From 2039492baffce52fa88f24cd157e55b1def17030 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Filip=20=C5=9Al=C4=99zak?= <fslezak@teonite.com>
Date: Thu, 26 Feb 2026 12:58:37 +0100
Subject: [PATCH 01/15] initial migration commit

---
 crates/defguard/src/main.rs                   |  6 +-
 .../src/db/models/migration_wizard.rs         | 66 +++++++++++++
 crates/defguard_core/src/db/models/mod.rs     |  1 +
 crates/defguard_core/src/handlers/mod.rs      |  1 +
 crates/defguard_core/src/handlers/wizard.rs   | 63 ++++++++++++
 crates/defguard_core/src/lib.rs               |  6 ++
 crates/defguard_setup/src/db/mod.rs           |  1 +
 crates/defguard_setup/src/db/models/mod.rs    |  1 +
 .../src/db/models/wizard_flags.rs             | 98 +++++++++++++++++++
 .../initial_wizard.rs}                        |  0
 crates/defguard_setup/src/handlers/mod.rs     |  1 +
 crates/defguard_setup/src/lib.rs              |  1 +
 crates/defguard_setup/src/setup.rs            | 11 ++-
 ...25142454_[2.0.0]_migration_wizard.down.sql |  1 +
 ...0225142454_[2.0.0]_migration_wizard.up.sql | 11 +++
 15 files changed, 264 insertions(+), 4 deletions(-)
 create mode 100644 crates/defguard_core/src/db/models/migration_wizard.rs
 create mode 100644 crates/defguard_core/src/handlers/wizard.rs
 create mode 100644 crates/defguard_setup/src/db/mod.rs
 create mode 100644 crates/defguard_setup/src/db/models/mod.rs
 create mode 100644 crates/defguard_setup/src/db/models/wizard_flags.rs
 rename crates/defguard_setup/src/{handlers.rs => handlers/initial_wizard.rs} (100%)
 create mode 100644 crates/defguard_setup/src/handlers/mod.rs
 create mode 100644 migrations/20260225142454_[2.0.0]_migration_wizard.down.sql
 create mode 100644 migrations/20260225142454_[2.0.0]_migration_wizard.up.sql

diff --git a/crates/defguard/src/main.rs b/crates/defguard/src/main.rs
index b4287f01d..855d0b284 100644
--- a/crates/defguard/src/main.rs
+++ b/crates/defguard/src/main.rs
@@ -33,7 +33,7 @@ use defguard_event_router::{RouterReceiverSet, run_event_router};
 use defguard_gateway_manager::{GatewayManager, GatewayTxSet};
 use defguard_proxy_manager::{ProxyManager, ProxyTxSet};
 use defguard_session_manager::{events::SessionManagerEvent, run_session_manager};
-use defguard_setup::setup::run_setup_web_server;
+use defguard_setup::{db::models::wizard_flags::WizardFlags, setup::run_setup_web_server};
 use defguard_vpn_stats_purge::run_periodic_stats_purge;
 use secrecy::ExposeSecret;
 use tokio::sync::{
@@ -94,13 +94,15 @@ async fn main() -> Result<(), anyhow::Error> {
         info!("Using HMAC OpenID signing key");
     }
 
+    let wizard_flags = WizardFlags::init(&pool).await?;
+
     // initialize default settings
     Settings::init_defaults(&pool).await?;
     // initialize global settings struct
     initialize_current_settings(&pool).await?;
     let mut settings = Settings::get_current_settings();
 
-    if !settings.initial_setup_completed {
+    if wizard_flags.initial_wizard_in_progress && !wizard_flags.initial_wizard_completed {
         if let Err(err) =
             run_setup_web_server(pool.clone(), config.http_bind_address, config.http_port).await
         {
diff --git a/crates/defguard_core/src/db/models/migration_wizard.rs b/crates/defguard_core/src/db/models/migration_wizard.rs
new file mode 100644
index 000000000..a41a9c2bf
--- /dev/null
+++ b/crates/defguard_core/src/db/models/migration_wizard.rs
@@ -0,0 +1,66 @@
+use serde::{Deserialize, Serialize};
+use sqlx::PgExecutor;
+
+#[derive(Serialize, Deserialize, Debug, Default)]
+pub(crate) enum MigrationWizardStep {
+    #[default]
+    Welcome,
+    GeneralConfiguration,
+    CertificateAuthority,
+    CertificateSummary,
+    EdgeComponent,
+    EdgeComponentAdaptation,
+    Confirmation,
+    LocationMigration,
+}
+
+#[derive(Serialize, Deserialize, Debug)]
+pub struct MigrationWizardLocationState {
+    pub(crate) locations: Vec<i64>,
+    pub(crate) current_location: i64,
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+pub struct MigrationWizardState {
+    pub location_state: Option<MigrationWizardLocationState>,
+}
+
+impl MigrationWizardState {
+    pub(crate) async fn get<'e, E>(executor: E) -> Result<Option<Self>, sqlx::Error>
+    where
+        E: PgExecutor<'e>,
+    {
+        let state: Option<serde_json::Value> = sqlx::query_scalar(
+            "SELECT migration_wizard_state
+             FROM wizard
+             LIMIT 1",
+        )
+        .fetch_optional(executor)
+        .await?
+        .flatten();
+
+        state
+            .map(serde_json::from_value)
+            .transpose()
+            .map_err(|error| sqlx::Error::Decode(Box::new(error)))
+    }
+
+    pub(crate) async fn save<'e, E>(&self, executor: E) -> Result<(), sqlx::Error>
+    where
+        E: PgExecutor<'e>,
+    {
+        let state =
+            serde_json::to_value(self).map_err(|error| sqlx::Error::Decode(Box::new(error)))?;
+
+        sqlx::query(
+            "UPDATE wizard
+             SET migration_wizard_state = $1
+             WHERE is_singleton = TRUE",
+        )
+        .bind(state)
+        .execute(executor)
+        .await?;
+
+        Ok(())
+    }
+}
diff --git a/crates/defguard_core/src/db/models/mod.rs b/crates/defguard_core/src/db/models/mod.rs
index b6efe1b57..7daf2d4ff 100644
--- a/crates/defguard_core/src/db/models/mod.rs
+++ b/crates/defguard_core/src/db/models/mod.rs
@@ -1,3 +1,4 @@
 pub mod activity_log;
 pub mod enrollment;
+pub mod migration_wizard;
 pub mod webhook;
diff --git a/crates/defguard_core/src/handlers/mod.rs b/crates/defguard_core/src/handlers/mod.rs
index b530532ab..f711d482b 100644
--- a/crates/defguard_core/src/handlers/mod.rs
+++ b/crates/defguard_core/src/handlers/mod.rs
@@ -50,6 +50,7 @@ pub(crate) mod updates;
 pub mod user;
 pub(crate) mod webhooks;
 pub mod wireguard;
+pub(crate) mod wizard;
 pub mod worker;
 pub(crate) mod yubikey;
 
diff --git a/crates/defguard_core/src/handlers/wizard.rs b/crates/defguard_core/src/handlers/wizard.rs
new file mode 100644
index 000000000..c8c71c75f
--- /dev/null
+++ b/crates/defguard_core/src/handlers/wizard.rs
@@ -0,0 +1,63 @@
+use axum::{Json, extract::State, http::StatusCode};
+use serde::{Deserialize, Serialize};
+use serde_json::json;
+use sqlx::FromRow;
+
+use super::{ApiResponse, ApiResult};
+use crate::{
+    appstate::AppState, auth::AdminRole, db::models::migration_wizard::MigrationWizardState,
+};
+
+#[derive(Debug, Serialize, Deserialize, FromRow)]
+pub(crate) struct WizardFlags {
+    pub migration_wizard_needed: bool,
+    pub migration_wizard_in_progress: bool,
+    pub migration_wizard_completed: bool,
+    pub initial_wizard_completed: bool,
+    pub initial_wizard_in_progress: bool,
+}
+
+pub(crate) async fn get_wizard_flags(
+    _role: AdminRole,
+    State(appstate): State<AppState>,
+) -> ApiResult {
+    let flags = sqlx::query_as!(
+        WizardFlags,
+        "SELECT
+            migration_wizard_needed,
+            migration_wizard_in_progress,
+            migration_wizard_completed,
+            initial_wizard_completed,
+            initial_wizard_in_progress
+         FROM wizard
+         LIMIT 1"
+    )
+    .fetch_one(&appstate.pool)
+    .await?;
+
+    Ok(ApiResponse::json(flags, StatusCode::OK))
+}
+
+pub(crate) async fn get_migration_wizard_state(
+    _role: AdminRole,
+    State(appstate): State<AppState>,
+) -> ApiResult {
+    let migration_state = MigrationWizardState::get(&appstate.pool).await?;
+
+    Ok(ApiResponse::new(
+        json!({
+            "migration_state": migration_state
+        }),
+        StatusCode::OK,
+    ))
+}
+
+pub(crate) async fn update_migration_wizard_state(
+    _role: AdminRole,
+    State(appstate): State<AppState>,
+    Json(data): Json<MigrationWizardState>,
+) -> ApiResult {
+    data.save(&appstate.pool).await?;
+
+    Ok(ApiResponse::new(json!({}), StatusCode::OK))
+}
diff --git a/crates/defguard_core/src/lib.rs b/crates/defguard_core/src/lib.rs
index bc6ae24ca..a5c0cd882 100644
--- a/crates/defguard_core/src/lib.rs
+++ b/crates/defguard_core/src/lib.rs
@@ -49,6 +49,7 @@ use handlers::{
     },
     updates::check_new_version,
     wireguard::all_gateways_status,
+    wizard::{get_migration_wizard_state, get_wizard_flags, update_migration_wizard_state},
     yubikey::{delete_yubikey, rename_yubikey},
 };
 use ipnetwork::IpNetwork;
@@ -239,6 +240,11 @@ pub fn build_webapp(
             .route("/ssh_authorized_keys", get(get_authorized_keys))
             .route("/api-docs", get(openapi))
             .route("/updates", get(check_new_version))
+            .route("/wizard", get(get_wizard_flags))
+            .route(
+                "/wizard/migration",
+                get(get_migration_wizard_state).put(update_migration_wizard_state),
+            )
             // /auth
             .route("/auth", post(authenticate))
             .route("/auth/logout", post(logout))
diff --git a/crates/defguard_setup/src/db/mod.rs b/crates/defguard_setup/src/db/mod.rs
new file mode 100644
index 000000000..c446ac883
--- /dev/null
+++ b/crates/defguard_setup/src/db/mod.rs
@@ -0,0 +1 @@
+pub mod models;
diff --git a/crates/defguard_setup/src/db/models/mod.rs b/crates/defguard_setup/src/db/models/mod.rs
new file mode 100644
index 000000000..2efc7e284
--- /dev/null
+++ b/crates/defguard_setup/src/db/models/mod.rs
@@ -0,0 +1 @@
+pub mod wizard_flags;
diff --git a/crates/defguard_setup/src/db/models/wizard_flags.rs b/crates/defguard_setup/src/db/models/wizard_flags.rs
new file mode 100644
index 000000000..24f2e8f34
--- /dev/null
+++ b/crates/defguard_setup/src/db/models/wizard_flags.rs
@@ -0,0 +1,98 @@
+use sqlx::{PgExecutor, prelude::FromRow};
+
+#[derive(Debug, FromRow)]
+pub struct WizardFlags {
+    pub migration_wizard_needed: bool,
+    pub migration_wizard_in_progress: bool,
+    pub migration_wizard_completed: bool,
+    pub initial_wizard_completed: bool,
+    pub initial_wizard_in_progress: bool,
+}
+
+impl WizardFlags {
+    pub async fn save<'e, E>(&self, executor: E) -> Result<(), sqlx::Error>
+    where
+        E: PgExecutor<'e>,
+    {
+        sqlx::query(
+            "UPDATE wizard
+             SET
+                migration_wizard_needed = $1,
+                     migration_wizard_in_progress = $2,
+                     migration_wizard_completed = $3,
+                     initial_wizard_in_progress = $4,
+                     initial_wizard_completed = $5
+             WHERE is_singleton = TRUE",
+        )
+        .bind(self.migration_wizard_needed)
+        .bind(self.migration_wizard_in_progress)
+        .bind(self.migration_wizard_completed)
+        .bind(self.initial_wizard_in_progress)
+        .bind(self.initial_wizard_completed)
+        .execute(executor)
+        .await?;
+
+        Ok(())
+    }
+
+    pub async fn get<'e, E>(executor: E) -> Result<Self, sqlx::Error>
+    where
+        E: PgExecutor<'e>,
+    {
+        sqlx::query_as!(
+            Self,
+            "SELECT
+                migration_wizard_needed,
+                migration_wizard_in_progress,
+                migration_wizard_completed,
+                initial_wizard_in_progress,
+                initial_wizard_completed
+             FROM wizard
+             LIMIT 1"
+        )
+        .fetch_one(executor)
+        .await
+    }
+
+    pub async fn init<'e, E>(executor: E) -> Result<Self, sqlx::Error>
+    where
+        E: PgExecutor<'e> + Copy,
+    {
+        let count: i64 = sqlx::query_scalar("SELECT COUNT(*) FROM wizard")
+            .fetch_one(executor)
+            .await?;
+
+        if count == 0 {
+            let is_fresh_instance: bool = sqlx::query_scalar(
+                "SELECT
+                    (SELECT COUNT(*) FROM \"user\") = 0
+                    AND (SELECT COUNT(*) FROM wireguard_network) = 0
+                    AND (SELECT COUNT(*) FROM \"device\") = 0",
+            )
+            .fetch_one(executor)
+            .await?;
+
+            sqlx::query(
+                "INSERT INTO wizard (
+                    migration_wizard_needed,
+                    migration_wizard_in_progress,
+                    migration_wizard_completed,
+                    initial_wizard_in_progress,
+                    initial_wizard_completed
+                ) VALUES (FALSE, FALSE, FALSE, $1, FALSE)",
+            )
+            .bind(is_fresh_instance)
+            .execute(executor)
+            .await?;
+
+            return Ok(Self {
+                migration_wizard_needed: false,
+                migration_wizard_in_progress: false,
+                migration_wizard_completed: false,
+                initial_wizard_in_progress: is_fresh_instance,
+                initial_wizard_completed: false,
+            });
+        }
+        Self::get(executor).await
+    }
+}
diff --git a/crates/defguard_setup/src/handlers.rs b/crates/defguard_setup/src/handlers/initial_wizard.rs
similarity index 100%
rename from crates/defguard_setup/src/handlers.rs
rename to crates/defguard_setup/src/handlers/initial_wizard.rs
diff --git a/crates/defguard_setup/src/handlers/mod.rs b/crates/defguard_setup/src/handlers/mod.rs
new file mode 100644
index 000000000..efd8e8296
--- /dev/null
+++ b/crates/defguard_setup/src/handlers/mod.rs
@@ -0,0 +1 @@
+pub mod initial_wizard;
diff --git a/crates/defguard_setup/src/lib.rs b/crates/defguard_setup/src/lib.rs
index 97bcacc11..5d1cc01be 100644
--- a/crates/defguard_setup/src/lib.rs
+++ b/crates/defguard_setup/src/lib.rs
@@ -1,2 +1,3 @@
+pub mod db;
 pub mod handlers;
 pub mod setup;
diff --git a/crates/defguard_setup/src/setup.rs b/crates/defguard_setup/src/setup.rs
index 96091fb18..e7203532e 100644
--- a/crates/defguard_setup/src/setup.rs
+++ b/crates/defguard_setup/src/setup.rs
@@ -18,15 +18,22 @@ use defguard_core::{
 };
 use defguard_web_ui::{index, svg, web_asset};
 use semver::Version;
-use sqlx::PgPool;
+use sqlx::{PgExecutor, PgPool};
 use tokio::{net::TcpListener, sync::oneshot::Sender};
 use tracing::{info, instrument};
 
-use crate::handlers::{
+use crate::handlers::initial_wizard::{
     create_admin, create_ca, finish_setup, get_ca, set_general_config, setup_login, setup_session,
     upload_ca,
 };
 
+pub async fn is_initial_setup_needed<'e, E>(executor: E) -> Result<bool, sqlx::Error>
+where
+    E: PgExecutor<'e>,
+{
+    todo!()
+}
+
 pub fn build_setup_webapp(pool: PgPool, version: Version, setup_shutdown_tx: Sender<()>) -> Router {
     let failed_logins = Arc::new(Mutex::new(FailedLoginMap::new()));
     Router::<()>::new()
diff --git a/migrations/20260225142454_[2.0.0]_migration_wizard.down.sql b/migrations/20260225142454_[2.0.0]_migration_wizard.down.sql
new file mode 100644
index 000000000..b9be5a828
--- /dev/null
+++ b/migrations/20260225142454_[2.0.0]_migration_wizard.down.sql
@@ -0,0 +1 @@
+DROP TABLE wizard;
diff --git a/migrations/20260225142454_[2.0.0]_migration_wizard.up.sql b/migrations/20260225142454_[2.0.0]_migration_wizard.up.sql
new file mode 100644
index 000000000..ea2af6ad2
--- /dev/null
+++ b/migrations/20260225142454_[2.0.0]_migration_wizard.up.sql
@@ -0,0 +1,11 @@
+CREATE TABLE wizard (
+    migration_wizard_needed BOOLEAN NOT NULL DEFAULT FALSE,
+    migration_wizard_state JSONB DEFAULT NULL,
+    migration_wizard_completed BOOLEAN NOT NULL DEFAULT FALSE,
+    migration_wizard_in_progress BOOLEAN NOT NULL DEFAULT FALSE,
+    initial_wizard_completed BOOLEAN NOT NULL DEFAULT FALSE,
+    initial_wizard_in_progress BOOLEAN NOT NULL DEFAULT FALSE,
+    initial_wizard_state JSONB DEFAULT NULL,
+    -- Constrain to a single row
+    is_singleton BOOLEAN NOT NULL DEFAULT TRUE PRIMARY KEY CHECK (is_singleton)
+);

From 18ffd09c625004dd7bde4f1ba4dcd516ea6a75cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Filip=20=C5=9Al=C4=99zak?= <fslezak@teonite.com>
Date: Thu, 26 Feb 2026 13:05:36 +0100
Subject: [PATCH 02/15] set migration on flags init

---
 crates/defguard_setup/src/db/models/wizard_flags.rs | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/crates/defguard_setup/src/db/models/wizard_flags.rs b/crates/defguard_setup/src/db/models/wizard_flags.rs
index 24f2e8f34..91694e57c 100644
--- a/crates/defguard_setup/src/db/models/wizard_flags.rs
+++ b/crates/defguard_setup/src/db/models/wizard_flags.rs
@@ -72,6 +72,8 @@ impl WizardFlags {
             .fetch_one(executor)
             .await?;
 
+            let is_migration_needed = !is_fresh_instance;
+
             sqlx::query(
                 "INSERT INTO wizard (
                     migration_wizard_needed,
@@ -79,14 +81,15 @@ impl WizardFlags {
                     migration_wizard_completed,
                     initial_wizard_in_progress,
                     initial_wizard_completed
-                ) VALUES (FALSE, FALSE, FALSE, $1, FALSE)",
+                ) VALUES ($1, FALSE, FALSE, $2, FALSE)",
             )
+            .bind(is_migration_needed)
             .bind(is_fresh_instance)
             .execute(executor)
             .await?;
 
             return Ok(Self {
-                migration_wizard_needed: false,
+                migration_wizard_needed: is_migration_needed,
                 migration_wizard_in_progress: false,
                 migration_wizard_completed: false,
                 initial_wizard_in_progress: is_fresh_instance,

From 8876f8b7f66f92980f9f6c5ed04299fb2c2eed20 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Filip=20=C5=9Al=C4=99zak?= <fslezak@teonite.com>
Date: Thu, 26 Feb 2026 13:57:40 +0100
Subject: [PATCH 03/15] add session info endpoint

---
 crates/defguard_core/src/db/models/mod.rs     |  1 +
 .../src/db/models/wizard_flags.rs             |  3 +-
 crates/defguard_core/src/handlers/mod.rs      |  1 +
 .../src/handlers/session_info.rs              | 71 +++++++++++++++++++
 crates/defguard_core/src/handlers/wizard.rs   | 29 ++------
 crates/defguard_core/src/lib.rs               |  2 +
 crates/defguard_setup/src/db/models/mod.rs    |  2 +-
 7 files changed, 82 insertions(+), 27 deletions(-)
 rename crates/{defguard_setup => defguard_core}/src/db/models/wizard_flags.rs (97%)
 create mode 100644 crates/defguard_core/src/handlers/session_info.rs

diff --git a/crates/defguard_core/src/db/models/mod.rs b/crates/defguard_core/src/db/models/mod.rs
index 7daf2d4ff..74616bc53 100644
--- a/crates/defguard_core/src/db/models/mod.rs
+++ b/crates/defguard_core/src/db/models/mod.rs
@@ -2,3 +2,4 @@ pub mod activity_log;
 pub mod enrollment;
 pub mod migration_wizard;
 pub mod webhook;
+pub mod wizard_flags;
diff --git a/crates/defguard_setup/src/db/models/wizard_flags.rs b/crates/defguard_core/src/db/models/wizard_flags.rs
similarity index 97%
rename from crates/defguard_setup/src/db/models/wizard_flags.rs
rename to crates/defguard_core/src/db/models/wizard_flags.rs
index 91694e57c..1c76d80b1 100644
--- a/crates/defguard_setup/src/db/models/wizard_flags.rs
+++ b/crates/defguard_core/src/db/models/wizard_flags.rs
@@ -1,6 +1,7 @@
+use serde::{Deserialize, Serialize};
 use sqlx::{PgExecutor, prelude::FromRow};
 
-#[derive(Debug, FromRow)]
+#[derive(Debug, Serialize, Deserialize, FromRow)]
 pub struct WizardFlags {
     pub migration_wizard_needed: bool,
     pub migration_wizard_in_progress: bool,
diff --git a/crates/defguard_core/src/handlers/mod.rs b/crates/defguard_core/src/handlers/mod.rs
index f711d482b..c82707d69 100644
--- a/crates/defguard_core/src/handlers/mod.rs
+++ b/crates/defguard_core/src/handlers/mod.rs
@@ -42,6 +42,7 @@ pub mod openid_clients;
 pub mod openid_flow;
 pub(crate) mod pagination;
 pub mod proxy;
+pub(crate) mod session_info;
 pub mod settings;
 pub(crate) mod ssh_authorized_keys;
 pub(crate) mod static_ips;
diff --git a/crates/defguard_core/src/handlers/session_info.rs b/crates/defguard_core/src/handlers/session_info.rs
new file mode 100644
index 000000000..439167231
--- /dev/null
+++ b/crates/defguard_core/src/handlers/session_info.rs
@@ -0,0 +1,71 @@
+use axum::{extract::State, http::StatusCode};
+use defguard_common::db::models::User;
+use serde::Serialize;
+
+use super::{ApiResponse, ApiResult};
+use crate::{
+    appstate::AppState, auth::SessionExtractor, db::models::wizard_flags::WizardFlags,
+    error::WebError,
+};
+
+#[derive(Serialize)]
+struct SessionInfoResponse {
+    authorized: bool,
+    wizard_flags: Option<WizardFlags>,
+}
+
+pub(crate) async fn get_session_info(
+    State(appstate): State<AppState>,
+    session: Result<SessionExtractor, WebError>,
+) -> ApiResult {
+    let pool = &appstate.pool;
+    let flags = WizardFlags::get(pool).await?;
+
+    let Ok(SessionExtractor(session)) = session else {
+        if flags.initial_wizard_in_progress {
+            return Ok(ApiResponse::json(
+                SessionInfoResponse {
+                    authorized: false,
+                    wizard_flags: Some(flags),
+                },
+                StatusCode::OK,
+            ));
+        } else {
+            return Ok(ApiResponse::json(
+                SessionInfoResponse {
+                    authorized: false,
+                    wizard_flags: None,
+                },
+                StatusCode::OK,
+            ));
+        }
+    };
+
+    let Some(user) = User::find_by_id(pool, session.user_id).await? else {
+        return Ok(ApiResponse::json(
+            SessionInfoResponse {
+                authorized: false,
+                wizard_flags: None,
+            },
+            StatusCode::OK,
+        ));
+    };
+
+    if !user.is_admin(pool).await? {
+        return Ok(ApiResponse::json(
+            SessionInfoResponse {
+                authorized: true,
+                wizard_flags: None,
+            },
+            StatusCode::OK,
+        ));
+    }
+
+    Ok(ApiResponse::json(
+        SessionInfoResponse {
+            authorized: true,
+            wizard_flags: Some(flags),
+        },
+        StatusCode::OK,
+    ))
+}
diff --git a/crates/defguard_core/src/handlers/wizard.rs b/crates/defguard_core/src/handlers/wizard.rs
index c8c71c75f..ee1dc5aac 100644
--- a/crates/defguard_core/src/handlers/wizard.rs
+++ b/crates/defguard_core/src/handlers/wizard.rs
@@ -1,39 +1,18 @@
 use axum::{Json, extract::State, http::StatusCode};
-use serde::{Deserialize, Serialize};
 use serde_json::json;
-use sqlx::FromRow;
 
 use super::{ApiResponse, ApiResult};
 use crate::{
-    appstate::AppState, auth::AdminRole, db::models::migration_wizard::MigrationWizardState,
+    appstate::AppState,
+    auth::AdminRole,
+    db::models::{migration_wizard::MigrationWizardState, wizard_flags::WizardFlags},
 };
 
-#[derive(Debug, Serialize, Deserialize, FromRow)]
-pub(crate) struct WizardFlags {
-    pub migration_wizard_needed: bool,
-    pub migration_wizard_in_progress: bool,
-    pub migration_wizard_completed: bool,
-    pub initial_wizard_completed: bool,
-    pub initial_wizard_in_progress: bool,
-}
-
 pub(crate) async fn get_wizard_flags(
     _role: AdminRole,
     State(appstate): State<AppState>,
 ) -> ApiResult {
-    let flags = sqlx::query_as!(
-        WizardFlags,
-        "SELECT
-            migration_wizard_needed,
-            migration_wizard_in_progress,
-            migration_wizard_completed,
-            initial_wizard_completed,
-            initial_wizard_in_progress
-         FROM wizard
-         LIMIT 1"
-    )
-    .fetch_one(&appstate.pool)
-    .await?;
+    let flags = WizardFlags::get(&appstate.pool).await?;
 
     Ok(ApiResponse::json(flags, StatusCode::OK))
 }
diff --git a/crates/defguard_core/src/lib.rs b/crates/defguard_core/src/lib.rs
index a5c0cd882..79a249964 100644
--- a/crates/defguard_core/src/lib.rs
+++ b/crates/defguard_core/src/lib.rs
@@ -43,6 +43,7 @@ use handlers::{
         find_available_ips, get_network_device, list_network_devices, modify_network_device,
         start_network_device_setup, start_network_device_setup_for_device,
     },
+    session_info::get_session_info,
     ssh_authorized_keys::{
         add_authentication_key, delete_authentication_key, fetch_authentication_keys,
         rename_authentication_key,
@@ -237,6 +238,7 @@ pub fn build_webapp(
         Router::new()
             .route("/health", get(health_check))
             .route("/info", get(get_app_info))
+            .route("/session-info", get(get_session_info))
             .route("/ssh_authorized_keys", get(get_authorized_keys))
             .route("/api-docs", get(openapi))
             .route("/updates", get(check_new_version))
diff --git a/crates/defguard_setup/src/db/models/mod.rs b/crates/defguard_setup/src/db/models/mod.rs
index 2efc7e284..8b1378917 100644
--- a/crates/defguard_setup/src/db/models/mod.rs
+++ b/crates/defguard_setup/src/db/models/mod.rs
@@ -1 +1 @@
-pub mod wizard_flags;
+

From b80c10157a799f605d6a3d8c22d23ad190e0d9ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Filip=20=C5=9Al=C4=99zak?= <fslezak@teonite.com>
Date: Thu, 26 Feb 2026 14:21:37 +0100
Subject: [PATCH 04/15] fix clippy

---
 crates/defguard/src/main.rs                            | 4 ++--
 crates/defguard_core/src/db/models/migration_wizard.rs | 1 +
 crates/defguard_setup/src/setup.rs                     | 9 +--------
 3 files changed, 4 insertions(+), 10 deletions(-)

diff --git a/crates/defguard/src/main.rs b/crates/defguard/src/main.rs
index 855d0b284..2b397163e 100644
--- a/crates/defguard/src/main.rs
+++ b/crates/defguard/src/main.rs
@@ -16,7 +16,7 @@ use defguard_common::{
 };
 use defguard_core::{
     auth::failed_login::FailedLoginMap,
-    db::AppEvent,
+    db::{AppEvent, models::wizard_flags::WizardFlags},
     enterprise::{
         activity_log_stream::activity_log_stream_manager::run_activity_log_stream_manager,
         license::{License, run_periodic_license_check, set_cached_license},
@@ -33,7 +33,7 @@ use defguard_event_router::{RouterReceiverSet, run_event_router};
 use defguard_gateway_manager::{GatewayManager, GatewayTxSet};
 use defguard_proxy_manager::{ProxyManager, ProxyTxSet};
 use defguard_session_manager::{events::SessionManagerEvent, run_session_manager};
-use defguard_setup::{db::models::wizard_flags::WizardFlags, setup::run_setup_web_server};
+use defguard_setup::setup::run_setup_web_server;
 use defguard_vpn_stats_purge::run_periodic_stats_purge;
 use secrecy::ExposeSecret;
 use tokio::sync::{
diff --git a/crates/defguard_core/src/db/models/migration_wizard.rs b/crates/defguard_core/src/db/models/migration_wizard.rs
index a41a9c2bf..237cb5a19 100644
--- a/crates/defguard_core/src/db/models/migration_wizard.rs
+++ b/crates/defguard_core/src/db/models/migration_wizard.rs
@@ -1,6 +1,7 @@
 use serde::{Deserialize, Serialize};
 use sqlx::PgExecutor;
 
+#[allow(dead_code)]
 #[derive(Serialize, Deserialize, Debug, Default)]
 pub(crate) enum MigrationWizardStep {
     #[default]
diff --git a/crates/defguard_setup/src/setup.rs b/crates/defguard_setup/src/setup.rs
index e7203532e..914611126 100644
--- a/crates/defguard_setup/src/setup.rs
+++ b/crates/defguard_setup/src/setup.rs
@@ -18,7 +18,7 @@ use defguard_core::{
 };
 use defguard_web_ui::{index, svg, web_asset};
 use semver::Version;
-use sqlx::{PgExecutor, PgPool};
+use sqlx::PgPool;
 use tokio::{net::TcpListener, sync::oneshot::Sender};
 use tracing::{info, instrument};
 
@@ -27,13 +27,6 @@ use crate::handlers::initial_wizard::{
     upload_ca,
 };
 
-pub async fn is_initial_setup_needed<'e, E>(executor: E) -> Result<bool, sqlx::Error>
-where
-    E: PgExecutor<'e>,
-{
-    todo!()
-}
-
 pub fn build_setup_webapp(pool: PgPool, version: Version, setup_shutdown_tx: Sender<()>) -> Router {
     let failed_logins = Arc::new(Mutex::new(FailedLoginMap::new()));
     Router::<()>::new()

From f219d61496497003cdba68eeed1be1880c7df949 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Filip=20=C5=9Al=C4=99zak?= <fslezak@teonite.com>
Date: Thu, 26 Feb 2026 14:58:32 +0100
Subject: [PATCH 05/15] sqlx query for offline

---
 ...c844a983d2f0697a7b937a94e3f00d0c7a830.json | 44 +++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 .sqlx/query-9042a72c21aa8c26cd187c2d336c844a983d2f0697a7b937a94e3f00d0c7a830.json

diff --git a/.sqlx/query-9042a72c21aa8c26cd187c2d336c844a983d2f0697a7b937a94e3f00d0c7a830.json b/.sqlx/query-9042a72c21aa8c26cd187c2d336c844a983d2f0697a7b937a94e3f00d0c7a830.json
new file mode 100644
index 000000000..228b97e2a
--- /dev/null
+++ b/.sqlx/query-9042a72c21aa8c26cd187c2d336c844a983d2f0697a7b937a94e3f00d0c7a830.json
@@ -0,0 +1,44 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "SELECT\n                migration_wizard_needed,\n                migration_wizard_in_progress,\n                migration_wizard_completed,\n                initial_wizard_in_progress,\n                initial_wizard_completed\n             FROM wizard\n             LIMIT 1",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "migration_wizard_needed",
+        "type_info": "Bool"
+      },
+      {
+        "ordinal": 1,
+        "name": "migration_wizard_in_progress",
+        "type_info": "Bool"
+      },
+      {
+        "ordinal": 2,
+        "name": "migration_wizard_completed",
+        "type_info": "Bool"
+      },
+      {
+        "ordinal": 3,
+        "name": "initial_wizard_in_progress",
+        "type_info": "Bool"
+      },
+      {
+        "ordinal": 4,
+        "name": "initial_wizard_completed",
+        "type_info": "Bool"
+      }
+    ],
+    "parameters": {
+      "Left": []
+    },
+    "nullable": [
+      false,
+      false,
+      false,
+      false,
+      false
+    ]
+  },
+  "hash": "9042a72c21aa8c26cd187c2d336c844a983d2f0697a7b937a94e3f00d0c7a830"
+}

From 36fafc59fed156c8c312aa72b1aa0b02c3505b45 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Filip=20=C5=9Al=C4=99zak?= <fslezak@teonite.com>
Date: Fri, 27 Feb 2026 15:16:07 +0100
Subject: [PATCH 06/15] migration wizard ui init - copy existing steps

---
 crates/defguard/src/main.rs                   |   4 -
 web/messages/en/migration_wizard.json         |  46 +++
 web/project.inlang/settings.json              |   7 +-
 .../MigrationWizardPage.tsx                   |  98 +++++++
 .../steps/MigrationWizardCAStep.tsx           | 265 ++++++++++++++++++
 .../steps/MigrationWizardCASummaryStep.tsx    | 119 ++++++++
 .../steps/MigrationWizardConfirmationStep.tsx |  22 ++
 .../steps/MigrationWizardEdgeAdoptionStep.tsx | 188 +++++++++++++
 .../MigrationWizardEdgeComponentStep.tsx      | 131 +++++++++
 ...igrationWizardGeneralConfigurationStep.tsx |  23 ++
 .../steps/MigrationWizardStart.tsx            |  39 +++
 .../store/useMigrationWizardStore.tsx         |  84 ++++++
 web/src/pages/MigrationWizardPage/style.scss  |  40 +++
 web/src/pages/MigrationWizardPage/types.ts    |  18 ++
 web/src/routeTree.gen.ts                      |  21 ++
 web/src/routes/_wizard/migration.tsx          |   6 +
 16 files changed, 1105 insertions(+), 6 deletions(-)
 create mode 100644 web/messages/en/migration_wizard.json
 create mode 100644 web/src/pages/MigrationWizardPage/MigrationWizardPage.tsx
 create mode 100644 web/src/pages/MigrationWizardPage/steps/MigrationWizardCAStep.tsx
 create mode 100644 web/src/pages/MigrationWizardPage/steps/MigrationWizardCASummaryStep.tsx
 create mode 100644 web/src/pages/MigrationWizardPage/steps/MigrationWizardConfirmationStep.tsx
 create mode 100644 web/src/pages/MigrationWizardPage/steps/MigrationWizardEdgeAdoptionStep.tsx
 create mode 100644 web/src/pages/MigrationWizardPage/steps/MigrationWizardEdgeComponentStep.tsx
 create mode 100644 web/src/pages/MigrationWizardPage/steps/MigrationWizardGeneralConfigurationStep.tsx
 create mode 100644 web/src/pages/MigrationWizardPage/steps/MigrationWizardStart.tsx
 create mode 100644 web/src/pages/MigrationWizardPage/store/useMigrationWizardStore.tsx
 create mode 100644 web/src/pages/MigrationWizardPage/style.scss
 create mode 100644 web/src/pages/MigrationWizardPage/types.ts
 create mode 100644 web/src/routes/_wizard/migration.tsx

diff --git a/crates/defguard/src/main.rs b/crates/defguard/src/main.rs
index 2b397163e..32de64976 100644
--- a/crates/defguard/src/main.rs
+++ b/crates/defguard/src/main.rs
@@ -139,10 +139,6 @@ async fn main() -> Result<(), anyhow::Error> {
 
     let incompatible_components: Arc<RwLock<IncompatibleComponents>> = Arc::default();
 
