refactor: use new cache store in services (#912 )

fix: don't allow tagged devices in tailscale integration
feat: use ding for ordered go routine shutdown order (#896 )
2026-06-04 02:20:15 +00:00 · 2026-05-31 18:55:06 +03:00 · 2026-05-31 12:42:00 +03:00 · 2026-05-27 12:46:28 +03:00 · 2026-05-27 12:11:17 +03:00 · 2026-05-27 11:43:43 +03:00
128 changed files with 12110 additions and 2463 deletions
@@ -7,7 +7,9 @@ TINYAUTH_APPURL=
 # database config
-# The path to the database, including file name.
+# The database driver to use. Valid values: sqlite, memory.
 TINYAUTH_DATABASE_DRIVER="sqlite"
 # The path to the SQLite database, including file name. Only used when driver is sqlite.
 TINYAUTH_DATABASE_PATH="./tinyauth.db"
 # analytics config
@@ -30,6 +32,8 @@ TINYAUTH_SERVER_PORT=3000
 TINYAUTH_SERVER_ADDRESS="0.0.0.0"
 # The path to the Unix socket.
 TINYAUTH_SERVER_SOCKETPATH=
 # Enable listening on both TCP and Unix socket at the same time.
 TINYAUTH_SERVER_CONCURRENTLISTENERSENABLED=false
 # auth config
@@ -37,8 +41,52 @@ TINYAUTH_SERVER_SOCKETPATH=
 TINYAUTH_AUTH_IP_ALLOW=
 # List of blocked IPs or CIDR ranges.
 TINYAUTH_AUTH_IP_BLOCK=
 # List of IPs or CIDR ranges that bypass authentication entirely.
 TINYAUTH_AUTH_IP_BYPASS=
 # Comma-separated list of users (username:hashed_password).
 TINYAUTH_AUTH_USERS=
 # Enable subdomains support.
 TINYAUTH_AUTH_SUBDOMAINSENABLED=true
 # Full name of the user.
 TINYAUTH_AUTH_USERATTRIBUTES_name_NAME=
 # Given (first) name of the user.
 TINYAUTH_AUTH_USERATTRIBUTES_name_GIVENNAME=
 # Family (last) name of the user.
 TINYAUTH_AUTH_USERATTRIBUTES_name_FAMILYNAME=
 # Middle name of the user.
 TINYAUTH_AUTH_USERATTRIBUTES_name_MIDDLENAME=
 # Nickname of the user.
 TINYAUTH_AUTH_USERATTRIBUTES_name_NICKNAME=
 # URL of the user's profile page.
 TINYAUTH_AUTH_USERATTRIBUTES_name_PROFILE=
 # URL of the user's profile picture.
 TINYAUTH_AUTH_USERATTRIBUTES_name_PICTURE=
 # URL of the user's website.
 TINYAUTH_AUTH_USERATTRIBUTES_name_WEBSITE=
 # Email address of the user.
 TINYAUTH_AUTH_USERATTRIBUTES_name_EMAIL=
 # Gender of the user.
 TINYAUTH_AUTH_USERATTRIBUTES_name_GENDER=
 # Birthdate of the user (YYYY-MM-DD).
 TINYAUTH_AUTH_USERATTRIBUTES_name_BIRTHDATE=
 # Time zone of the user (e.g. Europe/Athens).
 TINYAUTH_AUTH_USERATTRIBUTES_name_ZONEINFO=
 # Locale of the user (e.g. en-US).
 TINYAUTH_AUTH_USERATTRIBUTES_name_LOCALE=
 # Phone number of the user.
 TINYAUTH_AUTH_USERATTRIBUTES_name_PHONENUMBER=
 # Full mailing address, formatted for display.
 TINYAUTH_AUTH_USERATTRIBUTES_name_ADDRESS_FORMATTED=
 # Street address.
 TINYAUTH_AUTH_USERATTRIBUTES_name_ADDRESS_STREETADDRESS=
 # City or locality.
 TINYAUTH_AUTH_USERATTRIBUTES_name_ADDRESS_LOCALITY=
 # State, province, or region.
 TINYAUTH_AUTH_USERATTRIBUTES_name_ADDRESS_REGION=
 # Zip or postal code.
 TINYAUTH_AUTH_USERATTRIBUTES_name_ADDRESS_POSTALCODE=
 # Country.
 TINYAUTH_AUTH_USERATTRIBUTES_name_ADDRESS_COUNTRY=
 # Path to the users file.
 TINYAUTH_AUTH_USERSFILE=
 # Enable secure cookies.
@@ -53,6 +101,8 @@ TINYAUTH_AUTH_LOGINTIMEOUT=300
 TINYAUTH_AUTH_LOGINMAXRETRIES=3
 # Comma-separated list of trusted proxy addresses.
 TINYAUTH_AUTH_TRUSTEDPROXIES=
 # ACL policy for allow-by-default or deny-by-default, available options are allow and deny, default is allow.
 TINYAUTH_AUTH_ACLS_POLICY="allow"
 # apps config
@@ -101,6 +151,10 @@ TINYAUTH_OAUTH_PROVIDERS_name_CLIENTID=
 TINYAUTH_OAUTH_PROVIDERS_name_CLIENTSECRET=
 # Path to the file containing the OAuth client secret.
 TINYAUTH_OAUTH_PROVIDERS_name_CLIENTSECRETFILE=
 # Comma-separated list of allowed OAuth domains for this provider.
 TINYAUTH_OAUTH_PROVIDERS_name_WHITELIST=
 # Path to the OAuth whitelist file for this provider.
 TINYAUTH_OAUTH_PROVIDERS_name_WHITELISTFILE=
 # OAuth scopes.
 TINYAUTH_OAUTH_PROVIDERS_name_SCOPES=
 # OAuth redirect URL.
@@ -164,6 +218,8 @@ TINYAUTH_LDAP_AUTHCERT=
 TINYAUTH_LDAP_AUTHKEY=
 # Cache duration for LDAP group membership in seconds.
 TINYAUTH_LDAP_GROUPCACHETTL=900
 # Label provider to use for ACLs (auto, docker, kubernetes or none to disable). auto detects the environment.
 TINYAUTH_LABELPROVIDER="auto"
 # log config
@@ -183,3 +239,16 @@ TINYAUTH_LOG_STREAMS_APP_LEVEL=
 TINYAUTH_LOG_STREAMS_AUDIT_ENABLED=false
 # Log level for this stream. Use global if empty.
 TINYAUTH_LOG_STREAMS_AUDIT_LEVEL=
 # tailscale config
 # Enable Tailscale integration.
 TINYAUTH_TAILSCALE_ENABLED=false
 # Tailscale state directory.
 TINYAUTH_TAILSCALE_DIR="./tailscale_state"
 # Tailscale hostname.
 TINYAUTH_TAILSCALE_HOSTNAME=
 # Tailscale auth key.
 TINYAUTH_TAILSCALE_AUTHKEY=
 # Use ephemeral Tailscale node.
 TINYAUTH_TAILSCALE_EPHEMERAL=false
@@ -1,38 +0,0 @@
 ---
 name: Bug report
 about: Create a report to help improve Tinyauth
 title: "[BUG]"
 labels: bug
 assignees:
  - steveiliop56
 ---
 **Describe the bug**
 A clear and concise description of what the bug is.
 **To Reproduce**
 Steps to reproduce the behavior:
 1. Go to '...'
 2. Click on '....'
 3. Scroll down to '....'
 4. See error
 **Expected behavior**
 A clear and concise description of what you expected to happen.
 **Screenshots**
 If applicable, add screenshots to help explain your problem.
 **Logs**
 Please include the Tinyauth logs below, make sure to not include sensitive info.
 **Device (please complete the following information):**
 - OS: [e.g. iOS]
 - Browser [e.g. chrome, safari]
 - Tinyauth [e.g. v2.1.1]
 - Docker [e.g. 27.3.1]
 **
 **Additional context**
 Add any other context about the problem here.
@@ -0,0 +1,89 @@
 name: Bug Report
 description: Create a report to help us improve this project
 title: "[BUG]"
 labels: bug
 assignees:
  - steveiliop56
 body:
  - type: markdown
    attributes:
      value: |
        Thanks for reporting a bug! Please provide detailed information below.
  - type: textarea
    id: description
    attributes:
      label: Describe the Bug
      description: "A clear and concise description of what the bug is."
    validations:
      required: true
  - type: textarea
    id: reproduce
    attributes:
      label: How to Reproduce
      description: Steps to reproduce the behavior.
      value: |
        1. Go to '...'
        2. Click on '....'
        3. Scroll down to '....'
        4. See error
    validations:
      required: false
  - type: textarea
    id: expected
    attributes:
      label: Expected Behavior
      description: "A clear and concise description of what you expected to happen."
    validations:
      required: true
  - type: textarea
    id: context
    attributes:
      label: "Additional Context"
      description: "If applicable add screenshots to help explain your problem."
    validations:
      required: false
  - type: textarea
    id: logs
    attributes:
      label: "Logs"
      description: "Please include the Tinyauth logs, make sure to not include sensitive info."
    validations:
      required: false
  - type: input
    id: os
    attributes:
      label: Operating System
      placeholder: "e.g. iOS, Android, Windows, Linux, etc"
  - type: input
    id: browser
    attributes:
      label: Browser
      placeholder: "e.g. Chrome, Firefox, Safari, Edge, etc"
  - type: input
    id: tinyauth
    attributes:
      label: Tinyauth Version
      placeholder: "e.g. v5.0.0"
  - type: input
    id: docker
    attributes:
      label: Docker Version (if applicable)
      placeholder: "e.g. 27.3.1"
  - type: checkboxes
    id: not-llm
    attributes:
      label: Human Written Confirmation
      options:
        - label: I confirm this issue was written by me and not generated by an LLM or AI assistant.
          required: true
@@ -0,0 +1,8 @@
 blank_issues_enabled: true
 contact_links:
  - name: Tinyauth Community Support on Discord
    url: https://discord.gg/eHzVaCzRRd
    about: Please ask and answer questions here.
  - name: Tinyauth Documentation
    url: https://tinyauth.app/docs/getting-started/
    about: Please check the documentation here.
@@ -1,21 +0,0 @@
 ---
 name: Feature request
 about: Suggest an idea for this project
 title: "[FEATURE]"
 labels: enhancement
 assignees:
  - steveiliop56
 ---
 **Is your feature request related to a problem? Please describe.**
 A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
 **Describe the solution you'd like**
 A clear and concise description of what you want to happen.
 **Describe alternatives you've considered**
 A clear and concise description of any alternative solutions or features you've considered.
 **Additional context**
 Add any other context or screenshots about the feature request here.
@@ -0,0 +1,52 @@
 name: Feature request
 description: Suggest an idea for this project
 title: "[FEATURE]"
 labels: enhancement
 assignees:
  - steveiliop56
 body:
  - type: markdown
    attributes:
      value: |
        Thanks for suggesting a feature! Please provide detailed information below.
  - type: textarea
    id: problem
    attributes:
      label: Is your feature request related to a problem? Please describe.
      description: "A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]"
    validations:
      required: false
  - type: textarea
    id: solution
    attributes:
      label: Describe the solution you'd like.
      description: "A clear and concise description of what you want to happen."
    validations:
      required: true
  - type: textarea
    id: alternatives
    attributes:
      label: Describe alternatives you've considered.
      description: "A clear and concise description of any alternative solutions or features you've considered."
    validations:
      required: false
  - type: textarea
    id: context
    attributes:
      label: Additional context
      description: "Add any other context or screenshots about the feature request here."
    validations:
      required: false
  - type: checkboxes
    id: not-llm
    attributes:
      label: Human Written Confirmation
      options:
        - label: I confirm this request was written by me and not generated by an LLM or AI assistant.
          required: true
@@ -1,6 +1,6 @@
 version: 2
 updates:
-  - package-ecosystem: "bun"
+  - package-ecosystem: "npm"
    directory: "/frontend"
    groups:
      minor-patch:
@@ -15,8 +15,10 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Setup bun
+      - name: Setup pnpm
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
        with:
          package_json_file: ./frontend/package.json
      - name: Setup go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -26,33 +28,40 @@ jobs:
      - name: Go dependencies
        run: go mod download
-      - name: Install frontend dependencies
+      - name: Setup sqlc
        uses: sqlc-dev/setup-sqlc@v5
        with:
          sqlc-version: "1.31.1"
      - name: Check codegen is up to date
        run: |
-          cd frontend
+          sqlc generate
-          bun install --frozen-lockfile
+          go generate ./internal/repository/...
          git diff --exit-code -- internal/repository/
          git status --porcelain -- internal/repository/ | grep -q . && echo "untracked files in internal/repository/" && exit 1 || true
      - name: Install frontend dependencies
        working-directory: ./frontend
        run: pnpm ci
      - name: Set version
-        run: |
+        run: echo testing > internal/assets/version
          echo testing > internal/assets/version
      - name: Lint frontend
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm run lint
          bun run lint
      - name: Build frontend
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm run build
          bun run build
      - name: Copy frontend
-        run: |
+        run: cp -r frontend/dist internal/assets/dist
          cp -r frontend/dist internal/assets/dist
      - name: Run tests
        run: go test -coverprofile=coverage.txt -v ./...
      - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
@@ -59,8 +59,10 @@ jobs:
        with:
          ref: nightly
-      - name: Install bun
+      - name: Setup pnpm
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
        with:
          package_json_file: ./frontend/package.json
      - name: Install go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -68,23 +70,20 @@ jobs:
          go-version: "^1.26.0"
      - name: Install frontend dependencies
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm ci
          bun install --frozen-lockfile
      - name: Install backend dependencies
-        run: |
+        run: go mod download
          go mod download
      - name: Build frontend
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm run build
          bun run build
      - name: Build
        run: |
          cp -r frontend/dist internal/assets/dist
-          go build -ldflags "-s -w -X github.com/tinyauthapp/tinyauth/internal/model.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64 ./cmd/tinyauth
+          go build -ldflags "-X github.com/tinyauthapp/tinyauth/internal/model.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64 ./cmd/tinyauth
        env:
          CGO_ENABLED: 0
@@ -105,8 +104,10 @@ jobs:
        with:
          ref: nightly
-      - name: Install bun
+      - name: Setup pnpm
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
        with:
          package_json_file: ./frontend/package.json
      - name: Install go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -114,23 +115,20 @@ jobs:
          go-version: "^1.26.0"
      - name: Install frontend dependencies
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm ci
          bun install --frozen-lockfile
      - name: Install backend dependencies
-        run: |
+        run: go mod download
          go mod download
      - name: Build frontend
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm run build
          bun run build
      - name: Build
        run: |
          cp -r frontend/dist internal/assets/dist
-          go build -ldflags "-s -w -X github.com/tinyauthapp/tinyauth/internal/model.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64 ./cmd/tinyauth
+          go build -ldflags "-X github.com/tinyauthapp/tinyauth/internal/model.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64 ./cmd/tinyauth
        env:
          CGO_ENABLED: 0
@@ -168,7 +166,7 @@ jobs:
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
        id: build
        with:
          platforms: linux/amd64
@@ -226,7 +224,7 @@ jobs:
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
        id: build
        with:
          platforms: linux/amd64
@@ -284,7 +282,7 @@ jobs:
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
        id: build
        with:
          platforms: linux/arm64
@@ -342,7 +340,7 @@ jobs:
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
        id: build
        with:
          platforms: linux/arm64
@@ -35,8 +35,10 @@ jobs:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Install bun
+      - name: Setup pnpm
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
        with:
          package_json_file: ./frontend/package.json
      - name: Install go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -44,18 +46,15 @@ jobs:
          go-version: "^1.26.0"
      - name: Install frontend dependencies
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm ci
          bun install --frozen-lockfile
      - name: Install backend dependencies
-        run: |
+        run: go mod download
          go mod download
      - name: Build frontend
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm run build
          bun run build
      - name: Build
        run: |
@@ -78,8 +77,10 @@ jobs:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Install bun
+      - name: Setup pnpm
-        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
        with:
          package_json_file: ./frontend/package.json
      - name: Install go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
@@ -87,18 +88,15 @@ jobs:
          go-version: "^1.26.0"
      - name: Install frontend dependencies
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm ci
          bun install --frozen-lockfile
      - name: Install backend dependencies
-        run: |
+        run: go mod download
          go mod download
      - name: Build frontend
-        run: |
+        working-directory: ./frontend
-          cd frontend
+        run: pnpm run build
          bun run build
      - name: Build
        run: |
@@ -138,7 +136,7 @@ jobs:
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
        id: build
        with:
          platforms: linux/amd64
@@ -152,6 +150,7 @@ jobs:
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
            LDFLAGS="-s -w"
      - name: Export digest
        run: |
@@ -193,7 +192,7 @@ jobs:
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
        id: build
        with:
          platforms: linux/amd64
@@ -208,6 +207,7 @@ jobs:
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
            LDFLAGS="-s -w"
      - name: Export digest
        run: |
@@ -248,7 +248,7 @@ jobs:
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
        id: build
        with:
          platforms: linux/arm64
@@ -262,6 +262,7 @@ jobs:
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
            LDFLAGS="-s -w"
      - name: Export digest
        run: |
@@ -303,7 +304,7 @@ jobs:
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
        id: build
        with:
          platforms: linux/arm64
@@ -318,6 +319,7 @@ jobs:
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
            LDFLAGS="-s -w"
      - name: Export digest
        run: |
@@ -38,6 +38,6 @@ jobs:
          retention-days: 5
      - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4
+        uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4
        with:
          sarif_file: results.sarif
@@ -1,24 +0,0 @@
 name: Close stale issues and PRs
 on:
  schedule:
    - cron: 0 10 * * *
 permissions:
  issues: write
  pull-requests: write
 jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10
        with:
          days-before-stale: 30
          stale-pr-message: This PR has been inactive for 30 days and will be marked as stale.
          stale-issue-message: This issue has been inactive for 30 days and will be marked as stale.
          close-issue-message: Closed for inactivity.
          close-pr-message: Closed for inactivity.
          stale-issue-label: stale
          stale-pr-label: stale
          exempt-issue-labels: pinned
          exempt-pr-labels: pinned
@@ -48,3 +48,6 @@ __debug_*
 # testing config
 config.certify.yml
 # deepsec
 /.deepsec
@@ -7,7 +7,7 @@ Contributing to Tinyauth is straightforward. Follow the steps below to set up a
 ## Requirements
- Bun
+- pnpm
 - Golang v1.24.0 or later
 - Git
 - Docker
@@ -34,7 +34,7 @@ Frontend dependencies can be installed as follows:
 ```sh
 cd frontend/
-bun install
+pnpm ci
 ```
 ## Create the `.env` file
@@ -1,12 +1,14 @@
 # Site builder
-FROM oven/bun:1.3.13-alpine AS frontend-builder
+FROM node:26.2-alpine3.23 AS frontend-builder
 WORKDIR /frontend
-COPY ./frontend/package.json ./
+RUN npm install -g pnpm@11.1.2
 COPY ./frontend/bun.lock ./
-RUN bun install --frozen-lockfile
+COPY ./frontend/package.json ./
 COPY ./frontend/pnpm-lock.yaml ./
 RUN pnpm ci
 COPY ./frontend/public ./public
 COPY ./frontend/src ./src
@@ -17,7 +19,7 @@ COPY ./frontend/tsconfig.app.json ./
 COPY ./frontend/tsconfig.node.json ./
 COPY ./frontend/vite.config.ts ./
-RUN bun run build
+RUN pnpm run build
 # Builder
 FROM golang:1.26-alpine3.23 AS builder
@@ -25,6 +27,7 @@ FROM golang:1.26-alpine3.23 AS builder
 ARG VERSION
 ARG COMMIT_HASH
 ARG BUILD_TIMESTAMP
 ARG LDFLAGS
 WORKDIR /tinyauth
@@ -37,7 +40,7 @@ COPY ./cmd ./cmd
 COPY ./internal ./internal
 COPY --from=frontend-builder /frontend/dist ./internal/assets/dist
-RUN CGO_ENABLED=0 go build -ldflags "-s -w \
+RUN CGO_ENABLED=0 go build -ldflags "${LDFLAGS} \
    -X github.com/tinyauthapp/tinyauth/internal/model.Version=${VERSION} \
    -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${COMMIT_HASH} \
    -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
@@ -8,7 +8,7 @@ COPY go.sum ./
 RUN go mod download
 RUN go install github.com/air-verse/air@v1.61.7
-RUN go install github.com/go-delve/delve/cmd/dlv@latest
+RUN go install github.com/go-delve/delve/cmd/dlv@v1.26.3
 COPY ./cmd ./cmd
 COPY ./internal ./internal
@@ -1,12 +1,14 @@
 # Site builder
-FROM oven/bun:1.3.13-alpine AS frontend-builder
+FROM node:26.2-alpine3.23 AS frontend-builder
 WORKDIR /frontend
-COPY ./frontend/package.json ./
+RUN npm install -g pnpm@11.1.2
 COPY ./frontend/bun.lock ./
-RUN bun install --frozen-lockfile
+COPY ./frontend/package.json ./
 COPY ./frontend/pnpm-lock.yaml ./
 RUN pnpm ci
 COPY ./frontend/public ./public
 COPY ./frontend/src ./src
@@ -17,7 +19,7 @@ COPY ./frontend/tsconfig.app.json ./
 COPY ./frontend/tsconfig.node.json ./
 COPY ./frontend/vite.config.ts ./
-RUN bun run build
+RUN pnpm run build
 # Builder
 FROM golang:1.26-alpine3.23 AS builder
@@ -25,6 +27,7 @@ FROM golang:1.26-alpine3.23 AS builder
 ARG VERSION
 ARG COMMIT_HASH
 ARG BUILD_TIMESTAMP
 ARG LDFLAGS
 WORKDIR /tinyauth
@@ -39,7 +42,7 @@ COPY --from=frontend-builder /frontend/dist ./internal/assets/dist
 RUN mkdir -p data
-RUN CGO_ENABLED=0 go build -ldflags "-s -w \
+RUN CGO_ENABLED=0 go build -ldflags "${LDFLAGS} \
    -X github.com/tinyauthapp/tinyauth/internal/model.Version=${VERSION} \
    -X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${COMMIT_HASH} \
    -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
@@ -1,5 +1,5 @@
-                    GNU GENERAL PUBLIC LICENSE
+                    GNU AFFERO GENERAL PUBLIC LICENSE
-                       Version 3, 29 June 2007
+                       Version 3, 19 November 2007
 Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
 Everyone is permitted to copy and distribute verbatim copies
@@ -7,17 +7,15 @@
                            Preamble
-  The GNU General Public License is a free, copyleft license for
+  The GNU Affero General Public License is a free, copyleft license for
-software and other kinds of works.
+software and other kinds of works, specifically designed to ensure
 cooperation with the community in the case of network server software.
  The licenses for most software and other practical works are designed
 to take away your freedom to share and change the works.  By contrast,
-the GNU General Public License is intended to guarantee your freedom to
+our General Public Licenses are intended to guarantee your freedom to
 share and change all versions of a program--to make sure it remains free
-software for all its users.  We, the Free Software Foundation, use the
+software for all its users.
 GNU General Public License for most of our software; it applies also to
 any other work released this way by its authors.  You can apply it to
 your programs, too.
  When we speak of free software, we are referring to freedom, not
 price.  Our General Public Licenses are designed to make sure that you
@@ -26,44 +24,34 @@ them if you wish), that you receive source code or can get it if you
 want it, that you can change the software or use pieces of it in new
 free programs, and that you know you can do these things.
-  To protect your rights, we need to prevent others from denying you
+  Developers that use our General Public Licenses protect your rights
-these rights or asking you to surrender the rights.  Therefore, you have
+with two steps: (1) assert copyright on the software, and (2) offer
-certain responsibilities if you distribute copies of the software, or if
+you this License which gives you legal permission to copy, distribute
-you modify it: responsibilities to respect the freedom of others.
+and/or modify the software.
-  For example, if you distribute copies of such a program, whether
+  A secondary benefit of defending all users' freedom is that
-gratis or for a fee, you must pass on to the recipients the same
+improvements made in alternate versions of the program, if they
-freedoms that you received.  You must make sure that they, too, receive
+receive widespread use, become available for other developers to
-or can get the source code.  And you must show them these terms so they
+incorporate.  Many developers of free software are heartened and
-know their rights.
+encouraged by the resulting cooperation.  However, in the case of
 software used on network servers, this result may fail to come about.
 The GNU General Public License permits making a modified version and
 letting the public access it on a server without ever releasing its
 source code to the public.
-  Developers that use the GNU GPL protect your rights with two steps:
+  The GNU Affero General Public License is designed specifically to
-(1) assert copyright on the software, and (2) offer you this License
+ensure that, in such cases, the modified source code becomes available
-giving you legal permission to copy, distribute and/or modify it.
+to the community.  It requires the operator of a network server to
 provide the source code of the modified version running there to the
 users of that server.  Therefore, public use of a modified version, on
 a publicly accessible server, gives the public access to the source
 code of the modified version.
-  For the developers' and authors' protection, the GPL clearly explains
+  An older license, called the Affero General Public License and
-that there is no warranty for this free software.  For both users' and
+published by Affero, was designed to accomplish similar goals.  This is
-authors' sake, the GPL requires that modified versions be marked as
+a different license, not a version of the Affero GPL, but Affero has
-changed, so that their problems will not be attributed erroneously to
+released a new version of the Affero GPL which permits relicensing under
-authors of previous versions.
+this license.
  Some devices are designed to deny users access to install or run
 modified versions of the software inside them, although the manufacturer
 can do so.  This is fundamentally incompatible with the aim of
 protecting users' freedom to change the software.  The systematic
 pattern of such abuse occurs in the area of products for individuals to
 use, which is precisely where it is most unacceptable.  Therefore, we
 have designed this version of the GPL to prohibit the practice for those
 products.  If such problems arise substantially in other domains, we
 stand ready to extend this provision to those domains in future versions
 of the GPL, as needed to protect the freedom of users.
  Finally, every program is threatened constantly by software patents.
 States should not allow patents to restrict development and use of
 software on general-purpose computers, but in those that do, we wish to
 avoid the special danger that patents applied to a free program could
 make it effectively proprietary.  To prevent this, the GPL assures that
 patents cannot be used to render the program non-free.
  The precise terms and conditions for copying, distribution and
 modification follow.
@@ -72,7 +60,7 @@ modification follow.
  0. Definitions.
-  "This License" refers to version 3 of the GNU General Public License.
+  "This License" refers to version 3 of the GNU Affero General Public License.
  "Copyright" also means copyright-like laws that apply to other kinds of
 works, such as semiconductor masks.
@@ -549,35 +537,45 @@ to collect a royalty for further conveying from those to whom you convey
 the Program, the only way you could satisfy both those terms and this
 License would be to refrain entirely from conveying the Program.
-  13. Use with the GNU Affero General Public License.
+  13. Remote Network Interaction; Use with the GNU General Public License.
  Notwithstanding any other provision of this License, if you modify the
 Program, your modified version must prominently offer all users
 interacting with it remotely through a computer network (if your version
 supports such interaction) an opportunity to receive the Corresponding
 Source of your version by providing access to the Corresponding Source
 from a network server at no charge, through some standard or customary
 means of facilitating copying of software.  This Corresponding Source
 shall include the Corresponding Source for any work covered by version 3
 of the GNU General Public License that is incorporated pursuant to the
 following paragraph.
  Notwithstanding any other provision of this License, you have
 permission to link or combine any covered work with a work licensed
-under version 3 of the GNU Affero General Public License into a single
+under version 3 of the GNU General Public License into a single
 combined work, and to convey the resulting work.  The terms of this
 License will continue to apply to the part which is the covered work,
-but the special requirements of the GNU Affero General Public License,
+but the work with which it is combined will remain governed by version
-section 13, concerning interaction through a network will apply to the
+3 of the GNU General Public License.
 combination as such.
  14. Revised Versions of this License.
  The Free Software Foundation may publish revised and/or new versions of
-the GNU General Public License from time to time.  Such new versions will
+the GNU Affero General Public License from time to time.  Such new versions
-be similar in spirit to the present version, but may differ in detail to
+will be similar in spirit to the present version, but may differ in detail to
 address new problems or concerns.
  Each version is given a distinguishing version number.  If the
-Program specifies that a certain numbered version of the GNU General
+Program specifies that a certain numbered version of the GNU Affero General
 Public License "or any later version" applies to it, you have the
 option of following the terms and conditions either of that numbered
 version or of any later version published by the Free Software
 Foundation.  If the Program does not specify a version number of the
-GNU General Public License, you may choose any version ever published
+GNU Affero General Public License, you may choose any version ever published
 by the Free Software Foundation.
  If the Program specifies that a proxy can decide which future
-versions of the GNU General Public License can be used, that proxy's
+versions of the GNU Affero General Public License can be used, that proxy's
 public statement of acceptance of a version permanently authorizes you
 to choose that version for the Program.
@@ -635,40 +633,29 @@ the "copyright" line and a pointer to where the full notice is found.
    Copyright (C) <year>  <name of author>
    This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
+    it under the terms of the GNU Affero General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
+    GNU Affero General Public License for more details.
-    You should have received a copy of the GNU General Public License
+    You should have received a copy of the GNU Affero General Public License
    along with this program.  If not, see <https://www.gnu.org/licenses/>.
 Also add information on how to contact you by electronic and paper mail.
-  If the program does terminal interaction, make it output a short
+  If your software can interact with users remotely through a computer
-notice like this when it starts in an interactive mode:
+network, you should also make sure that it provides a way for users to
-
+get its source.  For example, if your program is a web application, its
-    <program>  Copyright (C) <year>  <name of author>
+interface could display a "Source" link that leads users to an archive
-    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+of the code.  There are many ways you could offer source, and different
-    This is free software, and you are welcome to redistribute it
+solutions will be better for different programs; see section 13 for the
-    under certain conditions; type `show c' for details.
+specific requirements.
 The hypothetical commands `show w' and `show c' should show the appropriate
 parts of the General Public License.  Of course, your program's commands
 might be different; for a GUI interface, you would use an "about box".
  You should also get your employer (if you work as a programmer) or school,
 if any, to sign a "copyright disclaimer" for the program, if necessary.
-For more information on this, and how to apply and follow the GNU GPL, see
+For more information on this, and how to apply and follow the GNU AGPL, see
 <https://www.gnu.org/licenses/>.
  The GNU General Public License does not permit incorporating your program
 into proprietary programs.  If your program is a subroutine library, you
 may consider it more useful to permit linking proprietary applications with
 the library.  If this is what you want to do, use the GNU Lesser General
 Public License instead of this License.  But first, please read
 <https://www.gnu.org/licenses/why-not-lgpl.html>.
@@ -8,6 +8,7 @@ TAG_NAME := $(shell git describe --abbrev=0 --exact-match 2> /dev/null || echo "
 COMMIT_HASH := $(shell git rev-parse HEAD)
 BUILD_TIMESTAMP := $(shell date '+%Y-%m-%dT%H:%M:%S')
 BIN_NAME := tinyauth-$(GOARCH)
 LDFLAGS := -s -w
 # Development vars
 DEV_COMPOSE := $(shell test -f "docker-compose.test.yml" && echo "docker-compose.test.yml" || echo "docker-compose.dev.yml" )
@@ -17,7 +18,7 @@ PROD_COMPOSE := $(shell test -f "docker-compose.test.prod.yml" && echo "docker-c
 # Deps
 deps:
-	bun install --frozen-lockfile --cwd frontend
+	cd frontend && pnpm ci
 	go mod download
 # Clean data
@@ -31,12 +32,12 @@ clean-webui:
 # Build the web UI
 webui: clean-webui
-	bun run --cwd frontend build
+	cd frontend && pnpm run build
 	cp -r frontend/dist internal/assets
 # Build the binary
 binary: webui
-	CGO_ENABLED=$(CGO_ENABLED) go build -ldflags "-s -w \
+	CGO_ENABLED=$(CGO_ENABLED) go build -ldflags "${LDFLAGS} \
 	-X github.com/tinyauthapp/tinyauth/internal/model.Version=${TAG_NAME} \
 	-X github.com/tinyauthapp/tinyauth/internal/model.CommitHash=${COMMIT_HASH} \
 	-X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${BUILD_TIMESTAMP}" \
@@ -61,6 +62,15 @@ binary-linux-arm64:
 test:
 	go test -v ./...
 # Go vet
 .PHONY: vet
 vet:
 	go vet ./...
