 1;
+    lastSince.value = undefined;
+    connectStream();
+  },
+);
+
+onMounted(() => {
+  connectStream();
+});
+
+onBeforeUnmount(() => {
+  streamConnection?.close();
+  streamConnection = null;
+});
+</script>
+
+<template>
+  <div data-test="container-logs" class="min-h-0 flex flex-col flex-1">
+    <AppLogViewer
+      :entries="visibleEntries"
+      :compact="props.compact"
+      :paused="streamPaused"
+      :auto-scroll-pinned="autoScrollPinned"
+      :status-label="statusLabel"
+      :status-color="statusColor"
+      :line-count="visibleEntries.length"
+      @toggle-pause="togglePause"
+      @toggle-pin="togglePin"
+    >
+      <template #toolbar-left>
+        <AppIcon name="terminal" :size="12" class="dd-text-muted" />
+        <span class="text-2xs-plus font-semibold uppercase tracking-wider dd-text-muted">Container Logs</span>
+        <span class="text-2xs-plus font-mono text-drydock-secondary truncate">{{ props.containerName }}</span>
+      </template>
+
+      <template #toolbar-right>
+        <AppButton size="none" variant="plain" weight="none"
+          type="button"
+          data-test="container-log-download"
+          class="px-2 py-1 dd-rounded text-2xs font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
+          :class="downloadInProgress ? 'opacity-50 pointer-events-none' : ''"
+          @click="downloadLogs"
+        >
+          <span class="inline-flex items-center gap-1">
+            <AppIcon name="download" :size="11" />
+            Download
+          </span>
+        </AppButton>
+      </template>
+
+      <template #filter-bar>
+        <AppButton size="none" variant="plain" weight="none"
+          type="button"
+          class="px-2 py-1.5 dd-rounded text-2xs font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
+          :class="showStdout ? 'ring-1 ring-white/10' : ''"
+          @click="showStdout = !showStdout"
+        >
+          <span class="inline-flex items-center gap-1" style="color: var(--dd-success)">
+            <span class="w-1.5 h-1.5 rounded-full" style="background-color: var(--dd-success)" />
+            stdout
+          </span>
+        </AppButton>
+
+        <AppButton size="none" variant="plain" weight="none"
+          type="button"
+          data-test="container-log-toggle-stderr"
+          class="px-2 py-1.5 dd-rounded text-2xs font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
+          :class="showStderr ? 'ring-1 ring-white/10' : ''"
+          @click="showStderr = !showStderr"
+        >
+          <span class="inline-flex items-center gap-1" style="color: var(--dd-danger)">
+            <span class="w-1.5 h-1.5 rounded-full" style="background-color: var(--dd-danger)" />
+            stderr
+          </span>
+        </AppButton>
+
+        <select
+          v-model="tailSize"
+          class="px-2 py-1.5 dd-rounded text-2xs font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text"
+        >
+          <option v-for="option in TAIL_OPTIONS" :key="option.label" :value="option.value">{{ option.label }}</option>
+        </select>
+
+        <select
+          v-if="hasJsonEntries"
+          v-model="levelFilter"
+          class="px-2 py-1.5 dd-rounded text-2xs font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text"
+        >
+          <option v-for="option in levelOptions" :key="option" :value="option">
+            {{ option === 'all' ? 'All Levels' : option }}
+          </option>
+        </select>
+
+        <span v-if="downloadError" class="text-2xs" style="color: var(--dd-danger)">
+          {{ downloadError }}
+        </span>
+      </template>
+
+      <template #entry-prefix="{ entry }">
+        <span
+          class="shrink-0 font-semibold uppercase text-2xs"
+          :style="{ color: entry.channel === 'stderr' ? 'var(--dd-danger)' : 'var(--dd-success)' }"
+        >
+          {{ entry.channel || '-' }}
+        </span>
+      </template>
+    </AppLogViewer>
+  </div>
+</template>
diff --git a/ui/src/components/containers/ContainerSideDetail.vue b/ui/src/components/containers/ContainerSideDetail.vue
index 76dd06315..fbc543f48 100644
--- a/ui/src/components/containers/ContainerSideDetail.vue
+++ b/ui/src/components/containers/ContainerSideDetail.vue
@@ -1,4 +1,8 @@
 <script setup lang="ts">
+import AppIconButton from '@/components/AppIconButton.vue';
+import AppBadge from '@/components/AppBadge.vue';
+import AppTabBar from '@/components/AppTabBar.vue';
+import StatusDot from '@/components/StatusDot.vue';
 import ContainerSideTabContent from './ContainerSideTabContent.vue';
 import { useContainersViewTemplateContext } from './containersViewTemplateContext';
 
@@ -19,7 +23,6 @@ const {
   confirmUpdate,
   confirmForceUpdate,
   confirmDelete,
-  tt,
 } = useContainersViewTemplateContext();
 </script>
 
@@ -37,120 +40,93 @@ const {
       @full-page="openFullPage">
       <template #toolbar>
         <div class="flex items-center gap-0.5">
-          <button
+          <AppIconButton
             v-if="selectedContainer.status === 'running'"
-            class="w-7 h-7 dd-rounded flex items-center justify-center transition-[color,background-color,border-color,opacity,transform,box-shadow]"
-            :class="actionInProgress === selectedContainer.name ? 'dd-text-muted opacity-50 cursor-not-allowed' : 'dd-text-muted hover:dd-text-danger hover:dd-bg-hover hover:scale-110 active:scale-95'"
-            :disabled="actionInProgress === selectedContainer.name"
-            v-tooltip.top="tt('Stop')"
-            @click="confirmStop(selectedContainer.name)">
-            <AppIcon name="stop" :size="12" />
-          </button>
-          <button
+            icon="stop"
+            size="xs"
+            variant="danger"
+            :disabled="actionInProgress.has(selectedContainer.name)"
+            tooltip="Stop"
+            @click="confirmStop(selectedContainer.name)" />
+          <AppIconButton
             v-else
-            class="w-7 h-7 dd-rounded flex items-center justify-center transition-[color,background-color,border-color,opacity,transform,box-shadow]"
-            :class="actionInProgress === selectedContainer.name ? 'dd-text-muted opacity-50 cursor-not-allowed' : 'dd-text-muted hover:dd-text-success hover:dd-bg-hover hover:scale-110 active:scale-95'"
-            :disabled="actionInProgress === selectedContainer.name"
-            v-tooltip.top="tt('Start')"
-            @click="startContainer(selectedContainer.name)">
-            <AppIcon name="play" :size="12" />
-          </button>
-          <button
-            class="w-7 h-7 dd-rounded flex items-center justify-center transition-[color,background-color,border-color,opacity,transform,box-shadow]"
-            :class="actionInProgress === selectedContainer.name ? 'dd-text-muted opacity-50 cursor-not-allowed' : 'dd-text-muted hover:dd-text hover:dd-bg-hover hover:scale-110 active:scale-95'"
-            :disabled="actionInProgress === selectedContainer.name"
-            v-tooltip.top="tt('Restart')"
-            @click="confirmRestart(selectedContainer.name)">
-            <AppIcon name="restart" :size="12" />
-          </button>
-          <button
-            class="w-7 h-7 dd-rounded flex items-center justify-center transition-[color,background-color,border-color,opacity,transform,box-shadow]"
-            :class="actionInProgress === selectedContainer.name ? 'dd-text-muted opacity-50 cursor-not-allowed' : 'dd-text-muted hover:dd-text-secondary hover:dd-bg-hover hover:scale-110 active:scale-95'"
-            :disabled="actionInProgress === selectedContainer.name"
-            v-tooltip.top="tt('Scan')"
-            @click="scanContainer(selectedContainer.name)">
-            <AppIcon name="security" :size="12" />
-          </button>
-          <button
+            icon="play"
+            size="xs"
+            variant="success"
+            :disabled="actionInProgress.has(selectedContainer.name)"
+            tooltip="Start"
+            @click="startContainer(selectedContainer.name)" />
+          <AppIconButton
+            icon="restart"
+            size="xs"
+            variant="muted"
+            :disabled="actionInProgress.has(selectedContainer.name)"
+            tooltip="Restart"
+            @click="confirmRestart(selectedContainer.name)" />
+          <AppIconButton
+            icon="security"
+            size="xs"
+            variant="secondary"
+            :disabled="actionInProgress.has(selectedContainer.name)"
+            tooltip="Scan"
+            @click="scanContainer(selectedContainer.name)" />
+          <AppIconButton
             v-if="selectedContainer.newTag && selectedContainer.bouncer === 'blocked'"
-            class="w-7 h-7 dd-rounded flex items-center justify-center transition-[color,background-color,border-color,opacity,transform,box-shadow]"
-            :class="actionInProgress === selectedContainer.name ? 'dd-text-muted opacity-50 cursor-not-allowed' : 'hover:dd-bg-hover hover:scale-110 active:scale-95'"
-            :style="{ color: 'var(--dd-danger)' }"
-            :disabled="actionInProgress === selectedContainer.name"
-            v-tooltip.top="tt('Blocked — Force Update')"
-            @click="confirmForceUpdate(selectedContainer.name)">
-            <AppIcon name="lock" :size="12" />
-          </button>
-          <button
+            icon="lock"
+            size="xs"
+            variant="danger"
+            :disabled="actionInProgress.has(selectedContainer.name)"
+            tooltip="Blocked — Force Update"
+            @click="confirmForceUpdate(selectedContainer.name)" />
+          <AppIconButton
             v-else-if="selectedContainer.newTag"
-            class="w-7 h-7 dd-rounded flex items-center justify-center transition-[color,background-color,border-color,opacity,transform,box-shadow]"
-            :class="actionInProgress === selectedContainer.name ? 'dd-text-muted opacity-50 cursor-not-allowed' : 'dd-text-muted hover:dd-text-success hover:dd-bg-hover hover:scale-110 active:scale-95'"
-            :disabled="actionInProgress === selectedContainer.name"
-            v-tooltip.top="tt('Update')"
-            @click="confirmUpdate(selectedContainer.name)">
-            <AppIcon name="cloud-download" :size="14" />
-          </button>
-          <button
-            class="w-7 h-7 dd-rounded flex items-center justify-center transition-[color,background-color,border-color,opacity,transform,box-shadow]"
-            :class="actionInProgress === selectedContainer.name ? 'dd-text-muted opacity-50 cursor-not-allowed' : 'dd-text-muted hover:dd-text-danger hover:dd-bg-hover hover:scale-110 active:scale-95'"
-            :disabled="actionInProgress === selectedContainer.name"
-            v-tooltip.top="tt('Delete')"
-            @click="confirmDelete(selectedContainer.name)">
-            <AppIcon name="trash" :size="12" />
-          </button>
+            icon="cloud-download"
+            size="xs"
+            variant="success"
+            :disabled="actionInProgress.has(selectedContainer.name)"
+            tooltip="Update"
+            @click="confirmUpdate(selectedContainer.name)" />
+          <AppIconButton
+            icon="trash"
+            size="xs"
+            variant="danger"
+            :disabled="actionInProgress.has(selectedContainer.name)"
+            tooltip="Delete"
+            @click="confirmDelete(selectedContainer.name)" />
         </div>
       </template>
       <template #header>
         <div class="flex items-center gap-2 min-w-0">
-          <div
-            class="w-2.5 h-2.5 rounded-full shrink-0"
-            :style="{ backgroundColor: selectedContainer.status === 'running' ? 'var(--dd-success)' : 'var(--dd-danger)' }" />
+          <StatusDot
+            :status="selectedContainer.status === 'running' ? 'running' : 'stopped'"
+            v-tooltip.top="selectedContainer.status"
+            size="lg" />
           <span class="text-sm font-bold truncate dd-text">
             {{ selectedContainer.name }}
           </span>
         </div>
       </template>
       <template #subtitle>
-        <span class="text-[0.6875rem] font-mono dd-text-secondary">
+        <span class="text-2xs-plus font-mono dd-text-secondary">
           {{ selectedContainer.image }}:{{ selectedContainer.currentTag }}
         </span>
-        <span
-          class="badge text-[0.5625rem]"
-          :style="{
-            backgroundColor:
-              selectedContainer.status === 'running'
-                ? 'var(--dd-success-muted)'
-                : 'var(--dd-danger-muted)',
-            color: selectedContainer.status === 'running' ? 'var(--dd-success)' : 'var(--dd-danger)',
-          }">
+        <AppBadge
+          :tone="selectedContainer.status === 'running' ? 'success' : 'danger'"
+          size="xs">
           {{ selectedContainer.status }}
-        </span>
-        <span
-          class="badge text-[0.5625rem] font-medium"
-          :style="{ backgroundColor: 'var(--dd-neutral-muted)', color: 'var(--dd-text-secondary)' }">
+        </AppBadge>
+        <AppBadge tone="neutral" size="xs">
           {{ selectedContainer.server }}
-        </span>
+        </AppBadge>
       </template>
       <template #tabs>
-        <div
-          class="shrink-0 flex overflow-x-auto scrollbar-hide px-4 gap-1"
-          :style="{ borderBottom: '1px solid var(--dd-border)' }">
-          <button
-            v-for="tab in detailTabs"
-            :key="tab.id"
-            class="whitespace-nowrap shrink-0 py-2.5 text-[0.6875rem] font-medium transition-colors relative"
-            :class="[
-              activeDetailTab === tab.id ? 'text-drydock-secondary' : 'dd-text-muted hover:dd-text',
-              panelSize === 'sm' ? 'px-2' : 'px-3',
-            ]"
-            v-tooltip.top="panelSize === 'sm' ? tt(tab.label) : undefined"
-            @click="activeDetailTab = tab.id">
-            <AppIcon :name="tab.icon" :size="12" :class="panelSize === 'sm' ? '' : 'mr-1'" />
-            <template v-if="panelSize !== 'sm'">{{ tab.label }}</template>
-            <div
-              v-if="activeDetailTab === tab.id"
-              class="absolute bottom-0 left-0 right-0 h-[2px] bg-drydock-secondary rounded-t-full" />
-          </button>
+        <div class="shrink-0 px-4">
+          <AppTabBar
+            :tabs="detailTabs"
+            :model-value="activeDetailTab"
+            :size="panelSize === 'sm' ? 'compact' : 'default'"
+            :icon-only="panelSize === 'sm'"
+            @update:model-value="activeDetailTab = $event" />
         </div>
       </template>
 
diff --git a/ui/src/components/containers/ContainerSideTabContent.vue b/ui/src/components/containers/ContainerSideTabContent.vue
index 8a9eb4cd6..6903517fd 100644
--- a/ui/src/components/containers/ContainerSideTabContent.vue
+++ b/ui/src/components/containers/ContainerSideTabContent.vue
@@ -1,5 +1,12 @@
 <script setup lang="ts">
 import { reactive, ref } from 'vue';
+import AppBadge from '@/components/AppBadge.vue';
+import ContainerLogs from './ContainerLogs.vue';
+import ContainerStats from './ContainerStats.vue';
+import UpdateMaturityBadge from './UpdateMaturityBadge.vue';
+import SuggestedTagBadge from './SuggestedTagBadge.vue';
+import FloatingTagBadge from './FloatingTagBadge.vue';
+import ReleaseNotesLink from './ReleaseNotesLink.vue';
 import { revealContainerEnv } from '../../services/container';
 import { errorMessage } from '../../utils/error';
 import { useContainersViewTemplateContext } from './containersViewTemplateContext';
@@ -9,11 +16,11 @@ const revealedKeys = reactive(new Set<string>());
 const envRevealLoading = ref(false);
 const envRevealError = ref<string | null>(null);
 
-function revealCacheKey(containerId: string, key: string) {
+function revealCacheKey(containerId: string, key: string): string {
   return `${containerId}:${key}`;
 }
 
-async function toggleReveal(containerId: string, key: string) {
+async function toggleReveal(containerId: string, key: string): Promise<void> {
   const cacheKey = revealCacheKey(containerId, key);
 
   if (revealedKeys.has(cacheKey)) {
@@ -79,13 +86,6 @@ const {
   sbomDocument,
   sbomComponentCount,
   sbomGeneratedAt,
-  LOG_AUTO_FETCH_INTERVALS,
-  containerAutoFetchInterval,
-  getContainerLogs,
-  containerLogRef,
-  containerHandleLogScroll,
-  containerScrollBlocked,
-  containerResumeAutoScroll,
   previewLoading,
   runContainerPreview,
   actionInProgress,
@@ -107,7 +107,7 @@ const {
   maturityMinAgeDaysInput,
   setMaturityPolicySelected,
   clearMaturityPolicySelected,
-  clearPolicySelected,
+  confirmClearPolicy,
   policyMessage,
   policyError,
   removeSkipTagSelected,
@@ -138,6 +138,7 @@ const {
   scanContainer,
   confirmUpdate,
   confirmForceUpdate,
+  updateKindColor,
   registryColorBg,
   registryColorText,
   registryLabel,
@@ -146,16 +147,19 @@ const {
 
 <template>
         <!-- Tab content -->
-        <div class="p-4" data-test="container-side-tab-content">
+        <div
+          :class="activeDetailTab === 'logs' ? 'flex flex-col flex-1 min-h-0 overflow-hidden p-2' : 'p-4'"
+          data-test="container-side-tab-content"
+        >
 
           <!-- Overview tab -->
           <div v-if="activeDetailTab === 'overview'" class="space-y-5">
             <!-- Ports -->
             <div v-if="selectedContainer.details.ports.length > 0">
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-2 dd-text-muted">Ports</div>
+              <div class="dd-text-label mb-2 dd-text-muted">Ports</div>
               <div class="space-y-1">
                 <div v-for="port in selectedContainer.details.ports" :key="port"
-                     class="flex items-center gap-2 px-2.5 py-1.5 dd-rounded text-[0.6875rem] font-mono"
+                     class="flex items-center gap-2 px-2.5 py-1.5 dd-rounded text-2xs-plus font-mono"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <AppIcon name="network" :size="11" class="dd-text-muted" />
                   <span class="dd-text">{{ port }}</span>
@@ -165,10 +169,10 @@ const {
 
             <!-- Volumes -->
             <div v-if="selectedContainer.details.volumes.length > 0">
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-2 dd-text-muted">Volumes</div>
+              <div class="dd-text-label mb-2 dd-text-muted">Volumes</div>
               <div class="space-y-1">
                 <div v-for="vol in selectedContainer.details.volumes" :key="vol"
-                     class="flex items-center gap-2 px-2.5 py-1.5 dd-rounded text-[0.6875rem] font-mono"
+                     class="flex items-center gap-2 px-2.5 py-1.5 dd-rounded text-2xs-plus font-mono"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <AppIcon name="hard-drive" :size="11" class="dd-text-muted" />
                   <span class="truncate dd-text">{{ vol }}</span>
@@ -178,17 +182,17 @@ const {
 
             <!-- Compose files -->
             <div v-if="selectedComposePaths.length > 0">
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-2 dd-text-muted">Compose Files</div>
+              <div class="dd-text-label mb-2 dd-text-muted">Compose Files</div>
               <div class="space-y-1">
                 <div
                   v-for="(composePath, index) in selectedComposePaths"
                   :key="`${composePath}-${index}`"
-                  class="flex items-center gap-2 px-2.5 py-1.5 dd-rounded text-[0.6875rem] font-mono"
+                  class="flex items-center gap-2 px-2.5 py-1.5 dd-rounded text-2xs-plus font-mono"
                   :style="{ backgroundColor: 'var(--dd-bg-inset)' }"
                   data-test="compose-path-row"
                 >
                   <AppIcon name="stack" :size="11" class="dd-text-muted" />
-                  <span v-if="selectedComposePaths.length > 1" class="text-[0.5625rem] dd-text-muted">#{{ index + 1 }}</span>
+                  <span v-if="selectedComposePaths.length > 1" class="text-3xs dd-text-muted">#{{ index + 1 }}</span>
                   <span class="truncate dd-text">{{ composePath }}</span>
                 </div>
               </div>
@@ -196,8 +200,8 @@ const {
 
             <!-- Version info -->
             <div>
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-2 dd-text-muted">Version</div>
-              <div class="flex items-center gap-2 px-2.5 py-1.5 dd-rounded text-[0.6875rem] font-mono"
+              <div class="dd-text-label mb-2 dd-text-muted">Version</div>
+              <div class="flex items-center gap-2 px-2.5 py-1.5 dd-rounded text-2xs-plus font-mono"
                    :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                 <span class="dd-text-secondary">Current:</span>
                 <CopyableTag :tag="selectedContainer.currentTag" class="font-bold dd-text">{{ selectedContainer.currentTag }}</CopyableTag>
@@ -208,39 +212,43 @@ const {
               </div>
               <div
                 v-if="!selectedContainer.newTag && selectedContainer.noUpdateReason"
-                class="mt-2 flex items-start gap-2 px-2.5 py-1.5 dd-rounded text-[0.6875rem]"
+                class="mt-2 flex items-start gap-2 px-2.5 py-1.5 dd-rounded text-2xs-plus"
                 :style="{ backgroundColor: 'var(--dd-warning-muted)' }"
               >
                 <AppIcon name="warning" :size="11" class="shrink-0 mt-0.5" style="color: var(--dd-warning);" />
                 <span class="flex-1 min-w-0 whitespace-normal break-words" style="color: var(--dd-warning);">{{ selectedContainer.noUpdateReason }}</span>
               </div>
-              <a
-                v-if="selectedContainer.releaseLink"
-                :href="selectedContainer.releaseLink"
-                target="_blank"
-                rel="noopener noreferrer"
-                class="mt-2 inline-flex items-center text-[0.6875rem] underline hover:no-underline"
-                style="color: var(--dd-info);"
-              >
-                Release notes
-              </a>
+              <div v-if="selectedContainer.updateKind || selectedContainer.updateMaturity || selectedContainer.suggestedTag || (selectedContainer.tagPrecision === 'floating' && !selectedContainer.imageDigestWatch)" class="mt-2 flex items-center gap-1.5 flex-wrap">
+                <AppBadge v-if="selectedContainer.updateKind" size="xs" :custom="updateKindColor(selectedContainer.updateKind)">
+                  {{ selectedContainer.updateKind }}
+                </AppBadge>
+                <UpdateMaturityBadge :maturity="selectedContainer.updateMaturity" :tooltip="selectedContainer.updateMaturityTooltip" />
+                <SuggestedTagBadge :tag="selectedContainer.suggestedTag" :current-tag="selectedContainer.currentTag" />
+                <FloatingTagBadge
+                  :tag-precision="selectedContainer.tagPrecision"
+                  :image-digest-watch="selectedContainer.imageDigestWatch"
+                />
+              </div>
+              <div class="mt-2">
+                <ReleaseNotesLink :release-notes="selectedContainer.releaseNotes" :release-link="selectedContainer.releaseLink" />
+              </div>
             </div>
 
             <!-- Tag filter regex -->
             <div>
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-2 dd-text-muted">Tag Filters</div>
+              <div class="dd-text-label mb-2 dd-text-muted">Tag Filters</div>
               <div class="space-y-1">
-                <div class="flex items-center gap-2 px-2.5 py-1.5 dd-rounded text-[0.6875rem]"
+                <div class="flex items-center gap-2 px-2.5 py-1.5 dd-rounded text-2xs-plus"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <span class="dd-text-secondary shrink-0">Include:</span>
                   <span class="font-mono dd-text break-all">{{ selectedContainer.includeTags || 'Not set' }}</span>
                 </div>
-                <div class="flex items-center gap-2 px-2.5 py-1.5 dd-rounded text-[0.6875rem]"
+                <div class="flex items-center gap-2 px-2.5 py-1.5 dd-rounded text-2xs-plus"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <span class="dd-text-secondary shrink-0">Exclude:</span>
                   <span class="font-mono dd-text break-all">{{ selectedContainer.excludeTags || 'Not set' }}</span>
                 </div>
-                <div class="flex items-center gap-2 px-2.5 py-1.5 dd-rounded text-[0.6875rem]"
+                <div class="flex items-center gap-2 px-2.5 py-1.5 dd-rounded text-2xs-plus"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <span class="dd-text-secondary shrink-0">Transform:</span>
                   <span class="font-mono dd-text break-all">{{ selectedContainer.transformTags || 'Not set' }}</span>
@@ -250,14 +258,14 @@ const {
 
             <!-- Trigger filter include/exclude -->
             <div>
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-2 dd-text-muted">Trigger Filters</div>
+              <div class="dd-text-label mb-2 dd-text-muted">Trigger Filters</div>
               <div class="space-y-1">
-                <div class="flex items-center gap-2 px-2.5 py-1.5 dd-rounded text-[0.6875rem]"
+                <div class="flex items-center gap-2 px-2.5 py-1.5 dd-rounded text-2xs-plus"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <span class="dd-text-secondary shrink-0">Include:</span>
                   <span class="font-mono dd-text break-all">{{ selectedContainer.triggerInclude || 'Not set' }}</span>
                 </div>
-                <div class="flex items-center gap-2 px-2.5 py-1.5 dd-rounded text-[0.6875rem]"
+                <div class="flex items-center gap-2 px-2.5 py-1.5 dd-rounded text-2xs-plus"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <span class="dd-text-secondary shrink-0">Exclude:</span>
                   <span class="font-mono dd-text break-all">{{ selectedContainer.triggerExclude || 'Not set' }}</span>
@@ -267,17 +275,16 @@ const {
 
             <!-- Registry -->
             <div>
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-2 dd-text-muted">Registry</div>
-              <div class="flex items-center gap-2 px-2.5 py-1.5 dd-rounded text-[0.6875rem]"
+              <div class="dd-text-label mb-2 dd-text-muted">Registry</div>
+              <div class="flex items-center gap-2 px-2.5 py-1.5 dd-rounded text-2xs-plus"
                    :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
-                <span class="badge text-[0.5625rem] uppercase font-bold"
-                      :style="{ backgroundColor: registryColorBg(selectedContainer.registry), color: registryColorText(selectedContainer.registry) }">
+                <AppBadge size="xs" :custom="{ bg: registryColorBg(selectedContainer.registry), text: registryColorText(selectedContainer.registry) }">
                   {{ registryLabel(selectedContainer.registry, selectedContainer.registryUrl, selectedContainer.registryName) }}
-                </span>
+                </AppBadge>
                 <span class="font-mono dd-text-secondary">{{ selectedContainer.image }}</span>
               </div>
               <div v-if="selectedContainer.registryError"
-                   class="mt-2 flex items-start gap-2 px-2.5 py-1.5 dd-rounded text-[0.6875rem]"
+                   class="mt-2 flex items-start gap-2 px-2.5 py-1.5 dd-rounded text-2xs-plus"
                    :style="{ backgroundColor: 'var(--dd-danger-muted)' }">
                 <AppIcon name="warning" :size="11" class="shrink-0 mt-0.5" style="color: var(--dd-danger);" />
                 <span class="flex-1 min-w-0 whitespace-normal break-words" style="color: var(--dd-danger);">{{ selectedContainer.registryError }}</span>
@@ -286,20 +293,20 @@ const {
 
             <!-- Runtime process -->
             <div>
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-2 dd-text-muted">Runtime Process</div>
+              <div class="dd-text-label mb-2 dd-text-muted">Runtime Process</div>
               <div class="space-y-1">
-                <div class="flex items-center justify-between gap-3 px-2.5 py-1.5 dd-rounded text-[0.6875rem]"
+                <div class="flex items-center justify-between gap-3 px-2.5 py-1.5 dd-rounded text-2xs-plus"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <span class="dd-text-secondary">Entrypoint</span>
-                  <span class="badge text-[0.5625rem] font-bold uppercase"
+                  <span class="badge text-3xs font-bold uppercase"
                         :style="runtimeOriginStyle(selectedRuntimeOrigins.entrypoint)">
                     {{ runtimeOriginLabel(selectedRuntimeOrigins.entrypoint) }}
                   </span>
                 </div>
-                <div class="flex items-center justify-between gap-3 px-2.5 py-1.5 dd-rounded text-[0.6875rem]"
+                <div class="flex items-center justify-between gap-3 px-2.5 py-1.5 dd-rounded text-2xs-plus"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <span class="dd-text-secondary">Cmd</span>
-                  <span class="badge text-[0.5625rem] font-bold uppercase"
+                  <span class="badge text-3xs font-bold uppercase"
                         :style="runtimeOriginStyle(selectedRuntimeOrigins.cmd)">
                     {{ runtimeOriginLabel(selectedRuntimeOrigins.cmd) }}
                   </span>
@@ -307,7 +314,7 @@ const {
               </div>
               <div v-if="selectedRuntimeDriftWarnings.length > 0" class="mt-2 space-y-1">
                 <div v-for="warning in selectedRuntimeDriftWarnings" :key="warning"
-                     class="flex items-start gap-2 px-2.5 py-1.5 dd-rounded text-[0.6875rem]"
+                     class="flex items-start gap-2 px-2.5 py-1.5 dd-rounded text-2xs-plus"
                      :style="{ backgroundColor: 'var(--dd-warning-muted)' }">
                   <AppIcon name="warning" :size="11" class="shrink-0 mt-0.5" style="color: var(--dd-warning);" />
                   <span class="flex-1 min-w-0 whitespace-normal break-words" style="color: var(--dd-warning);">{{ warning }}</span>
@@ -317,30 +324,30 @@ const {
 
             <!-- Lifecycle hooks -->
             <div>
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-2 dd-text-muted">Lifecycle Hooks</div>
+              <div class="dd-text-label mb-2 dd-text-muted">Lifecycle Hooks</div>
               <div class="space-y-1">
-                <div class="flex items-start justify-between gap-3 px-2.5 py-1.5 dd-rounded text-[0.6875rem]"
+                <div class="flex items-start justify-between gap-3 px-2.5 py-1.5 dd-rounded text-2xs-plus"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <span class="dd-text-secondary shrink-0">Pre-update</span>
                   <span class="font-mono dd-text text-right break-all">{{ selectedLifecycleHooks.preUpdate || 'Not configured' }}</span>
                 </div>
-                <div class="flex items-start justify-between gap-3 px-2.5 py-1.5 dd-rounded text-[0.6875rem]"
+                <div class="flex items-start justify-between gap-3 px-2.5 py-1.5 dd-rounded text-2xs-plus"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <span class="dd-text-secondary shrink-0">Post-update</span>
                   <span class="font-mono dd-text text-right break-all">{{ selectedLifecycleHooks.postUpdate || 'Not configured' }}</span>
                 </div>
-                <div class="flex items-center justify-between gap-3 px-2.5 py-1.5 dd-rounded text-[0.6875rem]"
+                <div class="flex items-center justify-between gap-3 px-2.5 py-1.5 dd-rounded text-2xs-plus"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <span class="dd-text-secondary">Timeout</span>
                   <span class="font-mono dd-text">{{ selectedLifecycleHooks.timeoutLabel }}</span>
                 </div>
               </div>
               <div v-if="selectedLifecycleHooks.preAbortBehavior"
-                   class="mt-2 px-2.5 py-1.5 dd-rounded text-[0.6875rem]"
+                   class="mt-2 px-2.5 py-1.5 dd-rounded text-2xs-plus"
                    :style="{ backgroundColor: 'var(--dd-info-muted)' }">
                 <span style="color: var(--dd-info);">{{ selectedLifecycleHooks.preAbortBehavior }}</span>
               </div>
-              <div class="mt-2 px-2.5 py-1.5 dd-rounded text-[0.6875rem]"
+              <div class="mt-2 px-2.5 py-1.5 dd-rounded text-2xs-plus"
                    :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                 <div class="dd-text-secondary mb-1">Template Variables</div>
                 <div class="space-y-1">
@@ -355,19 +362,19 @@ const {
 
             <!-- Auto-rollback -->
             <div>
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-2 dd-text-muted">Auto-Rollback</div>
+              <div class="dd-text-label mb-2 dd-text-muted">Auto-Rollback</div>
               <div class="space-y-1">
-                <div class="flex items-center justify-between gap-3 px-2.5 py-1.5 dd-rounded text-[0.6875rem]"
+                <div class="flex items-center justify-between gap-3 px-2.5 py-1.5 dd-rounded text-2xs-plus"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <span class="dd-text-secondary">Status</span>
                   <span class="font-mono dd-text">{{ selectedAutoRollbackConfig.enabledLabel }}</span>
                 </div>
-                <div class="flex items-center justify-between gap-3 px-2.5 py-1.5 dd-rounded text-[0.6875rem]"
+                <div class="flex items-center justify-between gap-3 px-2.5 py-1.5 dd-rounded text-2xs-plus"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <span class="dd-text-secondary">Window</span>
                   <span class="font-mono dd-text">{{ selectedAutoRollbackConfig.windowLabel }}</span>
                 </div>
-                <div class="flex items-center justify-between gap-3 px-2.5 py-1.5 dd-rounded text-[0.6875rem]"
+                <div class="flex items-center justify-between gap-3 px-2.5 py-1.5 dd-rounded text-2xs-plus"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <span class="dd-text-secondary">Interval</span>
                   <span class="font-mono dd-text">{{ selectedAutoRollbackConfig.intervalLabel }}</span>
@@ -377,26 +384,26 @@ const {
 
             <!-- Image metadata -->
             <div>
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-2 dd-text-muted">Image Metadata</div>
+              <div class="dd-text-label mb-2 dd-text-muted">Image Metadata</div>
               <div class="space-y-1">
-                <div class="flex items-center justify-between gap-3 px-2.5 py-1.5 dd-rounded text-[0.6875rem]"
+                <div class="flex items-center justify-between gap-3 px-2.5 py-1.5 dd-rounded text-2xs-plus"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <span class="dd-text-secondary">Architecture</span>
                   <span class="font-mono dd-text">{{ selectedImageMetadata.architecture || 'Unknown' }}</span>
                 </div>
-                <div class="flex items-center justify-between gap-3 px-2.5 py-1.5 dd-rounded text-[0.6875rem]"
+                <div class="flex items-center justify-between gap-3 px-2.5 py-1.5 dd-rounded text-2xs-plus"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <span class="dd-text-secondary">OS</span>
                   <span class="font-mono dd-text">{{ selectedImageMetadata.os || 'Unknown' }}</span>
                 </div>
-                <div class="px-2.5 py-1.5 dd-rounded text-[0.6875rem]"
+                <div class="px-2.5 py-1.5 dd-rounded text-2xs-plus"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <div class="dd-text-secondary">Digest</div>
                   <div class="font-mono dd-text break-all">
                     {{ selectedImageMetadata.digest || 'Unknown' }}
                   </div>
                 </div>
-                <div class="flex items-center justify-between gap-3 px-2.5 py-1.5 dd-rounded text-[0.6875rem]"
+                <div class="flex items-center justify-between gap-3 px-2.5 py-1.5 dd-rounded text-2xs-plus"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <span class="dd-text-secondary">Created</span>
                   <span class="font-mono dd-text">
@@ -409,60 +416,44 @@ const {
             <!-- Security -->
             <div>
               <div class="flex items-center justify-between gap-2 mb-2">
-                <div class="text-[0.625rem] font-semibold uppercase tracking-wider dd-text-muted">Security</div>
-                <button class="px-2 py-1 dd-rounded text-[0.625rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"                        :disabled="detailVulnerabilityLoading || detailSbomLoading"
+                <div class="dd-text-label dd-text-muted">Security</div>
+                <AppButton size="xs" :disabled="detailVulnerabilityLoading || detailSbomLoading"
                         @click="loadDetailSecurityData">
                   {{ detailVulnerabilityLoading || detailSbomLoading ? 'Refreshing...' : 'Refresh' }}
-                </button>
+                </AppButton>
               </div>
 
               <div v-if="detailVulnerabilityLoading"
-                   class="px-2.5 py-1.5 dd-rounded text-[0.6875rem] dd-text-muted"
+                   class="px-2.5 py-1.5 dd-rounded text-2xs-plus dd-text-muted"
                    :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                 Loading vulnerability data...
               </div>
               <div v-else-if="detailVulnerabilityError"
-                   class="px-2.5 py-1.5 dd-rounded text-[0.6875rem]"
+                   class="px-2.5 py-1.5 dd-rounded text-2xs-plus"
                    :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }">
                 {{ detailVulnerabilityError }}
               </div>
               <div v-else class="space-y-1.5">
-                <div class="flex items-center gap-1.5 flex-wrap text-[0.625rem]">
-                  <span class="badge text-[0.5625rem] font-bold"
-                        :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }">
-                    critical {{ vulnerabilitySummary.critical }}
-                  </span>
-                  <span class="badge text-[0.5625rem] font-bold"
-                        :style="{ backgroundColor: 'var(--dd-warning-muted)', color: 'var(--dd-warning)' }">
-                    high {{ vulnerabilitySummary.high }}
-                  </span>
-                  <span class="badge text-[0.5625rem] font-bold"
-                        :style="{ backgroundColor: 'var(--dd-caution-muted)', color: 'var(--dd-caution)' }">
-                    medium {{ vulnerabilitySummary.medium }}
-                  </span>
-                  <span class="badge text-[0.5625rem] font-bold"
-                        :style="{ backgroundColor: 'var(--dd-info-muted)', color: 'var(--dd-info)' }">
-                    low {{ vulnerabilitySummary.low }}
-                  </span>
-                  <span class="text-[0.625rem] dd-text-muted ml-auto">{{ vulnerabilityTotal }} total</span>
+                <div class="flex items-center gap-1.5 flex-wrap text-2xs">
+                  <AppBadge tone="danger" size="xs">critical {{ vulnerabilitySummary.critical }}</AppBadge>
+                  <AppBadge tone="warning" size="xs">high {{ vulnerabilitySummary.high }}</AppBadge>
+                  <AppBadge tone="caution" size="xs">medium {{ vulnerabilitySummary.medium }}</AppBadge>
+                  <AppBadge tone="info" size="xs">low {{ vulnerabilitySummary.low }}</AppBadge>
+                  <span class="text-2xs dd-text-muted ml-auto">{{ vulnerabilityTotal }} total</span>
                 </div>
 
                 <div v-if="vulnerabilityPreview.length > 0" class="space-y-1">
                   <div v-for="vulnerability in vulnerabilityPreview" :key="vulnerability.id"
-                       class="flex items-center gap-2 px-2.5 py-1.5 dd-rounded text-[0.625rem]"
+                       class="flex items-center gap-2 px-2.5 py-1.5 dd-rounded text-2xs"
                        :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
-                    <span class="badge text-[0.5625rem] font-bold uppercase"
-                          :style="{
-                            backgroundColor: severityStyle(normalizeSeverity(vulnerability.severity)).bg,
-                            color: severityStyle(normalizeSeverity(vulnerability.severity)).text,
-                          }">
+                    <AppBadge size="xs" :custom="severityStyle(normalizeSeverity(vulnerability.severity))">
                       {{ normalizeSeverity(vulnerability.severity) }}
-                    </span>
+                    </AppBadge>
                     <span class="font-mono dd-text truncate">{{ vulnerability.id }}</span>
                     <span class="dd-text-muted truncate ml-auto">{{ getVulnerabilityPackage(vulnerability) }}</span>
                   </div>
                 </div>
-                <div v-else class="px-2.5 py-1.5 dd-rounded text-[0.6875rem] dd-text-muted italic"
+                <div v-else class="px-2.5 py-1.5 dd-rounded text-2xs-plus dd-text-muted italic"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   No vulnerabilities reported for this container.
                 </div>
@@ -471,29 +462,28 @@ const {
               <div class="mt-2 space-y-1.5">
                 <div class="flex items-center gap-2">
                   <select v-model="selectedSbomFormat"
-                          class="px-2 py-1 dd-rounded text-[0.625rem] font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text">
+                          class="px-2 py-1 dd-rounded text-2xs font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text">
                     <option value="spdx-json">spdx-json</option>
                     <option value="cyclonedx-json">cyclonedx-json</option>
                   </select>
-                  <button class="px-2 py-1 dd-rounded text-[0.625rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-                          :style="{}"
+                  <AppButton size="xs"
                           :disabled="detailSbomLoading"
                           @click="loadDetailSbom">
                     {{ detailSbomLoading ? 'Loading SBOM...' : 'Refresh SBOM' }}
-                  </button>
+                  </AppButton>
                 </div>
                 <div v-if="detailSbomError"
-                     class="px-2.5 py-1.5 dd-rounded text-[0.6875rem]"
+                     class="px-2.5 py-1.5 dd-rounded text-2xs-plus"
                      :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }">
                   {{ detailSbomError }}
                 </div>
                 <div v-else-if="detailSbomLoading"
-                     class="px-2.5 py-1.5 dd-rounded text-[0.6875rem] dd-text-muted"
+                     class="px-2.5 py-1.5 dd-rounded text-2xs-plus dd-text-muted"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   Loading SBOM document...
                 </div>
                 <div v-else-if="sbomDocument"
-                     class="px-2.5 py-1.5 dd-rounded text-[0.625rem] space-y-0.5"
+                     class="px-2.5 py-1.5 dd-rounded text-2xs space-y-0.5"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <div class="dd-text-muted">
                     format:
@@ -509,7 +499,7 @@ const {
                   </div>
                 </div>
                 <div v-else
-                     class="px-2.5 py-1.5 dd-rounded text-[0.6875rem] dd-text-muted italic"
+                     class="px-2.5 py-1.5 dd-rounded text-2xs-plus dd-text-muted italic"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   SBOM document is not available yet.
                 </div>
@@ -517,56 +507,28 @@ const {
             </div>
           </div>
 
+          <!-- Stats tab -->
+          <div v-if="activeDetailTab === 'stats'">
+            <ContainerStats :container-id="selectedContainer.id" compact />
+          </div>
+
           <!-- Logs tab -->
-          <div v-if="activeDetailTab === 'logs'">
-            <div class="dd-rounded overflow-hidden"
-                 :style="{ backgroundColor: 'var(--dd-bg-code)' }">
-              <div class="px-3 py-2 flex items-center justify-between gap-2"
-                   style="border-bottom: 1px solid var(--dd-log-divider);">
-                <span class="text-[0.625rem] font-semibold uppercase tracking-wider" style="color: var(--dd-log-text-muted);">
-                  Container Logs
-                </span>
-                <div class="flex items-center gap-2">
-                  <select v-model.number="containerAutoFetchInterval"
-                          class="px-1.5 py-1 dd-rounded text-[0.5625rem] font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text">
-                    <option v-for="opt in LOG_AUTO_FETCH_INTERVALS" :key="opt.value" :value="opt.value">
-                      {{ opt.label }}
-                    </option>
-                  </select>
-                  <span class="text-[0.5625rem] font-mono" style="color: var(--dd-log-text-muted);">
-                    {{ getContainerLogs(selectedContainer.name).length }} lines
-                  </span>
-                </div>
-              </div>
-              <div ref="containerLogRef" class="overflow-auto" style="max-height: calc(100vh - 400px);"
-                   @scroll="containerHandleLogScroll">
-                <div v-for="(line, i) in getContainerLogs(selectedContainer.name)" :key="i"
-                     class="px-3 py-0.5 font-mono text-[0.625rem] leading-relaxed whitespace-pre"
-                     :style="{ borderBottom: i < getContainerLogs(selectedContainer.name).length - 1 ? '1px solid var(--dd-log-line)' : 'none' }">
-                  <span style="color: var(--dd-log-text-muted);">{{ line.substring(0, 24) }}</span>
-                  <span :style="{ color: line.includes('[error]') || line.includes('[crit]') || line.includes('[emerg]') ? 'var(--dd-danger)' : line.includes('[warn]') ? 'var(--dd-warning)' : 'var(--dd-log-text)' }">{{ line.substring(24) }}</span>
-                </div>
-              </div>
-              <div v-if="containerScrollBlocked && containerAutoFetchInterval > 0"
-                   class="flex items-center justify-between px-3 py-1.5 text-[0.5625rem]"
-                   style="border-top: 1px solid var(--dd-log-divider);">
-                <span class="font-semibold" style="color: var(--dd-warning);">Auto-scroll paused</span>
-                <button class="px-2 py-0.5 dd-rounded text-[0.5625rem] font-semibold"
-                        :style="{ backgroundColor: 'var(--dd-warning)', color: 'var(--dd-bg)' }"
-                        @click="containerResumeAutoScroll">
-                  Resume
-                </button>
-              </div>
-            </div>
+          <div v-if="activeDetailTab === 'logs'" class="flex flex-col flex-1 min-h-0 overflow-hidden">
+            <ContainerLogs
+              class="flex-1 min-h-0"
+              :container-id="selectedContainer.id"
+              :container-name="selectedContainer.name"
+              compact
+            />
           </div>
 
           <!-- Environment tab -->
           <div v-if="activeDetailTab === 'environment'" class="space-y-5">
             <div>
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-2 dd-text-muted">Environment Variables</div>
+              <div class="dd-text-label mb-2 dd-text-muted">Environment Variables</div>
               <div v-if="selectedContainer.details.env.length > 0" class="space-y-1">
                 <div v-for="e in selectedContainer.details.env" :key="e.key"
-                     class="flex items-center gap-2 px-2.5 py-1.5 dd-rounded text-[0.6875rem] font-mono"
+                     class="flex items-center gap-2 px-2.5 py-1.5 dd-rounded text-2xs-plus font-mono"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <span class="font-semibold shrink-0 text-drydock-secondary">{{ e.key }}</span>
                   <span class="dd-text-muted">=</span>
@@ -574,131 +536,118 @@ const {
                   <template v-else>
                     <span v-if="getRevealedValue(selectedContainer.id, e.key)" class="truncate dd-text">{{ getRevealedValue(selectedContainer.id, e.key) }}</span>
                     <span v-else class="truncate dd-text-muted">&#x2022;&#x2022;&#x2022;&#x2022;&#x2022;</span>
-                    <button class="shrink-0 p-0.5 dd-text-muted hover:dd-text transition-colors"
+                    <AppButton size="none" variant="plain" weight="none" class="shrink-0 p-0.5 dd-text-muted hover:dd-text transition-colors"
+                            :tooltip="getRevealedValue(selectedContainer.id, e.key) ? 'Hide value' : 'Reveal value'"
                             :disabled="envRevealLoading"
                             @click="toggleReveal(selectedContainer.id, e.key)">
                       <AppIcon :name="getRevealedValue(selectedContainer.id, e.key) ? 'eye-slash' : 'eye'" :size="11" />
-                    </button>
+                    </AppButton>
                   </template>
                 </div>
               </div>
-              <p v-else class="text-[0.6875rem] dd-text-muted italic">No environment variables configured</p>
-              <p v-if="envRevealError" class="mt-2 text-[0.625rem]" style="color: var(--dd-danger);">{{ envRevealError }}</p>
+              <p v-else class="text-2xs-plus dd-text-muted italic">No environment variables configured</p>
+              <p v-if="envRevealError" class="mt-2 text-2xs" style="color: var(--dd-danger);">{{ envRevealError }}</p>
             </div>
             <div>
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-2 dd-text-muted">Volumes</div>
+              <div class="dd-text-label mb-2 dd-text-muted">Volumes</div>
               <div v-if="selectedContainer.details.volumes.length > 0" class="space-y-1">
                 <div v-for="vol in selectedContainer.details.volumes" :key="vol"
-                     class="flex items-center gap-2 px-2.5 py-1.5 dd-rounded text-[0.6875rem] font-mono"
+                     class="flex items-center gap-2 px-2.5 py-1.5 dd-rounded text-2xs-plus font-mono"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <AppIcon name="hard-drive" :size="11" class="dd-text-muted" />
                   <span class="truncate dd-text">{{ vol }}</span>
                 </div>
               </div>
-              <p v-else class="text-[0.6875rem] dd-text-muted italic">No volumes mounted</p>
+              <p v-else class="text-2xs-plus dd-text-muted italic">No volumes mounted</p>
             </div>
           </div>
 
           <!-- Labels tab -->
           <div v-if="activeDetailTab === 'labels'">
-            <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-2 dd-text-muted">Labels</div>
+            <div class="dd-text-label mb-2 dd-text-muted">Labels</div>
             <div v-if="selectedContainer.details.labels.length > 0" class="flex flex-wrap gap-1.5">
-              <span v-for="label in selectedContainer.details.labels" :key="label"
-                    class="badge text-[0.625rem] font-semibold"
-                    :style="{
-                      backgroundColor: 'var(--dd-neutral-muted)',
-                      color: 'var(--dd-text-secondary)',
-                    }">
+              <AppBadge v-for="label in selectedContainer.details.labels" :key="label" tone="neutral" size="sm">
                 {{ label }}
-              </span>
+              </AppBadge>
             </div>
-            <p v-else class="text-[0.6875rem] dd-text-muted italic">No labels assigned</p>
+            <p v-else class="text-2xs-plus dd-text-muted italic">No labels assigned</p>
           </div>
 
           <!-- Actions tab -->
           <div v-if="activeDetailTab === 'actions'" class="space-y-5">
             <div class="space-y-3">
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider dd-text-muted">Update Workflow</div>
+              <div class="dd-text-label dd-text-muted">Update Workflow</div>
               <!-- Actions group -->
               <div>
-                <div class="text-[0.5625rem] uppercase tracking-wider mb-1.5 dd-text-muted">Actions</div>
+                <div class="text-3xs uppercase tracking-wider mb-1.5 dd-text-muted">Actions</div>
                 <div class="flex flex-wrap gap-1.5">
-                  <button class="px-2.5 py-1.5 dd-rounded text-[0.625rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-                          :style="{}"
+                  <AppButton size="sm" variant="outlined"
                           :disabled="previewLoading"
                           @click="runContainerPreview">
                     {{ previewLoading ? 'Previewing...' : 'Preview Update' }}
-                  </button>
-                  <button v-if="selectedContainer.bouncer === 'blocked'"
-                          class="px-2.5 py-1.5 dd-rounded text-[0.625rem] font-semibold transition-colors"
-                          :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)', border: '1px solid var(--dd-danger)' }"
-                          :disabled="actionInProgress === selectedContainer.name"
+                  </AppButton>
+                  <AppButton v-if="selectedContainer.bouncer === 'blocked'" size="sm" variant="plain" :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)', border: '1px solid var(--dd-danger)' }"
+                          :disabled="actionInProgress.has(selectedContainer.name)"
                           @click="confirmForceUpdate(selectedContainer.name)">
                     <AppIcon name="lock" :size="10" class="mr-1 inline" />Force Update
-                  </button>
-                  <button v-else
-                          class="px-2.5 py-1.5 dd-rounded text-[0.625rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-                          :style="{}"
-                          :disabled="!selectedContainer.newTag || actionInProgress === selectedContainer.name"
+                  </AppButton>
+                  <AppButton v-else
+                          size="sm"
+
+                          :disabled="!selectedContainer.newTag || actionInProgress.has(selectedContainer.name)"
                           @click="confirmUpdate(selectedContainer.name)">
                     Update Now
-                  </button>
-                  <button class="px-2.5 py-1.5 dd-rounded text-[0.625rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-                          :style="{}"
-                          :disabled="actionInProgress === selectedContainer.name"
+                  </AppButton>
+                  <AppButton size="sm" variant="outlined"
+                          :disabled="actionInProgress.has(selectedContainer.name)"
                           @click="scanContainer(selectedContainer.name)">
                     Scan Now
-                  </button>
+                  </AppButton>
                 </div>
               </div>
               <!-- Skip & Snooze group -->
               <div>
-                <div class="text-[0.5625rem] uppercase tracking-wider mb-1.5 dd-text-muted">Skip & Snooze</div>
+                <div class="text-3xs uppercase tracking-wider mb-1.5 dd-text-muted">Skip & Snooze</div>
                 <div class="flex flex-wrap gap-1.5">
-                  <button class="px-2.5 py-1.5 dd-rounded text-[0.625rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-                          :style="{}"
+                  <AppButton size="sm" variant="outlined"
                           :disabled="!selectedContainer.newTag || policyInProgress !== null"
                           @click="skipCurrentForSelected">
                     Skip This Update
-                  </button>
-                  <button class="px-2.5 py-1.5 dd-rounded text-[0.625rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-                          :style="{}"
+                  </AppButton>
+                  <AppButton size="sm" variant="outlined"
                           :disabled="policyInProgress !== null"
                           @click="snoozeSelected(1)">
                     Snooze 1d
-                  </button>
-                  <button class="px-2.5 py-1.5 dd-rounded text-[0.625rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-                          :style="{}"
+                  </AppButton>
+                  <AppButton size="sm" variant="outlined"
                           :disabled="policyInProgress !== null"
                           @click="snoozeSelected(7)">
                     Snooze 7d
-                  </button>
+                  </AppButton>
                   <input
                     v-model="snoozeDateInput"
                     type="date"
-                    class="px-2 py-1.5 dd-rounded text-[0.625rem] outline-none dd-bg dd-text"
+                    class="px-2 py-1.5 dd-rounded text-2xs outline-none dd-bg dd-text"
                     :disabled="policyInProgress !== null" />
-                  <button class="px-2.5 py-1.5 dd-rounded text-[0.625rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-                          :style="{}"
+                  <AppButton size="sm" variant="outlined"
                           :disabled="!snoozeDateInput || policyInProgress !== null"
                           @click="snoozeSelectedUntilDate">
                     Snooze Until
-                  </button>
-                  <button class="px-2.5 py-1.5 dd-rounded text-[0.625rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-                          :style="{}"
+                  </AppButton>
+                  <AppButton size="sm" variant="outlined"
                           :disabled="!selectedSnoozeUntil || policyInProgress !== null"
                           @click="unsnoozeSelected">
                     Unsnooze
-                  </button>
+                  </AppButton>
                 </div>
               </div>
               <!-- Maturity group -->
               <div>
-                <div class="text-[0.5625rem] uppercase tracking-wider mb-1.5 dd-text-muted">Maturity</div>
+                <div class="text-3xs uppercase tracking-wider mb-1.5 dd-text-muted">Maturity</div>
                 <div class="flex flex-wrap gap-1.5 items-center">
                   <select
                     v-model="maturityModeInput"
-                    class="px-2 py-1.5 dd-rounded text-[0.625rem] outline-none dd-bg dd-text"
+                    class="px-2 py-1.5 dd-rounded text-2xs outline-none dd-bg dd-text"
                     :disabled="policyInProgress !== null"
                   >
                     <option value="all">Allow New + Mature</option>
@@ -709,42 +658,38 @@ const {
                     type="number"
                     min="1"
                     max="365"
-                    class="w-[92px] px-2 py-1.5 dd-rounded text-[0.625rem] outline-none dd-bg dd-text"
+                    class="w-[92px] px-2 py-1.5 dd-rounded text-2xs outline-none dd-bg dd-text"
                     :disabled="policyInProgress !== null"
                   />
-                  <button class="px-2.5 py-1.5 dd-rounded text-[0.625rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-                          :style="{}"
+                  <AppButton size="sm" variant="outlined"
                           :disabled="policyInProgress !== null"
                           @click="setMaturityPolicySelected(maturityModeInput)">
                     Apply Maturity
-                  </button>
-                  <button class="px-2.5 py-1.5 dd-rounded text-[0.625rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-                          :style="{}"
+                  </AppButton>
+                  <AppButton size="sm" variant="outlined"
                           :disabled="!selectedHasMaturityPolicy || policyInProgress !== null"
                           @click="clearMaturityPolicySelected">
                     Clear Maturity
-                  </button>
+                  </AppButton>
                 </div>
               </div>
               <!-- Reset group -->
               <div>
-                <div class="text-[0.5625rem] uppercase tracking-wider mb-1.5 dd-text-muted">Reset</div>
+                <div class="text-3xs uppercase tracking-wider mb-1.5 dd-text-muted">Reset</div>
                 <div class="flex flex-wrap gap-1.5">
-                  <button class="px-2.5 py-1.5 dd-rounded text-[0.625rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-                          :style="{}"
-                          :disabled="selectedSkipTags.length === 0 && selectedSkipDigests.length === 0"
+                  <AppButton size="sm" variant="outlined"
+                          :disabled="(selectedSkipTags.length === 0 && selectedSkipDigests.length === 0) || policyInProgress !== null"
                           @click="clearSkipsSelected">
                     Clear Skips
-                  </button>
-                  <button class="px-2.5 py-1.5 dd-rounded text-[0.625rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-                          :style="{}"
-                          :disabled="Object.keys(selectedUpdatePolicy).length === 0"
-                          @click="clearPolicySelected">
+                  </AppButton>
+                  <AppButton size="sm" variant="outlined"
+                          :disabled="Object.keys(selectedUpdatePolicy).length === 0 || policyInProgress !== null"
+                          @click="confirmClearPolicy">
                     Clear Policy
-                  </button>
+                  </AppButton>
                 </div>
               </div>
-              <div class="mt-2 space-y-1 text-[0.625rem] dd-text-muted">
+              <div class="mt-2 space-y-1 text-2xs dd-text-muted">
                 <div v-if="selectedSnoozeUntil">
                   Snoozed until:
                   <span class="dd-text">{{ formatTimestamp(selectedSnoozeUntil) }}</span>
@@ -759,14 +704,15 @@ const {
                   Skipped tags:
                   <div class="mt-1 flex flex-wrap gap-1">
                     <span v-for="tag in selectedSkipTags" :key="`skip-tag-${tag}`"
-                          class="inline-flex items-center gap-1 px-1.5 py-0.5 dd-rounded text-[0.625rem] font-mono"
+                          class="inline-flex items-center gap-1 px-1.5 py-0.5 dd-rounded text-2xs font-mono"
                           :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                       <span class="dd-text">{{ tag }}</span>
-                      <button class="inline-flex items-center justify-center w-4 h-4 dd-rounded-sm transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
+                      <AppButton size="none" variant="plain" weight="none" class="inline-flex items-center justify-center w-4 h-4 dd-rounded-sm transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
+                              tooltip="Remove skip"
                               :disabled="policyInProgress !== null"
                               @click="removeSkipTagSelected(tag)">
                         <AppIcon name="xmark" :size="9" />
-                      </button>
+                      </AppButton>
                     </span>
                   </div>
                 </div>
@@ -774,14 +720,15 @@ const {
                   Skipped digests:
                   <div class="mt-1 flex flex-wrap gap-1">
                     <span v-for="digest in selectedSkipDigests" :key="`skip-digest-${digest}`"
-                          class="inline-flex items-center gap-1 px-1.5 py-0.5 dd-rounded text-[0.625rem] font-mono"
+                          class="inline-flex items-center gap-1 px-1.5 py-0.5 dd-rounded text-2xs font-mono"
                           :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                       <span class="dd-text">{{ digest }}</span>
-                      <button class="inline-flex items-center justify-center w-4 h-4 dd-rounded-sm transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
+                      <AppButton size="none" variant="plain" weight="none" class="inline-flex items-center justify-center w-4 h-4 dd-rounded-sm transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
+                              tooltip="Remove skip"
                               :disabled="policyInProgress !== null"
                               @click="removeSkipDigestSelected(digest)">
                         <AppIcon name="xmark" :size="9" />
-                      </button>
+                      </AppButton>
                     </span>
                   </div>
                 </div>
@@ -790,18 +737,18 @@ const {
                   No active update policy.
                 </div>
               </div>
-              <p v-if="policyMessage" class="mt-2 text-[0.625rem]" style="color: var(--dd-success);">{{ policyMessage }}</p>
-              <p v-if="policyError" class="mt-2 text-[0.625rem]" style="color: var(--dd-danger);">{{ policyError }}</p>
+              <p v-if="policyMessage" class="mt-2 text-2xs" style="color: var(--dd-success);">{{ policyMessage }}</p>
+              <p v-if="policyError" class="mt-2 text-2xs" style="color: var(--dd-danger);">{{ policyError }}</p>
             </div>
 
             <div>
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-2 dd-text-muted">Preview</div>
+              <div class="dd-text-label mb-2 dd-text-muted">Preview</div>
               <div class="space-y-1.5">
-                <div v-if="previewLoading" class="px-2.5 py-2 dd-rounded text-[0.6875rem] dd-text-muted"
+                <div v-if="previewLoading" class="px-2.5 py-2 dd-rounded text-2xs-plus dd-text-muted"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   Generating preview...
                 </div>
-                <div v-else-if="detailPreview" class="px-2.5 py-2 dd-rounded text-[0.6875rem] space-y-1"
+                <div v-else-if="detailPreview" class="px-2.5 py-2 dd-rounded text-2xs-plus space-y-1"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <div v-if="detailPreview.error" style="color: var(--dd-danger);">{{ detailPreview.error }}</div>
                   <template v-else>
@@ -834,83 +781,81 @@ const {
                     </div>
                     <div v-if="detailComposePreview?.patch" class="dd-text-muted">
                       Patch preview:
-                      <pre class="mt-1 p-2 dd-rounded whitespace-pre-wrap break-all text-[0.625rem] dd-text font-mono"
+                      <pre class="mt-1 p-2 dd-rounded whitespace-pre-wrap break-all text-2xs dd-text font-mono"
                            :style="{ backgroundColor: 'var(--dd-bg)' }">{{ detailComposePreview.patch }}</pre>
                     </div>
                   </template>
                 </div>
-                <div v-else class="px-2.5 py-2 dd-rounded text-[0.6875rem] dd-text-muted italic"
+                <div v-else class="px-2.5 py-2 dd-rounded text-2xs-plus dd-text-muted italic"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   Run a preview to see what update actions will be executed.
                 </div>
               </div>
-              <p v-if="previewError" class="mt-2 text-[0.625rem]" style="color: var(--dd-danger);">{{ previewError }}</p>
+              <p v-if="previewError" class="mt-2 text-2xs" style="color: var(--dd-danger);">{{ previewError }}</p>
             </div>
 
             <div>
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-2 dd-text-muted">Associated Triggers</div>
-              <div v-if="triggersLoading" class="text-[0.6875rem] dd-text-muted">Loading triggers...</div>
+              <div class="dd-text-label mb-2 dd-text-muted">Associated Triggers</div>
+              <div v-if="triggersLoading" class="text-2xs-plus dd-text-muted">Loading triggers...</div>
               <div v-else-if="detailTriggers.length > 0" class="space-y-1.5">
                 <div v-for="trigger in detailTriggers" :key="getTriggerKey(trigger)"
-                     class="flex items-center justify-between gap-2 px-2.5 py-2 dd-rounded text-[0.6875rem]"
+                     class="flex items-center justify-between gap-2 px-2.5 py-2 dd-rounded text-2xs-plus"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <div class="min-w-0">
                     <div class="font-semibold dd-text truncate">{{ trigger.type }}.{{ trigger.name }}</div>
-                    <div v-if="trigger.agent" class="text-[0.625rem] dd-text-muted">agent: {{ trigger.agent }}</div>
+                    <div v-if="trigger.agent" class="text-2xs dd-text-muted">agent: {{ trigger.agent }}</div>
                   </div>
-                  <button class="px-2 py-1 dd-rounded text-[0.625rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-                          :style="{}"
+                  <AppButton size="xs"
                           :disabled="triggerRunInProgress !== null"
                           @click="runAssociatedTrigger(trigger)">
                     {{ triggerRunInProgress === getTriggerKey(trigger) ? 'Running...' : 'Run' }}
-                  </button>
+                  </AppButton>
                 </div>
               </div>
-              <p v-else class="text-[0.6875rem] dd-text-muted italic">No triggers associated with this container</p>
-              <p v-if="triggerMessage" class="mt-2 text-[0.625rem]" style="color: var(--dd-success);">{{ triggerMessage }}</p>
-              <p v-if="triggerError" class="mt-2 text-[0.625rem]" style="color: var(--dd-danger);">{{ triggerError }}</p>
+              <p v-else class="text-2xs-plus dd-text-muted italic">No triggers associated with this container</p>
+              <p v-if="triggerMessage" class="mt-2 text-2xs" style="color: var(--dd-success);">{{ triggerMessage }}</p>
+              <p v-if="triggerError" class="mt-2 text-2xs" style="color: var(--dd-danger);">{{ triggerError }}</p>
             </div>
 
             <div>
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-2 dd-text-muted">Backups &amp; Rollback</div>
+              <div class="dd-text-label mb-2 dd-text-muted">Backups &amp; Rollback</div>
               <div class="mb-2">
-                <button class="px-2.5 py-1.5 dd-rounded text-[0.625rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"                        :disabled="backupsLoading || detailBackups.length === 0 || rollbackInProgress !== null"
+                <AppButton size="sm" variant="outlined" :disabled="backupsLoading || detailBackups.length === 0 || rollbackInProgress !== null"
                         @click="confirmRollback()">
                   {{ rollbackInProgress === 'latest' ? 'Rolling back...' : 'Rollback Latest' }}
-                </button>
+                </AppButton>
               </div>
-              <div v-if="backupsLoading" class="text-[0.6875rem] dd-text-muted">Loading backups...</div>
+              <div v-if="backupsLoading" class="text-2xs-plus dd-text-muted">Loading backups...</div>
               <div v-else-if="detailBackups.length > 0" class="space-y-1.5">
                 <div v-for="backup in detailBackups" :key="backup.id"
-                     class="flex items-center justify-between gap-2 px-2.5 py-2 dd-rounded text-[0.6875rem]"
+                     class="flex items-center justify-between gap-2 px-2.5 py-2 dd-rounded text-2xs-plus"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <div class="min-w-0">
                     <div class="font-semibold dd-text font-mono truncate">{{ backup.imageName }}:{{ backup.imageTag }}</div>
-                    <div class="text-[0.625rem] dd-text-muted">{{ formatTimestamp(backup.timestamp) }}</div>
+                    <div class="text-2xs dd-text-muted">{{ formatTimestamp(backup.timestamp) }}</div>
                   </div>
-                  <button class="px-2 py-1 dd-rounded text-[0.625rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-                          :style="{}"
+                  <AppButton size="xs"
                           :disabled="rollbackInProgress !== null"
                           @click="confirmRollback(backup.id)">
                     {{ rollbackInProgress === backup.id ? 'Rolling...' : 'Use' }}
-                  </button>
+                  </AppButton>
                 </div>
               </div>
-              <p v-else class="text-[0.6875rem] dd-text-muted italic">No backups available yet</p>
-              <p v-if="rollbackMessage" class="mt-2 text-[0.625rem]" style="color: var(--dd-success);">{{ rollbackMessage }}</p>
-              <p v-if="rollbackError" class="mt-2 text-[0.625rem]" style="color: var(--dd-danger);">{{ rollbackError }}</p>
+              <p v-else class="text-2xs-plus dd-text-muted italic">No backups available yet</p>
+              <p v-if="rollbackMessage" class="mt-2 text-2xs" style="color: var(--dd-success);">{{ rollbackMessage }}</p>
+              <p v-if="rollbackError" class="mt-2 text-2xs" style="color: var(--dd-danger);">{{ rollbackError }}</p>
             </div>
 
             <div>
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-2 dd-text-muted">Update Operation History</div>
-              <div v-if="updateOperationsLoading" class="text-[0.6875rem] dd-text-muted">Loading operation history...</div>
+              <div class="dd-text-label mb-2 dd-text-muted">Update Operation History</div>
+              <div v-if="updateOperationsLoading" class="text-2xs-plus dd-text-muted">Loading operation history...</div>
               <div v-else-if="detailUpdateOperations.length > 0" class="space-y-1.5">
                 <div v-for="operation in detailUpdateOperations" :key="operation.id"
-                     class="space-y-1 px-2.5 py-2 dd-rounded text-[0.6875rem]"
+                     class="space-y-1 px-2.5 py-2 dd-rounded text-2xs-plus"
                      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
                   <div class="flex items-center justify-between gap-2">
-                    <div class="font-mono text-[0.625rem] dd-text-muted truncate">{{ operation.id }}</div>
-                    <span class="badge text-[0.5625rem] font-semibold uppercase"
+                    <div class="font-mono text-2xs dd-text-muted truncate">{{ operation.id }}</div>
+                    <span class="badge text-3xs font-semibold uppercase"
                           :style="getOperationStatusStyle(operation.status)">
                       {{ formatOperationStatus(operation.status) }}
                     </span>
@@ -932,13 +877,13 @@ const {
                     Last error:
                     <span class="dd-text">{{ operation.lastError }}</span>
                   </div>
-                  <div class="text-[0.625rem] dd-text-muted">
+                  <div class="text-2xs dd-text-muted">
                     {{ formatTimestamp(operation.updatedAt || operation.createdAt) }}
                   </div>
                 </div>
               </div>
-              <p v-else class="text-[0.6875rem] dd-text-muted italic">No update operations recorded yet</p>
-              <p v-if="updateOperationsError" class="mt-2 text-[0.625rem]" style="color: var(--dd-danger);">{{ updateOperationsError }}</p>
+              <p v-else class="text-2xs-plus dd-text-muted italic">No update operations recorded yet</p>
+              <p v-if="updateOperationsError" class="mt-2 text-2xs" style="color: var(--dd-danger);">{{ updateOperationsError }}</p>
             </div>
           </div>
 
diff --git a/ui/src/components/containers/ContainerStats.vue b/ui/src/components/containers/ContainerStats.vue
new file mode 100644
index 000000000..d7cf2aae2
--- /dev/null
+++ b/ui/src/components/containers/ContainerStats.vue
@@ -0,0 +1,427 @@
+<script setup lang="ts">
+import { computed, onMounted, onUnmounted, ref, watch } from 'vue';
+import type { ContainerStatsSnapshot, ContainerStatsStreamController } from '../../services/stats';
+import { connectContainerStatsStream, getContainerStats } from '../../services/stats';
+import { buildSparklinePoints } from '../../utils/stats-sparkline';
+import { getUsageThresholdColor } from '../../utils/stats-thresholds';
+import { errorMessage } from '../../utils/error';
+
+const SPARKLINE_WIDTH = 160;
+const SPARKLINE_HEIGHT = 34;
+
+const props = withDefaults(
+  defineProps<{
+    containerId: string;
+    compact?: boolean;
+  }>(),
+  {
+    compact: false,
+  },
+);
+
+const loading = ref(false);
+const loadError = ref<string | null>(null);
+const streamPaused = ref(false);
+const snapshots = ref<ContainerStatsSnapshot[]>([]);
+const lastHeartbeatAt = ref<string | null>(null);
+
+let streamController: ContainerStatsStreamController | undefined;
+let loadRequestId = 0;
+
+function parseTimestamp(timestamp: string): number {
+  const parsed = Date.parse(timestamp);
+  return Number.isNaN(parsed) ? 0 : parsed;
+}
+
+function toFiniteNumber(value: number): number {
+  return Number.isFinite(value) ? value : 0;
+}
+
+function clampPercent(value: number): number {
+  return Math.min(100, Math.max(0, toFiniteNumber(value)));
+}
+
+function appendSnapshot(snapshot: ContainerStatsSnapshot): void {
+  snapshots.value = [...snapshots.value, snapshot];
+}
+
+function replaceSnapshotHistory(
+  history: ContainerStatsSnapshot[],
+  latest: ContainerStatsSnapshot | null,
+) {
+  const nextHistory = [...history];
+  if (latest) {
+    const hasLatest = history.some((entry) => entry.timestamp === latest.timestamp);
+    if (!hasLatest) {
+      nextHistory.push(latest);
+    }
+  }
+  nextHistory.sort(
+    (left, right) => parseTimestamp(left.timestamp) - parseTimestamp(right.timestamp),
+  );
+  snapshots.value = nextHistory;
+}
+
+function stopStream() {
+  streamController?.disconnect();
+  streamController = undefined;
+}
+
+function connectStream() {
+  stopStream();
+  streamController = connectContainerStatsStream(
+    props.containerId,
+    {
+      onSnapshot: (snapshot) => {
+        appendSnapshot(snapshot);
+      },
+      onHeartbeat: () => {
+        lastHeartbeatAt.value = new Date().toISOString();
+      },
+    },
+    {
+      reconnectDelayMs: 2000,
+    },
+  );
+  streamPaused.value = false;
+}
+
+async function loadStats() {
+  const requestId = ++loadRequestId;
+  loading.value = true;
+  loadError.value = null;
+  lastHeartbeatAt.value = null;
+  try {
+    const response = await getContainerStats(props.containerId);
+    if (requestId !== loadRequestId) {
+      return;
+    }
+    replaceSnapshotHistory(response.history, response.data);
+    connectStream();
+  } catch (error: unknown) {
+    if (requestId !== loadRequestId) {
+      return;
+    }
+    loadError.value = errorMessage(error, 'Failed to load container stats');
+    stopStream();
+  } finally {
+    if (requestId === loadRequestId) {
+      loading.value = false;
+    }
+  }
+}
+
+function toggleStream() {
+  if (!streamController) {
+    return;
+  }
+  if (streamPaused.value) {
+    streamController.resume();
+    streamPaused.value = false;
+    return;
+  }
+  streamController.pause();
+  streamPaused.value = true;
+}
+
+function buildRateHistory(
+  history: ContainerStatsSnapshot[],
+  getter: (snapshot: ContainerStatsSnapshot) => number,
+): number[] {
+  if (history.length === 0) {
+    return [];
+  }
+  if (history.length === 1) {
+    return [0];
+  }
+
+  const rates = [0];
+  for (let index = 1; index < history.length; index += 1) {
+    const previous = history[index - 1];
+    const current = history[index];
+    const deltaTimeMs = parseTimestamp(current.timestamp) - parseTimestamp(previous.timestamp);
+    if (deltaTimeMs <= 0) {
+      rates.push(0);
+      continue;
+    }
+    const deltaBytes = toFiniteNumber(getter(current)) - toFiniteNumber(getter(previous));
+    rates.push(Math.max(0, deltaBytes / (deltaTimeMs / 1000)));
+  }
+  return rates;
+}
+
+function getCurrentValue(values: number[]): number {
+  if (values.length === 0) {
+    return 0;
+  }
+  return toFiniteNumber(values[values.length - 1]);
+}
+
+function normalizeMeterPercent(currentValue: number, values: number[]): number {
+  const maxValue = Math.max(1, ...values.map((entry) => toFiniteNumber(entry)));
+  return clampPercent((toFiniteNumber(currentValue) / maxValue) * 100);
+}
+
+function formatPercent(value: number): string {
+  return `${toFiniteNumber(value).toFixed(1)}%`;
+}
+
+function formatBytes(value: number): string {
+  const units = ['B', 'KB', 'MB', 'GB', 'TB'];
+  let nextValue = Math.max(0, toFiniteNumber(value));
+  let unitIndex = 0;
+  while (nextValue >= 1024 && unitIndex < units.length - 1) {
+    nextValue /= 1024;
+    unitIndex += 1;
+  }
+  const precision = unitIndex === 0 ? 0 : 1;
+  return `${nextValue.toFixed(precision)} ${units[unitIndex]}`;
+}
+
+function formatRate(bytesPerSecond: number): string {
+  return `${formatBytes(bytesPerSecond)}/s`;
+}
+
+const latestSnapshot = computed<ContainerStatsSnapshot | null>(() => {
+  if (snapshots.value.length === 0) {
+    return null;
+  }
+  return snapshots.value[snapshots.value.length - 1];
+});
+
+const cpuHistory = computed(() => snapshots.value.map((snapshot) => snapshot.cpuPercent));
+const memoryHistory = computed(() => snapshots.value.map((snapshot) => snapshot.memoryPercent));
+const networkRxRateHistory = computed(() =>
+  buildRateHistory(snapshots.value, (snapshot) => snapshot.networkRxBytes),
+);
+const networkTxRateHistory = computed(() =>
+  buildRateHistory(snapshots.value, (snapshot) => snapshot.networkTxBytes),
+);
+const blockReadRateHistory = computed(() =>
+  buildRateHistory(snapshots.value, (snapshot) => snapshot.blockReadBytes),
+);
+const blockWriteRateHistory = computed(() =>
+  buildRateHistory(snapshots.value, (snapshot) => snapshot.blockWriteBytes),
+);
+const networkCombinedRateHistory = computed(() =>
+  networkRxRateHistory.value.map(
+    (value, index) => value + (networkTxRateHistory.value[index] ?? 0),
+  ),
+);
+const blockCombinedRateHistory = computed(() =>
+  blockReadRateHistory.value.map(
+    (value, index) => value + (blockWriteRateHistory.value[index] ?? 0),
+  ),
+);
+
+const currentCpuPercent = computed(() => clampPercent(latestSnapshot.value?.cpuPercent ?? 0));
+const currentMemoryPercent = computed(() => clampPercent(latestSnapshot.value?.memoryPercent ?? 0));
+const currentMemoryUsageBytes = computed(() => latestSnapshot.value?.memoryUsageBytes ?? 0);
+const currentMemoryLimitBytes = computed(() => latestSnapshot.value?.memoryLimitBytes ?? 0);
+const currentNetworkRxRate = computed(() => getCurrentValue(networkRxRateHistory.value));
+const currentNetworkTxRate = computed(() => getCurrentValue(networkTxRateHistory.value));
+const currentBlockReadRate = computed(() => getCurrentValue(blockReadRateHistory.value));
+const currentBlockWriteRate = computed(() => getCurrentValue(blockWriteRateHistory.value));
+
+const currentNetworkMeterPercent = computed(() =>
+  normalizeMeterPercent(
+    currentNetworkRxRate.value + currentNetworkTxRate.value,
+    networkCombinedRateHistory.value,
+  ),
+);
+const currentBlockMeterPercent = computed(() =>
+  normalizeMeterPercent(
+    currentBlockReadRate.value + currentBlockWriteRate.value,
+    blockCombinedRateHistory.value,
+  ),
+);
+
+const cpuSparklinePoints = computed(() =>
+  buildSparklinePoints(cpuHistory.value, SPARKLINE_WIDTH, SPARKLINE_HEIGHT),
+);
+const memorySparklinePoints = computed(() =>
+  buildSparklinePoints(memoryHistory.value, SPARKLINE_WIDTH, SPARKLINE_HEIGHT),
+);
+const networkSparklinePoints = computed(() =>
+  buildSparklinePoints(networkCombinedRateHistory.value, SPARKLINE_WIDTH, SPARKLINE_HEIGHT),
+);
+const blockSparklinePoints = computed(() =>
+  buildSparklinePoints(blockCombinedRateHistory.value, SPARKLINE_WIDTH, SPARKLINE_HEIGHT),
+);
+
+watch(
+  () => props.containerId,
+  () => {
+    void loadStats();
+  },
+);
+
+onMounted(() => {
+  void loadStats();
+});
+
+onUnmounted(() => {
+  stopStream();
+});
+</script>
+
+<template>
+  <div class="space-y-4" data-test="container-stats">
+    <div class="flex items-center justify-between gap-3">
+      <div class="flex items-center gap-2">
+        <div
+          class="h-2.5 w-2.5 rounded-full"
+          :style="{ backgroundColor: streamPaused ? 'var(--dd-warning)' : 'var(--dd-success)' }" />
+        <span class="text-2xs-plus font-semibold dd-text-secondary">
+          {{ streamPaused ? 'Paused' : 'Live' }}
+        </span>
+        <span v-if="lastHeartbeatAt" class="text-2xs dd-text-muted">
+          heartbeat active
+        </span>
+      </div>
+
+      <AppButton size="none" variant="plain" weight="none"
+        type="button"
+        class="px-2.5 py-1 text-2xs font-semibold dd-rounded transition-colors hover:opacity-90"
+        :style="{
+          backgroundColor: streamPaused ? 'var(--dd-success-muted)' : 'var(--dd-warning-muted)',
+          color: streamPaused ? 'var(--dd-success)' : 'var(--dd-warning)',
+        }"
+        data-test="stats-toggle-stream"
+        @click="toggleStream">
+        {{ streamPaused ? 'Resume' : 'Pause' }}
+      </AppButton>
+    </div>
+
+    <div
+      v-if="loading"
+      class="p-3 text-2xs-plus dd-rounded dd-text-muted"
+      :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+      Loading container stats...
+    </div>
+
+    <div
+      v-else-if="loadError"
+      class="p-3 text-2xs-plus dd-rounded"
+      :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }">
+      {{ loadError }}
+    </div>
+
+    <div v-else-if="!latestSnapshot" class="p-3 text-2xs-plus dd-rounded dd-text-muted" :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+      Stats stream has not produced data yet.
+    </div>
+
+    <div v-else :class="props.compact ? 'grid grid-cols-1 gap-3' : 'grid grid-cols-1 xl:grid-cols-2 gap-3'">
+      <article class="p-3 dd-rounded space-y-2" :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+        <div class="flex items-center justify-between gap-3">
+          <span class="text-2xs font-semibold uppercase tracking-wider dd-text-muted">CPU</span>
+          <span class="text-sm font-semibold dd-text" data-test="metric-cpu-value">
+            {{ formatPercent(currentCpuPercent) }}
+          </span>
+        </div>
+        <div class="h-2 dd-rounded overflow-hidden" :style="{ backgroundColor: 'var(--dd-bg-elevated)' }">
+          <div
+            class="h-full dd-rounded transition-[width,color,background-color]"
+            :style="{
+              width: `${currentCpuPercent}%`,
+              backgroundColor: getUsageThresholdColor(currentCpuPercent),
+            }" />
+        </div>
+        <svg :viewBox="`0 0 ${SPARKLINE_WIDTH} ${SPARKLINE_HEIGHT}`" class="h-8 w-full">
+          <polyline
+            data-test="sparkline-cpu"
+            fill="none"
+            stroke-width="2"
+            stroke-linecap="round"
+            stroke-linejoin="round"
+            :stroke="getUsageThresholdColor(currentCpuPercent)"
+            :points="cpuSparklinePoints" />
+        </svg>
+      </article>
+
+      <article class="p-3 dd-rounded space-y-2" :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+        <div class="flex items-center justify-between gap-3">
+          <span class="text-2xs font-semibold uppercase tracking-wider dd-text-muted">Memory</span>
+          <span class="text-sm font-semibold dd-text" data-test="metric-memory-value">
+            {{ formatPercent(currentMemoryPercent) }}
+          </span>
+        </div>
+        <div class="text-2xs dd-text-secondary">
+          {{ formatBytes(currentMemoryUsageBytes) }} / {{ formatBytes(currentMemoryLimitBytes) }}
+        </div>
+        <div class="h-2 dd-rounded overflow-hidden" :style="{ backgroundColor: 'var(--dd-bg-elevated)' }">
+          <div
+            class="h-full dd-rounded transition-[width,color,background-color]"
+            :style="{
+              width: `${currentMemoryPercent}%`,
+              backgroundColor: getUsageThresholdColor(currentMemoryPercent),
+            }" />
+        </div>
+        <svg :viewBox="`0 0 ${SPARKLINE_WIDTH} ${SPARKLINE_HEIGHT}`" class="h-8 w-full">
+          <polyline
+            data-test="sparkline-memory"
+            fill="none"
+            stroke-width="2"
+            stroke-linecap="round"
+            stroke-linejoin="round"
+            :stroke="getUsageThresholdColor(currentMemoryPercent)"
+            :points="memorySparklinePoints" />
+        </svg>
+      </article>
+
+      <article class="p-3 dd-rounded space-y-2" :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+        <div class="flex items-center justify-between gap-3">
+          <span class="text-2xs font-semibold uppercase tracking-wider dd-text-muted">Network RX/TX</span>
+          <span class="text-2xs-plus font-semibold dd-text">
+            {{ formatRate(currentNetworkRxRate) }} / {{ formatRate(currentNetworkTxRate) }}
+          </span>
+        </div>
+        <div class="h-2 dd-rounded overflow-hidden" :style="{ backgroundColor: 'var(--dd-bg-elevated)' }">
+          <div
+            class="h-full dd-rounded transition-[width,color,background-color]"
+            :style="{
+              width: `${currentNetworkMeterPercent}%`,
+              backgroundColor: getUsageThresholdColor(currentNetworkMeterPercent),
+            }" />
+        </div>
+        <svg :viewBox="`0 0 ${SPARKLINE_WIDTH} ${SPARKLINE_HEIGHT}`" class="h-8 w-full">
+          <polyline
+            data-test="sparkline-network"
+            fill="none"
+            stroke-width="2"
+            stroke-linecap="round"
+            stroke-linejoin="round"
+            :stroke="getUsageThresholdColor(currentNetworkMeterPercent)"
+            :points="networkSparklinePoints" />
+        </svg>
+      </article>
+
+      <article class="p-3 dd-rounded space-y-2" :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+        <div class="flex items-center justify-between gap-3">
+          <span class="text-2xs font-semibold uppercase tracking-wider dd-text-muted">Block I/O</span>
+          <span class="text-2xs-plus font-semibold dd-text">
+            {{ formatRate(currentBlockReadRate) }} / {{ formatRate(currentBlockWriteRate) }}
+          </span>
+        </div>
+        <div class="h-2 dd-rounded overflow-hidden" :style="{ backgroundColor: 'var(--dd-bg-elevated)' }">
+          <div
+            class="h-full dd-rounded transition-[width,color,background-color]"
+            :style="{
+              width: `${currentBlockMeterPercent}%`,
+              backgroundColor: getUsageThresholdColor(currentBlockMeterPercent),
+            }" />
+        </div>
+        <svg :viewBox="`0 0 ${SPARKLINE_WIDTH} ${SPARKLINE_HEIGHT}`" class="h-8 w-full">
+          <polyline
+            data-test="sparkline-block"
+            fill="none"
+            stroke-width="2"
+            stroke-linecap="round"
+            stroke-linejoin="round"
+            :stroke="getUsageThresholdColor(currentBlockMeterPercent)"
+            :points="blockSparklinePoints" />
+        </svg>
+      </article>
+    </div>
+  </div>
+</template>
diff --git a/ui/src/components/containers/ContainersGroupedViews.vue b/ui/src/components/containers/ContainersGroupedViews.vue
index c77ed5a1f..1e4f14687 100644
--- a/ui/src/components/containers/ContainersGroupedViews.vue
+++ b/ui/src/components/containers/ContainersGroupedViews.vue
@@ -1,6 +1,13 @@
 <script setup lang="ts">
+import { computed } from 'vue';
+import AppBadge from '../AppBadge.vue';
+import AppIconButton from '../AppIconButton.vue';
 import { useContainersViewTemplateContext } from './containersViewTemplateContext';
 import { getContainerViewKey } from '../../utils/container-view-key';
+import { imageAge } from '../../utils/audit-helpers';
+import UpdateMaturityBadge from './UpdateMaturityBadge.vue';
+import SuggestedTagBadge from './SuggestedTagBadge.vue';
+import ReleaseNotesLink from './ReleaseNotesLink.vue';
 
 const {
   filteredContainers,
@@ -36,7 +43,6 @@ const {
   displayContainers,
   actionsMenuStyle,
   updateKindColor,
-  maturityColor,
   hasRegistryError,
   registryErrorTooltip,
   containerPolicyTooltip,
@@ -51,15 +57,10 @@ const {
   clearFilters,
 } = useContainersViewTemplateContext();
 
-function updateMaturityLabel(maturity: 'fresh' | 'settled' | null): 'NEW' | 'MATURE' {
-  return maturity === 'fresh' ? 'NEW' : 'MATURE';
-}
-
-function updateMaturityFallbackTooltip(
-  maturity: 'fresh' | 'settled' | null,
-): 'New update' | 'Mature update' {
-  return maturity === 'fresh' ? 'New update' : 'Mature update';
-}
+const openActionsContainer = computed(
+  () =>
+    displayContainers.value.find((container) => container.name === openActionsMenu.value) ?? null,
+);
 </script>
 
 <template>
@@ -80,27 +81,26 @@ function updateMaturityFallbackTooltip(
           <AppIcon :name="collapsedGroups.has(group.key) ? 'chevron-right' : 'chevron-down'" :size="10" class="dd-text-muted shrink-0" />
           <AppIcon name="stack" :size="12" class="dd-text-muted shrink-0" />
           <span class="text-xs font-semibold dd-text">{{ group.name ?? 'Ungrouped' }}</span>
-          <span class="badge text-[0.5625rem] font-bold dd-bg-elevated dd-text-muted">{{ group.containerCount }}</span>
-          <span v-if="group.updatesAvailable > 0" class="badge text-[0.5625rem] font-bold"
-                :style="{ backgroundColor: 'var(--dd-success-muted)', color: 'var(--dd-success)' }">
+          <AppBadge size="xs" :custom="{ bg: 'var(--dd-bg-elevated)', text: 'var(--dd-text-muted)' }">{{ group.containerCount }}</AppBadge>
+          <AppBadge v-if="group.updatesAvailable > 0" tone="success" size="xs">
             {{ group.updatesAvailable }} update{{ group.updatesAvailable === 1 ? '' : 's' }}
-          </span>
-          <button
+          </AppBadge>
+          <AppButton size="none" variant="plain" weight="none"
             v-if="group.updatableCount > 0 || !containerActionsEnabled"
-            class="ml-auto inline-flex items-center justify-center px-2 py-1 dd-rounded border text-[0.625rem] font-semibold transition-colors"
-            :class="!containerActionsEnabled || groupUpdateInProgress.has(group.key) || actionInProgress
+            class="ml-auto inline-flex items-center justify-center px-2 py-1 dd-rounded border text-2xs font-semibold transition-colors"
+            :class="!containerActionsEnabled || groupUpdateInProgress.has(group.key)
               ? 'dd-text-muted cursor-not-allowed opacity-60'
               : 'dd-text hover:dd-bg-elevated'"
-            :disabled="!containerActionsEnabled || groupUpdateInProgress.has(group.key) || actionInProgress !== null"
+            :disabled="!containerActionsEnabled || groupUpdateInProgress.has(group.key)"
             v-tooltip.top="tt(containerActionsEnabled ? 'Update all in group' : containerActionsDisabledReason)"
             @click.stop="updateAllInGroup(group)">
             <AppIcon
               :name="!containerActionsEnabled ? 'lock' : groupUpdateInProgress.has(group.key) ? 'spinner' : 'cloud-download'"
-              :size="11"
+              :size="14"
               class="mr-1"
               :class="!containerActionsEnabled ? '' : groupUpdateInProgress.has(group.key) ? 'dd-spin' : ''" />
             {{ containerActionsEnabled ? 'Update all' : 'Actions disabled' }}
-          </button>
+          </AppButton>
         </div>
 
         <!-- Group body (collapsible) -->
@@ -116,12 +116,13 @@ function updateMaturityFallbackTooltip(
                  :selected-key="selectedContainer ? getContainerViewKey(selectedContainer) : null"
                  :show-actions="true"
                  :virtual-scroll="false"
+                 :row-class="(row) => actionInProgress.has(row.name) || groupUpdateInProgress.has(group.key) ? 'opacity-50 pointer-events-none transition-opacity duration-300' : ''"
                  @update:sort-key="containerSortKey = $event"
                  @update:sort-asc="containerSortAsc = $event"
                  @row-click="selectContainer($event)">
         <!-- Container icon (own column) -->
         <template #cell-icon="{ row: c }">
-          <AppIcon v-if="c._pending || actionInProgress === c.name" name="spinner" :size="14" class="dd-spin dd-text-muted" />
+          <AppIcon v-if="c._pending || actionInProgress.has(c.name)" name="spinner" :size="14" class="dd-spin dd-text-muted" v-tooltip.top="tt('Action in progress')" />
           <ContainerIcon v-else :icon="c.icon" :size="20" />
         </template>
 
@@ -131,17 +132,17 @@ function updateMaturityFallbackTooltip(
               <div class="flex items-center gap-2">
                 <div class="font-medium truncate dd-text flex-1">{{ c.name }}</div>
               </div>
-              <div class="text-[0.625rem] mt-0.5 truncate dd-text-muted">{{ c.image }}</div>
+              <div class="text-2xs mt-0.5 truncate dd-text-muted">{{ c.image }}</div>
               <!-- Compact mode: folded badge row -->
               <div v-if="isCompact" class="flex items-center gap-1.5 mt-1.5 min-w-0 overflow-hidden">
-                <span v-if="c.newTag" class="inline-flex items-center gap-0.5 text-[0.5625rem] font-semibold dd-text-secondary min-w-0">
+                <span v-if="c.newTag" class="inline-flex items-center gap-0.5 text-3xs font-semibold dd-text-secondary min-w-0">
                   <span class="truncate max-w-[80px]">{{ c.currentTag }}</span>
-                  <AppIcon name="arrow-right" :size="11" class="dd-text-muted mx-0.5 shrink-0" />
+                  <AppIcon name="arrow-right" :size="14" class="dd-text-muted mx-0.5 shrink-0" />
                   <CopyableTag :tag="c.newTag" class="truncate max-w-[100px]" style="color: var(--dd-primary);" @click.stop>{{ c.newTag }}</CopyableTag>
                 </span>
                 <span
                   v-else-if="c.noUpdateReason"
-                  class="inline-flex items-center gap-1 text-[0.5625rem] min-w-0"
+                  class="inline-flex items-center gap-1 text-3xs min-w-0"
                   style="color: var(--dd-warning);"
                   v-tooltip.top="c.noUpdateReason"
                 >
@@ -149,66 +150,54 @@ function updateMaturityFallbackTooltip(
                   <span class="truncate max-w-[130px]">{{ c.noUpdateReason }}</span>
                 </span>
                 <div class="flex items-center gap-1.5 ml-auto shrink-0">
-                <span v-if="c.updateKind" class="badge px-1.5 py-0 text-[0.5625rem]"
-                      :style="{ backgroundColor: updateKindColor(c.updateKind).bg, color: updateKindColor(c.updateKind).text }"
+                <AppBadge v-if="c.updateKind" size="xs" :custom="{ bg: updateKindColor(c.updateKind).bg, text: updateKindColor(c.updateKind).text }"
+                      class="px-1.5 py-0"
                       v-tooltip.top="tt(c.updateKind)">
                   <AppIcon :name="c.updateKind === 'major' ? 'chevrons-up' : c.updateKind === 'minor' ? 'chevron-up' : c.updateKind === 'patch' ? 'hashtag' : 'fingerprint'" :size="12" />
-                </span>
-                <span v-if="c.updateMaturity" class="badge px-1.5 py-0 text-[0.5625rem] inline-flex items-center gap-1"
-                      :style="{ backgroundColor: maturityColor(c.updateMaturity).bg, color: maturityColor(c.updateMaturity).text }"
-                      v-tooltip.top="tt(c.updateMaturityTooltip ?? updateMaturityFallbackTooltip(c.updateMaturity))">
-                  <AppIcon :name="c.updateMaturity === 'fresh' ? 'flame' : 'clock'" :size="12" />
-                  <span class="uppercase font-bold tracking-wide leading-none">{{ updateMaturityLabel(c.updateMaturity) }}</span>
-                </span>
-                <span v-if="c.bouncer === 'blocked'" class="badge px-1.5 py-0 text-[0.5625rem]"
-                      style="background: var(--dd-danger-muted); color: var(--dd-danger);"
+                </AppBadge>
+                <UpdateMaturityBadge :maturity="c.updateMaturity" :tooltip="c.updateMaturityTooltip" size="sm" />
+                <SuggestedTagBadge :tag="c.suggestedTag" :current-tag="c.currentTag" />
+                <AppBadge v-if="c.bouncer === 'blocked'" tone="danger" size="xs" class="px-1.5 py-0"
                       v-tooltip.top="tt('Blocked')">
                   <AppIcon name="blocked" :size="12" />
-                </span>
-                <span v-else-if="c.bouncer !== 'safe'" class="badge px-1.5 py-0 text-[0.5625rem]"
-                      style="background: var(--dd-warning-muted); color: var(--dd-warning);"
+                </AppBadge>
+                <AppBadge v-else-if="c.bouncer !== 'safe'" tone="warning" size="xs" class="px-1.5 py-0"
                       v-tooltip.top="tt(c.bouncer)">
                   <AppIcon name="warning" :size="12" />
-                </span>
-                <span v-if="hasRegistryError(c)" class="badge px-1.5 py-0 text-[0.5625rem]"
-                      style="background: var(--dd-danger-muted); color: var(--dd-danger);"
+                </AppBadge>
+                <AppBadge v-if="hasRegistryError(c)" tone="danger" size="xs" class="px-1.5 py-0"
                       aria-label="Registry error"
                       v-tooltip.top="tt(registryErrorTooltip(c))">
                   <AppIcon name="warning" :size="12" />
-                </span>
-                <span v-if="getContainerListPolicyState(c.name).snoozed"
-                      class="badge px-1.5 py-0 text-[0.5625rem]"
-                      style="background: var(--dd-info-muted); color: var(--dd-info);"
+                </AppBadge>
+                <AppBadge v-if="getContainerListPolicyState(c.name).snoozed"
+                      tone="info" size="xs" class="px-1.5 py-0"
                       aria-label="Snoozed updates"
                       v-tooltip.top="tt(containerPolicyTooltip(c.name, 'snoozed'))">
                   <AppIcon name="pause" :size="12" />
-                </span>
-                <span v-if="getContainerListPolicyState(c.name).skipped"
-                      class="badge px-1.5 py-0 text-[0.5625rem]"
-                      style="background: var(--dd-warning-muted); color: var(--dd-warning);"
+                </AppBadge>
+                <AppBadge v-if="getContainerListPolicyState(c.name).skipped"
+                      tone="warning" size="xs" class="px-1.5 py-0"
                       aria-label="Skipped updates"
                       v-tooltip.top="tt(containerPolicyTooltip(c.name, 'skipped'))">
                   <AppIcon name="skip-forward" :size="12" />
-                </span>
-                <span v-if="getContainerListPolicyState(c.name).maturityBlocked"
-                      class="badge px-1.5 py-0 text-[0.5625rem]"
-                      style="background: var(--dd-primary-muted); color: var(--dd-primary);"
+                </AppBadge>
+                <AppBadge v-if="getContainerListPolicyState(c.name).maturityBlocked"
+                      tone="primary" size="xs" class="px-1.5 py-0"
                       aria-label="Maturity-blocked updates"
                       v-tooltip.top="tt(containerPolicyTooltip(c.name, 'maturity'))">
                   <AppIcon name="clock" :size="12" />
-                </span>
-                <span class="badge px-1.5 py-0 text-[0.5625rem]"
-                      :style="{
-                        backgroundColor: c.status === 'running' ? 'var(--dd-success-muted)' : 'var(--dd-danger-muted)',
-                        color: c.status === 'running' ? 'var(--dd-success)' : 'var(--dd-danger)',
-                      }"
+                </AppBadge>
+                <AppBadge size="xs" class="px-1.5 py-0"
+                      :tone="c.status === 'running' ? 'success' : 'danger'"
                       v-tooltip.top="tt(c.status)">
                   <AppIcon :name="c.status === 'running' ? 'play' : 'stop'" :size="12" />
-                </span>
-                <span class="badge px-1.5 py-0 text-[0.5625rem]"
-                      :style="{ backgroundColor: serverBadgeColor(c.server).bg, color: serverBadgeColor(c.server).text }">
+                </AppBadge>
+                <AppBadge size="xs" class="px-1.5 py-0"
+                      :custom="{ bg: serverBadgeColor(c.server).bg, text: serverBadgeColor(c.server).text }"
+                      v-tooltip.top="tt(c.server)">
                   <AppIcon :name="parseServer(c.server).name === 'Local' ? 'home' : 'remote'" :size="12" />
-                </span>
+                </AppBadge>
                 </div>
               </div>
           </div>
@@ -216,12 +205,12 @@ function updateMaturityFallbackTooltip(
         <!-- Version comparison -->
         <template #cell-version="{ row: c }">
           <div v-if="c.newTag" class="flex items-center justify-center gap-1.5 min-w-0 max-w-[260px]">
-            <span class="text-[0.6875rem] dd-text-secondary truncate shrink-0 max-w-[100px]" v-tooltip.top="c.currentTag">{{ c.currentTag }}</span>
+            <span class="text-2xs-plus dd-text-secondary truncate shrink-0 max-w-[100px]" v-tooltip.top="c.currentTag">{{ c.currentTag }}</span>
             <AppIcon name="arrow-right" :size="8" class="dd-text-muted shrink-0" />
-            <CopyableTag :tag="c.newTag" class="text-[0.6875rem] font-semibold truncate max-w-[140px]" style="color: var(--dd-primary);" @click.stop>{{ c.newTag }}</CopyableTag>
+            <CopyableTag :tag="c.newTag" class="text-2xs-plus font-semibold truncate max-w-[140px]" style="color: var(--dd-primary);" @click.stop>{{ c.newTag }}</CopyableTag>
           </div>
           <div v-else class="text-center">
-            <span class="text-[0.6875rem] dd-text-secondary truncate block max-w-[140px] mx-auto" v-tooltip.top="c.currentTag">{{ c.currentTag }}</span>
+            <span class="text-2xs-plus dd-text-secondary truncate block max-w-[140px] mx-auto" v-tooltip.top="c.currentTag">{{ c.currentTag }}</span>
             <div v-if="getContainerListPolicyState(c.name).snoozed || getContainerListPolicyState(c.name).skipped || getContainerListPolicyState(c.name).maturityBlocked"
                  class="mt-1 inline-flex items-center justify-center gap-1">
               <span v-if="getContainerListPolicyState(c.name).snoozed"
@@ -229,26 +218,26 @@ function updateMaturityFallbackTooltip(
                     style="color: var(--dd-info);"
                     aria-label="Snoozed updates"
                     v-tooltip.top="tt(containerPolicyTooltip(c.name, 'snoozed'))">
-                <AppIcon name="pause" :size="11" />
+                <AppIcon name="pause" :size="14" />
               </span>
               <span v-if="getContainerListPolicyState(c.name).skipped"
                     class="inline-flex items-center justify-center"
                     style="color: var(--dd-warning);"
                     aria-label="Skipped updates"
                     v-tooltip.top="tt(containerPolicyTooltip(c.name, 'skipped'))">
-                <AppIcon name="skip-forward" :size="11" />
+                <AppIcon name="skip-forward" :size="14" />
               </span>
               <span v-if="getContainerListPolicyState(c.name).maturityBlocked"
                     class="inline-flex items-center justify-center"
                     style="color: var(--dd-primary);"
                     aria-label="Maturity-blocked updates"
                     v-tooltip.top="tt(containerPolicyTooltip(c.name, 'maturity'))">
-                <AppIcon name="clock" :size="11" />
+                <AppIcon name="clock" :size="14" />
               </span>
             </div>
             <div
               v-if="c.noUpdateReason"
-              class="mt-1 inline-flex items-center gap-1 text-[0.625rem] max-w-[220px] justify-center"
+              class="mt-1 inline-flex items-center gap-1 text-2xs max-w-[220px] justify-center"
               style="color: var(--dd-warning);"
               v-tooltip.top="c.noUpdateReason"
             >
@@ -260,55 +249,48 @@ function updateMaturityFallbackTooltip(
         <!-- Kind badge -->
         <template #cell-kind="{ row: c }">
           <div class="inline-flex items-center gap-1">
-          <span v-if="c.updateKind" class="badge text-[0.5625rem] uppercase font-bold"
-                :style="{ backgroundColor: updateKindColor(c.updateKind).bg, color: updateKindColor(c.updateKind).text }">
+          <AppBadge v-if="c.updateKind" size="xs" :custom="{ bg: updateKindColor(c.updateKind).bg, text: updateKindColor(c.updateKind).text }">
             {{ c.updateKind }}
-          </span>
-          <span v-else class="text-[0.625rem] dd-text-muted">&mdash;</span>
-          <span v-if="c.updateMaturity" class="badge text-[0.5625rem] uppercase font-bold inline-flex items-center gap-1"
-                :style="{ backgroundColor: maturityColor(c.updateMaturity).bg, color: maturityColor(c.updateMaturity).text }"
-                v-tooltip.top="tt(c.updateMaturityTooltip ?? updateMaturityFallbackTooltip(c.updateMaturity))">
-            <AppIcon :name="c.updateMaturity === 'fresh' ? 'flame' : 'clock'" :size="11" />
-            <span class="tracking-wide leading-none">{{ updateMaturityLabel(c.updateMaturity) }}</span>
-          </span>
+          </AppBadge>
+          <AppBadge v-else-if="getContainerListPolicyState(c.name).skipped" size="xs" v-tooltip.top="'Pinned'" :custom="{ bg: 'var(--dd-success-muted)', text: 'var(--dd-success)' }">
+            <AppIcon name="pin" :size="12" />
+          </AppBadge>
+          <AppBadge v-else-if="!c.updateKind && !c.updateMaturity && !c.suggestedTag" size="xs" v-tooltip.top="'Up to date'" :custom="{ bg: 'var(--dd-success-muted)', text: 'var(--dd-success)' }">
+            <AppIcon name="up-to-date" :size="12" />
+          </AppBadge>
+          <UpdateMaturityBadge :maturity="c.updateMaturity" :tooltip="c.updateMaturityTooltip" />
+          <SuggestedTagBadge :tag="c.suggestedTag" :current-tag="c.currentTag" />
           </div>
         </template>
         <!-- Status -->
         <template #cell-status="{ row: c }">
           <AppIcon :name="c.status === 'running' ? 'play' : 'stop'" :size="13" class="shrink-0 md:!hidden"
-                   :style="{ color: c.status === 'running' ? 'var(--dd-success)' : 'var(--dd-danger)' }" />
-          <span class="badge text-[0.5625rem] font-bold max-md:!hidden"
-                :style="{
-                  backgroundColor: c.status === 'running' ? 'var(--dd-success-muted)' : 'var(--dd-danger-muted)',
-                  color: c.status === 'running' ? 'var(--dd-success)' : 'var(--dd-danger)',
-                }">
+                   :style="{ color: c.status === 'running' ? 'var(--dd-success)' : 'var(--dd-danger)' }"
+                   v-tooltip.top="tt(c.status)" />
+          <AppBadge class="max-md:!hidden" size="xs" :tone="c.status === 'running' ? 'success' : 'danger'">
             {{ c.status }}
-          </span>
+          </AppBadge>
         </template>
-        <!-- Bouncer icon -->
-        <template #cell-bouncer="{ row: c }">
-          <span v-if="c.bouncer === 'safe'" class="dd-text-muted">–</span>
-          <span v-else-if="c.bouncer === 'blocked'" v-tooltip.top="tt('Blocked')" class="cursor-default">
-            <AppIcon name="blocked" :size="14" style="color: var(--dd-danger);" />
-          </span>
-          <span v-else v-tooltip.top="tt(c.bouncer)" class="cursor-default">
-            <AppIcon name="warning" :size="14" style="color: var(--dd-warning);" />
+        <!-- Bouncer column removed — blocked state integrated into update button -->
+        <!-- Image Age -->
+        <template #cell-imageAge="{ row: c }">
+          <span class="text-2xs-plus dd-text-secondary whitespace-nowrap"
+                v-tooltip.top="c.imageCreated ? tt(new Date(c.imageCreated).toLocaleString()) : undefined">
+            {{ imageAge(c.imageCreated) }}
           </span>
         </template>
         <!-- Server -->
         <template #cell-server="{ row: c }">
-          <span class="badge text-[0.5625rem] font-bold"
-                :style="{ backgroundColor: serverBadgeColor(c.server).bg, color: serverBadgeColor(c.server).text }">
+          <AppBadge size="xs" :custom="{ bg: serverBadgeColor(c.server).bg, text: serverBadgeColor(c.server).text }">
             {{ c.server }}
-          </span>
+          </AppBadge>
         </template>
         <!-- Registry badge -->
         <template #cell-registry="{ row: c }">
           <div class="inline-flex items-center justify-center gap-1.5">
-            <span class="badge text-[0.5625rem] uppercase tracking-wide font-bold"
-                  :style="{ backgroundColor: registryColorBg(c.registry), color: registryColorText(c.registry) }">
+            <AppBadge size="xs" :custom="{ bg: registryColorBg(c.registry), text: registryColorText(c.registry) }">
               {{ registryLabel(c.registry, c.registryUrl, c.registryName) }}
-            </span>
+            </AppBadge>
             <span v-if="hasRegistryError(c)"
                   class="inline-flex items-center justify-center"
                   style="color: var(--dd-danger);"
@@ -322,55 +304,44 @@ function updateMaturityFallbackTooltip(
         <template #actions="{ row: c }">
           <template v-if="!containerActionsEnabled">
             <div class="flex items-center justify-end gap-2">
-              <span class="text-[0.625rem] dd-text-muted">Actions disabled</span>
-              <button
-                class="w-8 h-8 dd-rounded flex items-center justify-center cursor-not-allowed dd-text-muted opacity-60"
+              <span class="text-2xs dd-text-muted">Actions disabled</span>
+              <AppIconButton icon="lock" size="sm" variant="muted"
+                class="cursor-not-allowed opacity-60"
                 :disabled="true"
-                v-tooltip.top="tt(containerActionsDisabledReason)"
-                @click.stop
-              >
-                <AppIcon name="lock" :size="13" />
-              </button>
+                :tooltip="tt(containerActionsDisabledReason)"
+                @click.stop />
             </div>
           </template>
           <!-- Icon-style actions (compact) -->
           <template v-else-if="tableActionStyle === 'icons'">
             <div class="flex items-center justify-end gap-0.5">
-              <button v-if="c.newTag && c.bouncer === 'blocked'"
-                      class="w-8 h-8 dd-rounded flex items-center justify-center transition-[color,background-color,border-color,opacity,transform,box-shadow] cursor-not-allowed dd-text-muted opacity-50"
-                      v-tooltip.top="tt('Blocked by Bouncer')" @click.stop>
-                <AppIcon name="lock" :size="13" />
-              </button>
-              <button v-else-if="c.newTag"
-                      class="w-8 h-8 dd-rounded flex items-center justify-center transition-[color,background-color,border-color,opacity,transform,box-shadow]"
-                      :class="actionInProgress === c.name ? 'dd-text-muted opacity-50 cursor-not-allowed' : 'dd-text-muted hover:dd-text-success hover:dd-bg-hover hover:scale-110 active:scale-95'"
-                      :disabled="actionInProgress === c.name"
-                      v-tooltip.top="tt('Update')" @click.stop="confirmUpdate(c.name)">
-                <AppIcon name="cloud-download" :size="16" />
-              </button>
-              <button v-else-if="c.status === 'running'"
-                      class="w-8 h-8 dd-rounded flex items-center justify-center transition-[color,background-color,border-color,opacity,transform,box-shadow]"
-                      :class="actionInProgress === c.name ? 'dd-text-muted opacity-50 cursor-not-allowed' : 'dd-text-muted hover:dd-text-danger hover:dd-bg-hover hover:scale-110 active:scale-95'"
-                      :disabled="actionInProgress === c.name"
-                      v-tooltip.top="tt('Stop')" @click.stop="confirmStop(c.name)">
-                <AppIcon name="stop" :size="14" />
-              </button>
-              <button v-else
-                      class="w-8 h-8 dd-rounded flex items-center justify-center transition-[color,background-color,border-color,opacity,transform,box-shadow]"
-                      :class="actionInProgress === c.name ? 'dd-text-muted opacity-50 cursor-not-allowed' : 'dd-text-muted hover:dd-text-success hover:dd-bg-hover hover:scale-110 active:scale-95'"
-                      :disabled="actionInProgress === c.name"
-                      v-tooltip.top="tt('Start')" @click.stop="startContainer(c.name)">
-                <AppIcon name="play" :size="14" />
-              </button>
-              <button class="w-8 h-8 dd-rounded flex items-center justify-center transition-[color,background-color,border-color,opacity,transform,box-shadow]"
+              <AppIconButton v-if="c.newTag && c.bouncer === 'blocked'" icon="lock" size="sm" variant="muted"
+                      class="cursor-not-allowed opacity-50"
+                      :disabled="true"
+                      :tooltip="tt('Blocked by Bouncer')" @click.stop />
+              <AppIconButton v-else-if="c.newTag" icon="cloud-download" size="sm" variant="muted"
+                      class="transition-[color,background-color,border-color,opacity,transform,box-shadow]"
+                      :class="actionInProgress.has(c.name) ? 'opacity-50 cursor-not-allowed' : 'hover:dd-text-success hover:dd-bg-hover hover:scale-110 active:scale-95'"
+                      :disabled="actionInProgress.has(c.name)"
+                      :tooltip="tt('Update')" @click.stop="confirmUpdate(c.name)" />
+              <AppIconButton v-else-if="c.status === 'running'" icon="stop" size="sm" variant="muted"
+                      class="transition-[color,background-color,border-color,opacity,transform,box-shadow]"
+                      :class="actionInProgress.has(c.name) ? 'opacity-50 cursor-not-allowed' : 'hover:dd-text-danger hover:dd-bg-hover hover:scale-110 active:scale-95'"
+                      :disabled="actionInProgress.has(c.name)"
+                      :tooltip="tt('Stop')" @click.stop="confirmStop(c.name)" />
+              <AppIconButton v-else icon="play" size="sm" variant="muted"
+                      class="transition-[color,background-color,border-color,opacity,transform,box-shadow]"
+                      :class="actionInProgress.has(c.name) ? 'opacity-50 cursor-not-allowed' : 'hover:dd-text-success hover:dd-bg-hover hover:scale-110 active:scale-95'"
+                      :disabled="actionInProgress.has(c.name)"
+                      :tooltip="tt('Start')" @click.stop="startContainer(c.name)" />
+              <AppIconButton icon="more" size="sm" variant="muted"
+                      class="transition-[color,background-color,border-color,opacity,transform,box-shadow]"
                       :class="[
-                        actionInProgress === c.name ? 'dd-text-muted opacity-50 cursor-not-allowed' : 'dd-text-muted hover:dd-text hover:dd-bg-hover hover:scale-110 active:scale-95',
-                        openActionsMenu === c.name && actionInProgress !== c.name ? 'dd-bg-elevated dd-text' : '',
+                        actionInProgress.has(c.name) ? 'opacity-50 cursor-not-allowed' : 'hover:dd-text hover:dd-bg-hover hover:scale-110 active:scale-95',
+                        openActionsMenu === c.name && !actionInProgress.has(c.name) ? 'dd-bg-elevated dd-text' : '',
                       ]"
-                      :disabled="actionInProgress === c.name"
-                      v-tooltip.top="tt('More')" @click.stop="toggleActionsMenu(c.name, $event)">
-                <AppIcon name="more" :size="13" />
-              </button>
+                      :disabled="actionInProgress.has(c.name)"
+                      :tooltip="tt('More')" @click.stop="toggleActionsMenu(c.name, $event)" />
             </div>
           </template>
           <!-- Button-style actions (full) -->
@@ -379,129 +350,54 @@ function updateMaturityFallbackTooltip(
               <!-- Blocked: muted split button -->
               <div v-if="c.bouncer === 'blocked'" class="inline-flex dd-rounded overflow-hidden" style="min-width: 110px;"
 >
-                <button class="inline-flex items-center justify-center flex-1 whitespace-nowrap px-3 py-1.5 text-[0.6875rem] font-bold tracking-wide cursor-not-allowed"
+                <AppButton size="none" variant="plain" weight="none" class="inline-flex items-center justify-center flex-1 whitespace-nowrap px-3 py-1.5 text-2xs-plus font-bold tracking-wide cursor-not-allowed"
                         :style="{ backgroundColor: 'var(--dd-bg)', color: 'var(--dd-text-muted)' }">
-                  <AppIcon name="lock" :size="11" class="mr-1" /> Blocked
-                </button>
-                <button class="inline-flex items-center justify-center w-7 transition-colors dd-text-muted hover:dd-text hover:dd-bg-hover"
+                  <AppIcon name="lock" :size="14" class="mr-1" /> Blocked
+                </AppButton>
+                <AppIconButton icon="chevron-down" size="toolbar" variant="plain"
+                        class="transition-colors dd-text-muted hover:dd-text hover:dd-bg-hover"
                         :style="{ backgroundColor: 'var(--dd-bg)' }"
                         :class="openActionsMenu === c.name ? 'dd-bg-elevated dd-text' : ''"
-                        @click.stop="toggleActionsMenu(c.name, $event)">
-                  <AppIcon name="chevron-down" :size="11" />
-                </button>
+                        aria-label="Open actions menu"
+                        @click.stop="toggleActionsMenu(c.name, $event)" />
               </div>
               <!-- Updatable: split button -->
               <div v-else class="inline-flex dd-rounded overflow-hidden"
-                   :class="actionInProgress === c.name ? 'opacity-50' : ''"
+                   :class="actionInProgress.has(c.name) ? 'opacity-50' : ''"
                    :style="{ border: '1px solid var(--dd-success)' }">
-                <button class="inline-flex items-center justify-center whitespace-nowrap px-3 py-1.5 text-[0.6875rem] font-bold tracking-wide transition-colors"
-                        :class="actionInProgress === c.name ? 'cursor-not-allowed' : ''"
+                <AppButton size="none" variant="plain" weight="none" class="inline-flex items-center justify-center whitespace-nowrap px-3 py-1.5 text-2xs-plus font-bold tracking-wide transition-colors"
+                        :class="actionInProgress.has(c.name) ? 'cursor-not-allowed' : ''"
                         :style="{ backgroundColor: 'var(--dd-success-muted)', color: 'var(--dd-success)' }"
-                        :disabled="actionInProgress === c.name"
+                        :disabled="actionInProgress.has(c.name)"
                         @click.stop="confirmUpdate(c.name)">
-                  <AppIcon name="cloud-download" :size="11" class="mr-1" /> Update
-                </button>
-                <button class="inline-flex items-center justify-center w-7 transition-colors"
-                        :class="actionInProgress === c.name ? 'cursor-not-allowed' : openActionsMenu === c.name ? 'brightness-125' : ''"
+                  <AppIcon name="cloud-download" :size="14" class="mr-1" /> Update
+                </AppButton>
+                <AppIconButton icon="chevron-down" size="toolbar" variant="plain"
+                        class="transition-colors"
+                        :class="actionInProgress.has(c.name) ? 'cursor-not-allowed' : openActionsMenu === c.name ? 'brightness-125' : ''"
                         :style="{ backgroundColor: 'var(--dd-success-muted)', color: 'var(--dd-success)', borderLeft: '1px solid var(--dd-success)' }"
-                        :disabled="actionInProgress === c.name"
-                        @click.stop="toggleActionsMenu(c.name, $event)">
-                  <AppIcon name="chevron-down" :size="11" />
-                </button>
+                        :disabled="actionInProgress.has(c.name)"
+                        aria-label="Open update actions menu"
+                        @click.stop="toggleActionsMenu(c.name, $event)" />
               </div>
             </div>
             <div v-else class="flex items-center justify-end gap-1">
-              <button v-if="c.status === 'running'"
-                      class="w-6 h-6 dd-rounded-sm flex items-center justify-center transition-colors"
-                      :class="actionInProgress === c.name ? 'dd-text-muted opacity-50 cursor-not-allowed' : 'dd-text-muted hover:dd-text-danger hover:dd-bg-hover'"
-                      :disabled="actionInProgress === c.name"
-                      v-tooltip.top="tt('Stop')" @click.stop="confirmStop(c.name)">
-                <AppIcon name="stop" :size="11" />
-              </button>
-              <button v-else
-                      class="w-6 h-6 dd-rounded-sm flex items-center justify-center transition-colors"
-                      :class="actionInProgress === c.name ? 'dd-text-muted opacity-50 cursor-not-allowed' : 'dd-text-muted hover:dd-text-success hover:dd-bg-hover'"
-                      :disabled="actionInProgress === c.name"
-                      v-tooltip.top="tt('Start')" @click.stop="startContainer(c.name)">
-                <AppIcon name="play" :size="11" />
-              </button>
-              <button class="w-6 h-6 dd-rounded-sm flex items-center justify-center transition-colors"
-                      :class="actionInProgress === c.name ? 'dd-text-muted opacity-50 cursor-not-allowed' : 'dd-text-muted hover:dd-text hover:dd-bg-hover'"
-                      :disabled="actionInProgress === c.name"
-                      v-tooltip.top="tt('Restart')" @click.stop="confirmRestart(c.name)">
-                <AppIcon name="restart" :size="11" />
-              </button>
+              <AppIconButton v-if="c.status === 'running'"
+                      icon="stop" size="toolbar" variant="danger"
+                      :disabled="actionInProgress.has(c.name)"
+                      :tooltip="tt('Stop')" @click.stop="confirmStop(c.name)" />
+              <AppIconButton v-else
+                      icon="play" size="toolbar" variant="success"
+                      :disabled="actionInProgress.has(c.name)"
+                      :tooltip="tt('Start')" @click.stop="startContainer(c.name)" />
+              <AppIconButton icon="restart" size="toolbar" variant="muted"
+                      :disabled="actionInProgress.has(c.name)"
+                      :tooltip="tt('Restart')" @click.stop="confirmRestart(c.name)" />
             </div>
           </template>
         </template>
       </DataTable>
 
-      <!-- Actions dropdown (teleported to body so it renders in all view modes) -->
-      <Teleport to="body">
-        <template v-for="c in displayContainers" :key="'menu-' + getContainerViewKey(c)">
-          <div v-if="containerActionsEnabled && openActionsMenu === c.name"
-               class="z-[200] min-w-[160px] py-1 dd-rounded shadow-lg"
-               :style="{
-                 ...actionsMenuStyle,
-                 backgroundColor: 'var(--dd-bg-card)',
-                 border: '1px solid var(--dd-border-strong)',
-                 boxShadow: 'var(--dd-shadow-lg)',
-               }"
-               @click.stop>
-            <button v-if="c.status === 'running'" class="w-full text-left px-3 py-1.5 text-[0.6875rem] font-medium transition-colors flex items-center gap-2 dd-text hover:dd-bg-elevated"
-                    @click="closeActionsMenu(); confirmStop(c.name)">
-              <AppIcon name="stop" :size="12" class="w-3 text-center inline-flex justify-center" :style="{ color: 'var(--dd-danger)' }" />
-              Stop
-            </button>
-            <button v-else class="w-full text-left px-3 py-1.5 text-[0.6875rem] font-medium transition-colors flex items-center gap-2 dd-text hover:dd-bg-elevated"
-                    @click="closeActionsMenu(); startContainer(c.name)">
-              <AppIcon name="play" :size="12" class="w-3 text-center inline-flex justify-center" :style="{ color: 'var(--dd-success)' }" />
-              Start
-            </button>
-            <button class="w-full text-left px-3 py-1.5 text-[0.6875rem] font-medium transition-colors flex items-center gap-2 dd-text hover:dd-bg-elevated"
-                    @click="closeActionsMenu(); confirmRestart(c.name)">
-              <AppIcon name="restart" :size="12" class="w-3 text-center inline-flex justify-center dd-text-muted" />
-              Restart
-            </button>
-            <button class="w-full text-left px-3 py-1.5 text-[0.6875rem] font-medium transition-colors flex items-center gap-2 dd-text hover:dd-bg-elevated"
-                    @click="closeActionsMenu(); scanContainer(c.name)">
-              <AppIcon name="security" :size="12" class="w-3 text-center inline-flex justify-center" :style="{ color: 'var(--dd-secondary)' }" />
-              Scan
-            </button>
-            <!-- Force update for blocked containers (even without newTag) -->
-            <template v-if="c.bouncer === 'blocked' && !c.newTag">
-              <div class="my-1" :style="{ borderTop: '1px solid var(--dd-border)' }" />
-              <button class="w-full text-left px-3 py-1.5 text-[0.6875rem] font-medium transition-colors flex items-center gap-2 dd-text hover:dd-bg-elevated"
-                      @click="closeActionsMenu(); confirmForceUpdate(c.name)">
-                <AppIcon name="bolt" :size="12" class="w-3 text-center inline-flex justify-center" :style="{ color: 'var(--dd-warning)' }" />
-                Force update
-              </button>
-            </template>
-            <template v-if="c.newTag">
-              <div class="my-1" :style="{ borderTop: '1px solid var(--dd-border)' }" />
-              <button v-if="c.bouncer === 'blocked'"
-                      class="w-full text-left px-3 py-1.5 text-[0.6875rem] font-medium transition-colors flex items-center gap-2 dd-text hover:dd-bg-elevated"
-                      @click="closeActionsMenu(); confirmForceUpdate(c.name)">
-                <AppIcon name="bolt" :size="12" class="w-3 text-center inline-flex justify-center" :style="{ color: 'var(--dd-warning)' }" />
-                Force update
-              </button>
-              <button class="w-full text-left px-3 py-1.5 text-[0.6875rem] font-medium transition-colors flex items-center gap-2 dd-text hover:dd-bg-elevated"
-                      @click="skipUpdate(c.name); closeActionsMenu()">
-                <AppIcon name="skip-forward" :size="12" class="w-3 text-center inline-flex justify-center dd-text-muted" />
-                Skip this update
-              </button>
-            </template>
-            <div class="my-1" :style="{ borderTop: '1px solid var(--dd-border)' }" />
-            <button class="w-full text-left px-3 py-1.5 text-[0.6875rem] font-medium transition-colors flex items-center gap-2 hover:dd-bg-elevated"
-                    style="color: var(--dd-danger);"
-                    @click="closeActionsMenu(); confirmDelete(c.name)">
-              <AppIcon name="trash" :size="12" class="w-3 text-center inline-flex justify-center" />
-              Delete
-            </button>
-          </div>
-        </template>
-      </Teleport>
-
       <!-- CONTAINER CARD GRID -->
       <DataCardGrid v-if="containerViewMode === 'cards'"
                     :items="group.containers"
@@ -510,24 +406,23 @@ function updateMaturityFallbackTooltip(
                     @item-click="selectContainer($event)">
         <template #card="{ item: c }">
           <!-- Card header -->
-          <div class="px-4 pt-4 pb-2 flex items-start justify-between" :class="{ 'opacity-50': c._pending }">
+          <div class="px-4 pt-4 pb-2 flex items-start justify-between" :class="{ 'opacity-50': c._pending || actionInProgress.has(c.name) || groupUpdateInProgress.has(group.key) }">
             <div class="flex items-center gap-2.5 min-w-0">
               <AppIcon v-if="c._pending" name="spinner" :size="16" class="dd-spin dd-text-muted shrink-0" />
               <ContainerIcon v-else :icon="c.icon" :size="24" class="shrink-0" />
               <div class="min-w-0">
-                <div class="text-[0.9375rem] font-semibold truncate dd-text">
+                <div class="text-sm-plus font-semibold truncate dd-text">
                   {{ c.name }}
                 </div>
-                <div class="text-[0.6875rem] truncate mt-0.5 dd-text-muted">
+                <div class="text-2xs-plus truncate mt-0.5 dd-text-muted">
                   {{ c.image }}:{{ c.currentTag }} <span class="dd-text-secondary">&middot;</span> {{ parseServer(c.server).name }}<template v-if="parseServer(c.server).env"> <span class="dd-text-secondary">({{ parseServer(c.server).env }})</span></template>
                 </div>
               </div>
             </div>
             <div class="flex items-center gap-1.5 shrink-0 ml-2">
-              <span class="badge text-[0.5625rem] uppercase tracking-wide font-bold"
-                    :style="{ backgroundColor: registryColorBg(c.registry), color: registryColorText(c.registry) }">
+              <AppBadge size="xs" :custom="{ bg: registryColorBg(c.registry), text: registryColorText(c.registry) }">
                 {{ registryLabel(c.registry, c.registryUrl, c.registryName) }}
-              </span>
+              </AppBadge>
               <span v-if="hasRegistryError(c)"
                     class="inline-flex items-center justify-center"
                     style="color: var(--dd-danger);"
@@ -560,33 +455,28 @@ function updateMaturityFallbackTooltip(
           </div>
 
           <!-- Card body -- inline Current / Latest -->
-          <div class="px-4 py-3 min-w-0">
+          <div class="px-4 py-3 min-w-0" :class="{ 'opacity-50': actionInProgress.has(c.name) || groupUpdateInProgress.has(group.key) }">
             <div class="flex items-center gap-2 flex-wrap min-w-0">
-              <span class="text-[0.6875rem] dd-text-muted shrink-0">Current</span>
+              <span class="text-2xs-plus dd-text-muted shrink-0">Current</span>
               <CopyableTag :tag="c.currentTag" class="text-xs font-bold dd-text truncate max-w-[120px]" @click.stop>
                 {{ c.currentTag }}
               </CopyableTag>
               <template v-if="c.newTag">
-                <span class="text-[0.6875rem] ml-1 dd-text-muted shrink-0">Latest</span>
+                <span class="text-2xs-plus ml-1 dd-text-muted shrink-0">Latest</span>
                 <CopyableTag :tag="c.newTag" class="text-xs font-bold truncate max-w-[140px]"
                       :style="{ color: updateKindColor(c.updateKind).text }" @click.stop>
                   {{ c.newTag }}
                 </CopyableTag>
-                <span v-if="c.updateMaturity" class="badge text-[0.5625rem] ml-1 shrink-0 uppercase font-bold inline-flex items-center gap-1"
-                      :style="{ backgroundColor: maturityColor(c.updateMaturity).bg, color: maturityColor(c.updateMaturity).text }"
-                      v-tooltip.top="tt(c.updateMaturityTooltip ?? updateMaturityFallbackTooltip(c.updateMaturity))">
-                  <AppIcon :name="c.updateMaturity === 'fresh' ? 'flame' : 'clock'" :size="11" />
-                  <span class="tracking-wide leading-none">{{ updateMaturityLabel(c.updateMaturity) }}</span>
-                </span>
+                <span class="ml-1 shrink-0"><UpdateMaturityBadge :maturity="c.updateMaturity" :tooltip="c.updateMaturityTooltip" /></span>
               </template>
               <template v-else>
                 <span
                   v-if="c.noUpdateReason"
-                  class="inline-flex items-center gap-1 ml-1 px-1.5 py-0.5 dd-rounded-sm text-[0.625rem] max-w-[220px]"
+                  class="inline-flex items-center gap-1 ml-1 px-1.5 py-0.5 dd-rounded-sm text-2xs max-w-[220px]"
                   :style="{ backgroundColor: 'var(--dd-warning-muted)', color: 'var(--dd-warning)' }"
                   v-tooltip.top="c.noUpdateReason"
                 >
-                  <AppIcon name="warning" :size="11" class="shrink-0" />
+                  <AppIcon name="warning" :size="14" class="shrink-0" />
                   <span class="truncate">{{ c.noUpdateReason }}</span>
                 </span>
                 <template v-else-if="getContainerListPolicyState(c.name).snoozed || getContainerListPolicyState(c.name).skipped || getContainerListPolicyState(c.name).maturityBlocked">
@@ -612,9 +502,13 @@ function updateMaturityFallbackTooltip(
                     <AppIcon name="clock" :size="13" />
                   </span>
                 </template>
-                <AppIcon v-else name="check" :size="14" class="ml-1" style="color: var(--dd-success);" />
+                <AppIcon v-else name="check" :size="14" class="ml-1" style="color: var(--dd-success);" v-tooltip.top="tt('Up to date')" />
               </template>
             </div>
+            <div v-if="c.suggestedTag || c.releaseNotes || c.releaseLink" class="flex items-center gap-2 flex-wrap mt-2">
+              <SuggestedTagBadge :tag="c.suggestedTag" :current-tag="c.currentTag" />
+              <ReleaseNotesLink :release-notes="c.releaseNotes" :release-link="c.releaseLink" />
+            </div>
           </div>
 