-    if settings.ca_cert_der.is_none() || settings.ca_key_der.is_none() {
-        anyhow::bail!("CA certificate or key were not found in settings, despite completing setup.")
-    }
-
     // read grpc TLS cert and key
     let grpc_cert = config
         .grpc_cert
diff --git a/web/messages/en/migration_wizard.json b/web/messages/en/migration_wizard.json
new file mode 100644
index 000000000..8c1cee003
--- /dev/null
+++ b/web/messages/en/migration_wizard.json
@@ -0,0 +1,46 @@
+{
+  "$schema": "https://inlang.com/schema/inlang-message-format",
+  "migration_wizard_title": "Migration Wizard",
+  "migration_wizard_subtitle": "This wizard will guide you through migration-related configuration of your Defguard instance.",
+
+  "migration_wizard_step_general_config_label": "General Configuration",
+  "migration_wizard_step_general_config_description": "Manage core details and connection parameters for your VPN location.",
+  "migration_wizard_step_certificate_authority_label": "Certificate Authority",
+  "migration_wizard_step_certificate_authority_description": "Securing component communication",
+  "migration_wizard_step_certificate_authority_summary_label": "Certificate Authority Summary",
+  "migration_wizard_step_certificate_authority_summary_description": "Securing component communication",
+  "migration_wizard_step_edge_component_label": "Edge Component",
+  "migration_wizard_step_edge_component_description": "Set up your VPN proxy quickly and ensure secure, optimized traffic flow for your users.",
+  "migration_wizard_step_edge_adoption_label": "Edge Component Adoption",
+  "migration_wizard_step_edge_adoption_description": "Review the system’s checks and see if any issues need attention before deployment.",
+  "migration_wizard_step_confirmation_label": "Confirmation",
+  "migration_wizard_step_confirmation_description": "Your configuration was successful. You’re all set.",
+
+  "migration_wizard_ca_validity_one_year": "1 year",
+  "migration_wizard_ca_validity_years": "{years} years",
+  "migration_wizard_ca_error_common_name_required": "Common name is required",
+  "migration_wizard_ca_error_email_invalid": "Invalid email address",
+  "migration_wizard_ca_error_email_required": "Email is required",
+  "migration_wizard_ca_error_validity_min": "Validity period must be at least 1 year",
+  "migration_wizard_ca_error_cert_required": "Certificate file is required",
+  "migration_wizard_ca_error_create_failed": "Failed to create CA. Please review the information and try again.",
+  "migration_wizard_ca_error_upload_failed": "Failed to upload CA. Please ensure the certificate file is valid and try again.",
+  "migration_wizard_ca_option_create_title": "Create a certificate authority & configure all Defguard components",
+  "migration_wizard_ca_option_create_description": "By choosing this option, Defguard will create its own certificate authority and automatically configure all components to use its certificates — no manual setup required.",
+  "migration_wizard_ca_label_common_name": "Common Name",
+  "migration_wizard_ca_placeholder_common_name": "Defguard Certificate Authority",
+  "migration_wizard_ca_label_email": "Email",
+  "migration_wizard_ca_placeholder_email": "email@example.com",
+  "migration_wizard_ca_label_validity": "Validity Period",
+
+  "migration_wizard_ca_generated_title": "Certificate Authority Generated",
+  "migration_wizard_ca_generated_subtitle": "The system created all required certificate files, including the root certificate and private key. You can download these files and continue with the configuration.",
+  "migration_wizard_ca_download_button": "Download CA certificate",
+  "migration_wizard_ca_validated_title": "Certificate Authority Validated",
+  "migration_wizard_ca_validated_subtitle": "Your uploaded Certificate Authority has been successfully validated. All required files were checked and confirmed as correct and ready for use. You can download the validated CA files if needed for your setup.",
+  "migration_wizard_ca_info_title": "Information extracted from uploaded file",
+  "migration_wizard_ca_info_label_common_name": "Common Name",
+  "migration_wizard_ca_info_label_validity": "Validity",
+  "migration_wizard_ca_validity_unknown": "—",
+  "migration_wizard_ca_validity_less_than_year": "Less than a year"
+}
diff --git a/web/project.inlang/settings.json b/web/project.inlang/settings.json
index fa3338bde..61308a6bc 100644
--- a/web/project.inlang/settings.json
+++ b/web/project.inlang/settings.json
@@ -1,7 +1,9 @@
 {
   "$schema": "https://inlang.com/schema/project-settings",
   "baseLocale": "en",
-  "locales": ["en"],
+  "locales": [
+    "en"
+  ],
   "modules": [
     "https://cdn.jsdelivr.net/npm/@inlang/plugin-message-format@latest/dist/index.js"
   ],
@@ -24,7 +26,8 @@
       "./messages/{locale}/location.json",
       "./messages/{locale}/settings.json",
       "./messages/{locale}/gateway_wizard.json",
-      "./messages/{locale}/initial_wizard.json"
+      "./messages/{locale}/initial_wizard.json",
+      "./messages/{locale}/migration_wizard.json"
     ]
   }
 }
diff --git a/web/src/pages/MigrationWizardPage/MigrationWizardPage.tsx b/web/src/pages/MigrationWizardPage/MigrationWizardPage.tsx
new file mode 100644
index 000000000..f39dda08d
--- /dev/null
+++ b/web/src/pages/MigrationWizardPage/MigrationWizardPage.tsx
@@ -0,0 +1,98 @@
+import './style.scss';
+import { type ReactNode, useMemo } from 'react';
+import { m } from '../../paraglide/messages';
+import type {
+  WizardPageStep,
+  WizardWelcomePageConfig,
+} from '../../shared/components/wizard/types';
+import { WizardPage } from '../../shared/components/wizard/WizardPage/WizardPage';
+import { MigrationWizardCAStep } from './steps/MigrationWizardCAStep';
+import { MigrationWizardCASummaryStep } from './steps/MigrationWizardCASummaryStep';
+import { MigrationWizardConfirmationStep } from './steps/MigrationWizardConfirmationStep';
+import { MigrationWizardEdgeAdoptionStep } from './steps/MigrationWizardEdgeAdoptionStep';
+import { MigrationWizardEdgeComponentStep } from './steps/MigrationWizardEdgeComponentStep';
+import { MigrationWizardGeneralConfigurationStep } from './steps/MigrationWizardGeneralConfigurationStep';
+import { MigrationWizardStart } from './steps/MigrationWizardStart';
+import { useMigrationWizardStore } from './store/useMigrationWizardStore';
+import { MigrationWizardStep, type MigrationWizardStepValue } from './types';
+
+const welcomePageConfig: WizardWelcomePageConfig = {
+  title: 'Welcome to Defguard Migration Wizard.',
+  subtitle: `We've detected your previous version 1.X so email.`,
+  content: <MigrationWizardStart />,
+  media: <img alt="media.png" />,
+  docsText: `We'll guide you through the process step by step. For full details, see the migration guide following the link bellow.`,
+} as const;
+
+export const MigrationWizardPage = () => {
+  const isWelcome = useMigrationWizardStore((s) => s.isWelcome);
+  const activeStep = useMigrationWizardStore((s) => s.activeStep);
+
+  const stepsConfig = useMemo(
+    (): Record<MigrationWizardStepValue, WizardPageStep> => ({
+      general: {
+        id: MigrationWizardStep.General,
+        order: 1,
+        label: m.migration_wizard_step_general_config_label(),
+        description: m.migration_wizard_step_general_config_description(),
+      },
+      ca: {
+        id: MigrationWizardStep.Ca,
+        order: 2,
+        label: m.migration_wizard_step_certificate_authority_label(),
+        description: m.migration_wizard_step_certificate_authority_description(),
+      },
+      caSummary: {
+        id: MigrationWizardStep.CaSummary,
+        order: 3,
+        label: m.migration_wizard_step_certificate_authority_summary_label(),
+        description: m.migration_wizard_step_certificate_authority_summary_description(),
+      },
+      edge: {
+        id: MigrationWizardStep.Edge,
+        order: 4,
+        label: m.migration_wizard_step_edge_component_label(),
+        description: m.migration_wizard_step_edge_component_description(),
+      },
+      edgeAdoption: {
+        id: MigrationWizardStep.EdgeAdoption,
+        order: 5,
+        label: m.migration_wizard_step_edge_adoption_label(),
+        description: m.migration_wizard_step_edge_adoption_description(),
+      },
+      confirmation: {
+        id: MigrationWizardStep.Confirmation,
+        order: 6,
+        label: m.migration_wizard_step_confirmation_label(),
+        description: m.migration_wizard_step_confirmation_description(),
+      },
+    }),
+    [],
+  );
+
+  const stepsComponents = useMemo(
+    (): Record<MigrationWizardStepValue, ReactNode> => ({
+      general: <MigrationWizardGeneralConfigurationStep />,
+      ca: <MigrationWizardCAStep />,
+      caSummary: <MigrationWizardCASummaryStep />,
+      edge: <MigrationWizardEdgeComponentStep />,
+      edgeAdoption: <MigrationWizardEdgeAdoptionStep />,
+      confirmation: <MigrationWizardConfirmationStep />,
+    }),
+    [],
+  );
+
+  return (
+    <WizardPage
+      id="migration-wizard"
+      activeStep={activeStep}
+      subtitle={m.migration_wizard_subtitle()}
+      title={m.migration_wizard_title()}
+      steps={stepsConfig}
+      isOnWelcomePage={isWelcome}
+      welcomePageConfig={welcomePageConfig}
+    >
+      {stepsComponents[activeStep]}
+    </WizardPage>
+  );
+};
diff --git a/web/src/pages/MigrationWizardPage/steps/MigrationWizardCAStep.tsx b/web/src/pages/MigrationWizardPage/steps/MigrationWizardCAStep.tsx
new file mode 100644
index 000000000..b98641c86
--- /dev/null
+++ b/web/src/pages/MigrationWizardPage/steps/MigrationWizardCAStep.tsx
@@ -0,0 +1,265 @@
+import { useMutation } from '@tanstack/react-query';
+import { useCallback, useMemo } from 'react';
+import z from 'zod';
+import { useShallow } from 'zustand/react/shallow';
+import { m } from '../../../paraglide/messages';
+import api from '../../../shared/api/api';
+import { Controls } from '../../../shared/components/Controls/Controls';
+import { WizardCard } from '../../../shared/components/wizard/WizardCard/WizardCard';
+import { BadgeVariant } from '../../../shared/defguard-ui/components/Badge/types';
+import { Button } from '../../../shared/defguard-ui/components/Button/Button';
+import { InteractiveBlock } from '../../../shared/defguard-ui/components/InteractiveBlock/InteractiveBlock';
+import type { SelectOption } from '../../../shared/defguard-ui/components/Select/types';
+import { SizedBox } from '../../../shared/defguard-ui/components/SizedBox/SizedBox';
+import { Snackbar } from '../../../shared/defguard-ui/providers/snackbar/snackbar';
+import { ThemeSpacing } from '../../../shared/defguard-ui/types';
+import { isPresent } from '../../../shared/defguard-ui/utils/isPresent';
+import { useAppForm } from '../../../shared/form';
+import { formChangeLogic } from '../../../shared/formLogic';
+import { useMigrationWizardStore } from '../store/useMigrationWizardStore';
+import { CAOption, type CAOptionType, MigrationWizardStep } from '../types';
+
+type ValidityValue = 1 | 2 | 3 | 5 | 10;
+
+const validityOptions: SelectOption<ValidityValue>[] = [
+  { key: 1, label: m.migration_wizard_ca_validity_one_year(), value: 1 },
+  { key: 2, label: m.migration_wizard_ca_validity_years({ years: 2 }), value: 2 },
+  { key: 3, label: m.migration_wizard_ca_validity_years({ years: 3 }), value: 3 },
+  { key: 5, label: m.migration_wizard_ca_validity_years({ years: 5 }), value: 5 },
+  {
+    key: 10,
+    label: m.migration_wizard_ca_validity_years({ years: 10 }),
+    value: 10,
+  },
+];
+
+type CreateCAFormFields = CreateCAStoreValues;
+
+type CreateCAStoreValues = {
+  ca_common_name: string;
+  ca_email: string;
+  ca_validity_period_years: number;
+};
+
+type UploadCAFormFields = UploadCAStoreValues;
+
+type UploadCAStoreValues = {
+  ca_cert_file: File | null;
+};
+
+const readFileAsText = (file: File): Promise<string> => {
+  return new Promise((resolve, reject) => {
+    const reader = new FileReader();
+    reader.onload = () => resolve(reader.result as string);
+    reader.onerror = () => reject(reader.error);
+    reader.readAsText(file);
+  });
+};
+
+export const MigrationWizardCAStep = () => {
+  const setActiveStep = useMigrationWizardStore((s) => s.setActiveStep);
+  const caOption = useMigrationWizardStore((s) => s.ca_option);
+  const setCAOption = useCallback((option: CAOptionType) => {
+    useMigrationWizardStore.setState({ ca_option: option });
+  }, []);
+
+  const createCAdefaultValues = useMigrationWizardStore(
+    useShallow(
+      (s): CreateCAFormFields => ({
+        ca_common_name: s.ca_common_name,
+        ca_email: s.ca_email,
+        ca_validity_period_years: s.ca_validity_period_years,
+      }),
+    ),
+  );
+
+  const uploadCAdefaultValues: UploadCAFormFields = {
+    ca_cert_file: undefined as unknown as File,
+  };
+
+  const createFormSchema = useMemo(
+    () =>
+      z.object({
+        ca_common_name: z
+          .string()
+          .min(1, m.migration_wizard_ca_error_common_name_required()),
+        ca_email: z
+          .email(m.migration_wizard_ca_error_email_invalid())
+          .min(1, m.migration_wizard_ca_error_email_required()),
+        ca_validity_period_years: z
+          .number()
+          .min(1, m.migration_wizard_ca_error_validity_min()),
+      }),
+    [],
+  );
+
+  const uploadFormSchema = useMemo(
+    () =>
+      z.object({
+        ca_cert_file: z
+          .file()
+          .refine((file) => isPresent(file), m.migration_wizard_ca_error_cert_required()),
+      }),
+    [],
+  );
+
+  const { mutate: createCA, isPending: isCreatingCA } = useMutation({
+    mutationFn: api.initial_setup.createCA,
+    onSuccess: () => {
+      setActiveStep(MigrationWizardStep.CaSummary);
+    },
+    onError: (error) => {
+      console.error('Failed to create CA:', error);
+      Snackbar.error(m.migration_wizard_ca_error_create_failed());
+    },
+    meta: {
+      invalidate: ['initial_setup', 'ca'],
+    },
+  });
+
+  const { mutate: uploadCA, isPending: isUploadingCA } = useMutation({
+    mutationFn: api.initial_setup.uploadCA,
+    onSuccess: () => {
+      setActiveStep(MigrationWizardStep.CaSummary);
+    },
+    onError: (error) => {
+      console.error('Failed to upload CA:', error);
+      Snackbar.error(m.migration_wizard_ca_error_upload_failed());
+    },
+    meta: {
+      invalidate: ['initial_setup', 'ca'],
+    },
+  });
+
+  const createForm = useAppForm({
+    defaultValues: createCAdefaultValues,
+    validationLogic: formChangeLogic,
+    validators: {
+      onSubmit: createFormSchema,
+      onChange: createFormSchema,
+    },
+    onSubmit: ({ value }) => {
+      useMigrationWizardStore.setState({
+        ca_common_name: value.ca_common_name,
+        ca_email: value.ca_email,
+        ca_validity_period_years: value.ca_validity_period_years,
+      });
+      createCA({
+        common_name: value.ca_common_name,
+        email: value.ca_email,
+        validity_period_years: value.ca_validity_period_years,
+      });
+    },
+  });
+
+  const uploadForm = useAppForm({
+    defaultValues: uploadCAdefaultValues,
+    validationLogic: formChangeLogic,
+    validators: {
+      onSubmit: uploadFormSchema,
+      onChange: uploadFormSchema,
+    },
+    onSubmit: async ({ value }) => {
+      if (!value.ca_cert_file) return;
+      const certContent = await readFileAsText(value.ca_cert_file);
+      uploadCA({ cert_file: certContent });
+    },
+  });
+
+  const CreateCAForm = () => {
+    const form = createForm;
+    return (
+      <div className="ca-settings">
+        <form
+          onSubmit={(e) => {
+            e.stopPropagation();
+            e.preventDefault();
+            form.handleSubmit();
+          }}
+        >
+          <form.AppForm>
+            <form.AppField name="ca_common_name">
+              {(field) => (
+                <field.FormInput
+                  required
+                  label={m.migration_wizard_ca_label_common_name()}
+                  type="text"
+                  placeholder={m.migration_wizard_ca_placeholder_common_name()}
+                />
+              )}
+            </form.AppField>
+
+            <form.AppField name="ca_email">
+              {(field) => (
+                <field.FormInput
+                  required
+                  label={m.migration_wizard_ca_label_email()}
+                  placeholder={m.migration_wizard_ca_placeholder_email()}
+                />
+              )}
+            </form.AppField>
+
+            <form.AppField name="ca_validity_period_years">
+              {(field) => (
+                <field.FormSelect
+                  required
+                  label={m.migration_wizard_ca_label_validity()}
+                  options={validityOptions}
+                />
+              )}
+            </form.AppField>
+          </form.AppForm>
+        </form>
+      </div>
+    );
+  };
+
+  const handleBack = () => {
+    setActiveStep(MigrationWizardStep.General);
+  };
+
+  const handleNext = () => {
+    if (caOption === CAOption.Create) {
+      createForm.handleSubmit();
+    } else if (caOption === CAOption.UseOwn) {
+      uploadForm.handleSubmit();
+    }
+  };
+
+  const isPending = isCreatingCA || isUploadingCA;
+
+  return (
+    <WizardCard>
+      <InteractiveBlock
+        title={m.migration_wizard_ca_option_create_title()}
+        value={caOption === CAOption.Create}
+        onClick={() => setCAOption(CAOption.Create)}
+        content={m.migration_wizard_ca_option_create_description()}
+        badge={{
+          text: m.misc_recommended(),
+          variant: BadgeVariant.Success,
+        }}
+      >
+        <SizedBox height={ThemeSpacing.Xl2} />
+        {caOption === CAOption.Create && <CreateCAForm />}
+      </InteractiveBlock>
+
+      <Controls>
+        <Button
+          variant="outlined"
+          text={m.controls_back()}
+          onClick={handleBack}
+          disabled={isPending}
+        />
+        <div className="right">
+          <Button
+            text={m.controls_continue()}
+            onClick={handleNext}
+            loading={isPending}
+            disabled={isPending || !isPresent(caOption)}
+          />
+        </div>
+      </Controls>
+    </WizardCard>
+  );
+};
diff --git a/web/src/pages/MigrationWizardPage/steps/MigrationWizardCASummaryStep.tsx b/web/src/pages/MigrationWizardPage/steps/MigrationWizardCASummaryStep.tsx
new file mode 100644
index 000000000..ed76cc006
--- /dev/null
+++ b/web/src/pages/MigrationWizardPage/steps/MigrationWizardCASummaryStep.tsx
@@ -0,0 +1,119 @@
+import { useQuery } from '@tanstack/react-query';
+import { useCallback } from 'react';
+import { m } from '../../../paraglide/messages';
+import api from '../../../shared/api/api';
+import { ActionCard } from '../../../shared/components/ActionCard/ActionCard';
+import { Controls } from '../../../shared/components/Controls/Controls';
+import { WizardCard } from '../../../shared/components/wizard/WizardCard/WizardCard';
+import { Button } from '../../../shared/defguard-ui/components/Button/Button';
+import { Divider } from '../../../shared/defguard-ui/components/Divider/Divider';
+import { ThemeSpacing } from '../../../shared/defguard-ui/types';
+import { isPresent } from '../../../shared/defguard-ui/utils/isPresent';
+import { downloadFile } from '../../../shared/utils/download';
+import caIcon from '../../SetupPage/assets/ca.png';
+import { useMigrationWizardStore } from '../store/useMigrationWizardStore';
+import { CAOption, MigrationWizardStep } from '../types';
+
+export const MigrationWizardCASummaryStep = () => {
+  const setActiveStep = useMigrationWizardStore((s) => s.setActiveStep);
+  const caOption = useMigrationWizardStore((s) => s.ca_option);
+
+  const { data: caData, isFetching } = useQuery({
+    queryKey: ['initial_setup', 'ca'],
+    queryFn: api.initial_setup.getCA,
+    select: (resp) => resp.data,
+  });
+
+  const handleDownloadCA = useCallback(() => {
+    const caPem = caData?.ca_cert_pem;
+    if (!isPresent(caPem)) return;
+    const blob = new Blob([caPem], {
+      type: 'application/x-pem-file;charset=utf-8',
+    });
+    downloadFile(blob, 'defguard-ca', 'pem');
+  }, [caData?.ca_cert_pem]);
+
+  const handleBack = () => {
+    setActiveStep(MigrationWizardStep.Ca);
+  };
+
+  const handleNext = () => {
+    setActiveStep(MigrationWizardStep.Edge);
+  };
+
+  const downloadCA = () => {
+    return (
+      <ActionCard
+        title={m.migration_wizard_ca_generated_title()}
+        subtitle={m.migration_wizard_ca_generated_subtitle()}
+        imageSrc={caIcon}
+      >
+        <Button
+          iconLeft="download"
+          variant="outlined"
+          text={m.migration_wizard_ca_download_button()}
+          onClick={handleDownloadCA}
+          loading={isFetching}
+          disabled={!isPresent(caData?.ca_cert_pem) || isFetching}
+        />
+      </ActionCard>
+    );
+  };
+
+  const getValidityString = (validForDays?: number) => {
+    if (!validForDays) return m.migration_wizard_ca_validity_unknown();
+    try {
+      const years = Math.round(validForDays / 365);
+      if (years <= 0) return m.migration_wizard_ca_validity_less_than_year();
+      return years === 1
+        ? m.migration_wizard_ca_validity_one_year()
+        : m.migration_wizard_ca_validity_years({ years });
+    } catch (e) {
+      console.error('Error calculating validity string:', e);
+      return m.migration_wizard_ca_validity_unknown();
+    }
+  };
+
+  const displayCAInfo = () => {
+    if (!isPresent(caData)) return null;
+
+    const commonName = caData.subject_common_name || '—';
+    const validity = getValidityString(caData.valid_for_days);
+
+    return (
+      <ActionCard
+        title={m.migration_wizard_ca_validated_title()}
+        subtitle={m.migration_wizard_ca_validated_subtitle()}
+        imageSrc={caIcon}
+      >
+        <div className="ca-info">
+          <p className="ca-info-title">{m.migration_wizard_ca_info_title()}</p>
+          <Divider spacing={ThemeSpacing.Md} />
+          <div className="ca-info-grid">
+            <div className="ca-info-label">
+              {m.migration_wizard_ca_info_label_common_name()}
+            </div>
+            <div className="ca-info-value">{commonName}</div>
+            <div className="ca-info-label">
+              {m.migration_wizard_ca_info_label_validity()}
+            </div>
+            <div className="ca-info-value">{validity}</div>
+          </div>
+        </div>
+      </ActionCard>
+    );
+  };
+
+  return (
+    <WizardCard>
+      {caOption === CAOption.Create && downloadCA()}
+      {caOption === CAOption.UseOwn && displayCAInfo()}
+      <Controls>
+        <Button variant="outlined" text={m.controls_back()} onClick={handleBack} />
+        <div className="right">
+          <Button text={m.controls_continue()} onClick={handleNext} />
+        </div>
+      </Controls>
+    </WizardCard>
+  );
+};
diff --git a/web/src/pages/MigrationWizardPage/steps/MigrationWizardConfirmationStep.tsx b/web/src/pages/MigrationWizardPage/steps/MigrationWizardConfirmationStep.tsx
new file mode 100644
index 000000000..3d681b603
--- /dev/null
+++ b/web/src/pages/MigrationWizardPage/steps/MigrationWizardConfirmationStep.tsx
@@ -0,0 +1,22 @@
+import { m } from '../../../paraglide/messages';
+import { Controls } from '../../../shared/components/Controls/Controls';
+import { WizardCard } from '../../../shared/components/wizard/WizardCard/WizardCard';
+import { Button } from '../../../shared/defguard-ui/components/Button/Button';
+import { useMigrationWizardStore } from '../store/useMigrationWizardStore';
+import { MigrationWizardStep } from '../types';
+
+export const MigrationWizardConfirmationStep = () => {
+  const setActiveStep = useMigrationWizardStore((s) => s.setActiveStep);
+
+  return (
+    <WizardCard>
+      <Controls>
+        <Button
+          variant="outlined"
+          text={m.controls_back()}
+          onClick={() => setActiveStep(MigrationWizardStep.EdgeAdoption)}
+        />
+      </Controls>
+    </WizardCard>
+  );
+};
diff --git a/web/src/pages/MigrationWizardPage/steps/MigrationWizardEdgeAdoptionStep.tsx b/web/src/pages/MigrationWizardPage/steps/MigrationWizardEdgeAdoptionStep.tsx
new file mode 100644
index 000000000..f1639c5fd
--- /dev/null
+++ b/web/src/pages/MigrationWizardPage/steps/MigrationWizardEdgeAdoptionStep.tsx
@@ -0,0 +1,188 @@
+import { useCallback, useEffect, useMemo } from 'react';
+import { m } from '../../../paraglide/messages';
+import { Controls } from '../../../shared/components/Controls/Controls';
+import { LoadingStep } from '../../../shared/components/LoadingStep/LoadingStep';
+import { WizardCard } from '../../../shared/components/wizard/WizardCard/WizardCard';
+import { Button } from '../../../shared/defguard-ui/components/Button/Button';
+import { CodeCard } from '../../../shared/defguard-ui/components/CodeCard/CodeCard';
+import { SizedBox } from '../../../shared/defguard-ui/components/SizedBox/SizedBox';
+import { ThemeSpacing } from '../../../shared/defguard-ui/types';
+import { useSSEController } from '../../../shared/hooks/useSSEController';
+import type { SetupEvent, SetupStep, SetupStepId } from '../../EdgeSetupPage/steps/types';
+import { useMigrationWizardStore } from '../store/useMigrationWizardStore';
+import { MigrationWizardStep } from '../types';
+
+export const MigrationWizardEdgeAdoptionStep = () => {
+  const setActiveStep = useMigrationWizardStore((s) => s.setActiveStep);
+  const migrationWizardStore = useMigrationWizardStore((s) => s);
+  const edgeAdoptionState = useMigrationWizardStore((s) => s.edgeAdoptionState);
+  const setEdgeAdoptionState = useMigrationWizardStore((s) => s.setEdgeAdoptionState);
+  const resetEdgeAdoptionState = useMigrationWizardStore((s) => s.resetEdgeAdoptionState);
+
+  const handleEvent = useCallback(
+    (event: SetupEvent) => {
+      setEdgeAdoptionState({
+        currentStep: event.step,
+        isComplete: event.step === 'Done',
+        isProcessing: event.step !== 'Done' && !event.error,
+        proxyVersion: event.version ?? null,
+        errorMessage: event.error
+          ? event.message || m.edge_setup_adoption_error_default()
+          : null,
+        proxyLogs: event.logs && event.logs.length > 0 ? [...event.logs] : [],
+      });
+    },
+    [setEdgeAdoptionState],
+  );
+
+  const sse = useSSEController<SetupEvent>(
+    '/api/v1/proxy/setup/stream',
+    {
+      ip_or_domain: migrationWizardStore.ip_or_domain,
+      grpc_port: migrationWizardStore.grpc_port,
+      common_name: migrationWizardStore.common_name,
+    },
+    {
+      onMessage: handleEvent,
+    },
+  );
+
+  const handleBack = () => {
+    useMigrationWizardStore.getState().resetEdgeAdoptionState();
+    setActiveStep(MigrationWizardStep.Edge);
+  };
+
+  const handleNext = async () => {
+    setActiveStep(MigrationWizardStep.Confirmation);
+  };
+
+  const steps: SetupStep[] = useMemo(
+    () => [
+      {
+        id: 'CheckingConfiguration',
+        title: m.edge_setup_adoption_checking_configuration(),
+      },
+      {
+        id: 'CheckingAvailability',
+        title: m.edge_setup_adoption_checking_availability({
+          ip_or_domain: migrationWizardStore.ip_or_domain,
+          grpc_port: migrationWizardStore.grpc_port.toString(),
+        }),
+      },
+      {
+        id: 'CheckingVersion',
+        title: edgeAdoptionState.proxyVersion
+          ? m.edge_setup_adoption_checking_version_with_value({
+              proxyVersion: edgeAdoptionState.proxyVersion,
+            })
+          : m.edge_setup_adoption_checking_version(),
+      },
+      {
+        id: 'ObtainingCsr',
+        title: m.edge_setup_adoption_obtaining_csr(),
+      },
+      {
+        id: 'SigningCertificate',
+        title: m.edge_setup_adoption_signing_certificate(),
+      },
+      {
+        id: 'ConfiguringTls',
+        title: m.edge_setup_adoption_configuring_tls(),
+      },
+    ],
+    [migrationWizardStore, edgeAdoptionState.proxyVersion],
+  );
+
+  const stepDone = useCallback(
+    (stepId: SetupStepId): boolean => {
+      const stepIndex = steps.findIndex((step) => step.id === stepId);
+      const currentStepIndex = edgeAdoptionState.currentStep
+        ? steps.findIndex((step) => step.id === edgeAdoptionState.currentStep)
+        : -1;
+      return stepIndex < currentStepIndex || edgeAdoptionState.isComplete;
+    },
+    [edgeAdoptionState.isComplete, edgeAdoptionState.currentStep, steps],
+  );
+
+  const stepLoading = useCallback(
+    (stepId: SetupStepId): boolean => {
+      return edgeAdoptionState.isProcessing && edgeAdoptionState.currentStep === stepId;
+    },
+    [edgeAdoptionState.isProcessing, edgeAdoptionState.currentStep],
+  );
+
+  const stepError = useCallback(
+    (stepId: SetupStepId): string | null => {
+      if (edgeAdoptionState.errorMessage && edgeAdoptionState.currentStep === stepId) {
+        return edgeAdoptionState.errorMessage;
+      }
+      return null;
+    },
+    [edgeAdoptionState.errorMessage, edgeAdoptionState.currentStep],
+  );
+
+  // biome-ignore lint/correctness/useExhaustiveDependencies: only run on mount
+  useEffect(() => {
+    resetEdgeAdoptionState();
+    sse.start();
+
+    return () => {
+      sse.stop();
+    };
+  }, []);
+
+  return (
+    <WizardCard>
+      <div>
+        {steps.map((step) => (
+          <LoadingStep
+            key={step.id}
+            title={step.title}
+            loading={stepLoading(step.id)}
+            success={stepDone(step.id)}
+            error={!!stepError(step.id)}
+            errorMessage={stepError(step.id) || undefined}
+          >
+            {edgeAdoptionState.proxyLogs.length > 0 ? (
+              <>
+                <CodeCard
+                  title={m.edge_setup_adoption_error_log_title()}
+                  value={edgeAdoptionState.proxyLogs.join('\n')}
+                />
+                <SizedBox height={ThemeSpacing.Xl} />
+              </>
+            ) : null}
+            <Controls>
+              <div className="left">
+                <Button
+                  variant="primary"
+                  text={m.edge_setup_adoption_controls_retry()}
+                  onClick={() => {
+                    resetEdgeAdoptionState();
+                    sse.restart();
+                  }}
+                  disabled={edgeAdoptionState.isProcessing}
+                />
+              </div>
+            </Controls>
+          </LoadingStep>
+        ))}
+      </div>
+      <Controls>
+        <Button
+          variant="outlined"
+          text={m.edge_setup_adoption_controls_back()}
+          onClick={handleBack}
+          disabled={edgeAdoptionState.isProcessing || edgeAdoptionState.isComplete}
+        />
+        <div className="right">
+          <Button
+            text={m.edge_setup_adoption_controls_continue()}
+            onClick={handleNext}
+            disabled={!edgeAdoptionState.isComplete || edgeAdoptionState.isProcessing}
+          />
+        </div>
+      </Controls>
+    </WizardCard>
+  );
+};
diff --git a/web/src/pages/MigrationWizardPage/steps/MigrationWizardEdgeComponentStep.tsx b/web/src/pages/MigrationWizardPage/steps/MigrationWizardEdgeComponentStep.tsx
new file mode 100644
index 000000000..38b68279f
--- /dev/null
+++ b/web/src/pages/MigrationWizardPage/steps/MigrationWizardEdgeComponentStep.tsx
@@ -0,0 +1,131 @@
+import { useMemo } from 'react';
+import z from 'zod';
+import { useShallow } from 'zustand/react/shallow';
+import { m } from '../../../paraglide/messages';
+import { Controls } from '../../../shared/components/Controls/Controls';
+import { WizardCard } from '../../../shared/components/wizard/WizardCard/WizardCard';
+import { Button } from '../../../shared/defguard-ui/components/Button/Button';
+import { SizedBox } from '../../../shared/defguard-ui/components/SizedBox/SizedBox';
+import { ThemeSpacing } from '../../../shared/defguard-ui/types';
+import { useAppForm } from '../../../shared/form';
+import { formChangeLogic } from '../../../shared/formLogic';
+import { validateIpOrDomain } from '../../../shared/validators';
+import { useMigrationWizardStore } from '../store/useMigrationWizardStore';
+import { MigrationWizardStep } from '../types';
+
+type FormFields = StoreValues;
+
+type StoreValues = {
+  common_name: string;
+  ip_or_domain: string;
+  grpc_port: number;
+};
+
+export const MigrationWizardEdgeComponentStep = () => {
+  const setActiveStep = useMigrationWizardStore((s) => s.setActiveStep);
+
+  const defaultValues = useMigrationWizardStore(
+    useShallow(
+      (s): FormFields => ({
+        common_name: s.common_name,
+        ip_or_domain: s.ip_or_domain,
+        grpc_port: s.grpc_port,
+      }),
+    ),
+  );
+
+  const handleNext = () => {
+    form.handleSubmit();
+  };
+
+  const formSchema = useMemo(
+    () =>
+      z.object({
+        common_name: z
+          .string()
+          .min(1, m.edge_setup_component_error_common_name_required()),
+        ip_or_domain: z
+          .string()
+          .min(1, m.edge_setup_component_error_ip_or_domain_required())
+          .refine((val) => validateIpOrDomain(val, false, true)),
+        grpc_port: z
+          .number()
+          .min(1, m.edge_setup_component_error_grpc_port_required())
+          .max(65535, m.edge_setup_component_error_grpc_port_max()),
+      }),
+    [],
+  );
+
+  const form = useAppForm({
+    defaultValues,
+    validationLogic: formChangeLogic,
+    validators: {
+      onSubmit: formSchema,
+      onChange: formSchema,
+    },
+    onSubmit: ({ value }) => {
+      useMigrationWizardStore.setState({
+        ...value,
+      });
+      setActiveStep(MigrationWizardStep.EdgeAdoption);
+    },
+  });
+
+  return (
+    <WizardCard>
+      <form
+        onSubmit={(e) => {
+          e.stopPropagation();
+          e.preventDefault();
+          form.handleSubmit();
+        }}
+      >
+        <form.AppForm>
+          <form.AppField name="common_name">
+            {(field) => (
+              <field.FormInput
+                required
+                label={m.edge_setup_component_label_common_name()}
+                type="text"
+              />
+            )}
+          </form.AppField>
+          <SizedBox height={ThemeSpacing.Xl} />
+          <form.AppField name="ip_or_domain">
+            {(field) => (
+              <field.FormInput
+                required
+                label={m.edge_setup_component_label_ip_or_domain()}
+                type="text"
+              />
+            )}
+          </form.AppField>
+          <SizedBox height={ThemeSpacing.Xl} />
+          <form.AppField name="grpc_port">
+            {(field) => (
+              <field.FormInput
+                required
+                label={m.edge_setup_component_label_grpc_port()}
+                type="number"
+              />
+            )}
+          </form.AppField>
+        </form.AppForm>
+      </form>
+      <Controls>
+        <Button
+          variant="outlined"
+          text={m.controls_back()}
+          onClick={() => setActiveStep(MigrationWizardStep.CaSummary)}
+        />
+        <div className="right">
+          <Button
+            text={m.edge_setup_component_controls_submit()}
+            onClick={handleNext}
+            type="submit"
+          />
+        </div>
+      </Controls>
+    </WizardCard>
+  );
+};
diff --git a/web/src/pages/MigrationWizardPage/steps/MigrationWizardGeneralConfigurationStep.tsx b/web/src/pages/MigrationWizardPage/steps/MigrationWizardGeneralConfigurationStep.tsx
new file mode 100644
index 000000000..feaf3e34b
--- /dev/null
+++ b/web/src/pages/MigrationWizardPage/steps/MigrationWizardGeneralConfigurationStep.tsx
@@ -0,0 +1,23 @@
+import { m } from '../../../paraglide/messages';
+import { Controls } from '../../../shared/components/Controls/Controls';
+import { WizardCard } from '../../../shared/components/wizard/WizardCard/WizardCard';
+import { Button } from '../../../shared/defguard-ui/components/Button/Button';
+import { useMigrationWizardStore } from '../store/useMigrationWizardStore';
+import { MigrationWizardStep } from '../types';
+
+export const MigrationWizardGeneralConfigurationStep = () => {
+  const setActiveStep = useMigrationWizardStore((s) => s.setActiveStep);
+
+  return (
+    <WizardCard>
+      <Controls>
+        <div className="right">
+          <Button
+            text={m.controls_continue()}
+            onClick={() => setActiveStep(MigrationWizardStep.Ca)}
+          />
+        </div>
+      </Controls>
+    </WizardCard>
+  );
+};
diff --git a/web/src/pages/MigrationWizardPage/steps/MigrationWizardStart.tsx b/web/src/pages/MigrationWizardPage/steps/MigrationWizardStart.tsx
new file mode 100644
index 000000000..69a6efd0a
--- /dev/null
+++ b/web/src/pages/MigrationWizardPage/steps/MigrationWizardStart.tsx
@@ -0,0 +1,39 @@
+import { Controls } from '../../../shared/components/Controls/Controls';
+import { AppText } from '../../../shared/defguard-ui/components/AppText/AppText';
+import { Button } from '../../../shared/defguard-ui/components/Button/Button';
+import { IconKind } from '../../../shared/defguard-ui/components/Icon';
+import { InfoBanner } from '../../../shared/defguard-ui/components/InfoBanner/InfoBanner';
+import { SizedBox } from '../../../shared/defguard-ui/components/SizedBox/SizedBox';
+import { TextStyle, ThemeSpacing } from '../../../shared/defguard-ui/types';
+import { useMigrationWizardStore } from '../store/useMigrationWizardStore';
+
+export const MigrationWizardStart = () => {
+  return (
+    <>
+      <InfoBanner
+        icon={IconKind.InfoOutlined}
+        variant="warning"
+        text={`IMPORTANT: Until you finish this migration process your VPN Locations will not work!.`}
+      />
+      <SizedBox height={ThemeSpacing.Lg} />
+      <AppText font={TextStyle.TBodySm400}>{`${explain1}\n\n${explain2}`}</AppText>
+      <SizedBox height={ThemeSpacing.Xl} />
+      <Controls>
+        <div className="left">
+          <Button
+            text="Start migration process"
+            onClick={() => {
+              useMigrationWizardStore.setState({
+                isWelcome: true,
+              });
+            }}
+          />
+        </div>
+      </Controls>
+    </>
+  );
+};
+
+const explain1 = `We will first automatically upgrade the Core instance (what you see now), followed by the public communication component, Edge (called Proxy prior to 2.0).`;
+
+const explain2 = `Next, each VPN location must be upgraded. This will likely require manual changes to your internal network (firewall rules), as the Core ↔ Gateway communication has changed: the Core now initiates the connection to the Gateway (in 1.x Gateway connected to Core).`;
diff --git a/web/src/pages/MigrationWizardPage/store/useMigrationWizardStore.tsx b/web/src/pages/MigrationWizardPage/store/useMigrationWizardStore.tsx
new file mode 100644
index 000000000..093448d13
--- /dev/null
+++ b/web/src/pages/MigrationWizardPage/store/useMigrationWizardStore.tsx
@@ -0,0 +1,84 @@
+import { omit } from 'lodash-es';
+import { create } from 'zustand';
+import { createJSONStorage, persist } from 'zustand/middleware';
+import type { EdgeAdoptionState } from '../../EdgeSetupPage/types';
+import {
+  type CAOptionType,
+  MigrationWizardStep,
+  type MigrationWizardStepValue,
+} from '../types';
+
+interface StoreValues {
+  isWelcome: boolean;
+  activeStep: MigrationWizardStepValue;
+  ca_common_name: string;
+  ca_email: string;
+  ca_validity_period_years: number;
+  ca_cert_file: File | null;
+  ca_option: CAOptionType | null;
+  common_name: string;
+  ip_or_domain: string;
+  grpc_port: number;
+  edgeAdoptionState: EdgeAdoptionState;
+}
+
+const edgeAdoptionStateDefaults: EdgeAdoptionState = {
+  isProcessing: false,
+  isComplete: false,
+  currentStep: null,
+  errorMessage: null,
+  proxyVersion: null,
+  proxyLogs: [],
+};
+
+const defaults: StoreValues = {
+  isWelcome: true,
+  activeStep: MigrationWizardStep.General,
+  ca_common_name: '',
+  ca_email: '',
+  ca_validity_period_years: 5,
+  ca_cert_file: null,
+  ca_option: null,
+  common_name: '',
+  ip_or_domain: '',
+  grpc_port: 50051,
+  edgeAdoptionState: edgeAdoptionStateDefaults,
+};
+
+interface Store extends StoreValues {
+  setActiveStep: (step: MigrationWizardStepValue) => void;
+  setState: (values: Partial<StoreValues>) => void;
+  resetEdgeAdoptionState: () => void;
+  setEdgeAdoptionState: (state: Partial<EdgeAdoptionState>) => void;
+}
+
+export const useMigrationWizardStore = create<Store>()(
+  persist(
+    (set) => ({
+      ...defaults,
+      setActiveStep: (step) => set({ activeStep: step }),
+      setState: (newValues) => {
+        set(newValues);
+      },
+      resetEdgeAdoptionState: () =>
+        set(() => ({
+          edgeAdoptionState: { ...edgeAdoptionStateDefaults },
+        })),
+      setEdgeAdoptionState: (state: Partial<EdgeAdoptionState>) =>
+        set((s) => ({
+          edgeAdoptionState: { ...s.edgeAdoptionState, ...state },
+        })),
+    }),
+    {
+      name: 'migration-wizard',
+      storage: createJSONStorage(() => sessionStorage),
+      partialize: (state) =>
+        omit(state, [
+          'setActiveStep',
+          'setState',
+          'resetEdgeAdoptionState',
+          'setEdgeAdoptionState',
+        ]),
+    },
+  ),
+);
diff --git a/web/src/pages/MigrationWizardPage/style.scss b/web/src/pages/MigrationWizardPage/style.scss
new file mode 100644
index 000000000..08d1924b3
--- /dev/null
+++ b/web/src/pages/MigrationWizardPage/style.scss
@@ -0,0 +1,40 @@
+#migration-wizard .wizard-card {
+  .ca-info {
+    .ca-info-title {
+      font: var(--t-body-sm-500);
+    }
+
+    .ca-info-grid {
+      display: grid;
+      grid-template-columns: 180px 1fr;
+      gap: var(--spacing-md) var(--spacing-lg);
+      align-items: center;
+    }
+
+    .ca-info-label {
+      color: var(--fg-neutral);
+      font: var(--t-body-md-400);
+    }
+
+    .ca-info-value {
+      color: var(--fg-faded);
+      font: var(--t-body-md-400);
+    }
+  }
+
+  .ca-settings {
+    padding: var(--spacing-xl);
+    border-radius: var(--radius-lg);
+    border: var(--border-1) solid var(--border-default);
+
+    form {
+      display: grid;
+      grid-template-columns: 1fr 1fr;
+      gap: var(--spacing-xl) var(--spacing-md);
+
+      & > :nth-child(odd):last-child {
+        grid-column: span 2;
+      }
+    }
+  }
+}
diff --git a/web/src/pages/MigrationWizardPage/types.ts b/web/src/pages/MigrationWizardPage/types.ts
new file mode 100644
index 000000000..5365098fc
--- /dev/null
+++ b/web/src/pages/MigrationWizardPage/types.ts
@@ -0,0 +1,18 @@
+export const MigrationWizardStep = {
+  General: 'general',
+  Ca: 'ca',
+  CaSummary: 'caSummary',
+  Edge: 'edge',
+  EdgeAdoption: 'edgeAdoption',
+  Confirmation: 'confirmation',
+} as const;
+
+export type MigrationWizardStepValue =
+  (typeof MigrationWizardStep)[keyof typeof MigrationWizardStep];
+
+export const CAOption = {
+  Create: 'create',
+  UseOwn: 'useOwn',
+} as const;
+
+export type CAOptionType = (typeof CAOption)[keyof typeof CAOption];
diff --git a/web/src/routeTree.gen.ts b/web/src/routeTree.gen.ts
index dd7b76882..d08bab316 100644
--- a/web/src/routeTree.gen.ts
+++ b/web/src/routeTree.gen.ts
@@ -21,6 +21,7 @@ import { Route as AuthLoadingRouteImport } from './routes/auth/loading'
 import { Route as AuthCallbackRouteImport } from './routes/auth/callback'
 import { Route as WizardSetupLoginRouteImport } from './routes/_wizard/setup-login'
 import { Route as WizardSetupRouteImport } from './routes/_wizard/setup'
+import { Route as WizardMigrationRouteImport } from './routes/_wizard/migration'
 import { Route as AuthorizedPlaygroundRouteImport } from './routes/_authorized/playground'
 import { Route as AuthorizedDefaultRouteImport } from './routes/_authorized/_default'
 import { Route as AuthMfaWebauthnRouteImport } from './routes/auth/mfa/webauthn'
@@ -122,6 +123,11 @@ const WizardSetupRoute = WizardSetupRouteImport.update({
   path: '/setup',
   getParentRoute: () => rootRouteImport,
 } as any)
+const WizardMigrationRoute = WizardMigrationRouteImport.update({
+  id: '/_wizard/migration',
+  path: '/migration',
+  getParentRoute: () => rootRouteImport,
+} as any)
 const AuthorizedPlaygroundRoute = AuthorizedPlaygroundRouteImport.update({
   id: '/playground',
   path: '/playground',
@@ -365,6 +371,7 @@ export interface FileRoutesByFullPath {
   '/consent': typeof ConsentRoute
   '/snackbar': typeof SnackbarRoute
   '/playground': typeof AuthorizedPlaygroundRoute
+  '/migration': typeof WizardMigrationRoute
   '/setup': typeof WizardSetupRoute
   '/setup-login': typeof WizardSetupLoginRoute
   '/auth/callback': typeof AuthCallbackRoute
@@ -418,6 +425,7 @@ export interface FileRoutesByTo {
   '/consent': typeof ConsentRoute
   '/snackbar': typeof SnackbarRoute
   '/playground': typeof AuthorizedPlaygroundRoute
+  '/migration': typeof WizardMigrationRoute
   '/setup': typeof WizardSetupRoute
   '/setup-login': typeof WizardSetupLoginRoute
   '/auth/callback': typeof AuthCallbackRoute
@@ -474,6 +482,7 @@ export interface FileRoutesById {
   '/snackbar': typeof SnackbarRoute
   '/_authorized/_default': typeof AuthorizedDefaultRouteWithChildren
   '/_authorized/playground': typeof AuthorizedPlaygroundRoute
+  '/_wizard/migration': typeof WizardMigrationRoute
   '/_wizard/setup': typeof WizardSetupRoute
   '/_wizard/setup-login': typeof WizardSetupLoginRoute
   '/auth/callback': typeof AuthCallbackRoute
@@ -530,6 +539,7 @@ export interface FileRouteTypes {
     | '/consent'
     | '/snackbar'
     | '/playground'
+    | '/migration'
     | '/setup'
     | '/setup-login'
     | '/auth/callback'
@@ -583,6 +593,7 @@ export interface FileRouteTypes {
     | '/consent'
     | '/snackbar'
     | '/playground'
+    | '/migration'
     | '/setup'
     | '/setup-login'
     | '/auth/callback'
@@ -638,6 +649,7 @@ export interface FileRouteTypes {
     | '/snackbar'
     | '/_authorized/_default'
     | '/_authorized/playground'
+    | '/_wizard/migration'
     | '/_wizard/setup'
     | '/_wizard/setup-login'
     | '/auth/callback'
@@ -692,6 +704,7 @@ export interface RootRouteChildren {
   AuthRoute: typeof AuthRouteWithChildren
   ConsentRoute: typeof ConsentRoute
   SnackbarRoute: typeof SnackbarRoute
+  WizardMigrationRoute: typeof WizardMigrationRoute
   WizardSetupRoute: typeof WizardSetupRoute
   WizardSetupLoginRoute: typeof WizardSetupLoginRoute
 }
@@ -782,6 +795,13 @@ declare module '@tanstack/react-router' {
       preLoaderRoute: typeof WizardSetupRouteImport
       parentRoute: typeof rootRouteImport
     }
+    '/_wizard/migration': {
+      id: '/_wizard/migration'
+      path: '/migration'
+      fullPath: '/migration'
+      preLoaderRoute: typeof WizardMigrationRouteImport
+      parentRoute: typeof rootRouteImport
+    }
     '/_authorized/playground': {
       id: '/_authorized/playground'
       path: '/playground'
@@ -1216,6 +1236,7 @@ const rootRouteChildren: RootRouteChildren = {
   AuthRoute: AuthRouteWithChildren,
   ConsentRoute: ConsentRoute,
   SnackbarRoute: SnackbarRoute,
+  WizardMigrationRoute: WizardMigrationRoute,
   WizardSetupRoute: WizardSetupRoute,
   WizardSetupLoginRoute: WizardSetupLoginRoute,
 }
diff --git a/web/src/routes/_wizard/migration.tsx b/web/src/routes/_wizard/migration.tsx
new file mode 100644
index 000000000..c2193197c
--- /dev/null
+++ b/web/src/routes/_wizard/migration.tsx
@@ -0,0 +1,6 @@
+import { createFileRoute } from '@tanstack/react-router';
+import { MigrationWizardPage } from '../../pages/MigrationWizardPage/MigrationWizardPage';
+
+export const Route = createFileRoute('/_wizard/migration')({
+  component: MigrationWizardPage,
+});