 # Go race
 test-race:
 	go test -race ./...
 # Development
 dev:
 	docker compose -f $(DEV_COMPOSE) up --force-recreate --pull=always --remove-orphans --build
@@ -85,3 +95,4 @@ sql:
 # Go gen
 generate:
 	go run ./gen
 	go generate ./internal/repository/...
@@ -28,9 +28,6 @@ Tinyauth is the simplest and tiniest authentication and authorization server you
 > [!NOTE]
 > This is the main development branch. For the latest stable release, see the [documentation](https://tinyauth.app) or the latest stable tag.
 > [!NOTE]
 > Tinyauth is in the process of migrating to the new [tinyauthapp](https://github.com/tinyauthapp) organization. The organization **is official** and it will host all of the Tinyauth related repositories in the future.
 ## Getting Started
 You can get started with Tinyauth by following the guide in the [documentation](https://tinyauth.app/docs/getting-started). There is also an available [docker-compose](./docker-compose.example.yml) file that has Traefik, Whoami and Tinyauth to demonstrate its capabilities (keep in mind that this file lives in the development branch so it may have updates that are not yet released).
@@ -59,7 +56,7 @@ If you like, you can help translate Tinyauth into more languages by visiting the
 ## License
-Tinyauth is licensed under the GNU General Public License v3.0. TL;DR — You may copy, distribute and modify the software as long as you track changes/dates in source files. Any modifications to or software including (via compiler) GPL-licensed code must also be made available under the GPL along with build & install instructions. For more information about the license check the [license](./LICENSE) file.
+Tinyauth is licensed under the GNU Affero General Public License v3.0. TL;DR — You may copy, distribute and modify the software as long as you track changes/dates in source files. Any modifications to or software including (via compiler) AGPL-licensed code must also be made available under the AGPL along with build & install instructions. If you run a modified version over a network, you must also make the source available to the users of that service. For more information about the license check the [license](LICENSE) file.
 ## Sponsors
@@ -2,8 +2,56 @@
 ## Supported Versions
-It is recommended to use the [latest](https://github.com/tinyauthapp/tinyauth/releases/latest) available version of tinyauth. This is because it includes security fixes, new features and dependency updates. Older versions, especially major ones, are not supported and won't receive security or patch updates.
+It is recommended to use the [latest](https://github.com/tinyauthapp/tinyauth/releases/latest) available version of Tinyauth. This is because it includes security fixes, new features and dependency updates. Older versions, especially major ones, are not supported and won't receive security or patch updates.
 ## Reporting a Vulnerability
-Due to the nature of this app, it needs to be secure. If you discover any security issues or vulnerabilities in the app please contact me as soon as possible at <security@tinyauth.app>. Please do not use the issues section to report security issues as I won't be able to patch them in time and they may get exploited by malicious actors.
+Please **do not** report security vulnerabilities through public GitHub issues, discussions, or pull requests as I won't be able to patch them in time and they may get exploited by malicious actors.
 Instead, report them privately using [GitHub's Private Vulnerability Reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) via the **Security** tab of this repository.
 Or send us an email at <security@tinyauth.app>.
 ### A note on AI-assisted reports
 If AI tooling (LLMs, automated scanners, agentic assistants, etc.) helped you discover, analyse, or write up this issue, please say so in your report. This isn't a judgement - AI-assisted findings are welcome - but disclosing it up front helps maintainers calibrate how much additional verification a report needs, and tends to make the report itself clearer.
 When submitting a report, please use the structure below so it can be triaged quickly.
 ---
 ### 1. Summary
 A short, one-paragraph description of the vulnerability and its impact (e.g. what an attacker can achieve, who is affected, and under what conditions).
 ### 2. Steps to Reproduce / Proof of Concept
 Provide a minimal, reliable reproduction:
 1. Step one
 2. Step two
 3. Step three
 Include any required input, payloads, configuration, or code snippets. Attach a PoC script or screenshots where helpful.
 ### 3. Expected vs. Actual Behaviour
 - **Expected:** what *should* happen
 - **Actual:** what *does* happen, and why it's a security issue
 ### 4. Suggested Fix or Mitigation *(optional)*
 If you have an idea for how to address the issue, describe it here. A private gist link is welcome but not required.
 - **Have you tested this fix?** Yes / No
 - **If yes,** briefly describe how it was tested and what was verified.
 ---
 ## What to Expect
 - **Acknowledgement** within a reasonable timeframe after receiving your report
 - **Updates** as the issue is investigated and addressed
 - **Public credit** in the resulting advisory, along with any **CVE assigned**, unless you'd prefer to stay anonymous
 We follow a **90-day coordinated disclosure** window: please allow up to 90 days from the date of your report for the issue to be investigated and patched before publicly disclosing it. The publication date - whether earlier if a fix lands sooner, or later if more time is genuinely needed - will be agreed with you in advance.
@@ -1,9 +1,10 @@
 services:
  traefik:
    image: traefik:v3.6
-    command: --api.insecure=true --providers.docker
+    command: --api.insecure=true --providers.docker --entrypoints.web.address=:80 --entrypoints.websecure.address=:443
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
@@ -25,6 +26,8 @@ services:
    labels:
      traefik.enable: true
      traefik.http.routers.tinyauth.rule: Host(`tinyauth.127.0.0.1.sslip.io`)
      traefik.http.routers.tinyauth.entrypoints: websecure
      traefik.http.routers.tinyauth.tls: true
  tinyauth-backend:
    build:
@@ -1,6 +0,0 @@
 # Ignore artifacts:
 dist
 node_modules
 bun.lock
 package.json
 src/lib/i18n/locales
@@ -1 +0,0 @@
 {}
@@ -1,11 +1,13 @@
-FROM oven/bun:1.2.16-alpine
+FROM node:26.1-alpine3.23
 RUN npm install -g pnpm@11.1.2
 WORKDIR /frontend
 COPY ./frontend/package.json ./
-COPY ./frontend/bun.lock ./
+COPY ./frontend/pnpm-lock.yaml ./
-RUN bun install --frozen-lockfile
+RUN pnpm ci
 COPY ./frontend/public ./public
 COPY ./frontend/src ./src
@@ -19,4 +21,4 @@ COPY ./frontend/vite.config.ts ./
 EXPOSE 5173
-ENTRYPOINT ["bun", "run", "dev"]
+ENTRYPOINT ["pnpm", "run", "dev"]
@@ -10,6 +10,7 @@
    "preview": "vite preview",
    "tsc": "tsc -b"
  },
  "packageManager": "pnpm@11.1.2",
  "dependencies": {
    "@hookform/resolvers": "^5.2.2",
    "@radix-ui/react-dropdown-menu": "^2.1.16",
@@ -0,0 +1,4 @@
 dangerouslyAllowAllBuilds: false
 blockExoticSubdeps: true
 minimumReleaseAge: 1440 # 1 day
 trustPolicy: no-downgrade
@@ -80,5 +80,17 @@
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information.",
-    "backToLoginButton": "Back to login"
+    "backToLoginButton": "Back to login",
    "phoneScopeName": "Phone",
    "phoneScopeDescription": "Allows the app to access your phone number.",
    "addressScopeName": "Address",
    "addressScopeDescription": "Allows the app to access your address.",
    "loginTailscaleTitle": "Continue with Tailscale",
    "loginTailscaleDescription": "You appear to be accessing Tinyauth from an authorized Tailscale device. Would you like to continue with your Tailscale connection?",
    "loginTailscaleDeviceName": "Device name:",
    "loginTailscaleSubmit": "Continue with Tailscale",
    "loginTailscaleOtherMethod": "Login with another method",
    "loginTailscaleSuccess": "Successfully authenticated with Tailscale.",
    "loginTailscaleFail": "Failed to authenticate with Tailscale. Please try again or use another login method.",
    "logoutTailscaleSubtitle": "You are currently logged in with Tailscale on your device <code>{{deviceName}}</code>. Click the button below to logout."
 }
@@ -84,5 +84,13 @@
    "phoneScopeName": "Phone",
    "phoneScopeDescription": "Allows the app to access your phone number.",
    "addressScopeName": "Address",
-    "addressScopeDescription": "Allows the app to access your address."
+    "addressScopeDescription": "Allows the app to access your address.",
    "loginTailscaleTitle": "Continue with Tailscale",
    "loginTailscaleDescription": "You appear to be accessing Tinyauth from an authorized Tailscale device. Would you like to continue with your Tailscale connection?",
    "loginTailscaleDeviceName": "Device name:",
    "loginTailscaleSubmit": "Continue with Tailscale",
    "loginTailscaleOtherMethod": "Login with another method",
    "loginTailscaleSuccess": "Successfully authenticated with Tailscale.",
    "loginTailscaleFail": "Failed to authenticate with Tailscale. Please try again or use another login method.",
    "logoutTailscaleSubtitle": "You are currently logged in with Tailscale on your device <code>{{deviceName}}</code>. Click the button below to logout."
 }
@@ -58,8 +58,8 @@
    "invalidInput": "Input non valido",
    "domainWarningTitle": "Dominio non valido",
    "domainWarningSubtitle": "Stai accedendo a questa istanza da un dominio errato. Scegliendo di procedere, potresti incontrare problemi con l'autenticazione.",
-    "domainWarningCurrent": "Current:",
+    "domainWarningCurrent": "Attuale:",
-    "domainWarningExpected": "Expected:",
+    "domainWarningExpected": "Previsto:",
    "ignoreTitle": "Ignora",
    "goToCorrectDomainTitle": "Vai al dominio corretto",
    "authorizeTitle": "Autorizza",
@@ -57,7 +57,7 @@
    "fieldRequired": "Ово поље је неопходно",
    "invalidInput": "Неисправан унос",
    "domainWarningTitle": "Неисправан домен",
-    "domainWarningSubtitle": "You are accessing this instance from an incorrect domain. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "Приступате овој инстанци са неисправног домена. Ако наставите, можете наићи на проблеме са аутентификацијом.",
    "domainWarningCurrent": "Тренутни:",
    "domainWarningExpected": "Очекивани:",
    "ignoreTitle": "Игнориши",
@@ -37,12 +37,16 @@ const iconMap: Record<string, React.ReactNode> = {
 export const LoginPage = () => {
  const { auth, tailscale } = useUserContext();
-  const { ui, oauth, auth: cauth } = useAppContext();
+  const {
    ui,
    oauth,
    auth: { providers },
  } = useAppContext();
  const { search } = useLocation();
  const { t } = useTranslation();
  const [showRedirectButton, setShowRedirectButton] = useState(false);
-  const [useTailscale, setUseTailscale] = useState(tailscale.nodeName !== "");
+  const [useTailscale, setUseTailscale] = useState(tailscale.nodeName !== undefined);
  const hasAutoRedirectedRef = useRef(false);
@@ -56,15 +60,15 @@ export const LoginPage = () => {
  const oidcParams = useOIDCParams(searchParams);
  const [isOauthAutoRedirect, setIsOauthAutoRedirect] = useState(
-    cauth.providers.find((provider) => provider.id === oauth.autoRedirect) !==
+    providers.find((provider) => provider.id === oauth.autoRedirect) !==
      undefined && redirectUri !== undefined,
  );
-  const oauthProviders = cauth.providers.filter(
+  const oauthProviders = providers.filter(
    (provider) => provider.id !== "local" && provider.id !== "ldap",
  );
  const userAuthConfigured =
-    cauth.providers.find(
+    providers.find(
      (provider) => provider.id === "local" || provider.id === "ldap",
    ) !== undefined;
@@ -154,8 +158,8 @@ export const LoginPage = () => {
      mutationFn: () => axios.post("/api/user/tailscale"),
      mutationKey: ["tailscale"],
      onSuccess: () => {
-        toast.success("Logged in", {
+        toast.success(t("loginSuccessTitle"), {
-          description: t("Tailscale session confirmed"),
+          description: t("loginTailscaleSuccess"),
        });
        redirectTimer.current = window.setTimeout(() => {
@@ -169,8 +173,8 @@ export const LoginPage = () => {
        }, 500);
      },
      onError: () => {
-        toast.error("Failed to login", {
+        toast.error(t("loginFailTitle"), {
-          description: "Failed to authenticate with Tailscale.",
+          description: t("loginTailscaleFail"),
        });
      },
    });
@@ -262,17 +266,15 @@ export const LoginPage = () => {
        <CardHeader className="gap-3">
          <TailscaleIcon className="mx-auto h-8 w-8" />
          <CardTitle className="text-center text-xl">
-            Tinyauth · Tailscale
+            {t("loginTailscaleTitle")}
          </CardTitle>
        </CardHeader>
        <CardContent className="flex flex-col gap-4">
          <div className="text-muted-foreground text-sm">
-            We detected that you are accessing Tinyauth from an authorized
+            {t("loginTailscaleDescription")}
            Tailscale device. Would you like to continue with your Tailscale
            credentials?
          </div>
          <div className="text-muted-foreground text-sm">
-            Machine Name: <code>{tailscale.nodeName}</code>
+            {t("loginTailscaleDeviceName")} <code>{tailscale.nodeName}</code>
          </div>
        </CardContent>
        <CardFooter className="flex flex-col items-stretch gap-3">
@@ -281,7 +283,7 @@ export const LoginPage = () => {
            onClick={() => tailscaleMutate()}
            loading={tailscaleIsPending}
          >
-            Continue with Tailscale
+            {t("loginTailscaleSubmit")}
          </Button>
          <Button
            className="w-full"
@@ -289,7 +291,7 @@ export const LoginPage = () => {
            onClick={() => setUseTailscale(false)}
            disabled={tailscaleIsPending}
          >
-            Use other login method
+            {t("loginTailscaleOtherMethod")}
          </Button>
        </CardFooter>
      </Card>
@@ -300,7 +302,7 @@ export const LoginPage = () => {
    <Card>
      <CardHeader className="gap-1.5">
        <CardTitle className="text-center text-xl">{ui.title}</CardTitle>
-        {cauth.providers.length > 0 && (
+        {providers.length > 0 && (
          <CardDescription className="text-center">
            {oauthProviders.length !== 0
              ? t("loginTitle")
@@ -338,7 +340,7 @@ export const LoginPage = () => {
            })()}
          />
        )}
-        {cauth.providers.length == 0 && (
+        {providers.length == 0 && (
          <pre className="break-normal! text-sm text-red-600">
            {t("failedToFetchProvidersTitle")}
          </pre>
@@ -75,9 +75,17 @@ export const LogoutPage = () => {
  if (auth.providerId === "tailscale") {
    return (
      <LogoutLayout logoutMutation={logoutMutation}>
-        You are currently logged in with the Tailscale integration identified by
+        <Trans
-        the <code>{tailscale.nodeName}</code> node. Click the button below to
+          i18nKey="logoutTailscaleSubtitle"
-        log out.
+          t={t}
          components={{
            code: <code />,
          }}
          values={{
            deviceName: tailscale.nodeName,
          }}
          shouldUnescape={true}
        />
      </LogoutLayout>
    );
  }
@@ -18,7 +18,7 @@ const totpSchema = z.object({
 });
 const tailscaleSchema = z.object({
-  nodeName: z.string(),
+  nodeName: z.string().optional(),
 });
 export const userContextSchema = z.object({
@@ -0,0 +1,473 @@
 // gen/sqlc-wrapper generates store.go wrapper files for each sqlc driver package under
 // internal/repository/<driver>/. Run via:
 //
 //	go generate ./internal/repository/...
 //
 // The generator introspects *Queries methods and the model/params types in the
 // driver package, then emits a store.go that wraps *Queries so it satisfies
 // repository.Store using the canonical shared types in the parent package.
 // This generator is specific to sqlc-generated drivers. Non-sqlc drivers should
 // implement repository.Store directly by hand.
 package main
 import (
 	"bytes"
 	_ "embed"
 	"flag"
 	"fmt"
 	"go/format"
 	"go/types"
 	"log"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"sort"
 	"strings"
 	"text/template"
 	"golang.org/x/tools/go/packages"
 )
 //go:embed store.tmpl
 var storeSrc string
 func main() {
 	fmt.Println("sqlc-wrapper: generating store.go files for sqlc driver packages...")
 	if err := run(); err != nil {
 		log.Fatal(err)
 	}
 }
 func run() error {
 	driverPkg := flag.String("pkg", "", "import path of the driver package")
 	out := flag.String("out", "store.go", "output filename relative to driver package directory")
 	flag.Parse()
 	if *driverPkg == "" {
 		return fmt.Errorf("-pkg is required")
 	}
 	// Resolve the driver package directory so we can overlay the output file
 	// with a valid stub. This prevents a stale store.go from poisoning the
 	// type-checker and producing cryptic "undefined" errors.
 	driverDir, err := pkgDir(*driverPkg)
 	if err != nil {
 		return fmt.Errorf("resolve driver dir: %w", err)
 	}
 	outPath := filepath.Join(driverDir, *out)
 	if filepath.IsAbs(*out) {
 		outPath = *out
 	}
 	// Stub replaces the output file during load so stale generated code is ignored.
 	stub := []byte("package " + filepath.Base(driverDir) + "\n")
 	cfg := &packages.Config{
 		Mode:    packages.NeedName | packages.NeedTypes | packages.NeedSyntax | packages.NeedImports,
 		Overlay: map[string][]byte{outPath: stub},
 	}
 	driverTypePkg, err := loadOnePkg(cfg, *driverPkg)
 	if err != nil {
 		return fmt.Errorf("load driver package: %w", err)
 	}
 	repoPkgPath := parentPkg(*driverPkg)
 	repoTypePkg, err := loadOnePkg(cfg, repoPkgPath)
 	if err != nil {
 		return fmt.Errorf("load repo package: %w", err)
 	}
 	if err := validateStructShapes(driverTypePkg, repoTypePkg); err != nil {
 		return fmt.Errorf("struct shape mismatch: %w", err)
 	}
 	if err := validateStoreCoverage(driverTypePkg, repoTypePkg); err != nil {
 		return err
 	}
 	methods, err := collectMethods(driverTypePkg)
 	if err != nil {
 		return err
 	}
 	src, err := render(tmplData{
 		PkgName: driverTypePkg.Name(),
 		RepoPkg: repoPkgPath,
 		Methods: renderMethods(methods),
 	})
 	if err != nil {
 		return fmt.Errorf("render: %w", err)
 	}
 	if err := os.WriteFile(outPath, src, 0644); err != nil {
 		return fmt.Errorf("write %s: %w", outPath, err)
 	}
 	fmt.Printf("wrote %s\n", outPath)
 	return nil
 }
 // loadOnePkg loads a single package via cfg and returns its *types.Package,
 // or an error if the package fails to load or has type errors.
 func loadOnePkg(cfg *packages.Config, importPath string) (*types.Package, error) {
 	pkgs, err := packages.Load(cfg, importPath)
 	if err != nil {
 		return nil, fmt.Errorf("load %s: %w", importPath, err)
 	}
 	if len(pkgs) != 1 {
 		return nil, fmt.Errorf("expected 1 package for %s, got %d", importPath, len(pkgs))
 	}
 	pkg := pkgs[0]
 	if len(pkg.Errors) > 0 {
 		msgs := make([]string, len(pkg.Errors))
 		for i, e := range pkg.Errors {
 			msgs[i] = e.Error()
 		}
 		return nil, fmt.Errorf("package %s has errors:\n  %s", importPath, strings.Join(msgs, "\n  "))
 	}
 	return pkg.Types, nil
 }
 // parentPkg returns the parent import path (everything before the last /).
 // Panics if imp contains no slash — callers are expected to pass driver sub-packages.
 func parentPkg(imp string) string {
 	i := strings.LastIndex(imp, "/")
 	if i < 0 {
 		panic(fmt.Sprintf("parentPkg: import path %q has no parent", imp))
 	}
 	return imp[:i]
 }
 // pkgDir returns the on-disk directory for an import path using `go list`.
 func pkgDir(importPath string) (string, error) {
 	out, err := exec.Command("go", "list", "-f", "{{.Dir}}", importPath).Output()
 	if err != nil {
 		return "", fmt.Errorf("go list %s: %w", importPath, err)
 	}
 	return strings.TrimSpace(string(out)), nil
 }
 // scopeStructs returns all named struct types in pkg, excluding the internal
 // sqlc types Queries, DBTX, and Store. Names are returned in sorted order.
 func scopeStructs(pkg *types.Package) (names []string, byName map[string]*types.Struct) {
 	byName = make(map[string]*types.Struct)
 	for _, name := range pkg.Scope().Names() { // Names() is already sorted
 		switch name {
 		case "Queries", "DBTX", "Store":
 			continue
 		}
 		obj, ok := pkg.Scope().Lookup(name).(*types.TypeName)
 		if !ok {
 			continue
 		}
 		named, ok := obj.Type().(*types.Named)
 		if !ok {
 			continue
 		}
 		s, ok := named.Underlying().(*types.Struct)
 		if !ok {
 			continue
 		}
 		names = append(names, name)
 		byName[name] = s
 	}
 	return
 }
 // validateStoreCoverage checks that every method declared in repository.Store
 // exists on *Queries in the driver package. Missing methods are reported by
 // name so the developer knows exactly which SQL queries need to be added.
 func validateStoreCoverage(driverPkg, repoPkg *types.Package) error {
 	queriesObj := driverPkg.Scope().Lookup("Queries")
 	if queriesObj == nil {
 		return fmt.Errorf("queries type not found in driver package")
 	}
 	queriesNamed := queriesObj.Type().(*types.Named)
 	queriesMS := types.NewMethodSet(types.NewPointer(queriesNamed))
 	queriesMethods := make(map[string]bool)
 	for m := range queriesMS.Methods() {
 		queriesMethods[m.Obj().Name()] = true
 	}
 	storeObj := repoPkg.Scope().Lookup("Store")
 	if storeObj == nil {
 		return fmt.Errorf("store type not found in repository package")
 	}
 	storeIface, ok := storeObj.Type().Underlying().(*types.Interface)
 	if !ok {
 		return fmt.Errorf("repository.Store is not an interface")
 	}
 	var missing []string
 	for method := range storeIface.Methods() {
 		if name := method.Name(); !queriesMethods[name] {
 			missing = append(missing, name)
 		}
 	}
 	if len(missing) > 0 {
 		sort.Strings(missing)
 		return fmt.Errorf(
 			"driver *Queries is missing %d method(s) required by repository.Store:\n  - %s\n\nRun sqlc generate to regenerate query methods, or add the missing SQL queries",
 			len(missing), strings.Join(missing, "\n  - "),
 		)
 	}
 	return nil
 }
 // validateStructShapes checks that every model/params struct in the driver
 // package has fields that exactly match the corresponding type in the repo
 // (parent) package. This catches drift between sqlc-generated types and the
 // canonical repository types before a broken cast reaches the compiler.
 func validateStructShapes(driverPkg, repoPkg *types.Package) error {
 	_, repoStructs := scopeStructs(repoPkg)
 	driverNames, driverStructs := scopeStructs(driverPkg)
 	var errs []string
 	for _, name := range driverNames {
 		repoStruct, ok := repoStructs[name]
 		if !ok {
 			// Driver has a type not in repo — fine (e.g. internal helpers).
 			continue
 		}
 		if err := compareStructs(name, driverStructs[name], repoStruct); err != nil {
 			errs = append(errs, err.Error())
 		}
 	}
 	if len(errs) > 0 {
 		sort.Strings(errs)
 		return fmt.Errorf("%s", strings.Join(errs, "\n  "))
 	}
 	return nil
 }
 func compareStructs(name string, driver, repo *types.Struct) error {
 	if driver.NumFields() != repo.NumFields() {
 		return fmt.Errorf("%s: field count mismatch (driver=%d, repo=%d)",
 			name, driver.NumFields(), repo.NumFields())
 	}
 	for i := range driver.NumFields() {
 		df := driver.Field(i)
 		rf := repo.Field(i)
 		if df.Name() != rf.Name() {
 			return fmt.Errorf("%s: field %d name mismatch (driver=%q, repo=%q)",
 				name, i, df.Name(), rf.Name())
 		}
 		if !types.Identical(df.Type(), rf.Type()) {
 			return fmt.Errorf("%s.%s: type mismatch (driver=%s, repo=%s)",
 				name, df.Name(), df.Type(), rf.Type())
 		}
 	}
 	return nil
 }
 type methodInfo struct {
 	Name    string
 	Params  []paramInfo
 	Results []resultInfo
 }
 type paramInfo struct {
 	Name     string
 	TypeStr  string // local (unqualified) type name
 	RepoType string // "repository.X" if this is a driver model/params type; else ""
 }
 type resultInfo struct {
 	TypeStr  string
 	IsSlice  bool
 	RepoType string // "repository.X" if driver type; else ""
 }
 func collectMethods(pkg *types.Package) ([]methodInfo, error) {
 	obj := pkg.Scope().Lookup("Queries")
 	if obj == nil {
 		return nil, fmt.Errorf("queries type not found in %s", pkg.Path())
 	}
 	named, ok := obj.Type().(*types.Named)
 	if !ok {
 		return nil, fmt.Errorf("queries is not a named type")
 	}
 	ms := types.NewMethodSet(types.NewPointer(named))
 	var out []methodInfo
 	for method := range ms.Methods() {
 		fn, ok := method.Obj().(*types.Func)
 		if !ok || fn.Name() == "WithTx" {
 			continue
 		}
 		sig := fn.Type().(*types.Signature)
 		mi := methodInfo{Name: fn.Name()}
 		// params: skip receiver + first (context.Context)
 		for i := 1; i < sig.Params().Len(); i++ {
 			p := sig.Params().At(i)
 			mi.Params = append(mi.Params, makeParam(p.Name(), p.Type(), pkg.Path()))
 		}
 		// results: skip error
 		for r := range sig.Results().Variables() {
 			if r.Type().String() == "error" {
 				continue
 			}
 			mi.Results = append(mi.Results, makeResult(r.Type(), pkg.Path()))
 		}
 		out = append(out, mi)
 	}
 	return out, nil
 }
 func makeParam(name string, t types.Type, driverPath string) paramInfo {
 	return paramInfo{
 		Name:     name,
 		TypeStr:  localName(t, driverPath),
 		RepoType: repoName(t, driverPath),
 	}
 }
 func makeResult(t types.Type, driverPath string) resultInfo {
 	ri := resultInfo{}
 	if sl, ok := t.(*types.Slice); ok {
 		ri.IsSlice = true
 		t = sl.Elem()
 	}
 	ri.TypeStr = localName(t, driverPath)
 	ri.RepoType = repoName(t, driverPath)
 	return ri
 }
 func localName(t types.Type, driverPath string) string {
 	named, ok := t.(*types.Named)
 	if !ok {
 		return types.TypeString(t, nil)
 	}
 	if named.Obj().Pkg() != nil && named.Obj().Pkg().Path() == driverPath {
 		return named.Obj().Name()
 	}
 	return types.TypeString(t, func(p *types.Package) string { return p.Name() })
 }
 func repoName(t types.Type, driverPath string) string {
 	named, ok := t.(*types.Named)
 	if !ok {
 		return ""
 	}
 	if named.Obj().Pkg() != nil && named.Obj().Pkg().Path() == driverPath {
 		return "repository." + named.Obj().Name()
 	}
 	return ""
 }
 // renderedMethod holds pre-built signature and body strings passed to the template.
 type renderedMethod struct {
 	Signature string
 	Body      string
 }
 func renderMethods(methods []methodInfo) []renderedMethod {
 	out := make([]renderedMethod, len(methods))
 	for i, m := range methods {
 		out[i] = renderedMethod{
 			Signature: buildSig(m),
 			Body:      buildBody(m),
 		}
 	}
 	return out
 }
 func buildSig(m methodInfo) string {
 	var sb strings.Builder
 	sb.WriteString("func (s *Store) ")
 	sb.WriteString(m.Name)
 	sb.WriteString("(ctx context.Context")
 	for _, p := range m.Params {
 		sb.WriteString(", ")
 		sb.WriteString(p.Name)
 		sb.WriteString(" ")
 		if p.RepoType != "" {
 			sb.WriteString(p.RepoType)
 		} else {
 			sb.WriteString(p.TypeStr)
 		}
 	}
 	sb.WriteString(") (")
 	for _, r := range m.Results {
 		if r.IsSlice {
 			sb.WriteString("[]")
 		}
 		if r.RepoType != "" {
 			sb.WriteString(r.RepoType)
 		} else {
 			sb.WriteString(r.TypeStr)
 		}
 		sb.WriteString(", ")
 	}
 	sb.WriteString("error)")
 	return sb.String()
 }
 func callArgs(m methodInfo) string {
 	args := make([]string, 0, len(m.Params))
 	for _, p := range m.Params {
 		if p.RepoType != "" {
 			// convert repo type → driver type: DriverType(arg)
 			args = append(args, p.TypeStr+"("+p.Name+")")
 		} else {
 			args = append(args, p.Name)
 		}
 	}
 	if len(args) == 0 {
 		return "ctx"
 	}
 	return "ctx, " + strings.Join(args, ", ")
 }
 var bodyTmpl = template.Must(template.New("store").Parse(storeSrc))
 type bodyData struct {
 	Call     string
 	RepoType string
 }
 func buildBody(m methodInfo) string {
 	call := "s.q." + m.Name + "(" + callArgs(m) + ")"
 	var (
 		name string
 		data bodyData
 	)
 	switch {
 	case len(m.Results) == 0 || m.Results[0].RepoType == "":
 		name = "void"
 		data = bodyData{Call: call}
 	case m.Results[0].IsSlice:
 		name = "slice"
 		data = bodyData{Call: call, RepoType: m.Results[0].RepoType}
 	default:
 		name = "scalar"
 		data = bodyData{Call: call, RepoType: m.Results[0].RepoType}
 	}
 	var buf bytes.Buffer
 	if err := bodyTmpl.ExecuteTemplate(&buf, name, data); err != nil {
 		panic(fmt.Sprintf("buildBody %s: %v", name, err))
 	}
 	return buf.String()
 }
 type tmplData struct {
 	PkgName string
 	RepoPkg string
 	Methods []renderedMethod
 }
 func render(data tmplData) ([]byte, error) {
 	var buf bytes.Buffer
 	if err := bodyTmpl.Execute(&buf, data); err != nil {
 		return nil, fmt.Errorf("execute template: %w", err)
 	}
 	formatted, err := format.Source(buf.Bytes())
 	if err != nil {
 		return buf.Bytes(), fmt.Errorf("format source: %w\nraw:\n%s", err, buf.String())
 	}
 	return formatted, nil
 }
@@ -0,0 +1,59 @@
 // Code generated by cmd/gen/sqlc-wrapper. DO NOT EDIT.
 package {{.PkgName}}
 import (
 	"context"
 	"database/sql"
 	"errors"
 	"{{.RepoPkg}}"
 )
 // Store wraps *Queries and implements repository.Store.
 type Store struct {
 	q *Queries
 }
 // NewStore wraps a *Queries to satisfy repository.Store.