           <!-- Card footer -->
@@ -623,60 +517,46 @@ function updateMaturityFallbackTooltip(
                  borderTop: '1px solid var(--dd-border)',
                  backgroundColor: 'var(--dd-bg-elevated)',
                }">
-            <span class="badge px-1.5 py-0 text-[0.5625rem] md:!hidden"
-                  :style="{ backgroundColor: c.status === 'running' ? 'var(--dd-success-muted)' : 'var(--dd-danger-muted)', color: c.status === 'running' ? 'var(--dd-success)' : 'var(--dd-danger)' }">
+            <AppBadge class="px-1.5 py-0 md:!hidden" size="xs" :tone="c.status === 'running' ? 'success' : 'danger'" v-tooltip.top="tt(c.status)">
               <AppIcon :name="c.status === 'running' ? 'play' : 'stop'" :size="12" />
-            </span>
-            <span class="badge text-[0.5625rem] font-bold max-md:!hidden"
-                  :style="{ backgroundColor: c.status === 'running' ? 'var(--dd-success-muted)' : 'var(--dd-danger-muted)', color: c.status === 'running' ? 'var(--dd-success)' : 'var(--dd-danger)' }">
+            </AppBadge>
+            <AppBadge class="max-md:!hidden" size="xs" :tone="c.status === 'running' ? 'success' : 'danger'">
               {{ c.status }}
-            </span>
+            </AppBadge>
             <div class="flex items-center gap-1.5">
               <template v-if="containerActionsEnabled">
-                <button v-if="c.status === 'running'"
-                        class="w-7 h-7 dd-rounded-sm flex items-center justify-center transition-colors"
-                        :class="actionInProgress === c.name ? 'dd-text-muted opacity-50 cursor-not-allowed' : 'dd-text-muted hover:dd-text-danger hover:dd-bg-elevated'"
-                        :disabled="actionInProgress === c.name"
-                        v-tooltip.top="tt('Stop')" @click.stop="confirmStop(c.name)">
-                  <AppIcon name="stop" :size="14" />
-                </button>
-                <button v-else
-                        class="w-7 h-7 dd-rounded-sm flex items-center justify-center transition-colors"
-                        :class="actionInProgress === c.name ? 'dd-text-muted opacity-50 cursor-not-allowed' : 'dd-text-muted hover:dd-text-success hover:dd-bg-elevated'"
-                        :disabled="actionInProgress === c.name"
-                        v-tooltip.top="tt('Start')" @click.stop="startContainer(c.name)">
-                  <AppIcon name="play" :size="14" />
-                </button>
-                <button class="w-7 h-7 dd-rounded-sm flex items-center justify-center transition-colors"
-                        :class="actionInProgress === c.name ? 'dd-text-muted opacity-50 cursor-not-allowed' : 'dd-text-muted hover:dd-text hover:dd-bg-elevated'"
-                        :disabled="actionInProgress === c.name"
-                        v-tooltip.top="tt('Restart')" @click.stop="confirmRestart(c.name)">
-                  <AppIcon name="restart" :size="14" />
-                </button>
-                <button class="w-7 h-7 dd-rounded-sm flex items-center justify-center transition-colors"
-                        :class="actionInProgress === c.name ? 'dd-text-muted opacity-50 cursor-not-allowed' : 'dd-text-muted hover:dd-text-secondary hover:dd-bg-elevated'"
-                        :disabled="actionInProgress === c.name"
-                        v-tooltip.top="tt('Scan')" @click.stop="scanContainer(c.name)">
-                  <AppIcon name="security" :size="14" />
-                </button>
-                <button v-if="c.newTag"
-                        class="w-7 h-7 dd-rounded-sm flex items-center justify-center transition-colors"
-                        :class="actionInProgress === c.name ? 'dd-text-muted opacity-50 cursor-not-allowed' : 'dd-text-muted hover:dd-text-success hover:dd-bg-elevated'"
-                        :disabled="actionInProgress === c.name"
-                        v-tooltip.top="tt('Update')" @click.stop="confirmUpdate(c.name)">
-                  <AppIcon name="cloud-download" :size="14" />
-                </button>
+                <AppIconButton v-if="c.status === 'running'" icon="stop" size="xs" variant="muted"
+                        :class="actionInProgress.has(c.name) ? 'opacity-50 cursor-not-allowed' : 'hover:dd-text-danger hover:dd-bg-elevated'"
+                        :disabled="actionInProgress.has(c.name)"
+                        :tooltip="tt('Stop')" @click.stop="confirmStop(c.name)" />
+                <AppIconButton v-else icon="play" size="xs" variant="muted"
+                        :class="actionInProgress.has(c.name) ? 'opacity-50 cursor-not-allowed' : 'hover:dd-text-success hover:dd-bg-elevated'"
+                        :disabled="actionInProgress.has(c.name)"
+                        :tooltip="tt('Start')" @click.stop="startContainer(c.name)" />
+                <AppIconButton icon="restart" size="xs" variant="muted"
+                        :class="actionInProgress.has(c.name) ? 'opacity-50 cursor-not-allowed' : 'hover:dd-text hover:dd-bg-elevated'"
+                        :disabled="actionInProgress.has(c.name)"
+                        :tooltip="tt('Restart')" @click.stop="confirmRestart(c.name)" />
+                <AppIconButton icon="security" size="xs" variant="muted"
+                        :class="actionInProgress.has(c.name) ? 'opacity-50 cursor-not-allowed' : 'hover:dd-text-secondary hover:dd-bg-elevated'"
+                        :disabled="actionInProgress.has(c.name)"
+                        :tooltip="tt('Scan')" @click.stop="scanContainer(c.name)" />
+                <AppIconButton v-if="c.newTag && c.bouncer === 'blocked'" icon="lock" size="xs" variant="muted"
+                        class="opacity-60 cursor-not-allowed"
+                        :disabled="true"
+                        :tooltip="tt('Security blocked')" />
+                <AppIconButton v-else-if="c.newTag" icon="cloud-download" size="xs" variant="muted"
+                        :class="actionInProgress.has(c.name) ? 'opacity-50 cursor-not-allowed' : 'hover:dd-text-success hover:dd-bg-elevated'"
+                        :disabled="actionInProgress.has(c.name)"
+                        :tooltip="tt('Update')" @click.stop="confirmUpdate(c.name)" />
               </template>
               <template v-else>
-                <span class="text-[0.625rem] dd-text-muted">Actions disabled</span>
-                <button
-                  class="w-7 h-7 dd-rounded-sm flex items-center justify-center cursor-not-allowed dd-text-muted opacity-60"
+                <span class="text-2xs dd-text-muted">Actions disabled</span>
+                <AppIconButton icon="lock" size="xs" variant="muted"
+                  class="cursor-not-allowed opacity-60"
                   :disabled="true"
-                  v-tooltip.top="tt(containerActionsDisabledReason)"
-                  @click.stop
-                >
-                  <AppIcon name="lock" :size="14" />
-                </button>
+                  :tooltip="tt(containerActionsDisabledReason)"
+                  @click.stop />
               </template>
             </div>
           </div>
@@ -694,10 +574,10 @@ function updateMaturityFallbackTooltip(
           <ContainerIcon v-else :icon="c.icon" :size="18" class="shrink-0" />
           <div class="min-w-0 flex-1" :class="{ 'opacity-50': c._pending }">
             <div class="text-sm font-semibold truncate dd-text">{{ c.name }}</div>
-            <div class="text-[0.625rem] mt-0.5 truncate dd-text-muted" v-tooltip.top="`${c.image}:${c.currentTag}`">{{ c.image }}:{{ c.currentTag }}</div>
+            <div class="text-2xs mt-0.5 truncate dd-text-muted" v-tooltip.top="`${c.image}:${c.currentTag}`">{{ c.image }}:{{ c.currentTag }}</div>
             <div
               v-if="!c.newTag && c.noUpdateReason"
-              class="text-[0.625rem] mt-0.5 truncate"
+              class="text-2xs mt-0.5 truncate"
               style="color: var(--dd-warning);"
               v-tooltip.top="c.noUpdateReason"
             >
@@ -706,30 +586,23 @@ function updateMaturityFallbackTooltip(
           </div>
           <div class="flex items-center gap-1.5 shrink-0">
             <!-- Update kind: icon on mobile, badge on desktop -->
-            <span v-if="c.updateKind" class="badge px-1.5 py-0 text-[0.5625rem] md:!hidden"
-                  :style="{ backgroundColor: updateKindColor(c.updateKind).bg, color: updateKindColor(c.updateKind).text }">
+            <AppBadge v-if="c.updateKind" size="xs" class="px-1.5 py-0 md:!hidden"
+                  v-tooltip.top="tt(c.updateKind)"
+                  :custom="{ bg: updateKindColor(c.updateKind).bg, text: updateKindColor(c.updateKind).text }">
               <AppIcon :name="c.updateKind === 'major' ? 'chevrons-up' : c.updateKind === 'minor' ? 'chevron-up' : c.updateKind === 'patch' ? 'hashtag' : 'fingerprint'" :size="12" />
-            </span>
-            <span v-if="c.updateKind" class="badge text-[0.5625rem] uppercase font-bold max-md:!hidden"
-                  :style="{ backgroundColor: updateKindColor(c.updateKind).bg, color: updateKindColor(c.updateKind).text }">
+            </AppBadge>
+            <AppBadge v-if="c.updateKind" size="xs" class="max-md:!hidden"
+                  :custom="{ bg: updateKindColor(c.updateKind).bg, text: updateKindColor(c.updateKind).text }">
               {{ c.updateKind }}
-            </span>
-            <span v-if="c.updateMaturity" class="badge text-[0.5625rem] uppercase font-bold inline-flex items-center gap-1"
-                  :style="{ backgroundColor: maturityColor(c.updateMaturity).bg, color: maturityColor(c.updateMaturity).text }"
-                  v-tooltip.top="tt(c.updateMaturityTooltip ?? updateMaturityFallbackTooltip(c.updateMaturity))">
-              <AppIcon :name="c.updateMaturity === 'fresh' ? 'flame' : 'clock'" :size="11" />
-              <span class="tracking-wide leading-none">{{ updateMaturityLabel(c.updateMaturity) }}</span>
-            </span>
+            </AppBadge>
+            <UpdateMaturityBadge :maturity="c.updateMaturity" :tooltip="c.updateMaturityTooltip" />
             <!-- Status: icon on mobile, badge on desktop -->
             <AppIcon :name="c.status === 'running' ? 'play' : 'stop'" :size="13" class="shrink-0 md:!hidden"
+                     v-tooltip.top="tt(c.status)"
                      :style="{ color: c.status === 'running' ? 'var(--dd-success)' : 'var(--dd-danger)' }" />
-            <span class="badge text-[0.5625rem] font-bold max-md:!hidden"
-                  :style="{
-                    backgroundColor: c.status === 'running' ? 'var(--dd-success-muted)' : 'var(--dd-danger-muted)',
-                    color: c.status === 'running' ? 'var(--dd-success)' : 'var(--dd-danger)',
-                  }">
+            <AppBadge class="max-md:!hidden" size="xs" :tone="c.status === 'running' ? 'success' : 'danger'">
               {{ c.status }}
-            </span>
+            </AppBadge>
             <span v-if="hasRegistryError(c)"
                   class="inline-flex items-center justify-center"
                   style="color: var(--dd-danger);"
@@ -759,16 +632,14 @@ function updateMaturityFallbackTooltip(
               <AppIcon name="clock" :size="12" />
             </span>
             <!-- Bouncer: icon in badge -->
-            <span v-if="c.bouncer === 'blocked'" class="badge px-1.5 py-0 text-[0.5625rem]"
-                  style="background: var(--dd-danger-muted); color: var(--dd-danger);">
+            <AppBadge v-if="c.bouncer === 'blocked'" tone="danger" size="xs" class="px-1.5 py-0" v-tooltip.top="tt('Blocked by Bouncer')">
               <AppIcon name="blocked" :size="12" />
-            </span>
+            </AppBadge>
             <!-- Server: icon on mobile, badge on desktop -->
-            <AppIcon :name="parseServer(c.server).name === 'Local' ? 'home' : 'remote'" :size="12" class="shrink-0 dd-text-muted md:!hidden" />
-            <span class="badge text-[0.4375rem] font-bold max-md:!hidden"
-                  :style="{ backgroundColor: serverBadgeColor(c.server).bg, color: serverBadgeColor(c.server).text }">
+            <AppIcon :name="parseServer(c.server).name === 'Local' ? 'home' : 'remote'" :size="12" class="shrink-0 dd-text-muted md:!hidden" v-tooltip.top="tt(parseServer(c.server).name)" />
+            <AppBadge class="max-md:!hidden" size="xs" :custom="{ bg: serverBadgeColor(c.server).bg, text: serverBadgeColor(c.server).text }">
               {{ parseServer(c.server).name }}
-            </span>
+            </AppBadge>
           </div>
         </template>
       </DataListAccordion>
@@ -777,6 +648,69 @@ function updateMaturityFallbackTooltip(
       </template><!-- /v-for group -->
       </template><!-- /filteredContainers.length > 0 -->
 
+      <!-- Actions dropdown (teleported to body so it renders in all view modes) -->
+      <Teleport to="body">
+        <div v-if="containerActionsEnabled && openActionsContainer"
+             class="z-modal min-w-[160px] py-1 dd-rounded shadow-lg"
+             :style="{
+               ...actionsMenuStyle,
+               backgroundColor: 'var(--dd-bg-card)',
+               border: '1px solid var(--dd-border-strong)',
+               boxShadow: 'var(--dd-shadow-tooltip)',
+             }"
+             @click.stop>
+          <AppButton size="md" variant="plain" weight="medium" class="w-full text-left flex items-center gap-2 dd-text" v-if="openActionsContainer.status === 'running'"
+                  @click="confirmStop(openActionsContainer.name); closeActionsMenu()">
+            <AppIcon name="stop" :size="12" class="w-3 text-center inline-flex justify-center" :style="{ color: 'var(--dd-danger)' }" />
+            Stop
+          </AppButton>
+          <AppButton size="md" variant="plain" weight="medium" class="w-full text-left flex items-center gap-2 dd-text" v-else
+                  @click="startContainer(openActionsContainer.name); closeActionsMenu()">
+            <AppIcon name="play" :size="12" class="w-3 text-center inline-flex justify-center" :style="{ color: 'var(--dd-success)' }" />
+            Start
+          </AppButton>
+          <AppButton size="md" variant="plain" weight="medium" class="w-full text-left flex items-center gap-2 dd-text" @click="confirmRestart(openActionsContainer.name); closeActionsMenu()">
+            <AppIcon name="restart" :size="12" class="w-3 text-center inline-flex justify-center dd-text-muted" />
+            Restart
+          </AppButton>
+          <AppButton size="md" variant="plain" weight="medium" class="w-full text-left flex items-center gap-2 dd-text" @click="scanContainer(openActionsContainer.name); closeActionsMenu()">
+            <AppIcon name="security" :size="12" class="w-3 text-center inline-flex justify-center" :style="{ color: 'var(--dd-secondary)' }" />
+            Scan
+          </AppButton>
+          <!-- Force update for blocked containers (even without newTag) -->
+          <template v-if="openActionsContainer.bouncer === 'blocked' && !openActionsContainer.newTag">
+            <div class="my-1" :style="{ borderTop: '1px solid var(--dd-border)' }" />
+            <AppButton size="md" variant="plain" weight="medium" class="w-full text-left flex items-center gap-2 dd-text" @click="confirmForceUpdate(openActionsContainer.name); closeActionsMenu()">
+              <AppIcon name="bolt" :size="12" class="w-3 text-center inline-flex justify-center" :style="{ color: 'var(--dd-warning)' }" />
+              Force update
+            </AppButton>
+          </template>
+          <template v-if="openActionsContainer.newTag">
+            <div class="my-1" :style="{ borderTop: '1px solid var(--dd-border)' }" />
+            <AppButton size="md" variant="plain" weight="medium" class="w-full text-left flex items-center gap-2 dd-text" v-if="openActionsContainer.bouncer === 'blocked'"
+                    @click="confirmForceUpdate(openActionsContainer.name); closeActionsMenu()">
+              <AppIcon name="bolt" :size="12" class="w-3 text-center inline-flex justify-center" :style="{ color: 'var(--dd-warning)' }" />
+              Force update
+            </AppButton>
+            <AppButton v-if="openActionsContainer.bouncer !== 'blocked'" size="md" variant="plain" weight="medium" class="w-full text-left flex items-center gap-2 dd-text"
+                    @click="confirmUpdate(openActionsContainer.name); closeActionsMenu()">
+              <AppIcon name="cloud-download" :size="12" class="w-3 text-center inline-flex justify-center" :style="{ color: 'var(--dd-success)' }" />
+              Update
+            </AppButton>
+            <AppButton size="md" variant="plain" weight="medium" class="w-full text-left flex items-center gap-2 dd-text" @click="skipUpdate(openActionsContainer.name); closeActionsMenu()">
+              <AppIcon name="skip-forward" :size="12" class="w-3 text-center inline-flex justify-center dd-text-muted" />
+              Skip this update
+            </AppButton>
+          </template>
+          <div class="my-1" :style="{ borderTop: '1px solid var(--dd-border)' }" />
+          <AppButton size="md" variant="plain" weight="medium" class="w-full text-left flex items-center gap-2" style="color: var(--dd-danger);"
+                  @click="confirmDelete(openActionsContainer.name); closeActionsMenu()">
+            <AppIcon name="trash" :size="12" class="w-3 text-center inline-flex justify-center" />
+            Delete
+          </AppButton>
+        </div>
+      </Teleport>
+
       <!-- EMPTY STATE -->
       <EmptyState v-if="filteredContainers.length === 0"
                   icon="filter"
diff --git a/ui/src/components/containers/ContainersListContent.vue b/ui/src/components/containers/ContainersListContent.vue
index 7eb6a7b16..c8383fad7 100644
--- a/ui/src/components/containers/ContainersListContent.vue
+++ b/ui/src/components/containers/ContainersListContent.vue
@@ -1,6 +1,12 @@
 <script setup lang="ts">
+import AppIconButton from '../AppIconButton.vue';
 import ContainersGroupedViews from './ContainersGroupedViews.vue';
-import { useContainersViewTemplateContext } from './containersViewTemplateContext';
+import {
+  type ContainersViewTemplateContext,
+  useContainersViewTemplateContext,
+} from './containersViewTemplateContext';
+
+const templateContext: ContainersViewTemplateContext = useContainersViewTemplateContext();
 
 const {
   error,
@@ -28,19 +34,19 @@ const {
   groupByStack,
   rechecking,
   recheckAll,
-} = useContainersViewTemplateContext();
+} = templateContext;
 </script>
 
 <template>
   <div class="contents" data-test="containers-list-content">
     <div
       v-if="error"
-      class="mb-3 px-3 py-2 text-[0.6875rem] dd-rounded"
+      class="mb-3 px-3 py-2 text-2xs-plus dd-rounded"
       :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }">
       {{ error }}
     </div>
 
-    <div v-if="loading" class="text-[0.6875rem] dd-text-muted py-3 px-1">Loading containers...</div>
+    <div v-if="loading" class="text-2xs-plus dd-text-muted py-3 px-1">Loading containers...</div>
 
     <DataFilterBar
       v-model="containerViewMode"
@@ -53,17 +59,17 @@ const {
           v-model="filterSearch"
           type="text"
           placeholder="Search name or image..."
-          class="flex-1 min-w-[140px] max-w-[260px] px-2.5 py-1.5 dd-rounded text-[0.6875rem] font-medium outline-none dd-bg dd-text dd-placeholder" />
+          class="flex-1 min-w-[140px] max-w-[260px] px-2.5 py-1.5 dd-rounded text-2xs-plus font-medium outline-none dd-bg dd-text dd-placeholder" />
         <select
           v-model="filterStatus"
-          class="px-2 py-1.5 dd-rounded text-[0.6875rem] font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text">
+          class="px-2 py-1.5 dd-rounded text-2xs-plus font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text">
           <option value="all">Status</option>
           <option value="running">Running</option>
           <option value="stopped">Stopped</option>
         </select>
         <select
           v-model="filterBouncer"
-          class="px-2 py-1.5 dd-rounded text-[0.6875rem] font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text">
+          class="px-2 py-1.5 dd-rounded text-2xs-plus font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text">
           <option value="all">Bouncer</option>
           <option value="safe">Safe</option>
           <option value="unsafe">Unsafe</option>
@@ -71,7 +77,7 @@ const {
         </select>
         <select
           v-model="filterRegistry"
-          class="px-2 py-1.5 dd-rounded text-[0.6875rem] font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text">
+          class="px-2 py-1.5 dd-rounded text-2xs-plus font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text">
           <option value="all">Registry</option>
           <option value="dockerhub">Docker Hub</option>
           <option value="ghcr">GHCR</option>
@@ -79,7 +85,7 @@ const {
         </select>
         <select
           v-model="filterServer"
-          class="px-2 py-1.5 dd-rounded text-[0.6875rem] font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text">
+          class="px-2 py-1.5 dd-rounded text-2xs-plus font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text">
           <option value="all">Host</option>
           <option v-for="serverName in serverNames" :key="serverName" :value="serverName">
             {{ serverName }}
@@ -87,7 +93,7 @@ const {
         </select>
         <select
           v-model="filterKind"
-          class="px-2 py-1.5 dd-rounded text-[0.6875rem] font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text">
+          class="px-2 py-1.5 dd-rounded text-2xs-plus font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text">
           <option value="all">Update</option>
           <option value="any">Has Update</option>
           <option value="major">Major</option>
@@ -95,66 +101,59 @@ const {
           <option value="patch">Patch</option>
           <option value="digest">Digest</option>
         </select>
-        <button
+        <AppButton size="none" variant="plain" weight="none"
           v-if="activeFilterCount > 0 || filterSearch"
-          class="text-[0.625rem] font-medium px-2 py-1 dd-rounded transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
+          class="text-2xs font-medium px-2 py-1 dd-rounded transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
           @click="clearFilters">
           Clear all
-        </button>
+        </AppButton>
       </template>
       <template #extra-buttons>
         <div v-if="containerViewMode === 'table'">
-          <button
-            class="w-7 h-7 dd-rounded flex items-center justify-center text-[0.6875rem] transition-colors"
-            :class="showColumnPicker ? 'dd-text dd-bg-elevated' : 'dd-text-secondary hover:dd-text hover:dd-bg-elevated'"
-            v-tooltip.top="tt('Toggle columns')"
-            @click.stop="toggleColumnPicker($event)">
-            <AppIcon name="config" :size="12" />
-          </button>
+          <AppIconButton icon="config" size="toolbar" variant="secondary"
+            :class="showColumnPicker ? 'dd-text dd-bg-elevated' : ''"
+            :tooltip="tt('Toggle columns')"
+            @click.stop="toggleColumnPicker($event)" />
         </div>
       </template>
       <template #left>
-        <button
-          class="w-7 h-7 dd-rounded flex items-center justify-center text-[0.6875rem] transition-colors"
-          :class="groupByStack ? 'dd-text dd-bg-elevated' : 'dd-text-secondary hover:dd-text hover:dd-bg-elevated'"
-          v-tooltip.top="tt('Group by stack')"
-          @click="groupByStack = !groupByStack">
-          <AppIcon name="stack" :size="13" />
-        </button>
-        <button
-          class="w-7 h-7 dd-rounded flex items-center justify-center text-[0.6875rem] transition-colors"
-          :class="rechecking ? 'dd-text-muted cursor-wait' : 'dd-text-secondary hover:dd-text hover:dd-bg-elevated'"
+        <AppIconButton icon="stack" size="toolbar" variant="secondary"
+          :class="groupByStack ? 'dd-text dd-bg-elevated' : ''"
+          :tooltip="tt('Group by stack')"
+          @click="groupByStack = !groupByStack" />
+        <AppIconButton icon="restart" size="toolbar" variant="secondary"
+          :class="rechecking ? 'dd-text-muted cursor-wait' : ''"
           :disabled="rechecking"
-          v-tooltip.top="tt('Recheck for updates')"
-          @click="recheckAll">
-          <AppIcon name="restart" :size="13" :class="{ 'animate-spin': rechecking }" />
-        </button>
+          :loading="rechecking"
+          :tooltip="tt('Recheck for updates')"
+          @click="recheckAll" />
       </template>
     </DataFilterBar>
 
     <div
       v-if="showColumnPicker"
-      class="z-50 min-w-[160px] py-1.5 dd-rounded shadow-lg"
+      class="min-w-[160px] py-1.5 dd-rounded shadow-lg"
       :style="{
         ...columnPickerStyle,
+        zIndex: 'var(--z-popover)',
         backgroundColor: 'var(--dd-bg-card)',
         border: '1px solid var(--dd-border-strong)',
-        boxShadow: 'var(--dd-shadow-lg)',
+        boxShadow: 'var(--dd-shadow-tooltip)',
       }"
       @click.stop>
-      <div class="px-3 py-1 text-[0.5625rem] font-bold uppercase tracking-wider dd-text-muted">Columns</div>
-      <button
+      <div class="px-3 py-1 text-3xs font-bold uppercase tracking-wider dd-text-muted">Columns</div>
+      <AppButton size="none" variant="plain" weight="none"
         v-for="column in allColumns.filter((columnItem) => columnItem.label)"
         :key="column.key"
-        class="w-full text-left px-3 py-1.5 text-[0.6875rem] font-medium transition-colors flex items-center gap-2 hover:dd-bg-elevated"
+        class="w-full text-left px-3 py-1.5 text-2xs-plus font-medium transition-colors flex items-center gap-2 hover:dd-bg-elevated"
         :class="column.required ? 'dd-text-muted cursor-not-allowed' : 'dd-text'"
         @click="toggleColumn(column.key)">
         <AppIcon
           :name="visibleColumns.has(column.key) ? 'check' : 'square'"
-          :size="10"
+          :size="13"
           :style="visibleColumns.has(column.key) ? { color: 'var(--dd-primary)' } : {}" />
         {{ column.label }}
-      </button>
+      </AppButton>
     </div>
 
     <ContainersGroupedViews />
diff --git a/ui/src/components/containers/FloatingTagBadge.vue b/ui/src/components/containers/FloatingTagBadge.vue
new file mode 100644
index 000000000..73e0eaaed
--- /dev/null
+++ b/ui/src/components/containers/FloatingTagBadge.vue
@@ -0,0 +1,25 @@
+<script setup lang="ts">
+import { computed } from 'vue';
+import AppBadge from '@/components/AppBadge.vue';
+
+const props = defineProps<{
+  tagPrecision?: 'specific' | 'floating';
+  imageDigestWatch?: boolean;
+}>();
+
+const FLOATING_TAG_TOOLTIP =
+  'This tag may be updated in-place by the registry. Enable dd.watch.digest=true or use a full semver tag for complete update detection.';
+
+const shouldRender = computed(() => props.tagPrecision === 'floating' && !props.imageDigestWatch);
+</script>
+
+<template>
+  <span
+    v-if="shouldRender"
+    data-test="floating-tag-badge"
+    v-tooltip.top="FLOATING_TAG_TOOLTIP"
+    class="cursor-help"
+  >
+    <AppBadge tone="caution" size="xs">floating tag</AppBadge>
+  </span>
+</template>
diff --git a/ui/src/components/containers/ReleaseNotesLink.vue b/ui/src/components/containers/ReleaseNotesLink.vue
new file mode 100644
index 000000000..766731d58
--- /dev/null
+++ b/ui/src/components/containers/ReleaseNotesLink.vue
@@ -0,0 +1,67 @@
+<script setup lang="ts">
+import { ref } from 'vue';
+import type { ContainerReleaseNotes } from '../../types/container';
+
+const props = defineProps<{
+  releaseNotes?: ContainerReleaseNotes | null;
+  releaseLink?: string;
+}>();
+
+const expanded = ref(false);
+
+function toggleExpand() {
+  expanded.value = !expanded.value;
+}
+
+function truncateBody(body: string, maxLength: number = 200): string {
+  if (body.length <= maxLength) return body;
+  return `${body.slice(0, maxLength)}...`;
+}
+</script>
+
+<template>
+  <!-- Inline release notes with expandable preview -->
+  <div v-if="props.releaseNotes" class="inline-flex flex-col" data-test="release-notes-link">
+    <AppButton size="none" variant="plain" weight="none"
+      class="inline-flex items-center gap-1 text-2xs-plus underline hover:no-underline transition-colors"
+      style="color: var(--dd-info);"
+      @click.stop="toggleExpand"
+    >
+      <AppIcon name="file-text" :size="12" />
+      Release notes
+      <AppIcon :name="expanded ? 'chevron-up' : 'chevron-down'" :size="10" />
+    </AppButton>
+    <div
+      v-if="expanded"
+      class="mt-2 px-2.5 py-2 dd-rounded text-2xs-plus space-y-1.5"
+      :style="{ backgroundColor: 'var(--dd-bg-inset)' }"
+      @click.stop
+    >
+      <div class="font-semibold dd-text">{{ props.releaseNotes.title }}</div>
+      <div class="dd-text-secondary whitespace-pre-line break-words">{{ truncateBody(props.releaseNotes.body) }}</div>
+      <a
+        :href="props.releaseNotes.url"
+        target="_blank"
+        rel="noopener noreferrer"
+        class="inline-flex items-center gap-1 text-2xs underline hover:no-underline"
+        style="color: var(--dd-info);"
+      >
+        View full notes
+        <AppIcon name="external-link" :size="10" />
+      </a>
+    </div>
+  </div>
+  <!-- Fallback: simple external release link -->
+  <a
+    v-else-if="props.releaseLink"
+    :href="props.releaseLink"
+    target="_blank"
+    rel="noopener noreferrer"
+    class="inline-flex items-center gap-1 text-2xs-plus underline hover:no-underline"
+    style="color: var(--dd-info);"
+    data-test="release-link"
+  >
+    <AppIcon name="file-text" :size="12" />
+    Release notes
+  </a>
+</template>
diff --git a/ui/src/components/containers/SuggestedTagBadge.vue b/ui/src/components/containers/SuggestedTagBadge.vue
new file mode 100644
index 000000000..543a7e32c
--- /dev/null
+++ b/ui/src/components/containers/SuggestedTagBadge.vue
@@ -0,0 +1,36 @@
+<script setup lang="ts">
+import { computed } from 'vue';
+import { suggestedTagColor } from '../../utils/display';
+
+const props = defineProps<{
+  tag: string | undefined;
+  currentTag: string;
+}>();
+
+const isLatestOrUntagged = computed(() => {
+  const t = (props.currentTag ?? '').toLowerCase();
+  return t === 'latest' || t === '';
+});
+
+const shouldShow = computed(() => !!props.tag && isLatestOrUntagged.value);
+
+const tooltip = computed(() => {
+  const hint = 'Best stable semver tag available \u2014 consider pinning';
+  return props.tag && props.tag.length > 24 ? `${props.tag}\n${hint}` : hint;
+});
+
+const colors = suggestedTagColor();
+</script>
+
+<template>
+  <span
+    v-if="shouldShow"
+    class="badge text-3xs font-bold inline-flex items-center gap-1 max-w-[200px]"
+    :style="{ backgroundColor: colors.bg, color: colors.text }"
+    v-tooltip.top="tooltip"
+    data-test="suggested-tag-badge"
+  >
+    <AppIcon name="tag" :size="10" class="shrink-0" />
+    <span class="truncate">Suggested: {{ props.tag }}</span>
+  </span>
+</template>
diff --git a/ui/src/components/containers/UpdateMaturityBadge.vue b/ui/src/components/containers/UpdateMaturityBadge.vue
new file mode 100644
index 000000000..61ba0a60e
--- /dev/null
+++ b/ui/src/components/containers/UpdateMaturityBadge.vue
@@ -0,0 +1,34 @@
+<script setup lang="ts">
+import { maturityColor } from '../../utils/display';
+
+const props = withDefaults(
+  defineProps<{
+    maturity: 'fresh' | 'settled' | null;
+    tooltip?: string;
+    size?: 'sm' | 'md';
+  }>(),
+  { size: 'md' },
+);
+
+function maturityLabel(maturity: 'fresh' | 'settled' | null): 'NEW' | 'MATURE' {
+  return maturity === 'fresh' ? 'NEW' : 'MATURE';
+}
+
+function fallbackTooltip(maturity: 'fresh' | 'settled' | null): string {
+  return maturity === 'fresh' ? 'New update' : 'Mature update';
+}
+</script>
+
+<template>
+  <span
+    v-if="props.maturity"
+    class="badge uppercase font-bold inline-flex items-center gap-1"
+    :class="props.size === 'sm' ? 'px-1.5 py-0 text-3xs' : 'text-3xs'"
+    :style="{ backgroundColor: maturityColor(props.maturity).bg, color: maturityColor(props.maturity).text }"
+    v-tooltip.top="props.tooltip ?? fallbackTooltip(props.maturity)"
+    data-test="update-maturity-badge"
+  >
+    <AppIcon :name="props.maturity === 'fresh' ? 'flame' : 'clock'" :size="props.size === 'sm' ? 10 : 11" />
+    <span class="tracking-wide leading-none">{{ maturityLabel(props.maturity) }}</span>
+  </span>
+</template>
diff --git a/ui/src/components/stories/sampleData.ts b/ui/src/components/stories/sampleData.ts
new file mode 100644
index 000000000..2016be624
--- /dev/null
+++ b/ui/src/components/stories/sampleData.ts
@@ -0,0 +1,59 @@
+export interface SampleServiceCard {
+  id: string;
+  name: string;
+  server: string;
+  status: 'healthy' | 'degraded' | 'offline';
+  updates: number;
+}
+
+export interface SampleWatcherItem {
+  id: string;
+  name: string;
+  endpoint: string;
+  status: 'connected' | 'disconnected';
+  containers: number;
+}
+
+interface SampleContainerRow {
+  id: string;
+  name: string;
+  status: 'running' | 'stopped';
+  server: string;
+  updates: number;
+}
+
+export const sampleServiceCards: SampleServiceCard[] = [
+  { id: 'gateway', name: 'API Gateway', server: 'edge-1', status: 'healthy', updates: 0 },
+  { id: 'worker', name: 'Background Worker', server: 'edge-2', status: 'degraded', updates: 2 },
+  { id: 'reports', name: 'Reports Service', server: 'edge-3', status: 'offline', updates: 1 },
+];
+
+export const sampleWatcherItems: SampleWatcherItem[] = [
+  {
+    id: 'local',
+    name: 'Local Docker',
+    endpoint: 'unix:///var/run/docker.sock',
+    status: 'connected',
+    containers: 18,
+  },
+  {
+    id: 'edge-1',
+    name: 'Edge Cluster 1',
+    endpoint: 'tcp://10.42.0.12:2376',
+    status: 'connected',
+    containers: 9,
+  },
+  {
+    id: 'edge-2',
+    name: 'Edge Cluster 2',
+    endpoint: 'tcp://10.42.0.13:2376',
+    status: 'disconnected',
+    containers: 0,
+  },
+];
+
+export const sampleContainerRows: SampleContainerRow[] = [
+  { id: 'api', name: 'drydock-api', status: 'running', server: 'local', updates: 0 },
+  { id: 'web', name: 'drydock-web', status: 'running', server: 'edge-1', updates: 2 },
+  { id: 'db', name: 'postgres', status: 'stopped', server: 'edge-2', updates: 1 },
+];
diff --git a/ui/src/composables/useColumnVisibility.ts b/ui/src/composables/useColumnVisibility.ts
index 80541cfe0..2e7363846 100644
--- a/ui/src/composables/useColumnVisibility.ts
+++ b/ui/src/composables/useColumnVisibility.ts
@@ -35,13 +35,7 @@ const allColumns: ColumnDef[] = [
   },
   { key: 'kind', label: 'Kind', px: 'px-3', style: '', required: false },
   { key: 'status', label: 'Status', px: 'px-3', style: '', required: false },
-  {
-    key: 'bouncer',
-    label: 'Bouncer',
-    px: 'px-3',
-    style: '',
-    required: false,
-  },
+  { key: 'imageAge', label: 'Image Age', px: 'px-3', style: '', required: false },
   { key: 'server', label: 'Host', px: 'px-3', style: '', required: false },
   {
     key: 'registry',
diff --git a/ui/src/composables/useContainerFilters.ts b/ui/src/composables/useContainerFilters.ts
index 700f98443..1751c81d2 100644
--- a/ui/src/composables/useContainerFilters.ts
+++ b/ui/src/composables/useContainerFilters.ts
@@ -23,7 +23,15 @@ interface PersistedFilterRefs {
   kind: Ref<string>;
 }
 
-function getPersistedFilterValues(filters: PersistedFilterRefs) {
+interface PersistedFilterValues {
+  status: string;
+  registry: string;
+  bouncer: string;
+  server: string;
+  kind: string;
+}
+
+function getPersistedFilterValues(filters: PersistedFilterRefs): PersistedFilterValues {
   return {
     status: filters.status.value,
     registry: filters.registry.value,
@@ -33,7 +41,7 @@ function getPersistedFilterValues(filters: PersistedFilterRefs) {
   };
 }
 
-function persistFilterValues(values: ReturnType<typeof getPersistedFilterValues>): void {
+function persistFilterValues(values: PersistedFilterValues): void {
   preferences.containers.filters.status = values.status;
   preferences.containers.filters.registry = values.registry;
   preferences.containers.filters.bouncer = values.bouncer;
@@ -86,7 +94,7 @@ function matchesContainerFilters(container: Container, criteria: ContainerFilter
   return CONTAINER_FILTER_MATCHERS.every((matcher) => matcher(container, criteria));
 }
 
-export function useContainerFilters(containers: { value: Container[] }) {
+export function useContainerFilters(containers: Ref<Container[]>) {
   const filterSearch = ref('');
   const filterStatus = ref(preferences.containers.filters.status);
   const filterRegistry = ref(preferences.containers.filters.registry);
@@ -94,7 +102,7 @@ export function useContainerFilters(containers: { value: Container[] }) {
   const filterServer = ref(preferences.containers.filters.server);
   const filterKind = ref(preferences.containers.filters.kind);
   const showFilters = ref(false);
-  const persistedFilterRefs = {
+  const persistedFilterRefs: PersistedFilterRefs = {
     status: filterStatus,
     registry: filterRegistry,
     bouncer: filterBouncer,
diff --git a/ui/src/composables/useDeprecationBanner.ts b/ui/src/composables/useDeprecationBanner.ts
new file mode 100644
index 000000000..be940ab2e
--- /dev/null
+++ b/ui/src/composables/useDeprecationBanner.ts
@@ -0,0 +1,42 @@
+import { computed, type Ref, ref } from 'vue';
+import { useStorageRef } from './useStorageRef';
+
+export interface DeprecationBanner {
+  /** Whether the banner should be visible (detected AND not dismissed). */
+  visible: Ref<boolean>;
+  /** Set to `true` when the condition that triggers the banner is detected. */
+  detected: Ref<boolean>;
+  /** Dismiss for the current browser session only. */
+  dismissForSession: () => void;
+  /** Dismiss permanently (persisted to localStorage). */
+  dismissPermanently: () => void;
+}
+
+/**
+ * Encapsulates the session + permanent dismiss logic for a deprecation banner.
+ *
+ * @param storageKey  A versioned localStorage key, e.g. `'dd-banner-foo-v1'`.
+ */
+export function useDeprecationBanner(storageKey: string): DeprecationBanner {
+  const detected = ref(false);
+  const hiddenForSession = ref(false);
+  const hiddenPermanently = useStorageRef<boolean>(
+    storageKey,
+    false,
+    (value): value is boolean => typeof value === 'boolean',
+  );
+
+  const visible = computed(
+    () => detected.value && !hiddenForSession.value && !hiddenPermanently.value,
+  );
+
+  function dismissForSession() {
+    hiddenForSession.value = true;
+  }
+
+  function dismissPermanently() {
+    hiddenPermanently.value = true;
+  }
+
+  return { visible, detected, dismissForSession, dismissPermanently };
+}
diff --git a/ui/src/composables/useDetailPanel.ts b/ui/src/composables/useDetailPanel.ts
index 082a12866..070465cb8 100644
--- a/ui/src/composables/useDetailPanel.ts
+++ b/ui/src/composables/useDetailPanel.ts
@@ -36,11 +36,16 @@ export function useDetailPanel() {
   const containerFullPage = ref(false);
 
   const panelFlex = computed(() =>
-    panelSize.value === 'sm' ? '0 0 420px' : panelSize.value === 'md' ? '0 0 560px' : '0 0 720px',
+    panelSize.value === 'sm'
+      ? '0 0 var(--dd-layout-panel-width-sm)'
+      : panelSize.value === 'md'
+        ? '0 0 var(--dd-layout-panel-width-md)'
+        : '0 0 var(--dd-layout-panel-width-lg)',
   );
 
   const detailTabs = [
     { id: 'overview', label: 'Overview', icon: 'info' },
+    { id: 'stats', label: 'Stats', icon: 'uptime' },
     { id: 'logs', label: 'Logs', icon: 'logs' },
     { id: 'environment', label: 'Environment', icon: 'config' },
     { id: 'labels', label: 'Labels', icon: 'containers' },
diff --git a/ui/src/composables/useLogSearch.ts b/ui/src/composables/useLogSearch.ts
new file mode 100644
index 000000000..c3bbaa1d3
--- /dev/null
+++ b/ui/src/composables/useLogSearch.ts
@@ -0,0 +1,135 @@
+import { type ComputedRef, computed, type Ref, ref, watch } from 'vue';
+
+interface SearchableLogEntry {
+  id: number;
+  timestamp: string;
+  plainLine: string;
+}
+
+interface UseLogSearchOptions<TEntry extends SearchableLogEntry> {
+  visibleEntries: Ref<TEntry[]> | ComputedRef<TEntry[]>;
+  lineElements: Map<number, HTMLElement>;
+  searchTextForEntry?: (entry: TEntry) => string;
+}
+
+function escapeRegExp(value: string): string {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
+export function useLogSearch<TEntry extends SearchableLogEntry>(
+  options: UseLogSearchOptions<TEntry>,
+) {
+  const searchQuery = ref('');
+  const regexSearch = ref(false);
+  const searchError = ref<string | null>(null);
+  const currentMatchIndex = ref(0);
+
+  const searchPattern = computed<RegExp | null>(() => {
+    const rawQuery = searchQuery.value;
+    if (!rawQuery) {
+      searchError.value = null;
+      return null;
+    }
+
+    try {
+      const source = regexSearch.value ? rawQuery : escapeRegExp(rawQuery);
+      const pattern = new RegExp(source, 'i');
+      searchError.value = null;
+      return pattern;
+    } catch {
+      searchError.value = regexSearch.value ? 'Invalid regular expression' : null;
+      return null;
+    }
+  });
+
+  const matchedEntryIds = computed<number[]>(() => {
+    const pattern = searchPattern.value;
+    if (!pattern) {
+      return [];
+    }
+
+    const toSearchText =
+      options.searchTextForEntry ?? ((entry: TEntry) => `${entry.timestamp} ${entry.plainLine}`);
+
+    return options.visibleEntries.value
+      .filter((entry) => pattern.test(toSearchText(entry)))
+      .map((entry) => entry.id);
+  });
+
+  const currentMatchEntryId = computed<number | null>(() => {
+    const ids = matchedEntryIds.value;
+    if (ids.length === 0) {
+      return null;
+    }
+
+    const safeIndex =
+      currentMatchIndex.value >= 0 && currentMatchIndex.value < ids.length
+        ? currentMatchIndex.value
+        : 0;
+    return ids[safeIndex] ?? null;
+  });
+
+  const matchLabel = computed(() => {
+    const count = matchedEntryIds.value.length;
+    if (count === 0) {
+      return '0 / 0';
+    }
+    return `${currentMatchIndex.value + 1} / ${count}`;
+  });
+
+  function jumpToMatch(direction: 'next' | 'prev'): void {
+    const ids = matchedEntryIds.value;
+    if (ids.length === 0) {
+      return;
+    }
+
+    if (direction === 'next') {
+      currentMatchIndex.value = (currentMatchIndex.value + 1) % ids.length;
+    } else {
+      currentMatchIndex.value = (currentMatchIndex.value - 1 + ids.length) % ids.length;
+    }
+
+    const targetId = ids[currentMatchIndex.value];
+    const targetElement = options.lineElements.get(targetId);
+    if (targetElement && typeof targetElement.scrollIntoView === 'function') {
+      targetElement.scrollIntoView({ block: 'center' });
+    }
+  }
+
+  function isMatchedEntry(entryId: number): boolean {
+    return matchedEntryIds.value.includes(entryId);
+  }
+
+  function isCurrentMatch(entryId: number): boolean {
+    return currentMatchEntryId.value === entryId;
+  }
+
+  watch(searchPattern, () => {
+    currentMatchIndex.value = 0;
+  });
+
+  watch(matchedEntryIds, (matches) => {
+    if (matches.length === 0) {
+      currentMatchIndex.value = 0;
+      return;
+    }
+
+    if (currentMatchIndex.value >= matches.length) {
+      currentMatchIndex.value = 0;
+    }
+  });
+
+  return {
+    searchQuery,
+    regexSearch,
+    searchError,
+    searchPattern,
+    matchedEntryIds,
+    currentMatchIndex,
+    currentMatchEntryId,
+    matchLabel,
+    jumpToMatch,
+    isMatchedEntry,
+    isCurrentMatch,
+  };
+}
diff --git a/ui/src/composables/useLogViewerBehavior.ts b/ui/src/composables/useLogViewerBehavior.ts
index 57d8eec42..2562beadd 100644
--- a/ui/src/composables/useLogViewerBehavior.ts
+++ b/ui/src/composables/useLogViewerBehavior.ts
@@ -72,6 +72,12 @@ export function useAutoFetchLogs(options: AutoFetchOptions) {
     else stopAutoFetch();
   });
 
+  // Register stopAutoFetch cleanup BEFORE the visibility listener so that
+  // onScopeDispose (which runs in reverse order) tears down the timer AFTER
+  // the visibility listener is removed — preventing a late visibilitychange
+  // event from restarting the interval during disposal.
+  onScopeDispose(() => stopAutoFetch());
+
   if (typeof document !== 'undefined') {
     const handleVisibilityChange = () => {
       if (isTabHidden()) stopAutoFetch();
@@ -81,7 +87,5 @@ export function useAutoFetchLogs(options: AutoFetchOptions) {
     onScopeDispose(() => document.removeEventListener('visibilitychange', handleVisibilityChange));
   }
 
-  onScopeDispose(() => stopAutoFetch());
-
   return { autoFetchInterval };
 }
diff --git a/ui/src/composables/useSystemLogStream.ts b/ui/src/composables/useSystemLogStream.ts
new file mode 100644
index 000000000..c5469acf9
--- /dev/null
+++ b/ui/src/composables/useSystemLogStream.ts
@@ -0,0 +1,72 @@
+import { onScopeDispose, ref } from 'vue';
+import {
+  createSystemLogStreamConnection,
+  type SystemLogEntry,
+  type SystemLogStreamConnection,
+  type SystemLogStreamQuery,
+  type SystemLogStreamStatus,
+} from '../services/system-log-stream';
+
+const MAX_ENTRIES = 2000;
+
+export function useSystemLogStream(options?: {
+  webSocketFactory?: (url: string) => WebSocket;
+  location?: Location;
+}) {
+  const entries = ref<SystemLogEntry[]>([]);
+  const status = ref<SystemLogStreamStatus>('disconnected');
+  let connection: SystemLogStreamConnection | undefined;
+
+  function connect(query?: SystemLogStreamQuery) {
+    disconnect();
+    entries.value = [];
+    connection = createSystemLogStreamConnection({
+      query,
+      onMessage(entry) {
+        entries.value.push(entry);
+        if (entries.value.length > MAX_ENTRIES) {
+          entries.value.splice(0, entries.value.length - MAX_ENTRIES);
+        }
+      },
+      onStatus(newStatus) {
+        status.value = newStatus;
+      },
+      webSocketFactory: options?.webSocketFactory,
+      location: options?.location,
+    });
+  }
+
+  function disconnect() {
+    if (connection) {
+      connection.close();
+      connection = undefined;
+      status.value = 'disconnected';
+    }
+  }
+
+  function updateFilters(query: SystemLogStreamQuery) {
+    if (!connection) {
+      connect(query);
+      return;
+    }
+    entries.value = [];
+    connection.update(query);
+  }
+
+  function clear() {
+    entries.value = [];
+  }
+
+  onScopeDispose(() => {
+    disconnect();
+  });
+
+  return {
+    entries,
+    status,
+    connect,
+    disconnect,
+    updateFilters,
+    clear,
+  };
+}
diff --git a/ui/src/composables/useToast.ts b/ui/src/composables/useToast.ts
new file mode 100644
index 000000000..b24677a63
--- /dev/null
+++ b/ui/src/composables/useToast.ts
@@ -0,0 +1,41 @@
+import { ref } from 'vue';
+
+export type ToastTone = 'error' | 'success' | 'warning' | 'info';
+
+export interface Toast {
+  id: number;
+  title: string;
+  body?: string;
+  tone: ToastTone;
+}
+
+const AUTO_DISMISS_MS = 6_000;
+
+let nextId = 0;
+const toasts = ref<Toast[]>([]);
+
+function addToast(title: string, options?: { body?: string; tone?: ToastTone; duration?: number }) {
+  const id = nextId++;
+  const tone = options?.tone ?? 'info';
+  const duration = options?.duration ?? AUTO_DISMISS_MS;
+  toasts.value = [...toasts.value, { id, title, body: options?.body, tone }];
+  if (duration > 0) {
+    setTimeout(() => dismissToast(id), duration);
+  }
+}
+
+function dismissToast(id: number) {
+  toasts.value = toasts.value.filter((t) => t.id !== id);
+}
+
+export function useToast() {
+  return {
+    toasts,
+    addToast,
+    dismissToast,
+    error: (title: string, body?: string) => addToast(title, { tone: 'error', body }),
+    success: (title: string, body?: string) => addToast(title, { tone: 'success', body }),
+    warning: (title: string, body?: string) => addToast(title, { tone: 'warning', body }),
+    info: (title: string, body?: string) => addToast(title, { tone: 'info', body }),
+  };
+}
diff --git a/ui/src/directives/tooltip.ts b/ui/src/directives/tooltip.ts
index 34be98f1e..4fe976c3e 100644
--- a/ui/src/directives/tooltip.ts
+++ b/ui/src/directives/tooltip.ts
@@ -82,8 +82,8 @@ function showTooltip(el: HTMLElement, state: TooltipState) {
   // Position after the element is in the DOM so we can measure it
   positionTooltip(el, tip);
 
-  // Force reflow before adding visible class for CSS transition
-  tip.offsetHeight; // eslint-disable-line @typescript-eslint/no-unused-expressions
+  // Force a layout read before adding visible class for CSS transition.
+  tip.getBoundingClientRect();
   tip.classList.add('dd-tooltip-visible');
 }
 
diff --git a/ui/src/env.d.ts b/ui/src/env.d.ts
index 3a7bb3fba..e683603dd 100644
--- a/ui/src/env.d.ts
+++ b/ui/src/env.d.ts
@@ -2,12 +2,11 @@
 
 declare module '*.vue' {
   import type { DefineComponent } from 'vue';
-  // biome-ignore lint/complexity/noBannedTypes: standard Vue SFC type declaration
-  const component: DefineComponent<{}, {}, any>;
+  const component: DefineComponent<any, any, any>;
   export default component;
 }
 
 declare module '*.svg' {
-  const content: any;
+  const content: string;
   export default content;
 }
diff --git a/ui/src/icons.ts b/ui/src/icons.ts
index a6de9e32d..3a618d83c 100644
--- a/ui/src/icons.ts
+++ b/ui/src/icons.ts
@@ -288,6 +288,15 @@ export const iconMap: Record<string, Record<IconLibrary, string>> = {
     heroicons: 'heroicons:check-circle',
     iconoir: 'iconoir:check-circle',
   },
+  pin: {
+    'fa6-solid': 'fa6-solid:thumbtack',
+    ph: 'ph:push-pin',
+    'ph-duotone': 'ph:push-pin-duotone',
+    lucide: 'lucide:pin',
+    tabler: 'tabler:pin',
+    heroicons: 'heroicons:map-pin',
+    iconoir: 'iconoir:pin',
+  },
   stop: {
     'fa6-solid': 'fa6-solid:stop',
     ph: 'ph:stop',
@@ -738,4 +747,31 @@ export const iconMap: Record<string, Record<IconLibrary, string>> = {
     heroicons: 'heroicons:clock',
     iconoir: 'iconoir:clock',
   },
+  tag: {
+    'fa6-solid': 'fa6-solid:tag',
+    ph: 'ph:tag',
+    'ph-duotone': 'ph:tag-duotone',
+    lucide: 'lucide:tag',
+    tabler: 'tabler:tag',
+    heroicons: 'heroicons:tag',
+    iconoir: 'iconoir:label',
+  },
+  'file-text': {
+    'fa6-solid': 'fa6-solid:file-lines',
+    ph: 'ph:file-text',
+    'ph-duotone': 'ph:file-text-duotone',
+    lucide: 'lucide:file-text',
+    tabler: 'tabler:file-text',
+    heroicons: 'heroicons:document-text',
+    iconoir: 'iconoir:page',
+  },
+  'external-link': {
+    'fa6-solid': 'fa6-solid:arrow-up-right-from-square',
+    ph: 'ph:arrow-square-out',
+    'ph-duotone': 'ph:arrow-square-out-duotone',
+    lucide: 'lucide:external-link',
+    tabler: 'tabler:external-link',
+    heroicons: 'heroicons:arrow-top-right-on-square',
+    iconoir: 'iconoir:open-new-window',
+  },
 };
diff --git a/ui/src/layouts/AppLayout.vue b/ui/src/layouts/AppLayout.vue
index 89a19752b..670c8032b 100644
--- a/ui/src/layouts/AppLayout.vue
+++ b/ui/src/layouts/AppLayout.vue
@@ -3,8 +3,10 @@ import { computed, nextTick, onMounted, onUnmounted, ref, watch } from 'vue';
 import { useRoute, useRouter } from 'vue-router';
 import whaleLogo from '@/assets/whale-logo.png?inline';
 import AnnouncementBanner from '@/components/AnnouncementBanner.vue';
+import AppIconButton from '@/components/AppIconButton.vue';
 import NotificationBell from '@/components/NotificationBell.vue';
 import { useBreakpoints } from '@/composables/useBreakpoints';
+import { useDeprecationBanner } from '@/composables/useDeprecationBanner';
 import { useIcons } from '@/composables/useIcons';
 import { useStorageRef } from '@/composables/useStorageRef';
 import { loadRecentItems, saveRecentItems } from '@/layouts/recentStorage';
@@ -18,6 +20,7 @@ import { getAllContainers } from '@/services/container';
 import { getEffectiveDisplayIcon } from '@/services/image-icon';
 import { getAllNotificationRules } from '@/services/notification';
 import { getAllRegistries } from '@/services/registry';
+import { getServer } from '@/services/server';
 import sseService from '@/services/sse';
 import { getAllTriggers } from '@/services/trigger';
 import { getAllWatchers } from '@/services/watcher';
@@ -52,7 +55,7 @@ watch(isMobile, (val) => {
   if (!val) isMobileMenuOpen.value = false;
 });
 
-// Close mobile menu on any route change (safety net for non-sidebar navigation)
+// Close mobile menu on route changes (safety net for non-sidebar navigation)
 watch(
   () => route.path,
   () => {
@@ -210,8 +213,18 @@ const staticSearchResults = computed<SearchResultItem[]>(() => {
 
 // User menu
 const showUserMenu = ref(false);
-function toggleUserMenu() {
+const userMenuStyle = ref<Record<string, string>>({});
+function toggleUserMenu(event: MouseEvent) {
   showUserMenu.value = !showUserMenu.value;
+  if (showUserMenu.value) {
+    const button = event.currentTarget as HTMLElement;
+    const rect = button.getBoundingClientRect();
+    userMenuStyle.value = {
+      position: 'fixed',
+      top: `${rect.bottom + 4}px`,
+      right: `${window.innerWidth - rect.right}px`,
+    };
+  }
 }
 function handleUserMenuClickOutside(e: PointerEvent) {
   const target = e.target as HTMLElement;
@@ -254,6 +267,32 @@ const hideLegacyHashBannerPermanently = useStorageRef<boolean>(
   false,
   (value): value is boolean => typeof value === 'boolean',
 );
+
+interface LegacyInputSourceSummary {
+  total: number;
+  keys: string[];
+}
+
+interface LegacyInputSummary {
+  total: number;
+  env: LegacyInputSourceSummary;
+  label: LegacyInputSourceSummary;
+  api?: LegacyInputSourceSummary;
+}
+
+const LEGACY_KEY_PREVIEW_LIMIT = 6;
+const stackedBannerInlineStyle = {
+  position: 'static',
+  top: 'auto',
+  left: 'auto',
+  translate: 'none',
+  width: '100%',
+  maxWidth: 'none',
+} as const;
+const legacyInputSummary = ref<LegacyInputSummary | null>(null);
+const legacyConfigDeprecationBanner = useDeprecationBanner('dd-banner-legacy-config-v1');
+const legacyApiPathDeprecationBanner = useDeprecationBanner('dd-banner-legacy-api-paths-v1');
+
 type SearchScope = 'all' | 'pages' | 'containers' | 'runtime' | 'config';
 type SearchPrefix = '/' | '@' | '#';
 interface SearchScopeOption {
@@ -561,6 +600,74 @@ function isHttpOidcDiscovery(authentication: unknown): boolean {
   }
 }
 
+function normalizeLegacyInputSourceSummary(rawValue: unknown): LegacyInputSourceSummary {
+  const parsedTotal = Number((rawValue as { total?: unknown })?.total);
+  const parsedKeys = Array.isArray((rawValue as { keys?: unknown })?.keys)
+    ? (rawValue as { keys: unknown[] }).keys.filter(
+        (value): value is string => typeof value === 'string',
+      )
+    : [];
+  const uniqueKeys = Array.from(new Set(parsedKeys)).sort((left, right) =>
+    left.localeCompare(right),
+  );
+  const total =
+    Number.isFinite(parsedTotal) && parsedTotal >= 0
+      ? Math.max(Math.floor(parsedTotal), uniqueKeys.length)
+      : uniqueKeys.length;
+  return { total, keys: uniqueKeys };
+}
+
+function normalizeLegacyInputSummary(rawValue: unknown): LegacyInputSummary | null {
+  if (!rawValue || typeof rawValue !== 'object') {
+    return null;
+  }
+
+  const env = normalizeLegacyInputSourceSummary((rawValue as { env?: unknown }).env);
+  const label = normalizeLegacyInputSourceSummary((rawValue as { label?: unknown }).label);
+  const apiSource =
+    (rawValue as { api?: unknown }).api ??
+    (rawValue as { path?: unknown }).path ??
+    (rawValue as { paths?: unknown }).paths;
+  const api = normalizeLegacyInputSourceSummary(apiSource);
+  const parsedTotal = Number((rawValue as { total?: unknown }).total);
+  const totalFromSources = env.total + label.total + api.total;
+  const total =
+    Number.isFinite(parsedTotal) && parsedTotal >= 0
+      ? Math.max(Math.floor(parsedTotal), totalFromSources)
+      : totalFromSources;
+
+  if (total <= 0) {
+    return null;
+  }
+
+  const summary: LegacyInputSummary = { total, env, label };
+  if (api.total > 0 || api.keys.length > 0) {
+    summary.api = api;
+  }
+  return summary;
+}
+
+function summarizeLegacyKeys(keys: string[]): string {
+  if (keys.length === 0) {
+    return '';
+  }
+  const previewKeys = keys.slice(0, LEGACY_KEY_PREVIEW_LIMIT);
+  const hiddenCount = keys.length - previewKeys.length;
+  return hiddenCount > 0
+    ? `${previewKeys.join(', ')} (+${hiddenCount} more)`
+    : previewKeys.join(', ');
+}
+
+const legacyEnvKeysPreview = computed(() =>
+  summarizeLegacyKeys(legacyInputSummary.value?.env.keys ?? []),
+);
+const legacyLabelKeysPreview = computed(() =>
+  summarizeLegacyKeys(legacyInputSummary.value?.label.keys ?? []),
+);
+const legacyApiPathKeysPreview = computed(() =>
+  summarizeLegacyKeys(legacyInputSummary.value?.api?.keys ?? []),
+);
+
 const showOidcHttpCompatibilityBanner = computed(
   () =>
     oidcHttpDiscoveryDetected.value &&
@@ -598,6 +705,29 @@ const showLegacyHashDeprecationBanner = computed(
     !hideLegacyHashBannerPermanently.value,
 );
 
+const showLegacyConfigDeprecationBanner = computed(
+  () => legacyConfigDeprecationBanner.visible.value,
+);
+const showLegacyApiPathDeprecationBanner = computed(
+  () => legacyApiPathDeprecationBanner.visible.value,
+);
+const legacyConfigBannerTitle = computed(() => {
+  const envCount = legacyInputSummary.value?.env.total ?? 0;
+  const labelCount = legacyInputSummary.value?.label.total ?? 0;
+  const total = envCount + labelCount;
+  return `${total} legacy configuration alias${total !== 1 ? 'es' : ''} detected`;
+});
+const legacyApiPathBannerTitle = computed(
+  () => `${legacyInputSummary.value?.api?.total ?? 0} legacy API paths detected`,
+);
+const hasVisibleAnnouncementBanners = computed(
+  () =>
+    showOidcHttpCompatibilityBanner.value ||
+    showLegacyHashDeprecationBanner.value ||
+    showLegacyConfigDeprecationBanner.value ||
+    showLegacyApiPathDeprecationBanner.value,
+);
+
 function dismissLegacyHashBannerForSession() {
   hideLegacyHashBannerForSession.value = true;
 }
@@ -606,6 +736,15 @@ function dismissLegacyHashBannerPermanently() {
   hideLegacyHashBannerPermanently.value = true;
 }
 
+async function refreshLegacyInputSummary() {
+  const serverData = await getServer().catch(() => null);
+  const summary = normalizeLegacyInputSummary(serverData?.compatibility?.legacyInputs);
+  legacyInputSummary.value = summary;
+  legacyConfigDeprecationBanner.detected.value =
+    (summary?.env.total ?? 0) > 0 || (summary?.label.total ?? 0) > 0;
+  legacyApiPathDeprecationBanner.detected.value = (summary?.api?.total ?? 0) > 0;
+}
+
 async function refreshSearchResources() {
   searchResourcesLoading.value = true;
   try {
@@ -1072,9 +1211,10 @@ onMounted(async () => {
   });
   // Fetch sidebar badge data and user info
   try {
-    const [, , user, appInfos] = await Promise.all([
+    const [, , , user, appInfos] = await Promise.all([
       refreshSidebarData(),
       refreshSearchResources(),
+      refreshLegacyInputSummary(),
       getUser().catch(() => null),
       getAppInfos().catch(() => null),
     ]);
@@ -1094,7 +1234,7 @@ onUnmounted(() => {
 
 <template>
   <div :class="[isDark ? 'dark' : 'light']"
-       class="h-dvh flex overflow-hidden font-mono"
+       class="h-dvh flex overflow-clip font-mono"
        :style="{ background: 'var(--dd-bg)' }">
 
     <!-- Mobile overlay -->
@@ -1111,10 +1251,10 @@ onUnmounted(() => {
         isCollapsed ? 'sidebar-collapsed' : '',
       ]"
       :style="{
-        width: isCollapsed ? '56px' : '240px',
-        minWidth: isCollapsed ? '56px' : '240px',
+        width: isCollapsed ? 'var(--dd-layout-sidebar-collapsed-width)' : 'var(--dd-layout-sidebar-expanded-width)',
+        minWidth: isCollapsed ? 'var(--dd-layout-sidebar-collapsed-width)' : 'var(--dd-layout-sidebar-expanded-width)',
         backgroundColor: 'var(--dd-bg-sidebar)',
-        overflowX: 'hidden',
+        overflowX: 'clip',
       }">
 
       <!-- Logo -->
@@ -1125,21 +1265,23 @@ onUnmounted(() => {
                class="h-5 w-auto shrink-0 transition-transform duration-300"
                :style="[isCollapsed ? { transform: 'scaleX(-1)' } : {}, isDark ? { filter: 'invert(1)' } : {}]" />
           <span class="sidebar-label font-bold text-sm tracking-widest dd-text"
-                style="letter-spacing:0.15em;">DRYDOCK</span>
+                style="letter-spacing: var(--dd-letter-spacing-brand);">DRYDOCK</span>
         </div>
-        <button v-if="isMobile"
+        <AppIconButton v-if="isMobile"
+                icon="xmark"
+                size="xs"
+                variant="muted"
+                tooltip="Close menu"
                 aria-label="Close menu"
-                class="p-1 dd-text-muted hover:dd-text transition-colors"
-                @click="isMobileMenuOpen = false">
-          <AppIcon name="close" :size="14" />
-        </button>
+                @click="isMobileMenuOpen = false"
+        />
       </div>
 
       <!-- Nav groups -->
       <nav class="flex-1 overflow-y-auto overflow-x-hidden py-3 px-2 space-y-4">
         <div v-for="group in navGroups" :key="group.label">
           <div v-if="group.label && !isCollapsed"
-               class="px-2 mb-1 text-[0.625rem] font-semibold uppercase tracking-wider dd-text-muted">
+               class="px-2 mb-1 text-2xs font-semibold uppercase tracking-wider dd-text-muted">
             {{ group.label }}
           </div>
           <div v-else-if="group.label" class="flex justify-center py-1 w-9 mx-auto">
@@ -1150,17 +1292,16 @@ onUnmounted(() => {
                class="nav-item-wrapper relative mt-0.5"
                @click="navigateTo(item.route)">
             <div
-              class="nav-item flex items-center gap-3 dd-rounded cursor-pointer relative"
+              class="nav-item flex items-center gap-3 dd-rounded cursor-pointer relative py-[var(--dd-space-6)] px-[var(--dd-space-12)]"
               :class="[
                 route.path === item.route
                   ? 'bg-drydock-secondary/10 dark:bg-drydock-secondary/15 text-drydock-secondary'
                   : 'dd-text-secondary hover:dd-bg-elevated hover:dd-text',
-              ]"
-              style="padding: 6px 12px;">
+              ]">
               <AppIcon :name="item.icon" :size="16" class="shrink-0" style="width:20px; text-align:center;" />
-              <span class="sidebar-label text-[0.8125rem] font-medium">{{ item.label }}</span>
+              <span class="sidebar-label text-xs-plus font-medium">{{ item.label }}</span>
               <span v-if="item.badge && !isCollapsed"
-                    class="sidebar-label ml-auto badge text-[0.625rem]"
+                    class="sidebar-label ml-auto badge text-2xs"
                     :style="{
                       backgroundColor: item.badgeColor === 'red'
                         ? 'var(--dd-danger-muted)'
@@ -1174,7 +1315,7 @@ onUnmounted(() => {
                  :style="{
                    backgroundColor: 'var(--dd-bg-card)',
                    color: 'var(--dd-text)',
-                   boxShadow: 'var(--dd-shadow-sm)',
+                   boxShadow: 'var(--dd-shadow-tooltip)',
                  }">
               {{ item.label }}
             </div>
@@ -1184,7 +1325,7 @@ onUnmounted(() => {
 
       <!-- Sidebar search -->
       <div class="shrink-0 pt-3 pb-3" :class="isCollapsed ? 'px-2' : 'px-3'">
-        <button aria-label="Search"
+        <AppButton size="none" variant="plain" weight="none" aria-label="Search"
                 class="w-full flex items-center dd-rounded text-xs transition-colors dd-bg-card dd-text-secondary hover:dd-bg-elevated hover:dd-text"
                 :class="isCollapsed ? 'justify-center py-2.5' : 'gap-2 px-3 py-2'"
                 :style="{ border: 'none' }"
@@ -1192,60 +1333,64 @@ onUnmounted(() => {
           <AppIcon name="search" :size="12" class="shrink-0" />
           <template v-if="!isCollapsed">
             <span class="sidebar-label">Search</span>
-            <kbd class="sidebar-label ml-auto px-1.5 py-0.5 dd-rounded-sm text-[0.625rem] font-medium dd-text-secondary" style="background: var(--dd-border);">
-              <span class="text-[0.5625rem]">&#8984;</span>K
+            <kbd class="sidebar-label ml-auto px-1.5 py-0.5 dd-rounded-sm text-2xs font-medium dd-text-secondary" style="background: var(--dd-border);">
+              <span class="text-3xs">&#8984;</span>K
             </kbd>
           </template>
-        </button>
+        </AppButton>
       </div>
 
       <!-- Sidebar footer -->
       <div class="shrink-0 px-3 py-2.5 flex items-center gap-1"
            :class="isCollapsed ? 'flex-col' : 'flex-row justify-between'">
-        <button aria-label="About Drydock"
-                class="flex items-center justify-center w-7 h-7 dd-rounded text-xs transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-                v-tooltip.top="'About Drydock'"
-                @click="showAbout = true">
-          <AppIcon name="info" :size="14" />
-        </button>
-        <button v-if="!isMobile"
+        <AppIconButton
+                icon="info"
+                size="xs"
+                variant="muted"
+                tooltip="About Drydock"
+                aria-label="About Drydock"
+                @click="showAbout = true"
+        />
+        <AppIconButton v-if="!isMobile"
+                :icon="sidebarCollapsed ? 'sidebar-expand' : 'sidebar-collapse'"
+                size="xs"
+                variant="muted"
+                :tooltip="sidebarCollapsed ? 'Expand sidebar' : 'Collapse sidebar'"
                 :aria-label="sidebarCollapsed ? 'Expand sidebar' : 'Collapse sidebar'"
-                class="flex items-center justify-center w-7 h-7 dd-rounded text-xs transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-                v-tooltip.top="sidebarCollapsed ? 'Expand sidebar' : 'Collapse sidebar'"
-                @click="sidebarCollapsed = !sidebarCollapsed">
-          <AppIcon :name="sidebarCollapsed ? 'sidebar-expand' : 'sidebar-collapse'" :size="14" />
-        </button>
+                @click="sidebarCollapsed = !sidebarCollapsed"
+        />
       </div>
     </aside>
 
     <!-- MAIN AREA -->
-    <div class="flex-1 flex flex-col min-w-0 overflow-hidden">
+    <div class="flex-1 flex flex-col min-w-0 overflow-hidden" :style="{ backgroundColor: 'var(--dd-bg-sidebar)' }">
 
       <!-- TOP BAR -->
       <header class="h-12 grid items-center px-4 shrink-0"
               style="grid-template-columns: 1fr auto 1fr;"
               :style="{
-                backgroundColor: 'var(--dd-bg)',
-                borderBottom: '1px solid var(--dd-border)',
+                backgroundColor: 'var(--dd-bg-sidebar)',
               }">
         <!-- Left: hamburger + breadcrumb -->
         <div class="flex items-center gap-3">
-          <button v-if="isMobile"
-                  aria-label="Toggle menu"
+          <AppButton size="none" variant="plain" weight="none" v-if="isMobile"
+                  :tooltip="isMobileMenuOpen ? 'Close menu' : 'Open menu'"
+                  :aria-label="isMobileMenuOpen ? 'Close menu' : 'Open menu'"
                   :aria-expanded="String(isMobileMenuOpen)"
                   class="flex flex-col items-center justify-center w-8 h-8 gap-1 rounded-md transition-colors hover:dd-bg-elevated"
                   @click="isMobileMenuOpen = !isMobileMenuOpen">
             <span class="hamburger-line block w-4 h-[2px] rounded-full" style="background: var(--dd-text-muted)" />
             <span class="hamburger-line block w-4 h-[2px] rounded-full" style="background: var(--dd-text-muted)" />
             <span class="hamburger-line block w-4 h-[2px] rounded-full" style="background: var(--dd-text-muted)" />
-          </button>
+          </AppButton>
 
-          <nav class="flex items-center gap-1.5 text-[0.8125rem]">
+          <nav class="flex items-center gap-1.5 text-xs-plus">
             <AppIcon :name="currentPageIcon" :size="16" class="leading-none dd-text-muted" />
             <AppIcon name="chevron-right" :size="13" class="leading-none dd-text-muted" />
             <span class="font-medium leading-none dd-text">
               {{ currentPageLabel }}
             </span>
+            <div id="breadcrumb-actions" class="flex items-center" />
           </nav>
         </div>
 
@@ -1258,7 +1403,7 @@ onUnmounted(() => {
           <NotificationBell />
 
           <div class="relative user-menu-wrapper">
-            <button aria-label="User menu"
+            <AppButton size="none" variant="plain" weight="none" tooltip="User menu" aria-label="User menu"
                     :aria-expanded="String(showUserMenu)"
                     class="flex items-center gap-2 dd-rounded px-1.5 py-1 transition-colors hover:dd-bg-elevated"
                     @click="toggleUserMenu">
@@ -1267,63 +1412,114 @@ onUnmounted(() => {
                 {{ userInitials }}
               </div>
               <AppIcon name="chevron-down" :size="12" class="dd-text-muted" />
-            </button>
+            </AppButton>
             <Transition name="menu-fade">
               <div v-if="showUserMenu"
-                   class="absolute right-0 top-full mt-1 min-w-[160px] py-1 dd-rounded-lg shadow-lg z-50"
-                   :style="{ backgroundColor: 'var(--dd-bg-card)', border: '1px solid var(--dd-border-strong)', boxShadow: 'var(--dd-shadow-lg)' }">
-                <div class="px-3 py-1.5 text-[0.625rem] font-semibold uppercase tracking-wider dd-text-muted"
+                   class="min-w-[160px] py-1 dd-rounded-lg shadow-lg"
+                   :style="{ ...userMenuStyle, zIndex: 'var(--z-popover)', backgroundColor: 'var(--dd-bg-card)', border: '1px solid var(--dd-border-strong)', boxShadow: 'var(--dd-shadow-tooltip)' }">
+                <div class="px-3 py-1.5 text-2xs font-semibold uppercase tracking-wider dd-text-muted"
                      :style="{ borderBottom: '1px solid var(--dd-border)' }">
                   {{ currentUser?.username || 'User' }}
                 </div>
-                <button class="w-full text-left px-3 py-1.5 text-[0.6875rem] font-medium transition-colors flex items-center gap-2 dd-text hover:dd-bg-elevated"
-                        @click="showUserMenu = false; router.push({ path: ROUTES.CONFIG, query: { tab: 'profile' } })">
+                <AppButton size="md" variant="plain" weight="medium" class="w-full text-left flex items-center gap-2 dd-text" @click="showUserMenu = false; router.push({ path: ROUTES.CONFIG, query: { tab: 'profile' } })">
                   <AppIcon name="user" :size="11" class="dd-text-muted" />
                   Profile
-                </button>
+                </AppButton>
                 <div class="my-0.5" :style="{ borderTop: '1px solid var(--dd-border)' }" />
-                <button class="w-full text-left px-3 py-1.5 text-[0.6875rem] font-medium transition-colors flex items-center gap-2 hover:dd-bg-elevated"
-                        style="color: var(--dd-danger);"
+                <AppButton size="md" variant="plain" weight="medium" class="w-full text-left flex items-center gap-2" style="color: var(--dd-danger);"
                         @click="handleSignOut">
                   <AppIcon name="sign-out" :size="11" />
                   Sign out
-                </button>
+                </AppButton>
               </div>
             </Transition>
           </div>
         </div>
       </header>
 
-      <AnnouncementBanner
-        v-if="showOidcHttpCompatibilityBanner"
-        data-testid="oidc-http-compat-banner"
-        title="HTTP OIDC discovery detected"
-        permanent-dismiss-label="Don't show again"
-        @dismiss="dismissOidcHttpBannerForSession"
-        @dismiss-permanent="dismissOidcHttpBannerPermanently">
-        One or more OIDC providers use an insecure
-        <code class="px-1 py-0.5 dd-rounded-sm" :style="{ backgroundColor: 'var(--dd-bg)', color: 'var(--dd-warning)' }">http://</code>
-        discovery URL. HTTP discovery is deprecated and will be removed in v1.6.0.
-        <a href="https://getdrydock.com/docs/configuration/authentications/oidc"
-           target="_blank"
-           rel="noopener noreferrer"
-           class="underline font-medium"
-           :style="{ color: 'var(--dd-warning)' }">Migrate your IdP to HTTPS.</a>
-      </AnnouncementBanner>
-
-      <AnnouncementBanner
-        v-if="showLegacyHashDeprecationBanner"
-        data-testid="sha-hash-deprecation-banner"
-        title="Legacy password hash detected"
-        permanent-dismiss-label="Don't show again"
-        @dismiss="dismissLegacyHashBannerForSession"
-        @dismiss-permanent="dismissLegacyHashBannerPermanently">
-        Your basic authentication uses a legacy password hash format. Legacy v1.3.9 formats are deprecated and will be removed in v1.6.0. Migrate to argon2id hashing.
-      </AnnouncementBanner>
+      <div
+        v-if="hasVisibleAnnouncementBanners"
+        class="fixed top-3 left-1/2 -translate-x-1/2 z-50 w-[calc(100%-2rem)] max-w-4xl flex flex-col gap-2"
+      >
+        <AnnouncementBanner
+          v-if="showOidcHttpCompatibilityBanner"
+          data-testid="oidc-http-compat-banner"
+          title="HTTP OIDC discovery detected"
+          permanent-dismiss-label="Don't show again"
+          link-href="https://getdrydock.com/docs/configuration/authentications/oidc"
+          link-label="Migration guide"
+          :style="stackedBannerInlineStyle"
+          @dismiss="dismissOidcHttpBannerForSession"
+          @dismiss-permanent="dismissOidcHttpBannerPermanently">
+          One or more OIDC providers use an insecure
+          <code class="px-1 py-0.5 dd-rounded-sm" :style="{ backgroundColor: 'var(--dd-bg)', color: 'var(--dd-warning)' }">http://</code>
+          discovery URL. HTTP discovery is deprecated and will be removed in v1.6.0.
+        </AnnouncementBanner>
+
+        <AnnouncementBanner
+          v-if="showLegacyHashDeprecationBanner"
+          data-testid="sha-hash-deprecation-banner"
+          title="Legacy password hash detected"
+          permanent-dismiss-label="Don't show again"
+          link-href="https://getdrydock.com/docs/deprecations#legacy-password-hash-formats"
+          link-label="Migration guide"
+          :style="stackedBannerInlineStyle"
+          @dismiss="dismissLegacyHashBannerForSession"
+          @dismiss-permanent="dismissLegacyHashBannerPermanently">
+          Your basic authentication uses a legacy password hash format. Legacy v1.3.9 formats are deprecated and will be removed in v1.6.0.
+        </AnnouncementBanner>
+
+        <AnnouncementBanner
+          v-if="showLegacyConfigDeprecationBanner"
+          data-testid="legacy-config-deprecation-banner"
+          :title="legacyConfigBannerTitle"
+          permanent-dismiss-label="Don't show again"
+          link-href="https://getdrydock.com/docs/deprecations#removal-in-v160"
+          link-label="Migration guide"
+          :style="stackedBannerInlineStyle"
+          @dismiss="legacyConfigDeprecationBanner.dismissForSession"
+          @dismiss-permanent="legacyConfigDeprecationBanner.dismissPermanently">
+          Deprecated configuration aliases are in use. Rename
+          <code class="px-1 py-0.5 dd-rounded-sm" :style="{ backgroundColor: 'var(--dd-bg)', color: 'var(--dd-warning)' }">WUD_*</code>
+          vars to
+          <code class="px-1 py-0.5 dd-rounded-sm" :style="{ backgroundColor: 'var(--dd-bg)', color: 'var(--dd-warning)' }">DD_*</code>
+          and
+          <code class="px-1 py-0.5 dd-rounded-sm" :style="{ backgroundColor: 'var(--dd-bg)', color: 'var(--dd-warning)' }">DD_TRIGGER_*</code>
+          to
+          <code class="px-1 py-0.5 dd-rounded-sm" :style="{ backgroundColor: 'var(--dd-bg)', color: 'var(--dd-warning)' }">DD_ACTION_*</code>
+          or
+          <code class="px-1 py-0.5 dd-rounded-sm" :style="{ backgroundColor: 'var(--dd-bg)', color: 'var(--dd-warning)' }">DD_NOTIFICATION_*</code>.
+          <span v-if="legacyEnvKeysPreview" class="block mt-1 truncate">
+            Env keys ({{ legacyInputSummary?.env.total }}): {{ legacyEnvKeysPreview }}
+          </span>
+          <span v-if="legacyLabelKeysPreview" class="block mt-1 truncate">
+            Label keys ({{ legacyInputSummary?.label.total }}): {{ legacyLabelKeysPreview }}
+          </span>
+        </AnnouncementBanner>
+
+        <AnnouncementBanner
+          v-if="showLegacyApiPathDeprecationBanner"
+          data-testid="legacy-api-path-deprecation-banner"
+          :title="legacyApiPathBannerTitle"
+          permanent-dismiss-label="Don't show again"
+          link-href="https://getdrydock.com/docs/deprecations"
+          link-label="Migration guide"
+          :style="stackedBannerInlineStyle"
+          @dismiss="legacyApiPathDeprecationBanner.dismissForSession"
+          @dismiss-permanent="legacyApiPathDeprecationBanner.dismissPermanently">
+          Unversioned API paths are deprecated. Migrate from
+          <code class="px-1 py-0.5 dd-rounded-sm" :style="{ backgroundColor: 'var(--dd-bg)', color: 'var(--dd-warning)' }">/api/*</code>
+          to
+          <code class="px-1 py-0.5 dd-rounded-sm" :style="{ backgroundColor: 'var(--dd-bg)', color: 'var(--dd-warning)' }">/api/v1/*</code>.
+          <span v-if="legacyApiPathKeysPreview" class="block mt-1 truncate">
+            API paths ({{ legacyInputSummary?.api?.total }}): {{ legacyApiPathKeysPreview }}
+          </span>
+        </AnnouncementBanner>
+      </div>
 
       <!-- MAIN CONTENT -->
-      <main class="flex-1 min-h-0 overflow-hidden flex flex-col pl-4 pr-2 py-4 sm:pl-6 sm:pr-[9px] sm:py-6"
-            :style="{ backgroundColor: 'var(--dd-bg)' }">
+      <main class="flex-1 min-h-0 overflow-clip flex flex-col pl-4 pr-2 py-4 sm:pl-6 sm:pr-[9px] sm:py-6"
+            :style="{ backgroundColor: 'var(--dd-bg)', borderTopLeftRadius: 'var(--dd-radius-lg)' }">
         <router-view />
       </main>
 
@@ -1332,28 +1528,32 @@ onUnmounted(() => {
     <!-- About Modal -->
     <Teleport to="body">
       <div v-if="showAbout"
-           class="fixed inset-0 z-[100] bg-black/50 backdrop-blur-sm"
+           class="fixed inset-0 z-overlay bg-black/50 backdrop-blur-sm"
            @pointerdown.self="showAbout = false">
         <div class="flex items-start justify-center pt-[20vh] min-h-full px-4"
              @pointerdown.self="showAbout = false">
           <div role="dialog"
                aria-modal="true"
                aria-labelledby="about-dialog-title"
-               class="relative w-full max-w-[340px] dd-rounded-lg overflow-hidden shadow-2xl"
+               class="relative w-full max-w-[var(--dd-layout-about-max-width)] dd-rounded-lg overflow-hidden shadow-2xl"
                :style="{ backgroundColor: 'var(--dd-bg-card)', border: '1px solid var(--dd-border-strong)' }">
-            <button aria-label="Close"
-                    class="absolute top-3 right-3 z-10 w-6 h-6 flex items-center justify-center dd-rounded transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
-                    @click="showAbout = false">
-              <AppIcon name="xmark" :size="12" />
-            </button>
+            <AppIconButton
+                    icon="xmark"
+                    size="xs"
+                    variant="muted"
+                    tooltip="Close"
+                    aria-label="Close"
+                    class="absolute top-3 right-3 z-10"
+                    @click="showAbout = false"
+            />
             <div class="flex flex-col items-center pt-6 pb-4 px-6">
               <div class="-mx-6 w-[calc(100%+3rem)] h-12 mb-3 relative pointer-events-none">
                 <img :src="whaleLogo" alt="Drydock" class="h-10 w-[65px] absolute top-1 about-swim"
                      :style="isDark ? { filter: 'invert(1)' } : {}" />
               </div>
               <h2 id="about-dialog-title" class="text-base font-bold dd-text">Drydock</h2>
-              <span class="text-[0.6875rem] dd-text-muted mt-0.5">Docker Container Update Manager</span>
-              <span v-if="appVersion" class="badge text-[0.625rem] font-semibold mt-2 dd-bg-elevated dd-text-secondary">v{{ appVersion }}</span>
+              <span class="text-2xs-plus dd-text-muted mt-0.5">Docker Container Update Manager</span>
+              <span v-if="appVersion" class="badge text-2xs font-semibold mt-2 dd-bg-elevated dd-text-secondary">v{{ appVersion }}</span>
             </div>
             <div class="px-6 pb-5 flex flex-col gap-2"
                  :style="{ borderTop: '1px solid var(--dd-border)' }">
@@ -1383,14 +1583,14 @@ onUnmounted(() => {
     <!-- Search Modal -->
     <Teleport to="body">
       <div v-if="showSearch"
-           class="fixed inset-0 z-[100] bg-black/50 backdrop-blur-sm"
+           class="fixed inset-0 z-overlay bg-black/50 backdrop-blur-sm"
            @pointerdown.self="showSearch = false">
         <div class="flex items-start justify-center pt-[15vh] min-h-full px-4"
              @pointerdown.self="showSearch = false">
           <div role="dialog"
                aria-modal="true"
                aria-label="Search"
-               class="relative w-full max-w-[560px] dd-rounded-lg overflow-hidden shadow-2xl"
+               class="relative w-full max-w-[var(--dd-layout-search-max-width)] dd-rounded-lg overflow-hidden shadow-2xl"
                :style="{ backgroundColor: 'var(--dd-bg-card)', border: '1px solid var(--dd-border-strong)' }">
             <div class="flex items-center gap-3 px-4 py-3"
                  :style="{ borderBottom: '1px solid var(--dd-border)' }">
@@ -1403,34 +1603,34 @@ onUnmounted(() => {
                      @keydown.escape="showSearch = false"
                      @keydown="handleSearchInputKeydown" />
               <span v-if="scopePrefixLabel"
-                    class="px-1.5 py-0.5 text-[0.625rem] uppercase tracking-wide font-semibold dd-rounded-sm dd-bg-elevated dd-text-secondary">
+                    class="px-1.5 py-0.5 text-2xs uppercase tracking-wide font-semibold dd-rounded-sm dd-bg-elevated dd-text-secondary">
                 {{ scopePrefixLabel }}
               </span>
-              <kbd class="px-1.5 py-0.5 dd-rounded-sm text-[0.625rem] font-medium dd-bg-elevated dd-text-muted">ESC</kbd>
+              <kbd class="px-1.5 py-0.5 dd-rounded-sm text-2xs font-medium dd-bg-elevated dd-text-muted">ESC</kbd>
             </div>
             <div class="px-3 py-2 flex items-center gap-1.5"
                  :style="{ borderBottom: '1px solid var(--dd-border)' }">
-              <button
+              <AppButton size="none" variant="plain" weight="none"
                 v-for="scopeOption in SEARCH_SCOPE_OPTIONS"
                 :key="scopeOption.id"
-                class="inline-flex items-center gap-1 px-2 py-1 text-[0.625rem] uppercase tracking-wide font-semibold border dd-rounded transition-colors"
+                class="inline-flex items-center gap-1 px-2 py-1 text-2xs uppercase tracking-wide font-semibold border dd-rounded transition-colors"
                 :aria-pressed="String(scopeOption.id === effectiveSearchScope)"
                 :style="searchScopeChipStyles(scopeOption.id, scopeOption.id === effectiveSearchScope)"
                 @click="applySearchScope(scopeOption.id)">
                 {{ scopeOption.label }}
-                <span class="text-[0.5625rem] opacity-80">{{ searchScopeCounts[scopeOption.id] }}</span>
-              </button>
-              <span class="ml-auto text-[0.625rem] dd-text-muted">
+                <span class="text-3xs opacity-80">{{ searchScopeCounts[scopeOption.id] }}</span>
+              </AppButton>
+              <span class="ml-auto text-2xs dd-text-muted">
                 {{ searchResults.length }} shown
               </span>
             </div>
             <div class="max-h-[360px] overflow-y-auto py-1">
               <template v-for="(group, groupIndex) in groupedSearchResults" :key="group.id">
-                <div class="px-4 py-1.5 text-[0.625rem] font-bold uppercase tracking-[0.12em] dd-text-muted"
+                <div class="px-4 py-1.5 text-2xs font-bold uppercase tracking-[var(--dd-letter-spacing-section)] dd-text-muted"
                      :style="groupIndex > 0 ? { borderTop: '1px solid var(--dd-border)' } : {}">
                   {{ group.label }}
                 </div>
-                <button
+                <AppButton size="none" variant="plain" weight="none"
                   v-for="result in group.items"
                   :key="result.id"
                   class="w-full px-4 py-2.5 text-left flex items-center gap-3 transition-colors"
@@ -1447,10 +1647,10 @@ onUnmounted(() => {
                   </div>
                   <div class="min-w-0 flex-1">
                     <div class="text-xs font-semibold truncate dd-text">{{ result.title }}</div>
-                    <div class="text-[0.625rem] truncate dd-text-muted">{{ result.subtitle }}</div>
+                    <div class="text-2xs truncate dd-text-muted">{{ result.subtitle }}</div>
                   </div>
                   <AppIcon name="chevron-right" :size="11" class="dd-text-muted shrink-0" />
-                </button>
+                </AppButton>
               </template>
               <div v-if="searchResults.length === 0"
                    class="px-4 py-6 text-center text-xs dd-text-muted">
@@ -1459,7 +1659,7 @@ onUnmounted(() => {
                 <span v-else>Type to search pages, containers, agents, triggers, watchers, and settings.</span>
               </div>
             </div>
-            <div class="px-4 py-2.5 flex items-center justify-between text-[0.625rem] dd-text-muted"
+            <div class="px-4 py-2.5 flex items-center justify-between text-2xs dd-text-muted"
                  :style="{ borderTop: '1px solid var(--dd-border)' }">
               <span>
                 <span v-if="scopePrefixLabel">Prefix scope active; use </span>
@@ -1487,8 +1687,9 @@ onUnmounted(() => {
     <Teleport to="body">
       <Transition name="menu-fade">
         <div v-if="connectionLost"
-             class="fixed inset-0 z-[200] bg-black/70 backdrop-blur-sm flex items-center justify-center">
-          <div class="w-full max-w-[320px] mx-4 dd-rounded-lg overflow-hidden shadow-2xl text-center"
+             class="fixed inset-0 bg-black/70 backdrop-blur-sm flex items-center justify-center"
+             style="z-index: var(--z-modal, 200)">
+          <div class="w-full max-w-[var(--dd-layout-overlay-max-width)] mx-4 dd-rounded-lg overflow-hidden shadow-2xl text-center"
                :style="{ backgroundColor: 'var(--dd-bg-card)', border: '1px solid var(--dd-border-strong)' }">
             <div class="flex flex-col items-center px-6 py-8 gap-3">
               <div class="disconnect-bounce h-10 mb-1">
@@ -1496,12 +1697,12 @@ onUnmounted(() => {
                      :style="[{ transform: 'rotate(180deg) scaleX(-1)' }, isDark ? { filter: 'invert(1)' } : {}]" />
               </div>
               <h2 class="text-sm font-bold dd-text">{{ connectionOverlayTitle }}</h2>
-              <p class="text-[0.6875rem] dd-text-muted leading-relaxed">
+              <p class="text-2xs-plus dd-text-muted leading-relaxed">
                 {{ connectionOverlayMessage }}
               </p>
               <div class="flex items-center gap-2 mt-1">
                 <AppIcon name="spinner" :size="12" class="dd-spin dd-text-muted" />
-                <span class="text-[0.625rem] dd-text-muted">{{ connectionOverlayStatus }}</span>
+                <span class="text-2xs dd-text-muted">{{ connectionOverlayStatus }}</span>
               </div>
             </div>
           </div>
@@ -1520,13 +1721,13 @@ onUnmounted(() => {
   100% { left: 0; transform: scaleX(-1); }
 }
 .about-swim {
-  animation: swim 6s ease-in-out infinite;
+  animation: swim var(--dd-duration-decorative) ease-in-out infinite;
 }
 .disconnect-bounce {
-  animation: disconnect-bounce 2s ease-in-out infinite;
+  animation: disconnect-bounce var(--dd-duration-pulse) ease-in-out infinite;
 }
 @keyframes disconnect-bounce {
   0%, 100% { transform: translateY(0); }
-  50% { transform: translateY(-8px); }
+  50% { transform: translateY(var(--dd-motion-bounce-y)); }
 }
 </style>
diff --git a/ui/src/main.ts b/ui/src/main.ts
index f197c64d5..960a27ef5 100644
--- a/ui/src/main.ts
+++ b/ui/src/main.ts
@@ -1,7 +1,9 @@
 import { createApp } from 'vue';
 import App from './App.vue';
 import { disableIconifyApi, registerIcons } from './boot/icons';
+import AppButton from './components/AppButton.vue';
 import AppIcon from './components/AppIcon.vue';
+import AppToast from './components/AppToast.vue';
 import ConfirmDialog from './components/ConfirmDialog.vue';
 import ContainerIcon from './components/ContainerIcon.vue';
 import CopyableTag from './components/CopyableTag.vue';
@@ -54,6 +56,7 @@ void loadServerFeatures();
 
 const app = createApp(App);
 app.component('AppIcon', AppIcon);
+app.component('AppButton', AppButton);
 app.component('AppLayout', AppLayout);
 app.component('ContainerIcon', ContainerIcon);
 app.component('ThemeToggle', ThemeToggle);
@@ -65,6 +68,7 @@ app.component('DataListAccordion', DataListAccordion);
 app.component('DataViewLayout', DataViewLayout);
 app.component('DetailPanel', DetailPanel);
 app.component('EmptyState', EmptyState);
+app.component('AppToast', AppToast);
 app.component('ConfirmDialog', ConfirmDialog);
 app.component('CopyableTag', CopyableTag);
 app.directive('tooltip', Tooltip);
diff --git a/ui/src/preferences/index.ts b/ui/src/preferences/index.ts
index eec78c5ff..9290f6454 100644
--- a/ui/src/preferences/index.ts
+++ b/ui/src/preferences/index.ts
@@ -1,17 +1,8 @@
 export const PREFERENCES_API_VERSION = 1;
 
 export { mergeDefaults, migrate, migrateFromLegacyKeys } from './migrate';
-export type { PreferencesSchema, ViewMode } from './schema';
 export { DEFAULTS } from './schema';
 export { flushPreferences, preferences, resetPreferences } from './store';
 export { usePreference } from './usePreference';
 export { useViewMode } from './useViewMode';
-export {
-  isValidScale,
-  isViewMode,
-  RADIUS_PRESETS,
-  TABLE_ACTIONS,
-  THEME_FAMILIES,
-  THEME_VARIANTS,
-  VIEW_MODES,
-} from './validators';
+export { isValidScale, isViewMode } from './validators';
diff --git a/ui/src/preferences/migrate.ts b/ui/src/preferences/migrate.ts
index ea3d93fe8..0643e348f 100644
--- a/ui/src/preferences/migrate.ts
+++ b/ui/src/preferences/migrate.ts
@@ -1,5 +1,10 @@
 import { deepMerge } from './deepMerge';
-import { DEFAULTS, type PreferencesSchema } from './schema';
+import {
+  CONTAINER_TABLE_COLUMN_KEYS,
+  CONTAINER_TABLE_REQUIRED_COLUMN_KEYS,
+  DEFAULTS,
+  type PreferencesSchema,
+} from './schema';
 import {
   FONT_FAMILIES,
   ICON_LIBRARIES,
@@ -66,6 +71,19 @@ function sanitize(data: Record<string, unknown>): void {
     const c = containers as Record<string, unknown>;
     if ('viewMode' in c && !isViewMode(c.viewMode)) delete c.viewMode;
     deleteIfInvalid(c, 'tableActions', TABLE_ACTIONS);
+
+    if ('columns' in c) {
+      if (!isStringArray(c.columns)) {
+        delete c.columns;
+      } else {
+        const visible = new Set(c.columns);
+        c.columns = CONTAINER_TABLE_COLUMN_KEYS.filter(
+          (key) =>
+            visible.has(key) ||
+            (CONTAINER_TABLE_REQUIRED_COLUMN_KEYS as readonly string[]).includes(key),
+        );
+      }
+    }
   }
 }
 
@@ -310,26 +328,40 @@ function migrateDashboardPreference(): { widgetOrder: string[] } | undefined {
   return undefined;
 }
 
-function migrateSecurityViewPreference(): Record<string, unknown> | undefined {
-  const secView = readString('dd-security-view-v1');
-  const secSortField = readString('dd-security-sort-field-v1');
-  const secSortAsc = readJSON('dd-security-sort-asc-v1', isBoolean);
-  if (!secView && secSortField === undefined && secSortAsc === undefined) {
+function migrateSortableViewPreference(args: {
+  viewKey: string;
+  sortFieldKey: string;
+  sortFieldOutputKey: string;
+  sortAscKey: string;
+}): Record<string, unknown> | undefined {
+  const view = readString(args.viewKey);
+  const sortField = readString(args.sortFieldKey);
+  const sortAsc = readJSON(args.sortAscKey, isBoolean);
+  if (!view && sortField === undefined && sortAsc === undefined) {
     return undefined;
   }
 
-  const security: Record<string, unknown> = {};
-  if (secView && isViewMode(secView)) {
-    security.mode = secView;
+  const preference: Record<string, unknown> = {};
+  if (view && isViewMode(view)) {
+    preference.mode = view;
   }
-  if (secSortField !== undefined) {
-    security.sortField = secSortField;
+  if (sortField !== undefined) {
+    preference[args.sortFieldOutputKey] = sortField;
   }
-  if (secSortAsc !== undefined) {
-    security.sortAsc = secSortAsc;
+  if (sortAsc !== undefined) {
+    preference.sortAsc = sortAsc;
   }
 
-  return Object.keys(security).length > 0 ? security : undefined;
+  return Object.keys(preference).length > 0 ? preference : undefined;
+}
+
+function migrateSecurityViewPreference(): Record<string, unknown> | undefined {
+  return migrateSortableViewPreference({
+    viewKey: 'dd-security-view-v1',
+    sortFieldKey: 'dd-security-sort-field-v1',
+    sortFieldOutputKey: 'sortField',
+    sortAscKey: 'dd-security-sort-asc-v1',
+  });
 }
 
 function migrateAuditViewPreference(): { mode: string } | undefined {
@@ -341,25 +373,12 @@ function migrateAuditViewPreference(): { mode: string } | undefined {
 }
 
 function migrateAgentsViewPreference(): Record<string, unknown> | undefined {
-  const agentsView = readString('dd-agents-view-v1');
-  const agentsSortKey = readString('dd-agents-sort-key-v1');
-  const agentsSortAsc = readJSON('dd-agents-sort-asc-v1', isBoolean);
-  if (!agentsView && agentsSortKey === undefined && agentsSortAsc === undefined) {
-    return undefined;
-  }
-
-  const agents: Record<string, unknown> = {};
-  if (agentsView && isViewMode(agentsView)) {
-    agents.mode = agentsView;
-  }
-  if (agentsSortKey !== undefined) {
-    agents.sortKey = agentsSortKey;
-  }
-  if (agentsSortAsc !== undefined) {
-    agents.sortAsc = agentsSortAsc;
-  }
-
-  return Object.keys(agents).length > 0 ? agents : undefined;
+  return migrateSortableViewPreference({
+    viewKey: 'dd-agents-view-v1',
+    sortFieldKey: 'dd-agents-sort-key-v1',
+    sortFieldOutputKey: 'sortKey',
+    sortAscKey: 'dd-agents-sort-asc-v1',
+  });
 }
 
 function migrateSimpleViewModePreferences(): Record<string, { mode: string }> {
@@ -452,6 +471,7 @@ export function migrateFromLegacyKeys(): PreferencesSchema {
     prefs.views = views;
   }
 
+  sanitize(prefs);
   const result = mergeDefaults(prefs);
   persistMigratedPreferences(result);
   return result;
diff --git a/ui/src/preferences/schema.ts b/ui/src/preferences/schema.ts
index e8b0c5cf9..3decfb681 100644
--- a/ui/src/preferences/schema.ts
+++ b/ui/src/preferences/schema.ts
@@ -3,6 +3,14 @@ import type { RadiusPresetId } from './radius';
 
 export type ViewMode = 'table' | 'cards' | 'list';
 
+export interface PersistedLayoutItem {
+  i: string;
+  x: number;
+  y: number;
+  w: number;
+  h: number;
+}
+
 export interface PreferencesSchema {
   schemaVersion: number;
   theme: { family: ThemeFamily; variant: string };
@@ -24,7 +32,7 @@ export interface PreferencesSchema {
     };
     columns: string[];
   };
-  dashboard: { widgetOrder: string[] };
+  dashboard: { widgetOrder: string[]; hiddenWidgets: string[]; gridLayout: PersistedLayoutItem[] };
   views: {
     security: { mode: ViewMode; sortField: string; sortAsc: boolean };
     audit: { mode: ViewMode };
@@ -38,6 +46,19 @@ export interface PreferencesSchema {
   };
 }
 
+export const CONTAINER_TABLE_COLUMN_KEYS = [
+  'icon',
+  'name',
+  'version',
+  'kind',
+  'status',
+  'imageAge',
+  'server',
+  'registry',
+] as const;
+
+export const CONTAINER_TABLE_REQUIRED_COLUMN_KEYS = ['icon', 'name'] as const;
+
 export const DEFAULTS: PreferencesSchema = {
   schemaVersion: 1,
   theme: { family: 'one-dark', variant: 'dark' },
@@ -57,7 +78,7 @@ export const DEFAULTS: PreferencesSchema = {
       server: 'all',
       kind: 'all',
     },
-    columns: ['icon', 'name', 'version', 'kind', 'status', 'bouncer', 'server', 'registry'],
+    columns: [...CONTAINER_TABLE_COLUMN_KEYS],
   },
   dashboard: {
     widgetOrder: [
@@ -67,9 +88,12 @@ export const DEFAULTS: PreferencesSchema = {
       'stat-registries',
       'recent-updates',
       'security-overview',
+      'resource-usage',
       'host-status',
       'update-breakdown',
     ],
+    hiddenWidgets: [],
+    gridLayout: [],
   },
   views: {
     security: { mode: 'table', sortField: 'critical', sortAsc: false },
diff --git a/ui/src/router/index.ts b/ui/src/router/index.ts
index 7c3354328..5d8c8383a 100644
--- a/ui/src/router/index.ts
+++ b/ui/src/router/index.ts
@@ -23,10 +23,15 @@ const viewLoaders = {
   notifications: () => import('../views/NotificationsView.vue'),
   audit: () => import('../views/AuditView.vue'),
   logs: () => import('../views/LogsView.vue'),
+  containerLogs: () => import('../views/ContainerLogsView.vue'),
 };
 
-function createLazyRoute(path: string, name: keyof typeof viewLoaders): RouteRecordRaw {
-  return { path, name, component: viewLoaders[name] };
+function createLazyRoute(
+  path: string,
+  viewName: keyof typeof viewLoaders,
+  routeName: string = viewName,
+): RouteRecordRaw {
+  return { path, name: routeName, component: viewLoaders[viewName] };
 }
 
 const routes: RouteRecordRaw[] = [
@@ -37,6 +42,7 @@ const routes: RouteRecordRaw[] = [
     children: [
       createLazyRoute('', 'dashboard'),
       createLazyRoute(ROUTES.CONTAINERS, 'containers'),
+      createLazyRoute(ROUTES.CONTAINER_LOGS, 'containerLogs', 'container-logs'),
       createLazyRoute(ROUTES.SECURITY, 'security'),
       createLazyRoute(ROUTES.SERVERS, 'servers'),
       createLazyRoute(ROUTES.CONFIG, 'config'),
diff --git a/ui/src/router/routes.ts b/ui/src/router/routes.ts
index 898cb9b7d..7f1d0b086 100644
--- a/ui/src/router/routes.ts
+++ b/ui/src/router/routes.ts
@@ -5,6 +5,9 @@
  *  - `?q=`          — search term (standard across all list views)
  *  - `?tab=`        — section tab (ConfigView: appearance | profile)
  *  - `?filterKind=` — update kind filter (ContainersView)
+ *  - `?filterStatus=` / `?filterRegistry=` / `?filterBouncer=` / `?filterServer=` — container filters (ContainersView)
+ *  - `?sort=`       — container sort (ContainersView)
+ *  - `?groupByStack=` — group containers by stack labels (ContainersView)
  *  - `?view=`       — view mode (AuditView)
  *  - `?page=`       — pagination (AuditView)
  *  - `?action=`     — action filter (AuditView)
@@ -20,6 +23,7 @@ export const ROUTES = {
   LOGIN: '/login',
   DASHBOARD: '/',
   CONTAINERS: '/containers',
+  CONTAINER_LOGS: '/containers/:id/logs',
   SECURITY: '/security',
   SERVERS: '/servers',
   CONFIG: '/config',
@@ -32,5 +36,3 @@ export const ROUTES = {
   AUDIT: '/audit',
   LOGS: '/logs',
 } as const;
-
-export type RoutePath = (typeof ROUTES)[keyof typeof ROUTES];
diff --git a/ui/src/services/agent.ts b/ui/src/services/agent.ts
index acaf0af82..b25cd430b 100644
--- a/ui/src/services/agent.ts
+++ b/ui/src/services/agent.ts
@@ -2,7 +2,7 @@ import { extractCollectionData } from '../utils/api';
 
 const BASE_URL = '/api/v1/agents';
 
-export interface ApiAgent {
+interface ApiAgent {
   name: string;
   connected: boolean;
   host?: string;
diff --git a/ui/src/services/audit.ts b/ui/src/services/audit.ts
index 393b436d6..8f6fb1961 100644
--- a/ui/src/services/audit.ts
+++ b/ui/src/services/audit.ts
@@ -6,6 +6,7 @@ export async function getAuditLog(
     offset?: number;
     limit?: number;
     action?: string;
+    actions?: string[];
     container?: string;
     from?: string;
     to?: string;
@@ -24,6 +25,7 @@ export async function getAuditLog(
   if (offset !== undefined) query.set('offset', String(offset));
   query.set('limit', String(limit));
   if (params.action) query.set('action', params.action);
+  if (params.actions && params.actions.length > 0) query.set('actions', params.actions.join(','));
   if (params.container) query.set('container', params.container);
   if (params.from) query.set('from', params.from);
   if (params.to) query.set('to', params.to);
diff --git a/ui/src/services/auth.ts b/ui/src/services/auth.ts
index afe6864ab..da517aae9 100644
--- a/ui/src/services/auth.ts
+++ b/ui/src/services/auth.ts
@@ -7,6 +7,18 @@ import { errorMessage } from '../utils/error';
 // Current logged user
 let user = undefined;
 
+function getPayloadErrorMessage(payload: unknown): string {
+  if (typeof payload !== 'object' || payload === null) {
+    return '';
+  }
+  if (!('error' in payload)) {
+    return '';
+  }
+
+  const error = payload.error;
+  return typeof error === 'string' ? error.trim() : '';
+}
+
 /**
  * Get auth provider status.
  * @returns {Promise<unknown>}
@@ -64,14 +76,26 @@ async function loginBasic(username: string, password: string, remember: boolean
     body: JSON.stringify({ remember }),
   });
   if (!response.ok) {
-    throw new Error('Username or password error');
+    let message = '';
+    try {
+      const payload: unknown = await response.json();
+      message = getPayloadErrorMessage(payload);
+    } catch {
+      // Ignore response parsing errors and fallback to a generic credential error.
+    }
+
+    if (response.status === 401 || message.toLowerCase() === 'unauthorized') {
+      throw new Error('Username or password error');
+    }
+
+    throw new Error(message || 'Username or password error');
   }
   user = await response.json();
   return user;
 }
 
 /**
- * Store remember-me preference in the session before any auth flow.
+ * Store remember-me preference in the session before auth flows.
  */
 async function setRememberMe(remember: boolean) {
   await fetch('/auth/remember', {
diff --git a/ui/src/services/container.ts b/ui/src/services/container.ts
index 2aea024c5..6981d35b6 100644
--- a/ui/src/services/container.ts
+++ b/ui/src/services/container.ts
@@ -345,6 +345,21 @@ async function scanContainer(containerId: string, signal?: AbortSignal) {
   return response.json();
 }
 
+async function getContainerReleaseNotes(containerId: string) {
+  const response = await fetch(`/api/v1/containers/${containerId}/release-notes`, {
+    credentials: 'include',
+  });
+  if (response.status === 404) {
+    return null;
+  }
+  if (!response.ok) {
+    throw new Error(
+      `Failed to get release notes for container ${containerId}: ${response.statusText}`,
+    );
+  }
+  return response.json();
+}
+
 async function revealContainerEnv(containerId: string) {
   const response = await fetch(`/api/v1/containers/${containerId}/env/reveal`, {
     method: 'POST',
@@ -363,6 +378,7 @@ export {
   getContainerGroups,
   getContainerLogs,
   getContainerRecentStatus,
+  getContainerReleaseNotes,
   getContainerSbom,
   getContainerSummary,
   getContainerTriggers,
diff --git a/ui/src/services/debug.ts b/ui/src/services/debug.ts
new file mode 100644
index 000000000..3a8d06add
--- /dev/null
+++ b/ui/src/services/debug.ts
@@ -0,0 +1,68 @@
+interface DebugDumpDownload {
+  blob: Blob;
+  filename: string;
+}
+
+const DEFAULT_DEBUG_DUMP_FILENAME = 'drydock-debug-dump.json';
+
+function parseFilenameFromContentDisposition(
+  contentDispositionHeader: string | null,
+): string | undefined {
+  if (!contentDispositionHeader) {
+    return undefined;
+  }
+
+  const utf8FilenameMatch = contentDispositionHeader.match(/filename\*\s*=\s*UTF-8''([^;]+)/i);
+  if (utf8FilenameMatch?.[1]) {
+    try {
+      return decodeURIComponent(utf8FilenameMatch[1].replace(/^"|"$/g, ''));
+    } catch {
+      return utf8FilenameMatch[1].replace(/^"|"$/g, '');
+    }
+  }
+
+  const quotedFilenameMatch = contentDispositionHeader.match(/filename\s*=\s*"([^"]+)"/i);
+  if (quotedFilenameMatch?.[1]) {
+    return quotedFilenameMatch[1];
+  }
+
+  const plainFilenameMatch = contentDispositionHeader.match(/filename\s*=\s*([^;]+)/i);
+  if (plainFilenameMatch?.[1]) {
+    return plainFilenameMatch[1].trim().replace(/^"|"$/g, '');
+  }
+
+  return undefined;
+}
+
+async function getApiErrorMessage(response: Response): Promise<string> {
+  try {
+    const payload = (await response.json()) as { error?: unknown };
+    if (typeof payload.error === 'string' && payload.error.trim().length > 0) {
+      return payload.error;
+    }
+  } catch {
+    // Ignore parse errors and fallback to status-based message.
+  }
+
+  return `HTTP ${response.status}`;
+}
+
+export async function downloadDebugDump(): Promise<DebugDumpDownload> {
+  const response = await fetch('/api/v1/debug/dump', {
+    credentials: 'include',
+    headers: {
+      Accept: 'application/json',
+    },
+  });
+
+  if (!response.ok) {
+    throw new Error(await getApiErrorMessage(response));
+  }
+
+  const blob = await response.blob();
+  const filename =
+    parseFilenameFromContentDisposition(response.headers.get('Content-Disposition')) ||
+    DEFAULT_DEBUG_DUMP_FILENAME;
+
+  return { blob, filename };
+}
diff --git a/ui/src/services/logs.ts b/ui/src/services/logs.ts
new file mode 100644
index 000000000..0821706f0
--- /dev/null
+++ b/ui/src/services/logs.ts
@@ -0,0 +1,236 @@
+type LogStreamTail = number | 'all';
+
+export interface ContainerLogFrame {
+  type: 'stdout' | 'stderr';
+  ts: string;
+  line: string;
+}
+
+export type ContainerLogStreamFrame = ContainerLogFrame;
+export type ContainerLogStreamStatus = 'connected' | 'disconnected';
+
+export interface ContainerLogQuery {
+  stdout?: boolean;
+  stderr?: boolean;
+  tail?: LogStreamTail;
+  since?: string | number;
+  follow?: boolean;
+}
+
+interface ContainerLogStreamConnectionOptions {
+  containerId: string;
+  query?: ContainerLogQuery;
+  onMessage: (frame: ContainerLogStreamFrame) => void;
+  onStatus?: (status: ContainerLogStreamStatus) => void;
+  webSocketFactory?: (url: string) => WebSocket;
+  location?: Location;
+}
+
+export interface ContainerLogStreamConnection {
+  update: (query: Partial<ContainerLogQuery>) => void;
+  pause: () => void;
+  resume: () => void;
+  close: () => void;
+  isPaused: () => boolean;
+}
+
+const ALL_TAIL_VALUE = 2147483647;
+
+function isLogFrame(payload: unknown): payload is ContainerLogFrame {
+  if (!payload || typeof payload !== 'object') {
+    return false;
+  }
+  const frame = payload as Record<string, unknown>;
+  return (
+    (frame.type === 'stdout' || frame.type === 'stderr') &&
+    typeof frame.ts === 'string' &&
+    typeof frame.line === 'string'
+  );
+}
+
+function parseLogFrameMessage(data: unknown): ContainerLogFrame | null {
+  if (typeof data !== 'string') {
+    return null;
+  }
+
+  try {
+    const payload = JSON.parse(data);
+    return isLogFrame(payload) ? payload : null;
+  } catch {
+    // Ignore malformed stream frames.
+    return null;
+  }
+}
+
+export function toLogTailValue(value: LogStreamTail): number {
+  return value === 'all' ? ALL_TAIL_VALUE : value;
+}
+
+function normalizeQuery(
+  query: ContainerLogQuery = {},
+): Required<Omit<ContainerLogQuery, 'since'>> & Pick<ContainerLogQuery, 'since'> {
+  return {
+    stdout: query.stdout ?? true,
+    stderr: query.stderr ?? true,
+    tail: query.tail ?? 100,
+    since: query.since,
+    follow: query.follow ?? true,
+  };
+}
+
+export function buildContainerLogStreamUrl(
+  containerId: string,
+  query: ContainerLogQuery = {},
+  locationRef: Location = window.location,
+): string {
+  const normalized = normalizeQuery(query);
+  const protocol = locationRef.protocol === 'https:' ? 'wss:' : 'ws:';
+  const params = new URLSearchParams();
+  params.set('stdout', `${normalized.stdout}`);
+  params.set('stderr', `${normalized.stderr}`);
+  params.set('tail', `${toLogTailValue(normalized.tail)}`);
+
+  if (normalized.since) {
+    params.set('since', `${normalized.since}`);
+  }
+  params.set('follow', `${normalized.follow}`);
+
+  return `${protocol}//${locationRef.host}/api/v1/containers/${encodeURIComponent(containerId)}/logs/stream?${params.toString()}`;
+}
+
+export function createContainerLogStreamConnection(
+  options: ContainerLogStreamConnectionOptions,
+): ContainerLogStreamConnection {
+  const webSocketFactory = options.webSocketFactory ?? ((url) => new WebSocket(url));
+  const locationRef = options.location ?? window.location;
+  let query: ContainerLogQuery = { ...options.query };
+  let paused = false;
+  let closed = false;
+  let socket: WebSocket | undefined;
+
+  function closeSocket(code: number, reason: string) {
+    if (!socket) {
+      return;
+    }
+
+    const activeSocket = socket;
+    socket = undefined;
+    activeSocket.close(code, reason);
+  }
+
+  function isActiveSocket(candidate: WebSocket): boolean {
+    return socket === candidate;
+  }
+
+  function notifyDisconnectedIfActive(candidate: WebSocket) {
+    if (!isActiveSocket(candidate) || paused || closed) {
+      return;
+    }
+    options.onStatus?.('disconnected');
+  }
+
+  function connect() {
+    if (closed || paused) {
+      return;
+    }
+
+    const streamUrl = buildContainerLogStreamUrl(options.containerId, query, locationRef);
+    const nextSocket = webSocketFactory(streamUrl);
+    socket = nextSocket;
+
+    nextSocket.onopen = () => {
+      if (!isActiveSocket(nextSocket)) {
+        return;
+      }
+      options.onStatus?.('connected');
+    };
+    nextSocket.onmessage = (event) => {
+      if (!isActiveSocket(nextSocket)) {
+        return;
+      }
+
+      const frame = parseLogFrameMessage(event.data);
+      if (frame) {
+        options.onMessage(frame);
+      }
+    };
+    nextSocket.onerror = () => {
+      notifyDisconnectedIfActive(nextSocket);
+    };
+    nextSocket.onclose = () => {
+      if (!isActiveSocket(nextSocket)) {
+        return;
+      }
+      const shouldNotify = !paused && !closed;
+      socket = undefined;
+      if (shouldNotify) {
+        options.onStatus?.('disconnected');
+      }
+    };
+  }
+
+  connect();
+
+  return {
+    update(nextQuery) {
+      query = {
+        ...query,
+        ...nextQuery,
+      };
+      closeSocket(1000, 'reconnect');
+      connect();
+    },
+    pause() {
+      if (paused || closed) {
+        return;
+      }
+      paused = true;
+      closeSocket(1000, 'pause');
+    },
+    resume() {
+      if (!paused || closed) {
+        return;
+      }
+      paused = false;
+      connect();
+    },
+    close() {
+      if (closed) {
+        return;
+      }
+      closed = true;
+      closeSocket(1000, 'manual-close');
+    },
+    isPaused() {
+      return paused;
+    },
+  };
+}
+
+export async function downloadContainerLogs(
+  containerId: string,
+  query: Pick<ContainerLogQuery, 'stdout' | 'stderr' | 'tail' | 'since'> = {},
+): Promise<Blob> {
+  const params = new URLSearchParams();
+  params.set('stdout', `${query.stdout ?? true}`);
+  params.set('stderr', `${query.stderr ?? true}`);
+  params.set('tail', `${toLogTailValue(query.tail ?? 100)}`);
+  if (query.since) {
+    params.set('since', `${query.since}`);
+  }
+
+  const response = await fetch(
+    `/api/v1/containers/${encodeURIComponent(containerId)}/logs?${params.toString()}`,
+    {
+      credentials: 'include',
+      headers: {
+        Accept: 'text/plain',
+      },
+    },
+  );
+  if (!response.ok) {
+    throw new Error(`Failed to download logs for container ${containerId}: ${response.statusText}`);
+  }
+
+  return response.blob();
+}
diff --git a/ui/src/services/stats.ts b/ui/src/services/stats.ts
new file mode 100644
index 000000000..c2a4618ad
--- /dev/null
+++ b/ui/src/services/stats.ts
@@ -0,0 +1,323 @@
+import { extractCollectionData } from '../utils/api';
+
+export interface ContainerStatsSnapshot {
+  containerId: string;
+  cpuPercent: number;
+  memoryUsageBytes: number;
+  memoryLimitBytes: number;
+  memoryPercent: number;
+  networkRxBytes: number;
+  networkTxBytes: number;
+  blockReadBytes: number;
+  blockWriteBytes: number;
+  timestamp: string;
+}
+
+interface ContainerStatsResponse {
+  data: ContainerStatsSnapshot | null;
+  history: ContainerStatsSnapshot[];
+}
+
+export interface ContainerStatsSummaryItem {
+  id: string;
+  name: string;
+  status?: string;
+  watcher?: string;
+  agent?: string;
+  stats: ContainerStatsSnapshot | null;
+}
+
+interface ContainerStatsStreamEventHandlers {
+  onOpen?: () => void;
+  onSnapshot?: (snapshot: ContainerStatsSnapshot) => void;
+  onHeartbeat?: () => void;
+  onError?: () => void;
+}
+
+interface ContainerStatsStreamOptions {
+  reconnectDelayMs?: number;
+}
+
+export interface ContainerStatsStreamController {
+  pause: () => void;
+  resume: () => void;
+  disconnect: () => void;
+  isPaused: () => boolean;
+}
+
+const DEFAULT_RECONNECT_DELAY_MS = 3000;
+
+interface StreamConnectionState {
+  eventSource?: EventSource;
+  reconnectTimer?: ReturnType<typeof globalThis.setTimeout>;
+  paused: boolean;
+  disconnected: boolean;
+}
+
+function toFiniteNumber(value: unknown): number | undefined {
+  return typeof value === 'number' && Number.isFinite(value) ? value : undefined;
+}
+
+function parseSnapshot(rawSnapshot: unknown): ContainerStatsSnapshot | null {
+  if (!rawSnapshot || typeof rawSnapshot !== 'object') {
+    return null;
+  }
+
+  const snapshot = rawSnapshot as Record<string, unknown>;
+  const containerId =
+    typeof snapshot.containerId === 'string' && snapshot.containerId.length > 0
+      ? snapshot.containerId
+      : undefined;
+  const timestamp =
+    typeof snapshot.timestamp === 'string' && snapshot.timestamp.length > 0
+      ? snapshot.timestamp
+      : undefined;
+
+  if (!containerId || !timestamp) {
+    return null;
+  }
+
+  const numericFields = {
+    cpuPercent: toFiniteNumber(snapshot.cpuPercent),
+    memoryUsageBytes: toFiniteNumber(snapshot.memoryUsageBytes),
+    memoryLimitBytes: toFiniteNumber(snapshot.memoryLimitBytes),
+    memoryPercent: toFiniteNumber(snapshot.memoryPercent),
+    networkRxBytes: toFiniteNumber(snapshot.networkRxBytes),
+    networkTxBytes: toFiniteNumber(snapshot.networkTxBytes),
+    blockReadBytes: toFiniteNumber(snapshot.blockReadBytes),
+    blockWriteBytes: toFiniteNumber(snapshot.blockWriteBytes),
+  };
+
+  if (Object.values(numericFields).some((value) => value === undefined)) {
+    return null;
+  }
+
+  const {
+    cpuPercent,
+    memoryUsageBytes,
+    memoryLimitBytes,
+    memoryPercent,
+    networkRxBytes,
+    networkTxBytes,
+    blockReadBytes,
+    blockWriteBytes,
+  } = numericFields as Record<keyof typeof numericFields, number>;
+
+  return {
+    containerId,
+    cpuPercent,
+    memoryUsageBytes,
+    memoryLimitBytes,
+    memoryPercent,
+    networkRxBytes,
+    networkTxBytes,
+    blockReadBytes,
+    blockWriteBytes,
+    timestamp,
+  };
+}
+
+function parseHistory(rawHistory: unknown): ContainerStatsSnapshot[] {
+  if (!Array.isArray(rawHistory)) {
+    return [];
+  }
+
+  const snapshots: ContainerStatsSnapshot[] = [];
+  for (const rawSnapshot of rawHistory) {
+    const snapshot = parseSnapshot(rawSnapshot);
+    if (snapshot) {
+      snapshots.push(snapshot);
+    }
+  }
+
+  return snapshots;
+}
+
+function parseSummaryItem(rawItem: unknown): ContainerStatsSummaryItem | null {
+  if (!rawItem || typeof rawItem !== 'object') {
+    return null;
+  }
+
+  const item = rawItem as Record<string, unknown>;
+  if (typeof item.id !== 'string' || typeof item.name !== 'string') {
+    return null;
+  }
+
+  const status = typeof item.status === 'string' ? item.status : undefined;
+  const watcher = typeof item.watcher === 'string' ? item.watcher : undefined;
+  const agent = typeof item.agent === 'string' ? item.agent : undefined;
+  const stats = item.stats === null ? null : parseSnapshot(item.stats);
+
+  return {
+    id: item.id,
+    name: item.name,
+    status,
+    watcher,
+    agent,
+    stats,
+  };
+}
+
+async function parseJson(response: Response): Promise<unknown> {
+  return response.json();
+}
+
+export async function getContainerStats(containerId: string): Promise<ContainerStatsResponse> {
+  const response = await fetch(`/api/v1/containers/${encodeURIComponent(containerId)}/stats`, {
+    credentials: 'include',
+  });
+  if (!response.ok) {
+    throw new Error(`Failed to get container stats: ${response.statusText}`);
+  }
+
+  const payload = await parseJson(response);
+  const envelope =
+    payload && typeof payload === 'object' ? (payload as Record<string, unknown>) : {};
+  const data = envelope.data === null ? null : parseSnapshot(envelope.data);
+
+  return {
+    data,
+    history: parseHistory(envelope.history),
+  };
+}
+
+export async function getAllContainerStats(): Promise<ContainerStatsSummaryItem[]> {
+  const response = await fetch('/api/v1/containers/stats', {
+    credentials: 'include',
+  });
+  if (!response.ok) {
+    throw new Error(`Failed to get container stats: ${response.statusText}`);
+  }
+
+  const payload = await parseJson(response);
+  const summaryItems: ContainerStatsSummaryItem[] = [];
+  for (const rawItem of extractCollectionData(payload)) {
+    const item = parseSummaryItem(rawItem);
+    if (item) {
+      summaryItems.push(item);
+    }
+  }
+
+  return summaryItems;
+}
+
+function parseSnapshotEvent(rawData: unknown): ContainerStatsSnapshot | null {
+  if (typeof rawData !== 'string') {
+    return null;
+  }
+
+  try {
+    return parseSnapshot(JSON.parse(rawData));
+  } catch {
+    return null;
+  }
+}
+
+function clearReconnectTimer(state: StreamConnectionState): void {
+  if (state.reconnectTimer) {
+    globalThis.clearTimeout(state.reconnectTimer);
+    state.reconnectTimer = undefined;
+  }
+}
+
+function closeSource(state: StreamConnectionState): void {
+  if (state.eventSource) {
+    state.eventSource.close();
+    state.eventSource = undefined;
+  }
+}
+
+function createEventSource(
+  streamUrl: string,
+  handlers: ContainerStatsStreamEventHandlers,
+  onError: () => void,
+): EventSource {
+  const source = new EventSource(streamUrl);
+  source.addEventListener('open', () => {
+    handlers.onOpen?.();
+  });
+  source.addEventListener('dd:heartbeat', () => {
+    handlers.onHeartbeat?.();
+  });
+  source.addEventListener('dd:container-stats', (event: Event) => {
+    const messageEvent = event as MessageEvent;
+    const snapshot = parseSnapshotEvent(messageEvent.data);
+    if (snapshot) {
+      handlers.onSnapshot?.(snapshot);
+    }
+  });
+  source.onerror = onError;
+  return source;
+}
+
+function scheduleReconnect(
+  state: StreamConnectionState,
+  reconnectDelayMs: number,
+  reconnect: () => void,
+): void {
+  clearReconnectTimer(state);
+  state.reconnectTimer = globalThis.setTimeout(() => {
+    state.reconnectTimer = undefined;
+    reconnect();
+  }, reconnectDelayMs);
+}
+
+export function connectContainerStatsStream(
+  containerId: string,
+  handlers: ContainerStatsStreamEventHandlers = {},
+  options: ContainerStatsStreamOptions = {},
+): ContainerStatsStreamController {
+  const reconnectDelayMs = Math.max(1, options.reconnectDelayMs ?? DEFAULT_RECONNECT_DELAY_MS);
+  const streamUrl = `/api/v1/containers/${encodeURIComponent(containerId)}/stats/stream`;
+  const state: StreamConnectionState = {
+    paused: false,
+    disconnected: false,
+  };
+
+  function handleError(): void {
+    handlers.onError?.();
+    if (state.paused || state.disconnected) {
+      return;
+    }
+
+    closeSource(state);
+    scheduleReconnect(state, reconnectDelayMs, connect);
+  }
+
+  function connect(): void {
+    closeSource(state);
+    state.eventSource = createEventSource(streamUrl, handlers, handleError);
+  }
+
+  connect();
+
+  return {
+    pause() {
+      if (state.paused || state.disconnected) {
+        return;
+      }
+      state.paused = true;
+      clearReconnectTimer(state);
+      closeSource(state);
+    },
+    resume() {
+      if (!state.paused || state.disconnected) {
+        return;
+      }
+      state.paused = false;
+      connect();
+    },
+    disconnect() {
+      if (state.disconnected) {
+        return;
+      }
+      state.disconnected = true;
+      state.paused = true;
+      clearReconnectTimer(state);
+      closeSource(state);
+    },
+    isPaused() {
+      return state.paused;
+    },
+  };
+}
diff --git a/ui/src/services/system-log-stream.ts b/ui/src/services/system-log-stream.ts
new file mode 100644
index 000000000..6e9f0fc5e
--- /dev/null
+++ b/ui/src/services/system-log-stream.ts
@@ -0,0 +1,176 @@
+export interface SystemLogEntry {
+  timestamp: number;
+  level: string;
+  component: string;
+  msg: string;
+}
+
+export type SystemLogStreamStatus = 'connected' | 'disconnected';
+
+export interface SystemLogStreamQuery {
+  level?: string;
+  component?: string;
+  tail?: number;
+}
+
+interface SystemLogStreamConnectionOptions {
+  query?: SystemLogStreamQuery;
+  onMessage: (entry: SystemLogEntry) => void;
+  onStatus?: (status: SystemLogStreamStatus) => void;
+  webSocketFactory?: (url: string) => WebSocket;
+  location?: Location;
+}
+
+export interface SystemLogStreamConnection {
+  update: (query: Partial<SystemLogStreamQuery>) => void;
+  pause: () => void;
+  resume: () => void;
+  close: () => void;
+  isPaused: () => boolean;
+}
+
+function isSystemLogEntry(payload: unknown): payload is SystemLogEntry {
+  if (!payload || typeof payload !== 'object') {
+    return false;
+  }
+  const entry = payload as Record<string, unknown>;
+  return (
+    typeof entry.timestamp === 'number' &&
+    typeof entry.level === 'string' &&
+    typeof entry.component === 'string' &&
+    typeof entry.msg === 'string'
+  );
+}
+
+function parseSystemLogMessage(data: unknown): SystemLogEntry | null {
+  if (typeof data !== 'string') {
+    return null;
+  }
+  try {
+    const payload = JSON.parse(data);
+    return isSystemLogEntry(payload) ? payload : null;
+  } catch {
+    return null;
+  }
+}
+
+export function buildSystemLogStreamUrl(
+  query: SystemLogStreamQuery = {},
+  locationRef: Location = window.location,
+): string {
+  const protocol = locationRef.protocol === 'https:' ? 'wss:' : 'ws:';
+  const params = new URLSearchParams();
+  if (query.level && query.level !== 'all') {
+    params.set('level', query.level);
+  }
+  if (query.component) {
+    params.set('component', query.component);
+  }
+  params.set('tail', `${query.tail ?? 100}`);
+
+  return `${protocol}//${locationRef.host}/api/v1/log/stream?${params.toString()}`;
+}
+
+export function createSystemLogStreamConnection(
+  options: SystemLogStreamConnectionOptions,
+): SystemLogStreamConnection {
+  const webSocketFactory = options.webSocketFactory ?? ((url) => new WebSocket(url));
+  const locationRef = options.location ?? window.location;
+  let query: SystemLogStreamQuery = { ...options.query };
+  let paused = false;
+  let closed = false;
+  let socket: WebSocket | undefined;
+
+  function closeSocket(code: number, reason: string) {
+    if (!socket) {
+      return;
+    }
+    const activeSocket = socket;
+    socket = undefined;
+    activeSocket.close(code, reason);
+  }
+
+  function isActiveSocket(candidate: WebSocket): boolean {
+    return socket === candidate;
+  }
+
+  function notifyDisconnectedIfActive(candidate: WebSocket) {
+    if (!isActiveSocket(candidate) || paused || closed) {
+      return;
+    }
+    options.onStatus?.('disconnected');
+  }
+
+  function connect() {
+    if (closed || paused) {
+      return;
+    }
+
+    const streamUrl = buildSystemLogStreamUrl(query, locationRef);
+    const nextSocket = webSocketFactory(streamUrl);
+    socket = nextSocket;
+
+    nextSocket.onopen = () => {
+      if (!isActiveSocket(nextSocket)) {
+        return;
+      }
+      options.onStatus?.('connected');
+    };
+    nextSocket.onmessage = (event) => {
+      if (!isActiveSocket(nextSocket)) {
+        return;
+      }
+      const entry = parseSystemLogMessage(event.data);
+      if (entry) {
+        options.onMessage(entry);
+      }
+    };
+    nextSocket.onerror = () => {
+      notifyDisconnectedIfActive(nextSocket);
+    };
+    nextSocket.onclose = () => {
+      if (!isActiveSocket(nextSocket)) {
+        return;
+      }
+      const shouldNotify = !paused && !closed;
+      socket = undefined;
+      if (shouldNotify) {
+        options.onStatus?.('disconnected');
+      }
+    };
+  }
+
+  connect();
+
+  return {
+    update(nextQuery) {
+      query = { ...query, ...nextQuery };
+      closeSocket(1000, 'reconnect');
+      connect();
+    },
+    pause() {
+      if (paused || closed) {
+        return;
+      }
+      paused = true;
+      closeSocket(1000, 'pause');
+    },
+    resume() {
+      if (!paused || closed) {
+        return;
+      }
+      paused = false;
+      connect();
+    },
+    close() {
+      if (closed) {
+        return;
+      }
+      closed = true;
+      closeSocket(1000, 'manual-close');
+    },
+    isPaused() {
+      return paused;
+    },
+  };
+}
diff --git a/ui/src/style.css b/ui/src/style.css
index 0203cfc2a..6bab262e3 100644
--- a/ui/src/style.css
+++ b/ui/src/style.css
@@ -1,4 +1,3 @@
-/* biome-ignore-all lint/correctness/noUnknownTypeSelector: view-transition pseudo-elements use (root) selector */
 @import "tailwindcss";
 @import "@fontsource/ibm-plex-mono/300.css";
 @import "@fontsource/ibm-plex-mono/400.css";
@@ -21,6 +20,32 @@ body {
   --dd-radius-sm: 2px; /* Small elements (badges, chips) */
   --dd-radius-lg: 4px; /* Large panels (modals, detail panels) */
   --dd-font-size: 1; /* Font size scale factor (1 = 100% = default) */
+  --dd-space-4: 4px;
+  --dd-space-6: 6px;
+  --dd-space-8: 8px;
+  --dd-space-12: 12px;
+  --dd-letter-spacing-brand: 0.15em;
+  --dd-letter-spacing-section: 0.12em;
+  --dd-letter-spacing-badge: 0.02em;
+  --dd-opacity-dim: 0.75;
+  --dd-opacity-handle-idle: 0.8;
+  --dd-motion-hover-lift-y: -2px;
+  --dd-motion-panel-enter-x: 20px;
+  --dd-motion-menu-enter-y: -4px;
+  --dd-motion-bounce-y: -8px;
+  --dd-motion-card-enter-y: 8px;
+  --dd-layout-sidebar-collapsed-width: 56px;
+  --dd-layout-sidebar-expanded-width: 240px;
+  --dd-layout-filter-max-width: 240px;
+  --dd-layout-main-viewport-offset: 96px;
+  --dd-layout-panel-width-sm: 420px;
+  --dd-layout-panel-width-md: 560px;
+  --dd-layout-panel-width-lg: 720px;
+  --dd-layout-dialog-max-width: 420px;
+  --dd-layout-dialog-min-width: 340px;
+  --dd-layout-about-max-width: 340px;
+  --dd-layout-search-max-width: 560px;
+  --dd-layout-overlay-max-width: 320px;
   --drydock-font: "IBM Plex Mono", monospace;
   background-color: var(--dd-bg);
   color: var(--dd-text);
@@ -123,6 +148,28 @@ html.dd-font-comic-mono {
   --color-drydock-secondary: var(--dd-primary);
   --color-drydock-accent: var(--dd-success);
   --font-mono: var(--drydock-font, "IBM Plex Mono", monospace);
+  --text-5xs: 0.4375rem; /* 7px */
+  --text-4xs: 0.5rem; /* 8px */
+  --text-3xs: 0.5625rem; /* 9px */
+  --text-2xs: 0.625rem; /* 10px */
+  --text-2xs-plus: 0.6875rem; /* 11px */
+  --text-xs-plus: 0.8125rem; /* 13px */
+  --text-sm-plus: 0.9375rem; /* 15px */
+  --z-popover: 60;
+  --z-overlay: 100;
+  --z-modal: 200;
+  --dd-duration-fast: 0.15s;
+  --dd-duration-standard: 0.25s;
+  --dd-duration-enter: 0.3s;
+  --dd-duration-emphasis: 0.35s;
+  --dd-duration-slow: 0.6s;
+  --dd-duration-spinner-fast: 0.8s;
+  --dd-duration-spinner: 1.5s;
+  --dd-duration-pulse: 2s;
+  --dd-duration-spinner-slow: 2.5s;
+  --dd-duration-decorative: 6s;
+  --dd-duration-short: 0.2s;
+  --dd-duration-delay: 0.05s;
 }
 