From 9629a884d6d274618970d7fa5eeca96d44eb3a9c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Filip=20=C5=9Al=C4=99zak?= <fslezak@teonite.com>
Date: Mon, 2 Mar 2026 10:26:16 +0100
Subject: [PATCH 07/15] up

---
 crates/defguard/src/main.rs                   |  3 --
 .../src/db/models/wizard_flags.rs             |  7 ++--
 .../src/handlers/session_info.rs              | 40 +++++++------------
 web/src/app/App.tsx                           |  5 ++-
 web/src/routes/auth.tsx                       | 28 ++++++-------
 web/src/shared/api/api.ts                     |  2 +
 web/src/shared/api/types.ts                   | 13 ++++++
 web/src/shared/hooks/useApp.tsx               |  8 +++-
 .../providers/AppSessionInfoProvider.tsx      | 14 +++++++
 web/src/shared/query.ts                       |  9 +++++
 10 files changed, 81 insertions(+), 48 deletions(-)
 create mode 100644 web/src/shared/providers/AppSessionInfoProvider.tsx

diff --git a/crates/defguard/src/main.rs b/crates/defguard/src/main.rs
index 32de64976..8ec191d13 100644
--- a/crates/defguard/src/main.rs
+++ b/crates/defguard/src/main.rs
@@ -100,7 +100,6 @@ async fn main() -> Result<(), anyhow::Error> {
     Settings::init_defaults(&pool).await?;
     // initialize global settings struct
     initialize_current_settings(&pool).await?;
-    let mut settings = Settings::get_current_settings();
 
     if wizard_flags.initial_wizard_in_progress && !wizard_flags.initial_wizard_completed {
         if let Err(err) =
@@ -108,8 +107,6 @@ async fn main() -> Result<(), anyhow::Error> {
         {
             anyhow::bail!("Setup web server exited with error: {err}");
         }
-
-        settings = Settings::get_current_settings();
     }
 
     config.initialize_post_settings();
diff --git a/crates/defguard_core/src/db/models/wizard_flags.rs b/crates/defguard_core/src/db/models/wizard_flags.rs
index 1c76d80b1..2832c992c 100644
--- a/crates/defguard_core/src/db/models/wizard_flags.rs
+++ b/crates/defguard_core/src/db/models/wizard_flags.rs
@@ -77,12 +77,11 @@ impl WizardFlags {
 
             sqlx::query(
                 "INSERT INTO wizard (
-                    migration_wizard_needed,
                     migration_wizard_in_progress,
                     migration_wizard_completed,
                     initial_wizard_in_progress,
                     initial_wizard_completed
-                ) VALUES ($1, FALSE, FALSE, $2, FALSE)",
+                ) VALUES ($1, FALSE, $2, FALSE)",
             )
             .bind(is_migration_needed)
             .bind(is_fresh_instance)
@@ -90,8 +89,8 @@ impl WizardFlags {
             .await?;
 
             return Ok(Self {
-                migration_wizard_needed: is_migration_needed,
-                migration_wizard_in_progress: false,
+                migration_wizard_needed: false,
+                migration_wizard_in_progress: is_migration_needed,
                 migration_wizard_completed: false,
                 initial_wizard_in_progress: is_fresh_instance,
                 initial_wizard_completed: false,
diff --git a/crates/defguard_core/src/handlers/session_info.rs b/crates/defguard_core/src/handlers/session_info.rs
index 439167231..b250882dc 100644
--- a/crates/defguard_core/src/handlers/session_info.rs
+++ b/crates/defguard_core/src/handlers/session_info.rs
@@ -11,6 +11,7 @@ use crate::{
 #[derive(Serialize)]
 struct SessionInfoResponse {
     authorized: bool,
+    is_admin: bool,
     wizard_flags: Option<WizardFlags>,
 }
 
@@ -22,49 +23,38 @@ pub(crate) async fn get_session_info(
     let flags = WizardFlags::get(pool).await?;
 
     let Ok(SessionExtractor(session)) = session else {
-        if flags.initial_wizard_in_progress {
-            return Ok(ApiResponse::json(
-                SessionInfoResponse {
-                    authorized: false,
-                    wizard_flags: Some(flags),
-                },
-                StatusCode::OK,
-            ));
-        } else {
-            return Ok(ApiResponse::json(
-                SessionInfoResponse {
-                    authorized: false,
-                    wizard_flags: None,
-                },
-                StatusCode::OK,
-            ));
-        }
-    };
-
-    let Some(user) = User::find_by_id(pool, session.user_id).await? else {
         return Ok(ApiResponse::json(
             SessionInfoResponse {
                 authorized: false,
-                wizard_flags: None,
+                is_admin: false,
+                wizard_flags: if flags.initial_wizard_in_progress {
+                    Some(flags)
+                } else {
+                    None
+                },
             },
             StatusCode::OK,
         ));
     };
 
-    if !user.is_admin(pool).await? {
+    let Some(user) = User::find_by_id(pool, session.user_id).await? else {
         return Ok(ApiResponse::json(
             SessionInfoResponse {
-                authorized: true,
+                authorized: false,
+                is_admin: false,
                 wizard_flags: None,
             },
             StatusCode::OK,
         ));
-    }
+    };
+
+    let user_admin = user.is_admin(pool).await?;
 
     Ok(ApiResponse::json(
         SessionInfoResponse {
             authorized: true,
-            wizard_flags: Some(flags),
+            is_admin: user_admin,
+            wizard_flags: if user_admin { Some(flags) } else { None },
         },
         StatusCode::OK,
     ))
diff --git a/web/src/app/App.tsx b/web/src/app/App.tsx
index 46956be78..2ede51bc5 100644
--- a/web/src/app/App.tsx
+++ b/web/src/app/App.tsx
@@ -2,6 +2,7 @@ import './day';
 
 import { QueryClientProvider } from '@tanstack/react-query';
 import { RouterProvider } from '@tanstack/react-router';
+import { AppSessionInfoProvider } from '../shared/providers/AppSessionInfoProvider';
 import { AppThemeProvider } from '../shared/providers/AppThemeProvider';
 import { queryClient } from './query';
 import { router } from './router';
@@ -10,7 +11,9 @@ export const App = () => {
   return (
     <AppThemeProvider>
       <QueryClientProvider client={queryClient}>
-        <RouterProvider router={router} />
+        <AppSessionInfoProvider>
+          <RouterProvider router={router} />
+        </AppSessionInfoProvider>
       </QueryClientProvider>
     </AppThemeProvider>
   );
diff --git a/web/src/routes/auth.tsx b/web/src/routes/auth.tsx
index d1fef9d00..fb45a33ab 100644
--- a/web/src/routes/auth.tsx
+++ b/web/src/routes/auth.tsx
@@ -4,9 +4,8 @@ import { useCallback, useEffect } from 'react';
 import z from 'zod';
 import { type User, UserMfaMethod } from '../shared/api/types';
 import { isPresent } from '../shared/defguard-ui/utils/isPresent';
-import { useApp } from '../shared/hooks/useApp';
 import { useAuth } from '../shared/hooks/useAuth';
-import { getSettingsEssentialsQueryOptions } from '../shared/query';
+import { getSessionInfoQueryOptions } from '../shared/query';
 
 const basicSchema = z.object({
   url: z.string().nullable().optional(),
@@ -22,23 +21,24 @@ const mfaSchema = z.object({
 
 export const Route = createFileRoute('/auth')({
   beforeLoad: async ({ context }) => {
-    // ensure that login is possible on the instance
-    let settings = useApp.getState().settingsEssentials;
-    // fill settings
-    if (!isPresent(settings)) {
-      settings = (
-        await context.queryClient.ensureQueryData(getSettingsEssentialsQueryOptions)
-      ).data;
-      useApp.setState({
-        settingsEssentials: settings,
-      });
-    }
-    if (!settings.initial_setup_completed) {
+    const sessionInfo = (
+      await context.queryClient.ensureQueryData(getSessionInfoQueryOptions)
+    ).data;
+    if (sessionInfo.wizard_flags?.initial_wizard_in_progress) {
       throw redirect({
         to: '/setup',
         replace: true,
       });
     }
+    if (sessionInfo.authorized) {
+      if (sessionInfo.wizard_flags?.migration_wizard_in_progress) {
+        throw redirect({
+          to: '/migration',
+          replace: true,
+        });
+      } else {
+      }
+    }
   },
   component: RouteComponent,
 });
diff --git a/web/src/shared/api/api.ts b/web/src/shared/api/api.ts
index b0aec8570..aab0173ae 100644
--- a/web/src/shared/api/api.ts
+++ b/web/src/shared/api/api.ts
@@ -81,6 +81,7 @@ import type {
   PaginatedResponse,
   RenameApiTokenRequest,
   RenameAuthKeyRequest,
+  SessionInfo,
   SetGeneralConfigRequest,
   Settings,
   SettingsEnterprise,
@@ -499,6 +500,7 @@ const api = {
       client.put(`/activity_log_stream/${id}`, data),
     deleteStream: (id: number) => client.delete(`/activity_log_stream/${id}`),
   },
+  getSessionInfo: () => client.get<SessionInfo>(`/session-info`),
   getActivityLog: (data?: ActivityLogRequestParams) =>
     client
       .get<PaginatedResponse<ActivityLogEvent>>(`/activity_log`, {
diff --git a/web/src/shared/api/types.ts b/web/src/shared/api/types.ts
index 1a68b47d6..e6e84a16e 100644
--- a/web/src/shared/api/types.ts
+++ b/web/src/shared/api/types.ts
@@ -9,6 +9,19 @@ export type ResourceById<T extends object> = {
   [id: number]: T | undefined;
 };
 
+export type WizardFlags = {
+  initial_wizard_in_progress: boolean;
+  initial_wizard_completed: boolean;
+  migration_wizard_completed: boolean;
+  migration_wizard_in_progress: boolean;
+};
+
+export interface SessionInfo {
+  authorized: boolean;
+  isAdmin: boolean;
+  wizard_flags: WizardFlags | null;
+}
+
 export interface GatewayTokenResponse {
   grpc_url: string;
   token: string;
diff --git a/web/src/shared/hooks/useApp.tsx b/web/src/shared/hooks/useApp.tsx
index e4837d695..8b9d320d1 100644
--- a/web/src/shared/hooks/useApp.tsx
+++ b/web/src/shared/hooks/useApp.tsx
@@ -1,10 +1,11 @@
 import { create } from 'zustand';
-import type { ApplicationInfo, SettingsEssentials } from '../api/types';
+import type { ApplicationInfo, SessionInfo, SettingsEssentials } from '../api/types';
 
 type StoreValues = {
   navigationOpen: boolean;
   appInfo: ApplicationInfo;
   settingsEssentials?: SettingsEssentials;
+  sessionInfo: SessionInfo;
 };
 
 type Store = StoreValues;
@@ -21,6 +22,11 @@ const defaults: StoreValues = {
     smtp_enabled: false,
     version: '',
   },
+  sessionInfo: {
+    authorized: false,
+    isAdmin: false,
+    wizard_flags: null,
+  },
   settingsEssentials: undefined,
 };
 
diff --git a/web/src/shared/providers/AppSessionInfoProvider.tsx b/web/src/shared/providers/AppSessionInfoProvider.tsx
new file mode 100644
index 000000000..c2eb1a14d
--- /dev/null
+++ b/web/src/shared/providers/AppSessionInfoProvider.tsx
@@ -0,0 +1,14 @@
+import { useQuery } from '@tanstack/react-query';
+import { type PropsWithChildren, useEffect } from 'react';
+import { getSessionInfoQueryOptions } from '../query';
+
+export const AppSessionInfoProvider = ({ children }: PropsWithChildren) => {
+  const { data } = useQuery(getSessionInfoQueryOptions);
+
+  useEffect(() => {
+    if (data) {
+      console.log(data);
+    }
+  }, [data]);
+  return children;
+};
diff --git a/web/src/shared/query.ts b/web/src/shared/query.ts
index a3c33e076..39b6f4847 100644
--- a/web/src/shared/query.ts
+++ b/web/src/shared/query.ts
@@ -231,6 +231,15 @@ export const getActivityLogStreamsQueryOptions = queryOptions({
   select: (resp) => resp.data,
 });
 
+export const getSessionInfoQueryOptions = queryOptions({
+  queryFn: api.getSessionInfo,
+  queryKey: ['session-info'],
+  select: (resp) => resp.data,
+  refetchOnMount: true,
+  refetchOnReconnect: true,
+  refetchOnWindowFocus: false,
+});
+
 export const getSettingsEssentialsQueryOptions = queryOptions({
   queryFn: api.settings.getSettingsEssentials,
   queryKey: ['settings_essentials'],

From f605d01ca48670a0ba51b36d6a237e8a299268ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Filip=20=C5=9Al=C4=99zak?= <fslezak@teonite.com>
Date: Mon, 2 Mar 2026 12:06:12 +0100
Subject: [PATCH 08/15] update ui

---
 web/messages/en/migration_wizard.json         |  12 ++
 .../MigrationWizardPage.tsx                   |   1 -
 .../steps/MigrationWizardCAStep.tsx           | 199 +++++-------------
 ...igrationWizardGeneralConfigurationStep.tsx | 151 ++++++++++++-
 .../steps/MigrationWizardStart.tsx            |  14 +-
 .../store/useMigrationWizardStore.tsx         |  10 +
 web/src/routes/_authorized.tsx                |  29 +--
 web/src/routes/_wizard/migration.tsx          |   7 +
 web/src/routes/_wizard/setup.tsx              |  75 +++----
 web/src/routes/auth.tsx                       |  31 ++-
 .../wizard/WizardWelcomePage/style.scss       |   4 +
 web/src/shared/components/wizard/types.ts     |   2 +-
 web/src/shared/query.ts                       |   8 +-
 13 files changed, 316 insertions(+), 227 deletions(-)

diff --git a/web/messages/en/migration_wizard.json b/web/messages/en/migration_wizard.json
index 8c1cee003..d8ea95607 100644
--- a/web/messages/en/migration_wizard.json
+++ b/web/messages/en/migration_wizard.json
@@ -18,6 +18,18 @@
 
   "migration_wizard_ca_validity_one_year": "1 year",
   "migration_wizard_ca_validity_years": "{years} years",
+  "migration_wizard_general_config_error_invalid_url": "Invalid URL",
+  "migration_wizard_general_config_error_defguard_url_required": "Defguard URL is required",
+  "migration_wizard_general_config_error_admin_group_required": "Default admin group name is required",
+  "migration_wizard_general_config_error_auth_period_min": "Authentication period must be at least 1 day",
+  "migration_wizard_general_config_error_mfa_timeout_min": "MFA code timeout must be at least 60 seconds",
+  "migration_wizard_general_config_label_defguard_url": "Defguard URL",
+  "migration_wizard_general_config_label_admin_group": "Default Admin Group Name",
+  "migration_wizard_general_config_label_auth_period": "Default Authentication Period (days)",
+  "migration_wizard_general_config_label_mfa_timeout": "Default MFA Code Timeout (seconds)",
+  "migration_wizard_general_config_label_public_proxy_url": "Public Edge component URL",
+  "migration_wizard_general_config_error_public_proxy_url_invalid": "Public Proxy URL must be a valid URL",
+  "migration_wizard_general_config_error_public_proxy_url_required": "Public Proxy URL is required",
   "migration_wizard_ca_error_common_name_required": "Common name is required",
   "migration_wizard_ca_error_email_invalid": "Invalid email address",
   "migration_wizard_ca_error_email_required": "Email is required",
diff --git a/web/src/pages/MigrationWizardPage/MigrationWizardPage.tsx b/web/src/pages/MigrationWizardPage/MigrationWizardPage.tsx
index f39dda08d..811a7bbd6 100644
--- a/web/src/pages/MigrationWizardPage/MigrationWizardPage.tsx
+++ b/web/src/pages/MigrationWizardPage/MigrationWizardPage.tsx
@@ -20,7 +20,6 @@ const welcomePageConfig: WizardWelcomePageConfig = {
   title: 'Welcome to Defguard Migration Wizard.',
   subtitle: `We've detected your previous version 1.X so email.`,
   content: <MigrationWizardStart />,
-  media: <img alt="media.png" />,
   docsText: `We'll guide you through the process step by step. For full details, see the migration guide following the link bellow.`,
 } as const;
 
diff --git a/web/src/pages/MigrationWizardPage/steps/MigrationWizardCAStep.tsx b/web/src/pages/MigrationWizardPage/steps/MigrationWizardCAStep.tsx
index b98641c86..3fd3292f9 100644
--- a/web/src/pages/MigrationWizardPage/steps/MigrationWizardCAStep.tsx
+++ b/web/src/pages/MigrationWizardPage/steps/MigrationWizardCAStep.tsx
@@ -1,23 +1,21 @@
 import { useMutation } from '@tanstack/react-query';
-import { useCallback, useMemo } from 'react';
+import { useMemo } from 'react';
 import z from 'zod';
 import { useShallow } from 'zustand/react/shallow';
 import { m } from '../../../paraglide/messages';
 import api from '../../../shared/api/api';
 import { Controls } from '../../../shared/components/Controls/Controls';
 import { WizardCard } from '../../../shared/components/wizard/WizardCard/WizardCard';
-import { BadgeVariant } from '../../../shared/defguard-ui/components/Badge/types';
 import { Button } from '../../../shared/defguard-ui/components/Button/Button';
-import { InteractiveBlock } from '../../../shared/defguard-ui/components/InteractiveBlock/InteractiveBlock';
+import { EvenSplit } from '../../../shared/defguard-ui/components/EvenSplit/EvenSplit';
 import type { SelectOption } from '../../../shared/defguard-ui/components/Select/types';
 import { SizedBox } from '../../../shared/defguard-ui/components/SizedBox/SizedBox';
 import { Snackbar } from '../../../shared/defguard-ui/providers/snackbar/snackbar';
 import { ThemeSpacing } from '../../../shared/defguard-ui/types';
-import { isPresent } from '../../../shared/defguard-ui/utils/isPresent';
 import { useAppForm } from '../../../shared/form';
 import { formChangeLogic } from '../../../shared/formLogic';
 import { useMigrationWizardStore } from '../store/useMigrationWizardStore';
-import { CAOption, type CAOptionType, MigrationWizardStep } from '../types';
+import { MigrationWizardStep } from '../types';
 
 type ValidityValue = 1 | 2 | 3 | 5 | 10;
 
@@ -41,27 +39,8 @@ type CreateCAStoreValues = {
   ca_validity_period_years: number;
 };
 
-type UploadCAFormFields = UploadCAStoreValues;
-
-type UploadCAStoreValues = {
-  ca_cert_file: File | null;
-};
-
-const readFileAsText = (file: File): Promise<string> => {
-  return new Promise((resolve, reject) => {
-    const reader = new FileReader();
-    reader.onload = () => resolve(reader.result as string);
-    reader.onerror = () => reject(reader.error);
-    reader.readAsText(file);
-  });
-};
-
 export const MigrationWizardCAStep = () => {
   const setActiveStep = useMigrationWizardStore((s) => s.setActiveStep);
-  const caOption = useMigrationWizardStore((s) => s.ca_option);
-  const setCAOption = useCallback((option: CAOptionType) => {
-    useMigrationWizardStore.setState({ ca_option: option });
-  }, []);
 
   const createCAdefaultValues = useMigrationWizardStore(
     useShallow(
@@ -73,10 +52,6 @@ export const MigrationWizardCAStep = () => {
     ),
   );
 
-  const uploadCAdefaultValues: UploadCAFormFields = {
-    ca_cert_file: undefined as unknown as File,
-  };
-
   const createFormSchema = useMemo(
     () =>
       z.object({
@@ -93,17 +68,7 @@ export const MigrationWizardCAStep = () => {
     [],
   );
 
-  const uploadFormSchema = useMemo(
-    () =>
-      z.object({
-        ca_cert_file: z
-          .file()
-          .refine((file) => isPresent(file), m.migration_wizard_ca_error_cert_required()),
-      }),
-    [],
-  );
-
-  const { mutate: createCA, isPending: isCreatingCA } = useMutation({
+  const { mutateAsync: createCA } = useMutation({
     mutationFn: api.initial_setup.createCA,
     onSuccess: () => {
       setActiveStep(MigrationWizardStep.CaSummary);
@@ -117,34 +82,20 @@ export const MigrationWizardCAStep = () => {
     },
   });
 
-  const { mutate: uploadCA, isPending: isUploadingCA } = useMutation({
-    mutationFn: api.initial_setup.uploadCA,
-    onSuccess: () => {
-      setActiveStep(MigrationWizardStep.CaSummary);
-    },
-    onError: (error) => {
-      console.error('Failed to upload CA:', error);
-      Snackbar.error(m.migration_wizard_ca_error_upload_failed());
-    },
-    meta: {
-      invalidate: ['initial_setup', 'ca'],
-    },
-  });
-
-  const createForm = useAppForm({
+  const form = useAppForm({
     defaultValues: createCAdefaultValues,
     validationLogic: formChangeLogic,
     validators: {
       onSubmit: createFormSchema,
       onChange: createFormSchema,
     },
-    onSubmit: ({ value }) => {
+    onSubmit: async ({ value }) => {
       useMigrationWizardStore.setState({
         ca_common_name: value.ca_common_name,
         ca_email: value.ca_email,
         ca_validity_period_years: value.ca_validity_period_years,
       });
-      createCA({
+      await createCA({
         common_name: value.ca_common_name,
         email: value.ca_email,
         validity_period_years: value.ca_validity_period_years,
@@ -152,32 +103,21 @@ export const MigrationWizardCAStep = () => {
     },
   });
 
-  const uploadForm = useAppForm({
-    defaultValues: uploadCAdefaultValues,
-    validationLogic: formChangeLogic,
-    validators: {
-      onSubmit: uploadFormSchema,
-      onChange: uploadFormSchema,
-    },
-    onSubmit: async ({ value }) => {
-      if (!value.ca_cert_file) return;
-      const certContent = await readFileAsText(value.ca_cert_file);
-      uploadCA({ cert_file: certContent });
-    },
-  });
+  const handleBack = () => {
+    setActiveStep(MigrationWizardStep.General);
+  };
 
-  const CreateCAForm = () => {
-    const form = createForm;
-    return (
-      <div className="ca-settings">
-        <form
-          onSubmit={(e) => {
-            e.stopPropagation();
-            e.preventDefault();
-            form.handleSubmit();
-          }}
-        >
-          <form.AppForm>
+  return (
+    <WizardCard>
+      <form
+        onSubmit={(e) => {
+          e.stopPropagation();
+          e.preventDefault();
+          form.handleSubmit();
+        }}
+      >
+        <form.AppForm>
+          <EvenSplit>
             <form.AppField name="ca_common_name">
               {(field) => (
                 <field.FormInput
@@ -188,7 +128,6 @@ export const MigrationWizardCAStep = () => {
                 />
               )}
             </form.AppField>
-
             <form.AppField name="ca_email">
               {(field) => (
                 <field.FormInput
@@ -198,68 +137,42 @@ export const MigrationWizardCAStep = () => {
                 />
               )}
             </form.AppField>
-
-            <form.AppField name="ca_validity_period_years">
-              {(field) => (
-                <field.FormSelect
-                  required
-                  label={m.migration_wizard_ca_label_validity()}
-                  options={validityOptions}
+          </EvenSplit>
+          <SizedBox height={ThemeSpacing.Xl} />
+          <form.AppField name="ca_validity_period_years">
+            {(field) => (
+              <field.FormSelect
+                required
+                label={m.migration_wizard_ca_label_validity()}
+                options={validityOptions}
+              />
+            )}
+          </form.AppField>
+          <form.Subscribe
+            selector={(s) => ({
+              isSubmitting: s.isSubmitting,
+            })}
+          >
+            {({ isSubmitting }) => (
+              <Controls>
+                <Button
+                  variant="outlined"
+                  text={m.controls_back()}
+                  onClick={handleBack}
+                  disabled={isSubmitting}
                 />
-              )}
-            </form.AppField>
-          </form.AppForm>
-        </form>
-      </div>
-    );
-  };
-
-  const handleBack = () => {
-    setActiveStep(MigrationWizardStep.General);
-  };
-
-  const handleNext = () => {
-    if (caOption === CAOption.Create) {
-      createForm.handleSubmit();
-    } else if (caOption === CAOption.UseOwn) {
-      uploadForm.handleSubmit();
-    }
-  };
-
-  const isPending = isCreatingCA || isUploadingCA;
-
-  return (
-    <WizardCard>
-      <InteractiveBlock
-        title={m.migration_wizard_ca_option_create_title()}
-        value={caOption === CAOption.Create}
-        onClick={() => setCAOption(CAOption.Create)}
-        content={m.migration_wizard_ca_option_create_description()}
-        badge={{
-          text: m.misc_recommended(),
-          variant: BadgeVariant.Success,
-        }}
-      >
-        <SizedBox height={ThemeSpacing.Xl2} />
-        {caOption === CAOption.Create && <CreateCAForm />}
-      </InteractiveBlock>
-
-      <Controls>
-        <Button
-          variant="outlined"
-          text={m.controls_back()}
-          onClick={handleBack}
-          disabled={isPending}
-        />
-        <div className="right">
-          <Button
-            text={m.controls_continue()}
-            onClick={handleNext}
-            loading={isPending}
-            disabled={isPending || !isPresent(caOption)}
-          />
-        </div>
-      </Controls>
+                <div className="right">
+                  <Button
+                    text={m.controls_continue()}
+                    type="submit"
+                    loading={isSubmitting}
+                  />
+                </div>
+              </Controls>
+            )}
+          </form.Subscribe>
+        </form.AppForm>
+      </form>
     </WizardCard>
   );
 };
diff --git a/web/src/pages/MigrationWizardPage/steps/MigrationWizardGeneralConfigurationStep.tsx b/web/src/pages/MigrationWizardPage/steps/MigrationWizardGeneralConfigurationStep.tsx
index feaf3e34b..053767ce6 100644
--- a/web/src/pages/MigrationWizardPage/steps/MigrationWizardGeneralConfigurationStep.tsx
+++ b/web/src/pages/MigrationWizardPage/steps/MigrationWizardGeneralConfigurationStep.tsx
@@ -1,23 +1,156 @@
+import { useMemo } from 'react';
+import z from 'zod';
+import { useShallow } from 'zustand/react/shallow';
 import { m } from '../../../paraglide/messages';
 import { Controls } from '../../../shared/components/Controls/Controls';
 import { WizardCard } from '../../../shared/components/wizard/WizardCard/WizardCard';
 import { Button } from '../../../shared/defguard-ui/components/Button/Button';
+import { SizedBox } from '../../../shared/defguard-ui/components/SizedBox/SizedBox';
+import { ThemeSpacing } from '../../../shared/defguard-ui/types';
+import { useAppForm } from '../../../shared/form';
+import { formChangeLogic } from '../../../shared/formLogic';
 import { useMigrationWizardStore } from '../store/useMigrationWizardStore';
 import { MigrationWizardStep } from '../types';
 
+type FormFields = StoreValues;
+
+type StoreValues = {
+  defguard_url: string;
+  default_admin_group_name: string;
+  default_authentication: number;
+  default_mfa_code_lifetime: number;
+  public_proxy_url: string;
+};
+
 export const MigrationWizardGeneralConfigurationStep = () => {
-  const setActiveStep = useMigrationWizardStore((s) => s.setActiveStep);
+  const defaultValues = useMigrationWizardStore(
+    useShallow(
+      (s): FormFields => ({
+        defguard_url: s.defguard_url,
+        default_admin_group_name: s.default_admin_group_name,
+        default_authentication: s.default_authentication_period_days,
+        default_mfa_code_lifetime: s.default_mfa_code_timeout_seconds,
+        public_proxy_url: s.public_proxy_url,
+      }),
+    ),
+  );
+
+  const formSchema = useMemo(
+    () =>
+      z.object({
+        defguard_url: z
+          .url(m.migration_wizard_general_config_error_invalid_url())
+          .min(1, m.migration_wizard_general_config_error_defguard_url_required()),
+        default_admin_group_name: z
+          .string()
+          .min(1, m.migration_wizard_general_config_error_admin_group_required()),
+        default_authentication: z
+          .number()
+          .min(1, m.migration_wizard_general_config_error_auth_period_min()),
+        default_mfa_code_lifetime: z
+          .number()
+          .min(60, m.migration_wizard_general_config_error_mfa_timeout_min()),
+        public_proxy_url: z
+          .url(m.migration_wizard_general_config_error_public_proxy_url_invalid())
+          .min(1, m.migration_wizard_general_config_error_public_proxy_url_required()),
+      }),
+    [],
+  );
+
+  const form = useAppForm({
+    defaultValues,
+    validationLogic: formChangeLogic,
+    validators: {
+      onSubmit: formSchema,
+      onChange: formSchema,
+    },
+    onSubmit: ({ value }) => {
+      useMigrationWizardStore.setState({
+        defguard_url: value.defguard_url,
+        default_admin_group_name: value.default_admin_group_name,
+        default_authentication_period_days: value.default_authentication,
+        default_mfa_code_timeout_seconds: value.default_mfa_code_lifetime,
+        public_proxy_url: value.public_proxy_url,
+        activeStep: MigrationWizardStep.Ca,
+      });
+    },
+  });
 
   return (
     <WizardCard>
-      <Controls>
-        <div className="right">
-          <Button
-            text={m.controls_continue()}
-            onClick={() => setActiveStep(MigrationWizardStep.Ca)}
-          />
-        </div>
-      </Controls>
+      <form
+        onSubmit={(e) => {
+          e.stopPropagation();
+          e.preventDefault();
+          form.handleSubmit();
+        }}
+      >
+        <form.AppForm>
+          <form.AppField name="defguard_url">
+            {(field) => (
+              <field.FormInput
+                required
+                label={m.migration_wizard_general_config_label_defguard_url()}
+                type="text"
+              />
+            )}
+          </form.AppField>
+          <SizedBox height={ThemeSpacing.Xl} />
+          <form.AppField name="default_admin_group_name">
+            {(field) => (
+              <field.FormInput
+                required
+                label={m.migration_wizard_general_config_label_admin_group()}
+                type="text"
+              />
+            )}
+          </form.AppField>
+          <SizedBox height={ThemeSpacing.Xl} />
+          <form.AppField name="default_authentication">
+            {(field) => (
+              <field.FormInput
+                required
+                label={m.migration_wizard_general_config_label_auth_period()}
+                type="number"
+              />
+            )}
+          </form.AppField>
+          <SizedBox height={ThemeSpacing.Xl} />
+          <form.AppField name="default_mfa_code_lifetime">
+            {(field) => (
+              <field.FormInput
+                required
+                label={m.migration_wizard_general_config_label_mfa_timeout()}
+                type="number"
+              />
+            )}
+          </form.AppField>
+          <SizedBox height={ThemeSpacing.Xl} />
+          <form.AppField name="public_proxy_url">
+            {(field) => (
+              <field.FormInput
+                required
+                label={m.migration_wizard_general_config_label_public_proxy_url()}
+                type="text"
+              />
+            )}
+          </form.AppField>
+          <Controls>
+            <Button
+              variant="outlined"
+              text={m.controls_back()}
+              onClick={() => {
+                useMigrationWizardStore.setState({
+                  isWelcome: true,
+                });
+              }}
+            />
+            <div className="right">
+              <Button text={m.controls_continue()} type="submit" />
+            </div>
+          </Controls>
+        </form.AppForm>
+      </form>
     </WizardCard>
   );
 };
diff --git a/web/src/pages/MigrationWizardPage/steps/MigrationWizardStart.tsx b/web/src/pages/MigrationWizardPage/steps/MigrationWizardStart.tsx
index 69a6efd0a..18789605e 100644
--- a/web/src/pages/MigrationWizardPage/steps/MigrationWizardStart.tsx
+++ b/web/src/pages/MigrationWizardPage/steps/MigrationWizardStart.tsx
@@ -3,20 +3,28 @@ import { AppText } from '../../../shared/defguard-ui/components/AppText/AppText'
 import { Button } from '../../../shared/defguard-ui/components/Button/Button';
 import { IconKind } from '../../../shared/defguard-ui/components/Icon';
 import { InfoBanner } from '../../../shared/defguard-ui/components/InfoBanner/InfoBanner';
+import { RenderMarkdown } from '../../../shared/defguard-ui/components/RenderMarkdown/RenderMarkdown';
 import { SizedBox } from '../../../shared/defguard-ui/components/SizedBox/SizedBox';
-import { TextStyle, ThemeSpacing } from '../../../shared/defguard-ui/types';
+import {
+  TextStyle,
+  ThemeSpacing,
+  ThemeVariable,
+} from '../../../shared/defguard-ui/types';
 import { useMigrationWizardStore } from '../store/useMigrationWizardStore';
 
 export const MigrationWizardStart = () => {
   return (
     <>
+      <SizedBox height={ThemeSpacing.Lg} />
       <InfoBanner
         icon={IconKind.InfoOutlined}
         variant="warning"
         text={`IMPORTANT: Until you finish this migration process your VPN Locations will not work!.`}
       />
       <SizedBox height={ThemeSpacing.Lg} />
-      <AppText font={TextStyle.TBodySm400}>{`${explain1}\n\n${explain2}`}</AppText>
+      <AppText font={TextStyle.TBodySm400} color={ThemeVariable.FgFaded}>
+        <RenderMarkdown content={`${explain1}</br></br>${explain2}`} />
+      </AppText>
       <SizedBox height={ThemeSpacing.Xl} />
       <Controls>
         <div className="left">
@@ -24,7 +32,7 @@ export const MigrationWizardStart = () => {
             text="Start migration process"
             onClick={() => {
               useMigrationWizardStore.setState({
-                isWelcome: true,
+                isWelcome: false,
               });
             }}
           />
diff --git a/web/src/pages/MigrationWizardPage/store/useMigrationWizardStore.tsx b/web/src/pages/MigrationWizardPage/store/useMigrationWizardStore.tsx
index 093448d13..51e0e337d 100644
--- a/web/src/pages/MigrationWizardPage/store/useMigrationWizardStore.tsx
+++ b/web/src/pages/MigrationWizardPage/store/useMigrationWizardStore.tsx
@@ -11,6 +11,11 @@ import {
 interface StoreValues {
   isWelcome: boolean;
   activeStep: MigrationWizardStepValue;
+  defguard_url: string;
+  default_admin_group_name: string;
+  default_authentication_period_days: number;
+  default_mfa_code_timeout_seconds: number;
+  public_proxy_url: string;
   ca_common_name: string;
   ca_email: string;
   ca_validity_period_years: number;
@@ -34,6 +39,11 @@ const edgeAdoptionStateDefaults: EdgeAdoptionState = {
 const defaults: StoreValues = {
   isWelcome: true,
   activeStep: MigrationWizardStep.General,
+  defguard_url: '',
+  default_admin_group_name: '',
+  default_authentication_period_days: 7,
+  default_mfa_code_timeout_seconds: 60,
+  public_proxy_url: '',
   ca_common_name: '',
   ca_email: '',
   ca_validity_period_years: 5,
diff --git a/web/src/routes/_authorized.tsx b/web/src/routes/_authorized.tsx
index 6ae2fa51f..0ea08fc54 100644
--- a/web/src/routes/_authorized.tsx
+++ b/web/src/routes/_authorized.tsx
@@ -5,35 +5,18 @@ import { LimitReachedModal } from '../shared/components/modals/license/LimitReac
 import { UpgradeBusinessModal } from '../shared/components/modals/license/UpgradeBusinessModal/UpgradeBusinessModal';
 import { UpgradeEnterpriseModal } from '../shared/components/modals/license/UpgradeEnterpriseModal/UpgradeEnterpriseModal';
 import { SelectionModal } from '../shared/components/modals/SelectionModal/SelectionModal';
-import { useAuth } from '../shared/hooks/useAuth';
 import { AppInfoProvider } from '../shared/providers/AppInfoProvider';
 import { AppUserProvider } from '../shared/providers/AppUserProvider';
-import { getUserMeQueryOptions } from '../shared/query';
+import { getSessionInfoQueryOptions } from '../shared/query';
 
 export const Route = createFileRoute('/_authorized')({
   component: RouteComponent,
   beforeLoad: async ({ context }) => {
-    if (!useAuth.getState().user) {
-      try {
-        const user = (
-          await (
-            await context.queryClient.ensureQueryData(getUserMeQueryOptions)
-          )()
-        ).data;
-
-        // Invalid user object
-        if (!user.id) {
-          useAuth.getState().reset();
-          throw redirect({ to: '/auth/login', replace: true });
-        }
-        useAuth.getState().setUser(user);
-      } catch (_) {
-        useAuth.getState().reset();
-        throw redirect({
-          to: '/auth/login',
-          replace: true,
-        });
-      }
+    const sessionInfo = (
+      await context.queryClient.ensureQueryData(getSessionInfoQueryOptions)
+    ).data;
+    if (!sessionInfo.authorized) {
+      throw redirect({ to: '/auth/login', replace: true });
     }
   },
 });
diff --git a/web/src/routes/_wizard/migration.tsx b/web/src/routes/_wizard/migration.tsx
index c2193197c..fb404f6b9 100644
--- a/web/src/routes/_wizard/migration.tsx
+++ b/web/src/routes/_wizard/migration.tsx
@@ -1,6 +1,13 @@
 import { createFileRoute } from '@tanstack/react-router';
+import { AppLoaderPage } from '../../pages/AppLoaderPage/AppLoaderPage';
 import { MigrationWizardPage } from '../../pages/MigrationWizardPage/MigrationWizardPage';
+import { getSessionInfoQueryOptions, getSettingsQueryOptions } from '../../shared/query';
 
 export const Route = createFileRoute('/_wizard/migration')({
   component: MigrationWizardPage,
+  pendingComponent: AppLoaderPage,
+  loader: async ({ context }) => {
+    await context.queryClient.ensureQueryData(getSessionInfoQueryOptions);
+    return context.queryClient.ensureQueryData(getSettingsQueryOptions);
+  },
 });
diff --git a/web/src/routes/_wizard/setup.tsx b/web/src/routes/_wizard/setup.tsx
index bebc95579..4ee53ed91 100644
--- a/web/src/routes/_wizard/setup.tsx
+++ b/web/src/routes/_wizard/setup.tsx
@@ -1,58 +1,48 @@
 import type { QueryClient } from '@tanstack/react-query';
-import { createFileRoute, type ParsedLocation, redirect } from '@tanstack/react-router';
+import { createFileRoute, redirect } from '@tanstack/react-router';
 import type { AxiosError } from 'axios';
 import { SetupPage } from '../../pages/SetupPage/SetupPage';
 import { SetupPageStep, type SetupPageStepValue } from '../../pages/SetupPage/types';
 import { useSetupWizardStore } from '../../pages/SetupPage/useSetupWizardStore';
 import api from '../../shared/api/api';
 import type { InitialSetupStepValue } from '../../shared/api/types';
-import { isPresent } from '../../shared/defguard-ui/utils/isPresent';
-import { useApp } from '../../shared/hooks/useApp';
-import { getSettingsEssentialsQueryOptions } from '../../shared/query';
+import {
+  getSessionInfoQueryOptions,
+  getSettingsEssentialsQueryOptions,
+} from '../../shared/query';
 
 const requiresSetupAuth = (step: InitialSetupStepValue) =>
   step !== 'Welcome' && step !== 'AdminUser';
 