 func NewStore(q *Queries) repository.Store {
 	return &Store{q: q}
 }
 var errorMap = map[error]error{
 	sql.ErrNoRows: repository.ErrNotFound,
 }
 func mapErr(err error) error {
 	for from, to := range errorMap {
 		if errors.Is(err, from) {
 			return to
 		}
 	}
 	return err
 }
 {{range .Methods}}{{.Signature}} {
 {{.Body}}}
 {{end}}
 {{- define "void"}}	return mapErr({{.Call}})
 {{end}}
 {{- define "scalar"}}	r, err := {{.Call}}
 	if err != nil {
 		return {{.RepoType}}{}, mapErr(err)
 	}
 	return {{.RepoType}}(r), nil
 {{end}}
 {{- define "slice"}}	rows, err := {{.Call}}
 	if err != nil {
 		return nil, mapErr(err)
 	}
 	out := make([]{{.RepoType}}, len(rows))
 	for i, row := range rows {
 		out[i] = {{.RepoType}}(row)
 	}
 	return out, nil
 {{end}}
@@ -1,6 +1,6 @@
 module github.com/tinyauthapp/tinyauth
-go 1.26.1
+go 1.26.3
 require (
 	charm.land/huh/v2 v2.0.3
@@ -12,18 +12,21 @@ require (
 	github.com/golang-migrate/migrate/v4 v4.19.1
 	github.com/google/go-querystring v1.2.0
 	github.com/google/uuid v1.6.0
 	github.com/jackc/pgx/v5 v5.9.2
 	github.com/mdp/qrterminal/v3 v3.2.1
 	github.com/pquerna/otp v1.5.0
 	github.com/rs/zerolog v1.35.1
 	github.com/steveiliop56/ding v0.2.0
 	github.com/stretchr/testify v1.11.1
 	github.com/tinyauthapp/paerser v0.0.0-20260410140347-85c3740d6298
 	github.com/weppos/publicsuffix-go v0.50.3
-	golang.org/x/crypto v0.50.0
+	golang.org/x/crypto v0.52.0
 	golang.org/x/oauth2 v0.36.0
-	k8s.io/apimachinery v0.36.0
+	golang.org/x/tools v0.44.0
-	k8s.io/client-go v0.36.0
+	k8s.io/apimachinery v0.36.1
-	modernc.org/sqlite v1.50.0
+	k8s.io/client-go v0.36.1
-	tailscale.com v1.96.5
+	modernc.org/sqlite v1.50.1
 	tailscale.com v1.98.3
 )
 require (
@@ -41,19 +44,6 @@ require (
 	github.com/akutz/memconn v0.1.0 // indirect
 	github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e // indirect
 	github.com/atotto/clipboard v0.1.4 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.41.0 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.29.5 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.58 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.27 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.16 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.16 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.16 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.24.14 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.13 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.41.5 // indirect
 	github.com/aws/smithy-go v1.24.0 // indirect
 	github.com/boombuler/barcode v1.0.2 // indirect
 	github.com/bytedance/gopkg v0.1.3 // indirect
 	github.com/bytedance/sonic v1.15.0 // indirect
@@ -78,7 +68,7 @@ require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/go-connections v0.5.0 // indirect
+	github.com/docker/go-connections v0.6.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
@@ -102,9 +92,13 @@ require (
 	github.com/hdevalence/ed25519consensus v0.2.0 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/huin/goupnp v1.3.0 // indirect
 	github.com/jackc/pgerrcode v0.0.0-20220416144525-469b46aa5efa // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jsimonetti/rtnetlink v1.4.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/compress v1.18.2 // indirect
+	github.com/klauspost/compress v1.18.5 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/lucasb-eyer/go-colorful v1.3.0 // indirect
@@ -131,7 +125,6 @@ require (
 	github.com/pires/go-proxyproto v0.8.1 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus-community/pro-bing v0.4.0 // indirect
 	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/quic-go/quic-go v0.59.0 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
@@ -139,12 +132,12 @@ require (
 	github.com/safchain/ethtool v0.3.0 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/spf13/cast v1.10.0 // indirect
-	github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e // indirect
+	github.com/tailscale/certstore v0.1.1-0.20260409135935-3638fb84b77d // indirect
 	github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 // indirect
-	github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a // indirect
+	github.com/tailscale/hujson v0.0.0-20260302212456-ecc657c15afd // indirect
 	github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc // indirect
 	github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976 // indirect
-	github.com/tailscale/wireguard-go v0.0.0-20250716170648-1d0488a3d7da // indirect
+	github.com/tailscale/wireguard-go v0.0.0-20260427181203-e3ac4a0afb4e // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.3.1 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
@@ -163,11 +156,12 @@ require (
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
 	golang.org/x/arch v0.22.0 // indirect
 	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
-	golang.org/x/net v0.52.0 // indirect
+	golang.org/x/mod v0.35.0 // indirect
 	golang.org/x/net v0.54.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
-	golang.org/x/sys v0.43.0 // indirect
+	golang.org/x/sys v0.45.0 // indirect
-	golang.org/x/term v0.42.0 // indirect
+	golang.org/x/term v0.43.0 // indirect
-	golang.org/x/text v0.36.0 // indirect
+	golang.org/x/text v0.37.0 // indirect
 	golang.org/x/time v0.14.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
@@ -179,7 +173,7 @@ require (
 	k8s.io/klog/v2 v2.140.0 // indirect
 	k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a // indirect
 	k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 // indirect
-	modernc.org/libc v1.72.0 // indirect
+	modernc.org/libc v1.72.3 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
 	rsc.io/qr v0.2.0 // indirect
@@ -143,6 +143,8 @@ github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa h1:h8TfIT1xc8FWbww
 github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa/go.mod h1:Nx87SkVqTKd8UtT+xu7sM/l+LgXs6c0aHrlKusR+2EQ=
 github.com/dgryski/go-metro v0.0.0-20180109044635-280f6062b5bc h1:8WFBn63wegobsYAX0YjD+8suexZDga5CctH4CCTx2+8=
 github.com/dgryski/go-metro v0.0.0-20180109044635-280f6062b5bc/go.mod h1:c9O8+fpSOX1DM8cPNSkX/qsBWdkD4yd2dpciOWQjpBw=
 github.com/dhui/dktest v0.4.6 h1:+DPKyScKSEp3VLtbMDHcUq6V5Lm5zfZZVb0Sk7Ahom4=
 github.com/dhui/dktest v0.4.6/go.mod h1:JHTSYDtKkvFNFHJKqCzVzqXecyv+tKt8EzceOmQOgbU=
 github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e h1:vUmf0yezR0y7jJ5pceLHthLaYf4bA5T14B6q39S4q2Q=
 github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e/go.mod h1:YTIHhz/QFSYnu/EhlF2SpU2Uk+32abacUYA5ZPljz1A=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
@@ -151,8 +153,8 @@ github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
 github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
 github.com/docker/docker v28.5.2+incompatible h1:DBX0Y0zAjZbSrm1uzOkdr1onVghKaftjlSWt4AFexzM=
 github.com/docker/docker v28.5.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
+github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
-github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
+github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
@@ -251,6 +253,16 @@ github.com/illarion/gonotify/v3 v3.0.2 h1:O7S6vcopHexutmpObkeWsnzMJt/r1hONIEogeV
 github.com/illarion/gonotify/v3 v3.0.2/go.mod h1:HWGPdPe817GfvY3w7cx6zkbzNZfi3QjcBm/wgVvEL1U=
 github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2 h1:9K06NfxkBh25x56yVhWWlKFE8YpicaSfHwoV8SFbueA=
 github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2/go.mod h1:3A9PQ1cunSDF/1rbTq99Ts4pVnycWg+vlPkfeD2NLFI=
 github.com/jackc/pgerrcode v0.0.0-20220416144525-469b46aa5efa h1:s+4MhCQ6YrzisK6hFJUX53drDT4UsSW3DEhKn0ifuHw=
 github.com/jackc/pgerrcode v0.0.0-20220416144525-469b46aa5efa/go.mod h1:a/s9Lp5W7n/DD0VrVoyJ00FbP2ytTPDVOivvn2bMlds=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
 github.com/jackc/pgx/v5 v5.9.2 h1:3ZhOzMWnR4yJ+RW1XImIPsD1aNSz4T4fyP7zlQb56hw=
 github.com/jackc/pgx/v5 v5.9.2/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
 github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
 github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
@@ -273,8 +285,8 @@ github.com/jsimonetti/rtnetlink v1.4.0 h1:Z1BF0fRgcETPEa0Kt0MRk3yV5+kF1FWTni6KUF
 github.com/jsimonetti/rtnetlink v1.4.0/go.mod h1:5W1jDvWdnthFJ7fxYX1GMK07BUpI4oskfOqvPteYS6E=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/klauspost/compress v1.18.2 h1:iiPHWW0YrcFgpBYhsA6D1+fqHssJscY/Tm/y2Uqnapk=
+github.com/klauspost/compress v1.18.5 h1:/h1gH5Ce+VWNLSWqPzOVn6XBO+vJbCNGvjoaGBFW2IE=
-github.com/klauspost/compress v1.18.2/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
+github.com/klauspost/compress v1.18.5/go.mod h1:cwPg85FWrGar70rWktvGQj8/hthj3wpl0PGDogxkrSQ=
 github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
 github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a h1:+RR6SqnTkDLWyICxS1xpjCi/3dhyV+TgZwA6Ww3KncQ=
@@ -364,8 +376,6 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pquerna/otp v1.5.0 h1:NMMR+WrmaqXU4EzdGJEE1aUUI0AMRzsp96fFFWNPwxs=
 github.com/pquerna/otp v1.5.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
 github.com/prometheus-community/pro-bing v0.4.0 h1:YMbv+i08gQz97OZZBwLyvmmQEEzyfyrrjEaAchdy3R4=
 github.com/prometheus-community/pro-bing v0.4.0/go.mod h1:b7wRYZtCcPmt4Sz319BykUU241rWLe1VFXyiyWK/dH4=
 github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
 github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
 github.com/prometheus/common v0.65.0 h1:QDwzd+G1twt//Kwj/Ww6E9FQq1iVMmODnILtW1t2VzE=
@@ -386,32 +396,37 @@ github.com/safchain/ethtool v0.3.0 h1:gimQJpsI6sc1yIqP/y8GYgiXn/NjgvpM0RNoWLVVmP
 github.com/safchain/ethtool v0.3.0/go.mod h1:SA9BwrgyAqNo7M+uaL6IYbxpm5wk3L7Mm6ocLW+CJUs=
 github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
 github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
-github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w=
-github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/sirupsen/logrus v1.9.4/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g=
 github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY=
 github.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo=
-github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
-github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/steveiliop56/ding v0.2.0 h1:m/Fj99wBpVVLHlpqb2RDJkWubOc5cWJ11ZYCHya3Sk0=
 github.com/steveiliop56/ding v0.2.0/go.mod h1:bE2u2XH7CjhPzbb/0Ems+D8YZlf2Ae+eKhj00UR1iAY=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e h1:PtWT87weP5LWHEY//SWsYkSO3RWRZo4OSWagh3YD2vQ=
+github.com/tailscale/certstore v0.1.1-0.20260409135935-3638fb84b77d h1:JcGKBZAL7ePLwOhUdN8qGQZlP5GueEiIZwY7R62pejE=
-github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e/go.mod h1:XrBNfAFN+pwoWuksbFS9Ccxnopa15zJGgXRFN90l3K4=
+github.com/tailscale/certstore v0.1.1-0.20260409135935-3638fb84b77d/go.mod h1:XrBNfAFN+pwoWuksbFS9Ccxnopa15zJGgXRFN90l3K4=
 github.com/tailscale/gliderssh v0.3.4-0.20260330083525-c1389c70ff89 h1:glgVc1ZYMjwN1Q/ITWeuSQyl029uayagaR2sjsifehc=
 github.com/tailscale/gliderssh v0.3.4-0.20260330083525-c1389c70ff89/go.mod h1:wn16Km1EZOX4UEAyaZa3dBwfFGOJ7neck40NcwosJUw=
 github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 h1:Gzfnfk2TWrk8Jj4P4c1a3CtQyMaTVCznlkLZI++hok4=
 github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55/go.mod h1:4k4QO+dQ3R5FofL+SanAUZe+/QfeK0+OIuwDIRu2vSg=
 github.com/tailscale/golang-x-crypto v0.0.0-20250404221719-a5573b049869 h1:SRL6irQkKGQKKLzvQP/ke/2ZuB7Py5+XuqtOgSj+iMM=
 github.com/tailscale/golang-x-crypto v0.0.0-20250404221719-a5573b049869/go.mod h1:ikbF+YT089eInTp9f2vmvy4+ZVnW5hzX1q2WknxSprQ=
-github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a h1:SJy1Pu0eH1C29XwJucQo73FrleVK6t4kYz4NVhp34Yw=
+github.com/tailscale/hujson v0.0.0-20260302212456-ecc657c15afd h1:Rf9uhF1+VJ7ZHqxrG8pJ6YacmHvVCmByDmGbAWCc/gA=
-github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a/go.mod h1:DFSS3NAGHthKo1gTlmEcSBiZrRJXi28rLNd/1udP1c8=
+github.com/tailscale/hujson v0.0.0-20260302212456-ecc657c15afd/go.mod h1:EbW0wDK/qEUYI0A5bqq0C2kF8JTQwWONmGDBbzsxxHo=
 github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7 h1:uFsXVBE9Qr4ZoF094vE6iYTLDl0qCiKzYXlL6UeWObU=
 github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7/go.mod h1:NzVQi3Mleb+qzq8VmcWpSkcSYxXIg0DkI6XDzpVkhJ0=
 github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc h1:24heQPtnFR+yfntqhI3oAu9i27nEojcQ4NuBQOo5ZFA=
@@ -420,8 +435,8 @@ github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976 h1:U
 github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
 github.com/tailscale/wf v0.0.0-20240214030419-6fbb0a674ee6 h1:l10Gi6w9jxvinoiq15g8OToDdASBni4CyJOdHY1Hr8M=
 github.com/tailscale/wf v0.0.0-20240214030419-6fbb0a674ee6/go.mod h1:ZXRML051h7o4OcI0d3AaILDIad/Xw0IkXaHM17dic1Y=
-github.com/tailscale/wireguard-go v0.0.0-20250716170648-1d0488a3d7da h1:jVRUZPRs9sqyKlYHHzHjAqKN+6e/Vog6NpHYeNPJqOw=
+github.com/tailscale/wireguard-go v0.0.0-20260427181203-e3ac4a0afb4e h1:GexFR7ak1iz26fxg8HWCpOEqAOL8UEZJ7J3JxeCalDs=
-github.com/tailscale/wireguard-go v0.0.0-20250716170648-1d0488a3d7da/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
+github.com/tailscale/wireguard-go v0.0.0-20260427181203-e3ac4a0afb4e/go.mod h1:6SerzcvHWQchKO2BfNdmquA77CHSECZuFl+D9fp4RnI=
 github.com/tailscale/xnet v0.0.0-20240729143630-8497ac4dab2e h1:zOGKqN5D5hHhiYUp091JqK7DPCqSARyUfduhGUY8Bek=
 github.com/tailscale/xnet v0.0.0-20240729143630-8497ac4dab2e/go.mod h1:orPd6JZXXRyuDusYilywte7k094d7dycXXU5YnWsrwg=
 github.com/tc-hib/winres v0.2.1 h1:YDE0FiP0VmtRaDn7+aaChp1KiF4owBiJa5l964l5ujA=
@@ -478,18 +493,18 @@ go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBs
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/arch v0.22.0 h1:c/Zle32i5ttqRXjdLyyHZESLD/bB90DCU1g9l/0YBDI=
 golang.org/x/arch v0.22.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
-golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
+golang.org/x/crypto v0.52.0 h1:RMs7fP2rXdep0CftQlK8Uf+kibLm7qkCcradZWYz988=
-golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
+golang.org/x/crypto v0.52.0/go.mod h1:1QgfPxDqh0T2M/elOJtp9RvuR95kVjir0e6/BvEmGbc=
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
 golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
 golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f h1:phY1HzDcf18Aq9A8KkmRtY9WvOFIxN8wgfvy6Zm1DV8=
 golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/image v0.27.0 h1:C8gA4oWU/tKkdCfYT6T2u4faJu3MeNS5O8UPWlPF61w=
 golang.org/x/image v0.27.0/go.mod h1:xbdrClrAUway1MUTEZDq9mz/UpRwYAkFFNUslZtcB+g=
-golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI=
+golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
-golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY=
+golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
-golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
+golang.org/x/net v0.54.0 h1:2zJIZAxAHV/OHCDTCOHAYehQzLfSXuf/5SoL/Dv6w/w=
-golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
+golang.org/x/net v0.54.0/go.mod h1:Sj4oj8jK6XmHpBZU/zWHw3BV3abl4Kvi+Ut7cQcY+cQ=
 golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
 golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -497,16 +512,16 @@ golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
 golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.0.0-20220817070843-5a390386f1f2/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
-golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
-golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
+golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
-golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
+golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
-golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
+golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
-golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
+golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
 golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
 golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
-golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s=
+golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
-golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0=
+golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
 golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
@@ -534,26 +549,26 @@ gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
 gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
 gvisor.dev/gvisor v0.0.0-20260224225140-573d5e7127a8 h1:Zy8IV/+FMLxy6j6p87vk/vQGKcdnbprwjTxc8UiUtsA=
 gvisor.dev/gvisor v0.0.0-20260224225140-573d5e7127a8/go.mod h1:QkHjoMIBaYtpVufgwv3keYAbln78mBoCuShZrPrer1Q=
-honnef.co/go/tools v0.7.0-0.dev.0.20251022135355-8273271481d0 h1:5SXjd4ET5dYijLaf0O3aOenC0Z4ZafIWSpjUzsQaNho=
+honnef.co/go/tools v0.7.0 h1:w6WUp1VbkqPEgLz4rkBzH/CSU6HkoqNLp6GstyTx3lU=
-honnef.co/go/tools v0.7.0-0.dev.0.20251022135355-8273271481d0/go.mod h1:EPDDhEZqVHhWuPI5zPAsjU0U7v9xNIWjoOVyZ5ZcniQ=
+honnef.co/go/tools v0.7.0/go.mod h1:pm29oPxeP3P82ISxZDgIYeOaf9ta6Pi0EWvCFoLG2vc=
 howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM=
 howett.net/plist v1.0.0/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
-k8s.io/api v0.36.0 h1:SgqDhZzHdOtMk40xVSvCXkP9ME0H05hPM3p9AB1kL80=
+k8s.io/api v0.36.1 h1:XbL/EMj8K2aJpJtePmqUyQMsM0D4QI2pvl7YKJ20FTY=
-k8s.io/api v0.36.0/go.mod h1:m1LVrGPNYax5NBHdO+QuAedXyuzTt4RryI/qnmNvs34=
+k8s.io/api v0.36.1/go.mod h1:KOWo4ey3TINlXjeHVuwB3i+tXXnu+UcwFBHlI/9dvEo=
-k8s.io/apimachinery v0.36.0 h1:jZyPzhd5Z+3h9vJLt0z9XdzW9VzNzWAUw+P1xZ9PXtQ=
+k8s.io/apimachinery v0.36.1 h1:G63Gjx2W+q0YD+72Vo8oY0nDnePVwnuzTmmy5ENrVSA=
-k8s.io/apimachinery v0.36.0/go.mod h1:FklypaRJt6n5wUIwWXIP6GJlIpUizTgfo1T/As+Tyxc=
+k8s.io/apimachinery v0.36.1/go.mod h1:ibYOR00vW/I1kzvi5SF0dRuJ52BvKtfvRdOn35GPQ+8=
-k8s.io/client-go v0.36.0 h1:pOYi7C4RHChYjMiHpZSpSbIM6ZxVbRXBy7CuiIwqA3c=
+k8s.io/client-go v0.36.1 h1:FN/K8QIT2CEDt+2WB2HnWrUANZ50AP5GII43/SP2JR0=
-k8s.io/client-go v0.36.0/go.mod h1:ZKKcpwF0aLYfkHFCjillCKaTK/yBkEDHTDXCFY6AS9Y=
+k8s.io/client-go v0.36.1/go.mod h1:s6rAnCtTGYDQnpNjEhSaISV+2O8jwruZ6m3QOYBFbtU=
 k8s.io/klog/v2 v2.140.0 h1:Tf+J3AH7xnUzZyVVXhTgGhEKnFqye14aadWv7bzXdzc=
 k8s.io/klog/v2 v2.140.0/go.mod h1:o+/RWfJ6PwpnFn7OyAG3QnO47BFsymfEfrz6XyYSSp0=
 k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a h1:xCeOEAOoGYl2jnJoHkC3hkbPJgdATINPMAxaynU2Ovg=
 k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a/go.mod h1:uGBT7iTA6c6MvqUvSXIaYZo9ukscABYi2btjhvgKGZ0=
 k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 h1:AZYQSJemyQB5eRxqcPky+/7EdBj0xi3g0ZcxxJ7vbWU=
 k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk=
-modernc.org/cc/v4 v4.27.3 h1:uNCgn37E5U09mTv1XgskEVUJ8ADKpmFMPxzGJ0TSo+U=
+modernc.org/cc/v4 v4.28.2 h1:3tQ0lf2ADtoby2EtSP+J7IE2SHwEJdP8ioR59wx7XpY=
-modernc.org/cc/v4 v4.27.3/go.mod h1:3YjcbCqhoTTHPycJDRl2WZKKFj0nwcOIPBfEZK0Hdk8=
+modernc.org/cc/v4 v4.28.2/go.mod h1:OnovgIhbbMXMu1aISnJ0wvVD1KnW+cAUJkIrAWh+kVI=
-modernc.org/ccgo/v4 v4.32.4 h1:L5OB8rpEX4ZsXEQwGozRfJyJSFHbbNVOoQ59DU9/KuU=
+modernc.org/ccgo/v4 v4.34.0 h1:yRLPFZieg532OT4rp4JFNIVcquwalMX26G95WQDqwCQ=
-modernc.org/ccgo/v4 v4.32.4/go.mod h1:lY7f+fiTDHfcv6YlRgSkxYfhs+UvOEEzj49jAn2TOx0=
+modernc.org/ccgo/v4 v4.34.0/go.mod h1:AS5WYMyBakQ+fhsHhtP8mWB82KTGPkNNJDGfGQCe0/A=
 modernc.org/fileutil v1.4.0 h1:j6ZzNTftVS054gi281TyLjHPp6CPHr2KCxEXjEbD6SM=
 modernc.org/fileutil v1.4.0/go.mod h1:EqdKFDxiByqxLk8ozOxObDSfcVOv/54xDs/DUHdvCUU=
 modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
@@ -562,18 +577,18 @@ modernc.org/gc/v3 v3.1.2 h1:ZtDCnhonXSZexk/AYsegNRV1lJGgaNZJuKjJSWKyEqo=
 modernc.org/gc/v3 v3.1.2/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
 modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
 modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
-modernc.org/libc v1.72.0 h1:IEu559v9a0XWjw0DPoVKtXpO2qt5NVLAnFaBbjq+n8c=
+modernc.org/libc v1.72.3 h1:ZnDF4tXn4NBXFutMMQC4vtbTFSXhhKzR73fv0beZEAU=
-modernc.org/libc v1.72.0/go.mod h1:tTU8DL8A+XLVkEY3x5E/tO7s2Q/q42EtnNWda/L5QhQ=
+modernc.org/libc v1.72.3/go.mod h1:dn0dZNnnn1clLyvRxLxYExxiKRZIRENOfqQ8XEeg4Qs=
 modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
 modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
 modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
 modernc.org/memory v1.11.0/go.mod h1:/JP4VbVC+K5sU2wZi9bHoq2MAkCnrt2r98UGeSK7Mjw=
-modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
+modernc.org/opt v0.2.0 h1:tGyef5ApycA7FSEOMraay9SaTk5zmbx7Tu+cJs4QKZg=
-modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
+modernc.org/opt v0.2.0/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
 modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
 modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
-modernc.org/sqlite v1.50.0 h1:eMowQSWLK0MeiQTdmz3lqoF5dqclujdlIKeJA11+7oM=
+modernc.org/sqlite v1.50.1 h1:l+cQvn0sd0zJJtfygGHuQJ5AjlrwXmWPw4KP3ZMwr9w=
-modernc.org/sqlite v1.50.0/go.mod h1:m0w8xhwYUVY3H6pSDwc3gkJ/irZT/0YEXwBlhaxQEew=
+modernc.org/sqlite v1.50.1/go.mod h1:tcNzv5p84E0skkmJn038y+hWJbLQXQqEnQfeh5r2JLM=
 modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
 modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
@@ -590,5 +605,5 @@ sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
 sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=
 software.sslmate.com/src/go-pkcs12 v0.4.0 h1:H2g08FrTvSFKUj+D309j1DPfk5APnIdAQAB8aEykJ5k=
 software.sslmate.com/src/go-pkcs12 v0.4.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
-tailscale.com v1.96.5 h1:gNkfA/KSZAl6jCH9cj8urq00HRWItDDTtGsyATI89jA=
+tailscale.com v1.98.3 h1:caAbG4UfkKfKPE6b1fj5t4ep5qrwEis5AJu91ruvePw=
-tailscale.com v1.96.5/go.mod h1:/3lnZBYb2UEwnN0MNu2SDXUtT06AGd5k0s+OWx3WmcY=
+tailscale.com v1.98.3/go.mod h1:U23ZwbZlKJMNU7CScy+lCVVlece/S5n09q0nyudncBI=
@@ -11,5 +11,5 @@ var FrontendAssets embed.FS
 // Migrations
 //
-//go:embed migrations/*.sql
+//go:embed migrations/sqlite/*.sql migrations/postgres/*.sql
 var Migrations embed.FS
@@ -0,0 +1,4 @@
 DROP TABLE IF EXISTS "oidc_tokens";
 DROP TABLE IF EXISTS "oidc_userinfo";
 DROP TABLE IF EXISTS "oidc_codes";
 DROP TABLE IF EXISTS "sessions";
@@ -0,0 +1,60 @@
 CREATE TABLE "sessions" (
    "uuid"         TEXT    NOT NULL PRIMARY KEY,
    "username"     TEXT    NOT NULL,
    "email"        TEXT    NOT NULL,
    "name"         TEXT    NOT NULL,
    "provider"     TEXT    NOT NULL,
    "totp_pending" BOOLEAN NOT NULL,
    "oauth_groups" TEXT    NOT NULL DEFAULT '',
    "expiry"       BIGINT  NOT NULL,
    "created_at"   BIGINT  NOT NULL,
    "oauth_name"   TEXT    NOT NULL DEFAULT '',
    "oauth_sub"    TEXT    NOT NULL DEFAULT ''
 );
 CREATE TABLE "oidc_codes" (
    "sub"            TEXT   NOT NULL UNIQUE,
    "code_hash"      TEXT   NOT NULL PRIMARY KEY,
    "scope"          TEXT   NOT NULL,
    "redirect_uri"   TEXT   NOT NULL,
    "client_id"      TEXT   NOT NULL,
    "expires_at"     BIGINT NOT NULL,
    "nonce"          TEXT   NOT NULL DEFAULT '',
    "code_challenge" TEXT   NOT NULL DEFAULT ''
 );
 CREATE TABLE "oidc_tokens" (
    "sub"                      TEXT   NOT NULL UNIQUE,
    "access_token_hash"        TEXT   NOT NULL PRIMARY KEY,
    "refresh_token_hash"       TEXT   NOT NULL,
    "code_hash"                TEXT   NOT NULL,
    "scope"                    TEXT   NOT NULL,
    "client_id"                TEXT   NOT NULL,
    "token_expires_at"         BIGINT NOT NULL,
    "refresh_token_expires_at" BIGINT NOT NULL,
    "nonce"                    TEXT   NOT NULL DEFAULT ''
 );
 CREATE TABLE "oidc_userinfo" (
    "sub"                TEXT   NOT NULL PRIMARY KEY,
    "name"               TEXT   NOT NULL,
    "preferred_username" TEXT   NOT NULL,
    "email"              TEXT   NOT NULL,
    "groups"             TEXT   NOT NULL,
    "updated_at"         BIGINT NOT NULL,
    "given_name"         TEXT   NOT NULL,
    "family_name"        TEXT   NOT NULL,
    "middle_name"        TEXT   NOT NULL,
    "nickname"           TEXT   NOT NULL,
    "profile"            TEXT   NOT NULL,
    "picture"            TEXT   NOT NULL,
    "website"            TEXT   NOT NULL,
    "gender"             TEXT   NOT NULL,
    "birthdate"          TEXT   NOT NULL,
    "zoneinfo"           TEXT   NOT NULL,
    "locale"             TEXT   NOT NULL,
    "phone_number"       TEXT   NOT NULL,
    "address"            TEXT   NOT NULL
 );
 CREATE INDEX idx_sessions_expiry ON "sessions" ("expiry");
@@ -7,18 +7,18 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net"
 	"net/http"
 	"net/url"
 	"os"
 	"os/signal"
 	"sort"
 	"strings"
 	"sync"
 	"syscall"
 	"time"
 	"github.com/gin-gonic/gin"
 	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/service"
@@ -26,6 +26,12 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 // Shutdown order for go routines
 // 1. Janitor routines (e.g. database cleanup, heartbeat) - ding.RingMinor
 // 2. HTTP server listeners - ding.RingNormal
 // 3. Networking layers, user and label providers (e.g. ailscale service, kubernetes service) - ding.RingMajor
 // 4. Database connection - ding.RingCritical
 type Services struct {
 	accessControlService *service.AccessControlsService
 	authService          *service.AuthService
@@ -35,19 +41,21 @@ type Services struct {
 	oauthBrokerService   *service.OAuthBrokerService
 	oidcService          *service.OIDCService
 	tailscaleService     *service.TailscaleService
 	policyEngine         *service.PolicyEngine
 }
 type BootstrapApp struct {
-	config   model.Config
+	config    model.Config
-	runtime  model.RuntimeConfig
+	runtime   model.RuntimeConfig
-	services Services
+	services  Services
-	log      *logger.Logger
+	log       *logger.Logger
-	ctx      context.Context
+	ctx       context.Context
-	cancel   context.CancelFunc
+	cancel    context.CancelFunc
-	queries  *repository.Queries
+	queries   repository.Store
-	router   *gin.Engine
+	router    *gin.Engine
-	db       *sql.DB
+	db        *sql.DB
-	wg       sync.WaitGroup
+	ding      *ding.Ding
 	listeners []Listener
 }
 func NewBootstrapApp(config model.Config) *BootstrapApp {
@@ -62,6 +70,10 @@ func (app *BootstrapApp) Setup() error {
 	app.ctx = ctx
 	app.cancel = cancel
 	// Create a ding instance
 	dg := ding.New(ctx)
 	app.ding = dg
 	// setup logger
 	log := logger.NewLogger().WithConfig(app.config.Log)
 	log.Init()
@@ -95,7 +107,12 @@ func (app *BootstrapApp) Setup() error {
 		return fmt.Errorf("failed to load users: %w", err)
 	}
-	app.runtime.LocalUsers = *users
+	if users != nil {
 		app.runtime.LocalUsers = *users
 	} else {
 		log.App.Debug().Msg("No local users found, local authentication will not be available")
 		app.runtime.LocalUsers = []model.LocalUser{}
 	}
 	// load oauth whitelist
 	oauthWhitelist, err := utils.GetStringList(app.config.OAuth.Whitelist, app.config.OAuth.WhitelistFile)
@@ -110,6 +127,13 @@ func (app *BootstrapApp) Setup() error {
 	app.runtime.OAuthProviders = app.config.OAuth.Providers
 	for id, provider := range app.runtime.OAuthProviders {
 		providerWhitelist, err := utils.GetStringList(provider.Whitelist, provider.WhitelistFile)
 		if err != nil {
 			return fmt.Errorf("failed to load oauth whitelist for provider %s: %w", id, err)
 		}
 		provider.Whitelist = providerWhitelist
 		secret := utils.GetSecret(provider.ClientSecret, provider.ClientSecretFile)
 		provider.ClientSecret = secret
 		provider.ClientSecretFile = ""
@@ -166,23 +190,26 @@ func (app *BootstrapApp) Setup() error {
 	app.runtime.OAuthSessionCookieName = fmt.Sprintf("%s-%s", model.OAuthSessionCookieName, cookieId)
 	// database
-	err = app.SetupDatabase()
+	store, err := app.SetupStore()
 	if err != nil {
 		return fmt.Errorf("failed to setup database: %w", err)
 	}
-	// after this point, we start initializing dependencies so it's a good time to setup a defer
+	app.ding.Go(func(ctx context.Context) {
-	// to ensure that resources are cleaned up properly in case of an error during initialization
+		<-ctx.Done()
-	defer func() {
+		app.log.App.Debug().Msg("Shutting down database connection")
-		app.cancel()
+		if app.db == nil {
-		app.wg.Wait()
+			// using memory store, no db instance
-		app.db.Close()
+			return
-	}()
+		}
 		if err := app.db.Close(); err != nil {
 			app.log.App.Error().Err(err).Msg("Failed to close database connection")
 		}
 	}, ding.RingCritical)
-	// queries
+	// store
-	queries := repository.New(app.db)
+	app.queries = store
 	app.queries = queries
 	// services
 	err = app.setupServices()
@@ -246,190 +273,44 @@ func (app *BootstrapApp) Setup() error {
 	// start db cleanup routine
 	app.log.App.Debug().Msg("Starting database cleanup routine")
-	app.wg.Go(app.dbCleanupRoutine)
+	app.ding.Go(app.dbCleanupRoutine, ding.RingMinor)
 	// if analytics are not disabled, start heartbeat
 	if app.config.Analytics.Enabled {
 		app.log.App.Debug().Msg("Starting heartbeat routine")
-		app.wg.Go(app.heartbeatRoutine)
+		app.ding.Go(app.heartbeatRoutine, ding.RingMinor)
 	}
-	// create err channel to listen for server errors
+	// setup listeners
-	errChanLen := 0
+	app.listeners = app.calculateListenerPolicy()
 	runUnix := app.config.Server.SocketPath != ""
 	runHTTP := app.config.Server.SocketPath == "" || app.config.Server.ConcurrentListenersEnabled
 	runTailscale := app.services.tailscaleService != nil
 	if runUnix {
 		errChanLen++
 	}
 	if runHTTP {
 		errChanLen++
 	}
 	if runTailscale {
 		errChanLen++
 	}
 	errChan := make(chan error, errChanLen)
 	if app.config.Server.ConcurrentListenersEnabled {
 		app.log.App.Info().Msg("Concurrent listeners enabled, will run on all available listeners")
 	}
-	// serve unix
+	// run listeners
-	if runUnix {
+	lec, err := app.runListeners()
 		app.wg.Go(func() {
 			if err := app.serveUnix(); err != nil {
 				errChan <- err
 			}
 		})
 	}
-	// serve to http
+	if err != nil {
-	if runHTTP {
+		return fmt.Errorf("failed to run listeners: %w", err)
 		app.wg.Go(func() {
 			if err := app.serveHTTP(); err != nil {
 				errChan <- err
 			}
 		})
 	}
 	// serve to tailscale
 	if runTailscale {
 		app.wg.Go(func() {
 			if err := app.serveTailscale(); err != nil {
 				errChan <- err
 			}
 		})
 	}
 	// monitor cancellation and server errors
 	for {
 		select {
 		case <-app.ctx.Done():
 			app.ding.Wait()
 			app.log.App.Info().Msg("Oh, it's time for me to go, bye!")