 /* Utility: apply global radius token via Tailwind-style class */
@@ -168,6 +215,73 @@ html.dd-font-comic-mono {
   color: var(--dd-text-muted);
 }
 
+/* ─── Semantic typography ─── */
+@utility dd-text-body {
+  font-size: var(--text-2xs-plus); /* 11px — primary body text */
+}
+@utility dd-text-body-sm {
+  font-size: var(--text-2xs); /* 10px — secondary/compact body */
+}
+@utility dd-text-caption {
+  font-size: var(--text-2xs); /* 10px */
+  color: var(--dd-text-muted);
+}
+@utility dd-text-label {
+  font-size: var(--text-2xs); /* 10px */
+  font-weight: 600;
+  text-transform: uppercase;
+  letter-spacing: 0.05em;
+}
+@utility dd-text-badge {
+  font-size: var(--text-3xs); /* 9px */
+  font-weight: 700;
+  text-transform: uppercase;
+}
+@utility dd-text-badge-lg {
+  font-size: var(--text-2xs); /* 10px */
+  font-weight: 600;
+}
+@utility dd-text-value {
+  font-size: var(--text-xs); /* 12px */
+  font-family: var(--font-mono);
+}
+@utility dd-text-value-sm {
+  font-size: var(--text-2xs-plus); /* 11px */
+  font-family: var(--font-mono);
+}
+@utility dd-text-code {
+  font-size: var(--text-2xs); /* 10px */
+  font-family: var(--font-mono);
+}
+@utility dd-text-heading-section {
+  font-size: var(--text-sm); /* 14px */
+  font-weight: 600;
+}
+@utility dd-text-heading-panel {
+  font-size: var(--text-sm); /* 14px */
+  font-weight: 700;
+}
+@utility dd-text-heading-page {
+  font-size: var(--text-base); /* 16px */
+  font-weight: 700;
+}
+@utility dd-text-nav {
+  font-size: var(--text-xs); /* 12px */
+  font-weight: 500;
+}
+@utility dd-text-tab {
+  font-size: var(--text-2xs-plus); /* 11px */
+  font-weight: 600;
+  text-transform: uppercase;
+  letter-spacing: 0.04em;
+}
+@utility dd-text-column {
+  font-size: var(--text-2xs); /* 10px */
+  font-weight: 600;
+  text-transform: uppercase;
+  letter-spacing: 0.05em;
+}
+
 /* Border */
 .dd-border {
   border-color: var(--dd-border);
@@ -353,19 +467,19 @@ body.dd-col-resizing {
   white-space: nowrap;
   font-size: 11px;
   line-height: 1.1;
-  padding: 4px 8px;
+  padding: var(--dd-space-4) var(--dd-space-8);
   border-radius: var(--dd-radius-sm);
   border: 1px solid var(--dd-border-strong);
-  box-shadow: 0 4px 12px rgb(0 0 0 / 20%);
+  box-shadow: var(--dd-shadow-tooltip);
   background: var(--dd-bg-card);
   color: var(--dd-text);
-  transition: opacity 0.15s ease;
+  transition: opacity var(--dd-duration-fast) ease;
 }
 .dd-tooltip-popup.dd-tooltip-visible {
   opacity: 1;
 }
 
-/* Scrollbar styling — overlay so scrollbars never shift layout */
+/* Scrollbar styling */
 * {
   scrollbar-width: thin;
   scrollbar-color: var(--dd-scrollbar) transparent;
@@ -379,18 +493,19 @@ body.dd-col-resizing {
 }
 ::-webkit-scrollbar-thumb {
   background: var(--dd-scrollbar);
-  border-radius: 3px;
+  border-radius: var(--dd-radius-sm);
 }
-@supports (overflow: overlay) {
-  .overflow-auto {
-    overflow: overlay;
-  }
-  .overflow-y-auto {
-    overflow-y: overlay;
-  }
-  .overflow-x-auto {
-    overflow-x: overlay;
-  }
+
+/* Prevent layout shifts when scrollbars appear/disappear in bounded scroll areas */
+.dd-scroll-stable {
+  scrollbar-gutter: stable;
+}
+
+/* Allow vertical page scroll to pass through widget scroll containers on touch devices.
+   Ensures swiping vertically on a widget boundary scrolls the dashboard, not the widget. */
+.dd-touch-scroll {
+  touch-action: pan-y;
+  -webkit-overflow-scrolling: touch;
 }
 
 /* Hidden scrollbar utility (for horizontal tab bars) */
@@ -405,29 +520,29 @@ body.dd-col-resizing {
 /* Sidebar transitions */
 .sidebar-transition {
   transition:
-    width 0.25s cubic-bezier(0.4, 0, 0.2, 1),
-    min-width 0.25s cubic-bezier(0.4, 0, 0.2, 1),
-    transform 0.25s cubic-bezier(0.4, 0, 0.2, 1);
+    width var(--dd-duration-standard) cubic-bezier(0.4, 0, 0.2, 1),
+    min-width var(--dd-duration-standard) cubic-bezier(0.4, 0, 0.2, 1),
+    transform var(--dd-duration-standard) cubic-bezier(0.4, 0, 0.2, 1);
 }
 
 /* Nav item transitions */
 .nav-item {
   transition:
-    background-color 0.15s ease,
-    color 0.15s ease,
-    padding 0.15s ease;
+    background-color var(--dd-duration-fast) ease,
+    color var(--dd-duration-fast) ease,
+    padding var(--dd-duration-fast) ease;
 }
 
 /* Overlay backdrop */
 .sidebar-overlay {
-  transition: opacity 0.25s ease;
+  transition: opacity var(--dd-duration-standard) ease;
 }
 
 /* Fade text in sidebar */
 .sidebar-label {
   transition:
-    opacity 0.2s ease 0.05s,
-    max-width 0.2s ease;
+    opacity var(--dd-duration-short) ease var(--dd-duration-delay),
+    max-width var(--dd-duration-short) ease;
   white-space: nowrap;
   overflow: hidden;
 }
@@ -436,7 +551,7 @@ body.dd-col-resizing {
   max-width: 0;
   transition:
     opacity 0.1s ease,
-    max-width 0.15s ease;
+    max-width var(--dd-duration-fast) ease;
 }
 
 /* Stat card left border */
@@ -446,18 +561,18 @@ body.dd-col-resizing {
 
 /* Spinner speeds */
 .dd-spin {
-  animation: spin 1.5s linear infinite;
+  animation: spin var(--dd-duration-spinner) linear infinite;
 }
 .dd-spin-slow {
-  animation: spin 2.5s linear infinite;
+  animation: spin var(--dd-duration-spinner-slow) linear infinite;
 }
 .dd-spin-fast {
-  animation: spin 0.8s linear infinite;
+  animation: spin var(--dd-duration-spinner-fast) linear infinite;
 }
 
 /* Donut chart */
 .donut-ring {
-  transition: stroke-dasharray 0.6s ease;
+  transition: stroke-dasharray var(--dd-duration-slow) ease;
 }
 
 /* Badge pulse */
@@ -471,7 +586,7 @@ body.dd-col-resizing {
   }
 }
 .badge-pulse {
-  animation: pulse-badge 2s ease-in-out infinite;
+  animation: pulse-badge var(--dd-duration-pulse) ease-in-out infinite;
 }
 
 /* Tooltip for collapsed sidebar */
@@ -484,7 +599,7 @@ body.dd-col-resizing {
   white-space: nowrap;
   pointer-events: none;
   opacity: 0;
-  transition: opacity 0.15s ease;
+  transition: opacity var(--dd-duration-fast) ease;
   z-index: 1000;
 }
 .sidebar-collapsed .nav-item-wrapper:hover .nav-tooltip {
@@ -499,40 +614,40 @@ body.dd-col-resizing {
   border-radius: var(--dd-radius-sm);
   font-size: 0.6875rem;
   font-weight: 600;
-  letter-spacing: 0.02em;
+  letter-spacing: var(--dd-letter-spacing-badge);
 }
 
 /* Hamburger line */
 .hamburger-line {
   transition:
-    transform 0.2s ease,
-    opacity 0.2s ease;
+    transform var(--dd-duration-short) ease,
+    opacity var(--dd-duration-short) ease;
 }
 
 /* Search modal */
 .search-backdrop {
-  transition: opacity 0.2s ease;
+  transition: opacity var(--dd-duration-short) ease;
 }
 
 /* Container card hover */
 .container-card {
   transition:
-    transform 0.2s ease,
-    box-shadow 0.2s ease;
+    transform var(--dd-duration-short) ease,
+    box-shadow var(--dd-duration-short) ease;
 }
 .container-card:hover {
-  transform: translateY(-2px);
+  transform: translateY(var(--dd-motion-hover-lift-y));
   box-shadow: var(--dd-shadow-lg);
 }
 
 /* Detail panel inline */
 .detail-panel-inline {
-  animation: panel-slide-in 0.25s ease-out;
+  animation: panel-slide-in var(--dd-duration-standard) ease-out;
 }
 @keyframes panel-slide-in {
   from {
     opacity: 0;
-    transform: translateX(20px);
+    transform: translateX(var(--dd-motion-panel-enter-x));
   }
   to {
     opacity: 1;
@@ -552,23 +667,19 @@ select {
 }
 
 /* ── View Transition: Circular Reveal (theme switch only) ── */
-html.dd-transitioning::view-transition-old(root),
-html.dd-transitioning::view-transition-new(root) {
+html.dd-transitioning::view-transition-old(*),
+html.dd-transitioning::view-transition-new(*) {
   animation: none;
   mix-blend-mode: normal;
 }
 
-html.dd-transitioning::view-transition-old(root) {
+html.dd-transitioning::view-transition-old(*) {
   z-index: 1;
-  opacity: 1;
 }
 
-html.dd-transitioning::view-transition-new(root) {
-  z-index: 10;
-  animation-name: theme-circle-reveal;
-  animation-duration: 600ms;
-  animation-timing-function: ease-out;
-  animation-fill-mode: both;
+html.dd-transitioning::view-transition-new(*) {
+  z-index: 9999;
+  animation: theme-circle-reveal 0.4s ease-in-out;
 }
 
 @keyframes theme-circle-reveal {
@@ -581,8 +692,8 @@ html.dd-transitioning::view-transition-new(root) {
 }
 
 @supports not (clip-path: circle(0% at 50% 50%)) {
-  html.dd-transitioning::view-transition-new(root) {
-    animation: theme-fade-in 600ms ease-out;
+  html.dd-transitioning::view-transition-new(*) {
+    animation: theme-fade-in var(--dd-duration-slow) ease-out;
   }
 
   @keyframes theme-fade-in {
@@ -599,11 +710,11 @@ html.dd-transitioning::view-transition-new(root) {
 .menu-fade-enter-active,
 .menu-fade-leave-active {
   transition:
-    opacity 0.15s ease,
-    transform 0.15s ease;
+    opacity var(--dd-duration-fast) ease,
+    transform var(--dd-duration-fast) ease;
 }
 .menu-fade-enter-from,
 .menu-fade-leave-to {
   opacity: 0;
-  transform: translateY(-4px);
+  transform: translateY(var(--dd-motion-menu-enter-y));
 }
diff --git a/ui/src/theme/tokens.css b/ui/src/theme/tokens.css
index 92651c7cc..a2870db5d 100644
--- a/ui/src/theme/tokens.css
+++ b/ui/src/theme/tokens.css
@@ -28,8 +28,10 @@
   --dd-primary-muted: color-mix(in srgb, var(--dd-primary) 15%, transparent);
   --dd-alt-muted: color-mix(in srgb, var(--dd-alt) 15%, transparent);
   --dd-neutral-muted: color-mix(in srgb, var(--dd-neutral) 15%, transparent);
-  --dd-shadow-sm: 0 2px 8px color-mix(in srgb, #020617 30%, transparent);
-  --dd-shadow-lg: 0 8px 24px color-mix(in srgb, #020617 24%, transparent);
+  --dd-shadow-tooltip: 0 2px 8px color-mix(in srgb, #020617 30%, transparent);
+  --dd-shadow-modal: 0 8px 24px color-mix(in srgb, #020617 24%, transparent);
+  --dd-shadow-sm: var(--dd-shadow-tooltip);
+  --dd-shadow-lg: var(--dd-shadow-modal);
   --dd-shadow-inset: inset 0 8px 16px -8px color-mix(in srgb, #020617 40%, transparent);
   --dd-hover-overlay: color-mix(in srgb, var(--dd-text) 8%, transparent);
   --dd-log-text: #abb2bf;
diff --git a/ui/src/types/container.d.ts b/ui/src/types/container.d.ts
index c75c9a8ee..bb3634d4c 100644
--- a/ui/src/types/container.d.ts
+++ b/ui/src/types/container.d.ts
@@ -25,6 +25,14 @@ export interface ContainerSecurityDelta {
   newHigh: number;
 }
 
+export interface ContainerReleaseNotes {
+  title: string;
+  body: string;
+  url: string;
+  publishedAt: string;
+  provider: string;
+}
+
 export interface Container {
   id: string;
   name: string;
@@ -36,7 +44,11 @@ export interface Container {
   imageVariant?: string;
   imageDigestWatch?: boolean;
   imageTagSemver?: boolean;
+  tagPrecision?: 'specific' | 'floating';
   releaseLink?: string;
+  suggestedTag?: string;
+  sourceRepo?: string;
+  releaseNotes?: ContainerReleaseNotes | null;
   status: 'running' | 'stopped';
   registry: 'dockerhub' | 'ghcr' | 'custom';
   registryName?: string;
@@ -56,6 +68,7 @@ export interface Container {
   updateSecurityScanState?: 'scanned' | 'not-scanned';
   updateSecuritySummary?: ContainerSecuritySummary;
   securityDelta?: ContainerSecurityDelta;
+  imageCreated?: string;
   server: string;
   includeTags?: string;
   excludeTags?: string;
diff --git a/ui/src/types/log-entry.ts b/ui/src/types/log-entry.ts
new file mode 100644
index 000000000..41eb21872
--- /dev/null
+++ b/ui/src/types/log-entry.ts
@@ -0,0 +1,13 @@
+import type { AnsiTextSegment, ParsedJsonLogLine } from '../utils/container-logs';
+
+export interface AppLogEntry {
+  id: number;
+  timestamp: string;
+  line: string;
+  plainLine: string;
+  ansiSegments: AnsiTextSegment[];
+  json: ParsedJsonLogLine | null;
+  level?: string | null;
+  channel?: 'stdout' | 'stderr';
+  component?: string;
+}
diff --git a/ui/src/utils/audit-helpers.ts b/ui/src/utils/audit-helpers.ts
index c4a26959d..efe4ae308 100644
--- a/ui/src/utils/audit-helpers.ts
+++ b/ui/src/utils/audit-helpers.ts
@@ -83,3 +83,24 @@ export function timeAgo(isoString: string): string {
   ];
   return `${months[d.getMonth()]} ${d.getDate()}`;
 }
+
+/** Format an ISO timestamp as a compact relative age string (e.g. "3d", "2w", "5mo", "1y"). */
+export function imageAge(isoString: string | undefined): string {
+  if (!isoString) return '\u2014';
+  const then = new Date(isoString).getTime();
+  if (Number.isNaN(then)) return '\u2014';
+  const diffMs = Date.now() - then;
+  if (diffMs < 0) return 'now';
+  const diffMin = Math.floor(diffMs / 60_000);
+  if (diffMin < 60) return `${Math.max(1, diffMin)}m`;
+  const diffHr = Math.floor(diffMin / 60);
+  if (diffHr < 24) return `${diffHr}h`;
+  const diffDay = Math.floor(diffHr / 24);
+  if (diffDay < 14) return `${diffDay}d`;
+  const diffWeek = Math.floor(diffDay / 7);
+  if (diffDay < 60) return `${diffWeek}w`;
+  const diffMonth = Math.floor(diffDay / 30.44);
+  if (diffMonth < 12) return `${diffMonth}mo`;
+  const diffYear = Math.floor(diffDay / 365.25);
+  return `${diffYear}y`;
+}
diff --git a/ui/src/utils/container-logs.ts b/ui/src/utils/container-logs.ts
new file mode 100644
index 000000000..6ed5216df
--- /dev/null
+++ b/ui/src/utils/container-logs.ts
@@ -0,0 +1,200 @@
+export type AnsiColor =
+  | 'black'
+  | 'red'
+  | 'green'
+  | 'yellow'
+  | 'blue'
+  | 'magenta'
+  | 'cyan'
+  | 'white'
+  | null;
+
+export interface AnsiTextSegment {
+  text: string;
+  color: AnsiColor;
+  bold: boolean;
+  dim: boolean;
+}
+
+export interface ParsedJsonLogLine {
+  level: string | null;
+  pretty: string;
+  value: Record<string, unknown>;
+}
+
+const ANSI_ESCAPE = String.fromCharCode(27);
+const ANSI_PATTERN = new RegExp(`${ANSI_ESCAPE}\\[([0-9;]*)m`, 'g');
+const ANSI_STRIP_PATTERN = new RegExp(`${ANSI_ESCAPE}\\[[0-9;]*m`, 'g');
+
+const COLOR_BY_CODE: Record<number, Exclude<AnsiColor, null>> = {
+  30: 'black',
+  31: 'red',
+  32: 'green',
+  33: 'yellow',
+  34: 'blue',
+  35: 'magenta',
+  36: 'cyan',
+  37: 'white',
+};
+
+function applyAnsiCode(
+  code: number,
+  state: {
+    color: AnsiColor;
+    bold: boolean;
+    dim: boolean;
+  },
+): void {
+  if (code === 0) {
+    state.color = null;
+    state.bold = false;
+    state.dim = false;
+    return;
+  }
+  if (code === 1) {
+    state.bold = true;
+    return;
+  }
+  if (code === 2) {
+    state.dim = true;
+    return;
+  }
+  if (code === 22) {
+    state.bold = false;
+    state.dim = false;
+    return;
+  }
+  if (code === 39) {
+    state.color = null;
+    return;
+  }
+  const color = COLOR_BY_CODE[code];
+  if (color) {
+    state.color = color;
+  }
+}
+
+export function parseAnsiSegments(input: string): AnsiTextSegment[] {
+  const segments: AnsiTextSegment[] = [];
+  const state = {
+    color: null as AnsiColor,
+    bold: false,
+    dim: false,
+  };
+
+  let lastIndex = 0;
+  for (const match of input.matchAll(ANSI_PATTERN)) {
+    const matchIndex = match.index as number;
+    const text = input.slice(lastIndex, matchIndex);
+    if (text.length > 0) {
+      segments.push({
+        text,
+        color: state.color,
+        bold: state.bold,
+        dim: state.dim,
+      });
+    }
+
+    const rawCodes = match[1]?.length ? match[1].split(';') : ['0'];
+    for (const rawCode of rawCodes) {
+      const code = Number.parseInt(rawCode, 10);
+      if (Number.isFinite(code)) {
+        applyAnsiCode(code, state);
+      }
+    }
+
+    lastIndex = matchIndex + match[0].length;
+  }
+
+  const tail = input.slice(lastIndex);
+  if (tail.length > 0) {
+    segments.push({
+      text: tail,
+      color: state.color,
+      bold: state.bold,
+      dim: state.dim,
+    });
+  }
+
+  return segments.filter((segment) => segment.text.length > 0);
+}
+
+export function stripAnsiCodes(input: string): string {
+  return input.replace(ANSI_STRIP_PATTERN, '');
+}
+
+function normalizeLevel(rawLevel: unknown): string | null {
+  if (typeof rawLevel === 'number' && Number.isFinite(rawLevel)) {
+    if (rawLevel === 10) return 'trace';
+    if (rawLevel === 20) return 'debug';
+    if (rawLevel === 30) return 'info';
+    if (rawLevel === 40) return 'warn';
+    if (rawLevel === 50) return 'error';
+    if (rawLevel === 60) return 'fatal';
+    return `${rawLevel}`;
+  }
+
+  if (typeof rawLevel === 'string') {
+    const trimmed = rawLevel.trim();
+    return trimmed.length > 0 ? trimmed.toLowerCase() : null;
+  }
+
+  return null;
+}
+
+export function extractJsonLogLevel(value: unknown): string | null {
+  if (!value || typeof value !== 'object') {
+    return null;
+  }
+
+  const logObject = value as Record<string, unknown>;
+  const levelKeys = ['level', 'severity', 'logLevel', 'log_level', 'lvl'] as const;
+
+  for (const key of levelKeys) {
+    if (key in logObject) {
+      const normalized = normalizeLevel(logObject[key]);
+      if (normalized !== null) {
+        return normalized;
+      }
+    }
+  }
+
+  return null;
+}
+
+export function parseJsonLogLine(input: string): ParsedJsonLogLine | null {
+  const stripped = stripAnsiCodes(input).trim();
+  if (stripped.length === 0) {
+    return null;
+  }
+
+  try {
+    const parsed = JSON.parse(stripped);
+    if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
+      return null;
+    }
+    const value = parsed as Record<string, unknown>;
+    return {
+      level: extractJsonLogLevel(value),
+      pretty: JSON.stringify(value, null, 2),
+      value,
+    };
+  } catch {
+    return null;
+  }
+}
+
+export function parseLogTimestampToUnixSeconds(timestamp: unknown): number | undefined {
+  if (typeof timestamp === 'number' && Number.isFinite(timestamp)) {
+    return Math.floor(timestamp);
+  }
+  if (typeof timestamp !== 'string' || timestamp.trim().length === 0) {
+    return undefined;
+  }
+
+  const parsedMs = Date.parse(timestamp);
+  if (Number.isNaN(parsedMs)) {
+    return undefined;
+  }
+  return Math.floor(parsedMs / 1000);
+}
diff --git a/ui/src/utils/container-mapper.ts b/ui/src/utils/container-mapper.ts
index 646daf838..5d5f670d5 100644
--- a/ui/src/utils/container-mapper.ts
+++ b/ui/src/utils/container-mapper.ts
@@ -17,6 +17,7 @@
 import { getEffectiveDisplayIcon } from '../services/image-icon';
 import type {
   Container,
+  ContainerReleaseNotes,
   ContainerSecurityDelta,
   ContainerSecuritySummary,
 } from '../types/container';
@@ -31,6 +32,7 @@ import { formatUpdateAge, getUpdateMaturity } from './update-maturity';
 interface ApiContainerImage {
   name?: unknown;
   variant?: unknown;
+  created?: unknown;
   registry?: {
     name?: unknown;
     url?: unknown;
@@ -38,17 +40,28 @@ interface ApiContainerImage {
   tag?: {
     value?: unknown;
     semver?: unknown;
+    tagPrecision?: unknown;
   } | null;
   digest?: {
     watch?: unknown;
   } | null;
 }
 
+interface ApiContainerReleaseNotes {
+  title?: unknown;
+  body?: unknown;
+  url?: unknown;
+  publishedAt?: unknown;
+  provider?: unknown;
+}
+
 interface ApiContainerResult {
   tag?: unknown;
+  suggestedTag?: unknown;
   digest?: unknown;
   link?: unknown;
   noUpdateReason?: unknown;
+  releaseNotes?: ApiContainerReleaseNotes | null;
 }
 
 interface ApiContainerUpdateKind {
@@ -122,6 +135,7 @@ export interface ApiContainerInput {
   transformTags?: unknown;
   triggerInclude?: unknown;
   triggerExclude?: unknown;
+  sourceRepo?: unknown;
   error?: { message?: unknown } | null;
   ports?: unknown;
   volumes?: unknown;
@@ -247,12 +261,16 @@ function deriveSecuritySummaryFromScan(
   return normalizeSecuritySummary(scan?.summary);
 }
 
-/** Derive `bouncer` (security gate verdict) from current-image scan data. */
+/** Derive `bouncer` (security gate verdict) from current-image OR update-image scan data.
+ * If either scan shows blocked, the container is blocked. The update scan takes
+ * precedence since it reflects the SecurityGate verdict during the last update attempt. */
 function deriveBouncer(apiContainer: ApiContainerInput): BouncerStatus {
+  const updateScan = getSecurityScan(apiContainer, 'updateScan');
+  if (updateScan?.status === 'blocked') return 'blocked';
   return deriveBouncerFromScan(getSecurityScan(apiContainer, 'scan'));
 }
 
-/** Derive whether a container has any persisted security scan result. */
+/** Derive whether a container has a persisted security scan result. */
 function deriveSecurityScanState(apiContainer: ApiContainerInput): 'scanned' | 'not-scanned' {
   return deriveSecurityScanStateFromScan(getSecurityScan(apiContainer, 'scan'));
 }
@@ -270,7 +288,7 @@ function deriveUpdateBouncer(apiContainer: ApiContainerInput): BouncerStatus | u
   return deriveBouncerFromScan(updateScan);
 }
 
-/** Derive whether a container has any persisted update security scan result. */
+/** Derive whether a container has a persisted update security scan result. */
 function deriveUpdateSecurityScanState(
   apiContainer: ApiContainerInput,
 ): 'scanned' | 'not-scanned' | undefined {
@@ -343,6 +361,14 @@ function deriveReleaseLink(apiContainer: ApiContainerInput): string | undefined
   return trimmed;
 }
 
+function deriveImageCreated(apiContainer: ApiContainerInput): string | undefined {
+  const value = asNonEmptyString(apiContainer.image?.created);
+  if (!value) return undefined;
+  const parsedAt = Date.parse(value);
+  if (Number.isNaN(parsedAt)) return undefined;
+  return new Date(parsedAt).toISOString();
+}
+
 function deriveUpdateDetectedAt(apiContainer: ApiContainerInput): string | undefined {
   const value = asNonEmptyString(apiContainer.updateDetectedAt);
   if (!value) return undefined;
@@ -512,6 +538,19 @@ function deriveRuntimeDetails(
   };
 }
 
+/** Derive inline release notes summary from API result. */
+function deriveReleaseNotes(apiContainer: ApiContainerInput): ContainerReleaseNotes | null {
+  const rn = apiContainer.result?.releaseNotes;
+  if (!rn || typeof rn !== 'object') return null;
+  const title = asNonEmptyString(rn.title);
+  const body = asNonEmptyString(rn.body);
+  const url = asNonEmptyString(rn.url);
+  const publishedAt = asNonEmptyString(rn.publishedAt);
+  const provider = asNonEmptyString(rn.provider);
+  if (!title || !body || !url || !publishedAt || !provider) return null;
+  return { title, body, url, publishedAt, provider };
+}
+
 /** Map a single API container to the UI Container type. */
 export function mapApiContainer(apiContainer: ApiContainerInput): Container {
   const runtimeDetails = deriveRuntimeDetails(apiContainer);
@@ -524,6 +563,7 @@ export function mapApiContainer(apiContainer: ApiContainerInput): Container {
   const currentTag = asNonEmptyString(apiContainer.image?.tag?.value) ?? 'latest';
   const currentSummary = deriveSecuritySummary(apiContainer);
   const updateSummary = deriveUpdateSecuritySummary(apiContainer);
+  const detectedAt = deriveUpdateDetectedAt(apiContainer);
 
   return {
     id,
@@ -536,16 +576,14 @@ export function mapApiContainer(apiContainer: ApiContainerInput): Container {
     imageVariant: asNonEmptyString(apiContainer.image?.variant),
     imageDigestWatch: asOptionalBoolean(apiContainer.image?.digest?.watch),
     imageTagSemver: asOptionalBoolean(apiContainer.image?.tag?.semver),
+    tagPrecision: apiContainer.image?.tag?.tagPrecision as 'specific' | 'floating' | undefined,
+    suggestedTag: asNonEmptyString(apiContainer.result?.suggestedTag),
+    sourceRepo: asNonEmptyString(apiContainer.sourceRepo),
+    releaseNotes: deriveReleaseNotes(apiContainer),
     releaseLink: deriveReleaseLink(apiContainer),
-    updateDetectedAt: deriveUpdateDetectedAt(apiContainer),
-    updateMaturity: getUpdateMaturity(
-      deriveUpdateDetectedAt(apiContainer),
-      !!apiContainer.updateAvailable,
-    ),
-    updateMaturityTooltip: formatUpdateAge(
-      deriveUpdateDetectedAt(apiContainer),
-      !!apiContainer.updateAvailable,
-    ),
+    updateDetectedAt: detectedAt,
+    updateMaturity: getUpdateMaturity(detectedAt, !!apiContainer.updateAvailable),
+    updateMaturityTooltip: formatUpdateAge(detectedAt, !!apiContainer.updateAvailable),
     updatePolicyState,
     suppressedUpdateTag: deriveSuppressedUpdateTag(apiContainer, updatePolicyState),
     status: apiContainer.status === 'running' ? 'running' : 'stopped',
@@ -562,6 +600,7 @@ export function mapApiContainer(apiContainer: ApiContainerInput): Container {
     updateSecurityScanState: deriveUpdateSecurityScanState(apiContainer),
     updateSecuritySummary: updateSummary,
     securityDelta: computeSecurityDelta(currentSummary, updateSummary),
+    imageCreated: deriveImageCreated(apiContainer),
     server: deriveServer(apiContainer),
     includeTags: asNonEmptyString(apiContainer.includeTags),
     excludeTags: asNonEmptyString(apiContainer.excludeTags),
diff --git a/ui/src/utils/display.ts b/ui/src/utils/display.ts
index 9ff105368..13cb5b25c 100644
--- a/ui/src/utils/display.ts
+++ b/ui/src/utils/display.ts
@@ -79,3 +79,7 @@ export function maturityColor(maturity: string | null) {
   }
   return { bg: 'transparent', text: 'transparent' };
 }
+
+export function suggestedTagColor() {
+  return { bg: 'var(--dd-alt-muted)', text: 'var(--dd-alt)' };
+}
diff --git a/ui/src/utils/json-tokenizer.ts b/ui/src/utils/json-tokenizer.ts
new file mode 100644
index 000000000..17cde77f9
--- /dev/null
+++ b/ui/src/utils/json-tokenizer.ts
@@ -0,0 +1,101 @@
+export interface JsonToken {
+  text: string;
+  type: 'key' | 'string' | 'number' | 'boolean' | 'null' | 'punctuation' | 'text';
+}
+
+const TOKEN_CACHE_MAX = 500;
+const tokenCache = new Map<string, JsonToken[]>();
+
+export function tokenizeJson(prettyJson: string): JsonToken[] {
+  const cached = tokenCache.get(prettyJson);
+  if (cached) return cached;
+
+  const tokens: JsonToken[] = [];
+  let cursor = 0;
+  const numberPattern = /^-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][+-]?\d+)?/;
+
+  while (cursor < prettyJson.length) {
+    const character = prettyJson[cursor];
+
+    if (/\s/u.test(character)) {
+      let end = cursor + 1;
+      while (end < prettyJson.length && /\s/u.test(prettyJson[end])) {
+        end += 1;
+      }
+      tokens.push({ text: prettyJson.slice(cursor, end), type: 'text' });
+      cursor = end;
+      continue;
+    }
+
+    if ('{}[],:'.includes(character)) {
+      tokens.push({ text: character, type: 'punctuation' });
+      cursor += 1;
+      continue;
+    }
+
+    if (character === '"') {
+      let end = cursor + 1;
+      while (end < prettyJson.length) {
+        if (prettyJson[end] === '"') {
+          let backslashes = 0;
+          while (end - 1 - backslashes > cursor && prettyJson[end - 1 - backslashes] === '\\') {
+            backslashes += 1;
+          }
+          if (backslashes % 2 === 0) {
+            end += 1;
+            break;
+          }
+        }
+        end += 1;
+      }
+
+      let lookAhead = end;
+      while (lookAhead < prettyJson.length && /\s/u.test(prettyJson[lookAhead])) {
+        lookAhead += 1;
+      }
+
+      tokens.push({
+        text: prettyJson.slice(cursor, end),
+        type: prettyJson[lookAhead] === ':' ? 'key' : 'string',
+      });
+      cursor = end;
+      continue;
+    }
+
+    const remaining = prettyJson.slice(cursor);
+    if (remaining.startsWith('true') || remaining.startsWith('false')) {
+      const value = remaining.startsWith('true') ? 'true' : 'false';
+      tokens.push({ text: value, type: 'boolean' });
+      cursor += value.length;
+      continue;
+    }
+
+    if (remaining.startsWith('null')) {
+      tokens.push({ text: 'null', type: 'null' });
+      cursor += 4;
+      continue;
+    }
+
+    const numberMatch = remaining.match(numberPattern);
+    if (numberMatch?.[0]) {
+      tokens.push({ text: numberMatch[0], type: 'number' });
+      cursor += numberMatch[0].length;
+      continue;
+    }
+
+    tokens.push({ text: character, type: 'text' });
+    cursor += 1;
+  }
+
+  if (tokenCache.size >= TOKEN_CACHE_MAX) {
+    const firstKey = tokenCache.keys().next().value!;
+    tokenCache.delete(firstKey);
+  }
+  tokenCache.set(prettyJson, tokens);
+
+  return tokens;
+}
+
+export function clearTokenCache() {
+  tokenCache.clear();
+}
diff --git a/ui/src/utils/maturity-policy.ts b/ui/src/utils/maturity-policy.ts
index 14d62c734..c5b0a0802 100644
--- a/ui/src/utils/maturity-policy.ts
+++ b/ui/src/utils/maturity-policy.ts
@@ -3,7 +3,7 @@ export const MATURITY_MIN_AGE_DAYS_MIN = 1;
 export const MATURITY_MIN_AGE_DAYS_MAX = 365;
 export const MS_PER_DAY = 24 * 60 * 60 * 1000;
 
-export type MaturityMode = 'all' | 'mature';
+type MaturityMode = 'all' | 'mature';
 
 export function normalizeMaturityMode(value: unknown): MaturityMode | undefined {
   if (typeof value !== 'string') {
diff --git a/ui/src/utils/stats-sparkline.ts b/ui/src/utils/stats-sparkline.ts
new file mode 100644
index 000000000..9ce75b27a
--- /dev/null
+++ b/ui/src/utils/stats-sparkline.ts
@@ -0,0 +1,43 @@
+function toFinite(value: number): number {
+  return Number.isFinite(value) ? value : 0;
+}
+
+function formatCoordinate(value: number): string {
+  return Number.parseFloat(value.toFixed(2)).toString();
+}
+
+export function buildSparklinePoints(values: number[], width: number, height: number): string {
+  if (values.length === 0) {
+    return '';
+  }
+
+  const finiteValues = values.map(toFinite);
+  const minValue = Math.min(...finiteValues);
+  const maxValue = Math.max(...finiteValues);
+  const valueRange = maxValue - minValue;
+
+  if (valueRange === 0) {
+    const middleY = formatCoordinate(height / 2);
+    if (values.length === 1) {
+      return `0,${middleY}`;
+    }
+    const denominator = values.length - 1;
+    const points: string[] = [];
+    for (let index = 0; index < values.length; index += 1) {
+      const x = (index / denominator) * width;
+      points.push(`${formatCoordinate(x)},${middleY}`);
+    }
+    return points.join(' ');
+  }
+
+  const points: string[] = [];
+  const denominator = values.length - 1;
+
+  for (let index = 0; index < finiteValues.length; index += 1) {
+    const x = (index / denominator) * width;
+    const y = height - ((finiteValues[index] - minValue) / valueRange) * height;
+    points.push(`${formatCoordinate(x)},${formatCoordinate(y)}`);
+  }
+
+  return points.join(' ');
+}
diff --git a/ui/src/utils/stats-summary.ts b/ui/src/utils/stats-summary.ts
new file mode 100644
index 000000000..41c90cb87
--- /dev/null
+++ b/ui/src/utils/stats-summary.ts
@@ -0,0 +1,93 @@
+import type { ContainerStatsSummaryItem } from '../services/stats';
+
+export interface ResourceUsageRow {
+  id: string;
+  name: string;
+  status: string | undefined;
+  cpuPercent: number;
+  memoryPercent: number;
+  memoryUsageBytes: number;
+  memoryLimitBytes: number;
+}
+
+export interface ResourceUsageSummary {
+  topCpu: ResourceUsageRow[];
+  topMemory: ResourceUsageRow[];
+  totalCpuPercent: number;
+  totalMemoryPercent: number;
+  totalMemoryUsageBytes: number;
+  totalMemoryLimitBytes: number;
+  watchedContainers: number;
+}
+
+function toFiniteNumber(value: number): number {
+  return Number.isFinite(value) ? value : 0;
+}
+
+function roundMetric(value: number): number {
+  return Number.parseFloat(value.toFixed(2));
+}
+
+function normalizeUsageRow(item: ContainerStatsSummaryItem): ResourceUsageRow | undefined {
+  if (!item.stats) {
+    return undefined;
+  }
+
+  return {
+    id: item.id,
+    name: item.name,
+    status: item.status,
+    cpuPercent: toFiniteNumber(item.stats.cpuPercent),
+    memoryPercent: toFiniteNumber(item.stats.memoryPercent),
+    memoryUsageBytes: toFiniteNumber(item.stats.memoryUsageBytes),
+    memoryLimitBytes: toFiniteNumber(item.stats.memoryLimitBytes),
+  };
+}
+
+function sortByMetric(
+  rows: ResourceUsageRow[],
+  metric: 'cpuPercent' | 'memoryPercent',
+): ResourceUsageRow[] {
+  return [...rows].sort((left, right) => {
+    if (right[metric] !== left[metric]) {
+      return right[metric] - left[metric];
+    }
+    return left.name.localeCompare(right.name);
+  });
+}
+
+export function summarizeContainerResourceUsage(
+  items: ContainerStatsSummaryItem[],
+  limit = 5,
+): ResourceUsageSummary {
+  const normalizedLimit = Math.max(1, Math.floor(limit));
+  const rows: ResourceUsageRow[] = [];
+
+  for (const item of items) {
+    const row = normalizeUsageRow(item);
+    if (row) {
+      rows.push(row);
+    }
+  }
+
+  const totalMemoryUsageBytes = rows.reduce((sum, row) => sum + row.memoryUsageBytes, 0);
+  const totalMemoryLimitBytes = rows.reduce((sum, row) => sum + row.memoryLimitBytes, 0);
+  const totalCpuRaw = rows.reduce((sum, row) => sum + row.cpuPercent, 0);
+
+  const totalCpuPercent =
+    rows.length > 0 ? roundMetric(Math.min(100, totalCpuRaw / rows.length)) : 0;
+  const totalMemoryPercent =
+    totalMemoryLimitBytes > 0
+      ? roundMetric(Math.min(100, (totalMemoryUsageBytes / totalMemoryLimitBytes) * 100))
+      : 0;
+
+  return {
+    topCpu: sortByMetric(rows, 'cpuPercent').slice(0, normalizedLimit),
+    topMemory: sortByMetric(rows, 'memoryPercent').slice(0, normalizedLimit),
+    totalCpuPercent,
+    totalMemoryPercent,
+    totalMemoryUsageBytes,
+    totalMemoryLimitBytes,
+    watchedContainers: rows.length,
+  };
+}
diff --git a/ui/src/utils/stats-thresholds.ts b/ui/src/utils/stats-thresholds.ts
new file mode 100644
index 000000000..18262c23c
--- /dev/null
+++ b/ui/src/utils/stats-thresholds.ts
@@ -0,0 +1,40 @@
+type UsageThreshold = 'healthy' | 'warning' | 'critical';
+
+function isFiniteNumber(value: number): boolean {
+  return Number.isFinite(value);
+}
+
+export function getUsageThreshold(percent: number): UsageThreshold {
+  if (!isFiniteNumber(percent)) {
+    return 'healthy';
+  }
+  if (percent < 60) {
+    return 'healthy';
+  }
+  if (percent <= 85) {
+    return 'warning';
+  }
+  return 'critical';
+}
+
+export function getUsageThresholdColor(percent: number): string {
+  const threshold = getUsageThreshold(percent);
+  if (threshold === 'healthy') {
+    return 'var(--dd-success)';
+  }
+  if (threshold === 'warning') {
+    return 'var(--dd-warning)';
+  }
+  return 'var(--dd-danger)';
+}
+
+export function getUsageThresholdMutedColor(percent: number): string {
+  const threshold = getUsageThreshold(percent);
+  if (threshold === 'healthy') {
+    return 'var(--dd-success-muted)';
+  }
+  if (threshold === 'warning') {
+    return 'var(--dd-warning-muted)';
+  }
+  return 'var(--dd-danger-muted)';
+}
diff --git a/ui/src/utils/system-log-adapter.ts b/ui/src/utils/system-log-adapter.ts
new file mode 100644
index 000000000..0f1ed131f
--- /dev/null
+++ b/ui/src/utils/system-log-adapter.ts
@@ -0,0 +1,41 @@
+import type { SystemLogEntry } from '../services/system-log-stream';
+import type { AppLogEntry } from '../types/log-entry';
+import { parseAnsiSegments, parseJsonLogLine, stripAnsiCodes } from './container-logs';
+
+function formatTimestamp(timestamp: number): string {
+  if (!Number.isFinite(timestamp)) {
+    return '-';
+  }
+
+  const date = new Date(timestamp);
+  if (Number.isNaN(date.getTime())) {
+    return '-';
+  }
+
+  return date.toISOString();
+}
+
+function normalizeLevel(level: string): string | null {
+  const trimmed = level.trim();
+  if (trimmed.length === 0) {
+    return null;
+  }
+  return trimmed.toLowerCase();
+}
+
+export function toAppLogEntry(entry: SystemLogEntry, id: number): AppLogEntry {
+  const line = entry.msg;
+  const json = parseJsonLogLine(line);
+  const fallbackLevel = normalizeLevel(entry.level);
+
+  return {
+    id,
+    timestamp: formatTimestamp(entry.timestamp),
+    line,
+    plainLine: stripAnsiCodes(line),
+    ansiSegments: parseAnsiSegments(line),
+    json,
+    level: json?.level ?? fallbackLevel,
+    component: entry.component,
+  };
+}
diff --git a/ui/src/utils/update-maturity.ts b/ui/src/utils/update-maturity.ts
index 20c6ba7db..a0a67aabf 100644
--- a/ui/src/utils/update-maturity.ts
+++ b/ui/src/utils/update-maturity.ts
@@ -1,7 +1,7 @@
 /** Update maturity classification based on how long an update has been available. */
 import { daysToMs, MS_PER_DAY } from './maturity-policy';
 
-export type UpdateMaturity = 'fresh' | 'settled' | null;
+type UpdateMaturity = 'fresh' | 'settled' | null;
 
 const DEFAULT_MATURITY_THRESHOLD_MS = daysToMs(7);
 
diff --git a/ui/src/views/AgentsView.vue b/ui/src/views/AgentsView.vue
index 411a9396b..7e84d42ea 100644
--- a/ui/src/views/AgentsView.vue
+++ b/ui/src/views/AgentsView.vue
@@ -1,9 +1,15 @@
 <script setup lang="ts">
 import { computed, onMounted, onUnmounted, ref, watch } from 'vue';
-import { useRoute } from 'vue-router';
+import { useRoute, useRouter } from 'vue-router';
+import { ROUTES } from '../router/routes';
 import AgentDetailConfigTab from '../components/agents/AgentDetailConfigTab.vue';
 import AgentDetailLogsTab from '../components/agents/AgentDetailLogsTab.vue';
 import AgentDetailOverviewTab from '../components/agents/AgentDetailOverviewTab.vue';
+import AppBadge from '../components/AppBadge.vue';
+import AppTabBar from '../components/AppTabBar.vue';
+import AppIconButton from '../components/AppIconButton.vue';
+import DetailField from '../components/DetailField.vue';
+import StatusDot from '../components/StatusDot.vue';
 import { useBreakpoints } from '../composables/useBreakpoints';
 import { preferences } from '../preferences/store';
 import { usePreference } from '../preferences/usePreference';
@@ -45,6 +51,7 @@ interface AgentLog {
 
 const { isMobile, windowNarrow: isCompact } = useBreakpoints();
 const route = useRoute();
+const router = useRouter();
 let activeAgentStatusListener: EventListener | null = null;
 
 const loading = ref(true);
@@ -223,7 +230,8 @@ async function fetchAgentLogs(
     if (!options.silent) {
       agentLogsLastFetched.value = new Date().toISOString();
     }
-  } catch {
+  } catch (e: unknown) {
+    void errorMessage(e, 'Failed to load agent logs');
     if (!options.silent) {
       agentLogsError.value = 'Failed to load agent logs';
     }
@@ -321,6 +329,19 @@ const agentAllColumns = [
 
 const agentVisibleColumns = ref<Set<string>>(new Set(agentAllColumns.map((c) => c.key)));
 const showAgentColumnPicker = ref(false);
+const agentColumnPickerStyle = ref<Record<string, string>>({});
+function toggleAgentColumnPicker(event: MouseEvent) {
+  showAgentColumnPicker.value = !showAgentColumnPicker.value;
+  if (showAgentColumnPicker.value) {
+    const button = event.currentTarget as HTMLElement;
+    const rect = button.getBoundingClientRect();
+    agentColumnPickerStyle.value = {
+      position: 'fixed',
+      top: `${rect.bottom + 4}px`,
+      left: `${rect.left}px`,
+    };
+  }
+}
 
 function toggleAgentColumn(key: string) {
   const col = agentAllColumns.find((c) => c.key === key);
@@ -448,12 +469,12 @@ function getConfigFields(agent: Agent): AgentDetailField[] {
 <template>
   <DataViewLayout>
           <div v-if="error"
-               class="mb-3 px-3 py-2 text-[0.6875rem] dd-rounded"
+               class="mb-3 px-3 py-2 text-2xs-plus dd-rounded"
                :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }">
             {{ error }}
           </div>
 
-          <div v-if="loading" class="text-[0.6875rem] dd-text-muted py-3 px-1">Loading agents...</div>
+          <div v-if="loading" class="text-2xs-plus dd-text-muted py-3 px-1">Loading agents...</div>
 
           <!-- Filter bar -->
           <DataFilterBar
@@ -466,42 +487,45 @@ function getConfigFields(agent: Agent): AgentDetailField[] {
               <input v-model="searchQuery"
                      type="text"
                      placeholder="Filter by name..."
-                     class="flex-1 min-w-[120px] max-w-[240px] px-2.5 py-1.5 dd-rounded text-[0.6875rem] font-medium outline-none dd-bg dd-text dd-placeholder" />
-              <button v-if="searchQuery"
-                      class="text-[0.625rem] dd-text-muted hover:dd-text transition-colors"
+                     class="flex-1 min-w-[120px] max-w-[var(--dd-layout-filter-max-width)] px-2.5 py-1.5 dd-rounded text-2xs-plus font-medium outline-none dd-bg dd-text dd-placeholder" />
+              <AppButton size="none" variant="text-muted" weight="medium" class="text-2xs" v-if="searchQuery"
+                      
                       @click="searchQuery = ''">
                 Clear
-              </button>
+              </AppButton>
             </template>
             <template #extra-buttons>
-              <div v-if="agentViewMode === 'table'" class="relative">
-                <button class="w-7 h-7 dd-rounded flex items-center justify-center text-[0.6875rem] transition-colors"
+              <div v-if="agentViewMode === 'table'">
+                <AppIconButton icon="config" size="toolbar" variant="plain" class="text-2xs-plus"
                         :class="showAgentColumnPicker ? 'dd-text dd-bg-elevated' : 'dd-text-secondary hover:dd-text hover:dd-bg-elevated'"
+                        aria-label="Toggle columns"
                         v-tooltip.top="'Toggle columns'"
-                        @click.stop="showAgentColumnPicker = !showAgentColumnPicker">
-                  <AppIcon name="config" :size="12" />
-                </button>
-                <div v-if="showAgentColumnPicker" @click.stop
-                     class="absolute right-0 top-9 z-50 min-w-[160px] py-1.5 dd-rounded shadow-lg"
-                     :style="{
-                       backgroundColor: 'var(--dd-bg-card)',
-                       border: '1px solid var(--dd-border-strong)',
-                       boxShadow: 'var(--dd-shadow-lg)',
-                     }">
-                  <div class="px-3 py-1 text-[0.5625rem] font-bold uppercase tracking-wider dd-text-muted">Columns</div>
-                  <button v-for="col in agentAllColumns" :key="col.key"
-                          class="w-full text-left px-3 py-1.5 text-[0.6875rem] font-medium transition-colors flex items-center gap-2 hover:dd-bg-elevated"
-                          :class="col.required ? 'dd-text-muted cursor-not-allowed' : 'dd-text'"
-                          @click="toggleAgentColumn(col.key)">
-                    <AppIcon :name="agentVisibleColumns.has(col.key) ? 'check' : 'square'" :size="10"
-                             :style="agentVisibleColumns.has(col.key) ? { color: 'var(--dd-primary)' } : {}" />
-                    {{ col.label }}
-                  </button>
-                </div>
+                        @click.stop="toggleAgentColumnPicker" />
               </div>
             </template>
           </DataFilterBar>
 
+          <!-- Column picker popover (rendered outside DataFilterBar to avoid overflow clipping) -->
+          <div v-if="showAgentColumnPicker" @click.stop
+               class="min-w-[160px] py-1.5 dd-rounded shadow-lg"
+               :style="{
+                 ...agentColumnPickerStyle,
+                 zIndex: 'var(--z-popover)',
+                 backgroundColor: 'var(--dd-bg-card)',
+                 border: '1px solid var(--dd-border-strong)',
+                 boxShadow: 'var(--dd-shadow-tooltip)',
+               }">
+            <div class="px-3 py-1 text-3xs font-bold uppercase tracking-wider dd-text-muted">Columns</div>
+            <AppButton size="md" variant="plain" weight="medium" class="w-full text-left flex items-center gap-2" v-for="col in agentAllColumns" :key="col.key"
+
+                    :class="col.required ? 'dd-text-muted cursor-not-allowed' : 'dd-text'"
+                    @click="toggleAgentColumn(col.key)">
+              <AppIcon :name="agentVisibleColumns.has(col.key) ? 'check' : 'square'" :size="10"
+                       :style="agentVisibleColumns.has(col.key) ? { color: 'var(--dd-primary)' } : {}" />
+              {{ col.label }}
+            </AppButton>
+          </div>
+
           <!-- Table view -->
           <DataTable v-if="agentViewMode === 'table' && !loading"
                      :columns="agentActiveColumns"
@@ -515,36 +539,27 @@ function getConfigFields(agent: Agent): AgentDetailField[] {
                      @row-click="selectAgent($event)">
             <template #cell-name="{ row }">
               <div class="flex items-start gap-2 min-w-0">
-                <div class="w-2 h-2 rounded-full shrink-0 mt-1.5"
-                     :style="{ backgroundColor: row.status === 'connected' ? 'var(--dd-success)' : 'var(--dd-danger)' }" />
+                <StatusDot :status="row.status" size="md" class="mt-1.5" v-tooltip.top="row.status === 'connected' ? 'Connected' : 'Disconnected'" />
                 <div class="min-w-0 flex-1">
                   <div class="font-medium truncate dd-text">{{ row.name }}</div>
-                  <div class="text-[0.625rem] mt-0.5 truncate dd-text-muted">{{ row.host }}</div>
+                  <div class="text-2xs mt-0.5 truncate dd-text-muted">{{ row.host }}</div>
                   <!-- Compact mode: folded badge row -->
                   <div v-if="isCompact" class="flex items-center gap-1.5 mt-1.5">
-                    <span class="badge px-1.5 py-0 text-[0.5625rem] hidden md:inline-flex"
-                          :style="{
-                            backgroundColor: row.status === 'connected' ? 'var(--dd-success-muted)' : 'var(--dd-danger-muted)',
-                            color: row.status === 'connected' ? 'var(--dd-success)' : 'var(--dd-danger)',
-                          }">
+                    <AppBadge :tone="row.status === 'connected' ? 'success' : 'danger'" size="xs" class="px-1.5 py-0 hidden md:inline-flex">
                       {{ row.status }}
-                    </span>
-                    <span class="text-[0.5625rem] dd-text-secondary">
+                    </AppBadge>
+                    <span class="text-3xs dd-text-secondary">
                       {{ row.containers.running }}/{{ row.containers.total }}
                     </span>
-                    <span class="text-[0.5625rem] dd-text-muted ml-auto">{{ row.lastSeen }}</span>
+                    <span class="text-3xs dd-text-muted ml-auto">{{ row.lastSeen }}</span>
                   </div>
                 </div>
               </div>
             </template>
             <template #cell-status="{ row }">
-              <span class="badge text-[0.5625rem] font-bold hidden md:inline-flex"
-                    :style="{
-                      backgroundColor: row.status === 'connected' ? 'var(--dd-success-muted)' : 'var(--dd-danger-muted)',
-                      color: row.status === 'connected' ? 'var(--dd-success)' : 'var(--dd-danger)',
-                    }">
+              <AppBadge :tone="row.status === 'connected' ? 'success' : 'danger'" size="xs" class="hidden md:inline-flex">
                 {{ row.status }}
-              </span>
+              </AppBadge>
             </template>
             <template #cell-containers="{ row }">
               <span class="font-bold" style="color: var(--dd-success);">{{ row.containers.running }}</span>
@@ -560,7 +575,7 @@ function getConfigFields(agent: Agent): AgentDetailField[] {
             </template>
             <template #cell-version="{ row }">
               <span v-if="!row.version" class="dd-text-muted">-</span>
-              <span v-else class="px-1.5 py-0.5 dd-rounded-sm text-[0.625rem] font-medium dd-bg-elevated dd-text-secondary">
+              <span v-else class="px-1.5 py-0.5 dd-rounded-sm text-2xs font-medium dd-bg-elevated dd-text-secondary">
                 v{{ row.version }}
               </span>
             </template>
@@ -585,24 +600,19 @@ function getConfigFields(agent: Agent): AgentDetailField[] {
               <!-- Card header -->
               <div class="px-4 pt-4 pb-2 flex items-start justify-between">
                 <div class="flex items-center gap-2.5 min-w-0">
-                  <div class="w-2.5 h-2.5 rounded-full shrink-0 mt-1"
-                       :style="{ backgroundColor: agent.status === 'connected' ? 'var(--dd-success)' : 'var(--dd-danger)' }" />
+                  <StatusDot :status="agent.status" size="lg" class="mt-1" v-tooltip.top="agent.status === 'connected' ? 'Connected' : 'Disconnected'" />
                   <div class="min-w-0">
-                    <div class="text-[0.9375rem] font-semibold truncate dd-text">{{ agent.name }}</div>
-                    <div class="text-[0.6875rem] truncate mt-0.5 dd-text-muted">{{ agent.host }}</div>
+                    <div class="text-sm-plus font-semibold truncate dd-text">{{ agent.name }}</div>
+                    <div class="text-2xs-plus truncate mt-0.5 dd-text-muted">{{ agent.host }}</div>
                   </div>
                 </div>
-                <span class="badge text-[0.5625rem] uppercase tracking-wide font-bold shrink-0 ml-2 hidden md:inline-flex"
-                      :style="{
-                        backgroundColor: agent.status === 'connected' ? 'var(--dd-success-muted)' : 'var(--dd-danger-muted)',
-                        color: agent.status === 'connected' ? 'var(--dd-success)' : 'var(--dd-danger)',
-                      }">
+                <AppBadge :tone="agent.status === 'connected' ? 'success' : 'danger'" size="xs" class="tracking-wide shrink-0 ml-2 hidden md:inline-flex">
                   {{ agent.status }}
-                </span>
+                </AppBadge>
               </div>
               <!-- Card body -->
               <div class="px-4 py-3">
-                <div class="grid grid-cols-2 gap-2 text-[0.6875rem]">
+                <div class="grid grid-cols-2 gap-2 text-2xs-plus">
                   <div>
                     <span class="dd-text-muted">Docker</span>
                     <span class="ml-1 font-semibold" :class="agent.dockerVersion ? 'dd-text' : 'dd-text-muted'">{{ agent.dockerVersion ?? '—' }}</span>
@@ -627,7 +637,7 @@ function getConfigFields(agent: Agent): AgentDetailField[] {
                      borderTop: '1px solid var(--dd-border)',
                      backgroundColor: 'var(--dd-bg-elevated)',
                    }">
-                <div class="flex items-center gap-3 text-[0.6875rem]">
+                <div class="flex items-center gap-3 text-2xs-plus">
                   <span>
                     <span class="font-bold" style="color: var(--dd-success);">{{ agent.containers.running }}</span>
                     <span class="dd-text-muted"> running</span>
@@ -637,7 +647,7 @@ function getConfigFields(agent: Agent): AgentDetailField[] {
                     <span class="dd-text-muted"> stopped</span>
                   </span>
                 </div>
-                <span class="text-[0.625rem] dd-text-muted">{{ agent.lastSeen }}</span>
+                <span class="text-2xs dd-text-muted">{{ agent.lastSeen }}</span>
               </div>
             </template>
           </DataCardGrid>
@@ -648,65 +658,52 @@ function getConfigFields(agent: Agent): AgentDetailField[] {
                              item-key="id"
                              :selected-key="selectedAgent?.id ?? null">
             <template #header="{ item: agent }">
-              <div class="w-2.5 h-2.5 rounded-full shrink-0"
-                   :style="{ backgroundColor: agent.status === 'connected' ? 'var(--dd-success)' : 'var(--dd-danger)' }" />
+              <StatusDot :status="agent.status" size="lg" v-tooltip.top="agent.status === 'connected' ? 'Connected' : 'Disconnected'" />
               <div class="min-w-0 flex-1">
                 <div class="text-sm font-semibold truncate dd-text">{{ agent.name }}</div>
-                <div class="text-[0.625rem] mt-0.5 truncate dd-text-muted">{{ agent.host }}</div>
+                <div class="text-2xs mt-0.5 truncate dd-text-muted">{{ agent.host }}</div>
               </div>
               <div class="flex items-center gap-1.5 shrink-0">
-                <span class="badge text-[0.5625rem] font-bold hidden md:inline-flex"
-                      :style="{
-                        backgroundColor: agent.status === 'connected' ? 'var(--dd-success-muted)' : 'var(--dd-danger-muted)',
-                        color: agent.status === 'connected' ? 'var(--dd-success)' : 'var(--dd-danger)',
-                      }">
+                <AppBadge :tone="agent.status === 'connected' ? 'success' : 'danger'" size="xs" class="hidden md:inline-flex">
                   {{ agent.status }}
-                </span>
-                <span class="text-[0.625rem] dd-text-secondary">
+                </AppBadge>
+                <span class="text-2xs dd-text-secondary">
                   {{ agent.containers.running }}/{{ agent.containers.total }}
                 </span>
-                <span class="text-[0.625rem] dd-text-muted">{{ agent.lastSeen }}</span>
+                <span class="text-2xs dd-text-muted">{{ agent.lastSeen }}</span>
               </div>
             </template>
             <template #details="{ item: agent }">
               <div class="grid grid-cols-1 sm:grid-cols-2 lg:grid-cols-3 gap-x-8 gap-y-3 mt-2">
-                <div>
-                  <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-0.5 dd-text-muted">Docker</div>
-                  <div class="text-xs font-mono" :class="agent.dockerVersion ? 'dd-text' : 'dd-text-muted'">{{ agent.dockerVersion ?? '—' }}</div>
-                </div>
-                <div>
-                  <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-0.5 dd-text-muted">OS</div>
-                  <div class="text-xs" :class="agent.os ? 'dd-text' : 'dd-text-muted'">{{ agent.os ?? '—' }}</div>
-                </div>
-                <div>
-                  <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-0.5 dd-text-muted">Architecture</div>
-                  <div class="text-xs" :class="agent.arch ? 'dd-text' : 'dd-text-muted'">{{ agent.arch ?? '—' }}</div>
-                </div>
-                <div>
-                  <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-0.5 dd-text-muted">Version</div>
-                  <div class="text-xs font-mono" :class="agent.version ? 'dd-text' : 'dd-text-muted'">{{ agent.version ? `v${agent.version}` : '—' }}</div>
-                </div>
-                <div>
-                  <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-0.5 dd-text-muted">Uptime</div>
-                  <div class="text-xs" :class="agent.uptime ? 'dd-text' : 'dd-text-muted'">{{ agent.uptime ?? '—' }}</div>
-                </div>
-                <div>
-                  <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-0.5 dd-text-muted">Containers</div>
-                  <div class="text-xs dd-text">
-                    <span class="font-bold" style="color: var(--dd-success);">{{ agent.containers.running }}</span>
-                    <span class="dd-text-muted"> running / </span>
-                    <span>{{ agent.containers.total }}</span>
-                    <span class="dd-text-muted"> total</span>
-                  </div>
-                </div>
+                <DetailField label="Docker" mono compact>
+                  <span :class="agent.dockerVersion ? '' : 'dd-text-muted'">{{ agent.dockerVersion ?? '—' }}</span>
+                </DetailField>
+                <DetailField label="OS" compact>
+                  <span :class="agent.os ? '' : 'dd-text-muted'">{{ agent.os ?? '—' }}</span>
+                </DetailField>
+                <DetailField label="Architecture" compact>
+                  <span :class="agent.arch ? '' : 'dd-text-muted'">{{ agent.arch ?? '—' }}</span>
+                </DetailField>
+                <DetailField label="Version" mono compact>
+                  <span :class="agent.version ? '' : 'dd-text-muted'">{{ agent.version ? `v${agent.version}` : '—' }}</span>
+                </DetailField>
+                <DetailField label="Uptime" compact>
+                  <span :class="agent.uptime ? '' : 'dd-text-muted'">{{ agent.uptime ?? '—' }}</span>
+                </DetailField>
+                <DetailField label="Containers" compact>
+                  <span class="font-bold" style="color: var(--dd-success);">{{ agent.containers.running }}</span>
+                  <span class="dd-text-muted"> running / </span>
+                  <span>{{ agent.containers.total }}</span>
+                  <span class="dd-text-muted"> total</span>
+                </DetailField>
               </div>
               <!-- Action buttons -->
               <div class="mt-4 pt-3 flex items-center gap-2" :style="{ borderTop: '1px solid var(--dd-border)' }">
-                <button class="inline-flex items-center gap-1.5 px-3 py-1.5 dd-rounded text-[0.6875rem] font-medium transition-colors dd-text-secondary hover:dd-text hover:dd-bg-elevated"
+                <AppButton size="none" variant="plain" weight="none" class="inline-flex items-center gap-1.5 px-3 py-1.5 dd-rounded text-2xs-plus font-medium transition-colors dd-text-secondary hover:dd-text hover:dd-bg-elevated"
                         @click.stop="selectAgent(agent)">
                   <AppIcon name="info" :size="11" />
                   Details
-                </button>
+                </AppButton>
               </div>
             </template>
           </DataListAccordion>
@@ -729,38 +726,24 @@ function getConfigFields(agent: Agent): AgentDetailField[] {
           @update:open="agentPanelOpen = $event; if (!$event) selectedAgent = null">
           <template #header>
             <div class="flex items-center gap-2.5 min-w-0">
-              <div class="w-2.5 h-2.5 rounded-full shrink-0"
-                   :style="{ backgroundColor: selectedAgent?.status === 'connected' ? 'var(--dd-success)' : 'var(--dd-danger)' }" />
+              <StatusDot :status="selectedAgent?.status === 'connected' ? 'connected' : 'disconnected'" size="lg" v-tooltip.top="selectedAgent?.status === 'connected' ? 'Connected' : 'Disconnected'" />
               <span class="text-sm font-bold truncate dd-text">{{ selectedAgent?.name }}</span>
-              <span class="badge text-[0.5625rem] uppercase font-bold shrink-0"
-                    :style="{
-                      backgroundColor: selectedAgent?.status === 'connected' ? 'var(--dd-success-muted)' : 'var(--dd-danger-muted)',
-                      color: selectedAgent?.status === 'connected' ? 'var(--dd-success)' : 'var(--dd-danger)',
-                    }">
+              <AppBadge :tone="selectedAgent?.status === 'connected' ? 'success' : 'danger'" size="xs" class="shrink-0">
                 {{ selectedAgent?.status }}
-              </span>
+              </AppBadge>
             </div>
           </template>
 
           <template #subtitle>
-            <span class="text-[0.6875rem] font-mono dd-text-secondary">{{ selectedAgent?.host }}</span>
+            <span class="text-2xs-plus font-mono dd-text-secondary">{{ selectedAgent?.host }}</span>
           </template>
 
           <template #tabs>
-            <div class="shrink-0 flex px-4 gap-1"
-                 :style="{ borderBottom: '1px solid var(--dd-border)' }">
-              <button v-for="tab in agentDetailTabs" :key="tab.id"
-                      class="px-3 py-2.5 text-[0.6875rem] font-medium transition-colors relative"
-                      :class="agentDetailTab === tab.id
-                        ? 'text-drydock-secondary'
-                        : 'dd-text-muted hover:dd-text'"
-                      @click="agentDetailTab = tab.id">
-                <AppIcon :name="tab.icon" :size="12" class="mr-1" />
-                {{ tab.label }}
-                <div v-if="agentDetailTab === tab.id"
-                     class="absolute bottom-0 left-0 right-0 h-[2px] bg-drydock-secondary rounded-t-full" />
-              </button>
-            </div>
+            <AppTabBar
+              :tabs="agentDetailTabs"
+              :model-value="agentDetailTab"
+              @update:model-value="agentDetailTab = $event"
+            />
           </template>
 
           <!-- Tab content -->
@@ -770,6 +753,7 @@ function getConfigFields(agent: Agent): AgentDetailField[] {
               :agent="selectedAgent"
               :resource-fields="getResourceFields(selectedAgent)"
               :system-fields="getSystemFields(selectedAgent)"
+              @view-containers="router.push({ path: ROUTES.CONTAINERS, query: { filterServer: selectedAgent.name } })"
             />
 
             <AgentDetailLogsTab
diff --git a/ui/src/views/AuditView.vue b/ui/src/views/AuditView.vue
index 85fba1577..15fcf78dc 100644
--- a/ui/src/views/AuditView.vue
+++ b/ui/src/views/AuditView.vue
@@ -1,6 +1,9 @@
 <script setup lang="ts">
 import { computed, onMounted, ref, watch } from 'vue';
 import { useRoute } from 'vue-router';
+import AppBadge from '../components/AppBadge.vue';
+import AppIconButton from '../components/AppIconButton.vue';
+import DetailField from '../components/DetailField.vue';
 import { useBreakpoints } from '../composables/useBreakpoints';
 import { useViewMode } from '../preferences/useViewMode';
 import { getAuditLog } from '../services/audit';
@@ -212,12 +215,12 @@ onMounted(fetchAudit);
 <template>
   <DataViewLayout>
     <div v-if="error"
-         class="mb-3 px-3 py-2 text-[0.6875rem] dd-rounded"
+         class="mb-3 px-3 py-2 text-2xs-plus dd-rounded"
          :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }">
       {{ error }}
     </div>
 
-    <div v-if="loading" class="text-[0.6875rem] dd-text-muted py-3 px-1">Loading audit log...</div>
+    <div v-if="loading" class="text-2xs-plus dd-text-muted py-3 px-1">Loading audit log...</div>
 
     <!-- Filter bar -->
     <DataFilterBar
@@ -231,14 +234,14 @@ onMounted(fetchAudit);
         <input v-model="searchQuery"
                type="text"
                placeholder="Filter by target or event..."
-               class="flex-1 min-w-[120px] max-w-[240px] px-2.5 py-1.5 dd-rounded text-[0.6875rem] font-medium outline-none dd-bg dd-text dd-placeholder" />
+               class="flex-1 min-w-[120px] max-w-[var(--dd-layout-filter-max-width)] px-2.5 py-1.5 dd-rounded text-2xs-plus font-medium outline-none dd-bg dd-text dd-placeholder" />
         <input v-model="containerFilter"
                name="container-name"
                type="text"
                placeholder="Container name..."
-               class="min-w-[140px] max-w-[220px] px-2.5 py-1.5 dd-rounded text-[0.6875rem] font-medium outline-none dd-bg dd-text dd-placeholder" />
+               class="min-w-[140px] max-w-[220px] px-2.5 py-1.5 dd-rounded text-2xs-plus font-medium outline-none dd-bg dd-text dd-placeholder" />
         <select v-model="actionFilter"
-                class="px-2.5 py-1.5 dd-rounded text-[0.6875rem] font-medium outline-none dd-bg dd-text">
+                class="px-2.5 py-1.5 dd-rounded text-2xs-plus font-medium outline-none dd-bg dd-text">
           <option value="">All events</option>
           <option v-for="a in actionTypes" :key="a" :value="a">{{ actionLabel(a) }}</option>
         </select>
@@ -246,17 +249,17 @@ onMounted(fetchAudit);
                name="from-date"
                type="date"
                aria-label="From date"
-               class="px-2.5 py-1.5 dd-rounded text-[0.6875rem] font-medium outline-none dd-bg dd-text" />
+               class="px-2.5 py-1.5 dd-rounded text-2xs-plus font-medium outline-none dd-bg dd-text" />
         <input v-model="toDateFilter"
                name="to-date"
                type="date"
                aria-label="To date"
-               class="px-2.5 py-1.5 dd-rounded text-[0.6875rem] font-medium outline-none dd-bg dd-text" />
-        <button v-if="activeFilterCount > 0"
-                class="text-[0.625rem] dd-text-muted hover:dd-text transition-colors"
+               class="px-2.5 py-1.5 dd-rounded text-2xs-plus font-medium outline-none dd-bg dd-text" />
+        <AppButton size="none" variant="plain" weight="none" v-if="activeFilterCount > 0"
+                class="text-2xs dd-text-muted hover:dd-text transition-colors"
                 @click="clearFilters">
           Clear
-        </button>
+        </AppButton>
       </template>
     </DataFilterBar>
 
@@ -270,30 +273,30 @@ onMounted(fetchAudit);
       @row-click="openDetail($event)"
     >
       <template #cell-timestamp="{ row }">
-        <span class="whitespace-nowrap text-[0.625rem] font-mono dd-text-secondary">{{ formatTimestamp(row.timestamp) }}</span>
+        <span class="whitespace-nowrap text-2xs font-mono dd-text-secondary">{{ formatTimestamp(row.timestamp) }}</span>
       </template>
       <template #cell-action="{ row }">
         <div class="flex items-center gap-2">
           <AppIcon :name="actionIcon(row.action)" :size="12" class="dd-text-secondary shrink-0" />
-          <span class="font-medium text-[0.6875rem] dd-text">{{ actionLabel(row.action) }}</span>
+          <span class="font-medium text-2xs-plus dd-text">{{ actionLabel(row.action) }}</span>
         </div>
       </template>
       <template #cell-containerName="{ row }">
-        <span class="font-mono text-[0.6875rem] dd-text">{{ row.containerName }}</span>
+        <span class="font-mono text-2xs-plus dd-text">{{ row.containerName }}</span>
       </template>
       <template #cell-status="{ row }">
         <AppIcon :name="row.status === 'success' ? 'check' : row.status === 'error' ? 'xmark' : 'info'" :size="13" class="shrink-0 md:!hidden"
-                 :style="{ color: statusColor(row.status) }" />
-        <span class="badge text-[0.5625rem] font-bold max-md:!hidden"
-              :style="{ backgroundColor: statusBg(row.status), color: statusColor(row.status) }">
+                 :style="{ color: statusColor(row.status) }"
+                 v-tooltip.top="row.status" />
+        <AppBadge :custom="{ bg: statusBg(row.status), text: statusColor(row.status) }" size="xs" class="max-md:!hidden">
           {{ row.status }}
-        </span>
+        </AppBadge>
       </template>
       <template #cell-details="{ row }">
-        <span v-if="row.fromVersion || row.toVersion" class="text-[0.625rem] font-mono dd-text-secondary whitespace-nowrap">
+        <span v-if="row.fromVersion || row.toVersion" class="text-2xs font-mono dd-text-secondary whitespace-nowrap">
           {{ row.fromVersion }}{{ row.fromVersion && row.toVersion ? ' → ' : '' }}{{ row.toVersion }}
         </span>
-        <span v-else-if="row.details" class="text-[0.625rem] dd-text-muted truncate max-w-[200px] inline-block">{{ row.details }}</span>
+        <span v-else-if="row.details" class="text-2xs dd-text-muted truncate max-w-[200px] inline-block">{{ row.details }}</span>
         <span v-else class="dd-text-muted">—</span>
       </template>
     </DataTable>
@@ -312,16 +315,15 @@ onMounted(fetchAudit);
             <AppIcon :name="actionIcon(entry.action)" :size="14" class="dd-text-secondary shrink-0 mt-0.5" />
             <div class="min-w-0">
               <div class="text-sm font-semibold truncate dd-text">{{ actionLabel(entry.action) }}</div>
-              <div class="text-[0.6875rem] truncate mt-0.5 dd-text-muted font-mono">{{ entry.containerName }}</div>
+              <div class="text-2xs-plus truncate mt-0.5 dd-text-muted font-mono">{{ entry.containerName }}</div>
             </div>
           </div>
-          <span class="badge text-[0.5625rem] font-bold shrink-0 ml-2"
-                :style="{ backgroundColor: statusBg(entry.status), color: statusColor(entry.status) }">
+          <AppBadge :custom="{ bg: statusBg(entry.status), text: statusColor(entry.status) }" size="xs" class="shrink-0 ml-2">
             {{ entry.status }}
-          </span>
+          </AppBadge>
         </div>
         <div class="px-4 py-3">
-          <div class="grid grid-cols-2 gap-2 text-[0.6875rem]">
+          <div class="grid grid-cols-2 gap-2 text-2xs-plus">
             <div>
               <span class="dd-text-muted">Time</span>
               <span class="ml-1 font-semibold dd-text">{{ formatTimestamp(entry.timestamp) }}</span>
@@ -334,7 +336,7 @@ onMounted(fetchAudit);
         </div>
         <div class="px-4 py-2.5 mt-auto"
              :style="{ borderTop: '1px solid var(--dd-border)', backgroundColor: 'var(--dd-bg-elevated)' }">
-          <span class="text-[0.625rem] dd-text-muted font-mono">{{ formatTimestamp(entry.timestamp) }}</span>
+          <span class="text-2xs dd-text-muted font-mono">{{ formatTimestamp(entry.timestamp) }}</span>
         </div>
       </template>
     </DataCardGrid>
@@ -351,40 +353,21 @@ onMounted(fetchAudit);
         <AppIcon :name="actionIcon(entry.action)" :size="14" class="dd-text-secondary shrink-0" />
         <div class="flex-1 min-w-0">
           <div class="text-sm font-semibold truncate dd-text">{{ actionLabel(entry.action) }}</div>
-          <div class="text-[0.625rem] font-mono dd-text-muted truncate mt-0.5">{{ entry.containerName }}</div>
+          <div class="text-2xs font-mono dd-text-muted truncate mt-0.5">{{ entry.containerName }}</div>
         </div>
-        <span class="text-[0.625rem] font-mono dd-text-muted shrink-0 hidden md:inline">{{ formatTimestamp(entry.timestamp) }}</span>
-        <span class="badge text-[0.5625rem] font-bold shrink-0"
-              :style="{ backgroundColor: statusBg(entry.status), color: statusColor(entry.status) }">
+        <span class="text-2xs font-mono dd-text-muted shrink-0 hidden md:inline">{{ formatTimestamp(entry.timestamp) }}</span>
+        <AppBadge :custom="{ bg: statusBg(entry.status), text: statusColor(entry.status) }" size="xs" class="shrink-0">
           {{ entry.status }}
-        </span>
+        </AppBadge>
       </template>
       <template #details="{ item: entry }">
         <div class="grid grid-cols-1 sm:grid-cols-2 gap-x-8 gap-y-3 mt-2">
-          <div>
-            <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-0.5 dd-text-muted">Timestamp</div>
-            <div class="text-xs font-mono dd-text">{{ formatTimestamp(entry.timestamp) }}</div>
-          </div>
-          <div>
-            <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-0.5 dd-text-muted">{{ targetLabel(entry.action) }}</div>
-            <div class="text-xs font-mono dd-text">{{ entry.containerName }}</div>
-          </div>
-          <div v-if="entry.containerImage">
-            <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-0.5 dd-text-muted">Image</div>
-            <div class="text-xs font-mono dd-text">{{ entry.containerImage }}</div>
-          </div>
-          <div v-if="entry.fromVersion">
-            <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-0.5 dd-text-muted">From Version</div>
-            <div class="text-xs font-mono dd-text">{{ entry.fromVersion }}</div>
-          </div>
-          <div v-if="entry.toVersion">
-            <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-0.5 dd-text-muted">To Version</div>
-            <div class="text-xs font-mono dd-text">{{ entry.toVersion }}</div>
-          </div>
-          <div v-if="entry.details">
-            <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-0.5 dd-text-muted">Details</div>
-            <div class="text-xs font-mono dd-text">{{ entry.details }}</div>
-          </div>
+          <DetailField label="Timestamp" mono compact>{{ formatTimestamp(entry.timestamp) }}</DetailField>
+          <DetailField :label="targetLabel(entry.action)" mono compact>{{ entry.containerName }}</DetailField>
+          <DetailField v-if="entry.containerImage" label="Image" mono compact>{{ entry.containerImage }}</DetailField>
+          <DetailField v-if="entry.fromVersion" label="From Version" mono compact>{{ entry.fromVersion }}</DetailField>
+          <DetailField v-if="entry.toVersion" label="To Version" mono compact>{{ entry.toVersion }}</DetailField>
+          <DetailField v-if="entry.details" label="Details" mono compact>{{ entry.details }}</DetailField>
         </div>
       </template>
     </DataListAccordion>
@@ -392,20 +375,20 @@ onMounted(fetchAudit);
     <!-- Pagination -->
     <div v-if="total > limit" class="flex items-center justify-between px-4 py-2.5"
          :style="{ borderTop: '1px solid var(--dd-border)' }">
-      <span class="text-[0.6875rem] dd-text-muted">
+      <span class="text-2xs-plus dd-text-muted">
         Page {{ page }} of {{ totalPages }} ({{ total }} entries)
       </span>
       <div class="flex items-center gap-1.5">
-        <button class="px-2.5 py-1 dd-rounded text-[0.6875rem] font-medium dd-bg dd-text disabled:opacity-40"
+        <AppIconButton icon="chevron-left" size="toolbar" variant="plain"
+                class="dd-bg dd-text hover:dd-bg-elevated"
                 :disabled="page <= 1"
-                @click="prevPage">
-          <AppIcon name="chevron-left" :size="11" />
-        </button>
-        <button class="px-2.5 py-1 dd-rounded text-[0.6875rem] font-medium dd-bg dd-text disabled:opacity-40"
+                v-tooltip.top="'Previous page'"
+                @click="prevPage" />
+        <AppIconButton icon="chevron-right" size="toolbar" variant="plain"
+                class="dd-bg dd-text hover:dd-bg-elevated"
                 :disabled="page >= totalPages"
-                @click="nextPage">
-          <AppIcon name="chevron-right" :size="11" />
-        </button>
+                v-tooltip.top="'Next page'"
+                @click="nextPage" />
       </div>
     </div>
 
@@ -430,51 +413,38 @@ onMounted(fetchAudit);
           <div class="flex items-center gap-2.5 min-w-0">
             <AppIcon v-if="selectedEntry" :name="actionIcon(selectedEntry.action)" :size="14" class="dd-text-secondary shrink-0" />
             <span class="text-sm font-bold truncate dd-text">{{ selectedEntry ? actionLabel(selectedEntry.action) : '' }}</span>
-            <span v-if="selectedEntry" class="badge text-[0.5625rem] font-bold shrink-0"
-                  :style="{ backgroundColor: statusBg(selectedEntry.status), color: statusColor(selectedEntry.status) }">
+            <AppBadge v-if="selectedEntry" :custom="{ bg: statusBg(selectedEntry.status), text: statusColor(selectedEntry.status) }" size="xs" class="shrink-0">
               {{ selectedEntry.status }}
-            </span>
+            </AppBadge>
           </div>
         </template>
 
         <template #subtitle>
-          <span class="text-[0.6875rem] font-mono dd-text-secondary">{{ selectedEntry?.containerName }}</span>
+          <span class="text-2xs-plus font-mono dd-text-secondary">{{ selectedEntry?.containerName }}</span>
         </template>
 
         <template v-if="selectedEntry" #default>
           <div class="p-4 space-y-5">
-            <div>
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-1 dd-text-muted">Timestamp</div>
-              <div class="text-xs font-mono dd-text">{{ formatTimestamp(selectedEntry.timestamp) }}</div>
-            </div>
-            <div>
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-1 dd-text-muted">Event</div>
-              <div class="text-xs font-medium dd-text">{{ actionLabel(selectedEntry.action) }}</div>
-            </div>
-            <div>
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-1 dd-text-muted">{{ targetLabel(selectedEntry.action) }}</div>
-              <div class="text-xs font-mono dd-text break-all">{{ selectedEntry.containerName }}</div>
-            </div>
-            <div v-if="selectedEntry.containerImage">
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-1 dd-text-muted">Image</div>
-              <div class="text-xs font-mono dd-text break-all">{{ selectedEntry.containerImage }}</div>
-            </div>
-            <div v-if="selectedEntry.fromVersion">
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-1 dd-text-muted">From Version</div>
-              <div class="text-xs font-mono dd-text break-all">{{ selectedEntry.fromVersion }}</div>
-            </div>
-            <div v-if="selectedEntry.toVersion">
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-1 dd-text-muted">To Version</div>
-              <div class="text-xs font-mono dd-text break-all">{{ selectedEntry.toVersion }}</div>
-            </div>
-            <div v-if="selectedEntry.triggerName">
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-1 dd-text-muted">Trigger</div>
-              <div class="text-xs font-mono dd-text">{{ selectedEntry.triggerName }}</div>
-            </div>
-            <div v-if="selectedEntry.details">
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-1 dd-text-muted">Details</div>
-              <div class="text-xs font-mono dd-text break-all">{{ selectedEntry.details }}</div>
-            </div>
+            <DetailField label="Timestamp" mono>{{ formatTimestamp(selectedEntry.timestamp) }}</DetailField>
+            <DetailField label="Event">
+              <span class="font-medium">{{ actionLabel(selectedEntry.action) }}</span>
+            </DetailField>
+            <DetailField :label="targetLabel(selectedEntry.action)" mono>
+              <span class="break-all">{{ selectedEntry.containerName }}</span>
+            </DetailField>
+            <DetailField v-if="selectedEntry.containerImage" label="Image" mono>
+              <span class="break-all">{{ selectedEntry.containerImage }}</span>
+            </DetailField>
+            <DetailField v-if="selectedEntry.fromVersion" label="From Version" mono>
+              <span class="break-all">{{ selectedEntry.fromVersion }}</span>
+            </DetailField>
+            <DetailField v-if="selectedEntry.toVersion" label="To Version" mono>
+              <span class="break-all">{{ selectedEntry.toVersion }}</span>
+            </DetailField>
+            <DetailField v-if="selectedEntry.triggerName" label="Trigger" mono>{{ selectedEntry.triggerName }}</DetailField>
+            <DetailField v-if="selectedEntry.details" label="Details" mono>
+              <span class="break-all">{{ selectedEntry.details }}</span>
+            </DetailField>
           </div>
         </template>
       </DetailPanel>
diff --git a/ui/src/views/AuthView.vue b/ui/src/views/AuthView.vue
index 0312bec6a..2cb949e34 100644
--- a/ui/src/views/AuthView.vue
+++ b/ui/src/views/AuthView.vue
@@ -1,6 +1,8 @@
 <script setup lang="ts">
 import { computed, onMounted, ref, watch } from 'vue';
 import { useRoute } from 'vue-router';
+import AppBadge from '../components/AppBadge.vue';
+import DetailField from '../components/DetailField.vue';
 import { useBreakpoints } from '../composables/useBreakpoints';
 import { useViewMode } from '../preferences/useViewMode';
 import { getAllAuthentications, getAuthentication } from '../services/authentication';
@@ -122,12 +124,12 @@ onMounted(async () => {
 <template>
   <DataViewLayout>
       <div v-if="error"
-           class="mb-3 px-3 py-2 text-[0.6875rem] dd-rounded"
+           class="mb-3 px-3 py-2 text-2xs-plus dd-rounded"
            :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }">
         {{ error }}
       </div>
 
-      <div v-if="loading" class="text-[0.6875rem] dd-text-muted py-3 px-1">
+      <div v-if="loading" class="text-2xs-plus dd-text-muted py-3 px-1">
         Loading authentication providers...
       </div>
 
@@ -142,12 +144,12 @@ onMounted(async () => {
           <input v-model="searchQuery"
                  type="text"
                  placeholder="Filter by name..."
-                 class="flex-1 min-w-[120px] max-w-[240px] px-2.5 py-1.5 dd-rounded text-[0.6875rem] font-medium outline-none dd-bg dd-text dd-placeholder" />
-          <button v-if="searchQuery"
-                  class="text-[0.625rem] dd-text-muted hover:dd-text transition-colors"
+                 class="flex-1 min-w-[120px] max-w-[var(--dd-layout-filter-max-width)] px-2.5 py-1.5 dd-rounded text-2xs-plus font-medium outline-none dd-bg dd-text dd-placeholder" />
+          <AppButton size="none" variant="text-muted" weight="medium" class="text-2xs" v-if="searchQuery"
+                  
                   @click="searchQuery = ''">
             Clear
-          </button>
+          </AppButton>
         </template>
       </DataFilterBar>
 
@@ -163,21 +165,16 @@ onMounted(async () => {
           <span class="font-medium dd-text">{{ row.name }}</span>
         </template>
         <template #cell-type="{ row }">
-          <span class="badge text-[0.5625rem] uppercase font-bold"
-                :style="{ backgroundColor: authTypeBadge(row.type).bg, color: authTypeBadge(row.type).text }">
+          <AppBadge :custom="{ bg: authTypeBadge(row.type).bg, text: authTypeBadge(row.type).text }" size="xs">
             {{ authTypeBadge(row.type).label }}
-          </span>
+          </AppBadge>
         </template>
         <template #cell-status="{ row }">
           <AppIcon :name="row.status === 'active' ? 'check' : 'xmark'" :size="13" class="shrink-0 md:!hidden"
                    :style="{ color: row.status === 'active' ? 'var(--dd-success)' : 'var(--dd-neutral)' }" />
-          <span class="badge text-[0.5625rem] font-bold max-md:!hidden"
-                :style="{
-                  backgroundColor: row.status === 'active' ? 'var(--dd-success-muted)' : 'var(--dd-neutral-muted)',
-                  color: row.status === 'active' ? 'var(--dd-success)' : 'var(--dd-neutral)',
-                }">
+          <AppBadge :tone="row.status === 'active' ? 'success' : 'neutral'" size="xs" class="max-md:!hidden">
             {{ row.status }}
-          </span>
+          </AppBadge>
         </template>
         <template #empty>
           <EmptyState icon="filter" message="No providers match your filters" :show-clear="activeFilterCount > 0" @clear="searchQuery = ''" />
@@ -194,18 +191,17 @@ onMounted(async () => {
         <template #card="{ item: auth }">
           <div class="px-4 pt-4 pb-2 flex items-start justify-between">
             <div class="min-w-0">
-              <div class="text-[0.9375rem] font-semibold truncate dd-text">{{ auth.name }}</div>
+              <div class="text-sm-plus font-semibold truncate dd-text">{{ auth.name }}</div>
             </div>
-            <span class="badge text-[0.5625rem] uppercase font-bold shrink-0 ml-2"
-                  :style="{ backgroundColor: authTypeBadge(auth.type).bg, color: authTypeBadge(auth.type).text }">
+            <AppBadge :custom="{ bg: authTypeBadge(auth.type).bg, text: authTypeBadge(auth.type).text }" size="xs" class="shrink-0 ml-2">
               {{ authTypeBadge(auth.type).label }}
-            </span>
+            </AppBadge>
           </div>
           <div class="px-4 py-3">
-            <div class="grid grid-cols-1 gap-2 text-[0.6875rem]">
+            <div class="grid grid-cols-1 gap-2 text-2xs-plus">
               <div v-for="(val, key) in auth.config" :key="key">
                 <span class="dd-text-muted">{{ key }}</span>
-                <div class="font-semibold truncate dd-text font-mono text-[0.625rem]">{{ val }}</div>
+                <div class="font-semibold truncate dd-text font-mono text-2xs">{{ val }}</div>
               </div>
             </div>
           </div>
@@ -213,13 +209,9 @@ onMounted(async () => {
                :style="{ borderTop: '1px solid var(--dd-border)', backgroundColor: 'var(--dd-bg-elevated)' }">
             <AppIcon :name="auth.status === 'active' ? 'check' : 'xmark'" :size="13" class="shrink-0 md:!hidden"
                      :style="{ color: auth.status === 'active' ? 'var(--dd-success)' : 'var(--dd-neutral)' }" />
-            <span class="badge text-[0.5625rem] font-bold max-md:!hidden"
-                  :style="{
-                    backgroundColor: auth.status === 'active' ? 'var(--dd-success-muted)' : 'var(--dd-neutral-muted)',
-                    color: auth.status === 'active' ? 'var(--dd-success)' : 'var(--dd-neutral)',
-                  }">
+            <AppBadge :tone="auth.status === 'active' ? 'success' : 'neutral'" size="xs" class="max-md:!hidden">
               {{ auth.status }}
-            </span>
+            </AppBadge>
           </div>
         </template>
       </DataCardGrid>
@@ -234,25 +226,16 @@ onMounted(async () => {
         <template #header="{ item: auth }">
           <AppIcon name="auth" :size="14" class="dd-text-secondary" />
           <span class="text-sm font-semibold flex-1 min-w-0 truncate dd-text">{{ auth.name }}</span>
-          <span class="badge text-[0.5625rem] uppercase font-bold shrink-0"
-                :style="{ backgroundColor: authTypeBadge(auth.type).bg, color: authTypeBadge(auth.type).text }">
+          <AppBadge :custom="{ bg: authTypeBadge(auth.type).bg, text: authTypeBadge(auth.type).text }" size="xs" class="shrink-0">
             {{ authTypeBadge(auth.type).label }}
-          </span>
+          </AppBadge>
         </template>
         <template #details="{ item: auth }">
           <div class="grid grid-cols-1 sm:grid-cols-2 gap-x-8 gap-y-3 mt-2">
-            <div v-for="(val, key) in auth.config" :key="key">
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-0.5 dd-text-muted">{{ key }}</div>
-              <div class="text-xs font-mono dd-text">{{ val }}</div>
-            </div>
-            <div>
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-0.5 dd-text-muted">Status</div>
-              <span class="badge text-[0.625rem] font-semibold"
-                    :style="{
-                      backgroundColor: auth.status === 'active' ? 'var(--dd-success-muted)' : 'var(--dd-neutral-muted)',
-                      color: auth.status === 'active' ? 'var(--dd-success)' : 'var(--dd-neutral)',
-                    }">{{ auth.status }}</span>
-            </div>
+            <DetailField v-for="(val, key) in auth.config" :key="key" :label="String(key)" mono compact>{{ val }}</DetailField>
+            <DetailField label="Status" compact>
+              <AppBadge :tone="auth.status === 'active' ? 'success' : 'neutral'" size="sm" :uppercase="false">{{ auth.status }}</AppBadge>
+            </DetailField>
           </div>
         </template>
       </DataListAccordion>
@@ -276,40 +259,34 @@ onMounted(async () => {
         <template #header>
           <div class="flex items-center gap-2.5 min-w-0">
             <span class="text-sm font-bold truncate dd-text">{{ selectedAuth?.name }}</span>
-            <span v-if="selectedAuth" class="badge text-[0.5625rem] uppercase font-bold shrink-0"
-                  :style="{ backgroundColor: authTypeBadge(selectedAuth.type).bg, color: authTypeBadge(selectedAuth.type).text }">
+            <AppBadge v-if="selectedAuth" :custom="{ bg: authTypeBadge(selectedAuth.type).bg, text: authTypeBadge(selectedAuth.type).text }" size="xs" class="shrink-0">
               {{ authTypeBadge(selectedAuth.type).label }}
-            </span>
+            </AppBadge>
           </div>
         </template>
 
         <template #subtitle>
-          <span v-if="selectedAuth" class="badge text-[0.5625rem] font-bold"
-                :style="{
-                  backgroundColor: selectedAuth.status === 'active' ? 'var(--dd-success-muted)' : 'var(--dd-neutral-muted)',
-                  color: selectedAuth.status === 'active' ? 'var(--dd-success)' : 'var(--dd-neutral)',
-                }">
+          <AppBadge v-if="selectedAuth" :tone="selectedAuth.status === 'active' ? 'success' : 'neutral'" size="xs">
             {{ selectedAuth.status }}
-          </span>
+          </AppBadge>
         </template>
 
         <template v-if="selectedAuth" #default>
           <div class="p-4 space-y-5">
-            <div v-if="detailLoading" class="text-[0.6875rem] dd-text-muted">
+            <div v-if="detailLoading" class="text-2xs-plus dd-text-muted">
               Refreshing authentication details...
             </div>
             <div v-if="detailError"
-                 class="px-3 py-2 text-[0.6875rem] dd-rounded"
+                 class="px-3 py-2 text-2xs-plus dd-rounded"
                  :style="{ backgroundColor: 'var(--dd-warning-muted)', color: 'var(--dd-warning)' }">
               {{ detailError }}
             </div>
 
-            <div v-for="(val, key) in selectedAuth.config" :key="key">
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-1 dd-text-muted">{{ key }}</div>
-              <div class="text-xs font-mono dd-text break-all">{{ val }}</div>
-            </div>
+            <DetailField v-for="(val, key) in selectedAuth.config" :key="key" :label="String(key)" mono>
+              <span class="break-all">{{ val }}</span>
+            </DetailField>
             <div v-if="Object.keys(selectedAuth.config).length === 0">
-              <div class="text-[0.6875rem] dd-text-muted">No configuration properties</div>
+              <div class="text-2xs-plus dd-text-muted">No configuration properties</div>
             </div>
           </div>
         </template>
diff --git a/ui/src/views/ConfigView.vue b/ui/src/views/ConfigView.vue
index 4e9f4d014..aab784bf4 100644
--- a/ui/src/views/ConfigView.vue
+++ b/ui/src/views/ConfigView.vue
@@ -4,6 +4,7 @@ import { useRoute, useRouter } from 'vue-router';
 import { disableIconifyApi } from '../boot/icons';
 import { type FontId, fontOptions, useFont } from '../composables/useFont';
 import { useIcons } from '../composables/useIcons';
+import AppTabBar from '../components/AppTabBar.vue';
 import ConfigAppearanceTab from '../components/config/ConfigAppearanceTab.vue';
 import ConfigGeneralTab from '../components/config/ConfigGeneralTab.vue';
 import ConfigProfileTab from '../components/config/ConfigProfileTab.vue';
@@ -11,6 +12,7 @@ import { type IconLibrary, iconMap, libraryLabels } from '../icons';
 import { themeFamilies } from '../theme/palettes';
 import { getAppInfos } from '../services/app';
 import { getUser } from '../services/auth';
+import { downloadDebugDump } from '../services/debug';
 import { getServer } from '../services/server';
 import { clearIconCache, getSettings, updateSettings } from '../services/settings';
 import { getStore } from '../services/store';
@@ -119,73 +121,6 @@ const internetlessMode = ref(false);
 const settingsLoading = ref(false);
 const settingsError = ref('');
 
-interface LegacyInputSourceSummary {
-  total: number;
-  keys: string[];
-}
-
-interface LegacyInputSummary {
-  total: number;
-  env: LegacyInputSourceSummary;
-  label: LegacyInputSourceSummary;
-}
-
-const LEGACY_KEY_PREVIEW_LIMIT = 6;
-const legacyInputSummary = ref<LegacyInputSummary | null>(null);
-const hasLegacyCompatibilityInputs = computed(() => (legacyInputSummary.value?.total ?? 0) > 0);
-const legacyEnvKeysPreview = computed(() =>
-  summarizeLegacyKeys(legacyInputSummary.value?.env.keys ?? []),
-);
-const legacyLabelKeysPreview = computed(() =>
-  summarizeLegacyKeys(legacyInputSummary.value?.label.keys ?? []),
-);
-
-function normalizeLegacyInputSourceSummary(rawValue: unknown): LegacyInputSourceSummary {
-  const parsedTotal = Number((rawValue as { total?: unknown })?.total);
-  const parsedKeys = Array.isArray((rawValue as { keys?: unknown })?.keys)
-    ? (rawValue as { keys: unknown[] }).keys.filter(
-        (value): value is string => typeof value === 'string',
-      )
-    : [];
-  const uniqueKeys = Array.from(new Set(parsedKeys)).sort((a, b) => a.localeCompare(b));
-  const total =
-    Number.isFinite(parsedTotal) && parsedTotal >= 0
-      ? Math.max(Math.floor(parsedTotal), uniqueKeys.length)
-      : uniqueKeys.length;
-  return { total, keys: uniqueKeys };
-}
-
-function normalizeLegacyInputSummary(rawValue: unknown): LegacyInputSummary | null {
-  if (!rawValue || typeof rawValue !== 'object') {
-    return null;
-  }
-  const env = normalizeLegacyInputSourceSummary((rawValue as { env?: unknown }).env);
-  const label = normalizeLegacyInputSourceSummary((rawValue as { label?: unknown }).label);
-  const parsedTotal = Number((rawValue as { total?: unknown }).total);
-  const totalFromKeys = env.total + label.total;
-  const total =
-    Number.isFinite(parsedTotal) && parsedTotal >= 0
-      ? Math.max(Math.floor(parsedTotal), totalFromKeys)
-      : totalFromKeys;
-
-  if (total <= 0) {
-    return null;
-  }
-
-  return { total, env, label };
-}
-
-function summarizeLegacyKeys(keys: string[]): string {
-  if (keys.length === 0) {
-    return '';
-  }
-  const previewKeys = keys.slice(0, LEGACY_KEY_PREVIEW_LIMIT);
-  const hiddenCount = keys.length - previewKeys.length;
-  return hiddenCount > 0
-    ? `${previewKeys.join(', ')} (+${hiddenCount} more)`
-    : previewKeys.join(', ');
-}
-
 // Profile state
 interface ProfileData {
   username: string;
@@ -248,7 +183,6 @@ async function loadGeneralSettingsData() {
       getSettings().catch(() => null),
     ]);
     const config = serverData?.configuration ?? {};
-    legacyInputSummary.value = normalizeLegacyInputSummary(serverData?.compatibility?.legacyInputs);
     const storeConfig = storeData?.configuration ?? {};
     webhookEnabled.value = Boolean(config.webhook?.enabled);
     const fields = [
@@ -274,7 +208,6 @@ async function loadGeneralSettingsData() {
     }
   } catch (e: unknown) {
     serverError.value = errorMessage(e, 'Failed to load server info');
-    legacyInputSummary.value = null;
     webhookEnabled.value = false;
     serverFields.value = [{ label: 'Error', value: 'Failed to load server info' }];
   } finally {
@@ -328,6 +261,8 @@ async function toggleInternetlessMode() {
 
 const cacheClearing = ref(false);
 const cacheCleared = ref<number | null>(null);
+const debugDumpDownloading = ref(false);
+const debugDumpError = ref('');
 
 async function handleClearIconCache() {
   settingsError.value = '';
@@ -343,6 +278,41 @@ async function handleClearIconCache() {
   }
 }
 
+function triggerBlobDownload(blob: Blob, filename: string): void {
+  const createObjectUrl = globalThis.URL?.createObjectURL;
+  if (typeof createObjectUrl !== 'function') {
+    throw new Error('Browser does not support file downloads');
+  }
+
+  const objectUrl = createObjectUrl(blob);
+  const link = document.createElement('a');
+  link.href = objectUrl;
+  link.download = filename;
+  link.style.display = 'none';
+  document.body.appendChild(link);
+  link.click();
+  document.body.removeChild(link);
+  URL.revokeObjectURL(objectUrl);
+}
+
+async function handleDownloadDebugDump() {
+  if (debugDumpDownloading.value) {
+    return;
+  }
+
+  debugDumpDownloading.value = true;
+  debugDumpError.value = '';
+
+  try {
+    const { blob, filename } = await downloadDebugDump();
+    triggerBlobDownload(blob, filename);
+  } catch (e: unknown) {
+    debugDumpError.value = errorMessage(e, 'Unable to download debug dump');
+  } finally {
+    debugDumpDownloading.value = false;
+  }
+}
+
 function handleSelectThemeFamily(familyId: string, event: Event) {
   transitionTheme(
     () => setThemeFamily(familyId as (typeof availableThemeFamilies)[number]['id']),
@@ -361,32 +331,18 @@ function handleSelectIconLibrary(library: string) {
 
 <template>
   <DataViewLayout>
-    <div class="flex gap-1 mb-6" :style="{ borderBottom: '1px solid var(--dd-border)' }">
-      <button
-        v-for="tab in settingsTabs"
-        :key="tab.id"
-        class="px-4 py-2.5 text-xs font-semibold transition-colors relative"
-        :class="activeSettingsTab === tab.id ? 'text-drydock-secondary' : 'dd-text-muted hover:dd-text'"
-        @click="router.replace({ query: { tab: tab.id } })"
-      >
-        <AppIcon :name="tab.icon" :size="12" class="mr-1.5" />
-        {{ tab.label }}
-        <div
-          v-if="activeSettingsTab === tab.id"
-          class="absolute bottom-0 left-0 right-0 h-[2px] bg-drydock-secondary rounded-t-full"
-        />
-      </button>
-    </div>
+    <AppTabBar
+      :tabs="settingsTabs"
+      :model-value="activeSettingsTab"
+      class="mb-6"
+      @update:model-value="router.replace({ query: { tab: $event } })"
+    />
 
     <ConfigGeneralTab
       v-if="activeSettingsTab === 'general'"
       :loading="loading"
       :server-error="serverError"
       :settings-error="settingsError"
-      :has-legacy-compatibility-inputs="hasLegacyCompatibilityInputs"
-      :legacy-input-summary="legacyInputSummary"
-      :legacy-env-keys-preview="legacyEnvKeysPreview"
-      :legacy-label-keys-preview="legacyLabelKeysPreview"
       :server-fields="serverFields"
       :store-fields="storeFields"
       :webhook-enabled="webhookEnabled"
@@ -396,8 +352,11 @@ function handleSelectIconLibrary(library: string) {
       :settings-loading="settingsLoading"
       :cache-clearing="cacheClearing"
       :cache-cleared="cacheCleared"
+      :debug-dump-downloading="debugDumpDownloading"
+      :debug-dump-error="debugDumpError"
       @toggle-internetless-mode="toggleInternetlessMode"
       @clear-icon-cache="handleClearIconCache"
+      @download-debug-dump="handleDownloadDebugDump"
     />
 
     <ConfigAppearanceTab
diff --git a/ui/src/views/ContainerLogsView.vue b/ui/src/views/ContainerLogsView.vue
new file mode 100644
index 000000000..7148c6432
--- /dev/null
+++ b/ui/src/views/ContainerLogsView.vue
@@ -0,0 +1,110 @@
+<script setup lang="ts">
+import { computed, onMounted, ref } from 'vue';
+import { useRoute, useRouter } from 'vue-router';
+import AppIconButton from '../components/AppIconButton.vue';
+import ContainerLogs from '../components/containers/ContainerLogs.vue';
+import { getAllContainers } from '../services/container';
+import type { Container } from '../types/container';
+import { mapApiContainer } from '../utils/container-mapper';
+import { ROUTES } from '../router/routes';
+
+const route = useRoute();
+const router = useRouter();
+
+const containerId = computed(() => {
+  const raw = route.params.id;
+  return typeof raw === 'string' ? raw : Array.isArray(raw) ? (raw[0] ?? '') : '';
+});
+
+const container = ref<Container | null>(null);
+const loading = ref(true);
+const error = ref('');
+
+async function loadContainer() {
+  loading.value = true;
+  error.value = '';
+  try {
+    const all = await getAllContainers();
+    const match = all.find((c) => c.id === containerId.value || c.name === containerId.value);
+    if (match) {
+      container.value = mapApiContainer(match);
+    } else {
+      error.value = `Container "${containerId.value}" not found`;
+    }
+  } catch {
+    error.value = 'Failed to load container info';
+  } finally {
+    loading.value = false;
+  }
+}
+
+onMounted(() => {
+  void loadContainer();
+});
+
+const containerName = computed(() => container.value?.name ?? containerId.value);
+const containerImage = computed(() => container.value?.image ?? '');
+const containerStatus = computed(() => container.value?.status ?? 'unknown');
+
+function goBack() {
+  router.push(ROUTES.CONTAINERS);
+}
+</script>
+
+<template>
+  <div class="flex-1 min-h-0 min-w-0 overflow-y-auto pr-2 sm:pr-[15px]">
+    <!-- Header -->
+    <div class="flex items-center gap-3 mb-3">
+      <AppIconButton
+        icon="arrow-left"
+        size="toolbar"
+        variant="plain"
+        class="dd-text-muted hover:dd-text"
+        tooltip="Back to containers"
+        aria-label="Back to containers"
+        @click="goBack"
+      />
+
+      <div class="flex flex-col gap-0.5 min-w-0">
+        <div class="flex items-center gap-2">
+          <h1 class="text-sm font-bold dd-text truncate">{{ containerName }}</h1>
+          <span
+            v-if="!loading"
+            class="shrink-0 px-1.5 py-0.5 dd-rounded text-3xs font-bold uppercase tracking-wider"
+            :style="{
+              backgroundColor: containerStatus === 'running' ? 'var(--dd-success-muted)' : 'var(--dd-danger-muted)',
+              color: containerStatus === 'running' ? 'var(--dd-success)' : 'var(--dd-danger)',
+            }"
+          >{{ containerStatus }}</span>
+        </div>
+        <span v-if="containerImage" class="text-2xs dd-text-muted truncate">{{ containerImage }}</span>
+      </div>
+
+      <div class="ml-auto text-2xs-plus font-semibold dd-text-muted uppercase tracking-wider">
+        Container Logs
+      </div>
+    </div>
+
+    <!-- Loading -->
+    <div v-if="loading" class="flex-1 flex items-center justify-center dd-text-muted text-xs">
+      Loading container...
+    </div>
+
+    <!-- Error -->
+    <div
+      v-else-if="error"
+      class="px-4 py-3 dd-rounded text-2xs-plus"
+      :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }"
+    >
+      {{ error }}
+    </div>
+
+    <!-- Log viewer (full height) -->
+    <ContainerLogs
+      v-else
+      class="flex-1 min-h-0"
+      :container-id="containerId"
+      :container-name="containerName"
+    />
+  </div>
+</template>
diff --git a/ui/src/views/ContainersView.vue b/ui/src/views/ContainersView.vue
index 19133c0ed..5bed5cb71 100644
--- a/ui/src/views/ContainersView.vue
+++ b/ui/src/views/ContainersView.vue
@@ -1,6 +1,6 @@
 <script setup lang="ts">
 import { computed, onMounted, onUnmounted, provide, ref, watch } from 'vue';
-import { useRoute } from 'vue-router';
+import { useRoute, useRouter } from 'vue-router';
 import ContainerFullPageDetail from '../components/containers/ContainerFullPageDetail.vue';
 import ContainerSideDetail from '../components/containers/ContainerSideDetail.vue';
 import ContainersListContent from '../components/containers/ContainersListContent.vue';
@@ -196,6 +196,7 @@ const {
   clearPolicySelected,
   clearMaturityPolicySelected,
   clearSkipsSelected,
+  confirmClearPolicy,
   confirmDelete,
   confirmForceUpdate,
   confirmUpdate,
@@ -291,45 +292,188 @@ const {
   clearFilters,
 } = useContainerFilters(containers);
 const route = useRoute();
-const VALID_FILTER_KINDS = new Set(['all', 'any', 'major', 'minor', 'patch', 'digest']);
+const router = useRouter();
+const VALID_FILTER_KIND_VALUES = ['all', 'a\u006Ey', 'major', 'minor', 'patch', 'digest'] as const;
+type FilterKindQueryValue = (typeof VALID_FILTER_KIND_VALUES)[number];
+const DEFAULT_FILTER_KIND: FilterKindQueryValue = 'all';
+const VALID_FILTER_KINDS: ReadonlySet<FilterKindQueryValue> = new Set(VALID_FILTER_KIND_VALUES);
+const DEFAULT_FILTER_VALUE = 'all';
+const QUERY_SYNC_KEYS = new Set([
+  'q',
+  'filterKind',
+  'filterStatus',
+  'filterRegistry',
+  'filterBouncer',
+  'filterServer',
+  'groupByStack',
+  'sort',
+] as const);
+const VALID_CONTAINER_SORT_KEYS = [
+  'name',
+  'image',
+  'status',
+  'server',
+  'registry',
+  'bouncer',
+  'kind',
+  'version',
+  'imageAge',
+] as const;
+type ContainerSortKey = (typeof VALID_CONTAINER_SORT_KEYS)[number];
+const DEFAULT_CONTAINER_SORT_KEY: ContainerSortKey = 'name';
+const DEFAULT_CONTAINER_SORT_ASC = true;
+const VALID_CONTAINER_SORT_KEYS_SET = new Set<string>(VALID_CONTAINER_SORT_KEYS);
+const isSyncingRouteFromState = ref(false);
+
+function isFilterKindQueryValue(value: string): value is FilterKindQueryValue {
+  return VALID_FILTER_KINDS.has(value as FilterKindQueryValue);
+}
+
+function firstQueryValue(value: unknown): string | undefined {
+  const raw = Array.isArray(value) ? value[0] : value;
+  return typeof raw === 'string' ? raw : undefined;
+}
+
+function isContainerSortKey(value: string): value is ContainerSortKey {
+  return VALID_CONTAINER_SORT_KEYS_SET.has(value);
+}
+
+function parseSortFromQuery(queryValue: unknown):
+  | {
+      key: ContainerSortKey;
+      asc: boolean;
+    }
+  | undefined {
+  const raw = firstQueryValue(queryValue);
+  if (!raw) {
+    return undefined;
+  }
+  if (raw === 'oldest-first') {
+    return { key: 'imageAge', asc: true };
+  }
+  if (raw === 'newest-first') {
+    return { key: 'imageAge', asc: false };
+  }
+  if (raw.endsWith('-desc')) {
+    const key = raw.slice(0, -5);
+    if (isContainerSortKey(key)) {
+      return { key, asc: false };
+    }
+    return undefined;
+  }
+  if (isContainerSortKey(raw)) {
+    return { key: raw, asc: true };
+  }
+  return undefined;
+}
+
+function encodeSortQueryValue(key: string, asc: boolean): string | undefined {
+  if (!isContainerSortKey(key)) {
+    return undefined;
+  }
+  if (key === DEFAULT_CONTAINER_SORT_KEY && asc === DEFAULT_CONTAINER_SORT_ASC) {
+    return undefined;
+  }
+  if (key === 'imageAge') {
+    return asc ? 'oldest-first' : 'newest-first';
+  }
+  return asc ? key : `${key}-desc`;
+}
+
+function resolveRouteParamId(rawValue: unknown): string | undefined {
+  if (Array.isArray(rawValue)) {
+    return typeof rawValue[0] === 'string' ? rawValue[0] : undefined;
+  }
+  return typeof rawValue === 'string' ? rawValue : undefined;
+}
+
+const isContainerLogsRoute = computed(() => route.name === 'container-logs');
+
+function syncRouteDrivenContainerLogsView(): void {
+  if (!isContainerLogsRoute.value) {
+    return;
+  }
+
+  const containerIdFromRoute = resolveRouteParamId((route.params as Record<string, unknown>)?.id);
+  if (!containerIdFromRoute) {
+    return;
+  }
+
+  const targetContainer =
+    containers.value.find((container) => container.id === containerIdFromRoute) ??
+    containers.value.find(
+      (container) => containerIdMap.value[container.name] === containerIdFromRoute,
+    );
+
+  if (!targetContainer) {
+    return;
+  }
+
+  selectedContainer.value = targetContainer;
+  activeDetailTab.value = 'logs';
+  detailPanelOpen.value = false;
+  containerFullPage.value = true;
+}
 
 function applyFilterKindFromQuery(queryValue: unknown) {
-  const raw = Array.isArray(queryValue) ? queryValue[0] : queryValue;
-  if (raw === undefined || raw === null) {
-    filterKind.value = 'all';
+  const raw = firstQueryValue(queryValue);
+  if (raw === undefined) {
     return;
   }
-  if (typeof raw !== 'string') {
-    filterKind.value = 'all';
+  if (!raw) {
+    filterKind.value = DEFAULT_FILTER_KIND;
     return;
   }
-  filterKind.value = VALID_FILTER_KINDS.has(raw) ? raw : 'all';
+  filterKind.value = isFilterKindQueryValue(raw) ? raw : DEFAULT_FILTER_KIND;
 }
 
-function applyFilterSearchFromQuery(queryValue: unknown) {
-  const raw = Array.isArray(queryValue) ? queryValue[0] : queryValue;
+function applyFilterSearchFromQuery(
+  queryValue: unknown,
+  options?: { clearDropdownFilters?: boolean },
+) {
+  const raw = firstQueryValue(queryValue);
   filterSearch.value = typeof raw === 'string' ? raw : '';
+  if (!options?.clearDropdownFilters) {
+    return;
+  }
   // When navigating with a search query (e.g. from Ctrl+K), clear persisted
   // dropdown filters so the target container is always visible.
   if (filterSearch.value) {
-    filterStatus.value = 'all';
-    filterRegistry.value = 'all';
-    filterBouncer.value = 'all';
-    filterServer.value = 'all';
-    filterKind.value = 'all';
+    filterStatus.value = DEFAULT_FILTER_VALUE;
+    filterRegistry.value = DEFAULT_FILTER_VALUE;
+    filterBouncer.value = DEFAULT_FILTER_VALUE;
+    filterServer.value = DEFAULT_FILTER_VALUE;
+    filterKind.value = DEFAULT_FILTER_KIND;
   }
 }
 
-applyFilterSearchFromQuery(route.query.q);
-watch(
-  () => route.query.q,
-  (value) => applyFilterSearchFromQuery(value),
-);
+function applyOptionalFilterValueFromQuery(
+  queryValue: unknown,
+  setter: (value: string) => void,
+  fallback: string,
+) {
+  const raw = firstQueryValue(queryValue);
+  if (raw === undefined) {
+    return;
+  }
+  setter(raw || fallback);
+}
+
+function applySortFromQuery(queryValue: unknown) {
+  const sort = parseSortFromQuery(queryValue);
+  if (!sort) {
+    return;
+  }
+  containerSortKey.value = sort.key;
+  containerSortAsc.value = sort.asc;
+}
 
-applyFilterKindFromQuery(route.query.filterKind);
 watch(
-  () => route.query.filterKind,
-  (value) => applyFilterKindFromQuery(value),
+  [() => route.name, () => route.path, () => route.params, () => containers.value.length],
+  () => {
+    syncRouteDrivenContainerLogsView();
+  },
+  { immediate: true },
 );
 
 const serverNames = computed(() => [
@@ -348,6 +492,167 @@ const containerSortAsc = usePreference(
     preferences.containers.sort.asc = value;
   },
 );
+const groupByStack = usePreference(
+  () => preferences.containers.groupByStack,
+  (value) => {
+    preferences.containers.groupByStack = value;
+  },
+);
+
+function applyGroupByStackFromQuery(queryValue: unknown) {
+  const raw = firstQueryValue(queryValue);
+  if (raw === undefined) {
+    return;
+  }
+  groupByStack.value = raw === 'true' || raw === '1';
+}
+
+watch(
+  () => [
+    route.query.q,
+    route.query.filterKind,
+    route.query.filterStatus,
+    route.query.filterRegistry,
+    route.query.filterBouncer,
+    route.query.filterServer,
+    route.query.groupByStack,
+    route.query.sort,
+  ],
+  ([
+    querySearch,
+    queryFilterKind,
+    queryFilterStatus,
+    queryFilterRegistry,
+    queryFilterBouncer,
+    queryFilterServer,
+    queryGroupByStack,
+    querySort,
+  ]) => {
+    applyFilterSearchFromQuery(querySearch, {
+      clearDropdownFilters: !isSyncingRouteFromState.value,
+    });
+    applyFilterKindFromQuery(queryFilterKind);
+    applyOptionalFilterValueFromQuery(
+      queryFilterStatus,
+      (value) => {
+        filterStatus.value = value;
+      },
+      DEFAULT_FILTER_VALUE,
+    );
+    applyOptionalFilterValueFromQuery(
+      queryFilterRegistry,
+      (value) => {
+        filterRegistry.value = value;
+      },
+      DEFAULT_FILTER_VALUE,
+    );
+    applyOptionalFilterValueFromQuery(
+      queryFilterBouncer,
+      (value) => {
+        filterBouncer.value = value;
+      },
+      DEFAULT_FILTER_VALUE,
+    );
+    applyOptionalFilterValueFromQuery(
+      queryFilterServer,
+      (value) => {
+        filterServer.value = value;
+      },
+      DEFAULT_FILTER_VALUE,
+    );
+    applyGroupByStackFromQuery(queryGroupByStack);
+    applySortFromQuery(querySort);
+  },
+  { immediate: true },
+);
+
+function normalizeQueryRecord(query: Record<string, unknown>): Record<string, string> {
+  const normalized: Record<string, string> = {};
+  for (const [key, value] of Object.entries(query)) {
+    const normalizedValue = firstQueryValue(value);
+    if (normalizedValue !== undefined) {
+      normalized[key] = normalizedValue;
+    }
+  }
+  return normalized;
+}
+
+function buildSyncedRouteQuery(): Record<string, string> {
+  const nextQuery = normalizeQueryRecord(route.query as Record<string, unknown>);
+  for (const key of QUERY_SYNC_KEYS) {
+    delete nextQuery[key];
+  }
+
+  if (filterSearch.value) {
+    nextQuery.q = filterSearch.value;
+  }
+  if (filterKind.value !== DEFAULT_FILTER_KIND) {
+    nextQuery.filterKind = filterKind.value;
+  }
+  if (filterStatus.value !== DEFAULT_FILTER_VALUE) {
+    nextQuery.filterStatus = filterStatus.value;
+  }
+  if (filterRegistry.value !== DEFAULT_FILTER_VALUE) {
+    nextQuery.filterRegistry = filterRegistry.value;
+  }
+  if (filterBouncer.value !== DEFAULT_FILTER_VALUE) {
+    nextQuery.filterBouncer = filterBouncer.value;
+  }
+  if (filterServer.value !== DEFAULT_FILTER_VALUE) {
+    nextQuery.filterServer = filterServer.value;
+  }
+  if (groupByStack.value) {
+    nextQuery.groupByStack = 'true';
+  }
+  const sortQuery = encodeSortQueryValue(containerSortKey.value, containerSortAsc.value);
+  if (sortQuery) {
+    nextQuery.sort = sortQuery;
+  }
+  return nextQuery;
+}
+
+function areQueriesEqual(left: Record<string, string>, right: Record<string, string>): boolean {
+  const leftKeys = Object.keys(left);
+  const rightKeys = Object.keys(right);
+  if (leftKeys.length !== rightKeys.length) {
+    return false;
+  }
+  return leftKeys.every((key) => left[key] === right[key]);
+}
+
+async function syncRouteQueryFromState() {
+  if (isContainerLogsRoute.value) {
+    return;
+  }
+  const currentQuery = normalizeQueryRecord(route.query as Record<string, unknown>);
+  const nextQuery = buildSyncedRouteQuery();
+  if (areQueriesEqual(currentQuery, nextQuery)) {
+    return;
+  }
+  isSyncingRouteFromState.value = true;
+  try {
+    await router.replace({ query: nextQuery });
+  } finally {
+    isSyncingRouteFromState.value = false;
+  }
+}
+
+watch(
+  [
+    filterSearch,
+    filterKind,
+    filterStatus,
+    filterRegistry,
+    filterBouncer,
+    filterServer,
+    groupByStack,
+    containerSortKey,
+    containerSortAsc,
+  ],
+  () => {
+    void syncRouteQueryFromState();
+  },
+);
 
 function toggleContainerSort(key: string) {
   if (containerSortKey.value === key) {
@@ -389,6 +694,10 @@ const sortedContainers = computed(() => {
     } else if (key === 'version') {
       leftValue = left.currentTag;
       rightValue = right.currentTag;
+    } else if (key === 'imageAge') {
+      const leftMs = left.imageCreated ? new Date(left.imageCreated).getTime() : 0;
+      const rightMs = right.imageCreated ? new Date(right.imageCreated).getTime() : 0;
+      return leftMs < rightMs ? -dir : leftMs > rightMs ? dir : 0;
     } else {
       return 0;
     }
@@ -414,12 +723,6 @@ const displayContainers = computed(() => {
   return [...live, ...ghosts];
 });
 
-const groupByStack = usePreference(
-  () => preferences.containers.groupByStack,
-  (value) => {
-    preferences.containers.groupByStack = value;
-  },
-);
 const groupMembershipMap = ref<Record<string, string>>({});
 const collapsedGroups = ref(new Set<string>());
 
@@ -432,20 +735,6 @@ watch(
   },
 );
 
-function applyGroupByStackFromQuery(queryValue: unknown) {
-  const raw = Array.isArray(queryValue) ? queryValue[0] : queryValue;
-  if (typeof raw !== 'string') {
-    return;
-  }
-  groupByStack.value = raw === 'true' || raw === '1';
-}
-
-applyGroupByStackFromQuery(route.query.groupByStack);
-watch(
-  () => route.query.groupByStack,
-  (value) => applyGroupByStackFromQuery(value),
-);
-
 function toggleGroupCollapse(key: string) {
   const next = new Set(collapsedGroups.value);
   if (next.has(key)) {
@@ -495,6 +784,17 @@ const groupedContainers = computed<RenderGroup[]>(() => {
     }
     buckets[key].push(container);
   }
+  // Flatten single-container stacks into the ungrouped bucket so they render
+  // without a collapsible group header (GitHub Discussion #179).
+  for (const key of Object.keys(buckets)) {
+    if (key !== '__ungrouped__' && buckets[key].length === 1) {
+      if (!buckets.__ungrouped__) {
+        buckets.__ungrouped__ = [];
+      }
+      buckets.__ungrouped__.push(...buckets[key]);
+      delete buckets[key];
+    }
+  }
   const named: RenderGroup[] = [];
   let ungrouped: RenderGroup | null = null;
   for (const [key, groupContainers] of Object.entries(buckets)) {
@@ -554,6 +854,10 @@ const tableColumns = computed(() =>
 );
 
 onMounted(() => {
+  if (isContainerLogsRoute.value) {
+    return;
+  }
+
   const saved = detailPanelStorage.read();
   if (!saved) {
     return;
@@ -766,6 +1070,7 @@ provide(containersViewTemplateContextKey, {
   maturityMinAgeDaysInput,
   setMaturityPolicySelected,
   clearMaturityPolicySelected,
+  confirmClearPolicy,
   clearPolicySelected,
   policyMessage,
   policyError,
@@ -800,7 +1105,6 @@ provide(containersViewTemplateContextKey, {
 </script>
 