-const handleWizardRedirect = async ({
-  location,
-  client,
-}: {
-  location: ParsedLocation;
-  client: QueryClient;
-}) => {
-  let settingsEssentials = useApp.getState().settingsEssentials;
-  if (!isPresent(settingsEssentials)) {
-    settingsEssentials = (await client.ensureQueryData(getSettingsEssentialsQueryOptions))
-      .data;
-    useApp.setState({
-      settingsEssentials,
-    });
-  }
-
-  const applyWizardStepFromServer = (step: InitialSetupStepValue) => {
-    const stepMap: Record<InitialSetupStepValue, SetupPageStepValue> = {
-      Welcome: SetupPageStep.AdminUser,
-      AdminUser: SetupPageStep.AdminUser,
-      GeneralConfiguration: SetupPageStep.GeneralConfig,
-      Ca: SetupPageStep.CertificateAuthority,
-      CaSummary: SetupPageStep.CASummary,
-      EdgeComponent: SetupPageStep.EdgeComponent,
-      Confirmation: SetupPageStep.Confirmation,
-      Finished: SetupPageStep.Confirmation,
-    };
-
-    useSetupWizardStore.setState({
-      activeStep: stepMap[step],
-      isOnWelcomePage: step === 'Welcome',
-    });
+const applyWizardStepFromServer = (step: InitialSetupStepValue) => {
+  const stepMap: Record<InitialSetupStepValue, SetupPageStepValue> = {
+    Welcome: SetupPageStep.AdminUser,
+    AdminUser: SetupPageStep.AdminUser,
+    GeneralConfiguration: SetupPageStep.GeneralConfig,
+    Ca: SetupPageStep.CertificateAuthority,
+    CaSummary: SetupPageStep.CASummary,
+    EdgeComponent: SetupPageStep.EdgeComponent,
+    Confirmation: SetupPageStep.Confirmation,
+    Finished: SetupPageStep.Confirmation,
   };
 
-  // Tries to access setup wizard but setup is already completed
-  const setupCompletedButAccessingWizard =
-    settingsEssentials.initial_setup_completed && location.pathname.startsWith('/setup');
+  useSetupWizardStore.setState({
+    activeStep: stepMap[step],
+    isOnWelcomePage: step === 'Welcome',
+  });
+};
+
+const handleWizardRedirect = async ({ client }: { client: QueryClient }) => {
+  const sessionInfo = (await client.ensureQueryData(getSessionInfoQueryOptions)).data;
+  const settingsEssentials = (
+    await client.ensureQueryData(getSettingsEssentialsQueryOptions)
+  ).data;
 
-  if (setupCompletedButAccessingWizard) {
-    throw redirect({ to: '/auth/login', replace: true });
+  if (sessionInfo.wizard_flags?.initial_wizard_completed) {
+    throw redirect({
+      to: '/auth/login',
+      replace: true,
+    });
   }
 
   if (requiresSetupAuth(settingsEssentials.initial_setup_step)) {
@@ -71,10 +61,9 @@ const handleWizardRedirect = async ({
 };
 
 export const Route = createFileRoute('/_wizard/setup')({
-  beforeLoad: async ({ context, location }) => {
+  beforeLoad: async ({ context }) => {
     await handleWizardRedirect({
       client: context.queryClient,
-      location,
     });
   },
   component: SetupPage,
diff --git a/web/src/routes/auth.tsx b/web/src/routes/auth.tsx
index fb45a33ab..6564748e4 100644
--- a/web/src/routes/auth.tsx
+++ b/web/src/routes/auth.tsx
@@ -2,10 +2,11 @@ import { useQueryClient } from '@tanstack/react-query';
 import { createFileRoute, Outlet, redirect, useNavigate } from '@tanstack/react-router';
 import { useCallback, useEffect } from 'react';
 import z from 'zod';
+import { queryClient } from '../app/query';
 import { type User, UserMfaMethod } from '../shared/api/types';
 import { isPresent } from '../shared/defguard-ui/utils/isPresent';
 import { useAuth } from '../shared/hooks/useAuth';
-import { getSessionInfoQueryOptions } from '../shared/query';
+import { getSessionInfoQueryOptions, getUserMeQueryOptions } from '../shared/query';
 
 const basicSchema = z.object({
   url: z.string().nullable().optional(),
@@ -37,6 +38,21 @@ export const Route = createFileRoute('/auth')({
           replace: true,
         });
       } else {
+        if (sessionInfo.isAdmin) {
+          throw redirect({
+            to: '/vpn-overview',
+            replace: true,
+          });
+        } else {
+          const me = (await queryClient.ensureQueryData(getUserMeQueryOptions)).data;
+          throw redirect({
+            to: '/user/$username',
+            params: {
+              username: me.username,
+            },
+            replace: true,
+          });
+        }
       }
     }
   },
@@ -67,14 +83,23 @@ function RouteComponent() {
 
   // biome-ignore lint/correctness/useExhaustiveDependencies: rxjs sub
   useEffect(() => {
-    const sub = loginSubject.subscribe((state) => {
+    const sub = loginSubject.subscribe(async (state) => {
       const basicResult = basicSchema.safeParse(state);
       const basicResponse = basicResult.data;
       if (isPresent(basicResponse) && basicResult.success) {
+        useAuth.getState().setUser(basicResponse.user);
         void queryClient.invalidateQueries({
           queryKey: ['me'],
         });
-        useAuth.getState().setUser(basicResponse.user);
+        void queryClient.invalidateQueries({
+          queryKey: ['session-info'],
+        });
+        const sessionInfo = (
+          await queryClient.ensureQueryData(getSessionInfoQueryOptions)
+        ).data;
+        if (sessionInfo.wizard_flags?.migration_wizard_in_progress) {
+          navigate({ to: '/migration', replace: true });
+        }
         if (isPresent(basicResponse.url)) {
           window.location.replace(basicResponse.url);
           return;
diff --git a/web/src/shared/components/wizard/WizardWelcomePage/style.scss b/web/src/shared/components/wizard/WizardWelcomePage/style.scss
index 34b46bf26..ab055d757 100644
--- a/web/src/shared/components/wizard/WizardWelcomePage/style.scss
+++ b/web/src/shared/components/wizard/WizardWelcomePage/style.scss
@@ -21,6 +21,7 @@
     overflow: hidden;
     width: 100%;
     max-width: 1110px;
+    min-height: 657px;
 
     .main-track {
       box-sizing: border-box;
@@ -46,6 +47,9 @@
       display: flex;
       align-items: center;
       justify-content: center;
+      background: linear-gradient(157deg, #e6e6ff -2.15%, #8cadff 102.56%);
+      background-repeat: no-repeat;
+      background-size: cover;
 
       img {
         width: 100%;
diff --git a/web/src/shared/components/wizard/types.ts b/web/src/shared/components/wizard/types.ts
index bb9d6a5e6..e19ec4f5e 100644
--- a/web/src/shared/components/wizard/types.ts
+++ b/web/src/shared/components/wizard/types.ts
@@ -25,7 +25,7 @@ export interface WizardWelcomePageConfig {
   title: string;
   subtitle: string;
   content: React.ReactNode;
-  media: React.ReactNode;
+  media?: React.ReactNode;
   docsLink?: string;
   docsText?: string;
   onClose?: () => void;
diff --git a/web/src/shared/query.ts b/web/src/shared/query.ts
index 39b6f4847..d74bf2f32 100644
--- a/web/src/shared/query.ts
+++ b/web/src/shared/query.ts
@@ -65,7 +65,7 @@ export const getNetworkDevicesQueryOptions = queryOptions({
 });
 
 export const getUserMeQueryOptions = queryOptions({
-  queryFn: () => api.user.getMe,
+  queryFn: api.user.getMe,
   queryKey: ['me'],
   staleTime: 60_000,
   throwOnError: false,
@@ -250,3 +250,9 @@ export const getSettingsEssentialsQueryOptions = queryOptions({
   staleTime: 60_000,
   select: (resp) => resp.data,
 });
+
+export const getCaQueryOptions = queryOptions({
+  queryFn: api.initial_setup.getCA,
+  queryKey: ['initial_setup', 'ca'],
+  select: (resp) => resp.data,
+});

From add111858100577096d68ba3dc109c0e42028b38 Mon Sep 17 00:00:00 2001
From: Maciek <19913370+wojcik91@users.noreply.github.com>
Date: Mon, 2 Mar 2026 12:10:07 +0100
Subject: [PATCH 09/15] add dedicated migration wizard API (#2157)

* add a separate API server for the migration wizard

* add auth endpoints to migration API
---
 crates/defguard/src/main.rs                   |   9 +-
 .../src/enterprise/handlers/openid_login.rs   |   6 +-
 crates/defguard_core/src/handlers/auth.rs     |   4 +-
 crates/defguard_core/src/handlers/mod.rs      |   2 +-
 .../src/handlers/session_info.rs              |   2 +-
 crates/defguard_setup/src/lib.rs              |   1 +
 crates/defguard_setup/src/migration.rs        | 157 ++++++++++++++++++
 7 files changed, 173 insertions(+), 8 deletions(-)
 create mode 100644 crates/defguard_setup/src/migration.rs

diff --git a/crates/defguard/src/main.rs b/crates/defguard/src/main.rs
index 8ec191d13..c4e2b8d49 100644
--- a/crates/defguard/src/main.rs
+++ b/crates/defguard/src/main.rs
@@ -33,7 +33,7 @@ use defguard_event_router::{RouterReceiverSet, run_event_router};
 use defguard_gateway_manager::{GatewayManager, GatewayTxSet};
 use defguard_proxy_manager::{ProxyManager, ProxyTxSet};
 use defguard_session_manager::{events::SessionManagerEvent, run_session_manager};
-use defguard_setup::setup::run_setup_web_server;
+use defguard_setup::{migration::run_migration_web_server, setup::run_setup_web_server};
 use defguard_vpn_stats_purge::run_periodic_stats_purge;
 use secrecy::ExposeSecret;
 use tokio::sync::{
@@ -107,6 +107,13 @@ async fn main() -> Result<(), anyhow::Error> {
         {
             anyhow::bail!("Setup web server exited with error: {err}");
         }
+    } else if wizard_flags.migration_wizard_in_progress && !wizard_flags.migration_wizard_completed
+    {
+        if let Err(err) =
+            run_migration_web_server(pool.clone(), config.http_bind_address, config.http_port).await
+        {
+            anyhow::bail!("Migration web server exited with error: {err}");
+        }
     }
 
     config.initialize_post_settings();
diff --git a/crates/defguard_core/src/enterprise/handlers/openid_login.rs b/crates/defguard_core/src/enterprise/handlers/openid_login.rs
index 3c2e41dc2..29569b1c1 100644
--- a/crates/defguard_core/src/enterprise/handlers/openid_login.rs
+++ b/crates/defguard_core/src/enterprise/handlers/openid_login.rs
@@ -487,7 +487,7 @@ pub async fn user_from_claims(
     Ok(user)
 }
 
-pub(crate) async fn get_auth_info(
+pub async fn get_auth_info(
     _license: LicenseInfo,
     private_cookies: PrivateCookieJar,
     State(appstate): State<AppState>,
@@ -555,12 +555,12 @@ pub(crate) async fn get_auth_info(
 }
 
 #[derive(Deserialize)]
-pub(crate) struct AuthenticationResponse {
+pub struct AuthenticationResponse {
     code: AuthorizationCode,
     state: CsrfToken,
 }
 
-pub(crate) async fn auth_callback(
+pub async fn auth_callback(
     _license: LicenseInfo,
     cookies: CookieJar,
     mut private_cookies: PrivateCookieJar,
diff --git a/crates/defguard_core/src/handlers/auth.rs b/crates/defguard_core/src/handlers/auth.rs
index dc6cb8494..b0bb095fa 100644
--- a/crates/defguard_core/src/handlers/auth.rs
+++ b/crates/defguard_core/src/handlers/auth.rs
@@ -136,7 +136,7 @@ pub async fn create_session(
         (status = CREATED, description = "User authenticated, but an additional authentication factor is required"),
     ),
 )]
-pub(crate) async fn authenticate(
+pub async fn authenticate(
     cookies: CookieJar,
     mut private_cookies: PrivateCookieJar,
     user_agent: TypedHeader<UserAgent>,
@@ -305,7 +305,7 @@ pub(crate) async fn authenticate(
         (status = OK, description = "User logged out"),
     ),
 )]
-pub(crate) async fn logout(
+pub async fn logout(
     cookies: CookieJar,
     SessionExtractor(session): SessionExtractor,
     user_agent: TypedHeader<UserAgent>,
diff --git a/crates/defguard_core/src/handlers/mod.rs b/crates/defguard_core/src/handlers/mod.rs
index c82707d69..4903c08ff 100644
--- a/crates/defguard_core/src/handlers/mod.rs
+++ b/crates/defguard_core/src/handlers/mod.rs
@@ -42,7 +42,7 @@ pub mod openid_clients;
 pub mod openid_flow;
 pub(crate) mod pagination;
 pub mod proxy;
-pub(crate) mod session_info;
+pub mod session_info;
 pub mod settings;
 pub(crate) mod ssh_authorized_keys;
 pub(crate) mod static_ips;
diff --git a/crates/defguard_core/src/handlers/session_info.rs b/crates/defguard_core/src/handlers/session_info.rs
index b250882dc..57b435fba 100644
--- a/crates/defguard_core/src/handlers/session_info.rs
+++ b/crates/defguard_core/src/handlers/session_info.rs
@@ -15,7 +15,7 @@ struct SessionInfoResponse {
     wizard_flags: Option<WizardFlags>,
 }
 
-pub(crate) async fn get_session_info(
+pub async fn get_session_info(
     State(appstate): State<AppState>,
     session: Result<SessionExtractor, WebError>,
 ) -> ApiResult {
diff --git a/crates/defguard_setup/src/lib.rs b/crates/defguard_setup/src/lib.rs
index 5d1cc01be..de63928c8 100644
--- a/crates/defguard_setup/src/lib.rs
+++ b/crates/defguard_setup/src/lib.rs
@@ -1,3 +1,4 @@
 pub mod db;
 pub mod handlers;
+pub mod migration;
 pub mod setup;
diff --git a/crates/defguard_setup/src/migration.rs b/crates/defguard_setup/src/migration.rs
new file mode 100644
index 000000000..4154ab84b
--- /dev/null
+++ b/crates/defguard_setup/src/migration.rs
@@ -0,0 +1,157 @@
+use std::{
+    net::{IpAddr, Ipv4Addr, SocketAddr},
+    sync::{Arc, Mutex, RwLock},
+};
+
+use anyhow::anyhow;
+use axum::{
+    Extension, Router,
+    routing::{get, post, put},
+    serve,
+};
+use defguard_common::VERSION;
+use defguard_core::{
+    auth::failed_login::FailedLoginMap,
+    handle_404,
+    handlers::{
+        auth::{
+            authenticate, email_mfa_code, email_mfa_enable, email_mfa_init, logout, mfa_disable,
+            mfa_enable, recovery_code, request_email_mfa_code, totp_code, totp_enable, totp_secret,
+            webauthn_end, webauthn_finish, webauthn_init, webauthn_start,
+        },
+        component_setup::setup_proxy_tls_stream,
+        session_info::get_session_info,
+        settings::get_settings_essentials,
+    },
+    health_check,
+    version::IncompatibleComponents,
+};
+use defguard_web_ui::{index, svg, web_asset};
+use semver::Version;
+use sqlx::PgPool;
+use tokio::{
+    net::TcpListener,
+    sync::{broadcast, mpsc, oneshot::Sender},
+};
+use tracing::{info, instrument};
+
+use defguard_core::{
+    appstate::AppState,
+    db::AppEvent,
+    enterprise::handlers::openid_login::{auth_callback, get_auth_info},
+    events::ApiEvent,
+    grpc::GatewayEvent,
+};
+
+use crate::handlers::initial_wizard::{
+    create_ca, finish_setup, get_ca, set_general_config, setup_session, upload_ca,
+};
+
+pub fn build_migration_webapp(
+    pool: PgPool,
+    version: Version,
+    setup_shutdown_tx: Sender<()>,
+) -> Router {
+    let failed_logins = Arc::new(Mutex::new(FailedLoginMap::new()));
+    let (webhook_tx, webhook_rx) = mpsc::unbounded_channel::<AppEvent>();
+    let (event_tx, _event_rx) = mpsc::unbounded_channel::<ApiEvent>();
+    let (wireguard_tx, _wireguard_rx) = broadcast::channel::<GatewayEvent>(64);
+    let (proxy_control_tx, _proxy_control_rx) = mpsc::channel(32);
+    let incompatible_components = Arc::new(RwLock::new(IncompatibleComponents::default()));
+    let app_state = AppState::new(
+        pool.clone(),
+        webhook_tx,
+        webhook_rx,
+        wireguard_tx,
+        failed_logins.clone(),
+        event_tx,
+        incompatible_components,
+        proxy_control_tx,
+    );
+
+    Router::new()
+        .route("/", get(index))
+        .route("/{*path}", get(index))
+        .route("/fonts/{*path}", get(web_asset))
+        .route("/assets/{*path}", get(web_asset))
+        .route("/svg/{*path}", get(svg))
+        .nest(
+            "/api/v1",
+            Router::new()
+                .route("/health", get(health_check))
+                .route("/session-info", get(get_session_info))
+                .route("/settings_essentials", get(get_settings_essentials))
+                .route("/proxy/setup/stream", get(setup_proxy_tls_stream))
+                .route("/auth", post(authenticate))
+                .route("/auth/logout", post(logout))
+                .route("/auth/mfa", put(mfa_enable).delete(mfa_disable))
+                .route("/auth/webauthn/init", post(webauthn_init))
+                .route("/auth/webauthn/finish", post(webauthn_finish))
+                .route("/auth/webauthn/start", post(webauthn_start))
+                .route("/auth/webauthn", post(webauthn_end))
+                .route("/auth/totp/init", post(totp_secret))
+                .route("/auth/totp", post(totp_enable))
+                .route("/auth/totp/verify", post(totp_code))
+                .route("/auth/email/init", post(email_mfa_init))
+                .route(
+                    "/auth/email",
+                    get(request_email_mfa_code).post(email_mfa_enable),
+                )
+                .route("/auth/email/verify", post(email_mfa_code))
+                .route("/auth/recovery", post(recovery_code))
+                .nest(
+                    "/initial_setup",
+                    Router::new()
+                        .route("/ca", post(create_ca).get(get_ca))
+                        .route("/ca/upload", post(upload_ca))
+                        .route("/general_config", post(set_general_config))
+                        // .route("/admin", post(create_admin))
+                        // .route("/login", post(setup_login))
+                        .route("/session", get(setup_session))
+                        .route("/finish", post(finish_setup)),
+                ),
+        )
+        .nest(
+            "/api/v1/openid",
+            Router::new()
+                .route("/callback", post(auth_callback))
+                .route("/auth_info", get(get_auth_info)),
+        )
+        .fallback_service(get(handle_404))
+        .with_state(app_state)
+        .layer(Extension(pool))
+        .layer(Extension(version))
+        .layer(Extension(failed_logins))
+        .layer(Extension(Arc::new(Mutex::new(Some(setup_shutdown_tx)))))
+}
+
+#[instrument(skip_all)]
+pub async fn run_migration_web_server(
+    pool: PgPool,
+    http_bind_address: Option<IpAddr>,
+    http_port: u16,
+) -> Result<(), anyhow::Error> {
+    let (setup_shutdown_tx, setup_shutdown_rx) = tokio::sync::oneshot::channel::<()>();
+    let setup_webapp = build_migration_webapp(
+        pool.clone(),
+        defguard_version::Version::parse(VERSION)?,
+        setup_shutdown_tx,
+    );
+
+    info!("Starting instance migration web server on port {http_port}");
+    let addr = SocketAddr::new(
+        http_bind_address.unwrap_or(IpAddr::V4(Ipv4Addr::UNSPECIFIED)),
+        http_port,
+    );
+    let listener = TcpListener::bind(&addr).await?;
+    serve(
+        listener,
+        setup_webapp.into_make_service_with_connect_info::<SocketAddr>(),
+    )
+    .with_graceful_shutdown(async move {
+        setup_shutdown_rx.await.ok();
+        info!("Shutting down instance migration web server");
+    })
+    .await
+    .map_err(|err| anyhow!("Web server can't be started {err}"))
+}

From f96c50b0f1bf2bced1d76ff00cbf3a18da09a266 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Filip=20=C5=9Al=C4=99zak?= <fslezak@teonite.com>
Date: Mon, 2 Mar 2026 14:33:07 +0100
Subject: [PATCH 10/15] add migration confirm ui content

---
 crates/defguard/src/main.rs                   |  18 +++-
 .../MigrationWizardPage.tsx                   |   2 +-
 .../steps/MigrationWizardConfirmationStep.tsx |  22 -----
 .../MigrationWizardConfirmationStep.tsx       |  81 ++++++++++++++++++
 .../assets/prepare-network.png                | Bin 0 -> 10610 bytes
 web/src/pages/MigrationWizardPage/style.scss  |  18 ++++
 6 files changed, 114 insertions(+), 27 deletions(-)
 delete mode 100644 web/src/pages/MigrationWizardPage/steps/MigrationWizardConfirmationStep.tsx
 create mode 100644 web/src/pages/MigrationWizardPage/steps/MigrationWizardConfirmationStep/MigrationWizardConfirmationStep.tsx
 create mode 100644 web/src/pages/MigrationWizardPage/steps/MigrationWizardConfirmationStep/assets/prepare-network.png

diff --git a/crates/defguard/src/main.rs b/crates/defguard/src/main.rs
index c4e2b8d49..c602ea242 100644
--- a/crates/defguard/src/main.rs
+++ b/crates/defguard/src/main.rs
@@ -95,6 +95,7 @@ async fn main() -> Result<(), anyhow::Error> {
     }
 
     let wizard_flags = WizardFlags::init(&pool).await?;
+    let mut ini_server_config = true;
 
     // initialize default settings
     Settings::init_defaults(&pool).await?;
@@ -109,6 +110,13 @@ async fn main() -> Result<(), anyhow::Error> {
         }
     } else if wizard_flags.migration_wizard_in_progress && !wizard_flags.migration_wizard_completed
     {
+        config.initialize_post_settings();
+        SERVER_CONFIG
+            .set(config.clone())
+            .expect("Failed to initialize server config.");
+
+        ini_server_config = false;
+
         if let Err(err) =
             run_migration_web_server(pool.clone(), config.http_bind_address, config.http_port).await
         {
@@ -116,11 +124,13 @@ async fn main() -> Result<(), anyhow::Error> {
         }
     }
 
-    config.initialize_post_settings();
+    if ini_server_config {
+        config.initialize_post_settings();
 
-    SERVER_CONFIG
-        .set(config.clone())
-        .expect("Failed to initialize server config.");
+        SERVER_CONFIG
+            .set(config.clone())
+            .expect("Failed to initialize server config.");
+    }
 