 			return nil
-		case err := <-errChan:
+		case err := <-lec:
 			if err != nil {
-				return fmt.Errorf("server error: %w", err)
+				return fmt.Errorf("listener error: %w", err)
 			}
 		}
 	}
 }
-func (app *BootstrapApp) serveHTTP() error {
+func (app *BootstrapApp) heartbeatRoutine(ctx context.Context) {
 	address := fmt.Sprintf("%s:%d", app.config.Server.Address, app.config.Server.Port)
 	app.log.App.Info().Msgf("Starting server on %s", address)
 	server := &http.Server{
 		Addr:    address,
 		Handler: app.router.Handler(),
 	}
 	go func() {
 		<-app.ctx.Done()
 		app.log.App.Debug().Msg("Shutting down http listener")
 		server.Shutdown(app.ctx)
 	}()
 	err := server.ListenAndServe()
 	if err != nil && !errors.Is(err, http.ErrServerClosed) {
 		return fmt.Errorf("failed to start http listener: %w", err)
 	}
 	return nil
 }
 func (app *BootstrapApp) serveUnix() error {
 	if app.config.Server.SocketPath == "" {
 		return nil
 	}
 	_, err := os.Stat(app.config.Server.SocketPath)
 	if err == nil {
 		app.log.App.Info().Msgf("Removing existing socket file %s", app.config.Server.SocketPath)
 		err := os.Remove(app.config.Server.SocketPath)
 		if err != nil {
 			return fmt.Errorf("failed to remove existing socket file: %w", err)
 		}
 	}
 	app.log.App.Info().Msgf("Starting server on unix socket %s", app.config.Server.SocketPath)
 	listener, err := net.Listen("unix", app.config.Server.SocketPath)
 	if err != nil {
 		return fmt.Errorf("failed to create unix socket listener: %w", err)
 	}
 	server := &http.Server{
 		Handler: app.router.Handler(),
 	}
 	shutdown := func() {
 		server.Shutdown(app.ctx)
 		listener.Close()
 		os.Remove(app.config.Server.SocketPath)
 	}
 	go func() {
 		<-app.ctx.Done()
 		app.log.App.Debug().Msg("Shutting down unix socket listener")
 		shutdown()
 	}()
 	err = server.Serve(listener)
 	if err != nil && !errors.Is(err, http.ErrServerClosed) {
 		shutdown()
 		return fmt.Errorf("failed to start unix socket listener: %w", err)
 	}
 	return nil
 }
 func (app *BootstrapApp) serveTailscale() error {
 	app.log.App.Info().Msgf("Starting Tailscale server on %s", app.services.tailscaleService.GetHostname())
 	listener, err := app.services.tailscaleService.CreateListener()
 	if err != nil {
 		return fmt.Errorf("failed to create tailscale listener: %w", err)
 	}
 	server := &http.Server{
 		Handler: app.router.Handler(),
 	}
 	shutdown := func() {
 		server.Shutdown(app.ctx)
 		listener.Close()
 	}
 	go func() {
 		<-app.ctx.Done()
 		app.log.App.Debug().Msg("Shutting down Tailscale listener")
 		shutdown()
 	}()
 	err = server.Serve(listener)
 	if err != nil && !errors.Is(err, http.ErrServerClosed) {
 		shutdown()
 		return fmt.Errorf("failed to start tailscale listener: %w", err)
 	}
 	return nil
 }
 func (app *BootstrapApp) heartbeatRoutine() {
 	ticker := time.NewTicker(time.Duration(12) * time.Hour)
 	defer ticker.Stop()
@@ -482,7 +363,7 @@ func (app *BootstrapApp) heartbeatRoutine() {
 			if res.StatusCode != 200 && res.StatusCode != 201 {
 				app.log.App.Debug().Str("status", res.Status).Msg("Heartbeat returned non-200/201 status")
 			}
-		case <-app.ctx.Done():
+		case <-ctx.Done():
 			app.log.App.Debug().Msg("Stopping heartbeat routine")
 			ticker.Stop()
 			return
@@ -490,7 +371,7 @@ func (app *BootstrapApp) heartbeatRoutine() {
 	}
 }
-func (app *BootstrapApp) dbCleanupRoutine() {
+func (app *BootstrapApp) dbCleanupRoutine(ctx context.Context) {
 	ticker := time.NewTicker(time.Duration(30) * time.Minute)
 	defer ticker.Stop()
@@ -499,14 +380,14 @@ func (app *BootstrapApp) dbCleanupRoutine() {
 		case <-ticker.C:
 			app.log.App.Debug().Msg("Running database cleanup")
-			err := app.queries.DeleteExpiredSessions(app.ctx, time.Now().Unix())
+			err := app.queries.DeleteExpiredSessions(ctx, time.Now().Unix())
 			if err != nil {
 				app.log.App.Error().Err(err).Msg("Failed to delete expired sessions")
 			}
 			app.log.App.Debug().Msg("Database cleanup completed")
-		case <-app.ctx.Done():
+		case <-ctx.Done():
 			app.log.App.Debug().Msg("Stopping database cleanup routine")
 			ticker.Stop()
 			return
@@ -6,30 +6,49 @@ import (
 	"os"
 	"path/filepath"
 	"github.com/tinyauthapp/tinyauth/internal/assets"
 	"github.com/golang-migrate/migrate/v4"
 	pgxmigrate "github.com/golang-migrate/migrate/v4/database/pgx/v5"
 	"github.com/golang-migrate/migrate/v4/database/sqlite3"
 	"github.com/golang-migrate/migrate/v4/source/iofs"
 	_ "github.com/jackc/pgx/v5/stdlib"
 	_ "modernc.org/sqlite"
 	"github.com/tinyauthapp/tinyauth/internal/assets"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
 	"github.com/tinyauthapp/tinyauth/internal/repository/postgres"
 	"github.com/tinyauthapp/tinyauth/internal/repository/sqlite"
 )
-func (app *BootstrapApp) SetupDatabase() error {
+func (app *BootstrapApp) SetupStore() (repository.Store, error) {
-	dir := filepath.Dir(app.config.Database.Path)
+	switch app.config.Database.Driver {
 	case "memory":
 		return memory.New(), nil
 	case "sqlite", "":
 		return app.setupSQLite(app.config.Database.Path)
 	case "postgres":
 		return app.setupPostgres(app.config.Database.Path)
 	default:
 		return nil, fmt.Errorf("unknown database driver %q: valid values are sqlite, postgres, memory", app.config.Database.Driver)
 	}
 }
 func (app *BootstrapApp) setupSQLite(databasePath string) (repository.Store, error) {
 	dir := filepath.Dir(databasePath)
 	if err := os.MkdirAll(dir, 0750); err != nil {
-		return fmt.Errorf("failed to create database directory %s: %w", dir, err)
+		return nil, fmt.Errorf("failed to create database directory %s: %w", dir, err)
 	}
-	db, err := sql.Open("sqlite", app.config.Database.Path)
+	db, err := sql.Open("sqlite", databasePath)
 	if err != nil {
-		return fmt.Errorf("failed to open database: %w", err)
+		return nil, fmt.Errorf("failed to open database: %w", err)
 	}
-	// Close the database if there is an error during migration
+	cleanup := true
 	defer func() {
-		if err != nil {
+		if cleanup {
 			db.Close()
 		}
 	}()
@@ -38,32 +57,72 @@ func (app *BootstrapApp) SetupDatabase() error {
 	// if the sqlite connection starts being a bottleneck
 	db.SetMaxOpenConns(1)
-	migrations, err := iofs.New(assets.Migrations, "migrations")
+	migrations, err := iofs.New(assets.Migrations, "migrations/sqlite")
 	if err != nil {
-		return fmt.Errorf("failed to create migrations: %w", err)
+		return nil, fmt.Errorf("failed to create migrations: %w", err)
 	}
 	target, err := sqlite3.WithInstance(db, &sqlite3.Config{})
 	if err != nil {
-		return fmt.Errorf("failed to create sqlite3 instance: %w", err)
+		return nil, fmt.Errorf("failed to create sqlite3 instance: %w", err)
 	}
 	migrator, err := migrate.NewWithInstance("iofs", migrations, "sqlite3", target)
 	if err != nil {
-		return fmt.Errorf("failed to create migrator: %w", err)
+		return nil, fmt.Errorf("failed to create migrator: %w", err)
 	}
-	if err := migrator.Up(); err != nil && err != migrate.ErrNoChange {
+	if err = migrator.Up(); err != nil && err != migrate.ErrNoChange {
-		return fmt.Errorf("failed to migrate database: %w", err)
+		return nil, fmt.Errorf("failed to migrate database: %w", err)
 	}
 	cleanup = false
 	app.db = db
-	return nil
+
 	return sqlite.NewStore(sqlite.New(db)), nil
 }
-func (app *BootstrapApp) GetDB() *sql.DB {
+func (app *BootstrapApp) setupPostgres(databaseURL string) (repository.Store, error) {
-	return app.db
+	db, err := sql.Open("pgx", databaseURL)
 	if err != nil {
 		return nil, fmt.Errorf("failed to open database: %w", err)
 	}
 	cleanup := true
 	defer func() {
 		if cleanup {
 			db.Close()
 		}
 	}()
 	migrations, err := iofs.New(assets.Migrations, "migrations/postgres")
 	if err != nil {
 		return nil, fmt.Errorf("failed to create migrations: %w", err)
 	}
 	target, err := pgxmigrate.WithInstance(db, &pgxmigrate.Config{})
 	if err != nil {
 		return nil, fmt.Errorf("failed to create postgres instance: %w", err)
 	}
 	migrator, err := migrate.NewWithInstance("iofs", migrations, "pgx", target)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create migrator: %w", err)
 	}
 	if err = migrator.Up(); err != nil && err != migrate.ErrNoChange {
 		return nil, fmt.Errorf("failed to migrate database: %w", err)
 	}
 	cleanup = false
 	app.db = db
 	return postgres.NewStore(postgres.New(db)), nil
 }
@@ -1,14 +1,30 @@
 package bootstrap
 import (
 	"context"
 	"errors"
 	"fmt"
 	"net"
 	"net/http"
 	"os"
 	"time"
 	"github.com/steveiliop56/ding"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/middleware"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/gin-gonic/gin"
 )
 type Listener int
 const (
 	ListenerHTTP Listener = iota
 	ListenerUnix
 	ListenerTailscale
 )
 func (app *BootstrapApp) setupRouter() error {
 	// we don't want gin debug mode
 	gin.SetMode(gin.ReleaseMode)
@@ -44,7 +60,7 @@ func (app *BootstrapApp) setupRouter() error {
 	controller.NewContextController(app.log, app.config, app.runtime, apiRouter)
 	controller.NewOAuthController(app.log, app.config, app.runtime, apiRouter, app.services.authService)
 	controller.NewOIDCController(app.log, app.services.oidcService, app.runtime, apiRouter)
-	controller.NewProxyController(app.log, app.runtime, apiRouter, app.services.accessControlService, app.services.authService)
+	controller.NewProxyController(app.log, app.runtime, apiRouter, app.services.accessControlService, app.services.authService, app.services.policyEngine)
 	controller.NewUserController(app.log, app.runtime, apiRouter, app.services.authService)
 	controller.NewResourcesController(app.config, &engine.RouterGroup)
 	controller.NewHealthController(apiRouter)
@@ -53,3 +69,162 @@ func (app *BootstrapApp) setupRouter() error {
 	app.router = engine
 	return nil
 }
 func (app *BootstrapApp) runListeners() (chan error, error) {
 	// lec -> listener error channel
 	lec := make(chan error, len(app.listeners))
 	for _, listenerType := range app.listeners {
 		listenerFunc, err := app.listenerFromType(listenerType)
 		if err != nil {
 			return nil, fmt.Errorf("failed to get listener function: %w", err)
 		}
 		app.ding.Go(func(ctx context.Context) {
 			lec <- listenerFunc(ctx)
 		}, ding.RingNormal)
 	}
 	return lec, nil
 }
 // The way we calculate listeners is as follows:
 // If concurrent listeners are disabled, we pick the first available listener, so:
 // 1. If tailscale is enabled, we use tailscale
 // 2. If socket path is configured, we use unix socket
 // 3. Finally if none is configured we use http
 // If concurrent listeners are enabled, we add all available listeners in the following order
 func (app *BootstrapApp) calculateListenerPolicy() []Listener {
 	l := []Listener{}
 	if !app.config.Server.ConcurrentListenersEnabled {
 		if app.services.tailscaleService != nil {
 			l = append(l, ListenerTailscale)
 			return l
 		}
 		if app.config.Server.SocketPath != "" {
 			l = append(l, ListenerUnix)
 			return l
 		}
 		l = append(l, ListenerHTTP)
 		return l
 	}
 	if app.config.Server.SocketPath != "" {
 		l = append(l, ListenerUnix)
 	}
 	if app.services.tailscaleService != nil {
 		l = append(l, ListenerTailscale)
 	}
 	l = append(l, ListenerHTTP)
 	return l
 }
 func (app *BootstrapApp) listenerFromType(listenerType Listener) (func(ctx context.Context) error, error) {
 	switch listenerType {
 	case ListenerHTTP:
 		return app.serveHTTP, nil
 	case ListenerUnix:
 		return app.serveUnix, nil
 	case ListenerTailscale:
 		return app.serveTailscale, nil
 	default:
 		return nil, fmt.Errorf("invalid listener type: %d", listenerType)
 	}
 }
 func (app *BootstrapApp) serveHTTP(ctx context.Context) error {
 	address := fmt.Sprintf("%s:%d", app.config.Server.Address, app.config.Server.Port)
 	app.log.App.Info().Msgf("Starting server on %s", address)
 	listener, err := net.Listen("tcp", address)
 	if err != nil {
 		return fmt.Errorf("failed to create tcp listener: %w", err)
 	}
 	server := &http.Server{
 		Addr:    address,
 		Handler: app.router.Handler(),
 	}
 	return app.serve(listener, server, ctx, "http")
 }
 func (app *BootstrapApp) serveUnix(ctx context.Context) error {
 	_, err := os.Stat(app.config.Server.SocketPath)
 	if err == nil {
 		app.log.App.Info().Msgf("Removing existing socket file %s", app.config.Server.SocketPath)
 		err := os.Remove(app.config.Server.SocketPath)
 		if err != nil {
 			return fmt.Errorf("failed to remove existing socket file: %w", err)
 		}
 	}
 	app.log.App.Info().Msgf("Starting server on unix socket %s", app.config.Server.SocketPath)
 	listener, err := net.Listen("unix", app.config.Server.SocketPath)
 	if err != nil {
 		return fmt.Errorf("failed to create unix socket listener: %w", err)
 	}
 	server := &http.Server{
 		Handler: app.router.Handler(),
 	}
 	return app.serve(listener, server, ctx, "unix socket")
 }
 func (app *BootstrapApp) serveTailscale(ctx context.Context) error {
 	app.log.App.Info().Msgf("Starting Tailscale server on %s", fmt.Sprintf("https://%s", app.services.tailscaleService.GetHostname()))
 	listener, err := app.services.tailscaleService.CreateListener()
 	if err != nil {
 		return fmt.Errorf("failed to create tailscale listener: %w", err)
 	}
 	server := &http.Server{
 		Handler: app.router.Handler(),
 	}
 	return app.serve(listener, server, ctx, "tailscale")
 }
 func (app *BootstrapApp) serve(listener net.Listener, server *http.Server, ctx context.Context, name string) error {
 	shutdown := func() {
 		// we use a new context for the shutdown since the main one is cancelled
 		sctx, cancel := context.WithTimeout(context.Background(), model.GracefulShutdownTimeout*time.Second)
 		defer cancel()
 		err := server.Shutdown(sctx)
 		if err != nil {
 			app.log.App.Error().Err(err).Msgf("Failed to shutdown %s listener gracefully", name)
 		}
 		listener.Close()
 	}
 	go func() {
 		<-ctx.Done()
 		app.log.App.Debug().Msgf("Shutting down %s listener", name)
 		shutdown()
 	}()
 	err := server.Serve(listener)
 	if err != nil && !errors.Is(err, http.ErrServerClosed) {
 		shutdown()
 		return fmt.Errorf("failed to start %s listener: %w", name, err)
 	}
 	return nil
 }
@@ -2,14 +2,13 @@ package bootstrap
 import (
 	"fmt"
 	"os"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 )
 func (app *BootstrapApp) setupServices() error {
-	ldapService, err := service.NewLdapService(app.log, app.config, app.ctx, &app.wg)
+	ldapService, err := service.NewLdapService(app.log, app.config, app.ding)
 	if err != nil {
 		app.log.App.Warn().Err(err).Msg("Failed to initialize LDAP connection, will continue without it")
@@ -17,53 +16,36 @@ func (app *BootstrapApp) setupServices() error {
 	app.services.ldapService = ldapService
-	useKubernetes := app.config.LabelProvider == "kubernetes" ||
+	labelProvider, err := app.getLabelProvider()
 		(app.config.LabelProvider == "auto" && os.Getenv("KUBERNETES_SERVICE_HOST") != "")
-	var labelProvider service.LabelProvider
+	if err != nil {
-
+		return fmt.Errorf("failed to initialize label provider: %w", err)
 	if useKubernetes {
 		app.log.App.Debug().Msg("Using Kubernetes label provider")
 		kubernetesService, err := service.NewKubernetesService(app.log, app.ctx, &app.wg)
 		if err != nil {
 			return fmt.Errorf("failed to initialize kubernetes service: %w", err)
 		}
 		app.services.kubernetesService = kubernetesService
 		labelProvider = kubernetesService
 	} else {
 		app.log.App.Debug().Msg("Using Docker label provider")
 		dockerService, err := service.NewDockerService(app.log, app.ctx, &app.wg)
 		if err != nil {
 			return fmt.Errorf("failed to initialize docker service: %w", err)
 		}
 		app.services.dockerService = dockerService
 		labelProvider = dockerService
 	}
-	tailscaleService, err := service.NewTailscaleService(app.log, app.config, app.ctx, &app.wg)
+	tailscaleService, err := service.NewTailscaleService(app.log, app.config, app.ctx, app.ding)
 	if err != nil {
 		app.log.App.Warn().Err(err).Msg("Failed to initialize Tailscale connection, will continue without it")
 	} else {
 		app.services.tailscaleService = tailscaleService
 	}
-	accessControlsService := service.NewAccessControlsService(app.log, &labelProvider, app.config.Apps)
+	app.services.tailscaleService = tailscaleService
 	accessControlsService := service.NewAccessControlsService(app.log, app.config, &labelProvider)
 	app.services.accessControlService = accessControlsService
 	err = app.setupPolicyEngine()
 	if err != nil {
 		return fmt.Errorf("failed to initialize policy engine: %w", err)
 	}
 	oauthBrokerService := service.NewOAuthBrokerService(app.log, app.runtime.OAuthProviders, app.ctx)
 	app.services.oauthBrokerService = oauthBrokerService
-	authService := service.NewAuthService(app.log, app.config, app.runtime, app.ctx, &app.wg, app.services.ldapService, app.queries, app.services.oauthBrokerService, app.services.tailscaleService)
+	authService := service.NewAuthService(app.log, app.config, app.runtime, app.ctx, app.ding, app.services.ldapService, app.queries, app.services.oauthBrokerService, app.services.tailscaleService, app.services.policyEngine)
 	app.services.authService = authService
-	oidcService, err := service.NewOIDCService(app.log, app.config, app.runtime, app.queries, app.ctx, &app.wg)
+	oidcService, err := service.NewOIDCService(app.log, app.config, app.runtime, app.queries, app.ding)
 	if err != nil {
 		return fmt.Errorf("failed to initialize oidc service: %w", err)
@@ -73,3 +55,80 @@ func (app *BootstrapApp) setupServices() error {
 	return nil
 }
 func (app *BootstrapApp) getLabelProvider() (service.LabelProvider, error) {
 	switch app.config.LabelProvider {
 	case "none", "docker", "kubernetes", "auto":
 		if app.config.LabelProvider == "none" {
 			return nil, nil
 		}
 		useKubernetes := app.config.LabelProvider == "kubernetes" ||
 			(app.config.LabelProvider == "auto" && os.Getenv("KUBERNETES_SERVICE_HOST") != "")
 		if useKubernetes {
 			app.log.App.Debug().Msg("Using Kubernetes label provider")
 			kubernetesService, err := service.NewKubernetesService(app.log, app.ctx, app.ding)
 			if err != nil {
 				return nil, fmt.Errorf("failed to initialize kubernetes service: %w", err)
 			}
 			app.services.kubernetesService = kubernetesService
 			return kubernetesService, nil
 		}
 		app.log.App.Debug().Msg("Using Docker label provider")
 		dockerService, err := service.NewDockerService(app.log, app.ctx, app.ding)
 		if err != nil {
 			return nil, fmt.Errorf("failed to initialize docker service: %w", err)
 		}
 		if dockerService == nil {
 			if app.config.LabelProvider == "docker" {
 				app.log.App.Warn().Msg("Docker label provider selected but Docker is not available, will continue without it")
 			}
 			return nil, nil
 		}
 		app.services.dockerService = dockerService
 		return dockerService, nil
 	default:
 		return nil, fmt.Errorf("invalid label provider: %s", app.config.LabelProvider)
 	}
 }
 func (app *BootstrapApp) setupPolicyEngine() error {
 	policyEngine, err := service.NewPolicyEngine(app.config, app.log)
 	if err != nil {
 		return fmt.Errorf("failed to initialize policy engine: %w", err)
 	}
 	policyEngine.RegisterRule(service.RuleUserAllowed, &service.UserAllowedRule{
 		Log: app.log,
 	})
 	policyEngine.RegisterRule(service.RuleOAuthGroup, &service.OAuthGroupRule{
 		Log: app.log,
 	})
 	policyEngine.RegisterRule(service.RuleLDAPGroup, &service.LDAPGroupRule{
 		Log: app.log,
 	})
 	policyEngine.RegisterRule(service.RuleAuthEnabled, &service.AuthEnabledRule{
 		Log: app.log,
 	})
 	policyEngine.RegisterRule(service.RuleIPAllowed, &service.IPAllowedRule{
 		Log:    app.log,
 		Config: app.config,
 	})
 	policyEngine.RegisterRule(service.RuleIPBypassed, &service.IPBypassedRule{
 		Log:    app.log,
 		Config: app.config,
 	})
 	app.services.policyEngine = policyEngine
 	return nil
 }
@@ -183,9 +183,23 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		return
 	}
-	if !controller.auth.IsEmailWhitelisted(user.Email) {
+	svc, err := controller.auth.GetOAuthService(sessionIdCookie)
 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Failed to get OAuth service for session")
 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}
 	if svc.ID() != req.Provider {
 		controller.log.App.Warn().Msgf("OAuth provider mismatch: expected %s, got %s", req.Provider, svc.ID())
 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}
 	if !controller.auth.IsEmailWhitelisted(svc.ID(), user.Email) {
 		controller.log.App.Warn().Str("email", user.Email).Msg("Email not whitelisted, denying access")
-		controller.log.AuditLoginFailure(user.Email, req.Provider, c.ClientIP(), "email not whitelisted")
+		controller.log.AuditLoginFailure(user.Email, svc.ID(), c.ClientIP(), "email not whitelisted")
 		queries, err := query.Values(UnauthorizedQuery{
 			Username: user.Email,
@@ -208,7 +222,12 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		name = user.Name
 	} else {
 		controller.log.App.Debug().Msg("No name from OAuth provider, generating from email")
-		name = fmt.Sprintf("%s (%s)", utils.Capitalize(strings.Split(user.Email, "@")[0]), strings.Split(user.Email, "@")[1])
+		parts := strings.SplitN(user.Email, "@", 2)
 		if len(parts) == 2 {
 			name = fmt.Sprintf("%s (%s)", utils.Capitalize(parts[0]), parts[1])
 		} else {
 			name = utils.Capitalize(user.Email)
 		}
 	}
 	var username string
@@ -221,20 +240,6 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		username = strings.Replace(user.Email, "@", "_", 1)
 	}
 	svc, err := controller.auth.GetOAuthService(sessionIdCookie)
 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Failed to get OAuth service for session")
 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}
 	if svc.ID() != req.Provider {
 		controller.log.App.Warn().Msgf("OAuth provider mismatch: expected %s, got %s", req.Provider, svc.ID())
 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
 		return
 	}
 	sessionCookie := repository.Session{
 		Username:    username,
 		Name:        name,
@@ -16,6 +16,15 @@ import (
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 type authorizeErrorParams struct {
 	err           error
 	reason        string
 	reasonPublic  string
 	callback      string
 	callbackError string
 	state         string
 }
 type OIDCController struct {
 	log     *logger.Logger
 	oidc    *service.OIDCService
@@ -119,34 +128,55 @@ func (controller *OIDCController) GetClientInfo(c *gin.Context) {
 func (controller *OIDCController) Authorize(c *gin.Context) {
 	if controller.oidc == nil {
-		controller.authorizeError(c, errors.New("err_oidc_not_configured"), "OIDC not configured", "This instance is not configured for OIDC", "", "", "")
+		controller.authorizeError(c, authorizeErrorParams{
 			err:          errors.New("err_oidc_not_configured"),
 			reason:       "OIDC not configured",
 			reasonPublic: "This instance is not configured for OIDC",
 		})
 		return
 	}
 	userContext, err := new(model.UserContext).NewFromGin(c)
 	if err != nil {
-		controller.authorizeError(c, err, "Failed to get user context", "User is not logged in or the session is invalid", "", "", "")
+		controller.authorizeError(c, authorizeErrorParams{
 			err:          err,
 			reason:       "Failed to get user context",
 			reasonPublic: "User is not logged in or the session is invalid",
 		})
 		return
 	}
 	if !userContext.Authenticated {
-		controller.authorizeError(c, errors.New("err user not logged in"), "User not logged in", "The user is not logged in", "", "", "")
+		controller.authorizeError(c, authorizeErrorParams{
 			err:          errors.New("err user not logged in"),
 			reason:       "User not logged in",
 			reasonPublic: "The user is not logged in",
 		})
 		return
 	}
 	var req service.AuthorizeRequest
-	err = c.BindJSON(&req)
+	err = c.Bind(&req)
 	if err != nil {
-		controller.authorizeError(c, err, "Failed to bind JSON", "The client provided an invalid authorization request", "", "", "")
+		controller.authorizeError(c, authorizeErrorParams{
 			err:          err,
 			reason:       "Failed to bind JSON",
 			reasonPublic: "The client provided an invalid authorization request",
 		})
 		return
 	}
 	client, ok := controller.oidc.GetClient(req.ClientID)
 	if !ok {
-		controller.authorizeError(c, err, "Client not found", "The client ID is invalid", "", "", "")
+		controller.authorizeError(c, authorizeErrorParams{
 			err:          fmt.Errorf("client not found: %s", req.ClientID),
 			reason:       "Client not found",
 			reasonPublic: "The client ID is invalid",
 		})
 		return
 	}
@@ -155,10 +185,21 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 	if err != nil {
 		controller.log.App.Warn().Err(err).Msg("Failed to validate authorize params")
 		if err.Error() != "invalid_request_uri" {
-			controller.authorizeError(c, err, "Failed validate authorize params", "Invalid request parameters", req.RedirectURI, err.Error(), req.State)
+			controller.authorizeError(c, authorizeErrorParams{
 				err:           err,
 				reason:        "Failed validate authorize params",
 				reasonPublic:  "Invalid request parameters",
 				callback:      req.RedirectURI,
 				callbackError: err.Error(),
 				state:         req.State,
 			})
 			return
 		}
-		controller.authorizeError(c, err, "Redirect URI not trusted", "The provided redirect URI is not trusted", "", "", "")
+		controller.authorizeError(c, authorizeErrorParams{
 			err:          err,
 			reason:       "Redirect URI not trusted",
 			reasonPublic: "The provided redirect URI is not trusted",
 		})
 		return
 	}
@@ -169,14 +210,28 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 	// Before storing the code, delete old session
 	err = controller.oidc.DeleteOldSession(c, sub)
 	if err != nil {
-		controller.authorizeError(c, err, "Failed to delete old sessions", "Failed to delete old sessions", req.RedirectURI, "server_error", req.State)
+		controller.authorizeError(c, authorizeErrorParams{
 			err:           err,
 			reason:        "Failed to delete old sessions",
 			reasonPublic:  "Failed to delete old sessions",
 			callback:      req.RedirectURI,
 			callbackError: "server_error",
 			state:         req.State,
 		})
 		return
 	}
 	err = controller.oidc.StoreCode(c, sub, code, req)
 	if err != nil {
-		controller.authorizeError(c, err, "Failed to store code", "Failed to store code", req.RedirectURI, "server_error", req.State)
+		controller.authorizeError(c, authorizeErrorParams{
 			err:           err,
 			reason:        "Failed to store code",
 			reasonPublic:  "Failed to store code",
 			callback:      req.RedirectURI,
 			callbackError: "server_error",
 			state:         req.State,
 		})
 		return
 	}
@@ -186,7 +241,14 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 		if err != nil {
 			controller.log.App.Error().Err(err).Msg("Failed to store user info")
-			controller.authorizeError(c, err, "Failed to store user info", "Failed to store user info", req.RedirectURI, "server_error", req.State)
+			controller.authorizeError(c, authorizeErrorParams{
 				err:           err,
 				reason:        "Failed to store user info",
 				reasonPublic:  "Failed to store user info",
 				callback:      req.RedirectURI,
 				callbackError: "server_error",
 				state:         req.State,
 			})
 			return
 		}
 	}
@@ -197,7 +259,14 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
 	})
 	if err != nil {
-		controller.authorizeError(c, err, "Failed to build query", "Failed to build query", req.RedirectURI, "server_error", req.State)
+		controller.authorizeError(c, authorizeErrorParams{
 			err:           err,
 			reason:        "Failed to build query",
 			reasonPublic:  "Failed to build query",
 			callback:      req.RedirectURI,
 			callbackError: "server_error",
 			state:         req.State,
 		})
 		return
 	}
@@ -288,7 +357,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
 		entry, err := controller.oidc.GetCodeEntry(c, controller.oidc.Hash(req.Code), client.ClientID)
 		if err != nil {
 			if err := controller.oidc.DeleteTokenByCodeHash(c, controller.oidc.Hash(req.Code)); err != nil {
-				controller.log.App.Error().Err(err).Msg("Failed to delete code")
+				controller.log.App.Error().Err(err).Msg("Failed to revoke tokens for replayed code")
 			}
 			if errors.Is(err, service.ErrCodeNotFound) {
 				controller.log.App.Warn().Msg("Code not found")
@@ -478,20 +547,20 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 	c.JSON(200, controller.oidc.CompileUserinfo(user, entry.Scope))
 }
-func (controller *OIDCController) authorizeError(c *gin.Context, err error, reason string, reasonUser string, callback string, callbackError string, state string) {
+func (controller *OIDCController) authorizeError(c *gin.Context, params authorizeErrorParams) {
-	controller.log.App.Warn().Err(err).Str("reason", reason).Msg("Authorization error")
+	controller.log.App.Error().Err(params.err).Str("reason", params.reason).Msg("Authorization error")
-	if callback != "" {
+	if params.callback != "" {
 		errorQueries := CallbackError{
-			Error: callbackError,
+			Error: params.callbackError,
 		}
-		if reasonUser != "" {
+		if params.reasonPublic != "" {
-			errorQueries.ErrorDescription = reasonUser
+			errorQueries.ErrorDescription = params.reasonPublic
 		}
-		if state != "" {
+		if params.state != "" {
-			errorQueries.State = state
+			errorQueries.State = params.state
 		}
 		queries, err := query.Values(errorQueries)
@@ -503,13 +572,13 @@ func (controller *OIDCController) authorizeError(c *gin.Context, err error, reas
 		c.JSON(200, gin.H{
 			"status":       200,
-			"redirect_uri": fmt.Sprintf("%s?%s", callback, queries.Encode()),
+			"redirect_uri": fmt.Sprintf("%s?%s", params.callback, queries.Encode()),
 		})
 		return
 	}
 	errorQueries := ErrorScreen{
-		Error: reasonUser,
+		Error: params.reasonPublic,
 	}
 	queries, err := query.Values(errorQueries)
@@ -8,17 +8,16 @@ import (
 	"net/http/httptest"
 	"net/url"
 	"strings"
 	"sync"
 	"testing"
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
 	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/bootstrap"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/model"
-	"github.com/tinyauthapp/tinyauth/internal/repository"
+	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/test"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
@@ -839,16 +838,11 @@ func TestOIDCController(t *testing.T) {
 		},
 	}
-	app := bootstrap.NewBootstrapApp(cfg)
+	store := memory.New()
-	err := app.SetupDatabase()
+	dg := ding.New(context.TODO())
 	require.NoError(t, err)
-	queries := repository.New(app.GetDB())
+	oidcService, err := service.NewOIDCService(log, cfg, runtime, store, dg)
 	wg := &sync.WaitGroup{}
 	oidcService, err := service.NewOIDCService(log, cfg, runtime, queries, context.TODO(), wg)
 	require.NoError(t, err)
 	for _, test := range tests {
@@ -869,8 +863,4 @@ func TestOIDCController(t *testing.T) {
 			test.run(t, router, recorder)
 		})
 	}
 	t.Cleanup(func() {
 		app.GetDB().Close()
 	})
 }
@@ -3,6 +3,7 @@ package controller
 import (
 	"errors"
 	"fmt"
 	"net"
 	"net/http"
 	"net/url"
 	"regexp"
@@ -51,10 +52,11 @@ type ProxyContext struct {
 }
 type ProxyController struct {
-	log     *logger.Logger
+	log          *logger.Logger
-	runtime model.RuntimeConfig
+	runtime      model.RuntimeConfig
-	acls    *service.AccessControlsService
+	acls         *service.AccessControlsService
-	auth    *service.AuthService
+	auth         *service.AuthService
 	policyEngine *service.PolicyEngine
 }
 func NewProxyController(
@@ -63,12 +65,14 @@ func NewProxyController(
 	router *gin.RouterGroup,
 	acls *service.AccessControlsService,
 	auth *service.AuthService,
 	policyEngine *service.PolicyEngine,
 ) *ProxyController {
 	controller := &ProxyController{
-		log:     log,
+		log:          log,
-		runtime: runtime,
+		runtime:      runtime,
-		acls:    acls,
+		acls:         acls,
-		auth:    auth,
+		auth:         auth,
 		policyEngine: policyEngine,
 	}
 	proxyGroup := router.Group("/auth")
@@ -101,7 +105,13 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	clientIP := c.ClientIP()
-	if controller.auth.IsBypassedIP(clientIP, acls) {
+	aclsCtx := &service.ACLContext{
 		ACLs: acls,
 		IP:   net.ParseIP(clientIP),
 		Path: proxyCtx.Path,
 	}
 	if controller.policyEngine.Evaluate(service.RuleIPBypassed, aclsCtx) {
 		controller.setHeaders(c, acls)
 		c.JSON(200, gin.H{
 			"status":  200,
@@ -110,15 +120,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
-	authEnabled, err := controller.auth.IsAuthEnabled(proxyCtx.Path, acls)
+	if controller.policyEngine.Evaluate(service.RuleAuthEnabled, aclsCtx) {
 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Failed to determine if authentication is enabled for resource")
 		controller.handleError(c, proxyCtx)
 		return
 	}
 	if !authEnabled {
 		controller.log.App.Debug().Msg("Authentication is disabled for this resource, allowing access without authentication")
 		controller.setHeaders(c, acls)
 		c.JSON(200, gin.H{
@@ -128,7 +130,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
-	if !controller.auth.CheckIP(clientIP, acls) {
+	if !controller.policyEngine.Evaluate(service.RuleIPAllowed, aclsCtx) {
 		queries, err := query.Values(UnauthorizedQuery{
 			Resource: strings.Split(proxyCtx.Host, ".")[0],
 			IP:       clientIP,