 <template>
-  <ConfirmDialog />
   <DataViewLayout v-if="!containerFullPage">
     <ContainersListContent />
     <template #panel>
diff --git a/ui/src/views/DashboardView.vue b/ui/src/views/DashboardView.vue
index 7ed69fb1f..17d4daa13 100644
--- a/ui/src/views/DashboardView.vue
+++ b/ui/src/views/DashboardView.vue
@@ -1,16 +1,38 @@
 <script setup lang="ts">
-import { computed, ref } from 'vue';
+import { computed, nextTick, onMounted, onUnmounted, ref } from 'vue';
 import { type RouteLocationRaw, useRouter } from 'vue-router';
+import { GridItem, GridLayout } from 'grid-layout-plus';
+import AppIconButton from '@/components/AppIconButton.vue';
+import { useBreakpoints } from '../composables/useBreakpoints';
 import { useConfirmDialog } from '../composables/useConfirmDialog';
 import { ROUTES } from '../router/routes';
 import { updateContainer } from '../services/container-actions';
 import { errorMessage } from '../utils/error';
+import { summarizeContainerResourceUsage } from '../utils/stats-summary';
+import DashboardHostStatusWidget from './dashboard/components/DashboardHostStatusWidget.vue';
+import DashboardRecentUpdatesWidget from './dashboard/components/DashboardRecentUpdatesWidget.vue';
+import DashboardResourceUsageWidget from './dashboard/components/DashboardResourceUsageWidget.vue';
+import DashboardSecurityOverviewWidget from './dashboard/components/DashboardSecurityOverviewWidget.vue';
+import DashboardUpdateBreakdownWidget from './dashboard/components/DashboardUpdateBreakdownWidget.vue';
+import {
+  DASHBOARD_WIDGET_META,
+  type DashboardWidgetId,
+  type RecentUpdateRow,
+} from './dashboard/dashboardTypes';
+import { GRID_BREAKPOINTS, GRID_COLS, WIDGET_CONSTRAINTS } from './dashboard/dashboardWidgetLayout';
 import { useDashboardComputed } from './dashboard/useDashboardComputed';
 import { useDashboardData } from './dashboard/useDashboardData';
 import { useDashboardWidgetOrder } from './dashboard/useDashboardWidgetOrder';
 
 const router = useRouter();
 const confirm = useConfirmDialog();
+const { isMobile, windowNarrow } = useBreakpoints();
+// Responsive grid margins: slightly wider vertical gaps on touch screens for scroll room
+const gridMargin = computed<[number, number]>(() => {
+  if (isMobile.value) return [10, 20]; // < 768px: tighter horizontal, taller vertical for touch
+  if (windowNarrow.value) return [14, 18]; // < 1024px: tablet
+  return [16, 16]; // desktop
+});
 const dashboardUpdateInProgress = ref<string | null>(null);
 const dashboardUpdateAllInProgress = ref(false);
 const dashboardUpdateError = ref<string | null>(null);
@@ -19,19 +41,67 @@ function navigateTo(route: RouteLocationRaw) {
   router.push(route);
 }
 
+// Delay enabling grid transitions to prevent fly-in on initial load
+const gridReady = ref(false);
+let gridReadyTimer: ReturnType<typeof setTimeout> | undefined;
+onMounted(() => {
+  gridReadyTimer = setTimeout(() => {
+    gridReady.value = true;
+  }, 300);
+});
+onUnmounted(() => {
+  clearTimeout(gridReadyTimer);
+});
+
 const {
-  draggedWidgetId,
   onWidgetDragEnd,
   onWidgetDragOver,
   onWidgetDragStart,
   onWidgetDrop,
+  editMode,
+  isWidgetVisible,
+  layout,
+  resetAll,
+  toggleEditMode,
+  toggleWidgetVisibility,
   widgetOrderIndex,
-  widgetOrderStyle,
 } = useDashboardWidgetOrder();
 
+// Widget panel visibility (separate from edit mode so it's opt-in on mobile)
+const showWidgetPanel = ref(false);
+
+function handleToggleEditMode() {
+  toggleEditMode();
+  // On desktop, auto-open panel when entering edit mode; on mobile, leave it closed
+  showWidgetPanel.value = editMode.value && !isMobile.value;
+}
+
+function toggleWidgetPanel() {
+  showWidgetPanel.value = !showWidgetPanel.value;
+}
+
+function closeWidgetPanel() {
+  showWidgetPanel.value = false;
+}
+
+// Exit edit mode on Escape key
+function onKeydown(event: KeyboardEvent) {
+  if (event.key === 'Escape' && editMode.value) {
+    editMode.value = false;
+    showWidgetPanel.value = false;
+  }
+}
+onMounted(() => {
+  window.addEventListener('keydown', onKeydown);
+});
+onUnmounted(() => {
+  window.removeEventListener('keydown', onKeydown);
+});
+
 const {
   agents,
   containerSummary,
+  containerStats,
   containers,
   error,
   fetchDashboardData,
@@ -43,6 +113,8 @@ const {
   watchers,
 } = useDashboardData();
 
+const resourceUsage = computed(() => summarizeContainerResourceUsage(containerStats.value));
+
 const {
   DONUT_CIRCUMFERENCE,
   getUpdateKindColor,
@@ -74,9 +146,52 @@ const {
   watchers,
 });
 
-const pendingUpdates = computed(() => recentUpdates.value.filter((r) => r.status === 'pending'));
+const pendingUpdates = computed(() =>
+  recentUpdates.value.filter((r) => r.status === 'pending' && !r.blocked),
+);
+
+// Stat card data lookup by widget id
+const statById = computed(() => {
+  const map = new Map<string, (typeof stats.value)[number]>();
+  for (const s of stats.value) map.set(s.id, s);
+  return map;
+});
+
+// Widget metadata for customize panel
+const allWidgetMeta = DASHBOARD_WIDGET_META;
+
+function widgetSizes(id: DashboardWidgetId): string[] {
+  const meta = DASHBOARD_WIDGET_META.find((w) => w.id === id);
+  if (!meta) return ['M'];
+  if (meta.category === 'stat') return ['S'];
+  const sizes: string[] = [];
+  // Can it shrink to compact/stat-card size?
+  if (meta.minW <= 3 && meta.minH <= 4) sizes.push('S');
+  // Standard widget
+  sizes.push('M');
+  // Can it stretch wide?
+  if (meta.canStretch || meta.maxW >= 8) sizes.push('L');
+  return sizes;
+}
+
+function sizeColor(size: string): { bg: string; fg: string } {
+  if (size === 'S') return { bg: 'var(--dd-info-muted)', fg: 'var(--dd-info)' };
+  if (size === 'L') return { bg: 'var(--dd-warning-muted)', fg: 'var(--dd-warning)' };
+  return { bg: 'var(--dd-neutral-muted)', fg: 'var(--dd-neutral)' };
+}
 
-function confirmDashboardUpdate(row: { id: string; name: string }) {
+function handleStatClick(id: DashboardWidgetId) {
+  if (editMode.value) return;
+  const route = statById.value.get(id)?.route;
+  if (route) navigateTo(route);
+}
+
+// Check if a widget is a stat card
+function isStatWidget(id: string): boolean {
+  return id.startsWith('stat-');
+}
+
+function confirmDashboardUpdate(row: Pick<RecentUpdateRow, 'id' | 'name'>) {
   confirm.require({
     header: 'Update Container',
     message: `Update ${row.name} now? This will apply the latest discovered image.`,
@@ -129,500 +244,408 @@ function confirmDashboardUpdateAll() {
 </script>
 
 <template>
-  <div class="flex-1 min-h-0 min-w-0 overflow-y-auto pr-2 sm:pr-[15px]">
-      <!-- LOADING STATE -->
+  <div class="flex flex-col flex-1 min-h-0">
+    <div class="flex gap-2 min-w-0 flex-1 min-h-0">
+    <!-- Main dashboard content -->
+    <div class="flex-1 min-h-0 min-w-0 overflow-y-auto overflow-x-hidden px-1 sm:pr-[15px] dd-touch-scroll">
       <div v-if="loading" class="flex items-center justify-center py-16">
         <div class="text-sm dd-text-muted">Loading dashboard...</div>
       </div>
 
-      <!-- ERROR STATE -->
       <div v-else-if="error" class="flex flex-col items-center justify-center py-16">
         <div class="text-sm font-medium dd-text-danger mb-2">Failed to load dashboard</div>
         <div class="text-xs dd-text-muted">{{ error }}</div>
-        <button
-          class="mt-4 px-3 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors dd-bg-elevated dd-text hover:opacity-90"
+        <AppButton
+          size="none" variant="plain" weight="none"
+          class="mt-4 px-3 py-1.5 dd-rounded text-2xs-plus font-semibold transition-colors dd-bg-elevated dd-text hover:opacity-90"
           @click="fetchDashboardData">
           Retry
-        </button>
+        </AppButton>
       </div>
 
       <template v-else>
-      <!-- STAT CARDS -->
-      <div class="grid grid-cols-1 sm:grid-cols-2 lg:grid-cols-4 gap-4 mb-4">
-        <component
-          :is="stat.route ? 'button' : 'div'"
-          v-for="stat in stats"
-          :key="stat.id"
-          :data-widget-id="stat.id"
-          :data-widget-order="widgetOrderIndex(stat.id)"
-          draggable="true"
-          :aria-label="stat.label + ': ' + stat.value"
-          :type="stat.route ? 'button' : undefined"
-          class="stat-card dd-rounded p-4 text-left w-full"
-          :class="[
-            stat.route ? 'cursor-pointer transition-colors hover:dd-bg-elevated' : '',
-            { 'opacity-60': draggedWidgetId === stat.id },
-          ]"
-          :style="{
-            ...widgetOrderStyle(stat.id),
-            backgroundColor: 'var(--dd-bg-card)',
-          }"
-          @click="stat.route && navigateTo(stat.route)"
-          @dragstart="onWidgetDragStart(stat.id, $event)"
-          @dragover="onWidgetDragOver(stat.id, $event)"
-          @drop="onWidgetDrop(stat.id, $event)"
-          @dragend="onWidgetDragEnd">
-          <div class="flex items-center justify-between mb-2">
-            <span class="text-[0.6875rem] font-medium uppercase tracking-wider dd-text-muted">
-              {{ stat.label }}
-            </span>
-            <div class="w-9 h-9 dd-rounded flex items-center justify-center"
-                 :style="{ backgroundColor: stat.colorMuted, color: stat.color }">
-              <AppIcon :name="stat.icon" :size="20" />
-            </div>
-          </div>
-          <div class="text-2xl font-bold dd-text">
-            {{ stat.value }}
-          </div>
-          <div v-if="stat.detail" class="mt-1 text-[0.625rem] font-medium dd-text-muted">
-            {{ stat.detail }}
-          </div>
-        </component>
-      </div>
-
-      <!-- WIDGET GRID -->
-      <div class="grid grid-cols-1 xl:grid-cols-3 gap-4 min-w-0">
-
-        <!-- Recent Updates Widget (2/3) -->
-        <div
-             data-widget-id="recent-updates"
-             :data-widget-order="widgetOrderIndex('recent-updates')"
-             draggable="true"
-             aria-label="Updates Available widget"
-             class="dashboard-widget xl:col-span-2 dd-rounded overflow-hidden min-w-0 flex flex-col"
-             :class="{ 'opacity-60': draggedWidgetId === 'recent-updates' }"
-             :style="{
-               ...widgetOrderStyle('recent-updates'),
-               backgroundColor: 'var(--dd-bg-card)',
-             }"
-             @dragstart="onWidgetDragStart('recent-updates', $event)"
-             @dragover="onWidgetDragOver('recent-updates', $event)"
-             @drop="onWidgetDrop('recent-updates', $event)"
-             @dragend="onWidgetDragEnd">
-          <div class="flex items-center justify-between px-5 py-3.5"
-               :style="{ borderBottom: '1px solid var(--dd-border)' }">
-            <div class="flex items-center gap-2">
-              <AppIcon name="recent-updates" :size="14" class="text-drydock-secondary" />
-              <h2 class="text-xs font-semibold dd-text">
-                Updates Available
-              </h2>
-            </div>
-            <div class="flex items-center gap-3">
-              <button v-if="pendingUpdates.length > 0"
-                      data-test="dashboard-update-all-btn"
-                      class="inline-flex items-center justify-center px-2 py-1 dd-rounded border text-[0.625rem] font-semibold transition-colors"
-                      :class="dashboardUpdateAllInProgress
-                        ? 'dd-text-muted cursor-not-allowed opacity-60'
-                        : 'dd-text hover:dd-bg-elevated'"
-                      :disabled="dashboardUpdateAllInProgress"
-                      @click="confirmDashboardUpdateAll()">
-                <AppIcon
-                  :name="dashboardUpdateAllInProgress ? 'spinner' : 'cloud-download'"
-                  :size="11"
-                  class="mr-1"
-                  :class="dashboardUpdateAllInProgress ? 'dd-spin' : ''" />
-                Update all
-              </button>
-              <button class="text-[0.6875rem] font-medium text-drydock-secondary hover:underline"
-                      @click="navigateTo({ path: ROUTES.CONTAINERS, query: { filterKind: 'any' } })">View all &rarr;</button>
-            </div>
+        <!-- Pencil icon teleported to breadcrumb header -->
+        <Teleport to="#breadcrumb-actions">
+          <div class="flex items-center">
+            <AppIconButton
+              v-if="editMode && !showWidgetPanel"
+              data-test="dashboard-widget-panel-toggle"
+              icon="ph:sliders-horizontal"
+              size="xs"
+              variant="muted"
+              class="ml-2"
+              tooltip="Show widget panel"
+              @click="toggleWidgetPanel" />
+            <AppIconButton
+              data-test="dashboard-edit-toggle"
+              :icon="editMode ? 'check' : 'ph:pencil-simple'"
+              size="xs"
+              :variant="editMode ? 'plain' : 'muted'"
+              :class="editMode ? 'dd-bg-elevated dd-text ml-2' : 'ml-2'"
+              :tooltip="editMode ? 'Done customizing' : 'Customize dashboard'"
+              @click="handleToggleEditMode" />
           </div>
+        </Teleport>
 
-          <div v-if="dashboardUpdateError"
-               data-test="dashboard-update-error"
-               class="mx-5 mt-3 px-3 py-2 text-[0.6875rem] dd-rounded"
-               :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }">
-            {{ dashboardUpdateError }}
-          </div>
+        <!-- Grid Layout -->
+        <GridLayout
+          v-model:layout="layout"
+          :col-num="12"
+          :row-height="30"
+          :margin="gridMargin"
+          :responsive="true"
+          :breakpoints="GRID_BREAKPOINTS"
+          :cols="GRID_COLS"
+          :class="{ 'dd-grid-ready': gridReady }"
+          :is-draggable="editMode"
+          :is-resizable="editMode"
+          :vertical-compact="true"
+          :use-css-transforms="true">
+          <GridItem
+            v-for="item in layout"
+            v-show="isWidgetVisible(item.i as DashboardWidgetId)"
+            :key="item.i"
+            :data-widget-id="item.i"
+            :data-widget-order="widgetOrderIndex(item.i as DashboardWidgetId)"
+            :draggable="editMode"
+            :x="item.x"
+            :y="item.y"
+            :w="item.w"
+            :h="item.h"
+            :i="item.i"
+            :min-w="WIDGET_CONSTRAINTS[item.i as DashboardWidgetId]?.minW ?? 2"
+            :min-h="WIDGET_CONSTRAINTS[item.i as DashboardWidgetId]?.minH ?? 2"
+            :max-w="WIDGET_CONSTRAINTS[item.i as DashboardWidgetId]?.maxW ?? 12"
+            :max-h="WIDGET_CONSTRAINTS[item.i as DashboardWidgetId]?.maxH ?? 20"
+            drag-ignore-from="input, textarea, button, a, select, .no-drag"
+            class="dd-grid-item"
+            @dragstart="onWidgetDragStart(item.i as DashboardWidgetId, $event)"
+            @dragover="onWidgetDragOver(item.i as DashboardWidgetId, $event)"
+            @drop="onWidgetDrop(item.i as DashboardWidgetId, $event)"
+            @dragend="onWidgetDragEnd"
+            :class="editMode ? 'dd-grid-edit' : ''">
 
-          <div class="flex-1 min-h-0 overflow-y-auto">
-          <DataTable
-            :columns="[
-              { key: 'icon', label: '', icon: true },
-              { key: 'container', label: 'Container', sortable: false },
-              { key: 'version', label: 'Version', sortable: false, align: 'text-center' },
-              { key: 'type', label: 'Type', sortable: false },
-              { key: 'actions', label: 'Actions', sortable: false },
-            ]"
-            :rows="recentUpdates"
-            row-key="id"
-            compact
-          >
-            <template #cell-icon="{ row }">
-              <ContainerIcon :icon="row.icon" :size="28" />
-            </template>
-
-            <template #cell-container="{ row }">
-              <div class="font-medium dd-text leading-tight">{{ row.name }}</div>
-              <div class="text-[0.625rem] dd-text-muted mt-0.5 truncate">{{ row.image }}</div>
-              <div v-if="row.registryError" class="text-[0.625rem] mt-0.5 truncate" style="color: var(--dd-danger);">
-                {{ row.registryError }}
+            <!-- Stat Cards -->
+            <component
+              :is="!editMode && statById.get(item.i as DashboardWidgetId)?.route ? 'button' : 'div'"
+              v-if="isStatWidget(item.i)"
+              :type="!editMode && statById.get(item.i as DashboardWidgetId)?.route ? 'button' : undefined"
+              :aria-label="(statById.get(item.i as DashboardWidgetId)?.label ?? '') + ': ' + (statById.get(item.i as DashboardWidgetId)?.value ?? '')"
+              class="stat-card dd-rounded px-4 py-2.5 text-left cursor-default relative w-full"
+              :class="[
+                editMode ? 'm-[3px] h-[calc(100%-6px)]' : 'h-full',
+                !editMode && statById.get(item.i as DashboardWidgetId)?.route ? 'cursor-pointer hover:dd-bg-elevated' : '',
+              ]"
+              :style="{ backgroundColor: 'var(--dd-bg-card)' }"
+              @click="handleStatClick(item.i as DashboardWidgetId)">
+              <div v-if="editMode" class="drag-handle dd-drag-handle absolute top-1.5 left-1/2 -translate-x-1/2 z-10" v-tooltip.top="'Drag to reorder'">
+                <AppIcon name="ph:dots-six" :size="14" />
               </div>
-              <a
-                v-if="row.releaseLink"
-                :href="row.releaseLink"
-                target="_blank"
-                rel="noopener noreferrer"
-                class="text-[0.625rem] mt-0.5 inline-flex underline hover:no-underline"
-                style="color: var(--dd-info);"
-              >
-                Release notes
-              </a>
-            </template>
-
-            <template #cell-version="{ row }">
-              <!-- Desktop: horizontal old → new -->
-              <div class="hidden sm:flex items-center justify-center gap-1.5 min-w-0">
-                <CopyableTag :tag="row.oldVer" class="text-[0.6875rem] dd-text-secondary truncate max-w-[100px]">
-                  {{ row.oldVer }}
-                </CopyableTag>
-                <AppIcon name="arrow-right" :size="8" class="dd-text-muted shrink-0" />
-                <CopyableTag :tag="row.newVer" class="text-[0.6875rem] font-semibold truncate max-w-[120px]"
-                      :style="{ color: getUpdateKindColor(row.updateKind) }">
-                  {{ row.newVer }}
-                </CopyableTag>
+              <div class="flex items-center justify-between mb-2">
+                <span class="text-2xs-plus font-medium uppercase tracking-wider dd-text-muted">
+                  {{ statById.get(item.i as DashboardWidgetId)?.label }}
+                </span>
+                <div class="w-9 h-9 dd-rounded flex items-center justify-center"
+                     :style="{ backgroundColor: statById.get(item.i as DashboardWidgetId)?.colorMuted, color: statById.get(item.i as DashboardWidgetId)?.color }">
+                  <AppIcon :name="statById.get(item.i as DashboardWidgetId)?.icon ?? 'dashboard'" :size="20" />
+                </div>
               </div>
-              <!-- Mobile: stacked old ↓ new -->
-              <div class="flex sm:hidden flex-col items-start gap-0.5 min-w-0">
-                <CopyableTag :tag="row.oldVer" class="text-[0.5625rem] dd-text-secondary break-all leading-tight">
-                  {{ row.oldVer }}
-                </CopyableTag>
-                <CopyableTag :tag="row.newVer" class="text-[0.5625rem] font-semibold break-all leading-tight"
-                      :style="{ color: getUpdateKindColor(row.updateKind) }">
-                  {{ row.newVer }}
-                </CopyableTag>
+              <div class="text-2xl font-bold dd-text">
+                {{ statById.get(item.i as DashboardWidgetId)?.value }}
               </div>
-            </template>
-
-            <template #cell-type="{ row }">
-              <!-- Mobile: icon-only badge -->
-              <span class="badge px-1.5 py-0 text-[0.5625rem] sm:!hidden"
-                    :style="{
-                      backgroundColor: getUpdateKindMutedColor(row.updateKind),
-                      color: getUpdateKindColor(row.updateKind),
-                    }">
-                <AppIcon :name="getUpdateKindIcon(row.updateKind)" :size="12" />
-              </span>
-              <!-- Desktop: icon + text badge -->
-              <span class="badge max-sm:!hidden"
-                    :style="{
-                      backgroundColor: getUpdateKindMutedColor(row.updateKind),
-                      color: getUpdateKindColor(row.updateKind),
-                    }">
-                <AppIcon :name="getUpdateKindIcon(row.updateKind)"
-                   :size="12" class="mr-1" />
-                {{ row.updateKind ?? 'unknown' }}
-              </span>
-            </template>
-
-            <template #cell-actions="{ row }">
-              <button v-if="row.status === 'pending'"
-                      data-test="dashboard-update-btn"
-                      class="w-7 h-7 dd-rounded-sm flex items-center justify-center transition-colors"
-                      :class="dashboardUpdateInProgress === row.id || dashboardUpdateAllInProgress
-                        ? 'dd-text-muted opacity-50 cursor-not-allowed'
-                        : 'dd-text-muted hover:dd-text-success hover:dd-bg-elevated'"
-                      :disabled="dashboardUpdateInProgress === row.id || dashboardUpdateAllInProgress"
-                      @click.stop="confirmDashboardUpdate(row)">
-                <AppIcon
-                  :name="dashboardUpdateInProgress === row.id ? 'spinner' : 'cloud-download'"
-                  :size="14"
-                  :class="dashboardUpdateInProgress === row.id ? 'dd-spin' : ''" />
-              </button>
-            </template>
-
-            <template #empty>
-              <div class="px-4 py-6 text-center text-[0.6875rem] dd-text-muted">
-                No updates available
+              <div v-if="statById.get(item.i as DashboardWidgetId)?.detail" class="mt-1 text-2xs font-medium dd-text-muted">
+                {{ statById.get(item.i as DashboardWidgetId)?.detail }}
               </div>
-            </template>
-          </DataTable>
-          </div>
-        </div>
+            </component>
 
-        <!-- Security Summary Widget (1/3) -->
-        <div
-             data-widget-id="security-overview"
-             :data-widget-order="widgetOrderIndex('security-overview')"
-             draggable="true"
-             aria-label="Security Overview widget"
-             class="dashboard-widget dd-rounded overflow-hidden"
-             :class="{ 'opacity-60': draggedWidgetId === 'security-overview' }"
-             :style="{
-               ...widgetOrderStyle('security-overview'),
-               backgroundColor: 'var(--dd-bg-card)',
-             }"
-             @dragstart="onWidgetDragStart('security-overview', $event)"
-             @dragover="onWidgetDragOver('security-overview', $event)"
-             @drop="onWidgetDrop('security-overview', $event)"
-             @dragend="onWidgetDragEnd">
-          <div class="flex items-center justify-between px-5 py-3.5"
-               :style="{ borderBottom: '1px solid var(--dd-border)' }">
-            <div class="flex items-center gap-2">
-              <AppIcon name="security" :size="14" class="text-drydock-accent" />
-              <h2 class="text-xs font-semibold dd-text">
-                Security Overview
-              </h2>
-            </div>
-            <button class="text-[0.6875rem] font-medium text-drydock-secondary hover:underline"
-                    @click="navigateTo(ROUTES.SECURITY)">View all &rarr;</button>
-          </div>
+            <!-- Grid Widgets -->
+            <DashboardRecentUpdatesWidget
+              v-else-if="item.i === 'recent-updates'"
+              class="h-full"
+              :recent-updates="recentUpdates"
+              :pending-updates-count="pendingUpdates.length"
+              :dashboard-update-error="dashboardUpdateError"
+              :dashboard-update-in-progress="dashboardUpdateInProgress"
+              :dashboard-update-all-in-progress="dashboardUpdateAllInProgress"
+              :get-update-kind-color="getUpdateKindColor"
+              :get-update-kind-icon="getUpdateKindIcon"
+              :get-update-kind-muted-color="getUpdateKindMutedColor"
+              :edit-mode="editMode"
+              @confirm-update="confirmDashboardUpdate"
+              @confirm-update-all="confirmDashboardUpdateAll"
+              @view-all="navigateTo({ path: ROUTES.CONTAINERS, query: { filterKind: 'any' } })" />
 
-          <div class="p-5">
-            <!-- Donut chart -->
-            <div class="flex items-center justify-center mb-5">
-              <div class="relative" style="width: 140px; height: 140px;">
-                <svg viewBox="0 0 120 120" class="w-full h-full" style="transform: rotate(-90deg);">
-                  <circle cx="60" cy="60" r="48" fill="none"
-                          stroke="var(--dd-border-strong)" stroke-width="14" />
-                  <circle cx="60" cy="60" r="48" fill="none" stroke="var(--dd-success)" stroke-width="14"
-                          stroke-linecap="round" class="donut-ring"
-                          :stroke-dasharray="securityCleanArcLength + ' ' + DONUT_CIRCUMFERENCE" />
-                  <circle v-if="securityIssueCount > 0" cx="60" cy="60" r="48" fill="none" stroke="var(--dd-danger)" stroke-width="14"
-                          stroke-linecap="round" class="donut-ring"
-                          :stroke-dasharray="securityIssueArcLength + ' ' + DONUT_CIRCUMFERENCE"
-                          :stroke-dashoffset="-securityCleanArcLength" />
-                  <circle v-if="securityNotScannedCount > 0" cx="60" cy="60" r="48" fill="none" stroke="var(--dd-neutral)" stroke-width="14"
-                          stroke-linecap="round" class="donut-ring"
-                          :stroke-dasharray="securityNotScannedArcLength + ' ' + DONUT_CIRCUMFERENCE"
-                          :stroke-dashoffset="-(securityCleanArcLength + securityIssueArcLength)" />
-                </svg>
-                <div class="absolute inset-0 flex flex-col items-center justify-center">
-                  <span class="text-xl font-bold dd-text">{{ securityTotalCount }}</span>
-                  <span class="text-[0.625rem] dd-text-muted">images</span>
-                </div>
-              </div>
-            </div>
+            <DashboardSecurityOverviewWidget
+              v-else-if="item.i === 'security-overview'"
+              class="h-full"
+              :donut-circumference="DONUT_CIRCUMFERENCE"
+              :security-clean-arc-length="securityCleanArcLength"
+              :security-clean-count="securityCleanCount"
+              :security-issue-arc-length="securityIssueArcLength"
+              :security-issue-count="securityIssueCount"
+              :security-not-scanned-arc-length="securityNotScannedArcLength"
+              :security-not-scanned-count="securityNotScannedCount"
+              :security-severity-totals="securitySeverityTotals"
+              :security-total-count="securityTotalCount"
+              :show-security-severity-breakdown="showSecuritySeverityBreakdown"
+              :vulnerabilities="vulnerabilities"
+              :edit-mode="editMode"
+              @view-all="navigateTo(ROUTES.SECURITY)" />
 
-            <!-- Legend -->
-            <div class="flex justify-center gap-5 mb-5">
-              <div class="flex items-center gap-1.5">
-                <div class="w-2.5 h-2.5 rounded-full" style="background:var(--dd-success);" />
-                <span class="text-[0.6875rem] dd-text-secondary">{{ securityCleanCount }} Clean</span>
-              </div>
-              <div v-if="securityIssueCount > 0" class="flex items-center gap-1.5">
-                <div class="w-2.5 h-2.5 rounded-full" style="background:var(--dd-danger);" />
-                <span class="text-[0.6875rem] dd-text-secondary">{{ securityIssueCount }} Issues</span>
-              </div>
-              <div v-if="securityNotScannedCount > 0" class="flex items-center gap-1.5">
-                <div class="w-2.5 h-2.5 rounded-full" style="background:var(--dd-neutral);" />
-                <span class="text-[0.6875rem] dd-text-secondary">
-                  {{ securityNotScannedCount }} Not Scanned
-                </span>
-              </div>
-            </div>
+            <DashboardResourceUsageWidget
+              v-else-if="item.i === 'resource-usage'"
+              class="h-full"
+              :resource-usage="resourceUsage"
+              :edit-mode="editMode"
+              @view-all="navigateTo(ROUTES.CONTAINERS)" />
 
-            <div v-if="showSecuritySeverityBreakdown"
-                 data-test="security-severity-breakdown"
-                 class="mb-5">
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-2 dd-text-muted">
-                Severity Breakdown
-              </div>
-              <div class="grid grid-cols-2 gap-2">
-                <div class="flex items-center justify-between px-2 py-1.5 dd-rounded"
-                     :style="{ backgroundColor: 'var(--dd-danger-muted)' }">
-                  <span class="text-[0.625rem] font-semibold" style="color: var(--dd-danger);">
-                    {{ securitySeverityTotals.critical }} Critical
-                  </span>
-                </div>
-                <div class="flex items-center justify-between px-2 py-1.5 dd-rounded"
-                     :style="{ backgroundColor: 'var(--dd-warning-muted)' }">
-                  <span class="text-[0.625rem] font-semibold" style="color: var(--dd-warning);">
-                    {{ securitySeverityTotals.high }} High
-                  </span>
-                </div>
-                <div class="flex items-center justify-between px-2 py-1.5 dd-rounded"
-                     :style="{ backgroundColor: 'var(--dd-caution-muted)' }">
-                  <span class="text-[0.625rem] font-semibold" style="color: var(--dd-caution);">
-                    {{ securitySeverityTotals.medium }} Medium
-                  </span>
-                </div>
-                <div class="flex items-center justify-between px-2 py-1.5 dd-rounded"
-                     :style="{ backgroundColor: 'var(--dd-info-muted)' }">
-                  <span class="text-[0.625rem] font-semibold" style="color: var(--dd-info);">
-                    {{ securitySeverityTotals.low }} Low
-                  </span>
-                </div>
-              </div>
-            </div>
-
-            <div class="mb-4" :style="{ borderTop: '1px solid var(--dd-border)' }" />
-
-            <!-- Top vulnerabilities -->
-            <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-3 dd-text-muted">
-              Top Vulnerabilities
-            </div>
-            <div class="space-y-2.5 overflow-y-auto max-h-[200px]">
-              <div v-for="vuln in vulnerabilities" :key="vuln.id"
-                   class="flex items-start gap-3 p-2.5 dd-rounded"
-                   :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
-                <div class="shrink-0 mt-0.5">
-                  <span class="badge px-1.5 py-0 text-[0.5625rem] md:!hidden"
-                        :style="{
-                          backgroundColor: vuln.severity === 'CRITICAL'
-                            ? 'var(--dd-danger-muted)'
-                            : 'var(--dd-warning-muted)',
-                          color: vuln.severity === 'CRITICAL' ? 'var(--dd-danger)' : 'var(--dd-warning)',
-                        }">
-                    <AppIcon :name="vuln.severity === 'CRITICAL' ? 'warning' : 'chevrons-up'" :size="12" />
-                  </span>
-                  <span class="badge text-[0.5625rem] max-md:!hidden"
-                        :style="{
-                          backgroundColor: vuln.severity === 'CRITICAL'
-                            ? 'var(--dd-danger-muted)'
-                            : 'var(--dd-warning-muted)',
-                          color: vuln.severity === 'CRITICAL' ? 'var(--dd-danger)' : 'var(--dd-warning)',
-                        }">
-                    {{ vuln.severity }}
-                  </span>
-                </div>
-                <div class="flex-1 min-w-0">
-                  <div class="text-[0.6875rem] font-semibold truncate dd-text">
-                    {{ vuln.id }}
-                  </div>
-                  <div class="text-[0.625rem] mt-0.5 truncate dd-text-muted">
-                    {{ vuln.package }} &middot; {{ vuln.image }}
-                  </div>
-                </div>
-              </div>
-              <div v-if="vulnerabilities.length === 0"
-                   class="p-2.5 dd-rounded text-[0.6875rem] text-center dd-text-muted"
-                   :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
-                No vulnerabilities reported
-              </div>
-            </div>
-          </div>
-        </div>
+            <DashboardHostStatusWidget
+              v-else-if="item.i === 'host-status'"
+              class="h-full"
+              :servers="servers"
+              :edit-mode="editMode"
+              @view-all="navigateTo(ROUTES.SERVERS)" />
 
-        <!-- Host Status Widget (1/3) -->
-        <div
-             data-widget-id="host-status"
-             :data-widget-order="widgetOrderIndex('host-status')"
-             draggable="true"
-             aria-label="Host Status widget"
-             class="dashboard-widget dd-rounded overflow-hidden"
-             :class="{ 'opacity-60': draggedWidgetId === 'host-status' }"
-             :style="{
-               ...widgetOrderStyle('host-status'),
-               backgroundColor: 'var(--dd-bg-card)',
-             }"
-             @dragstart="onWidgetDragStart('host-status', $event)"
-             @dragover="onWidgetDragOver('host-status', $event)"
-             @drop="onWidgetDrop('host-status', $event)"
-             @dragend="onWidgetDragEnd">
-          <div class="flex items-center justify-between px-5 py-3.5"
-               :style="{ borderBottom: '1px solid var(--dd-border)' }">
-            <div class="flex items-center gap-2">
-              <AppIcon name="servers" :size="14" class="text-drydock-secondary" />
-              <h2 class="text-sm font-semibold dd-text">
-                Host Status
-              </h2>
-            </div>
-            <button class="text-[0.6875rem] font-medium text-drydock-secondary hover:underline"
-                    @click="navigateTo(ROUTES.SERVERS)">View all &rarr;</button>
-          </div>
+            <DashboardUpdateBreakdownWidget
+              v-else-if="item.i === 'update-breakdown'"
+              class="h-full"
+              :total-updates="totalUpdates"
+              :update-breakdown-buckets="updateBreakdownBuckets"
+              :edit-mode="editMode"
+              @view-all="navigateTo({ path: ROUTES.CONTAINERS, query: { filterKind: 'any' } })" />
+          </GridItem>
+        </GridLayout>
+      </template>
+    </div>
 
-          <div class="p-4 space-y-3">
-            <div v-for="server in servers" :key="server.name"
-                 class="flex items-center gap-3 p-3 dd-rounded cursor-pointer transition-colors hover:dd-bg-elevated"
-                 :style="{ backgroundColor: 'var(--dd-bg-inset)' }"
-                 @click="navigateTo(ROUTES.SERVERS)">
-              <span class="badge px-1.5 py-0 text-[0.5625rem] max-md:!hidden"
-                    :style="{
-                      backgroundColor: server.status === 'connected' ? 'var(--dd-success-muted)' : 'var(--dd-danger-muted)',
-                      color: server.status === 'connected' ? 'var(--dd-success)' : 'var(--dd-danger)',
-                    }">
-                <AppIcon :name="server.status === 'connected' ? 'check' : 'xmark'" :size="12" />
-              </span>
-              <div class="flex-1 min-w-0">
-                <div class="text-xs font-semibold truncate dd-text">{{ server.name }}</div>
-                <div v-if="server.host" class="text-[0.625rem] font-mono dd-text-muted truncate mt-0.5">
-                  {{ server.host }}
-                </div>
-                <div class="text-[0.625rem] dd-text-muted">{{ server.containers.running }}/{{ server.containers.total }} containers</div>
-              </div>
-              <span class="badge px-1.5 py-0 text-[0.5625rem] md:!hidden"
-                    :style="{
-                      backgroundColor: server.status === 'connected' ? 'var(--dd-success-muted)' : 'var(--dd-danger-muted)',
-                      color: server.status === 'connected' ? 'var(--dd-success)' : 'var(--dd-danger)',
-                    }">
-                <AppIcon :name="server.status === 'connected' ? 'check' : 'xmark'" :size="12" />
-              </span>
-              <span class="badge text-[0.5625rem] uppercase font-bold max-md:!hidden"
-                    :style="{
-                      backgroundColor: server.status === 'connected' ? 'var(--dd-success-muted)' : 'var(--dd-danger-muted)',
-                      color: server.status === 'connected' ? 'var(--dd-success)' : 'var(--dd-danger)',
-                    }">
-                {{ server.statusLabel ?? server.status }}
-              </span>
-            </div>
-          </div>
+    <!-- Customize panel: mobile overlay backdrop -->
+    <div v-if="showWidgetPanel && isMobile"
+         class="fixed inset-0 bg-black/50 z-40"
+         @click="closeWidgetPanel" />
+
+    <!-- Customize panel -->
+    <aside
+      v-if="showWidgetPanel"
+      class="shrink-0 flex flex-col dd-rounded overflow-hidden"
+      :class="isMobile ? 'fixed top-0 right-0 z-50' : 'sticky top-0 mr-2'"
+      :style="{
+        width: isMobile ? '100%' : 'var(--dd-layout-sidebar-expanded-width)',
+        minWidth: isMobile ? undefined : 'var(--dd-layout-sidebar-expanded-width)',
+        maxWidth: isMobile ? '100%' : undefined,
+        backgroundColor: 'var(--dd-bg-card)',
+        height: isMobile ? '100vh' : 'calc(100vh - var(--dd-layout-main-viewport-offset))',
+      }">
+      <div class="shrink-0 px-4 py-3 flex items-center justify-between"
+           :style="{ borderBottom: '1px solid var(--dd-border)' }">
+        <div class="flex items-center gap-2">
+          <AppIcon name="ph:pencil-simple" :size="12" class="dd-text-muted" />
+          <span class="text-2xs-plus font-semibold dd-text">Widgets</span>
         </div>
+        <AppIconButton
+          icon="xmark"
+          size="xs"
+          variant="muted"
+          tooltip="Close panel"
+          aria-label="Close panel"
+          @click="closeWidgetPanel" />
+      </div>
 
-        <!-- Update Breakdown Widget (2/3) -->
-        <div
-             data-widget-id="update-breakdown"
-             :data-widget-order="widgetOrderIndex('update-breakdown')"
-             draggable="true"
-             aria-label="Update Breakdown widget"
-             class="dashboard-widget xl:col-span-2 dd-rounded overflow-hidden"
-             :class="{ 'opacity-60': draggedWidgetId === 'update-breakdown' }"
-             :style="{
-               ...widgetOrderStyle('update-breakdown'),
-               backgroundColor: 'var(--dd-bg-card)',
-             }"
-             @dragstart="onWidgetDragStart('update-breakdown', $event)"
-             @dragover="onWidgetDragOver('update-breakdown', $event)"
-             @drop="onWidgetDrop('update-breakdown', $event)"
-             @dragend="onWidgetDragEnd">
-          <div class="flex items-center justify-between px-5 py-3.5"
-               :style="{ borderBottom: '1px solid var(--dd-border)' }">
-            <div class="flex items-center gap-2">
-              <AppIcon name="updates" :size="14" class="text-drydock-secondary" />
-              <h2 class="text-sm font-semibold dd-text">
-                Update Breakdown
-              </h2>
-            </div>
-            <button class="text-[0.6875rem] font-medium text-drydock-secondary hover:underline"
-                    @click="navigateTo({ path: ROUTES.CONTAINERS, query: { filterKind: 'any' } })">View all &rarr;</button>
-          </div>
+      <div class="flex-1 overflow-y-auto p-3 space-y-1">
+        <label
+          v-for="widget in allWidgetMeta"
+          :key="widget.id"
+          class="flex items-center gap-2.5 px-2.5 py-1.5 dd-rounded cursor-pointer transition-colors hover:dd-bg-elevated">
+          <input
+            type="checkbox"
+            :checked="isWidgetVisible(widget.id)"
+            class="shrink-0 w-3.5 h-3.5 dd-rounded-sm cursor-pointer"
+            @change="toggleWidgetVisibility(widget.id)" />
+          <span class="flex-1 text-2xs-plus dd-text">{{ widget.label }}</span>
+          <span class="shrink-0 flex items-center gap-0.5">
+            <span
+              v-for="size in widgetSizes(widget.id)"
+              :key="size"
+              class="px-1 py-0.5 dd-rounded text-4xs font-bold uppercase tracking-wider"
+              :style="{ backgroundColor: sizeColor(size).bg, color: sizeColor(size).fg }">
+              {{ size }}
+            </span>
+          </span>
+        </label>
 
-          <div class="p-5">
-            <div v-if="totalUpdates === 0"
-                 class="p-3 dd-rounded text-[0.6875rem] text-center dd-text-muted"
-                 :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
-              No updates to categorize
-            </div>
-            <div v-else class="grid grid-cols-2 sm:grid-cols-4 gap-4">
-              <div v-for="kind in updateBreakdownBuckets" :key="kind.label"
-                   class="text-center p-3 dd-rounded"
-                   :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
-                <div class="w-9 h-9 mx-auto dd-rounded flex items-center justify-center mb-2"
-                     :style="{ backgroundColor: kind.colorMuted, color: kind.color }">
-                  <AppIcon :name="kind.icon" :size="20" />
-                </div>
-                <div class="text-xl font-bold dd-text">{{ kind.count }}</div>
-                <div class="text-[0.625rem] font-medium uppercase tracking-wider mt-0.5 dd-text-muted">{{ kind.label }}</div>
-                <!-- Mini bar -->
-                <div class="mt-2 h-1.5 dd-rounded-sm overflow-hidden" style="background: var(--dd-bg-elevated);">
-                  <div class="h-full dd-rounded-sm transition-[color,background-color,border-color,opacity,transform,box-shadow]"
-                       :style="{ width: Math.max(kind.count / Math.max(totalUpdates, 1) * 100, 4) + '%', backgroundColor: kind.color }" />
-                </div>
-              </div>
-            </div>
-          </div>
+        <div class="pt-3 mt-2" :style="{ borderTop: '1px solid var(--dd-border)' }">
+          <AppButton
+            size="none" variant="plain" weight="none"
+            class="w-full px-2.5 py-1.5 dd-rounded text-2xs font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated text-center"
+            @click="resetAll">
+            Reset to Default
+          </AppButton>
         </div>
       </div>
-      </template>
+    </aside>
+    </div>
   </div>
 </template>
+
+<style>
+/*
+ * grid-layout-plus overrides
+ *
+ * The library exposes CSS custom properties on .vgl-layout for theming.
+ * We set those instead of using !important where possible.
+ * The 3 remaining !important declarations override inline transition
+ * styles that the library sets via JS during mount and drag — there
+ * is no custom property for these.
+ */
+
+/* Theme the library's built-in placeholder and resizer via its CSS vars */
+.vgl-layout {
+  --vgl-placeholder-bg: var(--dd-success);
+  --vgl-placeholder-opacity: 15%;
+  --vgl-resizer-border-color: var(--dd-text-secondary);
+  --vgl-resizer-border-width: 1.5px;
+  --vgl-resizer-size: 20px;
+  /* Grid library adds outer-edge margins equal to the item gap.
+     Pull top and left flush to align with page content.
+     Vertical stays at -16px (works at all breakpoints).
+     Horizontal must match the responsive gridMargin[0]. */
+  margin-top: -16px;
+  margin-left: -10px;  /* mobile: gridMargin [10, 20] */
+}
+
+@media (min-width: 768px) {
+  .vgl-layout {
+    margin-left: -14px;  /* tablet: gridMargin [14, 18] */
+  }
+}
+
+@media (min-width: 1024px) {
+  .vgl-layout {
+    margin-left: -16px;  /* desktop: gridMargin [16, 16] */
+  }
+}
+
+/* Disable the initial fly-in — library sets inline transition styles */
+.vgl-layout:not(.dd-grid-ready) {
+  transition: none !important;
+}
+
+.vgl-layout:not(.dd-grid-ready) .vgl-item {
+  transition: none !important;
+}
+
+.vgl-item--dragging {
+  transition: none !important;
+}
+
+/* Grid item content fills its cell */
+.dd-grid-item > div:not(.stat-card) {
+  height: 100%;
+  overflow: hidden;
+}
+
+.dd-grid-item .dashboard-widget {
+  height: 100%;
+  display: flex;
+  flex-direction: column;
+}
+
+/* Edit mode — dashed border + grab cursor, disable interactive content.
+   Uses an inset pseudo-element instead of outline because CSS outlines
+   are clipped by ancestor overflow-hidden on items at the grid edges. */
+.dd-grid-edit {
+  cursor: grab;
+  position: relative;
+}
+
+.dd-grid-edit::before {
+  content: '';
+  position: absolute;
+  inset: 0;
+  border: 2px dashed var(--dd-border-strong);
+  border-radius: var(--dd-radius);
+  pointer-events: none;
+  z-index: 1;
+}
+
+.dd-grid-edit:active {
+  cursor: grabbing;
+}
+
+/* Block ALL clicks on card content in edit mode — only drag handles and resize work */
+.dd-grid-edit > * {
+  pointer-events: none;
+}
+
+/* Re-enable pointer events on drag handles so they can be grabbed */
+.dd-grid-edit .drag-handle {
+  pointer-events: auto;
+}
+
+/* Re-enable pointer events on resize handle */
+.dd-grid-edit .vgl-item__resizer {
+  pointer-events: auto;
+}
+
+/* Drag handle pill */
+.dd-drag-handle {
+  cursor: grab;
+  color: var(--dd-neutral);
+  background: var(--dd-neutral-muted);
+  border-radius: var(--dd-radius);
+  padding: 2px 6px;
+  opacity: 0.8;
+  transition: opacity 150ms ease, background-color 150ms ease, color 150ms ease;
+}
+
+.dd-grid-edit:hover .dd-drag-handle,
+.dd-drag-handle:hover {
+  opacity: 1;
+  color: var(--dd-text);
+  background: var(--dd-border-strong);
+}
+
+.dd-drag-handle:active {
+  cursor: grabbing;
+}
+
+/* Resize handle pill — matches drag handle style */
+.vgl-item .vgl-item__resizer {
+  opacity: 0;
+  cursor: se-resize;
+  background-color: var(--dd-neutral-muted);
+  border-radius: var(--dd-radius);
+  right: 6px;
+  bottom: 6px;
+  transition: opacity 150ms ease, background-color 150ms ease;
+}
+
+.vgl-item .vgl-item__resizer::before {
+  border-color: var(--dd-neutral);
+  width: 7px;
+  height: 7px;
+  border-width: 0;
+  border-right-width: 1.5px;
+  border-bottom-width: 1.5px;
+  inset: auto 4px 4px auto;
+}
+
+.dd-grid-edit.vgl-item .vgl-item__resizer {
+  opacity: var(--dd-opacity-handle-idle);
+}
+
+/* Card hover darkens both handles */
+.dd-grid-edit.vgl-item:hover .vgl-item__resizer {
+  opacity: 1;
+  background-color: var(--dd-border-strong);
+}
+
+.dd-grid-edit.vgl-item:hover .vgl-item__resizer::before {
+  border-color: var(--dd-text);
+}
+
+/* Placeholder border during drag/resize */
+.vgl-item--placeholder {
+  border-radius: var(--dd-radius);
+  border: 2px dashed var(--dd-success);
+}
+</style>
diff --git a/ui/src/views/LoginView.vue b/ui/src/views/LoginView.vue
index 4b6e0a737..236e4f1fe 100644
--- a/ui/src/views/LoginView.vue
+++ b/ui/src/views/LoginView.vue
@@ -5,6 +5,7 @@ import { ROUTES } from '../router/routes';
 import whaleLogo from '../assets/whale-logo.png?inline';
 import { getOidcRedirection, getStrategies, loginBasic, setRememberMe } from '../services/auth';
 import { useTheme } from '../theme/useTheme';
+import { errorMessage } from '../utils/error';
 
 const router = useRouter();
 const route = useRoute();
@@ -21,6 +22,40 @@ interface AuthProviderError {
   error: string;
 }
 
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return typeof value === 'object' && value !== null;
+}
+
+function isStrategy(value: unknown): value is Strategy {
+  if (!isRecord(value)) {
+    return false;
+  }
+  if (typeof value.type !== 'string' || typeof value.name !== 'string') {
+    return false;
+  }
+  return typeof value.redirect === 'undefined' || typeof value.redirect === 'boolean';
+}
+
+function isAuthProviderError(value: unknown): value is AuthProviderError {
+  return isRecord(value) && typeof value.provider === 'string' && typeof value.error === 'string';
+}
+
+function parseStrategies(value: unknown): Strategy[] {
+  return Array.isArray(value) ? value.filter(isStrategy) : [];
+}
+
+function parseAuthProviderErrors(value: unknown): AuthProviderError[] {
+  return Array.isArray(value) ? value.filter(isAuthProviderError) : [];
+}
+
+function extractOidcRedirect(value: unknown): string | undefined {
+  if (!isRecord(value)) {
+    return undefined;
+  }
+  const redirect = value.redirect ?? value.url;
+  return typeof redirect === 'string' ? redirect : undefined;
+}
+
 const strategies = ref<Strategy[]>([]);
 const loading = ref(true);
 const error = ref('');
@@ -80,8 +115,17 @@ async function handleBasicLogin() {
   try {
     await loginBasic(username.value, password.value, rememberMe.value);
     navigateAfterLogin();
-  } catch {
-    error.value = 'Invalid username or password';
+  } catch (loginError: unknown) {
+    const loginErrorMessage = errorMessage(loginError).trim();
+    if (
+      loginErrorMessage.length === 0 ||
+      loginErrorMessage === 'Username or password error' ||
+      loginErrorMessage === 'Unauthorized'
+    ) {
+      error.value = 'Invalid username or password';
+    } else {
+      error.value = loginErrorMessage;
+    }
   } finally {
     submitting.value = false;
   }
@@ -91,11 +135,7 @@ async function handleOidc(name: string) {
   try {
     await setRememberMe(rememberMe.value);
     const result = await getOidcRedirection(name);
-    const redirect =
-      result && typeof result === 'object'
-        ? ((result as { redirect?: unknown; url?: unknown }).redirect ??
-          (result as { redirect?: unknown; url?: unknown }).url)
-        : undefined;
+    const redirect = extractOidcRedirect(result);
 
     if (typeof redirect === 'string') {
       const parsedUrl = new URL(redirect, globalThis.location.origin);
@@ -123,11 +163,11 @@ function oidcIcon(name: string): string {
 
 async function loadStrategies() {
   const response = await getStrategies();
-  const data = response.providers as Strategy[];
+  const data = parseStrategies(response.providers);
   strategies.value = data;
   hasBasic.value = data.some((s: Strategy) => s.type === 'basic');
   oidcStrategies.value = data.filter((s: Strategy) => s.type === 'oidc');
-  authErrors.value = response.errors ?? [];
+  authErrors.value = parseAuthProviderErrors(response.errors);
   error.value = '';
   connectionLost.value = false;
   retryDelayMs = INITIAL_RETRY_DELAY_MS;
@@ -196,7 +236,7 @@ onUnmounted(() => {
       <div
         v-if="!loading"
         class="w-full dd-rounded-lg overflow-hidden"
-        style="max-width: 420px; background-color: var(--dd-bg-card); box-shadow: 0 8px 32px rgba(0, 0, 0, 0.12);"
+        style="max-width: var(--dd-layout-dialog-max-width); background-color: var(--dd-bg-card); box-shadow: var(--dd-shadow-modal);"
       >
       <div class="p-8">
         <!-- Logo -->
@@ -220,7 +260,7 @@ onUnmounted(() => {
         <!-- Basic auth form -->
         <form v-if="hasBasic" @submit.prevent="handleBasicLogin" class="space-y-5">
           <div>
-            <label class="block text-[0.6875rem] font-medium uppercase tracking-wider mb-2.5 dd-text-muted">
+            <label class="block text-2xs-plus font-medium uppercase tracking-wider mb-2.5 dd-text-muted">
               Username
             </label>
             <input
@@ -235,7 +275,7 @@ onUnmounted(() => {
           </div>
 
           <div>
-            <label class="block text-[0.6875rem] font-medium uppercase tracking-wider mb-2.5 dd-text-muted">
+            <label class="block text-2xs-plus font-medium uppercase tracking-wider mb-2.5 dd-text-muted">
               Password
             </label>
             <input
@@ -249,7 +289,7 @@ onUnmounted(() => {
             />
           </div>
 
-          <button
+          <AppButton size="none" variant="plain" weight="none"
             type="submit"
             :disabled="submitting"
             class="w-full py-2.5 text-sm font-semibold dd-rounded transition-colors cursor-pointer"
@@ -260,19 +300,19 @@ onUnmounted(() => {
               Signing in...
             </template>
             <template v-else>Sign in</template>
-          </button>
+          </AppButton>
         </form>
 
         <!-- OIDC separator (only if both basic and OIDC exist) -->
         <div v-if="hasBasic && oidcStrategies.length > 0" class="flex items-center gap-3 my-6">
           <div class="flex-1 h-px" style="background-color: var(--dd-border-strong);" />
-          <span class="text-[0.6875rem] dd-text-muted">or continue with</span>
+          <span class="text-2xs-plus dd-text-muted">or continue with</span>
           <div class="flex-1 h-px" style="background-color: var(--dd-border-strong);" />
         </div>
 
         <!-- OIDC provider buttons -->
         <div v-if="oidcStrategies.length > 0" :class="oidcLayoutClass">
-          <button
+          <AppButton size="none" variant="plain" weight="none"
             v-for="strategy in oidcStrategies"
             :key="strategy.name"
             type="button"
@@ -282,10 +322,10 @@ onUnmounted(() => {
           >
             <AppIcon :name="oidcIcon(strategy.name)" :size="13" />
             {{ strategy.name }}
-          </button>
+          </AppButton>
         </div>
 
-        <!-- Remember me (shown for any auth method) -->
+        <!-- Remember me (shown for all auth methods) -->
         <label v-if="hasBasic || oidcStrategies.length > 0"
                class="flex items-center gap-2 mt-4 cursor-pointer select-none">
           <input
@@ -293,7 +333,7 @@ onUnmounted(() => {
             type="checkbox"
             class="w-3.5 h-3.5 dd-rounded-sm accent-[var(--dd-primary)]"
           />
-          <span class="text-[0.6875rem] dd-text-muted">Remember me</span>
+          <span class="text-2xs-plus dd-text-muted">Remember me</span>
         </label>
 
         <!-- No strategies available -->
@@ -316,8 +356,8 @@ onUnmounted(() => {
     <!-- Connection Lost Overlay -->
     <Transition name="fade">
       <div v-if="connectionLost"
-           class="fixed inset-0 z-[200] bg-black/70 backdrop-blur-sm flex items-center justify-center">
-        <div class="w-full max-w-[320px] mx-4 dd-rounded-lg overflow-hidden shadow-2xl text-center"
+           class="fixed inset-0 z-modal bg-black/70 backdrop-blur-sm flex items-center justify-center">
+        <div class="w-full max-w-[var(--dd-layout-overlay-max-width)] mx-4 dd-rounded-lg overflow-hidden shadow-2xl text-center"
              :style="{ backgroundColor: 'var(--dd-bg-card)', border: '1px solid var(--dd-border-strong)' }">
           <div class="flex flex-col items-center px-6 py-8 gap-3">
             <div class="disconnect-bounce h-10 mb-1">
@@ -325,12 +365,12 @@ onUnmounted(() => {
                    :style="[{ transform: 'rotate(180deg) scaleX(-1)' }, isDark ? { filter: 'invert(1)' } : {}]" />
             </div>
             <h2 class="text-sm font-bold dd-text">Connection Lost</h2>
-            <p class="text-[0.6875rem] dd-text-muted leading-relaxed">
+            <p class="text-2xs-plus dd-text-muted leading-relaxed">
               The server is unreachable. Waiting for it to come back online...
             </p>
             <div class="flex items-center gap-2 mt-1">
               <AppIcon name="spinner" :size="12" class="dd-spin dd-text-muted" />
-              <span class="text-[0.625rem] dd-text-muted">Reconnecting</span>
+              <span class="text-2xs dd-text-muted">Reconnecting</span>
             </div>
           </div>
         </div>
@@ -341,26 +381,26 @@ onUnmounted(() => {
 
 <style scoped>
 .login-logo {
-  animation: bounce 2s ease-in-out infinite;
+  animation: bounce var(--dd-duration-pulse) ease-in-out infinite;
 }
 @keyframes bounce {
   0%, 100% { transform: translateY(0); }
-  50% { transform: translateY(-8px); }
+  50% { transform: translateY(var(--dd-motion-bounce-y)); }
 }
 .login-card-enter-active {
-  transition: opacity 0.35s ease, transform 0.35s ease;
+  transition: opacity var(--dd-duration-emphasis) ease, transform var(--dd-duration-emphasis) ease;
 }
 .login-card-enter-from {
   opacity: 0;
-  transform: translateY(8px);
+  transform: translateY(var(--dd-motion-card-enter-y));
 }
 .fade-enter-active, .fade-leave-active {
-  transition: opacity 0.3s ease;
+  transition: opacity var(--dd-duration-enter) ease;
 }
 .fade-enter-from, .fade-leave-to {
   opacity: 0;
 }
 .disconnect-bounce {
-  animation: bounce 2s ease-in-out infinite;
+  animation: bounce var(--dd-duration-pulse) ease-in-out infinite;
 }
 </style>
diff --git a/ui/src/views/LogsView.vue b/ui/src/views/LogsView.vue
index 84ebaa06b..e6dd5516a 100644
--- a/ui/src/views/LogsView.vue
+++ b/ui/src/views/LogsView.vue
@@ -1,15 +1,14 @@
 <script setup lang="ts">
-import { nextTick, onMounted, ref } from 'vue';
-import {
-  LOG_AUTO_FETCH_INTERVALS,
-  useAutoFetchLogs,
-  useLogViewport,
-} from '../composables/useLogViewerBehavior';
+import { computed, onMounted, ref, watch } from 'vue';
 import ConfigLogsTab from '../components/config/ConfigLogsTab.vue';
+import { useSystemLogStream } from '../composables/useSystemLogStream';
 import { getLog, getLogEntries } from '../services/log';
+import type { SystemLogEntry } from '../services/system-log-stream';
+import type { AppLogEntry } from '../types/log-entry';
 import { errorMessage } from '../utils/error';
+import { toAppLogEntry } from '../utils/system-log-adapter';
 
-interface AppLogEntry {
+interface ApiLogEntry {
   timestamp?: string | number;
   level?: string;
   component?: string;
@@ -17,13 +16,15 @@ interface AppLogEntry {
   message?: string;
 }
 
-const { logContainer, scrollBlocked, scrollToBottom, handleLogScroll, resumeAutoScroll } =
-  useLogViewport();
-const { autoFetchInterval } = useAutoFetchLogs({
-  fetchFn: refreshAppLogs,
-  scrollToBottom,
-  scrollBlocked,
-});
+const streamingEnabled = ref(true);
+const {
+  entries: streamEntries,
+  status: streamStatus,
+  connect: streamConnect,
+  disconnect: streamDisconnect,
+  updateFilters: streamUpdateFilters,
+  clear: streamClear,
+} = useSystemLogStream();
 
 const appLogLevel = ref('unknown');
 const appLogEntries = ref<AppLogEntry[]>([]);
@@ -32,44 +33,57 @@ const appLogsError = ref('');
 const appLogLevelFilter = ref('all');
 const appLogTail = ref(100);
 const appLogComponent = ref('');
-const appLogsLastFetched = ref('');
 
-function formatLogTimestamp(timestamp: string | number | undefined): string {
-  if (timestamp === undefined || timestamp === null) {
-    return 'unknown';
-  }
-  const date = new Date(timestamp);
-  if (Number.isNaN(date.getTime())) {
-    return String(timestamp);
+const isStreaming = computed(() => streamingEnabled.value && streamStatus.value === 'connected');
+
+const streamAppEntries = computed<AppLogEntry[]>(() => {
+  return streamEntries.value.map((entry, index) => toAppLogEntry(entry, index + 1));
+});
+
+const displayEntries = computed<AppLogEntry[]>(() => {
+  if (streamingEnabled.value) {
+    return streamAppEntries.value;
   }
-  return date.toLocaleString();
-}
+  return appLogEntries.value;
+});
 
-function formatLastFetched(iso: string): string {
-  if (!iso) {
-    return 'never';
+function toTimestampMs(value: string | number | undefined): number {
+  if (typeof value === 'number' && Number.isFinite(value)) {
+    return value;
   }
-  const date = new Date(iso);
-  if (Number.isNaN(date.getTime())) {
-    return 'never';
+  if (typeof value !== 'string') {
+    return Number.NaN;
   }
-  return date.toLocaleTimeString();
+
+  const parsed = Date.parse(value);
+  return Number.isNaN(parsed) ? Number.NaN : parsed;
+}
+
+function toSystemLogEntry(entry: ApiLogEntry): SystemLogEntry {
+  return {
+    timestamp: toTimestampMs(entry.timestamp),
+    level: entry.level || 'info',
+    component: entry.component || '-',
+    msg: entry.msg || entry.message || '',
+  };
 }
 
-function logMessage(entry: AppLogEntry): string {
-  return entry.msg || entry.message || '';
+function buildStreamQuery() {
+  return {
+    level: appLogLevelFilter.value !== 'all' ? appLogLevelFilter.value : undefined,
+    component: appLogComponent.value.trim() || undefined,
+    tail: appLogTail.value,
+  };
 }
 
-function getLevelColor(level: string | undefined): string {
-  const value = (level || '').toLowerCase();
-  if (value === 'error') return 'var(--dd-danger)';
-  if (value === 'warn' || value === 'warning') return 'var(--dd-warning)';
-  if (value === 'info') return 'var(--dd-info)';
-  if (value === 'debug') return 'var(--dd-text-secondary)';
-  return 'var(--dd-text-secondary)';
+function startStreaming() {
+  streamConnect(buildStreamQuery());
 }
 
 async function refreshAppLogs() {
+  if (streamingEnabled.value) {
+    return;
+  }
   appLogsLoading.value = true;
   appLogsError.value = '';
   try {
@@ -81,12 +95,13 @@ async function refreshAppLogs() {
         tail: appLogTail.value,
       }),
     ]);
+
     appLogLevel.value = logInfo?.level ?? 'unknown';
-    appLogEntries.value = Array.isArray(entries) ? entries : [];
-    appLogsLastFetched.value = new Date().toISOString();
-    if (!scrollBlocked.value) {
-      void nextTick(() => scrollToBottom());
-    }
+    appLogEntries.value = Array.isArray(entries)
+      ? entries.map((entry, index) =>
+          toAppLogEntry(toSystemLogEntry(entry as ApiLogEntry), index + 1),
+        )
+      : [];
   } catch (e: unknown) {
     appLogsError.value = errorMessage(e, 'Failed to load application logs');
     appLogEntries.value = [];
@@ -95,49 +110,70 @@ async function refreshAppLogs() {
   }
 }
 
+function applyFilters() {
+  if (streamingEnabled.value) {
+    streamUpdateFilters(buildStreamQuery());
+  } else {
+    void refreshAppLogs();
+  }
+}
+
 function resetLogFilters() {
   appLogLevelFilter.value = 'all';
   appLogTail.value = 100;
   appLogComponent.value = '';
-  void refreshAppLogs();
+  applyFilters();
 }
 
-function setAppLogContainer(element: HTMLElement | null) {
-  logContainer.value = element;
+function toggleStreamingPause() {
+  streamingEnabled.value = !streamingEnabled.value;
 }
 
+watch(streamingEnabled, (enabled) => {
+  if (enabled) {
+    startStreaming();
+  } else {
+    streamDisconnect();
+    streamClear();
+    void refreshAppLogs();
+  }
+});
+
 onMounted(() => {
-  void refreshAppLogs();
+  void getLog()
+    .then((logInfo) => {
+      appLogLevel.value = logInfo?.level ?? 'unknown';
+    })
+    .catch(() => {
+      appLogLevel.value = 'unknown';
+    });
+  if (streamingEnabled.value) {
+    startStreaming();
+  } else {
+    void refreshAppLogs();
+  }
 });
 </script>
 
 <template>
-  <div class="flex flex-col flex-1 min-h-0 overflow-hidden pr-2 sm:pr-[15px]">
+  <div class="flex-1 min-h-0 min-w-0 overflow-y-auto pr-2 sm:pr-[15px]">
     <ConfigLogsTab
       :log-level="appLogLevel"
-      :entries="appLogEntries"
+      :entries="displayEntries"
       :loading="appLogsLoading"
       :error="appLogsError"
       :log-level-filter="appLogLevelFilter"
       :tail="appLogTail"
-      :auto-fetch-interval="autoFetchInterval"
       :component-filter="appLogComponent"
-      :auto-fetch-options="LOG_AUTO_FETCH_INTERVALS"
-      :scroll-blocked="scrollBlocked"
-      :last-fetched-iso="appLogsLastFetched"
-      :format-last-fetched="formatLastFetched"
-      :format-timestamp="formatLogTimestamp"
-      :message-for-entry="logMessage"
-      :level-color="getLevelColor"
+      :streaming-enabled="streamingEnabled"
+      :streaming-connected="isStreaming"
       @update:log-level-filter="appLogLevelFilter = $event"
       @update:tail="appLogTail = $event"
-      @update:auto-fetch-interval="autoFetchInterval = $event"
       @update:component-filter="appLogComponent = $event"
-      @refresh="refreshAppLogs"
+      @update:streaming-enabled="streamingEnabled = $event"
+      @refresh="applyFilters"
       @reset="resetLogFilters"
-      @resume-auto-scroll="resumeAutoScroll"
-      @log-scroll="handleLogScroll"
-      @set-log-container="setAppLogContainer"
+      @toggle-pause="toggleStreamingPause"
     />
   </div>
 </template>
diff --git a/ui/src/views/NotificationsView.vue b/ui/src/views/NotificationsView.vue
index ad5e70232..61857f4c6 100644
--- a/ui/src/views/NotificationsView.vue
+++ b/ui/src/views/NotificationsView.vue
@@ -1,8 +1,9 @@
 <script setup lang="ts">
 import { computed, onMounted, ref, watch } from 'vue';
 import { useRoute } from 'vue-router';
-import { useBreakpoints } from '../composables/useBreakpoints';
+import AppBadge from '../components/AppBadge.vue';
 import ToggleSwitch from '../components/ToggleSwitch.vue';
+import { useBreakpoints } from '../composables/useBreakpoints';
 import { useViewMode } from '../preferences/useViewMode';
 import type { NotificationRule, NotificationRuleUpdate } from '../services/notification';
 import { getAllNotificationRules, updateNotificationRule } from '../services/notification';
@@ -283,13 +284,13 @@ onMounted(async () => {
 <template>
   <DataViewLayout>
     <div v-if="error"
-         class="mb-3 px-3 py-2 text-[0.6875rem] dd-rounded"
+         class="mb-3 px-3 py-2 text-2xs-plus dd-rounded"
          :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }">
       {{ error }}
     </div>
 
     <div v-if="saveError"
-         class="mb-3 px-3 py-2 text-[0.6875rem] dd-rounded"
+         class="mb-3 px-3 py-2 text-2xs-plus dd-rounded"
          :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }">
       {{ saveError }}
     </div>
@@ -304,16 +305,16 @@ onMounted(async () => {
         <input v-model="searchQuery"
                type="text"
                placeholder="Filter by name, description, or trigger..."
-               class="flex-1 min-w-[120px] max-w-[320px] px-2.5 py-1.5 dd-rounded text-[0.6875rem] font-medium outline-none dd-bg dd-text dd-placeholder" />
-        <button v-if="searchQuery"
-                class="text-[0.625rem] dd-text-muted hover:dd-text transition-colors"
+               class="flex-1 min-w-[120px] max-w-[320px] px-2.5 py-1.5 dd-rounded text-2xs-plus font-medium outline-none dd-bg dd-text dd-placeholder" />
+        <AppButton size="none" variant="text-muted" weight="medium" class="text-2xs" v-if="searchQuery"
+                
                 @click="clearFilters">
           Clear
-        </button>
+        </AppButton>
       </template>
     </DataFilterBar>
 
-    <div v-if="loading" class="text-[0.6875rem] dd-text-muted py-3 px-1">Loading notification rules...</div>
+    <div v-if="loading" class="text-2xs-plus dd-text-muted py-3 px-1">Loading notification rules...</div>
 
     <DataTable
       v-if="notificationsViewMode === 'table' && !loading"
@@ -337,16 +338,15 @@ onMounted(async () => {
       </template>
       <template #cell-name="{ row }">
         <div class="font-medium dd-text">{{ row.name }}</div>
-        <div class="text-[0.625rem] mt-0.5 dd-text-muted">{{ row.description }}</div>
+        <div class="text-2xs mt-0.5 dd-text-muted">{{ row.description }}</div>
       </template>
       <template #cell-triggers="{ row }">
         <div class="flex flex-wrap gap-1 justify-end">
-          <span v-for="triggerId in row.triggers" :key="triggerId"
-                class="badge text-[0.5625rem] font-semibold"
-                :style="{ backgroundColor: 'var(--dd-neutral-muted)', color: 'var(--dd-text-secondary)' }">
+          <AppBadge v-for="triggerId in row.triggers" :key="triggerId"
+                    :custom="{ bg: 'var(--dd-neutral-muted)', text: 'var(--dd-text-secondary)' }" size="xs" :uppercase="false">
             {{ triggerNameById(triggerId) }}
-          </span>
-          <span v-if="row.triggers.length === 0" class="text-[0.625rem] italic dd-text-muted">None</span>
+          </AppBadge>
+          <span v-if="row.triggers.length === 0" class="text-2xs italic dd-text-muted">None</span>
         </div>
       </template>
       <template #empty>
@@ -366,8 +366,8 @@ onMounted(async () => {
       <template #card="{ item: notif }">
         <div class="px-4 pt-4 pb-2 flex items-start justify-between gap-3">
           <div class="min-w-0 flex-1">
-            <div class="text-[0.9375rem] font-semibold truncate dd-text">{{ notif.name }}</div>
-            <div class="text-[0.6875rem] mt-0.5 dd-text-muted">{{ notif.description }}</div>
+            <div class="text-sm-plus font-semibold truncate dd-text">{{ notif.name }}</div>
+            <div class="text-2xs-plus mt-0.5 dd-text-muted">{{ notif.description }}</div>
           </div>
           <ToggleSwitch
             :model-value="notif.enabled"
@@ -383,12 +383,11 @@ onMounted(async () => {
         </div>
         <div class="px-4 py-2.5 flex flex-wrap gap-1.5 mt-auto"
              :style="{ borderTop: '1px solid var(--dd-border)', backgroundColor: 'var(--dd-bg-elevated)' }">
-          <span v-for="triggerId in notif.triggers" :key="triggerId"
-                class="badge text-[0.5625rem] font-semibold"
-                :style="{ backgroundColor: 'var(--dd-neutral-muted)', color: 'var(--dd-text-secondary)' }">
+          <AppBadge v-for="triggerId in notif.triggers" :key="triggerId"
+                    :custom="{ bg: 'var(--dd-neutral-muted)', text: 'var(--dd-text-secondary)' }" size="xs" :uppercase="false">
             {{ triggerNameById(triggerId) }}
-          </span>
-          <span v-if="notif.triggers.length === 0" class="text-[0.625rem] italic dd-text-muted">
+          </AppBadge>
+          <span v-if="notif.triggers.length === 0" class="text-2xs italic dd-text-muted">
             No triggers
           </span>
         </div>
@@ -415,16 +414,15 @@ onMounted(async () => {
         />
         <span class="text-sm font-semibold flex-1 min-w-0 truncate dd-text">{{ notif.name }}</span>
         <div class="flex flex-wrap gap-1.5 shrink-0 max-w-[320px] justify-end">
-          <span v-for="triggerId in notif.triggers" :key="triggerId"
-                class="badge text-[0.5625rem] font-semibold"
-                :style="{ backgroundColor: 'var(--dd-neutral-muted)', color: 'var(--dd-text-secondary)' }">
+          <AppBadge v-for="triggerId in notif.triggers" :key="triggerId"
+                    :custom="{ bg: 'var(--dd-neutral-muted)', text: 'var(--dd-text-secondary)' }" size="xs" :uppercase="false">
             {{ triggerNameById(triggerId) }}
-          </span>
-          <span v-if="notif.triggers.length === 0" class="text-[0.625rem] italic dd-text-muted">No triggers</span>
+          </AppBadge>
+          <span v-if="notif.triggers.length === 0" class="text-2xs italic dd-text-muted">No triggers</span>
         </div>
       </template>
       <template #details="{ item: notif }">
-        <div class="text-[0.6875rem] dd-text-muted">{{ notif.description }}</div>
+        <div class="text-2xs-plus dd-text-muted">{{ notif.description }}</div>
       </template>
     </DataListAccordion>
 
@@ -450,23 +448,18 @@ onMounted(async () => {
         </template>
 
         <template #subtitle>
-          <span v-if="selectedRule"
-                class="badge text-[0.5625rem] font-bold"
-                :style="{
-                  backgroundColor: selectedRule.enabled ? 'var(--dd-success-muted)' : 'var(--dd-neutral-muted)',
-                  color: selectedRule.enabled ? 'var(--dd-success)' : 'var(--dd-neutral)',
-                }">
+          <AppBadge v-if="selectedRule" :tone="selectedRule.enabled ? 'success' : 'neutral'" size="xs">
             {{ selectedRule.enabled ? 'enabled' : 'disabled' }}
-          </span>
-          <span v-if="selectedRule" class="text-[0.625rem] font-mono dd-text-muted">{{ selectedRule.id }}</span>
+          </AppBadge>
+          <span v-if="selectedRule" class="text-2xs font-mono dd-text-muted">{{ selectedRule.id }}</span>
         </template>
 
         <template v-if="selectedRule" #default>
           <div class="p-4 space-y-5">
-            <div class="text-[0.6875rem] dd-text-muted">{{ selectedRule.description }}</div>
+            <div class="text-2xs-plus dd-text-muted">{{ selectedRule.description }}</div>
 
             <div>
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-2 dd-text-muted">Rule status</div>
+              <div class="text-2xs font-semibold uppercase tracking-wider mb-2 dd-text-muted">Rule status</div>
               <ToggleSwitch
                 :model-value="detailEnabled"
                 :disabled="detailSaving"
@@ -475,16 +468,16 @@ onMounted(async () => {
                 off-color="var(--dd-border-strong)"
                 @update:model-value="detailEnabled = $event"
               />
-              <div class="text-[0.625rem] mt-1 dd-text-muted">
+              <div class="text-2xs mt-1 dd-text-muted">
                 {{ detailEnabled ? 'Enabled: notifications can fire for this event.' : 'Disabled: notifications are suppressed for this event.' }}
               </div>
             </div>
 
             <div>
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-2 dd-text-muted">
+              <div class="text-2xs font-semibold uppercase tracking-wider mb-2 dd-text-muted">
                 Assigned Triggers
               </div>
-              <div v-if="triggersSorted.length === 0" class="text-[0.6875rem] dd-text-muted">
+              <div v-if="triggersSorted.length === 0" class="text-2xs-plus dd-text-muted">
                 No triggers configured. Add triggers on the <RouterLink to="/triggers"
                 class="underline hover:no-underline">Triggers page</RouterLink>.
               </div>
@@ -498,29 +491,28 @@ onMounted(async () => {
                          @change="toggleDetailTrigger(trigger.id)" />
                   <div class="flex-1 min-w-0">
                     <div class="text-xs font-semibold truncate dd-text">{{ trigger.name }}</div>
-                    <div class="text-[0.625rem] font-mono dd-text-muted">{{ trigger.id }}</div>
+                    <div class="text-2xs font-mono dd-text-muted">{{ trigger.id }}</div>
                   </div>
-                  <span class="badge text-[0.5625rem] uppercase font-bold shrink-0"
-                        :style="{ backgroundColor: triggerTypeBadge(trigger.type).bg, color: triggerTypeBadge(trigger.type).text }">
+                  <AppBadge :custom="{ bg: triggerTypeBadge(trigger.type).bg, text: triggerTypeBadge(trigger.type).text }" size="xs" class="shrink-0">
                     {{ triggerTypeBadge(trigger.type).label }}
-                  </span>
+                  </AppBadge>
                 </label>
               </div>
             </div>
 
             <div class="pt-2 flex items-center gap-2">
-              <button class="inline-flex items-center gap-1.5 px-3 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors disabled:opacity-50 disabled:pointer-events-none"
+              <AppButton size="none" variant="plain" weight="none" class="inline-flex items-center gap-1.5 px-3 py-1.5 dd-rounded text-2xs-plus font-semibold transition-colors disabled:opacity-50 disabled:pointer-events-none"
                       :style="{ backgroundColor: 'var(--dd-primary)', color: 'white' }"
                       :disabled="detailSaving || !detailHasChanges"
                       @click="saveSelectedRule">
                 <AppIcon :name="detailSaving ? 'pending' : 'check'" :size="12" />
                 {{ detailSaving ? 'Saving...' : 'Save changes' }}
-              </button>
-              <button class="px-3 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated disabled:opacity-50 disabled:pointer-events-none"
+              </AppButton>
+              <AppButton size="none" variant="plain" weight="none" class="px-3 py-1.5 dd-rounded text-2xs-plus font-semibold transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated disabled:opacity-50 disabled:pointer-events-none"
                       :disabled="detailSaving || !detailHasChanges"
                       @click="syncDetailDraftFromRule">
                 Reset
-              </button>
+              </AppButton>
             </div>
           </div>
         </template>
diff --git a/ui/src/views/RegistriesView.vue b/ui/src/views/RegistriesView.vue
index 8833ac011..eaf265654 100644
--- a/ui/src/views/RegistriesView.vue
+++ b/ui/src/views/RegistriesView.vue
@@ -1,6 +1,8 @@
 <script setup lang="ts">
 import { computed, onMounted, ref, watch } from 'vue';
 import { useRoute } from 'vue-router';
+import AppBadge from '@/components/AppBadge.vue';
+import DetailField from '@/components/DetailField.vue';
 import { useBreakpoints } from '../composables/useBreakpoints';
 import { useViewMode } from '../preferences/useViewMode';
 import { getAllRegistries, getRegistry } from '../services/registry';
@@ -157,12 +159,12 @@ onMounted(async () => {
 <template>
   <DataViewLayout>
       <div v-if="error"
-           class="mb-3 px-3 py-2 text-[0.6875rem] dd-rounded"
+           class="mb-3 px-3 py-2 text-2xs-plus dd-rounded"
            :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }">
         {{ error }}
       </div>
 
-      <div v-if="loading" class="text-[0.6875rem] dd-text-muted py-3 px-1">Loading registries...</div>
+      <div v-if="loading" class="text-2xs-plus dd-text-muted py-3 px-1">Loading registries...</div>
 
       <!-- Filter bar -->
       <DataFilterBar
@@ -175,12 +177,12 @@ onMounted(async () => {
           <input v-model="searchQuery"
                  type="text"
                  placeholder="Filter by name or type..."
-                 class="flex-1 min-w-[120px] max-w-[240px] px-2.5 py-1.5 dd-rounded text-[0.6875rem] font-medium outline-none dd-bg dd-text dd-placeholder" />
-          <button v-if="searchQuery"
-                  class="text-[0.625rem] dd-text-muted hover:dd-text transition-colors"
+                 class="flex-1 min-w-[120px] max-w-[var(--dd-layout-filter-max-width)] px-2.5 py-1.5 dd-rounded text-2xs-plus font-medium outline-none dd-bg dd-text dd-placeholder" />
+          <AppButton size="none" variant="text-muted" weight="medium" class="text-2xs" v-if="searchQuery"
+                  
                   @click="searchQuery = ''">
             Clear
-          </button>
+          </AppButton>
         </template>
       </DataFilterBar>
 
@@ -195,30 +197,21 @@ onMounted(async () => {
           <span class="font-medium dd-text">{{ registryTypeBadge(row.type).label }}</span>
         </template>
         <template #cell-type="{ row }">
-          <span v-if="isPrivate(row)" class="badge text-[0.5625rem] font-bold max-md:!hidden"
-                :style="{ backgroundColor: 'var(--dd-warning-muted)', color: 'var(--dd-warning)' }">
-            Private
-          </span>
-          <span v-else class="badge text-[0.5625rem] font-bold max-md:!hidden"
-                :style="{ backgroundColor: 'var(--dd-neutral-muted)', color: 'var(--dd-neutral)' }">
-            Public
-          </span>
-          <span v-if="isPrivate(row)" class="badge px-1.5 py-0 text-[0.5625rem] md:!hidden" style="background: var(--dd-warning-muted); color: var(--dd-warning);"><AppIcon name="lock" :size="12" /></span>
-          <span v-else class="badge px-1.5 py-0 text-[0.5625rem] md:!hidden" style="background: var(--dd-neutral-muted); color: var(--dd-neutral);"><AppIcon name="eye" :size="12" /></span>
+          <AppBadge v-if="isPrivate(row)" tone="warning" size="xs" class="max-md:!hidden">Private</AppBadge>
+          <AppBadge v-else tone="neutral" size="xs" class="max-md:!hidden">Public</AppBadge>
+          <AppBadge v-if="isPrivate(row)" v-tooltip.top="'Private'" tone="warning" size="xs" class="px-1.5 py-0 md:!hidden"><AppIcon name="lock" :size="12" /></AppBadge>
+          <AppBadge v-else v-tooltip.top="'Public'" tone="neutral" size="xs" class="px-1.5 py-0 md:!hidden"><AppIcon name="eye" :size="12" /></AppBadge>
         </template>
         <template #cell-status="{ row }">
           <AppIcon :name="row.status === 'connected' ? 'check' : row.status === 'error' ? 'xmark' : 'warning'" :size="13" class="shrink-0 md:!hidden"
+                   v-tooltip.top="row.status"
                    :style="{ color: row.status === 'connected' ? 'var(--dd-success)' : row.status === 'error' ? 'var(--dd-danger)' : 'var(--dd-warning)' }" />
-          <span class="badge text-[0.5625rem] font-bold max-md:!hidden"
-                :style="{
-                  backgroundColor: row.status === 'connected' ? 'var(--dd-success-muted)' : row.status === 'error' ? 'var(--dd-danger-muted)' : 'var(--dd-warning-muted)',
-                  color: row.status === 'connected' ? 'var(--dd-success)' : row.status === 'error' ? 'var(--dd-danger)' : 'var(--dd-warning)',
-                }">
+          <AppBadge :tone="row.status === 'connected' ? 'success' : row.status === 'error' ? 'danger' : 'warning'" size="xs" class="max-md:!hidden">
             {{ row.status }}
-          </span>
+          </AppBadge>
         </template>
         <template #cell-url="{ row }">
-          <span class="whitespace-nowrap font-mono text-[0.625rem] dd-text-secondary">
+          <span class="whitespace-nowrap font-mono text-2xs dd-text-secondary">
             {{ resolveUrl(row) }}
           </span>
         </template>
@@ -240,15 +233,14 @@ onMounted(async () => {
           <div class="px-4 pt-4 pb-2 flex items-start justify-between">
             <div class="min-w-0">
               <div class="text-sm font-semibold truncate dd-text">{{ reg.name }}</div>
-              <div class="text-[0.625rem] truncate mt-0.5 dd-text-muted font-mono">{{ resolveUrl(reg) }}</div>
+              <div class="text-2xs truncate mt-0.5 dd-text-muted font-mono">{{ resolveUrl(reg) }}</div>
             </div>
-            <span class="badge text-[0.5625rem] uppercase font-bold shrink-0 ml-2"
-                  :style="{ backgroundColor: registryTypeBadge(reg.type).bg, color: registryTypeBadge(reg.type).text }">
+            <AppBadge :custom="{ bg: registryTypeBadge(reg.type).bg, text: registryTypeBadge(reg.type).text }" size="xs" class="shrink-0 ml-2">
               {{ registryTypeBadge(reg.type).label }}
-            </span>
+            </AppBadge>
           </div>
           <div class="px-4 py-3">
-            <div class="grid grid-cols-2 gap-2 text-[0.6875rem]">
+            <div class="grid grid-cols-2 gap-2 text-2xs-plus">
               <div>
                 <span class="dd-text-muted">Auth</span>
                 <span class="ml-1 font-semibold" :style="{ color: isPrivate(reg) ? 'var(--dd-warning)' : 'var(--dd-text-muted)' }">
@@ -265,7 +257,7 @@ onMounted(async () => {
           </div>
           <div class="px-4 py-2.5 mt-auto"
                :style="{ borderTop: '1px solid var(--dd-border)', backgroundColor: 'var(--dd-bg-elevated)' }">
-            <span class="text-[0.625rem] dd-text-muted font-mono truncate">{{ resolveUrl(reg) }}</span>
+            <span class="text-2xs dd-text-muted font-mono truncate">{{ resolveUrl(reg) }}</span>
           </div>
         </template>
       </DataCardGrid>
@@ -277,29 +269,25 @@ onMounted(async () => {
                          :selected-key="selectedRegistry?.id"
                          @item-click="openDetail($event)">
         <template #header="{ item: reg }">
-          <span class="badge text-[0.5625rem] uppercase font-bold shrink-0"
-                :style="{ backgroundColor: registryTypeBadge(reg.type).bg, color: registryTypeBadge(reg.type).text }">
+          <AppBadge :custom="{ bg: registryTypeBadge(reg.type).bg, text: registryTypeBadge(reg.type).text }" size="xs" class="shrink-0">
             {{ registryTypeBadge(reg.type).label }}
-          </span>
+          </AppBadge>
           <div class="flex-1 min-w-0">
             <div class="text-sm font-semibold truncate dd-text">{{ reg.name }}</div>
-            <div class="text-[0.625rem] font-mono dd-text-muted truncate mt-0.5">{{ resolveUrl(reg) }}</div>
+            <div class="text-2xs font-mono dd-text-muted truncate mt-0.5">{{ resolveUrl(reg) }}</div>
           </div>
           <div class="flex items-center gap-3 shrink-0">
-            <span class="text-[0.6875rem] hidden md:inline font-medium" :style="{ color: isPrivate(reg) ? 'var(--dd-warning)' : 'var(--dd-text-muted)' }">
+            <span class="text-2xs-plus hidden md:inline font-medium" :style="{ color: isPrivate(reg) ? 'var(--dd-warning)' : 'var(--dd-text-muted)' }">
               {{ isPrivate(reg) ? 'Private' : 'Public' }}
             </span>
-            <span v-if="isPrivate(reg)" class="badge px-1.5 py-0 text-[0.5625rem] md:!hidden" style="background: var(--dd-warning-muted); color: var(--dd-warning);"><AppIcon name="lock" :size="12" /></span>
-            <span v-else class="badge px-1.5 py-0 text-[0.5625rem] md:!hidden" style="background: var(--dd-neutral-muted); color: var(--dd-neutral);"><AppIcon name="eye" :size="12" /></span>
+            <AppBadge v-if="isPrivate(reg)" v-tooltip.top="'Private'" tone="warning" size="xs" class="px-1.5 py-0 md:!hidden"><AppIcon name="lock" :size="12" /></AppBadge>
+            <AppBadge v-else v-tooltip.top="'Public'" tone="neutral" size="xs" class="px-1.5 py-0 md:!hidden"><AppIcon name="eye" :size="12" /></AppBadge>
             <AppIcon :name="reg.status === 'connected' ? 'check' : 'xmark'" :size="13" class="shrink-0 md:!hidden"
+                     v-tooltip.top="reg.status"
                      :style="{ color: reg.status === 'connected' ? 'var(--dd-success)' : 'var(--dd-danger)' }" />
-            <span class="badge text-[0.5625rem] font-bold max-md:!hidden"
-                  :style="{
-                    backgroundColor: reg.status === 'connected' ? 'var(--dd-success-muted)' : 'var(--dd-danger-muted)',
-                    color: reg.status === 'connected' ? 'var(--dd-success)' : 'var(--dd-danger)',
-                  }">
+            <AppBadge :tone="reg.status === 'connected' ? 'success' : 'danger'" size="xs" class="max-md:!hidden">
               {{ reg.status }}
-            </span>
+            </AppBadge>
           </div>
         </template>
       </DataListAccordion>
@@ -321,60 +309,47 @@ onMounted(async () => {
       >
         <template #header>
           <div class="flex items-center gap-2.5 min-w-0">
-            <span class="badge text-[0.5625rem] uppercase font-bold shrink-0"
-                  :style="{ backgroundColor: selectedRegistry ? registryTypeBadge(selectedRegistry.type).bg : undefined, color: selectedRegistry ? registryTypeBadge(selectedRegistry.type).text : undefined }">
-              {{ selectedRegistry ? registryTypeBadge(selectedRegistry.type).label : '' }}
-            </span>
+            <AppBadge v-if="selectedRegistry" :custom="{ bg: registryTypeBadge(selectedRegistry.type).bg, text: registryTypeBadge(selectedRegistry.type).text }" size="xs" class="shrink-0">
+              {{ registryTypeBadge(selectedRegistry.type).label }}
+            </AppBadge>
             <span class="text-sm font-bold truncate dd-text">{{ selectedRegistry?.name }}</span>
           </div>
         </template>
 
         <template #subtitle>
-          <span class="text-[0.6875rem] font-mono dd-text-secondary">{{ selectedRegistry ? resolveUrl(selectedRegistry) : '' }}</span>
+          <span class="text-2xs-plus font-mono dd-text-secondary">{{ selectedRegistry ? resolveUrl(selectedRegistry) : '' }}</span>
         </template>
 
         <template v-if="selectedRegistry" #default>
           <div class="p-4 space-y-5">
-            <div v-if="detailLoading" class="text-[0.6875rem] dd-text-muted">Refreshing registry details...</div>
+            <div v-if="detailLoading" class="text-2xs-plus dd-text-muted">Refreshing registry details...</div>
             <div v-if="detailError"
-                 class="px-3 py-2 text-[0.6875rem] dd-rounded"
+                 class="px-3 py-2 text-2xs-plus dd-rounded"
                  :style="{ backgroundColor: 'var(--dd-warning-muted)', color: 'var(--dd-warning)' }">
               {{ detailError }}
             </div>
 
             <!-- Status -->
-            <div>
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-1 dd-text-muted">Status</div>
-              <span class="badge text-[0.625rem] font-semibold"
-                    :style="{
-                      backgroundColor: selectedRegistry.status === 'connected' ? 'var(--dd-success-muted)' : 'var(--dd-danger-muted)',
-                      color: selectedRegistry.status === 'connected' ? 'var(--dd-success)' : 'var(--dd-danger)',
-                    }">
+            <DetailField label="Status">
+              <AppBadge :tone="selectedRegistry.status === 'connected' ? 'success' : 'danger'" size="sm">
                 {{ selectedRegistry.status }}
-              </span>
-            </div>
+              </AppBadge>
+            </DetailField>
 
             <!-- Auth type -->
-            <div>
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-1 dd-text-muted">Authentication</div>
+            <DetailField label="Authentication">
               <div class="flex items-center gap-1.5 text-xs">
                 <AppIcon v-if="isPrivate(selectedRegistry)" name="lock" :size="12" style="color: var(--dd-warning);" />
                 <AppIcon v-else name="eye" :size="12" class="dd-text-muted" />
                 <span class="dd-text font-medium">{{ isPrivate(selectedRegistry) ? 'Private' : 'Public' }}</span>
               </div>
-            </div>
+            </DetailField>
 
             <!-- URL -->
-            <div>
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-1 dd-text-muted">URL</div>
-              <div class="text-xs font-mono dd-text break-all">{{ resolveUrl(selectedRegistry) }}</div>
-            </div>
+            <DetailField label="URL" mono>{{ resolveUrl(selectedRegistry) }}</DetailField>
 
             <!-- Configuration -->
-            <div v-for="(val, key) in selectedRegistry.config" :key="key">
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-1 dd-text-muted">{{ key }}</div>
-              <div class="text-xs font-mono dd-text break-all">{{ val }}</div>
-            </div>
+            <DetailField v-for="(val, key) in selectedRegistry.config" :key="key" :label="String(key)" mono>{{ val }}</DetailField>
           </div>
         </template>
       </DetailPanel>
diff --git a/ui/src/views/SecurityView.vue b/ui/src/views/SecurityView.vue
index 5db1c6793..1514d78f0 100644
--- a/ui/src/views/SecurityView.vue
+++ b/ui/src/views/SecurityView.vue
@@ -1,7 +1,10 @@
 <script setup lang="ts">
 import { computed, onMounted, onUnmounted, ref } from 'vue';
+import AppBadge from '../components/AppBadge.vue';
+import AppIconButton from '../components/AppIconButton.vue';
 import ScanProgressBanner from '../components/ScanProgressBanner.vue';
 import SecurityEmptyState from '../components/SecurityEmptyState.vue';
+import StatusDot from '../components/StatusDot.vue';
 import { useBreakpoints } from '../composables/useBreakpoints';
 import { useSbomDetail } from '../composables/useSbomDetail';
 import { useScanProgress } from '../composables/useScanProgress';
@@ -204,12 +207,12 @@ onUnmounted(() => {
 <template>
   <DataViewLayout>
       <div v-if="error"
-           class="mb-3 px-3 py-2 text-[0.6875rem] dd-rounded"
+           class="mb-3 px-3 py-2 text-2xs-plus dd-rounded"
            :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }">
         {{ error }}
       </div>
 
-      <div v-if="loading" class="text-[0.6875rem] dd-text-muted py-3 px-1">Loading vulnerability data...</div>
+      <div v-if="loading" class="text-2xs-plus dd-text-muted py-3 px-1">Loading vulnerability data...</div>
 
       <!-- Filter bar -->
       <DataFilterBar
@@ -221,7 +224,7 @@ onUnmounted(() => {
         :count-label="displayCountLabel">
         <template #filters>
           <select v-model="secFilterSeverity"
-                  class="px-2 py-1.5 dd-rounded text-[0.6875rem] font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text">
+                  class="px-2 py-1.5 dd-rounded text-2xs-plus font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text">
             <option value="all">Severity</option>
             <option value="CRITICAL">Critical</option>
             <option value="HIGH">High</option>
@@ -229,65 +232,72 @@ onUnmounted(() => {
             <option value="LOW">Low</option>
           </select>
           <select v-model="secFilterFix"
-                  class="px-2 py-1.5 dd-rounded text-[0.6875rem] font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text">
+                  class="px-2 py-1.5 dd-rounded text-2xs-plus font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text">
             <option value="all">Fix Available</option>
             <option value="yes">Yes</option>
             <option value="no">No</option>
           </select>
-          <button v-if="activeSecFilterCount > 0"
-                  class="text-[0.625rem] font-medium px-2 py-1 dd-rounded transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
+          <AppButton size="none" variant="plain" weight="none" v-if="activeSecFilterCount > 0"
+                  class="text-2xs font-medium px-2 py-1 dd-rounded transition-colors dd-text-muted hover:dd-text hover:dd-bg-elevated"
                   @click="clearSecFilters">
             Clear all
-          </button>
+          </AppButton>
         </template>
         <template #left>
           <template v-if="runtimeStatus">
             <!-- Compact: single combined badge -->
-            <span v-if="isCompact"
-                  class="badge text-[0.5625rem] font-bold uppercase cursor-default flex items-center gap-1"
-                  :style="{ backgroundColor: statusBadgeTone(runtimeStatus.scanner.status).bg, color: statusBadgeTone(runtimeStatus.scanner.status).text }"
+            <AppBadge v-if="isCompact"
+                  :custom="{ bg: statusBadgeTone(runtimeStatus.scanner.status).bg, text: statusBadgeTone(runtimeStatus.scanner.status).text }"
+                  size="xs" class="cursor-default flex items-center gap-1"
                   v-tooltip.top="`Trivy: ${runtimeStatus.scanner.message} · Cosign: ${runtimeStatus.signature.message} · SBOM: ${runtimeStatus.sbom.enabled ? 'enabled' : 'disabled'}`">
-              <span class="w-1.5 h-1.5 rounded-full" :style="{ backgroundColor: statusBadgeTone(runtimeStatus.scanner.status).text }" />
-              <span class="w-1.5 h-1.5 rounded-full" :style="{ backgroundColor: statusBadgeTone(runtimeStatus.signature.status).text }" />
-              <span class="w-1.5 h-1.5 rounded-full" :style="{ backgroundColor: runtimeStatus.sbom.enabled ? 'var(--dd-info)' : 'var(--dd-neutral)' }" />
-            </span>
+              <StatusDot :color="statusBadgeTone(runtimeStatus.scanner.status).text" size="sm" />
+              <StatusDot :color="statusBadgeTone(runtimeStatus.signature.status).text" size="sm" />
+              <StatusDot :color="runtimeStatus.sbom.enabled ? 'var(--dd-info)' : 'var(--dd-neutral)'" size="sm" />
+            </AppBadge>
             <!-- Full: individual badges -->
             <template v-else>
-              <span class="badge text-[0.5625rem] font-bold uppercase cursor-default"
-                    :style="{ backgroundColor: statusBadgeTone(runtimeStatus.scanner.status).bg, color: statusBadgeTone(runtimeStatus.scanner.status).text }"
+              <AppBadge :custom="{ bg: statusBadgeTone(runtimeStatus.scanner.status).bg, text: statusBadgeTone(runtimeStatus.scanner.status).text }"
+                    size="xs" class="cursor-default"
                     v-tooltip.top="runtimeStatus.scanner.message + (runtimeStatus.scanner.server ? ' · server: ' + runtimeStatus.scanner.server : '')">
                 trivy
-              </span>
-              <span class="badge text-[0.5625rem] font-bold uppercase cursor-default"
-                    :style="{ backgroundColor: statusBadgeTone(runtimeStatus.signature.status).bg, color: statusBadgeTone(runtimeStatus.signature.status).text }"
+              </AppBadge>
+              <AppBadge :custom="{ bg: statusBadgeTone(runtimeStatus.signature.status).bg, text: statusBadgeTone(runtimeStatus.signature.status).text }"
+                    size="xs" class="cursor-default"
                     v-tooltip.top="runtimeStatus.signature.message">
                 cosign
-              </span>
-              <span class="badge text-[0.5625rem] font-bold uppercase cursor-default"
-                    :style="{
-                      backgroundColor: runtimeStatus.sbom.enabled ? 'var(--dd-info-muted)' : 'var(--dd-neutral-muted)',
-                      color: runtimeStatus.sbom.enabled ? 'var(--dd-info)' : 'var(--dd-neutral)',
-                    }"
+              </AppBadge>
+              <AppBadge :tone="runtimeStatus.sbom.enabled ? 'info' : 'neutral'"
+                    size="xs" class="cursor-default"
                     v-tooltip.top="runtimeStatus.sbom.enabled ? 'SBOM generation enabled (' + runtimeStatus.sbom.formats.join(', ') + ')' : 'SBOM generation disabled'">
                 sbom
-              </span>
+              </AppBadge>
             </template>
           </template>
         </template>
         <template #center>
           <span class="inline-flex" v-tooltip.top="scanDisabledReason">
-            <button class="h-7 dd-rounded flex items-center justify-center gap-1.5 text-[0.6875rem] font-semibold transition-colors"
+            <AppIconButton v-if="isCompact"
+                    icon="restart" size="toolbar" variant="plain"
+                    :class="[
+                      scanning || runtimeLoading || !scannerReady
+                        ? 'dd-text-muted'
+                        : 'dd-text-secondary hover:dd-text hover:dd-bg-elevated',
+                    ]"
+                    :loading="scanning"
+                    aria-label="Scan all containers"
+                    :disabled="scanning || runtimeLoading || !scannerReady"
+                    @click="scanAllContainers" />
+            <AppButton v-else size="none" variant="plain" weight="none" class="dd-rounded flex items-center justify-center gap-1.5 px-3 text-2xs-plus font-semibold transition-colors h-8"
                     :class="[
                       scanning || runtimeLoading || !scannerReady
                         ? 'dd-text-muted cursor-not-allowed'
                         : 'dd-text-secondary hover:dd-text hover:dd-bg-elevated',
-                      isCompact ? 'w-7' : 'px-3',
                     ]"
                     :disabled="scanning || runtimeLoading || !scannerReady"
                     @click="scanAllContainers">
-              <AppIcon name="restart" :size="11" :class="{ 'animate-spin': scanning }" />
-              <span v-if="!isCompact">Scan Now</span>
-            </button>
+              <AppIcon name="restart" :size="11" :class="{ 'animate-spin': scanning }" v-tooltip.top="scanning ? 'Scanning...' : undefined" />
+              <span>Scan Now</span>
+            </AppButton>
           </span>
         </template>
       </DataFilterBar>
@@ -307,65 +317,59 @@ onUnmounted(() => {
         <template #cell-image="{ row }">
           <div class="flex items-center gap-2 min-w-0">
             <AppIcon :name="severityIcon(highestSeverity(row))" :size="13" class="shrink-0 md:!hidden"
-                     :style="{ color: severityColor(highestSeverity(row)).text }" />
+                     :style="{ color: severityColor(highestSeverity(row)).text }"
+                     v-tooltip.top="highestSeverity(row)" />
             <span class="font-medium dd-text truncate">{{ row.image }}</span>
-            <span v-if="row.delta && row.delta.fixed > 0 && row.delta.new === 0"
-                  class="badge text-[0.5rem] font-bold px-1.5 py-0 shrink-0"
-                  :style="{ backgroundColor: 'var(--dd-success-muted)', color: 'var(--dd-success)' }"
+            <AppBadge v-if="row.delta && row.delta.fixed > 0 && row.delta.new === 0"
+                  tone="success" size="xs" class="px-1.5 py-0 shrink-0"
                   v-tooltip.top="`Update fixes ${row.delta.fixed} vulnerability${row.delta.fixed !== 1 ? 'ies' : 'y'}`">
               <AppIcon name="trending-down" :size="9" class="mr-0.5" />{{ row.delta.fixed }} fixed
-            </span>
-            <span v-else-if="row.delta && row.delta.new > 0 && row.delta.fixed === 0"
-                  class="badge text-[0.5rem] font-bold px-1.5 py-0 shrink-0"
-                  :style="{ backgroundColor: 'var(--dd-warning-muted)', color: 'var(--dd-warning)' }"
+            </AppBadge>
+            <AppBadge v-else-if="row.delta && row.delta.new > 0 && row.delta.fixed === 0"
+                  tone="warning" size="xs" class="px-1.5 py-0 shrink-0"
                   v-tooltip.top="`Update introduces ${row.delta.new} new vulnerability${row.delta.new !== 1 ? 'ies' : 'y'}`">
               <AppIcon name="trending-up" :size="9" class="mr-0.5" />{{ row.delta.new }} new
-            </span>
-            <span v-else-if="row.delta && (row.delta.fixed > 0 || row.delta.new > 0)"
-                  class="badge text-[0.5rem] font-bold px-1.5 py-0 shrink-0"
-                  :style="{ backgroundColor: 'var(--dd-caution-muted)', color: 'var(--dd-caution)' }"
+            </AppBadge>
+            <AppBadge v-else-if="row.delta && (row.delta.fixed > 0 || row.delta.new > 0)"
+                  tone="caution" size="xs" class="px-1.5 py-0 shrink-0"
                   v-tooltip.top="`Update: ${row.delta.fixed} fixed, ${row.delta.new} new`">
               {{ row.delta.fixed }} fixed, {{ row.delta.new }} new
-            </span>
+            </AppBadge>
           </div>
         </template>
         <template #cell-critical="{ row }">
-          <span v-if="row.critical > 0" class="badge text-[0.5625rem] font-bold"
-                :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }">
+          <AppBadge v-if="row.critical > 0" tone="danger" size="xs">
             {{ row.critical }}
-          </span>
-          <span v-else class="text-[0.625rem] dd-text-muted">&mdash;</span>
+          </AppBadge>
+          <span v-else class="text-2xs dd-text-muted">&mdash;</span>
         </template>
         <template #cell-high="{ row }">
-          <span v-if="row.high > 0" class="badge text-[0.5625rem] font-bold"
-                :style="{ backgroundColor: 'var(--dd-warning-muted)', color: 'var(--dd-warning)' }">
+          <AppBadge v-if="row.high > 0" tone="warning" size="xs">
             {{ row.high }}
-          </span>
-          <span v-else class="text-[0.625rem] dd-text-muted">&mdash;</span>
+          </AppBadge>
+          <span v-else class="text-2xs dd-text-muted">&mdash;</span>
         </template>
         <template #cell-medium="{ row }">
-          <span v-if="row.medium > 0" class="badge text-[0.5625rem] font-bold"
-                :style="{ backgroundColor: 'var(--dd-caution-muted)', color: 'var(--dd-caution)' }">
+          <AppBadge v-if="row.medium > 0" tone="caution" size="xs">
             {{ row.medium }}
-          </span>
-          <span v-else class="text-[0.625rem] dd-text-muted">&mdash;</span>
+          </AppBadge>
+          <span v-else class="text-2xs dd-text-muted">&mdash;</span>
         </template>
         <template #cell-low="{ row }">
-          <span v-if="row.low > 0" class="badge text-[0.5625rem] font-bold"
-                :style="{ backgroundColor: 'var(--dd-info-muted)', color: 'var(--dd-info)' }">
+          <AppBadge v-if="row.low > 0" tone="info" size="xs">
             {{ row.low }}
-          </span>
-          <span v-else class="text-[0.625rem] dd-text-muted">&mdash;</span>
+          </AppBadge>
+          <span v-else class="text-2xs dd-text-muted">&mdash;</span>
         </template>
         <template #cell-fixable="{ row }">
-          <span v-if="row.fixable > 0" class="text-[0.625rem] font-medium"
+          <span v-if="row.fixable > 0" class="text-2xs font-medium"
                 :style="{ color: fixableColor(row.fixable, row.total) }">
             {{ fixablePercent(row.fixable, row.total) }}%
           </span>
-          <span v-else class="text-[0.625rem] dd-text-muted">0%</span>
+          <span v-else class="text-2xs dd-text-muted">0%</span>
         </template>
         <template #cell-total="{ row }">
-          <span class="text-[0.6875rem] font-semibold dd-text">{{ row.total }}</span>
+          <span class="text-2xs-plus font-semibold dd-text">{{ row.total }}</span>
         </template>
         <template #empty>
           <SecurityEmptyState
@@ -396,55 +400,48 @@ onUnmounted(() => {
           <div class="px-4 pt-4 pb-2 flex items-start justify-between">
             <div class="min-w-0">
               <div class="text-sm font-semibold truncate dd-text">{{ summary.image }}</div>
-              <div class="text-[0.625rem] mt-0.5 dd-text-muted">{{ summary.total }} vulnerabilities</div>
+              <div class="text-2xs mt-0.5 dd-text-muted">{{ summary.total }} vulnerabilities</div>
             </div>
             <AppIcon :name="severityIcon(highestSeverity(summary))" :size="16" class="shrink-0 ml-2"
-                     :style="{ color: severityColor(highestSeverity(summary)).text }" />
+                     :style="{ color: severityColor(highestSeverity(summary)).text }"
+                     v-tooltip.top="highestSeverity(summary)" />
           </div>
           <div class="px-4 py-3">
             <div class="flex items-center gap-1.5 flex-wrap">
-              <span v-if="summary.critical > 0" class="badge text-[0.5625rem] font-bold"
-                    :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }">
+              <AppBadge v-if="summary.critical > 0" tone="danger" size="xs">
                 {{ summary.critical }} Critical
-              </span>
-              <span v-if="summary.high > 0" class="badge text-[0.5625rem] font-bold"
-                    :style="{ backgroundColor: 'var(--dd-warning-muted)', color: 'var(--dd-warning)' }">
+              </AppBadge>
+              <AppBadge v-if="summary.high > 0" tone="warning" size="xs">
                 {{ summary.high }} High
-              </span>
-              <span v-if="summary.medium > 0" class="badge text-[0.5625rem] font-bold"
-                    :style="{ backgroundColor: 'var(--dd-caution-muted)', color: 'var(--dd-caution)' }">
+              </AppBadge>
+              <AppBadge v-if="summary.medium > 0" tone="caution" size="xs">
                 {{ summary.medium }} Medium
-              </span>
-              <span v-if="summary.low > 0" class="badge text-[0.5625rem] font-bold"
-                    :style="{ backgroundColor: 'var(--dd-info-muted)', color: 'var(--dd-info)' }">
+              </AppBadge>
+              <AppBadge v-if="summary.low > 0" tone="info" size="xs">
                 {{ summary.low }} Low
-              </span>
+              </AppBadge>
             </div>
           </div>
           <div v-if="summary.delta && (summary.delta.fixed > 0 || summary.delta.new > 0)"
                class="px-4 py-2 flex items-center gap-1.5"
                :style="{ borderTop: '1px solid var(--dd-border)' }">
-            <span v-if="summary.delta.fixed > 0"
-                  class="badge text-[0.5rem] font-bold px-1.5 py-0"
-                  :style="{ backgroundColor: 'var(--dd-success-muted)', color: 'var(--dd-success)' }">
+            <AppBadge v-if="summary.delta.fixed > 0" tone="success" size="xs" class="px-1.5 py-0">
               {{ summary.delta.fixed }} fixed
-            </span>
-            <span v-if="summary.delta.new > 0"
-                  class="badge text-[0.5rem] font-bold px-1.5 py-0"
-                  :style="{ backgroundColor: 'var(--dd-warning-muted)', color: 'var(--dd-warning)' }">
+            </AppBadge>
+            <AppBadge v-if="summary.delta.new > 0" tone="warning" size="xs" class="px-1.5 py-0">
               {{ summary.delta.new }} new
-            </span>
-            <span class="text-[0.5625rem] dd-text-muted ml-auto">vs update</span>
+            </AppBadge>
+            <span class="text-3xs dd-text-muted ml-auto">vs update</span>
           </div>
           <div class="px-4 py-2.5 flex items-center justify-between mt-auto"
                :style="{ borderTop: '1px solid var(--dd-border)', backgroundColor: 'var(--dd-bg-elevated)' }">
-            <span v-if="summary.fixable > 0" class="text-[0.6875rem] font-medium flex items-center gap-1"
+            <span v-if="summary.fixable > 0" class="text-2xs-plus font-medium flex items-center gap-1"
                   :style="{ color: fixableColor(summary.fixable, summary.total) }">
               <AppIcon name="check" :size="11" />
               {{ fixablePercent(summary.fixable, summary.total) }}% fixable
             </span>
-            <span v-else class="text-[0.6875rem] dd-text-muted">No fixes available</span>
-            <span class="text-[0.625rem] dd-text-muted">{{ summary.total }} total</span>
+            <span v-else class="text-2xs-plus dd-text-muted">No fixes available</span>
+            <span class="text-2xs dd-text-muted">{{ summary.total }} total</span>
           </div>
         </template>
       </DataCardGrid>
@@ -474,34 +471,30 @@ onUnmounted(() => {
                          @item-click="openDetail($event)">
         <template #header="{ item: summary }">
           <AppIcon :name="severityIcon(highestSeverity(summary))" :size="13" class="shrink-0"
-                   :style="{ color: severityColor(highestSeverity(summary)).text }" />
+                   :style="{ color: severityColor(highestSeverity(summary)).text }"
+                   v-tooltip.top="highestSeverity(summary)" />
           <div class="flex-1 min-w-0">
             <div class="text-sm font-semibold truncate dd-text">{{ summary.image }}</div>
-            <div class="text-[0.625rem] dd-text-muted mt-0.5">{{ summary.total }} vulnerabilities</div>
+            <div class="text-2xs dd-text-muted mt-0.5">{{ summary.total }} vulnerabilities</div>
           </div>
           <div class="flex items-center gap-1.5 shrink-0">
-            <span v-if="summary.critical > 0" class="badge text-[0.5rem] font-bold px-1.5 py-0"
-                  :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }">
+            <AppBadge v-if="summary.critical > 0" tone="danger" size="xs" class="px-1.5 py-0">
               {{ summary.critical }}C
-            </span>
-            <span v-if="summary.high > 0" class="badge text-[0.5rem] font-bold px-1.5 py-0"
-                  :style="{ backgroundColor: 'var(--dd-warning-muted)', color: 'var(--dd-warning)' }">
+            </AppBadge>
+            <AppBadge v-if="summary.high > 0" tone="warning" size="xs" class="px-1.5 py-0">
               {{ summary.high }}H
-            </span>
-            <span v-if="summary.fixable > 0" class="badge text-[0.5rem] font-bold px-1.5 py-0"
-                  :style="{ backgroundColor: 'var(--dd-success-muted)', color: 'var(--dd-success)' }">
+            </AppBadge>
+            <AppBadge v-if="summary.fixable > 0" tone="success" size="xs" class="px-1.5 py-0">
               {{ summary.fixable }} fix
-            </span>
-            <span v-if="summary.delta && summary.delta.fixed > 0 && summary.delta.new === 0"
-                  class="badge text-[0.5rem] font-bold px-1.5 py-0"
-                  :style="{ backgroundColor: 'var(--dd-success-muted)', color: 'var(--dd-success)' }">
+            </AppBadge>
+            <AppBadge v-if="summary.delta && summary.delta.fixed > 0 && summary.delta.new === 0"
+                  tone="success" size="xs" class="px-1.5 py-0">
               {{ summary.delta.fixed }} fixed
-            </span>
-            <span v-else-if="summary.delta && summary.delta.new > 0"
-                  class="badge text-[0.5rem] font-bold px-1.5 py-0"
-                  :style="{ backgroundColor: 'var(--dd-warning-muted)', color: 'var(--dd-warning)' }">
+            </AppBadge>
+            <AppBadge v-else-if="summary.delta && summary.delta.new > 0"
+                  tone="warning" size="xs" class="px-1.5 py-0">
               {{ summary.delta.new }} new
-            </span>
+            </AppBadge>
           </div>
         </template>
       </DataListAccordion>
@@ -541,23 +534,19 @@ onUnmounted(() => {
 
         <template #subtitle>
           <div class="flex items-center gap-2 flex-wrap">
-            <span v-if="selectedImage?.critical" class="badge text-[0.5625rem] font-bold"
-                  :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }">
+            <AppBadge v-if="selectedImage?.critical" tone="danger" size="xs">
               {{ selectedImage.critical }} Critical
-            </span>
-            <span v-if="selectedImage?.high" class="badge text-[0.5625rem] font-bold"
-                  :style="{ backgroundColor: 'var(--dd-warning-muted)', color: 'var(--dd-warning)' }">
+            </AppBadge>
+            <AppBadge v-if="selectedImage?.high" tone="warning" size="xs">
               {{ selectedImage.high }} High
-            </span>
-            <span v-if="selectedImage?.medium" class="badge text-[0.5625rem] font-bold"
-                  :style="{ backgroundColor: 'var(--dd-caution-muted)', color: 'var(--dd-caution)' }">
+            </AppBadge>
+            <AppBadge v-if="selectedImage?.medium" tone="caution" size="xs">
               {{ selectedImage.medium }} Medium
-            </span>
-            <span v-if="selectedImage?.low" class="badge text-[0.5625rem] font-bold"
-                  :style="{ backgroundColor: 'var(--dd-info-muted)', color: 'var(--dd-info)' }">
+            </AppBadge>
+            <AppBadge v-if="selectedImage?.low" tone="info" size="xs">
               {{ selectedImage.low }} Low
-            </span>
-            <span class="text-[0.625rem] dd-text-muted ml-auto">{{ selectedImage?.total }} total</span>
+            </AppBadge>
+            <span class="text-2xs dd-text-muted ml-auto">{{ selectedImage?.total }} total</span>
           </div>
         </template>
 
@@ -569,30 +558,28 @@ onUnmounted(() => {
               <div class="flex items-center gap-2 mb-1.5">
                 <AppIcon :name="severityIcon(vuln.severity)" :size="12"
                          :style="{ color: severityColor(vuln.severity).text }" />
-                <span class="badge text-[0.5rem] uppercase font-bold"
-                      :style="{ backgroundColor: severityColor(vuln.severity).bg, color: severityColor(vuln.severity).text }">
+                <AppBadge :custom="{ bg: severityColor(vuln.severity).bg, text: severityColor(vuln.severity).text }" size="xs" class="px-1.5 py-0">
                   {{ vuln.severity }}
-                </span>
-                <span class="font-mono text-[0.6875rem] font-semibold dd-text truncate">{{ vuln.id }}</span>
+                </AppBadge>
+                <span class="font-mono text-2xs-plus font-semibold dd-text truncate">{{ vuln.id }}</span>
               </div>
-              <div class="flex items-center gap-2 text-[0.6875rem] ml-5">
+              <div class="flex items-center gap-2 text-2xs-plus ml-5">
                 <span class="font-medium dd-text">{{ vuln.package }}</span>
                 <span class="dd-text-muted">{{ vuln.version }}</span>
-                <span v-if="vuln.fixedIn" class="ml-auto badge text-[0.5rem] font-bold px-1.5 py-0"
-                      style="background: var(--dd-success-muted); color: var(--dd-success);">
+                <AppBadge v-if="vuln.fixedIn" tone="success" size="xs" class="ml-auto px-1.5 py-0">
                   <AppIcon name="check" :size="9" class="mr-0.5" />
                   {{ vuln.fixedIn }}
-                </span>
-                <span v-else class="ml-auto text-[0.625rem] dd-text-muted">No fix</span>
+                </AppBadge>
+                <span v-else class="ml-auto text-2xs dd-text-muted">No fix</span>
               </div>
               <div
                 v-if="vuln.title || vuln.target || vuln.primaryUrl"
                 class="ml-5 mt-1.5 space-y-1"
               >
-                <div v-if="vuln.title" class="text-[0.625rem] dd-text">
+                <div v-if="vuln.title" class="text-2xs dd-text">
                   {{ vuln.title }}
                 </div>
-                <div v-if="vuln.target" class="text-[0.625rem] dd-text-muted">
+                <div v-if="vuln.target" class="text-2xs dd-text-muted">
                   Target:
                   <span class="font-mono dd-text">{{ vuln.target }}</span>
                 </div>
@@ -601,7 +588,7 @@ onUnmounted(() => {
                   :href="vuln.primaryUrl"
                   target="_blank"
                   rel="noopener noreferrer"
-                  class="inline-flex text-[0.625rem] underline hover:no-underline break-all"
+                  class="inline-flex text-2xs underline hover:no-underline break-all"
                   style="color: var(--dd-info);"
                 >
                   {{ vuln.primaryUrl }}
@@ -612,42 +599,39 @@ onUnmounted(() => {
 
           <div class="px-4 py-3 space-y-2" :style="{ borderTop: '1px solid var(--dd-border)' }">
             <div class="flex items-center gap-2 flex-wrap">
-              <span class="text-[0.625rem] font-semibold uppercase tracking-wide dd-text-muted">SBOM</span>
+              <span class="text-2xs font-semibold uppercase tracking-wide dd-text-muted">SBOM</span>
               <select v-model="selectedSbomFormat"
-                      class="px-2 py-1 dd-rounded text-[0.625rem] font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text"
+                      class="px-2 py-1 dd-rounded text-2xs font-semibold uppercase tracking-wide outline-none cursor-pointer dd-bg dd-text"
                       @change="loadDetailSbom">
                 <option value="spdx-json">spdx-json</option>
                 <option value="cyclonedx-json">cyclonedx-json</option>
               </select>
-              <button class="px-2 py-1 dd-rounded text-[0.625rem] font-semibold transition-colors dd-text-secondary hover:dd-text hover:dd-bg-elevated"
-                      :disabled="detailSbomLoading"
+              <AppButton size="xs" variant="secondary" :disabled="detailSbomLoading"
                       @click="loadDetailSbom">
                 {{ detailSbomLoading ? 'Loading SBOM...' : 'Refresh SBOM' }}
-              </button>
-              <button class="px-2 py-1 dd-rounded text-[0.625rem] font-semibold transition-colors dd-text-secondary hover:dd-text hover:dd-bg-elevated"
-                      :disabled="!detailSbomDocument"
+              </AppButton>
+              <AppButton size="xs" variant="secondary" :disabled="!detailSbomDocument"
                       @click="showSbomDocument = !showSbomDocument">
                 {{ showSbomDocument ? 'Hide SBOM' : 'View SBOM' }}
-              </button>
-              <button class="px-2 py-1 dd-rounded text-[0.625rem] font-semibold transition-colors dd-text-secondary hover:dd-text hover:dd-bg-elevated"
-                      :disabled="!detailSbomDocument"
+              </AppButton>
+              <AppButton size="xs" variant="secondary" :disabled="!detailSbomDocument"
                       @click="downloadDetailSbom">
                 Download SBOM
-              </button>
+              </AppButton>
             </div>
 
             <div v-if="detailSbomError"
-                 class="px-2.5 py-1.5 dd-rounded text-[0.6875rem]"
+                 class="px-2.5 py-1.5 dd-rounded text-2xs-plus"
                  :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }">
               {{ detailSbomError }}
             </div>
             <div v-else-if="detailSbomLoading"
-                 class="px-2.5 py-1.5 dd-rounded text-[0.6875rem] dd-text-muted"
+                 class="px-2.5 py-1.5 dd-rounded text-2xs-plus dd-text-muted"
                  :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
               Loading SBOM document...
             </div>
             <div v-else-if="detailSbomDocument"
-                 class="px-2.5 py-1.5 dd-rounded text-[0.625rem] space-y-0.5"
+                 class="px-2.5 py-1.5 dd-rounded text-2xs space-y-0.5"
                  :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
               <div class="dd-text-muted">
                 format:
@@ -663,13 +647,13 @@ onUnmounted(() => {
               </div>
             </div>
             <div v-else
-                 class="px-2.5 py-1.5 dd-rounded text-[0.6875rem] dd-text-muted italic"
+                 class="px-2.5 py-1.5 dd-rounded text-2xs-plus dd-text-muted italic"
                  :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
               SBOM document is not available yet.
             </div>
 
             <pre v-if="showSbomDocument && detailSbomDocumentJson"
-                 class="p-2 dd-rounded text-[0.625rem] overflow-auto max-h-64 font-mono"
+                 class="p-2 dd-rounded text-2xs overflow-auto max-h-64 font-mono"
                  :style="{ backgroundColor: 'var(--dd-bg-code)' }">{{ detailSbomDocumentJson }}</pre>
           </div>
         </template>
diff --git a/ui/src/views/ServersView.vue b/ui/src/views/ServersView.vue
index aa4892e26..9713aaf4c 100644
--- a/ui/src/views/ServersView.vue
+++ b/ui/src/views/ServersView.vue
@@ -1,5 +1,7 @@
 <script setup lang="ts">
 import { computed, onMounted, ref } from 'vue';
+import AppBadge from '@/components/AppBadge.vue';
+import DetailField from '@/components/DetailField.vue';
 import { useBreakpoints } from '../composables/useBreakpoints';
 import { useViewMode } from '../preferences/useViewMode';
 import { getAgents } from '../services/agent';
@@ -49,13 +51,6 @@ function closeDetail() {
   selectedServer.value = null;
 }
 
-function statusColor(status: string) {
-  return status === 'connected' ? 'var(--dd-success)' : 'var(--dd-danger)';
-}
-function statusBg(status: string) {
-  return status === 'connected' ? 'var(--dd-success-muted)' : 'var(--dd-danger-muted)';
-}
-
 const tableColumns = [
   { key: 'name', label: 'Host', width: '30%', sortable: false },
   { key: 'host', label: 'Address', width: '30%', sortable: false },
@@ -180,12 +175,12 @@ onMounted(fetchServers);
 <template>
   <DataViewLayout>
     <div v-if="error"
-         class="mb-3 px-3 py-2 text-[0.6875rem] dd-rounded"
+         class="mb-3 px-3 py-2 text-2xs-plus dd-rounded"
          :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }">
       {{ error }}
     </div>
 
-    <div v-if="loading" class="text-[0.6875rem] dd-text-muted py-3 px-1">Loading server data...</div>
+    <div v-if="loading" class="text-2xs-plus dd-text-muted py-3 px-1">Loading server data...</div>
 
     <!-- Filter bar -->
     <DataFilterBar
@@ -199,12 +194,12 @@ onMounted(fetchServers);
         <input v-model="searchQuery"
                type="text"
                placeholder="Filter by name or address..."
-               class="flex-1 min-w-[120px] max-w-[240px] px-2.5 py-1.5 dd-rounded text-[0.6875rem] font-medium outline-none dd-bg dd-text dd-placeholder" />
-        <button v-if="searchQuery"
-                class="text-[0.625rem] dd-text-muted hover:dd-text transition-colors"
+               class="flex-1 min-w-[120px] max-w-[var(--dd-layout-filter-max-width)] px-2.5 py-1.5 dd-rounded text-2xs-plus font-medium outline-none dd-bg dd-text dd-placeholder" />
+        <AppButton size="none" variant="text-muted" weight="medium" class="text-2xs" v-if="searchQuery"
+                
                 @click="searchQuery = ''">
           Clear
-        </button>
+        </AppButton>
       </template>
     </DataFilterBar>
 
@@ -224,22 +219,20 @@ onMounted(fetchServers);
             </div>
           </template>
           <template #cell-host="{ row }">
-            <span class="font-mono text-[0.625rem] dd-text-secondary">{{ row.host }}</span>
+            <span class="font-mono text-2xs dd-text-secondary">{{ row.host }}</span>
           </template>
           <template #cell-status="{ row }">
-            <span class="badge px-1.5 py-0 text-[0.5625rem] md:!hidden"
-                  :style="{ backgroundColor: statusBg(row.status), color: statusColor(row.status) }">
+            <AppBadge :tone="row.status === 'connected' ? 'success' : 'danger'" size="xs" class="px-1.5 py-0 md:!hidden" v-tooltip.top="row.status === 'connected' ? 'Connected' : 'Disconnected'">
               <AppIcon :name="row.status === 'connected' ? 'check' : 'xmark'" :size="12" />
-            </span>
-            <span class="badge text-[0.5625rem] font-bold uppercase max-md:!hidden"
-                  :style="{ backgroundColor: statusBg(row.status), color: statusColor(row.status) }">
+            </AppBadge>
+            <AppBadge :tone="row.status === 'connected' ? 'success' : 'danger'" size="xs" class="max-md:!hidden">
               {{ row.status }}
-            </span>
+            </AppBadge>
           </template>
           <template #cell-containers="{ row }">
             <div class="flex items-center justify-center gap-2">
               <span class="font-semibold dd-text">{{ row.containers.total }}</span>
-              <span class="text-[0.625rem]" :style="{ color: row.containers.running > 0 ? 'var(--dd-success)' : 'var(--dd-text-muted)' }">
+              <span class="text-2xs" :style="{ color: row.containers.running > 0 ? 'var(--dd-success)' : 'var(--dd-text-muted)' }">
                 {{ row.containers.running }} running
               </span>
             </div>
@@ -264,21 +257,19 @@ onMounted(fetchServers);
               <div class="flex items-center gap-2.5 min-w-0">
                 <AppIcon name="servers" :size="14" class="dd-text-secondary shrink-0 mt-1" />
                 <div class="min-w-0">
-                  <div class="text-[0.9375rem] font-semibold truncate dd-text">{{ server.name }}</div>
-                  <div class="text-[0.6875rem] truncate mt-0.5 dd-text-muted font-mono">{{ server.host }}</div>
+                  <div class="text-sm-plus font-semibold truncate dd-text">{{ server.name }}</div>
+                  <div class="text-2xs-plus truncate mt-0.5 dd-text-muted font-mono">{{ server.host }}</div>
                 </div>
               </div>
-              <span class="badge px-1.5 py-0 text-[0.5625rem] shrink-0 ml-2 md:!hidden"
-                    :style="{ backgroundColor: statusBg(server.status), color: statusColor(server.status) }">
+              <AppBadge :tone="server.status === 'connected' ? 'success' : 'danger'" size="xs" class="px-1.5 py-0 shrink-0 ml-2 md:!hidden" v-tooltip.top="server.status === 'connected' ? 'Connected' : 'Disconnected'">
                 <AppIcon :name="server.status === 'connected' ? 'check' : 'xmark'" :size="12" />
-              </span>
-              <span class="badge text-[0.5625rem] uppercase font-bold shrink-0 ml-2 max-md:!hidden"
-                    :style="{ backgroundColor: statusBg(server.status), color: statusColor(server.status) }">
+              </AppBadge>
+              <AppBadge :tone="server.status === 'connected' ? 'success' : 'danger'" size="xs" class="shrink-0 ml-2 max-md:!hidden">
                 {{ server.status }}
-              </span>
+              </AppBadge>
             </div>
             <div class="px-4 py-3">
-              <div class="grid grid-cols-2 gap-2 text-[0.6875rem]">
+              <div class="grid grid-cols-2 gap-2 text-2xs-plus">
                 <div>
                   <span class="dd-text-muted">Containers</span>
                   <span class="ml-1 font-semibold dd-text">{{ server.containers.total }}</span>
@@ -303,7 +294,7 @@ onMounted(fetchServers);
             </div>
             <div class="px-4 py-2.5 mt-auto"
                  :style="{ borderTop: '1px solid var(--dd-border)', backgroundColor: 'var(--dd-bg-elevated)' }">
-              <span class="text-[0.625rem]"
+              <span class="text-2xs"
                     :style="{ color: server.containers.running > 0 ? 'var(--dd-success)' : 'var(--dd-text-muted)' }">
                 {{ server.containers.running }}/{{ server.containers.total }} running
               </span>
@@ -323,20 +314,19 @@ onMounted(fetchServers);
             <AppIcon name="servers" :size="14" class="dd-text-secondary" />
             <div class="flex-1 min-w-0">
               <div class="text-sm font-semibold truncate dd-text">{{ server.name }}</div>
-              <div class="text-[0.625rem] font-mono dd-text-muted truncate mt-0.5">{{ server.host }}</div>
+              <div class="text-2xs font-mono dd-text-muted truncate mt-0.5">{{ server.host }}</div>
             </div>
             <div class="flex items-center gap-3 shrink-0">
-              <span class="text-[0.6875rem] dd-text-muted hidden md:inline">
+              <span class="text-2xs-plus dd-text-muted hidden md:inline">
                 <span class="font-semibold dd-text">{{ server.containers.total }}</span> containers
               </span>
-              <span class="text-[0.6875rem] hidden md:inline"
+              <span class="text-2xs-plus hidden md:inline"
                     :class="server.status === 'connected' ? 'dd-text-muted' : 'dd-text-danger'">
                 {{ server.lastSeen }}
               </span>
-              <span class="badge text-[0.5625rem] uppercase font-bold hidden md:inline-flex"
-                    :style="{ backgroundColor: statusBg(server.status), color: statusColor(server.status) }">
+              <AppBadge :tone="server.status === 'connected' ? 'success' : 'danger'" size="xs" class="hidden md:inline-flex">
                 {{ server.status }}
-              </span>
+              </AppBadge>
             </div>
           </template>
         </DataListAccordion>
@@ -362,60 +352,51 @@ onMounted(fetchServers);
         <template #header>
           <div class="flex items-center gap-2.5 min-w-0">
             <span class="text-sm font-bold truncate dd-text">{{ selectedServer?.name }}</span>
-            <span class="badge text-[0.5625rem] uppercase font-bold shrink-0"
-                  :style="{
-                    backgroundColor: selectedServer ? statusBg(selectedServer.status) : undefined,
-                    color: selectedServer ? statusColor(selectedServer.status) : undefined,
-                  }">
-              {{ selectedServer?.status }}
-            </span>
+            <AppBadge v-if="selectedServer" :tone="selectedServer.status === 'connected' ? 'success' : 'danger'" size="xs" class="shrink-0">
+              {{ selectedServer.status }}
+            </AppBadge>
           </div>
         </template>
 