     // create event channels for services
     let (api_event_tx, api_event_rx) = unbounded_channel::<ApiEvent>();
diff --git a/web/src/pages/MigrationWizardPage/MigrationWizardPage.tsx b/web/src/pages/MigrationWizardPage/MigrationWizardPage.tsx
index 811a7bbd6..fdc5e6ecd 100644
--- a/web/src/pages/MigrationWizardPage/MigrationWizardPage.tsx
+++ b/web/src/pages/MigrationWizardPage/MigrationWizardPage.tsx
@@ -8,7 +8,7 @@ import type {
 import { WizardPage } from '../../shared/components/wizard/WizardPage/WizardPage';
 import { MigrationWizardCAStep } from './steps/MigrationWizardCAStep';
 import { MigrationWizardCASummaryStep } from './steps/MigrationWizardCASummaryStep';
-import { MigrationWizardConfirmationStep } from './steps/MigrationWizardConfirmationStep';
+import { MigrationWizardConfirmationStep } from './steps/MigrationWizardConfirmationStep/MigrationWizardConfirmationStep';
 import { MigrationWizardEdgeAdoptionStep } from './steps/MigrationWizardEdgeAdoptionStep';
 import { MigrationWizardEdgeComponentStep } from './steps/MigrationWizardEdgeComponentStep';
 import { MigrationWizardGeneralConfigurationStep } from './steps/MigrationWizardGeneralConfigurationStep';
diff --git a/web/src/pages/MigrationWizardPage/steps/MigrationWizardConfirmationStep.tsx b/web/src/pages/MigrationWizardPage/steps/MigrationWizardConfirmationStep.tsx
deleted file mode 100644
index 3d681b603..000000000
--- a/web/src/pages/MigrationWizardPage/steps/MigrationWizardConfirmationStep.tsx
+++ /dev/null
@@ -1,22 +0,0 @@
-import { m } from '../../../paraglide/messages';
-import { Controls } from '../../../shared/components/Controls/Controls';
-import { WizardCard } from '../../../shared/components/wizard/WizardCard/WizardCard';
-import { Button } from '../../../shared/defguard-ui/components/Button/Button';
-import { useMigrationWizardStore } from '../store/useMigrationWizardStore';
-import { MigrationWizardStep } from '../types';
-
-export const MigrationWizardConfirmationStep = () => {
-  const setActiveStep = useMigrationWizardStore((s) => s.setActiveStep);
-
-  return (
-    <WizardCard>
-      <Controls>
-        <Button
-          variant="outlined"
-          text={m.controls_back()}
-          onClick={() => setActiveStep(MigrationWizardStep.EdgeAdoption)}
-        />
-      </Controls>
-    </WizardCard>
-  );
-};
diff --git a/web/src/pages/MigrationWizardPage/steps/MigrationWizardConfirmationStep/MigrationWizardConfirmationStep.tsx b/web/src/pages/MigrationWizardPage/steps/MigrationWizardConfirmationStep/MigrationWizardConfirmationStep.tsx
new file mode 100644
index 000000000..cb76447cd
--- /dev/null
+++ b/web/src/pages/MigrationWizardPage/steps/MigrationWizardConfirmationStep/MigrationWizardConfirmationStep.tsx
@@ -0,0 +1,81 @@
+import { useState } from 'react';
+import { m } from '../../../../paraglide/messages';
+import { Controls } from '../../../../shared/components/Controls/Controls';
+import { WizardCard } from '../../../../shared/components/wizard/WizardCard/WizardCard';
+import { ActionableSection } from '../../../../shared/defguard-ui/components/ActionableSection/ActionableSection';
+import { AppText } from '../../../../shared/defguard-ui/components/AppText/AppText';
+import { Button } from '../../../../shared/defguard-ui/components/Button/Button';
+import { Checkbox } from '../../../../shared/defguard-ui/components/Checkbox/Checkbox';
+import { Divider } from '../../../../shared/defguard-ui/components/Divider/Divider';
+import { RenderMarkdown } from '../../../../shared/defguard-ui/components/RenderMarkdown/RenderMarkdown';
+import { SizedBox } from '../../../../shared/defguard-ui/components/SizedBox/SizedBox';
+import { Snackbar } from '../../../../shared/defguard-ui/providers/snackbar/snackbar';
+import {
+  TextStyle,
+  ThemeSpacing,
+  ThemeVariable,
+} from '../../../../shared/defguard-ui/types';
+import prepareNetworkImage from './assets/prepare-network.png';
+
+export const MigrationWizardConfirmationStep = () => {
+  const [confirm, setConfirm] = useState(false);
+
+  return (
+    <WizardCard>
+      <AppText font={TextStyle.TTitleH4} color={ThemeVariable.FgSuccess}>
+        {`Initial system migration are complete.`}
+      </AppText>
+      <SizedBox height={ThemeSpacing.Sm} />
+      <AppText font={TextStyle.TBodyPrimary400} color={ThemeVariable.FgNeutral}>
+        {`You've completed the first stage of the migration. Defguard is almost ready to go.`}
+      </AppText>
+      <Divider spacing={ThemeSpacing.Xl2} />
+      <AppText font={TextStyle.TBodyPrimary500} color={ThemeVariable.FgFaded}>
+        {`You currently have X VPN locations configured. These locations must be upgraded.`}
+      </AppText>
+      <SizedBox height={ThemeSpacing.Md} />
+      <AppText font={TextStyle.TBodySm400} color={ThemeVariable.FgNeutral}>
+        {`A key architectural change in Defguard 2.0 is that the Core now initiates connections to the gateways (in 1.x, gateways connected to the Core). As a result, in addition to upgrading the gateway components, you must update your firewall rules to:`}
+      </AppText>
+      <SizedBox height={ThemeSpacing.Lg} />
+      <ul id="upgrade-guide-list">
+        <li>{`Allow connections from the Core to the gateways on port 5055 tcp.`}</li>
+        <li>{`Block connections from the gateways to the Core.`}</li>
+      </ul>
+      <Divider spacing={ThemeSpacing.Lg} />
+      <RenderMarkdown
+        containerProps={{
+          id: 'confirm-improve-notice',
+        }}
+        content={`**This change significantly improves the overall security of Defguard deployments**. 
+You can [read more about it in the documentation](https://docs.defguard.net)`}
+      />
+      <SizedBox height={ThemeSpacing.Xl2} />
+      <ActionableSection
+        imageSrc={prepareNetworkImage}
+        title={`Prepare your network`}
+        subtitle={`Please prepare all required network and firewall changes before starting the migration. Once ready, we’ll begin adopting the upgraded gateway components for each VPN location.`}
+      />
+      <SizedBox height={ThemeSpacing.Xl} />
+      <Checkbox
+        active={confirm}
+        onClick={() => {
+          setConfirm((s) => !s);
+        }}
+        text={`I have changed all my gateways firewall rules and network setup`}
+      />
+      <Controls>
+        <div className="right">
+          <Button
+            variant="primary"
+            text={m.controls_finish()}
+            disabled={!confirm}
+            onClick={() => {
+              Snackbar.default(`TODO`);
+            }}
+          />
+        </div>
+      </Controls>
+    </WizardCard>
+  );
+};
diff --git a/web/src/pages/MigrationWizardPage/steps/MigrationWizardConfirmationStep/assets/prepare-network.png b/web/src/pages/MigrationWizardPage/steps/MigrationWizardConfirmationStep/assets/prepare-network.png
new file mode 100644
index 0000000000000000000000000000000000000000..a2e1453ff5fe48164972737bbfc3a4f3e0f195a9
GIT binary patch
literal 10610
zcmV-&DUH^NP)<h;3K|Lk000e1NJLTq006WA006KE1^@s6rd&iM00009a7bBm000&x
z000&x0ZCFM@Bjb+0drDELIAGL9O(c600d`2O+f$vv5yP<VFdsH01k9TSaefwW^{L9
za%BKUX=iO=p0So=001cMNkl<ZcmeHQdyE~`dH-ha-IwiMKNb@M-h`3{BZCxBfdq=d
zX<7nONh;NkRFzu0DV3T&FfmmdrHvtN9+hGqY8t9270w@#0(R9xT0v-&8cb~(hvFvK
z4T+OD*nqLIz3b=h-8(ZqznOdXo;~->%sDe>=HA`CKgle+d-p!h{N_8q^ZUN@9ilF}
zm_=}C4rBGEV3A*`ZDND)y8+SV>_>;#klg?L*50pC7c&xbme8v=PyB{Y^bkcvmT@R>
zXw$AQ_B}~m7z2TV+;KL(?z<Sp7Lns0a;w3UJO6gz5EYC$N9fg?FRTuzvL&EkHNL<0
z-7amsy~4ga^vw5s`nxCVboN5@SQfRnRjU32Wn75a06ycf|GkI(TO|L!jPaZ^gpLM#
z@_sg~7;IWF;4mV)v}RQ${Qc3B0e$}QI_>*OApa?gF8&9)q>hJ*$Ose&5`%1<fBc3|
z&+PU2!$--dN8F(I;hhgVqhuL#g3zlzF}}%hoGsKCY((TWx4N{T-(k@>pzXUn+V*TT
z;2`?iRnf)RzRRZ<UhydiXxpv_`!-S+Es)1nobf~)Jr%Io&kM)1fkQ>CS7tS#AupJY
zdyE=78H4@Fk5*{e;^<?CME;gXXUC(*gUA~`R0)X=AZoAw+$848L(f0h_Y2g;6jWoY
zA~NvuPka_IJk{(6Se*f@Gz+o%&o5ja)GLqq4V}Dfi9?@UU!59kd4S_C2L3LDqg*)7
zN$@pD+}MhcWgKR|Tdr}!fO2*`V9`3jV=njW?te1ba-9tcGOGy9wVYq4EeNYzK5V$X
zsguKLZ+|rH;bQ#BM=Es7)h>0BjOjrlXjy}ZfQ);L1&kfLrpq`k^EfvCT0r+aTBn0=
zFjBiU=<f$8CuR+yq2+w1Hl^i6`M`DZj_3VQUc?P>7p>rnX}^xebdWf9@;C#sj1z(9
zf&~27gLTY;SXAaFwD#2ug1~w2@6fy@73!&7M7@*e$?fm$01fWeZgw2n%>M5td@IX`
zU9WibB^H&Bo{AoR%QbEomAQ^i!)^D~!mokXdnwH!RC{U2^Cs_R*ZpobzC-v~5;^7d
zh`e4&!uronhKojrdT;bSIx=3PVEzEr>*vYy`e}Um5vpz9?s%ku)Cj$HOVE4rZ5q7w
zUg}*qOoV5xup6q<OYMa-IpVkhh`bKp%JM;1CwI{br!u*@UXO^({w0zV<NSqh)TaVQ
zmT_LTgu=fM$QxnII)XsydDP?dQBO6X{-c+%nPNk5Vd*(KlSb@VLL(wy{}(iLbd2Uv
z4|NR0$icoHlBYnGev8w3T}%ffG7Ao2kQm`a)^#qD7Kb+AEuw*=>|YwOm4sgVL{RzV
zKcnG!b?PV<RC>G*d7k$fY7Dq6A0B(QK25)gesdQIkYw90UdCp-539*}@O8GZermdN
zQD(pZv0v|}-nDCk6Dm@-5c-$?Am}-?lZHD&A9FMY-1pTwSvBqH>bE%!iO3))0>mBH
zx4J%<`QQ+tJb*v8T?^|<KUH44lrCDmB{;G30jDnhZW^HxnLCNhkQcr`xtV3^ATLtW
z)kRNxvj)=o!=`gl7J40WFO1SKi_~w6k$Q^I(9Dn-okC`DVS?{<($(B=?m~^U^@j)*
zkxd<<q5)FBK1{=myvNCL!l*Vy=nvdW3mF~S&xmLmL|NyEYK5JauC{?%J)qv|?1}Q6
z$f9#`#|@EeQ<3xOy<WKB%i~;>1;~&0{V5IpH_>T)9}*f;<LGW0pmrjf1|Oz|p39o9
z*1^HoeOfZ)(2~K{sD$Dfy!LF7EpRS8FPn3bv^eY}^j2v8$}Pe8fd`ygNa*9cX^`3k
z9z7a%QK9K-Jl8&U(GYp=xS@HG5RvyC4CugX%?ml>k&<u{Arm=iaoDL?a*XD)FSTl0
zqq9?E(;#hDWuk1RtMOd8SO?#Tqy#Q1kIn~v?uWmt)uWr`#w%SGy=mq`A~HS`h^!(f
zZg6<^o#0&L1xv#8GcD~@kL+RBm`X-U^pG`N*2M@S?}0;6<ON}W@lq#ztpx+qqctw%
zuUzNMY@3fsHgbXo*tp(-Z%r0_MHBh8V~wCON%Y~HD}@p6rcY3RwJ)GPtt7b(NP}Kv
zx*CLq9>xXZnm8<5WEb;0F9-D6@n*DM`7WmoceNeFNj6>QB584$7h=%hc<opa29_c)
z{~WuF$e9=IZODZ#MW(Ayo(|}{uSSCi!lM2b0~qOKe_FJ@@hW%56Irx2JH@$B5t(B_
zf#UYmAoWzoJ?4BANa(WC)#AcVj=XR+5cTC~JyVg#xhRsz;#x%o1gav(y;`SAwXj4=
ziRo&2VFw8#>tr!n&seZAbzSFvHq%{$Z%vDb;ueQ_A+J?b!1x#Knjq0)eZnm>T`lTl
zabbr6{_YRe(RxNgSVS{2r#cs+%~|AvPlw2WxEL=QRxfc{x>~g@Cri4TCqQ`Qy>UfE
zSXn2F(RxNAgL5I50~F<4h%zn?y7F#8fArP&{e@1>1)Uv2mz1uSBf`peMePO<dBtcA
zkNL){n$dcuZEkPQa>3Lr*U8R>4AXTAJ|D{aU6+P}oR(WYLYJ7Xj!S?<He7tPhCTP;
zn`TDQQk-*vMYQVXhjW4LW#YD{b~qOtASPbBo$HiLgl<>5I!-48anbsn7tfIBEM!gj
zEQc{ukpqF^OHX3Abo6~YoeKbg1VN+|)+y#M-^O$`AFw!AL-wF~wARJgxqyz1GOLl@
zcUN3e(v2X<HGFI8Tol!YLD#wH6e4rzzYR%Vl$oyP2@phH5ccGm<Y<leW-`d<Cjxr=
zG|`2L=zE{(xJmZfJw;w5Ma_jt!<M<^T$n)bl0{_R!TxW=BwdXQ@v#Rd>5)IIHiUmN
zkn;yI)#>VH<kgARI$$0-y)_!p>GM<`q`+XKVT&!mx%lp@$wcn-#FQ4HIhj#b8In^o
zT^+Wj9Z!G$xCBU2x;ide>i|SPc{ZR^>~H;mN`VdMB5rY*7vfmPVWwnQQwa@knHrJ#
zvm2UZzUR@&sYQvXqj4dYEhbuZO@;2fp%M;6Ty)Nou2w~Blf@9^#nF>YQj}DYrE)Gz
z8@9wP4)a3SxxiW^>*5+x6hUtd`^?}&(MTpVjC~5ijg-)L{O<hxH@uL{oaB74F+i}9
z{`e!&8;6dLgHF1dH}_LTYthxv!FY}6*jO;7lgmKa4O?^}CZ^)R7kpV?Uv^@2W@;Nq
zq=VyzI&XwGuLcl7V8?-kk^DfrEuTeXH*Dtw65n}4Jdu+UAm~P^ay3M4XFBykUcAlR
zk5gx<G@u~M_nQS-ozk#H-kGC9Ugtv9Iv1a5)ivepeo1-D!Fv3c6BK0J@q9E_^Gwv|
zSyTbRS6$QF=-RG+<GShUcP@=|a$K}Fnfgwi3FyS>be%lP^mLsO|DvIsB$5iUlJ?}O
zoQt9ww&*$+rn8=ixDybH%v!3D_|}7ft`18+uWn}kKrWD$7slWNtWCHGd@%R@G&unx
zM&6`otpi=1JYI_k4>I@X>D6c0u%%4rLX>uK$W!woe;$r@?G#Uz9F0W`U)1rvXQHHd
z{8RCb@3N+=Rnb}p@Q&X+rKgiY=C|^;*Y4nkEn={ULmuZs^?3jlkug)&S#Y^{QSsz9
znq2sF!XtJZ@}{e^=wuxm4!?uE@Yv%A`Y1C@8nyuPCWazgmFYScypw)bh%OhPDrpsG
z%7yc&6lfC~0|g*j#@TSVYe87me!Zg8)oD8U^!b22HhP>&Ui9~*zou!!7P&WdCpZ`U
zn&bgY08VDr%`9hL%Y?D~SCQFvx*8cn4F1#^Ckp5e8VC$|5$AGLnfxDSi^2Y$xX(+`
zxrI*cZqK9Nrw(*3Fpgyw58+d&h};fqR7UQPXOgbw7gWcC#+0Z6bTVwXv~)Ez8y*Mp
z&F^pheQ(8~Mf2HII6wJ$cp`~em=EClPHEUuhI0`IShN2o*l=wrA&5b)j~SA7Uyzut
zmUVJkwC3cO?KzWlHFWZs3(4}Lmqp}WgGTNujmQg_%5K;qj&IWYEqb?3J4y)Bko&$B
zr9zf;wN7!7t__E%jGJRDCQ^Xh3+KnnizJ8{Q4smqD5lncb}<jWtcEQ%w>{;7DUn?k
z0|rX!#FUHB(GCTLt8r}<Vbh|uYJ;l?T}=j!JbI22<;Bv4MDubu8@S2%g?!^gK;L@F
z4{y@*jrZ2>ZBJs>wMbwQ4)0#K76$KYm|3-MNp^JZ2>n91;?+-A$9d2qOw!fxIL|Z=
zo0sJU1`%gXhw_5*0Sm+P;{iSQ1E0S6q8DCNpxxV^!ZEz6_-#+7&IN)8u6s|(yWeta
zXpmVaUCpDlDq|=@H(d>2kU5!UpvDC9qH1YCVO8xu;M0$eL~m@xa)*BF0~Pwfd+jgy
zI%(Te79ztn5@$m^2WGO|r3D(uH56g<5H{7OrK@#1d?x8+{O&(kRL5}K_5LP9Riwv)
z?;VRNlTJ<o+zS8~>#p~^bn{Brda|ICwms>(NgP-lg9kE^`OVOAi4_$vl`k12?cySp
zPEJc#gUJ8Nrg+@pAW|H-yg)>*7BJ1t>vQOX*SX=pJX&0ZPTKaAWx<EYyLdtKXC@^G
zwvmg_Xpj2To@^aH`M_~4D&y57(5lTTJ_(DMv>2RM?84)|H5FREwCh}OfXGW0Fd`2&
z$Gsh;x-#++x{invUtAQ|;WJ4mV?eOz+H)ZKB_bp0E>4_oeK6$3Wy8fpWElgNqjC`q
zTe2drbJ0nDbZ!m3=GJDqT9q*rk+#5iiV<0~!Z5u<Ge7ZMoh`^(A73qb1#JVJ)Ud^d
za}h@5*^*d+hSurusk^}V*B7Hq8yo}>`O4+x*3#ml6eU~4!mT*WB<BL32Ss7JQN6FX
zLlY~!>JGq%Lb^9iC&%5v(8;@*wAd&$Y(xj9;h}QL%&YO1E^@3oB=QCa70Prjkm1zb
z-v?iR>B4yDLI?O;+hdx9+`|`_u1>pyLFTPHywZs)gJ&6Wu@}v^H}IY4T*NKFWnjUF
zVtmnRvk}$HK<?D{9oL)b<il*r9TD7ucP^zw@aMA))O}!adV!_ahvqr#0@{-sy4#+L
zK5@&2b79Mmo?wpH;sqU^SP_wC*&rf6{+t*3)EjQEhIcQd1rii-KxXcV=e(&!qK#;d
z3w!!plwrgg;2mu6t8VoE-JFZeqPIPnz$D`uXTjO@qh~~7g(J;|11WipFptRi@E5IA
zU({Eb_q_XnH!aO<W08nRfeVC`<Kn?6ig0q{`vn;ZT}HzeU6?k~K|MGE1$QoHx*wgJ
z(C{#ikG1}sr>jL9P6nd(x7qJMe%JK3A*Pwv-R9DD@6J~*A?jqv3nXDsX!QEq(FMu6
zXu*xJZ?9L%wx=}M(73a~kIqeK)rSXBK}x;|L4?KNK|+X+iCYw^(#&`~o-awF$l#k|
zLA-fv#eNZ+?(1G-u_}<;R69?y1s`USH%~T?Q;<=nb77KZjw>E2+K=|i>LEy$@#Swe
zn~h-LV97x$Ap55StoYa8RtfKX4*V_B;7PR{GB}aBP6nwUjn0inB!uKiO3YLmzdJh~
zeU<@slYz)TJ&J#9QCW}g<x#}8CmE*GIu>iV9=4qeT|e6QsT5cr^25iYuh6_E1O)C|
zQ=QVu7;K2$d5yF;qP9*g1#cdMNC6ve{y?OYkB?4Y1SX-cH;US*vp^j*F5=NsK8wl`
zk>k*b+n$PaE=+EQp6U$Pv66(FSDJqSPG(+V2W@?2L$3VQZ%>cfGWe!g*h9QnsW!=E
z!HMX?>n;L8fXjw?AHOK9;P3Vyihu37<Xm*RAKf7b2~5Yg8w*MNLz5N^Y7&_tFR+gg
z5&&exg+oS6UIc>Na5&-ySk#8xxd7shr@+3!J8meR$erL^*of+Juqj8h37ym<BMniC
zJN{jBYmd7fsBD9d{*RX<>+Y`iHy4zuMIkyNah=SyGsu03<|0rv_>VP?*FX{oe<wd4
z3*Bq4$lgXv=R^Y=X=dF<JRD&}F2Ii-J0G;{SmEmczD}`$v}TQ`(IH6p0?5Fdh1<dX
zWN6?IUe|m{=wcA`Z@ylivi2Z1K6+cUkbJojA$i1()8vRosKtOz#zIeb5vUq`0J8#W
zRPemlysP<|Ao3N<obX>YV~5T#>N~9&RuQHRTjHDxjK}z--g7|rBi&t;A1y~}6ZvF<
zlxB?qdr4;~+L=v805SI*h=>T{f{d`?IPhWq>bLRosDF-r_L;9w(vjoQ;!s3drVxXM
ziyyZLRC&y*-N^EBbnw6zvgrJ?qlna$naFaRu4PNqk27u9f*TAZ6s^Nf_oItGL7^}W
zji?Innr1#=JZj^!BRU@z$|*r+kYB!=5!pAgbooe3-A8|~6K(|)7lC|XC?n2#5<6+)
zJ^b$N&4kVsm#AO2FJ&uvT!V4hyKcv}r?UNM5E!MiY0r)Rf%VDSddEd8XJ^d!gKv@F
zyPGso7@?st*WK1iLdXyNgEr*_{TwO}8n})*2qOtaOo+f(1d0xaj!p(t4HZ@IK?M+B
zg}6#P*$rt&nz?L0n%B-uuyJ@tdOO{9^?L0yjLhNa2SM1%?QW_}KF)5Nt-eP`(w@LN
zp+N*hQ?c#>#KmBNC;%ceBKKc^eY&ap@w=km^R&6nenQ~*STJR`sdTbT0zmFVXId|U
zi`l1;GO9LRsydFc)6DJgqtiORax~w5a5Ha&dFS;m9el&5r@x0>K(L;T=z6E(Yz@4g
zt&{-kgoaZge&B7-*25xx?n~p%-n_DzEV+sO{M#>2cR;@U&FO_nH?K^t8bT4eD(ffP
zSAg7cUZwAKAUE$8x1e#T4&Jdbt#`T~&1+{Sgav6;QC}dN2CZksM}g<yRPU8wvs0<9
zV@v+ujEmOR35^R7cKxKLcMMX!x1mQl*^x^A-0xMx{%|s(`QPxgIe_QHMO>kXpfZ``
z%zU}=_>C)E`t|p@#+D>5E|1QtN;_2@hpmP!o$N;=xixw&a+Wx7ZBPd-e-5#5P3{S(
zYJQ2WeV9$z??zaL;bAsktWmvZ>x729z}`SO6&TE$Sae-?Tk``UGK&}LRY_Lh!$OiE
zlJm##x@bhv70ctJwQ8pYARn1_*+mZh>a~?nYxfye*`XT~Zq&GvQMrzz9ckt`=b|V-
zTC6eWzr)|bzn9w;%Qf!efuhmuIX&ngsBxm>_v=45iLW<@i^m$ZZ2hoKXx@H+V}%f5
zF}++gL}7tHF49vk`csQSO#NcY8y5qQ!OwqmB)$X{h||gP$xIkv+!Q>uZ2~^+_Eef3
zqD07b9G&D`6zNCv8uNN%lI27e7v}i8{fGRp!6la$a!)|jIgRqM9f;KU{vac^=XqBX
zRrbj5$2y@Q5q^1PWm=JuIKA+qe%N)K%!tVA*n)A>qtU2?{7>!h!k<HX4>WYHDzT!{
znB0cj_H6Y0eLYO_T;YTgBMbP{z5i$aoN_Lb7OpCt%p<Z$<m1eJ`llD-o4_A@oq7LH
z)wNGMNXv&<C$zYOTb^FxutD1O%?tdocm%jRA|lR)laCgD?-g!H<h~3A{PIN>cW$c=
z-Z6D9Y^0f08n;M4TC6eWfP*nSIDKIb=jmA%kzf2jKP0`ZlXcFD&w@gHXt|9S1`Kzc
zYVj8bOgSr-w?@>sbhT{5K_`RAdE|xs8h~mCifJ^Ir**)jVN1KBx@f}zss{3S4qStO
z{x2_lEFjAVIq29t-p)Fqzww+mO&4=ZEU7q2M3Nt@ldi_JhciHsrp^L6YKjm~D*)Qj
zumw{(ZiX`bXz_qjKy}a(9)krw0@-WFqBkO+q+7;$=GF=Qzl{hfr@VClX`%9iRaIni
zx|-``NQ|uVBCSC;A9&M-Ew<9k@)#8DM~gM);d3~xB?V~M`Q|B~p8Z}xdw-;s5Axz1
z;|v{*MYL@cmioT#-R5m)WisogtFKt*hKHjMX4oo^ofJsJ>(=dd!eXsxKbqTc{Hz+4
zbHP35@9gtw*AM(D(u?vzUYr+w1`W{G0)NO0Sa>pY)780ja^oVQMnw0<`^lTZjN0~;
z#gCSCvdXyt*<U$?b7nkxE5>G%b#hsU*q1_RTu2n_i@<_!#hTVBN7jgdyds9YKy3u%
zMHZkj`p~@SkRcPKk-3b9Ejq~JN6R*x>|AgnAAUQaCwDh>a%;MJdeABR5c@(2Eql;d
zBwo2(O+u4&byl5>zkvqqDd1CgLc^9U5=U%_2B@411QgV1@7^DsGpVxSROxCPHk>I6
zBQ#tMq=w~Q&oW`Nq^nKA>k0ZSHDVM|c7ePKS^Q`@T@B|38;51*0#O?z{`Z%fI@u&$
zT{a3OG!SRQm6EP@qDV0~U@kAx(5{9pBC<wxF<tF8HVuoL4mgpKM|l1RO?e^92URV(
zoUSe#g%LWbjaM1zY8=3co1tRa8ESXK7LF`_w5XFs3r=<}P(X%={QaLbb+ULYw5*fU
z($!_cI-#*+8xdJ`T9m4RHefSdjlThri;x#`(xqL_g{dDcrmIy%=JMk>`z$XWh}X$Q
zrK@eiI-yZEs?y0i>1xQ64_#l$)Tbf5Pz#D}Xu|8eJEeiRjvvj54ARPnk%~I{XGf#M
zn%a@BwuwRt{6*-bt3`Q&O12-qroXqnNS!QWCbi)b)75d#1#~vfE&uobDKA}(X7IRP
zMYR<!OhfCWtARLqqJzGk=!UValjES9SOJP^*plW)i|OjnOP=5AT!6?(pgjNm^3v7f
zh6q$C76t2s)=gJ)m^O3-inQU9phLuV`q4b<;yL1+3lROke^_3+T0Z>?&xe*1MIkq#
z`Jn5jtNE05&!d`KD5TfIg0IN#o@uWiN6L2l(LD01YA$%h{`p&w7v-d@<yH=5^~=uv
z)VK(U%CO0j($#ra#97nTHi0u(e5svoC-~7Ie%*Ii@@cwr!54)1DwcH?ovxOTd(Lvw
z7sim+lw7<}Kf9~-F!V^K#qqx%l-{VEIRe(K%0}iQ)75#<Nq#i6wcAi`qH}@wgX!KR
zT`g{pGKIWxI7^#hRcWs8Pd_;=2`Rnp+^2&exclk7e)vJtAg_qoGoXdjVWMC?8KPY}
zISrjuNw>7I>*c3!Mv+yll>6VG>Zhyo>SVd)S(bBUlKbJ2HWCT#d-PRuX#I{|-p~uL
zG((2mjZ|I{Q%K^<rogN0aVnFW$p9csr~?PuD=$=7!e)wv3tBa9JN@W0>{{SCxJ3t@
zTxPmj?i3~O>d`^ktYqS1CBJOY!-zTgYvcqw*Z_?1AA`8CUgQ;V*nZb_zY^4|4^jqT
z`UIIzpVjxF^J2naZMwLzI&YUBt?D$2gveW?(W0=-bhUgYW0vDMbZ_PX14}pkK4PQ}
zJbE9CwCm7{iTz~cQ`_pH(8q`3AINblU#U2i2UX2K(jZ2i33KzKRCG!MaqdUIJr?=N
zWu>d-*1)RW?`beCi#6#@u01gXUe6QcOzv^qkksp%jaHzO-L3v)Wlxrq1#oAVb;@X7
z9C|CzzTwL7qvhlCicDAA(8+*_djlZioAATTJBXt7rfM&Jda_m@>FKQ=&JvMD%oH*M
zI%n;b<ws-V1bUtTI_YXG2r;WZz1O4nT;_)VuM7F?@+`;JWodNIWtIstnPDKYL)HED
z8g<b?nSL|~%gGF#%p3Kn($%6)-o>QC7asTMvl~I^^!H=ShBMhd#-XzdUxf~HcV`~T
z_M`a$OMpmbwA4cORkq>Kd>Qf(5gA=U5v^~zI+>8FbhYU@<)#i0M_h@qF1m!yh<5qW
zDDebI;47=hEbC}2;1OZ}@!o3acqAoFY^AHS90-)ut;z&lLK~u;2U_B0;oV&~3NqtU
z+afX}D*y3Ere9Jx5*u$%pSNwLt4(Gm4poUU#uU3}FrGNL$!hAmiwKLDtQeZ#z5^}A
zR<xp%fd~w}2{MD=AA4|;9{G4rNXo}Q)sv`si%M7PKviN4$Ppe*@vWr3yO<8~Sh;ri
z(ML~359Ia4AS3seANj-RQi9+M=7EsW-^CHL=yY`w;!2F;dWTp`eRt6cQ~Sy0ftDaJ
z@SaPX**`#x*lTaCuz$(Ph`4n1+4DhIh^8YmOpB=G&mzhT6DK74oEQgxq?Cr|vl&O;
zo_>Bv5{mGnWk4STcizxk=%vXERl2&jCzv8R7Mn>oLsp%v>WHO#bElmLDWXeg15DJ@
zA5)Yc4P7}d`TkS7cX7H67niP<lO}O6O;?MbMb#0@M6#jkQWsr9TS6Irw0!Z;HoEA?
z9kraKlM$_-+T*bsg+B-Lny++eiQ>Rf({wcu*AdHfOfas+rM|mpL8sJ5%ZN)?<M`-j
z_Ig^yMOo6-aXQ)b9CQ9$mkyVZ`tG7QKN_;)*jSL6$Z<9tHl`jp<ZC5OY^JO8I3XZ&
zzu^XtE}=7^>;o-LAa1AP>1rfRzVmW3TEm~d@hZ24$hOnfHY2<)I*!m~_1MS)T(E_U
z^BriJx6^1E#K?Q{^mKWVlr*uKuFg8ks18#yMaL1k+Bt2~T5yR#grX0$lmYU%8aMlg
zZ;EWV@BYxAIvf-vzws(ZSu$!nU2W3|nPiLF3VQ+9AjowkharkS&{73X9vwXid7-P5
zv!<(6Wu3)E_#o^JE^a+bLfZ)~Z@BGbm?TzIy3&Rpod$k5XxtvZveMOQP#vEa7vWE_
zn?-k*P5TKwPSmbWNT$$9tQ2|j)uhJjBbq~AsC06>($yleM0n5O#%mj)G2pz|W;UQG
zKUyS?4iTZDWwaw*Eh8zyr#T@eGgMbY=R{F{w8;VsgjlBNY}L+mHAkFIHi__s?E3Da
z6-DjrwqfICA)iVv0k)kGlh4;peV2fuD(SK~1u8%*%WaF3U^86}*o^R{?E0RoP$gFK
z`qBJ3Ofzb6i0nB1$J<U<%iW!TtPx)ITxsYM+5mE5#fEc{rvOQX&<)YJG0I3+XHDnF
zZOzg_m(YeVO-QJSW11R{o5E2xDocy86!O?kSIg@Nz_t@&f-a#AfM}yzxT9KNnQGFw
zDLe^Dge)Un-Hw7J5nVzXU`&IEwro5+$FNjv&-c^8?z)!LS6+2&M)~P#eW)Tl?`r$Z
z-XL6aeDb4J?bc;oLR*4OBIk)zAPA4P?MzpvAuhtB_Z}KhPDv^D6-NN_UF~V;650Y(
zQO5R$SY1G(pr10za9gX_%1c+rA#Q7y+`n3cNk+MFLI-|u+Hs?4WVWHG4Y7GKSVBRP
zEu9QrAOiD^2`Y$nDV#^_Go4o5`^86SCt#P?F)mZ=WY{9IYRa{ZcBQLDsBT)-A*^u_
z59;Jn#C6@VKygELC5HieE764(r%M|JNV+hY<+75`M!K3K?z6TYE|rW`*F*(Z*e@Av
zT5!g2evj(0T|yfGh2}O3kaU6WqJQ^PU8yfs0GSUT4~!&183jqEp92sN{>0H54LlR~
z_%5Lh5L#j-Iu|<nQUwz-C+TEc1xfNbFS?MMx$|*g;$>^x(02)KfU=wmmA=HGOcZ$U
z3<A1?Qr@G^`ztG5EuZtE1NmShkeMH)jdAcN=}6q)b_s0&Bvy3DlGV9TFO;0!?3p&<
zB03fC;q>RARFsjfhED#{lXa$f$q0zb;sKzLDd>OQ(A$Uo$;$mnf8QmvMdWcVS`rG4
z)5Wm(F)=)oTF;i1uEyb>f4R-9bWlEdK$a<v<Geya&+ny;#hfR!jdKz6oC_i+6ma2!
zz}*tJiqC?$WJaEJwY)Wp1M=Vt-_R$s>Htt#ra)%6nrC2kBXkbL5k&`z%-CUe>9+dy
zo+l^=aC7k}om9AQGhHnLQB_AT^Mj2x2*+i#$`og}?>So>ud-ivIoTz22IO%r5W#TK
z`HGz%CtY!?U(I{wBY=o^s&TY5+Rzr6u9hJ>5lN5_08KnAp3KlCv;iuPx<E$<@`8^O
zxmt;ctkI!B3n1{t3ybX}8iyahk$jgxCu7ma<we|><hi-Kgf;*YE2fBXE*^KC9wsm7
zh%F+=q0ECX;~W+|4^Fa0;~NgeBKYxYwP#D-o4ZTs0%6O!$bxnpe0hn~cwIaIl*^0O
zwL^1E>K67?b_rboRErya(WoRKTWC`6Y~$d|NK&}$^9SMi<7-z<x8cOBXDBZm=hK0g
zZxJk`OK6LTb1rOOv@~GPqY0U9)nWr1Zm-e?;rq0;16f9w&=!DII-<`D`-^cdOaRTS
zYscl;U9E%Gsyb&kTRUtja_!J1bPmYbtfHI?6Tn|igN@zQNsz1R#AH#?YlkY!76oh}
zFf;nub_n8}3mdESyhzG?+T2~Og6almuk^*htA3SALbYce`BbM4?wj9PXssS=WV5Kc
z-^MCEFXCFyCZ(%wK$WhpXr`-e;e3TAtAnSgetxh^=rpMGAa^c0X?nx1nz}GW6us5U
zM!MP-20f}*->lKZLZX6qwskHR&P%4F+PR3*vebb<5`&)!J~TgDorw-?rmJn?%z3I+
zSB%s6QTEws4x+CI7hU~3`GRphNPc;GFbj~`8(CT$rHV*b+rmqyXrj7(yW@TEkAhmQ
zhYXGgpZNfpufE&~zlun6E@%z|na?jh>2=&f7^pimL5$0xZMWniI&*Z4hG`C<%2xU#
z7dtKIW5;cK;tQL0U$Azf=ybIugq0*Ap|?Na)H*3jBWl_xycYo?Uoy;yJRJSM2$gfe
zw>_1;u<0a}m9EYUZ=Ae6|KKzU4Sf4H8ogmBEuD>?^d)SewEW^$B4eu%rqFg24|Oui
zPFLr}?h|x^|9>-6xX$qw-xr*@P@g>uL@fBwwNlo}GtIdu6YWS>=fU~&GzRU=zn_-+
ze)fybxz!&J9IuxKX$AvC#!7!kvaIBk>`ZYk%0N5Q)md?(MrRIu#hKP{p{15%=a-$c
zjMOv}NsUO1vPGH5aoe7{&P8XWtFr)+Stc`}EKUNcf9Vf`iM}CPTq!s$9`15jOt}DU
zeEBkmmM)T?TTyf2xL<5%@lYqB6VlbDzyfge1dSfp?$lJjkFB<Q=_?L=hGQ&RFR0C<
zdA5li9*2BNuQ5s-;+zW=ky+$<#&vo>-KkozOmtGZS{EpyJI5~Vfk){a(?hW;D7AbP
z(VBfZd(*waKxLfzC)gUxh7*$ad~axEl?4~K?TP%#p1Ewn0iBqxP69~W7tn;)Pvd+4
zp2kBWe>wSYwCkbwJQVtTVLV;CHbAu2ir8;0ch8VxZ&?9Z0WzmK7Xbx3-JtTBiw{@-
zi)IPl8o@;+V<={<Q8qvipL2Tu{)*Q+R$h491^0p;()*)K1^$f}(#jF7-aK&vkui_7
z0OFjB77H$*L+nnzf7jN&uhA^St((XHhs`*@^UPkK?!4aB`Wrc2&7{}1ir;(h&WD}w
zc+Qt-cA@wkE1tg(2Y&4PNwx_;j>xieL5-;6`n`|vi#6NedVOE>E4BOCST6cJ^NM+p
zP<1L&%~(u!-M{Ohp66&5qi{m+e0bo{t($B6*tB;oroFYR(v=DtrHrv@5??i(i&;-(
z4tzc~<8AZ<dWhY~m-C<h_;sIdxjGtGMNerqCeEhWIAf_$%AP_u@E-9U_c2U;fJkap
zbU~VWxg-{2oC`L6`VZiyp*ez`Tl@ZH^`;B^0=KdyaDol^*^XV&xMGYTN9Nj%E~2!>
z?XCAsY+(a@KmLE&;;0D;&dWfvzKyphM{U`;m@Cs~8W^!J_bZiuW+QT~_;ZX;#S1ph
zr5l~2RJUgJCoXL8$=$+U^>Y3*kozA$(GwC}hU}MiiLAz|d+Q%@9Pe7@CXEJuW#3#L
zpSIYKGO<xW^cNqk(tFrfOq;u2K^Mzb=i>RTy>mhbc99)z^V3&v3Ksd*+C7Y{o7lID
zVjeapbzm3S(e?xpbYQr^p<s0*Vvn-_-^bqAzrd#I61j^mx|p;0e=O+w%IXnpO#lD@
M07*qoM6N<$f@MC(`Tzg`

literal 0
HcmV?d00001

diff --git a/web/src/pages/MigrationWizardPage/style.scss b/web/src/pages/MigrationWizardPage/style.scss
index 08d1924b3..b39eeb784 100644
--- a/web/src/pages/MigrationWizardPage/style.scss
+++ b/web/src/pages/MigrationWizardPage/style.scss
@@ -38,3 +38,21 @@
     }
   }
 }
+
+#upgrade-guide-list {
+  font: var(--t-body-sm-400);
+  color: var(--fg-neutral);
+
+  li {
+    margin-left: var(--spacing-md);
+  }
+}
+
+#confirm-improve-notice {
+  font: var(--t-body-sm-400);
+  color: var(--fg-neutral);
+
+  strong {
+    font-weight: 500;
+  }
+}

From f8f1bc84dda2a679c9c0782ddda5f448af3d0f69 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Filip=20=C5=9Al=C4=99zak?= <fslezak@teonite.com>
Date: Mon, 2 Mar 2026 14:42:05 +0100
Subject: [PATCH 11/15] upgrade ui packages

---
 web/package.json   |  24 +--
 web/pnpm-lock.yaml | 415 ++++++++++++++++++++++-----------------------
 2 files changed, 215 insertions(+), 224 deletions(-)

diff --git a/web/package.json b/web/package.json
index 137071df3..594672fd9 100644
--- a/web/package.json
+++ b/web/package.json
@@ -15,18 +15,18 @@
   "dependencies": {
     "@axa-ch/react-polymorphic-types": "^1.4.1",
     "@floating-ui/react": "^0.27.18",
-    "@inlang/paraglide-js": "^2.12.0",
+    "@inlang/paraglide-js": "^2.13.0",
     "@react-hook/resize-observer": "^2.0.2",
     "@shortercode/webzip": "1.1.1-0",
     "@stablelib/base64": "^2.0.1",
     "@stablelib/x25519": "^2.0.1",
     "@tanstack/react-form": "^1.28.3",
     "@tanstack/react-query": "^5.90.21",
-    "@tanstack/react-router": "^1.162.8",
+    "@tanstack/react-router": "^1.163.3",
     "@tanstack/react-table": "^8.21.3",
     "@tanstack/react-virtual": "^3.13.19",
     "@uidotdev/usehooks": "^2.4.1",
-    "axios": "^1.13.5",
+    "axios": "^1.13.6",
     "byte-size": "^9.0.1",
     "clsx": "^2.1.1",
     "dayjs": "^1.11.19",
@@ -37,7 +37,7 @@
     "motion": "^12.34.3",
     "qrcode.react": "^4.2.0",
     "qs": "^6.15.0",
-    "radashi": "^12.7.1",
+    "radashi": "^12.7.2",
     "react": "^19.2.4",
     "react-dom": "^19.2.4",
     "react-intersection-observer": "^10.0.3",
@@ -52,26 +52,26 @@
   },
   "devDependencies": {
     "@biomejs/biome": "2.4.4",
-    "@inlang/paraglide-js": "2.12.0",
-    "@tanstack/devtools-vite": "^0.5.1",
+    "@inlang/paraglide-js": "2.13.0",
+    "@tanstack/devtools-vite": "^0.5.2",
     "@tanstack/react-devtools": "^0.9.6",
     "@tanstack/react-query-devtools": "^5.91.3",
-    "@tanstack/react-router-devtools": "^1.162.8",
-    "@tanstack/router-plugin": "^1.162.8",
+    "@tanstack/react-router-devtools": "^1.163.3",
+    "@tanstack/router-plugin": "^1.164.0",
     "@types/byte-size": "^8.1.2",
     "@types/humanize-duration": "^3.27.4",
     "@types/lodash-es": "^4.17.12",
-    "@types/node": "^25.3.0",
+    "@types/node": "^25.3.3",
     "@types/qs": "^6.14.0",
     "@types/react": "^19.2.14",
     "@types/react-dom": "^19.2.3",
     "@vitejs/plugin-react-swc": "^4.2.3",
-    "autoprefixer": "^10.4.24",
-    "globals": "^17.3.0",
+    "autoprefixer": "^10.4.27",
+    "globals": "^17.4.0",
     "prettier": "^3.8.1",
     "sass": "^1.97.3",
     "sharp": "^0.34.5",
-    "stylelint": "^17.3.0",
+    "stylelint": "^17.4.0",
     "stylelint-config-standard-scss": "^17.0.0",
     "stylelint-scss": "^7.0.0",
     "typescript": "~5.9.3",
diff --git a/web/pnpm-lock.yaml b/web/pnpm-lock.yaml
index a7d6cc56d..f3b91929e 100644
--- a/web/pnpm-lock.yaml
+++ b/web/pnpm-lock.yaml
@@ -15,8 +15,8 @@ importers:
         specifier: ^0.27.18
         version: 0.27.18(react-dom@19.2.4(react@19.2.4))(react@19.2.4)
       '@inlang/paraglide-js':
-        specifier: ^2.12.0
-        version: 2.12.0
+        specifier: ^2.13.0
+        version: 2.13.0
       '@react-hook/resize-observer':
         specifier: ^2.0.2
         version: 2.0.2(react@19.2.4)
@@ -36,8 +36,8 @@ importers:
         specifier: ^5.90.21
         version: 5.90.21(react@19.2.4)
       '@tanstack/react-router':
-        specifier: ^1.162.8
-        version: 1.162.8(react-dom@19.2.4(react@19.2.4))(react@19.2.4)
+        specifier: ^1.163.3
+        version: 1.163.3(react-dom@19.2.4(react@19.2.4))(react@19.2.4)
       '@tanstack/react-table':
         specifier: ^8.21.3
         version: 8.21.3(react-dom@19.2.4(react@19.2.4))(react@19.2.4)
@@ -48,8 +48,8 @@ importers:
         specifier: ^2.4.1
         version: 2.4.1(react-dom@19.2.4(react@19.2.4))(react@19.2.4)
       axios:
-        specifier: ^1.13.5
-        version: 1.13.5
+        specifier: ^1.13.6
+        version: 1.13.6
       byte-size:
         specifier: ^9.0.1
         version: 9.0.1
@@ -81,8 +81,8 @@ importers:
         specifier: ^6.15.0
         version: 6.15.0
       radashi:
-        specifier: ^12.7.1
-        version: 12.7.1
+        specifier: ^12.7.2
+        version: 12.7.2
       react:
         specifier: ^19.2.4
         version: 19.2.4
@@ -121,8 +121,8 @@ importers:
         specifier: 2.4.4
         version: 2.4.4
       '@tanstack/devtools-vite':
-        specifier: ^0.5.1
-        version: 0.5.1(vite@7.3.1(@types/node@25.3.0)(sass@1.97.3)(tsx@4.21.0))
+        specifier: ^0.5.2
+        version: 0.5.2(vite@7.3.1(@types/node@25.3.3)(sass@1.97.3)(tsx@4.21.0))
       '@tanstack/react-devtools':
         specifier: ^0.9.6
         version: 0.9.6(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(csstype@3.2.3)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(solid-js@1.9.9)
@@ -130,11 +130,11 @@ importers:
         specifier: ^5.91.3
         version: 5.91.3(@tanstack/react-query@5.90.21(react@19.2.4))(react@19.2.4)
       '@tanstack/react-router-devtools':
-        specifier: ^1.162.8
-        version: 1.162.8(@tanstack/react-router@1.162.8(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(@tanstack/router-core@1.162.6)(csstype@3.2.3)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)
+        specifier: ^1.163.3
+        version: 1.163.3(@tanstack/react-router@1.163.3(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(@tanstack/router-core@1.163.3)(csstype@3.2.3)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)
       '@tanstack/router-plugin':
-        specifier: ^1.162.8
-        version: 1.162.8(@tanstack/react-router@1.162.8(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(vite@7.3.1(@types/node@25.3.0)(sass@1.97.3)(tsx@4.21.0))
+        specifier: ^1.164.0
+        version: 1.164.0(@tanstack/react-router@1.163.3(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(vite@7.3.1(@types/node@25.3.3)(sass@1.97.3)(tsx@4.21.0))
       '@types/byte-size':
         specifier: ^8.1.2
         version: 8.1.2
@@ -145,8 +145,8 @@ importers:
         specifier: ^4.17.12
         version: 4.17.12
       '@types/node':
-        specifier: ^25.3.0
-        version: 25.3.0
+        specifier: ^25.3.3
+        version: 25.3.3
       '@types/qs':
         specifier: ^6.14.0
         version: 6.14.0
@@ -158,13 +158,13 @@ importers:
         version: 19.2.3(@types/react@19.2.14)
       '@vitejs/plugin-react-swc':
         specifier: ^4.2.3
-        version: 4.2.3(vite@7.3.1(@types/node@25.3.0)(sass@1.97.3)(tsx@4.21.0))
+        version: 4.2.3(vite@7.3.1(@types/node@25.3.3)(sass@1.97.3)(tsx@4.21.0))
       autoprefixer:
-        specifier: ^10.4.24
-        version: 10.4.24(postcss@8.5.6)
+        specifier: ^10.4.27
+        version: 10.4.27(postcss@8.5.6)
       globals:
-        specifier: ^17.3.0
-        version: 17.3.0
+        specifier: ^17.4.0
+        version: 17.4.0
       prettier:
         specifier: ^3.8.1
         version: 3.8.1
@@ -175,23 +175,23 @@ importers:
         specifier: ^0.34.5
         version: 0.34.5
       stylelint:
-        specifier: ^17.3.0
-        version: 17.3.0(typescript@5.9.3)
+        specifier: ^17.4.0
+        version: 17.4.0(typescript@5.9.3)
       stylelint-config-standard-scss:
         specifier: ^17.0.0
-        version: 17.0.0(postcss@8.5.6)(stylelint@17.3.0(typescript@5.9.3))
+        version: 17.0.0(postcss@8.5.6)(stylelint@17.4.0(typescript@5.9.3))
       stylelint-scss:
         specifier: ^7.0.0
-        version: 7.0.0(stylelint@17.3.0(typescript@5.9.3))
+        version: 7.0.0(stylelint@17.4.0(typescript@5.9.3))
       typescript:
         specifier: ~5.9.3
         version: 5.9.3
       vite:
         specifier: ^7.3.1
-        version: 7.3.1(@types/node@25.3.0)(sass@1.97.3)(tsx@4.21.0)
+        version: 7.3.1(@types/node@25.3.3)(sass@1.97.3)(tsx@4.21.0)
       vite-plugin-image-optimizer:
         specifier: ^2.0.3
-        version: 2.0.3(sharp@0.34.5)(vite@7.3.1(@types/node@25.3.0)(sass@1.97.3)(tsx@4.21.0))
+        version: 2.0.3(sharp@0.34.5)(vite@7.3.1(@types/node@25.3.3)(sass@1.97.3)(tsx@4.21.0))
 
 packages:
 
@@ -341,11 +341,11 @@ packages:
     cpu: [x64]
     os: [win32]
 
-  '@cacheable/memory@2.0.7':
-    resolution: {integrity: sha512-RbxnxAMf89Tp1dLhXMS7ceft/PGsDl1Ip7T20z5nZ+pwIAsQ1p2izPjVG69oCLv/jfQ7HDPHTWK0c9rcAWXN3A==}
+  '@cacheable/memory@2.0.8':
+    resolution: {integrity: sha512-FvEb29x5wVwu/Kf93IWwsOOEuhHh6dYCJF3vcKLzXc0KXIW181AOzv6ceT4ZpBHDvAfG60eqb+ekmrnLHIy+jw==}
 
-  '@cacheable/utils@2.3.4':
-    resolution: {integrity: sha512-knwKUJEYgIfwShABS1BX6JyJJTglAFcEU7EXqzTdiGCXur4voqkiJkdgZIQtWNFhynzDWERcTYv/sETMu3uJWA==}
+  '@cacheable/utils@2.4.0':
+    resolution: {integrity: sha512-PeMMsqjVq+bF0WBsxFBxr/WozBJiZKY0rUojuaCoIaKnEl3Ju1wfEwS+SV1DU/cSe8fqHIPiYJFif8T3MVt4cQ==}
 
   '@csstools/css-calc@3.1.1':
     resolution: {integrity: sha512-HJ26Z/vmsZQqs/o3a6bgKslXGFAungXGbinULZO3eMsOyNJHeBBZfup5FiZInOghgoM4Hwnmw+OgbJCNg1wwUQ==}
@@ -360,8 +360,8 @@ packages:
     peerDependencies:
       '@csstools/css-tokenizer': ^4.0.0
 
-  '@csstools/css-syntax-patches-for-csstree@1.0.28':
-    resolution: {integrity: sha512-1NRf1CUBjnr3K7hu8BLxjQrKCxEe8FP/xmPTenAxCRZWVLbmGotkFvG9mfNpjA6k7Bw1bw4BilZq9cu19RA5pg==}
+  '@csstools/css-syntax-patches-for-csstree@1.0.29':
+    resolution: {integrity: sha512-jx9GjkkP5YHuTmko2eWAvpPnb0mB4mGRr2U7XwVNwevm8nlpobZEVk+GNmiYMk2VuA75v+plfXWyroWKmICZXg==}
 
   '@csstools/css-tokenizer@4.0.0':
     resolution: {integrity: sha512-QxULHAm7cNu72w97JUNCBFODFaXpbDg+dP8b/oWFAZ2MTRppA3U00Y2L1HqaS4J6yBqxwa/Y3nMBaxVKbB/NsA==}
@@ -566,8 +566,8 @@ packages:
   '@floating-ui/utils@0.2.10':
     resolution: {integrity: sha512-aGTxbpbg8/b5JfU1HXSrbH3wXZuLPJcNEcZQFMxLs3oSzgtVu6nFPkbbGGUvBcUjKV2YyB9Wxxabo+HEH9tcRQ==}
 
-  '@img/colour@1.0.0':
-    resolution: {integrity: sha512-A5P/LfWGFSl6nsckYtjw9da+19jB8hkJ6ACTGcDfEJ0aE+l2n2El7dsVM7UVHZQ9s2lmYMWlrS21YLy2IR1LUw==}
+  '@img/colour@1.1.0':
+    resolution: {integrity: sha512-Td76q7j57o/tLVdgS746cYARfSyxk8iEfRxewL9h4OMzYhbW4TAcppl0mT4eyqXddh6L/jwoM75mo7ixa/pCeQ==}
     engines: {node: '>=18'}
 
   '@img/sharp-darwin-arm64@0.34.5':
@@ -719,8 +719,8 @@ packages:
     cpu: [x64]
     os: [win32]
 
-  '@inlang/paraglide-js@2.12.0':
-    resolution: {integrity: sha512-wnqTeSLcMMS2usL8zjS8bDGs9r16X00aeoGk2wVAnPfAgCChYalKdG20pS2XtJVMM1H6nBBBLKt3ZQMnKrusKQ==}
+  '@inlang/paraglide-js@2.13.0':
+    resolution: {integrity: sha512-m7JQiTeLC3tY3DusUCc4iRWlsKoMuDLhw4iGhkY0yI96ki7PK42DLsi1kMk8ubSVenKOwgrs7eqQZN1Htvkhew==}
     hasBin: true
 
   '@inlang/recommend-sherlock@0.2.1':
@@ -1103,72 +1103,72 @@ packages:
   '@standard-schema/utils@0.3.0':
     resolution: {integrity: sha512-e7Mew686owMaPJVNNLs55PUvgz371nKgwsc4vxE49zsODpJEnxgxRo2y/OKrqueavXgZNMDVj3DdHFlaSAeU8g==}
 
-  '@swc/core-darwin-arm64@1.15.13':
-    resolution: {integrity: sha512-ztXusRuC5NV2w+a6pDhX13CGioMLq8CjX5P4XgVJ21ocqz9t19288Do0y8LklplDtwcEhYGTNdMbkmUT7+lDTg==}
+  '@swc/core-darwin-arm64@1.15.18':
+    resolution: {integrity: sha512-+mIv7uBuSaywN3C9LNuWaX1jJJ3SKfiJuE6Lr3bd+/1Iv8oMU7oLBjYMluX1UrEPzwN2qCdY6Io0yVicABoCwQ==}
     engines: {node: '>=10'}
     cpu: [arm64]
     os: [darwin]
 
-  '@swc/core-darwin-x64@1.15.13':
-    resolution: {integrity: sha512-cVifxQUKhaE7qcO/y9Mq6PEhoyvN9tSLzCnnFZ4EIabFHBuLtDDO6a+vLveOy98hAs5Qu1+bb5Nv0oa1Pihe3Q==}
+  '@swc/core-darwin-x64@1.15.18':
+    resolution: {integrity: sha512-wZle0eaQhnzxWX5V/2kEOI6Z9vl/lTFEC6V4EWcn+5pDjhemCpQv9e/TDJ0GIoiClX8EDWRvuZwh+Z3dhL1NAg==}
     engines: {node: '>=10'}
     cpu: [x64]
     os: [darwin]
 
-  '@swc/core-linux-arm-gnueabihf@1.15.13':
-    resolution: {integrity: sha512-t+xxEzZ48enl/wGGy7SRYd7kImWQ/+wvVFD7g5JZo234g6/QnIgZ+YdfIyjHB+ZJI3F7a2IQHS7RNjxF29UkWw==}
+  '@swc/core-linux-arm-gnueabihf@1.15.18':
+    resolution: {integrity: sha512-ao61HGXVqrJFHAcPtF4/DegmwEkVCo4HApnotLU8ognfmU8x589z7+tcf3hU+qBiU1WOXV5fQX6W9Nzs6hjxDw==}
     engines: {node: '>=10'}
     cpu: [arm]
     os: [linux]
 