@@ -144,9 +146,9 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		if !controller.useBrowserResponse(proxyCtx) {
 			c.Header("x-tinyauth-location", redirectURL)
-			c.JSON(401, gin.H{
+			c.JSON(403, gin.H{
-				"status":  401,
+				"status":  403,
-				"message": "Unauthorized",
+				"message": "Forbidden",
 			})
 			return
 		}
@@ -158,16 +160,19 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	userContext, err := new(model.UserContext).NewFromGin(c)
 	if err != nil {
-		controller.log.App.Debug().Err(err).Msg("Failed to create user context from request, treating as unauthenticated")
+		// No user context found is not an issue
 		if !errors.Is(err, model.ErrUserContextNotFound) {
 			controller.log.App.Error().Err(err).Msg("Failed to create user context from request, treating as unauthenticated")
 		}
 		userContext = &model.UserContext{
 			Authenticated: false,
 		}
 	}
-	if userContext.Authenticated {
+	aclsCtx.UserContext = userContext
 		userAllowed := controller.auth.IsUserAllowed(c, *userContext, acls)
-		if !userAllowed {
+	if userContext.Authenticated {
 		if !controller.policyEngine.Evaluate(service.RuleUserAllowed, aclsCtx) {
 			controller.log.App.Warn().Str("user", userContext.GetUsername()).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User is not allowed to access resource")
 			queries, err := query.Values(UnauthorizedQuery{
@@ -205,9 +210,9 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 			var groupOK bool
 			if userContext.IsOAuth() {
-				groupOK = controller.auth.IsInOAuthGroup(c, *userContext, acls)
+				groupOK = controller.policyEngine.Evaluate(service.RuleOAuthGroup, aclsCtx)
 			} else {
-				groupOK = controller.auth.IsInLDAPGroup(c, *userContext, acls)
+				groupOK = controller.policyEngine.Evaluate(service.RuleLDAPGroup, aclsCtx)
 			}
 			if !groupOK {
@@ -3,16 +3,15 @@ package controller_test
 import (
 	"context"
 	"net/http/httptest"
 	"sync"
 	"testing"
 	"github.com/gin-gonic/gin"
 	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/bootstrap"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/model"
-	"github.com/tinyauthapp/tinyauth/internal/repository"
+	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/test"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
@@ -24,33 +23,6 @@ func TestProxyController(t *testing.T) {
 	cfg, runtime := test.CreateTestConfigs(t)
 	acls := map[string]model.App{
 		"app_path_allow": {
 			Config: model.AppConfig{
 				Domain: "path-allow.example.com",
 			},
 			Path: model.AppPath{
 				Allow: "/allowed",
 			},
 		},
 		"app_user_allow": {
 			Config: model.AppConfig{
 				Domain: "user-allow.example.com",
 			},
 			Users: model.AppUsers{
 				Allow: "testuser",
 			},
 		},
 		"ip_bypass": {
 			Config: model.AppConfig{
 				Domain: "ip-bypass.example.com",
 			},
 			IP: model.AppIP{
 				Bypass: []string{"10.10.10.10"},
 			},
 		},
 	}
 	const browserUserAgent = `
 	Mozilla/5.0 (Linux; Android 8.0.0; SM-G955U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Mobile Safari/537.36`
@@ -379,19 +351,38 @@ func TestProxyController(t *testing.T) {
 		},
 	}
-	app := bootstrap.NewBootstrapApp(cfg)
+	store := memory.New()
 	err := app.SetupDatabase()
 	require.NoError(t, err)
 	queries := repository.New(app.GetDB())
 	wg := &sync.WaitGroup{}
 	ctx := context.TODO()
 	dg := ding.New(ctx)
 	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, queries, broker, nil)
+	aclsService := service.NewAccessControlsService(log, cfg, nil)
-	aclsService := service.NewAccessControlsService(log, nil, acls)
+
 	policyEngine, err := service.NewPolicyEngine(cfg, log)
 	require.NoError(t, err)
 	policyEngine.RegisterRule(service.RuleUserAllowed, &service.UserAllowedRule{
 		Log: log,
 	})
 	policyEngine.RegisterRule(service.RuleOAuthGroup, &service.OAuthGroupRule{
 		Log: log,
 	})
 	policyEngine.RegisterRule(service.RuleLDAPGroup, &service.LDAPGroupRule{
 		Log: log,
 	})
 	policyEngine.RegisterRule(service.RuleAuthEnabled, &service.AuthEnabledRule{
 		Log: log,
 	})
 	policyEngine.RegisterRule(service.RuleIPAllowed, &service.IPAllowedRule{
 		Log:    log,
 		Config: cfg,
 	})
 	policyEngine.RegisterRule(service.RuleIPBypassed, &service.IPBypassedRule{
 		Log: log,
 	})
 	authService := service.NewAuthService(log, cfg, runtime, ctx, dg, nil, store, broker, nil, policyEngine)
 	for _, test := range tests {
 		t.Run(test.description, func(t *testing.T) {
@@ -406,13 +397,9 @@ func TestProxyController(t *testing.T) {
 			recorder := httptest.NewRecorder()
-			controller.NewProxyController(log, runtime, group, aclsService, authService)
+			controller.NewProxyController(log, runtime, group, aclsService, authService, policyEngine)
 			test.run(t, router, recorder)
 		})
 	}
 	t.Cleanup(func() {
 		app.GetDB().Close()
 	})
 }
@@ -32,7 +32,7 @@ func (controller *ResourcesController) resourcesHandler(c *gin.Context) {
 	if controller.config.Resources.Path == "" {
 		c.JSON(404, gin.H{
 			"status":  404,
-			"message": "Resources not found",
+			"message": "Resource not found",
 		})
 		return
 	}
@@ -190,6 +190,9 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 	if search.Type == model.UserLDAP {
 		sessionCookie.Provider = "ldap"
 		if search.Email != "" {
 			sessionCookie.Email = search.Email
 		}
 	}
 	cookie, err := controller.auth.CreateSession(c, sessionCookie)
@@ -424,7 +427,7 @@ func (controller *UserController) tailscaleHandler(c *gin.Context) {
 	cookie, err := controller.auth.CreateSession(c, sessionCookie)
 	if err != nil {
-		controller.log.App.Error().Err(err).Str("username", context.GetUsername()).Msg("Failed to create session cookie after successful TOTP verification")
+		controller.log.App.Error().Err(err).Str("username", context.GetUsername()).Msg("Failed to create session cookie after successful Tailscale login")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
@@ -6,18 +6,18 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"sync"
 	"testing"
 	"time"
 	"github.com/gin-gonic/gin"
 	"github.com/pquerna/otp/totp"
 	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/bootstrap"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/test"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
@@ -73,12 +73,7 @@ func TestUserController(t *testing.T) {
 		})
 	}
-	app := bootstrap.NewBootstrapApp(cfg)
+	store := memory.New()
 	err := app.SetupDatabase()
 	require.NoError(t, err)
 	queries := repository.New(app.GetDB())
 	type testCase struct {
 		description string
@@ -254,7 +249,7 @@ func TestUserController(t *testing.T) {
 				totpCtx,
 			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				_, err := queries.CreateSession(context.TODO(), repository.CreateSessionParams{
+				_, err := store.CreateSession(context.TODO(), repository.CreateSessionParams{
 					UUID:        "test-totp-login-uuid",
 					Username:    "test",
 					Email:       "test@example.com",
@@ -378,7 +373,7 @@ func TestUserController(t *testing.T) {
 				totpAttrCtx,
 			},
 			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				_, err := queries.CreateSession(context.TODO(), repository.CreateSessionParams{
+				_, err := store.CreateSession(context.TODO(), repository.CreateSessionParams{
 					UUID:        "test-totp-login-attributes-uuid",
 					Username:    "test",
 					Email:       "test@example.com",
@@ -417,14 +412,17 @@ func TestUserController(t *testing.T) {
 	}
 	ctx := context.TODO()
-	wg := &sync.WaitGroup{}
+	dg := ding.New(ctx)
 	policyEngine, err := service.NewPolicyEngine(cfg, log)
 	require.NoError(t, err)
 	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, queries, broker, nil)
+	authService := service.NewAuthService(log, cfg, runtime, ctx, dg, nil, store, broker, nil, policyEngine)
 	beforeEach := func() {
 		// Clear failed login attempts before each test
-		authService.ClearRateLimitsTestingOnly()
+		authService.ClearLoginAttempts()
 	}
 	for _, test := range tests {
@@ -446,8 +444,4 @@ func TestUserController(t *testing.T) {
 			test.run(t, router, recorder)
 		})
 	}
 	t.Cleanup(func() {
 		app.GetDB().Close()
 	})
 }
@@ -5,15 +5,14 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http/httptest"
 	"sync"
 	"testing"
 	"github.com/gin-gonic/gin"
 	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/bootstrap"
 	"github.com/tinyauthapp/tinyauth/internal/controller"
-	"github.com/tinyauthapp/tinyauth/internal/repository"
+	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/test"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
@@ -90,16 +89,11 @@ func TestWellKnownController(t *testing.T) {
 	}
 	ctx := context.TODO()
-	wg := &sync.WaitGroup{}
+	dg := ding.New(ctx)
-	app := bootstrap.NewBootstrapApp(cfg)
+	store := memory.New()
-	err := app.SetupDatabase()
+	oidcService, err := service.NewOIDCService(log, cfg, runtime, store, dg)
 	require.NoError(t, err)
 	queries := repository.New(app.GetDB())
 	oidcService, err := service.NewOIDCService(log, cfg, runtime, queries, ctx, wg)
 	require.NoError(t, err)
 	for _, test := range tests {
@@ -114,8 +108,4 @@ func TestWellKnownController(t *testing.T) {
 			test.run(t, router, recorder)
 		})
 	}
 	t.Cleanup(func() {
 		app.GetDB().Close()
 	})
 }
@@ -116,6 +116,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 			if tailscaleContext != nil {
 				c.Set("context", &model.UserContext{
 					Authenticated: false,
 					Provider:      model.ProviderTailscale,
 					Tailscale:     tailscaleContext,
 				})
 			}
@@ -191,7 +192,12 @@ func (m *ContextMiddleware) cookieAuth(ctx context.Context, uuid string, ip stri
 		userContext.LDAP.Groups = user.Groups
 		userContext.LDAP.Name = utils.Capitalize(userContext.LDAP.Username)
 		userContext.LDAP.Email = utils.CompileUserEmail(userContext.LDAP.Username, m.runtime.CookieDomain)
 		if search.Email != "" {
 			userContext.LDAP.Email = search.Email
 		}
 	case model.ProviderOAuth:
 		_, exists := m.broker.GetService(userContext.OAuth.ID)
@@ -199,7 +205,7 @@ func (m *ContextMiddleware) cookieAuth(ctx context.Context, uuid string, ip stri
 			return nil, nil, fmt.Errorf("oauth provider from session cookie not found: %s", userContext.OAuth.ID)
 		}
-		if !m.auth.IsEmailWhitelisted(userContext.OAuth.Email) {
+		if !m.auth.IsEmailWhitelisted(userContext.OAuth.ID, userContext.OAuth.Email) {
 			m.auth.DeleteSession(ctx, uuid)
 			return nil, nil, fmt.Errorf("email from session cookie not whitelisted: %s", userContext.OAuth.Email)
 		}
@@ -245,6 +251,10 @@ func (m *ContextMiddleware) basicAuth(username string, password string) (*model.
 	case model.UserLocal:
 		user := m.auth.GetLocalUser(username)
 		if user == nil {
 			return nil, nil, fmt.Errorf("user not found locally: %s", username)
 		}
 		if user.TOTPSecret != "" {
 			return nil, nil, fmt.Errorf("user with totp not allowed to login via basic auth: %s", username)
 		}
@@ -269,11 +279,15 @@ func (m *ContextMiddleware) basicAuth(username string, password string) (*model.
 			BaseContext: model.BaseContext{
 				Username: username,
 				Name:     utils.Capitalize(username),
 				Email:    utils.CompileUserEmail(username, m.runtime.CookieDomain),
 			},
 			Groups: user.Groups,
 		}
 		userContext.Provider = model.ProviderLDAP
 		userContext.LDAP.Email = utils.CompileUserEmail(username, m.runtime.CookieDomain)
 		if search.Email != "" {
 			userContext.LDAP.Email = search.Email
 		}
 	}
 	userContext.Authenticated = true
@@ -312,11 +326,6 @@ func (m *ContextMiddleware) tailscaleWhois(ctx context.Context, ip string) (*mod
 			Name:     whois.DisplayName,
 		},
 		UserID: whois.UserID,
 		Tags:   whois.Tags,
 	}
 	if !strings.ContainsAny(uctx.Email, "@") {
 		uctx.Email = utils.CompileUserEmail(uctx.Email+"-tailscale", m.runtime.CookieDomain)
 	}
 	return &uctx, nil
@@ -5,17 +5,17 @@ import (
 	"encoding/base64"
 	"net/http"
 	"net/http/httptest"
 	"sync"
 	"testing"
 	"time"
 	"github.com/gin-gonic/gin"
 	"github.com/steveiliop56/ding"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/bootstrap"
 	"github.com/tinyauthapp/tinyauth/internal/middleware"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/test"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
@@ -31,7 +31,7 @@ func TestContextMiddleware(t *testing.T) {
 		return "Basic " + base64.StdEncoding.EncodeToString([]byte(username+":"+password))
 	}
-	seedSession := func(t *testing.T, queries *repository.Queries, params repository.CreateSessionParams) {
+	seedSession := func(t *testing.T, queries repository.Store, params repository.CreateSessionParams) {
 		t.Helper()
 		_, err := queries.CreateSession(context.Background(), params)
 		require.NoError(t, err)
@@ -39,7 +39,7 @@ func TestContextMiddleware(t *testing.T) {
 	type runArgs struct {
 		do      func(req *http.Request) (*model.UserContext, *httptest.ResponseRecorder)
-		queries *repository.Queries
+		queries repository.Store
 	}
 	type testCase struct {
@@ -250,22 +250,20 @@ func TestContextMiddleware(t *testing.T) {
 	}
 	ctx := context.TODO()
-	wg := &sync.WaitGroup{}
+	dg := ding.New(ctx)
-	app := bootstrap.NewBootstrapApp(cfg)
+	store := memory.New()
-	err := app.SetupDatabase()
+	policyEngine, err := service.NewPolicyEngine(cfg, log)
 	require.NoError(t, err)
 	queries := repository.New(app.GetDB())
 	broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
-	authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, queries, broker, nil)
+	authService := service.NewAuthService(log, cfg, runtime, ctx, dg, nil, store, broker, nil, policyEngine)
 	contextMiddleware := middleware.NewContextMiddleware(log, runtime, authService, broker, nil)
 	for _, test := range tests {
-		authService.ClearRateLimitsTestingOnly()
+		authService.ClearLoginAttempts()
 		t.Run(test.description, func(t *testing.T) {
 			gin.SetMode(gin.TestMode)
@@ -286,11 +284,7 @@ func TestContextMiddleware(t *testing.T) {
 				return captured, recorder
 			}
-			test.run(t, runArgs{do: do, queries: queries})
+			test.run(t, runArgs{do: do, queries: store})
 		})
 	}
 	t.Cleanup(func() {
 		app.GetDB().Close()
 	})
 }
@@ -4,7 +4,8 @@ package model
 func NewDefaultConfiguration() *Config {
 	return &Config{
 		Database: DatabaseConfig{
-			Path: "./tinyauth.db",
+			Driver: "sqlite",
 			Path:   "./tinyauth.db",
 		},
 		Analytics: AnalyticsConfig{
 			Enabled: true,
@@ -24,6 +25,9 @@ func NewDefaultConfiguration() *Config {
 			SessionMaxLifetime: 0,     // disabled
 			LoginTimeout:       300,   // 5 minutes
 			LoginMaxRetries:    3,
 			ACLs: ACLsConfig{
 				Policy: "allow",
 			},
 		},
 		UI: UIConfig{
 			Title:                 "Tinyauth",
@@ -58,11 +62,8 @@ func NewDefaultConfiguration() *Config {
 			PrivateKeyPath: "./tinyauth_oidc_key",
 			PublicKeyPath:  "./tinyauth_oidc_key.pub",
 		},
 		Experimental: ExperimentalConfig{
 			ConfigFile: "",
 		},
 		Tailscale: TailscaleConfig{
-			Dir: "./state",
+			Dir: "./tailscale_state",
 		},
 		LabelProvider: "auto",
 	}
@@ -81,13 +82,15 @@ type Config struct {
 	UI            UIConfig           `description:"UI customization." yaml:"ui"`
 	LDAP          LDAPConfig         `description:"LDAP configuration." yaml:"ldap"`
 	Experimental  ExperimentalConfig `description:"Experimental features, use with caution." yaml:"experimental"`
 	LabelProvider string             `description:"Label provider to use for ACLs (auto, docker, kubernetes or none to disable). auto detects the environment." yaml:"labelProvider"`
 	Log           LogConfig          `description:"Logging configuration." yaml:"log"`
 	Tailscale     TailscaleConfig    `description:"Tailscale configuration." yaml:"tailscale"`
-	LabelProvider string             `description:"Label provider to use (docker, kubernetes, auto)." yaml:"labelProvider"`
+	ConfigFile    string             `description:"Path to config file." yaml:"-"`
 }
 type DatabaseConfig struct {
-	Path string `description:"The path to the database, including file name." yaml:"path"`
+	Driver string `description:"The database driver to use. Valid values: sqlite, postgres, memory." yaml:"driver"`
 	Path   string `description:"The path to the SQLite database file, or connection URL when driver is postgres." yaml:"path"`
 }
 type AnalyticsConfig struct {
@@ -118,6 +121,7 @@ type AuthConfig struct {
 	LoginTimeout       int                       `description:"Login timeout in seconds." yaml:"loginTimeout"`
 	LoginMaxRetries    int                       `description:"Maximum login retries." yaml:"loginMaxRetries"`
 	TrustedProxies     []string                  `description:"Comma-separated list of trusted proxy addresses." yaml:"trustedProxies"`
 	ACLs               ACLsConfig                `description:"ACLs configuration." yaml:"acls"`
 }
 type UserAttributes struct {
@@ -148,8 +152,9 @@ type AddressClaim struct {
 }
 type IPConfig struct {
-	Allow []string `description:"List of allowed IPs or CIDR ranges." yaml:"allow"`
+	Allow  []string `description:"List of allowed IPs or CIDR ranges." yaml:"allow"`
-	Block []string `description:"List of blocked IPs or CIDR ranges." yaml:"block"`
+	Block  []string `description:"List of blocked IPs or CIDR ranges." yaml:"block"`
 	Bypass []string `description:"List of IPs or CIDR ranges that bypass authentication entirely." yaml:"bypass"`
 }
 type OAuthConfig struct {
@@ -201,11 +206,11 @@ type LogStreamConfig struct {
 	Level   string `description:"Log level for this stream. Use global if empty." yaml:"level"`
 }
-type ExperimentalConfig struct {
+// no experimental features
-	ConfigFile string `description:"Path to config file." yaml:"-"`
+type ExperimentalConfig struct{}
 }
 type TailscaleConfig struct {
 	Enabled   bool   `description:"Enable Tailscale integration." yaml:"enabled"`
 	Dir       string `description:"Tailscale state directory." yaml:"dir"`
 	Hostname  string `description:"Tailscale hostname." yaml:"hostname"`
 	AuthKey   string `description:"Tailscale auth key." yaml:"authKey"`
@@ -218,6 +223,8 @@ type OAuthServiceConfig struct {
 	ClientID         string   `description:"OAuth client ID." yaml:"clientId"`
 	ClientSecret     string   `description:"OAuth client secret." yaml:"clientSecret"`
 	ClientSecretFile string   `description:"Path to the file containing the OAuth client secret." yaml:"clientSecretFile"`
 	Whitelist        []string `description:"Comma-separated list of allowed OAuth domains for this provider." yaml:"whitelist"`
 	WhitelistFile    string   `description:"Path to the OAuth whitelist file for this provider." yaml:"whitelistFile"`
 	Scopes           []string `description:"OAuth scopes." yaml:"scopes"`
 	RedirectURL      string   `description:"OAuth redirect URL." yaml:"redirectUrl"`
 	AuthURL          string   `description:"OAuth authorization URL." yaml:"authUrl"`
@@ -236,14 +243,12 @@ type OIDCClientConfig struct {
 	Name                string   `description:"Client name in UI." yaml:"name"`
 }
-type TailscaleWhoisResponse struct {
+type ACLsConfig struct {
-	UserID      string
+	Policy string `description:"ACL policy for allow-by-default or deny-by-default, available options are allow and deny, default is allow." yaml:"policy"`
 	LoginName   string
 	DisplayName string
 	NodeName    string
 	Tags        []string
 }
 // ACLs
 type Apps struct {
 	Apps map[string]App `description:"App ACLs configuration." yaml:"apps"`
 }
@@ -21,3 +21,5 @@ const SessionCookieName = "tinyauth-session"
 const CSRFCookieName = "tinyauth-csrf"
 const RedirectCookieName = "tinyauth-redirect"
 const OAuthSessionCookieName = "tinyauth-oauth"
 const GracefulShutdownTimeout = 5 // seconds
@@ -59,8 +59,6 @@ type LDAPContext struct {
 type TailscaleContext struct {
 	BaseContext
 	UserID string
 	// for future use
 	Tags []string
 }
 func (c *UserContext) IsAuthenticated() bool {
@@ -21,5 +21,6 @@ type LocalUser struct {
 type UserSearch struct {
 	Username string
 	Email    string // used for LDAP, we can't throw it to LDAPUser because it would need another cache or an LDAP lookup every time
 	Type     UserSearchType
 }
@@ -0,0 +1,472 @@
 package memory_test
 import (
 	"context"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 	"github.com/tinyauthapp/tinyauth/internal/repository/memory"
 )
 var ctx = context.Background()
 func TestMemoryStore(t *testing.T) {
 	type testCase struct {
 		description string
 		run         func(t *testing.T, s repository.Store)
 	}
 	tests := []testCase{
 		{
 			description: "Create and get session",
 			run: func(t *testing.T, s repository.Store) {
 				sess, err := s.CreateSession(ctx, repository.CreateSessionParams{
 					UUID:     "uuid-1",
 					Username: "alice",
 					Expiry:   9999,
 				})
 				require.NoError(t, err)
 				assert.Equal(t, "uuid-1", sess.UUID)
 				assert.Equal(t, "alice", sess.Username)
 				got, err := s.GetSession(ctx, "uuid-1")
 				require.NoError(t, err)
 				assert.Equal(t, sess, got)
 			},
 		},
 		{
 			description: "Get session not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetSession(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Update session",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateSession(ctx, repository.CreateSessionParams{UUID: "uuid-1", Username: "alice"})
 				require.NoError(t, err)
 				updated, err := s.UpdateSession(ctx, repository.UpdateSessionParams{
 					UUID:     "uuid-1",
 					Username: "bob",
 					Email:    "bob@example.com",
 				})
 				require.NoError(t, err)
 				assert.Equal(t, "bob", updated.Username)
 				assert.Equal(t, "bob@example.com", updated.Email)
 				got, err := s.GetSession(ctx, "uuid-1")
 				require.NoError(t, err)
 				assert.Equal(t, updated, got)
 			},
 		},
 		{
 			description: "Update session not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.UpdateSession(ctx, repository.UpdateSessionParams{UUID: "missing"})
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Delete session",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateSession(ctx, repository.CreateSessionParams{UUID: "uuid-1"})
 				require.NoError(t, err)
 				require.NoError(t, s.DeleteSession(ctx, "uuid-1"))
 				_, err = s.GetSession(ctx, "uuid-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Delete expired sessions",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateSession(ctx, repository.CreateSessionParams{UUID: "expired", Expiry: 10})
 				require.NoError(t, err)
 				_, err = s.CreateSession(ctx, repository.CreateSessionParams{UUID: "valid", Expiry: 100})
 				require.NoError(t, err)
 				require.NoError(t, s.DeleteExpiredSessions(ctx, 50))
 				_, err = s.GetSession(ctx, "expired")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 				_, err = s.GetSession(ctx, "valid")
 				assert.NoError(t, err)
 			},
 		},
 		{
 			description: "Create and get OIDC code",
 			run: func(t *testing.T, s repository.Store) {
 				code, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{
 					Sub:      "sub-1",
 					CodeHash: "hash-1",
 					Scope:    "openid",
 				})
 				require.NoError(t, err)
 				assert.Equal(t, "sub-1", code.Sub)
 				// destructive read removes the record
 				got, err := s.GetOidcCode(ctx, "hash-1")
 				require.NoError(t, err)
 				assert.Equal(t, code, got)
 				_, err = s.GetOidcCode(ctx, "hash-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Get OIDC code not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOidcCode(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Get OIDC code by sub",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
 				require.NoError(t, err)
 				got, err := s.GetOidcCodeBySub(ctx, "sub-1")
 				require.NoError(t, err)
 				assert.Equal(t, "sub-1", got.Sub)
 				// destructive — gone after read
 				_, err = s.GetOidcCodeBySub(ctx, "sub-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Get OIDC code by sub not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOidcCodeBySub(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Get OIDC code unsafe",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
 				require.NoError(t, err)
 				got, err := s.GetOidcCodeUnsafe(ctx, "hash-1")
 				require.NoError(t, err)
 				assert.Equal(t, "sub-1", got.Sub)
 				// non-destructive — still present
 				_, err = s.GetOidcCodeUnsafe(ctx, "hash-1")
 				assert.NoError(t, err)
 			},
 		},
 		{
 			description: "Get OIDC code unsafe not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOidcCodeUnsafe(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Get OIDC code by sub unsafe",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
 				require.NoError(t, err)
 				got, err := s.GetOidcCodeBySubUnsafe(ctx, "sub-1")
 				require.NoError(t, err)
 				assert.Equal(t, "hash-1", got.CodeHash)
 				// non-destructive — still present
 				_, err = s.GetOidcCodeBySubUnsafe(ctx, "sub-1")
 				assert.NoError(t, err)
 			},
 		},
 		{
 			description: "Get OIDC code by sub unsafe not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOidcCodeBySubUnsafe(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Create OIDC code unique sub constraint",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
 				require.NoError(t, err)
 				_, err = s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-2"})
 				assert.ErrorContains(t, err, "UNIQUE constraint failed: oidc_codes.sub")
 			},
 		},
 		{
 			description: "Delete OIDC code",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
 				require.NoError(t, err)
 				require.NoError(t, s.DeleteOidcCode(ctx, "hash-1"))
 				_, err = s.GetOidcCodeUnsafe(ctx, "hash-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Delete OIDC code by sub",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1"})
 				require.NoError(t, err)
 				require.NoError(t, s.DeleteOidcCodeBySub(ctx, "sub-1"))
 				_, err = s.GetOidcCodeUnsafe(ctx, "hash-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Delete expired OIDC codes",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-1", CodeHash: "hash-1", ExpiresAt: 10})
 				require.NoError(t, err)
 				_, err = s.CreateOidcCode(ctx, repository.CreateOidcCodeParams{Sub: "sub-2", CodeHash: "hash-2", ExpiresAt: 100})
 				require.NoError(t, err)
 				deleted, err := s.DeleteExpiredOidcCodes(ctx, 50)
 				require.NoError(t, err)
 				require.Len(t, deleted, 1)
 				assert.Equal(t, "hash-1", deleted[0].CodeHash)
 				_, err = s.GetOidcCodeUnsafe(ctx, "hash-2")
 				assert.NoError(t, err)
 			},
 		},
 		{
 			description: "Create and get OIDC token",
 			run: func(t *testing.T, s repository.Store) {
 				tok, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
 					Sub:             "sub-1",
 					AccessTokenHash: "at-hash-1",
 					CodeHash:        "code-hash-1",
 				})
 				require.NoError(t, err)
 				assert.Equal(t, "sub-1", tok.Sub)
 				got, err := s.GetOidcToken(ctx, "at-hash-1")
 				require.NoError(t, err)
 				assert.Equal(t, tok, got)
 			},
 		},
 		{
 			description: "Get OIDC token not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOidcToken(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Create OIDC token unique sub constraint",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{Sub: "sub-1", AccessTokenHash: "at-1"})
 				require.NoError(t, err)
 				_, err = s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{Sub: "sub-1", AccessTokenHash: "at-2"})
 				assert.ErrorContains(t, err, "UNIQUE constraint failed: oidc_tokens.sub")
 			},
 		},
 		{
 			description: "Get OIDC token by refresh token",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
 					Sub:              "sub-1",
 					AccessTokenHash:  "at-1",
 					RefreshTokenHash: "rt-1",
 				})
 				require.NoError(t, err)
 				got, err := s.GetOidcTokenByRefreshToken(ctx, "rt-1")
 				require.NoError(t, err)
 				assert.Equal(t, "sub-1", got.Sub)
 			},
 		},
 		{
 			description: "Get OIDC token by refresh token not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOidcTokenByRefreshToken(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Get OIDC token by sub",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
 					Sub:             "sub-1",
 					AccessTokenHash: "at-1",
 				})
 				require.NoError(t, err)
 				got, err := s.GetOidcTokenBySub(ctx, "sub-1")
 				require.NoError(t, err)
 				assert.Equal(t, "at-1", got.AccessTokenHash)
 			},
 		},
 		{
 			description: "Get OIDC token by sub not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOidcTokenBySub(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Update OIDC token by refresh token",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
 					Sub:              "sub-1",
 					AccessTokenHash:  "at-1",
 					RefreshTokenHash: "rt-1",
 				})
 				require.NoError(t, err)
 				updated, err := s.UpdateOidcTokenByRefreshToken(ctx, repository.UpdateOidcTokenByRefreshTokenParams{
 					RefreshTokenHash_2:    "rt-1",
 					AccessTokenHash:       "at-2",
 					RefreshTokenHash:      "rt-2",
 					TokenExpiresAt:        200,
 					RefreshTokenExpiresAt: 400,
 				})
 				require.NoError(t, err)
 				assert.Equal(t, "at-2", updated.AccessTokenHash)
 				assert.Equal(t, "rt-2", updated.RefreshTokenHash)
 				// old key gone, new key present
 				_, err = s.GetOidcToken(ctx, "at-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 				got, err := s.GetOidcToken(ctx, "at-2")
 				require.NoError(t, err)
 				assert.Equal(t, "sub-1", got.Sub)
 			},
 		},
 		{
 			description: "Update OIDC token by refresh token not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.UpdateOidcTokenByRefreshToken(ctx, repository.UpdateOidcTokenByRefreshTokenParams{
 					RefreshTokenHash_2: "missing",
 				})
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Delete OIDC token",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{Sub: "sub-1", AccessTokenHash: "at-1"})
 				require.NoError(t, err)
 				require.NoError(t, s.DeleteOidcToken(ctx, "at-1"))
 				_, err = s.GetOidcToken(ctx, "at-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Delete OIDC token by sub",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{Sub: "sub-1", AccessTokenHash: "at-1"})
 				require.NoError(t, err)
 				require.NoError(t, s.DeleteOidcTokenBySub(ctx, "sub-1"))
 				_, err = s.GetOidcToken(ctx, "at-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Delete OIDC token by code hash",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
 					Sub:             "sub-1",
 					AccessTokenHash: "at-1",
 					CodeHash:        "code-1",
 				})
 				require.NoError(t, err)
 				require.NoError(t, s.DeleteOidcTokenByCodeHash(ctx, "code-1"))
 				_, err = s.GetOidcToken(ctx, "at-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Delete expired OIDC tokens",
 			run: func(t *testing.T, s repository.Store) {
 				// both expiries past
 				_, err := s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
 					Sub: "sub-1", AccessTokenHash: "at-1",
 					TokenExpiresAt: 10, RefreshTokenExpiresAt: 10,
 				})
 				require.NoError(t, err)
 				// valid
 				_, err = s.CreateOidcToken(ctx, repository.CreateOidcTokenParams{
 					Sub: "sub-3", AccessTokenHash: "at-3",
 					TokenExpiresAt: 100, RefreshTokenExpiresAt: 100,
 				})
 				require.NoError(t, err)
 				deleted, err := s.DeleteExpiredOidcTokens(ctx, repository.DeleteExpiredOidcTokensParams{
 					TokenExpiresAt:        50,
 					RefreshTokenExpiresAt: 50,
 				})
 				require.NoError(t, err)
 				assert.Len(t, deleted, 1)
 				_, err = s.GetOidcToken(ctx, "at-3")
 				assert.NoError(t, err)
 			},
 		},
 		{
 			description: "Create and get OIDC user info",
 			run: func(t *testing.T, s repository.Store) {
 				u, err := s.CreateOidcUserInfo(ctx, repository.CreateOidcUserInfoParams{
 					Sub:   "sub-1",
 					Name:  "Alice",
 					Email: "alice@example.com",
 				})
 				require.NoError(t, err)
 				assert.Equal(t, "sub-1", u.Sub)
 				got, err := s.GetOidcUserInfo(ctx, "sub-1")
 				require.NoError(t, err)
 				assert.Equal(t, u, got)
 			},
 		},
 		{
 			description: "Get OIDC user info not found",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.GetOidcUserInfo(ctx, "missing")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 		{
 			description: "Delete OIDC user info",
 			run: func(t *testing.T, s repository.Store) {
 				_, err := s.CreateOidcUserInfo(ctx, repository.CreateOidcUserInfoParams{Sub: "sub-1"})
 				require.NoError(t, err)
 				require.NoError(t, s.DeleteOidcUserInfo(ctx, "sub-1"))
 				_, err = s.GetOidcUserInfo(ctx, "sub-1")
 				assert.ErrorIs(t, err, repository.ErrNotFound)
 			},
 		},
 	}
 	for _, test := range tests {
 		t.Run(test.description, func(t *testing.T) {
 			s := memory.New()
 			test.run(t, s)
 		})
 	}
 }
@@ -0,0 +1,241 @@
 package memory
 import (
 	"context"
 	"fmt"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 )
 func (s *Store) CreateOidcCode(_ context.Context, arg repository.CreateOidcCodeParams) (repository.OidcCode, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	// Enforce sub UNIQUE constraint
 	for _, c := range s.oidcCodes {
 		if c.Sub == arg.Sub {
 			return repository.OidcCode{}, fmt.Errorf("UNIQUE constraint failed: oidc_codes.sub")
 		}
 	}
 	code := repository.OidcCode(arg)
 	s.oidcCodes[arg.CodeHash] = code
 	return code, nil
 }
 // GetOidcCode is a destructive read: it deletes and returns the code (mirrors SQLite's DELETE...RETURNING).