         <template #subtitle>
-          <span class="text-[0.6875rem] font-mono dd-text-secondary">{{ selectedServer?.host }}</span>
+          <span class="text-2xs-plus font-mono dd-text-secondary">{{ selectedServer?.host }}</span>
         </template>
 
         <template v-if="selectedServer" #default>
           <div class="p-4 space-y-5">
             <!-- Containers -->
-            <div>
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-1 dd-text-muted">Containers</div>
+            <DetailField label="Containers">
               <div class="flex items-baseline gap-3 mt-1">
                 <span class="text-lg font-bold dd-text">{{ selectedServer.containers.total }}</span>
-                <span class="text-[0.6875rem] font-medium" :style="{ color: 'var(--dd-success)' }">
+                <span class="text-2xs-plus font-medium" :style="{ color: 'var(--dd-success)' }">
                   {{ selectedServer.containers.running }} running
                 </span>
                 <span v-if="selectedServer.containers.stopped > 0"
-                      class="text-[0.6875rem] font-medium" style="color: var(--dd-danger);">
+                      class="text-2xs-plus font-medium" style="color: var(--dd-danger);">
                   {{ selectedServer.containers.stopped }} stopped
                 </span>
               </div>
-            </div>
+            </DetailField>
 
             <!-- Images -->
-            <div>
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-1 dd-text-muted">Images</div>
-              <div class="text-xs font-mono dd-text">{{ selectedServer.images }}</div>
-            </div>
+            <DetailField label="Images" mono>{{ selectedServer.images }}</DetailField>
 
             <!-- Last Seen -->
-            <div>
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-1 dd-text-muted">Last Seen</div>
+            <DetailField label="Last Seen">
               <div class="text-xs font-medium"
                    :class="selectedServer.status === 'connected' ? 'dd-text' : 'dd-text-danger'">
                 {{ selectedServer.lastSeen }}
               </div>
-            </div>
+            </DetailField>
 
             <!-- Actions -->
             <div class="pt-2 flex gap-2"
                  :style="{ borderTop: '1px solid var(--dd-border)' }">
-              <button class="inline-flex items-center gap-1.5 px-3 py-1.5 dd-rounded text-[0.6875rem] font-semibold transition-colors dd-text-secondary hover:dd-text hover:dd-bg-elevated"
+              <AppButton size="none" variant="plain" weight="none" class="inline-flex items-center gap-1.5 px-3 py-1.5 dd-rounded text-2xs-plus font-semibold transition-colors dd-text-secondary hover:dd-text hover:dd-bg-elevated"
                       @click="fetchServers()">
                 <AppIcon name="restart" :size="11" />
                 Refresh
-              </button>
+              </AppButton>
             </div>
           </div>
         </template>
diff --git a/ui/src/views/TriggersView.vue b/ui/src/views/TriggersView.vue
index 2dac14ae1..f0f6437be 100644
--- a/ui/src/views/TriggersView.vue
+++ b/ui/src/views/TriggersView.vue
@@ -1,6 +1,8 @@
 <script setup lang="ts">
 import { computed, onMounted, ref, watch } from 'vue';
 import { useRoute } from 'vue-router';
+import AppBadge from '@/components/AppBadge.vue';
+import DetailField from '@/components/DetailField.vue';
 import { useBreakpoints } from '../composables/useBreakpoints';
 import { useViewMode } from '../preferences/useViewMode';
 import { getAllTriggers, getTrigger, runTrigger } from '../services/trigger';
@@ -187,12 +189,12 @@ onMounted(async () => {
 <template>
   <DataViewLayout>
     <div v-if="error"
-         class="mb-3 px-3 py-2 text-[0.6875rem] dd-rounded"
+         class="mb-3 px-3 py-2 text-2xs-plus dd-rounded"
          :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }">
       {{ error }}
     </div>
 
-    <div v-if="loading" class="text-[0.6875rem] dd-text-muted py-3 px-1">Loading triggers...</div>
+    <div v-if="loading" class="text-2xs-plus dd-text-muted py-3 px-1">Loading triggers...</div>
 
     <!-- Filter bar -->
     <DataFilterBar
@@ -206,12 +208,12 @@ onMounted(async () => {
         <input v-model="searchQuery"
                type="text"
                placeholder="Filter by name..."
-               class="flex-1 min-w-[120px] max-w-[240px] px-2.5 py-1.5 dd-rounded text-[0.6875rem] font-medium outline-none dd-bg dd-text dd-placeholder" />
-        <button v-if="searchQuery"
-                class="text-[0.625rem] dd-text-muted hover:dd-text transition-colors"
+               class="flex-1 min-w-[120px] max-w-[var(--dd-layout-filter-max-width)] px-2.5 py-1.5 dd-rounded text-2xs-plus font-medium outline-none dd-bg dd-text dd-placeholder" />
+        <AppButton size="none" variant="text-muted" weight="medium" class="text-2xs" v-if="searchQuery"
+                
                 @click="clearFilters">
           Clear
-        </button>
+        </AppButton>
       </template>
     </DataFilterBar>
 
@@ -228,21 +230,17 @@ onMounted(async () => {
         <span class="font-medium dd-text">{{ row.name }}</span>
       </template>
       <template #cell-type="{ row }">
-        <span class="badge text-[0.5625rem] uppercase font-bold"
-              :style="{ backgroundColor: triggerTypeBadge(row.type).bg, color: triggerTypeBadge(row.type).text }">
+        <AppBadge :custom="{ bg: triggerTypeBadge(row.type).bg, text: triggerTypeBadge(row.type).text }" size="xs">
           {{ triggerTypeBadge(row.type).label }}
-        </span>
+        </AppBadge>
       </template>
       <template #cell-status="{ row }">
         <AppIcon :name="row.status === 'active' ? 'check' : 'xmark'" :size="13" class="shrink-0 md:!hidden"
+                 v-tooltip.top="row.status === 'active' ? 'Active' : 'Inactive'"
                  :style="{ color: row.status === 'active' ? 'var(--dd-success)' : 'var(--dd-danger)' }" />
-        <span class="badge text-[0.5625rem] font-bold max-md:!hidden"
-              :style="{
-                backgroundColor: row.status === 'active' ? 'var(--dd-success-muted)' : 'var(--dd-danger-muted)',
-                color: row.status === 'active' ? 'var(--dd-success)' : 'var(--dd-danger)',
-              }">
+        <AppBadge :tone="row.status === 'active' ? 'success' : 'danger'" size="xs" class="max-md:!hidden">
           {{ row.status }}
-        </span>
+        </AppBadge>
       </template>
       <template #empty>
         <EmptyState icon="triggers" message="No triggers match your filters" show-clear @clear="clearFilters" />
@@ -260,18 +258,17 @@ onMounted(async () => {
       <template #card="{ item }">
         <div class="px-4 pt-4 pb-2 flex items-start justify-between">
           <div class="min-w-0">
-            <div class="text-[0.9375rem] font-semibold truncate dd-text">{{ item.name }}</div>
+            <div class="text-sm-plus font-semibold truncate dd-text">{{ item.name }}</div>
           </div>
-          <span class="badge text-[0.5625rem] uppercase font-bold shrink-0 ml-2"
-                :style="{ backgroundColor: triggerTypeBadge(item.type).bg, color: triggerTypeBadge(item.type).text }">
+          <AppBadge :custom="{ bg: triggerTypeBadge(item.type).bg, text: triggerTypeBadge(item.type).text }" size="xs" class="shrink-0 ml-2">
             {{ triggerTypeBadge(item.type).label }}
-          </span>
+          </AppBadge>
         </div>
         <div class="px-4 py-3">
-          <div class="grid grid-cols-1 gap-2 text-[0.6875rem]">
+          <div class="grid grid-cols-1 gap-2 text-2xs-plus">
             <div v-for="(val, key) in item.config" :key="key">
               <span class="dd-text-muted">{{ key }}</span>
-              <div class="font-semibold truncate dd-text font-mono text-[0.625rem]">{{ val }}</div>
+              <div class="font-semibold truncate dd-text font-mono text-2xs">{{ val }}</div>
             </div>
           </div>
         </div>
@@ -279,25 +276,23 @@ onMounted(async () => {
              :style="{ borderTop: '1px solid var(--dd-border)', backgroundColor: 'var(--dd-bg-elevated)' }">
           <div class="flex items-center justify-between">
             <AppIcon :name="item.status === 'active' ? 'check' : 'xmark'" :size="13" class="shrink-0 md:!hidden"
+                     v-tooltip.top="item.status === 'active' ? 'Active' : 'Inactive'"
                      :style="{ color: item.status === 'active' ? 'var(--dd-success)' : 'var(--dd-danger)' }" />
-            <span class="badge text-[0.5625rem] font-bold max-md:!hidden"
-                  :style="{
-                    backgroundColor: item.status === 'active' ? 'var(--dd-success-muted)' : 'var(--dd-danger-muted)',
-                    color: item.status === 'active' ? 'var(--dd-success)' : 'var(--dd-danger)',
-                  }">
+            <AppBadge :tone="item.status === 'active' ? 'success' : 'danger'" size="xs" class="max-md:!hidden">
               {{ item.status }}
-            </span>
-            <button class="inline-flex items-center gap-1 px-2 py-1 dd-rounded text-[0.625rem] font-bold transition-[color,background-color,border-color,opacity,transform,box-shadow] text-white"
+            </AppBadge>
+            <AppButton size="none" variant="plain" weight="none" class="inline-flex items-center gap-1 px-2 py-1 dd-rounded text-2xs font-bold transition-[color,background-color,border-color,opacity,transform,box-shadow] text-white"
                     :style="{ background: testResult?.id === item.id
                       ? (testResult.success ? 'var(--dd-success)' : 'var(--dd-danger)')
                       : 'linear-gradient(135deg, var(--dd-primary), var(--dd-info))' }"
                     :disabled="testingTrigger !== null"
                     @click.stop="testTrigger(item)">
-              <AppIcon :name="testingTrigger === item.id ? 'pending' : testResult?.id === item.id ? (testResult.success ? 'check' : 'xmark') : 'play'" :size="11" />
+              <AppIcon :name="testingTrigger === item.id ? 'pending' : testResult?.id === item.id ? (testResult.success ? 'check' : 'xmark') : 'play'" :size="11"
+                       v-tooltip.top="testingTrigger === item.id ? 'Testing...' : testResult?.id === item.id ? (testResult.success ? 'Test passed' : 'Test failed') : 'Run test'" />
               {{ testingTrigger === item.id ? 'Testing...' : testResult?.id === item.id ? (testResult.success ? 'Sent!' : 'Failed') : 'Test' }}
-            </button>
+            </AppButton>
           </div>
-          <p v-if="testError?.id === item.id" class="mt-2 text-[0.625rem] break-words" style="color: var(--dd-danger);">
+          <p v-if="testError?.id === item.id" class="mt-2 text-2xs break-words" style="color: var(--dd-danger);">
             {{ testError.message }}
           </p>
         </div>
@@ -315,38 +310,30 @@ onMounted(async () => {
       <template #header="{ item }">
         <AppIcon name="triggers" :size="14" class="dd-text-secondary" />
         <span class="text-sm font-semibold flex-1 min-w-0 truncate dd-text">{{ item.name }}</span>
-        <span class="badge text-[0.5625rem] uppercase font-bold shrink-0"
-              :style="{ backgroundColor: triggerTypeBadge(item.type).bg, color: triggerTypeBadge(item.type).text }">
+        <AppBadge :custom="{ bg: triggerTypeBadge(item.type).bg, text: triggerTypeBadge(item.type).text }" size="xs" class="shrink-0">
           {{ triggerTypeBadge(item.type).label }}
-        </span>
+        </AppBadge>
       </template>
       <template #details="{ item }">
         <div class="grid grid-cols-1 sm:grid-cols-2 gap-x-8 gap-y-3 mt-2">
-          <div v-for="(val, key) in item.config" :key="key">
-            <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-0.5 dd-text-muted">{{ key }}</div>
-            <div class="text-xs font-mono dd-text">{{ val }}</div>
-          </div>
-          <div>
-            <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-0.5 dd-text-muted">Status</div>
-            <span class="badge text-[0.625rem] font-semibold"
-                  :style="{
-                    backgroundColor: item.status === 'active' ? 'var(--dd-success-muted)' : 'var(--dd-danger-muted)',
-                    color: item.status === 'active' ? 'var(--dd-success)' : 'var(--dd-danger)',
-                  }">{{ item.status }}</span>
-          </div>
+          <DetailField v-for="(val, key) in item.config" :key="key" :label="String(key)" compact mono>{{ val }}</DetailField>
+          <DetailField label="Status" compact>
+            <AppBadge :tone="item.status === 'active' ? 'success' : 'danger'" size="sm">{{ item.status }}</AppBadge>
+          </DetailField>
         </div>
         <div class="mt-4 pt-3" :style="{ borderTop: '1px solid var(--dd-border)' }">
-          <button class="inline-flex items-center gap-1.5 px-3 py-1.5 dd-rounded text-[0.6875rem] font-bold tracking-wide transition-[color,background-color,border-color,opacity,transform,box-shadow] text-white"
+          <AppButton size="none" variant="plain" weight="none" class="inline-flex items-center gap-1.5 px-3 py-1.5 dd-rounded text-2xs-plus font-bold tracking-wide transition-[color,background-color,border-color,opacity,transform,box-shadow] text-white"
                   :style="{ background: testResult?.id === item.id
                     ? (testResult.success ? 'var(--dd-success)' : 'var(--dd-danger)')
-                    : 'linear-gradient(135deg, var(--dd-primary), var(--dd-info))',
-                    boxShadow: '0 1px 3px rgba(0,150,199,0.3)' }"
+                      : 'linear-gradient(135deg, var(--dd-primary), var(--dd-info))',
+                    boxShadow: 'var(--dd-shadow-sm)' }"
                   :disabled="testingTrigger !== null"
                   @click.stop="testTrigger(item)">
-            <AppIcon :name="testingTrigger === item.id ? 'pending' : testResult?.id === item.id ? (testResult.success ? 'check' : 'xmark') : 'play'" :size="10" />
+            <AppIcon :name="testingTrigger === item.id ? 'pending' : testResult?.id === item.id ? (testResult.success ? 'check' : 'xmark') : 'play'" :size="10"
+                     v-tooltip.top="testingTrigger === item.id ? 'Testing...' : testResult?.id === item.id ? (testResult.success ? 'Test passed' : 'Test failed') : 'Run test'" />
             {{ testingTrigger === item.id ? 'Testing...' : testResult?.id === item.id ? (testResult.success ? 'Sent!' : 'Failed') : 'Test' }}
-          </button>
-          <p v-if="testError?.id === item.id" class="mt-2 text-[0.625rem] break-words" style="color: var(--dd-danger);">
+          </AppButton>
+          <p v-if="testError?.id === item.id" class="mt-2 text-2xs break-words" style="color: var(--dd-danger);">
             {{ testError.message }}
           </p>
         </div>
@@ -373,54 +360,47 @@ onMounted(async () => {
         <template #header>
           <div class="flex items-center gap-2.5 min-w-0">
             <span class="text-sm font-bold truncate dd-text">{{ selectedTrigger?.name }}</span>
-            <span v-if="selectedTrigger" class="badge text-[0.5625rem] uppercase font-bold shrink-0"
-                  :style="{ backgroundColor: triggerTypeBadge(selectedTrigger.type).bg, color: triggerTypeBadge(selectedTrigger.type).text }">
+            <AppBadge v-if="selectedTrigger" :custom="{ bg: triggerTypeBadge(selectedTrigger.type).bg, text: triggerTypeBadge(selectedTrigger.type).text }" size="xs" class="shrink-0">
               {{ triggerTypeBadge(selectedTrigger.type).label }}
-            </span>
+            </AppBadge>
           </div>
         </template>
 
         <template #subtitle>
-          <span v-if="selectedTrigger" class="badge text-[0.5625rem] font-bold"
-                :style="{
-                  backgroundColor: selectedTrigger.status === 'active' ? 'var(--dd-success-muted)' : 'var(--dd-danger-muted)',
-                  color: selectedTrigger.status === 'active' ? 'var(--dd-success)' : 'var(--dd-danger)',
-                }">
+          <AppBadge v-if="selectedTrigger" :tone="selectedTrigger.status === 'active' ? 'success' : 'danger'" size="xs">
             {{ selectedTrigger.status }}
-          </span>
+          </AppBadge>
         </template>
 
         <template v-if="selectedTrigger" #default>
           <div class="p-4 space-y-5">
-            <div v-if="detailLoading" class="text-[0.6875rem] dd-text-muted">Refreshing trigger details...</div>
+            <div v-if="detailLoading" class="text-2xs-plus dd-text-muted">Refreshing trigger details...</div>
             <div v-if="detailError"
-                 class="px-3 py-2 text-[0.6875rem] dd-rounded"
+                 class="px-3 py-2 text-2xs-plus dd-rounded"
                  :style="{ backgroundColor: 'var(--dd-warning-muted)', color: 'var(--dd-warning)' }">
               {{ detailError }}
             </div>
 
-            <div v-for="(val, key) in selectedTrigger.config" :key="key">
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-1 dd-text-muted">{{ key }}</div>
-              <div class="text-xs font-mono dd-text break-all">{{ val }}</div>
-            </div>
+            <DetailField v-for="(val, key) in selectedTrigger.config" :key="key" :label="String(key)" mono>{{ val }}</DetailField>
             <div v-if="Object.keys(selectedTrigger.config).length === 0">
-              <div class="text-[0.6875rem] dd-text-muted">No configuration properties</div>
+              <div class="text-2xs-plus dd-text-muted">No configuration properties</div>
             </div>
 
             <!-- Test trigger button -->
             <div class="pt-2" :style="{ borderTop: '1px solid var(--dd-border)' }">
-              <button class="inline-flex items-center gap-1.5 px-3 py-1.5 dd-rounded text-[0.6875rem] font-bold tracking-wide transition-[color,background-color,border-color,opacity,transform,box-shadow] text-white"
+              <AppButton size="none" variant="plain" weight="none" class="inline-flex items-center gap-1.5 px-3 py-1.5 dd-rounded text-2xs-plus font-bold tracking-wide transition-[color,background-color,border-color,opacity,transform,box-shadow] text-white"
                       :style="{ background: testResult?.id === selectedTrigger.id
                         ? (testResult.success ? 'var(--dd-success)' : 'var(--dd-danger)')
                         : 'linear-gradient(135deg, var(--dd-primary), var(--dd-info))',
-                        boxShadow: '0 1px 3px rgba(0,150,199,0.3)' }"
+                        boxShadow: 'var(--dd-shadow-sm)' }"
                       :disabled="testingTrigger !== null"
                       @click.stop="testTrigger(selectedTrigger)">
-                <AppIcon :name="testingTrigger === selectedTrigger.id ? 'pending' : testResult?.id === selectedTrigger.id ? (testResult.success ? 'check' : 'xmark') : 'play'" :size="11" />
+                <AppIcon :name="testingTrigger === selectedTrigger.id ? 'pending' : testResult?.id === selectedTrigger.id ? (testResult.success ? 'check' : 'xmark') : 'play'" :size="11"
+                         v-tooltip.top="testingTrigger === selectedTrigger.id ? 'Testing...' : testResult?.id === selectedTrigger.id ? (testResult.success ? 'Test passed' : 'Test failed') : 'Run test'" />
                 {{ testingTrigger === selectedTrigger.id ? 'Testing...' : testResult?.id === selectedTrigger.id ? (testResult.success ? 'Sent!' : 'Failed') : 'Test Trigger' }}
-              </button>
+              </AppButton>
               <p v-if="testError?.id === selectedTrigger.id"
-                 class="mt-2 text-[0.625rem] break-words"
+                 class="mt-2 text-2xs break-words"
                  style="color: var(--dd-danger);">
                 {{ testError.message }}
               </p>
diff --git a/ui/src/views/WatchersView.vue b/ui/src/views/WatchersView.vue
index 5c89ccb0b..7b16d599f 100644
--- a/ui/src/views/WatchersView.vue
+++ b/ui/src/views/WatchersView.vue
@@ -1,14 +1,26 @@
 <script setup lang="ts">
 import { computed, onMounted, ref, watch } from 'vue';
-import { useRoute } from 'vue-router';
+import { useRoute, useRouter } from 'vue-router';
+import AppBadge from '@/components/AppBadge.vue';
+import DetailField from '@/components/DetailField.vue';
+import StatusDot from '@/components/StatusDot.vue';
 import { useBreakpoints } from '../composables/useBreakpoints';
 import { useViewMode } from '../preferences/useViewMode';
 import { getAllContainers } from '../services/container';
 import { getAllWatchers, getWatcher } from '../services/watcher';
 import type { ApiComponent } from '../types/api';
+import { ROUTES } from '../router/routes';
+import { timeAgo } from '../utils/audit-helpers';
+
+function watcherServerName(name: unknown): string {
+  const s = String(name || '');
+  if (s === 'local') return 'Local';
+  return s.charAt(0).toUpperCase() + s.slice(1);
+}
 
 const { isMobile } = useBreakpoints();
 const route = useRoute();
+const router = useRouter();
 const watchersViewMode = useViewMode('watchers');
 const selectedWatcher = ref<Record<string, unknown> | null>(null);
 const detailOpen = ref(false);
@@ -65,7 +77,7 @@ function mapWatcher(watcher: ApiComponent, status = 'watching') {
     status,
     containers: containerCounts.value[watcher.name] ?? 0,
     cron: watcher.configuration?.cron ?? '',
-    lastRun: '\u2014',
+    lastRun: watcher.metadata?.lastRunAt ? timeAgo(String(watcher.metadata.lastRunAt)) : '\u2014',
     config: Object.fromEntries(
       Object.entries(watcher.configuration ?? {}).sort(([a], [b]) => a.localeCompare(b)),
     ),
@@ -138,12 +150,12 @@ onMounted(async () => {
 <template>
   <DataViewLayout>
     <div v-if="error"
-         class="mb-3 px-3 py-2 text-[0.6875rem] dd-rounded"
+         class="mb-3 px-3 py-2 text-2xs-plus dd-rounded"
          :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }">
       {{ error }}
     </div>
 
-    <div v-if="loading" class="text-[0.6875rem] dd-text-muted py-3 px-1">Loading watchers...</div>
+    <div v-if="loading" class="text-2xs-plus dd-text-muted py-3 px-1">Loading watchers...</div>
 
     <!-- Filter bar -->
     <DataFilterBar
@@ -157,12 +169,12 @@ onMounted(async () => {
         <input v-model="searchQuery"
                type="text"
                placeholder="Filter by name..."
-               class="flex-1 min-w-[120px] max-w-[240px] px-2.5 py-1.5 dd-rounded text-[0.6875rem] font-medium outline-none dd-bg dd-text dd-placeholder" />
-        <button v-if="searchQuery"
-                class="text-[0.625rem] dd-text-muted hover:dd-text transition-colors"
+               class="flex-1 min-w-[120px] max-w-[var(--dd-layout-filter-max-width)] px-2.5 py-1.5 dd-rounded text-2xs-plus font-medium outline-none dd-bg dd-text dd-placeholder" />
+        <AppButton size="none" variant="text-muted" weight="medium" class="text-2xs" v-if="searchQuery"
+                
                 @click="searchQuery = ''">
           Clear
-        </button>
+        </AppButton>
       </template>
     </DataFilterBar>
 
@@ -177,27 +189,23 @@ onMounted(async () => {
     >
       <template #cell-name="{ row }">
         <div class="flex items-center gap-2">
-          <div class="w-2 h-2 rounded-full shrink-0"
-               :style="{ backgroundColor: watcherStatusColor(row.status) }" />
+          <StatusDot :color="watcherStatusColor(row.status)" v-tooltip.top="row.status === 'watching' ? 'Watching' : 'Paused'" />
           <span class="font-medium dd-text">{{ row.name }}</span>
         </div>
       </template>
       <template #cell-status="{ row }">
         <AppIcon :name="row.status === 'watching' ? 'watchers' : 'pause'" :size="13" class="shrink-0 md:!hidden"
+                 v-tooltip.top="row.status === 'watching' ? 'Watching' : 'Paused'"
                  :style="{ color: watcherStatusColor(row.status) }" />
-        <span class="badge text-[0.5625rem] font-bold max-md:!hidden"
-              :style="{
-                backgroundColor: row.status === 'watching' ? 'var(--dd-success-muted)' : 'var(--dd-warning-muted)',
-                color: row.status === 'watching' ? 'var(--dd-success)' : 'var(--dd-warning)',
-              }">
+        <AppBadge :tone="row.status === 'watching' ? 'success' : 'warning'" size="xs" class="max-md:!hidden">
           {{ row.status }}
-        </span>
+        </AppBadge>
       </template>
       <template #cell-containers="{ row }">
         <span class="dd-text-secondary">{{ row.containers }}</span>
       </template>
       <template #cell-cron="{ row }">
-        <span class="font-mono text-[0.625rem] dd-text-secondary">{{ row.cron }}</span>
+        <span class="font-mono text-2xs dd-text-secondary">{{ row.cron }}</span>
       </template>
       <template #cell-lastRun="{ row }">
         <span class="dd-text-muted">{{ row.lastRun }}</span>
@@ -215,25 +223,21 @@ onMounted(async () => {
       <template #card="{ item: watcher }">
         <div class="px-4 pt-4 pb-2 flex items-start justify-between">
           <div class="flex items-center gap-2.5 min-w-0">
-            <div class="w-2.5 h-2.5 rounded-full shrink-0 mt-1"
-                 :style="{ backgroundColor: watcherStatusColor(watcher.status) }" />
+            <StatusDot :color="watcherStatusColor(watcher.status)" size="lg" class="mt-1" v-tooltip.top="watcher.status === 'watching' ? 'Watching' : 'Paused'" />
             <div class="min-w-0">
-              <div class="text-[0.9375rem] font-semibold truncate dd-text">{{ watcher.name }}</div>
-              <div class="text-[0.6875rem] truncate mt-0.5 dd-text-muted font-mono">{{ watcher.cron }}</div>
+              <div class="text-sm-plus font-semibold truncate dd-text">{{ watcher.name }}</div>
+              <div class="text-2xs-plus truncate mt-0.5 dd-text-muted font-mono">{{ watcher.cron }}</div>
             </div>
           </div>
           <AppIcon :name="watcher.status === 'watching' ? 'watchers' : 'pause'" :size="13" class="shrink-0 ml-2 md:!hidden"
+                   v-tooltip.top="watcher.status === 'watching' ? 'Watching' : 'Paused'"
                    :style="{ color: watcherStatusColor(watcher.status) }" />
-          <span class="badge text-[0.5625rem] uppercase font-bold shrink-0 ml-2 max-md:!hidden"
-                :style="{
-                  backgroundColor: watcher.status === 'watching' ? 'var(--dd-success-muted)' : 'var(--dd-warning-muted)',
-                  color: watcher.status === 'watching' ? 'var(--dd-success)' : 'var(--dd-warning)',
-                }">
+          <AppBadge :tone="watcher.status === 'watching' ? 'success' : 'warning'" size="xs" class="shrink-0 ml-2 max-md:!hidden">
             {{ watcher.status }}
-          </span>
+          </AppBadge>
         </div>
         <div class="px-4 py-3">
-          <div class="grid grid-cols-2 gap-2 text-[0.6875rem]">
+          <div class="grid grid-cols-2 gap-2 text-2xs-plus">
             <div>
               <span class="dd-text-muted">Containers</span>
               <span class="ml-1 font-semibold dd-text">{{ watcher.containers }}</span>
@@ -246,7 +250,7 @@ onMounted(async () => {
         </div>
         <div class="px-4 py-2.5 mt-auto"
              :style="{ borderTop: '1px solid var(--dd-border)', backgroundColor: 'var(--dd-bg-elevated)' }">
-          <span class="text-[0.625rem] dd-text-muted">{{ watcher.containers }} containers watched</span>
+          <span class="text-2xs dd-text-muted">{{ watcher.containers }} containers watched</span>
         </div>
       </template>
     </DataCardGrid>
@@ -260,43 +264,25 @@ onMounted(async () => {
       @item-click="openDetail($event)"
     >
       <template #header="{ item: watcher }">
-        <div class="w-2.5 h-2.5 rounded-full shrink-0"
-             :style="{ backgroundColor: watcherStatusColor(watcher.status) }" />
+        <StatusDot :color="watcherStatusColor(watcher.status)" size="lg" v-tooltip.top="watcher.status === 'watching' ? 'Watching' : 'Paused'" />
         <AppIcon name="watchers" :size="14" class="dd-text-secondary" />
         <span class="text-sm font-semibold flex-1 min-w-0 truncate dd-text">{{ watcher.name }}</span>
         <AppIcon :name="watcher.status === 'watching' ? 'watchers' : 'pause'" :size="13" class="shrink-0 md:!hidden"
+                 v-tooltip.top="watcher.status === 'watching' ? 'Watching' : 'Paused'"
                  :style="{ color: watcherStatusColor(watcher.status) }" />
-        <span class="badge text-[0.5625rem] uppercase font-bold shrink-0 max-md:!hidden"
-              :style="{
-                backgroundColor: watcher.status === 'watching' ? 'var(--dd-success-muted)' : 'var(--dd-warning-muted)',
-                color: watcher.status === 'watching' ? 'var(--dd-success)' : 'var(--dd-warning)',
-              }">
+        <AppBadge :tone="watcher.status === 'watching' ? 'success' : 'warning'" size="xs" class="shrink-0 max-md:!hidden">
           {{ watcher.status }}
-        </span>
-        <span v-if="watcher.config.maintenanceWindow"
-              class="badge text-[0.5625rem] uppercase font-bold shrink-0"
-              :style="{ backgroundColor: 'var(--dd-alt-muted)', color: 'var(--dd-alt)' }">
+        </AppBadge>
+        <AppBadge v-if="watcher.config.maintenanceWindow" tone="alt" size="xs" class="shrink-0">
           Maint
-        </span>
+        </AppBadge>
       </template>
       <template #details="{ item: watcher }">
         <div class="grid grid-cols-1 sm:grid-cols-2 gap-x-8 gap-y-3 mt-2">
-          <div>
-            <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-0.5 dd-text-muted">Cron</div>
-            <div class="text-xs font-mono dd-text">{{ watcher.cron }}</div>
-          </div>
-          <div>
-            <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-0.5 dd-text-muted">Last Run</div>
-            <div class="text-xs font-mono dd-text">{{ watcher.lastRun }}</div>
-          </div>
-          <div>
-            <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-0.5 dd-text-muted">Containers Watched</div>
-            <div class="text-xs font-mono dd-text">{{ watcher.containers }}</div>
-          </div>
-          <div v-for="(val, key) in watcher.config" :key="key">
-            <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-0.5 dd-text-muted">{{ key }}</div>
-            <div class="text-xs font-mono dd-text">{{ val }}</div>
-          </div>
+          <DetailField label="Cron" compact mono>{{ watcher.cron }}</DetailField>
+          <DetailField label="Last Run" compact mono>{{ watcher.lastRun }}</DetailField>
+          <DetailField label="Containers Watched" compact mono>{{ watcher.containers }}</DetailField>
+          <DetailField v-for="(val, key) in watcher.config" :key="key" :label="String(key)" compact mono>{{ val }}</DetailField>
         </div>
       </template>
     </DataListAccordion>
@@ -321,45 +307,41 @@ onMounted(async () => {
         <template #header>
           <div class="flex items-center gap-2.5 min-w-0">
             <span class="text-sm font-bold truncate dd-text">{{ selectedWatcher?.name }}</span>
-            <span v-if="selectedWatcher" class="badge text-[0.5625rem] font-bold shrink-0"
-                  :style="{
-                    backgroundColor: selectedWatcher.status === 'watching' ? 'var(--dd-success-muted)' : 'var(--dd-warning-muted)',
-                    color: selectedWatcher.status === 'watching' ? 'var(--dd-success)' : 'var(--dd-warning)',
-                  }">
+            <AppBadge v-if="selectedWatcher" :tone="selectedWatcher.status === 'watching' ? 'success' : 'warning'" size="xs" class="shrink-0">
               {{ selectedWatcher.status }}
-            </span>
+            </AppBadge>
           </div>
         </template>
 
         <template #subtitle>
-          <span class="text-[0.6875rem] font-mono dd-text-secondary">{{ selectedWatcher?.type }}</span>
+          <span class="text-2xs-plus font-mono dd-text-secondary">{{ selectedWatcher?.type }}</span>
         </template>
 
         <template v-if="selectedWatcher" #default>
           <div class="p-4 space-y-5">
-            <div v-if="detailLoading" class="text-[0.6875rem] dd-text-muted">Refreshing watcher details...</div>
+            <div v-if="detailLoading" class="text-2xs-plus dd-text-muted">Refreshing watcher details...</div>
             <div v-if="detailError"
-                 class="px-3 py-2 text-[0.6875rem] dd-rounded"
+                 class="px-3 py-2 text-2xs-plus dd-rounded"
                  :style="{ backgroundColor: 'var(--dd-warning-muted)', color: 'var(--dd-warning)' }">
               {{ detailError }}
             </div>
 
-            <div>
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-1 dd-text-muted">Containers</div>
+            <DetailField label="Containers">
               <div class="text-lg font-bold dd-text">{{ selectedWatcher.containers }}</div>
-            </div>
-            <div>
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-1 dd-text-muted">Schedule</div>
-              <div class="text-xs font-mono dd-text">{{ selectedWatcher.cron || '\u2014' }}</div>
-            </div>
-            <div>
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-1 dd-text-muted">Last Run</div>
-              <div class="text-xs dd-text">{{ selectedWatcher.lastRun }}</div>
-            </div>
-            <div v-for="(val, key) in selectedWatcher.config" :key="key">
-              <div class="text-[0.625rem] font-semibold uppercase tracking-wider mb-1 dd-text-muted">{{ key }}</div>
-              <div class="text-xs font-mono dd-text break-all">{{ val }}</div>
-            </div>
+              <AppButton
+                v-if="selectedWatcher.containers > 0"
+                size="none"
+                variant="plain"
+                weight="none"
+                class="mt-1 inline-flex items-center gap-1 text-2xs-plus font-medium transition-colors text-drydock-secondary hover:text-drydock-secondary-hover"
+                @click="router.push({ path: ROUTES.CONTAINERS, query: { filterServer: watcherServerName(selectedWatcher.name) } })">
+                <AppIcon name="arrow-right" :size="10" />
+                View containers
+              </AppButton>
+            </DetailField>
+            <DetailField label="Schedule" mono>{{ selectedWatcher.cron || '\u2014' }}</DetailField>
+            <DetailField label="Last Run">{{ selectedWatcher.lastRun }}</DetailField>
+            <DetailField v-for="(val, key) in selectedWatcher.config" :key="key" :label="String(key)" mono>{{ val }}</DetailField>
           </div>
         </template>
       </DetailPanel>
diff --git a/ui/src/views/containers/loadContainerDetailListState.ts b/ui/src/views/containers/loadContainerDetailListState.ts
new file mode 100644
index 000000000..deb661b19
--- /dev/null
+++ b/ui/src/views/containers/loadContainerDetailListState.ts
@@ -0,0 +1,27 @@
+import type { Ref } from 'vue';
+import { errorMessage } from '../../utils/error';
+
+export async function loadContainerDetailListState(args: {
+  containerId: string | undefined;
+  loading: Ref<boolean>;
+  error: Ref<string | null>;
+  value: Ref<Record<string, unknown>[]>;
+  loader: (containerId: string) => Promise<unknown[]>;
+  failureMessage: string;
+}) {
+  if (!args.containerId) {
+    args.value.value = [];
+    return;
+  }
+
+  args.loading.value = true;
+  args.error.value = null;
+  try {
+    args.value.value = (await args.loader(args.containerId)) as Record<string, unknown>[];
+  } catch (e: unknown) {
+    args.value.value = [];
+    args.error.value = errorMessage(e, args.failureMessage);
+  } finally {
+    args.loading.value = false;
+  }
+}
diff --git a/ui/src/views/containers/useContainerActions.ts b/ui/src/views/containers/useContainerActions.ts
index ec88073c5..2309a63b9 100644
--- a/ui/src/views/containers/useContainerActions.ts
+++ b/ui/src/views/containers/useContainerActions.ts
@@ -1,6 +1,7 @@
 import { computed, onUnmounted, type Ref, ref, watch } from 'vue';
 import { useConfirmDialog } from '../../composables/useConfirmDialog';
 import { useServerFeatures } from '../../composables/useServerFeatures';
+import { useToast } from '../../composables/useToast';
 import {
   deleteContainer as apiDeleteContainer,
   scanContainer as apiScanContainer,
@@ -43,8 +44,9 @@ async function executeContainerActionState(args: {
   containerActionsEnabled: boolean;
   containerActionsDisabledReason: string;
   containerIdMap: Record<string, string>;
+  containerId?: string;
   name: string;
-  actionInProgress: Ref<string | null>;
+  actionInProgress: Ref<Set<string>>;
   inputError: Ref<string | null>;
   containers: Readonly<Ref<Container[]>>;
   action: (id: string) => Promise<unknown>;
@@ -55,16 +57,19 @@ async function executeContainerActionState(args: {
   selectedContainerName: string | undefined;
   activeDetailTab: string;
   refreshActionTabData: () => Promise<void>;
+  successMessage?: string;
 }): Promise<boolean> {
   if (!args.containerActionsEnabled) {
     args.inputError.value = args.containerActionsDisabledReason;
     return false;
   }
-  const containerId = args.containerIdMap[args.name];
-  if (!containerId || args.actionInProgress.value) {
+  const containerId = args.containerId ?? args.containerIdMap[args.name];
+  if (!containerId || args.actionInProgress.value.has(args.name)) {
     return false;
   }
-  args.actionInProgress.value = args.name;
+  const next = new Set(args.actionInProgress.value);
+  next.add(args.name);
+  args.actionInProgress.value = next;
   args.inputError.value = null;
   const shouldReloadContainers = args.reloadContainers ?? true;
   const snapshot = args.containers.value.find((container) => container.name === args.name);
@@ -81,12 +86,24 @@ async function executeContainerActionState(args: {
     if (args.selectedContainerName === args.name && args.activeDetailTab === 'actions') {
       await args.refreshActionTabData();
     }
+    if (args.successMessage) {
+      const toast = useToast();
+      toast.success(args.successMessage);
+    }
     return true;
   } catch (e: unknown) {
-    args.inputError.value = errorMessage(e, `Action failed for ${args.name}`);
+    const msg = errorMessage(e, `Action failed for ${args.name}`);
+    args.inputError.value = msg;
+    const toast = useToast();
+    toast.error(`Update failed: ${args.name}`, msg);
+    if (shouldReloadContainers) {
+      await args.loadContainers();
+    }
     return false;
   } finally {
-    args.actionInProgress.value = null;
+    const next = new Set(args.actionInProgress.value);
+    next.delete(args.name);
+    args.actionInProgress.value = next;
   }
 }
 
@@ -107,13 +124,15 @@ function setGroupUpdateStateValue(
 async function updateAllInGroupState(args: {
   containerActionsEnabled: boolean;
   containerActionsDisabledReason: string;
+  containerIdMap: Record<string, string>;
+  containers: Readonly<Ref<Container[]>>;
   inputError: Ref<string | null>;
   groupUpdateInProgress: Ref<Set<string>>;
   group: ContainerActionGroup;
   executeAction: (
     name: string,
     action: (id: string) => Promise<unknown>,
-    options?: { reloadContainers?: boolean },
+    options?: { containerId?: string; reloadContainers?: boolean; successMessage?: string },
   ) => Promise<boolean>;
   loadContainers: () => Promise<void>;
 }) {
@@ -127,22 +146,46 @@ async function updateAllInGroupState(args: {
   const updatableContainers = args.group.containers.filter((container) => {
     return container.newTag && container.bouncer !== 'blocked';
   });
-  if (updatableContainers.length === 0) {
+  const frozenUpdateTargets = updatableContainers
+    .map((container) => ({
+      name: container.name,
+      containerId: args.containerIdMap[container.name],
+    }))
+    .filter(
+      (
+        target,
+      ): target is {
+        name: string;
+        containerId: string;
+      } => typeof target.containerId === 'string' && target.containerId.length > 0,
+    );
+  if (frozenUpdateTargets.length === 0) {
     return;
   }
   setGroupUpdateStateValue(args.groupUpdateInProgress, args.group.key, true);
   try {
     let updatedAny = false;
-    for (const container of updatableContainers) {
-      const updated = await args.executeAction(container.name, apiUpdateContainer, {
+    for (const target of frozenUpdateTargets) {
+      const currentContainer = args.containers.value.find(
+        (container) => container.id === target.containerId,
+      );
+      if (!currentContainer || currentContainer.name !== target.name) {
+        continue;
+      }
+
+      const updated = await args.executeAction(target.name, apiUpdateContainer, {
+        containerId: target.containerId,
         reloadContainers: false,
       });
       if (updated) {
         updatedAny = true;
       }
     }
+    await args.loadContainers();
     if (updatedAny) {
-      await args.loadContainers();
+      const toast = useToast();
+      const count = frozenUpdateTargets.length;
+      toast.success(`Updated ${count} container${count === 1 ? '' : 's'} in ${args.group.key}`);
     }
   } finally {
     setGroupUpdateStateValue(args.groupUpdateInProgress, args.group.key, false);
@@ -154,7 +197,7 @@ async function deleteContainerState(args: {
   containerActionsDisabledReason: string;
   containerIdMap: Record<string, string>;
   name: string;
-  actionInProgress: Ref<string | null>;
+  actionInProgress: Ref<Set<string>>;
   inputError: Ref<string | null>;
   skippedUpdates: Ref<Set<string>>;
   selectedContainerName: string | undefined;
@@ -167,10 +210,12 @@ async function deleteContainerState(args: {
     return false;
   }
   const containerId = args.containerIdMap[args.name];
-  if (!containerId || args.actionInProgress.value) {
+  if (!containerId || args.actionInProgress.value.has(args.name)) {
     return false;
   }
-  args.actionInProgress.value = args.name;
+  const next = new Set(args.actionInProgress.value);
+  next.add(args.name);
+  args.actionInProgress.value = next;
   try {
     await apiDeleteContainer(containerId);
     args.skippedUpdates.value.delete(args.name);
@@ -179,12 +224,19 @@ async function deleteContainerState(args: {
       args.closePanel();
     }
     await args.loadContainers();
+    const toast = useToast();
+    toast.success(`Deleted: ${args.name}`);
     return true;
   } catch (e: unknown) {
-    args.inputError.value = errorMessage(e, `Failed to delete ${args.name}`);
+    const msg = errorMessage(e, `Failed to delete ${args.name}`);
+    args.inputError.value = msg;
+    const toast = useToast();
+    toast.error(`Delete failed: ${args.name}`, msg);
     return false;
   } finally {
-    args.actionInProgress.value = null;
+    const next = new Set(args.actionInProgress.value);
+    next.delete(args.name);
+    args.actionInProgress.value = next;
   }
 }
 
@@ -270,10 +322,11 @@ function createConfirmHandlers(args: {
   executeAction: (
     name: string,
     action: (id: string) => Promise<unknown>,
-    options?: { reloadContainers?: boolean },
+    options?: { containerId?: string; reloadContainers?: boolean; successMessage?: string },
   ) => Promise<boolean>;
   forceUpdate: (name: string) => Promise<void>;
   deleteContainer: (name: string) => Promise<boolean>;
+  clearPolicySelected: () => Promise<void>;
   selectedContainer: Readonly<Ref<Container | null | undefined>>;
   rollbackToBackup: (backupId?: string) => Promise<void>;
 }) {
@@ -284,7 +337,10 @@ function createConfirmHandlers(args: {
       rejectLabel: 'Cancel',
       acceptLabel: 'Stop',
       severity: 'danger',
-      accept: () => args.executeAction(name, apiStopContainer) as unknown as Promise<void>,
+      accept: () =>
+        args.executeAction(name, apiStopContainer, {
+          successMessage: `Stopped: ${name}`,
+        }) as unknown as Promise<void>,
     });
   }
 
@@ -295,7 +351,10 @@ function createConfirmHandlers(args: {
       rejectLabel: 'Cancel',
       acceptLabel: 'Restart',
       severity: 'warn',
-      accept: () => args.executeAction(name, apiRestartContainer) as unknown as Promise<void>,
+      accept: () =>
+        args.executeAction(name, apiRestartContainer, {
+          successMessage: `Restarted: ${name}`,
+        }) as unknown as Promise<void>,
     });
   }
 
@@ -311,13 +370,27 @@ function createConfirmHandlers(args: {
   }
 
   function confirmUpdate(name: string) {
+    const container = args.selectedContainer.value;
+    let message = `Update ${name} now? This will apply the latest discovered image.`;
+    if (container && container.currentTag && container.newTag) {
+      const isTagChange = container.updateKind !== 'digest';
+      if (isTagChange) {
+        const kind = container.updateKind ? ` (${container.updateKind})` : '';
+        message = `Update ${name}? This will change the image tag from :${container.currentTag} to :${container.newTag}${kind}.`;
+      } else {
+        message = `Update ${name}? A newer build of :${container.currentTag} is available (digest change).`;
+      }
+    }
     args.confirm.require({
       header: 'Update Container',
-      message: `Update ${name} now? This will apply the latest discovered image.`,
+      message,
       rejectLabel: 'Cancel',
       acceptLabel: 'Update',
       severity: 'warn',
-      accept: () => args.executeAction(name, apiUpdateContainer) as unknown as Promise<void>,
+      accept: () =>
+        args.executeAction(name, apiUpdateContainer, {
+          successMessage: `Updated: ${name}`,
+        }) as unknown as Promise<void>,
     });
   }
 
@@ -332,6 +405,21 @@ function createConfirmHandlers(args: {
     });
   }
 
+  function confirmClearPolicy() {
+    const containerName = args.selectedContainer.value?.name;
+    if (!containerName) {
+      return;
+    }
+    args.confirm.require({
+      header: 'Clear Update Policy',
+      message: `Clear all update policy for ${containerName}? This removes skips, snooze, and maturity settings.`,
+      rejectLabel: 'Cancel',
+      acceptLabel: 'Clear Policy',
+      severity: 'warn',
+      accept: () => args.clearPolicySelected(),
+    });
+  }
+
   function confirmRollback(backupId?: string) {
     const containerName = args.selectedContainer.value?.name;
     if (!containerName) {
@@ -349,6 +437,7 @@ function createConfirmHandlers(args: {
   }
 
   return {
+    confirmClearPolicy,
     confirmDelete,
     confirmForceUpdate,
     confirmRestart,
@@ -362,7 +451,7 @@ function createContainerActionHandlers(args: {
   executeAction: (
     name: string,
     action: (id: string) => Promise<unknown>,
-    options?: { reloadContainers?: boolean },
+    options?: { containerId?: string; reloadContainers?: boolean; successMessage?: string },
   ) => Promise<boolean>;
   applyPolicy: (
     name: string,
@@ -376,15 +465,17 @@ function createContainerActionHandlers(args: {
   refreshActionTabData: () => Promise<void>;
 }) {
   async function startContainer(name: string) {
-    await args.executeAction(name, apiStartContainer);
+    await args.executeAction(name, apiStartContainer, { successMessage: `Started: ${name}` });
   }
 
   async function updateContainer(name: string) {
-    await args.executeAction(name, apiUpdateContainer);
+    await args.executeAction(name, apiUpdateContainer, { successMessage: `Updated: ${name}` });
   }
 
   async function scanContainer(name: string) {
-    await args.executeAction(name, apiScanContainer);
+    await args.executeAction(name, apiScanContainer, {
+      successMessage: `Scan triggered: ${name}`,
+    });
   }
 
   async function skipUpdate(name: string) {
@@ -404,7 +495,9 @@ function createContainerActionHandlers(args: {
 
   async function forceUpdate(name: string) {
     await args.applyPolicy(name, 'clear', {}, `Cleared update policy for ${name}`);
-    await args.executeAction(name, apiUpdateContainer);
+    await args.executeAction(name, apiUpdateContainer, {
+      successMessage: `Force updated: ${name}`,
+    });
   }
 
   return {
@@ -509,7 +602,7 @@ export function useContainerActions(input: UseContainerActionsInput) {
     { immediate: true },
   );
 
-  const actionInProgress = ref<string | null>(null);
+  const actionInProgress = ref(new Set<string>());
   const actionPending = ref<Map<string, Container>>(new Map());
   const actionPendingStartTimes = ref<Map<string, number>>(new Map());
   const pendingActionsPollTimer = ref<ReturnType<typeof setInterval> | null>(null);
@@ -558,12 +651,13 @@ export function useContainerActions(input: UseContainerActionsInput) {
   async function executeAction(
     name: string,
     action: (id: string) => Promise<unknown>,
-    options?: { reloadContainers?: boolean },
+    options?: { containerId?: string; reloadContainers?: boolean; successMessage?: string },
   ) {
     return executeContainerActionState({
       containerActionsEnabled: containerActionsEnabled.value,
       containerActionsDisabledReason: containerActionsDisabledReason.value,
       containerIdMap: input.containerIdMap.value,
+      containerId: options?.containerId,
       name,
       actionInProgress,
       inputError: input.error,
@@ -576,6 +670,7 @@ export function useContainerActions(input: UseContainerActionsInput) {
       selectedContainerName: input.selectedContainer.value?.name,
       activeDetailTab: input.activeDetailTab.value,
       refreshActionTabData,
+      successMessage: options?.successMessage,
     });
   }
 
@@ -583,6 +678,8 @@ export function useContainerActions(input: UseContainerActionsInput) {
     await updateAllInGroupState({
       containerActionsEnabled: containerActionsEnabled.value,
       containerActionsDisabledReason: containerActionsDisabledReason.value,
+      containerIdMap: input.containerIdMap.value,
+      containers: input.containers,
       inputError: input.error,
       groupUpdateInProgress,
       group,
@@ -618,6 +715,7 @@ export function useContainerActions(input: UseContainerActionsInput) {
   }
 
   const {
+    confirmClearPolicy,
     confirmDelete,
     confirmForceUpdate,
     confirmRestart,
@@ -629,6 +727,7 @@ export function useContainerActions(input: UseContainerActionsInput) {
     executeAction,
     forceUpdate,
     deleteContainer,
+    clearPolicySelected: policy.clearPolicySelected,
     selectedContainer: input.selectedContainer,
     rollbackToBackup: backups.rollbackToBackup,
   });
@@ -639,6 +738,7 @@ export function useContainerActions(input: UseContainerActionsInput) {
     backupsLoading: backups.backupsLoading,
     containerActionsDisabledReason,
     containerActionsEnabled,
+    confirmClearPolicy,
     clearPolicySelected: policy.clearPolicySelected,
     clearMaturityPolicySelected: policy.clearMaturityPolicySelected,
     clearSkipsSelected: policy.clearSkipsSelected,
diff --git a/ui/src/views/containers/useContainerBackups.ts b/ui/src/views/containers/useContainerBackups.ts
index 5c7ebd93a..5996900c3 100644
--- a/ui/src/views/containers/useContainerBackups.ts
+++ b/ui/src/views/containers/useContainerBackups.ts
@@ -1,7 +1,9 @@
 import { type Ref, ref } from 'vue';
+import { useToast } from '../../composables/useToast';
 import { getBackups, rollback } from '../../services/backup';
 import { getContainerUpdateOperations as fetchContainerUpdateOperations } from '../../services/container';
 import { errorMessage } from '../../utils/error';
+import { loadContainerDetailListState } from './loadContainerDetailListState';
 
 interface UseContainerBackupsInput {
   selectedContainerId: Readonly<Ref<string | undefined>>;
@@ -68,31 +70,6 @@ export function getOperationStatusStyle(status: unknown) {
   };
 }
 
-async function loadContainerDetailListState(args: {
-  containerId: string | undefined;
-  loading: Ref<boolean>;
-  error: Ref<string | null>;
-  value: Ref<Record<string, unknown>[]>;
-  loader: (containerId: string) => Promise<unknown[]>;
-  failureMessage: string;
-}) {
-  if (!args.containerId) {
-    args.value.value = [];
-    return;
-  }
-
-  args.loading.value = true;
-  args.error.value = null;
-  try {
-    args.value.value = (await args.loader(args.containerId)) as Record<string, unknown>[];
-  } catch (e: unknown) {
-    args.value.value = [];
-    args.error.value = errorMessage(e, args.failureMessage);
-  } finally {
-    args.loading.value = false;
-  }
-}
-
 async function loadDetailUpdateOperationsState(args: {
   containerId: string | undefined;
   detailUpdateOperations: Ref<Record<string, unknown>[]>;
@@ -146,14 +123,20 @@ async function rollbackToBackupState(args: {
   args.rollbackError.value = null;
   try {
     await rollback(args.containerId, args.backupId);
-    args.rollbackMessage.value = args.backupId
+    const successMessage = args.backupId
       ? 'Rollback completed from selected backup'
       : 'Rollback completed from latest backup';
+    args.rollbackMessage.value = successMessage;
+    const toast = useToast();
+    toast.success(successMessage);
     args.skippedUpdates.value.delete(args.selectedContainerName || '');
     await args.loadContainers();
     await Promise.all([args.loadDetailBackups(), args.loadDetailUpdateOperations()]);
   } catch (e: unknown) {
-    args.rollbackError.value = errorMessage(e, 'Rollback failed');
+    const msg = errorMessage(e, 'Rollback failed');
+    args.rollbackError.value = msg;
+    const toast = useToast();
+    toast.error('Rollback failed', msg);
   } finally {
     args.rollbackInProgress.value = null;
   }
diff --git a/ui/src/views/containers/useContainerPolicy.ts b/ui/src/views/containers/useContainerPolicy.ts
index 3551fbdd9..aea35e7b9 100644
--- a/ui/src/views/containers/useContainerPolicy.ts
+++ b/ui/src/views/containers/useContainerPolicy.ts
@@ -1,4 +1,5 @@
 import { computed, type Ref, ref, watch } from 'vue';
+import { useToast } from '../../composables/useToast';
 import { updateContainerPolicy } from '../../services/container';
 import type { Container } from '../../types/container';
 import { errorMessage } from '../../utils/error';
@@ -226,10 +227,15 @@ async function applyPolicyState(args: {
   try {
     await updateContainerPolicy(containerId, args.action, args.payload);
     args.policyMessage.value = args.message;
+    const toast = useToast();
+    toast.success(args.message);
     await args.loadContainers();
     return true;
   } catch (e: unknown) {
-    args.policyError.value = errorMessage(e, 'Failed to update policy');
+    const msg = errorMessage(e, 'Failed to update policy');
+    args.policyError.value = msg;
+    const toast = useToast();
+    toast.error(`Policy update failed: ${args.name}`, msg);
     return false;
   } finally {
     args.policyInProgress.value = null;
diff --git a/ui/src/views/containers/useContainerPreview.ts b/ui/src/views/containers/useContainerPreview.ts
index 71ec2808f..8a785c459 100644
--- a/ui/src/views/containers/useContainerPreview.ts
+++ b/ui/src/views/containers/useContainerPreview.ts
@@ -1,4 +1,5 @@
 import { computed, type Ref, ref } from 'vue';
+import { useToast } from '../../composables/useToast';
 import type { ContainerComposePreview, ContainerPreviewPayload } from '../../services/preview';
 import { previewContainer } from '../../services/preview';
 import { errorMessage } from '../../utils/error';
@@ -71,7 +72,10 @@ async function runContainerPreviewState(args: {
     args.detailPreview.value = await previewContainer(args.containerId);
   } catch (e: unknown) {
     args.detailPreview.value = null;
-    args.previewError.value = errorMessage(e, 'Failed to generate update preview');
+    const msg = errorMessage(e, 'Failed to generate update preview');
+    args.previewError.value = msg;
+    const toast = useToast();
+    toast.error('Preview failed', msg);
   } finally {
     args.previewLoading.value = false;
   }
diff --git a/ui/src/views/containers/useContainerTriggers.ts b/ui/src/views/containers/useContainerTriggers.ts
index 1c8e3626a..34fb90e2d 100644
--- a/ui/src/views/containers/useContainerTriggers.ts
+++ b/ui/src/views/containers/useContainerTriggers.ts
@@ -1,7 +1,9 @@
 import { type Ref, ref } from 'vue';
+import { useToast } from '../../composables/useToast';
 import { getContainerTriggers, runTrigger as runContainerTrigger } from '../../services/container';
 import type { ApiContainerTrigger } from '../../types/api';
 import { errorMessage } from '../../utils/error';
+import { loadContainerDetailListState } from './loadContainerDetailListState';
 
 interface UseContainerTriggersInput {
   selectedContainerId: Readonly<Ref<string | undefined>>;
@@ -11,31 +13,6 @@ interface UseContainerTriggersInput {
   refreshActionTabData: () => Promise<void>;
 }
 
-async function loadContainerDetailListState(args: {
-  containerId: string | undefined;
-  loading: Ref<boolean>;
-  error: Ref<string | null>;
-  value: Ref<Record<string, unknown>[]>;
-  loader: (containerId: string) => Promise<unknown[]>;
-  failureMessage: string;
-}) {
-  if (!args.containerId) {
-    args.value.value = [];
-    return;
-  }
-
-  args.loading.value = true;
-  args.error.value = null;
-  try {
-    args.value.value = (await args.loader(args.containerId)) as Record<string, unknown>[];
-  } catch (e: unknown) {
-    args.value.value = [];
-    args.error.value = errorMessage(e, args.failureMessage);
-  } finally {
-    args.loading.value = false;
-  }
-}
-
 export function getTriggerKey(trigger: ApiContainerTrigger): string {
   if (trigger.id) {
     return trigger.id;
@@ -75,10 +52,15 @@ async function runAssociatedTriggerState(args: {
       triggerAgent: args.trigger.agent,
     });
     args.triggerMessage.value = `Trigger ${triggerKey} ran successfully`;
+    const toast = useToast();
+    toast.success(`Trigger ran: ${triggerKey}`);
     await args.loadContainers();
     await args.refreshActionTabData();
   } catch (e: unknown) {
-    args.triggerError.value = errorMessage(e, `Failed to run ${triggerKey}`);
+    const msg = errorMessage(e, `Failed to run ${triggerKey}`);
+    args.triggerError.value = msg;
+    const toast = useToast();
+    toast.error(`Trigger failed: ${triggerKey}`, msg);
   } finally {
     args.triggerRunInProgress.value = null;
   }
diff --git a/ui/src/views/dashboard/components/DashboardHostStatusWidget.vue b/ui/src/views/dashboard/components/DashboardHostStatusWidget.vue
new file mode 100644
index 000000000..2f6fbde06
--- /dev/null
+++ b/ui/src/views/dashboard/components/DashboardHostStatusWidget.vue
@@ -0,0 +1,124 @@
+<script setup lang="ts">
+import { onBeforeUnmount, onMounted, ref, watchEffect } from 'vue';
+import AppBadge from '@/components/AppBadge.vue';
+import type { DashboardServerRow } from '../dashboardTypes';
+
+interface Props {
+  editMode: boolean;
+  servers: DashboardServerRow[];
+}
+
+defineProps<Props>();
+
+const emit = defineEmits<{
+  viewAll: [];
+}>();
+
+function handleViewAll() {
+  emit('viewAll');
+}
+
+const rootEl = ref<HTMLElement | null>(null);
+const containerHeight = ref(999);
+// full = header + wide rows with vertical scroll
+// compact = no header, horizontal cards with horizontal scroll
+const mode = ref<'full' | 'compact'>('full');
+
+let observer: ResizeObserver | null = null;
+
+onMounted(() => {
+  if (!rootEl.value) return;
+  observer = new ResizeObserver((entries) => {
+    for (const entry of entries) {
+      containerHeight.value = entry.contentRect.height;
+    }
+  });
+  observer.observe(rootEl.value);
+});
+
+onBeforeUnmount(() => {
+  observer?.disconnect();
+});
+
+watchEffect(() => {
+  mode.value = containerHeight.value >= 250 ? 'full' : 'compact';
+});
+</script>
+
+<template>
+  <div
+    ref="rootEl"
+    aria-label="Host Status widget"
+    class="dashboard-widget dd-rounded overflow-hidden flex flex-col"
+    :style="{ backgroundColor: 'var(--dd-bg-card)' }">
+
+    <!-- Header — full mode only -->
+    <div v-if="mode === 'full'" class="shrink-0 flex items-center justify-between px-5 py-3.5" :style="{ borderBottom: '1px solid var(--dd-border)' }">
+      <div class="flex items-center gap-2">
+        <div v-if="editMode" class="drag-handle dd-drag-handle" v-tooltip.top="'Drag to reorder'"><AppIcon name="ph:dots-six-vertical" :size="14" /></div>
+        <AppIcon name="servers" :size="14" class="text-drydock-secondary" />
+        <h2 class="dd-text-heading-section dd-text">Host Status</h2>
+      </div>
+      <AppButton size="none" variant="link-secondary" weight="medium" class="text-2xs-plus" @click="handleViewAll">View all &rarr;</AppButton>
+    </div>
+
+    <!-- Full mode: wide rows, vertical scroll -->
+    <div v-if="mode === 'full'" class="flex-1 min-h-0 overflow-y-auto overscroll-contain dd-scroll-stable p-4 space-y-3">
+      <div
+        v-for="server in servers"
+        :key="server.name"
+        class="flex items-center gap-3 p-3 dd-rounded cursor-pointer transition-colors hover:dd-bg-elevated"
+        :style="{ backgroundColor: 'var(--dd-bg-inset)' }"
+        @click="handleViewAll">
+        <AppBadge
+          v-tooltip.top="server.status === 'connected' ? 'Connected' : 'Disconnected'"
+          size="xs"
+          class="px-1.5 py-0"
+          :tone="server.status === 'connected' ? 'success' : 'danger'">
+          <AppIcon :name="server.status === 'connected' ? 'check' : 'xmark'" :size="12" />
+        </AppBadge>
+        <div class="flex-1 min-w-0">
+          <div class="text-xs font-semibold truncate dd-text">{{ server.name }}</div>
+          <div v-if="server.host" class="text-2xs font-mono dd-text-muted truncate mt-0.5">{{ server.host }}</div>
+          <div class="text-2xs dd-text-muted">{{ server.containers.running }}/{{ server.containers.total }} containers</div>
+        </div>
+        <AppBadge
+          size="xs"
+          :tone="server.status === 'connected' ? 'success' : 'danger'">
+          {{ server.statusLabel ?? server.status }}
+        </AppBadge>
+      </div>
+    </div>
+
+    <!-- Compact mode: horizontal cards, horizontal scroll -->
+    <div v-else class="flex-1 min-h-0 overflow-x-auto overflow-y-hidden p-4 relative">
+      <div v-if="editMode" class="drag-handle dd-drag-handle absolute top-2 left-2 z-10" v-tooltip.top="'Drag to reorder'"><AppIcon name="ph:dots-six" :size="14" /></div>
+      <div class="flex gap-3 h-full" :class="servers.length <= 3 ? 'justify-center' : ''">
+        <div
+          v-for="server in servers"
+          :key="server.name"
+          class="flex-none w-40 p-3 dd-rounded cursor-pointer transition-colors hover:dd-bg-elevated text-center flex flex-col items-center justify-center gap-1.5"
+          :style="{ backgroundColor: 'var(--dd-bg-inset)' }"
+          @click="handleViewAll">
+          <span
+            v-tooltip.top="server.status === 'connected' ? 'Connected' : 'Disconnected'"
+            class="w-7 h-7 dd-rounded flex items-center justify-center"
+            :style="{
+              backgroundColor: server.status === 'connected' ? 'var(--dd-success-muted)' : 'var(--dd-danger-muted)',
+              color: server.status === 'connected' ? 'var(--dd-success)' : 'var(--dd-danger)',
+            }">
+            <AppIcon :name="server.status === 'connected' ? 'check' : 'xmark'" :size="14" />
+          </span>
+          <div class="text-xs font-semibold dd-text truncate w-full">{{ server.name }}</div>
+          <div v-if="server.host" class="text-3xs font-mono dd-text-muted truncate w-full">{{ server.host }}</div>
+          <div class="text-2xs dd-text-muted">{{ server.containers.running }}/{{ server.containers.total }} containers</div>
+          <span
+            class="text-3xs font-bold uppercase"
+            :style="{ color: server.status === 'connected' ? 'var(--dd-success)' : 'var(--dd-danger)' }">
+            {{ server.statusLabel ?? server.status }}
+          </span>
+        </div>
+      </div>
+    </div>
+  </div>
+</template>
diff --git a/ui/src/views/dashboard/components/DashboardRecentUpdatesWidget.vue b/ui/src/views/dashboard/components/DashboardRecentUpdatesWidget.vue
new file mode 100644
index 000000000..4d1979203
--- /dev/null
+++ b/ui/src/views/dashboard/components/DashboardRecentUpdatesWidget.vue
@@ -0,0 +1,272 @@
+<script setup lang="ts">
+import { onBeforeUnmount, onMounted, ref, watchEffect } from 'vue';
+import AppBadge from '@/components/AppBadge.vue';
+import AppIconButton from '@/components/AppIconButton.vue';
+import type { RecentUpdateRow, UpdateKind } from '../dashboardTypes';
+
+const UPDATE_TABLE_COLUMNS = [
+  { key: 'icon', label: '', icon: true, width: '6%' },
+  { key: 'container', label: 'Container', sortable: false, width: '38%' },
+  { key: 'version', label: 'Version', sortable: false, align: 'text-center', width: '28%' },
+  { key: 'type', label: 'Type', sortable: false, width: '16%' },
+  { key: 'actions', label: 'Actions', sortable: false, align: 'text-center', width: '12%' },
+] as const;
+
+interface Props {
+  dashboardUpdateAllInProgress: boolean;
+  dashboardUpdateError: string | null;
+  dashboardUpdateInProgress: string | null;
+  editMode: boolean;
+  getUpdateKindColor: (kind: UpdateKind | null) => string;
+  getUpdateKindIcon: (kind: UpdateKind | null) => string;
+  getUpdateKindMutedColor: (kind: UpdateKind | null) => string;
+  pendingUpdatesCount: number;
+  recentUpdates: RecentUpdateRow[];
+}
+
+const props = defineProps<Props>();
+
+function getRowClass(row: Record<string, unknown>): string {
+  const id = row.id as string;
+  if (props.dashboardUpdateInProgress === id || props.dashboardUpdateAllInProgress) {
+    return 'opacity-50 pointer-events-none transition-opacity duration-300';
+  }
+  return '';
+}
+
+const emit = defineEmits<{
+  confirmUpdate: [row: RecentUpdateRow];
+  confirmUpdateAll: [];
+  viewAll: [];
+}>();
+
+function handleConfirmUpdate(row: RecentUpdateRow) {
+  emit('confirmUpdate', row);
+}
+
+function handleConfirmUpdateAll() {
+  emit('confirmUpdateAll');
+}
+
+function handleViewAll() {
+  emit('viewAll');
+}
+
+const rootEl = ref<HTMLElement | null>(null);
+const containerHeight = ref(999);
+
+let observer: ResizeObserver | null = null;
+
+onMounted(() => {
+  if (!rootEl.value) return;
+  observer = new ResizeObserver((entries) => {
+    for (const entry of entries) {
+      containerHeight.value = entry.contentRect.height;
+    }
+  });
+  observer.observe(rootEl.value);
+});
+
+onBeforeUnmount(() => {
+  observer?.disconnect();
+});
+
+// Progressive collapse thresholds
+const showHeader = ref(true);
+
+watchEffect(() => {
+  const h = containerHeight.value;
+  showHeader.value = h >= 200;
+});
+</script>
+
+<template>
+  <div
+    ref="rootEl"
+    aria-label="Updates Available widget"
+    class="dashboard-widget xl:col-span-2 dd-rounded overflow-hidden min-w-0 flex flex-col"
+    :style="{ backgroundColor: 'var(--dd-bg-card)' }">
+
+    <!-- Header — hides when compact -->
+    <div v-if="showHeader" class="shrink-0 flex items-center justify-between px-5 py-3.5" :style="{ borderBottom: '1px solid var(--dd-border)' }">
+      <div class="flex items-center gap-2">
+        <div v-if="editMode" class="drag-handle dd-drag-handle" v-tooltip.top="'Drag to reorder'"><AppIcon name="ph:dots-six-vertical" :size="14" /></div>
+        <AppIcon name="recent-updates" :size="14" class="text-drydock-secondary" />
+        <h2 class="dd-text-heading-section dd-text">
+          Updates Available
+        </h2>
+      </div>
+      <div class="flex items-center gap-3">
+        <AppButton
+          v-if="pendingUpdatesCount > 0"
+          data-test="dashboard-update-all-btn"
+          size="none"
+          variant="plain"
+          weight="none"
+          type="button"
+          class="inline-flex items-center justify-center px-2 py-1 dd-rounded border text-2xs font-semibold transition-colors"
+          :class="dashboardUpdateAllInProgress
+            ? 'dd-text-muted cursor-not-allowed opacity-60'
+            : 'dd-text hover:dd-bg-elevated'"
+          :disabled="dashboardUpdateAllInProgress"
+          @click="handleConfirmUpdateAll">
+          <AppIcon
+            :name="dashboardUpdateAllInProgress ? 'spinner' : 'cloud-download'"
+            :size="11"
+            class="mr-1"
+            :class="dashboardUpdateAllInProgress ? 'dd-spin' : ''" />
+          Update all
+        </AppButton>
+        <AppButton
+          size="none"
+          variant="link-secondary"
+          weight="medium"
+          type="button"
+          class="text-2xs-plus font-medium text-drydock-secondary hover:underline"
+          @click="handleViewAll">
+          View all &rarr;
+        </AppButton>
+      </div>
+    </div>
+
+    <!-- Full view: error banner + data table -->
+    <template v-if="showHeader">
+      <div
+        v-if="dashboardUpdateError"
+        data-test="dashboard-update-error"
+        class="mx-5 mt-3 px-3 py-2 text-2xs-plus dd-rounded"
+        :style="{ backgroundColor: 'var(--dd-danger-muted)', color: 'var(--dd-danger)' }">
+        {{ dashboardUpdateError }}
+      </div>
+
+      <div class="flex-1 min-h-0 overflow-y-auto overscroll-contain dd-scroll-stable">
+        <DataTable
+          :columns="UPDATE_TABLE_COLUMNS"
+          :rows="recentUpdates"
+          row-key="id"
+          :row-class="getRowClass"
+          fixed-layout
+          compact>
+          <template #cell-icon="{ row }">
+            <ContainerIcon :icon="row.icon" :size="28" />
+          </template>
+
+          <template #cell-container="{ row }">
+            <div class="font-medium dd-text leading-tight">{{ row.name }}</div>
+            <div class="text-2xs dd-text-muted mt-0.5 truncate">{{ row.image }}</div>
+            <div v-if="row.registryError" class="text-2xs mt-0.5 truncate" style="color: var(--dd-danger);">
+              {{ row.registryError }}
+            </div>
+            <a
+              v-if="row.releaseLink"
+              :href="row.releaseLink"
+              target="_blank"
+              rel="noopener noreferrer"
+              class="text-2xs mt-0.5 inline-flex underline hover:no-underline"
+              style="color: var(--dd-info);">
+              Release notes
+            </a>
+          </template>
+
+          <template #cell-version="{ row }">
+            <div class="hidden sm:flex items-center justify-center gap-1.5 min-w-0">
+              <CopyableTag :tag="row.oldVer" class="text-2xs-plus dd-text-secondary truncate max-w-[100px]">
+                {{ row.oldVer }}
+              </CopyableTag>
+              <AppIcon name="arrow-right" :size="8" class="dd-text-muted shrink-0" />
+              <CopyableTag
+                :tag="row.newVer"
+                class="text-2xs-plus font-semibold truncate max-w-[120px]"
+                :style="{ color: getUpdateKindColor(row.updateKind) }">
+                {{ row.newVer }}
+              </CopyableTag>
+            </div>
+            <div class="flex sm:hidden flex-col items-center gap-0.5 min-w-0 max-w-full">
+              <CopyableTag :tag="row.oldVer" class="text-3xs dd-text-secondary truncate max-w-full leading-tight" v-tooltip.top="row.oldVer">
+                {{ row.oldVer }}
+              </CopyableTag>
+              <CopyableTag
+                :tag="row.newVer"
+                class="text-3xs font-semibold truncate max-w-full leading-tight"
+                :style="{ color: getUpdateKindColor(row.updateKind) }"
+                v-tooltip.top="row.newVer">
+                {{ row.newVer }}
+              </CopyableTag>
+            </div>
+          </template>
+
+          <template #cell-type="{ row }">
+            <AppBadge
+              v-tooltip.top="row.updateKind ?? 'unknown'"
+              size="xs"
+              class="px-1.5 py-0 sm:!hidden"
+              :custom="{
+                bg: getUpdateKindMutedColor(row.updateKind),
+                text: getUpdateKindColor(row.updateKind),
+              }">
+              <AppIcon :name="getUpdateKindIcon(row.updateKind)" :size="12" />
+            </AppBadge>
+            <AppBadge
+              v-tooltip.top="row.updateKind ?? 'unknown'"
+              size="sm"
+              class="max-sm:!hidden"
+              :custom="{
+                bg: getUpdateKindMutedColor(row.updateKind),
+                text: getUpdateKindColor(row.updateKind),
+              }">
+              <AppIcon :name="getUpdateKindIcon(row.updateKind)" :size="12" class="mr-1" />
+              {{ row.updateKind ?? 'unknown' }}
+            </AppBadge>
+          </template>
+
+          <template #cell-actions="{ row }">
+            <div class="flex justify-center">
+            <span
+              v-if="row.blocked"
+              class="w-7 h-7 dd-rounded-sm flex items-center justify-center dd-text-muted opacity-60 cursor-not-allowed"
+              v-tooltip.top="'Security blocked'">
+              <AppIcon name="lock" :size="14" />
+            </span>
+            <AppIconButton
+              v-else-if="row.status === 'pending'"
+              icon="cloud-download"
+              size="toolbar"
+              variant="plain"
+              data-test="dashboard-update-btn"
+              class="dd-rounded-sm transition-colors"
+              :class="dashboardUpdateInProgress === row.id || dashboardUpdateAllInProgress
+                ? 'dd-text-muted opacity-50 cursor-not-allowed'
+                : 'dd-text-muted hover:dd-text-success hover:dd-bg-elevated'"
+              :disabled="dashboardUpdateInProgress === row.id || dashboardUpdateAllInProgress"
+              :loading="dashboardUpdateInProgress === row.id"
+              tooltip="Update container"
+              aria-label="Update container"
+              @click.stop="handleConfirmUpdate(row)" />
+            </div>
+          </template>
+
+          <template #empty>
+            <div class="px-4 py-6 text-center text-2xs-plus dd-text-muted">
+              No updates available
+            </div>
+          </template>
+        </DataTable>
+      </div>
+    </template>
+
+    <!-- Compact: inline summary -->
+    <div v-else class="flex-1 min-h-0 flex flex-col items-center justify-center p-4">
+      <div v-if="editMode" class="drag-handle dd-drag-handle mb-2" v-tooltip.top="'Drag to reorder'"><AppIcon name="ph:dots-six" :size="14" /></div>
+      <div class="flex items-center gap-2 cursor-pointer" @click="handleViewAll">
+        <AppIcon name="recent-updates" :size="16" class="text-drydock-secondary" />
+        <span class="text-xs font-semibold dd-text">{{ pendingUpdatesCount }} update{{ pendingUpdatesCount === 1 ? '' : 's' }} available</span>
+        <AppBadge
+          v-if="pendingUpdatesCount > 0"
+          tone="warning"
+          size="xs">
+          {{ pendingUpdatesCount }}
+        </AppBadge>
+      </div>
+    </div>
+  </div>
+</template>
diff --git a/ui/src/views/dashboard/components/DashboardResourceUsageWidget.vue b/ui/src/views/dashboard/components/DashboardResourceUsageWidget.vue
new file mode 100644
index 000000000..149fa3ed8
--- /dev/null
+++ b/ui/src/views/dashboard/components/DashboardResourceUsageWidget.vue
@@ -0,0 +1,188 @@
+<script setup lang="ts">
+import { onBeforeUnmount, onMounted, ref, watchEffect } from 'vue';
+import type { ResourceUsageSummary } from '../../../utils/stats-summary';
+import {
+  getUsageThresholdColor,
+  getUsageThresholdMutedColor,
+} from '../../../utils/stats-thresholds';
+
+interface Props {
+  editMode: boolean;
+  resourceUsage: ResourceUsageSummary;
+}
+
+defineProps<Props>();
+
+const emit = defineEmits<{
+  viewAll: [];
+}>();
+
+function formatBytes(value: number): string {
+  const units = ['B', 'KB', 'MB', 'GB', 'TB'];
+  let nextValue = Math.max(0, Number.isFinite(value) ? value : 0);
+  let unitIndex = 0;
+  while (nextValue >= 1024 && unitIndex < units.length - 1) {
+    nextValue /= 1024;
+    unitIndex += 1;
+  }
+  const precision = unitIndex === 0 ? 0 : 1;
+  return `${nextValue.toFixed(precision)} ${units[unitIndex]}`;
+}
+
+function handleViewAll() {
+  emit('viewAll');
+}
+
+const rootEl = ref<HTMLElement | null>(null);
+const containerHeight = ref(999);
+
+let observer: ResizeObserver | null = null;
+
+onMounted(() => {
+  if (!rootEl.value) return;
+  observer = new ResizeObserver((entries) => {
+    for (const entry of entries) {
+      containerHeight.value = entry.contentRect.height;
+    }
+  });
+  observer.observe(rootEl.value);
+});
+
+onBeforeUnmount(() => {
+  observer?.disconnect();
+});
+
+// Progressive collapse thresholds
+const showHeader = ref(true);
+const topListLimit = ref(5);
+
+watchEffect(() => {
+  const h = containerHeight.value;
+  showHeader.value = h >= 200;
+  // Progressively reduce top list items — always show at least 1 if space permits
+  if (h >= 500) topListLimit.value = 5;
+  else if (h >= 400) topListLimit.value = 3;
+  else if (h >= 250) topListLimit.value = 2;
+  else if (h >= 180) topListLimit.value = 1;
+  else topListLimit.value = 0;
+});
+</script>
+
+<template>
+  <div
+    ref="rootEl"
+    aria-label="Resource Usage widget"
+    class="dashboard-widget dd-rounded overflow-hidden flex flex-col"
+    :style="{ backgroundColor: 'var(--dd-bg-card)' }">
+
+    <!-- Header — hides when compact -->
+    <div v-if="showHeader" class="shrink-0 flex items-center justify-between px-5 py-3.5" :style="{ borderBottom: '1px solid var(--dd-border)' }">
+      <div class="flex items-center gap-2">
+        <div v-if="editMode" class="drag-handle dd-drag-handle" v-tooltip.top="'Drag to reorder'"><AppIcon name="ph:dots-six-vertical" :size="14" /></div>
+        <AppIcon name="uptime" :size="14" class="text-drydock-secondary" />
+        <h2 class="dd-text-heading-section dd-text">
+          Resource Usage
+        </h2>
+      </div>
+      <AppButton size="none" variant="link-secondary" weight="medium" class="text-2xs-plus" @click="handleViewAll">View all &rarr;</AppButton>
+    </div>
+
+    <div class="flex-1 min-h-0 overflow-y-auto overscroll-contain dd-scroll-stable p-4 space-y-4 relative">
+      <!-- Drag handle when header is hidden — pinned top-left -->
+      <div v-if="!showHeader && editMode" class="drag-handle dd-drag-handle absolute top-2 left-2 z-10" v-tooltip.top="'Drag to reorder'"><AppIcon name="ph:dots-six" :size="14" /></div>
+
+      <div>
+        <div v-if="showHeader" class="dd-text-label mb-2 dd-text-muted">
+          Total Usage ({{ resourceUsage.watchedContainers }} watched)
+        </div>
+        <div class="space-y-2">
+          <div>
+            <div class="flex items-center justify-between text-2xs dd-text-secondary mb-1">
+              <span>CPU</span>
+              <span>{{ resourceUsage.totalCpuPercent.toFixed(1) }}%</span>
+            </div>
+            <div class="h-2 dd-rounded overflow-hidden" :style="{ backgroundColor: 'var(--dd-bg-elevated)' }">
+              <div
+                class="h-full dd-rounded transition-[width,color,background-color]"
+                :style="{
+                  width: `${resourceUsage.totalCpuPercent}%`,
+                  backgroundColor: getUsageThresholdColor(resourceUsage.totalCpuPercent),
+                }" />
+            </div>
+          </div>
+
+          <div>
+            <div class="flex items-center justify-between text-2xs dd-text-secondary mb-1">
+              <span>Memory</span>
+              <span>
+                {{ formatBytes(resourceUsage.totalMemoryUsageBytes) }} / {{ formatBytes(resourceUsage.totalMemoryLimitBytes) }} ({{ resourceUsage.totalMemoryPercent.toFixed(1) }}%)
+              </span>
+            </div>
+            <div class="h-2 dd-rounded overflow-hidden" :style="{ backgroundColor: 'var(--dd-bg-elevated)' }">
+              <div
+                class="h-full dd-rounded transition-[width,color,background-color]"
+                :style="{
+                  width: `${resourceUsage.totalMemoryPercent}%`,
+                  backgroundColor: getUsageThresholdColor(resourceUsage.totalMemoryPercent),
+                }" />
+            </div>
+          </div>
+        </div>
+      </div>
+
+      <div v-if="topListLimit > 0" class="grid grid-cols-1 gap-3">
+        <div>
+          <div class="dd-text-label mb-2 dd-text-muted">
+            Top CPU
+          </div>
+          <div class="space-y-1.5">
+            <div
+              v-for="row in resourceUsage.topCpu.slice(0, topListLimit)"
+              :key="`cpu-${row.id}`"
+              class="px-2.5 py-2 dd-rounded"
+              :style="{ backgroundColor: getUsageThresholdMutedColor(row.cpuPercent) }">
+              <div class="flex items-center justify-between gap-2">
+                <span class="text-2xs-plus font-semibold truncate dd-text">{{ row.name }}</span>
+                <span class="text-2xs font-semibold" :style="{ color: getUsageThresholdColor(row.cpuPercent) }">
+                  {{ row.cpuPercent.toFixed(1) }}%
+                </span>
+              </div>
+            </div>
+            <div
+              v-if="resourceUsage.topCpu.length === 0"
+              class="px-2.5 py-2 dd-rounded text-2xs-plus text-center dd-text-muted"
+              :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+              No live CPU data
+            </div>
+          </div>
+        </div>
+
+        <div>
+          <div class="dd-text-label mb-2 dd-text-muted">
+            Top Memory
+          </div>
+          <div class="space-y-1.5">
+            <div
+              v-for="row in resourceUsage.topMemory.slice(0, topListLimit)"
+              :key="`memory-${row.id}`"
+              class="px-2.5 py-2 dd-rounded"
+              :style="{ backgroundColor: getUsageThresholdMutedColor(row.memoryPercent) }">
+              <div class="flex items-center justify-between gap-2">
+                <span class="text-2xs-plus font-semibold truncate dd-text">{{ row.name }}</span>
+                <span class="text-2xs font-semibold" :style="{ color: getUsageThresholdColor(row.memoryPercent) }">
+                  {{ row.memoryPercent.toFixed(1) }}%
+                </span>
+              </div>
+            </div>
+            <div
+              v-if="resourceUsage.topMemory.length === 0"
+              class="px-2.5 py-2 dd-rounded text-2xs-plus text-center dd-text-muted"
+              :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+              No live memory data
+            </div>
+          </div>
+        </div>
+      </div>
+    </div>
+  </div>
+</template>
diff --git a/ui/src/views/dashboard/components/DashboardSecurityOverviewWidget.vue b/ui/src/views/dashboard/components/DashboardSecurityOverviewWidget.vue
new file mode 100644
index 000000000..a660df59c
--- /dev/null
+++ b/ui/src/views/dashboard/components/DashboardSecurityOverviewWidget.vue
@@ -0,0 +1,190 @@
+<script setup lang="ts">
+import { onBeforeUnmount, onMounted, ref } from 'vue';
+import AppBadge from '@/components/AppBadge.vue';
+import StatusDot from '@/components/StatusDot.vue';
+
+interface SecuritySeverityTotals {
+  critical: number;
+  high: number;
+  low: number;
+  medium: number;
+}
+
+interface VulnerabilityRow {
+  id: string;
+  image: string;
+  package: string;
+  severity: 'CRITICAL' | 'HIGH';
+}
+
+interface Props {
+  donutCircumference: number;
+  editMode: boolean;
+  securityCleanArcLength: number;
+  securityCleanCount: number;
+  securityIssueArcLength: number;
+  securityIssueCount: number;
+  securityNotScannedArcLength: number;
+  securityNotScannedCount: number;
+  securitySeverityTotals: SecuritySeverityTotals;
+  securityTotalCount: number;
+  showSecuritySeverityBreakdown: boolean;
+  vulnerabilities: VulnerabilityRow[];
+}
+
+defineProps<Props>();
+
+const emit = defineEmits<{
+  viewAll: [];
+}>();
+
+function handleViewAll() {
+  emit('viewAll');
+}
+
+const rootEl = ref<HTMLElement | null>(null);
+const containerHeight = ref(999);
+
+let observer: ResizeObserver | null = null;
+
+onMounted(() => {
+  if (!rootEl.value) return;
+  observer = new ResizeObserver((entries) => {
+    for (const entry of entries) {
+      containerHeight.value = entry.contentRect.height;
+    }
+  });
+  observer.observe(rootEl.value);
+});
+
+onBeforeUnmount(() => {
+  observer?.disconnect();
+});
+
+// Progressive collapse thresholds
+const showHeader = ref(true);
+const showLegend = ref(true);
+const showBreakdown = ref(true);
+const showVulns = ref(true);
+
+// Reactively update based on height
+import { watchEffect } from 'vue';
+watchEffect(() => {
+  const h = containerHeight.value;
+  showVulns.value = h >= 400;
+  showBreakdown.value = h >= 300;
+  showLegend.value = h >= 200;
+  showHeader.value = h >= 200;
+});
+</script>
+
+<template>
+  <div
+    ref="rootEl"
+    aria-label="Security Overview widget"
+    class="dashboard-widget dd-rounded overflow-hidden flex flex-col"
+    :style="{ backgroundColor: 'var(--dd-bg-card)' }">
+
+    <!-- Header — hides when very small -->
+    <div v-if="showHeader" class="shrink-0 flex items-center justify-between px-5 py-3.5" :style="{ borderBottom: '1px solid var(--dd-border)' }">
+      <div class="flex items-center gap-2">
+        <div v-if="editMode" class="drag-handle dd-drag-handle" v-tooltip.top="'Drag to reorder'"><AppIcon name="ph:dots-six-vertical" :size="14" /></div>
+        <AppIcon name="security" :size="14" class="text-drydock-accent" />
+        <h2 class="dd-text-heading-section dd-text">Security Overview</h2>
+      </div>
+      <AppButton size="none" variant="link-secondary" weight="medium" class="text-2xs-plus" @click="handleViewAll">View all &rarr;</AppButton>
+    </div>
+
+    <div class="flex-1 min-h-0 overflow-hidden p-5 flex flex-col items-center justify-center relative">
+      <!-- Drag handle when header is hidden — pinned top-left -->
+      <div v-if="!showHeader && editMode" class="drag-handle dd-drag-handle absolute top-2 left-2 z-10" v-tooltip.top="'Drag to reorder'"><AppIcon name="ph:dots-six" :size="14" /></div>
+
+      <!-- Donut chart — always visible -->
+      <div class="flex items-center justify-center" :class="showLegend ? 'mb-5' : ''">
+        <div class="relative" :style="{ width: showLegend ? '140px' : '100px', height: showLegend ? '140px' : '100px' }">
+          <svg viewBox="0 0 120 120" class="w-full h-full" style="transform: rotate(-90deg);">
+            <circle cx="60" cy="60" r="48" fill="none" stroke="var(--dd-border-strong)" stroke-width="14" />
+            <circle cx="60" cy="60" r="48" fill="none" stroke="var(--dd-success)" stroke-width="14"
+              stroke-linecap="round" class="donut-ring"
+              :stroke-dasharray="securityCleanArcLength + ' ' + donutCircumference" />
+            <circle v-if="securityIssueCount > 0" cx="60" cy="60" r="48" fill="none" stroke="var(--dd-danger)" stroke-width="14"
+              stroke-linecap="round" class="donut-ring"
+              :stroke-dasharray="securityIssueArcLength + ' ' + donutCircumference"
+              :stroke-dashoffset="-securityCleanArcLength" />
+            <circle v-if="securityNotScannedCount > 0" cx="60" cy="60" r="48" fill="none" stroke="var(--dd-neutral)" stroke-width="14"
+              stroke-linecap="round" class="donut-ring"
+              :stroke-dasharray="securityNotScannedArcLength + ' ' + donutCircumference"
+              :stroke-dashoffset="-(securityCleanArcLength + securityIssueArcLength)" />
+          </svg>
+          <div class="absolute inset-0 flex flex-col items-center justify-center">
+            <span class="text-xl font-bold dd-text">{{ securityTotalCount }}</span>
+            <span class="text-2xs dd-text-muted">images</span>
+          </div>
+        </div>
+      </div>
+
+      <!-- Legend -->
+      <div v-if="showLegend" class="flex justify-center gap-5" :class="showBreakdown ? 'mb-5' : ''">
+        <div class="flex items-center gap-1.5">
+          <StatusDot color="var(--dd-success)" size="lg" />
+          <span class="text-2xs-plus dd-text-secondary">{{ securityCleanCount }} Clean</span>
+        </div>
+        <div v-if="securityIssueCount > 0" class="flex items-center gap-1.5">
+          <StatusDot color="var(--dd-danger)" size="lg" />
+          <span class="text-2xs-plus dd-text-secondary">{{ securityIssueCount }} Issues</span>
+        </div>
+        <div v-if="securityNotScannedCount > 0" class="flex items-center gap-1.5">
+          <StatusDot color="var(--dd-neutral)" size="lg" />
+          <span class="text-2xs-plus dd-text-secondary">{{ securityNotScannedCount }} Not Scanned</span>
+        </div>
+      </div>
+
+      <!-- Severity breakdown -->
+      <div v-if="showBreakdown && showSecuritySeverityBreakdown" data-test="security-severity-breakdown" class="w-full mb-5">
+        <div class="dd-text-label mb-2 dd-text-muted">Severity Breakdown</div>
+        <div class="grid grid-cols-2 gap-2">
+          <div class="flex items-center justify-between px-2 py-1.5 dd-rounded" :style="{ backgroundColor: 'var(--dd-danger-muted)' }">
+            <span class="text-2xs font-semibold" style="color: var(--dd-danger);">{{ securitySeverityTotals.critical }} Critical</span>
+          </div>
+          <div class="flex items-center justify-between px-2 py-1.5 dd-rounded" :style="{ backgroundColor: 'var(--dd-warning-muted)' }">
+            <span class="text-2xs font-semibold" style="color: var(--dd-warning);">{{ securitySeverityTotals.high }} High</span>
+          </div>
+          <div class="flex items-center justify-between px-2 py-1.5 dd-rounded" :style="{ backgroundColor: 'var(--dd-caution-muted)' }">
+            <span class="text-2xs font-semibold" style="color: var(--dd-caution);">{{ securitySeverityTotals.medium }} Medium</span>
+          </div>
+          <div class="flex items-center justify-between px-2 py-1.5 dd-rounded" :style="{ backgroundColor: 'var(--dd-info-muted)' }">
+            <span class="text-2xs font-semibold" style="color: var(--dd-info);">{{ securitySeverityTotals.low }} Low</span>
+          </div>
+        </div>
+      </div>
+
+      <!-- Top Vulnerabilities -->
+      <template v-if="showVulns">
+        <div class="w-full mb-4" :style="{ borderTop: '1px solid var(--dd-border)' }" />
+        <div class="w-full dd-text-label mb-3 dd-text-muted">Top Vulnerabilities</div>
+        <div class="w-full space-y-2.5 overflow-y-auto max-h-[200px]">
+          <div v-for="vuln in vulnerabilities" :key="vuln.id"
+            class="flex items-start gap-3 p-2.5 dd-rounded"
+            :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+            <div class="shrink-0 mt-0.5">
+              <AppBadge
+                size="xs"
+                :tone="vuln.severity === 'CRITICAL' ? 'danger' : 'warning'">
+                {{ vuln.severity }}
+              </AppBadge>
+            </div>
+            <div class="flex-1 min-w-0">
+              <div class="text-2xs-plus font-semibold truncate dd-text">{{ vuln.id }}</div>
+              <div class="text-2xs mt-0.5 truncate dd-text-muted">{{ vuln.package }} &middot; {{ vuln.image }}</div>
+            </div>
+          </div>
+          <div v-if="vulnerabilities.length === 0"
+            class="p-2.5 dd-rounded text-2xs-plus text-center dd-text-muted"
+            :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+            No vulnerabilities reported
+          </div>
+        </div>
+      </template>
+    </div>
+  </div>
+</template>
diff --git a/ui/src/views/dashboard/components/DashboardStatCards.vue b/ui/src/views/dashboard/components/DashboardStatCards.vue
new file mode 100644
index 000000000..7415bef38
--- /dev/null
+++ b/ui/src/views/dashboard/components/DashboardStatCards.vue
@@ -0,0 +1,88 @@
+<script setup lang="ts">
+import { computed, ref } from 'vue';
+import type { RouteLocationRaw } from 'vue-router';
+import { useDraggable } from 'vue-draggable-plus';
+import type { DashboardStatCard, DashboardWidgetId, WidgetOrderItem } from '../dashboardTypes';
+
+interface Props {
+  editMode: boolean;
+  isWidgetVisible: (id: DashboardWidgetId) => boolean;
+  statOrder: WidgetOrderItem[];
+  stats: DashboardStatCard[];
+}
+
+const props = defineProps<Props>();
+
+const emit = defineEmits<{
+  navigate: [route: RouteLocationRaw];
+}>();
+
+const statById = computed(() => {
+  const map = new Map<string, DashboardStatCard>();
+  for (const s of props.stats) map.set(s.id, s);
+  return map;
+});
+
+const visibleCount = computed(
+  () => props.statOrder.filter((w) => props.isWidgetVisible(w.id)).length,
+);
+
+function handleNavigate(route?: RouteLocationRaw) {
+  if (!props.editMode && route) {
+    emit('navigate', route);
+  }
+}
+
+const gridRef = ref<HTMLElement | null>(null);
+
+useDraggable(gridRef, () => props.statOrder, {
+  animation: 150,
+  handle: '.drag-handle',
+  ghostClass: 'dd-drag-ghost',
+  dragClass: 'dd-drag-active',
+  disabled: computed(() => !props.editMode),
+});
+</script>
+
+<template>
+  <div
+    ref="gridRef"
+    class="grid gap-4 mb-4"
+    :class="visibleCount <= 2 ? 'grid-cols-1 sm:grid-cols-2' : 'grid-cols-1 sm:grid-cols-2 lg:grid-cols-4'">
+    <component
+      :is="statById.get(item.id)?.route && !editMode ? 'button' : 'div'"
+      v-for="item in statOrder"
+      v-show="isWidgetVisible(item.id) || editMode"
+      :key="item.id"
+      :aria-label="(statById.get(item.id)?.label ?? '') + ': ' + (statById.get(item.id)?.value ?? '')"
+      :type="statById.get(item.id)?.route && !editMode ? 'button' : undefined"
+      class="stat-card dd-rounded p-4 text-left w-full dd-widget-card"
+      :class="[
+        statById.get(item.id)?.route && !editMode ? 'cursor-pointer transition-colors hover:dd-bg-elevated' : '',
+        editMode ? 'dd-edit-mode' : '',
+        editMode && !isWidgetVisible(item.id) ? 'opacity-30' : '',
+      ]"
+      :style="{ backgroundColor: 'var(--dd-bg-card)' }"
+      @click="handleNavigate(statById.get(item.id)?.route)">
+      <div v-if="editMode" class="drag-handle dd-drag-handle flex items-center justify-center -mt-1 mb-1" v-tooltip.top="'Drag to reorder'">
+        <AppIcon name="ph:dots-six" :size="14" />
+      </div>
+      <div class="flex items-center justify-between mb-2">
+        <span class="text-2xs-plus font-medium uppercase tracking-wider dd-text-muted">
+          {{ statById.get(item.id)?.label }}
+        </span>
+        <div
+          class="w-9 h-9 dd-rounded flex items-center justify-center"
+          :style="{ backgroundColor: statById.get(item.id)?.colorMuted, color: statById.get(item.id)?.color }">
+          <AppIcon :name="statById.get(item.id)?.icon ?? 'dashboard'" :size="20" />
+        </div>
+      </div>
+      <div class="text-2xl font-bold dd-text">
+        {{ statById.get(item.id)?.value }}
+      </div>
+      <div v-if="statById.get(item.id)?.detail" class="mt-1 text-2xs font-medium dd-text-muted">
+        {{ statById.get(item.id)?.detail }}
+      </div>
+    </component>
+  </div>
+</template>
diff --git a/ui/src/views/dashboard/components/DashboardUpdateBreakdownWidget.vue b/ui/src/views/dashboard/components/DashboardUpdateBreakdownWidget.vue
new file mode 100644
index 000000000..fc6aaa8d1
--- /dev/null
+++ b/ui/src/views/dashboard/components/DashboardUpdateBreakdownWidget.vue
@@ -0,0 +1,119 @@
+<script setup lang="ts">
+import { onBeforeUnmount, onMounted, ref } from 'vue';
+import type { UpdateBreakdownBucket } from '../dashboardTypes';
+
+interface Props {
+  editMode: boolean;
+  totalUpdates: number;
+  updateBreakdownBuckets: UpdateBreakdownBucket[];
+}
+
+defineProps<Props>();
+
+const emit = defineEmits<{
+  viewAll: [];
+}>();
+
+function handleViewAll() {
+  emit('viewAll');
+}
+
+const rootEl = ref<HTMLElement | null>(null);
+const containerHeight = ref(999);
+
+// full: header + big icon grid
+// medium: header + compact inline row
+// compact: no header, just inline row
+const mode = ref<'full' | 'medium' | 'compact'>('full');
+
+let observer: ResizeObserver | null = null;
+
+onMounted(() => {
+  if (!rootEl.value) return;
+  observer = new ResizeObserver((entries) => {
+    for (const entry of entries) {
+      const h = entry.contentRect.height;
+      containerHeight.value = h;
+      // full = header + icon grid (needs ~250px for header + cards)
+      // medium = icon grid only, no header (fits any reasonable size)
+      // compact = tiny inline row (truly tiny widgets only)
+      if (h >= 250) mode.value = 'full';
+      else if (h >= 60) mode.value = 'medium';
+      else mode.value = 'compact';
+    }
+  });
+  observer.observe(rootEl.value);
+});
+
+onBeforeUnmount(() => {
+  observer?.disconnect();
+});
+</script>
+
+<template>
+  <div
+    ref="rootEl"
+    aria-label="Update Breakdown widget"
+    class="dashboard-widget dd-rounded overflow-hidden flex flex-col"
+    :style="{ backgroundColor: 'var(--dd-bg-card)' }">
+
+    <!-- Header — shown in full mode only -->
+    <div v-if="mode === 'full'" class="shrink-0 flex items-center justify-between px-5 py-3.5" :style="{ borderBottom: '1px solid var(--dd-border)' }">
+      <div class="flex items-center gap-2">
+        <div v-if="editMode" class="drag-handle dd-drag-handle" v-tooltip.top="'Drag to reorder'"><AppIcon name="ph:dots-six-vertical" :size="14" /></div>
+        <AppIcon name="updates" :size="14" class="text-drydock-secondary" />
+        <h2 class="dd-text-heading-section dd-text">Update Breakdown</h2>
+      </div>
+      <AppButton size="none" variant="link-secondary" weight="medium" class="text-2xs-plus" @click="handleViewAll">View all &rarr;</AppButton>
+    </div>
+
+    <!-- Icon grid — shown in full and medium modes (medium = no header) -->
+    <div v-if="mode !== 'compact'" class="flex-1 min-h-0 flex items-center justify-center p-4 relative">
+      <div v-if="mode === 'medium' && editMode" class="drag-handle dd-drag-handle absolute top-2 left-2 z-10" v-tooltip.top="'Drag to reorder'"><AppIcon name="ph:dots-six-vertical" :size="14" /></div>
+      <div
+        v-if="totalUpdates === 0"
+        class="p-3 dd-rounded text-2xs-plus text-center dd-text-muted"
+        :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+        No updates to categorize
+      </div>
+      <div v-else class="grid grid-cols-4 gap-3 w-full">
+        <div
+          v-for="kind in updateBreakdownBuckets"
+          :key="kind.label"
+          class="text-center p-2.5 dd-rounded"
+          :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+          <div class="w-8 h-8 mx-auto dd-rounded flex items-center justify-center mb-1.5"
+            :style="{ backgroundColor: kind.colorMuted, color: kind.color }">
+            <AppIcon :name="kind.icon" :size="18" />
+          </div>
+          <div class="text-lg font-bold dd-text">{{ kind.count }}</div>
+          <div class="text-3xs font-medium uppercase tracking-wider mt-0.5 dd-text-muted">{{ kind.label }}</div>
+          <div class="mt-1.5 h-1 dd-rounded-sm overflow-hidden" style="background: var(--dd-bg-elevated);">
+            <div
+              class="h-full dd-rounded-sm"
+              :style="{ width: Math.max(kind.count / Math.max(totalUpdates, 1) * 100, 4) + '%', backgroundColor: kind.color }" />
+          </div>
+        </div>
+      </div>
+    </div>
+
+    <!-- Compact: tiny inline row for extremely small widgets -->
+    <div v-else class="flex items-center flex-1 min-h-0 px-4 gap-3 relative">
+      <div v-if="editMode" class="drag-handle dd-drag-handle absolute top-2 left-2 z-10" v-tooltip.top="'Drag to reorder'"><AppIcon name="ph:dots-six" :size="14" /></div>
+      <div
+        v-for="kind in updateBreakdownBuckets"
+        :key="kind.label"
+        class="flex items-center gap-2 flex-1 min-w-0 px-2 py-1.5 dd-rounded"
+        :style="{ backgroundColor: 'var(--dd-bg-inset)' }">
+        <div class="w-6 h-6 shrink-0 dd-rounded flex items-center justify-center"
+          :style="{ backgroundColor: kind.colorMuted, color: kind.color }">
+          <AppIcon :name="kind.icon" :size="14" />
+        </div>
+        <div class="min-w-0">
+          <div class="text-sm font-bold dd-text leading-none">{{ kind.count }}</div>
+          <div class="text-3xs font-medium uppercase tracking-wider dd-text-muted leading-none mt-0.5">{{ kind.label }}</div>
+        </div>
+      </div>
+    </div>
+  </div>
+</template>
diff --git a/ui/src/views/dashboard/dashboardTypes.ts b/ui/src/views/dashboard/dashboardTypes.ts
index 7f4e547dc..a06e2b23d 100644
--- a/ui/src/views/dashboard/dashboardTypes.ts
+++ b/ui/src/views/dashboard/dashboardTypes.ts
@@ -8,12 +8,91 @@ export const DASHBOARD_WIDGET_IDS = [
   'stat-registries',
   'recent-updates',
   'security-overview',
+  'resource-usage',
   'host-status',
   'update-breakdown',
 ] as const;
 
 export type DashboardWidgetId = (typeof DASHBOARD_WIDGET_IDS)[number];
 
+interface DashboardWidgetMeta {
+  id: DashboardWidgetId;
+  label: string;
+  category: 'stat' | 'widget';
+  canStretch: boolean;
+  defaultSpan: number;
+}
+
+export const DASHBOARD_WIDGET_META: DashboardWidgetMeta[] = [
+  {
+    id: 'stat-containers',
+    label: 'Containers',
+    category: 'stat',
+    canStretch: false,
+    defaultSpan: 1,
+  },
+  {
+    id: 'stat-updates',
+    label: 'Updates Available',
+    category: 'stat',
+    canStretch: false,
+    defaultSpan: 1,
+  },
+  {
+    id: 'stat-security',
+    label: 'Security Issues',
+    category: 'stat',
+    canStretch: false,
+    defaultSpan: 1,
+  },
+  {
+    id: 'stat-registries',
+    label: 'Registries',
+    category: 'stat',
+    canStretch: false,
+    defaultSpan: 1,
+  },
+  {
+    id: 'recent-updates',
+    label: 'Updates Available',
+    category: 'widget',
+    canStretch: true,
+    defaultSpan: 2,
+  },
+  {
+    id: 'security-overview',
+    label: 'Security Overview',
+    category: 'widget',
+    canStretch: false,
+    defaultSpan: 1,
+  },
+  {
+    id: 'resource-usage',
+    label: 'Resource Usage',
+    category: 'widget',
+    canStretch: false,
+    defaultSpan: 1,
+  },
+  {
+    id: 'host-status',
+    label: 'Host Status',
+    category: 'widget',
+    canStretch: false,
+    defaultSpan: 1,
+  },
+  {
+    id: 'update-breakdown',
+    label: 'Update Breakdown',
+    category: 'widget',
+    canStretch: true,
+    defaultSpan: 2,
+  },
+];
+
+export interface WidgetOrderItem {
+  id: DashboardWidgetId;
+}
+
 export interface DashboardServerInfo {
   configuration?: {
     webhook?: {
@@ -65,6 +144,7 @@ export interface RecentUpdateRow {
   updateKind: UpdateKind | null;
   running: boolean;
   registryError?: string;
+  blocked: boolean;
 }
 
 export interface DashboardServerRow {
diff --git a/ui/src/views/dashboard/dashboardWidgetLayout.ts b/ui/src/views/dashboard/dashboardWidgetLayout.ts
new file mode 100644
index 000000000..0f5b4072b
--- /dev/null
+++ b/ui/src/views/dashboard/dashboardWidgetLayout.ts
@@ -0,0 +1,93 @@
+import type { Breakpoints } from 'grid-layout-plus';
+import type { DashboardWidgetId } from './dashboardTypes';
+
+export interface WidgetLayoutItem {
+  i: DashboardWidgetId;
+  x: number;
+  y: number;
+  w: number;
+  h: number;
+  minW?: number;
+  minH?: number;
+  maxW?: number;
+  maxH?: number;
+}
+
+/**
+ * Responsive breakpoints for the dashboard grid (pixel widths).
+ * Measured against the grid CONTAINER width (not viewport) by grid-layout-plus.
+ *
+ * Widget default widths (w:3 stat cards, w:4 big widgets) only tile cleanly
+ * into 12 columns (3*4=12, 4*3=12). Any other column count (6, 8, etc.)
+ * creates gaps because grid-layout-plus responsive mode clamps positions
+ * instead of reflowing. So we keep 12 columns all the way down to phone
+ * width, then drop to 1 column where everything stacks full-width.
+ */
+export const GRID_BREAKPOINTS: Breakpoints = {
+  lg: 1024,
+  md: 640,
+  sm: 0,
+};
+
+/** Column counts per responsive breakpoint. */
+export const GRID_COLS: Breakpoints = {
+  lg: 12,
+  md: 12,
+  sm: 1,
+};
+
+interface WidgetLayoutConstraints {
+  minW: number;
+  minH: number;
+  maxW: number;
+  maxH: number;
+  defaultW: number;
+  defaultH: number;
+}
+
+export const WIDGET_CONSTRAINTS: Record<DashboardWidgetId, WidgetLayoutConstraints> = {
+  'stat-containers': { minW: 2, minH: 3, maxW: 6, maxH: 6, defaultW: 3, defaultH: 3 },
+  'stat-updates': { minW: 2, minH: 3, maxW: 6, maxH: 6, defaultW: 3, defaultH: 3 },
+  'stat-security': { minW: 2, minH: 3, maxW: 6, maxH: 6, defaultW: 3, defaultH: 3 },
+  'stat-registries': { minW: 2, minH: 3, maxW: 6, maxH: 6, defaultW: 3, defaultH: 3 },
+  'recent-updates': { minW: 4, minH: 3, maxW: 12, maxH: 16, defaultW: 8, defaultH: 10 },
+  'security-overview': { minW: 3, minH: 3, maxW: 6, maxH: 16, defaultW: 4, defaultH: 10 },
+  'resource-usage': { minW: 3, minH: 3, maxW: 12, maxH: 20, defaultW: 4, defaultH: 14 },
+  'host-status': { minW: 3, minH: 3, maxW: 12, maxH: 20, defaultW: 4, defaultH: 6 },
+  'update-breakdown': { minW: 3, minH: 3, maxW: 12, maxH: 8, defaultW: 4, defaultH: 6 },
+};
+
+const DEFAULT_LAYOUT: WidgetLayoutItem[] = [
+  // Row 0: stat cards (h:4 = 120px + margins)
+  { i: 'stat-containers', x: 0, y: 0, w: 3, h: 3 },
+  { i: 'stat-security', x: 3, y: 0, w: 3, h: 3 },
+  { i: 'stat-registries', x: 6, y: 0, w: 3, h: 3 },
+  { i: 'stat-updates', x: 9, y: 0, w: 3, h: 3 },
+  // Row 3: three-column layout
+  { i: 'resource-usage', x: 0, y: 3, w: 4, h: 12 },
+  { i: 'security-overview', x: 4, y: 3, w: 4, h: 12 },
+  { i: 'host-status', x: 8, y: 3, w: 4, h: 6 },
+  { i: 'update-breakdown', x: 8, y: 9, w: 4, h: 6 },
+  // Row 15: updates table full width
+  { i: 'recent-updates', x: 0, y: 15, w: 12, h: 10 },
+];
+
+export function applyConstraints(layout: WidgetLayoutItem[]): WidgetLayoutItem[] {
+  return layout.map((item) => {
+    const constraints = WIDGET_CONSTRAINTS[item.i];
+    if (!constraints) return item;
+    return {
+      ...item,
+      w: Math.max(constraints.minW, Math.min(constraints.maxW, item.w)),
+      h: Math.max(constraints.minH, Math.min(constraints.maxH, item.h)),
+      minW: constraints.minW,
+      minH: constraints.minH,
+      maxW: constraints.maxW,
+      maxH: constraints.maxH,
+    };
+  });
+}
+
+export function createDefaultLayout(): WidgetLayoutItem[] {
+  return applyConstraints(DEFAULT_LAYOUT.map((item) => ({ ...item })));
+}
diff --git a/ui/src/views/dashboard/useDashboardComputed.ts b/ui/src/views/dashboard/useDashboardComputed.ts
index d20158644..5fe3f3c9b 100644
--- a/ui/src/views/dashboard/useDashboardComputed.ts
+++ b/ui/src/views/dashboard/useDashboardComputed.ts
@@ -21,6 +21,8 @@ import { getWatcherConfiguration } from './watcherConfiguration';
 const DONUT_CIRCUMFERENCE = 301.6;
 const RECENT_UPDATES_LIMIT = 6;
 
+const FILTER_KIND_ANY = 'ANY'.toLowerCase();
+
 const UPDATE_BREAKDOWN_BUCKETS: ReadonlyArray<Omit<UpdateBreakdownBucket, 'count'>> = [
   {
     kind: 'major',
@@ -206,32 +208,6 @@ function comparePendingRecentUpdates(
   return left.row.name.localeCompare(right.row.name);
 }
 
-function insertPendingRecentUpdate(
-  topPendingUpdates: PendingRecentUpdateCandidate[],
-  candidate: PendingRecentUpdateCandidate,
-  maxItems: number,
-) {
-  let insertAt = -1;
-  for (let index = 0; index < topPendingUpdates.length; index += 1) {
-    if (comparePendingRecentUpdates(candidate, topPendingUpdates[index]) < 0) {
-      insertAt = index;
-      break;
-    }
-  }
-
-  if (insertAt === -1) {
-    if (topPendingUpdates.length < maxItems) {
-      topPendingUpdates.push(candidate);
-    }
-    return;
-  }
-
-  topPendingUpdates.splice(insertAt, 0, candidate);
-  if (topPendingUpdates.length > maxItems) {
-    topPendingUpdates.pop();
-  }
-}
-
 function formatAgentHost(agent: DashboardAgent): string | undefined {
   const host = typeof agent.host === 'string' ? agent.host.trim() : '';
   if (!host) {
@@ -278,6 +254,16 @@ function isMaintenanceWindowOpen(watcher: unknown): boolean {
   return open === true;
 }
 
+function getWatcherName(watcher: unknown): string {
+  if (watcher && typeof watcher === 'object') {
+    const name = (watcher as Record<string, unknown>).name;
+    if (typeof name === 'string' && name.length > 0) {
+      return name;
+    }
+  }
+  return 'local';
+}
+
 function parseMaintenanceWindowAt(watcher: unknown): number | undefined {
   const configuration = getWatcherConfiguration(watcher);
   const value = configuration.maintenancenextwindow ?? configuration.maintenanceNextWindow;
@@ -319,16 +305,29 @@ function useMaintenanceComputed(input: UseDashboardComputedInput) {
     () => maintenanceWindowWatchers.value.filter(isMaintenanceWindowOpen).length,
   );
 
-  const nextMaintenanceWindowAt = computed<number | undefined>(() => {
-    const windows = maintenanceWindowWatchers.value
-      .map(parseMaintenanceWindowAt)
-      .filter((value): value is number => value !== undefined);
+  const nextMaintenanceWindowByWatcher = computed<Map<string, number>>(() => {
+    const map = new Map<string, number>();
+    for (const watcher of maintenanceWindowWatchers.value) {
+      const ts = parseMaintenanceWindowAt(watcher);
+      if (ts !== undefined) {
+        map.set(getWatcherName(watcher), ts);
+      }
+    }
+    return map;
+  });
 
-    if (windows.length === 0) {
+  const nextMaintenanceWindowAt = computed<number | undefined>(() => {
+    const map = nextMaintenanceWindowByWatcher.value;
+    if (map.size === 0) {
       return undefined;
     }
-
-    return Math.min(...windows);
+    let min = Number.POSITIVE_INFINITY;
+    for (const ts of map.values()) {
+      if (ts < min) {
+        min = ts;
+      }
+    }
+    return min;
   });
 
   const maintenanceCountdownLabel = computed(() =>
@@ -343,6 +342,7 @@ function useMaintenanceComputed(input: UseDashboardComputedInput) {
   return {
     maintenanceCountdownLabel,
     maintenanceWindowWatchers,
+    nextMaintenanceWindowByWatcher,
   };
 }
 
@@ -504,7 +504,7 @@ function useStatsComputed(
         icon: 'updates',
         color: updatesStatColor,
         colorMuted: updatesStatMutedColor,
-        route: { path: ROUTES.CONTAINERS, query: { filterKind: 'any' } },
+        route: { path: ROUTES.CONTAINERS, query: { filterKind: FILTER_KIND_ANY } },
         detail:
           freshUpdates > 0
             ? `${freshUpdates} new · ${updatesAvailable - freshUpdates} mature`
@@ -532,22 +532,6 @@ function useStatsComputed(
   });
 }
 
-function toRegistryFailureRecentUpdate(container: Container): RecentUpdateRow {
-  return {
-    id: container.id,
-    name: container.name,
-    image: container.image,
-    icon: container.icon,
-    oldVer: container.currentTag,
-    newVer: 'check failed',
-    releaseLink: undefined,
-    status: 'error',
-    updateKind: null,
-    running: container.status === 'running',
-    registryError: container.registryError,
-  };
-}
-
 function isPendingRecentUpdateContainer(container: Container): boolean {
   return !!container.newTag || !!container.updatePolicyState;
 }
@@ -555,6 +539,7 @@ function isPendingRecentUpdateContainer(container: Container): boolean {
 function toPendingRecentUpdateCandidate(
   container: Container,
   recentStatusByContainer: Record<string, RecentAuditStatus>,
+  blocked: boolean,
 ): PendingRecentUpdateCandidate {
   return {
     detectedAt: parseDetectedAt(container.updateDetectedAt),
@@ -570,6 +555,7 @@ function toPendingRecentUpdateCandidate(
       updateKind: container.updateKind ?? null,
       running: container.status === 'running',
       registryError: undefined,
+      blocked,
     },
   };
 }
@@ -578,32 +564,26 @@ function buildRecentUpdateRows(
   containers: Container[],
   recentStatusByContainer: Record<string, RecentAuditStatus>,
 ): RecentUpdateRow[] {
-  const registryFailures = containers
-    .filter((container) => !container.newTag && !!container.registryError)
-    .map(toRegistryFailureRecentUpdate);
-
-  const availablePendingSlots = Math.max(RECENT_UPDATES_LIMIT - registryFailures.length, 0);
-  if (availablePendingSlots === 0) {
-    return registryFailures.slice(0, RECENT_UPDATES_LIMIT);
-  }
-
-  const topPendingUpdates: PendingRecentUpdateCandidate[] = [];
+  // Only show containers with actual available updates — registry failures
+  // ("check failed") are surfaced elsewhere and should not appear in the
+  // "Updates Available" widget (#186).
+  const candidates: PendingRecentUpdateCandidate[] = [];
   for (const container of containers) {
     if (!isPendingRecentUpdateContainer(container)) {
       continue;
     }
 
-    insertPendingRecentUpdate(
-      topPendingUpdates,
-      toPendingRecentUpdateCandidate(container, recentStatusByContainer),
-      availablePendingSlots,
+    candidates.push(
+      toPendingRecentUpdateCandidate(
+        container,
+        recentStatusByContainer,
+        container.bouncer === 'blocked',
+      ),
     );
   }
 
-  return [...registryFailures, ...topPendingUpdates.map((candidate) => candidate.row)].slice(
-    0,
-    RECENT_UPDATES_LIMIT,
-  );
+  candidates.sort(comparePendingRecentUpdates);
+  return candidates.slice(0, RECENT_UPDATES_LIMIT).map((candidate) => candidate.row);
 }
 
 function useRecentUpdatesComputed(input: UseDashboardComputedInput) {
@@ -788,7 +768,8 @@ function useUpdateBreakdownComputed(input: UseDashboardComputedInput) {
 }
 
 export function useDashboardComputed(input: UseDashboardComputedInput) {
-  const { maintenanceCountdownLabel, maintenanceWindowWatchers } = useMaintenanceComputed(input);
+  const { maintenanceCountdownLabel, maintenanceWindowWatchers, nextMaintenanceWindowByWatcher } =
+    useMaintenanceComputed(input);
   const {
     containerMetrics,
     securityCleanArcLength,
@@ -817,6 +798,7 @@ export function useDashboardComputed(input: UseDashboardComputedInput) {
     getUpdateKindMutedColor,
     maintenanceCountdownLabel,
     maintenanceWindowWatchers,
+    nextMaintenanceWindowByWatcher,
     recentUpdates,
     securityCleanArcLength,
     securityCleanCount,
diff --git a/ui/src/views/dashboard/useDashboardData.helpers.ts b/ui/src/views/dashboard/useDashboardData.helpers.ts
index e7049cd72..c37fe3e10 100644
--- a/ui/src/views/dashboard/useDashboardData.helpers.ts
+++ b/ui/src/views/dashboard/useDashboardData.helpers.ts
@@ -1,10 +1,10 @@
 import type { ComputedRef, Ref } from 'vue';
 
-export type RealtimeRefreshMode = 'summary' | 'full';
+type RealtimeRefreshMode = 'summary' | 'full';
 
 interface RealtimeRefreshSchedulerOptions {
   debounceMs: number;
-  refreshSummary: () => void;
+  refreshSummary?: () => void;
   refreshFull: () => void;
   setTimeoutFn?: typeof setTimeout;
   clearTimeoutFn?: typeof clearTimeout;
@@ -52,7 +52,7 @@ export function createRealtimeRefreshScheduler({
         refreshFull();
         return;
       }
-      refreshSummary();
+      refreshSummary?.();
     }, debounceMs);
   }
 
diff --git a/ui/src/views/dashboard/useDashboardData.ts b/ui/src/views/dashboard/useDashboardData.ts
index 834b612e9..94ee6208f 100644
--- a/ui/src/views/dashboard/useDashboardData.ts
+++ b/ui/src/views/dashboard/useDashboardData.ts
@@ -1,12 +1,9 @@
 import { computed, onMounted, onUnmounted, type Ref, ref, watch } from 'vue';
 import { getAgents } from '../../services/agent';
-import {
-  getAllContainers,
-  getContainerRecentStatus,
-  getContainerSummary,
-} from '../../services/container';
+import { getAllContainers, getContainerRecentStatus } from '../../services/container';
 import { getAllRegistries } from '../../services/registry';
 import { getServer } from '../../services/server';
+import { type ContainerStatsSummaryItem, getAllContainerStats } from '../../services/stats';
 import { getAllWatchers } from '../../services/watcher';
 import type { Container } from '../../types/container';
 import { type ApiContainerInput, mapApiContainers } from '../../utils/container-mapper';
@@ -33,6 +30,7 @@ interface DashboardStateRefs {
   loading: Ref<boolean>;
   error: Ref<string | null>;
   containerSummary: Ref<DashboardContainerSummary | null>;
+  containerStats: Ref<ContainerStatsSummaryItem[]>;
   containers: Ref<Container[]>;
   serverInfo: Ref<DashboardServerInfo | null>;
   agents: Ref<DashboardAgent[]>;
@@ -43,6 +41,7 @@ interface DashboardStateRefs {
 
 interface DashboardDataResponse {
   containersRes: ApiContainerInput[];
+  containerStatsRes: ContainerStatsSummaryItem[];
   serverRes: DashboardServerInfo;
   agentsRes: DashboardAgent[];
   watchersRes: unknown;
@@ -73,54 +72,6 @@ function watcherHasMaintenanceWindow(watcher: unknown): boolean {
   return typeof maintenanceWindow === 'string' && maintenanceWindow.trim().length > 0;
 }
 
-function toNonNegativeInteger(value: unknown): number {
-  if (typeof value !== 'number' || !Number.isFinite(value) || value < 0) {
-    return 0;
-  }
-  return Math.floor(value);
-}
-
-function normalizeContainerSummary(summary: unknown): DashboardContainerSummary {
-  const containersData =
-    summary && typeof summary === 'object' && 'containers' in summary
-      ? (summary as { containers?: unknown }).containers
-      : undefined;
-  const securityData =
-    summary && typeof summary === 'object' && 'security' in summary
-      ? (summary as { security?: unknown }).security
-      : undefined;
-  const total = toNonNegativeInteger(
-    containersData && typeof containersData === 'object'
-      ? (containersData as { total?: unknown }).total
-      : undefined,
-  );
-  const running = toNonNegativeInteger(
-    containersData && typeof containersData === 'object'
-      ? (containersData as { running?: unknown }).running
-      : undefined,
-  );
-  const stopped = toNonNegativeInteger(
-    containersData && typeof containersData === 'object'
-      ? (containersData as { stopped?: unknown }).stopped
-      : undefined,
-  );
-  const issues = toNonNegativeInteger(
-    securityData && typeof securityData === 'object'
-      ? (securityData as { issues?: unknown }).issues
-      : undefined,
-  );
-  return {
-    containers: {
-      total,
-      running,
-      stopped,
-    },
-    security: {
-      issues,
-    },
-  };
-}
-
 function buildContainerSummaryFromContainers(containers: Container[]): DashboardContainerSummary {
   const total = containers.length;
   const running = containers.filter((container) => container.status === 'running').length;
@@ -146,6 +97,7 @@ function isPageVisible(): boolean {
 function hasRenderedDashboardData(state: DashboardStateRefs): boolean {
   const hasRenderedCollections = [
     state.containers.value,
+    state.containerStats.value,
     state.watchers.value,
     state.registries.value,
     state.agents.value,
@@ -161,6 +113,7 @@ function hasRenderedDashboardData(state: DashboardStateRefs): boolean {
 function applyFetchedDashboardData(state: DashboardStateRefs, response: DashboardDataResponse) {
   state.containers.value = mapApiContainers(response.containersRes);
   state.containerSummary.value = buildContainerSummaryFromContainers(state.containers.value);
+  state.containerStats.value = response.containerStatsRes;
   state.serverInfo.value = response.serverRes;
   state.agents.value = response.agentsRes;
   state.watchers.value = Array.isArray(response.watchersRes) ? response.watchersRes : [];
@@ -180,17 +133,26 @@ function createDashboardDataFetchers(state: DashboardStateRefs) {
     }
 
     try {
-      const [containersRes, serverRes, agentsRes, watchersRes, registriesRes, recentStatusRes] =
-        await Promise.all([
-          getAllContainers(),
-          getServer(),
-          getAgents(),
-          getAllWatchers(),
-          getAllRegistries(),
-          getContainerRecentStatus(),
-        ]);
+      const [
+        containersRes,
+        containerStatsRes,
+        serverRes,
+        agentsRes,
+        watchersRes,
+        registriesRes,
+        recentStatusRes,
+      ] = await Promise.all([
+        getAllContainers(),
+        getAllContainerStats(),
+        getServer(),
+        getAgents(),
+        getAllWatchers(),
+        getAllRegistries(),
+        getContainerRecentStatus(),
+      ]);
       applyFetchedDashboardData(state, {
         containersRes,
+        containerStatsRes,
         serverRes,
         agentsRes,
         watchersRes,
@@ -209,25 +171,8 @@ function createDashboardDataFetchers(state: DashboardStateRefs) {
       }
     }
   }
-
-  async function fetchDashboardSummary() {
-    const hasRenderedData = hasRenderedDashboardData(state);
-    try {
-      const summary = await getContainerSummary();
-      state.containerSummary.value = normalizeContainerSummary(summary);
-      state.error.value = null;
-    } catch (e: unknown) {
-      if (!hasRenderedData) {
-        state.error.value = errorMessage(e, 'Failed to load dashboard data');
-      } else {
-        console.debug(errorMessage(e, 'Dashboard summary refresh failed'));
-      }
-    }
-  }
-
   return {
     fetchDashboardData,
-    fetchDashboardSummary,
   };
 }
 
@@ -235,6 +180,7 @@ export function useDashboardData() {
   const loading = ref(true);
   const error = ref<string | null>(null);
   const containerSummary = ref<DashboardContainerSummary | null>(null);
+  const containerStats = ref<ContainerStatsSummaryItem[]>([]);
   const containers = ref<Container[]>([]);
   const serverInfo = ref<DashboardServerInfo | null>(null);
   const agents = ref<DashboardAgent[]>([]);
@@ -247,6 +193,7 @@ export function useDashboardData() {
     loading,
     error,
     containerSummary,
+    containerStats,
     containers,
     serverInfo,
     agents,
@@ -255,7 +202,7 @@ export function useDashboardData() {
     recentStatusByContainer,
   };
 
-  const { fetchDashboardData, fetchDashboardSummary } = createDashboardDataFetchers(state);
+  const { fetchDashboardData } = createDashboardDataFetchers(state);
   const hasMaintenanceWindows = computed(() =>
     watchers.value.some((watcher) => watcherHasMaintenanceWindow(watcher)),
   );
@@ -268,9 +215,6 @@ export function useDashboardData() {
   });
   const realtimeRefreshScheduler = createRealtimeRefreshScheduler({
     debounceMs: DASHBOARD_REALTIME_REFRESH_DEBOUNCE_MS,
-    refreshSummary: () => {
-      void fetchDashboardSummary();
-    },
     refreshFull: () => {
       void fetchDashboardData({ background: true });
     },
@@ -278,14 +222,12 @@ export function useDashboardData() {
     clearTimeoutFn: window.clearTimeout.bind(window),
   });
 