-  '@swc/core-linux-arm64-gnu@1.15.13':
-    resolution: {integrity: sha512-VndeGvKmTXFn6AGwjy0Kg8i7HccOCE7Jt/vmZwRxGtOfNZM1RLYRQ7MfDLo6T0h1Bq6eYzps3L5Ma4zBmjOnOg==}
+  '@swc/core-linux-arm64-gnu@1.15.18':
+    resolution: {integrity: sha512-3xnctOBLIq3kj8PxOCgPrGjBLP/kNOddr6f5gukYt/1IZxsITQaU9TDyjeX6jG+FiCIHjCuWuffsyQDL5Ew1bg==}
     engines: {node: '>=10'}
     cpu: [arm64]
     os: [linux]
     libc: [glibc]
 
-  '@swc/core-linux-arm64-musl@1.15.13':
-    resolution: {integrity: sha512-SmZ9m+XqCB35NddHCctvHFLqPZDAs5j8IgD36GoutufDJmeq2VNfgk5rQoqNqKmAK3Y7iFdEmI76QoHIWiCLyw==}
+  '@swc/core-linux-arm64-musl@1.15.18':
+    resolution: {integrity: sha512-0a+Lix+FSSHBSBOA0XznCcHo5/1nA6oLLjcnocvzXeqtdjnPb+SvchItHI+lfeiuj1sClYPDvPMLSLyXFaiIKw==}
     engines: {node: '>=10'}
     cpu: [arm64]
     os: [linux]
     libc: [musl]
 
-  '@swc/core-linux-x64-gnu@1.15.13':
-    resolution: {integrity: sha512-5rij+vB9a29aNkHq72EXI2ihDZPszJb4zlApJY4aCC/q6utgqFA6CkrfTfIb+O8hxtG3zP5KERETz8mfFK6A0A==}
+  '@swc/core-linux-x64-gnu@1.15.18':
+    resolution: {integrity: sha512-wG9J8vReUlpaHz4KOD/5UE1AUgirimU4UFT9oZmupUDEofxJKYb1mTA/DrMj0s78bkBiNI+7Fo2EgPuvOJfuAA==}
     engines: {node: '>=10'}
     cpu: [x64]
     os: [linux]
     libc: [glibc]
 
-  '@swc/core-linux-x64-musl@1.15.13':
-    resolution: {integrity: sha512-OlSlaOK9JplQ5qn07WiBLibkOw7iml2++ojEXhhR3rbWrNEKCD7sd8+6wSavsInyFdw4PhLA+Hy6YyDBIE23Yw==}
+  '@swc/core-linux-x64-musl@1.15.18':
+    resolution: {integrity: sha512-4nwbVvCphKzicwNWRmvD5iBaZj8JYsRGa4xOxJmOyHlMDpsvvJ2OR2cODlvWyGFH6BYL1MfIAK3qph3hp0Az6g==}
     engines: {node: '>=10'}
     cpu: [x64]
     os: [linux]
     libc: [musl]
 
-  '@swc/core-win32-arm64-msvc@1.15.13':
-    resolution: {integrity: sha512-zwQii5YVdsfG8Ti9gIKgBKZg8qMkRZxl+OlYWUT5D93Jl4NuNBRausP20tfEkQdAPSRrMCSUZBM6FhW7izAZRg==}
+  '@swc/core-win32-arm64-msvc@1.15.18':
+    resolution: {integrity: sha512-zk0RYO+LjiBCat2RTMHzAWaMky0cra9loH4oRrLKLLNuL+jarxKLFDA8xTZWEkCPLjUTwlRN7d28eDLLMgtUcQ==}
     engines: {node: '>=10'}
     cpu: [arm64]
     os: [win32]
 
-  '@swc/core-win32-ia32-msvc@1.15.13':
-    resolution: {integrity: sha512-hYXvyVVntqRlYoAIDwNzkS3tL2ijP3rxyWQMNKaxcCxxkCDto/w3meOK/OB6rbQSkNw0qTUcBfU9k+T0ptYdfQ==}
+  '@swc/core-win32-ia32-msvc@1.15.18':
+    resolution: {integrity: sha512-yVuTrZ0RccD5+PEkpcLOBAuPbYBXS6rslENvIXfvJGXSdX5QGi1ehC4BjAMl5FkKLiam4kJECUI0l7Hq7T1vwg==}
     engines: {node: '>=10'}
     cpu: [ia32]
     os: [win32]
 
-  '@swc/core-win32-x64-msvc@1.15.13':
-    resolution: {integrity: sha512-XTzKs7c/vYCcjmcwawnQvlHHNS1naJEAzcBckMI5OJlnrcgW8UtcX9NHFYvNjGtXuKv0/9KvqL4fuahdvlNGKw==}
+  '@swc/core-win32-x64-msvc@1.15.18':
+    resolution: {integrity: sha512-7NRmE4hmUQNCbYU3Hn9Tz57mK9Qq4c97ZS+YlamlK6qG9Fb5g/BB3gPDe0iLlJkns/sYv2VWSkm8c3NmbEGjbg==}
     engines: {node: '>=10'}
     cpu: [x64]
     os: [win32]
 
-  '@swc/core@1.15.13':
-    resolution: {integrity: sha512-0l1gl/72PErwUZuavcRpRAQN9uSst+Nk++niC5IX6lmMWpXoScYx3oq/narT64/sKv/eRiPTaAjBFGDEQiWJIw==}
+  '@swc/core@1.15.18':
+    resolution: {integrity: sha512-z87aF9GphWp//fnkRsqvtY+inMVPgYW3zSlXH1kJFvRT5H/wiAn+G32qW5l3oEk63KSF1x3Ov0BfHCObAmT8RA==}
     engines: {node: '>=10'}
     peerDependencies:
       '@swc/helpers': '>=0.5.17'
@@ -1200,8 +1200,8 @@ packages:
     peerDependencies:
       solid-js: '>=1.9.7'
 
-  '@tanstack/devtools-vite@0.5.1':
-    resolution: {integrity: sha512-5dXxMznSxx8NNpO9IbDC011sIdvTVvsoLaLAxm69dgDAX0+2OB8gdXrQp8dnzeNMvszKCgRxI2cgr/pjPgmnNw==}
+  '@tanstack/devtools-vite@0.5.2':
+    resolution: {integrity: sha512-UQF6qnxZ1Ad0J/r25lGYFST3cdAY2mdW1WjRyPyHLDg85pVZ52PigWp3QUnzXsx7VNQVy4+8asADwOOHpsVF0w==}
     engines: {node: '>=18'}
     peerDependencies:
       vite: ^6.0.0 || ^7.0.0
@@ -1258,20 +1258,20 @@ packages:
     peerDependencies:
       react: ^18 || ^19
 
-  '@tanstack/react-router-devtools@1.162.8':
-    resolution: {integrity: sha512-dDohOU8eNbCukLQNcuocCTnvwSu8Z1XwbKvPc4U7KDYoUTUlJls48fXl5y/ENThK/nZEsA7i3oCy1BcX42OOlw==}
+  '@tanstack/react-router-devtools@1.163.3':
+    resolution: {integrity: sha512-42VMkV/2Z8ro7xzblPBRNZIEmCNXMzm2jD68G52p2qhjXm38wGpg46qneAESN9FtTQeVWk5aSXs47/jt7lkzmw==}
     engines: {node: '>=20.19'}
     peerDependencies:
-      '@tanstack/react-router': ^1.162.8
-      '@tanstack/router-core': ^1.162.6
+      '@tanstack/react-router': ^1.163.3
+      '@tanstack/router-core': ^1.163.3
       react: '>=18.0.0 || >=19.0.0'
       react-dom: '>=18.0.0 || >=19.0.0'
     peerDependenciesMeta:
       '@tanstack/router-core':
         optional: true
 
-  '@tanstack/react-router@1.162.8':
-    resolution: {integrity: sha512-WunoknGI5ielJ833yl/F7Vq4nv/OWzrJVBsMgyxX16Db1DwVvX/B5zTg8EMjdZUOJ7ONpvur3t4aq7KQiYRagQ==}
+  '@tanstack/react-router@1.163.3':
+    resolution: {integrity: sha512-hheBbFVb+PbxtrWp8iy6+TTRTbhx3Pn6hKo8Tv/sWlG89ZMcD1xpQWzx8ukHN9K8YWbh5rdzt4kv6u8X4kB28Q==}
     engines: {node: '>=20.19'}
     peerDependencies:
       react: '>=18.0.0 || >=19.0.0'
@@ -1302,30 +1302,30 @@ packages:
       react: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0
       react-dom: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0
 
-  '@tanstack/router-core@1.162.6':
-    resolution: {integrity: sha512-WFMNysDsDtnlM0G0L4LPWJuvpGatlPvBLGlPnieWYKem/Ed4mRHu7Hqw78MR/CMuFSRi9Gvv91/h8F3EVswAJw==}
+  '@tanstack/router-core@1.163.3':
+    resolution: {integrity: sha512-jPptiGq/w3nuPzcMC7RNa79aU+b6OjaDzWJnBcV2UAwL4ThJamRS4h42TdhJE+oF5yH9IEnCOGQdfnbw45LbfA==}
     engines: {node: '>=20.19'}
 
-  '@tanstack/router-devtools-core@1.162.6':
-    resolution: {integrity: sha512-ni+9XmQOg9ale1e6FnhNrBymVVQAkzQ02SfAB6MgobXLp97MHiBk7d0k7DkoyVLk3tXRqmrCERWYRC8IGrcQmw==}
+  '@tanstack/router-devtools-core@1.163.3':
+    resolution: {integrity: sha512-FPi64IP0PT1IkoeyGmsD6JoOVOYAb85VCH0mUbSdD90yV0+1UB6oT+D7K27GXkp7SXMJN3mBEjU5rKnNnmSCIw==}
     engines: {node: '>=20.19'}
     peerDependencies:
-      '@tanstack/router-core': ^1.162.6
+      '@tanstack/router-core': ^1.163.3
       csstype: ^3.0.10
     peerDependenciesMeta:
       csstype:
         optional: true
 
-  '@tanstack/router-generator@1.162.6':
-    resolution: {integrity: sha512-mzkD3kfPW50xgX1hI8YrQx76+hshsUmpI9fVvS741L0cRQKH7bCIYTvcNHkz3sftZwmjt/lh+k7arV1AMLaWhA==}
+  '@tanstack/router-generator@1.164.0':
+    resolution: {integrity: sha512-Uiyj+RtW0kdeqEd8NEd3Np1Z2nhJ2xgLS8U+5mTvFrm/s3xkM2LYjJHoLzc6am7sKPDsmeF9a4/NYq3R7ZJP0Q==}
     engines: {node: '>=20.19'}
 
-  '@tanstack/router-plugin@1.162.8':
-    resolution: {integrity: sha512-u6ZqYEjIA8jXge6JSl5UFFYPzVRciee0vwDwtkIF1Sb+G4cDdDaEjYQ4aN1/va8D7n3LptYvSMU8SeGkX+9slA==}
+  '@tanstack/router-plugin@1.164.0':
+    resolution: {integrity: sha512-cZPsEMhqzyzmuPuDbsTAzBZaT+cj0pGjwdhjxJfPCM06Ax8v4tFR7n/Ug0UCwnNAUEmKZWN3lA9uT+TxXnk9PQ==}
     engines: {node: '>=20.19'}
     peerDependencies:
       '@rsbuild/core': '>=1.0.2'
-      '@tanstack/react-router': ^1.162.8
+      '@tanstack/react-router': ^1.163.3
       vite: '>=5.0.0 || >=6.0.0 || >=7.0.0'
       vite-plugin-solid: ^2.11.10
       webpack: '>=5.92.0'
@@ -1419,8 +1419,8 @@ packages:
   '@types/ms@2.1.0':
     resolution: {integrity: sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA==}
 
-  '@types/node@25.3.0':
-    resolution: {integrity: sha512-4K3bqJpXpqfg2XKGK9bpDTc6xO/xoUP/RBWS7AtRMug6zZFaRekiLzjVtAoZMquxoAbzBvy5nxQ7veS5eYzf8A==}
+  '@types/node@25.3.3':
+    resolution: {integrity: sha512-DpzbrH7wIcBaJibpKo9nnSQL0MTRdnWttGyE5haGwK86xgMOkFLp7vEyfQPGLOJh5wNYiJ3V9PmUMDhV9u8kkQ==}
 
   '@types/qs@6.14.0':
     resolution: {integrity: sha512-eOunJqu0K1923aExK6y8p6fsihYEn/BYuQ4g0CxAAgFc4b/ZLN4CrsRZ55srTdqoiLzU2B2evC+apEIxprEzkQ==}
@@ -1507,15 +1507,15 @@ packages:
   asynckit@0.4.0:
     resolution: {integrity: sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==}
 
-  autoprefixer@10.4.24:
-    resolution: {integrity: sha512-uHZg7N9ULTVbutaIsDRoUkoS8/h3bdsmVJYZ5l3wv8Cp/6UIIoRDm90hZ+BwxUj/hGBEzLxdHNSKuFpn8WOyZw==}
+  autoprefixer@10.4.27:
+    resolution: {integrity: sha512-NP9APE+tO+LuJGn7/9+cohklunJsXWiaWEfV3si4Gi/XHDwVNgkwr1J3RQYFIvPy76GmJ9/bW8vyoU1LcxwKHA==}
     engines: {node: ^10 || ^12 || >=14}
     hasBin: true
     peerDependencies:
       postcss: ^8.1.0
 
-  axios@1.13.5:
-    resolution: {integrity: sha512-cz4ur7Vb0xS4/KUN0tPWe44eqxrIu31me+fbang3ijiNscE129POzipJJA6zniq2C/Z6sJCjMimjS8Lc/GAs8Q==}
+  axios@1.13.6:
+    resolution: {integrity: sha512-ChTCHMouEe2kn713WHbQGcuYrr6fXTBiu460OTwWrWob16g1bXn4vtz07Ope7ewMozJAnEquLk5lWQWtBig9DQ==}
 
   babel-dead-code-elimination@1.0.12:
     resolution: {integrity: sha512-GERT7L2TiYcYDtYk1IpD+ASAYXjKbLTDPhBtYj7X1NuRMDTMtAx9kyBenub1Ev41lo91OHCKdmP+egTDmfQ7Ig==}
@@ -1523,10 +1523,6 @@ packages:
   bail@2.0.2:
     resolution: {integrity: sha512-0xO6mYd7JB2YesxDKplafRpsiOzPt9V02ddPCLbY1xYGPOX24NTyN50qnUxgCPcSoYMhKpAuBTjQoRZCAkUDRw==}
 
-  balanced-match@3.0.1:
-    resolution: {integrity: sha512-vjtV3hiLqYDNRoiAv0zC4QaGAMPomEoq83PRmYIofPswwZurCeWR5LByXm7SyoL0Zh5+2z0+HC7jG8gSZJUh0w==}
-    engines: {node: '>= 16'}
-
   baseline-browser-mapping@2.10.0:
     resolution: {integrity: sha512-lIyg0szRfYbiy67j9KN8IyeD7q7hcmqnJ1ddWmNt19ItGpNN64mnllmxUNFIOdOm6by97jlL6wfpTTJrmnjWAA==}
     engines: {node: '>=6.0.0'}
@@ -1554,8 +1550,8 @@ packages:
       '@75lb/nature':
         optional: true
 
-  cacheable@2.3.2:
-    resolution: {integrity: sha512-w+ZuRNmex9c1TR9RcsxbfTKCjSL0rh1WA5SABbrWprIHeNBdmyQLSYonlDy9gpD+63XT8DgZ/wNh1Smvc9WnJA==}
+  cacheable@2.3.3:
+    resolution: {integrity: sha512-iffYMX4zxKp54evOH27fm92hs+DeC1DhXmNVN8Tr94M/iZIV42dqTHSR2Ik4TOSPyOAwKr7Yu3rN9ALoLkbWyQ==}
 
   call-bind-apply-helpers@1.0.2:
     resolution: {integrity: sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ==}
@@ -1569,8 +1565,8 @@ packages:
     resolution: {integrity: sha512-P8BjAsXvZS+VIDUI11hHCQEv74YT67YUi5JJFNWIqL235sBmjX4+qx9Muvls5ivyNENctx46xQLQ3aTuE7ssaQ==}
     engines: {node: '>=6'}
 
-  caniuse-lite@1.0.30001774:
-    resolution: {integrity: sha512-DDdwPGz99nmIEv216hKSgLD+D4ikHQHjBC/seF98N9CPqRX4M5mSxT9eTV6oyisnJcuzxtZy4n17yKKQYmYQOA==}
+  caniuse-lite@1.0.30001775:
+    resolution: {integrity: sha512-s3Qv7Lht9zbVKE9XoTyRG6wVDCKdtOFIjBGg3+Yhn6JaytuNKPIjBMTMIY1AnOH3seL5mvF+x33oGAyK3hVt3A==}
 
   ccount@2.0.1:
     resolution: {integrity: sha512-eyrF0jiFpY+3drT6383f1qhkbGsLSifNAjA61IUjZjmLCWjItY6LB9ft9YhoDgwfmclB2zhu51Lc7+95b8NRAg==}
@@ -1624,8 +1620,8 @@ packages:
     resolution: {integrity: sha512-yPVavfyCcRhmorC7rWlkHn15b4wDVgVmBA7kV4QVBsF7kv/9TKJAbAXVTxvTnwP8HHKjRCJDClKbciiYS7p0DQ==}
     engines: {node: '>=16'}
 
-  comment-json@4.5.1:
-    resolution: {integrity: sha512-taEtr3ozUmOB7it68Jll7s0Pwm+aoiHyXKrEC8SEodL4rNpdfDLqa7PfBlrgFoCNNdR8ImL+muti5IGvktJAAg==}
+  comment-json@4.6.1:
+    resolution: {integrity: sha512-kdBIsBGqD/sAeqvzeOhBvO/bhtpbfbIU/2lw7bp182FV1cVlY7gr1Jf3Q1I+NOsCk8e4gF5Sl9iYH5cNvVmx5w==}
     engines: {node: '>= 6'}
 
   consola@3.4.0:
@@ -1641,8 +1637,8 @@ packages:
   core-util-is@1.0.3:
     resolution: {integrity: sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==}
 
-  cosmiconfig@9.0.0:
-    resolution: {integrity: sha512-itvL5h8RETACmOTFc4UfIyB2RfEHi71Ax6E/PivVxq9NseKbOWpeyHEOIbmAw1rs8Ak0VursQNww7lf7YtUwzg==}
+  cosmiconfig@9.0.1:
+    resolution: {integrity: sha512-hr4ihw+DBqcvrsEDioRO31Z17x71pUYoNe/4h6Z0wB72p7MU7/9gH8Q3s12NFhHPfYBBOV3qyfUxmr/Yn3shnQ==}
     engines: {node: '>=14'}
     peerDependencies:
       typescript: '>=4.9.5'
@@ -1795,8 +1791,8 @@ packages:
     resolution: {integrity: sha512-j6vWzfrGVfyXxge+O0x5sh6cvxAog0a/4Rdd2K36zCMV5eJ+/+tOAngRO8cODMNWbVRdVlmGZQL2YS3yR8bIUA==}
     engines: {node: '>= 0.4'}
 
-  es-toolkit@1.44.0:
-    resolution: {integrity: sha512-6penXeZalaV88MM3cGkFZZfOoLGWshWWfdy0tWw/RlVVyhvMaWSBTOvXNeiW3e5FwdS5ePW0LGEu17zT139ktg==}
+  es-toolkit@1.45.0:
+    resolution: {integrity: sha512-RArCX+Zea16+R1jg4mH223Z8p/ivbJjIkU3oC6ld2bdUfmDxiCkFYSi9zLOR2anucWJUeH4Djnzgd0im0nD3dw==}
 
   esbuild@0.27.3:
     resolution: {integrity: sha512-8VwMnyGCONIs6cWue2IdpHxHnAjzxnw2Zr7MkVxB2vjmQ2ivqGFb4LEG3SMnv0Gb2F/G/2yA8zUaiL1gywDCCg==}
@@ -1857,8 +1853,8 @@ packages:
   flat-cache@6.1.20:
     resolution: {integrity: sha512-AhHYqwvN62NVLp4lObVXGVluiABTHapoB57EyegZVmazN+hhGhLTn3uZbOofoTw4DSDvVCadzzyChXhOAvy8uQ==}
 
-  flatted@3.3.3:
-    resolution: {integrity: sha512-GX+ysw4PBCz0PzosHDepZGANEuFCMLrnRTiEy9McGjmkCQYwRq4A/X786G/fjM/+OjsWSU1ZrY5qyARZmO/uwg==}
+  flatted@3.3.4:
+    resolution: {integrity: sha512-3+mMldrTAPdta5kjX2G2J7iX4zxtnwpdA8Tr2ZSjkyPSanvbZAcy6flmtnXbEybHrDcU9641lxrMfFuUxVz9vA==}
 
   follow-redirects@1.15.11:
     resolution: {integrity: sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==}
@@ -1929,8 +1925,8 @@ packages:
     resolution: {integrity: sha512-awConJSVCHVGND6x3tmMaKcQvwXLhjdkmomy2W+Goaui8YPgYgXJZewhg3fWC+DlfqqQuWg8AwqjGTD2nAPVWg==}
     engines: {node: '>=6'}
 
-  globals@17.3.0:
-    resolution: {integrity: sha512-yMqGUQVVCkD4tqjOJf3TnrvaaHDMYp4VlUSObbkIiuCPe/ofdMBFIAcBbCSRFWOnos6qRiTVStDwqPLUclaxIw==}
+  globals@17.4.0:
+    resolution: {integrity: sha512-hjrNztw/VajQwOLsMNT1cbJiH2muO3OROCHnbehc8eY5JyD2gqz4AcMHPqgaOR59DjgUjYAYLeH699g/eWi2jw==}
     engines: {node: '>=18'}
 
   globby@16.1.1:
@@ -2142,8 +2138,8 @@ packages:
     resolution: {integrity: sha512-FIyV/64EkKhJmjgC0g2hygpBv5RNWVPyNCqSAD7eTCv6eFWNIi4PN1UvdSJGicN/o35bnevgis4Y0UDC0qi8jQ==}
     engines: {node: '>=14.0.0'}
 
-  launch-editor@2.13.0:
-    resolution: {integrity: sha512-u+9asUHMJ99lA15VRMXw5XKfySFR9dGXwgsgS14YTbUq3GITP58mIM32At90P5fZ+MUId5Yw+IwI/yKub7jnCQ==}
+  launch-editor@2.13.1:
+    resolution: {integrity: sha512-lPSddlAAluRKJ7/cjRFoXUFzaX7q/YKI7yPHuEvSJVqoXvFnJov1/Ud87Aa4zULIbA9Nja4mSPK8l0z/7eV2wA==}
 
   lines-and-columns@1.2.4:
     resolution: {integrity: sha512-7ylylesZQ/PV29jhEDl3Ufjo6ZX7gCqJr5F7PKrqc93v7fzSymt1BpwEU8nAUXs8qzzvqhbjhK5QZg6Mt/HkBg==}
@@ -2406,8 +2402,8 @@ packages:
   queue-microtask@1.2.3:
     resolution: {integrity: sha512-NuaNSa6flKT5JaSYQzJok04JzTL1CA6aGhv5rfLW3PgqA+M2ChpZQnAC8h8i4ZFkBS8X5RqkDBHA7r4hej3K9A==}
 
-  radashi@12.7.1:
-    resolution: {integrity: sha512-rwxcGY3oKMQJ+ojhS4MlxyVWqdXPVJSxg3ZjXDYYz26DYRuAAs+7XBM406/GYzPEBbjSJqdKfHDpBRfjWn34RQ==}
+  radashi@12.7.2:
+    resolution: {integrity: sha512-BfoN4XJll34ok3rCHjVlRypymJvD3cE+M3UATC8519wUgHl1/AXt2dEEIFv5865gO6t0ENAU6qEOqjr/NcIRyQ==}
     engines: {node: '>=16.0.0'}
 
   react-dom@19.2.4:
@@ -2631,8 +2627,8 @@ packages:
     resolution: {integrity: sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==}
     engines: {node: '>=8'}
 
-  strip-ansi@7.1.2:
-    resolution: {integrity: sha512-gmBGslpoQJtgnMAvOVqGZpEz9dyoKTCzy2nfz/n8aIFhN/jCE/rCmcxabB6jOOHV+0WNnylOxaxBQPSvcWklhA==}
+  strip-ansi@7.2.0:
+    resolution: {integrity: sha512-yDPMNjp4WyfYBkHnjIRLfca1i6KMyGCtsVgoKe/z1+6vukgaENdgGBZt+ZmKPc4gavvEZ5OgHfHdrazhgNyG7w==}
     engines: {node: '>=12'}
 
   style-to-js@1.1.21:
@@ -2679,8 +2675,8 @@ packages:
     peerDependencies:
       stylelint: ^16.8.2 || ^17.0.0
 
-  stylelint@17.3.0:
-    resolution: {integrity: sha512-1POV91lcEMhj6SLVaOeA0KlS9yattS+qq+cyWqP/nYzWco7K5jznpGH1ExngvPlTM9QF1Kjd2bmuzJu9TH2OcA==}
+  stylelint@17.4.0:
+    resolution: {integrity: sha512-3kQ2/cHv3Zt8OBg+h2B8XCx9evEABQIrv4hh3uXahGz/ZEHrTR80zxBiK2NfXNaSoyBzxO1pjsz1Vhdzwn5XSw==}
     engines: {node: '>=20.19.0'}
     hasBin: true
 
@@ -2927,8 +2923,8 @@ packages:
     resolution: {integrity: sha512-HxJdYWq1MTIQbJ3nw0cqssHoTNU267KlrDuGZ1WYlxDStUtKUhOaJmh112/TZmHxxUfuJqPXSOm7tDyas0OSIQ==}
     hasBin: true
 
-  write-file-atomic@7.0.0:
-    resolution: {integrity: sha512-YnlPC6JqnZl6aO4uRc+dx5PHguiR9S6WeoLtpxNT9wIG+BDya7ZNE1q7KOjVgaA73hKhKLpVPgJ5QA9THQ5BRg==}
+  write-file-atomic@7.0.1:
+    resolution: {integrity: sha512-OTIk8iR8/aCRWBqvxrzxR0hgxWpnYBblY1S5hDWBQfk/VFmJwzmJgQFN3WsoUKHISv2eAwe+PpbUzyL1CKTLXg==}
     engines: {node: ^20.17.0 || >=22.9.0}
 
   ws@8.19.0:
@@ -3127,14 +3123,14 @@ snapshots:
   '@biomejs/cli-win32-x64@2.4.4':
     optional: true
 
-  '@cacheable/memory@2.0.7':
+  '@cacheable/memory@2.0.8':
     dependencies:
-      '@cacheable/utils': 2.3.4
+      '@cacheable/utils': 2.4.0
       '@keyv/bigmap': 1.3.1(keyv@5.6.0)
       hookified: 1.15.1
       keyv: 5.6.0
 
-  '@cacheable/utils@2.3.4':
+  '@cacheable/utils@2.4.0':
     dependencies:
       hashery: 1.5.0
       keyv: 5.6.0
@@ -3148,7 +3144,7 @@ snapshots:
     dependencies:
       '@csstools/css-tokenizer': 4.0.0
 
-  '@csstools/css-syntax-patches-for-csstree@1.0.28': {}
+  '@csstools/css-syntax-patches-for-csstree@1.0.29': {}
 
   '@csstools/css-tokenizer@4.0.0': {}
 
@@ -3273,7 +3269,7 @@ snapshots:
 
   '@floating-ui/utils@0.2.10': {}
 
-  '@img/colour@1.0.0': {}
+  '@img/colour@1.1.0': {}
 
   '@img/sharp-darwin-arm64@0.34.5':
     optionalDependencies:
@@ -3369,7 +3365,7 @@ snapshots:
   '@img/sharp-win32-x64@0.34.5':
     optional: true
 
-  '@inlang/paraglide-js@2.12.0':
+  '@inlang/paraglide-js@2.13.0':
     dependencies:
       '@inlang/recommend-sherlock': 0.2.1
       '@inlang/sdk': 2.7.0
@@ -3383,7 +3379,7 @@ snapshots:
 
   '@inlang/recommend-sherlock@0.2.1':
     dependencies:
-      comment-json: 4.5.1
+      comment-json: 4.6.1
 
   '@inlang/sdk@2.7.0':
     dependencies:
@@ -3685,51 +3681,51 @@ snapshots:
 
   '@standard-schema/utils@0.3.0': {}
 
-  '@swc/core-darwin-arm64@1.15.13':
+  '@swc/core-darwin-arm64@1.15.18':
     optional: true
 
-  '@swc/core-darwin-x64@1.15.13':
+  '@swc/core-darwin-x64@1.15.18':
     optional: true
 
-  '@swc/core-linux-arm-gnueabihf@1.15.13':
+  '@swc/core-linux-arm-gnueabihf@1.15.18':
     optional: true
 
-  '@swc/core-linux-arm64-gnu@1.15.13':
+  '@swc/core-linux-arm64-gnu@1.15.18':
     optional: true
 
-  '@swc/core-linux-arm64-musl@1.15.13':
+  '@swc/core-linux-arm64-musl@1.15.18':
     optional: true
 
-  '@swc/core-linux-x64-gnu@1.15.13':
+  '@swc/core-linux-x64-gnu@1.15.18':
     optional: true
 
-  '@swc/core-linux-x64-musl@1.15.13':
+  '@swc/core-linux-x64-musl@1.15.18':
     optional: true
 
-  '@swc/core-win32-arm64-msvc@1.15.13':
+  '@swc/core-win32-arm64-msvc@1.15.18':
     optional: true
 
-  '@swc/core-win32-ia32-msvc@1.15.13':
+  '@swc/core-win32-ia32-msvc@1.15.18':
     optional: true
 
-  '@swc/core-win32-x64-msvc@1.15.13':
+  '@swc/core-win32-x64-msvc@1.15.18':
     optional: true
 
-  '@swc/core@1.15.13':
+  '@swc/core@1.15.18':
     dependencies:
       '@swc/counter': 0.1.3
       '@swc/types': 0.1.25
     optionalDependencies:
-      '@swc/core-darwin-arm64': 1.15.13
-      '@swc/core-darwin-x64': 1.15.13
-      '@swc/core-linux-arm-gnueabihf': 1.15.13
-      '@swc/core-linux-arm64-gnu': 1.15.13
-      '@swc/core-linux-arm64-musl': 1.15.13
-      '@swc/core-linux-x64-gnu': 1.15.13
-      '@swc/core-linux-x64-musl': 1.15.13
-      '@swc/core-win32-arm64-msvc': 1.15.13
-      '@swc/core-win32-ia32-msvc': 1.15.13
-      '@swc/core-win32-x64-msvc': 1.15.13
+      '@swc/core-darwin-arm64': 1.15.18
+      '@swc/core-darwin-x64': 1.15.18
+      '@swc/core-linux-arm-gnueabihf': 1.15.18
+      '@swc/core-linux-arm64-gnu': 1.15.18
+      '@swc/core-linux-arm64-musl': 1.15.18
+      '@swc/core-linux-x64-gnu': 1.15.18
+      '@swc/core-linux-x64-musl': 1.15.18
+      '@swc/core-win32-arm64-msvc': 1.15.18
+      '@swc/core-win32-ia32-msvc': 1.15.18
+      '@swc/core-win32-x64-msvc': 1.15.18
 
   '@swc/counter@0.1.3': {}
 
@@ -3758,7 +3754,7 @@ snapshots:
     transitivePeerDependencies:
       - csstype
 
-  '@tanstack/devtools-vite@0.5.1(vite@7.3.1(@types/node@25.3.0)(sass@1.97.3)(tsx@4.21.0))':
+  '@tanstack/devtools-vite@0.5.2(vite@7.3.1(@types/node@25.3.3)(sass@1.97.3)(tsx@4.21.0))':
     dependencies:
       '@babel/core': 7.29.0
       '@babel/generator': 7.29.1
@@ -3768,9 +3764,9 @@ snapshots:
       '@tanstack/devtools-client': 0.0.5
       '@tanstack/devtools-event-bus': 0.4.1
       chalk: 5.6.2
-      launch-editor: 2.13.0
+      launch-editor: 2.13.1
       picomatch: 4.0.3
-      vite: 7.3.1(@types/node@25.3.0)(sass@1.97.3)(tsx@4.21.0)
+      vite: 7.3.1(@types/node@25.3.3)(sass@1.97.3)(tsx@4.21.0)
     transitivePeerDependencies:
       - bufferutil
       - supports-color
@@ -3838,22 +3834,22 @@ snapshots:
       '@tanstack/query-core': 5.90.20
       react: 19.2.4
 
-  '@tanstack/react-router-devtools@1.162.8(@tanstack/react-router@1.162.8(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(@tanstack/router-core@1.162.6)(csstype@3.2.3)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)':
+  '@tanstack/react-router-devtools@1.163.3(@tanstack/react-router@1.163.3(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(@tanstack/router-core@1.163.3)(csstype@3.2.3)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)':
     dependencies:
-      '@tanstack/react-router': 1.162.8(react-dom@19.2.4(react@19.2.4))(react@19.2.4)
-      '@tanstack/router-devtools-core': 1.162.6(@tanstack/router-core@1.162.6)(csstype@3.2.3)
+      '@tanstack/react-router': 1.163.3(react-dom@19.2.4(react@19.2.4))(react@19.2.4)
+      '@tanstack/router-devtools-core': 1.163.3(@tanstack/router-core@1.163.3)(csstype@3.2.3)
       react: 19.2.4
       react-dom: 19.2.4(react@19.2.4)
     optionalDependencies:
-      '@tanstack/router-core': 1.162.6
+      '@tanstack/router-core': 1.163.3
     transitivePeerDependencies:
       - csstype
 
-  '@tanstack/react-router@1.162.8(react-dom@19.2.4(react@19.2.4))(react@19.2.4)':
+  '@tanstack/react-router@1.163.3(react-dom@19.2.4(react@19.2.4))(react@19.2.4)':
     dependencies:
       '@tanstack/history': 1.161.4
       '@tanstack/react-store': 0.9.1(react-dom@19.2.4(react@19.2.4))(react@19.2.4)
-      '@tanstack/router-core': 1.162.6
+      '@tanstack/router-core': 1.163.3
       isbot: 5.1.35
       react: 19.2.4
       react-dom: 19.2.4(react@19.2.4)
@@ -3886,7 +3882,7 @@ snapshots:
       react: 19.2.4
       react-dom: 19.2.4(react@19.2.4)
 
-  '@tanstack/router-core@1.162.6':
+  '@tanstack/router-core@1.163.3':
     dependencies:
       '@tanstack/history': 1.161.4
       '@tanstack/store': 0.9.1
@@ -3896,18 +3892,18 @@ snapshots:
       tiny-invariant: 1.3.3
       tiny-warning: 1.0.3
 
-  '@tanstack/router-devtools-core@1.162.6(@tanstack/router-core@1.162.6)(csstype@3.2.3)':
+  '@tanstack/router-devtools-core@1.163.3(@tanstack/router-core@1.163.3)(csstype@3.2.3)':
     dependencies:
-      '@tanstack/router-core': 1.162.6
+      '@tanstack/router-core': 1.163.3
       clsx: 2.1.1
       goober: 2.1.18(csstype@3.2.3)
       tiny-invariant: 1.3.3
     optionalDependencies:
       csstype: 3.2.3
 
-  '@tanstack/router-generator@1.162.6':
+  '@tanstack/router-generator@1.164.0':
     dependencies:
-      '@tanstack/router-core': 1.162.6
+      '@tanstack/router-core': 1.163.3
       '@tanstack/router-utils': 1.161.4
       '@tanstack/virtual-file-routes': 1.161.4
       prettier: 3.8.1
@@ -3918,7 +3914,7 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  '@tanstack/router-plugin@1.162.8(@tanstack/react-router@1.162.8(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(vite@7.3.1(@types/node@25.3.0)(sass@1.97.3)(tsx@4.21.0))':
+  '@tanstack/router-plugin@1.164.0(@tanstack/react-router@1.163.3(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(vite@7.3.1(@types/node@25.3.3)(sass@1.97.3)(tsx@4.21.0))':
     dependencies:
       '@babel/core': 7.29.0
       '@babel/plugin-syntax-jsx': 7.28.6(@babel/core@7.29.0)
@@ -3926,16 +3922,16 @@ snapshots:
       '@babel/template': 7.28.6
       '@babel/traverse': 7.29.0
       '@babel/types': 7.29.0
-      '@tanstack/router-core': 1.162.6
-      '@tanstack/router-generator': 1.162.6
+      '@tanstack/router-core': 1.163.3
+      '@tanstack/router-generator': 1.164.0
       '@tanstack/router-utils': 1.161.4
       '@tanstack/virtual-file-routes': 1.161.4
       chokidar: 3.6.0
       unplugin: 2.3.11
       zod: 3.25.76
     optionalDependencies:
-      '@tanstack/react-router': 1.162.8(react-dom@19.2.4(react@19.2.4))(react@19.2.4)
-      vite: 7.3.1(@types/node@25.3.0)(sass@1.97.3)(tsx@4.21.0)
+      '@tanstack/react-router': 1.163.3(react-dom@19.2.4(react@19.2.4))(react@19.2.4)
+      vite: 7.3.1(@types/node@25.3.3)(sass@1.97.3)(tsx@4.21.0)
     transitivePeerDependencies:
       - supports-color
 
@@ -4017,7 +4013,7 @@ snapshots:
 
   '@types/ms@2.1.0': {}
 
-  '@types/node@25.3.0':
+  '@types/node@25.3.3':
     dependencies:
       undici-types: 7.18.2
 
@@ -4044,11 +4040,11 @@ snapshots:
 
   '@ungap/structured-clone@1.3.0': {}
 
-  '@vitejs/plugin-react-swc@4.2.3(vite@7.3.1(@types/node@25.3.0)(sass@1.97.3)(tsx@4.21.0))':
+  '@vitejs/plugin-react-swc@4.2.3(vite@7.3.1(@types/node@25.3.3)(sass@1.97.3)(tsx@4.21.0))':
     dependencies:
       '@rolldown/pluginutils': 1.0.0-rc.2
-      '@swc/core': 1.15.13
-      vite: 7.3.1(@types/node@25.3.0)(sass@1.97.3)(tsx@4.21.0)
+      '@swc/core': 1.15.18
+      vite: 7.3.1(@types/node@25.3.3)(sass@1.97.3)(tsx@4.21.0)
     transitivePeerDependencies:
       - '@swc/helpers'
 
@@ -4090,16 +4086,16 @@ snapshots:
 
   asynckit@0.4.0: {}
 
-  autoprefixer@10.4.24(postcss@8.5.6):
+  autoprefixer@10.4.27(postcss@8.5.6):
     dependencies:
       browserslist: 4.28.1
-      caniuse-lite: 1.0.30001774
+      caniuse-lite: 1.0.30001775
       fraction.js: 5.3.4
       picocolors: 1.1.1
       postcss: 8.5.6
       postcss-value-parser: 4.2.0
 
-  axios@1.13.5:
+  axios@1.13.6:
     dependencies:
       follow-redirects: 1.15.11
       form-data: 4.0.5
@@ -4118,8 +4114,6 @@ snapshots:
 
   bail@2.0.2: {}
 
-  balanced-match@3.0.1: {}
-
   baseline-browser-mapping@2.10.0: {}
 
   binary-extensions@2.3.0: {}
@@ -4131,17 +4125,17 @@ snapshots:
   browserslist@4.28.1:
     dependencies:
       baseline-browser-mapping: 2.10.0
-      caniuse-lite: 1.0.30001774
+      caniuse-lite: 1.0.30001775
       electron-to-chromium: 1.5.302
       node-releases: 2.0.27
       update-browserslist-db: 1.2.3(browserslist@4.28.1)
 
   byte-size@9.0.1: {}
 
-  cacheable@2.3.2:
+  cacheable@2.3.3:
     dependencies:
-      '@cacheable/memory': 2.0.7
-      '@cacheable/utils': 2.3.4
+      '@cacheable/memory': 2.0.8
+      '@cacheable/utils': 2.4.0
       hookified: 1.15.1
       keyv: 5.6.0
       qified: 0.6.0
@@ -4158,7 +4152,7 @@ snapshots:
 
   callsites@3.1.0: {}
 
-  caniuse-lite@1.0.30001774: {}
+  caniuse-lite@1.0.30001775: {}
 
   ccount@2.0.1: {}
 
@@ -4206,7 +4200,7 @@ snapshots:
 
   commander@11.1.0: {}
 
-  comment-json@4.5.1:
+  comment-json@4.6.1:
     dependencies:
       array-timsort: 1.0.3
       core-util-is: 1.0.3
@@ -4220,7 +4214,7 @@ snapshots:
 
   core-util-is@1.0.3: {}
 
-  cosmiconfig@9.0.0(typescript@5.9.3):
+  cosmiconfig@9.0.1(typescript@5.9.3):
     dependencies:
       env-paths: 2.2.1
       import-fresh: 3.3.1
@@ -4339,7 +4333,7 @@ snapshots:
       has-tostringtag: 1.0.2
       hasown: 2.0.2
 