 func (s *Store) GetOidcCode(_ context.Context, codeHash string) (repository.OidcCode, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	c, ok := s.oidcCodes[codeHash]
 	if !ok {
 		return repository.OidcCode{}, repository.ErrNotFound
 	}
 	delete(s.oidcCodes, codeHash)
 	return c, nil
 }
 // GetOidcCodeBySub is a destructive read: it deletes and returns the code (mirrors SQLite's DELETE...RETURNING).
 func (s *Store) GetOidcCodeBySub(_ context.Context, sub string) (repository.OidcCode, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	for k, c := range s.oidcCodes {
 		if c.Sub == sub {
 			delete(s.oidcCodes, k)
 			return c, nil
 		}
 	}
 	return repository.OidcCode{}, repository.ErrNotFound
 }
 // GetOidcCodeUnsafe is a non-destructive read (mirrors SQLite's SELECT).
 func (s *Store) GetOidcCodeUnsafe(_ context.Context, codeHash string) (repository.OidcCode, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	c, ok := s.oidcCodes[codeHash]
 	if !ok {
 		return repository.OidcCode{}, repository.ErrNotFound
 	}
 	return c, nil
 }
 // GetOidcCodeBySubUnsafe is a non-destructive read (mirrors SQLite's SELECT).
 func (s *Store) GetOidcCodeBySubUnsafe(_ context.Context, sub string) (repository.OidcCode, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	for _, c := range s.oidcCodes {
 		if c.Sub == sub {
 			return c, nil
 		}
 	}
 	return repository.OidcCode{}, repository.ErrNotFound
 }
 func (s *Store) DeleteOidcCode(_ context.Context, codeHash string) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	delete(s.oidcCodes, codeHash)
 	return nil
 }
 func (s *Store) DeleteOidcCodeBySub(_ context.Context, sub string) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	for k, c := range s.oidcCodes {
 		if c.Sub == sub {
 			delete(s.oidcCodes, k)
 		}
 	}
 	return nil
 }
 func (s *Store) DeleteExpiredOidcCodes(_ context.Context, expiresAt int64) ([]repository.OidcCode, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	var deleted []repository.OidcCode
 	for k, c := range s.oidcCodes {
 		if c.ExpiresAt < expiresAt {
 			deleted = append(deleted, c)
 			delete(s.oidcCodes, k)
 		}
 	}
 	return deleted, nil
 }
 func (s *Store) CreateOidcToken(_ context.Context, arg repository.CreateOidcTokenParams) (repository.OidcToken, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	// Enforce sub UNIQUE constraint
 	for _, t := range s.oidcTokens {
 		if t.Sub == arg.Sub {
 			return repository.OidcToken{}, fmt.Errorf("UNIQUE constraint failed: oidc_tokens.sub")
 		}
 	}
 	tok := repository.OidcToken{
 		Sub:                   arg.Sub,
 		AccessTokenHash:       arg.AccessTokenHash,
 		RefreshTokenHash:      arg.RefreshTokenHash,
 		CodeHash:              arg.CodeHash,
 		Scope:                 arg.Scope,
 		ClientID:              arg.ClientID,
 		TokenExpiresAt:        arg.TokenExpiresAt,
 		RefreshTokenExpiresAt: arg.RefreshTokenExpiresAt,
 		Nonce:                 arg.Nonce,
 	}
 	s.oidcTokens[arg.AccessTokenHash] = tok
 	return tok, nil
 }
 func (s *Store) GetOidcToken(_ context.Context, accessTokenHash string) (repository.OidcToken, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	t, ok := s.oidcTokens[accessTokenHash]
 	if !ok {
 		return repository.OidcToken{}, repository.ErrNotFound
 	}
 	return t, nil
 }
 func (s *Store) GetOidcTokenByRefreshToken(_ context.Context, refreshTokenHash string) (repository.OidcToken, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	for _, t := range s.oidcTokens {
 		if t.RefreshTokenHash == refreshTokenHash {
 			return t, nil
 		}
 	}
 	return repository.OidcToken{}, repository.ErrNotFound
 }
 func (s *Store) GetOidcTokenBySub(_ context.Context, sub string) (repository.OidcToken, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	for _, t := range s.oidcTokens {
 		if t.Sub == sub {
 			return t, nil
 		}
 	}
 	return repository.OidcToken{}, repository.ErrNotFound
 }
 func (s *Store) UpdateOidcTokenByRefreshToken(_ context.Context, arg repository.UpdateOidcTokenByRefreshTokenParams) (repository.OidcToken, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	for k, t := range s.oidcTokens {
 		if t.RefreshTokenHash == arg.RefreshTokenHash_2 {
 			delete(s.oidcTokens, k)
 			t.AccessTokenHash = arg.AccessTokenHash
 			t.RefreshTokenHash = arg.RefreshTokenHash
 			t.TokenExpiresAt = arg.TokenExpiresAt
 			t.RefreshTokenExpiresAt = arg.RefreshTokenExpiresAt
 			s.oidcTokens[arg.AccessTokenHash] = t
 			return t, nil
 		}
 	}
 	return repository.OidcToken{}, repository.ErrNotFound
 }
 func (s *Store) DeleteOidcToken(_ context.Context, accessTokenHash string) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	delete(s.oidcTokens, accessTokenHash)
 	return nil
 }
 func (s *Store) DeleteOidcTokenBySub(_ context.Context, sub string) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	for k, t := range s.oidcTokens {
 		if t.Sub == sub {
 			delete(s.oidcTokens, k)
 		}
 	}
 	return nil
 }
 func (s *Store) DeleteOidcTokenByCodeHash(_ context.Context, codeHash string) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	for k, t := range s.oidcTokens {
 		if t.CodeHash == codeHash {
 			delete(s.oidcTokens, k)
 		}
 	}
 	return nil
 }
 func (s *Store) DeleteExpiredOidcTokens(_ context.Context, arg repository.DeleteExpiredOidcTokensParams) ([]repository.OidcToken, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	var deleted []repository.OidcToken
 	for k, t := range s.oidcTokens {
 		if t.TokenExpiresAt < arg.TokenExpiresAt && t.RefreshTokenExpiresAt < arg.RefreshTokenExpiresAt {
 			deleted = append(deleted, t)
 			delete(s.oidcTokens, k)
 		}
 	}
 	return deleted, nil
 }
 func (s *Store) CreateOidcUserInfo(_ context.Context, arg repository.CreateOidcUserInfoParams) (repository.OidcUserinfo, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	u := repository.OidcUserinfo(arg)
 	s.oidcUsers[arg.Sub] = u
 	return u, nil
 }
 func (s *Store) GetOidcUserInfo(_ context.Context, sub string) (repository.OidcUserinfo, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	u, ok := s.oidcUsers[sub]
 	if !ok {
 		return repository.OidcUserinfo{}, repository.ErrNotFound
 	}
 	return u, nil
 }
 func (s *Store) DeleteOidcUserInfo(_ context.Context, sub string) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	delete(s.oidcUsers, sub)
 	return nil
 }
@@ -0,0 +1,63 @@
 package memory
 import (
 	"context"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 )
 func (s *Store) CreateSession(_ context.Context, arg repository.CreateSessionParams) (repository.Session, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	sess := repository.Session(arg)
 	s.sessions[arg.UUID] = sess
 	return sess, nil
 }
 func (s *Store) GetSession(_ context.Context, uuid string) (repository.Session, error) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	sess, ok := s.sessions[uuid]
 	if !ok {
 		return repository.Session{}, repository.ErrNotFound
 	}
 	return sess, nil
 }
 func (s *Store) UpdateSession(_ context.Context, arg repository.UpdateSessionParams) (repository.Session, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	sess, ok := s.sessions[arg.UUID]
 	if !ok {
 		return repository.Session{}, repository.ErrNotFound
 	}
 	sess.Username = arg.Username
 	sess.Email = arg.Email
 	sess.Name = arg.Name
 	sess.Provider = arg.Provider
 	sess.TotpPending = arg.TotpPending
 	sess.OAuthGroups = arg.OAuthGroups
 	sess.Expiry = arg.Expiry
 	sess.OAuthName = arg.OAuthName
 	sess.OAuthSub = arg.OAuthSub
 	s.sessions[arg.UUID] = sess
 	return sess, nil
 }
 func (s *Store) DeleteSession(_ context.Context, uuid string) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	delete(s.sessions, uuid)
 	return nil
 }
 func (s *Store) DeleteExpiredSessions(_ context.Context, expiry int64) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	for k, v := range s.sessions {
 		if v.Expiry < expiry {
 			delete(s.sessions, k)
 		}
 	}
 	return nil
 }
@@ -0,0 +1,27 @@
 // Package memory provides an in-memory implementation of repository.Store for use in tests.
 package memory
 import (
 	"sync"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 )
 // Store is a thread-safe in-memory implementation of repository.Store.
 type Store struct {
 	mu         sync.RWMutex
 	sessions   map[string]repository.Session
 	oidcCodes  map[string]repository.OidcCode
 	oidcTokens map[string]repository.OidcToken
 	oidcUsers  map[string]repository.OidcUserinfo
 }
 // New returns a new empty in-memory Store.
 func New() repository.Store {
 	return &Store{
 		sessions:   make(map[string]repository.Session),
 		oidcCodes:  make(map[string]repository.OidcCode),
 		oidcTokens: make(map[string]repository.OidcToken),
 		oidcUsers:  make(map[string]repository.OidcUserinfo),
 	}
 }
@@ -1,9 +1,22 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
 //   sqlc v1.30.0
 package repository
 // Shared model and parameter types for all storage drivers.
 // sqlc-generated driver packages use these via the conversion layer in their store.go.
 type Session struct {
 	UUID        string
 	Username    string
 	Email       string
 	Name        string
 	Provider    string
 	TotpPending bool
 	OAuthGroups string
 	Expiry      int64
 	CreatedAt   int64
 	OAuthName   string
 	OAuthSub    string
 }
 type OidcCode struct {
 	Sub           string
 	CodeHash      string
@@ -49,7 +62,7 @@ type OidcUserinfo struct {
 	Address           string
 }
-type Session struct {
+type CreateSessionParams struct {
 	UUID        string
 	Username    string
 	Email       string
@@ -62,3 +75,74 @@ type Session struct {
 	OAuthName   string
 	OAuthSub    string
 }
 type UpdateSessionParams struct {
 	Username    string
 	Email       string
 	Name        string
 	Provider    string
 	TotpPending bool
 	OAuthGroups string
 	Expiry      int64
 	OAuthName   string
 	OAuthSub    string
 	UUID        string
 }
 type CreateOidcCodeParams struct {
 	Sub           string
 	CodeHash      string
 	Scope         string
 	RedirectURI   string
 	ClientID      string
 	ExpiresAt     int64
 	Nonce         string
 	CodeChallenge string
 }
 type CreateOidcTokenParams struct {
 	Sub                   string
 	AccessTokenHash       string
 	RefreshTokenHash      string
 	Scope                 string
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	CodeHash              string
 	Nonce                 string
 }
 type UpdateOidcTokenByRefreshTokenParams struct {
 	AccessTokenHash       string
 	RefreshTokenHash      string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	RefreshTokenHash_2    string
 }
 type DeleteExpiredOidcTokensParams struct {
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 }
 type CreateOidcUserInfoParams struct {
 	Sub               string
 	Name              string
 	PreferredUsername string
 	Email             string
 	Groups            string
 	UpdatedAt         int64
 	GivenName         string
 	FamilyName        string
 	MiddleName        string
 	Nickname          string
 	Profile           string
 	Picture           string
 	Website           string
 	Gender            string
 	Birthdate         string
 	Zoneinfo          string
 	Locale            string
 	PhoneNumber       string
 	Address           string
 }
@@ -1,8 +1,8 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.1
-package repository
+package postgres
 import (
 	"context"
@@ -0,0 +1,3 @@
 package postgres
 //go:generate go run github.com/tinyauthapp/tinyauth/gen/sqlc-wrapper -pkg github.com/tinyauthapp/tinyauth/internal/repository/postgres
@@ -0,0 +1,64 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
 //   sqlc v1.31.1
 package postgres
 type OidcCode struct {
 	Sub           string
 	CodeHash      string
 	Scope         string
 	RedirectURI   string
 	ClientID      string
 	ExpiresAt     int64
 	Nonce         string
 	CodeChallenge string
 }
 type OidcToken struct {
 	Sub                   string
 	AccessTokenHash       string
 	RefreshTokenHash      string
 	CodeHash              string
 	Scope                 string
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	Nonce                 string
 }
 type OidcUserinfo struct {
 	Sub               string
 	Name              string
 	PreferredUsername string
 	Email             string
 	Groups            string
 	UpdatedAt         int64
 	GivenName         string
 	FamilyName        string
 	MiddleName        string
 	Nickname          string
 	Profile           string
 	Picture           string
 	Website           string
 	Gender            string
 	Birthdate         string
 	Zoneinfo          string
 	Locale            string
 	PhoneNumber       string
 	Address           string
 }
 type Session struct {
 	UUID        string
 	Username    string
 	Email       string
 	Name        string
 	Provider    string
 	TotpPending bool
 	OAuthGroups string
 	Expiry      int64
 	CreatedAt   int64
 	OAuthName   string
 	OAuthSub    string
 }
@@ -0,0 +1,581 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
 //   sqlc v1.31.1
 // source: oidc_queries.sql
 package postgres
 import (
 	"context"
 )
 const createOidcCode = `-- name: CreateOidcCode :one
 INSERT INTO "oidc_codes" (
    "sub",
    "code_hash",
    "scope",
    "redirect_uri",
    "client_id",
    "expires_at",
    "nonce",
    "code_challenge"
 ) VALUES (
    $1, $2, $3, $4, $5, $6, $7, $8
 )
 RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
 `
 type CreateOidcCodeParams struct {
 	Sub           string
 	CodeHash      string
 	Scope         string
 	RedirectURI   string
 	ClientID      string
 	ExpiresAt     int64
 	Nonce         string
 	CodeChallenge string
 }
 func (q *Queries) CreateOidcCode(ctx context.Context, arg CreateOidcCodeParams) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, createOidcCode,
 		arg.Sub,
 		arg.CodeHash,
 		arg.Scope,
 		arg.RedirectURI,
 		arg.ClientID,
 		arg.ExpiresAt,
 		arg.Nonce,
 		arg.CodeChallenge,
 	)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
 const createOidcToken = `-- name: CreateOidcToken :one
 INSERT INTO "oidc_tokens" (
    "sub",
    "access_token_hash",
    "refresh_token_hash",
    "scope",
    "client_id",
    "token_expires_at",
    "refresh_token_expires_at",
    "code_hash",
    "nonce"
 ) VALUES (
    $1, $2, $3, $4, $5, $6, $7, $8, $9
 )
 RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
 `
 type CreateOidcTokenParams struct {
 	Sub                   string
 	AccessTokenHash       string
 	RefreshTokenHash      string
 	Scope                 string
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	CodeHash              string
 	Nonce                 string
 }
 func (q *Queries) CreateOidcToken(ctx context.Context, arg CreateOidcTokenParams) (OidcToken, error) {
 	row := q.db.QueryRowContext(ctx, createOidcToken,
 		arg.Sub,
 		arg.AccessTokenHash,
 		arg.RefreshTokenHash,
 		arg.Scope,
 		arg.ClientID,
 		arg.TokenExpiresAt,
 		arg.RefreshTokenExpiresAt,
 		arg.CodeHash,
 		arg.Nonce,
 	)
 	var i OidcToken
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 	)
 	return i, err
 }
 const createOidcUserInfo = `-- name: CreateOidcUserInfo :one
 INSERT INTO "oidc_userinfo" (
    "sub",
    "name",
    "preferred_username",
    "email",
    "groups",
    "updated_at",
    "given_name",
    "family_name",
    "middle_name",
    "nickname",
    "profile",
    "picture",
    "website",
    "gender",
    "birthdate",
    "zoneinfo",
    "locale",
    "phone_number",
    "address"
 ) VALUES (
    $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19
 )
 RETURNING sub, name, preferred_username, email, groups, updated_at, given_name, family_name, middle_name, nickname, profile, picture, website, gender, birthdate, zoneinfo, locale, phone_number, address
 `
 type CreateOidcUserInfoParams struct {
 	Sub               string
 	Name              string
 	PreferredUsername string
 	Email             string
 	Groups            string
 	UpdatedAt         int64
 	GivenName         string
 	FamilyName        string
 	MiddleName        string
 	Nickname          string
 	Profile           string
 	Picture           string
 	Website           string
 	Gender            string
 	Birthdate         string
 	Zoneinfo          string
 	Locale            string
 	PhoneNumber       string
 	Address           string
 }
 func (q *Queries) CreateOidcUserInfo(ctx context.Context, arg CreateOidcUserInfoParams) (OidcUserinfo, error) {
 	row := q.db.QueryRowContext(ctx, createOidcUserInfo,
 		arg.Sub,
 		arg.Name,
 		arg.PreferredUsername,
 		arg.Email,
 		arg.Groups,
 		arg.UpdatedAt,
 		arg.GivenName,
 		arg.FamilyName,
 		arg.MiddleName,
 		arg.Nickname,
 		arg.Profile,
 		arg.Picture,
 		arg.Website,
 		arg.Gender,
 		arg.Birthdate,
 		arg.Zoneinfo,
 		arg.Locale,
 		arg.PhoneNumber,
 		arg.Address,
 	)
 	var i OidcUserinfo
 	err := row.Scan(
 		&i.Sub,
 		&i.Name,
 		&i.PreferredUsername,
 		&i.Email,
 		&i.Groups,
 		&i.UpdatedAt,
 		&i.GivenName,
 		&i.FamilyName,
 		&i.MiddleName,
 		&i.Nickname,
 		&i.Profile,
 		&i.Picture,
 		&i.Website,
 		&i.Gender,
 		&i.Birthdate,
 		&i.Zoneinfo,
 		&i.Locale,
 		&i.PhoneNumber,
 		&i.Address,
 	)
 	return i, err
 }
 const deleteExpiredOidcCodes = `-- name: DeleteExpiredOidcCodes :many
 DELETE FROM "oidc_codes"
 WHERE "expires_at" < $1
 RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
 `
 func (q *Queries) DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) ([]OidcCode, error) {
 	rows, err := q.db.QueryContext(ctx, deleteExpiredOidcCodes, expiresAt)
 	if err != nil {
 		return nil, err
 	}
 	defer rows.Close()
 	var items []OidcCode
 	for rows.Next() {
 		var i OidcCode
 		if err := rows.Scan(
 			&i.Sub,
 			&i.CodeHash,
 			&i.Scope,
 			&i.RedirectURI,
 			&i.ClientID,
 			&i.ExpiresAt,
 			&i.Nonce,
 			&i.CodeChallenge,
 		); err != nil {
 			return nil, err
 		}
 		items = append(items, i)
 	}
 	if err := rows.Close(); err != nil {
 		return nil, err
 	}
 	if err := rows.Err(); err != nil {
 		return nil, err
 	}
 	return items, nil
 }
 const deleteExpiredOidcTokens = `-- name: DeleteExpiredOidcTokens :many
 DELETE FROM "oidc_tokens"
 WHERE "token_expires_at" < $1 AND "refresh_token_expires_at" < $2
 RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
 `
 type DeleteExpiredOidcTokensParams struct {
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 }
 func (q *Queries) DeleteExpiredOidcTokens(ctx context.Context, arg DeleteExpiredOidcTokensParams) ([]OidcToken, error) {
 	rows, err := q.db.QueryContext(ctx, deleteExpiredOidcTokens, arg.TokenExpiresAt, arg.RefreshTokenExpiresAt)
 	if err != nil {
 		return nil, err
 	}
 	defer rows.Close()
 	var items []OidcToken
 	for rows.Next() {
 		var i OidcToken
 		if err := rows.Scan(
 			&i.Sub,
 			&i.AccessTokenHash,
 			&i.RefreshTokenHash,
 			&i.CodeHash,
 			&i.Scope,
 			&i.ClientID,
 			&i.TokenExpiresAt,
 			&i.RefreshTokenExpiresAt,
 			&i.Nonce,
 		); err != nil {
 			return nil, err
 		}
 		items = append(items, i)
 	}
 	if err := rows.Close(); err != nil {
 		return nil, err
 	}
 	if err := rows.Err(); err != nil {
 		return nil, err
 	}
 	return items, nil
 }
 const deleteOidcCode = `-- name: DeleteOidcCode :exec
 DELETE FROM "oidc_codes"
 WHERE "code_hash" = $1
 `
 func (q *Queries) DeleteOidcCode(ctx context.Context, codeHash string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcCode, codeHash)
 	return err
 }
 const deleteOidcCodeBySub = `-- name: DeleteOidcCodeBySub :exec
 DELETE FROM "oidc_codes"
 WHERE "sub" = $1
 `
 func (q *Queries) DeleteOidcCodeBySub(ctx context.Context, sub string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcCodeBySub, sub)
 	return err
 }
 const deleteOidcToken = `-- name: DeleteOidcToken :exec
 DELETE FROM "oidc_tokens"
 WHERE "access_token_hash" = $1
 `
 func (q *Queries) DeleteOidcToken(ctx context.Context, accessTokenHash string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcToken, accessTokenHash)
 	return err
 }
 const deleteOidcTokenByCodeHash = `-- name: DeleteOidcTokenByCodeHash :exec
 DELETE FROM "oidc_tokens"
 WHERE "code_hash" = $1
 `
 func (q *Queries) DeleteOidcTokenByCodeHash(ctx context.Context, codeHash string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcTokenByCodeHash, codeHash)
 	return err
 }
 const deleteOidcTokenBySub = `-- name: DeleteOidcTokenBySub :exec
 DELETE FROM "oidc_tokens"
 WHERE "sub" = $1
 `
 func (q *Queries) DeleteOidcTokenBySub(ctx context.Context, sub string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcTokenBySub, sub)
 	return err
 }
 const deleteOidcUserInfo = `-- name: DeleteOidcUserInfo :exec
 DELETE FROM "oidc_userinfo"
 WHERE "sub" = $1
 `
 func (q *Queries) DeleteOidcUserInfo(ctx context.Context, sub string) error {
 	_, err := q.db.ExecContext(ctx, deleteOidcUserInfo, sub)
 	return err
 }
 const getOidcCode = `-- name: GetOidcCode :one
 DELETE FROM "oidc_codes"
 WHERE "code_hash" = $1
 RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
 `
 func (q *Queries) GetOidcCode(ctx context.Context, codeHash string) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, getOidcCode, codeHash)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
 const getOidcCodeBySub = `-- name: GetOidcCodeBySub :one
 DELETE FROM "oidc_codes"
 WHERE "sub" = $1
 RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
 `
 func (q *Queries) GetOidcCodeBySub(ctx context.Context, sub string) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, getOidcCodeBySub, sub)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
 const getOidcCodeBySubUnsafe = `-- name: GetOidcCodeBySubUnsafe :one
 SELECT sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge FROM "oidc_codes"
 WHERE "sub" = $1
 `
 func (q *Queries) GetOidcCodeBySubUnsafe(ctx context.Context, sub string) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, getOidcCodeBySubUnsafe, sub)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
 const getOidcCodeUnsafe = `-- name: GetOidcCodeUnsafe :one
 SELECT sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge FROM "oidc_codes"
 WHERE "code_hash" = $1
 `
 func (q *Queries) GetOidcCodeUnsafe(ctx context.Context, codeHash string) (OidcCode, error) {
 	row := q.db.QueryRowContext(ctx, getOidcCodeUnsafe, codeHash)
 	var i OidcCode
 	err := row.Scan(
 		&i.Sub,
 		&i.CodeHash,
 		&i.Scope,
 		&i.RedirectURI,
 		&i.ClientID,
 		&i.ExpiresAt,
 		&i.Nonce,
 		&i.CodeChallenge,
 	)
 	return i, err
 }
 const getOidcToken = `-- name: GetOidcToken :one
 SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
 WHERE "access_token_hash" = $1
 `
 func (q *Queries) GetOidcToken(ctx context.Context, accessTokenHash string) (OidcToken, error) {
 	row := q.db.QueryRowContext(ctx, getOidcToken, accessTokenHash)
 	var i OidcToken
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 	)
 	return i, err
 }
 const getOidcTokenByRefreshToken = `-- name: GetOidcTokenByRefreshToken :one
 SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
 WHERE "refresh_token_hash" = $1
 `
 func (q *Queries) GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHash string) (OidcToken, error) {
 	row := q.db.QueryRowContext(ctx, getOidcTokenByRefreshToken, refreshTokenHash)
 	var i OidcToken
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 	)
 	return i, err
 }
 const getOidcTokenBySub = `-- name: GetOidcTokenBySub :one
 SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
 WHERE "sub" = $1
 `
 func (q *Queries) GetOidcTokenBySub(ctx context.Context, sub string) (OidcToken, error) {
 	row := q.db.QueryRowContext(ctx, getOidcTokenBySub, sub)
 	var i OidcToken
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 	)
 	return i, err
 }
 const getOidcUserInfo = `-- name: GetOidcUserInfo :one
 SELECT sub, name, preferred_username, email, groups, updated_at, given_name, family_name, middle_name, nickname, profile, picture, website, gender, birthdate, zoneinfo, locale, phone_number, address FROM "oidc_userinfo"
 WHERE "sub" = $1
 `
 func (q *Queries) GetOidcUserInfo(ctx context.Context, sub string) (OidcUserinfo, error) {
 	row := q.db.QueryRowContext(ctx, getOidcUserInfo, sub)
 	var i OidcUserinfo
 	err := row.Scan(
 		&i.Sub,
 		&i.Name,
 		&i.PreferredUsername,
 		&i.Email,
 		&i.Groups,
 		&i.UpdatedAt,
 		&i.GivenName,
 		&i.FamilyName,
 		&i.MiddleName,
 		&i.Nickname,
 		&i.Profile,
 		&i.Picture,
 		&i.Website,
 		&i.Gender,
 		&i.Birthdate,
 		&i.Zoneinfo,
 		&i.Locale,
 		&i.PhoneNumber,
 		&i.Address,
 	)
 	return i, err
 }
 const updateOidcTokenByRefreshToken = `-- name: UpdateOidcTokenByRefreshToken :one
 UPDATE "oidc_tokens" SET
    "access_token_hash"        = $1,
    "refresh_token_hash"       = $2,
    "token_expires_at"         = $3,
    "refresh_token_expires_at" = $4
 WHERE "refresh_token_hash" = $5
 RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
 `
 type UpdateOidcTokenByRefreshTokenParams struct {
 	AccessTokenHash       string
 	RefreshTokenHash      string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	RefreshTokenHash_2    string
 }
 func (q *Queries) UpdateOidcTokenByRefreshToken(ctx context.Context, arg UpdateOidcTokenByRefreshTokenParams) (OidcToken, error) {
 	row := q.db.QueryRowContext(ctx, updateOidcTokenByRefreshToken,
 		arg.AccessTokenHash,
 		arg.RefreshTokenHash,
 		arg.TokenExpiresAt,
 		arg.RefreshTokenExpiresAt,
 		arg.RefreshTokenHash_2,
 	)
 	var i OidcToken
 	err := row.Scan(
 		&i.Sub,
 		&i.AccessTokenHash,
 		&i.RefreshTokenHash,
 		&i.CodeHash,
 		&i.Scope,
 		&i.ClientID,
 		&i.TokenExpiresAt,
 		&i.RefreshTokenExpiresAt,
 		&i.Nonce,
 	)
 	return i, err
 }
@@ -0,0 +1,176 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
 //   sqlc v1.31.1
 // source: session_queries.sql
 package postgres
 import (
 	"context"
 )
 const createSession = `-- name: CreateSession :one
 INSERT INTO "sessions" (
    "uuid",
    "username",
    "email",
    "name",
    "provider",
    "totp_pending",
    "oauth_groups",
    "expiry",
    "created_at",
    "oauth_name",
    "oauth_sub"
 ) VALUES (
    $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11
 )
 RETURNING uuid, username, email, name, provider, totp_pending, oauth_groups, expiry, created_at, oauth_name, oauth_sub
 `
 type CreateSessionParams struct {
 	UUID        string
 	Username    string
 	Email       string
 	Name        string
 	Provider    string
 	TotpPending bool
 	OAuthGroups string
 	Expiry      int64
 	CreatedAt   int64
 	OAuthName   string
 	OAuthSub    string
 }
 func (q *Queries) CreateSession(ctx context.Context, arg CreateSessionParams) (Session, error) {
 	row := q.db.QueryRowContext(ctx, createSession,
 		arg.UUID,
 		arg.Username,
 		arg.Email,
 		arg.Name,
 		arg.Provider,
 		arg.TotpPending,
 		arg.OAuthGroups,
 		arg.Expiry,
 		arg.CreatedAt,
 		arg.OAuthName,
 		arg.OAuthSub,
 	)
 	var i Session
 	err := row.Scan(
 		&i.UUID,
 		&i.Username,
 		&i.Email,
 		&i.Name,
 		&i.Provider,
 		&i.TotpPending,
 		&i.OAuthGroups,
 		&i.Expiry,
 		&i.CreatedAt,
 		&i.OAuthName,
 		&i.OAuthSub,
 	)
 	return i, err
 }
 const deleteExpiredSessions = `-- name: DeleteExpiredSessions :exec
 DELETE FROM "sessions"
 WHERE "expiry" < $1
 `
 func (q *Queries) DeleteExpiredSessions(ctx context.Context, expiry int64) error {
 	_, err := q.db.ExecContext(ctx, deleteExpiredSessions, expiry)
 	return err
 }
 const deleteSession = `-- name: DeleteSession :exec
 DELETE FROM "sessions"
 WHERE "uuid" = $1
 `
 func (q *Queries) DeleteSession(ctx context.Context, uuid string) error {
 	_, err := q.db.ExecContext(ctx, deleteSession, uuid)
 	return err
 }
 const getSession = `-- name: GetSession :one
 SELECT uuid, username, email, name, provider, totp_pending, oauth_groups, expiry, created_at, oauth_name, oauth_sub FROM "sessions"
 WHERE "uuid" = $1
 `
 func (q *Queries) GetSession(ctx context.Context, uuid string) (Session, error) {
 	row := q.db.QueryRowContext(ctx, getSession, uuid)
 	var i Session
 	err := row.Scan(
 		&i.UUID,
 		&i.Username,
 		&i.Email,
 		&i.Name,
 		&i.Provider,
 		&i.TotpPending,
 		&i.OAuthGroups,
 		&i.Expiry,
 		&i.CreatedAt,
 		&i.OAuthName,
 		&i.OAuthSub,
 	)
 	return i, err
 }
 const updateSession = `-- name: UpdateSession :one
 UPDATE "sessions" SET
    "username"     = $1,
    "email"        = $2,
    "name"         = $3,
    "provider"     = $4,
    "totp_pending" = $5,
    "oauth_groups" = $6,
    "expiry"       = $7,
    "oauth_name"   = $8,
    "oauth_sub"    = $9
 WHERE "uuid" = $10
 RETURNING uuid, username, email, name, provider, totp_pending, oauth_groups, expiry, created_at, oauth_name, oauth_sub
 `
 type UpdateSessionParams struct {
 	Username    string
 	Email       string
 	Name        string
 	Provider    string
 	TotpPending bool
 	OAuthGroups string
 	Expiry      int64
 	OAuthName   string
 	OAuthSub    string
 	UUID        string
 }
 func (q *Queries) UpdateSession(ctx context.Context, arg UpdateSessionParams) (Session, error) {
 	row := q.db.QueryRowContext(ctx, updateSession,
 		arg.Username,
 		arg.Email,
 		arg.Name,
 		arg.Provider,
 		arg.TotpPending,
 		arg.OAuthGroups,
 		arg.Expiry,
 		arg.OAuthName,
 		arg.OAuthSub,
 		arg.UUID,
 	)
 	var i Session
 	err := row.Scan(
 		&i.UUID,
 		&i.Username,
 		&i.Email,
 		&i.Name,
 		&i.Provider,
 		&i.TotpPending,
 		&i.OAuthGroups,
 		&i.Expiry,
 		&i.CreatedAt,
 		&i.OAuthName,
 		&i.OAuthSub,
 	)
 	return i, err
 }
@@ -0,0 +1,209 @@
 // Code generated by cmd/gen/sqlc-wrapper. DO NOT EDIT.