-  const summaryRefreshListener = (() =>
-    realtimeRefreshScheduler.schedule('summary')) as EventListener;
   const fullRefreshListener = (() => realtimeRefreshScheduler.schedule('full')) as EventListener;
   const visibilityChangeListener = maintenanceCountdownController.sync as EventListener;
   let stopMaintenanceWindowWatch: ReturnType<typeof watch> | undefined;
 
   onMounted(async () => {
-    globalThis.addEventListener('dd:sse-container-changed', summaryRefreshListener);
+    globalThis.addEventListener('dd:sse-container-changed', fullRefreshListener);
     globalThis.addEventListener('dd:sse-scan-completed', fullRefreshListener);
     globalThis.addEventListener('dd:sse-connected', fullRefreshListener);
     document.addEventListener('visibilitychange', visibilityChangeListener);
@@ -296,7 +238,7 @@ export function useDashboardData() {
   });
 
   onUnmounted(() => {
-    globalThis.removeEventListener('dd:sse-container-changed', summaryRefreshListener);
+    globalThis.removeEventListener('dd:sse-container-changed', fullRefreshListener);
     globalThis.removeEventListener('dd:sse-scan-completed', fullRefreshListener);
     globalThis.removeEventListener('dd:sse-connected', fullRefreshListener);
     document.removeEventListener('visibilitychange', visibilityChangeListener);
@@ -308,6 +250,7 @@ export function useDashboardData() {
   return {
     agents,
     containerSummary,
+    containerStats,
     containers,
     error,
     fetchDashboardData,
diff --git a/ui/src/views/dashboard/useDashboardWidgetOrder.ts b/ui/src/views/dashboard/useDashboardWidgetOrder.ts
index 2069f8215..f3181ec09 100644
--- a/ui/src/views/dashboard/useDashboardWidgetOrder.ts
+++ b/ui/src/views/dashboard/useDashboardWidgetOrder.ts
@@ -1,71 +1,232 @@
-import { onMounted, ref, watch } from 'vue';
+import { onScopeDispose, ref, watch } from 'vue';
 import { preferences } from '../../preferences/store';
 import { DASHBOARD_WIDGET_IDS, type DashboardWidgetId } from './dashboardTypes';
+import {
+  applyConstraints,
+  createDefaultLayout,
+  type WidgetLayoutItem,
+} from './dashboardWidgetLayout';
 
 function isDashboardWidgetId(value: unknown): value is DashboardWidgetId {
   return typeof value === 'string' && (DASHBOARD_WIDGET_IDS as readonly string[]).includes(value);
 }
 
+function arraysEqual<T>(left: readonly T[], right: readonly T[]): boolean {
+  if (left.length !== right.length) {
+    return false;
+  }
+  return left.every((value, index) => value === right[index]);
+}
+
+function sanitizeHiddenWidgets(rawHidden: unknown): DashboardWidgetId[] {
+  if (!Array.isArray(rawHidden)) {
+    return [];
+  }
+  return rawHidden.filter(isDashboardWidgetId);
+}
+
 function sanitizeWidgetOrder(rawOrder: unknown): DashboardWidgetId[] {
   if (!Array.isArray(rawOrder)) {
     return [...DASHBOARD_WIDGET_IDS];
   }
 
   const seen = new Set<DashboardWidgetId>();
-  const normalized: DashboardWidgetId[] = [];
+  const sanitized: DashboardWidgetId[] = [];
+
   for (const value of rawOrder) {
-    if (!isDashboardWidgetId(value) || seen.has(value)) {
-      continue;
+    if (isDashboardWidgetId(value) && !seen.has(value)) {
+      seen.add(value);
+      sanitized.push(value);
     }
-    seen.add(value);
-    normalized.push(value);
   }
 
   for (const id of DASHBOARD_WIDGET_IDS) {
     if (!seen.has(id)) {
-      normalized.push(id);
+      sanitized.push(id);
+    }
+  }
+
+  return sanitized;
+}
+
+const defaultLayout = createDefaultLayout();
+const defaultLayoutById = new Map(defaultLayout.map((item) => [item.i, item] as const));
+
+function isValidLayoutItem(value: unknown): value is WidgetLayoutItem {
+  if (!value || typeof value !== 'object') return false;
+  const item = value as Record<string, unknown>;
+  return (
+    isDashboardWidgetId(item.i) &&
+    typeof item.x === 'number' &&
+    typeof item.y === 'number' &&
+    typeof item.w === 'number' &&
+    typeof item.h === 'number'
+  );
+}
+
+function loadPersistedLayout(order: readonly DashboardWidgetId[]): WidgetLayoutItem[] {
+  const rawLayout = preferences.dashboard.gridLayout;
+  if (!Array.isArray(rawLayout)) {
+    return createLayoutFromOrder(order);
+  }
+
+  const persisted = new Map<string, WidgetLayoutItem>();
+  for (const item of rawLayout) {
+    if (isValidLayoutItem(item)) {
+      persisted.set(item.i, { i: item.i, x: item.x, y: item.y, w: item.w, h: item.h });
     }
   }
 
-  return normalized;
+  // Use persisted positions if available, fall back to defaults
+  const result = order.map((id) => {
+    const saved = persisted.get(id);
+    if (saved) return saved;
+    const fallback = defaultLayoutById.get(id);
+    return { ...fallback! };
+  });
+
+  // Sanity check: if every widget is at x=0 with narrow widths, the layout was
+  // likely corrupted by a breakpoint mismatch — discard and use defaults
+  const allColumnZero = result.length > 1 && result.every((item) => item.x === 0);
+  if (allColumnZero) {
+    return createLayoutFromOrder(order);
+  }
+
+  return applyConstraints(result);
+}
+
+function createLayoutFromOrder(order: readonly DashboardWidgetId[]): WidgetLayoutItem[] {
+  return order.map((id) => {
+    const item = defaultLayoutById.get(id);
+    return { ...item! };
+  });
+}
+
+function getDragSource(event: DragEvent): DashboardWidgetId | null {
+  const rawSource = event.dataTransfer?.getData('text/plain');
+  return isDashboardWidgetId(rawSource) ? rawSource : null;
+}
+
+export function moveWidget(
+  order: DashboardWidgetId[],
+  sourceId: DashboardWidgetId,
+  targetId: DashboardWidgetId,
+) {
+  const sourceIndex = order.indexOf(sourceId);
+  const targetIndex = order.indexOf(targetId);
+
+  if (sourceIndex < 0 || targetIndex < 0 || sourceIndex === targetIndex) {
+    return order;
+  }
+
+  const next = [...order];
+  next.splice(sourceIndex, 1);
+  const insertionIndex = sourceIndex < targetIndex ? targetIndex - 1 : targetIndex;
+  next.splice(insertionIndex, 0, sourceId);
+  return next;
 }
 
 export function useDashboardWidgetOrder() {
-  const widgetOrder = ref<DashboardWidgetId[]>([...DASHBOARD_WIDGET_IDS]);
+  const widgetOrder = ref<DashboardWidgetId[]>(
+    sanitizeWidgetOrder(preferences.dashboard.widgetOrder),
+  );
+  const layout = ref<WidgetLayoutItem[]>(loadPersistedLayout(widgetOrder.value));
+  const hiddenWidgets = ref<DashboardWidgetId[]>(
+    sanitizeHiddenWidgets(preferences.dashboard.hiddenWidgets),
+  );
+  const editMode = ref(false);
   const draggedWidgetId = ref<DashboardWidgetId | null>(null);
 
-  function loadWidgetOrder() {
-    widgetOrder.value = sanitizeWidgetOrder(preferences.dashboard.widgetOrder);
-  }
+  let syncing = false;
 
-  function persistWidgetOrder(order: DashboardWidgetId[]) {
-    preferences.dashboard.widgetOrder = [...order];
+  function persistWidgetOrder() {
+    preferences.dashboard.widgetOrder = [...widgetOrder.value];
+    // Persist full grid layout (x, y, w, h) so positions and sizes survive reload
+    preferences.dashboard.gridLayout = layout.value.map((item) => ({
+      i: item.i,
+      x: item.x,
+      y: item.y,
+      w: item.w,
+      h: item.h,
+    }));
   }
 
-  watch(widgetOrder, persistWidgetOrder);
+  function persistHiddenWidgets() {
+    preferences.dashboard.hiddenWidgets = [...hiddenWidgets.value];
+  }
 
-  function widgetOrderIndex(widgetId: DashboardWidgetId) {
-    const index = widgetOrder.value.indexOf(widgetId);
-    return index >= 0 ? index : DASHBOARD_WIDGET_IDS.indexOf(widgetId);
+  function applyWidgetOrder(nextOrder: readonly DashboardWidgetId[]) {
+    syncing = true;
+    widgetOrder.value = [...nextOrder];
+    layout.value = loadPersistedLayout(widgetOrder.value);
+    persistWidgetOrder();
+    queueMicrotask(() => {
+      syncing = false;
+    });
   }
 
-  function widgetOrderStyle(widgetId: DashboardWidgetId) {
-    return {
-      order: widgetOrderIndex(widgetId),
-    };
+  watch(
+    widgetOrder,
+    (nextOrder) => {
+      if (syncing) {
+        return;
+      }
+      syncing = true;
+      layout.value = loadPersistedLayout(nextOrder);
+      persistWidgetOrder();
+      queueMicrotask(() => {
+        syncing = false;
+      });
+    },
+    { deep: true },
+  );
+
+  // Debounced persist for layout changes (grid-layout-plus fires many updates during drag/resize)
+  let layoutPersistTimer: ReturnType<typeof setTimeout> | undefined;
+
+  watch(
+    layout,
+    (nextLayout) => {
+      if (syncing) {
+        return;
+      }
+
+      // Sync order if it changed
+      const nextOrder = nextLayout.map((item) => item.i);
+      if (!arraysEqual(nextOrder, widgetOrder.value)) {
+        syncing = true;
+        widgetOrder.value = nextOrder;
+        persistWidgetOrder();
+        queueMicrotask(() => {
+          syncing = false;
+        });
+        return;
+      }
+
+      // Debounce position/size persistence (x, y, w, h changes from drag/resize)
+      clearTimeout(layoutPersistTimer);
+      layoutPersistTimer = setTimeout(persistWidgetOrder, 300);
+    },
+    { deep: true },
+  );
+
+  watch(hiddenWidgets, persistHiddenWidgets, { deep: true });
+
+  onScopeDispose(() => {
+    clearTimeout(layoutPersistTimer);
+  });
+
+  function isWidgetVisible(widgetId: DashboardWidgetId): boolean {
+    return !hiddenWidgets.value.includes(widgetId);
   }
 
-  function moveWidget(draggedId: DashboardWidgetId, targetId: DashboardWidgetId) {
-    const nextOrder = [...widgetOrder.value];
-    const draggedIndex = nextOrder.indexOf(draggedId);
-    const targetIndex = nextOrder.indexOf(targetId);
-    if (draggedIndex < 0 || targetIndex < 0) {
-      return;
-    }
+  function widgetOrderIndex(widgetId: DashboardWidgetId): number {
+    const currentIndex = widgetOrder.value.indexOf(widgetId);
+    return currentIndex >= 0 ? currentIndex : DASHBOARD_WIDGET_IDS.indexOf(widgetId);
+  }
 
-    nextOrder.splice(draggedIndex, 1);
-    nextOrder.splice(targetIndex, 0, draggedId);
-    widgetOrder.value = nextOrder;
+  function widgetOrderStyle(widgetId: DashboardWidgetId) {
+    return { order: widgetOrderIndex(widgetId) };
   }
 
   function onWidgetDragStart(widgetId: DashboardWidgetId, event: DragEvent) {
@@ -76,27 +237,36 @@ export function useDashboardWidgetOrder() {
     }
   }
 
-  function onWidgetDragOver(widgetId: DashboardWidgetId, event: DragEvent) {
-    if (!draggedWidgetId.value || draggedWidgetId.value === widgetId) {
+  function onWidgetDragOver(targetId: DashboardWidgetId, event: DragEvent) {
+    const sourceId = draggedWidgetId.value || getDragSource(event);
+    if (!sourceId || sourceId === targetId) {
+      return;
+    }
+    if (!widgetOrder.value.includes(sourceId) || !widgetOrder.value.includes(targetId)) {
       return;
     }
+
     event.preventDefault();
     if (event.dataTransfer) {
       event.dataTransfer.dropEffect = 'move';
     }
   }
 
-  function onWidgetDrop(widgetId: DashboardWidgetId, event: DragEvent) {
+  function onWidgetDrop(targetId: DashboardWidgetId, event: DragEvent) {
     event.preventDefault();
-    const transferWidgetId = event.dataTransfer?.getData('text/plain');
-    const draggedId = isDashboardWidgetId(transferWidgetId)
-      ? transferWidgetId
-      : draggedWidgetId.value;
-    if (!draggedId || draggedId === widgetId) {
+    const sourceId = draggedWidgetId.value || getDragSource(event);
+
+    if (!sourceId || sourceId === targetId) {
+      draggedWidgetId.value = null;
+      return;
+    }
+    if (!widgetOrder.value.includes(sourceId) || !widgetOrder.value.includes(targetId)) {
       draggedWidgetId.value = null;
       return;
     }
-    moveWidget(draggedId, widgetId);
+
+    const nextOrder = moveWidget(widgetOrder.value, sourceId, targetId);
+    applyWidgetOrder(nextOrder);
     draggedWidgetId.value = null;
   }
 
@@ -104,21 +274,47 @@ export function useDashboardWidgetOrder() {
     draggedWidgetId.value = null;
   }
 
+  function toggleWidgetVisibility(widgetId: DashboardWidgetId) {
+    const index = hiddenWidgets.value.indexOf(widgetId);
+    if (index >= 0) {
+      hiddenWidgets.value = hiddenWidgets.value.filter((id) => id !== widgetId);
+      if (!layout.value.some((item) => item.i === widgetId)) {
+        const defaultItem = defaultLayoutById.get(widgetId);
+        layout.value = [...layout.value, { ...defaultItem! }];
+      }
+      return;
+    }
+
+    hiddenWidgets.value = [...hiddenWidgets.value, widgetId];
+  }
+
   function resetWidgetOrder() {
-    widgetOrder.value = [...DASHBOARD_WIDGET_IDS];
+    applyWidgetOrder([...DASHBOARD_WIDGET_IDS]);
   }
 
-  onMounted(() => {
-    loadWidgetOrder();
-  });
+  function resetAll() {
+    hiddenWidgets.value = [];
+    resetWidgetOrder();
+  }
+
+  function toggleEditMode() {
+    editMode.value = !editMode.value;
+  }
 
   return {
     draggedWidgetId,
+    editMode,
+    hiddenWidgets,
+    isWidgetVisible,
+    layout,
     onWidgetDragEnd,
     onWidgetDragOver,
     onWidgetDragStart,
     onWidgetDrop,
+    resetAll,
     resetWidgetOrder,
+    toggleEditMode,
+    toggleWidgetVisibility,
     widgetOrder,
     widgetOrderIndex,
     widgetOrderStyle,
diff --git a/ui/stryker.conf.mjs b/ui/stryker.conf.mjs
new file mode 100644
index 000000000..ea3107320
--- /dev/null
+++ b/ui/stryker.conf.mjs
@@ -0,0 +1,40 @@
+const dashboardReporterEnabled = Boolean(process.env.STRYKER_DASHBOARD_API_KEY);
+
+/** @type {import('@stryker-mutator/api/core').PartialStrykerOptions} */
+const config = {
+  mutate: [
+    'src/**/*.ts',
+    '!src/**/*.stories.ts',
+    '!src/**/*.typecheck.ts',
+    '!src/**/*.d.ts',
+    '!dist/**',
+    '!coverage/**',
+  ],
+  testRunner: 'vitest',
+  checkers: ['typescript'],
+  tsconfigFile: 'tsconfig.json',
+  coverageAnalysis: 'off',
+  reporters: ['clear-text', 'progress', 'html', ...(dashboardReporterEnabled ? ['dashboard'] : [])],
+  htmlReporter: {
+    fileName: 'reports/mutation/html/index.html',
+  },
+  ...(dashboardReporterEnabled
+    ? {
+        dashboard: {
+          project: 'github.com/CodesWhat/drydock',
+          module: 'ui',
+          reportType: 'full',
+        },
+      }
+    : {}),
+  vitest: {
+    configFile: 'vitest.config.ts',
+  },
+  thresholds: {
+    high: 80,
+    low: 70,
+    break: 65,
+  },
+};
+
+export default config;
diff --git a/ui/tests/components/AnnouncementBanner.spec.ts b/ui/tests/components/AnnouncementBanner.spec.ts
index e953e576f..82d9f306e 100644
--- a/ui/tests/components/AnnouncementBanner.spec.ts
+++ b/ui/tests/components/AnnouncementBanner.spec.ts
@@ -37,7 +37,13 @@ describe('AnnouncementBanner', () => {
     expect(icon.props('name')).toBe('info');
   });
 
-  it('renders only the session dismiss action by default', () => {
+  it('uses error styling when tone is error', () => {
+    const wrapper = factory({ tone: 'error' });
+    expect(wrapper.attributes('style')).toContain('var(--dd-danger)');
+    expect(wrapper.attributes('style')).not.toContain('var(--dd-warning)');
+  });
+
+  it('renders only the session dismiss button by default', () => {
     const wrapper = factory();
     const buttons = wrapper.findAll('button');
 
@@ -45,44 +51,72 @@ describe('AnnouncementBanner', () => {
     expect(buttons[0].text()).toBe('Dismiss');
   });
 
-  it('renders custom dismiss labels and permanent action when configured', () => {
+  it('renders a link button when linkHref is provided', () => {
     const wrapper = factory({
-      dismissLabel: 'Not now',
-      permanentDismissLabel: 'Dismiss forever',
+      linkHref: 'https://example.com/docs',
+      linkLabel: 'View docs',
     });
-    const buttons = wrapper.findAll('button');
+    const link = wrapper.find('a[href="https://example.com/docs"]');
+
+    expect(link.exists()).toBe(true);
+    expect(link.text()).toContain('View docs');
+    expect(link.attributes('target')).toBe('_blank');
+  });
+
+  it('shows permanent dismiss checkbox when permanentDismissLabel is provided', () => {
+    const wrapper = factory({ permanentDismissLabel: "Don't show again" });
+    const label = wrapper.find('[data-testid="announcement-dismiss-forever"]');
+
+    expect(label.exists()).toBe(false);
+
+    const wrapper2 = factory(
+      { permanentDismissLabel: "Don't show again" },
+      { 'data-testid': 'announcement' },
+    );
+    const checkbox = wrapper2.find(
+      '[data-testid="announcement-dismiss-forever"] input[type="checkbox"]',
+    );
 
-    expect(buttons).toHaveLength(2);
-    expect(buttons[0].text()).toBe('Not now');
-    expect(buttons[1].text()).toBe('Dismiss forever');
+    expect(checkbox.exists()).toBe(true);
+    expect(wrapper2.text()).toContain("Don't show again");
   });
 
-  it('emits dismiss when the session dismiss button is clicked', async () => {
-    const wrapper = factory({}, { 'data-testid': 'announcement' });
+  it('emits dismiss when dismiss button is clicked without checkbox', async () => {
+    const wrapper = factory(
+      { permanentDismissLabel: "Don't show again" },
+      { 'data-testid': 'announcement' },
+    );
 
     await wrapper.get('[data-testid="announcement-dismiss-session"]').trigger('click');
 
     expect(wrapper.emitted('dismiss')).toHaveLength(1);
+    expect(wrapper.emitted('dismiss-permanent')).toBeUndefined();
   });
 
-  it('emits dismiss-permanent when the permanent dismiss button is clicked', async () => {
+  it('emits dismiss-permanent when dismiss is clicked with checkbox checked', async () => {
     const wrapper = factory(
-      { permanentDismissLabel: 'Dismiss forever' },
+      { permanentDismissLabel: "Don't show again" },
       { 'data-testid': 'announcement' },
     );
 
-    await wrapper.get('[data-testid="announcement-dismiss-forever"]').trigger('click');
+    const checkbox = wrapper.find(
+      '[data-testid="announcement-dismiss-forever"] input[type="checkbox"]',
+    );
+    await checkbox.setValue(true);
+    await wrapper.get('[data-testid="announcement-dismiss-session"]').trigger('click');
 
     expect(wrapper.emitted('dismiss-permanent')).toHaveLength(1);
+    expect(wrapper.emitted('dismiss')).toBeUndefined();
   });
 
   it('adds action data-testids from the provided data-testid attr', () => {
     const wrapper = factory(
-      { permanentDismissLabel: 'Dismiss forever' },
+      { permanentDismissLabel: "Don't show again", linkHref: 'https://example.com' },
       { 'data-testid': 'announcement' },
     );
 
     expect(wrapper.find('[data-testid="announcement-dismiss-session"]').exists()).toBe(true);
     expect(wrapper.find('[data-testid="announcement-dismiss-forever"]').exists()).toBe(true);
+    expect(wrapper.find('[data-testid="announcement-link"]').exists()).toBe(true);
   });
 });
diff --git a/ui/tests/components/AppBadge.spec.ts b/ui/tests/components/AppBadge.spec.ts
new file mode 100644
index 000000000..6857c9f36
--- /dev/null
+++ b/ui/tests/components/AppBadge.spec.ts
@@ -0,0 +1,168 @@
+import { mount } from '@vue/test-utils';
+import { describe, expect, it } from 'vitest';
+import AppBadge from '@/components/AppBadge.vue';
+
+describe('AppBadge', () => {
+  it('renders with default props (tone=neutral, size=sm, uppercase=true)', () => {
+    const wrapper = mount(AppBadge, {
+      slots: { default: 'Default' },
+    });
+
+    const span = wrapper.get('span');
+
+    expect(span.classes()).toContain('badge');
+    expect(span.classes()).toContain('text-2xs');
+    expect(span.classes()).toContain('font-semibold');
+    expect(span.classes()).toContain('uppercase');
+    expect(span.attributes('style')).toContain('background-color: var(--dd-neutral-muted)');
+    expect(span.attributes('style')).toContain('color: var(--dd-neutral)');
+  });
+
+  it('applies correct size classes for xs', () => {
+    const wrapper = mount(AppBadge, {
+      props: { size: 'xs' },
+      slots: { default: 'XS' },
+    });
+
+    const span = wrapper.get('span');
+
+    expect(span.classes()).toContain('text-3xs');
+    expect(span.classes()).toContain('font-bold');
+  });
+
+  it('applies correct size classes for sm', () => {
+    const wrapper = mount(AppBadge, {
+      props: { size: 'sm' },
+      slots: { default: 'SM' },
+    });
+
+    const span = wrapper.get('span');
+
+    expect(span.classes()).toContain('text-2xs');
+    expect(span.classes()).toContain('font-semibold');
+  });
+
+  it('applies correct size classes for md', () => {
+    const wrapper = mount(AppBadge, {
+      props: { size: 'md' },
+      slots: { default: 'MD' },
+    });
+
+    const span = wrapper.get('span');
+
+    expect(span.classes()).toContain('text-2xs-plus');
+    expect(span.classes()).toContain('font-semibold');
+  });
+
+  it('applies uppercase class when uppercase=true', () => {
+    const wrapper = mount(AppBadge, {
+      props: { uppercase: true },
+      slots: { default: 'Upper' },
+    });
+
+    expect(wrapper.get('span').classes()).toContain('uppercase');
+  });
+
+  it('omits uppercase class when uppercase=false', () => {
+    const wrapper = mount(AppBadge, {
+      props: { uppercase: false },
+      slots: { default: 'Lower' },
+    });
+
+    expect(wrapper.get('span').classes()).not.toContain('uppercase');
+  });
+
+  it.each([
+    ['success', '--dd-success-muted', '--dd-success'],
+    ['danger', '--dd-danger-muted', '--dd-danger'],
+    ['warning', '--dd-warning-muted', '--dd-warning'],
+    ['caution', '--dd-caution-muted', '--dd-caution'],
+    ['info', '--dd-info-muted', '--dd-info'],
+    ['primary', '--dd-primary-muted', '--dd-primary'],
+    ['alt', '--dd-alt-muted', '--dd-alt'],
+    ['neutral', '--dd-neutral-muted', '--dd-neutral'],
+  ] as const)('applies correct color style for tone=%s', (tone, bgVar, textVar) => {
+    const wrapper = mount(AppBadge, {
+      props: { tone },
+      slots: { default: tone },
+    });
+
+    const style = wrapper.get('span').attributes('style');
+
+    expect(style).toContain(`background-color: var(${bgVar})`);
+    expect(style).toContain(`color: var(${textVar})`);
+  });
+
+  it('uses custom colors when custom prop provided, overriding tone', () => {
+    const wrapper = mount(AppBadge, {
+      props: {
+        tone: 'danger',
+        custom: { bg: '#1e3a5f', text: '#7cb3ff' },
+      },
+      slots: { default: 'Custom' },
+    });
+
+    const style = wrapper.get('span').attributes('style');
+
+    expect(style).toContain('background-color: rgb(30, 58, 95)');
+    expect(style).toContain('color: rgb(124, 179, 255)');
+    expect(style).not.toContain('var(--dd-danger');
+  });
+
+  it('renders dot when dot=true with correct color', () => {
+    const wrapper = mount(AppBadge, {
+      props: { dot: true, tone: 'success' },
+      slots: { default: 'Dot' },
+    });
+
+    const dot = wrapper.get('span span');
+
+    expect(dot.classes()).toContain('w-1.5');
+    expect(dot.classes()).toContain('h-1.5');
+    expect(dot.classes()).toContain('rounded-full');
+    expect(dot.attributes('style')).toContain('background-color: var(--dd-success)');
+  });
+
+  it('does not render dot when dot=false', () => {
+    const wrapper = mount(AppBadge, {
+      props: { dot: false },
+      slots: { default: 'No dot' },
+    });
+
+    const innerSpans = wrapper.findAll('span span');
+
+    expect(innerSpans).toHaveLength(0);
+  });
+
+  it('dot uses custom.text color when custom prop is provided', () => {
+    const wrapper = mount(AppBadge, {
+      props: {
+        dot: true,
+        custom: { bg: '#222', text: '#f0a' },
+      },
+      slots: { default: 'Custom dot' },
+    });
+
+    const dot = wrapper.get('span span');
+
+    expect(dot.attributes('style')).toContain('background-color: rgb(255, 0, 170)');
+    expect(dot.attributes('style')).not.toContain('var(--dd-');
+  });
+
+  it('renders slot content', () => {
+    const wrapper = mount(AppBadge, {
+      slots: { default: 'Hello Badge' },
+    });
+
+    expect(wrapper.text()).toBe('Hello Badge');
+  });
+
+  it('includes base badge class always', () => {
+    const wrapper = mount(AppBadge, {
+      props: { tone: 'danger', size: 'xs', uppercase: false },
+      slots: { default: 'Always badge' },
+    });
+
+    expect(wrapper.get('span').classes()).toContain('badge');
+  });
+});
diff --git a/ui/tests/components/AppButton.spec.ts b/ui/tests/components/AppButton.spec.ts
new file mode 100644
index 000000000..f2cfe9274
--- /dev/null
+++ b/ui/tests/components/AppButton.spec.ts
@@ -0,0 +1,158 @@
+import { mount } from '@vue/test-utils';
+import { describe, expect, it } from 'vitest';
+import AppButton from '@/components/AppButton.vue';
+
+describe('AppButton', () => {
+  it('renders button defaults with muted/md/semibold classes', () => {
+    const wrapper = mount(AppButton, {
+      slots: {
+        default: 'Run',
+      },
+    });
+
+    const button = wrapper.get('button');
+
+    expect(button.attributes('type')).toBe('button');
+    expect(button.classes()).toContain('dd-rounded');
+    expect(button.classes()).toContain('transition-colors');
+    expect(button.classes()).toContain('px-3');
+    expect(button.classes()).toContain('py-1.5');
+    expect(button.classes()).toContain('text-2xs-plus');
+    expect(button.classes()).toContain('font-semibold');
+    expect(button.classes()).toContain('dd-text-muted');
+    expect(button.classes()).toContain('hover:dd-text');
+    expect(button.classes()).toContain('hover:dd-bg-elevated');
+  });
+
+  it('supports explicit size/variant/weight and forwards attrs', () => {
+    const wrapper = mount(AppButton, {
+      props: {
+        size: 'xs',
+        variant: 'secondary',
+        weight: 'medium',
+      },
+      attrs: {
+        disabled: true,
+        'data-test': 'secondary-action',
+      },
+      slots: {
+        default: 'Refresh',
+      },
+    });
+
+    const button = wrapper.get('button');
+
+    expect(button.attributes('disabled')).toBeDefined();
+    expect(button.attributes('data-test')).toBe('secondary-action');
+    expect(button.classes()).toContain('px-2');
+    expect(button.classes()).toContain('py-1');
+    expect(button.classes()).toContain('text-2xs');
+    expect(button.classes()).toContain('font-medium');
+    expect(button.classes()).toContain('dd-text-secondary');
+    expect(button.classes()).toContain('hover:dd-text');
+    expect(button.classes()).toContain('hover:dd-bg-elevated');
+  });
+
+  it('uses plain variant and icon-xs size for compact icon controls', () => {
+    const wrapper = mount(AppButton, {
+      props: {
+        size: 'icon-xs',
+        variant: 'plain',
+      },
+      slots: {
+        default: 'x',
+      },
+    });
+
+    const button = wrapper.get('button');
+
+    expect(button.classes()).toContain('inline-flex');
+    expect(button.classes()).toContain('items-center');
+    expect(button.classes()).toContain('justify-center');
+    expect(button.classes()).toContain('w-9');
+    expect(button.classes()).toContain('h-9');
+    expect(button.classes()).not.toContain('dd-text-muted');
+  });
+
+  it('supports text-style muted actions with no padding size', () => {
+    const wrapper = mount(AppButton, {
+      props: {
+        size: 'none',
+        variant: 'text-muted',
+        weight: 'medium',
+      },
+      slots: {
+        default: 'Clear',
+      },
+    });
+
+    const button = wrapper.get('button');
+
+    expect(button.classes()).toContain('font-medium');
+    expect(button.classes()).toContain('dd-text-muted');
+    expect(button.classes()).toContain('hover:dd-text');
+    expect(button.classes()).not.toContain('px-3');
+    expect(button.classes()).not.toContain('py-1.5');
+  });
+
+  it('supports link-secondary variant for dashboard view-all actions', () => {
+    const wrapper = mount(AppButton, {
+      props: {
+        size: 'none',
+        variant: 'link-secondary',
+        weight: 'medium',
+      },
+      slots: {
+        default: 'View all',
+      },
+    });
+
+    const button = wrapper.get('button');
+
+    expect(button.classes()).toContain('text-drydock-secondary');
+    expect(button.classes()).toContain('hover:underline');
+    expect(button.classes()).toContain('font-medium');
+  });
+
+  it('supports weight none for passthrough button styling', () => {
+    const wrapper = mount(AppButton, {
+      props: {
+        size: 'none',
+        variant: 'plain',
+        weight: 'none',
+      },
+      attrs: {
+        class: 'font-bold px-2',
+      },
+      slots: {
+        default: 'Custom',
+      },
+    });
+
+    const button = wrapper.get('button');
+
+    expect(button.classes()).toContain('px-2');
+    expect(button.classes()).toContain('font-bold');
+    expect(button.classes()).not.toContain('font-medium');
+    expect(button.classes()).not.toContain('font-semibold');
+  });
+
+  it('uses tooltip text as the accessible label and title for icon-only controls', () => {
+    const wrapper = mount(AppButton, {
+      props: {
+        size: 'none',
+        variant: 'plain',
+        weight: 'none',
+        tooltip: 'Close panel',
+      } as any,
+      slots: {
+        default: 'x',
+      },
+    });
+
+    const button = wrapper.get('button');
+
+    expect(button.attributes('aria-label')).toBe('Close panel');
+    expect(button.attributes('title')).toBe('Close panel');
+  });
+});
diff --git a/ui/tests/components/AppIconButton.spec.ts b/ui/tests/components/AppIconButton.spec.ts
new file mode 100644
index 000000000..fd534a976
--- /dev/null
+++ b/ui/tests/components/AppIconButton.spec.ts
@@ -0,0 +1,232 @@
+import { mount } from '@vue/test-utils';
+import { ref } from 'vue';
+import AppIcon from '@/components/AppIcon.vue';
+import AppIconButton from '@/components/AppIconButton.vue';
+
+const mockIcon = vi.fn((name: string) => `resolved:${name}`);
+const mockIconScale = ref(1);
+
+vi.mock('@/composables/useIcons', () => ({
+  useIcons: () => ({ icon: mockIcon, iconScale: mockIconScale }),
+}));
+
+const tooltipStub = () => {};
+
+function mountButton(props: Record<string, unknown> = {}, attrs: Record<string, unknown> = {}) {
+  return mount(AppIconButton, {
+    props: { icon: 'edit', ...props },
+    attrs,
+    global: {
+      directives: { tooltip: tooltipStub },
+    },
+  });
+}
+
+describe('AppIconButton', () => {
+  beforeEach(() => {
+    mockIcon.mockImplementation((name: string) => `resolved:${name}`);
+    mockIconScale.value = 1;
+  });
+
+  // 1. Default props
+  it('renders with default props (size=sm, variant=muted)', () => {
+    const wrapper = mountButton();
+    const button = wrapper.get('button');
+
+    expect(button.classes()).toContain('w-11');
+    expect(button.classes()).toContain('h-11');
+    expect(button.classes()).toContain('min-w-8');
+    expect(button.classes()).toContain('min-h-8');
+    expect(button.classes()).toContain('dd-text-muted');
+    expect(button.classes()).toContain('hover:dd-text');
+    expect(button.classes()).toContain('hover:dd-bg-elevated');
+    expect(button.classes()).toContain('inline-flex');
+    expect(button.classes()).toContain('items-center');
+    expect(button.classes()).toContain('justify-center');
+    expect(button.classes()).toContain('dd-rounded');
+    expect(button.classes()).toContain('transition-colors');
+  });
+
+  // 2. Size classes
+  it('applies xs size classes (w-10 h-10)', () => {
+    const wrapper = mountButton({ size: 'xs' });
+    const button = wrapper.get('button');
+    expect(button.classes()).toContain('w-10');
+    expect(button.classes()).toContain('h-10');
+  });
+
+  it('applies sm size classes (w-11 h-11)', () => {
+    const wrapper = mountButton({ size: 'sm' });
+    const button = wrapper.get('button');
+    expect(button.classes()).toContain('w-11');
+    expect(button.classes()).toContain('h-11');
+  });
+
+  it('applies toolbar size classes (w-8 h-8)', () => {
+    const wrapper = mountButton({ size: 'toolbar' });
+    const button = wrapper.get('button');
+    expect(button.classes()).toContain('w-8');
+    expect(button.classes()).toContain('h-8');
+    expect(button.classes()).toContain('min-w-8');
+    expect(button.classes()).toContain('min-h-8');
+  });
+
+  it('passes icon size 15 for toolbar', () => {
+    const wrapper = mountButton({ size: 'toolbar' });
+    const icon = wrapper.findComponent(AppIcon);
+    expect(icon.props('size')).toBe(15);
+  });
+
+  it('applies md size classes (w-12 h-12)', () => {
+    const wrapper = mountButton({ size: 'md' });
+    const button = wrapper.get('button');
+    expect(button.classes()).toContain('w-12');
+    expect(button.classes()).toContain('h-12');
+  });
+
+  it('applies lg size classes (w-14 h-14)', () => {
+    const wrapper = mountButton({ size: 'lg' });
+    const button = wrapper.get('button');
+    expect(button.classes()).toContain('w-14');
+    expect(button.classes()).toContain('h-14');
+  });
+
+  // 3. Icon sizes
+  it('passes icon size 16 for xs', () => {
+    const wrapper = mountButton({ size: 'xs' });
+    const icon = wrapper.findComponent(AppIcon);
+    expect(icon.props('size')).toBe(16);
+  });
+
+  it('passes icon size 18 for sm', () => {
+    const wrapper = mountButton({ size: 'sm' });
+    const icon = wrapper.findComponent(AppIcon);
+    expect(icon.props('size')).toBe(18);
+  });
+
+  it('passes icon size 20 for md', () => {
+    const wrapper = mountButton({ size: 'md' });
+    const icon = wrapper.findComponent(AppIcon);
+    expect(icon.props('size')).toBe(20);
+  });
+
+  it('passes icon size 24 for lg', () => {
+    const wrapper = mountButton({ size: 'lg' });
+    const icon = wrapper.findComponent(AppIcon);
+    expect(icon.props('size')).toBe(24);
+  });
+
+  // 4. Variant classes
+  it('applies muted variant classes', () => {
+    const wrapper = mountButton({ variant: 'muted' });
+    const button = wrapper.get('button');
+    expect(button.classes()).toContain('dd-text-muted');
+    expect(button.classes()).toContain('hover:dd-text');
+    expect(button.classes()).toContain('hover:dd-bg-elevated');
+  });
+
+  it('applies secondary variant classes', () => {
+    const wrapper = mountButton({ variant: 'secondary' });
+    const button = wrapper.get('button');
+    expect(button.classes()).toContain('dd-text-secondary');
+    expect(button.classes()).toContain('hover:dd-text');
+    expect(button.classes()).toContain('hover:dd-bg-elevated');
+  });
+
+  it('applies danger variant classes', () => {
+    const wrapper = mountButton({ variant: 'danger' });
+    const button = wrapper.get('button');
+    expect(button.classes()).toContain('dd-text-muted');
+    expect(button.classes()).toContain('hover:dd-text-danger');
+    expect(button.classes()).toContain('hover:dd-bg-elevated');
+  });
+
+  it('applies success variant classes', () => {
+    const wrapper = mountButton({ variant: 'success' });
+    const button = wrapper.get('button');
+    expect(button.classes()).toContain('dd-text-muted');
+    expect(button.classes()).toContain('hover:dd-text-success');
+    expect(button.classes()).toContain('hover:dd-bg-elevated');
+  });
+
+  it('applies plain variant with no extra classes', () => {
+    const wrapper = mountButton({ variant: 'plain' });
+    const button = wrapper.get('button');
+    expect(button.classes()).not.toContain('dd-text-muted');
+    expect(button.classes()).not.toContain('dd-text-secondary');
+    expect(button.classes()).not.toContain('hover:dd-text-danger');
+    expect(button.classes()).not.toContain('hover:dd-text-success');
+  });
+
+  // 5. Loading state — spinner
+  it('renders spinner icon with dd-spin class when loading is true', () => {
+    const wrapper = mountButton({ loading: true });
+    const icon = wrapper.findComponent(AppIcon);
+    expect(icon.props('name')).toBe('spinner');
+    expect(icon.classes()).toContain('dd-spin');
+  });
+
+  // 6. Normal icon when not loading
+  it('renders the provided icon when loading is false', () => {
+    const wrapper = mountButton({ icon: 'trash', loading: false });
+    const icon = wrapper.findComponent(AppIcon);
+    expect(icon.props('name')).toBe('trash');
+    expect(icon.classes()).not.toContain('dd-spin');
+  });
+
+  // 7. Disabled state
+  it('applies disabled classes when disabled is true', () => {
+    const wrapper = mountButton({ disabled: true });
+    const button = wrapper.get('button');
+    expect(button.classes()).toContain('opacity-40');
+    expect(button.classes()).toContain('cursor-not-allowed');
+    expect(button.classes()).not.toContain('pointer-events-none');
+    expect(button.attributes('disabled')).toBeDefined();
+  });
+
+  it('does not apply disabled classes when disabled is false', () => {
+    const wrapper = mountButton({ disabled: false });
+    const button = wrapper.get('button');
+    expect(button.classes()).not.toContain('opacity-40');
+    expect(button.classes()).not.toContain('cursor-not-allowed');
+  });
+
+  // 8. aria-label from ariaLabel prop
+  it('sets aria-label from ariaLabel prop', () => {
+    const wrapper = mountButton({ ariaLabel: 'Delete item' });
+    expect(wrapper.get('button').attributes('aria-label')).toBe('Delete item');
+  });
+
+  // 9. Falls back to tooltip for aria-label
+  it('falls back to tooltip for aria-label when ariaLabel is not set', () => {
+    const wrapper = mountButton({ tooltip: 'Edit record' });
+    expect(wrapper.get('button').attributes('aria-label')).toBe('Edit record');
+  });
+
+  it('does not use object tooltip for aria-label', () => {
+    const wrapper = mountButton({ tooltip: { content: 'Edit', placement: 'top' } as any });
+    expect(wrapper.get('button').attributes('aria-label')).toBeUndefined();
+  });
+
+  it('prefers ariaLabel over tooltip for aria-label', () => {
+    const wrapper = mountButton({
+      ariaLabel: 'Custom label',
+      tooltip: 'Tooltip text',
+    });
+    expect(wrapper.get('button').attributes('aria-label')).toBe('Custom label');
+  });
+
+  // 10. Forwards attrs to button element
+  it('forwards attrs to the button element', () => {
+    const wrapper = mountButton({}, { 'data-test': 'icon-btn', id: 'my-btn' });
+    const button = wrapper.get('button');
+    expect(button.attributes('data-test')).toBe('icon-btn');
+    expect(button.attributes('id')).toBe('my-btn');
+  });
+
+  // 11. Button type
+  it('sets button type="button"', () => {
+    const wrapper = mountButton();
+    expect(wrapper.get('button').attributes('type')).toBe('button');
+  });
+});
diff --git a/ui/tests/components/AppLogViewer.spec.ts b/ui/tests/components/AppLogViewer.spec.ts
new file mode 100644
index 000000000..8c616258a
--- /dev/null
+++ b/ui/tests/components/AppLogViewer.spec.ts
@@ -0,0 +1,291 @@
+import { flushPromises, mount, type VueWrapper } from '@vue/test-utils';
+import { nextTick } from 'vue';
+import AppLogViewer from '@/components/AppLogViewer.vue';
+import type { AppLogEntry } from '@/types/log-entry';
+
+function makeEntry(id: number, overrides: Partial<AppLogEntry> = {}): AppLogEntry {
+  const plainLine = overrides.plainLine ?? `line-${id}`;
+
+  return {
+    id,
+    timestamp: overrides.timestamp ?? `2026-03-19T00:00:0${id}Z`,
+    line: overrides.line ?? plainLine,
+    plainLine,
+    ansiSegments: overrides.ansiSegments ?? [
+      {
+        text: plainLine,
+        color: null,
+        bold: false,
+        dim: false,
+      },
+    ],
+    json: overrides.json ?? null,
+    level: overrides.level,
+    channel: overrides.channel,
+    component: overrides.component,
+  };
+}
+
+function mountViewer(props: Record<string, unknown> = {}) {
+  return mount(AppLogViewer, {
+    props: {
+      entries: [],
+      ...props,
+    },
+    global: {
+      stubs: {
+        AppIcon: {
+          template: '<span class="app-icon-stub" />',
+        },
+      },
+    },
+  });
+}
+
+function getButtonByText(wrapper: VueWrapper, text: string) {
+  const button = wrapper.findAll('button').find((candidate) => candidate.text().includes(text));
+  if (!button) {
+    throw new Error(`Button not found: ${text}`);
+  }
+  return button;
+}
+
+function setViewportMetrics(
+  viewport: HTMLElement,
+  metrics: { scrollHeight: number; clientHeight: number; scrollTop: number },
+): void {
+  Object.defineProperty(viewport, 'scrollHeight', {
+    configurable: true,
+    value: metrics.scrollHeight,
+  });
+  Object.defineProperty(viewport, 'clientHeight', {
+    configurable: true,
+    value: metrics.clientHeight,
+  });
+  viewport.scrollTop = metrics.scrollTop;
+}
+
+describe('AppLogViewer', () => {
+  afterEach(() => {
+    vi.restoreAllMocks();
+    vi.useRealTimers();
+  });
+
+  it('renders empty state and custom footer status details', () => {
+    const wrapper = mountViewer({
+      entries: [],
+      emptyMessage: 'Nothing to show',
+      lineCount: 42,
+      statusLabel: 'Connected',
+    });
+
+    expect(wrapper.find('[data-test="app-log-viewer"]').exists()).toBe(true);
+    expect(wrapper.text()).toContain('Nothing to show');
+    expect(wrapper.text()).toContain('42 lines');
+    expect(wrapper.text()).toContain('Connected');
+  });
+
+  it('renders ANSI segments with expected color, bold, and dim styles', () => {
+    const wrapper = mountViewer({
+      entries: [
+        makeEntry(1, {
+          plainLine: 'colored output',
+          ansiSegments: [
+            {
+              text: 'ERR',
+              color: 'red',
+              bold: true,
+              dim: false,
+            },
+            {
+              text: ' low-priority',
+              color: null,
+              bold: false,
+              dim: true,
+            },
+          ],
+        }),
+      ],
+    });
+
+    const row = wrapper.get('[data-test="container-log-row"]');
+    const spanStyles = row.findAll('span').map((segment) => segment.attributes('style') ?? '');
+
+    expect(spanStyles.some((style) => style.includes('color: var(--dd-danger)'))).toBe(true);
+    expect(spanStyles.some((style) => style.includes('font-weight: 700'))).toBe(true);
+    expect(spanStyles.some((style) => style.includes('opacity: var(--dd-opacity-dim)'))).toBe(true);
+  });
+
+  it('tokenizes JSON log entries into semantic token classes', () => {
+    const wrapper = mountViewer({
+      entries: [
+        makeEntry(1, {
+          plainLine: '{"msg":"ok"}',
+          json: {
+            level: 'info',
+            value: {
+              msg: 'ok',
+              count: 3,
+              enabled: true,
+              data: null,
+            },
+            pretty: '{\n  "msg": "ok",\n  "count": 3,\n  "enabled": true,\n  "data": null\n}',
+          },
+          ansiSegments: [],
+        }),
+      ],
+    });
+
+    expect(wrapper.find('pre').exists()).toBe(true);
+    expect(wrapper.find('.json-key').text()).toContain('"msg"');
+    expect(wrapper.find('.json-string').text()).toContain('"ok"');
+    expect(wrapper.find('.json-number').text()).toContain('3');
+    expect(wrapper.find('.json-boolean').text()).toContain('true');
+    expect(wrapper.find('.json-null').text()).toContain('null');
+    expect(wrapper.findAll('.json-punctuation').length).toBeGreaterThan(0);
+  });
+
+  it('emits pause and pin toggle events from toolbar controls', async () => {
+    const wrapper = mountViewer({
+      entries: [makeEntry(1)],
+      paused: false,
+      autoScrollPinned: true,
+    });
+
+    await wrapper.get('[data-test="container-log-toggle-pause"]').trigger('click');
+    await getButtonByText(wrapper, 'Unpin').trigger('click');
+
+    expect(wrapper.emitted('toggle-pause')).toHaveLength(1);
+    expect(wrapper.emitted('toggle-pin')).toHaveLength(1);
+  });
+
+  it('pins and scrolls to bottom when pinning from an unpinned state', async () => {
+    const wrapper = mountViewer({
+      entries: [makeEntry(1)],
+      autoScrollPinned: false,
+    });
+
+    const viewport = wrapper.get('div.overflow-auto.font-mono').element as HTMLElement;
+    setViewportMetrics(viewport, {
+      scrollHeight: 700,
+      clientHeight: 100,
+      scrollTop: 10,
+    });
+
+    await getButtonByText(wrapper, 'Pin').trigger('click');
+    await nextTick();
+
+    expect(wrapper.emitted('toggle-pin')).toHaveLength(1);
+    expect(viewport.scrollTop).toBe(700);
+  });
+
+  it('emits pin toggle on user scroll when leaving bottom proximity', async () => {
+    const wrapper = mountViewer({
+      entries: [makeEntry(1)],
+      autoScrollPinned: true,
+    });
+
+    const viewport = wrapper.get('div.overflow-auto.font-mono').element as HTMLElement;
+    setViewportMetrics(viewport, {
+      scrollHeight: 1000,
+      clientHeight: 100,
+      scrollTop: 100,
+    });
+
+    await wrapper.get('div.overflow-auto.font-mono').trigger('scroll');
+
+    expect(wrapper.emitted('toggle-pin')).toHaveLength(1);
+  });
+
+  it('supports search highlighting and next-match navigation with scroll targeting', async () => {
+    const wrapper = mountViewer({
+      entries: [
+        makeEntry(1, { plainLine: 'alpha started' }),
+        makeEntry(2, { plainLine: 'beta step' }),
+        makeEntry(3, { plainLine: 'alpha finished' }),
+      ],
+    });
+
+    await wrapper.get('[data-test="container-log-search-input"]').setValue('alpha');
+    await nextTick();
+
+    const rows = wrapper.findAll('[data-test="container-log-row"]');
+    for (const row of rows) {
+      (row.element as HTMLElement).scrollIntoView = vi.fn();
+    }
+
+    expect(wrapper.get('[data-test="container-log-match-index"]').text()).toBe('1 / 2');
+    expect(rows[0].classes()).toContain('ring-1');
+    expect(rows[0].classes()).toContain('bg-drydock-secondary/10');
+    expect(rows[2].classes()).toContain('ring-1');
+
+    await wrapper.get('[data-test="container-log-next-match"]').trigger('click');
+    await nextTick();
+
+    expect(wrapper.get('[data-test="container-log-match-index"]').text()).toBe('2 / 2');
+    expect(rows[2].classes()).toContain('bg-drydock-secondary/10');
+    expect((rows[2].element as HTMLElement).scrollIntoView).toHaveBeenCalledWith({
+      block: 'center',
+    });
+  });
+
+  it('surfaces regex errors and disables match navigation when regex is invalid', async () => {
+    const wrapper = mountViewer({
+      entries: [makeEntry(1, { plainLine: 'hello world' })],
+    });
+
+    await wrapper.get('[data-test="container-log-regex-toggle"]').trigger('click');
+    await wrapper.get('[data-test="container-log-search-input"]').setValue('[');
+    await nextTick();
+
+    expect(wrapper.text()).toContain('Invalid regular expression');
+    expect(
+      wrapper.get('[data-test="container-log-prev-match"]').attributes('disabled'),
+    ).toBeDefined();
+    expect(
+      wrapper.get('[data-test="container-log-next-match"]').attributes('disabled'),
+    ).toBeDefined();
+  });
+
+  it('copies formatted logs to clipboard and shows a temporary success state', async () => {
+    vi.useFakeTimers();
+
+    const writeText = vi.fn().mockResolvedValue(undefined);
+    Object.defineProperty(navigator, 'clipboard', {
+      configurable: true,
+      value: {
+        writeText,
+      },
+    });
+
+    const wrapper = mountViewer({
+      entries: [
+        makeEntry(1, {
+          timestamp: '2026-03-19T00:00:00Z',
+          channel: 'stdout',
+          component: 'api',
+          plainLine: 'ready',
+        }),
+        makeEntry(2, {
+          timestamp: '2026-03-19T00:00:01Z',
+          level: 'warn',
+          component: 'worker',
+          plainLine: 'retrying',
+        }),
+      ],
+    });
+
+    await wrapper.get('[data-test="container-log-copy"]').trigger('click');
+    await flushPromises();
+
+    expect(writeText).toHaveBeenCalledWith(
+      '2026-03-19T00:00:00Z STDOUT api ready\n2026-03-19T00:00:01Z WARN worker retrying',
+    );
+    expect(wrapper.get('[data-test="container-log-copy"]').text()).toContain('Copied');
+
+    vi.advanceTimersByTime(2000);
+    await nextTick();
+
+    expect(wrapper.get('[data-test="container-log-copy"]').text()).toContain('Copy');
+  });
+});
diff --git a/ui/tests/components/AppTabBar.spec.ts b/ui/tests/components/AppTabBar.spec.ts
new file mode 100644
index 000000000..75840a0e1
--- /dev/null
+++ b/ui/tests/components/AppTabBar.spec.ts
@@ -0,0 +1,229 @@
+import { mount } from '@vue/test-utils';
+import { describe, expect, it } from 'vitest';
+import AppTabBar from '@/components/AppTabBar.vue';
+
+const tabs = [
+  { id: 'overview', label: 'Overview', icon: 'info' },
+  { id: 'actions', label: 'Actions' },
+  { id: 'logs', label: 'Logs', count: 5 },
+  { id: 'disabled', label: 'Disabled', disabled: true },
+];
+
+function factory(overrides: Record<string, unknown> = {}) {
+  return mount(AppTabBar, {
+    props: {
+      tabs,
+      modelValue: 'overview',
+      ...overrides,
+    },
+    global: {
+      directives: { tooltip: () => {} },
+    },
+  });
+}
+
+describe('AppTabBar', () => {
+  it('renders all tabs with correct labels', () => {
+    const wrapper = factory();
+    const buttons = wrapper.findAll('button');
+
+    expect(buttons).toHaveLength(4);
+    expect(buttons[0].text()).toContain('Overview');
+    expect(buttons[1].text()).toContain('Actions');
+    expect(buttons[2].text()).toContain('Logs');
+    expect(buttons[3].text()).toContain('Disabled');
+  });
+
+  it('active tab has dd-text class, inactive has dd-text-muted', () => {
+    const wrapper = factory({ modelValue: 'overview' });
+    const buttons = wrapper.findAll('button');
+
+    expect(buttons[0].classes()).toContain('dd-text');
+    expect(buttons[0].classes()).not.toContain('dd-text-muted');
+
+    expect(buttons[1].classes()).toContain('dd-text-muted');
+    expect(buttons[1].classes()).not.toContain('dd-text');
+  });
+
+  it('clicking a tab emits update:modelValue', async () => {
+    const wrapper = factory({ modelValue: 'overview' });
+    const buttons = wrapper.findAll('button');
+
+    await buttons[1].trigger('click');
+
+    expect(wrapper.emitted('update:modelValue')).toBeTruthy();
+    expect(wrapper.emitted('update:modelValue')![0]).toEqual(['actions']);
+  });
+
+  it('disabled tab has opacity-40 and cursor-not-allowed classes', () => {
+    const wrapper = factory();
+    const disabledButton = wrapper.findAll('button')[3];
+
+    expect(disabledButton.classes()).toContain('opacity-40');
+    expect(disabledButton.classes()).toContain('cursor-not-allowed');
+    expect(disabledButton.attributes('disabled')).toBeDefined();
+  });
+
+  it('clicking disabled tab does NOT emit update:modelValue', async () => {
+    const wrapper = factory();
+    const disabledButton = wrapper.findAll('button')[3];
+
+    await disabledButton.trigger('click');
+
+    expect(wrapper.emitted('update:modelValue')).toBeFalsy();
+  });
+
+  it('compact size applies correct classes (px-2 py-1.5 text-2xs)', () => {
+    const wrapper = factory({ size: 'compact' });
+    const button = wrapper.findAll('button')[0];
+
+    expect(button.classes()).toContain('px-2');
+    expect(button.classes()).toContain('py-1.5');
+    expect(button.classes()).toContain('text-2xs');
+    expect(button.classes()).toContain('font-semibold');
+    expect(button.classes()).toContain('uppercase');
+    expect(button.classes()).toContain('tracking-wide');
+  });
+
+  it('default size applies correct classes (px-3 py-2 text-2xs-plus)', () => {
+    const wrapper = factory();
+    const button = wrapper.findAll('button')[0];
+
+    expect(button.classes()).toContain('px-3');
+    expect(button.classes()).toContain('py-2');
+    expect(button.classes()).toContain('text-2xs-plus');
+    expect(button.classes()).toContain('font-semibold');
+    expect(button.classes()).toContain('uppercase');
+    expect(button.classes()).toContain('tracking-wide');
+  });
+
+  it('active tab shows underline indicator div (h-[2px])', () => {
+    const wrapper = factory({ modelValue: 'overview' });
+    const activeButton = wrapper.findAll('button')[0];
+    const indicator = activeButton.find('div');
+
+    expect(indicator.exists()).toBe(true);
+    expect(indicator.classes()).toContain('h-[2px]');
+    expect(indicator.classes()).toContain('absolute');
+    expect(indicator.classes()).toContain('bottom-0');
+    expect(indicator.classes()).toContain('rounded-t-full');
+  });
+
+  it('inactive tab does NOT show underline indicator', () => {
+    const wrapper = factory({ modelValue: 'overview' });
+    const inactiveButton = wrapper.findAll('button')[1];
+    const indicator = inactiveButton.find('div');
+
+    expect(indicator.exists()).toBe(false);
+  });
+
+  it('tab with icon renders AppIcon (iconify-icon element)', () => {
+    const wrapper = factory();
+    const overviewButton = wrapper.findAll('button')[0];
+    const iconEl = overviewButton.find('iconify-icon');
+
+    expect(iconEl.exists()).toBe(true);
+
+    const actionsButton = wrapper.findAll('button')[1];
+    const noIconEl = actionsButton.find('iconify-icon');
+
+    expect(noIconEl.exists()).toBe(false);
+  });
+
+  it('tab with count renders count badge', () => {
+    const wrapper = factory();
+    const logsButton = wrapper.findAll('button')[2];
+    const badge = logsButton.findAll('span').find((s) => s.classes().includes('badge'));
+
+    expect(badge).toBeDefined();
+    expect(badge!.text()).toBe('5');
+    expect(badge!.classes()).toContain('text-4xs');
+    expect(badge!.classes()).toContain('font-bold');
+  });
+
+  it('tab without count does not render count badge', () => {
+    const wrapper = factory();
+    const actionsButton = wrapper.findAll('button')[1];
+    const badge = actionsButton.findAll('span').find((s) => s.classes().includes('badge'));
+
+    expect(badge).toBeUndefined();
+  });
+
+  it('iconOnly mode hides label text', () => {
+    const wrapper = factory({ iconOnly: true });
+    const overviewButton = wrapper.findAll('button')[0];
+
+    const spans = overviewButton.findAll('span');
+    const labelSpan = spans.filter(
+      (s) =>
+        !s.classes().includes('badge') &&
+        !s.find('iconify-icon').exists() &&
+        s.text() === 'Overview',
+    );
+
+    expect(labelSpan).toHaveLength(0);
+  });
+
+  it('iconOnly mode sets aria-label on tabs for assistive tech', () => {
+    const wrapper = factory({ iconOnly: true });
+    const buttons = wrapper.findAll('button');
+
+    expect(buttons[0].attributes('aria-label')).toBe('Overview');
+    expect(buttons[1].attributes('aria-label')).toBe('Actions');
+    expect(buttons[2].attributes('aria-label')).toBe('Logs');
+  });
+
+  it('non-iconOnly mode does not set aria-label on tabs', () => {
+    const wrapper = factory({ iconOnly: false });
+    const buttons = wrapper.findAll('button');
+
+    expect(buttons[0].attributes('aria-label')).toBeUndefined();
+  });
+
+  it('icon has mr-1.5 class when not in iconOnly mode', () => {
+    const wrapper = factory({ iconOnly: false });
+    const overviewButton = wrapper.findAll('button')[0];
+    const iconEl = overviewButton.find('iconify-icon');
+
+    expect(iconEl.classes()).toContain('mr-1.5');
+  });
+
+  it('icon does NOT have mr-1.5 class in iconOnly mode', () => {
+    const wrapper = factory({ iconOnly: true });
+    const overviewButton = wrapper.findAll('button')[0];
+    const iconEl = overviewButton.find('iconify-icon');
+
+    expect(iconEl.classes()).not.toContain('mr-1.5');
+  });
+
+  it('compact size uses smaller icon size', () => {
+    const wrapper = factory({ size: 'compact' });
+    const overviewButton = wrapper.findAll('button')[0];
+    const iconEl = overviewButton.find('iconify-icon');
+
+    // compact iconSize = 10, default iconSize = 12
+    // The actual rendered size goes through iconScale, but the prop is passed
+    expect(iconEl.exists()).toBe(true);
+  });
+
+  it('count badge has correct inline styles', () => {
+    const wrapper = factory();
+    const logsButton = wrapper.findAll('button')[2];
+    const badge = logsButton.findAll('span').find((s) => s.classes().includes('badge'));
+
+    expect(badge).toBeDefined();
+    expect(badge!.attributes('style')).toContain('background-color: var(--dd-neutral-muted)');
+    expect(badge!.attributes('style')).toContain('color: var(--dd-neutral)');
+  });
+
+  it('wrapper div has correct border styling', () => {
+    const wrapper = factory();
+    const root = wrapper.find('div');
+
+    expect(root.classes()).toContain('flex');
+    expect(root.classes()).toContain('items-center');
+    expect(root.classes()).toContain('gap-1');
+    expect(root.classes()).toContain('border-b');
+    expect(root.attributes('style')).toContain('border-color: var(--dd-border)');
+  });
+});
diff --git a/ui/tests/components/ButtonStandard.spec.ts b/ui/tests/components/ButtonStandard.spec.ts
new file mode 100644
index 000000000..1c4e4bd11
--- /dev/null
+++ b/ui/tests/components/ButtonStandard.spec.ts
@@ -0,0 +1,123 @@
+import { readdirSync, readFileSync } from 'node:fs';
+import { join, relative } from 'node:path';
+import { JSDOM } from 'jsdom';
+import { describe, expect, it } from 'vitest';
+
+const SRC_DIR = join(process.cwd(), 'src');
+
+const ALLOWED_RAW_BUTTON_FILES = new Set([
+  'src/components/AppButton.vue',
+  'src/components/AppIconButton.vue',
+  'src/components/AppTabBar.vue',
+  'src/components/ThemeToggle.vue',
+  'src/components/ToggleSwitch.vue',
+]);
+
+const ALLOWED_ICON_ONLY_APP_BUTTON_FILES = new Set([
+  'src/components/containers/ContainerFullPageActionsTab.vue',
+  'src/components/containers/ContainerFullPageEnvironmentTab.vue',
+  'src/components/containers/ContainerFullPageTabContent.vue',
+  'src/components/containers/ContainerSideTabContent.vue',
+]);
+
+function getVisibleText(source: string): string {
+  const dom = new JSDOM(`<body>${source}</body>`);
+  const { document, Node } = dom.window;
+
+  function collectText(node: ParentNode): string {
+    let text = '';
+
+    for (const child of node.childNodes) {
+      if (child.nodeType === Node.TEXT_NODE) {
+        text += child.textContent ?? '';
+        continue;
+      }
+
+      if (child.nodeType !== Node.ELEMENT_NODE) {
+        continue;
+      }
+
+      if (child instanceof dom.window.HTMLTemplateElement) {
+        text += collectText(child.content);
+        continue;
+      }
+
+      text += collectText(child);
+    }
+
+    return text;
+  }
+
+  return collectText(document.body).replace(/\s+/g, '').trim();
+}
+
+function collectVueFiles(dir: string): string[] {
+  const entries = readdirSync(dir, { withFileTypes: true });
+  const files: string[] = [];
+
+  for (const entry of entries) {
+    const fullPath = join(dir, entry.name);
+    if (entry.isDirectory()) {
+      files.push(...collectVueFiles(fullPath));
+      continue;
+    }
+
+    if (entry.isFile() && entry.name.endsWith('.vue')) {
+      files.push(fullPath);
+    }
+  }
+
+  return files;
+}
+
+describe('button standard', () => {
+  it('uses AppButton as the shared button primitive across Vue templates', () => {
+    const vueFiles = collectVueFiles(SRC_DIR);
+    const offenders: string[] = [];
+
+    for (const filePath of vueFiles) {
+      const relPath = relative(process.cwd(), filePath).replaceAll('\\', '/');
+      if (ALLOWED_RAW_BUTTON_FILES.has(relPath)) {
+        continue;
+      }
+
+      const source = readFileSync(filePath, 'utf8');
+      if (/<button\b/.test(source)) {
+        offenders.push(relPath);
+      }
+    }
+
+    expect(offenders).toEqual([]);
+  });
+
+  it('uses AppIconButton for standalone icon-only AppButton interactions', () => {
+    const vueFiles = collectVueFiles(SRC_DIR);
+    const offenders: string[] = [];
+
+    for (const filePath of vueFiles) {
+      const relPath = relative(process.cwd(), filePath).replaceAll('\\', '/');
+      if (ALLOWED_ICON_ONLY_APP_BUTTON_FILES.has(relPath)) {
+        continue;
+      }
+
+      const source = readFileSync(filePath, 'utf8');
+      const buttonBlocks = source.match(/<AppButton\b[\s\S]*?<\/AppButton>/g) ?? [];
+      const hasIconOnlyAppButton = buttonBlocks.some((block) => {
+        const inner = block.replace(/^<AppButton\b[\s\S]*?>/, '').replace(/<\/AppButton>$/, '');
+
+        if (!/<AppIcon\b/.test(inner)) {
+          return false;
+        }
+
+        const visibleContent = getVisibleText(inner);
+        return visibleContent.length === 0;
+      });
+
+      if (hasIconOnlyAppButton) {
+        offenders.push(relPath);
+      }
+    }
+
+    expect(offenders).toEqual([]);
+  });
+});
diff --git a/ui/tests/components/ComponentImports.spec.ts b/ui/tests/components/ComponentImports.spec.ts
new file mode 100644
index 000000000..5d72c63a5
--- /dev/null
+++ b/ui/tests/components/ComponentImports.spec.ts
@@ -0,0 +1,118 @@
+import { readdirSync, readFileSync } from 'node:fs';
+import { join, relative } from 'node:path';
+import { describe, expect, it } from 'vitest';
+
+const SRC_DIR = join(process.cwd(), 'src');
+
+/**
+ * Components registered globally in main.ts — these never need local imports.
+ * Keep this list in sync with app.component() calls in src/main.ts.
+ */
+const GLOBAL_COMPONENTS = new Set([
+  'AppButton',
+  'AppIcon',
+  'AppLayout',
+  'AppToast',
+  'ConfirmDialog',
+  'ContainerIcon',
+  'CopyableTag',
+  'DataCardGrid',
+  'DataFilterBar',
+  'DataListAccordion',
+  'DataTable',
+  'DataViewLayout',
+  'DetailPanel',
+  'EmptyState',
+  'ThemeToggle',
+  'ToggleSwitch',
+  // Vue built-ins
+  'RouterLink',
+  'RouterView',
+  'Teleport',
+  'Transition',
+  'TransitionGroup',
+  'KeepAlive',
+  'Suspense',
+  'Component',
+]);
+
+function collectVueFiles(dir: string): string[] {
+  const entries = readdirSync(dir, { withFileTypes: true });
+  const files: string[] = [];
+  for (const entry of entries) {
+    const fullPath = join(dir, entry.name);
+    if (entry.isDirectory()) {
+      files.push(...collectVueFiles(fullPath));
+    } else if (entry.isFile() && entry.name.endsWith('.vue')) {
+      files.push(fullPath);
+    }
+  }
+  return files;
+}
+
+function extractTemplate(source: string): string {
+  const match = /<template\b[^>]*>([\s\S]*)<\/template>/.exec(source);
+  return match?.[1] ?? '';
+}
+
+function extractScriptImports(source: string): Set<string> {
+  const imports = new Set<string>();
+  const defaultImportRe = /import\s+(\w+)\s+from\s+/g;
+  const namedImportRe = /import\s+\{([^}]+)\}\s+from\s+/g;
+  let match: RegExpExecArray | null;
+  while ((match = defaultImportRe.exec(source)) !== null) {
+    imports.add(match[1]);
+  }
+  while ((match = namedImportRe.exec(source)) !== null) {
+    for (const name of match[1].split(',')) {
+      const trimmed = name
+        .trim()
+        .split(/\s+as\s+/)
+        .pop()
+        ?.trim();
+      if (trimmed) imports.add(trimmed);
+    }
+  }
+  return imports;
+}
+
+function extractTemplateComponents(template: string): Set<string> {
+  const components = new Set<string>();
+  // Match PascalCase component tags: <AppButton, <StatusDot, etc.
+  // Requires at least 2 uppercase-starting words to avoid matching HTML like <Select>
+  const tagRe = /<([A-Z][a-z]+[A-Z][A-Za-z0-9]*)\b/g;
+  let match: RegExpExecArray | null;
+  while ((match = tagRe.exec(template)) !== null) {
+    components.add(match[1]);
+  }
+  return components;
+}
+
+describe('component imports', () => {
+  it('every component used in a template is either imported or globally registered', () => {
+    const vueFiles = collectVueFiles(SRC_DIR);
+    const offenders: string[] = [];
+
+    for (const filePath of vueFiles) {
+      const relPath = relative(process.cwd(), filePath).replaceAll('\\', '/');
+      const source = readFileSync(filePath, 'utf8');
+      const template = extractTemplate(source);
+      if (!template) continue;
+
+      const imports = extractScriptImports(source);
+      const usedComponents = extractTemplateComponents(template);
+
+      for (const comp of usedComponents) {
+        if (GLOBAL_COMPONENTS.has(comp)) continue;
+        if (imports.has(comp)) continue;
+        // Skip self-references (component name matches filename)
+        const fileName = filePath.split('/').pop()?.replace('.vue', '');
+        if (fileName === comp) continue;
+
+        offenders.push(`${relPath}: <${comp}> used but not imported`);
+      }
+    }
+
+    expect(offenders).toEqual([]);
+  });
+});
diff --git a/ui/tests/components/ConfigLogsTab.spec.ts b/ui/tests/components/ConfigLogsTab.spec.ts
index 6e83fccb8..55e9cda6f 100644
--- a/ui/tests/components/ConfigLogsTab.spec.ts
+++ b/ui/tests/components/ConfigLogsTab.spec.ts
@@ -2,8 +2,8 @@ import { mount } from '@vue/test-utils';
 import { defineComponent } from 'vue';
 import ConfigLogsTab from '@/components/config/ConfigLogsTab.vue';
 
-const LogViewerStub = defineComponent({
-  template: '<div data-test="log-viewer-stub"><slot /></div>',
+const AppLogViewerStub = defineComponent({
+  template: '<div data-test="app-log-viewer-stub"><slot /></div>',
 });
 
 const baseProps = {
@@ -13,18 +13,7 @@ const baseProps = {
   error: '',
   logLevelFilter: 'all',
   tail: 100,
-  autoFetchInterval: 0,
   componentFilter: '',
-  autoFetchOptions: [
-    { value: 0, label: 'Off' },
-    { value: 5000, label: '5s' },
-  ],
-  scrollBlocked: false,
-  lastFetchedIso: '',
-  formatLastFetched: () => 'never',
-  formatTimestamp: () => 'timestamp',
-  messageForEntry: () => '',
-  levelColor: () => 'var(--dd-info)',
 };
 
 describe('ConfigLogsTab', () => {
@@ -33,13 +22,13 @@ describe('ConfigLogsTab', () => {
       props: baseProps,
       global: {
         stubs: {
-          LogViewer: LogViewerStub,
+          AppLogViewer: AppLogViewerStub,
           AppIcon: true,
         },
       },
     });
 
-    const viewer = wrapper.get('[data-test="log-viewer-stub"]');
+    const viewer = wrapper.get('[data-test="app-log-viewer-stub"]');
     expect(viewer.classes()).toContain('flex-1');
     expect(viewer.classes()).toContain('min-h-0');
   });
diff --git a/ui/tests/components/ContainerSideDetail.spec.ts b/ui/tests/components/ContainerSideDetail.spec.ts
index 92a3c1958..cb51cfcae 100644
--- a/ui/tests/components/ContainerSideDetail.spec.ts
+++ b/ui/tests/components/ContainerSideDetail.spec.ts
@@ -44,6 +44,7 @@ vi.mock('@/components/containers/containersViewTemplateContext', () => ({
     scanContainer,
     confirmUpdate,
     confirmDelete,
+    actionInProgress: ref(new Set<string>()),
     tt,
   }),
 }));
@@ -90,8 +91,8 @@ describe('ContainerSideDetail', () => {
 
     const panelBefore = wrapper.find('aside');
     expect(panelBefore.exists()).toBe(true);
-    expect(panelBefore.attributes('style')).toContain('flex: 0 0 420px');
-    expect(panelBefore.attributes('style')).toContain('width: 420px');
+    expect(panelBefore.attributes('style')).toContain('flex: 0 0 var(--dd-layout-panel-width-sm)');
+    expect(panelBefore.attributes('style')).toContain('width: var(--dd-layout-panel-width-sm)');
 
     const mediumButton = wrapper.findAll('button').find((button) => button.text().trim() === 'M');
     expect(mediumButton).toBeDefined();
@@ -100,7 +101,31 @@ describe('ContainerSideDetail', () => {
 
     expect(panelSize.value).toBe('md');
     const panelAfter = wrapper.find('aside');
-    expect(panelAfter.attributes('style')).toContain('flex: 0 0 560px');
-    expect(panelAfter.attributes('style')).toContain('width: 560px');
+    expect(panelAfter.attributes('style')).toContain('flex: 0 0 var(--dd-layout-panel-width-md)');
+    expect(panelAfter.attributes('style')).toContain('width: var(--dd-layout-panel-width-md)');
+  });
+
+  it('renders the selected container name with direct heading utility classes', () => {
+    const wrapper = mount(ContainerSideDetail, {
+      global: {
+        components: {
+          DetailPanel,
+        },
+        stubs: {
+          AppIcon: { template: '<span class="app-icon-stub" />' },
+          ContainerSideTabContent: { template: '<div class="side-tab-content-stub" />' },
+        },
+        directives: {
+          tooltip: {},
+        },
+      },
+    });
+
+    const title = wrapper
+      .findAll('span')
+      .find((candidate) => candidate.text().trim() === selectedContainer.value.name);
+    expect(title).toBeDefined();
+    expect(title?.classes()).toContain('text-sm');
+    expect(title?.classes()).toContain('font-bold');
   });
 });
diff --git a/ui/tests/components/ContainerSideTabContent.spec.ts b/ui/tests/components/ContainerSideTabContent.spec.ts
index 09ded3a84..e25fec06d 100644
--- a/ui/tests/components/ContainerSideTabContent.spec.ts
+++ b/ui/tests/components/ContainerSideTabContent.spec.ts
@@ -100,7 +100,7 @@ const containerResumeAutoScroll = vi.fn();
 const previewLoading = ref(false);
 const previewError = ref<string | null>(null);
 const runContainerPreview = vi.fn();
-const actionInProgress = ref<string | null>(null);
+const actionInProgress = ref(new Set<string>());
 const mockSkipCurrentForSelected = vi.fn();
 const mockSnoozeSelected = vi.fn();
 const mockSnoozeSelectedUntilDate = vi.fn();
@@ -213,7 +213,7 @@ vi.mock('@/components/containers/containersViewTemplateContext', () => ({
     maturityMinAgeDaysInput,
     setMaturityPolicySelected: mockSetMaturityPolicySelected,
     clearMaturityPolicySelected: mockClearMaturityPolicySelected,
-    clearPolicySelected: mockClearPolicySelected,
+    confirmClearPolicy: mockClearPolicySelected,
     policyMessage,
     policyError,
     removeSkipTagSelected: mockRemoveSkipTagSelected,
@@ -256,6 +256,16 @@ function mountComponent() {
     global: {
       stubs: {
         AppIcon: { template: '<span class="app-icon-stub" />', props: ['name', 'size'] },
+        ContainerLogs: {
+          props: ['containerId', 'containerName', 'compact'],
+          template:
+            '<div data-test="container-logs-stub" :data-id="containerId" :data-name="containerName" :data-compact="compact === undefined ? `false` : `true`">{{ containerName }}</div>',
+        },
+        ContainerStats: {
+          props: ['containerId', 'compact'],
+          template:
+            '<div data-test="container-stats-stub" :data-id="containerId" :data-compact="compact === undefined ? `false` : `true`"></div>',
+        },
       },
       directives: {
         tooltip: {},
@@ -312,7 +322,7 @@ describe('ContainerSideTabContent - Environment Variables', () => {
     containerScrollBlocked.value = false;
     previewLoading.value = false;
     previewError.value = null;
-    actionInProgress.value = null;
+    actionInProgress.value = new Set();
     policyInProgress.value = null;
     snoozeDateInput.value = '';
     selectedSnoozeUntil.value = null;
@@ -395,6 +405,7 @@ describe('ContainerSideTabContent - Environment Variables', () => {
 
     const eyeButton = passwordRow?.find('button');
     expect(eyeButton).toBeDefined();
+    expect(eyeButton?.attributes('aria-label')).toBe('Reveal value');
 
     await eyeButton?.trigger('click');
     await flushPromises();
@@ -403,6 +414,7 @@ describe('ContainerSideTabContent - Environment Variables', () => {
     const updatedRows = wrapper.findAll('[data-test="container-side-tab-content"] .font-mono');
     const updatedPasswordRow = updatedRows.find((row) => row.text().includes('DB_PASSWORD'));
     expect(updatedPasswordRow?.text()).toContain('super-secret');
+    expect(updatedPasswordRow?.find('button').attributes('aria-label')).toBe('Hide value');
     expect(mockRevealContainerEnv).toHaveBeenCalledWith('container-1');
   });
 
@@ -609,6 +621,8 @@ describe('ContainerSideTabContent - Environment Variables', () => {
     expect(wrapper.text()).toContain('2026-03-12T14:30:00Z');
     expect(wrapper.text()).toContain('Skipped tags:');
     expect(wrapper.text()).toContain('Skipped digests:');
+    expect(tagChip?.find('button').attributes('aria-label')).toBe('Remove skip');
+    expect(digestChip?.find('button').attributes('aria-label')).toBe('Remove skip');
 
     await tagChip?.find('button').trigger('click');
     await digestChip?.find('button').trigger('click');
@@ -719,29 +733,16 @@ describe('ContainerSideTabContent - Environment Variables', () => {
     expect(loadDetailSbom).toHaveBeenCalledTimes(1);
   });
 
-  it('renders logs tab rows and handles scroll-resume controls', async () => {
+  it('renders compact logs tab via container logs component', () => {
     activeDetailTab.value = 'logs';
-    getContainerLogs.mockReturnValue([
-      '2026-03-13T20:00:00.000Z [warn] first warning',
-      '2026-03-13T20:00:01.000Z [error] second error',
-    ]);
-    containerScrollBlocked.value = true;
-    containerAutoFetchInterval.value = 15;
 
     const wrapper = mountComponent();
-    const intervalSelect = wrapper.find('select');
-    const logContainer = wrapper.find('[style*="max-height: calc(100vh - 400px);"]');
-    const resumeButton = findButtonByText(wrapper, 'Resume');
-
-    await intervalSelect.setValue('30');
-    await logContainer.trigger('scroll');
-    await resumeButton?.trigger('click');
-
-    expect(wrapper.text()).toContain('Container Logs');
-    expect(wrapper.text()).toContain('2 lines');
-    expect(containerAutoFetchInterval.value).toBe(30);
-    expect(containerHandleLogScroll).toHaveBeenCalledTimes(1);
-    expect(containerResumeAutoScroll).toHaveBeenCalledTimes(1);
+    const logsStub = wrapper.find('[data-test="container-logs-stub"]');
+
+    expect(logsStub.exists()).toBe(true);
+    expect(logsStub.attributes('data-id')).toBe('container-1');
+    expect(logsStub.attributes('data-name')).toBe('nginx');
+    expect(logsStub.attributes('data-compact')).toBe('true');
   });
 
   it('renders labels list when labels exist', () => {
@@ -887,6 +888,40 @@ describe('ContainerSideTabContent - Environment Variables', () => {
     expect(wrapper.text()).toContain('Pinned image digest has no newer tag');
   });
 
+  it('shows floating tag badge in overview when tag precision is floating and digest watch is disabled', () => {
+    activeDetailTab.value = 'overview';
+    selectedContainer.value = {
+      ...createSelectedContainer(),
+      tagPrecision: 'floating',
+      imageDigestWatch: false,
+    };
+
+    const wrapper = mountComponent();
+
+    expect(wrapper.find('[data-test="floating-tag-badge"]').exists()).toBe(true);
+  });
+
+  it('hides floating tag badge in overview when tag is specific or digest watch is enabled', async () => {
+    activeDetailTab.value = 'overview';
+    selectedContainer.value = {
+      ...createSelectedContainer(),
+      tagPrecision: 'specific',
+      imageDigestWatch: false,
+    };
+
+    const wrapper = mountComponent();
+    expect(wrapper.find('[data-test="floating-tag-badge"]').exists()).toBe(false);
+
+    selectedContainer.value = {
+      ...createSelectedContainer(),
+      tagPrecision: 'floating',
+      imageDigestWatch: true,
+    };
+    await nextTick();
+
+    expect(wrapper.find('[data-test="floating-tag-badge"]').exists()).toBe(false);
+  });
+
   it('renders vulnerability and SBOM loading/error states', () => {
     activeDetailTab.value = 'overview';
     detailVulnerabilityLoading.value = true;
@@ -1022,19 +1057,17 @@ describe('ContainerSideTabContent - Environment Variables', () => {
     expect(dataWrapper.text()).toContain('timeout');
   });
 
-  it('renders labels empty state and logs without auto-scroll pause', async () => {
+  it('renders labels empty state and logs component without inline pause controls', async () => {
     activeDetailTab.value = 'labels';
     const labelsWrapper = mountComponent();
     expect(labelsWrapper.text()).toContain('No labels assigned');
 
     activeDetailTab.value = 'logs';
-    getContainerLogs.mockReturnValue(['2026-03-13T20:00:02.000Z [info] steady-state']);
-    containerScrollBlocked.value = true;
-    containerAutoFetchInterval.value = 0;
     await nextTick();
 
     const logsWrapper = mountComponent();
-    expect(logsWrapper.text()).toContain('1 lines');
+    const logsStub = logsWrapper.find('[data-test="container-logs-stub"]');
+    expect(logsStub.exists()).toBe(true);
     expect(logsWrapper.text()).not.toContain('Auto-scroll paused');
   });
 
diff --git a/ui/tests/components/DataFilterBar.spec.ts b/ui/tests/components/DataFilterBar.spec.ts
index f670fab53..6b206b20e 100644
--- a/ui/tests/components/DataFilterBar.spec.ts
+++ b/ui/tests/components/DataFilterBar.spec.ts
@@ -13,7 +13,14 @@ function factory(props: Record<string, any> = {}, slots: Record<string, any> = {
     },
     slots,
     global: {
-      stubs: { AppIcon: { template: '<span class="app-icon-stub" />' } },
+      stubs: {
+        AppIcon: { template: '<span class="app-icon-stub" />' },
+        AppIconButton: {
+          props: ['icon', 'variant', 'tooltip', 'ariaLabel'],
+          template:
+            '<button class="app-icon-button-stub" :data-icon="icon" :data-variant="variant" :aria-label="ariaLabel"><slot /></button>',
+        },
+      },
       directives: { tooltip: {} },
     },
   });
@@ -30,7 +37,14 @@ function factoryWithTooltip(props: Record<string, any> = {}, slots: Record<strin
     },
     slots,
     global: {
-      stubs: { AppIcon: { template: '<span class="app-icon-stub" />' } },
+      stubs: {
+        AppIcon: { template: '<span class="app-icon-stub" />' },
+        AppIconButton: {
+          props: ['icon', 'variant', 'tooltip', 'ariaLabel', 'size'],
+          template:
+            '<button class="app-icon-button-stub" v-tooltip="tooltip" :data-icon="icon" :data-variant="variant" :aria-label="ariaLabel || tooltip"><slot /></button>',
+        },
+      },
       directives: { tooltip: tooltipDirective },
     },
   });
@@ -57,6 +71,14 @@ describe('DataFilterBar', () => {
   });
 
   describe('filter toggle', () => {
+    it('renders the filter toggle as an AppIconButton', () => {
+      const w = factory();
+      const filterBtn = w.find('.app-icon-button-stub[aria-label="Toggle filters"]');
+      expect(filterBtn.exists()).toBe(true);
+      expect(filterBtn.attributes('data-icon')).toBe('filter');
+      expect(filterBtn.attributes('data-variant')).toBe('plain');
+    });
+
     it('renders filter button when hideFilter is not set', () => {
       const w = factory();
       const filterBtn = w.find('button[aria-label="Toggle filters"]');
diff --git a/ui/tests/components/DataTable.spec.ts b/ui/tests/components/DataTable.spec.ts
index 94a50eb92..689c95d7b 100644
--- a/ui/tests/components/DataTable.spec.ts
+++ b/ui/tests/components/DataTable.spec.ts
@@ -64,6 +64,11 @@ describe('DataTable', () => {
       const ths = w.findAll('thead th');
       expect(ths).toHaveLength(3);
     });
+
+    it('uses fixed table layout when fixedLayout is enabled', () => {
+      const w = factory({ fixedLayout: true });
+      expect(w.find('table').attributes('style')).toContain('table-layout: fixed');
+    });
   });
 
   describe('rows', () => {
diff --git a/ui/tests/components/DataViewLayout.spec.ts b/ui/tests/components/DataViewLayout.spec.ts
index 91ec96d03..5b4fbce99 100644
--- a/ui/tests/components/DataViewLayout.spec.ts
+++ b/ui/tests/components/DataViewLayout.spec.ts
@@ -76,16 +76,25 @@ describe('DataViewLayout', () => {
     const wrapper = mount(DataViewLayout, {
       slots: { default: '<p>Scrollable</p>' },
     });
-    const scrollArea = wrapper.find('.overflow-auto');
+    const scrollArea = wrapper.find('.overflow-y-auto');
     expect(scrollArea.exists()).toBe(true);
     expect(scrollArea.text()).toContain('Scrollable');
   });
 
+  it('uses the shared mobile touch-scroll behavior on the main content area', () => {
+    const wrapper = mount(DataViewLayout, {
+      slots: { default: '<p>Scrollable</p>' },
+    });
+    const scrollArea = wrapper.find('.overflow-y-auto');
+    expect(scrollArea.classes()).toContain('dd-touch-scroll');
+    expect(scrollArea.classes()).toContain('overflow-x-hidden');
+  });
+
   it('applies pr-[15px] on the scrollable content area for scrollbar centering', () => {
     const wrapper = mount(DataViewLayout, {
       slots: { default: '<p>Content</p>' },
     });
-    const scrollArea = wrapper.find('.overflow-auto');
+    const scrollArea = wrapper.find('.overflow-y-auto');
     expect(scrollArea.classes()).toContain('sm:pr-[15px]');
   });
 
diff --git a/ui/tests/components/DetailField.spec.ts b/ui/tests/components/DetailField.spec.ts
new file mode 100644
index 000000000..3a32313dc
--- /dev/null
+++ b/ui/tests/components/DetailField.spec.ts
@@ -0,0 +1,93 @@
+import { mount } from '@vue/test-utils';
+import { describe, expect, it } from 'vitest';
+import DetailField from '@/components/DetailField.vue';
+
+describe('DetailField', () => {
+  it('renders label text in the first div', () => {
+    const wrapper = mount(DetailField, {
+      props: { label: 'Image' },
+      slots: { default: 'nginx:latest' },
+    });
+
+    const labelDiv = wrapper.get('.dd-text-label');
+    expect(labelDiv.text()).toBe('Image');
+  });
+
+  it('renders slot content in the second div', () => {
+    const wrapper = mount(DetailField, {
+      props: { label: 'Tag' },
+      slots: { default: '<span class="custom">v1.2.3</span>' },
+    });
+
+    const valueDiv = wrapper.get('.text-2xs-plus');
+    expect(valueDiv.get('.custom').text()).toBe('v1.2.3');
+  });
+
+  it('label div uses dd-text-label class', () => {
+    const wrapper = mount(DetailField, {
+      props: { label: 'Status' },
+      slots: { default: 'running' },
+    });
+
+    const divs = wrapper.findAll('div');
+    const labelDiv = divs[1];
+
+    expect(labelDiv.classes()).toContain('dd-text-label');
+  });
+
+  it('value div uses text-2xs-plus class', () => {
+    const wrapper = mount(DetailField, {
+      props: { label: 'Status' },
+      slots: { default: 'running' },
+    });
+
+    const valueDiv = wrapper.get('.text-2xs-plus');
+    expect(valueDiv.classes()).toContain('text-2xs-plus');
+  });
+
+  it('applies mb-0.5 when compact is true', () => {
+    const wrapper = mount(DetailField, {
+      props: { label: 'Port', compact: true },
+      slots: { default: '8080' },
+    });
+
+    const labelDiv = wrapper.get('.dd-text-label');
+    expect(labelDiv.classes()).toContain('mb-0.5');
+    expect(labelDiv.classes()).not.toContain('mb-1');
+  });
+
+  it('applies mb-1 when compact is false', () => {
+    const wrapper = mount(DetailField, {
+      props: { label: 'Port', compact: false },
+      slots: { default: '8080' },
+    });
+
+    const labelDiv = wrapper.get('.dd-text-label');
+    expect(labelDiv.classes()).toContain('mb-1');
+    expect(labelDiv.classes()).not.toContain('mb-0.5');
+  });
+
+  it('applies font-mono to value div when mono is true', () => {
+    const wrapper = mount(DetailField, {
+      props: { label: 'Hash', mono: true },
+      slots: { default: 'abc123def' },
+    });
+
+    const valueDiv = wrapper.get('.text-2xs-plus');
+    expect(valueDiv.classes()).toContain('font-mono');
+  });
+
+  it('defaults to mono=false and compact=false', () => {
+    const wrapper = mount(DetailField, {
+      props: { label: 'Name' },
+      slots: { default: 'drydock' },
+    });
+
+    const labelDiv = wrapper.get('.dd-text-label');
+    expect(labelDiv.classes()).toContain('mb-1');
+    expect(labelDiv.classes()).not.toContain('mb-0.5');
+
+    const valueDiv = wrapper.get('.text-2xs-plus');
+    expect(valueDiv.classes()).not.toContain('font-mono');
+  });
+});
diff --git a/ui/tests/components/DetailPanel.spec.ts b/ui/tests/components/DetailPanel.spec.ts
index 899633a20..9c670707b 100644
--- a/ui/tests/components/DetailPanel.spec.ts
+++ b/ui/tests/components/DetailPanel.spec.ts
@@ -66,12 +66,10 @@ describe('DetailPanel', () => {
   describe('close button', () => {
     it('emits update:open false when close button is clicked', async () => {
       const w = factory();
-      // Close button is the w-7 h-7 button in the toolbar (last button in the toolbar row)
-      const toolbarButtons = w
+      // Close button is the w-8 h-8 AppIconButton in the toolbar
+      const closeBtn = w
         .findAll('button')
-        .filter((b) => b.classes().includes('w-7') && b.classes().includes('h-7'));
-      // The close button is the one that is not a size control (S/M/L)
-      const closeBtn = toolbarButtons.find((b) => !['S', 'M', 'L'].includes(b.text().trim()));
+        .find((b) => b.attributes('aria-label') === 'Close details panel');
       expect(closeBtn).toBeDefined();
       await closeBtn?.trigger('click');
       expect(w.emitted('update:open')?.[0]).toEqual([false]);
@@ -110,8 +108,8 @@ describe('DetailPanel', () => {
       const w = factory();
       const closeBtn = w
         .findAll('button')
-        .find((b) => b.classes().includes('w-7') && b.classes().includes('h-7'));
-      expect(closeBtn?.attributes('aria-label')).toBe('Close details panel');
+        .find((b) => b.attributes('aria-label') === 'Close details panel');
+      expect(closeBtn).toBeDefined();
     });
   });
 
@@ -170,24 +168,17 @@ describe('DetailPanel', () => {
 
     it('does not render full page button when showFullPage is false (default)', () => {
       const w = factory();
-      // When showFullPage is false, the only icon-only button is the close button (w-7 h-7)
-      const iconOnlyButtons = w
+      const fpBtn = w
         .findAll('button')
-        .filter((b) => b.find('.app-icon-stub').exists() && !b.text().trim());
-      // All icon-only buttons should be close buttons (w-7 h-7 class)
-      for (const btn of iconOnlyButtons) {
-        expect(btn.classes()).toContain('w-7');
-      }
+        .find((b) => b.attributes('aria-label') === 'Open full page view');
+      expect(fpBtn).toBeUndefined();
     });
 
     it('emits full-page when full page button is clicked', async () => {
       const w = factory({ showFullPage: true });
       const fpBtn = w
         .findAll('button')
-        .find(
-          (b) =>
-            b.find('.app-icon-stub').exists() && !b.text().trim() && !b.classes().includes('w-7'),
-        );
+        .find((b) => b.attributes('aria-label') === 'Open full page view');
       expect(fpBtn).toBeDefined();
       await fpBtn?.trigger('click');
       expect(w.emitted('full-page')).toHaveLength(1);
@@ -195,31 +186,31 @@ describe('DetailPanel', () => {
   });
 
   describe('panel width style', () => {
-    it('uses 420px basis for sm size', () => {
+    it('uses sm width token for sm size', () => {
       const w = factory({ size: 'sm' });
       const style = w.find('aside').attributes('style');
-      expect(style).toContain('flex: 0 0 420px');
-      expect(style).toContain('width: 420px');
+      expect(style).toContain('flex: 0 0 var(--dd-layout-panel-width-sm)');
+      expect(style).toContain('width: var(--dd-layout-panel-width-sm)');
     });
 
-    it('uses 560px basis for md size', () => {
+    it('uses md width token for md size', () => {
       const w = factory({ size: 'md' });
       const style = w.find('aside').attributes('style');
-      expect(style).toContain('flex: 0 0 560px');
-      expect(style).toContain('width: 560px');
+      expect(style).toContain('flex: 0 0 var(--dd-layout-panel-width-md)');
+      expect(style).toContain('width: var(--dd-layout-panel-width-md)');
     });
 
-    it('uses 720px basis for lg size', () => {
+    it('uses lg width token for lg size', () => {
       const w = factory({ size: 'lg' });
       const style = w.find('aside').attributes('style');
-      expect(style).toContain('flex: 0 0 720px');
-      expect(style).toContain('width: 720px');
+      expect(style).toContain('flex: 0 0 var(--dd-layout-panel-width-lg)');
+      expect(style).toContain('width: var(--dd-layout-panel-width-lg)');
     });
 
     it('does not set flex on mobile', () => {
       const w = factory({ isMobile: true, size: 'md' });
       const style = w.find('aside').attributes('style') ?? '';
-      expect(style).not.toContain('flex: 0 0 560px');
+      expect(style).not.toContain('flex: 0 0 var(--dd-layout-panel-width-md)');
       expect(style).toContain('width: 100%');
     });
   });
diff --git a/ui/tests/components/NotificationBell.spec.ts b/ui/tests/components/NotificationBell.spec.ts
index 1da7175f8..6dddb356a 100644
--- a/ui/tests/components/NotificationBell.spec.ts
+++ b/ui/tests/components/NotificationBell.spec.ts
@@ -40,7 +40,7 @@ const transitionStub = {
 const mountedWrappers: ReturnType<typeof mount>[] = [];
 
 function findDropdown(wrapper: ReturnType<typeof mount>) {
-  return wrapper.find('.notification-bell-wrapper div.absolute');
+  return wrapper.find('[data-test="notification-dropdown"]');
 }
 
 function findEntryRows(wrapper: ReturnType<typeof mount>) {
@@ -79,10 +79,19 @@ describe('NotificationBell', () => {
     expect(wrapper.find('button[aria-label="Notifications"]').exists()).toBe(true);
   });
 
-  it('fetches entries on mount', async () => {
+  it('fetches entries on mount with actionable action filter', async () => {
     factory();
     await flushPromises();
-    expect(mockGetAuditLog).toHaveBeenCalledWith({ limit: 20 });
+    expect(mockGetAuditLog).toHaveBeenCalledWith({
+      limit: 20,
+      actions: [
+        'update-available',
+        'update-applied',
+        'update-failed',
+        'security-alert',
+        'agent-disconnect',
+      ],
+    });
   });
 
   it('shows badge with unread count when no lastSeen', async () => {
@@ -142,12 +151,21 @@ describe('NotificationBell', () => {
     expect(findDropdown(wrapper).exists()).toBe(false);
   });
 
-  it('refetches on open', async () => {
+  it('refetches on open with actionable action filter', async () => {
     const wrapper = factory();
     await flushPromises();
     mockGetAuditLog.mockClear();
     await openBell(wrapper);
-    expect(mockGetAuditLog).toHaveBeenCalledWith({ limit: 20 });
+    expect(mockGetAuditLog).toHaveBeenCalledWith({
+      limit: 20,
+      actions: [
+        'update-available',
+        'update-applied',
+        'update-failed',
+        'security-alert',
+        'agent-disconnect',
+      ],
+    });
   });
 
   it('renders entry rows with correct action labels', async () => {
diff --git a/ui/tests/components/StatusDot.spec.ts b/ui/tests/components/StatusDot.spec.ts
new file mode 100644
index 000000000..65730d5e2
--- /dev/null
+++ b/ui/tests/components/StatusDot.spec.ts
@@ -0,0 +1,111 @@
+import { mount } from '@vue/test-utils';
+import { describe, expect, it } from 'vitest';
+import StatusDot from '@/components/StatusDot.vue';
+
+describe('StatusDot', () => {
+  it('renders with default props (size=md, muted fallback color)', () => {
+    const wrapper = mount(StatusDot);
+    const span = wrapper.get('span');
+
+    expect(span.classes()).toContain('rounded-full');
+    expect(span.classes()).toContain('shrink-0');
+    expect(span.classes()).toContain('inline-block');
+    expect(span.classes()).toContain('w-2');
+    expect(span.classes()).toContain('h-2');
+    expect(span.attributes('style')).toContain('background-color: var(--dd-text-muted)');
+  });
+
+  it('applies correct size class for sm', () => {
+    const wrapper = mount(StatusDot, { props: { size: 'sm' } });
+    const span = wrapper.get('span');
+
+    expect(span.classes()).toContain('w-1.5');
+    expect(span.classes()).toContain('h-1.5');
+  });
+
+  it('applies correct size class for md', () => {
+    const wrapper = mount(StatusDot, { props: { size: 'md' } });
+    const span = wrapper.get('span');
+
+    expect(span.classes()).toContain('w-2');
+    expect(span.classes()).toContain('h-2');
+  });
+
+  it('applies correct size class for lg', () => {
+    const wrapper = mount(StatusDot, { props: { size: 'lg' } });
+    const span = wrapper.get('span');
+
+    expect(span.classes()).toContain('w-2.5');
+    expect(span.classes()).toContain('h-2.5');
+  });
+
+  it('uses success color for connected status', () => {
+    const wrapper = mount(StatusDot, { props: { status: 'connected' } });
+
+    expect(wrapper.get('span').attributes('style')).toContain(
+      'background-color: var(--dd-success)',
+    );
+  });
+
+  it('uses success color for running status', () => {
+    const wrapper = mount(StatusDot, { props: { status: 'running' } });
+
+    expect(wrapper.get('span').attributes('style')).toContain(
+      'background-color: var(--dd-success)',
+    );
+  });
+
+  it('uses danger color for disconnected status', () => {
+    const wrapper = mount(StatusDot, { props: { status: 'disconnected' } });
+
+    expect(wrapper.get('span').attributes('style')).toContain('background-color: var(--dd-danger)');
+  });
+
+  it('uses danger color for stopped status', () => {
+    const wrapper = mount(StatusDot, { props: { status: 'stopped' } });
+
+    expect(wrapper.get('span').attributes('style')).toContain('background-color: var(--dd-danger)');
+  });
+
+  it('uses warning color for warning status', () => {
+    const wrapper = mount(StatusDot, { props: { status: 'warning' } });
+
+    expect(wrapper.get('span').attributes('style')).toContain(
+      'background-color: var(--dd-warning)',
+    );
+  });
+
+  it('uses muted color for idle status', () => {
+    const wrapper = mount(StatusDot, { props: { status: 'idle' } });
+
+    expect(wrapper.get('span').attributes('style')).toContain(
+      'background-color: var(--dd-text-muted)',
+    );
+  });
+
+  it('custom color overrides status color', () => {
+    const wrapper = mount(StatusDot, {
+      props: { status: 'connected', color: '#ff0000' },
+    });
+
+    expect(wrapper.get('span').attributes('style')).toContain('background-color: rgb(255, 0, 0)');
+  });
+
+  it('adds animate-pulse class when pulse is true', () => {
+    const wrapper = mount(StatusDot, { props: { pulse: true } });
+
+    expect(wrapper.get('span').classes()).toContain('animate-pulse');
+  });
+
+  it('does not add animate-pulse class by default', () => {
+    const wrapper = mount(StatusDot);
+
+    expect(wrapper.get('span').classes()).not.toContain('animate-pulse');
+  });
+
+  it('has role="presentation"', () => {
+    const wrapper = mount(StatusDot);
+
+    expect(wrapper.get('span').attributes('role')).toBe('presentation');
+  });
+});
diff --git a/ui/tests/components/ThemeToggle.spec.ts b/ui/tests/components/ThemeToggle.spec.ts
index 2df59fb6d..ca68d3573 100644
--- a/ui/tests/components/ThemeToggle.spec.ts
+++ b/ui/tests/components/ThemeToggle.spec.ts
@@ -64,15 +64,15 @@ describe('ThemeToggle', () => {
   it('is collapsed by default showing only the active icon width', () => {
     const wrapper = factory();
     const toggle = wrapper.find('.theme-toggle');
-    // Collapsed to one cell width (32px)
-    expect(toggle.attributes('style')).toContain('width: 32px');
+    // Collapsed to one shared sm icon-button cell width (44px)
+    expect(toggle.attributes('style')).toContain('width: 44px');
   });
 
   it('translates to show the active icon when collapsed', () => {
     mockThemeVariant.value = 'dark'; // index 2
     const wrapper = factory();
     const inner = wrapper.find('.theme-toggle-track');
-    expect(inner.attributes('style')).toContain('translateX(-64px)');
+    expect(inner.attributes('style')).toContain('translateX(-88px)');
   });
 
   it('translates to index 0 when light is active', () => {
@@ -85,8 +85,8 @@ describe('ThemeToggle', () => {
   it('expands on mouseenter', async () => {
     const wrapper = factory();
     await wrapper.find('.theme-toggle').trigger('mouseenter');
-    // Expanded to full width (3 * 32 = 96px)
-    expect(wrapper.find('.theme-toggle').attributes('style')).toContain('width: 96px');
+    // Expanded to full width (3 * 44 = 132px)
+    expect(wrapper.find('.theme-toggle').attributes('style')).toContain('width: 132px');
   });
 
   it('resets translation on expand', async () => {
@@ -101,7 +101,7 @@ describe('ThemeToggle', () => {
     const wrapper = factory();
     await wrapper.find('.theme-toggle').trigger('mouseenter');
     await wrapper.find('.theme-toggle').trigger('mouseleave');
-    expect(wrapper.find('.theme-toggle').attributes('style')).toContain('width: 32px');
+    expect(wrapper.find('.theme-toggle').attributes('style')).toContain('width: 44px');
   });
 
   it('calls transitionTheme when clicking an inactive variant', async () => {
@@ -116,40 +116,40 @@ describe('ThemeToggle', () => {
     const wrapper = factory();
     await wrapper.find('.theme-toggle').trigger('mouseenter');
     await wrapper.findAll('button')[0].trigger('click');
-    expect(wrapper.find('.theme-toggle').attributes('style')).toContain('width: 32px');
+    expect(wrapper.find('.theme-toggle').attributes('style')).toContain('width: 44px');
   });
 
   it('toggles expanded when clicking the active icon', async () => {
     mockThemeVariant.value = 'dark';
     const wrapper = factory();
     await wrapper.findAll('button')[2].trigger('click'); // Dark (active)
-    expect(wrapper.find('.theme-toggle').attributes('style')).toContain('width: 96px');
+    expect(wrapper.find('.theme-toggle').attributes('style')).toContain('width: 132px');
   });
 
   it('uses sm dimensions by default', () => {
     const wrapper = factory();
     const icons = wrapper.findAllComponents(iconStub);
-    expect(icons[0].props('size')).toBe(15);
+    expect(icons[0].props('size')).toBe(18);
   });
 
   it('uses md dimensions when size is md', () => {
     const wrapper = factory({ size: 'md' });
     const icons = wrapper.findAllComponents(iconStub);
-    expect(icons[0].props('size')).toBe(14);
+    expect(icons[0].props('size')).toBe(20);
   });
 
   it('uses sm cell size on buttons', () => {
     const wrapper = factory();
     const btn = wrapper.find('button');
-    expect(btn.attributes('style')).toContain('width: 32px');
-    expect(btn.attributes('style')).toContain('height: 32px');
+    expect(btn.attributes('style')).toContain('width: 44px');
+    expect(btn.attributes('style')).toContain('height: 44px');
   });
 
   it('uses md cell size on buttons', () => {
     const wrapper = factory({ size: 'md' });
     const btn = wrapper.find('button');
-    expect(btn.attributes('style')).toContain('width: 32px');
-    expect(btn.attributes('style')).toContain('height: 32px');
+    expect(btn.attributes('style')).toContain('width: 48px');
+    expect(btn.attributes('style')).toContain('height: 48px');
   });
 
   it('exposes aria labels and pressed state on variant buttons', () => {
diff --git a/ui/tests/components/containers/ContainerFullPageDetail.spec.ts b/ui/tests/components/containers/ContainerFullPageDetail.spec.ts
index a6e135e9d..9a2fb697a 100644
--- a/ui/tests/components/containers/ContainerFullPageDetail.spec.ts
+++ b/ui/tests/components/containers/ContainerFullPageDetail.spec.ts
@@ -16,7 +16,7 @@ const selectedContainer = ref({
 });
 
 const activeDetailTab = ref('overview');
-const actionInProgress = ref<string | null>(null);
+const actionInProgress = ref(new Set<string>());
 const closeFullPage = vi.fn();
 const confirmStop = vi.fn();
 const startContainer = vi.fn();
@@ -59,7 +59,7 @@ function factory() {
 describe('ContainerFullPageDetail', () => {
   afterEach(() => {
     activeDetailTab.value = 'overview';
-    actionInProgress.value = null;
+    actionInProgress.value = new Set();
     selectedContainer.value = {
       id: 'container-1',
       name: 'nginx',
@@ -128,7 +128,7 @@ describe('ContainerFullPageDetail', () => {
 
   describe('disabled state during action', () => {
     it('disables action buttons when actionInProgress matches container name', () => {
-      actionInProgress.value = 'nginx';
+      actionInProgress.value = new Set(['nginx']);
       const wrapper = factory();
       const actionButtons = wrapper
         .findAll('button')
@@ -139,7 +139,7 @@ describe('ContainerFullPageDetail', () => {
     });
 
     it('does not disable buttons when actionInProgress is a different container', () => {
-      actionInProgress.value = 'other-container';
+      actionInProgress.value = new Set(['other-container']);
       const wrapper = factory();
       const actionButtons = wrapper
         .findAll('button')
@@ -150,7 +150,7 @@ describe('ContainerFullPageDetail', () => {
     });
 
     it('applies opacity-50 class when disabled', () => {
-      actionInProgress.value = 'nginx';
+      actionInProgress.value = new Set(['nginx']);
       const wrapper = factory();
       const stopBtn = wrapper.find('button[aria-label="Stop container"]');
       expect(stopBtn.classes()).toContain('opacity-50');
@@ -158,7 +158,7 @@ describe('ContainerFullPageDetail', () => {
     });
 
     it('does not apply opacity-50 class when not disabled', () => {
-      actionInProgress.value = null;
+      actionInProgress.value = new Set();
       const wrapper = factory();
       const stopBtn = wrapper.find('button[aria-label="Stop container"]');
       expect(stopBtn.classes()).not.toContain('opacity-50');
diff --git a/ui/tests/components/containers/ContainerFullPageTabContent.spec.ts b/ui/tests/components/containers/ContainerFullPageTabContent.spec.ts
index 863528ae0..9e9e8bc9f 100644
--- a/ui/tests/components/containers/ContainerFullPageTabContent.spec.ts
+++ b/ui/tests/components/containers/ContainerFullPageTabContent.spec.ts
@@ -103,7 +103,7 @@ const containerAutoFetchInterval = ref(0);
 const containerLogRef = ref<HTMLElement | null>(null);
 const containerScrollBlocked = ref(false);
 const previewLoading = ref(false);
-const actionInProgress = ref<string | null>(null);
+const actionInProgress = ref(new Set<string>());
 const policyInProgress = ref<string | null>(null);
 const snoozeDateInput = ref('');
 const selectedSnoozeUntil = ref<string | null>(null);
@@ -238,7 +238,7 @@ vi.mock('@/components/containers/containersViewTemplateContext', () => ({
     maturityMinAgeDaysInput,
     setMaturityPolicySelected: mockSetMaturityPolicySelected,
     clearMaturityPolicySelected: mockClearMaturityPolicySelected,
-    clearPolicySelected: mockClearPolicySelected,
+    confirmClearPolicy: mockClearPolicySelected,
     policyMessage,
     policyError,
     removeSkipTagSelected: mockRemoveSkipTagSelected,
@@ -321,7 +321,7 @@ function resetState() {
   containerLogRef.value = null;
   containerScrollBlocked.value = false;
   previewLoading.value = false;
-  actionInProgress.value = null;
+  actionInProgress.value = new Set();
   policyInProgress.value = null;
   snoozeDateInput.value = '';
   selectedSnoozeUntil.value = null;
@@ -385,6 +385,11 @@ function mountComponent() {
   return mount(ContainerFullPageTabContent, {
     global: {
       stubs: {
+        ContainerLogs: {
+          template:
+            '<div data-test="container-logs-stub" :data-id="containerId" :data-name="containerName" :data-compact="compact ? `true` : `false`">{{ containerName }}</div>',
+          props: ['containerId', 'containerName', 'compact'],
+        },
         AppIcon: {
           template: '<span class="app-icon-stub" />',
           props: ['name', 'size'],
@@ -512,6 +517,10 @@ describe('ContainerFullPageTabContent', () => {
     const digestRemoveButton = digestLabel?.element.parentElement?.querySelector('button');
     expect(tagRemoveButton).toBeTruthy();
     expect(digestRemoveButton).toBeTruthy();
+    expect((tagRemoveButton as HTMLButtonElement).getAttribute('aria-label')).toBe('Remove skip');
+    expect((digestRemoveButton as HTMLButtonElement).getAttribute('aria-label')).toBe(
+      'Remove skip',
+    );
 
     (tagRemoveButton as HTMLButtonElement).click();
     (digestRemoveButton as HTMLButtonElement).click();
@@ -855,32 +864,50 @@ describe('ContainerFullPageTabContent', () => {
     expect(errorWrapper.text()).toContain('SBOM refresh failed');
   });
 
-  it('renders logs tab branches and log controls', async () => {
-    activeDetailTab.value = 'logs';
-    containerAutoFetchInterval.value = 5;
-    containerScrollBlocked.value = true;
-    mockGetContainerLogs.mockReturnValue([
-      '2026-03-13T00:00:00Z [error] broken',
-      '2026-03-13T00:00:01Z [warn] attention',
-      '2026-03-13T00:00:02Z plain message',
-    ]);
+  it('shows floating tag badge in overview when tag precision is floating and digest watch is disabled', () => {
+    activeDetailTab.value = 'overview';
+    selectedContainer.value = makeContainer({
+      newTag: undefined,
+      tagPrecision: 'floating',
+      imageDigestWatch: false,
+    });
 
     const wrapper = mountComponent();
-    expect(wrapper.text()).toContain('Container Logs');
-    expect(wrapper.text()).toContain('3 lines');
-    expect(wrapper.text()).toContain('Auto-scroll paused');
 
-    const logViewport = wrapper.find('div[style*="max-height: calc(100vh - 320px)"]');
-    expect(logViewport.exists()).toBe(true);
-    await logViewport.trigger('scroll');
-    expect(mockContainerHandleLogScroll).toHaveBeenCalledTimes(1);
+    expect(wrapper.find('[data-test="floating-tag-badge"]').exists()).toBe(true);
+  });
 
-    await findButtonByText(wrapper, 'Resume')?.trigger('click');
-    expect(mockContainerResumeAutoScroll).toHaveBeenCalledTimes(1);
+  it('hides floating tag badge in overview when tag is specific or digest watch is enabled', async () => {
+    activeDetailTab.value = 'overview';
+    selectedContainer.value = makeContainer({
+      newTag: undefined,
+      tagPrecision: 'specific',
+      imageDigestWatch: false,
+    });
+
+    const wrapper = mountComponent();
+    expect(wrapper.find('[data-test="floating-tag-badge"]').exists()).toBe(false);
 
-    containerScrollBlocked.value = false;
+    selectedContainer.value = makeContainer({
+      newTag: undefined,
+      tagPrecision: 'floating',
+      imageDigestWatch: true,
+    });
     await nextTick();
-    expect(wrapper.text()).not.toContain('Auto-scroll paused');
+
+    expect(wrapper.find('[data-test="floating-tag-badge"]').exists()).toBe(false);
+  });
+
+  it('renders logs tab with the real-time log viewer component', () => {
+    activeDetailTab.value = 'logs';
+    selectedContainer.value = makeContainer({ id: 'container-99', name: 'api' });
+
+    const wrapper = mountComponent();
+    const logsStub = wrapper.find('[data-test="container-logs-stub"]');
+    expect(logsStub.exists()).toBe(true);
+    expect(logsStub.attributes('data-id')).toBe('container-99');
+    expect(logsStub.attributes('data-name')).toBe('api');
+    expect(logsStub.attributes('data-compact')).toBe('false');
   });
 
   it('renders environment sensitive-value reveal flows including cache and hide', async () => {
@@ -907,11 +934,19 @@ describe('ContainerFullPageTabContent', () => {
     const secretRow = wrapper.findAll('.font-mono').find((node) => node.text().includes('SECRET'));
     const eyeButton = secretRow?.find('button');
     expect(eyeButton).toBeDefined();
+    expect(eyeButton?.attributes('aria-label')).toBe('Reveal value');
 
     await eyeButton?.trigger('click');
     await flushPromises();
     await nextTick();
     expect(wrapper.text()).toContain('super-secret');
+    expect(
+      wrapper
+        .findAll('.font-mono')
+        .find((node) => node.text().includes('SECRET'))
+        ?.find('button')
+        .attributes('aria-label'),
+    ).toBe('Hide value');
     expect(mockRevealContainerEnv).toHaveBeenCalledTimes(1);
 
     await eyeButton?.trigger('click');
@@ -1052,7 +1087,7 @@ describe('ContainerFullPageTabContent', () => {
     expect(mockRevealContainerEnv).toHaveBeenCalledTimes(1);
   });
 
-  it('updates select and input models for sbom, logs, snooze date, and maturity mode controls', async () => {
+  it('updates select and input models for sbom, snooze date, and maturity mode controls', async () => {
     activeDetailTab.value = 'overview';
     const wrapper = mountComponent();
 
@@ -1063,15 +1098,6 @@ describe('ContainerFullPageTabContent', () => {
     await sbomSelect?.setValue('cyclonedx-json');
     expect(selectedSbomFormat.value).toBe('cyclonedx-json');
 
-    activeDetailTab.value = 'logs';
-    await nextTick();
-    const logsSelect = wrapper
-      .findAll('select')
-      .find((select) => select.find('option[value="5"]').exists());
-    expect(logsSelect).toBeDefined();
-    await logsSelect?.setValue('5');
-    expect(containerAutoFetchInterval.value).toBe(5);
-
     activeDetailTab.value = 'actions';
     await nextTick();
     const snoozeInput = wrapper.find('input[type="date"]');
diff --git a/ui/tests/components/containers/ContainerLogs.spec.ts b/ui/tests/components/containers/ContainerLogs.spec.ts
new file mode 100644
index 000000000..fa9028d47
--- /dev/null
+++ b/ui/tests/components/containers/ContainerLogs.spec.ts
@@ -0,0 +1,191 @@
+import { mount } from '@vue/test-utils';
+import { nextTick } from 'vue';
+import ContainerLogs from '@/components/containers/ContainerLogs.vue';
+
+const mocks = vi.hoisted(() => {
+  type StreamOptions = {
+    onMessage: (frame: { type: 'stdout' | 'stderr'; ts: string; line: string }) => void;
+    onStatus?: (status: 'connected' | 'disconnected') => void;
+    query?: Record<string, unknown>;
+    containerId: string;
+  };
+
+  let latestOptions: StreamOptions | null = null;
+  const handle = {
+    update: vi.fn(),
+    pause: vi.fn(),
+    resume: vi.fn(),
+    close: vi.fn(),
+    isPaused: vi.fn(() => false),
+  };
+
+  return {
+    handle,
+    createConnection: vi.fn((options: StreamOptions) => {
+      latestOptions = options;
+      return handle;
+    }),
+    downloadLogs: vi.fn(async () => new Blob(['downloaded'], { type: 'text/plain' })),
+    getLatestOptions: () => latestOptions,
+  };
+});
+
+vi.mock('@/services/logs', () => ({
+  createContainerLogStreamConnection: mocks.createConnection,
+  downloadContainerLogs: mocks.downloadLogs,
+  toLogTailValue: (value: number | 'all') => (value === 'all' ? 2147483647 : value),
+}));
+
+describe('ContainerLogs', () => {
+  const originalCreateObjectURL = URL.createObjectURL;
+  const originalRevokeObjectURL = URL.revokeObjectURL;
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    URL.createObjectURL = vi.fn(() => 'blob:mock-url');
+    URL.revokeObjectURL = vi.fn();
+  });
+
+  afterEach(() => {
+    URL.createObjectURL = originalCreateObjectURL;
+    URL.revokeObjectURL = originalRevokeObjectURL;
+  });
+
+  function mountComponent(props: Record<string, unknown> = {}) {
+    return mount(ContainerLogs, {
+      props: {
+        containerId: 'container-1',
+        containerName: 'web-app',
+        ...props,
+      },
+      attachTo: document.body,
+      global: {
+        stubs: {
+          AppIcon: {
+            template: '<span class="app-icon-stub" />',
+            props: ['name', 'size'],
+          },
+        },
+      },
+    });
+  }
+
+  it('creates a stream connection and renders incoming log frames', async () => {
+    const wrapper = mountComponent();
+
+    expect(mocks.createConnection).toHaveBeenCalledTimes(1);
+    const latestOptions = mocks.getLatestOptions();
+    if (!latestOptions) {
+      throw new Error('Missing stream options');
+    }
+
+    latestOptions.onMessage({
+      type: 'stdout',
+      ts: '2026-03-15T00:00:00Z',
+      line: 'plain line',
+    });
+    latestOptions.onMessage({
+      type: 'stderr',
+      ts: '2026-03-15T00:00:01Z',
+      line: '{"level":"error","msg":"boom"}',
+    });
+    await nextTick();
+
+    expect(wrapper.text()).toContain('plain line');
+    expect(wrapper.text()).toContain('boom');
+    expect(wrapper.findAll('[data-test="container-log-row"]').length).toBe(2);
+  });
+
+  it('filters stream types and updates stream query when toggles change', async () => {
+    const wrapper = mountComponent();
+    const latestOptions = mocks.getLatestOptions();
+    if (!latestOptions) {
+      throw new Error('Missing stream options');
+    }
+
+    latestOptions.onMessage({
+      type: 'stdout',
+      ts: '2026-03-15T00:00:00Z',
+      line: 'stdout line',
+    });
+    latestOptions.onMessage({
+      type: 'stderr',
+      ts: '2026-03-15T00:00:01Z',
+      line: 'stderr line',
+    });
+    await nextTick();
+
+    expect(wrapper.text()).toContain('stdout line');
+    expect(wrapper.text()).toContain('stderr line');
+
+    const stderrToggle = wrapper.find('[data-test="container-log-toggle-stderr"]');
+    await stderrToggle.trigger('click');
+
+    expect(wrapper.text()).toContain('stdout line');
+    expect(wrapper.text()).not.toContain('stderr line');
+    expect(mocks.handle.update).toHaveBeenCalled();
+  });
+
+  it('supports regex search, match navigation, and pause/resume controls', async () => {
+    const wrapper = mountComponent();
+    const latestOptions = mocks.getLatestOptions();
+    if (!latestOptions) {
+      throw new Error('Missing stream options');
+    }
+
+    latestOptions.onMessage({
+      type: 'stdout',
+      ts: '2026-03-15T00:00:00Z',
+      line: 'alpha',
+    });
+    latestOptions.onMessage({
+      type: 'stdout',
+      ts: '2026-03-15T00:00:01Z',
+      line: 'beta',
+    });
+    latestOptions.onMessage({
+      type: 'stdout',
+      ts: '2026-03-15T00:00:02Z',
+      line: 'alpha-2',
+    });
+    await nextTick();
+
+    await wrapper.find('[data-test="container-log-search-input"]').setValue('alpha');
+    await wrapper.find('[data-test="container-log-regex-toggle"]').trigger('click');
+    await nextTick();
+
+    const rows = wrapper.findAll('[data-test="container-log-row"]');
+    const highlightedRows = rows.filter((row) => row.classes().includes('ring-1'));
+    expect(highlightedRows.length).toBe(2);
+
+    await wrapper.find('[data-test="container-log-next-match"]').trigger('click');
+    expect(wrapper.find('[data-test="container-log-match-index"]').text()).toContain('2 / 2');
+
+    const pauseButton = wrapper.find('[data-test="container-log-toggle-pause"]');
+    await pauseButton.trigger('click');
+    expect(mocks.handle.pause).toHaveBeenCalledTimes(1);
+
+    await pauseButton.trigger('click');
+    expect(mocks.handle.resume).toHaveBeenCalledTimes(1);
+  });
+
+  it('downloads current log selection as a .log file', async () => {
+    const appendSpy = vi.spyOn(document.body, 'appendChild');
+    const removeSpy = vi.spyOn(document.body, 'removeChild');
+
+    try {
+      const wrapper = mountComponent();
+
+      await wrapper.find('[data-test="container-log-download"]').trigger('click');
+
+      expect(mocks.downloadLogs).toHaveBeenCalledWith('container-1', expect.any(Object));
+      expect(URL.createObjectURL).toHaveBeenCalledTimes(1);
+      expect(URL.revokeObjectURL).toHaveBeenCalledTimes(1);
+      expect(appendSpy).toHaveBeenCalled();
+      expect(removeSpy).toHaveBeenCalled();
+    } finally {
+      appendSpy.mockRestore();
+      removeSpy.mockRestore();
+    }
+  });
+});
diff --git a/ui/tests/components/containers/ContainerStats.spec.ts b/ui/tests/components/containers/ContainerStats.spec.ts
new file mode 100644
index 000000000..d82509a41
--- /dev/null
+++ b/ui/tests/components/containers/ContainerStats.spec.ts
@@ -0,0 +1,140 @@
+import { flushPromises, mount } from '@vue/test-utils';
+import { nextTick } from 'vue';
+import ContainerStats from '@/components/containers/ContainerStats.vue';
+
+const mocks = vi.hoisted(() => ({
+  getContainerStats: vi.fn(),
+  connectContainerStatsStream: vi.fn(),
+}));
+
+vi.mock('@/services/stats', () => ({
+  getContainerStats: mocks.getContainerStats,
+  connectContainerStatsStream: mocks.connectContainerStatsStream,
+}));
+
+function makeSnapshot(overrides: Record<string, unknown> = {}) {
+  return {
+    containerId: 'c1',
+    cpuPercent: 20,
+    memoryUsageBytes: 200,
+    memoryLimitBytes: 400,
+    memoryPercent: 50,
+    networkRxBytes: 1_000,
+    networkTxBytes: 2_000,
+    blockReadBytes: 500,
+    blockWriteBytes: 700,
+    timestamp: '2026-03-14T10:00:00.000Z',
+    ...overrides,
+  };
+}
+
+describe('ContainerStats', () => {
+  beforeEach(() => {
+    vi.resetAllMocks();
+  });
+
+  it('loads initial stats and updates from SSE snapshots', async () => {
+    let streamHandlers: Record<string, (payload?: unknown) => void> = {};
+    const streamController = {
+      pause: vi.fn(),
+      resume: vi.fn(),
+      disconnect: vi.fn(),
+      isPaused: vi.fn(() => false),
+    };
+
+    mocks.getContainerStats.mockResolvedValue({
+      data: makeSnapshot(),
+      history: [
+        makeSnapshot({ cpuPercent: 10, timestamp: '2026-03-14T09:59:50.000Z' }),
+        makeSnapshot(),
+      ],
+    });
+    mocks.connectContainerStatsStream.mockImplementation(
+      (_containerId: string, handlers: Record<string, (payload?: unknown) => void>) => {
+        streamHandlers = handlers;
+        return streamController;
+      },
+    );
+
+    const wrapper = mount(ContainerStats, {
+      props: {
+        containerId: 'c1',
+      },
+      global: {
+        stubs: {
+          AppIcon: true,
+        },
+      },
+    });
+
+    await flushPromises();
+
+    expect(mocks.getContainerStats).toHaveBeenCalledWith('c1');
+    expect(mocks.connectContainerStatsStream).toHaveBeenCalledWith(
+      'c1',
+      expect.any(Object),
+      expect.any(Object),
+    );
+
+    expect(wrapper.get('[data-test="metric-cpu-value"]').text()).toContain('20');
+    expect(wrapper.get('[data-test="metric-memory-value"]').text()).toContain('50');
+
+    streamHandlers.onSnapshot?.(
+      makeSnapshot({
+        cpuPercent: 72,
+        memoryPercent: 80,
+        memoryUsageBytes: 320,
+        timestamp: '2026-03-14T10:00:10.000Z',
+      }),
+    );
+    await nextTick();
+
+    expect(wrapper.get('[data-test="metric-cpu-value"]').text()).toContain('72');
+    expect(wrapper.get('[data-test="metric-memory-value"]').text()).toContain('80');
+    expect(wrapper.get('[data-test="sparkline-cpu"]').attributes('points')).not.toBe('');
+
+    wrapper.unmount();
+    expect(streamController.disconnect).toHaveBeenCalledTimes(1);
+  });
+
+  it('supports pause and resume controls', async () => {
+    const streamController = {
+      pause: vi.fn(),
+      resume: vi.fn(),
+      disconnect: vi.fn(),
+      isPaused: vi.fn(() => false),
+    };
+
+    mocks.getContainerStats.mockResolvedValue({
+      data: makeSnapshot(),
+      history: [makeSnapshot()],
+    });
+    mocks.connectContainerStatsStream.mockReturnValue(streamController);
+
+    const wrapper = mount(ContainerStats, {
+      props: {
+        containerId: 'c1',
+      },
+      global: {
+        stubs: {
+          AppIcon: true,
+        },
+      },
+    });
+
+    await flushPromises();
+
+    const toggleButton = wrapper.get('[data-test="stats-toggle-stream"]');
+    expect(toggleButton.text()).toContain('Pause');
+
+    await toggleButton.trigger('click');
+    await nextTick();
+    expect(streamController.pause).toHaveBeenCalledTimes(1);
+    expect(wrapper.get('[data-test="stats-toggle-stream"]').text()).toContain('Resume');
+
+    await wrapper.get('[data-test="stats-toggle-stream"]').trigger('click');
+    await nextTick();
+    expect(streamController.resume).toHaveBeenCalledTimes(1);
+    expect(wrapper.get('[data-test="stats-toggle-stream"]').text()).toContain('Pause');
+  });
+});
diff --git a/ui/tests/components/containers/ContainersGroupedViews.spec.ts b/ui/tests/components/containers/ContainersGroupedViews.spec.ts
index 441005488..041bbaf07 100644
--- a/ui/tests/components/containers/ContainersGroupedViews.spec.ts
+++ b/ui/tests/components/containers/ContainersGroupedViews.spec.ts
@@ -99,7 +99,7 @@ function makeContext(overrides: Record<string, unknown> = {}) {
   const collapsedGroups = ref(new Set<string>());
   const groupUpdateInProgress = ref(new Set<string>());
   const containerActionsEnabled = ref(true);
-  const actionInProgress = ref<string | null>(null);
+  const actionInProgress = ref(new Set<string>());
   const containerViewMode = ref<'table' | 'cards' | 'list'>('table');
   const tableColumns = ref([
     { key: 'icon', label: '', align: 'text-center' },
@@ -538,6 +538,57 @@ describe('ContainersGroupedViews', () => {
     expect(spies.confirmDelete).toHaveBeenCalled();
   });
 
+  it('renders a single teleported actions menu when one container menu is open across groups', async () => {
+    const alpha = makeContainer({
+      id: 'c-alpha',
+      name: 'alpha',
+      newTag: '2.0.0',
+      bouncer: 'blocked',
+      status: 'running',
+    });
+    const beta = makeContainer({
+      id: 'c-beta',
+      name: 'beta',
+      newTag: null,
+      status: 'stopped',
+    });
+
+    const { context, refs } = makeContext();
+    context.groupByStack.value = true;
+    context.containerViewMode.value = 'table';
+    context.tableActionStyle.value = 'buttons';
+    context.filteredContainers.value = [alpha, beta];
+    context.displayContainers.value = [alpha, beta];
+    context.renderGroups.value = [
+      {
+        key: 'stack-a',
+        name: 'stack-a',
+        containers: [alpha],
+        containerCount: 1,
+        updatesAvailable: 1,
+        updatableCount: 1,
+      },
+      {
+        key: 'stack-b',
+        name: 'stack-b',
+        containers: [beta],
+        containerCount: 1,
+        updatesAvailable: 0,
+        updatableCount: 0,
+      },
+    ];
+    refs.openActionsMenu.value = 'alpha';
+    mocked.context = context;
+
+    const wrapper = mountSubject();
+    await nextTick();
+
+    const deleteButtons = wrapper
+      .findAll('button')
+      .filter((button) => button.text().trim() === 'Delete');
+    expect(deleteButtons).toHaveLength(1);
+  });
+
   it('covers card/list view events and footer action handlers', async () => {
     const running = makeContainer({
       id: 'c-card-1',
@@ -546,7 +597,7 @@ describe('ContainersGroupedViews', () => {
       updateKind: 'major',
       updateMaturity: 'fresh',
       status: 'running',
-      bouncer: 'blocked',
+      bouncer: 'safe',
       registryError: 'timeout',
       server: 'local-main',
     });
@@ -671,7 +722,7 @@ describe('ContainersGroupedViews', () => {
     refs.groupByStack.value = true;
     refs.containerActionsEnabled.value = false;
     refs.groupUpdateInProgress.value = new Set(['stack-disabled']);
-    refs.actionInProgress.value = 'alpha';
+    refs.actionInProgress.value = new Set(['alpha']);
     refs.filteredContainers.value = [item];
     refs.displayContainers.value = [item];
     refs.renderGroups.value = [
@@ -687,12 +738,11 @@ describe('ContainersGroupedViews', () => {
     mocked.context = context;
 
     const wrapper = mountSubject();
-    const tableLock = wrapper
-      .findAll('button.w-8.h-8')
-      .find((button) => button.attributes('disabled') !== undefined);
-    expect(tableLock).toBeDefined();
-    (tableLock!.element as HTMLButtonElement).disabled = false;
-    await tableLock!.trigger('click');
+    const tableLockBtns = wrapper.findAll('button[disabled]');
+    const tableLockBtn = tableLockBtns[0];
+    expect(tableLockBtn).toBeDefined();
+    (tableLockBtn!.element as HTMLButtonElement).disabled = false;
+    await tableLockBtn!.trigger('click');
   });
 
   it('covers compact table badge branches across kind/maturity/policy/status variants', async () => {
@@ -802,19 +852,19 @@ describe('ContainersGroupedViews', () => {
     ];
     refs.containerViewMode.value = 'table';
     refs.tableActionStyle.value = 'buttons';
-    refs.actionInProgress.value = 'alpha';
+    refs.actionInProgress.value = new Set(['alpha']);
     mocked.context = context;
 
     const wrapper = mountSubject();
     expect(wrapper.text()).toContain('alpha');
 