-  es-toolkit@1.44.0: {}
+  es-toolkit@1.45.0: {}
 
   esbuild@0.27.3:
     optionalDependencies:
@@ -4412,11 +4406,11 @@ snapshots:
 
   flat-cache@6.1.20:
     dependencies:
-      cacheable: 2.3.2
-      flatted: 3.3.3
+      cacheable: 2.3.3
+      flatted: 3.3.4
       hookified: 1.15.1
 
-  flatted@3.3.3: {}
+  flatted@3.3.4: {}
 
   follow-redirects@1.15.11: {}
 
@@ -4484,7 +4478,7 @@ snapshots:
       kind-of: 6.0.3
       which: 1.3.1
 
-  globals@17.3.0: {}
+  globals@17.4.0: {}
 
   globby@16.1.1:
     dependencies:
@@ -4692,7 +4686,7 @@ snapshots:
 
   kysely@0.27.6: {}
 
-  launch-editor@2.13.0:
+  launch-editor@2.13.1:
     dependencies:
       picocolors: 1.1.1
       shell-quote: 1.8.3
@@ -5059,7 +5053,7 @@ snapshots:
 
   queue-microtask@1.2.3: {}
 
-  radashi@12.7.1: {}
+  radashi@12.7.2: {}
 
   react-dom@19.2.4(react@19.2.4):
     dependencies:
@@ -5126,7 +5120,7 @@ snapshots:
       '@reduxjs/toolkit': 2.11.2(react-redux@9.2.0(@types/react@19.2.14)(react@19.2.4)(redux@5.0.1))(react@19.2.4)
       clsx: 2.1.1
       decimal.js-light: 2.5.1
-      es-toolkit: 1.44.0
+      es-toolkit: 1.45.0
       eventemitter3: 5.0.4
       immer: 10.2.0
       react: 19.2.4
@@ -5247,7 +5241,7 @@ snapshots:
 
   sharp@0.34.5:
     dependencies:
-      '@img/colour': 1.0.0
+      '@img/colour': 1.1.0
       detect-libc: 2.1.2
       semver: 7.7.4
     optionalDependencies:
@@ -5344,7 +5338,7 @@ snapshots:
   string-width@8.2.0:
     dependencies:
       get-east-asian-width: 1.5.0
-      strip-ansi: 7.1.2
+      strip-ansi: 7.2.0
 
   stringify-entities@4.0.4:
     dependencies:
@@ -5355,7 +5349,7 @@ snapshots:
     dependencies:
       ansi-regex: 5.0.1
 
-  strip-ansi@7.1.2:
+  strip-ansi@7.2.0:
     dependencies:
       ansi-regex: 6.2.2
 
@@ -5367,33 +5361,33 @@ snapshots:
     dependencies:
       inline-style-parser: 0.2.7
 
-  stylelint-config-recommended-scss@17.0.0(postcss@8.5.6)(stylelint@17.3.0(typescript@5.9.3)):
+  stylelint-config-recommended-scss@17.0.0(postcss@8.5.6)(stylelint@17.4.0(typescript@5.9.3)):
     dependencies:
       postcss-scss: 4.0.9(postcss@8.5.6)
-      stylelint: 17.3.0(typescript@5.9.3)
-      stylelint-config-recommended: 18.0.0(stylelint@17.3.0(typescript@5.9.3))
-      stylelint-scss: 7.0.0(stylelint@17.3.0(typescript@5.9.3))
+      stylelint: 17.4.0(typescript@5.9.3)
+      stylelint-config-recommended: 18.0.0(stylelint@17.4.0(typescript@5.9.3))
+      stylelint-scss: 7.0.0(stylelint@17.4.0(typescript@5.9.3))
     optionalDependencies:
       postcss: 8.5.6
 
-  stylelint-config-recommended@18.0.0(stylelint@17.3.0(typescript@5.9.3)):
+  stylelint-config-recommended@18.0.0(stylelint@17.4.0(typescript@5.9.3)):
     dependencies:
-      stylelint: 17.3.0(typescript@5.9.3)
+      stylelint: 17.4.0(typescript@5.9.3)
 
-  stylelint-config-standard-scss@17.0.0(postcss@8.5.6)(stylelint@17.3.0(typescript@5.9.3)):
+  stylelint-config-standard-scss@17.0.0(postcss@8.5.6)(stylelint@17.4.0(typescript@5.9.3)):
     dependencies:
-      stylelint: 17.3.0(typescript@5.9.3)
-      stylelint-config-recommended-scss: 17.0.0(postcss@8.5.6)(stylelint@17.3.0(typescript@5.9.3))
-      stylelint-config-standard: 40.0.0(stylelint@17.3.0(typescript@5.9.3))
+      stylelint: 17.4.0(typescript@5.9.3)
+      stylelint-config-recommended-scss: 17.0.0(postcss@8.5.6)(stylelint@17.4.0(typescript@5.9.3))
+      stylelint-config-standard: 40.0.0(stylelint@17.4.0(typescript@5.9.3))
     optionalDependencies:
       postcss: 8.5.6
 
-  stylelint-config-standard@40.0.0(stylelint@17.3.0(typescript@5.9.3)):
+  stylelint-config-standard@40.0.0(stylelint@17.4.0(typescript@5.9.3)):
     dependencies:
-      stylelint: 17.3.0(typescript@5.9.3)
-      stylelint-config-recommended: 18.0.0(stylelint@17.3.0(typescript@5.9.3))
+      stylelint: 17.4.0(typescript@5.9.3)
+      stylelint-config-recommended: 18.0.0(stylelint@17.4.0(typescript@5.9.3))
 
-  stylelint-scss@7.0.0(stylelint@17.3.0(typescript@5.9.3)):
+  stylelint-scss@7.0.0(stylelint@17.4.0(typescript@5.9.3)):
     dependencies:
       css-tree: 3.1.0
       is-plain-object: 5.0.0
@@ -5403,20 +5397,19 @@ snapshots:
       postcss-resolve-nested-selector: 0.1.6
       postcss-selector-parser: 7.1.1
       postcss-value-parser: 4.2.0
-      stylelint: 17.3.0(typescript@5.9.3)
+      stylelint: 17.4.0(typescript@5.9.3)
 
-  stylelint@17.3.0(typescript@5.9.3):
+  stylelint@17.4.0(typescript@5.9.3):
     dependencies:
       '@csstools/css-calc': 3.1.1(@csstools/css-parser-algorithms@4.0.0(@csstools/css-tokenizer@4.0.0))(@csstools/css-tokenizer@4.0.0)
       '@csstools/css-parser-algorithms': 4.0.0(@csstools/css-tokenizer@4.0.0)
-      '@csstools/css-syntax-patches-for-csstree': 1.0.28
+      '@csstools/css-syntax-patches-for-csstree': 1.0.29
       '@csstools/css-tokenizer': 4.0.0
       '@csstools/media-query-list-parser': 5.0.0(@csstools/css-parser-algorithms@4.0.0(@csstools/css-tokenizer@4.0.0))(@csstools/css-tokenizer@4.0.0)
       '@csstools/selector-resolve-nested': 4.0.0(postcss-selector-parser@7.1.1)
       '@csstools/selector-specificity': 6.0.0(postcss-selector-parser@7.1.1)
-      balanced-match: 3.0.1
       colord: 2.9.3
-      cosmiconfig: 9.0.0(typescript@5.9.3)
+      cosmiconfig: 9.0.1(typescript@5.9.3)
       css-functions-list: 3.3.3
       css-tree: 3.1.0
       debug: 4.4.3
@@ -5431,7 +5424,6 @@ snapshots:
       import-meta-resolve: 4.2.0
       imurmurhash: 0.1.4
       is-plain-object: 5.0.0
-      known-css-properties: 0.37.0
       mathml-tag-names: 4.0.0
       meow: 14.1.0
       micromatch: 4.0.8
@@ -5445,7 +5437,7 @@ snapshots:
       supports-hyperlinks: 4.4.0
       svg-tags: 1.0.0
       table: 6.9.0
-      write-file-atomic: 7.0.0
+      write-file-atomic: 7.0.1
     transitivePeerDependencies:
       - supports-color
       - typescript
@@ -5684,15 +5676,15 @@ snapshots:
       d3-time: 3.1.0
       d3-timer: 3.0.1
 
-  vite-plugin-image-optimizer@2.0.3(sharp@0.34.5)(vite@7.3.1(@types/node@25.3.0)(sass@1.97.3)(tsx@4.21.0)):
+  vite-plugin-image-optimizer@2.0.3(sharp@0.34.5)(vite@7.3.1(@types/node@25.3.3)(sass@1.97.3)(tsx@4.21.0)):
     dependencies:
       ansi-colors: 4.1.3
       pathe: 2.0.3
-      vite: 7.3.1(@types/node@25.3.0)(sass@1.97.3)(tsx@4.21.0)
+      vite: 7.3.1(@types/node@25.3.3)(sass@1.97.3)(tsx@4.21.0)
     optionalDependencies:
       sharp: 0.34.5
 
-  vite@7.3.1(@types/node@25.3.0)(sass@1.97.3)(tsx@4.21.0):
+  vite@7.3.1(@types/node@25.3.3)(sass@1.97.3)(tsx@4.21.0):
     dependencies:
       esbuild: 0.27.3
       fdir: 6.5.0(picomatch@4.0.3)
@@ -5701,7 +5693,7 @@ snapshots:
       rollup: 4.59.0
       tinyglobby: 0.2.15
     optionalDependencies:
-      '@types/node': 25.3.0
+      '@types/node': 25.3.3
       fsevents: 2.3.3
       sass: 1.97.3
       tsx: 4.21.0
@@ -5714,9 +5706,8 @@ snapshots:
     dependencies:
       isexe: 2.0.0
 
-  write-file-atomic@7.0.0:
+  write-file-atomic@7.0.1:
     dependencies:
-      imurmurhash: 0.1.4
       signal-exit: 4.1.0
 
   ws@8.19.0: {}

From 9c5ad002017a263f7f0f6c63cd480a305eeec00f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Filip=20=C5=9Al=C4=99zak?= <fslezak@teonite.com>
Date: Mon, 2 Mar 2026 15:04:35 +0100
Subject: [PATCH 12/15] add translations strings

---
 web/messages/en/migration_wizard.json         | 17 +++++++----
 .../MigrationWizardConfirmationStep.tsx       | 24 ++++++++--------
 .../MigrationWizardEdgeComponentStep.tsx      | 28 +++++++++----------
 web/src/shared/constants.ts                   |  1 +
 4 files changed, 40 insertions(+), 30 deletions(-)

diff --git a/web/messages/en/migration_wizard.json b/web/messages/en/migration_wizard.json
index d8ea95607..e030b1886 100644
--- a/web/messages/en/migration_wizard.json
+++ b/web/messages/en/migration_wizard.json
@@ -2,7 +2,6 @@
   "$schema": "https://inlang.com/schema/inlang-message-format",
   "migration_wizard_title": "Migration Wizard",
   "migration_wizard_subtitle": "This wizard will guide you through migration-related configuration of your Defguard instance.",
-
   "migration_wizard_step_general_config_label": "General Configuration",
   "migration_wizard_step_general_config_description": "Manage core details and connection parameters for your VPN location.",
   "migration_wizard_step_certificate_authority_label": "Certificate Authority",
@@ -12,10 +11,19 @@
   "migration_wizard_step_edge_component_label": "Edge Component",
   "migration_wizard_step_edge_component_description": "Set up your VPN proxy quickly and ensure secure, optimized traffic flow for your users.",
   "migration_wizard_step_edge_adoption_label": "Edge Component Adoption",
-  "migration_wizard_step_edge_adoption_description": "Review the system’s checks and see if any issues need attention before deployment.",
+  "migration_wizard_step_edge_adoption_description": "Review the system's checks and see if any issues need attention before deployment.",
   "migration_wizard_step_confirmation_label": "Confirmation",
-  "migration_wizard_step_confirmation_description": "Your configuration was successful. You’re all set.",
-
+  "migration_wizard_step_confirmation_description": "Your configuration was successful. You're all set.",
+  "migration_wizard_confirmation_title": "Initial system migration are complete.",
+  "migration_wizard_confirmation_subtitle": "You've completed the first stage of the migration. Defguard is almost ready to go.",
+  "migration_wizard_confirmation_locations_info": "You currently have X VPN locations configured. These locations must be upgraded.",
+  "migration_wizard_confirmation_architecture_change_info": "A key architectural change in Defguard 2.0 is that the Core now initiates connections to the gateways (in 1.x, gateways connected to the Core). As a result, in addition to upgrading the gateway components, you must update your firewall rules to:",
+  "migration_wizard_confirmation_rule_1": "Allow connections from the Core to the gateways on port 5055 tcp.",
+  "migration_wizard_confirmation_rule_2": "Block connections from the gateways to the Core.",
+  "migration_wizard_confirmation_security_notice_markdown": "**This change significantly improves the overall security of Defguard deployments**. You can [read more about it in the documentation]({link})",
+  "migration_wizard_confirmation_prepare_network_title": "Prepare your network",
+  "migration_wizard_confirmation_prepare_network_subtitle": "Please prepare all required network and firewall changes before starting the migration. Once ready, we'll begin adopting the upgraded gateway components for each VPN location.",
+  "migration_wizard_confirmation_checkbox_label": "I have changed all my gateways firewall rules and network setup",
   "migration_wizard_ca_validity_one_year": "1 year",
   "migration_wizard_ca_validity_years": "{years} years",
   "migration_wizard_general_config_error_invalid_url": "Invalid URL",
@@ -44,7 +52,6 @@
   "migration_wizard_ca_label_email": "Email",
   "migration_wizard_ca_placeholder_email": "email@example.com",
   "migration_wizard_ca_label_validity": "Validity Period",
-
   "migration_wizard_ca_generated_title": "Certificate Authority Generated",
   "migration_wizard_ca_generated_subtitle": "The system created all required certificate files, including the root certificate and private key. You can download these files and continue with the configuration.",
   "migration_wizard_ca_download_button": "Download CA certificate",
diff --git a/web/src/pages/MigrationWizardPage/steps/MigrationWizardConfirmationStep/MigrationWizardConfirmationStep.tsx b/web/src/pages/MigrationWizardPage/steps/MigrationWizardConfirmationStep/MigrationWizardConfirmationStep.tsx
index cb76447cd..c6a04cc99 100644
--- a/web/src/pages/MigrationWizardPage/steps/MigrationWizardConfirmationStep/MigrationWizardConfirmationStep.tsx
+++ b/web/src/pages/MigrationWizardPage/steps/MigrationWizardConfirmationStep/MigrationWizardConfirmationStep.tsx
@@ -2,6 +2,7 @@ import { useState } from 'react';
 import { m } from '../../../../paraglide/messages';
 import { Controls } from '../../../../shared/components/Controls/Controls';
 import { WizardCard } from '../../../../shared/components/wizard/WizardCard/WizardCard';
+import { externalLink } from '../../../../shared/constants';
 import { ActionableSection } from '../../../../shared/defguard-ui/components/ActionableSection/ActionableSection';
 import { AppText } from '../../../../shared/defguard-ui/components/AppText/AppText';
 import { Button } from '../../../../shared/defguard-ui/components/Button/Button';
@@ -23,38 +24,39 @@ export const MigrationWizardConfirmationStep = () => {
   return (
     <WizardCard>
       <AppText font={TextStyle.TTitleH4} color={ThemeVariable.FgSuccess}>
-        {`Initial system migration are complete.`}
+        {m.migration_wizard_confirmation_title()}
       </AppText>
       <SizedBox height={ThemeSpacing.Sm} />
       <AppText font={TextStyle.TBodyPrimary400} color={ThemeVariable.FgNeutral}>
-        {`You've completed the first stage of the migration. Defguard is almost ready to go.`}
+        {m.migration_wizard_confirmation_subtitle()}
       </AppText>
       <Divider spacing={ThemeSpacing.Xl2} />
       <AppText font={TextStyle.TBodyPrimary500} color={ThemeVariable.FgFaded}>
-        {`You currently have X VPN locations configured. These locations must be upgraded.`}
+        {m.migration_wizard_confirmation_locations_info()}
       </AppText>
       <SizedBox height={ThemeSpacing.Md} />
       <AppText font={TextStyle.TBodySm400} color={ThemeVariable.FgNeutral}>
-        {`A key architectural change in Defguard 2.0 is that the Core now initiates connections to the gateways (in 1.x, gateways connected to the Core). As a result, in addition to upgrading the gateway components, you must update your firewall rules to:`}
+        {m.migration_wizard_confirmation_architecture_change_info()}
       </AppText>
       <SizedBox height={ThemeSpacing.Lg} />
       <ul id="upgrade-guide-list">
-        <li>{`Allow connections from the Core to the gateways on port 5055 tcp.`}</li>
-        <li>{`Block connections from the gateways to the Core.`}</li>
+        <li>{m.migration_wizard_confirmation_rule_1()}</li>
+        <li>{m.migration_wizard_confirmation_rule_2()}</li>
       </ul>
       <Divider spacing={ThemeSpacing.Lg} />
       <RenderMarkdown
         containerProps={{
           id: 'confirm-improve-notice',
         }}
-        content={`**This change significantly improves the overall security of Defguard deployments**. 
-You can [read more about it in the documentation](https://docs.defguard.net)`}
+        content={m.migration_wizard_confirmation_security_notice_markdown({
+          link: externalLink.defguard.docs,
+        })}
       />
       <SizedBox height={ThemeSpacing.Xl2} />
       <ActionableSection
         imageSrc={prepareNetworkImage}
-        title={`Prepare your network`}
-        subtitle={`Please prepare all required network and firewall changes before starting the migration. Once ready, we’ll begin adopting the upgraded gateway components for each VPN location.`}
+        title={m.migration_wizard_confirmation_prepare_network_title()}
+        subtitle={m.migration_wizard_confirmation_prepare_network_subtitle()}
       />
       <SizedBox height={ThemeSpacing.Xl} />
       <Checkbox
@@ -62,7 +64,7 @@ You can [read more about it in the documentation](https://docs.defguard.net)`}
         onClick={() => {
           setConfirm((s) => !s);
         }}
-        text={`I have changed all my gateways firewall rules and network setup`}
+        text={m.migration_wizard_confirmation_checkbox_label()}
       />
       <Controls>
         <div className="right">
diff --git a/web/src/pages/MigrationWizardPage/steps/MigrationWizardEdgeComponentStep.tsx b/web/src/pages/MigrationWizardPage/steps/MigrationWizardEdgeComponentStep.tsx
index 38b68279f..0b98737cf 100644
--- a/web/src/pages/MigrationWizardPage/steps/MigrationWizardEdgeComponentStep.tsx
+++ b/web/src/pages/MigrationWizardPage/steps/MigrationWizardEdgeComponentStep.tsx
@@ -110,22 +110,22 @@ export const MigrationWizardEdgeComponentStep = () => {
               />
             )}
           </form.AppField>
+          <Controls>
+            <Button
+              variant="outlined"
+              text={m.controls_back()}
+              onClick={() => setActiveStep(MigrationWizardStep.CaSummary)}
+            />
+            <div className="right">
+              <Button
+                text={m.edge_setup_component_controls_submit()}
+                onClick={handleNext}
+                type="submit"
+              />
+            </div>
+          </Controls>
         </form.AppForm>
       </form>
-      <Controls>
-        <Button
-          variant="outlined"
-          text={m.controls_back()}
-          onClick={() => setActiveStep(MigrationWizardStep.CaSummary)}
-        />
-        <div className="right">
-          <Button
-            text={m.edge_setup_component_controls_submit()}
-            onClick={handleNext}
-            type="submit"
-          />
-        </div>
-      </Controls>
     </WizardCard>
   );
 };
diff --git a/web/src/shared/constants.ts b/web/src/shared/constants.ts
index 52b6d2e67..b22cdb0f0 100644
--- a/web/src/shared/constants.ts
+++ b/web/src/shared/constants.ts
@@ -2,6 +2,7 @@ import { OpenIdProviderKind, type OpenIdProviderKindValue } from './api/types';
 
 export const externalLink = {
   defguard: {
+    docs: 'https://docs.defguard.net',
     pricing: 'https://defguard.net/pricing',
     download: 'https://defguard.net/download',
   },

From 5a1b97abbf23af6a602915a56229926fdca99441 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Filip=20=C5=9Al=C4=99zak?= <fslezak@teonite.com>
Date: Mon, 2 Mar 2026 16:19:16 +0100
Subject: [PATCH 13/15] remove wizard_needed flag

---
 crates/defguard_core/src/db/models/wizard_flags.rs        | 5 -----
 migrations/20260225142454_[2.0.0]_migration_wizard.up.sql | 1 -
 2 files changed, 6 deletions(-)

diff --git a/crates/defguard_core/src/db/models/wizard_flags.rs b/crates/defguard_core/src/db/models/wizard_flags.rs
index 2832c992c..1e2cd50d9 100644
--- a/crates/defguard_core/src/db/models/wizard_flags.rs
+++ b/crates/defguard_core/src/db/models/wizard_flags.rs
@@ -3,7 +3,6 @@ use sqlx::{PgExecutor, prelude::FromRow};
 
 #[derive(Debug, Serialize, Deserialize, FromRow)]
 pub struct WizardFlags {
-    pub migration_wizard_needed: bool,
     pub migration_wizard_in_progress: bool,
     pub migration_wizard_completed: bool,
     pub initial_wizard_completed: bool,
@@ -18,14 +17,12 @@ impl WizardFlags {
         sqlx::query(
             "UPDATE wizard
              SET
-                migration_wizard_needed = $1,
                      migration_wizard_in_progress = $2,
                      migration_wizard_completed = $3,
                      initial_wizard_in_progress = $4,
                      initial_wizard_completed = $5
              WHERE is_singleton = TRUE",
         )
-        .bind(self.migration_wizard_needed)
         .bind(self.migration_wizard_in_progress)
         .bind(self.migration_wizard_completed)
         .bind(self.initial_wizard_in_progress)
@@ -43,7 +40,6 @@ impl WizardFlags {
         sqlx::query_as!(
             Self,
             "SELECT
-                migration_wizard_needed,
                 migration_wizard_in_progress,
                 migration_wizard_completed,
                 initial_wizard_in_progress,
@@ -89,7 +85,6 @@ impl WizardFlags {
             .await?;
 
             return Ok(Self {
-                migration_wizard_needed: false,
                 migration_wizard_in_progress: is_migration_needed,
                 migration_wizard_completed: false,
                 initial_wizard_in_progress: is_fresh_instance,
diff --git a/migrations/20260225142454_[2.0.0]_migration_wizard.up.sql b/migrations/20260225142454_[2.0.0]_migration_wizard.up.sql
index ea2af6ad2..1d53dafae 100644
--- a/migrations/20260225142454_[2.0.0]_migration_wizard.up.sql
+++ b/migrations/20260225142454_[2.0.0]_migration_wizard.up.sql
@@ -1,5 +1,4 @@
 CREATE TABLE wizard (
-    migration_wizard_needed BOOLEAN NOT NULL DEFAULT FALSE,
     migration_wizard_state JSONB DEFAULT NULL,
     migration_wizard_completed BOOLEAN NOT NULL DEFAULT FALSE,
     migration_wizard_in_progress BOOLEAN NOT NULL DEFAULT FALSE,

From 7cc2ce2b5b4802def679ee32551bd1023369cd90 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jchmielewski@teonite.com>
Date: Mon, 2 Mar 2026 16:27:13 +0100
Subject: [PATCH 14/15] Migration config to db, part 1 (#2156)

---
 crates/defguard/src/main.rs                   |  24 +-
 crates/defguard_common/src/config.rs          | 198 +++++++---------
 .../defguard_common/src/db/models/settings.rs | 217 +++++++++++++++++-
 crates/defguard_core/src/appstate.rs          |  12 +-
 .../src/enterprise/handlers/openid_login.rs   |   2 +-
 crates/defguard_core/src/handlers/auth.rs     |   2 +-
 .../src/handlers/network_devices.rs           |   7 +-
 crates/defguard_core/src/handlers/user.rs     |  15 +-
 crates/defguard_core/src/lib.rs               |   9 +-
 .../tests/integration/api/common/mod.rs       |  11 +-
 crates/defguard_proxy_manager/src/handler.rs  |  26 +--
 crates/defguard_proxy_manager/src/lib.rs      |   6 +
 .../src/servers/enrollment.rs                 |   8 +-
 .../src/servers/password_reset.rs             |  16 +-
 crates/defguard_setup/src/migration.rs        |  10 +-
 ...0227091211_[2.0.0]_settings_in_db.down.sql |  13 ++
 ...260227091211_[2.0.0]_settings_in_db.up.sql |  13 ++
 17 files changed, 418 insertions(+), 171 deletions(-)
 create mode 100644 migrations/20260227091211_[2.0.0]_settings_in_db.down.sql
 create mode 100644 migrations/20260227091211_[2.0.0]_settings_in_db.up.sql

diff --git a/crates/defguard/src/main.rs b/crates/defguard/src/main.rs
index c602ea242..270db7d1f 100644
--- a/crates/defguard/src/main.rs
+++ b/crates/defguard/src/main.rs
@@ -101,6 +101,8 @@ async fn main() -> Result<(), anyhow::Error> {
     Settings::init_defaults(&pool).await?;
     // initialize global settings struct
     initialize_current_settings(&pool).await?;
+    Settings::ensure_secret_key(&pool, &config).await?;
+    let mut settings = Settings::get_current_settings();
 
     if wizard_flags.initial_wizard_in_progress && !wizard_flags.initial_wizard_completed {
         if let Err(err) =
@@ -108,6 +110,7 @@ async fn main() -> Result<(), anyhow::Error> {
         {
             anyhow::bail!("Setup web server exited with error: {err}");
         }
+        settings = Settings::get_current_settings();
     } else if wizard_flags.migration_wizard_in_progress && !wizard_flags.migration_wizard_completed
     {
         config.initialize_post_settings();
@@ -122,6 +125,13 @@ async fn main() -> Result<(), anyhow::Error> {
         {
             anyhow::bail!("Migration web server exited with error: {err}");
         }
+        settings = Settings::get_current_settings();
+    }
+
+    if wizard_flags.migration_wizard_needed {
+        info!("Migration from 1.6: copying configuration options to DB");
+        settings.update_from_config(&pool, &config).await?;
+        info!("Migration from 1.6: copied configuration options to DB");
     }
 
     if ini_server_config {
@@ -153,7 +163,11 @@ async fn main() -> Result<(), anyhow::Error> {
 
     let incompatible_components: Arc<RwLock<IncompatibleComponents>> = Arc::default();
 
-    // read grpc TLS cert and key
+    if settings.ca_cert_der.is_none() || settings.ca_key_der.is_none() {
+        anyhow::bail!("CA certificate or key were not found in settings, despite completing setup.")
+    }
+
+    // read grpc TLS cert and key from legacy config values
     let grpc_cert = config
         .grpc_cert
         .as_ref()
@@ -184,11 +198,13 @@ async fn main() -> Result<(), anyhow::Error> {
     }
 
     let (proxy_control_tx, proxy_control_rx) = channel::<ProxyControlMessage>(100);
+    let proxy_secret_key = settings.secret_key_required()?.to_string();
     let proxy_manager = ProxyManager::new(
         pool.clone(),
         ProxyTxSet::new(gateway_tx.clone(), bidi_event_tx.clone()),
         Arc::clone(&incompatible_components),
         proxy_control_rx,
+        proxy_secret_key,
     );
 
     let mut gateway_manager = GatewayManager::new(
@@ -220,9 +236,9 @@ async fn main() -> Result<(), anyhow::Error> {
         ) => error!("Web server returned early: {res:?}"),
         res = run_periodic_stats_purge(
             pool.clone(),
-            config.stats_purge_frequency.into(),
-            config.stats_purge_threshold.into()
-        ), if !config.disable_stats_purge =>
+            settings.stats_purge_frequency(),
+            settings.stats_purge_threshold()
+        ), if !settings.disable_stats_purge =>
             error!("Periodic stats purge task returned early: {res:?}"),
         res = run_periodic_license_check(&pool) =>
             error!("Periodic license check task returned early: {res:?}"),
diff --git a/crates/defguard_common/src/config.rs b/crates/defguard_common/src/config.rs
index 6db70311a..b05f859d5 100644
--- a/crates/defguard_common/src/config.rs
+++ b/crates/defguard_common/src/config.rs
@@ -1,4 +1,4 @@
-use std::{fs::read_to_string, io, net::IpAddr, sync::OnceLock};
+use std::{net::IpAddr, sync::OnceLock};
 
 use clap::{Args, Parser, Subcommand};
 use humantime::Duration;
@@ -13,7 +13,6 @@ use rsa::{
 };
 use secrecy::{ExposeSecret, SecretString};
 use serde::Serialize;
-use tonic::transport::{Certificate, ClientTlsConfig, Identity};
 
 use crate::db::models::Settings;
 
@@ -38,13 +37,15 @@ pub struct DefGuardConfig {
     #[arg(long, env = "DEFGUARD_LOG_FILE")]
     pub log_file: Option<String>,
 
-    #[arg(long, env = "DEFGUARD_AUTH_COOKIE_TIMEOUT", default_value = "7d")]
+    #[arg(long, env = "DEFGUARD_AUTH_COOKIE_TIMEOUT")]
     #[serde(skip_serializing)]
-    pub auth_cookie_timeout: Duration,
+    #[deprecated(since = "2.0.0", note = "Use Settings.auth_cookie_timeout instead")]
+    pub auth_cookie_timeout: Option<Duration>,
 
     #[arg(long, env = "DEFGUARD_SECRET_KEY")]
     #[serde(skip_serializing)]
-    pub secret_key: SecretString,
+    #[deprecated(since = "2.0.0", note = "Use Settings.secret_key instead")]
+    pub secret_key: Option<SecretString>,
 
     #[arg(long, env = "DEFGUARD_DB_HOST", default_value = "localhost")]
     pub database_host: String,
@@ -68,9 +69,8 @@ pub struct DefGuardConfig {
     #[arg(long, env = "DEFGUARD_GRPC_PORT", default_value_t = 50055)]
     pub grpc_port: u16,
 
-    // Certificate authority (CA), certificate, and key for gRPC communication over HTTPS.
-    #[arg(long, env = "DEFGUARD_GRPC_CA")]
-    pub grpc_ca: Option<String>,
+    // Certificate and key for gRPC communication over HTTPS.
+    // Kept in runtime config for backwards compatibility - workers still use this.
     #[arg(long, env = "DEFGUARD_GRPC_CERT")]
     pub grpc_cert: Option<String>,
     #[arg(long, env = "DEFGUARD_GRPC_KEY")]
@@ -92,69 +92,81 @@ pub struct DefGuardConfig {
 
     // relying party id and relying party origin for WebAuthn
     #[arg(long, env = "DEFGUARD_WEBAUTHN_RP_ID")]
+    #[deprecated(since = "2.0.0", note = "Use Settings.webauthn_rp_id instead")]
     pub webauthn_rp_id: Option<String>,
     #[arg(long, env = "DEFGUARD_URL", value_parser = Url::parse, default_value = "http://localhost:8000")]
     #[deprecated(since = "2.0.0", note = "Use Settings.defguard_url instead")]
     pub url: Url,
 
-    #[arg(long, env = "DEFGUARD_GRPC_URL", value_parser = Url::parse, default_value = "http://localhost:50055")]
-    pub grpc_url: Url,
+    #[arg(long, env = "DEFGUARD_GRPC_URL", value_parser = Url::parse)]
+    #[deprecated(since = "2.0.0", note = "Use Settings.grpc_url instead")]
+    pub grpc_url: Option<Url>,
 
     #[arg(long, env = "DEFGUARD_DISABLE_STATS_PURGE")]
-    pub disable_stats_purge: bool,
+    #[deprecated(since = "2.0.0", note = "Use Settings.disable_stats_purge instead")]
+    pub disable_stats_purge: Option<bool>,
 
-    #[arg(long, env = "DEFGUARD_STATS_PURGE_FREQUENCY", default_value = "24h")]
+    #[arg(long, env = "DEFGUARD_STATS_PURGE_FREQUENCY")]
     #[serde(skip_serializing)]
-    pub stats_purge_frequency: Duration,
+    #[deprecated(since = "2.0.0", note = "Use Settings.stats_purge_frequency instead")]
+    pub stats_purge_frequency: Option<Duration>,
 
-    #[arg(long, env = "DEFGUARD_STATS_PURGE_THRESHOLD", default_value = "30d")]
+    #[arg(long, env = "DEFGUARD_STATS_PURGE_THRESHOLD")]
     #[serde(skip_serializing)]
-    pub stats_purge_threshold: Duration,
+    #[deprecated(since = "2.0.0", note = "Use Settings.stats_purge_threshold instead")]
+    pub stats_purge_threshold: Option<Duration>,
 
-    #[arg(long, env = "DEFGUARD_ENROLLMENT_URL", value_parser = Url::parse, default_value = "http://localhost:8080")]
+    #[arg(long, env = "DEFGUARD_ENROLLMENT_URL", value_parser = Url::parse)]
     #[deprecated(since = "2.0.0", note = "Use Settings.public_proxy_url instead")]
-    pub enrollment_url: Url,
+    pub enrollment_url: Option<Url>,
 
-    #[arg(long, env = "DEFGUARD_ENROLLMENT_TOKEN_TIMEOUT", default_value = "24h")]
+    #[arg(long, env = "DEFGUARD_ENROLLMENT_TOKEN_TIMEOUT")]
     #[serde(skip_serializing)]
-    pub enrollment_token_timeout: Duration,
+    #[deprecated(
+        since = "2.0.0",
+        note = "Use Settings.enrollment_token_timeout instead"
+    )]
+    pub enrollment_token_timeout: Option<Duration>,
 
-    #[arg(long, env = "DEFGUARD_MFA_CODE_TIMEOUT", default_value = "60s")]
+    #[arg(long, env = "DEFGUARD_MFA_CODE_TIMEOUT")]
     #[serde(skip_serializing)]
     #[deprecated(
         since = "2.0.0",
-        note = "Use Settings.default_mfa_code_lifetime instead"
+        note = "Use Settings.mfa_code_timeout_seconds instead"
     )]
-    pub mfa_code_timeout: Duration,
+    pub mfa_code_timeout: Option<Duration>,
 
-    #[arg(long, env = "DEFGUARD_SESSION_TIMEOUT", default_value = "7d")]
+    #[arg(long, env = "DEFGUARD_SESSION_TIMEOUT")]
     #[serde(skip_serializing)]
-    #[deprecated(since = "2.0.0", note = "Use Settings.default_authentication instead")]
-    pub session_timeout: Duration,
-
-    #[arg(
-        long,
-        env = "DEFGUARD_PASSWORD_RESET_TOKEN_TIMEOUT",
-        default_value = "24h"
+    #[deprecated(
+        since = "2.0.0",
+        note = "Use Settings.authentication_period_days instead"
     )]
-    #[serde(skip_serializing)]
-    pub password_reset_token_timeout: Duration,
+    pub session_timeout: Option<Duration>,
 
-    #[arg(
-        long,
-        env = "DEFGUARD_ENROLLMENT_SESSION_TIMEOUT",
-        default_value = "10m"
-    )]
+    #[arg(long, env = "DEFGUARD_PASSWORD_RESET_TOKEN_TIMEOUT")]
     #[serde(skip_serializing)]
-    pub enrollment_session_timeout: Duration,
+    #[deprecated(
+        since = "2.0.0",
+        note = "Use Settings.password_reset_token_timeout instead"
+    )]
+    pub password_reset_token_timeout: Option<Duration>,
 
-    #[arg(
-        long,
-        env = "DEFGUARD_PASSWORD_RESET_SESSION_TIMEOUT",
-        default_value = "10m"
+    #[arg(long, env = "DEFGUARD_ENROLLMENT_SESSION_TIMEOUT")]
+    #[serde(skip_serializing)]
+    #[deprecated(
+        since = "2.0.0",
+        note = "Use Settings.enrollment_session_timeout instead"
     )]
+    pub enrollment_session_timeout: Option<Duration>,
+
+    #[arg(long, env = "DEFGUARD_PASSWORD_RESET_SESSION_TIMEOUT")]
     #[serde(skip_serializing)]
-    pub password_reset_session_timeout: Duration,
+    #[deprecated(
+        since = "2.0.0",
+        note = "Use Settings.password_reset_session_timeout instead"
+    )]
+    pub password_reset_session_timeout: Option<Duration>,
 
     #[arg(long, env = "DEFGUARD_COOKIE_DOMAIN")]
     pub cookie_domain: Option<String>,
@@ -162,10 +174,6 @@ pub struct DefGuardConfig {
     #[arg(long, env = "DEFGUARD_COOKIE_INSECURE")]
     pub cookie_insecure: bool,
 
-    // path to certificate `.pem` file used if connecting to proxy over HTTPS
-    #[arg(long, env = "DEFGUARD_PROXY_GRPC_CA")]
-    pub proxy_grpc_ca: Option<String>,
-
     #[command(subcommand)]
     #[serde(skip_serializing)]
     pub cmd: Option<Command>,
@@ -227,7 +235,11 @@ impl DefGuardConfig {
     #[must_use]
     pub fn new() -> Self {
         let config = Self::parse();
-        config.validate_secret_key();
+        #[allow(deprecated)]
+        if let Some(secret_key) = &config.secret_key {
+            Settings::validate_secret_key(secret_key.expose_secret())
+                .expect("Invalid DEFGUARD_SECRET_KEY");
+        }
         config
     }
 
@@ -240,19 +252,20 @@ impl DefGuardConfig {
     /// Initialize values that depend on Settings.
     pub fn initialize_post_settings(&mut self) {
         let url = Settings::url().expect("Unable to parse Defguard URL.");
-        self.initialize_rp_id(&url);
+        // TODO(jck)
+        // self.initialize_rp_id(&url);
         self.initialize_cookie_domain(&url);
     }
 
-    fn initialize_rp_id(&mut self, url: &Url) {
-        if self.webauthn_rp_id.is_none() {
-            self.webauthn_rp_id = Some(
-                url.domain()
-                    .expect("Unable to get domain for server URL.")
-                    .to_string(),
-            );
-        }
-    }
+    // fn initialize_rp_id(&mut self, url: &Url) {
+    //     if self.webauthn_rp_id.is_none() {
+    //         self.webauthn_rp_id = Some(
+    //             url.domain()
+    //                 .expect("Unable to get domain for server URL.")
+    //                 .to_string(),
+    //         );
+    //     }
+    // }
 
     fn initialize_cookie_domain(&mut self, url: &Url) {
         if self.cookie_domain.is_none() {
@@ -264,20 +277,6 @@ impl DefGuardConfig {
         }
     }
 
-    fn validate_secret_key(&self) {
-        let secret_key = self.secret_key.expose_secret();
-        assert!(
-            secret_key.trim().len() == secret_key.len(),
-            "SECRET_KEY cannot have leading and trailing space",
-        );
-
-        assert!(
-            secret_key.len() >= 64,
-            "SECRET_KEY must be at least 64 characters long, provided value has {} characters",
-            secret_key.len()
-        );
-    }
-
     /// Try PKCS#1 and PKCS#8 PEM formats.
     fn parse_openid_key(path: &str) -> Result<RsaPrivateKey, rsa::pkcs8::Error> {
         if let Ok(key) = RsaPrivateKey::read_pkcs1_pem_file(path) {
@@ -297,25 +296,6 @@ impl DefGuardConfig {
             None
         }
     }
-
-    /// Provide [`ClientTlsConfig`] from paths to cerfiticate, key, and cerfiticate authority (CA).
-    pub fn grpc_client_tls_config(&self) -> Result<Option<ClientTlsConfig>, io::Error> {
-        if self.grpc_ca.is_none() && (self.grpc_cert.is_none() || self.grpc_key.is_none()) {
-            return Ok(None);
-        }
-        let mut tls = ClientTlsConfig::new();
-        if let (Some(cert_path), Some(key_path)) = (&self.grpc_cert, &self.grpc_key) {
-            let cert = read_to_string(cert_path)?;
-            let key = read_to_string(key_path)?;
-            tls = tls.identity(Identity::from_pem(cert, key));
-        }
-        if let Some(ca_path) = &self.grpc_ca {
-            let ca = read_to_string(ca_path)?;
-            tls = tls.ca_certificate(Certificate::from_pem(ca));
-        }
-
-        Ok(Some(tls))
-    }
 }
 
 impl Default for DefGuardConfig {
@@ -336,29 +316,29 @@ mod tests {
         DefGuardConfig::command().debug_assert();
     }
 
-    #[test]
-    fn test_generate_rp_id() {
-        unsafe {
-            env::remove_var("DEFGUARD_WEBAUTHN_RP_ID");
-        }
+    // #[test]
+    // fn test_generate_rp_id() {
+    //     unsafe {
+    //         env::remove_var("DEFGUARD_WEBAUTHN_RP_ID");
+    //     }
 
-        let url = Url::parse("https://defguard.example.com").unwrap();
-        let mut config = DefGuardConfig::new();
-        config.initialize_rp_id(&url);
+    //     let url = Url::parse("https://defguard.example.com").unwrap();
+    //     let mut config = DefGuardConfig::new();
+    //     config.initialize_rp_id(&url);
 
-        assert_eq!(
-            config.webauthn_rp_id,
-            Some("defguard.example.com".to_string())
-        );
+    //     assert_eq!(
+    //         config.webauthn_rp_id,
+    //         Some("defguard.example.com".to_string())
+    //     );
 