 package postgres
 import (
 	"context"
 	"database/sql"
 	"errors"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 )
 // Store wraps *Queries and implements repository.Store.
 type Store struct {
 	q *Queries
 }
 // NewStore wraps a *Queries to satisfy repository.Store.
 func NewStore(q *Queries) repository.Store {
 	return &Store{q: q}
 }
 var errorMap = map[error]error{
 	sql.ErrNoRows: repository.ErrNotFound,
 }
 func mapErr(err error) error {
 	for from, to := range errorMap {
 		if errors.Is(err, from) {
 			return to
 		}
 	}
 	return err
 }
 func (s *Store) CreateOidcCode(ctx context.Context, arg repository.CreateOidcCodeParams) (repository.OidcCode, error) {
 	r, err := s.q.CreateOidcCode(ctx, CreateOidcCodeParams(arg))
 	if err != nil {
 		return repository.OidcCode{}, mapErr(err)
 	}
 	return repository.OidcCode(r), nil
 }
 func (s *Store) CreateOidcToken(ctx context.Context, arg repository.CreateOidcTokenParams) (repository.OidcToken, error) {
 	r, err := s.q.CreateOidcToken(ctx, CreateOidcTokenParams(arg))
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) CreateOidcUserInfo(ctx context.Context, arg repository.CreateOidcUserInfoParams) (repository.OidcUserinfo, error) {
 	r, err := s.q.CreateOidcUserInfo(ctx, CreateOidcUserInfoParams(arg))
 	if err != nil {
 		return repository.OidcUserinfo{}, mapErr(err)
 	}
 	return repository.OidcUserinfo(r), nil
 }
 func (s *Store) CreateSession(ctx context.Context, arg repository.CreateSessionParams) (repository.Session, error) {
 	r, err := s.q.CreateSession(ctx, CreateSessionParams(arg))
 	if err != nil {
 		return repository.Session{}, mapErr(err)
 	}
 	return repository.Session(r), nil
 }
 func (s *Store) DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) ([]repository.OidcCode, error) {
 	rows, err := s.q.DeleteExpiredOidcCodes(ctx, expiresAt)
 	if err != nil {
 		return nil, mapErr(err)
 	}
 	out := make([]repository.OidcCode, len(rows))
 	for i, row := range rows {
 		out[i] = repository.OidcCode(row)
 	}
 	return out, nil
 }
 func (s *Store) DeleteExpiredOidcTokens(ctx context.Context, arg repository.DeleteExpiredOidcTokensParams) ([]repository.OidcToken, error) {
 	rows, err := s.q.DeleteExpiredOidcTokens(ctx, DeleteExpiredOidcTokensParams(arg))
 	if err != nil {
 		return nil, mapErr(err)
 	}
 	out := make([]repository.OidcToken, len(rows))
 	for i, row := range rows {
 		out[i] = repository.OidcToken(row)
 	}
 	return out, nil
 }
 func (s *Store) DeleteExpiredSessions(ctx context.Context, expiry int64) error {
 	return mapErr(s.q.DeleteExpiredSessions(ctx, expiry))
 }
 func (s *Store) DeleteOidcCode(ctx context.Context, codeHash string) error {
 	return mapErr(s.q.DeleteOidcCode(ctx, codeHash))
 }
 func (s *Store) DeleteOidcCodeBySub(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOidcCodeBySub(ctx, sub))
 }
 func (s *Store) DeleteOidcToken(ctx context.Context, accessTokenHash string) error {
 	return mapErr(s.q.DeleteOidcToken(ctx, accessTokenHash))
 }
 func (s *Store) DeleteOidcTokenByCodeHash(ctx context.Context, codeHash string) error {
 	return mapErr(s.q.DeleteOidcTokenByCodeHash(ctx, codeHash))
 }
 func (s *Store) DeleteOidcTokenBySub(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOidcTokenBySub(ctx, sub))
 }
 func (s *Store) DeleteOidcUserInfo(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOidcUserInfo(ctx, sub))
 }
 func (s *Store) DeleteSession(ctx context.Context, uuid string) error {
 	return mapErr(s.q.DeleteSession(ctx, uuid))
 }
 func (s *Store) GetOidcCode(ctx context.Context, codeHash string) (repository.OidcCode, error) {
 	r, err := s.q.GetOidcCode(ctx, codeHash)
 	if err != nil {
 		return repository.OidcCode{}, mapErr(err)
 	}
 	return repository.OidcCode(r), nil
 }
 func (s *Store) GetOidcCodeBySub(ctx context.Context, sub string) (repository.OidcCode, error) {
 	r, err := s.q.GetOidcCodeBySub(ctx, sub)
 	if err != nil {
 		return repository.OidcCode{}, mapErr(err)
 	}
 	return repository.OidcCode(r), nil
 }
 func (s *Store) GetOidcCodeBySubUnsafe(ctx context.Context, sub string) (repository.OidcCode, error) {
 	r, err := s.q.GetOidcCodeBySubUnsafe(ctx, sub)
 	if err != nil {
 		return repository.OidcCode{}, mapErr(err)
 	}
 	return repository.OidcCode(r), nil
 }
 func (s *Store) GetOidcCodeUnsafe(ctx context.Context, codeHash string) (repository.OidcCode, error) {
 	r, err := s.q.GetOidcCodeUnsafe(ctx, codeHash)
 	if err != nil {
 		return repository.OidcCode{}, mapErr(err)
 	}
 	return repository.OidcCode(r), nil
 }
 func (s *Store) GetOidcToken(ctx context.Context, accessTokenHash string) (repository.OidcToken, error) {
 	r, err := s.q.GetOidcToken(ctx, accessTokenHash)
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHash string) (repository.OidcToken, error) {
 	r, err := s.q.GetOidcTokenByRefreshToken(ctx, refreshTokenHash)
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) GetOidcTokenBySub(ctx context.Context, sub string) (repository.OidcToken, error) {
 	r, err := s.q.GetOidcTokenBySub(ctx, sub)
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) GetOidcUserInfo(ctx context.Context, sub string) (repository.OidcUserinfo, error) {
 	r, err := s.q.GetOidcUserInfo(ctx, sub)
 	if err != nil {
 		return repository.OidcUserinfo{}, mapErr(err)
 	}
 	return repository.OidcUserinfo(r), nil
 }
 func (s *Store) GetSession(ctx context.Context, uuid string) (repository.Session, error) {
 	r, err := s.q.GetSession(ctx, uuid)
 	if err != nil {
 		return repository.Session{}, mapErr(err)
 	}
 	return repository.Session(r), nil
 }
 func (s *Store) UpdateOidcTokenByRefreshToken(ctx context.Context, arg repository.UpdateOidcTokenByRefreshTokenParams) (repository.OidcToken, error) {
 	r, err := s.q.UpdateOidcTokenByRefreshToken(ctx, UpdateOidcTokenByRefreshTokenParams(arg))
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) UpdateSession(ctx context.Context, arg repository.UpdateSessionParams) (repository.Session, error) {
 	r, err := s.q.UpdateSession(ctx, UpdateSessionParams(arg))
 	if err != nil {
 		return repository.Session{}, mapErr(err)
 	}
 	return repository.Session(r), nil
 }
@@ -0,0 +1,31 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
 //   sqlc v1.31.1
 package sqlite
 import (
 	"context"
 	"database/sql"
 )
 type DBTX interface {
 	ExecContext(context.Context, string, ...interface{}) (sql.Result, error)
 	PrepareContext(context.Context, string) (*sql.Stmt, error)
 	QueryContext(context.Context, string, ...interface{}) (*sql.Rows, error)
 	QueryRowContext(context.Context, string, ...interface{}) *sql.Row
 }
 func New(db DBTX) *Queries {
 	return &Queries{db: db}
 }
 type Queries struct {
 	db DBTX
 }
 func (q *Queries) WithTx(tx *sql.Tx) *Queries {
 	return &Queries{
 		db: tx,
 	}
 }
@@ -0,0 +1,3 @@
 package sqlite
 //go:generate go run github.com/tinyauthapp/tinyauth/gen/sqlc-wrapper -pkg github.com/tinyauthapp/tinyauth/internal/repository/sqlite
@@ -0,0 +1,64 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
 //   sqlc v1.31.1
 package sqlite
 type OidcCode struct {
 	Sub           string
 	CodeHash      string
 	Scope         string
 	RedirectURI   string
 	ClientID      string
 	ExpiresAt     int64
 	Nonce         string
 	CodeChallenge string
 }
 type OidcToken struct {
 	Sub                   string
 	AccessTokenHash       string
 	RefreshTokenHash      string
 	CodeHash              string
 	Scope                 string
 	ClientID              string
 	TokenExpiresAt        int64
 	RefreshTokenExpiresAt int64
 	Nonce                 string
 }
 type OidcUserinfo struct {
 	Sub               string
 	Name              string
 	PreferredUsername string
 	Email             string
 	Groups            string
 	UpdatedAt         int64
 	GivenName         string
 	FamilyName        string
 	MiddleName        string
 	Nickname          string
 	Profile           string
 	Picture           string
 	Website           string
 	Gender            string
 	Birthdate         string
 	Zoneinfo          string
 	Locale            string
 	PhoneNumber       string
 	Address           string
 }
 type Session struct {
 	UUID        string
 	Username    string
 	Email       string
 	Name        string
 	Provider    string
 	TotpPending bool
 	OAuthGroups string
 	Expiry      int64
 	CreatedAt   int64
 	OAuthName   string
 	OAuthSub    string
 }
@@ -1,9 +1,9 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.1
 // source: oidc_queries.sql
-package repository
+package sqlite
 import (
 	"context"
@@ -1,9 +1,9 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.1
 // source: session_queries.sql
-package repository
+package sqlite
 import (
 	"context"
@@ -0,0 +1,209 @@
 // Code generated by cmd/gen/sqlc-wrapper. DO NOT EDIT.
 package sqlite
 import (
 	"context"
 	"database/sql"
 	"errors"
 	"github.com/tinyauthapp/tinyauth/internal/repository"
 )
 // Store wraps *Queries and implements repository.Store.
 type Store struct {
 	q *Queries
 }
 // NewStore wraps a *Queries to satisfy repository.Store.
 func NewStore(q *Queries) repository.Store {
 	return &Store{q: q}
 }
 var errorMap = map[error]error{
 	sql.ErrNoRows: repository.ErrNotFound,
 }
 func mapErr(err error) error {
 	for from, to := range errorMap {
 		if errors.Is(err, from) {
 			return to
 		}
 	}
 	return err
 }
 func (s *Store) CreateOidcCode(ctx context.Context, arg repository.CreateOidcCodeParams) (repository.OidcCode, error) {
 	r, err := s.q.CreateOidcCode(ctx, CreateOidcCodeParams(arg))
 	if err != nil {
 		return repository.OidcCode{}, mapErr(err)
 	}
 	return repository.OidcCode(r), nil
 }
 func (s *Store) CreateOidcToken(ctx context.Context, arg repository.CreateOidcTokenParams) (repository.OidcToken, error) {
 	r, err := s.q.CreateOidcToken(ctx, CreateOidcTokenParams(arg))
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) CreateOidcUserInfo(ctx context.Context, arg repository.CreateOidcUserInfoParams) (repository.OidcUserinfo, error) {
 	r, err := s.q.CreateOidcUserInfo(ctx, CreateOidcUserInfoParams(arg))
 	if err != nil {
 		return repository.OidcUserinfo{}, mapErr(err)
 	}
 	return repository.OidcUserinfo(r), nil
 }
 func (s *Store) CreateSession(ctx context.Context, arg repository.CreateSessionParams) (repository.Session, error) {
 	r, err := s.q.CreateSession(ctx, CreateSessionParams(arg))
 	if err != nil {
 		return repository.Session{}, mapErr(err)
 	}
 	return repository.Session(r), nil
 }
 func (s *Store) DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) ([]repository.OidcCode, error) {
 	rows, err := s.q.DeleteExpiredOidcCodes(ctx, expiresAt)
 	if err != nil {
 		return nil, mapErr(err)
 	}
 	out := make([]repository.OidcCode, len(rows))
 	for i, row := range rows {
 		out[i] = repository.OidcCode(row)
 	}
 	return out, nil
 }
 func (s *Store) DeleteExpiredOidcTokens(ctx context.Context, arg repository.DeleteExpiredOidcTokensParams) ([]repository.OidcToken, error) {
 	rows, err := s.q.DeleteExpiredOidcTokens(ctx, DeleteExpiredOidcTokensParams(arg))
 	if err != nil {
 		return nil, mapErr(err)
 	}
 	out := make([]repository.OidcToken, len(rows))
 	for i, row := range rows {
 		out[i] = repository.OidcToken(row)
 	}
 	return out, nil
 }
 func (s *Store) DeleteExpiredSessions(ctx context.Context, expiry int64) error {
 	return mapErr(s.q.DeleteExpiredSessions(ctx, expiry))
 }
 func (s *Store) DeleteOidcCode(ctx context.Context, codeHash string) error {
 	return mapErr(s.q.DeleteOidcCode(ctx, codeHash))
 }
 func (s *Store) DeleteOidcCodeBySub(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOidcCodeBySub(ctx, sub))
 }
 func (s *Store) DeleteOidcToken(ctx context.Context, accessTokenHash string) error {
 	return mapErr(s.q.DeleteOidcToken(ctx, accessTokenHash))
 }
 func (s *Store) DeleteOidcTokenByCodeHash(ctx context.Context, codeHash string) error {
 	return mapErr(s.q.DeleteOidcTokenByCodeHash(ctx, codeHash))
 }
 func (s *Store) DeleteOidcTokenBySub(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOidcTokenBySub(ctx, sub))
 }
 func (s *Store) DeleteOidcUserInfo(ctx context.Context, sub string) error {
 	return mapErr(s.q.DeleteOidcUserInfo(ctx, sub))
 }
 func (s *Store) DeleteSession(ctx context.Context, uuid string) error {
 	return mapErr(s.q.DeleteSession(ctx, uuid))
 }
 func (s *Store) GetOidcCode(ctx context.Context, codeHash string) (repository.OidcCode, error) {
 	r, err := s.q.GetOidcCode(ctx, codeHash)
 	if err != nil {
 		return repository.OidcCode{}, mapErr(err)
 	}
 	return repository.OidcCode(r), nil
 }
 func (s *Store) GetOidcCodeBySub(ctx context.Context, sub string) (repository.OidcCode, error) {
 	r, err := s.q.GetOidcCodeBySub(ctx, sub)
 	if err != nil {
 		return repository.OidcCode{}, mapErr(err)
 	}
 	return repository.OidcCode(r), nil
 }
 func (s *Store) GetOidcCodeBySubUnsafe(ctx context.Context, sub string) (repository.OidcCode, error) {
 	r, err := s.q.GetOidcCodeBySubUnsafe(ctx, sub)
 	if err != nil {
 		return repository.OidcCode{}, mapErr(err)
 	}
 	return repository.OidcCode(r), nil
 }
 func (s *Store) GetOidcCodeUnsafe(ctx context.Context, codeHash string) (repository.OidcCode, error) {
 	r, err := s.q.GetOidcCodeUnsafe(ctx, codeHash)
 	if err != nil {
 		return repository.OidcCode{}, mapErr(err)
 	}
 	return repository.OidcCode(r), nil
 }
 func (s *Store) GetOidcToken(ctx context.Context, accessTokenHash string) (repository.OidcToken, error) {
 	r, err := s.q.GetOidcToken(ctx, accessTokenHash)
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHash string) (repository.OidcToken, error) {
 	r, err := s.q.GetOidcTokenByRefreshToken(ctx, refreshTokenHash)
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) GetOidcTokenBySub(ctx context.Context, sub string) (repository.OidcToken, error) {
 	r, err := s.q.GetOidcTokenBySub(ctx, sub)
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) GetOidcUserInfo(ctx context.Context, sub string) (repository.OidcUserinfo, error) {
 	r, err := s.q.GetOidcUserInfo(ctx, sub)
 	if err != nil {
 		return repository.OidcUserinfo{}, mapErr(err)
 	}
 	return repository.OidcUserinfo(r), nil
 }
 func (s *Store) GetSession(ctx context.Context, uuid string) (repository.Session, error) {
 	r, err := s.q.GetSession(ctx, uuid)
 	if err != nil {
 		return repository.Session{}, mapErr(err)
 	}
 	return repository.Session(r), nil
 }
 func (s *Store) UpdateOidcTokenByRefreshToken(ctx context.Context, arg repository.UpdateOidcTokenByRefreshTokenParams) (repository.OidcToken, error) {
 	r, err := s.q.UpdateOidcTokenByRefreshToken(ctx, UpdateOidcTokenByRefreshTokenParams(arg))
 	if err != nil {
 		return repository.OidcToken{}, mapErr(err)
 	}
 	return repository.OidcToken(r), nil
 }
 func (s *Store) UpdateSession(ctx context.Context, arg repository.UpdateSessionParams) (repository.Session, error) {
 	r, err := s.q.UpdateSession(ctx, UpdateSessionParams(arg))
 	if err != nil {
 		return repository.Session{}, mapErr(err)
 	}
 	return repository.Session(r), nil
 }
@@ -0,0 +1,47 @@
 package repository
 import (
 	"context"
 	"errors"
 )
 // ErrNotFound is returned by Store methods when the requested record does not exist.
 var ErrNotFound = errors.New("not found")
 // Store is the interface that all storage drivers must implement.
 // The sqlc-generated *Queries struct satisfies this interface for SQLite.
 // Future drivers (postgres, etc.) must return the shared types defined in this package.
 type Store interface {
 	// Sessions
 	CreateSession(ctx context.Context, arg CreateSessionParams) (Session, error)
 	GetSession(ctx context.Context, uuid string) (Session, error)
 	UpdateSession(ctx context.Context, arg UpdateSessionParams) (Session, error)
 	DeleteSession(ctx context.Context, uuid string) error
 	DeleteExpiredSessions(ctx context.Context, expiry int64) error
 	// OIDC codes
 	CreateOidcCode(ctx context.Context, arg CreateOidcCodeParams) (OidcCode, error)
 	GetOidcCode(ctx context.Context, codeHash string) (OidcCode, error)
 	GetOidcCodeBySub(ctx context.Context, sub string) (OidcCode, error)
 	GetOidcCodeUnsafe(ctx context.Context, codeHash string) (OidcCode, error)
 	GetOidcCodeBySubUnsafe(ctx context.Context, sub string) (OidcCode, error)
 	DeleteOidcCode(ctx context.Context, codeHash string) error
 	DeleteOidcCodeBySub(ctx context.Context, sub string) error
 	DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) ([]OidcCode, error)
 	// OIDC tokens
 	CreateOidcToken(ctx context.Context, arg CreateOidcTokenParams) (OidcToken, error)
 	GetOidcToken(ctx context.Context, accessTokenHash string) (OidcToken, error)
 	GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHash string) (OidcToken, error)
 	GetOidcTokenBySub(ctx context.Context, sub string) (OidcToken, error)
 	UpdateOidcTokenByRefreshToken(ctx context.Context, arg UpdateOidcTokenByRefreshTokenParams) (OidcToken, error)
 	DeleteOidcToken(ctx context.Context, accessTokenHash string) error
 	DeleteOidcTokenBySub(ctx context.Context, sub string) error
 	DeleteOidcTokenByCodeHash(ctx context.Context, codeHash string) error
 	DeleteExpiredOidcTokens(ctx context.Context, arg DeleteExpiredOidcTokensParams) ([]OidcToken, error)
 	// OIDC userinfo
 	CreateOidcUserInfo(ctx context.Context, arg CreateOidcUserInfoParams) (OidcUserinfo, error)
 	GetOidcUserInfo(ctx context.Context, sub string) (OidcUserinfo, error)
 	DeleteOidcUserInfo(ctx context.Context, sub string) error
 }
@@ -0,0 +1,286 @@
 package service
 import (
 	"regexp"
 	"strings"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 // For LDAP and OAuth groups and IP allow/deny, we default to allow even with a deny policy.
 // This is because we can't force the user to use groups in LDAP and OAuth if they would like to use
 // a deny policy. As for IP checks, we can't reliably get the client IP (most of Tinyauth instances are
 // behind a Docker bridge network) so to make it easier for users to use a deny policy without
 // issues with IPs we allow by default.
 type RuleName string
 const (
 	RuleUserAllowed RuleName = "rule-user-allowed"
 	RuleOAuthGroup  RuleName = "rule-oauth-group"
 	RuleLDAPGroup   RuleName = "rule-ldap-group"
 	RuleAuthEnabled RuleName = "rule-auth-enabled"
 	RuleIPAllowed   RuleName = "rule-ip-allowed"
 	RuleIPBypassed  RuleName = "rule-ip-bypassed"
 )
 type UserAllowedRule struct {
 	Log *logger.Logger
 }
 func (rule *UserAllowedRule) Evaluate(ctx *ACLContext) Effect {
 	if ctx.UserContext == nil {
 		return EffectDeny
 	}
 	if ctx.ACLs == nil {
 		return EffectAbstain
 	}
 	if ctx.UserContext.Provider == model.ProviderOAuth {
 		rule.Log.App.Debug().Msg("User is an OAuth user, checking OAuth whitelist")
 		match, err := utils.CheckFilter(ctx.ACLs.OAuth.Whitelist, ctx.UserContext.OAuth.Email)
 		if err != nil {
 			rule.Log.App.Warn().Err(err).Str("item", ctx.UserContext.OAuth.Email).Msg("Invalid entry in OAuth whitelist")
 			return EffectDeny
 		}
 		if match {
 			rule.Log.App.Debug().Str("email", ctx.UserContext.OAuth.Email).Msg("User is in OAuth whitelist, allowing access")
 			return EffectAllow
 		}
 		return EffectDeny
 	}
 	if ctx.ACLs.Users.Block != "" {
 		rule.Log.App.Debug().Msg("Checking users block list")
 		match, err := utils.CheckFilter(ctx.ACLs.Users.Block, ctx.UserContext.GetUsername())
 		if err != nil {
 			rule.Log.App.Warn().Err(err).Str("item", ctx.UserContext.GetUsername()).Msg("Invalid entry in users block list")
 			return EffectDeny
 		}
 		if match {
 			rule.Log.App.Debug().Str("username", ctx.UserContext.GetUsername()).Msg("User is in users block list, denying access")
 			return EffectDeny
 		}
 		return EffectAllow
 	}
 	rule.Log.App.Debug().Msg("Checking users allow list")
 	match, err := utils.CheckFilter(ctx.ACLs.Users.Allow, ctx.UserContext.GetUsername())
 	if err != nil {
 		if err == utils.ErrFilterEmpty {
 			return EffectAbstain
 		}
 		rule.Log.App.Warn().Err(err).Str("item", ctx.UserContext.GetUsername()).Msg("Invalid entry in users allow list")
 		return EffectDeny
 	}
 	if match {
 		rule.Log.App.Debug().Str("username", ctx.UserContext.GetUsername()).Msg("User is in users allow list, allowing access")
 		return EffectAllow
 	}
 	rule.Log.App.Debug().Str("username", ctx.UserContext.GetUsername()).Msg("User is not in users allow list, denying access")
 	return EffectDeny
 }
 type OAuthGroupRule struct {
 	Log *logger.Logger
 }
 func (rule *OAuthGroupRule) Evaluate(ctx *ACLContext) Effect {
 	if ctx.UserContext == nil {
 		return EffectDeny
 	}
 	if ctx.ACLs == nil {
 		return EffectAllow
 	}
 	if !ctx.UserContext.IsOAuth() {
 		rule.Log.App.Debug().Msg("User is not an OAuth user, skipping OAuth group check")
 		return EffectAllow
 	}
 	if len(ctx.ACLs.OAuth.Groups) == 0 {
 		rule.Log.App.Debug().Msg("No OAuth groups specified in ACLs, allowing access")
 		return EffectAllow
 	}
 	if _, ok := model.OverrideProviders[ctx.UserContext.OAuth.ID]; ok {
 		rule.Log.App.Debug().Str("provider", ctx.UserContext.OAuth.ID).Msg("Provider override detected, skipping group check")
 		return EffectAllow
 	}
 	for _, group := range ctx.UserContext.OAuth.Groups {
 		match, err := utils.CheckFilter(ctx.ACLs.OAuth.Groups, strings.TrimSpace(group))
 		if err != nil {
 			rule.Log.App.Warn().Err(err).Str("item", group).Msg("Invalid entry in OAuth groups ACL")
 			return EffectDeny
 		}
 		if match {
 			rule.Log.App.Trace().Str("group", group).Str("required", ctx.ACLs.OAuth.Groups).Msg("User group matched, allowing access")
 			return EffectAllow
 		}
 	}
 	rule.Log.App.Debug().Msg("No groups matched")
 	return EffectDeny
 }
 type LDAPGroupRule struct {
 	Log *logger.Logger
 }
 func (rule *LDAPGroupRule) Evaluate(ctx *ACLContext) Effect {
 	if ctx.UserContext == nil {
 		return EffectDeny
 	}
 	if ctx.ACLs == nil {
 		return EffectAllow
 	}
 	if !ctx.UserContext.IsLDAP() {
 		rule.Log.App.Debug().Msg("User is not an LDAP user, skipping LDAP group check")
 		return EffectAllow
 	}
 	if len(ctx.ACLs.LDAP.Groups) == 0 {
 		rule.Log.App.Debug().Msg("No LDAP groups specified in ACLs, allowing access")
 		return EffectAllow
 	}
 	for _, group := range ctx.UserContext.LDAP.Groups {
 		match, err := utils.CheckFilter(ctx.ACLs.LDAP.Groups, strings.TrimSpace(group))
 		if err != nil {
 			rule.Log.App.Warn().Err(err).Str("item", group).Msg("Invalid entry in LDAP groups ACL")
 			return EffectDeny
 		}
 		if match {
 			rule.Log.App.Trace().Str("group", group).Str("required", ctx.ACLs.LDAP.Groups).Msg("User group matched, allowing access")
 			return EffectAllow
 		}
 	}
 	rule.Log.App.Debug().Msg("No groups matched")
 	return EffectDeny
 }
 type AuthEnabledRule struct {
 	Log *logger.Logger
 }
 func (rule *AuthEnabledRule) Evaluate(ctx *ACLContext) Effect {
 	if ctx.ACLs == nil {
 		return EffectDeny
 	}
 	if ctx.ACLs.Path.Block != "" {
 		regex, err := regexp.Compile(ctx.ACLs.Path.Block)
 		if err != nil {
 			rule.Log.App.Error().Err(err).Msg("Failed to compile block regex")
 			return EffectDeny
 		}
 		if !regex.MatchString(ctx.Path) {
 			return EffectAllow
 		}
 	}
 	if ctx.ACLs.Path.Allow != "" {
 		regex, err := regexp.Compile(ctx.ACLs.Path.Allow)
 		if err != nil {
 			rule.Log.App.Error().Err(err).Msg("Failed to compile allow regex")
 			return EffectDeny
 		}
 		if regex.MatchString(ctx.Path) {
 			return EffectAllow
 		}
 	}
 	return EffectDeny
 }
 type IPAllowedRule struct {
 	Log    *logger.Logger
 	Config model.Config
 }
 func (rule *IPAllowedRule) Evaluate(ctx *ACLContext) Effect {
 	// merge global and per-app block/allow lists
 	blockedIps := append([]string{}, rule.Config.Auth.IP.Block...)
 	allowedIPs := append([]string{}, rule.Config.Auth.IP.Allow...)
 	if ctx.ACLs != nil {
 		blockedIps = append(blockedIps, ctx.ACLs.IP.Block...)
 		allowedIPs = append(allowedIPs, ctx.ACLs.IP.Allow...)