-    refs.actionInProgress.value = 'beta';
+    refs.actionInProgress.value = new Set(['beta']);
     await nextTick();
-    refs.actionInProgress.value = 'gamma';
+    refs.actionInProgress.value = new Set(['gamma']);
     await nextTick();
 
     refs.tableActionStyle.value = 'icons';
-    refs.actionInProgress.value = 'gamma';
+    refs.actionInProgress.value = new Set(['gamma']);
     await nextTick();
   });
 
@@ -879,23 +929,24 @@ describe('ContainersGroupedViews', () => {
         updatableCount: 4,
       },
     ];
-    refs.actionInProgress.value = 'beta';
+    refs.actionInProgress.value = new Set(['beta']);
     mocked.context = context;
 
     const wrapper = mountSubject();
 
-    refs.actionInProgress.value = 'gamma';
+    refs.actionInProgress.value = new Set(['gamma']);
     await nextTick();
 
     refs.containerActionsEnabled.value = false;
-    refs.actionInProgress.value = null;
+    refs.actionInProgress.value = new Set();
     await nextTick();
-    const cardLock = wrapper
-      .findAll('button.w-7.h-7')
-      .find((button) => button.attributes('disabled') !== undefined);
-    expect(cardLock).toBeDefined();
-    (cardLock!.element as HTMLButtonElement).disabled = false;
-    await cardLock!.trigger('click');
+    const cardLockButtons = wrapper
+      .findAll('button[disabled]')
+      .filter((b) => b.classes().includes('w-10') || b.classes().includes('w-8'));
+    const cardLockBtn = cardLockButtons[0];
+    expect(cardLockBtn).toBeDefined();
+    (cardLockBtn!.element as HTMLButtonElement).disabled = false;
+    await cardLockBtn!.trigger('click');
 
     refs.containerViewMode.value = 'list';
     refs.containerActionsEnabled.value = true;
diff --git a/ui/tests/components/containers/FloatingTagBadge.spec.ts b/ui/tests/components/containers/FloatingTagBadge.spec.ts
new file mode 100644
index 000000000..d6d6955ba
--- /dev/null
+++ b/ui/tests/components/containers/FloatingTagBadge.spec.ts
@@ -0,0 +1,44 @@
+import { mount } from '@vue/test-utils';
+import FloatingTagBadge from '@/components/containers/FloatingTagBadge.vue';
+
+describe('FloatingTagBadge', () => {
+  const globalConfig = {
+    directives: {
+      tooltip: {
+        mounted(el: HTMLElement, binding: { value: string }) {
+          el.dataset.tooltip = binding.value;
+        },
+      },
+    },
+  };
+
+  it('does not render when tagPrecision is not floating', () => {
+    const wrapper = mount(FloatingTagBadge, {
+      props: { tagPrecision: 'specific', imageDigestWatch: false },
+      global: globalConfig,
+    });
+    expect(wrapper.find('[data-test="floating-tag-badge"]').exists()).toBe(false);
+  });
+
+  it('does not render when digest watch is enabled', () => {
+    const wrapper = mount(FloatingTagBadge, {
+      props: { tagPrecision: 'floating', imageDigestWatch: true },
+      global: globalConfig,
+    });
+    expect(wrapper.find('[data-test="floating-tag-badge"]').exists()).toBe(false);
+  });
+
+  it('renders floating tag badge with tooltip when tag is floating and digest watch is disabled', () => {
+    const wrapper = mount(FloatingTagBadge, {
+      props: { tagPrecision: 'floating', imageDigestWatch: false },
+      global: globalConfig,
+    });
+
+    const badge = wrapper.find('[data-test="floating-tag-badge"]');
+    expect(badge.exists()).toBe(true);
+    expect(badge.text()).toContain('floating tag');
+    expect(badge.attributes('data-tooltip')).toBe(
+      'This tag may be updated in-place by the registry. Enable dd.watch.digest=true or use a full semver tag for complete update detection.',
+    );
+  });
+});
diff --git a/ui/tests/components/containers/ReleaseNotesLink.spec.ts b/ui/tests/components/containers/ReleaseNotesLink.spec.ts
new file mode 100644
index 000000000..3c1443d02
--- /dev/null
+++ b/ui/tests/components/containers/ReleaseNotesLink.spec.ts
@@ -0,0 +1,123 @@
+import { mount } from '@vue/test-utils';
+import { nextTick } from 'vue';
+import ReleaseNotesLink from '@/components/containers/ReleaseNotesLink.vue';
+
+describe('ReleaseNotesLink', () => {
+  const globalConfig = {
+    stubs: { AppIcon: { template: '<span />', props: ['name', 'size'] } },
+  };
+
+  const sampleNotes = {
+    title: 'v2.0.0 Release',
+    body: 'This is the release body with some details about the release.',
+    url: 'https://github.com/example/repo/releases/tag/v2.0.0',
+    publishedAt: '2026-03-10T12:00:00Z',
+    provider: 'github',
+  };
+
+  const longBody = 'A'.repeat(250);
+
+  it('renders nothing when neither releaseNotes nor releaseLink is provided', () => {
+    const wrapper = mount(ReleaseNotesLink, {
+      props: {},
+      global: globalConfig,
+    });
+    expect(wrapper.find('[data-test="release-notes-link"]').exists()).toBe(false);
+    expect(wrapper.find('[data-test="release-link"]').exists()).toBe(false);
+  });
+
+  it('shows simple link with href when only releaseLink is provided', () => {
+    const wrapper = mount(ReleaseNotesLink, {
+      props: { releaseLink: 'https://github.com/example/repo/releases' },
+      global: globalConfig,
+    });
+    expect(wrapper.find('[data-test="release-notes-link"]').exists()).toBe(false);
+    const link = wrapper.find('[data-test="release-link"]');
+    expect(link.exists()).toBe(true);
+    expect(link.attributes('href')).toBe('https://github.com/example/repo/releases');
+    expect(link.text()).toContain('Release notes');
+  });
+
+  it('shows expandable button when releaseNotes is provided', () => {
+    const wrapper = mount(ReleaseNotesLink, {
+      props: { releaseNotes: sampleNotes },
+      global: globalConfig,
+    });
+    const container = wrapper.find('[data-test="release-notes-link"]');
+    expect(container.exists()).toBe(true);
+    const button = container.find('button');
+    expect(button.exists()).toBe(true);
+    expect(button.text()).toContain('Release notes');
+  });
+
+  it('click toggles inline preview content', async () => {
+    const wrapper = mount(ReleaseNotesLink, {
+      props: { releaseNotes: sampleNotes },
+      global: globalConfig,
+    });
+    const button = wrapper.find('[data-test="release-notes-link"] button');
+
+    // Initially collapsed — no preview content
+    expect(wrapper.text()).not.toContain(sampleNotes.title);
+
+    // Expand
+    await button.trigger('click');
+    await nextTick();
+    expect(wrapper.text()).toContain(sampleNotes.title);
+    expect(wrapper.text()).toContain(sampleNotes.body);
+
+    // Collapse
+    await button.trigger('click');
+    await nextTick();
+    expect(wrapper.text()).not.toContain(sampleNotes.title);
+  });
+
+  it('preview shows title and truncated body', async () => {
+    const wrapper = mount(ReleaseNotesLink, {
+      props: {
+        releaseNotes: { ...sampleNotes, body: longBody },
+      },
+      global: globalConfig,
+    });
+    await wrapper.find('[data-test="release-notes-link"] button').trigger('click');
+    await nextTick();
+
+    expect(wrapper.text()).toContain(sampleNotes.title);
+    // Body should be truncated to 200 chars + "..."
+    expect(wrapper.text()).toContain('A'.repeat(200));
+    expect(wrapper.text()).toContain('...');
+    // Full body (250 chars) should NOT appear
+    expect(wrapper.text()).not.toContain(longBody);
+  });
+
+  it('preview includes "View full notes" link with correct url', async () => {
+    const wrapper = mount(ReleaseNotesLink, {
+      props: { releaseNotes: sampleNotes },
+      global: globalConfig,
+    });
+    await wrapper.find('[data-test="release-notes-link"] button').trigger('click');
+    await nextTick();
+
+    const viewLink = wrapper.find('[data-test="release-notes-link"] a');
+    expect(viewLink.exists()).toBe(true);
+    expect(viewLink.text()).toContain('View full notes');
+    expect(viewLink.attributes('href')).toBe(sampleNotes.url);
+    expect(viewLink.attributes('target')).toBe('_blank');
+  });
+
+  it('body is truncated at 200 chars with ellipsis', async () => {
+    const exactBody = 'B'.repeat(200);
+    const wrapper = mount(ReleaseNotesLink, {
+      props: {
+        releaseNotes: { ...sampleNotes, body: exactBody },
+      },
+      global: globalConfig,
+    });
+    await wrapper.find('[data-test="release-notes-link"] button').trigger('click');
+    await nextTick();
+
+    // Exactly 200 chars should NOT be truncated
+    expect(wrapper.text()).toContain(exactBody);
+    expect(wrapper.text()).not.toContain('...');
+  });
+});
diff --git a/ui/tests/components/containers/SuggestedTagBadge.spec.ts b/ui/tests/components/containers/SuggestedTagBadge.spec.ts
new file mode 100644
index 000000000..19cfedfda
--- /dev/null
+++ b/ui/tests/components/containers/SuggestedTagBadge.spec.ts
@@ -0,0 +1,59 @@
+import { mount } from '@vue/test-utils';
+import SuggestedTagBadge from '@/components/containers/SuggestedTagBadge.vue';
+
+describe('SuggestedTagBadge', () => {
+  const globalConfig = {
+    stubs: { AppIcon: { template: '<span />', props: ['name', 'size'] } },
+    directives: { tooltip: () => {} },
+  };
+
+  it('does not render when tag is undefined', () => {
+    const wrapper = mount(SuggestedTagBadge, {
+      props: { tag: undefined, currentTag: 'latest' },
+      global: globalConfig,
+    });
+    expect(wrapper.find('[data-test="suggested-tag-badge"]').exists()).toBe(false);
+  });
+
+  it('does not render when currentTag is not latest or empty', () => {
+    const wrapper = mount(SuggestedTagBadge, {
+      props: { tag: 'v1.3.0', currentTag: '1.2.3' },
+      global: globalConfig,
+    });
+    expect(wrapper.find('[data-test="suggested-tag-badge"]').exists()).toBe(false);
+  });
+
+  it('renders badge with "Suggested: v1.3.0" when tag is v1.3.0 and currentTag is latest', () => {
+    const wrapper = mount(SuggestedTagBadge, {
+      props: { tag: 'v1.3.0', currentTag: 'latest' },
+      global: globalConfig,
+    });
+    const badge = wrapper.find('[data-test="suggested-tag-badge"]');
+    expect(badge.exists()).toBe(true);
+    expect(badge.text()).toContain('Suggested: v1.3.0');
+  });
+
+  it('renders when currentTag is Latest (case insensitive)', () => {
+    const wrapper = mount(SuggestedTagBadge, {
+      props: { tag: 'v2.0.0', currentTag: 'Latest' },
+      global: globalConfig,
+    });
+    expect(wrapper.find('[data-test="suggested-tag-badge"]').exists()).toBe(true);
+  });
+
+  it('renders when currentTag is empty string', () => {
+    const wrapper = mount(SuggestedTagBadge, {
+      props: { tag: 'v1.0.0', currentTag: '' },
+      global: globalConfig,
+    });
+    expect(wrapper.find('[data-test="suggested-tag-badge"]').exists()).toBe(true);
+  });
+
+  it('does not render when currentTag is 1.2.3 even with tag set', () => {
+    const wrapper = mount(SuggestedTagBadge, {
+      props: { tag: 'v1.3.0', currentTag: '1.2.3' },
+      global: globalConfig,
+    });
+    expect(wrapper.find('[data-test="suggested-tag-badge"]').exists()).toBe(false);
+  });
+});
diff --git a/ui/tests/components/containers/UpdateMaturityBadge.spec.ts b/ui/tests/components/containers/UpdateMaturityBadge.spec.ts
new file mode 100644
index 000000000..faea1e415
--- /dev/null
+++ b/ui/tests/components/containers/UpdateMaturityBadge.spec.ts
@@ -0,0 +1,69 @@
+import { mount } from '@vue/test-utils';
+import UpdateMaturityBadge from '@/components/containers/UpdateMaturityBadge.vue';
+
+describe('UpdateMaturityBadge', () => {
+  const globalConfig = {
+    stubs: { AppIcon: { template: '<span />', props: ['name', 'size'] } },
+    directives: { tooltip: () => {} },
+  };
+
+  it('does not render when maturity is null', () => {
+    const wrapper = mount(UpdateMaturityBadge, {
+      props: { maturity: null },
+      global: globalConfig,
+    });
+    expect(wrapper.find('[data-test="update-maturity-badge"]').exists()).toBe(false);
+  });
+
+  it('renders badge with "NEW" text for fresh', () => {
+    const wrapper = mount(UpdateMaturityBadge, {
+      props: { maturity: 'fresh' },
+      global: globalConfig,
+    });
+    const badge = wrapper.find('[data-test="update-maturity-badge"]');
+    expect(badge.exists()).toBe(true);
+    expect(badge.text()).toContain('NEW');
+  });
+
+  it('renders badge with "MATURE" text for settled', () => {
+    const wrapper = mount(UpdateMaturityBadge, {
+      props: { maturity: 'settled' },
+      global: globalConfig,
+    });
+    const badge = wrapper.find('[data-test="update-maturity-badge"]');
+    expect(badge.exists()).toBe(true);
+    expect(badge.text()).toContain('MATURE');
+  });
+
+  it('applies correct maturityColor style for fresh', () => {
+    const wrapper = mount(UpdateMaturityBadge, {
+      props: { maturity: 'fresh' },
+      global: globalConfig,
+    });
+    const badge = wrapper.find('[data-test="update-maturity-badge"]');
+    const style = badge.attributes('style');
+    expect(style).toContain('color-mix(in srgb, var(--dd-warning) 35%, var(--dd-bg-card))');
+    expect(style).toContain('color: var(--dd-text)');
+  });
+
+  it('applies correct maturityColor style for settled', () => {
+    const wrapper = mount(UpdateMaturityBadge, {
+      props: { maturity: 'settled' },
+      global: globalConfig,
+    });
+    const badge = wrapper.find('[data-test="update-maturity-badge"]');
+    const style = badge.attributes('style');
+    expect(style).toContain('color-mix(in srgb, var(--dd-info) 35%, var(--dd-bg-card))');
+    expect(style).toContain('color: var(--dd-text)');
+  });
+
+  it('uses sm size class when size prop is sm', () => {
+    const wrapper = mount(UpdateMaturityBadge, {
+      props: { maturity: 'fresh', size: 'sm' },
+      global: globalConfig,
+    });
+    const badge = wrapper.find('[data-test="update-maturity-badge"]');
+    expect(badge.classes()).toContain('px-1.5');
+    expect(badge.classes()).toContain('py-0');
+  });
+});
diff --git a/ui/tests/components/stories/sampleData.spec.ts b/ui/tests/components/stories/sampleData.spec.ts
new file mode 100644
index 000000000..a8b9506f7
--- /dev/null
+++ b/ui/tests/components/stories/sampleData.spec.ts
@@ -0,0 +1,28 @@
+import {
+  sampleContainerRows,
+  sampleServiceCards,
+  sampleWatcherItems,
+} from '@/components/stories/sampleData';
+
+describe('sample story data', () => {
+  it('exports representative records for service cards, watchers, and containers', () => {
+    expect(sampleServiceCards).toHaveLength(3);
+    expect(sampleServiceCards[0]).toMatchObject({
+      id: 'gateway',
+      status: 'healthy',
+    });
+
+    expect(sampleWatcherItems).toHaveLength(3);
+    expect(sampleWatcherItems[2]).toMatchObject({
+      id: 'edge-2',
+      status: 'disconnected',
+    });
+
+    expect(sampleContainerRows).toHaveLength(3);
+    expect(sampleContainerRows[1]).toMatchObject({
+      id: 'web',
+      status: 'running',
+      updates: 2,
+    });
+  });
+});
diff --git a/ui/tests/composables/useColumnVisibility.spec.ts b/ui/tests/composables/useColumnVisibility.spec.ts
index 2f0d29993..80e6e9c62 100644
--- a/ui/tests/composables/useColumnVisibility.spec.ts
+++ b/ui/tests/composables/useColumnVisibility.spec.ts
@@ -30,7 +30,7 @@ describe('useColumnVisibility', () => {
       'version',
       'kind',
       'status',
-      'bouncer',
+      'imageAge',
       'server',
       'registry',
     ]);
@@ -94,12 +94,12 @@ describe('useColumnVisibility', () => {
   it('should persist visible columns to preferences', async () => {
     const { useColumnVisibility } = await loadColumnVisibility();
     const { toggleColumn } = useColumnVisibility(ref(false));
-    toggleColumn('bouncer');
+    toggleColumn('kind');
     await nextTick();
     const { flushPreferences } = await import('@/preferences/store');
     flushPreferences();
     const stored = JSON.parse(localStorage.getItem('dd-preferences') ?? '{}').containers.columns;
-    expect(stored).not.toContain('bouncer');
+    expect(stored).not.toContain('kind');
   });
 
   it('should restore visible columns from preferences', async () => {
diff --git a/ui/tests/composables/useDeprecationBanner.spec.ts b/ui/tests/composables/useDeprecationBanner.spec.ts
new file mode 100644
index 000000000..a176b554e
--- /dev/null
+++ b/ui/tests/composables/useDeprecationBanner.spec.ts
@@ -0,0 +1,64 @@
+import { flushPromises } from '@vue/test-utils';
+import { useDeprecationBanner } from '@/composables/useDeprecationBanner';
+
+describe('useDeprecationBanner', () => {
+  const STORAGE_KEY = 'dd-banner-test-v1';
+
+  beforeEach(() => {
+    localStorage.clear();
+  });
+
+  it('is not visible when nothing is detected', () => {
+    const banner = useDeprecationBanner(STORAGE_KEY);
+
+    expect(banner.visible.value).toBe(false);
+    expect(banner.detected.value).toBe(false);
+  });
+
+  it('becomes visible when the condition is detected', () => {
+    const banner = useDeprecationBanner(STORAGE_KEY);
+
+    banner.detected.value = true;
+
+    expect(banner.visible.value).toBe(true);
+  });
+
+  it('hides for the current session on session dismiss', () => {
+    const banner = useDeprecationBanner(STORAGE_KEY);
+    banner.detected.value = true;
+
+    banner.dismissForSession();
+
+    expect(banner.visible.value).toBe(false);
+    expect(localStorage.getItem(STORAGE_KEY)).toBeNull();
+  });
+
+  it('hides permanently and persists to localStorage', async () => {
+    const banner = useDeprecationBanner(STORAGE_KEY);
+    banner.detected.value = true;
+
+    banner.dismissPermanently();
+    await flushPromises();
+
+    expect(banner.visible.value).toBe(false);
+    expect(localStorage.getItem(STORAGE_KEY)).toBe('true');
+  });
+
+  it('stays hidden when localStorage already has a permanent dismissal', () => {
+    localStorage.setItem(STORAGE_KEY, 'true');
+
+    const banner = useDeprecationBanner(STORAGE_KEY);
+    banner.detected.value = true;
+
+    expect(banner.visible.value).toBe(false);
+  });
+
+  it('ignores corrupt localStorage values and defaults to visible', () => {
+    localStorage.setItem(STORAGE_KEY, '"not-a-boolean"');
+
+    const banner = useDeprecationBanner(STORAGE_KEY);
+    banner.detected.value = true;
+
+    expect(banner.visible.value).toBe(true);
+  });
+});
diff --git a/ui/tests/composables/useDetailPanel.spec.ts b/ui/tests/composables/useDetailPanel.spec.ts
index 2255f5c98..8e2fc8fd2 100644
--- a/ui/tests/composables/useDetailPanel.spec.ts
+++ b/ui/tests/composables/useDetailPanel.spec.ts
@@ -53,34 +53,35 @@ describe('useDetailPanel', () => {
   });
 
   describe('panelFlex', () => {
-    it('should return 420px basis for sm', () => {
+    it('should return sm token basis for sm', () => {
       const { panelFlex } = useDetailPanel();
-      expect(panelFlex.value).toBe('0 0 420px');
+      expect(panelFlex.value).toBe('0 0 var(--dd-layout-panel-width-sm)');
     });
 
-    it('should return 560px basis for md', () => {
+    it('should return md token basis for md', () => {
       const { panelSize, panelFlex } = useDetailPanel();
       panelSize.value = 'md';
-      expect(panelFlex.value).toBe('0 0 560px');
+      expect(panelFlex.value).toBe('0 0 var(--dd-layout-panel-width-md)');
     });
 
-    it('should return 720px basis for lg', () => {
+    it('should return lg token basis for lg', () => {
       const { panelSize, panelFlex } = useDetailPanel();
       panelSize.value = 'lg';
-      expect(panelFlex.value).toBe('0 0 720px');
+      expect(panelFlex.value).toBe('0 0 var(--dd-layout-panel-width-lg)');
     });
   });
 
   describe('detailTabs', () => {
-    it('should have 5 tabs', () => {
+    it('should have 6 tabs', () => {
       const { detailTabs } = useDetailPanel();
-      expect(detailTabs).toHaveLength(5);
+      expect(detailTabs).toHaveLength(6);
     });
 
     it('should have correct tab ids', () => {
       const { detailTabs } = useDetailPanel();
       expect(detailTabs.map((t) => t.id)).toEqual([
         'overview',
+        'stats',
         'logs',
         'environment',
         'labels',
diff --git a/ui/tests/composables/useLogSearch.spec.ts b/ui/tests/composables/useLogSearch.spec.ts
new file mode 100644
index 000000000..5aafc8200
--- /dev/null
+++ b/ui/tests/composables/useLogSearch.spec.ts
@@ -0,0 +1,250 @@
+import { computed, nextTick, ref } from 'vue';
+import { useLogSearch } from '@/composables/useLogSearch';
+
+type SearchEntry = {
+  id: number;
+  timestamp: string;
+  plainLine: string;
+};
+
+function makeEntry(id: number, timestamp: string, plainLine: string): SearchEntry {
+  return { id, timestamp, plainLine };
+}
+
+describe('useLogSearch', () => {
+  it('matches using escaped plain-text search by default', () => {
+    const visibleEntries = ref<SearchEntry[]>([
+      makeEntry(1, '2026-03-15T00:00:00Z', 'alpha'),
+      makeEntry(2, '2026-03-15T00:00:01Z', 'alpha.*'),
+      makeEntry(3, '2026-03-15T00:00:02Z', 'beta'),
+    ]);
+
+    const search = useLogSearch({
+      visibleEntries: computed(() => visibleEntries.value),
+      lineElements: new Map(),
+      searchTextForEntry: (entry) => entry.plainLine,
+    });
+
+    search.searchQuery.value = 'alpha.*';
+
+    expect(search.searchError.value).toBeNull();
+    expect(search.searchPattern.value?.source).toBe('alpha\\.\\*');
+    expect(search.matchedEntryIds.value).toEqual([2]);
+    expect(search.matchLabel.value).toBe('1 / 1');
+  });
+
+  it('supports regex mode and reports invalid regex patterns', () => {
+    const visibleEntries = ref<SearchEntry[]>([
+      makeEntry(1, '2026-03-15T00:00:00Z', 'alpha'),
+      makeEntry(2, '2026-03-15T00:00:01Z', 'beta'),
+      makeEntry(3, '2026-03-15T00:00:02Z', 'alpha-2'),
+    ]);
+
+    const search = useLogSearch({
+      visibleEntries: computed(() => visibleEntries.value),
+      lineElements: new Map(),
+      searchTextForEntry: (entry) => entry.plainLine,
+    });
+
+    search.regexSearch.value = true;
+    search.searchQuery.value = '^alpha(-\\d+)?$';
+
+    expect(search.searchError.value).toBeNull();
+    expect(search.matchedEntryIds.value).toEqual([1, 3]);
+
+    search.searchQuery.value = '[unclosed';
+    expect(search.searchPattern.value).toBeNull();
+    expect(search.searchError.value).toBe('Invalid regular expression');
+    expect(search.matchedEntryIds.value).toEqual([]);
+  });
+
+  it('falls back to null error when regex construction fails in plain-text mode', () => {
+    const visibleEntries = ref<SearchEntry[]>([makeEntry(1, '2026-03-15T00:00:00Z', 'alpha')]);
+    const search = useLogSearch({
+      visibleEntries: computed(() => visibleEntries.value),
+      lineElements: new Map(),
+      searchTextForEntry: (entry) => entry.plainLine,
+    });
+
+    const originalRegExp = globalThis.RegExp;
+    Object.defineProperty(globalThis, 'RegExp', {
+      value: (() => {
+        throw new Error('forced-regex-failure');
+      }) as unknown as RegExpConstructor,
+      configurable: true,
+      writable: true,
+    });
+
+    try {
+      search.regexSearch.value = false;
+      search.searchQuery.value = 'alpha';
+      expect(search.searchPattern.value).toBeNull();
+      expect(search.searchError.value).toBeNull();
+      expect(search.matchedEntryIds.value).toEqual([]);
+    } finally {
+      Object.defineProperty(globalThis, 'RegExp', {
+        value: originalRegExp,
+        configurable: true,
+        writable: true,
+      });
+    }
+  });
+
+  it('navigates matches in both directions and scrolls to active match', async () => {
+    const visibleEntries = ref<SearchEntry[]>([
+      makeEntry(1, '2026-03-15T00:00:00Z', 'alpha'),
+      makeEntry(2, '2026-03-15T00:00:01Z', 'beta'),
+      makeEntry(3, '2026-03-15T00:00:02Z', 'alpha-2'),
+    ]);
+
+    const firstRow = document.createElement('div');
+    const thirdRow = document.createElement('div');
+    firstRow.scrollIntoView = vi.fn();
+    thirdRow.scrollIntoView = vi.fn();
+
+    const search = useLogSearch({
+      visibleEntries: computed(() => visibleEntries.value),
+      lineElements: new Map([
+        [1, firstRow],
+        [3, thirdRow],
+      ]),
+    });
+
+    search.searchQuery.value = 'alpha';
+    await nextTick();
+
+    expect(search.currentMatchEntryId.value).toBe(1);
+    expect(search.isMatchedEntry(1)).toBe(true);
+    expect(search.isCurrentMatch(1)).toBe(true);
+
+    search.jumpToMatch('next');
+    expect(search.currentMatchEntryId.value).toBe(3);
+    expect(search.matchLabel.value).toBe('2 / 2');
+    expect(thirdRow.scrollIntoView).toHaveBeenCalledWith({ block: 'center' });
+
+    search.jumpToMatch('next');
+    expect(search.currentMatchEntryId.value).toBe(1);
+    expect(firstRow.scrollIntoView).toHaveBeenCalledWith({ block: 'center' });
+
+    search.jumpToMatch('prev');
+    expect(search.currentMatchEntryId.value).toBe(3);
+  });
+
+  it('resets match index when search input changes', async () => {
+    const visibleEntries = ref<SearchEntry[]>([
+      makeEntry(1, '2026-03-15T00:00:00Z', 'alpha'),
+      makeEntry(2, '2026-03-15T00:00:01Z', 'beta'),
+      makeEntry(3, '2026-03-15T00:00:02Z', 'alpha-2'),
+    ]);
+
+    const search = useLogSearch({
+      visibleEntries: computed(() => visibleEntries.value),
+      lineElements: new Map(),
+    });
+
+    search.searchQuery.value = 'alpha';
+    await nextTick();
+
+    search.jumpToMatch('next');
+    expect(search.matchLabel.value).toBe('2 / 2');
+
+    search.searchQuery.value = 'beta';
+    await nextTick();
+
+    expect(search.currentMatchIndex.value).toBe(0);
+    expect(search.currentMatchEntryId.value).toBe(2);
+    expect(search.matchLabel.value).toBe('1 / 1');
+  });
+
+  it('handles empty matches and keeps current index in range when entries change', async () => {
+    const visibleEntries = ref<SearchEntry[]>([
+      makeEntry(1, '2026-03-15T00:00:00Z', 'alpha'),
+      makeEntry(2, '2026-03-15T00:00:01Z', 'alpha-2'),
+      makeEntry(3, '2026-03-15T00:00:02Z', 'alpha-3'),
+    ]);
+
+    const search = useLogSearch({
+      visibleEntries: computed(() => visibleEntries.value),
+      lineElements: new Map(),
+    });
+
+    search.searchQuery.value = 'alpha';
+    await nextTick();
+
+    search.jumpToMatch('next');
+    search.jumpToMatch('next');
+    expect(search.currentMatchIndex.value).toBe(2);
+
+    visibleEntries.value = [makeEntry(1, '2026-03-15T00:00:00Z', 'alpha')];
+    await nextTick();
+
+    expect(search.currentMatchIndex.value).toBe(0);
+    expect(search.currentMatchEntryId.value).toBe(1);
+
+    search.searchQuery.value = 'does-not-exist';
+    await nextTick();
+    expect(search.currentMatchEntryId.value).toBeNull();
+    expect(search.matchLabel.value).toBe('0 / 0');
+  });
+
+  it('uses the first match when current match index is out of range', async () => {
+    const visibleEntries = ref<SearchEntry[]>([
+      makeEntry(1, '2026-03-15T00:00:00Z', 'alpha'),
+      makeEntry(2, '2026-03-15T00:00:01Z', 'alpha-2'),
+    ]);
+    const search = useLogSearch({
+      visibleEntries: computed(() => visibleEntries.value),
+      lineElements: new Map(),
+    });
+
+    search.searchQuery.value = 'alpha';
+    await nextTick();
+
+    search.currentMatchIndex.value = -1;
+    expect(search.currentMatchEntryId.value).toBe(1);
+
+    search.currentMatchIndex.value = 9;
+    expect(search.currentMatchEntryId.value).toBe(1);
+  });
+
+  it('returns null when a matched entry id is missing at runtime', async () => {
+    const visibleEntries = ref<SearchEntry[]>([
+      {
+        id: undefined as unknown as number,
+        timestamp: '2026-03-15T00:00:00Z',
+        plainLine: 'alpha',
+      },
+    ]);
+    const search = useLogSearch({
+      visibleEntries: computed(() => visibleEntries.value),
+      lineElements: new Map(),
+    });
+
+    search.searchQuery.value = 'alpha';
+    await nextTick();
+
+    expect(search.matchedEntryIds.value).toEqual([undefined]);
+    expect(search.currentMatchEntryId.value).toBeNull();
+  });
+
+  it('no-ops jump navigation when there are no matches', () => {
+    const visibleEntries = ref<SearchEntry[]>([
+      makeEntry(1, '2026-03-15T00:00:00Z', 'alpha'),
+      makeEntry(2, '2026-03-15T00:00:01Z', 'beta'),
+    ]);
+
+    const search = useLogSearch({
+      visibleEntries: computed(() => visibleEntries.value),
+      lineElements: new Map(),
+    });
+
+    expect(search.matchedEntryIds.value).toEqual([]);
+    expect(search.currentMatchIndex.value).toBe(0);
+
+    search.jumpToMatch('next');
+    search.jumpToMatch('prev');
+
+    expect(search.currentMatchIndex.value).toBe(0);
+    expect(search.currentMatchEntryId.value).toBeNull();
+  });
+});
diff --git a/ui/tests/composables/useLogViewerBehavior.spec.ts b/ui/tests/composables/useLogViewerBehavior.spec.ts
index 146b9c78a..02a487580 100644
--- a/ui/tests/composables/useLogViewerBehavior.spec.ts
+++ b/ui/tests/composables/useLogViewerBehavior.spec.ts
@@ -94,6 +94,7 @@ describe('useLogViewport', () => {
 
 describe('useAutoFetchLogs', () => {
   beforeEach(() => {
+    vi.clearAllMocks();
     vi.useFakeTimers();
   });
 
@@ -327,6 +328,66 @@ describe('useAutoFetchLogs', () => {
     }
   });
 
+  it('does not leak timer when visibilitychange fires during scope disposal', async () => {
+    const fetchFn = vi.fn().mockResolvedValue(undefined);
+    const originalHidden = Object.getOwnPropertyDescriptor(document, 'hidden');
+    const originalVisibilityState = Object.getOwnPropertyDescriptor(document, 'visibilityState');
+
+    // Tab is hidden so the interval is paused
+    Object.defineProperty(document, 'hidden', {
+      configurable: true,
+      get: () => true,
+    });
+    Object.defineProperty(document, 'visibilityState', {
+      configurable: true,
+      get: () => 'hidden',
+    });
+
+    const scope = effectScope();
+    try {
+      scope.run(() => {
+        const { autoFetchInterval } = useAutoFetchLogs({
+          fetchFn,
+          scrollToBottom: vi.fn(),
+          scrollBlocked: ref(false),
+        });
+        autoFetchInterval.value = 2000;
+      });
+      await nextTick();
+
+      // Tab becomes visible right as scope is being disposed.
+      // The visibility listener removal must run BEFORE stopAutoFetch
+      // (onScopeDispose reverse order) to prevent the listener from
+      // restarting the interval after stopAutoFetch clears it.
+      Object.defineProperty(document, 'hidden', {
+        configurable: true,
+        get: () => false,
+      });
+      Object.defineProperty(document, 'visibilityState', {
+        configurable: true,
+        get: () => 'visible',
+      });
+
+      scope.stop();
+
+      // Fire visibilitychange AFTER scope disposal — listener must be gone
+      document.dispatchEvent(new Event('visibilitychange'));
+      await nextTick();
+
+      // Advance time well past the interval — no fetch should fire
+      vi.advanceTimersByTime(10_000);
+      expect(fetchFn).not.toHaveBeenCalled();
+    } finally {
+      if (originalHidden) Object.defineProperty(document, 'hidden', originalHidden);
+      else Reflect.deleteProperty(document, 'hidden');
+      if (originalVisibilityState) {
+        Object.defineProperty(document, 'visibilityState', originalVisibilityState);
+      } else {
+        Reflect.deleteProperty(document, 'visibilityState');
+      }
+    }
+  });
+
   it('ignores visibilitychange resume when interval is off', async () => {
     const fetchFn = vi.fn().mockResolvedValue(undefined);
     const originalHidden = Object.getOwnPropertyDescriptor(document, 'hidden');
diff --git a/ui/tests/composables/useSystemLogStream.spec.ts b/ui/tests/composables/useSystemLogStream.spec.ts
new file mode 100644
index 000000000..38e805669
--- /dev/null
+++ b/ui/tests/composables/useSystemLogStream.spec.ts
@@ -0,0 +1,228 @@
+import { effectScope } from 'vue';
+import { useSystemLogStream } from '@/composables/useSystemLogStream';
+
+class MockWebSocket {
+  static instances: MockWebSocket[] = [];
+
+  readonly url: string;
+  onopen: ((event: Event) => void) | null = null;
+  onmessage: ((event: MessageEvent) => void) | null = null;
+  onerror: ((event: Event) => void) | null = null;
+  onclose: ((event: CloseEvent) => void) | null = null;
+  close = vi.fn();
+
+  constructor(url: string) {
+    this.url = url;
+    MockWebSocket.instances.push(this);
+  }
+
+  emitOpen() {
+    this.onopen?.(new Event('open'));
+  }
+
+  emitMessage(payload: unknown) {
+    this.onmessage?.(new MessageEvent('message', { data: payload as string }));
+  }
+
+  emitError() {
+    this.onerror?.(new Event('error'));
+  }
+
+  emitClose(code = 1000, reason = 'normal') {
+    this.onclose?.(new CloseEvent('close', { code, reason }));
+  }
+}
+
+function makeEntryPayload(overrides: Record<string, unknown> = {}) {
+  return JSON.stringify({
+    timestamp: Date.now(),
+    level: 'info',
+    component: 'drydock',
+    msg: 'test message',
+    ...overrides,
+  });
+}
+
+describe('useSystemLogStream', () => {
+  const mockLocation = { protocol: 'http:', host: 'localhost:3000' } as Location;
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    MockWebSocket.instances = [];
+  });
+
+  it('starts disconnected with empty entries', () => {
+    const scope = effectScope();
+    scope.run(() => {
+      const { entries, status } = useSystemLogStream({
+        webSocketFactory: (url) => new MockWebSocket(url) as unknown as WebSocket,
+        location: mockLocation,
+      });
+
+      expect(entries.value).toEqual([]);
+      expect(status.value).toBe('disconnected');
+    });
+    scope.stop();
+  });
+
+  it('connects and receives entries', () => {
+    const scope = effectScope();
+    scope.run(() => {
+      const { entries, status, connect } = useSystemLogStream({
+        webSocketFactory: (url) => new MockWebSocket(url) as unknown as WebSocket,
+        location: mockLocation,
+      });
+
+      connect({ level: 'info', tail: 50 });
+
+      const socket = MockWebSocket.instances[0];
+      socket.emitOpen();
+      expect(status.value).toBe('connected');
+
+      socket.emitMessage(makeEntryPayload({ msg: 'entry-1' }));
+      socket.emitMessage(makeEntryPayload({ msg: 'entry-2' }));
+
+      expect(entries.value).toHaveLength(2);
+      expect(entries.value[0].msg).toBe('entry-1');
+      expect(entries.value[1].msg).toBe('entry-2');
+    });
+    scope.stop();
+  });
+
+  it('caps entries at 2000', () => {
+    const scope = effectScope();
+    scope.run(() => {
+      const { entries, connect } = useSystemLogStream({
+        webSocketFactory: (url) => new MockWebSocket(url) as unknown as WebSocket,
+        location: mockLocation,
+      });
+
+      connect();
+
+      const socket = MockWebSocket.instances[0];
+      socket.emitOpen();
+
+      for (let i = 0; i < 2010; i++) {
+        socket.emitMessage(makeEntryPayload({ msg: `msg-${i}` }));
+      }
+
+      expect(entries.value).toHaveLength(2000);
+      // Oldest entries should be dropped
+      expect(entries.value[0].msg).toBe('msg-10');
+      expect(entries.value[entries.value.length - 1].msg).toBe('msg-2009');
+    });
+    scope.stop();
+  });
+
+  it('disconnects and clears entries', () => {
+    const scope = effectScope();
+    scope.run(() => {
+      const { status, connect, disconnect } = useSystemLogStream({
+        webSocketFactory: (url) => new MockWebSocket(url) as unknown as WebSocket,
+        location: mockLocation,
+      });
+
+      connect();
+      const socket = MockWebSocket.instances[0];
+      socket.emitOpen();
+      socket.emitMessage(makeEntryPayload({ msg: 'before-disconnect' }));
+
+      disconnect();
+      expect(status.value).toBe('disconnected');
+      expect(socket.close).toHaveBeenCalledWith(1000, 'manual-close');
+    });
+    scope.stop();
+  });
+
+  it('updateFilters reconnects with new query and clears entries', () => {
+    const scope = effectScope();
+    scope.run(() => {
+      const { entries, updateFilters, connect } = useSystemLogStream({
+        webSocketFactory: (url) => new MockWebSocket(url) as unknown as WebSocket,
+        location: mockLocation,
+      });
+
+      connect({ level: 'info' });
+      const socket1 = MockWebSocket.instances[0];
+      socket1.emitOpen();
+      socket1.emitMessage(makeEntryPayload({ msg: 'old-entry' }));
+      expect(entries.value).toHaveLength(1);
+
+      updateFilters({ level: 'warn', tail: 200 });
+      expect(entries.value).toHaveLength(0);
+      expect(MockWebSocket.instances).toHaveLength(2);
+      expect(MockWebSocket.instances[1].url).toContain('level=warn');
+      expect(MockWebSocket.instances[1].url).toContain('tail=200');
+    });
+    scope.stop();
+  });
+
+  it('updateFilters creates a new connection when none exists', () => {
+    const scope = effectScope();
+    scope.run(() => {
+      const { updateFilters } = useSystemLogStream({
+        webSocketFactory: (url) => new MockWebSocket(url) as unknown as WebSocket,
+        location: mockLocation,
+      });
+
+      updateFilters({ level: 'error' });
+      expect(MockWebSocket.instances).toHaveLength(1);
+      expect(MockWebSocket.instances[0].url).toContain('level=error');
+    });
+    scope.stop();
+  });
+
+  it('clear empties entries without disconnecting', () => {
+    const scope = effectScope();
+    scope.run(() => {
+      const { entries, status, connect, clear } = useSystemLogStream({
+        webSocketFactory: (url) => new MockWebSocket(url) as unknown as WebSocket,
+        location: mockLocation,
+      });
+
+      connect();
+      const socket = MockWebSocket.instances[0];
+      socket.emitOpen();
+      socket.emitMessage(makeEntryPayload({ msg: 'to-clear' }));
+      expect(entries.value).toHaveLength(1);
+
+      clear();
+      expect(entries.value).toHaveLength(0);
+      expect(status.value).toBe('connected');
+    });
+    scope.stop();
+  });
+
+  it('auto-disconnects on scope dispose', () => {
+    const scope = effectScope();
+    let closeRef: ReturnType<typeof vi.fn> | undefined;
+
+    scope.run(() => {
+      const { connect } = useSystemLogStream({
+        webSocketFactory: (url) => new MockWebSocket(url) as unknown as WebSocket,
+        location: mockLocation,
+      });
+
+      connect();
+      closeRef = MockWebSocket.instances[0].close;
+    });
+
+    scope.stop();
+    expect(closeRef).toHaveBeenCalledWith(1000, 'manual-close');
+  });
+
+  it('handles disconnect when no connection exists', () => {
+    const scope = effectScope();
+    scope.run(() => {
+      const { disconnect, status } = useSystemLogStream({
+        webSocketFactory: (url) => new MockWebSocket(url) as unknown as WebSocket,
+        location: mockLocation,
+      });
+
+      // Should not throw
+      disconnect();
+      expect(status.value).toBe('disconnected');
+    });
+    scope.stop();
+  });
+});
diff --git a/ui/tests/composables/useToast.spec.ts b/ui/tests/composables/useToast.spec.ts
new file mode 100644
index 000000000..f039665e1
--- /dev/null
+++ b/ui/tests/composables/useToast.spec.ts
@@ -0,0 +1,84 @@
+import { beforeEach, describe, expect, test, vi } from 'vitest';
+import { useToast } from '../../src/composables/useToast';
+
+beforeEach(() => {
+  const { toasts, dismissToast } = useToast();
+  for (const t of [...toasts.value]) {
+    dismissToast(t.id);
+  }
+});
+
+describe('useToast', () => {
+  test('addToast adds a toast to the list', () => {
+    const { addToast, toasts } = useToast();
+    addToast('Test title', { tone: 'error', body: 'Test body', duration: 0 });
+    expect(toasts.value).toHaveLength(1);
+    expect(toasts.value[0].title).toBe('Test title');
+    expect(toasts.value[0].body).toBe('Test body');
+    expect(toasts.value[0].tone).toBe('error');
+  });
+
+  test('dismissToast removes a toast by id', () => {
+    const { addToast, toasts, dismissToast } = useToast();
+    addToast('Toast 1', { duration: 0 });
+    addToast('Toast 2', { duration: 0 });
+    expect(toasts.value).toHaveLength(2);
+    dismissToast(toasts.value[0].id);
+    expect(toasts.value).toHaveLength(1);
+    expect(toasts.value[0].title).toBe('Toast 2');
+  });
+
+  test('error helper sets tone to error', () => {
+    const { error, toasts } = useToast();
+    error('Fail', 'Details');
+    expect(toasts.value[0].tone).toBe('error');
+    expect(toasts.value[0].title).toBe('Fail');
+    expect(toasts.value[0].body).toBe('Details');
+  });
+
+  test('success helper sets tone to success', () => {
+    const { success, toasts } = useToast();
+    success('Done');
+    expect(toasts.value[0].tone).toBe('success');
+  });
+
+  test('warning helper sets tone to warning', () => {
+    const { warning, toasts } = useToast();
+    warning('Careful');
+    expect(toasts.value[0].tone).toBe('warning');
+  });
+
+  test('info helper sets tone to info', () => {
+    const { info, toasts } = useToast();
+    info('FYI');
+    expect(toasts.value[0].tone).toBe('info');
+  });
+
+  test('auto-dismisses after duration', () => {
+    vi.useFakeTimers();
+    const { addToast, toasts } = useToast();
+    addToast('Temporary', { duration: 3000 });
+    expect(toasts.value).toHaveLength(1);
+    vi.advanceTimersByTime(3000);
+    expect(toasts.value).toHaveLength(0);
+    vi.useRealTimers();
+  });
+
+  test('addToast defaults to info tone and auto-dismiss', () => {
+    vi.useFakeTimers();
+    const { addToast, toasts } = useToast();
+    addToast('Default');
+    expect(toasts.value[0].tone).toBe('info');
+    vi.advanceTimersByTime(6000);
+    expect(toasts.value).toHaveLength(0);
+    vi.useRealTimers();
+  });
+
+  test('shares state across multiple useToast calls', () => {
+    const a = useToast();
+    const b = useToast();
+    a.error('From A');
+    expect(b.toasts.value).toHaveLength(1);
+    expect(b.toasts.value[0].title).toBe('From A');
+  });
+});
diff --git a/ui/tests/config/vite.config.spec.ts b/ui/tests/config/vite.config.spec.ts
index f1da0959c..6ea38f622 100644
--- a/ui/tests/config/vite.config.spec.ts
+++ b/ui/tests/config/vite.config.spec.ts
@@ -1,44 +1,57 @@
 // @vitest-environment node
 import viteConfig from '../../vite.config';
 
-const getManualChunks = () => {
-  const output = viteConfig.build?.rollupOptions?.output;
+type CodeSplittingGroup = { name: string; test: RegExp };
+
+const getCodeSplittingGroups = (): CodeSplittingGroup[] => {
+  const output = viteConfig.build?.rolldownOptions?.output;
   const normalizedOutput = Array.isArray(output) ? output[0] : output;
-  const { manualChunks } = normalizedOutput ?? {};
+  const groups = (normalizedOutput as Record<string, unknown>)?.codeSplitting as
+    | { groups: CodeSplittingGroup[] }
+    | undefined;
 
-  expect(typeof manualChunks).toBe('function');
-  if (typeof manualChunks !== 'function') {
-    throw new Error('Expected build.rollupOptions.output.manualChunks to be a function');
-  }
+  expect(groups?.groups).toBeDefined();
+  expect(Array.isArray(groups?.groups)).toBe(true);
 
-  return manualChunks;
+  return groups!.groups;
 };
 
+const findGroup = (groups: CodeSplittingGroup[], path: string): string | undefined =>
+  groups.find((g) => g.test.test(path))?.name;
+
 describe('vite build configuration', () => {
   it('disables source maps for production builds', () => {
     expect(viteConfig.build?.sourcemap).toBe(false);
   });
 
-  it('splits framework and icon vendor bundles using manual chunks', () => {
-    const manualChunks = getManualChunks();
-    const chunkFor = (id: string) => manualChunks(id, {} as Parameters<typeof manualChunks>[1]);
+  it('splits framework and icon vendor bundles using codeSplitting groups', () => {
+    const groups = getCodeSplittingGroups();
 
-    expect(chunkFor('/Users/test/app/src/main.ts')).toBeUndefined();
-    expect(chunkFor('/Users/test/app/node_modules/vue/dist/vue.runtime.esm-bundler.js')).toBe(
+    expect(findGroup(groups, '/Users/test/app/src/main.ts')).toBeUndefined();
+    expect(
+      findGroup(groups, '/Users/test/app/node_modules/vue/dist/vue.runtime.esm-bundler.js'),
+    ).toBe('framework');
+    expect(findGroup(groups, '/Users/test/app/node_modules/vue-router/dist/vue-router.mjs')).toBe(
       'framework',
     );
-    expect(chunkFor('/Users/test/app/node_modules/vue-router/dist/vue-router.mjs')).toBe(
-      'framework',
-    );
-    expect(chunkFor('/Users/test/app/node_modules/iconify-icon/dist/iconify-icon.mjs')).toBe(
-      'icons',
-    );
-    expect(chunkFor('/Users/test/app/node_modules/@headlessui/vue/dist/headlessui.esm.js')).toBe(
-      'vendor',
-    );
-    expect(chunkFor('/Users/test/app/node_modules/pinia/dist/pinia.mjs')).toBe('vendor');
-    expect(chunkFor('C:\\app\\node_modules\\vue\\dist\\vue.runtime.esm-bundler.js')).toBe(
+    expect(
+      findGroup(groups, '/Users/test/app/node_modules/iconify-icon/dist/iconify-icon.mjs'),
+    ).toBe('icons');
+    expect(
+      findGroup(groups, '/Users/test/app/node_modules/@headlessui/vue/dist/headlessui.esm.js'),
+    ).toBe('vendor');
+    expect(findGroup(groups, '/Users/test/app/node_modules/pinia/dist/pinia.mjs')).toBe('vendor');
+    expect(findGroup(groups, 'C:\\app\\node_modules\\vue\\dist\\vue.runtime.esm-bundler.js')).toBe(
       'framework',
     );
   });
+
+  it('defines exactly three codeSplitting groups in priority order', () => {
+    const groups = getCodeSplittingGroups();
+
+    expect(groups).toHaveLength(3);
+    expect(groups[0]?.name).toBe('framework');
+    expect(groups[1]?.name).toBe('icons');
+    expect(groups[2]?.name).toBe('vendor');
+  });
 });
diff --git a/ui/tests/layouts/AppLayout.spec.ts b/ui/tests/layouts/AppLayout.spec.ts
index 166af0458..484636513 100644
--- a/ui/tests/layouts/AppLayout.spec.ts
+++ b/ui/tests/layouts/AppLayout.spec.ts
@@ -13,6 +13,7 @@ const {
   mockGetEffectiveDisplayIcon,
   mockGetAllNotificationRules,
   mockGetAllRegistries,
+  mockGetServer,
   mockGetAllTriggers,
   mockGetAllWatchers,
   mockSseConnect,
@@ -30,6 +31,7 @@ const {
   mockGetEffectiveDisplayIcon: vi.fn(),
   mockGetAllNotificationRules: vi.fn(),
   mockGetAllRegistries: vi.fn(),
+  mockGetServer: vi.fn(),
   mockGetAllTriggers: vi.fn(),
   mockGetAllWatchers: vi.fn(),
   mockSseConnect: vi.fn(),
@@ -96,6 +98,10 @@ vi.mock('@/services/registry', () => ({
   getAllRegistries: (...args: unknown[]) => mockGetAllRegistries(...args),
 }));
 
+vi.mock('@/services/server', () => ({
+  getServer: (...args: unknown[]) => mockGetServer(...args),
+}));
+
 vi.mock('@/services/trigger', () => ({
   getAllTriggers: (...args: unknown[]) => mockGetAllTriggers(...args),
 }));
@@ -140,6 +146,15 @@ describe('AppLayout', () => {
     mockGetAllTriggers.mockResolvedValue([]);
     mockGetAllWatchers.mockResolvedValue([]);
     mockGetAllRegistries.mockResolvedValue([]);
+    mockGetServer.mockResolvedValue({
+      compatibility: {
+        legacyInputs: {
+          total: 0,
+          env: { total: 0, keys: [] },
+          label: { total: 0, keys: [] },
+        },
+      },
+    });
     mockGetAllAuthentications.mockResolvedValue([]);
     mockGetAllNotificationRules.mockResolvedValue([]);
     mockGetEffectiveDisplayIcon.mockReturnValue('docker');
@@ -348,7 +363,7 @@ describe('AppLayout', () => {
 
     const banner = wrapper.find('[data-testid="oidc-http-compat-banner"]');
     expect(banner.exists()).toBe(true);
-    expect(banner.text()).toContain('Migrate your IdP to HTTPS');
+    expect(banner.text()).toContain('Migration guide');
   });
 
   it('supports dismissing OIDC HTTP compatibility banner for current session', async () => {
@@ -393,7 +408,10 @@ describe('AppLayout', () => {
 
     expect(wrapper.find('[data-testid="oidc-http-compat-banner"]').exists()).toBe(true);
 
-    await wrapper.find('[data-testid="oidc-http-compat-banner-dismiss-forever"]').trigger('click');
+    await wrapper
+      .find('[data-testid="oidc-http-compat-banner-dismiss-forever"] input[type="checkbox"]')
+      .setValue(true);
+    await wrapper.find('[data-testid="oidc-http-compat-banner-dismiss-session"]').trigger('click');
     await flushPromises();
 
     expect(wrapper.find('[data-testid="oidc-http-compat-banner"]').exists()).toBe(false);
@@ -483,7 +501,10 @@ describe('AppLayout', () => {
     expect(wrapper.find('[data-testid="sha-hash-deprecation-banner"]').exists()).toBe(true);
 
     await wrapper
-      .find('[data-testid="sha-hash-deprecation-banner-dismiss-forever"]')
+      .find('[data-testid="sha-hash-deprecation-banner-dismiss-forever"] input[type="checkbox"]')
+      .setValue(true);
+    await wrapper
+      .find('[data-testid="sha-hash-deprecation-banner-dismiss-session"]')
       .trigger('click');
     await flushPromises();
 
@@ -527,4 +548,120 @@ describe('AppLayout', () => {
 
     expect(wrapper.find('[data-testid="sha-hash-deprecation-banner"]').exists()).toBe(false);
   });
+
+  it('shows a legacy env deprecation banner with truncated key preview', async () => {
+    mockGetServer.mockResolvedValue({
+      compatibility: {
+        legacyInputs: {
+          total: 20,
+          env: {
+            total: 20,
+            keys: [
+              'DD_TRIGGER_DOCKER_LOCAL_AUTO',
+              'DD_TRIGGER_DOCKER_LOCAL_PRUNE',
+              'DD_TRIGGER_DOCKER_LOCAL_INCLUDE',
+              'DD_TRIGGER_DOCKER_LOCAL_EXCLUDE',
+              'DD_TRIGGER_DOCKER_LOCAL_NOTIFY',
+              'DD_TRIGGER_DOCKER_LOCAL_INTERVAL',
+              'WUD_SERVER_PORT',
+              'WUD_WATCHER_LOCAL_WATCHBYDEFAULT',
+            ],
+          },
+          label: { total: 0, keys: [] },
+        },
+      },
+    });
+
+    const wrapper = mountLayout();
+    mountedWrappers.push(wrapper);
+    await flushPromises();
+
+    const banner = wrapper.find('[data-testid="legacy-config-deprecation-banner"]');
+    expect(banner.exists()).toBe(true);
+    expect(banner.text()).toContain('20 legacy configuration aliases detected');
+    expect(banner.text()).toContain('Env keys (20):');
+    expect(banner.text()).toContain('DD_TRIGGER_DOCKER_LOCAL_AUTO');
+    expect(banner.text()).toContain('(+2 more)');
+  });
+
+  it('shows consolidated legacy config banner when only labels are detected', async () => {
+    mockGetServer.mockResolvedValue({
+      compatibility: {
+        legacyInputs: {
+          total: 3,
+          env: { total: 0, keys: [] },
+          label: {
+            total: 3,
+            keys: ['wud.tag.include', 'wud.tag.exclude', 'wud.watch'],
+          },
+        },
+      },
+    });
+
+    const wrapper = mountLayout();
+    mountedWrappers.push(wrapper);
+    await flushPromises();
+
+    const banner = wrapper.find('[data-testid="legacy-config-deprecation-banner"]');
+    expect(banner.exists()).toBe(true);
+    expect(banner.text()).toContain('3 legacy configuration aliases detected');
+    expect(banner.text()).toContain('Label keys (3):');
+    expect(banner.text()).toContain('wud.watch');
+  });
+
+  it('shows a legacy API path deprecation banner when server reports API path usage', async () => {
+    mockGetServer.mockResolvedValue({
+      compatibility: {
+        legacyInputs: {
+          total: 7,
+          env: { total: 0, keys: [] },
+          label: { total: 0, keys: [] },
+          api: {
+            total: 7,
+            keys: ['/api/containers', '/api/settings'],
+          },
+        },
+      },
+    });
+
+    const wrapper = mountLayout();
+    mountedWrappers.push(wrapper);
+    await flushPromises();
+
+    const banner = wrapper.find('[data-testid="legacy-api-path-deprecation-banner"]');
+    expect(banner.exists()).toBe(true);
+    expect(banner.text()).toContain('7 legacy API paths detected');
+    expect(banner.text()).toContain('/api/containers');
+  });
+
+  it('dismisses consolidated legacy config banner', async () => {
+    mockGetServer.mockResolvedValue({
+      compatibility: {
+        legacyInputs: {
+          total: 2,
+          env: { total: 1, keys: ['DD_TRIGGER_DOCKER_LOCAL_AUTO'] },
+          label: { total: 1, keys: ['wud.watch'] },
+        },
+      },
+    });
+
+    const wrapper = mountLayout();
+    mountedWrappers.push(wrapper);
+    await flushPromises();
+
+    expect(wrapper.find('[data-testid="legacy-config-deprecation-banner"]').exists()).toBe(true);
+
+    await wrapper
+      .find(
+        '[data-testid="legacy-config-deprecation-banner-dismiss-forever"] input[type="checkbox"]',
+      )
+      .setValue(true);
+    await wrapper
+      .find('[data-testid="legacy-config-deprecation-banner-dismiss-session"]')
+      .trigger('click');
+    await flushPromises();
+
+    expect(wrapper.find('[data-testid="legacy-config-deprecation-banner"]').exists()).toBe(false);
+    expect(localStorage.getItem('dd-banner-legacy-config-v1')).toBe('true');
+  });
 });
diff --git a/ui/tests/preferences/deepMerge.spec.ts b/ui/tests/preferences/deepMerge.spec.ts
index e31314ef9..edf6a6986 100644
--- a/ui/tests/preferences/deepMerge.spec.ts
+++ b/ui/tests/preferences/deepMerge.spec.ts
@@ -15,6 +15,28 @@ describe('deepMerge', () => {
     expect(merged.layout).toEqual({ sidebarCollapsed: false });
   });
 
+  it('preserves array values from source when target has matching key', () => {
+    const target = {
+      dashboard: {
+        widgetOrder: ['a', 'b'],
+        hiddenWidgets: [],
+        gridLayout: [] as { i: string; x: number; y: number; w: number; h: number }[],
+      },
+    };
+    const source = {
+      dashboard: {
+        widgetOrder: ['b', 'a'],
+        gridLayout: [{ i: 'a', x: 1, y: 2, w: 3, h: 4 }],
+      },
+    };
+
+    const merged = deepMerge(structuredClone(target), source);
+
+    expect(merged.dashboard.gridLayout).toEqual([{ i: 'a', x: 1, y: 2, w: 3, h: 4 }]);
+    expect(merged.dashboard.widgetOrder).toEqual(['b', 'a']);
+    expect(merged.dashboard.hiddenWidgets).toEqual([]);
+  });
+
   it('does not overwrite with undefined source values', () => {
     const merged = deepMerge({ containers: { viewMode: 'table', groupByStack: false } }, {
       containers: { viewMode: undefined },
diff --git a/ui/tests/preferences/migrate.spec.ts b/ui/tests/preferences/migrate.spec.ts
index 598b27c64..b9495d4f5 100644
--- a/ui/tests/preferences/migrate.spec.ts
+++ b/ui/tests/preferences/migrate.spec.ts
@@ -144,6 +144,27 @@ describe('preferences migration', () => {
       expect(result.containers.tableActions).toBe(DEFAULTS.containers.tableActions);
     });
 
+    it('should replace invalid container columns with default', () => {
+      const result = migrate({ schemaVersion: 1, containers: { columns: 'name' as any } });
+      expect(result.containers.columns).toEqual(DEFAULTS.containers.columns);
+    });
+
+    it('should preserve dashboard gridLayout through migration (#223)', () => {
+      const gridLayout = [
+        { i: 'host-status', x: 10, y: 11, w: 4, h: 6 },
+        { i: 'recent-updates', x: 0, y: 0, w: 12, h: 8 },
+      ];
+      const result = migrate({
+        schemaVersion: 1,
+        dashboard: {
+          widgetOrder: ['host-status', 'recent-updates'],
+          hiddenWidgets: [],
+          gridLayout,
+        },
+      });
+      expect(result.dashboard.gridLayout).toEqual(gridLayout);
+    });
+
     it('should preserve all valid values through sanitization', () => {
       const input = {
         schemaVersion: 1,
@@ -404,7 +425,16 @@ describe('preferences migration', () => {
         const columns = ['name', 'status', 'registry'];
         localStorage.setItem('dd-table-cols-v1', JSON.stringify(columns));
         const result = migrateFromLegacyKeys();
-        expect(result.containers.columns).toEqual(columns);
+        expect(result.containers.columns).toEqual(['icon', ...columns]);
+      });
+
+      it('should drop stale columns that no longer exist in the table', () => {
+        localStorage.setItem(
+          'dd-table-cols-v1',
+          JSON.stringify(['icon', 'name', 'bouncer', 'status', 'registry']),
+        );
+        const result = migrateFromLegacyKeys();
+        expect(result.containers.columns).toEqual(['icon', 'name', 'status', 'registry']);
       });
     });
 
diff --git a/ui/tests/preferences/radius.types.ts b/ui/tests/preferences/radius.types.ts
deleted file mode 100644
index 1dd5f1489..000000000
--- a/ui/tests/preferences/radius.types.ts
+++ /dev/null
@@ -1,13 +0,0 @@
-import type { applyRadius } from '@/preferences/radius';
-
-type RadiusParam = Parameters<typeof applyRadius>[0];
-type ExpectedRadiusPresetId = 'none' | 'sharp' | 'modern' | 'soft' | 'round';
-
-type IsRadiusParamExpected = [RadiusParam] extends [ExpectedRadiusPresetId]
-  ? [ExpectedRadiusPresetId] extends [RadiusParam]
-    ? true
-    : false
-  : false;
-
-const applyRadiusParamMatchesExpected: IsRadiusParamExpected = true;
-void applyRadiusParamMatchesExpected;
diff --git a/ui/tests/preferences/tsconfig.radius.types.json b/ui/tests/preferences/tsconfig.radius.types.json
deleted file mode 100644
index a4aa24261..000000000
--- a/ui/tests/preferences/tsconfig.radius.types.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
-  "extends": "../../tsconfig.json",
-  "include": ["../../src/preferences/radius.ts", "./radius.types.ts"]
-}
diff --git a/ui/tests/router/index.spec.ts b/ui/tests/router/index.spec.ts
index a6ba70684..d760831a9 100644
--- a/ui/tests/router/index.spec.ts
+++ b/ui/tests/router/index.spec.ts
@@ -52,7 +52,7 @@ describe('router auth guard', () => {
       .map((route) => route.component as () => Promise<unknown>);
     const loaders = [...topLevelLoaders, ...childLoaders];
 
-    expect(loaders).toHaveLength(14);
+    expect(loaders).toHaveLength(15);
     await Promise.all(loaders.map((loader) => loader()));
   });
 
diff --git a/ui/tests/router/routes.spec.ts b/ui/tests/router/routes.spec.ts
index 3ce52f555..d7976e3ab 100644
--- a/ui/tests/router/routes.spec.ts
+++ b/ui/tests/router/routes.spec.ts
@@ -16,4 +16,8 @@ describe('ROUTES', () => {
 
     expect(duplicatePaths).toEqual([]);
   });
+
+  it('defines a dedicated container logs route with an id param', () => {
+    expect(ROUTES.CONTAINER_LOGS).toBe('/containers/:id/logs');
+  });
 });
diff --git a/ui/tests/security/picomatch-lockfile.spec.ts b/ui/tests/security/picomatch-lockfile.spec.ts
new file mode 100644
index 000000000..74b5447ab
--- /dev/null
+++ b/ui/tests/security/picomatch-lockfile.spec.ts
@@ -0,0 +1,35 @@
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { describe, expect, it } from 'vitest';
+
+function compareSemver(a: string, b: string): number {
+  const aParts = a.split('.').map(Number);
+  const bParts = b.split('.').map(Number);
+
+  for (let index = 0; index < Math.max(aParts.length, bParts.length); index += 1) {
+    const aPart = aParts[index] ?? 0;
+    const bPart = bParts[index] ?? 0;
+    if (aPart !== bPart) {
+      return aPart - bPart;
+    }
+  }
+
+  return 0;
+}
+
+describe('ui package lockfile security', () => {
+  it('does not pin vulnerable picomatch versions', () => {
+    const lockfilePath = join(process.cwd(), 'package-lock.json');
+    const lockfile = JSON.parse(readFileSync(lockfilePath, 'utf8')) as {
+      packages?: Record<string, { version?: string }>;
+    };
+
+    const vulnerableEntries = Object.entries(lockfile.packages ?? {})
+      .filter(([, value]) => {
+        return typeof value.version === 'string' && compareSemver(value.version, '4.0.4') < 0;
+      })
+      .filter(([path]) => path.includes('picomatch'));
+
+    expect(vulnerableEntries).toEqual([]);
+  });
+});
diff --git a/ui/tests/security/yaml-lockfile.spec.ts b/ui/tests/security/yaml-lockfile.spec.ts
new file mode 100644
index 000000000..66668b260
--- /dev/null
+++ b/ui/tests/security/yaml-lockfile.spec.ts
@@ -0,0 +1,41 @@
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { describe, expect, it } from 'vitest';
+
+function compareSemver(a: string, b: string): number {
+  const aParts = a.split('.').map(Number);
+  const bParts = b.split('.').map(Number);
+
+  for (let index = 0; index < Math.max(aParts.length, bParts.length); index += 1) {
+    const aPart = aParts[index] ?? 0;
+    const bPart = bParts[index] ?? 0;
+
+    if (aPart !== bPart) {
+      return aPart - bPart;
+    }
+  }
+
+  return 0;
+}
+
+describe('ui yaml security', () => {
+  it('package manifest explicitly pins yaml to the patched version', () => {
+    const packageJson = JSON.parse(readFileSync(join(process.cwd(), 'package.json'), 'utf8')) as {
+      overrides?: Record<string, string>;
+    };
+
+    expect(packageJson.overrides?.yaml).toBe('2.8.3');
+  });
+
+  it('package lockfile does not resolve vulnerable yaml versions', () => {
+    const lockfile = JSON.parse(readFileSync(join(process.cwd(), 'package-lock.json'), 'utf8')) as {
+      packages?: Record<string, { version?: string }>;
+    };
+
+    const vulnerableEntries = Object.entries(lockfile.packages ?? {})
+      .filter(([path, value]) => path === 'node_modules/yaml' && typeof value.version === 'string')
+      .filter(([, value]) => compareSemver(value.version, '2.8.3') < 0);
+
+    expect(vulnerableEntries).toEqual([]);
+  });
+});
diff --git a/ui/tests/services/audit.spec.ts b/ui/tests/services/audit.spec.ts
index e31380655..c8baf4bf0 100644
--- a/ui/tests/services/audit.spec.ts
+++ b/ui/tests/services/audit.spec.ts
@@ -58,6 +58,34 @@ describe('audit service', () => {
     expect(calledUrl).toContain('to=2026-01-31');
   });
 
+  it('appends actions query parameter when actions are provided', async () => {
+    global.fetch = vi.fn().mockResolvedValue({
+      ok: true,
+      json: () => Promise.resolve({ data: [], total: 0 }),
+    });
+
+    await getAuditLog({
+      actions: ['update-found', 'update-applied'],
+    });
+
+    const calledUrl = (global.fetch as any).mock.calls[0][0];
+    expect(calledUrl).toContain('actions=update-found%2Cupdate-applied');
+  });
+
+  it('omits actions query parameter when actions are empty', async () => {
+    global.fetch = vi.fn().mockResolvedValue({
+      ok: true,
+      json: () => Promise.resolve({ data: [], total: 0 }),
+    });
+
+    await getAuditLog({
+      actions: [],
+    });
+
+    const calledUrl = (global.fetch as any).mock.calls[0][0];
+    expect(calledUrl).toBe('/api/v1/audit?limit=50');
+  });
+
   it('prefers explicit offset over page-derived offset', async () => {
     global.fetch = vi.fn().mockResolvedValue({
       ok: true,
diff --git a/ui/tests/services/auth.spec.ts b/ui/tests/services/auth.spec.ts
index dc0eed0f8..24375f33a 100644
--- a/ui/tests/services/auth.spec.ts
+++ b/ui/tests/services/auth.spec.ts
@@ -97,6 +97,54 @@ describe('Auth Service', () => {
         'Username or password error',
       );
     });
+
+    it('surfaces API error details for non-credential failures', async () => {
+      fetchMock.mockResolvedValueOnce({
+        ok: false,
+        status: 500,
+        json: async () => ({ error: "Basic auth 'ANDI': hash is required" }),
+      });
+
+      await expect(loginBasic('testuser', 'testpass')).rejects.toThrow(
+        "Basic auth 'ANDI': hash is required",
+      );
+    });
+
+    it('falls back to generic credential error when payload is not an object', async () => {
+      fetchMock.mockResolvedValueOnce({
+        ok: false,
+        status: 500,
+        json: async () => 'not-an-object',
+      });
+
+      await expect(loginBasic('testuser', 'testpass')).rejects.toThrow(
+        'Username or password error',
+      );
+    });
+
+    it('falls back to generic credential error when payload has no error field', async () => {
+      fetchMock.mockResolvedValueOnce({
+        ok: false,
+        status: 500,
+        json: async () => ({ detail: 'missing field' }),
+      });
+
+      await expect(loginBasic('testuser', 'testpass')).rejects.toThrow(
+        'Username or password error',
+      );
+    });
+
+    it('falls back to generic credential error when payload error is non-string', async () => {
+      fetchMock.mockResolvedValueOnce({
+        ok: false,
+        status: 500,
+        json: async () => ({ error: { message: 'not-a-string' } }),
+      });
+
+      await expect(loginBasic('testuser', 'testpass')).rejects.toThrow(
+        'Username or password error',
+      );
+    });
   });
 
   describe('logout', () => {
diff --git a/ui/tests/services/container.spec.ts b/ui/tests/services/container.spec.ts
index 127850cd1..7e3f0484a 100644
--- a/ui/tests/services/container.spec.ts
+++ b/ui/tests/services/container.spec.ts
@@ -3,6 +3,7 @@ import {
   getAllContainers,
   getContainerLogs,
   getContainerRecentStatus,
+  getContainerReleaseNotes,
   getContainerSbom,
   getContainerSummary,
   getContainerTriggers,
@@ -892,4 +893,50 @@ describe('Container Service', () => {
       );
     });
   });
+
+  describe('getContainerReleaseNotes', () => {
+    it('fetches release notes successfully', async () => {
+      const mockNotes = {
+        title: 'Release 2.0',
+        body: 'New features',
+        url: 'https://github.com/org/repo/releases/tag/v2.0',
+        publishedAt: '2026-01-15T00:00:00Z',
+        provider: 'github',
+      };
+      vi.mocked(fetch).mockResolvedValueOnce({
+        ok: true,
+        status: 200,
+        json: async () => mockNotes,
+      } as any);
+
+      const result = await getContainerReleaseNotes('c1');
+      expect(fetch).toHaveBeenCalledWith('/api/v1/containers/c1/release-notes', {
+        credentials: 'include',
+      });
+      expect(result).toEqual(mockNotes);
+    });
+
+    it('returns null when release notes are not found (404)', async () => {
+      vi.mocked(fetch).mockResolvedValueOnce({
+        ok: false,
+        status: 404,
+        statusText: 'Not Found',
+      } as any);
+
+      const result = await getContainerReleaseNotes('c1');
+      expect(result).toBeNull();
+    });
+
+    it('throws when fetching release notes fails with non-404 error', async () => {
+      vi.mocked(fetch).mockResolvedValueOnce({
+        ok: false,
+        status: 500,
+        statusText: 'Internal Server Error',
+      } as any);
+
+      await expect(getContainerReleaseNotes('c1')).rejects.toThrow(
+        'Failed to get release notes for container c1: Internal Server Error',
+      );
+    });
+  });
 });
diff --git a/ui/tests/services/debug.spec.ts b/ui/tests/services/debug.spec.ts
new file mode 100644
index 000000000..211fdd30c
--- /dev/null
+++ b/ui/tests/services/debug.spec.ts
@@ -0,0 +1,146 @@
+import { downloadDebugDump } from '@/services/debug';
+
+describe('Debug Service', () => {
+  beforeEach(() => {
+    global.fetch = vi.fn();
+  });
+
+  afterEach(() => {
+    vi.resetAllMocks();
+  });
+
+  it('requests debug dump and returns blob + filename from response headers', async () => {
+    const blob = new Blob(['{"ok":true}'], { type: 'application/json' });
+    (global.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
+      ok: true,
+      blob: vi.fn().mockResolvedValue(blob),
+      headers: {
+        get: vi.fn((name: string) =>
+          name.toLowerCase() === 'content-disposition'
+            ? 'attachment; filename="drydock-debug-dump-2026-03-18.json"'
+            : null,
+        ),
+      },
+    });
+
+    const result = await downloadDebugDump();
+
+    expect(global.fetch).toHaveBeenCalledWith('/api/v1/debug/dump', {
+      credentials: 'include',
+      headers: {
+        Accept: 'application/json',
+      },
+    });
+    expect(result.blob).toBe(blob);
+    expect(result.filename).toBe('drydock-debug-dump-2026-03-18.json');
+  });
+
+  it('falls back to default filename when content-disposition is missing', async () => {
+    const blob = new Blob(['{"ok":true}'], { type: 'application/json' });
+    (global.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
+      ok: true,
+      blob: vi.fn().mockResolvedValue(blob),
+      headers: {
+        get: vi.fn(() => null),
+      },
+    });
+
+    const result = await downloadDebugDump();
+    expect(result.filename).toBe('drydock-debug-dump.json');
+  });
+
+  it('decodes UTF-8 filenames and falls back to the raw value when decoding fails', async () => {
+    const blob = new Blob(['{"ok":true}'], { type: 'application/json' });
+    (global.fetch as ReturnType<typeof vi.fn>)
+      .mockResolvedValueOnce({
+        ok: true,
+        blob: vi.fn().mockResolvedValue(blob),
+        headers: {
+          get: vi.fn(() => "attachment; filename*=UTF-8''drydock%20debug%20dump.json"),
+        },
+      })
+      .mockResolvedValueOnce({
+        ok: true,
+        blob: vi.fn().mockResolvedValue(blob),
+        headers: {
+          get: vi.fn(() => "attachment; filename*=UTF-8''drydock%ZZdebug.json"),
+        },
+      });
+
+    await expect(downloadDebugDump()).resolves.toMatchObject({
+      blob,
+      filename: 'drydock debug dump.json',
+    });
+    await expect(downloadDebugDump()).resolves.toMatchObject({
+      blob,
+      filename: 'drydock%ZZdebug.json',
+    });
+  });
+
+  it('falls back to the plain filename parameter', async () => {
+    const blob = new Blob(['{"ok":true}'], { type: 'application/json' });
+    (global.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
+      ok: true,
+      blob: vi.fn().mockResolvedValue(blob),
+      headers: {
+        get: vi.fn(() => 'attachment; filename=drydock-debug-dump-plain.json'),
+      },
+    });
+
+    const result = await downloadDebugDump();
+    expect(result.filename).toBe('drydock-debug-dump-plain.json');
+  });
+
+  it('returns no filename when the content-disposition header has no filename token', async () => {
+    const blob = new Blob(['{"ok":true}'], { type: 'application/json' });
+    (global.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
+      ok: true,
+      blob: vi.fn().mockResolvedValue(blob),
+      headers: {
+        get: vi.fn(() => 'attachment; creation-date="Wed, 18 Mar 2026 12:00:00 GMT"'),
+      },
+    });
+
+    const result = await downloadDebugDump();
+    expect(result.filename).toBe('drydock-debug-dump.json');
+  });
+
+  it('throws API error when request fails', async () => {
+    (global.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
+      ok: false,
+      status: 500,
+      json: vi.fn().mockResolvedValue({ error: 'Unable to generate debug dump' }),
+      headers: {
+        get: vi.fn(() => null),
+      },
+    });
+
+    await expect(downloadDebugDump()).rejects.toThrow('Unable to generate debug dump');
+  });
+
+  it('falls back to HTTP status when the error payload is blank', async () => {
+    (global.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
+      ok: false,
+      status: 500,
+      json: vi.fn().mockResolvedValue({ error: '   ' }),
+      headers: {
+        get: vi.fn(() => null),
+      },
+    });
+
+    await expect(downloadDebugDump()).rejects.toThrow('HTTP 500');
+  });
+
+  it('falls back to HTTP status when the error payload is not usable', async () => {
+    (global.fetch as ReturnType<typeof vi.fn>).mockResolvedValue({
+      ok: false,
+      status: 502,
+      json: vi.fn().mockRejectedValue(new Error('bad json')),
+      headers: {
+        get: vi.fn(() => null),
+      },
+    });
+
+    await expect(downloadDebugDump()).rejects.toThrow('HTTP 502');
+  });
+});
diff --git a/ui/tests/services/logs.spec.ts b/ui/tests/services/logs.spec.ts
new file mode 100644
index 000000000..aceb6aa55
--- /dev/null
+++ b/ui/tests/services/logs.spec.ts
@@ -0,0 +1,361 @@
+import {
+  buildContainerLogStreamUrl,
+  createContainerLogStreamConnection,
+  downloadContainerLogs,
+  toLogTailValue,
+} from '@/services/logs';
+
+class MockWebSocket {
+  static instances: MockWebSocket[] = [];
+
+  readonly url: string;
+  onopen: ((event: Event) => void) | null = null;
+  onmessage: ((event: MessageEvent) => void) | null = null;
+  onerror: ((event: Event) => void) | null = null;
+  onclose: ((event: CloseEvent) => void) | null = null;
+  close = vi.fn();
+
+  constructor(url: string) {
+    this.url = url;
+    MockWebSocket.instances.push(this);
+  }
+
+  emitOpen() {
+    this.onopen?.(new Event('open'));
+  }
+
+  emitMessage(payload: unknown) {
+    this.onmessage?.(new MessageEvent('message', { data: payload as string }));
+  }
+
+  emitError() {
+    this.onerror?.(new Event('error'));
+  }
+
+  emitClose(code = 1000, reason = 'normal') {
+    this.onclose?.(new CloseEvent('close', { code, reason }));
+  }
+}
+
+describe('logs service', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    MockWebSocket.instances = [];
+    global.fetch = vi.fn();
+  });
+
+  describe('buildContainerLogStreamUrl', () => {
+    it('uses ws protocol and default query values for http locations', () => {
+      const url = buildContainerLogStreamUrl('abc/def', {}, {
+        protocol: 'http:',
+        host: 'localhost:3000',
+      } as Location);
+
+      expect(url).toBe(
+        'ws://localhost:3000/api/v1/containers/abc%2Fdef/logs/stream?stdout=true&stderr=true&tail=100&follow=true',
+      );
+    });
+
+    it('uses wss protocol and includes explicit query values', () => {
+      const url = buildContainerLogStreamUrl(
+        'container-1',
+        {
+          stdout: false,
+          stderr: true,
+          tail: 'all',
+          since: '2026-03-15T00:00:00Z',
+          follow: false,
+        },
+        {
+          protocol: 'https:',
+          host: 'example.com',
+        } as Location,
+      );
+
+      expect(url).toBe(
+        'wss://example.com/api/v1/containers/container-1/logs/stream?stdout=false&stderr=true&tail=2147483647&since=2026-03-15T00%3A00%3A00Z&follow=false',
+      );
+    });
+  });
+
+  describe('createContainerLogStreamConnection', () => {
+    it('opens socket and emits parsed messages', () => {
+      const onMessage = vi.fn();
+      const onStatus = vi.fn();
+
+      const connection = createContainerLogStreamConnection({
+        containerId: 'container-1',
+        onMessage,
+        onStatus,
+        webSocketFactory: (url) => new MockWebSocket(url) as unknown as WebSocket,
+        location: {
+          protocol: 'http:',
+          host: 'localhost:3000',
+        } as Location,
+      });
+
+      expect(MockWebSocket.instances).toHaveLength(1);
+      const socket = MockWebSocket.instances[0];
+      socket.emitOpen();
+      socket.emitMessage('{"type":"stdout","ts":"2026-03-15T00:00:00Z","line":"hello"}');
+      socket.emitMessage('{"type":"invalid","ts":"2026-03-15T00:00:00Z","line":"ignored"}');
+      socket.emitMessage('"primitive-json"');
+      socket.emitMessage({ unexpected: true });
+      socket.emitMessage('not-json');
+
+      expect(onStatus).toHaveBeenCalledWith('connected');
+      expect(onMessage).toHaveBeenCalledTimes(1);
+      expect(onMessage).toHaveBeenCalledWith({
+        type: 'stdout',
+        ts: '2026-03-15T00:00:00Z',
+        line: 'hello',
+      });
+
+      connection.close();
+      expect(socket.close).toHaveBeenCalledWith(1000, 'manual-close');
+    });
+
+    it('supports update, pause, and resume lifecycle controls', () => {
+      const connection = createContainerLogStreamConnection({
+        containerId: 'container-1',
+        onMessage: vi.fn(),
+        webSocketFactory: (url) => new MockWebSocket(url) as unknown as WebSocket,
+        location: {
+          protocol: 'http:',
+          host: 'localhost:3000',
+        } as Location,
+      });
+
+      expect(MockWebSocket.instances).toHaveLength(1);
+      const firstSocket = MockWebSocket.instances[0];
+
+      connection.update({ tail: 500, stdout: false });
+      expect(firstSocket.close).toHaveBeenCalledWith(1000, 'reconnect');
+      expect(MockWebSocket.instances).toHaveLength(2);
+      expect(MockWebSocket.instances[1].url).toContain('tail=500');
+      expect(MockWebSocket.instances[1].url).toContain('stdout=false');
+
+      const secondSocket = MockWebSocket.instances[1];
+      connection.pause();
+      expect(secondSocket.close).toHaveBeenCalledWith(1000, 'pause');
+      expect(connection.isPaused()).toBe(true);
+
+      connection.resume();
+      expect(MockWebSocket.instances).toHaveLength(3);
+      expect(connection.isPaused()).toBe(false);
+    });
+
+    it('handles idempotent lifecycle no-op branches', () => {
+      const connection = createContainerLogStreamConnection({
+        containerId: 'container-1',
+        onMessage: vi.fn(),
+        webSocketFactory: (url) => new MockWebSocket(url) as unknown as WebSocket,
+        location: {
+          protocol: 'http:',
+          host: 'localhost:3000',
+        } as Location,
+      });
+
+      // resume while active: no-op
+      connection.resume();
+      expect(MockWebSocket.instances).toHaveLength(1);
+
+      // pause twice: second call is no-op branch
+      connection.pause();
+      connection.pause();
+      expect(connection.isPaused()).toBe(true);
+
+      // update while paused: no-op branch
+      const pausedSocket = MockWebSocket.instances[0];
+      connection.update({ tail: 999 });
+      expect(pausedSocket.close).toHaveBeenCalledTimes(1);
+      expect(MockWebSocket.instances).toHaveLength(1);
+
+      // close twice: second call is no-op branch
+      connection.close();
+      connection.close();
+    });
+
+    it('notifies disconnected state on close/error while active', () => {
+      const onStatus = vi.fn();
+
+      createContainerLogStreamConnection({
+        containerId: 'container-1',
+        onMessage: vi.fn(),
+        onStatus,
+        webSocketFactory: (url) => new MockWebSocket(url) as unknown as WebSocket,
+        location: {
+          protocol: 'http:',
+          host: 'localhost:3000',
+        } as Location,
+      });
+
+      const socket = MockWebSocket.instances[0];
+      socket.emitError();
+      socket.emitClose(1011, 'boom');
+
+      expect(onStatus).toHaveBeenCalledWith('disconnected');
+    });
+
+    it('does not notify disconnected when socket events happen after pause/close', () => {
+      const onStatus = vi.fn();
+
+      const connection = createContainerLogStreamConnection({
+        containerId: 'container-1',
+        onMessage: vi.fn(),
+        onStatus,
+        webSocketFactory: (url) => new MockWebSocket(url) as unknown as WebSocket,
+        location: {
+          protocol: 'http:',
+          host: 'localhost:3000',
+        } as Location,
+      });
+
+      const firstSocket = MockWebSocket.instances[0];
+      connection.pause();
+      firstSocket.emitError();
+      firstSocket.emitClose(1011, 'paused-close');
+
+      connection.resume();
+      const resumedSocket = MockWebSocket.instances[1];
+      connection.close();
+      resumedSocket.emitError();
+      resumedSocket.emitClose(1011, 'closed-close');
+
+      const disconnectedCalls = onStatus.mock.calls.filter(([status]) => status === 'disconnected');
+      expect(disconnectedCalls).toHaveLength(0);
+    });
+
+    it('ignores stale socket close events after update-triggered reconnect', () => {
+      const onStatus = vi.fn();
+
+      const connection = createContainerLogStreamConnection({
+        containerId: 'container-1',
+        onMessage: vi.fn(),
+        onStatus,
+        webSocketFactory: (url) => new MockWebSocket(url) as unknown as WebSocket,
+        location: {
+          protocol: 'http:',
+          host: 'localhost:3000',
+        } as Location,
+      });
+
+      const firstSocket = MockWebSocket.instances[0];
+      connection.update({ tail: 500 });
+      firstSocket.emitClose(1000, 'stale-close');
+
+      const disconnectedCalls = onStatus.mock.calls.filter(([status]) => status === 'disconnected');
+      expect(disconnectedCalls).toHaveLength(0);
+    });
+
+    it('ignores stale socket open and message events after update-triggered reconnect', () => {
+      const onStatus = vi.fn();
+      const onMessage = vi.fn();
+
+      const connection = createContainerLogStreamConnection({
+        containerId: 'container-1',
+        onMessage,
+        onStatus,
+        webSocketFactory: (url) => new MockWebSocket(url) as unknown as WebSocket,
+        location: {
+          protocol: 'http:',
+          host: 'localhost:3000',
+        } as Location,
+      });
+
+      const firstSocket = MockWebSocket.instances[0];
+      connection.update({ tail: 500 });
+      const secondSocket = MockWebSocket.instances[1];
+
+      firstSocket.emitOpen();
+      firstSocket.emitMessage('{"type":"stdout","ts":"2026-03-15T00:00:00Z","line":"stale"}');
+      secondSocket.emitOpen();
+      secondSocket.emitMessage('{"type":"stderr","ts":"2026-03-15T00:00:01Z","line":"fresh"}');
+
+      expect(onStatus).toHaveBeenCalledTimes(1);
+      expect(onStatus).toHaveBeenCalledWith('connected');
+      expect(onMessage).toHaveBeenCalledTimes(1);
+      expect(onMessage).toHaveBeenCalledWith({
+        type: 'stderr',
+        ts: '2026-03-15T00:00:01Z',
+        line: 'fresh',
+      });
+    });
+
+    it('uses default browser websocket factory and location when options are omitted', () => {
+      const originalWebSocket = globalThis.WebSocket;
+      const urls: string[] = [];
+      class NativeWebSocketMock extends MockWebSocket {
+        constructor(url: string) {
+          super(url);
+          urls.push(url);
+        }
+      }
+      globalThis.WebSocket = NativeWebSocketMock as unknown as typeof WebSocket;
+
+      try {
+        const connection = createContainerLogStreamConnection({
+          containerId: 'container-1',
+          onMessage: vi.fn(),
+        });
+
+        expect(urls).toHaveLength(1);
+        const streamUrl = urls[0];
+        const expectedProtocol = window.location.protocol === 'https:' ? 'wss://' : 'ws://';
+        expect(streamUrl.startsWith(`${expectedProtocol}${window.location.host}`)).toBe(true);
+        expect(streamUrl).toContain('/api/v1/containers/container-1/logs/stream?');
+
+        connection.close();
+      } finally {
+        globalThis.WebSocket = originalWebSocket;
+      }
+    });
+  });
+
+  describe('downloadContainerLogs', () => {
+    it('requests plain text log download and returns blob payload', async () => {
+      const blob = new Blob(['log payload'], { type: 'text/plain' });
+      vi.mocked(fetch).mockResolvedValueOnce({
+        ok: true,
+        statusText: 'OK',
+        blob: async () => blob,
+      } as Response);
+
+      const result = await downloadContainerLogs('container-1', {
+        stdout: true,
+        stderr: false,
+        tail: 1000,
+        since: '2026-03-15T00:00:00Z',
+      });
+
+      expect(fetch).toHaveBeenCalledWith(
+        '/api/v1/containers/container-1/logs?stdout=true&stderr=false&tail=1000&since=2026-03-15T00%3A00%3A00Z',
+        {
+          credentials: 'include',
+          headers: {
+            Accept: 'text/plain',
+          },
+        },
+      );
+      expect(result).toBe(blob);
+    });
+
+    it('throws on unsuccessful download response', async () => {
+      vi.mocked(fetch).mockResolvedValueOnce({
+        ok: false,
+        statusText: 'Unauthorized',
+      } as Response);
+
+      await expect(downloadContainerLogs('container-1')).rejects.toThrow(
+        'Failed to download logs for container container-1: Unauthorized',
+      );
+    });
+  });
+
+  describe('toLogTailValue', () => {
+    it('maps all tail option to large integer for backend compatibility', () => {
+      expect(toLogTailValue('all')).toBe(2147483647);
+      expect(toLogTailValue(100)).toBe(100);
+    });
+  });
+});
diff --git a/ui/tests/services/stats.spec.ts b/ui/tests/services/stats.spec.ts
new file mode 100644
index 000000000..62f406fe9
--- /dev/null
+++ b/ui/tests/services/stats.spec.ts
@@ -0,0 +1,409 @@
+import {
+  connectContainerStatsStream,
+  getAllContainerStats,
+  getContainerStats,
+} from '@/services/stats';
+
+interface MockEventSource {
+  addEventListener: ReturnType<typeof vi.fn>;
+  close: ReturnType<typeof vi.fn>;
+  onerror: ((event: Event) => void) | null;
+  emit: (event: string, payload?: unknown) => void;
+}
+
+describe('stats service', () => {
+  let mockFetch: ReturnType<typeof vi.fn>;
+
+  beforeEach(() => {
+    mockFetch = vi.fn();
+    vi.stubGlobal('fetch', mockFetch);
+  });
+
+  afterEach(() => {
+    vi.useRealTimers();
+    vi.unstubAllGlobals();
+  });
+
+  it('fetches a container snapshot and history', async () => {
+    mockFetch.mockResolvedValue({
+      ok: true,
+      json: async () => ({
+        data: {
+          containerId: 'c1',
+          cpuPercent: 12,
+          memoryUsageBytes: 100,
+          memoryLimitBytes: 200,
+          memoryPercent: 50,
+          networkRxBytes: 10,
+          networkTxBytes: 11,
+          blockReadBytes: 12,
+          blockWriteBytes: 13,
+          timestamp: '2026-03-14T10:00:00.000Z',
+        },
+        history: [],
+      }),
+    });
+
+    const result = await getContainerStats('c1');
+
+    expect(mockFetch).toHaveBeenCalledWith('/api/v1/containers/c1/stats', {
+      credentials: 'include',
+    });
+    expect(result.data?.containerId).toBe('c1');
+    expect(result.history).toEqual([]);
+  });
+
+  it('throws when container stats request fails', async () => {
+    mockFetch.mockResolvedValue({ ok: false, statusText: 'Nope' });
+
+    await expect(getContainerStats('c1')).rejects.toThrow('Failed to get container stats: Nope');
+  });
+
+  it('normalizes malformed container stats snapshots and history entries', async () => {
+    mockFetch.mockResolvedValue({
+      ok: true,
+      json: async () => ({
+        data: {
+          containerId: 'c1',
+          cpuPercent: 'bad',
+          memoryUsageBytes: 100,
+          memoryLimitBytes: 200,
+          memoryPercent: 50,
+          networkRxBytes: 10,
+          networkTxBytes: 11,
+          blockReadBytes: 12,
+          blockWriteBytes: 13,
+          timestamp: '2026-03-14T10:00:00.000Z',
+        },
+        history: [
+          'invalid-history-entry',
+          {
+            containerId: 'c1',
+            cpuPercent: 10,
+            memoryUsageBytes: 100,
+            memoryLimitBytes: 200,
+            memoryPercent: 50,
+            networkRxBytes: 10,
+            networkTxBytes: 11,
+            blockReadBytes: 12,
+            blockWriteBytes: 13,
+            timestamp: '2026-03-14T09:59:00.000Z',
+          },
+        ],
+      }),
+    });
+
+    const result = await getContainerStats('c1');
+
+    expect(result.data).toBeNull();
+    expect(result.history).toEqual([
+      expect.objectContaining({
+        containerId: 'c1',
+        cpuPercent: 10,
+      }),
+    ]);
+  });
+
+  it('returns an empty history when history is missing or not an array', async () => {
+    mockFetch.mockResolvedValue({
+      ok: true,
+      json: async () => ({
+        data: null,
+        history: 'not-an-array',
+      }),
+    });
+
+    const result = await getContainerStats('c1');
+
+    expect(result).toEqual({
+      data: null,
+      history: [],
+    });
+  });
+
+  it('returns null data when required snapshot identity fields are missing', async () => {
+    mockFetch.mockResolvedValue({
+      ok: true,
+      json: async () => ({
+        data: {
+          containerId: 'c1',
+          cpuPercent: 12,
+          memoryUsageBytes: 100,
+          memoryLimitBytes: 200,
+          memoryPercent: 50,
+          networkRxBytes: 10,
+          networkTxBytes: 11,
+          blockReadBytes: 12,
+          blockWriteBytes: 13,
+        },
+        history: [],
+      }),
+    });
+
+    const result = await getContainerStats('c1');
+
+    expect(result.data).toBeNull();
+  });
+
+  it('returns null data for snapshots with an empty container id', async () => {
+    mockFetch.mockResolvedValue({
+      ok: true,
+      json: async () => ({
+        data: {
+          containerId: '',
+          cpuPercent: 12,
+          memoryUsageBytes: 100,
+          memoryLimitBytes: 200,
+          memoryPercent: 50,
+          networkRxBytes: 10,
+          networkTxBytes: 11,
+          blockReadBytes: 12,
+          blockWriteBytes: 13,
+          timestamp: '2026-03-14T10:00:00.000Z',
+        },
+        history: [],
+      }),
+    });
+
+    const result = await getContainerStats('c1');
+
+    expect(result.data).toBeNull();
+  });
+
+  it('falls back to an empty envelope when the response payload is not an object', async () => {
+    mockFetch.mockResolvedValue({
+      ok: true,
+      json: async () => 'not-an-object',
+    });
+
+    const result = await getContainerStats('c1');
+
+    expect(result).toEqual({
+      data: null,
+      history: [],
+    });
+  });
+
+  it('fetches all container stats summary', async () => {
+    mockFetch.mockResolvedValue({
+      ok: true,
+      json: async () => ({
+        data: [
+          {
+            id: 'c1',
+            name: 'web',
+            status: 'running',
+            watcher: 'local',
+            stats: {
+              containerId: 'c1',
+              cpuPercent: 8,
+              memoryUsageBytes: 100,
+              memoryLimitBytes: 200,
+              memoryPercent: 50,
+              networkRxBytes: 10,
+              networkTxBytes: 11,
+              blockReadBytes: 12,
+              blockWriteBytes: 13,
+              timestamp: '2026-03-14T10:00:00.000Z',
+            },
+          },
+        ],
+      }),
+    });
+
+    const result = await getAllContainerStats();
+
+    expect(mockFetch).toHaveBeenCalledWith('/api/v1/containers/stats', {
+      credentials: 'include',
+    });
+    expect(result).toHaveLength(1);
+    expect(result[0]?.name).toBe('web');
+  });
+
+  it('filters malformed summary items while keeping well-formed rows', async () => {
+    mockFetch.mockResolvedValue({
+      ok: true,
+      json: async () => ({
+        data: [
+          null,
+          { id: 42, name: 'bad-id' },
+          { id: 'missing-name' },
+          {
+            id: 'c0',
+            name: 'cache',
+            status: 123,
+            watcher: false,
+            agent: 'edge',
+            stats: null,
+          },
+          {
+            id: 'c1',
+            name: 'web',
+            status: 'running',
+            watcher: 'local',
+            stats: {
+              containerId: 'c1',
+              cpuPercent: 8,
+              memoryUsageBytes: 100,
+              memoryLimitBytes: 200,
+              memoryPercent: 50,
+              networkRxBytes: 10,
+              networkTxBytes: 11,
+              blockReadBytes: 12,
+              blockWriteBytes: 13,
+              timestamp: '2026-03-14T10:00:00.000Z',
+            },
+          },
+        ],
+      }),
+    });
+
+    const result = await getAllContainerStats();
+
+    expect(result).toEqual([
+      expect.objectContaining({
+        id: 'c0',
+        name: 'cache',
+        status: undefined,
+        watcher: undefined,
+        agent: 'edge',
+        stats: null,
+      }),
+      expect.objectContaining({
+        id: 'c1',
+        name: 'web',
+      }),
+    ]);
+  });
+
+  it('throws when all-container stats request fails', async () => {
+    mockFetch.mockResolvedValue({ ok: false, statusText: 'Nope' });
+
+    await expect(getAllContainerStats()).rejects.toThrow('Failed to get container stats: Nope');
+  });
+
+  describe('connectContainerStatsStream', () => {
+    let eventSources: MockEventSource[];
+    let EventSourceMock: ReturnType<typeof vi.fn>;
+
+    beforeEach(() => {
+      vi.useFakeTimers();
+      eventSources = [];
+      EventSourceMock = vi.fn(function (this: unknown, _url: string) {
+        const listeners: Record<string, (payload?: unknown) => void> = {};
+        const source: MockEventSource = {
+          addEventListener: vi.fn((event: string, handler: (payload?: unknown) => void) => {
+            listeners[event] = handler;
+          }),
+          close: vi.fn(),
+          onerror: null,
+          emit(event: string, payload?: unknown) {
+            listeners[event]?.(payload);
+          },
+        };
+        eventSources.push(source);
+        return source;
+      });
+      vi.stubGlobal('EventSource', EventSourceMock);
+    });
+
+    it('connects to the container stats SSE endpoint and emits parsed snapshots', () => {
+      const onOpen = vi.fn();
+      const onSnapshot = vi.fn();
+      const onHeartbeat = vi.fn();
+
+      const controller = connectContainerStatsStream('container 1', {
+        onOpen,
+        onSnapshot,
+        onHeartbeat,
+      });
+
+      expect(EventSourceMock).toHaveBeenCalledWith('/api/v1/containers/container%201/stats/stream');
+
+      const source = eventSources[0];
+      source.emit('open');
+      source.emit('dd:container-stats', {
+        data: JSON.stringify({
+          containerId: 'container 1',
+          cpuPercent: 45,
+          memoryUsageBytes: 1024,
+          memoryLimitBytes: 2048,
+          memoryPercent: 50,
+          networkRxBytes: 100,
+          networkTxBytes: 200,
+          blockReadBytes: 300,
+          blockWriteBytes: 400,
+          timestamp: '2026-03-14T10:00:00.000Z',
+        }),
+      });
+      source.emit('dd:heartbeat', {});
+
+      expect(onSnapshot).toHaveBeenCalledWith(
+        expect.objectContaining({
+          containerId: 'container 1',
+          cpuPercent: 45,
+        }),
+      );
+      expect(onOpen).toHaveBeenCalledTimes(1);
+      expect(onHeartbeat).toHaveBeenCalledTimes(1);
+
+      source.emit('dd:container-stats', { data: '{broken' });
+      source.emit('dd:container-stats', { data: 42 });
+      expect(onSnapshot).toHaveBeenCalledTimes(1);
+
+      controller.disconnect();
+    });
+
+    it('reconnects after stream errors and supports pause/resume', () => {
+      const onError = vi.fn();
+      const controller = connectContainerStatsStream(
+        'c1',
+        {
+          onError,
+        },
+        { reconnectDelayMs: 1500 },
+      );
+
+      controller.resume();
+
+      const firstSource = eventSources[0];
+      firstSource.onerror?.(new Event('error'));
+      expect(onError).toHaveBeenCalledTimes(1);
+
+      vi.advanceTimersByTime(1499);
+      expect(EventSourceMock).toHaveBeenCalledTimes(1);
+      vi.advanceTimersByTime(1);
+      expect(EventSourceMock).toHaveBeenCalledTimes(2);
+
+      controller.pause();
+      expect(controller.isPaused()).toBe(true);
+      expect(eventSources[1].close).toHaveBeenCalled();
+
+      eventSources[1].onerror?.(new Event('error'));
+      vi.advanceTimersByTime(2000);
+      expect(EventSourceMock).toHaveBeenCalledTimes(2);
+
+      controller.resume();
+      expect(controller.isPaused()).toBe(false);
+      expect(EventSourceMock).toHaveBeenCalledTimes(3);
+
+      controller.disconnect();
+      expect(eventSources[2].close).toHaveBeenCalled();
+
+      controller.pause();
+      controller.resume();
+      controller.disconnect();
+    });
+
+    it('does not reconnect after disconnect', () => {
+      const controller = connectContainerStatsStream('c1', undefined, { reconnectDelayMs: 1000 });
+      const firstSource = eventSources[0];
+
+      firstSource.onerror?.(new Event('error'));
+      controller.disconnect();
+
+      vi.advanceTimersByTime(2000);
+      expect(EventSourceMock).toHaveBeenCalledTimes(1);
+    });
+  });
+});
diff --git a/ui/tests/services/system-log-stream.spec.ts b/ui/tests/services/system-log-stream.spec.ts
new file mode 100644
index 000000000..f08e37e79
--- /dev/null
+++ b/ui/tests/services/system-log-stream.spec.ts
@@ -0,0 +1,271 @@
+import {
+  buildSystemLogStreamUrl,
+  createSystemLogStreamConnection,
+} from '@/services/system-log-stream';
+
+class MockWebSocket {
+  static instances: MockWebSocket[] = [];
+
+  readonly url: string;
+  onopen: ((event: Event) => void) | null = null;
+  onmessage: ((event: MessageEvent) => void) | null = null;
+  onerror: ((event: Event) => void) | null = null;
+  onclose: ((event: CloseEvent) => void) | null = null;
+  close = vi.fn();
+
+  constructor(url: string) {
+    this.url = url;
+    MockWebSocket.instances.push(this);
+  }
+
+  emitOpen() {
+    this.onopen?.(new Event('open'));
+  }
+
+  emitMessage(payload: unknown) {
+    this.onmessage?.(new MessageEvent('message', { data: payload as string }));
+  }
+
+  emitError() {
+    this.onerror?.(new Event('error'));
+  }
+
+  emitClose(code = 1000, reason = 'normal') {
+    this.onclose?.(new CloseEvent('close', { code, reason }));
+  }
+}
+
+describe('system-log-stream service', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    MockWebSocket.instances = [];
+  });
+
+  describe('buildSystemLogStreamUrl', () => {
+    it('uses ws protocol and default query values for http locations', () => {
+      const url = buildSystemLogStreamUrl({}, {
+        protocol: 'http:',
+        host: 'localhost:3000',
+      } as Location);
+
+      expect(url).toBe('ws://localhost:3000/api/v1/log/stream?tail=100');
+    });
+
+    it('uses wss protocol and includes explicit query values', () => {
+      const url = buildSystemLogStreamUrl({ level: 'warn', component: 'api', tail: 50 }, {
+        protocol: 'https:',
+        host: 'example.com',
+      } as Location);
+
+      expect(url).toBe('wss://example.com/api/v1/log/stream?level=warn&component=api&tail=50');
+    });
+
+    it('omits level param when set to all', () => {
+      const url = buildSystemLogStreamUrl({ level: 'all' }, {
+        protocol: 'http:',
+        host: 'localhost:3000',
+      } as Location);
+
+      expect(url).toBe('ws://localhost:3000/api/v1/log/stream?tail=100');
+    });
+
+    it('omits component param when empty', () => {
+      const url = buildSystemLogStreamUrl({ component: '' }, {
+        protocol: 'http:',
+        host: 'localhost:3000',
+      } as Location);
+
+      expect(url).toBe('ws://localhost:3000/api/v1/log/stream?tail=100');
+    });
+  });
+
+  describe('createSystemLogStreamConnection', () => {
+    it('opens socket and emits parsed log entries', () => {
+      const onMessage = vi.fn();
+      const onStatus = vi.fn();
+
+      const connection = createSystemLogStreamConnection({
+        onMessage,
+        onStatus,
+        webSocketFactory: (url) => new MockWebSocket(url) as unknown as WebSocket,
+        location: { protocol: 'http:', host: 'localhost:3000' } as Location,
+      });
+
+      expect(MockWebSocket.instances).toHaveLength(1);
+      const socket = MockWebSocket.instances[0];
+      socket.emitOpen();
+      socket.emitMessage('{"timestamp":1000,"level":"info","component":"api","msg":"hello"}');
+      socket.emitMessage('{"invalid":"entry"}');
+      socket.emitMessage('not-json');
+      socket.emitMessage({ unexpected: true });
+      socket.emitMessage('"primitive-json"');
+
+      expect(onStatus).toHaveBeenCalledWith('connected');
+      expect(onMessage).toHaveBeenCalledTimes(1);
+      expect(onMessage).toHaveBeenCalledWith({
+        timestamp: 1000,
+        level: 'info',
+        component: 'api',
+        msg: 'hello',
+      });
+
+      connection.close();
+      expect(socket.close).toHaveBeenCalledWith(1000, 'manual-close');
+    });
+
+    it('supports update, pause, and resume lifecycle controls', () => {
+      const connection = createSystemLogStreamConnection({
+        onMessage: vi.fn(),
+        webSocketFactory: (url) => new MockWebSocket(url) as unknown as WebSocket,
+        location: { protocol: 'http:', host: 'localhost:3000' } as Location,
+      });
+
+      expect(MockWebSocket.instances).toHaveLength(1);
+      const firstSocket = MockWebSocket.instances[0];
+
+      connection.update({ level: 'warn', tail: 500 });
+      expect(firstSocket.close).toHaveBeenCalledWith(1000, 'reconnect');
+      expect(MockWebSocket.instances).toHaveLength(2);
+      expect(MockWebSocket.instances[1].url).toContain('level=warn');
+      expect(MockWebSocket.instances[1].url).toContain('tail=500');
+
+      const secondSocket = MockWebSocket.instances[1];
+      connection.pause();
+      expect(secondSocket.close).toHaveBeenCalledWith(1000, 'pause');
+      expect(connection.isPaused()).toBe(true);
+
+      connection.resume();
+      expect(MockWebSocket.instances).toHaveLength(3);
+      expect(connection.isPaused()).toBe(false);
+    });
+
+    it('handles idempotent lifecycle no-op branches', () => {
+      const connection = createSystemLogStreamConnection({
+        onMessage: vi.fn(),
+        webSocketFactory: (url) => new MockWebSocket(url) as unknown as WebSocket,
+        location: { protocol: 'http:', host: 'localhost:3000' } as Location,
+      });
+
+      // resume while active: no-op
+      connection.resume();
+      expect(MockWebSocket.instances).toHaveLength(1);
+
+      // pause twice
+      connection.pause();
+      connection.pause();
+      expect(connection.isPaused()).toBe(true);
+
+      // update while paused: no-op (closed + reconnect skipped because paused)
+      const pausedSocket = MockWebSocket.instances[0];
+      connection.update({ tail: 999 });
+      expect(pausedSocket.close).toHaveBeenCalledTimes(1);
+      expect(MockWebSocket.instances).toHaveLength(1);
+
+      // close twice
+      connection.close();
+      connection.close();
+    });
+
+    it('notifies disconnected state on close/error while active', () => {
+      const onStatus = vi.fn();
+
+      createSystemLogStreamConnection({
+        onMessage: vi.fn(),
+        onStatus,
+        webSocketFactory: (url) => new MockWebSocket(url) as unknown as WebSocket,
+        location: { protocol: 'http:', host: 'localhost:3000' } as Location,
+      });
+
+      const socket = MockWebSocket.instances[0];
+      socket.emitError();
+      socket.emitClose(1011, 'boom');
+
+      expect(onStatus).toHaveBeenCalledWith('disconnected');
+    });
+
+    it('does not notify disconnected when socket events happen after pause/close', () => {
+      const onStatus = vi.fn();
+
+      const connection = createSystemLogStreamConnection({
+        onMessage: vi.fn(),
+        onStatus,
+        webSocketFactory: (url) => new MockWebSocket(url) as unknown as WebSocket,
+        location: { protocol: 'http:', host: 'localhost:3000' } as Location,
+      });
+
+      const firstSocket = MockWebSocket.instances[0];
+      connection.pause();
+      firstSocket.emitError();
+      firstSocket.emitClose(1011, 'paused-close');
+
+      connection.resume();
+      const resumedSocket = MockWebSocket.instances[1];
+      connection.close();
+      resumedSocket.emitError();
+      resumedSocket.emitClose(1011, 'closed-close');
+
+      const disconnectedCalls = onStatus.mock.calls.filter(([s]) => s === 'disconnected');
+      expect(disconnectedCalls).toHaveLength(0);
+    });
+
+    it('ignores stale socket events after update-triggered reconnect', () => {
+      const onStatus = vi.fn();
+      const onMessage = vi.fn();
+
+      const connection = createSystemLogStreamConnection({
+        onMessage,
+        onStatus,
+        webSocketFactory: (url) => new MockWebSocket(url) as unknown as WebSocket,
+        location: { protocol: 'http:', host: 'localhost:3000' } as Location,
+      });
+
+      const firstSocket = MockWebSocket.instances[0];
+      connection.update({ tail: 500 });
+      const secondSocket = MockWebSocket.instances[1];
+
+      firstSocket.emitOpen();
+      firstSocket.emitMessage('{"timestamp":1000,"level":"info","component":"api","msg":"stale"}');
+      firstSocket.emitClose(1000, 'stale-close');
+      secondSocket.emitOpen();
+      secondSocket.emitMessage('{"timestamp":2000,"level":"warn","component":"api","msg":"fresh"}');
+
+      expect(onStatus).toHaveBeenCalledTimes(1);
+      expect(onStatus).toHaveBeenCalledWith('connected');
+      expect(onMessage).toHaveBeenCalledTimes(1);
+      expect(onMessage).toHaveBeenCalledWith({
+        timestamp: 2000,
+        level: 'warn',
+        component: 'api',
+        msg: 'fresh',
+      });
+    });
+
+    it('uses default browser websocket factory and location when options are omitted', () => {
+      const originalWebSocket = globalThis.WebSocket;
+      const urls: string[] = [];
+      class NativeWebSocketMock extends MockWebSocket {
+        constructor(url: string) {
+          super(url);
+          urls.push(url);
+        }
+      }
+      globalThis.WebSocket = NativeWebSocketMock as unknown as typeof WebSocket;
+
+      try {
+        const connection = createSystemLogStreamConnection({
+          onMessage: vi.fn(),
+        });
+
+        expect(urls).toHaveLength(1);
+        const streamUrl = urls[0];
+        const expectedProtocol = window.location.protocol === 'https:' ? 'wss://' : 'ws://';
+        expect(streamUrl.startsWith(`${expectedProtocol}${window.location.host}`)).toBe(true);
+        expect(streamUrl).toContain('/api/v1/log/stream?');
+
+        connection.close();
+      } finally {
+        globalThis.WebSocket = originalWebSocket;
+      }
+    });
+  });
+});
diff --git a/ui/tests/setup.ts b/ui/tests/setup.ts
index 62a599cdc..1761e7830 100644
--- a/ui/tests/setup.ts
+++ b/ui/tests/setup.ts
@@ -1,4 +1,5 @@
 import { config } from '@vue/test-utils';
+import AppButton from '@/components/AppButton.vue';
 
 // Some CI/runtime environments expose an incompatible localStorage object.
 // Override with a minimal Storage-compatible mock used by this test suite.
@@ -96,3 +97,38 @@ config.global.provide = {
 config.global.directives = {
   tooltip: {},
 };
+
+config.global.components = {
+  AppButton,
+  CopyableTag: {
+    template: '<span><slot /></span>',
+  },
+};
+
+class ResizeObserverMock {
+  callback: ResizeObserverCallback;
+
+  constructor(callback: ResizeObserverCallback) {
+    this.callback = callback;
+  }
+
+  observe() {
+    // The dashboard widgets only need the observer to exist in unit tests.
+  }
+
+  unobserve() {
+    // No-op for tests.
+  }
+
+  disconnect() {
+    // No-op for tests.
+  }
+}
+
+vi.stubGlobal('ResizeObserver', ResizeObserverMock);
+
+if (typeof document !== 'undefined' && !document.getElementById('breadcrumb-actions')) {
+  const breadcrumbActions = document.createElement('div');
+  breadcrumbActions.id = 'breadcrumb-actions';
+  document.body.appendChild(breadcrumbActions);
+}
diff --git a/ui/tests/style.spec.ts b/ui/tests/style.spec.ts
index 6e3caf5b3..466feebfa 100644
--- a/ui/tests/style.spec.ts
+++ b/ui/tests/style.spec.ts
@@ -16,16 +16,12 @@ describe('style.css scrollbar rules', () => {
     expect(css).toMatch(/::-webkit-scrollbar-track\s*\{[^}]*background:\s*transparent/);
   });
 
-  it('enables overflow overlay for .overflow-auto when supported', () => {
-    expect(css).toMatch(/@supports\s*\(overflow:\s*overlay\)/);
-    expect(css).toMatch(/\.overflow-auto\s*\{[^}]*overflow:\s*overlay;/);
+  it('does not use deprecated overflow overlay', () => {
+    expect(css).not.toMatch(/@supports\s*\(overflow:\s*overlay\)/);
+    expect(css).not.toMatch(/overflow:\s*overlay/);
   });
 
-  it('enables overflow-y overlay for .overflow-y-auto when supported', () => {
-    expect(css).toMatch(/\.overflow-y-auto\s*\{[^}]*overflow-y:\s*overlay;/);
-  });
-
-  it('enables overflow-x overlay for .overflow-x-auto when supported', () => {
-    expect(css).toMatch(/\.overflow-x-auto\s*\{[^}]*overflow-x:\s*overlay;/);
+  it('provides dd-scroll-stable utility with scrollbar-gutter stable', () => {
+    expect(css).toMatch(/\.dd-scroll-stable\s*\{[^}]*scrollbar-gutter:\s*stable/);
   });
 });
diff --git a/ui/tests/utils/audit-helpers.spec.ts b/ui/tests/utils/audit-helpers.spec.ts
index 2c53b68fc..de1112f4c 100644
--- a/ui/tests/utils/audit-helpers.spec.ts
+++ b/ui/tests/utils/audit-helpers.spec.ts
@@ -1,6 +1,7 @@
 import {
   actionIcon,
   actionLabel,
+  imageAge,
   statusBg,
   statusColor,
   targetLabel,
@@ -167,4 +168,53 @@ describe('audit-helpers', () => {
       expect(timeAgo(sixDays)).toBe('6d ago');
     });
   });
+
+  describe('imageAge', () => {
+    it('returns em dash for undefined', () => {
+      expect(imageAge(undefined)).toBe('\u2014');
+    });
+
+    it('returns em dash for invalid date', () => {
+      expect(imageAge('not-a-date')).toBe('\u2014');
+    });
+
+    it('returns "now" for future timestamps', () => {
+      const future = new Date(Date.now() + 60_000).toISOString();
+      expect(imageAge(future)).toBe('now');
+    });
+
+    it('returns minutes for recent images', () => {
+      const fiveMinAgo = new Date(Date.now() - 5 * 60_000).toISOString();
+      expect(imageAge(fiveMinAgo)).toBe('5m');
+    });
+
+    it('returns hours', () => {
+      const threeHrsAgo = new Date(Date.now() - 3 * 3_600_000).toISOString();
+      expect(imageAge(threeHrsAgo)).toBe('3h');
+    });
+
+    it('returns days for under 2 weeks', () => {
+      const tenDays = new Date(Date.now() - 10 * 86_400_000).toISOString();
+      expect(imageAge(tenDays)).toBe('10d');
+    });
+
+    it('returns weeks for 14-59 days', () => {
+      const thirtyDays = new Date(Date.now() - 30 * 86_400_000).toISOString();
+      expect(imageAge(thirtyDays)).toBe('4w');
+    });
+
+    it('returns months for 60-364 days', () => {
+      const ninetyDays = new Date(Date.now() - 90 * 86_400_000).toISOString();
+      expect(imageAge(ninetyDays)).toBe('2mo');
+    });
+
+    it('returns years for 365+ days', () => {
+      const twoYears = new Date(Date.now() - 730 * 86_400_000).toISOString();
+      expect(imageAge(twoYears)).toBe('1y');
+    });
+
+    it('returns em dash for empty string', () => {
+      expect(imageAge('')).toBe('\u2014');
+    });
+  });
 });
diff --git a/ui/tests/utils/container-logs.spec.ts b/ui/tests/utils/container-logs.spec.ts
new file mode 100644
index 000000000..aec7a201e
--- /dev/null
+++ b/ui/tests/utils/container-logs.spec.ts
@@ -0,0 +1,212 @@
+import {
+  extractJsonLogLevel,
+  parseAnsiSegments,
+  parseJsonLogLine,
+  parseLogTimestampToUnixSeconds,
+  stripAnsiCodes,
+} from '@/utils/container-logs';
+
+describe('container log utils', () => {
+  describe('parseAnsiSegments', () => {
+    it('returns plain text segment when no ANSI sequence exists', () => {
+      expect(parseAnsiSegments('plain text')).toEqual([
+        {
+          text: 'plain text',
+          color: null,
+          bold: false,
+          dim: false,
+        },
+      ]);
+    });
+
+    it('splits and annotates ANSI colored segments', () => {
+      const input = 'start \u001b[31mred\u001b[0m end';
+      expect(parseAnsiSegments(input)).toEqual([
+        {
+          text: 'start ',
+          color: null,
+          bold: false,
+          dim: false,
+        },
+        {
+          text: 'red',
+          color: 'red',
+          bold: false,
+          dim: false,
+        },
+        {
+          text: ' end',
+          color: null,
+          bold: false,
+          dim: false,
+        },
+      ]);
+    });
+
+    it('tracks bold/dim codes and resets state', () => {
+      const input = '\u001b[1;32mgreen\u001b[22m plain \u001b[2mghost\u001b[0m';
+      expect(parseAnsiSegments(input)).toEqual([
+        {
+          text: 'green',
+          color: 'green',
+          bold: true,
+          dim: false,
+        },
+        {
+          text: ' plain ',
+          color: 'green',
+          bold: false,
+          dim: false,
+        },
+        {
+          text: 'ghost',
+          color: 'green',
+          bold: false,
+          dim: true,
+        },
+      ]);
+    });
+
+    it('drops empty segments created by consecutive ANSI sequences', () => {
+      const input = '\u001b[31m\u001b[0m';
+      expect(parseAnsiSegments(input)).toEqual([]);
+    });
+
+    it('resets only color when ANSI 39 is present', () => {
+      const input = '\u001b[31mred\u001b[39m plain';
+      expect(parseAnsiSegments(input)).toEqual([
+        {
+          text: 'red',
+          color: 'red',
+          bold: false,
+          dim: false,
+        },
+        {
+          text: ' plain',
+          color: null,
+          bold: false,
+          dim: false,
+        },
+      ]);
+    });
+
+    it('handles empty and unsupported ANSI codes without mutating style state', () => {
+      const input = 'x\u001b[m y\u001b[;m z\u001b[90m end';
+      expect(parseAnsiSegments(input)).toEqual([
+        {
+          text: 'x',
+          color: null,
+          bold: false,
+          dim: false,
+        },
+        {
+          text: ' y',
+          color: null,
+          bold: false,
+          dim: false,
+        },
+        {
+          text: ' z',
+          color: null,
+          bold: false,
+          dim: false,
+        },
+        {
+          text: ' end',
+          color: null,
+          bold: false,
+          dim: false,
+        },
+      ]);
+    });
+  });
+
+  describe('stripAnsiCodes', () => {
+    it('removes ANSI escape sequences from text', () => {
+      const input = 'foo \u001b[31mbar\u001b[0m baz';
+      expect(stripAnsiCodes(input)).toBe('foo bar baz');
+    });
+  });
+
+  describe('parseJsonLogLine', () => {
+    it('returns null for non-JSON text', () => {
+      expect(parseJsonLogLine('not json')).toBeNull();
+    });
+
+    it('returns null when ANSI-only payload strips to empty text', () => {
+      expect(parseJsonLogLine('\u001b[31m\u001b[0m')).toBeNull();
+    });
+
+    it('parses JSON object line and extracts normalized level', () => {
+      const parsed = parseJsonLogLine('{"level":"WARN","msg":"boom"}');
+      expect(parsed).toEqual({
+        level: 'warn',
+        pretty: '{\n  "level": "WARN",\n  "msg": "boom"\n}',
+        value: {
+          level: 'WARN',
+          msg: 'boom',
+        },
+      });
+    });
+
+    it('ignores JSON primitives as structured logs', () => {
+      expect(parseJsonLogLine('"hello"')).toBeNull();
+      expect(parseJsonLogLine('123')).toBeNull();
+      expect(parseJsonLogLine('true')).toBeNull();
+    });
+
+    it('supports ANSI wrapped JSON payloads', () => {
+      const parsed = parseJsonLogLine('\u001b[32m{"severity":"ERROR"}\u001b[0m');
+      expect(parsed?.level).toBe('error');
+      expect(parsed?.value).toEqual({ severity: 'ERROR' });
+    });
+  });
+
+  describe('extractJsonLogLevel', () => {
+    it('returns null when no known level key exists', () => {
+      expect(extractJsonLogLevel({ message: 'hello' })).toBeNull();
+      expect(extractJsonLogLevel(null)).toBeNull();
+      expect(extractJsonLogLevel({ level: {} })).toBeNull();
+    });
+
+    it('normalizes numeric log levels from pino style values', () => {
+      expect(extractJsonLogLevel({ level: 10 })).toBe('trace');
+      expect(extractJsonLogLevel({ level: 20 })).toBe('debug');
+      expect(extractJsonLogLevel({ level: 30 })).toBe('info');
+      expect(extractJsonLogLevel({ level: 40 })).toBe('warn');
+      expect(extractJsonLogLevel({ level: 50 })).toBe('error');
+      expect(extractJsonLogLevel({ level: 60 })).toBe('fatal');
+      expect(extractJsonLogLevel({ level: 70 })).toBe('70');
+    });
+
+    it('checks fallback key aliases for level', () => {
+      expect(extractJsonLogLevel({ severity: 'ERROR' })).toBe('error');
+      expect(extractJsonLogLevel({ logLevel: 'INFO' })).toBe('info');
+      expect(extractJsonLogLevel({ log_level: 'debug' })).toBe('debug');
+      expect(extractJsonLogLevel({ lvl: 'warn' })).toBe('warn');
+    });
+
+    it('returns null for whitespace-only string levels', () => {
+      expect(extractJsonLogLevel({ level: '   ' })).toBeNull();
+    });
+  });
+
+  describe('parseLogTimestampToUnixSeconds', () => {
+    it('returns floored unix seconds for finite numbers', () => {
+      expect(parseLogTimestampToUnixSeconds(42.9)).toBe(42);
+    });
+
+    it('returns undefined for empty string and non-string values', () => {
+      expect(parseLogTimestampToUnixSeconds('   ')).toBeUndefined();
+      expect(parseLogTimestampToUnixSeconds({})).toBeUndefined();
+    });
+
+    it('returns undefined for invalid date strings', () => {
+      expect(parseLogTimestampToUnixSeconds('not-a-date')).toBeUndefined();
+    });
+
+    it('parses valid date strings to unix seconds', () => {
+      expect(parseLogTimestampToUnixSeconds('2026-03-15T00:00:00.999Z')).toBe(1773532800);
+    });
+  });
+});
diff --git a/ui/tests/utils/container-mapper.spec.ts b/ui/tests/utils/container-mapper.spec.ts
index 0de7b0458..47b0c2afe 100644
--- a/ui/tests/utils/container-mapper.spec.ts
+++ b/ui/tests/utils/container-mapper.spec.ts
@@ -752,6 +752,29 @@ describe('container-mapper', () => {
       expect(c.updateDetectedAt).toBeUndefined();
     });
 
+    it('maps imageCreated from api image.created when valid', () => {
+      const c = mapApiContainer(
+        makeApiContainer({
+          image: { name: 'nginx', tag: { value: '1.0' }, created: '2025-06-15T10:00:00.000Z' },
+        }),
+      );
+      expect(c.imageCreated).toBe('2025-06-15T10:00:00.000Z');
+    });
+
+    it('ignores invalid imageCreated values', () => {
+      const c = mapApiContainer(
+        makeApiContainer({
+          image: { name: 'nginx', tag: { value: '1.0' }, created: 'bad-date' },
+        }),
+      );
+      expect(c.imageCreated).toBeUndefined();
+    });
+
+    it('sets imageCreated to undefined when not provided', () => {
+      const c = mapApiContainer(makeApiContainer({}));
+      expect(c.imageCreated).toBeUndefined();
+    });
+
     it('sets updateMaturity to fresh when update is recent', () => {
       const recentDate = new Date(Date.now() - 2 * 86_400_000).toISOString();
       const c = mapApiContainer(
@@ -839,6 +862,37 @@ describe('container-mapper', () => {
       expect(c.imageTagSemver).toBe(true);
     });
 
+    it('maps tagPrecision when present in API response', () => {
+      const c = mapApiContainer(
+        makeApiContainer({
+          image: {
+            registry: { name: 'hub', url: 'https://registry-1.docker.io' },
+            name: 'nginx',
+            tag: { value: 'latest', tagPrecision: 'floating' },
+          },
+        }),
+      );
+      expect(c.tagPrecision).toBe('floating');
+    });
+
+    it('maps tagPrecision as specific when set', () => {
+      const c = mapApiContainer(
+        makeApiContainer({
+          image: {
+            registry: { name: 'hub', url: 'https://registry-1.docker.io' },
+            name: 'nginx',
+            tag: { value: '1.25.3', tagPrecision: 'specific' },
+          },
+        }),
+      );
+      expect(c.tagPrecision).toBe('specific');
+    });
+
+    it('leaves tagPrecision undefined when not present', () => {
+      const c = mapApiContainer(makeApiContainer());
+      expect(c.tagPrecision).toBeUndefined();
+    });
+
     it('handles labels with empty values', () => {
       const c = mapApiContainer(
         makeApiContainer({
@@ -1130,4 +1184,94 @@ describe('container-mapper', () => {
       expect(c.securityDelta).toBeUndefined();
     });
   });
+
+  describe('suggestedTag', () => {
+    it('maps suggestedTag from result', () => {
+      const c = mapApiContainer(
+        makeApiContainer({
+          result: { tag: '2.0', suggestedTag: 'v1.25.3' },
+          updateAvailable: true,
+        }),
+      );
+      expect(c.suggestedTag).toBe('v1.25.3');
+    });
+
+    it('returns undefined when suggestedTag is missing', () => {
+      const c = mapApiContainer(
+        makeApiContainer({ result: { tag: '2.0' }, updateAvailable: true }),
+      );
+      expect(c.suggestedTag).toBeUndefined();
+    });
+
+    it('returns undefined when suggestedTag is empty string', () => {
+      const c = mapApiContainer(
+        makeApiContainer({ result: { tag: '2.0', suggestedTag: '  ' }, updateAvailable: true }),
+      );
+      expect(c.suggestedTag).toBeUndefined();
+    });
+  });
+
+  describe('sourceRepo', () => {
+    it('maps sourceRepo from API container', () => {
+      const c = mapApiContainer(makeApiContainer({ sourceRepo: 'https://github.com/nginx/nginx' }));
+      expect(c.sourceRepo).toBe('https://github.com/nginx/nginx');
+    });
+
+    it('returns undefined when sourceRepo is missing', () => {
+      const c = mapApiContainer(makeApiContainer());
+      expect(c.sourceRepo).toBeUndefined();
+    });
+  });
+
+  describe('releaseNotes', () => {
+    it('maps complete releaseNotes from result', () => {
+      const c = mapApiContainer(
+        makeApiContainer({
+          result: {
+            tag: '2.0',
+            releaseNotes: {
+              title: 'Release 2.0',
+              body: 'New features',
+              url: 'https://github.com/org/repo/releases/tag/v2.0',
+              publishedAt: '2026-01-15T00:00:00Z',
+              provider: 'github',
+            },
+          },
+          updateAvailable: true,
+        }),
+      );
+      expect(c.releaseNotes).toEqual({
+        title: 'Release 2.0',
+        body: 'New features',
+        url: 'https://github.com/org/repo/releases/tag/v2.0',
+        publishedAt: '2026-01-15T00:00:00Z',
+        provider: 'github',
+      });
+    });
+
+    it('returns null when releaseNotes is missing', () => {
+      const c = mapApiContainer(
+        makeApiContainer({ result: { tag: '2.0' }, updateAvailable: true }),
+      );
+      expect(c.releaseNotes).toBeNull();
+    });
+
+    it('returns null when releaseNotes has missing required fields', () => {
+      const c = mapApiContainer(
+        makeApiContainer({
+          result: {
+            tag: '2.0',
+            releaseNotes: { title: 'Release', body: '', url: '', publishedAt: '', provider: '' },
+          },
+          updateAvailable: true,
+        }),
+      );
+      expect(c.releaseNotes).toBeNull();
+    });
+
+    it('returns null when result is null', () => {
+      const c = mapApiContainer(makeApiContainer());
+      expect(c.releaseNotes).toBeNull();
+    });
+  });
 });
diff --git a/ui/tests/utils/display.spec.ts b/ui/tests/utils/display.spec.ts
index e65e8c159..754696d1f 100644
--- a/ui/tests/utils/display.spec.ts
+++ b/ui/tests/utils/display.spec.ts
@@ -5,6 +5,7 @@ import {
   registryColorText,
   registryLabel,
   serverBadgeColor,
+  suggestedTagColor,
   updateKindColor,
 } from '@/utils/display';
 