-        unsafe {
-            env::set_var("DEFGUARD_WEBAUTHN_RP_ID", "example.com");
-        }
+    //     unsafe {
+    //         env::set_var("DEFGUARD_WEBAUTHN_RP_ID", "example.com");
+    //     }
 
-        let config = DefGuardConfig::new();
+    //     let config = DefGuardConfig::new();
 
-        assert_eq!(config.webauthn_rp_id, Some("example.com".to_string()));
-    }
+    //     assert_eq!(config.webauthn_rp_id, Some("example.com".to_string()));
+    // }
 
     #[test]
     fn test_generate_cookie_domain() {
diff --git a/crates/defguard_common/src/db/models/settings.rs b/crates/defguard_common/src/db/models/settings.rs
index 8daaf158a..616cef6c3 100644
--- a/crates/defguard_common/src/db/models/settings.rs
+++ b/crates/defguard_common/src/db/models/settings.rs
@@ -1,6 +1,8 @@
 use std::{collections::HashMap, fmt, time::Duration};
 
 use chrono::NaiveDateTime;
+use rand::{RngCore, rngs::OsRng};
+use secrecy::ExposeSecret;
 use serde::{Deserialize, Serialize};
 use sqlx::{PgExecutor, PgPool, Type, query, query_as};
 use struct_patch::Patch;
@@ -10,7 +12,7 @@ use url::Url;
 use utoipa::ToSchema;
 use uuid::Uuid;
 
-use crate::{db::Id, global_value, secret::SecretStringWrapper};
+use crate::{config::DefGuardConfig, db::Id, global_value, secret::SecretStringWrapper};
 
 global_value!(SETTINGS, Option<Settings>, None, set_settings, get_settings);
 
@@ -46,6 +48,14 @@ pub enum SettingsValidationError {
     CannotEnableGatewayNotifications,
 }
 
+#[derive(Error, Debug)]
+pub enum SettingsRequiredValueError {
+    #[error("Missing required setting: {0}")]
+    Missing(&'static str),
+    #[error("Invalid required setting `{0}`: {1}")]
+    Invalid(&'static str, &'static str),
+}
+
 #[derive(Clone, Deserialize, Serialize, PartialEq, Eq, Type, Debug, Default)]
 #[sqlx(type_name = "smtp_encryption", rename_all = "lowercase")]
 pub enum SmtpEncryption {
@@ -175,6 +185,18 @@ pub struct Settings {
     pub public_proxy_url: String,
     pub initial_setup_step: InitialSetupStep,
     pub default_admin_id: Option<Id>,
+    // 1.6 config options
+    pub secret_key: Option<String>,
+    pub webauthn_rp_id: Option<String>,
+    pub grpc_url: String,
+    pub disable_stats_purge: bool,
+    auth_cookie_timeout_days: i32,
+    stats_purge_frequency_hours: i32,
+    stats_purge_threshold_days: i32,
+    enrollment_token_timeout_hours: i32,
+    password_reset_token_timeout_hours: i32,
+    enrollment_session_timeout_minutes: i32,
+    password_reset_session_timeout_minutes: i32,
 }
 
 // Implement manually to avoid exposing the license key.
@@ -269,6 +291,63 @@ impl fmt::Debug for Settings {
 }
 
 impl Settings {
+    pub(crate) fn validate_secret_key(secret_key: &str) -> Result<(), SettingsRequiredValueError> {
+        if secret_key.trim().len() != secret_key.len() {
+            return Err(SettingsRequiredValueError::Invalid(
+                "secret_key",
+                "cannot have leading or trailing whitespace",
+            ));
+        }
+
+        if secret_key.len() < 64 {
+            return Err(SettingsRequiredValueError::Invalid(
+                "secret_key",
+                "must be at least 64 characters long",
+            ));
+        }
+
+        Ok(())
+    }
+
+    fn generate_secret_key() -> String {
+        let mut bytes = [0_u8; 32];
+        OsRng.fill_bytes(&mut bytes);
+        let mut secret_key = String::with_capacity(64);
+        for byte in bytes {
+            use std::fmt::Write as _;
+            let _ = write!(secret_key, "{byte:02x}");
+        }
+        secret_key
+    }
+
+    pub async fn ensure_secret_key(
+        pool: &PgPool,
+        config: &DefGuardConfig,
+    ) -> Result<(), anyhow::Error> {
+        let mut settings = Settings::get_current_settings();
+
+        #[allow(deprecated)]
+        if let Some(secret_key) = &config.secret_key {
+            let secret_key = secret_key.expose_secret();
+            Settings::validate_secret_key(secret_key)?;
+            if settings.secret_key.as_deref() != Some(secret_key) {
+                settings.secret_key = Some(secret_key.to_string());
+                update_current_settings(pool, settings).await?;
+            }
+            return Ok(());
+        }
+
+        if let Some(secret_key) = settings.secret_key.as_deref() {
+            Settings::validate_secret_key(secret_key)?;
+            return Ok(());
+        }
+
+        settings.secret_key = Some(Settings::generate_secret_key());
+        update_current_settings(pool, settings).await?;
+
+        Ok(())
+    }
+
     pub async fn get<'e, E>(executor: E) -> Result<Option<Self>, sqlx::Error>
     where
         E: PgExecutor<'e>,
@@ -297,7 +376,10 @@ impl Settings {
             ca_key_der, ca_cert_der, ca_expiry, initial_setup_completed, defguard_url, \
             default_admin_group_name, authentication_period_days, mfa_code_timeout_seconds, \
             public_proxy_url, initial_setup_step \"initial_setup_step: InitialSetupStep\", \
-            default_admin_id \
+            default_admin_id, auth_cookie_timeout_days, secret_key, webauthn_rp_id, grpc_url, disable_stats_purge, \
+            stats_purge_frequency_hours, stats_purge_threshold_days, \
+            enrollment_token_timeout_hours, password_reset_token_timeout_hours, \
+            enrollment_session_timeout_minutes, password_reset_session_timeout_minutes \
             FROM \"settings\" WHERE id = 1",
         )
         .fetch_optional(executor)
@@ -385,7 +467,18 @@ impl Settings {
             mfa_code_timeout_seconds = $56, \
             public_proxy_url = $57, \
             initial_setup_step = $58, \
-            default_admin_id = $59 \
+            default_admin_id = $59, \
+            auth_cookie_timeout_days = $60, \
+            secret_key = $61, \
+            webauthn_rp_id = $62, \
+            grpc_url = $63, \
+            disable_stats_purge = $64, \
+            stats_purge_frequency_hours = $65, \
+            stats_purge_threshold_days = $66, \
+            enrollment_token_timeout_hours = $67, \
+            password_reset_token_timeout_hours = $68, \
+            enrollment_session_timeout_minutes = $69, \
+            password_reset_session_timeout_minutes = $70 \
             WHERE id = 1",
             self.openid_enabled,
             self.wireguard_enabled,
@@ -446,6 +539,17 @@ impl Settings {
             self.public_proxy_url,
             &self.initial_setup_step as &InitialSetupStep,
             self.default_admin_id,
+            self.auth_cookie_timeout_days,
+            self.secret_key,
+            self.webauthn_rp_id,
+            self.grpc_url,
+            self.disable_stats_purge,
+            self.stats_purge_frequency_hours,
+            self.stats_purge_threshold_days,
+            self.enrollment_token_timeout_hours,
+            self.password_reset_token_timeout_hours,
+            self.enrollment_session_timeout_minutes,
+            self.password_reset_session_timeout_minutes,
         )
         .execute(executor)
         .await?;
@@ -526,9 +630,116 @@ impl Settings {
         Duration::from_secs(self.authentication_period_days as u64 * 24 * 3600)
     }
 
+    #[must_use]
+    pub fn auth_cookie_timeout(&self) -> Duration {
+        Duration::from_secs(self.auth_cookie_timeout_days as u64 * 24 * 3600)
+    }
+
+    #[must_use]
+    pub fn stats_purge_frequency(&self) -> Duration {
+        Duration::from_secs(self.stats_purge_frequency_hours as u64 * 3600)
+    }
+
+    #[must_use]
+    pub fn stats_purge_threshold(&self) -> Duration {
+        Duration::from_secs(self.stats_purge_threshold_days as u64 * 24 * 3600)
+    }
+
+    #[must_use]
+    pub fn enrollment_token_timeout(&self) -> Duration {
+        Duration::from_secs(self.enrollment_token_timeout_hours as u64 * 3600)
+    }
+
+    #[must_use]
+    pub fn password_reset_token_timeout(&self) -> Duration {
+        Duration::from_secs(self.password_reset_token_timeout_hours as u64 * 3600)
+    }
+
+    #[must_use]
+    pub fn enrollment_session_timeout(&self) -> Duration {
+        Duration::from_secs(self.enrollment_session_timeout_minutes as u64 * 60)
+    }
+
+    #[must_use]
+    pub fn password_reset_session_timeout(&self) -> Duration {
+        Duration::from_secs(self.password_reset_session_timeout_minutes as u64 * 60)
+    }
+
+    pub fn secret_key_required(&self) -> Result<&str, SettingsRequiredValueError> {
+        let secret_key = self
+            .secret_key
+            .as_deref()
+            .ok_or(SettingsRequiredValueError::Missing("secret_key"))?;
+
+        Settings::validate_secret_key(secret_key)?;
+
+        Ok(secret_key)
+    }
+
     pub fn proxy_public_url(&self) -> Result<Url, url::ParseError> {
         Url::parse(&self.public_proxy_url)
     }
+
+    #[allow(deprecated)]
+    pub async fn update_from_config<'e, E>(
+        &mut self,
+        executor: E,
+        config: &DefGuardConfig,
+    ) -> Result<(), sqlx::Error>
+    where
+        E: PgExecutor<'e>,
+    {
+        let minute = 60;
+        let hour = minute * 60;
+        let day = hour * 24;
+        if let Some(auth_cookie_timeout) = config.auth_cookie_timeout {
+            self.auth_cookie_timeout_days = (auth_cookie_timeout.as_secs() / day) as i32;
+        }
+        if let Some(secret_key) = &config.secret_key {
+            self.secret_key = Some(secret_key.expose_secret().to_string());
+        }
+        if let Some(webauthn_rp_id) = &config.webauthn_rp_id {
+            self.webauthn_rp_id = Some(webauthn_rp_id.clone());
+        }
+        if let Some(grpc_url) = &config.grpc_url {
+            self.grpc_url = grpc_url.to_string();
+        }
+        if let Some(enrollment_url) = &config.enrollment_url {
+            self.public_proxy_url = enrollment_url.to_string();
+        }
+        if let Some(mfa_code_timeout) = config.mfa_code_timeout {
+            self.mfa_code_timeout_seconds = mfa_code_timeout.as_secs() as i32;
+        }
+        if let Some(session_timeout) = config.session_timeout {
+            self.authentication_period_days = (session_timeout.as_secs() / day) as i32;
+        }
+        if let Some(disable_stats_purge) = config.disable_stats_purge {
+            self.disable_stats_purge = disable_stats_purge;
+        }
+        if let Some(stats_purge_frequency) = config.stats_purge_frequency {
+            self.stats_purge_frequency_hours = (stats_purge_frequency.as_secs() / hour) as i32;
+        }
+        if let Some(stats_purge_threshold) = config.stats_purge_threshold {
+            self.stats_purge_threshold_days = (stats_purge_threshold.as_secs() / day) as i32;
+        }
+        if let Some(enrollment_token_timeout) = config.enrollment_token_timeout {
+            self.enrollment_token_timeout_hours =
+                (enrollment_token_timeout.as_secs() / hour) as i32;
+        }
+        if let Some(password_reset_token_timeout) = config.password_reset_token_timeout {
+            self.password_reset_token_timeout_hours =
+                (password_reset_token_timeout.as_secs() / hour) as i32;
+        }
+        if let Some(enrollment_session_timeout) = config.enrollment_session_timeout {
+            self.enrollment_session_timeout_minutes =
+                (enrollment_session_timeout.as_secs() / minute) as i32;
+        }
+        if let Some(password_reset_session_timeout) = config.password_reset_session_timeout {
+            self.password_reset_session_timeout_minutes =
+                (password_reset_session_timeout.as_secs() / minute) as i32;
+        }
+        update_current_settings(executor, self.clone()).await
+    }
 }
 
 #[derive(Serialize)]
diff --git a/crates/defguard_core/src/appstate.rs b/crates/defguard_core/src/appstate.rs
index 2db868f0a..6e06111b7 100644
--- a/crates/defguard_core/src/appstate.rs
+++ b/crates/defguard_core/src/appstate.rs
@@ -2,11 +2,8 @@ use std::sync::{Arc, Mutex, RwLock};
 
 use axum::extract::FromRef;
 use axum_extra::extract::cookie::Key;
-use defguard_common::{
-    config::server_config, db::models::Settings, types::proxy::ProxyControlMessage,
-};
+use defguard_common::{db::models::Settings, types::proxy::ProxyControlMessage};
 use reqwest::Client;
-use secrecy::ExposeSecret;
 use serde_json::json;
 use sqlx::PgPool;
 use tokio::{
@@ -113,6 +110,7 @@ impl AppState {
         tx: UnboundedSender<AppEvent>,
         rx: UnboundedReceiver<AppEvent>,
         wireguard_tx: Sender<GatewayEvent>,
+        key: Key,
         failed_logins: Arc<Mutex<FailedLoginMap>>,
         event_tx: UnboundedSender<ApiEvent>,
         incompatible_components: Arc<RwLock<IncompatibleComponents>>,
@@ -120,10 +118,10 @@ impl AppState {
     ) -> Self {
         spawn(Self::handle_triggers(pool.clone(), rx));
 
-        let config = server_config();
         let url = Settings::url().expect("Invalid Defguard URL configuration");
+        let settings = Settings::get_current_settings();
         let webauthn_builder = WebauthnBuilder::new(
-            config
+            settings
                 .webauthn_rp_id
                 .as_ref()
                 .expect("Webauth RP ID configuration is required"),
@@ -136,8 +134,6 @@ impl AppState {
                 .expect("Invalid WebAuthn configuration"),
         );
 
-        let key = Key::from(config.secret_key.expose_secret().as_bytes());
-
         Self {
             pool,
             tx,
diff --git a/crates/defguard_core/src/enterprise/handlers/openid_login.rs b/crates/defguard_core/src/enterprise/handlers/openid_login.rs
index 29569b1c1..8217caa29 100644
--- a/crates/defguard_core/src/enterprise/handlers/openid_login.rs
+++ b/crates/defguard_core/src/enterprise/handlers/openid_login.rs
@@ -605,7 +605,7 @@ pub async fn auth_callback(
     let (session, user_info, mfa_info) =
         create_session(&appstate.pool, insecure_ip, user_agent.as_str(), &mut user).await?;
 
-    let max_age = Duration::seconds(config.auth_cookie_timeout.as_secs() as i64);
+    let max_age = Duration::seconds(settings.auth_cookie_timeout().as_secs() as i64);
     let cookie_domain = config
         .cookie_domain
         .as_ref()
diff --git a/crates/defguard_core/src/handlers/auth.rs b/crates/defguard_core/src/handlers/auth.rs
index b0bb095fa..1481d9e42 100644
--- a/crates/defguard_core/src/handlers/auth.rs
+++ b/crates/defguard_core/src/handlers/auth.rs
@@ -237,7 +237,7 @@ pub async fn authenticate(
     let (session, user_info, mfa_info) =
         create_session(&appstate.pool, insecure_ip, user_agent.as_str(), &mut user).await?;
 
-    let max_age = Duration::seconds(server_config().auth_cookie_timeout.as_secs() as i64);
+    let max_age = Duration::seconds(settings.auth_cookie_timeout().as_secs() as i64);
     let config = server_config();
     let cookie_domain = config
         .cookie_domain
diff --git a/crates/defguard_core/src/handlers/network_devices.rs b/crates/defguard_core/src/handlers/network_devices.rs
index 10a3fa94e..8e2c78ee4 100644
--- a/crates/defguard_core/src/handlers/network_devices.rs
+++ b/crates/defguard_core/src/handlers/network_devices.rs
@@ -32,7 +32,6 @@ use crate::{
     enterprise::{firewall::try_get_location_firewall_config, limits::update_counts},
     events::{ApiEvent, ApiEventType, ApiRequestContext},
     grpc::GatewayEvent,
-    server_config,
 };
 
 #[derive(Serialize)]
@@ -448,14 +447,13 @@ pub(crate) async fn start_network_device_setup(
         config,
         device: NetworkDeviceInfo::from_device(device, &mut transaction).await?,
     };
-    let config = server_config();
     let settings = Settings::get_current_settings();
     let configuration_token = start_desktop_configuration(
         &user,
         &mut transaction,
         &user,
         None,
-        config.enrollment_token_timeout.as_secs(),
+        settings.enrollment_token_timeout().as_secs(),
         settings.proxy_public_url()?.clone(),
         false,
         Some(result.device.id),
@@ -514,14 +512,13 @@ pub(crate) async fn start_network_device_setup_for_device(
                 user which added the device not found"
             ))
         })?;
-    let config = server_config();
     let settings = Settings::get_current_settings();
     let configuration_token = start_desktop_configuration(
         &user,
         &mut transaction,
         &user,
         None,
-        config.enrollment_token_timeout.as_secs(),
+        settings.enrollment_token_timeout().as_secs(),
         settings.proxy_public_url()?,
         false,
         Some(device.id),
diff --git a/crates/defguard_core/src/handlers/user.rs b/crates/defguard_core/src/handlers/user.rs
index bbbb8bfb9..884eed08f 100644
--- a/crates/defguard_core/src/handlers/user.rs
+++ b/crates/defguard_core/src/handlers/user.rs
@@ -48,7 +48,7 @@ use crate::{
     },
     error::WebError,
     events::{ApiEvent, ApiEventType, ApiRequestContext},
-    is_valid_phone_number, server_config,
+    is_valid_phone_number,
     user_management::{delete_user_and_cleanup_devices, sync_allowed_user_devices},
 };
 
@@ -465,7 +465,7 @@ pub async fn start_enrollment(
     let mut transaction = appstate.pool.begin().await?;
 
     // try to parse token expiration time if provided
-    let config = server_config();
+    let settings = Settings::get_current_settings();
     let token_expiration_time_seconds = match data.token_expiration_time {
         Some(time) => parse_duration(&time)
             .map_err(|err| {
@@ -473,10 +473,9 @@ pub async fn start_enrollment(
                 WebError::BadRequest("Failed to parse token expiration time".to_owned())
             })?
             .as_secs(),
-        None => config.enrollment_token_timeout.as_secs(),
+        None => settings.enrollment_token_timeout().as_secs(),
     };
 
-    let settings: Settings = Settings::get_current_settings();
     let public_proxy_url = settings.proxy_public_url()?;
 
     let enrollment_token = start_user_enrollment(
@@ -580,7 +579,6 @@ pub async fn start_remote_desktop_configuration(
         "Generating a new desktop activation token by {}.",
         session.user.username
     );
-    let config = server_config();
     let settings = Settings::get_current_settings();
     let public_proxy_url = settings.proxy_public_url()?;
     let desktop_configuration_token = start_desktop_configuration(
@@ -588,7 +586,7 @@ pub async fn start_remote_desktop_configuration(
         &mut transaction,
         &session.user,
         Some(email),
-        config.enrollment_token_timeout.as_secs(),
+        settings.enrollment_token_timeout().as_secs(),
         public_proxy_url.clone(),
         data.send_enrollment_notification,
         None,
@@ -1105,16 +1103,15 @@ pub async fn reset_password(
 
         Token::delete_unused_user_password_reset_tokens(&mut transaction, user.id).await?;
 
-        let config = server_config();
+        let settings = Settings::get_current_settings();
         let enrollment = Token::new(
             user.id,
             Some(session.user.id),
             Some(user.email.clone()),
-            config.password_reset_token_timeout.as_secs(),
+            settings.password_reset_token_timeout().as_secs(),
             Some(PASSWORD_RESET_TOKEN_TYPE.to_string()),
         );
         enrollment.save(&mut *transaction).await?;
-        let settings = Settings::get_current_settings();
         let public_proxy_url = settings.proxy_public_url()?;
 
         let result = Mail::new(
diff --git a/crates/defguard_core/src/lib.rs b/crates/defguard_core/src/lib.rs
index 79a249964..baf11401f 100644
--- a/crates/defguard_core/src/lib.rs
+++ b/crates/defguard_core/src/lib.rs
@@ -11,6 +11,7 @@ use axum::{
     routing::{delete, get, post, put},
     serve,
 };
+use axum_extra::extract::cookie::Key;
 use defguard_certs::CertificateAuthority;
 use defguard_common::{
     VERSION,
@@ -219,6 +220,7 @@ pub fn build_webapp(
     wireguard_tx: Sender<GatewayEvent>,
     worker_state: Arc<Mutex<WorkerState>>,
     pool: PgPool,
+    key: Key,
     failed_logins: Arc<Mutex<FailedLoginMap>>,
     event_tx: UnboundedSender<ApiEvent>,
     version: Version,
@@ -604,6 +606,7 @@ pub fn build_webapp(
             webhook_tx,
             webhook_rx,
             wireguard_tx,
+            key,
             failed_logins,
             event_tx,
             incompatible_components,
@@ -638,12 +641,16 @@ pub async fn run_web_server(
     incompatible_components: Arc<RwLock<IncompatibleComponents>>,
     proxy_control_tx: tokio::sync::mpsc::Sender<ProxyControlMessage>,
 ) -> Result<(), anyhow::Error> {
+    let settings = Settings::get_current_settings();
+    let key = Key::from(settings.secret_key_required()?.as_bytes());
+
     let webapp = build_webapp(
         webhook_tx,
         webhook_rx,
         wireguard_tx,
         worker_state,
         pool,
+        key,
         failed_logins,
         event_tx,
         Version::parse(VERSION)?,
@@ -702,8 +709,6 @@ pub async fn init_dev_env(config: &DefGuardConfig) {
     settings.ca_key_der = Some(ca.key_pair_der().to_vec());
     settings.ca_expiry = Some(ca.expiry().expect("Failed to get CA expiry"));
     settings.initial_setup_completed = true;
-    // This should possibly be initialized somehow differently in the future since we are deprecating the enrollment URL env var.
-    settings.public_proxy_url = config.enrollment_url.to_string();
     settings.defguard_url = config.url.to_string();
     update_current_settings(&pool, settings)
         .await
diff --git a/crates/defguard_core/tests/integration/api/common/mod.rs b/crates/defguard_core/tests/integration/api/common/mod.rs
index 6d9ad0234..372ff5d72 100644
--- a/crates/defguard_core/tests/integration/api/common/mod.rs
+++ b/crates/defguard_core/tests/integration/api/common/mod.rs
@@ -5,13 +5,14 @@ use std::{
     sync::{Arc, Mutex},
 };
 
+use axum_extra::extract::cookie::Key;
 pub use defguard_common::db::setup_pool;
 use defguard_common::{
     VERSION,
     config::DefGuardConfig,
     db::{
         Id,
-        models::{Device, User, WireguardNetwork, settings::initialize_current_settings},
+        models::{Device, Settings, User, WireguardNetwork, settings::initialize_current_settings},
     },
 };
 use defguard_core::{
@@ -123,12 +124,20 @@ pub(crate) async fn make_base_client(
     //     .with(tracing_subscriber::fmt::layer())
     //     .init();
 
+    let key = Key::from(
+        Settings::get_current_settings()
+            .secret_key_required()
+            .unwrap()
+            .as_bytes(),
+    );
+
     let webapp = build_webapp(
         tx,
         rx,
         wg_tx,
         worker_state,
         pool,
+        key,
         failed_logins,
         api_event_tx,
         Version::parse(VERSION).unwrap(),
diff --git a/crates/defguard_proxy_manager/src/handler.rs b/crates/defguard_proxy_manager/src/handler.rs
index 06b24aba0..02111cbcf 100644
--- a/crates/defguard_proxy_manager/src/handler.rs
+++ b/crates/defguard_proxy_manager/src/handler.rs
@@ -7,7 +7,6 @@ use std::{
 use axum_extra::extract::cookie::Key;
 use defguard_common::{
     VERSION,
-    config::server_config,
     db::{
         Id,
         models::{Settings, proxy::Proxy},
@@ -43,7 +42,6 @@ use defguard_version::{
 use hyper_rustls::HttpsConnectorBuilder;
 use openidconnect::{AuthorizationCode, Nonce, Scope, core::CoreAuthenticationFlow};
 use reqwest::Url;
-use secrecy::ExposeSecret;
 use semver::Version;
 use sqlx::PgPool;
 use tokio::{
@@ -87,10 +85,12 @@ pub(super) struct ProxyHandler {
     pub(super) url: Url,
     shutdown_signal: Arc<Mutex<ShutdownReceiver>>,
     proxy_id: Id,
+    proxy_cookie_key: Key,
     client: Option<ProxyClient<InterceptedService<Channel, ClientVersionInterceptor>>>,
 }
 
 impl ProxyHandler {
+    #[allow(clippy::too_many_arguments)]
     pub(super) fn new(
         pool: PgPool,
         url: Url,
@@ -99,6 +99,7 @@ impl ProxyHandler {
         sessions: Arc<RwLock<HashMap<String, ClientLoginSession>>>,
         shutdown_signal: Arc<Mutex<ShutdownReceiver>>,
         proxy_id: Id,
+        proxy_cookie_key: Key,
     ) -> Self {
         // Instantiate gRPC servers.
         let services = ProxyServices::new(&pool, tx, remote_mfa_responses, sessions);
@@ -109,6 +110,7 @@ impl ProxyHandler {
             url,
             shutdown_signal,
             proxy_id,
+            proxy_cookie_key,
             client: None,
         }
     }
@@ -120,6 +122,7 @@ impl ProxyHandler {
         remote_mfa_responses: Arc<RwLock<HashMap<String, oneshot::Sender<String>>>>,
         sessions: Arc<RwLock<HashMap<String, ClientLoginSession>>>,
         shutdown_signal: Arc<Mutex<ShutdownReceiver>>,
+        proxy_cookie_key: Key,
     ) -> Result<Self, ProxyError> {
         let url = Url::from_str(&format!("http://{}:{}", proxy.address, proxy.port))?;
         let proxy_id = proxy.id;
@@ -131,6 +134,7 @@ impl ProxyHandler {
             sessions,
             shutdown_signal,
             proxy_id,
+            proxy_cookie_key,
         ))
     }
 
@@ -196,14 +200,13 @@ impl ProxyHandler {
         loop {
             let endpoint = self.endpoint()?;
             let settings = Settings::get_current_settings();
-            let Some(ca_cert_der) = settings.ca_cert_der else {
+            let Some(ref ca_cert_der) = settings.ca_cert_der else {
                 return Err(ProxyError::MissingConfiguration(
                     "Core CA is not setup, can't create a Proxy endpoint.".to_string(),
                 ));
             };
-            let tls_config =
-                tls_certs::client_config(&ca_cert_der, certs_rx.clone(), self.proxy_id)
-                    .map_err(|err| ProxyError::TlsConfigError(err.to_string()))?;
+            let tls_config = tls_certs::client_config(ca_cert_der, certs_rx.clone(), self.proxy_id)
+                .map_err(|err| ProxyError::TlsConfigError(err.to_string()))?;
             let connector = HttpsConnectorBuilder::new()
                 .with_tls_config(tls_config)
                 .https_only()
@@ -270,13 +273,9 @@ impl ProxyHandler {
             info!("Connected to proxy at {}", endpoint.uri());
             let mut resp_stream = response.into_inner();
 
-            // Derive proxy cookie key from core secret to avoid transmitting it over gRPC.
-            let config = server_config();
-            let proxy_cookie_key = Key::derive_from(config.secret_key.expose_secret().as_bytes());
-
             // Send initial info with private cookies key.
             let initial_info = InitialInfo {
-                private_cookies_key: proxy_cookie_key.master().to_vec(),
+                private_cookies_key: self.proxy_cookie_key.master().to_vec(),
             };
             let _ = tx.send(CoreResponse {
                 id: 0,
@@ -722,12 +721,12 @@ impl ProxyHandler {
                                             as a result of proxy OpenID auth callback.",
                                                 user.username
                                             );
-                                            let config = server_config();
+                                            let settings = Settings::get_current_settings();
                                             let desktop_configuration = Token::new(
                                                 user.id,
                                                 Some(user.id),
                                                 Some(user.email),
-                                                config.enrollment_token_timeout.as_secs(),
+                                                settings.enrollment_token_timeout().as_secs(),
                                                 Some(ENROLLMENT_TOKEN_TYPE.to_string()),
                                             );
                                             debug!("Saving a new desktop configuration token...");
@@ -736,7 +735,6 @@ impl ProxyHandler {
                                                 "Saved desktop configuration token. Responding to \
                                             proxy with the token."
                                             );
-                                            let settings = Settings::get_current_settings();
                                             let public_proxy_url = settings.proxy_public_url()?;
 
                                             Some(core_response::Payload::AuthCallback(
diff --git a/crates/defguard_proxy_manager/src/lib.rs b/crates/defguard_proxy_manager/src/lib.rs
index b4bd75255..fad1fe58c 100644
--- a/crates/defguard_proxy_manager/src/lib.rs
+++ b/crates/defguard_proxy_manager/src/lib.rs
@@ -4,6 +4,7 @@ use std::{
     time::Duration,
 };
 
+use axum_extra::extract::cookie::Key;
 use defguard_common::{db::models::proxy::Proxy, types::proxy::ProxyControlMessage};
 use defguard_core::{events::BidiStreamEvent, grpc::GatewayEvent, version::IncompatibleComponents};
 use sqlx::PgPool;
@@ -40,6 +41,7 @@ pub struct ProxyManager {
     tx: ProxyTxSet,
     incompatible_components: Arc<RwLock<IncompatibleComponents>>,
     proxy_control: Receiver<ProxyControlMessage>,
+    proxy_cookie_key: Key,
 }
 
 impl ProxyManager {
@@ -48,12 +50,14 @@ impl ProxyManager {
         tx: ProxyTxSet,
         incompatible_components: Arc<RwLock<IncompatibleComponents>>,
         proxy_control_rx: Receiver<ProxyControlMessage>,
+        core_secret_key: String,
     ) -> Self {
         Self {
             pool,
             tx,
             incompatible_components,
             proxy_control: proxy_control_rx,
+            proxy_cookie_key: Key::derive_from(core_secret_key.as_bytes()),
         }
     }
 
@@ -89,6 +93,7 @@ impl ProxyManager {
                     Arc::clone(&remote_mfa_responses),
                     Arc::clone(&sessions),
                     Arc::new(Mutex::new(shutdown_rx)),
+                    self.proxy_cookie_key.clone(),
                 )
             })
             .collect::<Result<Vec<_>, _>>()?;
@@ -131,6 +136,7 @@ impl ProxyManager {
                                     Arc::clone(&remote_mfa_responses),
                                     Arc::clone(&sessions),
                                     Arc::new(Mutex::new(shutdown_rx)),
+                                    self.proxy_cookie_key.clone(),
                                 ) {
                                     Ok(proxy) => {
                                         debug!("Spawning proxy task for proxy {}", proxy.url);
diff --git a/crates/defguard_proxy_manager/src/servers/enrollment.rs b/crates/defguard_proxy_manager/src/servers/enrollment.rs
index bd1bbef18..1c84423dc 100644
--- a/crates/defguard_proxy_manager/src/servers/enrollment.rs
+++ b/crates/defguard_proxy_manager/src/servers/enrollment.rs
@@ -1,7 +1,6 @@
 use std::collections::HashSet;
 
 use defguard_common::{
-    config::server_config,
     csv::AsCsv,
     db::{
         Id,
@@ -87,7 +86,8 @@ impl EnrollmentServer {
             );
             return Err(Status::permission_denied("invalid token"));
         }
-        if enrollment.is_session_valid(server_config().enrollment_session_timeout.as_secs()) {
+        let settings = Settings::get_current_settings();
+        if enrollment.is_session_valid(settings.enrollment_session_timeout().as_secs()) {
             info!("Enrollment session validated: {enrollment:?}");
             Ok(enrollment)
         } else {
@@ -164,10 +164,11 @@ impl EnrollmentServer {
                 "Validating enrollment token and starting session for user {}({:?})",
                 user.username, user.id,
             );
+            let settings = Settings::get_current_settings();
             let session_deadline = enrollment
                 .start_session(
                     &mut transaction,
-                    server_config().enrollment_session_timeout.as_secs(),
+                    settings.enrollment_session_timeout().as_secs(),
                 )
                 .await?;
             info!(
@@ -179,7 +180,6 @@ impl EnrollmentServer {
                 "Retrieving settings for enrollment of user {}({:?}).",
                 user.username, user.id
             );
-            let settings = Settings::get_current_settings();
             debug!("Settings: {settings:?}");
 
             debug!(
diff --git a/crates/defguard_proxy_manager/src/servers/password_reset.rs b/crates/defguard_proxy_manager/src/servers/password_reset.rs
index b6d94f253..84ad4a81a 100644
--- a/crates/defguard_proxy_manager/src/servers/password_reset.rs
+++ b/crates/defguard_proxy_manager/src/servers/password_reset.rs
@@ -1,7 +1,4 @@
-use defguard_common::{
-    config::server_config,
-    db::models::{Settings, User},
-};
+use defguard_common::db::models::{Settings, User};
 use defguard_core::{
     db::models::enrollment::{PASSWORD_RESET_TOKEN_TYPE, Token},
     enterprise::ldap::utils::ldap_change_password,
@@ -59,7 +56,8 @@ impl PasswordResetServer {
             return Err(Status::permission_denied("invalid token"));
         }
 
-        if enrollment.is_session_valid(server_config().enrollment_session_timeout.as_secs()) {
+        let settings = Settings::get_current_settings();
+        if enrollment.is_session_valid(settings.enrollment_session_timeout().as_secs()) {
             info!("Password reset session validated: {enrollment:?}.",);
             Ok(enrollment)
         } else {
@@ -88,7 +86,6 @@ impl PasswordResetServer {
         request: PasswordResetInitializeRequest,
         req_device_info: Option<DeviceInfo>,
     ) -> Result<(), Status> {
-        let config = server_config();
         debug!("Starting password reset request");
 
         let ip_address;
@@ -133,11 +130,12 @@ impl PasswordResetServer {
 
         Token::delete_unused_user_password_reset_tokens(&mut transaction, user.id).await?;
 
+        let settings = Settings::get_current_settings();
         let enrollment = Token::new(
             user.id,
             None,
             Some(email.clone()),
-            config.password_reset_token_timeout.as_secs(),
+            settings.password_reset_token_timeout().as_secs(),
             Some(PASSWORD_RESET_TOKEN_TYPE.to_string()),
         );
         enrollment.save(&mut *transaction).await?;
@@ -147,7 +145,6 @@ impl PasswordResetServer {
             Status::internal("unexpected error")
         })?;
 
-        let settings = Settings::get_current_settings();
         let public_proxy_url = settings.proxy_public_url().map_err(|err| {
             error!("Failed to get public proxy URL: {err}");
             Status::internal("unexpected error")
@@ -212,10 +209,11 @@ impl PasswordResetServer {
             Status::internal("unexpected error")
         })?;
 
+        let settings = Settings::get_current_settings();
         let session_deadline = enrollment
             .start_session(
                 &mut transaction,
-                server_config().password_reset_session_timeout.as_secs(),
+                settings.password_reset_session_timeout().as_secs(),
             )
             .await?;
 
diff --git a/crates/defguard_setup/src/migration.rs b/crates/defguard_setup/src/migration.rs
index 4154ab84b..bebeba9e6 100644
--- a/crates/defguard_setup/src/migration.rs
+++ b/crates/defguard_setup/src/migration.rs
@@ -9,7 +9,8 @@ use axum::{
     routing::{get, post, put},
     serve,
 };
-use defguard_common::VERSION;
+use axum_extra::extract::cookie::Key;
+use defguard_common::{VERSION, db::models::Settings};
 use defguard_core::{
     auth::failed_login::FailedLoginMap,
     handle_404,
@@ -58,11 +59,18 @@ pub fn build_migration_webapp(
     let (wireguard_tx, _wireguard_rx) = broadcast::channel::<GatewayEvent>(64);
     let (proxy_control_tx, _proxy_control_rx) = mpsc::channel(32);
     let incompatible_components = Arc::new(RwLock::new(IncompatibleComponents::default()));
+    let key = Key::from(
+        Settings::get_current_settings()
+            .secret_key_required()
+            .expect("Missing required secret key in settings")
+            .as_bytes(),
+    );
     let app_state = AppState::new(
         pool.clone(),
         webhook_tx,
         webhook_rx,
         wireguard_tx,
+        key,
         failed_logins.clone(),
         event_tx,
         incompatible_components,
diff --git a/migrations/20260227091211_[2.0.0]_settings_in_db.down.sql b/migrations/20260227091211_[2.0.0]_settings_in_db.down.sql
new file mode 100644
index 000000000..5e68c9996
--- /dev/null
+++ b/migrations/20260227091211_[2.0.0]_settings_in_db.down.sql
@@ -0,0 +1,13 @@
+ALTER TABLE settings
+    DROP COLUMN auth_cookie_timeout_days,
+    DROP COLUMN secret_key,
+    DROP COLUMN openid_signing_key,
+    DROP COLUMN webauthn_rp_id,
+    DROP COLUMN grpc_url,
+    DROP COLUMN disable_stats_purge,
+    DROP COLUMN stats_purge_frequency_hours,
+    DROP COLUMN stats_purge_threshold_days,
+    DROP COLUMN enrollment_token_timeout_hours,
+    DROP COLUMN password_reset_token_timeout_hours,
+    DROP COLUMN enrollment_session_timeout_minutes,
+    DROP COLUMN password_reset_session_timeout_minutes;
diff --git a/migrations/20260227091211_[2.0.0]_settings_in_db.up.sql b/migrations/20260227091211_[2.0.0]_settings_in_db.up.sql
new file mode 100644
index 000000000..b414c04c1
--- /dev/null
+++ b/migrations/20260227091211_[2.0.0]_settings_in_db.up.sql
@@ -0,0 +1,13 @@
+ALTER TABLE settings
+    ADD COLUMN auth_cookie_timeout_days int4 NOT NULL DEFAULT 7,
+    ADD COLUMN secret_key text,
+    ADD COLUMN openid_signing_key text,
+    ADD COLUMN webauthn_rp_id text,
+    ADD COLUMN grpc_url text NOT NULL DEFAULT 'http://localhost:50055',
+    ADD COLUMN disable_stats_purge boolean NOT NULL DEFAULT false,
+    ADD COLUMN stats_purge_frequency_hours int4 NOT NULL DEFAULT 24,
+    ADD COLUMN stats_purge_threshold_days int4 NOT NULL DEFAULT 30,
+    ADD COLUMN enrollment_token_timeout_hours int4 NOT NULL DEFAULT 24,
+    ADD COLUMN password_reset_token_timeout_hours int4 NOT NULL DEFAULT 24,
+    ADD COLUMN enrollment_session_timeout_minutes int4 NOT NULL DEFAULT 10,
+    ADD COLUMN password_reset_session_timeout_minutes int4 NOT NULL DEFAULT 10;

From 534e5953f490a23eebeff2c073c1c3d0af23c2d5 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jchmielewski@teonite.com>
Date: Mon, 2 Mar 2026 17:23:19 +0100
Subject: [PATCH 15/15] fix migration flags (#2159)

---
 crates/defguard/src/main.rs                      | 8 ++------
 crates/defguard_common/src/db/models/settings.rs | 6 +++++-
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/crates/defguard/src/main.rs b/crates/defguard/src/main.rs
index 270db7d1f..919b58511 100644
--- a/crates/defguard/src/main.rs
+++ b/crates/defguard/src/main.rs
@@ -113,6 +113,8 @@ async fn main() -> Result<(), anyhow::Error> {
         settings = Settings::get_current_settings();
     } else if wizard_flags.migration_wizard_in_progress && !wizard_flags.migration_wizard_completed
     {
+        settings.update_from_config(&pool, &config).await?;
+
         config.initialize_post_settings();
         SERVER_CONFIG
             .set(config.clone())
@@ -128,12 +130,6 @@ async fn main() -> Result<(), anyhow::Error> {
         settings = Settings::get_current_settings();
     }
 
-    if wizard_flags.migration_wizard_needed {
-        info!("Migration from 1.6: copying configuration options to DB");
-        settings.update_from_config(&pool, &config).await?;
-        info!("Migration from 1.6: copied configuration options to DB");
-    }
-
     if ini_server_config {
         config.initialize_post_settings();
 
diff --git a/crates/defguard_common/src/db/models/settings.rs b/crates/defguard_common/src/db/models/settings.rs
index 616cef6c3..2d3cee5c5 100644
--- a/crates/defguard_common/src/db/models/settings.rs
+++ b/crates/defguard_common/src/db/models/settings.rs
@@ -689,6 +689,7 @@ impl Settings {
     where
         E: PgExecutor<'e>,
     {
+        info!("Updating Settings from DefguardConfig: {config:?}");
         let minute = 60;
         let hour = minute * 60;
         let day = hour * 24;
@@ -738,7 +739,10 @@ impl Settings {
             self.password_reset_session_timeout_minutes =
                 (password_reset_session_timeout.as_secs() / minute) as i32;
         }
-        update_current_settings(executor, self.clone()).await
+        update_current_settings(executor, self.clone()).await?;
+
+        info!("Updated Settings from DefguardConfig: {config:?}");
+		Ok(())
     }
 }