 	}
 	for _, blocked := range blockedIps {
 		match, err := utils.CheckIPFilter(blocked, ctx.IP.String())
 		if err != nil {
 			rule.Log.App.Warn().Err(err).Str("item", blocked).Msg("Invalid IP/CIDR in block list")
 			continue
 		}
 		if match {
 			rule.Log.App.Debug().Str("ip", ctx.IP.String()).Str("item", blocked).Msg("IP is in block list, denying access")
 			return EffectDeny
 		}
 	}
 	for _, allowed := range allowedIPs {
 		match, err := utils.CheckIPFilter(allowed, ctx.IP.String())
 		if err != nil {
 			rule.Log.App.Warn().Err(err).Str("item", allowed).Msg("Invalid IP/CIDR in allow list")
 			continue
 		}
 		if match {
 			rule.Log.App.Debug().Str("ip", ctx.IP.String()).Str("item", allowed).Msg("IP is in allow list, allowing access")
 			return EffectAllow
 		}
 	}
 	if len(allowedIPs) > 0 {
 		rule.Log.App.Debug().Str("ip", ctx.IP.String()).Msg("IP not in allow list, denying access")
 		return EffectDeny
 	}
 	rule.Log.App.Debug().Str("ip", ctx.IP.String()).Msg("IP not in block or allow list, allowing access")
 	return EffectAllow
 }
 type IPBypassedRule struct {
 	Log    *logger.Logger
 	Config model.Config
 }
 func (rule *IPBypassedRule) Evaluate(ctx *ACLContext) Effect {
 	// merge global and per-app bypass lists
 	bypassList := append([]string{}, rule.Config.Auth.IP.Bypass...)
 	if ctx.ACLs != nil {
 		bypassList = append(bypassList, ctx.ACLs.IP.Bypass...)
 	}
 	for _, bypassed := range bypassList {
 		match, err := utils.CheckIPFilter(bypassed, ctx.IP.String())
 		if err != nil {
 			rule.Log.App.Warn().Err(err).Str("item", bypassed).Msg("Invalid IP/CIDR in bypass list")
 			continue
 		}
 		if match {
 			rule.Log.App.Debug().Str("ip", ctx.IP.String()).Str("item", bypassed).Msg("IP is in bypass list, skipping authentication")
 			return EffectAllow
 		}
 	}
 	rule.Log.App.Debug().Str("ip", ctx.IP.String()).Msg("IP not in bypass list, proceeding with authentication")
 	return EffectDeny
 }
@@ -0,0 +1,836 @@
 package service
 import (
 	"net"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/utils/logger"
 )
 func TestUserAllowedRule(t *testing.T) {
 	log := logger.NewLogger().WithTestConfig()
 	log.Init()
 	rule := &UserAllowedRule{Log: log}
 	tests := []struct {
 		name     string
 		ctx      *ACLContext
 		expected Effect
 	}{
 		{
 			name: "denies when user context is nil",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					OAuth: model.AppOAuth{Whitelist: "alice"},
 				},
 				UserContext: nil,
 			},
 			expected: EffectDeny,
 		},
 		{
 			name: "abstains when ACLs are nil",
 			ctx: &ACLContext{
 				ACLs: nil,
 				UserContext: &model.UserContext{
 					Provider: model.ProviderLocal,
 					Local: &model.LocalContext{
 						BaseContext: model.BaseContext{Username: "alice"},
 					},
 				},
 			},
 			expected: EffectAbstain,
 		},
 		{
 			name: "allows OAuth user when email matches whitelist",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					OAuth: model.AppOAuth{Whitelist: "allowed@example.com"},
 				},
 				UserContext: &model.UserContext{
 					Provider: model.ProviderOAuth,
 					OAuth: &model.OAuthContext{
 						BaseContext: model.BaseContext{
 							Username: "different-username",
 							Email:    "allowed@example.com",
 						},
 					},
 				},
 			},
 			expected: EffectAllow,
 		},
 		{
 			name: "denies OAuth user when email does not match whitelist",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					OAuth: model.AppOAuth{Whitelist: "allowed@example.com"},
 				},
 				UserContext: &model.UserContext{
 					Provider: model.ProviderOAuth,
 					OAuth: &model.OAuthContext{
 						BaseContext: model.BaseContext{Email: "denied@example.com"},
 					},
 				},
 			},
 			expected: EffectDeny,
 		},
 		{
 			name: "denies for OAuth user when whitelist filter is invalid",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					OAuth: model.AppOAuth{Whitelist: "/[/"},
 				},
 				UserContext: &model.UserContext{
 					Provider: model.ProviderOAuth,
 					OAuth: &model.OAuthContext{
 						BaseContext: model.BaseContext{Email: "allowed@example.com"},
 					},
 				},
 			},
 			expected: EffectDeny,
 		},
 		{
 			name: "denies local user when username matches block list",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					Users: model.AppUsers{Block: "alice,bob"},
 				},
 				UserContext: &model.UserContext{
 					Provider: model.ProviderLocal,
 					Local: &model.LocalContext{
 						BaseContext: model.BaseContext{Username: "alice"},
 					},
 				},
 			},
 			expected: EffectDeny,
 		},
 		{
 			name: "allows local user when username does not match block list",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					Users: model.AppUsers{Block: "alice,bob"},
 				},
 				UserContext: &model.UserContext{
 					Provider: model.ProviderLocal,
 					Local: &model.LocalContext{
 						BaseContext: model.BaseContext{Username: "charlie"},
 					},
 				},
 			},
 			expected: EffectAllow,
 		},
 		{
 			name: "denies when block list filter is invalid",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					Users: model.AppUsers{Block: "/[/"},
 				},
 				UserContext: &model.UserContext{
 					Provider: model.ProviderLocal,
 					Local: &model.LocalContext{
 						BaseContext: model.BaseContext{Username: "alice"},
 					},
 				},
 			},
 			expected: EffectDeny,
 		},
 		{
 			name: "abstains when allow list is empty",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					Users: model.AppUsers{Allow: ""},
 				},
 				UserContext: &model.UserContext{
 					Provider: model.ProviderLocal,
 					Local: &model.LocalContext{
 						BaseContext: model.BaseContext{Username: "alice"},
 					},
 				},
 			},
 			expected: EffectAbstain,
 		},
 		{
 			name: "allows local user when username matches allow list",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					Users: model.AppUsers{Allow: "alice,bob"},
 				},
 				UserContext: &model.UserContext{
 					Provider: model.ProviderLocal,
 					Local: &model.LocalContext{
 						BaseContext: model.BaseContext{Username: "alice"},
 					},
 				},
 			},
 			expected: EffectAllow,
 		},
 		{
 			name: "denies local user when username does not match allow list",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					Users: model.AppUsers{Allow: "alice,bob"},
 				},
 				UserContext: &model.UserContext{
 					Provider: model.ProviderLocal,
 					Local: &model.LocalContext{
 						BaseContext: model.BaseContext{Username: "charlie"},
 					},
 				},
 			},
 			expected: EffectDeny,
 		},
 		{
 			name: "denies when allow list filter is invalid",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					Users: model.AppUsers{Allow: "/[/"},
 				},
 				UserContext: &model.UserContext{
 					Provider: model.ProviderLocal,
 					Local: &model.LocalContext{
 						BaseContext: model.BaseContext{Username: "alice"},
 					},
 				},
 			},
 			expected: EffectDeny,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			assert.Equal(t, tt.expected, rule.Evaluate(tt.ctx))
 		})
 	}
 }
 func TestOAuthGroupRule(t *testing.T) {
 	log := logger.NewLogger().WithTestConfig()
 	log.Init()
 	rule := &OAuthGroupRule{Log: log}
 	tests := []struct {
 		name     string
 		ctx      *ACLContext
 		expected Effect
 	}{
 		{
 			name: "denies when user context is nil",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					OAuth: model.AppOAuth{Whitelist: "alice"},
 				},
 				UserContext: nil,
 			},
 			expected: EffectDeny,
 		},
 		{
 			name: "allows when ACLs are nil",
 			ctx: &ACLContext{
 				ACLs: nil,
 				UserContext: &model.UserContext{
 					Provider: model.ProviderOAuth,
 					OAuth: &model.OAuthContext{
 						Groups: []string{"admins"},
 					},
 				},
 			},
 			expected: EffectAllow,
 		},
 		{
 			name: "allows when user is not OAuth",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					OAuth: model.AppOAuth{Groups: "admins"},
 				},
 				UserContext: &model.UserContext{
 					Provider: model.ProviderLocal,
 					Local: &model.LocalContext{
 						BaseContext: model.BaseContext{Username: "alice"},
 					},
 				},
 			},
 			expected: EffectAllow,
 		},
 		{
 			name: "allows when group filter is empty",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					OAuth: model.AppOAuth{Groups: ""},
 				},
 				UserContext: &model.UserContext{
 					Provider: model.ProviderOAuth,
 					OAuth: &model.OAuthContext{
 						BaseContext: model.BaseContext{Username: "alice"},
 					},
 				},
 			},
 			expected: EffectAllow,
 		},
 		{
 			name: "allows when provider is an override provider regardless of groups",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					OAuth: model.AppOAuth{Groups: "admins"},
 				},
 				UserContext: &model.UserContext{
 					Provider: model.ProviderOAuth,
 					OAuth: &model.OAuthContext{
 						ID:     "google",
 						Groups: []string{"unrelated"},
 					},
 				},
 			},
 			expected: EffectAllow,
 		},
 		{
 			name: "allows OAuth user when a group matches",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					OAuth: model.AppOAuth{Groups: "admins,users"},
 				},
 				UserContext: &model.UserContext{
 					Provider: model.ProviderOAuth,
 					OAuth: &model.OAuthContext{
 						ID:     "custom",
 						Groups: []string{"users"},
 					},
 				},
 			},
 			expected: EffectAllow,
 		},
 		{
 			name: "denies OAuth user when no group matches",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					OAuth: model.AppOAuth{Groups: "admins"},
 				},
 				UserContext: &model.UserContext{
 					Provider: model.ProviderOAuth,
 					OAuth: &model.OAuthContext{
 						ID:     "custom",
 						Groups: []string{"users", "guests"},
 					},
 				},
 			},
 			expected: EffectDeny,
 		},
 		{
 			name: "denies OAuth user when user has no groups",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					OAuth: model.AppOAuth{Groups: "admins"},
 				},
 				UserContext: &model.UserContext{
 					Provider: model.ProviderOAuth,
 					OAuth: &model.OAuthContext{
 						ID:     "custom",
 						Groups: nil,
 					},
 				},
 			},
 			expected: EffectDeny,
 		},
 		{
 			name: "denies when groups filter is invalid",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					OAuth: model.AppOAuth{Groups: "/[/"},
 				},
 				UserContext: &model.UserContext{
 					Provider: model.ProviderOAuth,
 					OAuth: &model.OAuthContext{
 						ID:     "custom",
 						Groups: []string{"admins"},
 					},
 				},
 			},
 			expected: EffectDeny,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			assert.Equal(t, tt.expected, rule.Evaluate(tt.ctx))
 		})
 	}
 }
 func TestLDAPGroupRule(t *testing.T) {
 	log := logger.NewLogger().WithTestConfig()
 	log.Init()
 	rule := &LDAPGroupRule{Log: log}
 	tests := []struct {
 		name     string
 		ctx      *ACLContext
 		expected Effect
 	}{
 		{
 			name: "denies when user context is nil",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					OAuth: model.AppOAuth{Whitelist: "alice"},
 				},
 				UserContext: nil,
 			},
 			expected: EffectDeny,
 		},
 		{
 			name: "allows when acls are nil",
 			ctx: &ACLContext{
 				ACLs: nil,
 				UserContext: &model.UserContext{
 					Provider: model.ProviderLocal,
 					Local: &model.LocalContext{
 						BaseContext: model.BaseContext{Username: "alice"},
 					},
 				},
 			},
 			expected: EffectAllow,
 		},
 		{
 			name: "allows when user is not LDAP",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					LDAP: model.AppLDAP{Groups: "admins"},
 				},
 				UserContext: &model.UserContext{
 					Provider: model.ProviderLocal,
 					Local: &model.LocalContext{
 						BaseContext: model.BaseContext{Username: "alice"},
 					},
 				},
 			},
 			expected: EffectAllow,
 		},
 		{
 			name: "allows when group filter is empty",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					LDAP: model.AppLDAP{Groups: ""},
 				},
 				UserContext: &model.UserContext{
 					Provider: model.ProviderLDAP,
 					LDAP: &model.LDAPContext{
 						BaseContext: model.BaseContext{Username: "alice"},
 					},
 				},
 			},
 			expected: EffectAllow,
 		},
 		{
 			name: "allows LDAP user when a group matches",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					LDAP: model.AppLDAP{Groups: "admins,users"},
 				},
 				UserContext: &model.UserContext{
 					Provider: model.ProviderLDAP,
 					LDAP: &model.LDAPContext{
 						Groups: []string{"users"},
 					},
 				},
 			},
 			expected: EffectAllow,
 		},
 		{
 			name: "denies LDAP user when no group matches",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					LDAP: model.AppLDAP{Groups: "admins"},
 				},
 				UserContext: &model.UserContext{
 					Provider: model.ProviderLDAP,
 					LDAP: &model.LDAPContext{
 						Groups: []string{"users", "guests"},
 					},
 				},
 			},
 			expected: EffectDeny,
 		},
 		{
 			name: "denies LDAP user when user has no groups",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					LDAP: model.AppLDAP{Groups: "admins"},
 				},
 				UserContext: &model.UserContext{
 					Provider: model.ProviderLDAP,
 					LDAP: &model.LDAPContext{
 						Groups: nil,
 					},
 				},
 			},
 			expected: EffectDeny,
 		},
 		{
 			name: "denies when groups filter is invalid",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					LDAP: model.AppLDAP{Groups: "/[/"},
 				},
 				UserContext: &model.UserContext{
 					Provider: model.ProviderLDAP,
 					LDAP: &model.LDAPContext{
 						Groups: []string{"admins"},
 					},
 				},
 			},
 			expected: EffectDeny,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			assert.Equal(t, tt.expected, rule.Evaluate(tt.ctx))
 		})
 	}
 }
 func TestAuthEnabledRule(t *testing.T) {
 	log := logger.NewLogger().WithTestConfig()
 	log.Init()
 	rule := &AuthEnabledRule{Log: log}
 	tests := []struct {
 		name     string
 		ctx      *ACLContext
 		expected Effect
 	}{
 		{
 			name: "deny when ACLs are nil",
 			ctx: &ACLContext{
 				ACLs: nil,
 				Path: "/anything",
 			},
 			expected: EffectDeny,
 		},
 		{
 			name: "allows when path does not match block regex",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					Path: model.AppPath{Block: "^/admin"},
 				},
 				Path: "/public",
 			},
 			expected: EffectAllow,
 		},
 		{
 			name: "denies when path matches block regex and no allow regex",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					Path: model.AppPath{Block: "^/admin"},
 				},
 				Path: "/admin/users",
 			},
 			expected: EffectDeny,
 		},
 		{
 			name: "allows when path matches allow regex",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					Path: model.AppPath{Allow: "^/public"},
 				},
 				Path: "/public/index",
 			},
 			expected: EffectAllow,
 		},
 		{
 			name: "denies when path does not match allow regex",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					Path: model.AppPath{Allow: "^/public"},
 				},
 				Path: "/private",
 			},
 			expected: EffectDeny,
 		},
 		{
 			name: "allows when blocked path is also explicitly allowed",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					Path: model.AppPath{
 						Block: "^/admin",
 						Allow: "^/admin/public",
 					},
 				},
 				Path: "/admin/public/page",
 			},
 			expected: EffectAllow,
 		},
 		{
 			name: "denies when block regex fails to compile",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					Path: model.AppPath{Block: "[invalid"},
 				},
 				Path: "/anything",
 			},
 			expected: EffectDeny,
 		},
 		{
 			name: "denies when allow regex fails to compile",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					Path: model.AppPath{Allow: "[invalid"},
 				},
 				Path: "/anything",
 			},
 			expected: EffectDeny,
 		},
 		{
 			name: "denies when no path rules are configured",
 			ctx: &ACLContext{
 				ACLs: &model.App{},
 				Path: "/anything",
 			},
 			expected: EffectDeny,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			assert.Equal(t, tt.expected, rule.Evaluate(tt.ctx))
 		})
 	}
 }
 func TestIPAllowedRule(t *testing.T) {
 	log := logger.NewLogger().WithTestConfig()
 	log.Init()
 	tests := []struct {
 		name     string
 		config   model.Config
 		ctx      *ACLContext
 		expected Effect
 	}{
 		{
 			name: "allows when ACLs are nil and no global lists configured",
 			ctx: &ACLContext{
 				ACLs: nil,
 				IP:   net.ParseIP("10.0.0.1"),
 			},
 			expected: EffectAllow,
 		},
 		{
 			name: "denies when IP matches app block list",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					IP: model.AppIP{Block: []string{"10.0.0.1"}},
 				},
 				IP: net.ParseIP("10.0.0.1"),
 			},
 			expected: EffectDeny,
 		},
 		{
 			name: "denies when IP matches global block list",
 			config: model.Config{
 				Auth: model.AuthConfig{
 					IP: model.IPConfig{Block: []string{"10.0.0.0/24"}},
 				},
 			},
 			ctx: &ACLContext{
 				ACLs: &model.App{},
 				IP:   net.ParseIP("10.0.0.5"),
 			},
 			expected: EffectDeny,
 		},
 		{
 			name: "allows when IP matches app allow list",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					IP: model.AppIP{Allow: []string{"192.168.1.0/24"}},
 				},
 				IP: net.ParseIP("192.168.1.10"),
 			},
 			expected: EffectAllow,
 		},
 		{
 			name: "allows when IP matches global allow list",
 			config: model.Config{
 				Auth: model.AuthConfig{
 					IP: model.IPConfig{Allow: []string{"192.168.1.10"}},
 				},
 			},
 			ctx: &ACLContext{
 				ACLs: &model.App{},
 				IP:   net.ParseIP("192.168.1.10"),
 			},
 			expected: EffectAllow,
 		},
 		{
 			name: "denies when allow list is set and IP does not match",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					IP: model.AppIP{Allow: []string{"192.168.1.0/24"}},
 				},
 				IP: net.ParseIP("10.0.0.1"),
 			},
 			expected: EffectDeny,
 		},
 		{
 			name: "allows when no block or allow lists are configured",
 			ctx: &ACLContext{
 				ACLs: &model.App{},
 				IP:   net.ParseIP("10.0.0.1"),
 			},
 			expected: EffectAllow,
 		},
 		{
 			name: "block list takes precedence over allow list",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					IP: model.AppIP{
 						Block: []string{"10.0.0.1"},
 						Allow: []string{"10.0.0.1"},
 					},
 				},
 				IP: net.ParseIP("10.0.0.1"),
 			},
 			expected: EffectDeny,
 		},
 		{
 			name: "skips invalid block entries and continues evaluation",
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					IP: model.AppIP{
 						Block: []string{"not-an-ip"},
 						Allow: []string{"10.0.0.1"},
 					},
 				},
 				IP: net.ParseIP("10.0.0.1"),
 			},
 			expected: EffectAllow,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			rule := &IPAllowedRule{Log: log, Config: tt.config}
 			assert.Equal(t, tt.expected, rule.Evaluate(tt.ctx))
 		})
 	}
 }
 func TestIPBypassedRule(t *testing.T) {
 	log := logger.NewLogger().WithTestConfig()
 	log.Init()
 	defaultIPBR := &IPBypassedRule{Log: log}
 	globBypassIPBR := &IPBypassedRule{
 		Log:    log,
 		Config: model.Config{Auth: model.AuthConfig{IP: model.IPConfig{Bypass: []string{"10.0.0.0/24"}}}},
 	}
 	tests := []struct {
 		name     string
 		rule     *IPBypassedRule
 		ctx      *ACLContext
 		expected Effect
 	}{
 		{
 			name: "deny when ACLs are nil and no global bypass",
 			rule: defaultIPBR,
 			ctx: &ACLContext{
 				ACLs: nil,
 				IP:   net.ParseIP("10.0.0.1"),
 			},
 			expected: EffectDeny,
 		},
 		{
 			name: "allows when ACLs are nil but IP matches global bypass",
 			rule: globBypassIPBR,
 			ctx: &ACLContext{
 				ACLs: nil,
 				IP:   net.ParseIP("10.0.0.5"),
 			},
 			expected: EffectAllow,
 		},
 		{
 			name: "denies when ACLs are nil and IP does not match global bypass",
 			rule: globBypassIPBR,
 			ctx: &ACLContext{
 				ACLs: nil,
 				IP:   net.ParseIP("192.168.1.1"),
 			},
 			expected: EffectDeny,
 		},
 		{
 			name: "allows when IP matches per-app bypass but not global bypass",
 			rule: defaultIPBR,
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					IP: model.AppIP{Bypass: []string{"10.0.0.0/24"}},
 				},
 				IP: net.ParseIP("10.0.0.5"),
 			},
 			expected: EffectAllow,
 		},
 		{
 			name: "allows when IP matches global bypass but not per-app bypass",
 			rule: globBypassIPBR,
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					IP: model.AppIP{Bypass: []string{"172.16.0.0/24"}},
 				},
 				IP: net.ParseIP("10.0.0.5"),
 			},
 			expected: EffectAllow,
 		},
 		{
 			name: "allows when IP matches bypass list",
 			rule: defaultIPBR,
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					IP: model.AppIP{Bypass: []string{"10.0.0.0/24"}},
 				},
 				IP: net.ParseIP("10.0.0.5"),
 			},
 			expected: EffectAllow,
 		},
 		{
 			name: "denies when IP does not match bypass list",
 			rule: defaultIPBR,
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					IP: model.AppIP{Bypass: []string{"10.0.0.0/24"}},
 				},
 				IP: net.ParseIP("192.168.1.1"),
 			},
 			expected: EffectDeny,
 		},
 		{
 			name: "denies when bypass list is empty",
 			rule: defaultIPBR,
 			ctx: &ACLContext{
 				ACLs: &model.App{},
 				IP:   net.ParseIP("10.0.0.1"),
 			},
 			expected: EffectDeny,
 		},
 		{
 			name: "skips invalid bypass entries and allows on later match",
 			rule: defaultIPBR,
 			ctx: &ACLContext{
 				ACLs: &model.App{
 					IP: model.AppIP{Bypass: []string{"not-an-ip", "10.0.0.1"}},
 				},
 				IP: net.ParseIP("10.0.0.1"),
 			},
 			expected: EffectAllow,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			assert.Equal(t, tt.expected, tt.rule.Evaluate(tt.ctx))
 		})
 	}
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Stavros	dac844595d	refactor: use new cache store in services (#912 )	2026-05-31 18:55:06 +03:00
Stavros	940ba6dff7	fix: don't allow tagged devices in tailscale integration	2026-05-31 12:42:00 +03:00
Stavros	faee58ca8e	feat: use ding for ordered go routine shutdown order (#896 )	2026-05-27 12:46:28 +03:00
Stavros	e9b8ca3cf8	fix: cleanup acl logic to match stable one	2026-05-27 12:11:17 +03:00
Stavros	f2c4e7932d	chore: include debug symbols in nightly images (#908 )	2026-05-27 11:43:43 +03:00
Stavros	4538922caf	refactor: simplify error handling in oidc authorize handler (#907 )	2026-05-27 11:27:10 +03:00
Stavros	672db84200	feat: make config file a stable feature (#897 )	2026-05-27 11:26:09 +03:00
Scott McKendry	359000f731	feat(db): add postgresql support (#892 )	2026-05-26 00:08:59 +03:00
Stavros	0a3e7bf265	fix: use policy engine in oauth whitelist check (#904 )	2026-05-26 00:07:46 +03:00
Puneet Dixit	c3461131f5	feat: support provider-specific OAuth whitelists (#882 ) Co-authored-by: Puneet Dixit <236133619+puneetdixit200@users.noreply.github.com>	2026-05-24 20:18:33 +03:00
Stavros	3f584ca741	New Crowdin updates (#798 )	2026-05-24 19:16:29 +03:00
dependabot[bot]	36d0ffc2b5	chore(deps): bump sqlc-dev/setup-sqlc from 4 to 5 (#880 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-24 19:14:15 +03:00
dependabot[bot]	37b79735f0	chore(deps): bump the minor-patch group across 1 directory with 6 updates (#881 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-24 19:13:53 +03:00
dependabot[bot]	09540fbe6e	chore(deps): bump docker/build-push-action from 7.1.0 to 7.2.0 (#891 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-24 19:13:15 +03:00
dependabot[bot]	8e60a2e28e	chore(deps): bump codecov/codecov-action from 6.0.0 to 6.0.1 (#879 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-24 19:12:51 +03:00
dependabot[bot]	9619024c37	chore(deps): bump github/codeql-action from 4.35.4 to 4.35.5 (#871 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-24 19:12:20 +03:00
dependabot[bot]	1c305bacca	chore(deps): bump node from 26.1-alpine3.23 to 26.2-alpine3.23 (#883 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-24 19:11:55 +03:00
Scott McKendry	e532cde2b6	fix: potential nil pointer dereferences (#893 )	2026-05-24 17:23:48 +03:00
Stavros	2737a25227	fix: don't point to nil local users in bootstrap app	2026-05-23 20:24:54 +03:00
Scott McKendry	7aa25210f5	feat(config): allow global bypass by ip (#889 )	2026-05-23 19:58:48 +03:00
Stavros	55bef72639	fix: ensure domain defined in acls is included in host rules (#884 )	2026-05-23 17:13:41 +03:00
Stavros	ae17bd3b66	fix: do not log user context not found errors in proxy controller	2026-05-23 16:43:03 +03:00
Scott McKendry	8849d7e00f	fix(frontend): tailscale prompt on every login (#888 )	2026-05-21 21:02:46 +03:00
Stavros	c9e90547d4	chore: change project license to AGPL (#876 )	2026-05-21 12:16:57 +03:00
Stavros	3194f4b987	chore: remove stale error from tailscale service	2026-05-20 23:04:38 +03:00
Stavros	9b50670925	fix: handle panics in tailscale service	2026-05-20 23:01:14 +03:00
Stavros	1166a15aa7	feat: tailscale integration (#847 )	2026-05-20 20:10:38 +03:00
Stavros	c855f9b8ac	feat: add support for deny by default access controls (#852 )	2026-05-19 18:07:55 +03:00
Scott McKendry	a56c349525	refactor(db): use new store interface (#831 )	2026-05-18 22:33:09 +03:00
Stavros	8b4ba23328	chore: remove stale bot	2026-05-18 14:32:50 +03:00
Stavros	8932f2ad46	feat: ensure public key pairs with private key in oidc service	2026-05-16 20:43:50 +03:00
Stavros	482ba9d99f	fix: use yml instead of yaml files for issue templates	2026-05-16 20:27:48 +03:00
Stavros	1bcd1bb59a	fix: fix feature request template and allow blank issues	2026-05-16 20:24:11 +03:00
Stavros	5349f21212	fix: use loaded public key in oidc service, fixes #860	2026-05-16 17:09:21 +03:00
Dreddy	e8071a9d80	fix: bug fixes for issues #859 , 860, 861, 862, 863, 864, 865, 866 (#867 ) Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>	2026-05-16 17:04:01 +03:00
Ryc O'Chet	1f67797605	Update templates to use forms (#872 )	2026-05-16 17:01:18 +03:00
Stavros	ca06099466	tests: fix tests for proxy controller	2026-05-15 18:43:18 +03:00
Stavros	d4b4245017	chore: revert `4c741a5` and use 403 for acl errors	2026-05-15 18:39:12 +03:00
Stavros	4c741a5990	fix: use 401 errors instead of 403 for nginx responses	2026-05-15 18:12:15 +03:00
Stavros	def539a40f	refactor: replace bun with pnpm (#870 )	2026-05-15 14:43:51 +03:00
Dreddy	e6b291d21c	docs: enhance security policy with reporting guidelines (#868 )	2026-05-14 00:08:48 +03:00
Stavros	086e3af4e2	chore: add deepsec to gitignore	2026-05-13 19:11:39 +03:00
Dreddy	f9fff24ca5	fix: oidc open redirect (#854 )	2026-05-13 17:34:39 +03:00
Ilyas	a9eac7edd2	fix(ldap): pass through LDAP mail attribute instead of crafting email (#834 ) * fix(ldap): pass through LDAP mail attribute instead of crafting email TinyAuth was constructing LDAP user emails as username@CookieDomain instead of using the mail attribute stored in the directory. This caused OIDC clients like Grafana to receive a synthetic email rather than the real one. Rename GetUserDN to GetUserInfo and extend it to also fetch the mail attribute in the same LDAP query. Thread the result through UserSearch and use it in both the login flow and the basic auth middleware, falling back to the crafted email only when LDAP returns no mail value. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * chore: add ldap email logic back after main merge --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: Stavros <steveiliop56@gmail.com>	2026-05-11 15:40:15 +03:00
dependabot[bot]	a6351790c3	chore(deps): bump github/codeql-action from 4.35.3 to 4.35.4 (#842 ) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.3 to 4.35.4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/e46ed2cbd01164d986452f91f178727624ae40d7...68bde559dea0fdcac2102bfdf6230c5f70eb485e) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-10 16:36:01 +03:00
		`@@ -0,0 +1,3 @@`
							`package postgres`

							`//go:generate go run github.com/tinyauthapp/tinyauth/gen/sqlc-wrapper -pkg github.com/tinyauthapp/tinyauth/internal/repository/postgres`
		`@@ -0,0 +1,3 @@`
							`package sqlite`

							`//go:generate go run github.com/tinyauthapp/tinyauth/gen/sqlc-wrapper -pkg github.com/tinyauthapp/tinyauth/internal/repository/sqlite`