@@ -173,4 +174,13 @@ describe('display utilities', () => {
       expect(maturityColor(null)).toEqual({ bg: 'transparent', text: 'transparent' });
     });
   });
+
+  describe('suggestedTagColor', () => {
+    it('returns alt colors', () => {
+      expect(suggestedTagColor()).toEqual({
+        bg: 'var(--dd-alt-muted)',
+        text: 'var(--dd-alt)',
+      });
+    });
+  });
 });
diff --git a/ui/tests/utils/json-tokenizer.spec.ts b/ui/tests/utils/json-tokenizer.spec.ts
new file mode 100644
index 000000000..f2c39695b
--- /dev/null
+++ b/ui/tests/utils/json-tokenizer.spec.ts
@@ -0,0 +1,151 @@
+import { clearTokenCache, tokenizeJson } from '../../src/utils/json-tokenizer';
+
+describe('tokenizeJson', () => {
+  afterEach(() => {
+    clearTokenCache();
+  });
+
+  test('returns empty array for empty string', () => {
+    expect(tokenizeJson('')).toEqual([]);
+  });
+
+  test('tokenizes a simple object', () => {
+    const tokens = tokenizeJson('{"a": 1}');
+    expect(tokens).toEqual([
+      { text: '{', type: 'punctuation' },
+      { text: '"a"', type: 'key' },
+      { text: ':', type: 'punctuation' },
+      { text: ' ', type: 'text' },
+      { text: '1', type: 'number' },
+      { text: '}', type: 'punctuation' },
+    ]);
+  });
+
+  test('distinguishes keys from string values', () => {
+    const tokens = tokenizeJson('{"name": "drydock"}');
+    const keyToken = tokens.find((t) => t.type === 'key');
+    const stringToken = tokens.find((t) => t.type === 'string');
+    expect(keyToken?.text).toBe('"name"');
+    expect(stringToken?.text).toBe('"drydock"');
+  });
+
+  test('tokenizes booleans', () => {
+    const tokens = tokenizeJson('{"ok": true, "fail": false}');
+    const booleans = tokens.filter((t) => t.type === 'boolean');
+    expect(booleans).toEqual([
+      { text: 'true', type: 'boolean' },
+      { text: 'false', type: 'boolean' },
+    ]);
+  });
+
+  test('tokenizes null', () => {
+    const tokens = tokenizeJson('{"x": null}');
+    expect(tokens).toContainEqual({ text: 'null', type: 'null' });
+  });
+
+  test('tokenizes negative numbers', () => {
+    const tokens = tokenizeJson('{"n": -42}');
+    expect(tokens).toContainEqual({ text: '-42', type: 'number' });
+  });
+
+  test('tokenizes floating-point numbers', () => {
+    const tokens = tokenizeJson('{"pi": 3.14}');
+    expect(tokens).toContainEqual({ text: '3.14', type: 'number' });
+  });
+
+  test('tokenizes scientific notation', () => {
+    const tokens = tokenizeJson('{"big": 1e10}');
+    expect(tokens).toContainEqual({ text: '1e10', type: 'number' });
+  });
+
+  test('tokenizes negative exponent', () => {
+    const tokens = tokenizeJson('{"small": 5E-3}');
+    expect(tokens).toContainEqual({ text: '5E-3', type: 'number' });
+  });
+
+  test('tokenizes arrays', () => {
+    const tokens = tokenizeJson('[1, 2, 3]');
+    expect(tokens[0]).toEqual({ text: '[', type: 'punctuation' });
+    expect(tokens[tokens.length - 1]).toEqual({ text: ']', type: 'punctuation' });
+    expect(tokens.filter((t) => t.text === ',')).toHaveLength(2);
+  });
+
+  test('preserves whitespace as text tokens', () => {
+    const tokens = tokenizeJson('{\n  "a": 1\n}');
+    const whitespaceTokens = tokens.filter((t) => t.type === 'text');
+    expect(whitespaceTokens.length).toBeGreaterThan(0);
+    for (const token of whitespaceTokens) {
+      expect(token.text).toMatch(/^\s+$/);
+    }
+  });
+
+  test('handles escaped quotes in strings', () => {
+    const tokens = tokenizeJson('{"msg": "say \\"hello\\""}');
+    const stringToken = tokens.find((t) => t.type === 'string');
+    expect(stringToken?.text).toBe('"say \\"hello\\""');
+  });
+
+  test('handles consecutive escaped backslashes before closing quote', () => {
+    // Value is a string ending with two literal backslashes: "path\\"
+    // In JSON: {"p": "path\\\\"}  →  the \\\\ is two escaped backslashes
+    const input = '{"p": "path\\\\\\\\"}';
+    const tokens = tokenizeJson(input);
+    const stringToken = tokens.find((t) => t.type === 'string');
+    expect(stringToken?.text).toBe('"path\\\\\\\\"');
+    // Verify the token stream reconstructs the input
+    expect(tokens.map((t) => t.text).join('')).toBe(input);
+  });
+
+  test('classifies key with whitespace before colon', () => {
+    const tokens = tokenizeJson('{"spaced"  : "val"}');
+    const keyToken = tokens.find((t) => t.type === 'key');
+    expect(keyToken?.text).toBe('"spaced"');
+  });
+
+  test('handles nested objects', () => {
+    const input = JSON.stringify({ a: { b: 1 } }, null, 2);
+    const tokens = tokenizeJson(input);
+    const punctuation = tokens.filter((t) => t.type === 'punctuation');
+    const braces = punctuation.filter((t) => t.text === '{' || t.text === '}');
+    expect(braces).toHaveLength(4);
+  });
+
+  test('handles unknown characters as text', () => {
+    // Feed a character that doesn't match any rule (a bare letter outside a string/keyword)
+    const tokens = tokenizeJson('x');
+    expect(tokens).toEqual([{ text: 'x', type: 'text' }]);
+  });
+
+  test('round-trips reconstructed text', () => {
+    const input = JSON.stringify({ name: 'drydock', count: 42, active: true, data: null }, null, 2);
+    const tokens = tokenizeJson(input);
+    const reconstructed = tokens.map((t) => t.text).join('');
+    expect(reconstructed).toBe(input);
+  });
+
+  test('returns cached result for identical input', () => {
+    const input = '{"a": 1}';
+    const first = tokenizeJson(input);
+    const second = tokenizeJson(input);
+    expect(second).toBe(first);
+  });
+
+  test('evicts oldest entry when cache exceeds limit', () => {
+    const first = tokenizeJson('{"evict": 0}');
+    for (let i = 1; i <= 500; i += 1) {
+      tokenizeJson(`{"fill": ${i}}`);
+    }
+    const refetch = tokenizeJson('{"evict": 0}');
+    expect(refetch).not.toBe(first);
+    expect(refetch).toEqual(first);
+  });
+
+  test('clearTokenCache empties the cache', () => {
+    const input = '{"c": true}';
+    const first = tokenizeJson(input);
+    clearTokenCache();
+    const second = tokenizeJson(input);
+    expect(second).not.toBe(first);
+    expect(second).toEqual(first);
+  });
+});
diff --git a/ui/tests/utils/stats-sparkline.spec.ts b/ui/tests/utils/stats-sparkline.spec.ts
new file mode 100644
index 000000000..caab7656a
--- /dev/null
+++ b/ui/tests/utils/stats-sparkline.spec.ts
@@ -0,0 +1,25 @@
+import { buildSparklinePoints } from '@/utils/stats-sparkline';
+
+describe('stats-sparkline', () => {
+  it('returns an empty string for empty values', () => {
+    expect(buildSparklinePoints([], 120, 32)).toBe('');
+  });
+
+  it('builds normalized points for ascending values', () => {
+    expect(buildSparklinePoints([0, 50, 100], 100, 20)).toBe('0,20 50,10 100,0');
+  });
+
+  it('builds a centerline for flat values', () => {
+    expect(buildSparklinePoints([5, 5, 5], 60, 12)).toBe('0,6 30,6 60,6');
+  });
+
+  it('builds a single centered point for one flat value', () => {
+    expect(buildSparklinePoints([5], 60, 12)).toBe('0,6');
+  });
+
+  it('coerces invalid values to zero before plotting', () => {
+    expect(buildSparklinePoints([1, Number.NaN, Number.POSITIVE_INFINITY], 100, 20)).toBe(
+      '0,0 50,20 100,20',
+    );
+  });
+});
diff --git a/ui/tests/utils/stats-summary.spec.ts b/ui/tests/utils/stats-summary.spec.ts
new file mode 100644
index 000000000..66abf31b0
--- /dev/null
+++ b/ui/tests/utils/stats-summary.spec.ts
@@ -0,0 +1,108 @@
+import { summarizeContainerResourceUsage } from '@/utils/stats-summary';
+
+function makeRow(overrides: Record<string, unknown> = {}) {
+  return {
+    id: 'c1',
+    name: 'web',
+    status: 'running',
+    watcher: 'local',
+    agent: undefined,
+    stats: {
+      containerId: 'c1',
+      cpuPercent: 10,
+      memoryUsageBytes: 100,
+      memoryLimitBytes: 200,
+      memoryPercent: 50,
+      networkRxBytes: 1,
+      networkTxBytes: 2,
+      blockReadBytes: 3,
+      blockWriteBytes: 4,
+      timestamp: '2026-03-14T10:00:00.000Z',
+    },
+    ...overrides,
+  };
+}
+
+describe('stats-summary', () => {
+  it('returns top CPU and memory lists limited to five rows', () => {
+    const summary = summarizeContainerResourceUsage([
+      makeRow({ id: 'c1', name: 'a', stats: makeRow().stats }),
+      makeRow({
+        id: 'c2',
+        name: 'b',
+        stats: { ...makeRow().stats, cpuPercent: 90, memoryPercent: 20 },
+      }),
+      makeRow({
+        id: 'c3',
+        name: 'c',
+        stats: { ...makeRow().stats, cpuPercent: 30, memoryPercent: 95 },
+      }),
+      makeRow({
+        id: 'c4',
+        name: 'd',
+        stats: { ...makeRow().stats, cpuPercent: 60, memoryPercent: 40 },
+      }),
+      makeRow({
+        id: 'c5',
+        name: 'e',
+        stats: { ...makeRow().stats, cpuPercent: 70, memoryPercent: 70 },
+      }),
+      makeRow({
+        id: 'c6',
+        name: 'f',
+        stats: { ...makeRow().stats, cpuPercent: 20, memoryPercent: 80 },
+      }),
+    ]);
+
+    expect(summary.topCpu).toHaveLength(5);
+    expect(summary.topMemory).toHaveLength(5);
+    expect(summary.topCpu.map((row) => row.name)).toEqual(['b', 'e', 'd', 'c', 'f']);
+    expect(summary.topMemory.map((row) => row.name)).toEqual(['c', 'f', 'e', 'a', 'd']);
+  });
+
+  it('computes aggregate cpu and memory usage values', () => {
+    const summary = summarizeContainerResourceUsage([
+      makeRow({
+        id: 'c1',
+        name: 'web',
+        stats: { ...makeRow().stats, cpuPercent: 50, memoryUsageBytes: 300, memoryLimitBytes: 600 },
+      }),
+      makeRow({
+        id: 'c2',
+        name: 'db',
+        stats: {
+          ...makeRow().stats,
+          cpuPercent: 100,
+          memoryUsageBytes: 100,
+          memoryLimitBytes: 200,
+        },
+      }),
+    ]);
+
+    expect(summary.watchedContainers).toBe(2);
+    expect(summary.totalCpuPercent).toBe(75);
+    expect(summary.totalMemoryPercent).toBe(50);
+    expect(summary.totalMemoryUsageBytes).toBe(400);
+    expect(summary.totalMemoryLimitBytes).toBe(800);
+  });
+
+  it('ignores rows without stats and handles zero memory limits', () => {
+    const summary = summarizeContainerResourceUsage([
+      makeRow({ id: 'c1', name: 'web', stats: null }),
+      makeRow({
+        id: 'c2',
+        name: 'db',
+        stats: {
+          ...makeRow().stats,
+          cpuPercent: Number.NaN,
+          memoryUsageBytes: 100,
+          memoryLimitBytes: 0,
+        },
+      }),
+    ]);
+
+    expect(summary.watchedContainers).toBe(1);
+    expect(summary.totalCpuPercent).toBe(0);
+    expect(summary.totalMemoryPercent).toBe(0);
+  });
+});
diff --git a/ui/tests/utils/stats-thresholds.spec.ts b/ui/tests/utils/stats-thresholds.spec.ts
new file mode 100644
index 000000000..f8f3ced77
--- /dev/null
+++ b/ui/tests/utils/stats-thresholds.spec.ts
@@ -0,0 +1,37 @@
+import {
+  getUsageThreshold,
+  getUsageThresholdColor,
+  getUsageThresholdMutedColor,
+} from '@/utils/stats-thresholds';
+
+describe('stats-thresholds', () => {
+  it('maps values below 60 to healthy', () => {
+    expect(getUsageThreshold(0)).toBe('healthy');
+    expect(getUsageThreshold(59.99)).toBe('healthy');
+  });
+
+  it('maps values in [60, 85] to warning', () => {
+    expect(getUsageThreshold(60)).toBe('warning');
+    expect(getUsageThreshold(85)).toBe('warning');
+  });
+
+  it('maps values above 85 to critical', () => {
+    expect(getUsageThreshold(85.01)).toBe('critical');
+    expect(getUsageThreshold(160)).toBe('critical');
+  });
+
+  it('treats non-finite values as healthy', () => {
+    expect(getUsageThreshold(Number.NaN)).toBe('healthy');
+    expect(getUsageThreshold(Number.POSITIVE_INFINITY)).toBe('healthy');
+  });
+
+  it('returns the expected semantic colors', () => {
+    expect(getUsageThresholdColor(40)).toBe('var(--dd-success)');
+    expect(getUsageThresholdColor(60)).toBe('var(--dd-warning)');
+    expect(getUsageThresholdColor(86)).toBe('var(--dd-danger)');
+
+    expect(getUsageThresholdMutedColor(40)).toBe('var(--dd-success-muted)');
+    expect(getUsageThresholdMutedColor(60)).toBe('var(--dd-warning-muted)');
+    expect(getUsageThresholdMutedColor(86)).toBe('var(--dd-danger-muted)');
+  });
+});
diff --git a/ui/tests/utils/system-log-adapter.spec.ts b/ui/tests/utils/system-log-adapter.spec.ts
new file mode 100644
index 000000000..0cba3b7b8
--- /dev/null
+++ b/ui/tests/utils/system-log-adapter.spec.ts
@@ -0,0 +1,84 @@
+import type { SystemLogEntry } from '@/services/system-log-stream';
+import { toAppLogEntry } from '@/utils/system-log-adapter';
+
+function makeSystemLogEntry(overrides: Partial<SystemLogEntry> = {}): SystemLogEntry {
+  return {
+    timestamp: Date.UTC(2026, 2, 15, 0, 0, 0),
+    level: 'info',
+    component: 'drydock',
+    msg: 'hello world',
+    ...overrides,
+  };
+}
+
+describe('toAppLogEntry', () => {
+  it('maps plain system log entry fields and parses ANSI segments', () => {
+    const entry = makeSystemLogEntry({
+      level: 'WARN',
+      msg: '\u001b[31mboom\u001b[0m happened',
+    });
+
+    const adapted = toAppLogEntry(entry, 42);
+
+    expect(adapted.id).toBe(42);
+    expect(adapted.timestamp).toBe('2026-03-15T00:00:00.000Z');
+    expect(adapted.line).toBe('\u001b[31mboom\u001b[0m happened');
+    expect(adapted.plainLine).toBe('boom happened');
+    expect(adapted.json).toBeNull();
+    expect(adapted.level).toBe('warn');
+    expect(adapted.component).toBe('drydock');
+    expect(adapted.channel).toBeUndefined();
+    expect(adapted.ansiSegments).toEqual([
+      { text: 'boom', color: 'red', bold: false, dim: false },
+      { text: ' happened', color: null, bold: false, dim: false },
+    ]);
+  });
+
+  it('extracts log level from JSON payload when present', () => {
+    const entry = makeSystemLogEntry({
+      level: 'debug',
+      msg: '{"level":"ERROR","msg":"db down"}',
+    });
+
+    const adapted = toAppLogEntry(entry, 7);
+
+    expect(adapted.level).toBe('error');
+    expect(adapted.json?.value).toEqual({ level: 'ERROR', msg: 'db down' });
+  });
+
+  it('falls back to entry level when JSON payload has no level key', () => {
+    const entry = makeSystemLogEntry({
+      level: 'ERROR',
+      msg: '{"msg":"db down"}',
+    });
+
+    const adapted = toAppLogEntry(entry, 8);
+
+    expect(adapted.json).not.toBeNull();
+    expect(adapted.json?.level).toBeNull();
+    expect(adapted.level).toBe('error');
+  });
+
+  it('uses "-" timestamp for invalid timestamp values and null level for empty level', () => {
+    const entry = makeSystemLogEntry({
+      timestamp: Number.NaN as unknown as number,
+      level: '   ',
+      msg: 'plain',
+    });
+
+    const adapted = toAppLogEntry(entry, 9);
+
+    expect(adapted.timestamp).toBe('-');
+    expect(adapted.level).toBeNull();
+  });
+
+  it('uses "-" timestamp when finite number produces an invalid Date', () => {
+    const entry = makeSystemLogEntry({
+      timestamp: 8.64e15 + 1,
+    });
+
+    const adapted = toAppLogEntry(entry, 10);
+
+    expect(adapted.timestamp).toBe('-');
+  });
+});
diff --git a/ui/tests/views/AgentsView.spec.ts b/ui/tests/views/AgentsView.spec.ts
index 605ef2ccb..7244e6b0b 100644
--- a/ui/tests/views/AgentsView.spec.ts
+++ b/ui/tests/views/AgentsView.spec.ts
@@ -13,6 +13,7 @@ const { mockRoute } = vi.hoisted(() => ({
 
 vi.mock('vue-router', () => ({
   useRoute: () => mockRoute,
+  useRouter: () => ({ push: vi.fn(), replace: vi.fn() }),
 }));
 
 vi.mock('@/composables/useBreakpoints', () => ({
@@ -68,7 +69,16 @@ function makeAgent(overrides: Record<string, any> = {}) {
 
 async function mountAgentsView() {
   const wrapper = mountWithPlugins(AgentsView, {
-    global: { stubs: dataViewStubs },
+    global: {
+      stubs: {
+        ...dataViewStubs,
+        AppIconButton: {
+          props: ['icon', 'variant', 'tooltip', 'ariaLabel', 'size'],
+          template:
+            '<button class="app-icon-button-stub" v-bind="$attrs" :data-icon="icon" :data-variant="variant" :data-size="size" :aria-label="ariaLabel"><slot /></button>',
+        },
+      },
+    },
   });
   mountedWrappers.push(wrapper);
   await flushPromises();
@@ -137,6 +147,16 @@ describe('AgentsView', () => {
     expect(wrapper.find('.data-table').attributes('data-row-count')).toBe('0');
   });
 
+  it('renders the table column picker as an AppIconButton', async () => {
+    const wrapper = await mountAgentsView();
+
+    const columnPicker = wrapper.find('.app-icon-button-stub[aria-label="Toggle columns"]');
+    expect(columnPicker.exists()).toBe(true);
+    expect(columnPicker.attributes('data-icon')).toBe('config');
+    expect(columnPicker.attributes('data-variant')).toBe('plain');
+    expect(columnPicker.attributes('data-size')).toBe('toolbar');
+  });
+
   it('refreshes agents when agent status SSE event is received', async () => {
     await mountAgentsView();
     expect(mockGetAgents).toHaveBeenCalledTimes(1);
diff --git a/ui/tests/views/ConfigView.spec.ts b/ui/tests/views/ConfigView.spec.ts
index 95d4d21d5..d4442ad8e 100644
--- a/ui/tests/views/ConfigView.spec.ts
+++ b/ui/tests/views/ConfigView.spec.ts
@@ -6,6 +6,7 @@ const mockGetAppInfos = vi.fn();
 const mockGetSettings = vi.fn();
 const mockUpdateSettings = vi.fn();
 const mockClearIconCache = vi.fn();
+const mockDownloadDebugDump = vi.fn();
 const mockGetUser = vi.fn();
 
 vi.mock('@/services/app', () => ({
@@ -26,6 +27,10 @@ vi.mock('@/services/settings', () => ({
   clearIconCache: (...args: any[]) => mockClearIconCache(...args),
 }));
 
+vi.mock('@/services/debug', () => ({
+  downloadDebugDump: (...args: any[]) => mockDownloadDebugDump(...args),
+}));
+
 vi.mock('@/services/auth', () => ({
   getUser: (...args: any[]) => mockGetUser(...args),
 }));
@@ -251,6 +256,10 @@ describe('ConfigView', () => {
     });
     mockGetAppInfos.mockResolvedValue({ version: '1.4.0' });
     mockGetStore.mockResolvedValue({ configuration: { path: '/store', file: 'dd.json' } });
+    mockDownloadDebugDump.mockResolvedValue({
+      blob: new Blob(['{}'], { type: 'application/json' }),
+      filename: 'drydock-debug-dump.json',
+    });
   });
 
   describe('on mount', () => {
@@ -391,7 +400,7 @@ describe('ConfigView', () => {
       expect(text).toContain('3000');
     });
 
-    it('shows legacy compatibility warning banner with migration guidance', async () => {
+    it('does not render a legacy compatibility inputs card in general settings', async () => {
       mockGetServer.mockResolvedValue({
         configuration: {
           port: 3000,
@@ -415,11 +424,9 @@ describe('ConfigView', () => {
       });
 
       const text = w.text();
-      expect(text).toContain('Legacy compatibility inputs detected');
-      expect(text).toContain('WUD_SERVER_PORT');
-      expect(text).toContain('wud.watch');
-      expect(text).toContain('node dist/index.js config migrate --dry-run');
-      expect(w.find('a[href="https://getdrydock.com/docs/quickstart"]').exists()).toBe(true);
+      expect(text).not.toContain('Legacy compatibility inputs detected');
+      expect(text).not.toContain('node dist/index.js config migrate --dry-run');
+      expect(w.find('[data-testid="legacy-input-banner"]').exists()).toBe(false);
     });
   });
 
@@ -523,6 +530,77 @@ describe('ConfigView', () => {
     });
   });
 
+  describe('debug dump download', () => {
+    const originalCreateObjectURL = URL.createObjectURL;
+    const originalRevokeObjectURL = URL.revokeObjectURL;
+    let createObjectUrlSpy: ReturnType<typeof vi.fn>;
+    let revokeObjectUrlSpy: ReturnType<typeof vi.fn>;
+
+    beforeEach(() => {
+      createObjectUrlSpy = vi.fn(() => 'blob:debug-dump');
+      revokeObjectUrlSpy = vi.fn();
+      Object.defineProperty(URL, 'createObjectURL', {
+        configurable: true,
+        writable: true,
+        value: createObjectUrlSpy,
+      });
+      Object.defineProperty(URL, 'revokeObjectURL', {
+        configurable: true,
+        writable: true,
+        value: revokeObjectUrlSpy,
+      });
+    });
+
+    afterEach(() => {
+      Object.defineProperty(URL, 'createObjectURL', {
+        configurable: true,
+        writable: true,
+        value: originalCreateObjectURL,
+      });
+      Object.defineProperty(URL, 'revokeObjectURL', {
+        configurable: true,
+        writable: true,
+        value: originalRevokeObjectURL,
+      });
+    });
+
+    it('downloads a debug dump from settings', async () => {
+      mockGetServer.mockResolvedValue({ configuration: {} });
+      mockGetSettings.mockResolvedValue({ internetlessMode: false });
+
+      const w = factory();
+      await vi.waitFor(() => expect(mockGetSettings).toHaveBeenCalled());
+      await nextTick();
+
+      const downloadButton = w.find('[data-test="download-debug-dump"]');
+      expect(downloadButton.exists()).toBe(true);
+      await downloadButton.trigger('click');
+
+      await vi.waitFor(() => {
+        expect(mockDownloadDebugDump).toHaveBeenCalledOnce();
+      });
+      expect(createObjectUrlSpy).toHaveBeenCalledTimes(1);
+      expect(revokeObjectUrlSpy).toHaveBeenCalledWith('blob:debug-dump');
+    });
+
+    it('shows debug dump download error', async () => {
+      mockGetServer.mockResolvedValue({ configuration: {} });
+      mockGetSettings.mockResolvedValue({ internetlessMode: false });
+      mockDownloadDebugDump.mockRejectedValue(new Error('debug dump unavailable'));
+
+      const w = factory();
+      await vi.waitFor(() => expect(mockGetSettings).toHaveBeenCalled());
+      await nextTick();
+
+      const downloadButton = w.find('[data-test="download-debug-dump"]');
+      await downloadButton.trigger('click');
+
+      await vi.waitFor(() => {
+        expect(w.text()).toContain('debug dump unavailable');
+      });
+    });
+  });
+
   describe('appearance tab', () => {
     async function mountAppearanceTab() {
       mockGetServer.mockResolvedValue({ configuration: {} });
diff --git a/ui/tests/views/ContainerLogsView.spec.ts b/ui/tests/views/ContainerLogsView.spec.ts
new file mode 100644
index 000000000..505e0b864
--- /dev/null
+++ b/ui/tests/views/ContainerLogsView.spec.ts
@@ -0,0 +1,174 @@
+import { flushPromises, mount } from '@vue/test-utils';
+import ContainerLogsView from '@/views/ContainerLogsView.vue';
+
+const mocks = vi.hoisted(() => ({
+  push: vi.fn(),
+  getAllContainers: vi.fn().mockResolvedValue([]),
+  mapApiContainer: vi.fn((c: Record<string, unknown>) => ({
+    id: c.id,
+    name: c.name ?? c.id,
+    image: 'nginx:latest',
+    status: 'running',
+    icon: '',
+    currentTag: 'latest',
+    newTag: null,
+    registry: 'dockerhub',
+    updateKind: null,
+    updateMaturity: null,
+    bouncer: 'safe',
+    server: 'local',
+    details: { ports: [], volumes: [], env: [], labels: [] },
+  })),
+}));
+
+vi.mock('vue-router', () => ({
+  useRoute: () => ({
+    params: { id: 'container-1' },
+  }),
+  useRouter: () => ({
+    push: mocks.push,
+  }),
+}));
+
+vi.mock('@/services/container', () => ({
+  getAllContainers: mocks.getAllContainers,
+}));
+
+vi.mock('@/utils/container-mapper', () => ({
+  mapApiContainer: mocks.mapApiContainer,
+}));
+
+vi.mock('@/services/logs', () => ({
+  createContainerLogStreamConnection: vi.fn(() => ({
+    update: vi.fn(),
+    pause: vi.fn(),
+    resume: vi.fn(),
+    close: vi.fn(),
+    isPaused: vi.fn(() => false),
+  })),
+  downloadContainerLogs: vi.fn(async () => new Blob([])),
+  toLogTailValue: (v: number | 'all') => (v === 'all' ? 2147483647 : v),
+}));
+
+function mountView(stubs: Record<string, unknown> = {}) {
+  return mount(ContainerLogsView, {
+    global: {
+      stubs: {
+        ContainerLogs: { template: '<div data-test="container-logs-stub" />' },
+        ...stubs,
+      },
+    },
+  });
+}
+
+describe('ContainerLogsView', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    mocks.getAllContainers.mockResolvedValue([]);
+  });
+
+  describe('layout', () => {
+    it('applies standard view layout classes on root element', () => {
+      const wrapper = mountView();
+      const root = wrapper.find('div');
+      expect(root.classes()).toContain('flex-1');
+      expect(root.classes()).toContain('min-h-0');
+      expect(root.classes()).toContain('min-w-0');
+      expect(root.classes()).toContain('overflow-y-auto');
+      expect(root.classes()).toContain('sm:pr-[15px]');
+    });
+  });
+
+  describe('header', () => {
+    it('shows container name from route param when container not loaded', () => {
+      const wrapper = mountView();
+      expect(wrapper.text()).toContain('container-1');
+    });
+
+    it('shows container name after loading', async () => {
+      mocks.getAllContainers.mockResolvedValue([{ id: 'container-1', name: 'my-web-app' }]);
+      const wrapper = mountView();
+      await flushPromises();
+      expect(wrapper.text()).toContain('my-web-app');
+    });
+
+    it('shows running status badge when container is running', async () => {
+      mocks.getAllContainers.mockResolvedValue([{ id: 'container-1', name: 'web' }]);
+      const wrapper = mountView();
+      await flushPromises();
+      expect(wrapper.text()).toContain('running');
+    });
+
+    it('shows "Container Logs" label', () => {
+      const wrapper = mountView();
+      expect(wrapper.text()).toContain('Container Logs');
+    });
+  });
+
+  describe('back navigation', () => {
+    it('navigates to containers page when back button clicked', async () => {
+      const wrapper = mountView();
+      const backButton = wrapper.find('button');
+      await backButton.trigger('click');
+      expect(mocks.push).toHaveBeenCalledWith('/containers');
+    });
+  });
+
+  describe('container loading', () => {
+    it('shows loading state initially', () => {
+      mocks.getAllContainers.mockReturnValue(new Promise(() => {}));
+      const wrapper = mountView();
+      expect(wrapper.text()).toContain('Loading container');
+    });
+
+    it('shows error when container is not found', async () => {
+      mocks.getAllContainers.mockResolvedValue([]);
+      const wrapper = mountView();
+      await flushPromises();
+      expect(wrapper.text()).toContain('not found');
+    });
+
+    it('shows error when API call fails', async () => {
+      mocks.getAllContainers.mockRejectedValue(new Error('network'));
+      const wrapper = mountView();
+      await flushPromises();
+      expect(wrapper.text()).toContain('Failed to load container info');
+    });
+
+    it('renders ContainerLogs component when container loads successfully', async () => {
+      mocks.getAllContainers.mockResolvedValue([{ id: 'container-1', name: 'web' }]);
+      const wrapper = mountView();
+      await flushPromises();
+      expect(wrapper.find('[data-test="container-logs-stub"]').exists()).toBe(true);
+    });
+
+    it('does not render ContainerLogs when container not found', async () => {
+      mocks.getAllContainers.mockResolvedValue([]);
+      const wrapper = mountView();
+      await flushPromises();
+      expect(wrapper.find('[data-test="container-logs-stub"]').exists()).toBe(false);
+    });
+
+    it('matches container by id', async () => {
+      mocks.getAllContainers.mockResolvedValue([
+        { id: 'container-1', name: 'web' },
+        { id: 'container-2', name: 'api' },
+      ]);
+      const wrapper = mountView();
+      await flushPromises();
+      expect(mocks.mapApiContainer).toHaveBeenCalledWith(
+        expect.objectContaining({ id: 'container-1' }),
+      );
+      expect(wrapper.find('[data-test="container-logs-stub"]').exists()).toBe(true);
+    });
+  });
+
+  describe('container image display', () => {
+    it('shows container image below the name', async () => {
+      mocks.getAllContainers.mockResolvedValue([{ id: 'container-1', name: 'web' }]);
+      const wrapper = mountView();
+      await flushPromises();
+      expect(wrapper.text()).toContain('nginx:latest');
+    });
+  });
+});
diff --git a/ui/tests/views/ContainersView.spec.ts b/ui/tests/views/ContainersView.spec.ts
index 1f0360828..4177327d8 100644
--- a/ui/tests/views/ContainersView.spec.ts
+++ b/ui/tests/views/ContainersView.spec.ts
@@ -4,14 +4,24 @@ import type { Container } from '@/types/container';
 import ContainersView from '@/views/ContainersView.vue';
 import { mountWithPlugins } from '../helpers/mount';
 
-const { mockRoute, mockContainerActionsEnabled, mockLoadServerFeatures } = vi.hoisted(() => ({
-  mockRoute: { query: {} as Record<string, unknown> },
-  mockContainerActionsEnabled: { value: true },
-  mockLoadServerFeatures: vi.fn().mockResolvedValue(undefined),
-}));
+const { mockRoute, mockRouterReplace, mockContainerActionsEnabled, mockLoadServerFeatures } =
+  vi.hoisted(() => ({
+    mockRoute: {
+      name: 'containers',
+      path: '/containers',
+      params: {} as Record<string, unknown>,
+      query: {} as Record<string, unknown>,
+    },
+    mockRouterReplace: vi.fn().mockResolvedValue(undefined),
+    mockContainerActionsEnabled: { value: true },
+    mockLoadServerFeatures: vi.fn().mockResolvedValue(undefined),
+  }));
 
 vi.mock('vue-router', () => ({
   useRoute: () => mockRoute,
+  useRouter: () => ({
+    replace: mockRouterReplace,
+  }),
 }));
 
 vi.mock('@/composables/useServerFeatures', () => ({
@@ -79,6 +89,7 @@ vi.mock('@/utils/display', () => ({
   registryColorText: vi.fn(() => 'text'),
   registryLabel: vi.fn((r: string) => r),
   serverBadgeColor: vi.fn(() => ({ bg: 'bg', text: 'text' })),
+  suggestedTagColor: vi.fn(() => ({ bg: 'bg', text: 'text' })),
   updateKindColor: vi.fn(() => ({ bg: 'bg', text: 'text' })),
 }));
 
@@ -259,6 +270,24 @@ const childStubs = {
     template: '<div class="empty-state">{{ message }}</div>',
     props: ['icon', 'message', 'showClear'],
   },
+  ContainerLogs: {
+    template:
+      '<div data-test="container-logs-stub" :data-id="containerId" :data-name="containerName" :data-compact="compact === undefined ? `false` : `true`">{{ containerName }}</div>',
+    props: ['containerId', 'containerName', 'compact'],
+  },
+  UpdateMaturityBadge: {
+    template: '<span data-test="update-maturity-badge" v-if="maturity">{{ maturity }}</span>',
+    props: ['maturity', 'tooltip', 'size'],
+  },
+  SuggestedTagBadge: {
+    template: '<span data-test="suggested-tag-badge" v-if="tag">{{ tag }}</span>',
+    props: ['tag', 'currentTag'],
+  },
+  ReleaseNotesLink: {
+    template:
+      '<span data-test="release-notes-link"><a v-if="releaseLink" :href="releaseLink">Release notes</a></span>',
+    props: ['releaseNotes', 'releaseLink'],
+  },
 };
 
 import {
@@ -345,6 +374,7 @@ async function mountContainersView(
 describe('ContainersView', () => {
   beforeEach(async () => {
     vi.clearAllMocks();
+    mockRouterReplace.mockResolvedValue(undefined);
     mockContainerActionsEnabled.value = true;
     mockIsMobile.value = false;
     mockWindowNarrow.value = false;
@@ -369,6 +399,9 @@ describe('ContainersView', () => {
     mockContainerScrollBlocked.value = false;
     mockContainerAutoFetchInterval.value = 0;
     mockDetailPanelStorageRead.mockReturnValue(null);
+    mockRoute.name = 'containers';
+    mockRoute.path = '/containers';
+    mockRoute.params = {};
     mockRoute.query = {};
     localStorage.clear();
     sessionStorage.clear();
@@ -436,10 +469,26 @@ describe('ContainersView', () => {
       expect(mockFilterKind.value).toBe('all');
     });
 
-    it('resets filterKind to all when query omits filterKind', async () => {
+    it('keeps persisted filterKind when query omits filterKind', async () => {
       mockRoute.query = {};
       await mountContainersView([makeContainer()], undefined, { initialFilterKind: 'major' });
-      expect(mockFilterKind.value).toBe('all');
+      expect(mockFilterKind.value).toBe('major');
+    });
+
+    it('applies sort from route query', async () => {
+      mockRoute.query = { sort: 'status-desc' };
+      const wrapper = await mountContainersView([makeContainer()]);
+      const vm = wrapper.vm as any;
+      expect(vm.containerSortKey).toBe('status');
+      expect(vm.containerSortAsc).toBe(false);
+    });
+
+    it('applies image-age sort aliases from route query', async () => {
+      mockRoute.query = { sort: 'oldest-first' };
+      const wrapper = await mountContainersView([makeContainer()]);
+      const vm = wrapper.vm as any;
+      expect(vm.containerSortKey).toBe('imageAge');
+      expect(vm.containerSortAsc).toBe(true);
     });
 
     it('clears dropdown filters when navigating with a search query', async () => {
@@ -456,6 +505,53 @@ describe('ContainersView', () => {
       expect(mockFilterServer.value).toBe('all');
       expect(mockFilterKind.value).toBe('all');
     });
+
+    it('syncs filter/sort state to URL query params', async () => {
+      const wrapper = await mountContainersView([makeContainer()]);
+      const vm = wrapper.vm as any;
+
+      mockFilterSearch.value = 'nginx';
+      mockFilterStatus.value = 'running';
+      mockFilterRegistry.value = 'dockerhub';
+      mockFilterBouncer.value = 'safe';
+      mockFilterServer.value = 'Local';
+      mockFilterKind.value = 'major';
+      vm.groupByStack = true;
+      vm.containerSortKey = 'status';
+      vm.containerSortAsc = false;
+      await flushPromises();
+
+      expect(mockRouterReplace).toHaveBeenCalled();
+      const lastCall = mockRouterReplace.mock.calls.at(-1)?.[0];
+      expect(lastCall).toEqual({
+        query: expect.objectContaining({
+          q: 'nginx',
+          filterStatus: 'running',
+          filterRegistry: 'dockerhub',
+          filterBouncer: 'safe',
+          filterServer: 'Local',
+          filterKind: 'major',
+          groupByStack: 'true',
+          sort: 'status-desc',
+        }),
+      });
+    });
+  });
+
+  describe('route-driven logs detail', () => {
+    it('opens full-page logs tab for /containers/:id/logs', async () => {
+      const targetContainer = makeContainer({ id: 'container-42', name: 'api' });
+      mockRoute.name = 'container-logs';
+      mockRoute.path = '/containers/container-42/logs';
+      mockRoute.params = { id: 'container-42' };
+
+      await mountContainersView([targetContainer]);
+
+      expect(mockSelectedContainer.value?.id).toBe('container-42');
+      expect(mockActiveDetailTab.value).toBe('logs');
+      expect(mockContainerFullPage.value).toBe(true);
+      expect(mockDetailPanelOpen.value).toBe(false);
+    });
   });
 
   describe('empty state', () => {
@@ -694,21 +790,38 @@ describe('ContainersView', () => {
   });
 
   describe('actionInProgress', () => {
-    it('prevents concurrent actions', async () => {
+    it('prevents concurrent actions on the same container', async () => {
       const containers = [makeContainer({ newTag: '2.0.0' })];
       const wrapper = await mountContainersView(containers);
       const vm = wrapper.vm as any;
 
-      // Simulate first action in progress
-      vm.actionInProgress = 'nginx';
+      // Simulate action already in progress on 'nginx'
+      vm.actionInProgress = new Set(['nginx']);
 
-      // Attempting another action should be blocked (containerIdMap needs an entry)
+      // Attempting the same container should be blocked
       mockApiUpdate.mockResolvedValue({});
-      await vm.executeAction('other', mockApiUpdate);
+      await vm.executeAction('nginx', mockApiUpdate);
 
-      // apiUpdateContainer should not be called because actionInProgress is set
       expect(mockApiUpdate).not.toHaveBeenCalled();
     });
+
+    it('allows concurrent actions on different containers', async () => {
+      const containers = [
+        makeContainer({ name: 'nginx', newTag: '2.0.0' }),
+        makeContainer({ name: 'redis', newTag: '8.0.0' }),
+      ];
+      const wrapper = await mountContainersView(containers);
+      const vm = wrapper.vm as any;
+
+      // Simulate action already in progress on 'nginx'
+      vm.actionInProgress = new Set(['nginx']);
+
+      // Attempting a different container should NOT be blocked
+      mockApiUpdate.mockResolvedValue({});
+      await vm.executeAction('redis', mockApiUpdate);
+
+      expect(mockApiUpdate).toHaveBeenCalled();
+    });
   });
 
   describe('ghost state', () => {
@@ -1200,18 +1313,24 @@ describe('ContainersView', () => {
         makeContainer({ name: 'nginx' }),
         makeContainer({ id: 'c2', name: 'redis' }),
         makeContainer({ id: 'c3', name: 'postgres' }),
+        makeContainer({ id: 'c4', name: 'mongo' }),
       ];
       const wrapper = await mountContainersView(containers);
       const vm = wrapper.vm as any;
 
       vm.groupByStack = true;
-      vm.groupMembershipMap = { nginx: 'web-stack', redis: 'web-stack', postgres: 'db-stack' };
+      vm.groupMembershipMap = {
+        nginx: 'web-stack',
+        redis: 'web-stack',
+        postgres: 'db-stack',
+        mongo: 'db-stack',
+      };
       await flushPromises();
 
       const groups = vm.groupedContainers;
       expect(groups).toHaveLength(2);
       expect(groups[0].key).toBe('db-stack');
-      expect(groups[0].containers).toHaveLength(1);
+      expect(groups[0].containers).toHaveLength(2);
       expect(groups[1].key).toBe('web-stack');
       expect(groups[1].containers).toHaveLength(2);
     });
@@ -1219,21 +1338,65 @@ describe('ContainersView', () => {
     it('places ungrouped containers last', async () => {
       const containers = [
         makeContainer({ name: 'nginx' }),
-        makeContainer({ id: 'c2', name: 'solo' }),
+        makeContainer({ id: 'c2', name: 'redis' }),
+        makeContainer({ id: 'c3', name: 'solo' }),
+      ];
+      const wrapper = await mountContainersView(containers);
+      const vm = wrapper.vm as any;
+
+      vm.groupByStack = true;
+      vm.groupMembershipMap = { nginx: 'web-stack', redis: 'web-stack' };
+      await flushPromises();
+
+      const groups = vm.groupedContainers;
+      expect(groups).toHaveLength(2);
+      expect(groups[0].key).toBe('web-stack');
+      expect(groups[1].key).toBe('__ungrouped__');
+      expect(groups[1].name).toBeNull();
+      expect(groups[1].containers).toHaveLength(1);
+    });
+
+    it('flattens single-container stacks into ungrouped bucket', async () => {
+      const containers = [
+        makeContainer({ name: 'nginx' }),
+        makeContainer({ id: 'c2', name: 'redis' }),
+        makeContainer({ id: 'c3', name: 'postgres' }),
       ];
       const wrapper = await mountContainersView(containers);
       const vm = wrapper.vm as any;
 
       vm.groupByStack = true;
-      vm.groupMembershipMap = { nginx: 'web-stack' };
+      vm.groupMembershipMap = { nginx: 'web-stack', redis: 'web-stack', postgres: 'db-stack' };
       await flushPromises();
 
       const groups = vm.groupedContainers;
+      // db-stack has only 1 container, so it should be flattened into ungrouped
       expect(groups).toHaveLength(2);
       expect(groups[0].key).toBe('web-stack');
+      expect(groups[0].containers).toHaveLength(2);
       expect(groups[1].key).toBe('__ungrouped__');
       expect(groups[1].name).toBeNull();
       expect(groups[1].containers).toHaveLength(1);
+      expect(groups[1].containers[0].name).toBe('postgres');
+    });
+
+    it('flattens all single-container stacks when none have multiple containers', async () => {
+      const containers = [
+        makeContainer({ name: 'nginx' }),
+        makeContainer({ id: 'c2', name: 'redis' }),
+      ];
+      const wrapper = await mountContainersView(containers);
+      const vm = wrapper.vm as any;
+
+      vm.groupByStack = true;
+      vm.groupMembershipMap = { nginx: 'web-stack', redis: 'db-stack' };
+      await flushPromises();
+
+      const groups = vm.groupedContainers;
+      // Both stacks have only 1 container — all flattened into a single ungrouped bucket
+      expect(groups).toHaveLength(1);
+      expect(groups[0].key).toBe('__ungrouped__');
+      expect(groups[0].containers).toHaveLength(2);
     });
 
     it('persists toggle state to preferences', async () => {
@@ -1329,25 +1492,28 @@ describe('ContainersView', () => {
     it('tracks group update-all loading state during execution', async () => {
       const containers = [
         makeContainer({ id: 'c1', name: 'nginx', newTag: '2.0.0', updateKind: 'major' }),
+        makeContainer({ id: 'c2', name: 'redis' }),
       ];
       const wrapper = await mountContainersView(containers);
       const vm = wrapper.vm as any;
-      let resolveUpdate: ((value: unknown) => void) | undefined;
+      const resolvers: Array<(value: unknown) => void> = [];
       mockApiUpdate.mockImplementation(
         () =>
           new Promise((resolve) => {
-            resolveUpdate = resolve;
+            resolvers.push(resolve);
           }),
       );
 
       vm.groupByStack = true;
-      vm.groupMembershipMap = { nginx: 'web-stack' };
+      vm.groupMembershipMap = { nginx: 'web-stack', redis: 'web-stack' };
       await flushPromises();
 
       const pending = vm.updateAllInGroup(vm.groupedContainers[0]);
       expect(vm.groupUpdateInProgress.has('web-stack')).toBe(true);
 
-      resolveUpdate?.({});
+      for (const resolve of resolvers) {
+        resolve({});
+      }
       await pending;
 
       expect(vm.groupUpdateInProgress.has('web-stack')).toBe(false);
@@ -1373,41 +1539,44 @@ describe('ContainersView', () => {
     });
   });
 
-  describe('container logs auto-fetch', () => {
-    it('renders auto-fetch interval selector in logs tab', async () => {
+  describe('container logs viewer integration', () => {
+    it('renders compact log viewer in side-panel logs tab', async () => {
       const c = makeContainer();
-      const { getContainerLogs } = await import('@/services/container');
-      (getContainerLogs as ReturnType<typeof vi.fn>).mockResolvedValue({ logs: 'line1\nline2' });
-
       const wrapper = await mountContainersView([c]);
       mockSelectedContainer.value = c;
       mockDetailPanelOpen.value = true;
       mockActiveDetailTab.value = 'logs';
       await flushPromises();
 
-      const selects = wrapper.findAll('select');
-      const autoFetchSelect = selects.find((s) => s.text().includes('Off'));
-      expect(autoFetchSelect).toBeDefined();
+      const logsStubs = wrapper.findAll('[data-test="container-logs-stub"]');
+      expect(logsStubs.length).toBeGreaterThan(0);
+      const compactStub = logsStubs.find(
+        (stub) =>
+          stub.attributes('data-id') === 'c1' &&
+          stub.attributes('data-name') === 'nginx' &&
+          stub.attributes('data-compact') === 'true',
+      );
+      expect(compactStub).toBeDefined();
     });
 
-    it('shows scroll-paused indicator when scrollBlocked and auto-fetch active', async () => {
-      const c = makeContainer();
-      const { getContainerLogs } = await import('@/services/container');
-      (getContainerLogs as ReturnType<typeof vi.fn>).mockResolvedValue({ logs: 'line1\nline2' });
+    it('renders full-size log viewer for /containers/:id/logs route', async () => {
+      const c = makeContainer({ id: 'container-42', name: 'api' });
+      mockRoute.name = 'container-logs';
+      mockRoute.path = '/containers/container-42/logs';
+      mockRoute.params = { id: 'container-42' };
 
       const wrapper = await mountContainersView([c]);
-      mockSelectedContainer.value = c;
-      mockDetailPanelOpen.value = true;
-      mockActiveDetailTab.value = 'logs';
       await flushPromises();
-      // Set after tab switch so the watcher reset has already fired
-      mockContainerScrollBlocked.value = true;
-      mockContainerAutoFetchInterval.value = 2000;
-      await wrapper.vm.$nextTick();
-
-      expect(wrapper.text()).toContain('Auto-scroll paused');
-      const resumeBtn = wrapper.findAll('button').find((b) => b.text().includes('Resume'));
-      expect(resumeBtn).toBeDefined();
+
+      const logsStubs = wrapper.findAll('[data-test="container-logs-stub"]');
+      expect(logsStubs.length).toBeGreaterThan(0);
+      const fullSizeStub = logsStubs.find(
+        (stub) =>
+          stub.attributes('data-id') === 'container-42' &&
+          stub.attributes('data-name') === 'api' &&
+          stub.attributes('data-compact') === 'false',
+      );
+      expect(fullSizeStub).toBeDefined();
     });
   });
 
diff --git a/ui/tests/views/DashboardView.spec.ts b/ui/tests/views/DashboardView.spec.ts
index 0ac44cc4c..74561c1bb 100644
--- a/ui/tests/views/DashboardView.spec.ts
+++ b/ui/tests/views/DashboardView.spec.ts
@@ -22,6 +22,10 @@ vi.mock('@/services/container', () => ({
   getContainerSummary: vi.fn(),
 }));
 
+vi.mock('@/services/stats', () => ({
+  getAllContainerStats: vi.fn(),
+}));
+
 vi.mock('@/services/agent', () => ({
   getAgents: vi.fn(),
 }));
@@ -69,9 +73,11 @@ import {
 } from '@/services/container';
 import { getAllRegistries } from '@/services/registry';
 import { getServer } from '@/services/server';
+import { getAllContainerStats } from '@/services/stats';
 import { getAllWatchers } from '@/services/watcher';
 
 const mockGetAllContainers = getAllContainers as ReturnType<typeof vi.fn>;
+const mockGetAllContainerStats = getAllContainerStats as ReturnType<typeof vi.fn>;
 const mockGetContainerRecentStatus = getContainerRecentStatus as ReturnType<typeof vi.fn>;
 const mockGetContainerSummary = getContainerSummary as ReturnType<typeof vi.fn>;
 const mockGetAgents = getAgents as ReturnType<typeof vi.fn>;
@@ -105,6 +111,7 @@ interface DashboardDataOverrides {
   registries?: any[];
   auditEntries?: any[];
   recentStatuses?: Record<string, string>;
+  containerStats?: any[];
 }
 
 function mapAuditEntriesToRecentStatuses(auditEntries: any[]): Record<string, string> {
@@ -135,6 +142,7 @@ async function mountDashboard(
   overrides: DashboardDataOverrides = {},
 ) {
   mockGetAllContainers.mockResolvedValue(containers);
+  mockGetAllContainerStats.mockResolvedValue(overrides.containerStats ?? []);
   mockGetContainerSummary.mockResolvedValue({
     containers: {
       total: containers.length,
@@ -358,23 +366,17 @@ describe('DashboardView', () => {
   });
 
   describe('SSE refresh behavior', () => {
-    it('refreshes dashboard summary on dd:sse-container-changed without full refresh', async () => {
+    it('performs full data refresh on dd:sse-container-changed (#229)', async () => {
       vi.useFakeTimers();
       try {
         await mountDashboard([makeContainer()]);
-        const summaryCallsBefore = mockGetContainerSummary.mock.calls.length;
         const containersCallsBefore = mockGetAllContainers.mock.calls.length;
-        const serverCallsBefore = mockGetServer.mock.calls.length;
-        const agentsCallsBefore = mockGetAgents.mock.calls.length;
 
         globalThis.dispatchEvent(new CustomEvent('dd:sse-container-changed'));
         vi.advanceTimersByTime(1000);
         await flushPromises();
 
-        expect(mockGetContainerSummary.mock.calls.length).toBeGreaterThan(summaryCallsBefore);
-        expect(mockGetAllContainers.mock.calls.length).toBe(containersCallsBefore);
-        expect(mockGetServer.mock.calls.length).toBe(serverCallsBefore);
-        expect(mockGetAgents.mock.calls.length).toBe(agentsCallsBefore);
+        expect(mockGetAllContainers.mock.calls.length).toBeGreaterThan(containersCallsBefore);
       } finally {
         vi.useRealTimers();
       }
@@ -564,7 +566,7 @@ describe('DashboardView', () => {
       expect(wrapper.text()).toContain('7.0.0');
     });
 
-    it('limits recent updates to 6 entries', async () => {
+    it('caps pending updates to six visible rows', async () => {
       const containers = Array.from({ length: 12 }, (_, i) =>
         makeContainer({
           id: `c${i}`,
@@ -578,6 +580,23 @@ describe('DashboardView', () => {
       expect(rows.length).toBe(6);
     });
 
+    it('renders the recent updates table with a fixed layout to keep columns stable while scrolling', async () => {
+      const containers = Array.from({ length: 12 }, (_, i) =>
+        makeContainer({
+          id: `c${i}`,
+          name: `container-${i}`,
+          newTag: `${i + 1}.0.0`,
+        }),
+      );
+      const wrapper = await mountDashboard(containers);
+      const tableStyle = wrapper
+        .find('[data-widget-id="recent-updates"]')
+        .find('table')
+        .attributes('style');
+
+      expect(tableStyle).toContain('table-layout: fixed');
+    });
+
     it('orders recent updates by newest detected update first', async () => {
       const containers = [
         {
@@ -693,7 +712,7 @@ describe('DashboardView', () => {
       expect(rows[0].text()).toContain('redis');
     });
 
-    it('surfaces registry check failures in recent updates', async () => {
+    it('does not include registry check failures in recent updates', async () => {
       const containers = [
         makeContainer({
           id: 'c1',
@@ -713,9 +732,10 @@ describe('DashboardView', () => {
       const widget = wrapper.find('[data-widget-id="recent-updates"]');
       const rows = widget.findAll('tbody tr').filter((r) => !r.attributes('aria-hidden'));
       const errorRow = rows.find((r) => r.text().includes('registry-fail'));
+      const pendingRow = rows.find((r) => r.text().includes('has-update'));
 
-      expect(errorRow).toBeDefined();
-      expect(errorRow!.text()).toContain('Registry request failed: unauthorized');
+      expect(errorRow).toBeUndefined();
+      expect(pendingRow).toBeDefined();
     });
 
     it('renders release notes links when available in recent updates rows', async () => {
@@ -997,6 +1017,67 @@ describe('DashboardView', () => {
     });
   });
 
+  describe('resource usage widget', () => {
+    it('renders top cpu and memory containers from live stats summary', async () => {
+      const wrapper = await mountDashboard(
+        [makeContainer()],
+        [],
+        {},
+        {
+          containerStats: [
+            {
+              id: 'c1',
+              name: 'web',
+              status: 'running',
+              watcher: 'local',
+              agent: undefined,
+              stats: {
+                containerId: 'c1',
+                cpuPercent: 30,
+                memoryUsageBytes: 300,
+                memoryLimitBytes: 600,
+                memoryPercent: 50,
+                networkRxBytes: 1,
+                networkTxBytes: 2,
+                blockReadBytes: 3,
+                blockWriteBytes: 4,
+                timestamp: '2026-03-14T10:00:00.000Z',
+              },
+            },
+            {
+              id: 'c2',
+              name: 'db',
+              status: 'running',
+              watcher: 'local',
+              agent: undefined,
+              stats: {
+                containerId: 'c2',
+                cpuPercent: 80,
+                memoryUsageBytes: 500,
+                memoryLimitBytes: 1_000,
+                memoryPercent: 50,
+                networkRxBytes: 1,
+                networkTxBytes: 2,
+                blockReadBytes: 3,
+                blockWriteBytes: 4,
+                timestamp: '2026-03-14T10:00:00.000Z',
+              },
+            },
+          ],
+        },
+      );
+
+      const resourceWidget = wrapper.find('[data-widget-id="resource-usage"]');
+      expect(resourceWidget.text()).toContain('Resource Usage');
+      expect(resourceWidget.text()).toContain('Top CPU');
+      expect(resourceWidget.text()).toContain('Top Memory');
+      expect(resourceWidget.text()).toContain('db');
+      expect(resourceWidget.text()).toContain('web');
+      expect(resourceWidget.text()).toContain('55.0%');
+      expect(resourceWidget.text()).toContain('800 B / 1.6 KB');
+    });
+  });
+
   describe('dashboard widget ordering', () => {
     it('hydrates widget order from preferences', async () => {
       const { preferences } = await import('@/preferences/store');
@@ -1008,6 +1089,7 @@ describe('DashboardView', () => {
         'host-status',
         'recent-updates',
         'security-overview',
+        'resource-usage',
         'update-breakdown',
       ];
 
@@ -1022,6 +1104,9 @@ describe('DashboardView', () => {
       expect(
         wrapper.find('[data-widget-id="security-overview"]').attributes('data-widget-order'),
       ).toBe('6');
+      expect(
+        wrapper.find('[data-widget-id="resource-usage"]').attributes('data-widget-order'),
+      ).toBe('7');
     });
 
     it('reorders widgets on drop and persists the new order', async () => {
@@ -1058,6 +1143,7 @@ describe('DashboardView', () => {
         'update-breakdown',
         'recent-updates',
         'security-overview',
+        'resource-usage',
         'host-status',
       ]);
     });
@@ -1115,6 +1201,10 @@ describe('DashboardView', () => {
       const securityCard = statCards.find((c) => c.text().includes('Security Issues'));
       await securityCard?.trigger('click');
       expect(mockRouterPush).toHaveBeenCalledWith('/security');
+
+      const registriesCard = statCards.find((c) => c.text().includes('Registries'));
+      await registriesCard?.trigger('click');
+      expect(mockRouterPush).toHaveBeenCalledWith('/registries');
     });
 
     it('routes update view-all buttons with has-update filter', async () => {
diff --git a/ui/tests/views/LoginView.spec.ts b/ui/tests/views/LoginView.spec.ts
index 465b4d3d1..a86c3129f 100644
--- a/ui/tests/views/LoginView.spec.ts
+++ b/ui/tests/views/LoginView.spec.ts
@@ -146,7 +146,7 @@ describe('LoginView', () => {
     });
 
     it('shows error on login failure', async () => {
-      mockLoginBasic.mockRejectedValue(new Error('bad creds'));
+      mockLoginBasic.mockRejectedValue(new Error('Username or password error'));
       const wrapper = await mountLogin([{ type: 'basic', name: 'basic' }]);
 
       await wrapper.find('input[type="text"]').setValue('admin');
@@ -157,6 +157,19 @@ describe('LoginView', () => {
       expect(wrapper.text()).toContain('Invalid username or password');
     });
 
+    it('shows server-provided auth error when available', async () => {
+      mockLoginBasic.mockRejectedValue(new Error("Basic auth 'ANDI': hash is required"));
+      const wrapper = await mountLogin([{ type: 'basic', name: 'basic' }]);
+
+      await wrapper.find('input[type="text"]').setValue('admin');
+      await wrapper.find('input[type="password"]').setValue('wrong');
+      await wrapper.find('form').trigger('submit');
+      await flushPromises();
+
+      expect(wrapper.text()).toContain("Basic auth 'ANDI': hash is required");
+      expect(wrapper.text()).not.toContain('Invalid username or password');
+    });
+
     it('shows Signing in... text while submitting', async () => {
       let resolveLogin: (v: any) => void;
       mockLoginBasic.mockReturnValue(
diff --git a/ui/tests/views/LogsView.spec.ts b/ui/tests/views/LogsView.spec.ts
index b20b263e3..659d2aa64 100644
--- a/ui/tests/views/LogsView.spec.ts
+++ b/ui/tests/views/LogsView.spec.ts
@@ -6,15 +6,14 @@ vi.mock('@/services/log', () => ({
   getLogEntries: vi.fn().mockResolvedValue([]),
 }));
 
-vi.mock('@/composables/useLogViewerBehavior', () => ({
-  LOG_AUTO_FETCH_INTERVALS: [{ label: 'Off', value: 0 }],
-  useAutoFetchLogs: () => ({ autoFetchInterval: { value: 0 } }),
-  useLogViewport: () => ({
-    logContainer: { value: null },
-    scrollBlocked: { value: false },
-    scrollToBottom: vi.fn(),
-    handleLogScroll: vi.fn(),
-    resumeAutoScroll: vi.fn(),
+vi.mock('@/composables/useSystemLogStream', () => ({
+  useSystemLogStream: () => ({
+    entries: { value: [] },
+    status: { value: 'disconnected' },
+    connect: vi.fn(),
+    disconnect: vi.fn(),
+    updateFilters: vi.fn(),
+    clear: vi.fn(),
   }),
 }));
 
@@ -32,7 +31,7 @@ describe('LogsView', () => {
       expect(root.classes()).toContain('sm:pr-[15px]');
     });
 
-    it('prevents page-level scroll with overflow-hidden', () => {
+    it('uses the standard vertical scroll container', () => {
       const wrapper = mount(LogsView, {
         global: {
           stubs: {
@@ -41,10 +40,10 @@ describe('LogsView', () => {
         },
       });
       const root = wrapper.find('div');
-      expect(root.classes()).toContain('overflow-hidden');
+      expect(root.classes()).toContain('overflow-y-auto');
     });
 
-    it('stretches to fill available height with flex-1 and min-h-0', () => {
+    it('stretches to fill available height with flex-1/min-h-0/min-w-0', () => {
       const wrapper = mount(LogsView, {
         global: {
           stubs: {
@@ -55,7 +54,7 @@ describe('LogsView', () => {
       const root = wrapper.find('div');
       expect(root.classes()).toContain('flex-1');
       expect(root.classes()).toContain('min-h-0');
-      expect(root.classes()).toContain('flex-col');
+      expect(root.classes()).toContain('min-w-0');
     });
   });
 });
diff --git a/ui/tests/views/SecurityView.spec.ts b/ui/tests/views/SecurityView.spec.ts
index 8ac01829c..e70db279f 100644
--- a/ui/tests/views/SecurityView.spec.ts
+++ b/ui/tests/views/SecurityView.spec.ts
@@ -5,6 +5,8 @@ const mockGetSecurityVulnerabilityOverview = vi.fn();
 const mockScanContainer = vi.fn();
 const mockGetContainerSbom = vi.fn();
 const mockGetSecurityRuntime = vi.fn();
+const mockIsMobile = { value: false };
+const mockWindowNarrow = { value: false };
 const { mockComputeSecurityDelta } = vi.hoisted(() => ({
   mockComputeSecurityDelta: vi.fn(),
 }));
@@ -21,7 +23,7 @@ vi.mock('@/services/server', () => ({
 }));
 
 vi.mock('@/composables/useBreakpoints', () => ({
-  useBreakpoints: () => ({ isMobile: { value: false }, windowNarrow: { value: false } }),
+  useBreakpoints: () => ({ isMobile: mockIsMobile, windowNarrow: mockWindowNarrow }),
 }));
 
 vi.mock('@/utils/container-mapper', async () => {
@@ -78,7 +80,14 @@ const stubs: Record<string, any> = {
       'countLabel',
     ],
     emits: ['update:modelValue', 'update:showFilters'],
-    template: '<div class="dfb"><slot name="filters" /><slot name="left" /></div>',
+    template:
+      '<div class="dfb"><slot name="filters" /><slot name="left" /><slot name="center" /></div>',
+  }),
+  AppIconButton: defineComponent({
+    inheritAttrs: false,
+    props: ['icon', 'size', 'variant', 'tooltip', 'ariaLabel', 'disabled', 'loading'],
+    template:
+      '<button class="app-icon-button-stub" v-bind="$attrs" :data-icon="icon" :data-size="size" :data-variant="variant" :data-loading="String(loading)" :aria-label="ariaLabel" :disabled="disabled"><slot /></button>',
   }),
   DataTable: defineComponent({
     props: ['columns', 'rows', 'rowKey', 'sortKey', 'sortAsc', 'selectedKey'],
@@ -247,6 +256,8 @@ describe('SecurityView', () => {
   beforeEach(() => {
     vi.clearAllMocks();
     containerIdCounter = 0;
+    mockIsMobile.value = false;
+    mockWindowNarrow.value = false;
     mockGetSecurityRuntime.mockResolvedValue(readyRuntimeStatus());
   });
 
@@ -516,6 +527,24 @@ describe('SecurityView', () => {
     });
   });
 
+  describe('scan action sizing', () => {
+    it('renders the compact scan action as a toolbar AppIconButton', async () => {
+      mockWindowNarrow.value = true;
+      mockContainers([makeContainer()]);
+
+      const wrapper = factory();
+      await vi.waitFor(() => {
+        expect(mockGetSecurityRuntime).toHaveBeenCalledOnce();
+      });
+      await nextTick();
+
+      const scanButton = wrapper.find('.app-icon-button-stub[aria-label="Scan all containers"]');
+      expect(scanButton.exists()).toBe(true);
+      expect(scanButton.attributes('data-icon')).toBe('restart');
+      expect(scanButton.attributes('data-size')).toBe('toolbar');
+    });
+  });
+
   describe('scan coverage display', () => {
     it('shows 0/N scanned when no containers have been scanned', async () => {
       mockContainers([makeContainer({ security: null }), makeContainer({ security: null })]);
diff --git a/ui/tests/views/WatchersView.spec.ts b/ui/tests/views/WatchersView.spec.ts
index 0a87c5c2d..4eef38791 100644
--- a/ui/tests/views/WatchersView.spec.ts
+++ b/ui/tests/views/WatchersView.spec.ts
@@ -11,6 +11,7 @@ const { mockRoute } = vi.hoisted(() => ({
 
 vi.mock('vue-router', () => ({
   useRoute: () => mockRoute,
+  useRouter: () => ({ push: vi.fn(), replace: vi.fn() }),
 }));
 
 vi.mock('@/composables/useBreakpoints', () => ({
@@ -170,6 +171,44 @@ describe('WatchersView', () => {
     expect(wrapper.text()).toContain('Failed to load watchers');
   });
 
+  it('renders lastRun from metadata.lastRunAt when present', async () => {
+    const fiveMinutesAgo = new Date(Date.now() - 5 * 60 * 1000).toISOString();
+    mockGetAllWatchers.mockResolvedValue([
+      {
+        id: 'watcher-alpha',
+        name: 'Alpha Watcher',
+        type: 'docker',
+        configuration: { cron: '*/5 * * * *' },
+        metadata: { lastRunAt: fiveMinutesAgo },
+      },
+    ]);
+    mockGetAllContainers.mockResolvedValue([]);
+
+    const wrapper = await mountWatchersView();
+    const table = wrapper.findComponent(dataViewStubs.DataTable);
+    const rows = table.props('rows') as Array<{ lastRun: string }>;
+
+    expect(rows[0].lastRun).toBe('5m ago');
+  });
+
+  it('renders em dash for lastRun when metadata.lastRunAt is absent', async () => {
+    mockGetAllWatchers.mockResolvedValue([
+      {
+        id: 'watcher-alpha',
+        name: 'Alpha Watcher',
+        type: 'docker',
+        configuration: { cron: '*/5 * * * *' },
+      },
+    ]);
+    mockGetAllContainers.mockResolvedValue([]);
+
+    const wrapper = await mountWatchersView();
+    const table = wrapper.findComponent(dataViewStubs.DataTable);
+    const rows = table.props('rows') as Array<{ lastRun: string }>;
+
+    expect(rows[0].lastRun).toBe('\u2014');
+  });
+
   it('clicking a row fetches watcher details from per-component endpoint', async () => {
     mockGetAllWatchers.mockResolvedValue([
       {
diff --git a/ui/tests/views/containers/containerActionComposables.spec.ts b/ui/tests/views/containers/containerActionComposables.spec.ts
index 591b2c020..f34e69b4d 100644
--- a/ui/tests/views/containers/containerActionComposables.spec.ts
+++ b/ui/tests/views/containers/containerActionComposables.spec.ts
@@ -1,4 +1,6 @@
-import { describe, expect, it } from 'vitest';
+import { describe, expect, it, vi } from 'vitest';
+import { ref } from 'vue';
+import { loadContainerDetailListState } from '@/views/containers/loadContainerDetailListState';
 import { useContainerBackups } from '@/views/containers/useContainerBackups';
 import { useContainerPolicy } from '@/views/containers/useContainerPolicy';
 import { useContainerPreview } from '@/views/containers/useContainerPreview';
@@ -11,4 +13,66 @@ describe('container action focused composables', () => {
     expect(typeof useContainerTriggers).toBe('function');
     expect(typeof useContainerBackups).toBe('function');
   });
+
+  it('loads container detail list state from a loader', async () => {
+    const loading = ref(false);
+    const error = ref<string | null>(null);
+    const value = ref<Record<string, unknown>[]>([{ stale: true }]);
+    const loader = vi.fn().mockResolvedValue([{ id: 'a' }]);
+
+    await loadContainerDetailListState({
+      containerId: 'container-a',
+      loading,
+      error,
+      value,
+      loader,
+      failureMessage: 'Failed to load detail list',
+    });
+
+    expect(loader).toHaveBeenCalledWith('container-a');
+    expect(value.value).toEqual([{ id: 'a' }]);
+    expect(error.value).toBeNull();
+    expect(loading.value).toBe(false);
+  });
+
+  it('handles loader failures by clearing the list and setting an error', async () => {
+    const loading = ref(false);
+    const error = ref<string | null>(null);
+    const value = ref<Record<string, unknown>[]>([{ stale: true }]);
+    const loader = vi.fn().mockRejectedValue(new Error('boom'));
+
+    await loadContainerDetailListState({
+      containerId: 'container-b',
+      loading,
+      error,
+      value,
+      loader,
+      failureMessage: 'Failed to load detail list',
+    });
+
+    expect(value.value).toEqual([]);
+    expect(error.value).toBe('boom');
+    expect(loading.value).toBe(false);
+  });
+
+  it('resets to an empty list when no container is selected', async () => {
+    const loading = ref(false);
+    const error = ref<string | null>('existing error');
+    const value = ref<Record<string, unknown>[]>([{ stale: true }]);
+    const loader = vi.fn();
+
+    await loadContainerDetailListState({
+      containerId: undefined,
+      loading,
+      error,
+      value,
+      loader,
+      failureMessage: 'Failed to load detail list',
+    });
+
+    expect(loader).not.toHaveBeenCalled();
+    expect(value.value).toEqual([]);
+    expect(error.value).toBe('existing error');
+    expect(loading.value).toBe(false);
+  });
 });
diff --git a/ui/tests/views/containers/useContainerActions.spec.ts b/ui/tests/views/containers/useContainerActions.spec.ts
index a584c56d7..36c6711fe 100644
--- a/ui/tests/views/containers/useContainerActions.spec.ts
+++ b/ui/tests/views/containers/useContainerActions.spec.ts
@@ -10,6 +10,8 @@ import {
 } from '@/views/containers/useContainerActions';
 
 const mocks = vi.hoisted(() => ({
+  toastSuccess: vi.fn(),
+  toastError: vi.fn(),
   confirmRequire: vi.fn(),
   getBackups: vi.fn(),
   rollback: vi.fn(),
@@ -59,6 +61,18 @@ vi.mock('@/services/preview', () => ({
   previewContainer: mocks.previewContainer,
 }));
 
+vi.mock('@/composables/useToast', () => ({
+  useToast: () => ({
+    success: mocks.toastSuccess,
+    error: mocks.toastError,
+    warning: vi.fn(),
+    info: vi.fn(),
+    toasts: { value: [] },
+    addToast: vi.fn(),
+    dismissToast: vi.fn(),
+  }),
+}));
+
 vi.mock('@/composables/useServerFeatures', () => ({
   useServerFeatures: () => ({
     featureFlags: computed(() => ({
@@ -238,6 +252,7 @@ describe('useContainerActions', () => {
     expect(mocks.getBackups).toHaveBeenCalledTimes(1);
     expect(mocks.getContainerUpdateOperations).toHaveBeenCalledTimes(1);
     expect(composable.triggerRunInProgress.value).toBeNull();
+    expect(mocks.toastSuccess).toHaveBeenCalledWith('Trigger ran: agent-1.slack.notify');
   });
 
   it('guards trigger execution without a selected id and reports trigger run failures', async () => {
@@ -280,6 +295,7 @@ describe('useContainerActions', () => {
     expect(loadContainers).toHaveBeenCalledTimes(1);
     expect(mocks.getBackups).toHaveBeenCalledTimes(1);
     expect(mocks.getContainerUpdateOperations).toHaveBeenCalledTimes(1);
+    expect(mocks.toastSuccess).toHaveBeenCalledWith('Rollback completed from selected backup');
   });
 
   it('updates skip policy for selected container and tracks skipped updates', async () => {
@@ -319,6 +335,8 @@ describe('useContainerActions', () => {
 
     expect(mocks.updateContainer).toHaveBeenCalledWith('container-1');
     expect(mocks.scanContainer).toHaveBeenCalledWith('container-1');
+    expect(mocks.toastSuccess).toHaveBeenCalledWith('Updated: web');
+    expect(mocks.toastSuccess).toHaveBeenCalledWith('Scan triggered: web');
 
     mocks.updateContainer.mockClear();
     mocks.scanContainer.mockClear();
@@ -441,6 +459,7 @@ describe('useContainerActions', () => {
     expect(closeFullPage).toHaveBeenCalledTimes(1);
     expect(closePanel).toHaveBeenCalledTimes(1);
     expect(loadContainers).toHaveBeenCalledTimes(1);
+    expect(mocks.toastSuccess).toHaveBeenCalledWith('Deleted: web');
   });
 
   it('updates all eligible containers in a group and reloads once after the batch', async () => {
@@ -480,6 +499,50 @@ describe('useContainerActions', () => {
     expect(mocks.updateContainer).toHaveBeenNthCalledWith(2, 'container-2');
     expect(loadContainers).toHaveBeenCalledTimes(1);
     expect(composable.groupUpdateInProgress.value.has('group-1')).toBe(false);
+    expect(mocks.toastSuccess).toHaveBeenCalledWith('Updated 2 containers in group-1');
+  });
+
+  it('freezes grouped update ids and skips containers renamed during the batch', async () => {
+    const web = makeContainer({ id: 'container-1', name: 'web', newTag: '1.1.0', bouncer: 'safe' });
+    const api = makeContainer({ id: 'container-2', name: 'api', newTag: '2.0.0', bouncer: 'safe' });
+    const { composable, containerIdMap, containers, loadContainers } = await mountActionsHarness({
+      containers: [web, api],
+      containerIdMap: {
+        web: 'container-1',
+        api: 'container-2',
+      },
+    });
+    loadContainers.mockClear();
+
+    mocks.updateContainer.mockImplementation(async (containerId: string) => {
+      if (containerId === 'container-1') {
+        containerIdMap.value = {
+          web: 'container-1-new',
+          api: 'container-2-new',
+          'api-old-1773933154786': 'container-2',
+        };
+        containers.value = [
+          makeContainer({ id: 'container-1-new', name: 'web', newTag: null }),
+          makeContainer({
+            id: 'container-2',
+            name: 'api-old-1773933154786',
+            newTag: '2.0.0',
+            bouncer: 'safe',
+          }),
+          makeContainer({ id: 'container-2-new', name: 'api', newTag: '2.0.0', bouncer: 'safe' }),
+        ];
+      }
+      return {};
+    });
+
+    await composable.updateAllInGroup({
+      key: 'group-1',
+      containers: [web, api],
+    });
+
+    expect(mocks.updateContainer).toHaveBeenCalledTimes(1);
+    expect(mocks.updateContainer).toHaveBeenCalledWith('container-1');
+    expect(loadContainers).toHaveBeenCalledTimes(1);
   });
 
   it('does not reload grouped containers when every update action fails', async () => {
@@ -506,8 +569,10 @@ describe('useContainerActions', () => {
     });
 
     expect(mocks.updateContainer).toHaveBeenCalledTimes(2);
-    expect(loadContainers).not.toHaveBeenCalled();
+    expect(loadContainers).toHaveBeenCalledTimes(1);
     expect(composable.groupUpdateInProgress.value.has('group-1')).toBe(false);
+    expect(mocks.toastSuccess).not.toHaveBeenCalled();
+    expect(mocks.toastError).toHaveBeenCalledTimes(2);
   });
 
   it('tracks pending actions and polls until container reappears', async () => {
@@ -572,13 +637,15 @@ describe('useContainerActions', () => {
 
     await composable.startContainer('web');
 
-    expect(composable.actionInProgress.value).toBeNull();
+    expect(composable.actionInProgress.value.size).toBe(0);
     expect(error.value).toBe('start failed');
+    expect(mocks.toastError).toHaveBeenCalledWith('Update failed: web', 'start failed');
 
     // subsequent successful action clears the error
     mocks.startContainer.mockResolvedValueOnce({ message: 'ok' });
     await composable.startContainer('web');
     expect(error.value).toBeNull();
+    expect(mocks.toastSuccess).toHaveBeenCalledWith('Started: web');
   });
 
   it('builds skipped-policy tooltip fallback and pluralized variants', async () => {
@@ -891,6 +958,9 @@ describe('useContainerActions', () => {
     expect(mocks.restartContainer).toHaveBeenCalledWith('container-1');
     expect(mocks.updateContainerPolicy).toHaveBeenCalledWith('container-1', 'clear', {});
     expect(mocks.updateContainer).toHaveBeenCalledWith('container-1');
+    expect(mocks.toastSuccess).toHaveBeenCalledWith('Stopped: web');
+    expect(mocks.toastSuccess).toHaveBeenCalledWith('Restarted: web');
+    expect(mocks.toastSuccess).toHaveBeenCalledWith('Force updated: web');
   });
 
   it('wires update confirmation dialog to update accept handler', async () => {
@@ -914,6 +984,66 @@ describe('useContainerActions', () => {
 
     await confirmCall.accept?.();
     expect(mocks.updateContainer).toHaveBeenCalledWith('container-1');
+    expect(mocks.toastSuccess).toHaveBeenCalledWith('Updated: web');
+  });
+
+  it('shows tag change details in update confirmation for tag updates', async () => {
+    const container = makeContainer({
+      id: 'container-1',
+      name: 'web',
+      currentTag: 'v6',
+      newTag: 'v7',
+      updateKind: 'major',
+    });
+    const { composable } = await mountActionsHarness({
+      selectedContainer: container,
+      selectedContainerId: container.id,
+      containerIdMap: { web: 'container-1' },
+    });
+
+    composable.confirmUpdate('web');
+
+    const confirmCall = mocks.confirmRequire.mock.calls[0][0] as { message: string };
+    expect(confirmCall.message).toContain(':v6');
+    expect(confirmCall.message).toContain(':v7');
+    expect(confirmCall.message).toContain('major');
+  });
+
+  it('shows digest change details in update confirmation for digest updates', async () => {
+    const container = makeContainer({
+      id: 'container-1',
+      name: 'web',
+      currentTag: 'latest',
+      newTag: 'latest',
+      updateKind: 'digest',
+    });
+    const { composable } = await mountActionsHarness({
+      selectedContainer: container,
+      selectedContainerId: container.id,
+      containerIdMap: { web: 'container-1' },
+    });
+
+    composable.confirmUpdate('web');
+
+    const confirmCall = mocks.confirmRequire.mock.calls[0][0] as { message: string };
+    expect(confirmCall.message).toContain(':latest');
+    expect(confirmCall.message).toContain('digest');
+    expect(confirmCall.message).not.toContain(':v');
+  });
+
+  it('falls back to the generic update confirmation when container details are missing', async () => {
+    const { composable } = await mountActionsHarness({
+      selectedContainer: null,
+      selectedContainerId: undefined,
+      containerIdMap: { web: 'container-1' },
+    });
+
+    composable.confirmUpdate('web');
+
+    const confirmCall = mocks.confirmRequire.mock.calls[0][0] as { message: string };
+    expect(confirmCall.message).toBe(
+      'Update web now? This will apply the latest discovered image.',
+    );
   });
 
   it('wires rollback confirmation dialog to rollback accept handler', async () => {
@@ -937,6 +1067,36 @@ describe('useContainerActions', () => {
     expect(mocks.rollback).toHaveBeenCalledWith('container-1', 'backup-1');
   });
 
+  it('opens clear-policy confirmation only when a container is selected and wires accept', async () => {
+    const container = makeContainer({ id: 'container-1', name: 'web' });
+    const { composable, selectedContainer, selectedContainerId } = await mountActionsHarness({
+      selectedContainer: null,
+      selectedContainerId: undefined,
+      containerIdMap: { web: 'container-1' },
+    });
+
+    composable.confirmClearPolicy();
+    expect(mocks.confirmRequire).not.toHaveBeenCalled();
+
+    selectedContainer.value = container;
+    selectedContainerId.value = container.id;
+    composable.confirmClearPolicy();
+
+    expect(mocks.confirmRequire).toHaveBeenCalledTimes(1);
+    const confirmCall = mocks.confirmRequire.mock.calls[0][0] as {
+      header: string;
+      message: string;
+      acceptLabel: string;
+      accept?: () => Promise<unknown>;
+    };
+    expect(confirmCall.header).toBe('Clear Update Policy');
+    expect(confirmCall.message).toContain('Clear all update policy for web?');
+    expect(confirmCall.acceptLabel).toBe('Clear Policy');
+
+    await confirmCall.accept?.();
+    expect(mocks.updateContainerPolicy).toHaveBeenCalledWith('container-1', 'clear', {});
+  });
+
   it('uses latest-backup messaging when rollback confirmation has no explicit backup id', async () => {
     const container = makeContainer({ id: 'container-1', name: 'web' });
     const { composable } = await mountActionsHarness({
@@ -1218,6 +1378,7 @@ describe('useContainerActions', () => {
     mocks.rollback.mockResolvedValueOnce({});
     await composable.rollbackToBackup();
     expect(composable.rollbackMessage.value).toBe('Rollback completed from latest backup');
+    expect(mocks.toastSuccess).toHaveBeenCalledWith('Rollback completed from latest backup');
   });
 
   it('covers policy-action guards, failures, and action variants', async () => {
@@ -1415,6 +1576,7 @@ describe('useContainerActions', () => {
 
     await composable.startContainer('web');
     expect(mocks.startContainer).toHaveBeenCalledWith('container-1');
+    expect(mocks.toastSuccess).toHaveBeenCalledWith('Started: web');
     expect(mocks.getContainerTriggers).toHaveBeenCalledTimes(1);
     expect(mocks.getBackups).toHaveBeenCalledTimes(1);
     expect(mocks.getContainerUpdateOperations).toHaveBeenCalledTimes(1);
@@ -1494,6 +1656,7 @@ describe('useContainerActions', () => {
     const failedResult = await confirmOptions.accept?.();
     expect(failedResult).toBe(false);
     expect(error.value).toBe('delete failed');
+    expect(mocks.toastError).toHaveBeenCalledWith('Delete failed: web', 'delete failed');
   });
 
   it('deletes non-selected containers without closing the selected detail views', async () => {
@@ -1516,6 +1679,7 @@ describe('useContainerActions', () => {
     expect(closeFullPage).not.toHaveBeenCalled();
     expect(closePanel).not.toHaveBeenCalled();
     expect(loadContainers).toHaveBeenCalledTimes(1);
+    expect(mocks.toastSuccess).toHaveBeenCalledWith('Deleted: web');
   });
 
   it('skips overlapping poll cycles when a pending-action poll is still in flight', async () => {
diff --git a/ui/tests/views/dashboard/DashboardRecentUpdatesWidget.spec.ts b/ui/tests/views/dashboard/DashboardRecentUpdatesWidget.spec.ts
new file mode 100644
index 000000000..7ee446d5c
--- /dev/null
+++ b/ui/tests/views/dashboard/DashboardRecentUpdatesWidget.spec.ts
@@ -0,0 +1,134 @@
+import type { VueWrapper } from '@vue/test-utils';
+import { defineComponent, nextTick } from 'vue';
+import DashboardRecentUpdatesWidget from '@/views/dashboard/components/DashboardRecentUpdatesWidget.vue';
+import type { RecentUpdateRow } from '@/views/dashboard/dashboardTypes';
+import { mountWithPlugins } from '../../helpers/mount';
+
+let resizeObserverCallback: ResizeObserverCallback | undefined;
+const originalResizeObserver = globalThis.ResizeObserver;
+const mountedWrappers: VueWrapper[] = [];
+
+class ResizeObserverTestMock {
+  constructor(callback: ResizeObserverCallback) {
+    resizeObserverCallback = callback;
+  }
+
+  observe() {
+    // No-op for tests.
+  }
+
+  unobserve() {
+    // No-op for tests.
+  }
+
+  disconnect() {
+    // No-op for tests.
+  }
+}
+
+function makeRecentUpdate(overrides: Partial<RecentUpdateRow> = {}): RecentUpdateRow {
+  return {
+    id: 'c1',
+    name: 'nginx',
+    image: 'nginx:1.0.0',
+    icon: 'docker',
+    oldVer: '1.0.0',
+    newVer: '2.0.0',
+    status: 'pending',
+    updateKind: 'major',
+    running: true,
+    blocked: false,
+    ...overrides,
+  };
+}
+
+function triggerResize(height: number) {
+  if (!resizeObserverCallback) {
+    throw new Error('ResizeObserver callback was not registered');
+  }
+
+  resizeObserverCallback(
+    [
+      {
+        contentRect: {
+          x: 0,
+          y: 0,
+          width: 320,
+          height,
+          top: 0,
+          right: 320,
+          bottom: height,
+          left: 0,
+          toJSON: () => ({}),
+        },
+      } as ResizeObserverEntry,
+    ],
+    {} as ResizeObserver,
+  );
+}
+
+function mountWidget(
+  overrides: Partial<InstanceType<typeof DashboardRecentUpdatesWidget>['$props']> = {},
+) {
+  const wrapper = mountWithPlugins(DashboardRecentUpdatesWidget, {
+    props: {
+      dashboardUpdateAllInProgress: false,
+      dashboardUpdateError: null,
+      dashboardUpdateInProgress: null,
+      editMode: false,
+      getUpdateKindColor: vi.fn(() => 'var(--dd-warning)'),
+      getUpdateKindIcon: vi.fn(() => 'updates'),
+      getUpdateKindMutedColor: vi.fn(() => 'var(--dd-warning-muted)'),
+      pendingUpdatesCount: 1,
+      recentUpdates: [makeRecentUpdate()],
+      ...overrides,
+    },
+    global: {
+      stubs: {
+        DataTable: defineComponent({
+          template: '<div data-test="data-table-stub" />',
+        }),
+      },
+    },
+  });
+  mountedWrappers.push(wrapper);
+  return wrapper;
+}
+
+describe('DashboardRecentUpdatesWidget', () => {
+  beforeEach(() => {
+    resizeObserverCallback = undefined;
+    Object.defineProperty(globalThis, 'ResizeObserver', {
+      value: ResizeObserverTestMock,
+      configurable: true,
+      writable: true,
+    });
+  });
+
+  afterEach(() => {
+    for (const wrapper of mountedWrappers.splice(0)) {
+      wrapper.unmount();
+    }
+    Object.defineProperty(globalThis, 'ResizeObserver', {
+      value: originalResizeObserver,
+      configurable: true,
+      writable: true,
+    });
+  });
+
+  it('shows the compact edit-mode layout when resized below 200px', async () => {
+    const wrapper = mountWidget({
+      editMode: true,
+      pendingUpdatesCount: 2,
+    });
+
+    triggerResize(180);
+    await nextTick();
+
+    expect(wrapper.find('h2').exists()).toBe(false);
+    expect(wrapper.find('[data-test="dashboard-update-all-btn"]').exists()).toBe(false);
+    expect(wrapper.text()).toContain('2 updates available');
+    expect(wrapper.find('.drag-handle').exists()).toBe(true);
+    expect(wrapper.find('.app-icon-stub[data-icon="ph:dots-six"]').exists()).toBe(true);
+  });
+});
diff --git a/ui/tests/views/dashboard/dashboardWidgetLayout.spec.ts b/ui/tests/views/dashboard/dashboardWidgetLayout.spec.ts
new file mode 100644
index 000000000..4fd1bd8b4
--- /dev/null
+++ b/ui/tests/views/dashboard/dashboardWidgetLayout.spec.ts
@@ -0,0 +1,136 @@
+import { describe, expect, test } from 'vitest';
+import { DASHBOARD_WIDGET_IDS } from '@/views/dashboard/dashboardTypes';
+import {
+  applyConstraints,
+  createDefaultLayout,
+  GRID_BREAKPOINTS,
+  GRID_COLS,
+  WIDGET_CONSTRAINTS,
+} from '@/views/dashboard/dashboardWidgetLayout';
+
+describe('dashboardWidgetLayout', () => {
+  describe('createDefaultLayout', () => {
+    const layout = createDefaultLayout();
+
+    test('includes every widget exactly once', () => {
+      const ids = layout.map((item) => item.i).sort();
+      const expected = [...DASHBOARD_WIDGET_IDS].sort();
+      expect(ids).toEqual(expected);
+    });
+
+    test('stat cards fill the first row as 4 equal columns', () => {
+      const statCards = layout.filter((item) => item.i.startsWith('stat-'));
+      expect(statCards).toHaveLength(4);
+      for (const card of statCards) {
+        expect(card.y).toBe(0);
+        expect(card.w).toBe(3);
+        expect(card.h).toBe(3);
+      }
+      const xPositions = statCards.map((c) => c.x).sort((a, b) => a - b);
+      expect(xPositions).toEqual([0, 3, 6, 9]);
+    });
+
+    test('resource-usage and security-overview have equal height', () => {
+      const resource = layout.find((item) => item.i === 'resource-usage');
+      const security = layout.find((item) => item.i === 'security-overview');
+      expect(resource?.h).toBe(security?.h);
+    });
+
+    test('host-status and update-breakdown stack in the right column', () => {
+      const host = layout.find((item) => item.i === 'host-status');
+      const breakdown = layout.find((item) => item.i === 'update-breakdown');
+      expect(host?.x).toBe(8);
+      expect(breakdown?.x).toBe(8);
+      expect(host?.w).toBe(4);
+      expect(breakdown?.w).toBe(4);
+    });
+
+    test('recent-updates spans full width at the bottom', () => {
+      const updates = layout.find((item) => item.i === 'recent-updates');
+      expect(updates?.x).toBe(0);
+      expect(updates?.w).toBe(12);
+      const maxY = Math.max(
+        ...layout.filter((i) => i.i !== 'recent-updates').map((i) => i.y + i.h),
+      );
+      expect(updates?.y).toBeGreaterThanOrEqual(maxY);
+    });
+
+    test('all items have constraints applied', () => {
+      for (const item of layout) {
+        const c = WIDGET_CONSTRAINTS[item.i];
+        expect(item.w).toBeGreaterThanOrEqual(c.minW);
+        expect(item.w).toBeLessThanOrEqual(c.maxW);
+        expect(item.h).toBeGreaterThanOrEqual(c.minH);
+        expect(item.h).toBeLessThanOrEqual(c.maxH);
+        expect(item.minW).toBe(c.minW);
+        expect(item.minH).toBe(c.minH);
+        expect(item.maxW).toBe(c.maxW);
+        expect(item.maxH).toBe(c.maxH);
+      }
+    });
+
+    test('no items overlap', () => {
+      for (let i = 0; i < layout.length; i++) {
+        for (let j = i + 1; j < layout.length; j++) {
+          const a = layout[i];
+          const b = layout[j];
+          const overlapsX = a.x < b.x + b.w && a.x + a.w > b.x;
+          const overlapsY = a.y < b.y + b.h && a.y + a.h > b.y;
+          expect(overlapsX && overlapsY, `${a.i} overlaps ${b.i}`).toBe(false);
+        }
+      }
+    });
+  });
+
+  describe('responsive grid constants', () => {
+    test('GRID_BREAKPOINTS and GRID_COLS have matching keys', () => {
+      const bpKeys = Object.keys(GRID_BREAKPOINTS).sort();
+      const colKeys = Object.keys(GRID_COLS).sort();
+      expect(bpKeys).toEqual(colKeys);
+      for (const key of bpKeys) {
+        expect(typeof GRID_BREAKPOINTS[key]).toBe('number');
+        expect(typeof GRID_COLS[key]).toBe('number');
+        expect(GRID_COLS[key]).toBeGreaterThanOrEqual(1);
+      }
+    });
+
+    test('breakpoints are ordered ascending', () => {
+      const entries = Object.entries(GRID_BREAKPOINTS).sort(([, a], [, b]) => a - b);
+      for (let i = 1; i < entries.length; i++) {
+        expect(entries[i][1]).toBeGreaterThan(entries[i - 1][1]);
+      }
+    });
+
+    test('smallest breakpoint uses 1 column for stacking', () => {
+      const smallest = Object.entries(GRID_BREAKPOINTS).sort(([, a], [, b]) => a - b)[0][0];
+      expect(GRID_COLS[smallest]).toBe(1);
+    });
+
+    test('desktop breakpoint (lg) uses 12 columns matching colNum', () => {
+      expect(GRID_COLS.lg).toBe(12);
+    });
+
+    test('column counts increase with breakpoint size', () => {
+      const entries = Object.entries(GRID_BREAKPOINTS).sort(([, a], [, b]) => a - b);
+      for (let i = 1; i < entries.length; i++) {
+        expect(GRID_COLS[entries[i][0]]).toBeGreaterThanOrEqual(GRID_COLS[entries[i - 1][0]]);
+      }
+    });
+  });
+
+  describe('applyConstraints', () => {
+    test('clamps oversized items to max', () => {
+      const result = applyConstraints([{ i: 'stat-containers', x: 0, y: 0, w: 20, h: 20 }]);
+      const c = WIDGET_CONSTRAINTS['stat-containers'];
+      expect(result[0].w).toBe(c.maxW);
+      expect(result[0].h).toBe(c.maxH);
+    });
+
+    test('clamps undersized items to min', () => {
+      const result = applyConstraints([{ i: 'resource-usage', x: 0, y: 0, w: 1, h: 1 }]);
+      const c = WIDGET_CONSTRAINTS['resource-usage'];
+      expect(result[0].w).toBe(c.minW);
+      expect(result[0].h).toBe(c.minH);
+    });
+  });
+});
diff --git a/ui/tests/views/dashboard/useDashboardComputed.spec.ts b/ui/tests/views/dashboard/useDashboardComputed.spec.ts
index 554a47400..7ed22d1e8 100644
--- a/ui/tests/views/dashboard/useDashboardComputed.spec.ts
+++ b/ui/tests/views/dashboard/useDashboardComputed.spec.ts
@@ -8,6 +8,12 @@ import type {
   RecentAuditStatus,
 } from '@/views/dashboard/dashboardTypes';
 import { useDashboardComputed } from '@/views/dashboard/useDashboardComputed';
+import { getWatcherConfiguration } from '@/views/dashboard/watcherConfiguration';
+
+vi.mock('@/views/dashboard/watcherConfiguration', async (importOriginal) => {
+  const original = await importOriginal<typeof import('@/views/dashboard/watcherConfiguration')>();
+  return { getWatcherConfiguration: vi.fn(original.getWatcherConfiguration) };
+});
 
 function makeContainer(
   id: number,
@@ -599,10 +605,231 @@ describe('useDashboardComputed maintenance countdown', () => {
 
     expect(state.maintenanceCountdownLabel.value).toBe('45m');
   });
+
+  it('exposes nextMaintenanceWindowByWatcher keyed by watcher name', () => {
+    const now = Date.parse('2026-03-01T00:00:00.000Z');
+    const thirtyMin = new Date(now + 30 * 60_000).toISOString();
+    const sixtyMin = new Date(now + 60 * 60_000).toISOString();
+    const watchers = [
+      {
+        name: 'docker-a',
+        configuration: {
+          maintenanceWindow: 'Sun 02:00-03:00 UTC',
+          maintenanceNextWindow: thirtyMin,
+        },
+      },
+      {
+        name: 'docker-b',
+        configuration: {
+          maintenanceWindow: 'Mon 04:00-05:00 UTC',
+          maintenanceNextWindow: sixtyMin,
+        },
+      },
+      {
+        name: 'no-window',
+        configuration: {},
+      },
+    ];
+    const state = createState({ watchers, maintenanceCountdownNow: now });
+    const map = state.nextMaintenanceWindowByWatcher.value;
+
+    expect(map.size).toBe(2);
+    expect(map.get('docker-a')).toBe(Date.parse(thirtyMin));
+    expect(map.get('docker-b')).toBe(Date.parse(sixtyMin));
+    expect(map.has('no-window')).toBe(false);
+  });
+
+  it('falls back to local for unnamed watchers in nextMaintenanceWindowByWatcher', () => {
+    const now = Date.parse('2026-03-01T00:00:00.000Z');
+    const ts = new Date(now + 10 * 60_000).toISOString();
+    const watchers = [
+      {
+        configuration: {
+          maintenanceWindow: 'Sun 02:00-03:00 UTC',
+          maintenanceNextWindow: ts,
+        },
+      },
+    ];
+    const state = createState({ watchers, maintenanceCountdownNow: now });
+    const map = state.nextMaintenanceWindowByWatcher.value;
+
+    expect(map.get('local')).toBe(Date.parse(ts));
+  });
+
+  it('omits watchers with invalid timestamps from nextMaintenanceWindowByWatcher', () => {
+    const watchers = [
+      {
+        name: 'bad-ts',
+        configuration: {
+          maintenanceWindow: 'Sun 02:00-03:00 UTC',
+          maintenanceNextWindow: 'not-a-date',
+        },
+      },
+    ];
+    const state = createState({ watchers });
+    const map = state.nextMaintenanceWindowByWatcher.value;
+
+    expect(map.size).toBe(0);
+  });
+
+  it('falls back to local key when watcher name is an empty string', () => {
+    const now = Date.parse('2026-03-01T00:00:00.000Z');
+    const ts = new Date(now + 20 * 60_000).toISOString();
+    const watchers = [
+      {
+        name: '',
+        configuration: {
+          maintenanceWindow: 'Sun 02:00-03:00 UTC',
+          maintenanceNextWindow: ts,
+        },
+      },
+    ];
+    const state = createState({ watchers, maintenanceCountdownNow: now });
+    const map = state.nextMaintenanceWindowByWatcher.value;
+
+    expect(map.get('local')).toBe(Date.parse(ts));
+  });
+
+  it('defaults watcher name to local when a non-object entry leaks into the filtered list', () => {
+    const now = Date.parse('2026-03-01T00:00:00.000Z');
+    const ts = new Date(now + 25 * 60_000).toISOString();
+    const watchers = [
+      {
+        name: 'docker-a',
+        configuration: {
+          maintenanceWindow: 'Sun 02:00-03:00 UTC',
+          maintenanceNextWindow: ts,
+        },
+      },
+    ];
+    const state = createState({ watchers, maintenanceCountdownNow: now });
+
+    // Force the filtered maintenance-window watcher list to be computed and cached.
+    const cached = state.maintenanceWindowWatchers.value;
+
+    // Inject a non-object entry into the cached array to exercise the defensive
+    // guard in getWatcherName (line 283 else-branch).
+    cached.push(null as unknown as never);
+
+    // Access nextMaintenanceWindowByWatcher for the first time so Vue computes
+    // it using the (now mutated) cached maintenanceWindowWatchers array.
+    const map = state.nextMaintenanceWindowByWatcher.value;
+
+    // The valid watcher should still appear; the null entry is safely ignored
+    // because parseMaintenanceWindowAt returns undefined for non-objects.
+    expect(map.get('docker-a')).toBe(Date.parse(ts));
+    expect(map.has('local')).toBe(false);
+  });
+
+  it('falls back to local when getWatcherName receives a non-object watcher with a parseable timestamp', () => {
+    const now = Date.parse('2026-03-01T00:00:00.000Z');
+    const ts = new Date(now + 40 * 60_000).toISOString();
+    const nonObjectWatcher = 42;
+    const watchers = [
+      {
+        name: 'docker-a',
+        configuration: {
+          maintenanceWindow: 'Sun 02:00-03:00 UTC',
+          maintenanceNextWindow: ts,
+        },
+      },
+    ];
+    const state = createState({ watchers, maintenanceCountdownNow: now });
+
+    // Cache the maintenanceWindowWatchers computed, then inject a non-object
+    // entry that has getWatcherConfiguration mocked to return a valid timestamp.
+    const cached = state.maintenanceWindowWatchers.value;
+    cached.push(nonObjectWatcher as unknown as never);
+
+    // Make getWatcherConfiguration return a configuration with a parseable
+    // timestamp for the non-object entry so getWatcherName is actually reached.
+    const mockedGetConfig = vi.mocked(getWatcherConfiguration);
+    const originalImpl = mockedGetConfig.getMockImplementation()!;
+    mockedGetConfig.mockImplementation((w: unknown) => {
+      if (w === nonObjectWatcher) {
+        return { maintenanceNextWindow: ts } as ReturnType<typeof getWatcherConfiguration>;
+      }
+      return originalImpl(w);
+    });
+
+    const map = state.nextMaintenanceWindowByWatcher.value;
+
+    expect(map.get('docker-a')).toBe(Date.parse(ts));
+    // The non-object watcher falls back to 'local' in getWatcherName.
+    expect(map.get('local')).toBe(Date.parse(ts));
+
+    mockedGetConfig.mockImplementation(originalImpl);
+  });
+
+  it('picks the earliest next window across multiple watchers for the countdown', () => {
+    const now = Date.parse('2026-03-01T00:00:00.000Z');
+    const earlyTs = new Date(now + 15 * 60_000).toISOString();
+    const lateTs = new Date(now + 90 * 60_000).toISOString();
+    const watchers = [
+      {
+        name: 'watcher-early',
+        configuration: {
+          maintenanceWindow: 'Sun 02:00-03:00 UTC',
+          maintenanceNextWindow: earlyTs,
+        },
+      },
+      {
+        name: 'watcher-late',
+        configuration: {
+          maintenanceWindow: 'Mon 04:00-05:00 UTC',
+          maintenanceNextWindow: lateTs,
+        },
+      },
+    ];
+    const state = createState({ watchers, maintenanceCountdownNow: now });
+
+    expect(state.maintenanceCountdownLabel.value).toBe('15m');
+    expect(state.nextMaintenanceWindowByWatcher.value.size).toBe(2);
+  });
+
+  it('skips non-minimum timestamps in the min-reduction loop when finding next window', () => {
+    const now = Date.parse('2026-03-01T00:00:00.000Z');
+    const earliest = new Date(now + 10 * 60_000).toISOString();
+    const middle = new Date(now + 30 * 60_000).toISOString();
+    const latest = new Date(now + 60 * 60_000).toISOString();
+    const watchers = [
+      {
+        name: 'watcher-first',
+        configuration: {
+          maintenanceWindow: 'Sun 02:00-03:00 UTC',
+          maintenanceNextWindow: earliest,
+        },
+      },
+      {
+        name: 'watcher-second',
+        configuration: {
+          maintenanceWindow: 'Mon 04:00-05:00 UTC',
+          maintenanceNextWindow: middle,
+        },
+      },
+      {
+        name: 'watcher-third',
+        configuration: {
+          maintenanceWindow: 'Tue 06:00-07:00 UTC',
+          maintenanceNextWindow: latest,
+        },
+      },
+    ];
+    const state = createState({ watchers, maintenanceCountdownNow: now });
+
+    // The earliest timestamp should be selected as the countdown target.
+    // The second and third entries exercise the ts < min false branch.
+    expect(state.maintenanceCountdownLabel.value).toBe('10m');
+    const map = state.nextMaintenanceWindowByWatcher.value;
+    expect(map.size).toBe(3);
+    expect(map.get('watcher-first')).toBe(Date.parse(earliest));
+    expect(map.get('watcher-second')).toBe(Date.parse(middle));
+    expect(map.get('watcher-third')).toBe(Date.parse(latest));
+  });
 });
 
 describe('useDashboardComputed recent updates', () => {
-  it('prioritizes registry errors, sorts pending updates, and enforces the six-row limit', () => {
+  it('excludes registry errors and sorts pending updates by date with six-row limit', () => {
     const state = createState({
       containers: [
         makeBaseContainer({
@@ -672,21 +899,19 @@ describe('useDashboardComputed recent updates', () => {
     const rows = state.recentUpdates.value;
     const rowByName = new Map(rows.map((row) => [row.name, row]));
 
+    // Registry error containers should NOT appear (#186)
+    expect(rowByName.has('registry-error')).toBe(false);
+    expect(rowByName.has('ignore-me')).toBe(false);
+
     expect(rows).toHaveLength(6);
     expect(rows.map((row) => row.name)).toEqual([
-      'registry-error',
       'bravo',
       'alpha',
       'charlie',
       'skip-me',
       'snooze-me',
+      'no-date',
     ]);
-    expect(rowByName.get('registry-error')).toMatchObject({
-      status: 'error',
-      newVer: 'check failed',
-      registryError: 'registry auth failed',
-      running: false,
-    });
     expect(rowByName.get('bravo')).toMatchObject({ status: 'pending' });
     expect(rowByName.get('alpha')).toMatchObject({
       status: 'updated',
@@ -702,11 +927,9 @@ describe('useDashboardComputed recent updates', () => {
       status: 'snoozed',
       newVer: '8.8.8',
     });
-    expect(rowByName.has('no-date')).toBe(false);
-    expect(rowByName.has('ignore-me')).toBe(false);
   });
 
-  it('returns only registry failures when they already fill the recent update limit', () => {
+  it('returns empty list when only registry failures exist', () => {
     const containers = Array.from({ length: 8 }, (_, index) =>
       makeBaseContainer({
         id: `registry-failure-${index}`,
@@ -719,39 +942,22 @@ describe('useDashboardComputed recent updates', () => {
     const state = createState({ containers });
     const rows = state.recentUpdates.value;
 
-    expect(rows).toHaveLength(6);
-    expect(rows.every((row) => row.status === 'error')).toBe(true);
-    expect(rows.map((row) => row.name)).toEqual([
-      'registry-failure-0',
-      'registry-failure-1',
-      'registry-failure-2',
-      'registry-failure-3',
-      'registry-failure-4',
-      'registry-failure-5',
-    ]);
+    // Registry failures should not appear in Updates Available (#186)
+    expect(rows).toHaveLength(0);
   });
 
-  it('selects top rows without repeatedly reading updateDetectedAt during sort', () => {
-    const counters = { detectedAtReads: 0 };
+  it('returns only the six most recent pending updates after sorting', () => {
     const containers = Array.from({ length: 300 }, (_, index) => {
-      const container = makeBaseContainer({
-        id: `u-${index}`,
-        name: `update-${String(index).padStart(3, '0')}`,
-        newTag: `2.${index}.0`,
-      });
-
-      Object.defineProperty(container, 'updateDetectedAt', {
-        configurable: true,
-        enumerable: true,
-        get() {
-          counters.detectedAtReads += 1;
-          const day = String((index % 28) + 1).padStart(2, '0');
-          const hour = String(index % 24).padStart(2, '0');
-          return `2026-03-${day}T${hour}:00:00.000Z`;
-        },
-      });
-
-      return container;
+      const day = String((index % 28) + 1).padStart(2, '0');
+      const hour = String(index % 24).padStart(2, '0');
+      return {
+        ...makeBaseContainer({
+          id: `u-${index}`,
+          name: `update-${String(index).padStart(3, '0')}`,
+          newTag: `2.${index}.0`,
+        }),
+        updateDetectedAt: `2026-03-${day}T${hour}:00:00.000Z`,
+      };
     });
 
     const state = createState({ containers });
@@ -759,7 +965,14 @@ describe('useDashboardComputed recent updates', () => {
     const rows = state.recentUpdates.value;
 
     expect(rows).toHaveLength(6);
-    expect(counters.detectedAtReads).toBeLessThanOrEqual(containers.length * 3);
+    expect(rows.map((row) => row.name)).toEqual([
+      'update-167',
+      'update-139',
+      'update-111',
+      'update-279',
+      'update-083',
+      'update-251',
+    ]);
   });
 
   it('falls back to suppressed update defaults when tags or timestamps are invalid', () => {
diff --git a/ui/tests/views/dashboard/useDashboardData.helpers.spec.ts b/ui/tests/views/dashboard/useDashboardData.helpers.spec.ts
index 5edc61261..a3faa639c 100644
--- a/ui/tests/views/dashboard/useDashboardData.helpers.spec.ts
+++ b/ui/tests/views/dashboard/useDashboardData.helpers.spec.ts
@@ -25,4 +25,39 @@ describe('createRealtimeRefreshScheduler', () => {
 
     scheduler.dispose();
   });
+
+  it('runs a summary refresh when no full refresh supersedes it', () => {
+    vi.useFakeTimers();
+    const refreshSummary = vi.fn();
+    const refreshFull = vi.fn();
+    const scheduler = createRealtimeRefreshScheduler({
+      debounceMs: 1_000,
+      refreshSummary,
+      refreshFull,
+    });
+
+    scheduler.schedule('summary');
+
+    vi.advanceTimersByTime(1_000);
+    expect(refreshSummary).toHaveBeenCalledTimes(1);
+    expect(refreshFull).not.toHaveBeenCalled();
+
+    scheduler.dispose();
+  });
+
+  it('ignores summary refreshes when no summary handler is configured', () => {
+    vi.useFakeTimers();
+    const refreshFull = vi.fn();
+    const scheduler = createRealtimeRefreshScheduler({
+      debounceMs: 1_000,
+      refreshFull,
+    });
+
+    scheduler.schedule('summary');
+
+    expect(() => vi.advanceTimersByTime(1_000)).not.toThrow();
+    expect(refreshFull).not.toHaveBeenCalled();
+
+    scheduler.dispose();
+  });
 });
diff --git a/ui/tests/views/dashboard/useDashboardData.spec.ts b/ui/tests/views/dashboard/useDashboardData.spec.ts
index 7ee2c0499..6fba607f4 100644
--- a/ui/tests/views/dashboard/useDashboardData.spec.ts
+++ b/ui/tests/views/dashboard/useDashboardData.spec.ts
@@ -6,6 +6,7 @@ import { useDashboardData } from '@/views/dashboard/useDashboardData';
 const mocks = vi.hoisted(() => ({
   getAgents: vi.fn(),
   getAllContainers: vi.fn(),
+  getAllContainerStats: vi.fn(),
   getContainerRecentStatus: vi.fn(),
   getContainerSummary: vi.fn(),
   getAllRegistries: vi.fn(),
@@ -24,6 +25,10 @@ vi.mock('@/services/container', () => ({
   getContainerSummary: mocks.getContainerSummary,
 }));
 
+vi.mock('@/services/stats', () => ({
+  getAllContainerStats: mocks.getAllContainerStats,
+}));
+
 vi.mock('@/services/registry', () => ({
   getAllRegistries: mocks.getAllRegistries,
 }));
@@ -97,6 +102,7 @@ describe('useDashboardData', () => {
     vi.resetAllMocks();
 
     mocks.getAllContainers.mockResolvedValue([{ id: 'api-c1' }]);
+    mocks.getAllContainerStats.mockResolvedValue([]);
     mocks.getServer.mockResolvedValue({ configuration: { webhook: { enabled: true } } });
     mocks.getAgents.mockResolvedValue([{ name: 'agent-1', connected: true }]);
     mocks.getAllWatchers.mockResolvedValue([]);
@@ -150,6 +156,7 @@ describe('useDashboardData', () => {
     expect(state.loading.value).toBe(false);
     expect(state.error.value).toBeNull();
     expect(state.containers.value).toEqual([makeContainer()]);
+    expect(state.containerStats.value).toEqual([]);
     expect(state.serverInfo.value).toEqual({ configuration: { webhook: { enabled: true } } });
     expect(state.agents.value).toEqual([{ name: 'agent-1', connected: true }]);
     expect(state.watchers.value).toHaveLength(4);
@@ -190,56 +197,32 @@ describe('useDashboardData', () => {
     expect(state.recentStatusByContainer.value).toEqual({});
   });
 
-  it('normalizes malformed summary payload values during debounced summary refresh', async () => {
+  it('performs full data refresh on debounced container-changed SSE event', async () => {
     vi.useFakeTimers();
     const setIntervalSpy = vi.spyOn(window, 'setInterval');
     mocks.getAllWatchers.mockResolvedValue([{ id: 'watcher-without-config' }]);
 
     const { state } = await mountDashboardData();
-    mocks.getContainerSummary.mockResolvedValueOnce({
-      containers: {
-        total: -5,
-        running: Number.POSITIVE_INFINITY,
-        stopped: 'invalid',
-      },
-      security: {
-        issues: -1,
-      },
-    });
+
+    // Reset call counts from initial mount fetch
+    mocks.getAllContainers.mockClear();
 
     globalThis.dispatchEvent(new CustomEvent('dd:sse-container-changed'));
     vi.advanceTimersByTime(1_000);
     await flushPromises();
 
-    expect(mocks.getContainerSummary).toHaveBeenCalledTimes(1);
-    expect(state.containerSummary.value).toEqual({
-      containers: { total: 0, running: 0, stopped: 0 },
-      security: { issues: 0 },
-    });
+    expect(mocks.getAllContainers).toHaveBeenCalledTimes(1);
+    expect(state.error.value).toBeNull();
     expect(setIntervalSpy).not.toHaveBeenCalled();
 
-    mocks.getContainerSummary.mockResolvedValueOnce({
-      containers: 'invalid',
-      security: 'invalid',
-    });
+    // Debounce collapses rapid events into a single refresh
+    mocks.getAllContainers.mockClear();
     globalThis.dispatchEvent(new CustomEvent('dd:sse-container-changed'));
-    vi.advanceTimersByTime(1_000);
-    await flushPromises();
-
-    expect(state.containerSummary.value).toEqual({
-      containers: { total: 0, running: 0, stopped: 0 },
-      security: { issues: 0 },
-    });
-
-    mocks.getContainerSummary.mockResolvedValueOnce({});
     globalThis.dispatchEvent(new CustomEvent('dd:sse-container-changed'));
     vi.advanceTimersByTime(1_000);
     await flushPromises();
 
-    expect(state.containerSummary.value).toEqual({
-      containers: { total: 0, running: 0, stopped: 0 },
-      security: { issues: 0 },
-    });
+    expect(mocks.getAllContainers).toHaveBeenCalledTimes(1);
   });
 
   it('sets error for a failed foreground fetch and clears loading', async () => {
@@ -282,19 +265,18 @@ describe('useDashboardData', () => {
     wrapper.unmount();
   });
 
-  it('logs summary refresh failures when data has already rendered', async () => {
+  it('logs full refresh failures when data has already rendered via container-changed SSE', async () => {
     vi.useFakeTimers();
     const debugSpy = vi.spyOn(console, 'debug').mockImplementation(() => {});
 
     await mountDashboardData();
-    mocks.getContainerSummary.mockRejectedValueOnce(new Error('summary refresh failed'));
+    mocks.getAllContainers.mockRejectedValueOnce(new Error('background refresh failed'));
 
     globalThis.dispatchEvent(new CustomEvent('dd:sse-container-changed'));
     vi.advanceTimersByTime(1_000);
     await flushPromises();
 
-    expect(mocks.getContainerSummary).toHaveBeenCalledTimes(1);
-    expect(debugSpy).toHaveBeenCalledWith('summary refresh failed');
+    expect(debugSpy).toHaveBeenCalledWith(expect.stringContaining('background refresh failed'));
   });
 
   it('surfaces background errors when no data has rendered yet', async () => {
@@ -327,19 +309,17 @@ describe('useDashboardData', () => {
     warnSpy.mockRestore();
   });
 
-  it('surfaces summary refresh errors when no dashboard data has rendered yet', async () => {
+  it('surfaces full refresh errors when no dashboard data has rendered yet', async () => {
     vi.useFakeTimers();
     mocks.getAllContainers.mockRejectedValue(new Error('initial load failed'));
 
     const { state } = await mountDashboardData();
-    mocks.getContainerSummary.mockRejectedValueOnce(new Error('summary bootstrap failed'));
 
     globalThis.dispatchEvent(new CustomEvent('dd:sse-container-changed'));
     vi.advanceTimersByTime(1_000);
     await flushPromises();
 
-    expect(mocks.getContainerSummary).toHaveBeenCalledTimes(1);
-    expect(state.error.value).toBe('summary bootstrap failed');
+    expect(state.error.value).toBe('initial load failed');
   });
 
   it('pauses timer while hidden, resumes when visible, and clears pending realtime timer on unmount', async () => {
diff --git a/ui/tests/views/dashboard/useDashboardWidgetOrder.spec.ts b/ui/tests/views/dashboard/useDashboardWidgetOrder.spec.ts
index 70d8abc68..e6cca92ed 100644
--- a/ui/tests/views/dashboard/useDashboardWidgetOrder.spec.ts
+++ b/ui/tests/views/dashboard/useDashboardWidgetOrder.spec.ts
@@ -1,8 +1,9 @@
 import { mount } from '@vue/test-utils';
 import { defineComponent, h, nextTick } from 'vue';
 import { preferences } from '@/preferences/store';
-import { DASHBOARD_WIDGET_IDS } from '@/views/dashboard/dashboardTypes';
-import { useDashboardWidgetOrder } from '@/views/dashboard/useDashboardWidgetOrder';
+import { DASHBOARD_WIDGET_IDS, type DashboardWidgetId } from '@/views/dashboard/dashboardTypes';
+import { applyConstraints } from '@/views/dashboard/dashboardWidgetLayout';
+import { moveWidget, useDashboardWidgetOrder } from '@/views/dashboard/useDashboardWidgetOrder';
 
 async function mountWidgetOrderComposable() {
   let state: ReturnType<typeof useDashboardWidgetOrder> | undefined;
@@ -27,6 +28,7 @@ describe('useDashboardWidgetOrder', () => {
   beforeEach(() => {
     localStorage.clear();
     preferences.dashboard.widgetOrder = [...DASHBOARD_WIDGET_IDS];
+    preferences.dashboard.gridLayout = [];
   });
 
   it('hydrates from preferences and falls back to defaults for non-array values', async () => {
@@ -54,6 +56,71 @@ describe('useDashboardWidgetOrder', () => {
     ]);
   });
 
+  it('sanitizes invalid hidden widget values', async () => {
+    preferences.dashboard.hiddenWidgets = 'invalid-hidden' as unknown as string[];
+
+    const { state } = await mountWidgetOrderComposable();
+
+    expect(state.hiddenWidgets.value).toEqual([]);
+  });
+
+  it('falls back to default layout when gridLayout is not an array', async () => {
+    preferences.dashboard.gridLayout = 'not-an-array' as unknown as unknown[];
+
+    const { state } = await mountWidgetOrderComposable();
+
+    expect(state.layout.value).toHaveLength(DASHBOARD_WIDGET_IDS.length);
+    expect(state.layout.value.map((item) => item.i)).toEqual(DASHBOARD_WIDGET_IDS);
+  });
+
+  it('hydrates persisted grid layouts and skips invalid entries', async () => {
+    preferences.dashboard.gridLayout = [
+      { i: 'host-status', x: 10, y: 11, w: 4, h: 6 },
+      null,
+      'not-a-layout-item',
+      { i: 'recent-updates', x: 1, y: 2, w: 6, h: 5 },
+    ];
+
+    const { state } = await mountWidgetOrderComposable();
+
+    expect(state.layout.value).toHaveLength(DASHBOARD_WIDGET_IDS.length);
+    expect(state.layout.value.map((item) => item.i)).toEqual(DASHBOARD_WIDGET_IDS);
+    expect(state.layout.value.find((item) => item.i === 'host-status')).toMatchObject({
+      x: 10,
+      y: 11,
+      w: 4,
+      h: 6,
+    });
+    expect(state.layout.value.find((item) => item.i === 'recent-updates')).toMatchObject({
+      x: 1,
+      y: 2,
+      w: 6,
+      h: 5,
+    });
+  });
+
+  it('falls back to the default layout when every persisted widget lands in column zero', async () => {
+    preferences.dashboard.gridLayout = DASHBOARD_WIDGET_IDS.map((id, index) => ({
+      i: id,
+      x: 0,
+      y: index,
+      w: 1,
+      h: 1,
+    }));
+
+    const { state } = await mountWidgetOrderComposable();
+
+    expect(state.layout.value).toEqual(
+      applyConstraints(
+        DASHBOARD_WIDGET_IDS.map((id) => {
+          const item = state.layout.value.find((layoutItem) => layoutItem.i === id);
+          return { ...item! };
+        }),
+      ),
+    );
+    expect(state.layout.value.some((item) => item.x !== 0)).toBe(true);
+  });
+
   it('returns explicit style ordering and uses canonical fallback index for missing ids', async () => {
     const { state } = await mountWidgetOrderComposable();
     state.widgetOrder.value = DASHBOARD_WIDGET_IDS.filter((id) => id !== 'host-status');
@@ -100,6 +167,7 @@ describe('useDashboardWidgetOrder', () => {
       'update-breakdown',
       'recent-updates',
       'security-overview',
+      'resource-usage',
       'host-status',
     ]);
     expect(state.draggedWidgetId.value).toBeNull();
@@ -121,6 +189,14 @@ describe('useDashboardWidgetOrder', () => {
     } as unknown as DragEvent);
     expect(preventDefault).not.toHaveBeenCalled();
 
+    state.onWidgetDragOver(
+      'not-a-dashboard-widget' as any,
+      {
+        preventDefault,
+      } as unknown as DragEvent,
+    );
+    expect(preventDefault).not.toHaveBeenCalled();
+
     state.onWidgetDragOver('recent-updates', {
       preventDefault,
     } as unknown as DragEvent);
@@ -136,6 +212,23 @@ describe('useDashboardWidgetOrder', () => {
     } as unknown as DragEvent);
     expect(state.widgetOrder.value).not.toContain('stat-security');
 
+    state.onWidgetDrop('stat-updates', {
+      preventDefault,
+      dataTransfer: {
+        getData: () => 'stat-updates',
+      },
+    } as unknown as DragEvent);
+
+    state.onWidgetDrop(
+      'not-a-dashboard-widget' as any,
+      {
+        preventDefault,
+        dataTransfer: {
+          getData: () => 'stat-updates',
+        },
+      } as unknown as DragEvent,
+    );
+
     state.onWidgetDrop('stat-updates', {
       preventDefault,
       dataTransfer: {
@@ -150,4 +243,131 @@ describe('useDashboardWidgetOrder', () => {
     state.resetWidgetOrder();
     expect(state.widgetOrder.value).toEqual(DASHBOARD_WIDGET_IDS);
   });
+
+  it('keeps layout, visibility, edit mode, and reset state in sync', async () => {
+    const { state } = await mountWidgetOrderComposable();
+
+    expect(state.isWidgetVisible('host-status')).toBe(true);
+    state.toggleWidgetVisibility('host-status');
+    await nextTick();
+    expect(state.hiddenWidgets.value).toContain('host-status');
+    expect(state.isWidgetVisible('host-status')).toBe(false);
+    expect(preferences.dashboard.hiddenWidgets).toContain('host-status');
+
+    state.hiddenWidgets.value = ['host-status'];
+    state.layout.value = state.layout.value.filter((item) => item.i !== 'host-status');
+    await nextTick();
+    state.toggleWidgetVisibility('host-status');
+    await nextTick();
+    expect(state.isWidgetVisible('host-status')).toBe(true);
+    expect(state.layout.value.some((item) => item.i === 'host-status')).toBe(true);
+
+    state.hiddenWidgets.value = ['host-status'];
+    const layoutBeforeRestore = [...state.layout.value];
+    await nextTick();
+    state.toggleWidgetVisibility('host-status');
+    await nextTick();
+    expect(state.isWidgetVisible('host-status')).toBe(true);
+    expect(state.layout.value).toEqual(layoutBeforeRestore);
+
+    const reversed: DashboardWidgetId[] = [...DASHBOARD_WIDGET_IDS].reverse();
+    state.widgetOrder.value = [...reversed];
+    await nextTick();
+    expect(state.layout.value.map((item) => item.i)).toEqual(reversed);
+    expect(preferences.dashboard.widgetOrder).toEqual(reversed);
+
+    state.layout.value = [...state.layout.value].reverse();
+    await nextTick();
+    expect(state.widgetOrder.value).toEqual([...DASHBOARD_WIDGET_IDS]);
+
+    state.toggleEditMode();
+    expect(state.editMode.value).toBe(true);
+
+    state.resetAll();
+    await nextTick();
+    expect(state.hiddenWidgets.value).toEqual([]);
+    expect(state.widgetOrder.value).toEqual(DASHBOARD_WIDGET_IDS);
+    expect(state.editMode.value).toBe(true);
+  });
+
+  it('debounces position/size persistence when layout changes without order change', async () => {
+    vi.useFakeTimers();
+    const { state } = await mountWidgetOrderComposable();
+
+    // Mutate a position without changing order
+    const updated = state.layout.value.map((item) => ({ ...item }));
+    updated[0] = { ...updated[0], x: 99 };
+    state.layout.value = updated;
+    await nextTick();
+
+    // Before debounce fires, gridLayout should not yet be updated
+    vi.advanceTimersByTime(300);
+    expect(preferences.dashboard.gridLayout).toEqual(
+      expect.arrayContaining([expect.objectContaining({ i: updated[0].i, x: 99 })]),
+    );
+
+    vi.useRealTimers();
+  });
+
+  it('returns the original order when asked to move invalid or no-op widget pairs', () => {
+    const original = [...DASHBOARD_WIDGET_IDS];
+    expect(moveWidget(original, 'stat-containers', 'stat-containers')).toEqual(original);
+    expect(moveWidget(original, 'missing-widget' as DashboardWidgetId, 'stat-containers')).toEqual(
+      original,
+    );
+    expect(moveWidget(original, 'stat-containers', 'missing-widget' as DashboardWidgetId)).toEqual(
+      original,
+    );
+  });
+
+  it('moves widgets from an earlier slot ahead of later targets', () => {
+    const moved = moveWidget([...DASHBOARD_WIDGET_IDS], 'stat-containers', 'resource-usage');
+
+    expect(moved).toEqual([
+      'stat-updates',
+      'stat-security',
+      'stat-registries',
+      'recent-updates',
+      'security-overview',
+      'stat-containers',
+      'resource-usage',
+      'host-status',
+      'update-breakdown',
+    ]);
+  });
+
+  it('preserves custom positions when widget order changes (#223)', async () => {
+    const customLayout = DASHBOARD_WIDGET_IDS.map((id, index) => ({
+      i: id,
+      x: index * 2,
+      y: index * 3,
+      w: 4,
+      h: 5,
+    }));
+    preferences.dashboard.gridLayout = customLayout;
+
+    const { state } = await mountWidgetOrderComposable();
+
+    // Verify custom positions loaded
+    const hostBefore = state.layout.value.find((item) => item.i === 'host-status');
+    expect(hostBefore?.x).toBe(customLayout.find((l) => l.i === 'host-status')!.x);
+
+    // Reorder via drag-drop
+    const reversed: DashboardWidgetId[] = [...DASHBOARD_WIDGET_IDS].reverse();
+    state.widgetOrder.value = [...reversed];
+    await nextTick();
+
+    // Custom positions should be preserved for each widget
+    for (const id of DASHBOARD_WIDGET_IDS) {
+      const layoutItem = state.layout.value.find((item) => item.i === id);
+      const original = customLayout.find((item) => item.i === id)!;
+      expect(layoutItem?.x).toBe(original.x);
+      expect(layoutItem?.y).toBe(original.y);
+    }
+  });
+
+  it('leaves unknown layout items untouched when applying constraints', () => {
+    const item = { i: 'unknown-widget', x: 1, y: 2, w: 3, h: 4 } as never;
+    expect(applyConstraints([item])).toEqual([item]);
+  });
 });
diff --git a/ui/vite.config.ts b/ui/vite.config.ts
index 2e82862e0..589390003 100644
--- a/ui/vite.config.ts
+++ b/ui/vite.config.ts
@@ -42,31 +42,14 @@ export default defineConfig({
     outDir: 'dist',
     assetsDir: 'assets',
     sourcemap: false,
-    rollupOptions: {
+    rolldownOptions: {
       output: {
-        manualChunks(id) {
-          const normalizedId = id.replaceAll('\\', '/');
-          const nodeModulesSegment = '/node_modules/';
-          const nodeModulesIndex = normalizedId.lastIndexOf(nodeModulesSegment);
-          if (nodeModulesIndex === -1) {
-            return undefined;
-          }
-
-          const packagePath = normalizedId.slice(nodeModulesIndex + nodeModulesSegment.length);
-          const packageSegments = packagePath.split('/');
-          const packageName = packageSegments[0]?.startsWith('@')
-            ? `${packageSegments[0]}/${packageSegments[1] ?? ''}`
-            : packageSegments[0];
-
-          if (packageName === 'vue' || packageName === 'vue-router') {
-            return 'framework';
-          }
-
-          if (packageName === 'iconify-icon') {
-            return 'icons';
-          }
-
-          return 'vendor';
+        codeSplitting: {
+          groups: [
+            { name: 'framework', test: /[\\/]node_modules[\\/](vue|vue-router)[\\/]/ },
+            { name: 'icons', test: /[\\/]node_modules[\\/]iconify-icon[\\/]/ },
+            { name: 'vendor', test: /[\\/]node_modules[\\/]/ },
+          ],
         },
       },
     },
diff --git a/ui/vitest.config.ts b/ui/vitest.config.ts
index 42b8cc2f5..e3c46acb6 100644
--- a/ui/vitest.config.ts
+++ b/ui/vitest.config.ts
@@ -29,7 +29,13 @@ export default mergeConfig(
         provider: 'v8',
         reporter: ['text', 'lcov', 'html'],
         include: ['src/**/*.ts'],
-        exclude: ['**/*.stories.ts', '**/*.typecheck.ts', '**/*.d.ts', '**/node_modules/**'],
+        exclude: [
+          '**/*.stories.ts',
+          '**/*.typecheck.ts',
+          '**/*.d.ts',
+          '**/types/**',
+          '**/node_modules/**',
+        ],
         thresholds: {
           lines: 100,
           branches: 100,